fix(cmd): fix vault refs when both http and stream are enabled

kong/cmd/utils/nginx_signals.lua

@@ -84,7 +84,18 @@ local function set_process_secrets_env(kong_conf)
     return nil, err
   end
 
-  return C.setenv("KONG_PROCESS_SECRETS", secrets, 1) == 0
+  local ok_sub_http
+  if kong_conf.role == "control_plane" or #kong_conf.proxy_listeners > 0
+    or #kong_conf.admin_listeners > 0 or #kong_conf.status_listeners > 0 then
+      ok_sub_http = C.setenv("KONG_PROCESS_SECRETS_HTTP", secrets, 1) == 0
+  end
+
+  local ok_sub_stream
+  if #kong_conf.stream_listeners > 0 then
+    ok_sub_stream = C.setenv("KONG_PROCESS_SECRETS_STREAM", secrets, 1) == 0
+  end
+
+  return ok_sub_http or ok_sub_stream
 end
 
 

kong/cmd/utils/prefix_handler.lua

@@ -374,40 +374,62 @@ local function write_env_file(path, data)
   return true
 end
 
-local function write_process_secrets_file(path, data)
-  os.remove(path)
+local function write_process_secrets_file(kong_conf, data)
+  local path = kong_conf.kong_process_secrets
 
-  local flags = bit.bor(system_constants.O_RDONLY(),
-                        system_constants.O_CREAT())
+  local function write_single_secret_file(path, data)
+    os.remove(path)
 
-  local mode = ffi.new("int", bit.bor(system_constants.S_IRUSR(),
-                                      system_constants.S_IWUSR()))
+    local flags = bit.bor(system_constants.O_RDONLY(),
+                          system_constants.O_CREAT())
 
-  local fd = ffi.C.open(path, flags, mode)
-  if fd < 0 then
-    local errno = ffi.errno()
-    return nil, "unable to open process secrets path " .. path .. " (" ..
-                ffi.string(ffi.C.strerror(errno)) .. ")"
-  end
+    local mode = ffi.new("int", bit.bor(system_constants.S_IRUSR(),
+                                        system_constants.S_IWUSR()))
 
-  local ok = ffi.C.close(fd)
-  if ok ~= 0 then
-    local errno = ffi.errno()
-    return nil, "failed to close fd (" ..
-                ffi.string(ffi.C.strerror(errno)) .. ")"
-  end
+    local fd = ffi.C.open(path, flags, mode)
+    if fd < 0 then
+      local errno = ffi.errno()
+      return nil, "unable to open process secrets path " .. path .. " (" ..
+                  ffi.string(ffi.C.strerror(errno)) .. ")"
+    end
 
-  local file, err = io.open(path, "w+b")
-  if not file then
-    return nil, "unable to open process secrets path " .. path .. " (" .. err .. ")"
-  end
+    local ok = ffi.C.close(fd)
+    if ok ~= 0 then
+      local errno = ffi.errno()
+      return nil, "failed to close fd (" ..
+                  ffi.string(ffi.C.strerror(errno)) .. ")"
+    end
 
-  local ok, err = file:write(data)
+    local file, err = io.open(path, "w+b")
+    if not file then
+      return nil, "unable to open process secrets path " .. path .. " (" .. err .. ")"
+    end
 
-  file:close()
+    local ok, err = file:write(data)
 
-  if not ok then
-    return nil, "unable to write process secrets path " .. path .. " (" .. err .. ")"
+    file:close()
+
+    if not ok then
+      return nil, "unable to write process secrets path " .. path .. " (" .. err .. ")"
+    end
+
+    return true
+
+  end
+
+  if kong_conf.role == "control_plane" or #kong_conf.proxy_listeners > 0
+    or #kong_conf.admin_listeners > 0 or #kong_conf.status_listeners > 0 then
+    local ok, err = write_single_secret_file(path .. "_http", data)
+    if not ok then
+      return nil, err
+    end
+  end
+
+  if #kong_conf.stream_listeners > 0 then
+    local ok, err = write_single_secret_file(path .. "_stream", data)
+    if not ok then
+      return nil, err
+    end
   end
 
   return true
@@ -887,7 +909,7 @@ local function prepare_prefix(kong_config, nginx_custom_template_path, skip_writ
       return nil, err
     end
 
-    ok, err = write_process_secrets_file(kong_config.kong_process_secrets, secrets)
+    ok, err = write_process_secrets_file(kong_config, secrets)
     if not ok then
       return nil, err
     end

kong/conf_loader/init.lua

@@ -31,6 +31,7 @@ local sort = table.sort
 local find = string.find
 local gsub = string.gsub
 local lower = string.lower
+local upper = string.upper
 local match = string.match
 local pairs = pairs
 local assert = assert
@@ -433,12 +434,13 @@ local function load(path, custom_conf, opts)
     local prefix = abspath(conf.prefix or ngx.config.prefix())
     local secret_env
     local secret_file
-    local secrets = getenv("KONG_PROCESS_SECRETS")
+    local secrets_env_var_name = upper("KONG_PROCESS_SECRETS_" .. ngx.config.subsystem)
+    local secrets = getenv(secrets_env_var_name)
     if secrets then
-      secret_env = "KONG_PROCESS_SECRETS"
+      secret_env = secrets_env_var_name
 
     else
-      local secrets_path = pl_path.join(prefix, unpack(conf_constants.PREFIX_PATHS.kong_process_secrets))
+      local secrets_path = pl_path.join(prefix, unpack(conf_constants.PREFIX_PATHS.kong_process_secrets)) .. "_" .. ngx.config.subsystem
       if exists(secrets_path) then
         secrets, err = pl_file.read(secrets_path, true)
         if not secrets then
@@ -456,7 +458,6 @@ local function load(path, custom_conf, opts)
         return nil, err
       end
 
-      -- TODO: remember!
       for k, deref in pairs(secrets) do
         conf[k] = deref
       end

kong/init.lua

@@ -882,15 +882,15 @@ function Kong.init_worker()
 
   if kong.clustering then
     -- full sync dp
-    
+
     local is_dp_full_sync_agent = process.type() == "privileged agent" and not kong.sync
 
     if is_control_plane(kong.configuration) or -- CP needs to support both full and incremental sync
       is_dp_full_sync_agent -- full sync is only enabled for DP if incremental sync is disabled
     then
       kong.clustering:init_worker()
     end
-  
+
     -- DP full sync agent skips the rest of the init_worker
     if is_dp_full_sync_agent then
       return