fix(vault): let shdict secret vault cache presist enough time during …

…resurrect_ttl

kong/pdk/vault.lua

@@ -1264,14 +1264,33 @@ local function new(self)
     local ttl = SECRETS_CACHE:ttl(new_cache_key)
     if ttl and SECRETS_CACHE:get(new_cache_key) ~= NEGATIVELY_CACHED_VALUE then
       local resurrect_ttl = max(config.resurrect_ttl or DAO_MAX_TTL, SECRETS_CACHE_MIN_TTL)
+      -- the secret is still within ttl, no need to refresh
       if ttl > resurrect_ttl then
         return true
+
+      elseif ttl > SECRETS_CACHE_MIN_TTL then
+        local value, _, new_ttl = invoke_strategy(strategy, config, parsed_reference)
+        -- secret is still within resurrect ttl but we cannot fetch value from vault strategy
+        -- so keep the old value in the shared dict
+        if value == nil then
+          return true
+
+        -- we fetched a new value, so we should update the cache
+        else
+          local cache_value, shdict_ttl, lru_ttl = get_cache_value_and_ttl(value, config, new_ttl)
+          local ok, cache_err = SECRETS_CACHE:safe_set(new_cache_key, cache_value, shdict_ttl)
+          if not ok then
+            return nil, fmt("could not retrieve value for reference %s (%s)", reference, cache_err)
+          end
+
+          LRU:set(reference, cache_value, lru_ttl)
+        end
       end
     end
 
     strategy = caching_strategy(strategy, config_hash)
 
-    -- we should refresh the secret at this point
+    -- we should force refresh the secret at this point
     local ok, err = get_from_vault(reference, strategy, config, new_cache_key, parsed_reference)
     if not ok then
       return nil, fmt("could not retrieve value for reference %s (%s)", reference, err)