fix(vault): let shdict secret vault cache presist enough time during resurrect_ttl #13471
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
github-actions
bot
added
core/pdk
cherry-pick kong-ee
windmgc
force-pushed
the
vault-shdict-resurrect-ttl
branch
from
74ff0b0
to
61a3e20
Compare
|
LGTM |
tzssangglass
approved these changes
Aug 16, 2024
outsinre
approved these changes
Aug 16, 2024
changelog/unreleased/kong/fix-vault-resurrect-ttl-multi-worker.yml
Outdated
Show resolved
Hide resolved
catbro666
reviewed
Aug 19, 2024
kong/pdk/vault.lua
Outdated
| if ttl > resurrect_ttl then | ||
| return true | ||
|
|
||
| elseif ttl > SECRETS_CACHE_MIN_TTL then |
There was a problem hiding this comment.
Not sure I'm understanding this correctly, but why should ttl > SECRETS_CACHE_MIN_TTL here?
There was a problem hiding this comment.
Right now the vault timer is refreshing all the secrets in shared dict with a period that equals to ROTATION_INTERVAL, and SECRETS_CACHE_MIN_TTL is 2 * ROTATION_INTERVAL. This ensures the execution of the secret refreshing will happen at least once within the last remaining time of SECRETS_CACHE_MIN_TTL, so that it can be refreshed either with a null placholder(NEGATIVELY_CACHED_VALUE) or a new updated value.
catbro666
reviewed
Aug 19, 2024
catbro666
reviewed
Aug 19, 2024
catbro666
reviewed
Aug 21, 2024
changelog/unreleased/kong/fix-vault-resurrect-ttl-multi-worker.yml
Outdated
Show resolved
Hide resolved
catbro666
approved these changes
Aug 21, 2024
|
I will take a look on it. |
Signed-off-by: Aapo Talvensaari <aapo.talvensaari@gmail.com>
bungle
approved these changes
Aug 21, 2024
bungle
reviewed
Aug 21, 2024
windmgc
commented
Aug 21, 2024
|
@bungle I applied the reviews above, do you want to take another look? It seems something is wrong with Github Action's worker, all tests are pending, we may need to wait until all tests passed |
catbro666
reviewed
Aug 23, 2024
| if resurrect and value == nil then | ||
| local resurrected_value = SECRETS_CACHE:get(cache_key) | ||
| if resurrected_value then | ||
| return resurrected_value |
There was a problem hiding this comment.
What do you think about adding a log here?
github-actions bot
pushed a commit
that referenced
this pull request
Aug 23, 2024
…resurrect_ttl (#13471) This PR fixes an issue that rotate_secret may flush a secret value with NEGATIVE_CACHED_VALUE when vault backend is down and a secret value stored in the shared dict has passed its ttl and hasn't finished consuming its resurrect_ttl. TLDR; this issue happens easily when a reference is being used via the vault PDK function in custom codes(serverless functions, custom plugins, etc.), and some of the worker processes may not be triggered via the service/routes that use these custom codes, and these worker processes do not hold a valid LRU cache for the secret value The issue was first reported in FTI-6137. --------- Signed-off-by: Aapo Talvensaari <aapo.talvensaari@gmail.com> Co-authored-by: Aapo Talvensaari <aapo.talvensaari@gmail.com> (cherry picked from commit 9269195)
3 tasks
|
Successfully created backport PR for |
|
Successfully created cherry-pick PR for |
windmgc
added a commit
that referenced
this pull request
Aug 23, 2024
…resurrect_ttl (#13471) This PR fixes an issue that rotate_secret may flush a secret value with NEGATIVE_CACHED_VALUE when vault backend is down and a secret value stored in the shared dict has passed its ttl and hasn't finished consuming its resurrect_ttl. TLDR; this issue happens easily when a reference is being used via the vault PDK function in custom codes(serverless functions, custom plugins, etc.), and some of the worker processes may not be triggered via the service/routes that use these custom codes, and these worker processes do not hold a valid LRU cache for the secret value The issue was first reported in FTI-6137. --------- Signed-off-by: Aapo Talvensaari <aapo.talvensaari@gmail.com> Co-authored-by: Aapo Talvensaari <aapo.talvensaari@gmail.com> (cherry picked from commit 9269195)
|
Cherry-pick failed for Please cherry-pick the changes locally. git remote add upstream https://github.com/kong/kong-ee
git fetch upstream master
git worktree add -d .worktree/cherry-pick-13471-to-master-to-upstream upstream/master
cd .worktree/cherry-pick-13471-to-master-to-upstream
git checkout -b cherry-pick-13471-to-master-to-upstream
ancref=$(git merge-base 9bc3deb30041dbc45b1fe44fe8069f21ab69caaa 30215e6ff8c7711162107c53a7252f9d78691ca6)
git cherry-pick -x $ancref..30215e6ff8c7711162107c53a7252f9d78691ca6 |
github-actions
bot
added
the
incomplete-cherry-pick
github-actions bot
pushed a commit
that referenced
this pull request
Sep 14, 2024
…resurrect_ttl (#13471) This PR fixes an issue that rotate_secret may flush a secret value with NEGATIVE_CACHED_VALUE when vault backend is down and a secret value stored in the shared dict has passed its ttl and hasn't finished consuming its resurrect_ttl. TLDR; this issue happens easily when a reference is being used via the vault PDK function in custom codes(serverless functions, custom plugins, etc.), and some of the worker processes may not be triggered via the service/routes that use these custom codes, and these worker processes do not hold a valid LRU cache for the secret value The issue was first reported in FTI-6137. --------- Signed-off-by: Aapo Talvensaari <aapo.talvensaari@gmail.com> Co-authored-by: Aapo Talvensaari <aapo.talvensaari@gmail.com> (cherry picked from commit 9269195)
3 tasks
|
Successfully created backport PR for |
github-actions bot
pushed a commit
that referenced
this pull request
Sep 14, 2024
…resurrect_ttl (#13471) This PR fixes an issue that rotate_secret may flush a secret value with NEGATIVE_CACHED_VALUE when vault backend is down and a secret value stored in the shared dict has passed its ttl and hasn't finished consuming its resurrect_ttl. TLDR; this issue happens easily when a reference is being used via the vault PDK function in custom codes(serverless functions, custom plugins, etc.), and some of the worker processes may not be triggered via the service/routes that use these custom codes, and these worker processes do not hold a valid LRU cache for the secret value The issue was first reported in FTI-6137. --------- Signed-off-by: Aapo Talvensaari <aapo.talvensaari@gmail.com> Co-authored-by: Aapo Talvensaari <aapo.talvensaari@gmail.com> (cherry picked from commit 9269195)
3 tasks
|
Successfully created backport PR for |
ms2008
pushed a commit
that referenced
this pull request
Sep 14, 2024
…resurrect_ttl (#13471) This PR fixes an issue that rotate_secret may flush a secret value with NEGATIVE_CACHED_VALUE when vault backend is down and a secret value stored in the shared dict has passed its ttl and hasn't finished consuming its resurrect_ttl. TLDR; this issue happens easily when a reference is being used via the vault PDK function in custom codes(serverless functions, custom plugins, etc.), and some of the worker processes may not be triggered via the service/routes that use these custom codes, and these worker processes do not hold a valid LRU cache for the secret value The issue was first reported in FTI-6137. --------- Signed-off-by: Aapo Talvensaari <aapo.talvensaari@gmail.com> Co-authored-by: Aapo Talvensaari <aapo.talvensaari@gmail.com> (cherry picked from commit 9269195)
kikito
removed
the
incomplete-cherry-pick
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
This PR fixes an issue that
rotate_secretmay flush a secret value withNEGATIVE_CACHED_VALUEwhen vault backend is down and a secret value stored in the shared dict has passed itsttland hasn't finished consuming itsresurrect_ttl.TLDR; this issue happens easily when a reference is being used via the vault PDK function in custom codes(serverless functions, custom plugins, etc.), and some of the worker processes may not be triggered via the service/routes that use these custom codes, and these worker processes do not hold a valid LRU cache for the secret value
The issue was first reported in FTI-6137.
Checklist
changelog/unreleased/kongorskip-changeloglabel added on PR if changelog is unnecessary. README.mdIssue reference
FTI-6137