fix(vault): fix several issues in vault and refactor the vault code base #11402
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
bungle
force-pushed
the
fix/vaults-cleanup-pass
branch
from
54b9625 to
719be65
Compare
bungle
force-pushed
the
fix/vaults-cleanup-pass
branch
6 times, most recently
from
92d6bf5 to
fb255df
Compare
bungle
changed the title
bungle
force-pushed
the
fix/vaults-cleanup-pass
branch
10 times, most recently
from
4bf867d to
8821c30
Compare
vm-001
force-pushed
the
fix/vaults-cleanup-pass
branch
from
1b40601 to
0d3f629
Compare
bungle
force-pushed
the
fix/vaults-cleanup-pass
branch
5 times, most recently
from
027b146 to
30893f6
Compare
bungle
force-pushed
the
fix/vaults-cleanup-pass
branch
6 times, most recently
from
0a54f31 to
58fb69a
Compare
|
TODO: add changelog. |
hanshuebner
approved these changes
Aug 31, 2023
|
A changelog file must be added, and I think it would be good to have a little more information in the pull request description. I believe that squashing the commits together is best at this point. |
bungle
force-pushed
the
fix/vaults-cleanup-pass
branch
from
58fb69a to
43ad19f
Compare
bungle
changed the title
bungle
force-pushed
the
fix/vaults-cleanup-pass
branch
from
43ad19f to
5d451d9
Compare
### Summary - Make DAOs to fallback to empty string when resolving Vault references fail - Use node level mutex when rotation references - Refresh references on config changes - Update plugin referenced values only once per request - Pass only the valid config options to vault implementations - Resolve multi-value secrets only once when rotating them - Do not start vault secrets rotation timer on control planes - Re-enable negative caching - Reimplement the kong.vault.try function - Remove references from rotation in case their configuration has changed #### Commits before squashing them (it turned out difficult to split last refactoring commit) - tests(vault): should be able to detect new references when plugin config changes - fix(schema): process auto fields to default to empty string on resolve failures - fix(schema): use pairs to adjust_field_for_context with arrays and sets - perf(plugin-iterator): vault.update only once per request on global iterator - docs(vault): mark local functions with local-attribute - fix(vault): use node level mutex instead of a thread level semaphore - fix(vault): add validation back as the yielding is fixed - refactor(vault): move parse_reference close to is_reference - fix(vault): refresh secrets on flush in timer - refactor(vault): refactor the vault local update function - chore(vault): add cooperative yielding on secret rotation - fix(vault): no event handlers or rotation timer on control planes - refactor(vault): cache key generation and parsing - chore(vault): rename get_subfield to extract_key_from_json_string - chore(vault): rename flush_and_refresh to handle_vault_crud_event - refactor(vault): refactor vault code base Signed-off-by: Aapo Talvensaari <aapo.talvensaari@gmail.com>
bungle
force-pushed
the
fix/vaults-cleanup-pass
branch
from
5d451d9 to
d8aee9f
Compare
team-gateway-bot
pushed a commit
that referenced
this pull request
Sep 7, 2023
…ase (#11402) ### Summary - Make DAOs to fallback to empty string when resolving Vault references fail - Use node level mutex when rotation references - Refresh references on config changes - Update plugin referenced values only once per request - Pass only the valid config options to vault implementations - Resolve multi-value secrets only once when rotating them - Do not start vault secrets rotation timer on control planes - Re-enable negative caching - Reimplement the kong.vault.try function - Remove references from rotation in case their configuration has changed #### Commits before squashing them (it turned out difficult to split last refactoring commit) - tests(vault): should be able to detect new references when plugin config changes - fix(schema): process auto fields to default to empty string on resolve failures - fix(schema): use pairs to adjust_field_for_context with arrays and sets - perf(plugin-iterator): vault.update only once per request on global iterator - docs(vault): mark local functions with local-attribute - fix(vault): use node level mutex instead of a thread level semaphore - fix(vault): add validation back as the yielding is fixed - refactor(vault): move parse_reference close to is_reference - fix(vault): refresh secrets on flush in timer - refactor(vault): refactor the vault local update function - chore(vault): add cooperative yielding on secret rotation - fix(vault): no event handlers or rotation timer on control planes - refactor(vault): cache key generation and parsing - chore(vault): rename get_subfield to extract_key_from_json_string - chore(vault): rename flush_and_refresh to handle_vault_crud_event - refactor(vault): refactor vault code base Signed-off-by: Aapo Talvensaari <aapo.talvensaari@gmail.com> (cherry picked from commit fd64029)
hanshuebner
pushed a commit
that referenced
this pull request
Sep 20, 2023
…ase (#11402) (#11521) ### Summary - Make DAOs to fallback to empty string when resolving Vault references fail - Use node level mutex when rotation references - Refresh references on config changes - Update plugin referenced values only once per request - Pass only the valid config options to vault implementations - Resolve multi-value secrets only once when rotating them - Do not start vault secrets rotation timer on control planes - Re-enable negative caching - Reimplement the kong.vault.try function - Remove references from rotation in case their configuration has changed #### Commits before squashing them (it turned out difficult to split last refactoring commit) - tests(vault): should be able to detect new references when plugin config changes - fix(schema): process auto fields to default to empty string on resolve failures - fix(schema): use pairs to adjust_field_for_context with arrays and sets - perf(plugin-iterator): vault.update only once per request on global iterator - docs(vault): mark local functions with local-attribute - fix(vault): use node level mutex instead of a thread level semaphore - fix(vault): add validation back as the yielding is fixed - refactor(vault): move parse_reference close to is_reference - fix(vault): refresh secrets on flush in timer - refactor(vault): refactor the vault local update function - chore(vault): add cooperative yielding on secret rotation - fix(vault): no event handlers or rotation timer on control planes - refactor(vault): cache key generation and parsing - chore(vault): rename get_subfield to extract_key_from_json_string - chore(vault): rename flush_and_refresh to handle_vault_crud_event - refactor(vault): refactor vault code base Signed-off-by: Aapo Talvensaari <aapo.talvensaari@gmail.com> (cherry picked from commit fd64029) Co-authored-by: Aapo Talvensaari <aapo.talvensaari@gmail.com>
3 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Commits before squashing them (it turned out difficult to split last refactoring commit)