fix(vault): fix several issues in vault and refactor the vault code base

CHANGELOG/unreleased/kong/11402.yaml

@@ -0,0 +1,19 @@
+message: >
+  Fix several issues in Vault and refactor the Vault code base:
+  - Make DAOs to fallback to empty string when resolving Vault references fail
+  - Use node level mutex when rotation references 
+  - Refresh references on config changes
+  - Update plugin referenced values only once per request
+  - Pass only the valid config options to vault implementations
+  - Resolve multi-value secrets only once when rotating them
+  - Do not start vault secrets rotation timer on control planes
+  - Re-enable negative caching
+  - Reimplement the kong.vault.try function
+  - Remove references from rotation in case their configuration has changed
+
+type: bugfix
+scope: PDK
+prs:
+  - 11402
+jiras:
+  - "KAG-2273"

kong/concurrency.lua

@@ -24,18 +24,25 @@ function concurrency.with_worker_mutex(opts, fn)
 
   local opts_name    = opts.name
   local opts_timeout = opts.timeout
+  local opts_exptime = opts.exptime
 
   if type(opts_name) ~= "string" then
     error("opts.name is required and must be a string", 2)
   end
+
   if opts_timeout and type(opts_timeout) ~= "number" then
     error("opts.timeout must be a number", 2)
   end
 
+  if opts_exptime and type(opts_exptime) ~= "number" then
+    error("opts.exptime must be a number", 2)
+  end
+
   local timeout = opts_timeout or 60
+  local exptime = opts_exptime or timeout
 
   local rlock, err = resty_lock:new("kong_locks", {
-    exptime = timeout,
+    exptime = exptime,
     timeout = timeout,
   })
   if not rlock then

kong/db/schema/init.lua

@@ -1575,15 +1575,9 @@ local function adjust_field_for_context(field, value, context, nulls, opts)
     end
 
     if subfield then
-      if field.type ~= "map" then
-        for i = 1, #value do
-          value[i] = adjust_field_for_context(subfield, value[i], context, nulls, opts)
-        end
-
-      else
-        for k, v in pairs(value) do
-          value[k] = adjust_field_for_context(subfield, v, context, nulls, opts)
-        end
+      -- uses pairs also for arrays and sets as well as maps, as there can be holes
+      for k, v in pairs(value) do
+        value[k] = adjust_field_for_context(subfield, v, context, nulls, opts)
       end
     end
   end
@@ -1739,7 +1733,7 @@ function Schema:process_auto_fields(data, context, nulls, opts)
                 kong.log.warn("unable to resolve reference ", value)
               end
 
-              value = nil
+              value = ""
             end
 
           elseif prev_refs and prev_refs[key] then
@@ -1778,7 +1772,7 @@ function Schema:process_auto_fields(data, context, nulls, opts)
                       kong.log.warn("unable to resolve reference ", value[i])
                     end
 
-                    value[i] = nil
+                    value[i] = ""
                   end
                 end
               end
@@ -1824,7 +1818,7 @@ function Schema:process_auto_fields(data, context, nulls, opts)
                       kong.log.warn("unable to resolve reference ", v)
                     end
 
-                    value[k] = nil
+                    value[k] = ""
                   end
                 end
               end
@@ -1863,7 +1857,7 @@ function Schema:process_auto_fields(data, context, nulls, opts)
   for key in pairs(data) do
     local field = self.fields[key]
     if field then
-      if field.type == "string" and (field.len_min or 1) > 0 and data[key] == ""
+      if field.type == "string" and (field.len_min or 1) > 0 and data[key] == "" and not (refs and refs[key])
       then
         data[key] = nulls and null or nil
       end