feat(vaults) store configuration references in $refs (needed for rota…

…tion and .kong_env cleanup) ### Summary Kong vault references like `{vault://env/my-env-var}` when used in Kong configuration are replaced with actual secrets. This makes it hard to implement secret rotation as the reference is lost when it is replaced. This commit stores the original references on a side: ```lua kong.configuration[$refs][<key>] = <reference> ```
Kong · Apr 19, 2022 · 7f13cbc · 7f13cbc
1 parent bffa4af
commit 7f13cbc
Show file tree

Hide file tree

Showing 2 changed files with 39 additions and 0 deletions.
diff --git a/kong/conf_loader/init.lua b/kong/conf_loader/init.lua
@@ -1481,6 +1481,7 @@ local function load(path, custom_conf, opts)
   ---------------------------------
 
   local loaded_vaults
+  local refs
   do
     -- validation
     local vaults_array = infer_value(conf.vaults, CONF_INFERENCES["vaults"].typ, opts)
@@ -1507,6 +1508,12 @@ local function load(path, custom_conf, opts)
     local vault = require "kong.pdk.vault".new()
     for k, v in pairs(conf) do
       if vault.is_reference(v) then
+        if refs then
+          refs[k] = v
+        else
+          refs = setmetatable({ [k] = v }, _nop_tostring_mt)
+        end
+
         local deref, deref_err = vault.get(v)
         if deref == nil or deref_err then
           return nil, fmt("failed to dereference '%s': %s for config option '%s'", v, deref_err, k)
@@ -1531,7 +1538,9 @@ local function load(path, custom_conf, opts)
   end
 
   conf = tablex.merge(conf, defaults) -- intersection (remove extraneous properties)
+
   conf.loaded_vaults = loaded_vaults
+  conf["$refs"] = refs
 
   local default_nginx_main_user = false
   local default_nginx_user = false

diff --git a/spec/01-unit/03-conf_loader_spec.lua b/spec/01-unit/03-conf_loader_spec.lua
@@ -1719,4 +1719,34 @@ describe("Configuration loader", function()
       assert.equal("2m", conf.nginx_http_client_body_buffer_size)
     end)
   end)
+  describe("vault references", function()
+    it("are collected under $refs property", function()
+      finally(function()
+        helpers.unsetenv("PG_DATABASE")
+      end)
+
+      helpers.setenv("PG_DATABASE", "resolved-kong-database")
+
+      local conf = assert(conf_loader(nil, {
+        pg_database = "{vault://env/pg-database}"
+      }))
+
+      assert.equal("resolved-kong-database", conf.pg_database)
+      assert.equal("{vault://env/pg-database}", conf["$refs"].pg_database)
+    end)
+    it("are inferred and collected under $refs property", function()
+      finally(function()
+        helpers.unsetenv("PG_PORT")
+      end)
+
+      helpers.setenv("PG_PORT", "5000")
+
+      local conf = assert(conf_loader(nil, {
+        pg_port = "{vault://env/pg-port}"
+      }))
+
+      assert.equal(5000, conf.pg_port)
+      assert.equal("{vault://env/pg-port}", conf["$refs"].pg_port)
+    end)
+  end)
 end)