fix(conf) properly support vault configurations with process secrets

### Summary Default vault configurations can be configured with Kong configuration. For example using environment variables: - `KONG_VAULT_ENV_PREFIX=vault_` - `KONG_VAULT_HCV_TOKEN=xxx` Previously these settings were not honoured when kong configuration references were dereferenced. This fixes that issue.
Kong · Apr 19, 2022 · 951b93f · 951b93f
1 parent 3d583c8
commit 951b93f
Show file tree

Hide file tree

Showing 3 changed files with 42 additions and 6 deletions.
diff --git a/kong/conf_loader/init.lua b/kong/conf_loader/init.lua
@@ -1505,7 +1505,15 @@ local function load(path, custom_conf, opts)
 
     loaded_vaults = setmetatable(vaults, _nop_tostring_mt)
 
-    local vault = require "kong.pdk.vault".new()
+    local vault_conf = { loaded_vaults = loaded_vaults }
+    for k, v in pairs(conf) do
+      if string.sub(k, 1, 6) == "vault_" then
+        vault_conf[k] = v
+      end
+    end
+
+    local vault = require("kong.pdk.vault").new({ configuration = vault_conf })
+
     for k, v in pairs(conf) do
       if vault.is_reference(v) then
         if refs then

diff --git a/kong/vaults/env/init.lua b/kong/vaults/env/init.lua
@@ -37,14 +37,11 @@ end
 
 local function get(conf, resource, version)
   local prefix = conf.prefix
-
-  resource = gsub(resource, "-", "_")
-
   if type(prefix) == "string" then
     resource = prefix .. resource
   end
 
-  resource = upper(resource)
+  resource = upper(gsub(resource, "-", "_"))
 
   if version == 2 then
     resource = resource .. "_PREVIOUS"

diff --git a/spec/02-integration/02-cmd/14-vault_spec.lua b/spec/02-integration/02-cmd/14-vault_spec.lua
@@ -51,7 +51,38 @@ describe("kong vault", function()
       helpers.setenv("SECRETS_TEST", "testvalue")
       local ok, stderr, stdout = helpers.kong_exec("vault get env/secrets_test", { vaults = "env" })
       assert.equal("", stderr)
-      assert.matches("testvalue", stdout)
+      assert.matches("testvalue", stdout, nil, true)
+      assert.is_true(ok)
+
+      ok, stderr, stdout = helpers.kong_exec("vault get env/secrets-test", { vaults = "env" })
+      assert.equal("", stderr)
+      assert.matches("testvalue", stdout, nil, true)
+      assert.is_true(ok)
+    end)
+
+    it("vault get env with config", function()
+      finally(function()
+        helpers.unsetenv("KONG_VAULT_ENV_PREFIX")
+        helpers.unsetenv("SECRETS_TEST")
+      end)
+      helpers.setenv("KONG_VAULT_ENV_PREFIX", "SECRETS_")
+      helpers.setenv("SECRETS_TEST", "testvalue-with-config")
+      local ok, stderr, stdout = helpers.kong_exec("vault get env/test", { vaults = "env" })
+      assert.equal("", stderr)
+      assert.matches("testvalue-with-config", stdout, nil, true)
+      assert.is_true(ok)
+    end)
+
+    it("vault get env with config with dash", function()
+      finally(function()
+        helpers.unsetenv("KONG_VAULT_ENV_PREFIX")
+        helpers.unsetenv("SECRETS_AGAIN_TEST")
+      end)
+      helpers.setenv("KONG_VAULT_ENV_PREFIX", "SECRETS-AGAIN-")
+      helpers.setenv("SECRETS_AGAIN_TEST_TOO", "testvalue-with-config-again")
+      local ok, stderr, stdout = helpers.kong_exec("vault get env/test-too", { vaults = "env" })
+      assert.equal("", stderr)
+      assert.matches("testvalue-with-config-again", stdout, nil, true)
       assert.is_true(ok)
     end)
   end)