fix(vaults) do not leak resolved vault references to .kong_env file

### Summary When Kong prepares a `prefix` directory, it also stores current environment related to Kong in file called `.kong_env`. As Kong resolves the Vault references when it starts, the resolved values got leaked to `.kong_env` file. This was partly because for `vaults-beta` we didn't yet implement secret rotation, and we decided to also not keep the references around when they were resolved. Not that we have added the `"$refs"` property to `kong.configuration`, we can replace the values of configuration with the references before we write the `.kong_env` file. This commit fixes that.
Kong · Apr 19, 2022 · ac69743 · ac69743
1 parent 7f13cbc
commit ac69743
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 0 deletions.
diff --git a/kong/cmd/utils/prefix_handler.lua b/kong/cmd/utils/prefix_handler.lua
@@ -485,7 +485,13 @@ local function prepare_prefix(kong_config, nginx_custom_template_path, skip_writ
     "",
   }
 
+  local refs = kong_config["$refs"]
+
   for k, v in pairs(kong_config) do
+    if refs and refs[k] then
+      v = refs[k]
+    end
+
     if type(v) == "table" then
       if (getmetatable(v) or {}).__tostring then
         -- the 'tostring' meta-method knows how to serialize

diff --git a/spec/01-unit/04-prefix_handler_spec.lua b/spec/01-unit/04-prefix_handler_spec.lua
@@ -844,6 +844,31 @@ describe("NGINX conf compiler", function()
       assert.True(in_prefix_kong_conf.loaded_plugins.bar)
     end)
 
+    describe("vault references", function()
+      it("are kept as references in .kong_env", function()
+        finally(function()
+          helpers.unsetenv("PG_DATABASE")
+        end)
+
+        helpers.setenv("PG_DATABASE", "resolved-kong-database")
+
+        local conf = assert(conf_loader(nil, {
+          prefix = tmp_config.prefix,
+          pg_database = "{vault://env/pg-database}",
+        }))
+
+        assert.equal("resolved-kong-database", conf.pg_database)
+        assert.equal("{vault://env/pg-database}", conf["$refs"].pg_database)
+
+        assert(prefix_handler.prepare_prefix(conf))
+
+        local contents = helpers.file.read(tmp_config.kong_env)
+
+        assert.matches("pg_database = {vault://env/pg-database}", contents, nil, true)
+        assert.not_matches("resolved-kong-database", contents, nil, true)
+      end)
+    end)
+
     describe("ssl", function()
       it("does not create SSL dir if disabled", function()
         local conf = conf_loader(nil, {