This is an automated email from the ASF dual-hosted git repository.
shreemaan-abhishek pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/apisix.git
The following commit(s) were added to refs/heads/master by this push:
new 2f0898c1e fix: invalidate secret LRU cache on /secrets changes (#13668)
2f0898c1e is described below
commit 2f0898c1ee28a1e3918221650f83526c6781bb24
Author: Shreemaan Abhishek <[email protected]>
AuthorDate: Fri Jul 10 11:53:37 2026 +0800
fix: invalidate secret LRU cache on /secrets changes (#13668)
---
apisix/secret.lua | 4 ++-
t/secret/secret_lru.t | 73 +++++++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 76 insertions(+), 1 deletion(-)
diff --git a/apisix/secret.lua b/apisix/secret.lua
index d64851115..f25daa647 100644
--- a/apisix/secret.lua
+++ b/apisix/secret.lua
@@ -233,7 +233,9 @@ local function fetch(uri, use_cache)
return val
end
- return secrets_cache(uri, "", fetch_by_uri, uri)
+ -- pass the secrets conf_version so the cache re-resolves when /secrets
changes
+ local version = secrets and secrets.conf_version or ""
+ return secrets_cache(uri, version, fetch_by_uri, uri)
end
local function retrieve_refs(refs, use_cache)
diff --git a/t/secret/secret_lru.t b/t/secret/secret_lru.t
index 3ff3386fc..670bf03b5 100644
--- a/t/secret/secret_lru.t
+++ b/t/secret/secret_lru.t
@@ -96,3 +96,76 @@ GET /t
}
--- response_body
nil
+
+
+
+=== TEST 2: store secret into vault
+--- exec
+VAULT_TOKEN='root' VAULT_ADDR='http://0.0.0.0:8200' vault kv put
kv/apisix/lru-key/jack key=value
+--- response_body
+Success! Data written to: kv/apisix/lru-key/jack
+
+
+
+=== TEST 3: deleted secret is evicted from the LRU cache
+--- config
+ location /t {
+ content_by_lua_block {
+ local t = require("lib.test_admin").test
+ local secret = require("apisix.secret")
+
+ -- configure the vault secret manager
+ local code, body = t('/apisix/admin/secrets/vault/lru',
+ ngx.HTTP_PUT,
+ [[{
+ "uri": "http://127.0.0.1:8200",
+ "prefix": "kv/apisix",
+ "token": "root"
+ }]]
+ )
+ if code >= 300 then
+ ngx.status = code
+ return ngx.say(body)
+ end
+
+ local ref = { key = "$secret://vault/lru/lru-key/jack/key" }
+
+ -- resolve through the cache once the manager config is synced
+ local resolved
+ for _ = 1, 50 do
+ resolved = secret.fetch_secrets(ref, true)
+ if resolved.key == "value" then
+ break
+ end
+ ngx.sleep(0.1)
+ end
+ ngx.say(resolved.key)
+
+ local _, ver = secret.secrets()
+
+ code, body = t('/apisix/admin/secrets/vault/lru', ngx.HTTP_DELETE)
+ if code >= 300 then
+ ngx.status = code
+ return ngx.say(body)
+ end
+
+ -- wait for the /secrets config version to bump
+ for _ = 1, 50 do
+ local _, new_ver = secret.secrets()
+ if new_ver ~= ver then
+ break
+ end
+ ngx.sleep(0.1)
+ end
+
+ -- cache must re-resolve: the manager is gone, so it falls back to
the literal ref
+ resolved = secret.fetch_secrets(ref, true)
+ ngx.say(resolved.key)
+ }
+ }
+--- request
+GET /t
+--- timeout: 20
+--- response_body
+value
+$secret://vault/lru/lru-key/jack/key