-
Notifications
You must be signed in to change notification settings - Fork 4.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(response-ratelimiting): add support for secret rotation with redis connection #10570
feat(response-ratelimiting): add support for secret rotation with redis connection #10570
Conversation
0dc63b4
to
dc8703b
Compare
ok, err = red:auth(conf.redis_username, conf.redis_password) | ||
ok, err = kong.vault.try(function(cfg) | ||
return red:auth(cfg.redis_username, cfg.redis_password) | ||
end, conf) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Aapo, was the plan not to keep this transparent to the plugin authors and resolve the referenced username/password before calling any plugin handler code?
I'm surprised to see this code here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@hbagdi, this is the resolve-secret-on-failure
approach. Most of the cases we have with secrets are resolve-on-secret-failure
. But we decided to focus on more generic ttl
, but that has limitations. E.g. with try
, you can just go to vault and change secret and then change db password, and Kong should be able to pick it up. The TTL approach requires a more coordinated approach. That is when rotating, you should keep the old one at least for TTL amount of time, and after that you may drop the old credentials. The TTL approach can be seen in action here (the update function): 83bd52b
But the TTL we currently only re-resolve secrets only every minute as most:
20c2da8#diff-212b3488c5eb070820f7bc5178fbaa56e9435fe49cf050feb29091ca9aa1540bR49
There is no way to do fail-and-resolve
anywhere else than where the failure happens.
@bungle I have seen this PR was added to 3.3 milestones, And the code looks Okay. Why was this PR labeled draft? |
Moving this to 3.4, and perhaps abstract it a bit more. |
dc8703b
to
b340c9f
Compare
b340c9f
to
fd973ec
Compare
I'm going to remove this from the 3.4 milestone. We are too busy fixing the bugs we found on the "regular" (non-try-based) TTL code to expand the scope even more. Also, this PR has no tests. |
fd973ec
to
605b7ae
Compare
605b7ae
to
6b866ab
Compare
I'm approving this because (request-)ratelimiting has the same change and otherwise this would make both plugins iconsistent. |
6b866ab
to
ddffc7a
Compare
ddffc7a
to
139635b
Compare
139635b
to
31caef8
Compare
…is connection Signed-off-by: Aapo Talvensaari <[email protected]>
31caef8
to
3c513f4
Compare
Summary
Adds support for secret rotation for redis credentials in response-ratelimiting plugin.