This is an automated email from the ASF dual-hosted git repository.

shreemaan-abhishek pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/apisix.git


The following commit(s) were added to refs/heads/master by this push:
     new 2f0898c1e fix: invalidate secret LRU cache on /secrets changes (#13668)
2f0898c1e is described below

commit 2f0898c1ee28a1e3918221650f83526c6781bb24
Author: Shreemaan Abhishek <[email protected]>
AuthorDate: Fri Jul 10 11:53:37 2026 +0800

    fix: invalidate secret LRU cache on /secrets changes (#13668)
---
 apisix/secret.lua     |  4 ++-
 t/secret/secret_lru.t | 73 +++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 76 insertions(+), 1 deletion(-)

diff --git a/apisix/secret.lua b/apisix/secret.lua
index d64851115..f25daa647 100644
--- a/apisix/secret.lua
+++ b/apisix/secret.lua
@@ -233,7 +233,9 @@ local function fetch(uri, use_cache)
         return val
     end
 
-    return secrets_cache(uri, "", fetch_by_uri, uri)
+    -- pass the secrets conf_version so the cache re-resolves when /secrets 
changes
+    local version = secrets and secrets.conf_version or ""
+    return secrets_cache(uri, version, fetch_by_uri, uri)
 end
 
 local function retrieve_refs(refs, use_cache)
diff --git a/t/secret/secret_lru.t b/t/secret/secret_lru.t
index 3ff3386fc..670bf03b5 100644
--- a/t/secret/secret_lru.t
+++ b/t/secret/secret_lru.t
@@ -96,3 +96,76 @@ GET /t
     }
 --- response_body
 nil
+
+
+
+=== TEST 2: store secret into vault
+--- exec
+VAULT_TOKEN='root' VAULT_ADDR='http://0.0.0.0:8200' vault kv put 
kv/apisix/lru-key/jack key=value
+--- response_body
+Success! Data written to: kv/apisix/lru-key/jack
+
+
+
+=== TEST 3: deleted secret is evicted from the LRU cache
+--- config
+    location /t {
+        content_by_lua_block {
+            local t = require("lib.test_admin").test
+            local secret = require("apisix.secret")
+
+            -- configure the vault secret manager
+            local code, body = t('/apisix/admin/secrets/vault/lru',
+                ngx.HTTP_PUT,
+                [[{
+                    "uri": "http://127.0.0.1:8200";,
+                    "prefix": "kv/apisix",
+                    "token": "root"
+                }]]
+                )
+            if code >= 300 then
+                ngx.status = code
+                return ngx.say(body)
+            end
+
+            local ref = { key = "$secret://vault/lru/lru-key/jack/key" }
+
+            -- resolve through the cache once the manager config is synced
+            local resolved
+            for _ = 1, 50 do
+                resolved = secret.fetch_secrets(ref, true)
+                if resolved.key == "value" then
+                    break
+                end
+                ngx.sleep(0.1)
+            end
+            ngx.say(resolved.key)
+
+            local _, ver = secret.secrets()
+
+            code, body = t('/apisix/admin/secrets/vault/lru', ngx.HTTP_DELETE)
+            if code >= 300 then
+                ngx.status = code
+                return ngx.say(body)
+            end
+
+            -- wait for the /secrets config version to bump
+            for _ = 1, 50 do
+                local _, new_ver = secret.secrets()
+                if new_ver ~= ver then
+                    break
+                end
+                ngx.sleep(0.1)
+            end
+
+            -- cache must re-resolve: the manager is gone, so it falls back to 
the literal ref
+            resolved = secret.fetch_secrets(ref, true)
+            ngx.say(resolved.key)
+        }
+    }
+--- request
+GET /t
+--- timeout: 20
+--- response_body
+value
+$secret://vault/lru/lru-key/jack/key

Reply via email to