fix: invalidate secret LRU cache on /secrets changes#13668
Merged
shreemaan-abhishek merged 2 commits intoJul 10, 2026
Merged
Conversation
The secret resolver passed a constant "" version to the secret LRU cache, so core.lrucache never detected staleness: a deleted secret kept resolving to its cached value indefinitely, and updates were only picked up after the TTL window. With refresh_stale = true an expired entry is served while a background refresh retries, so once a secret is deleted the refresh fails forever and the stale value is served forever. Pass the real secrets conf_version (already exposed via _M.secrets) so a change to /secrets re-resolves the entry on the next access, matching how route/service caches behave. $env:// shares this cache; env values are static, so dropping them on a /secrets bump is harmless. Signed-off-by: Abhishek Choudhary <shreemaan.abhishek@gmail.com>
TEST 3 polls for the /secrets version bump after the delete, which can take a couple of seconds on a loaded runner. Give the request a 20s ceiling so a slow poll fails on the assertion, not a client timeout. Signed-off-by: Abhishek Choudhary <shreemaan.abhishek@gmail.com>
nic-6443
reviewed
Jul 8, 2026
nic-6443
approved these changes
Jul 8, 2026
AlinsRan
approved these changes
Jul 10, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
After a
secretobject is deleted via the Admin API,$secret://references keep resolving to the previously cached value indefinitely. Updates to a secret are only picked up after the cache TTL window.Root cause:
apisix/secret.luaresolved secret URIs through the secret LRU cache with a constant version string:core.lrucacheuses theversionargument to detect staleness (an entry is re-resolved only whenobj.ver ~= version). Every other cached resource passes its realconf_version; the secret cache passed"", so no/secretschange ever invalidated an entry. Withrefresh_stale = truean expired entry keeps being served while a background timer retries, so once the secret is deleted the refresh fails forever and the stale value is served forever.Fix: Pass the real secrets
conf_version(already exposed via_M.secrets()). A change to/secretsbumps the version, so the cache re-resolves on the next access, matching how route/service caches behave.Notes:
/secretshas one sharedconf_version, so any secret change invalidates all cached secret values (consistent with route/service cache behavior).$env://shares this cache; bumping on/secretschanges also drops env entries, which is harmless since env values are static.Checklist
Test
t/secret/secret_lru.tadds a case that resolves a secret through the cache, deletes it, and asserts the reference stops resolving (falls back to the literal string) instead of serving the stale value. Verified the test fails before the fix and passes after.