fix(dao) invalidate client certificate cache when updating (#8934)

use correct cache_key to automatically invalidate certificate in core_cache and add a test

Co-authored-by: robin.xiang <[email protected]>
Co-authored-by: Qirui(Keery) Nie <[email protected]>
Co-authored-by: Mayo <[email protected]>

CHANGELOG.md

@@ -277,6 +277,8 @@ a restart (e.g., upon a plugin server crash).
   being reloaded. [#8702](https://github.com/Kong/kong/pull/8702)
 - The private stream API has been rewritten to allow for larger message payloads
   [#8641](https://github.com/Kong/kong/pull/8641)
+- Fixed an issue that the client certificate sent to upstream was not updated when calling PATCH Admin API
+  [#8934](https://github.com/Kong/kong/pull/8934)
 
 #### Plugins
 

kong/runloop/certificate.lua

@@ -193,9 +193,10 @@ end
 
 
 local function get_certificate(pk, sni_name)
-  return kong.core_cache:get("certificates:" .. pk.id,
-                        get_certificate_opts, fetch_certificate,
-                        pk, sni_name)
+  local cache_key = kong.db.certificates:cache_key(pk)
+  return kong.core_cache:get(cache_key,
+                             get_certificate_opts, fetch_certificate,
+                             pk, sni_name)
 end
 
 

kong/runloop/handler.lua

@@ -525,23 +525,6 @@ local function register_events()
     end
   end, "crud", "snis")
 
-
-  worker_events.register(function(data)
-    log(DEBUG, "[events] SSL cert updated, invalidating cached certificates")
-    local certificate = data.entity
-
-    for sni, err in db.snis:each_for_certificate({ id = certificate.id }, nil, GLOBAL_QUERY_OPTS) do
-      if err then
-        log(ERR, "[events] could not find associated snis for certificate: ",
-          err)
-        break
-      end
-
-      local cache_key = "certificates:" .. sni.certificate.id
-      core_cache:invalidate(cache_key)
-    end
-  end, "crud", "certificates")
-
   register_balancer_events(core_cache, worker_events, cluster_events)
 end
 

spec/02-integration/05-proxy/18-upstream_tls_spec.lua

@@ -19,6 +19,7 @@ local fixtures = {
           keepalive_requests     0;
 
           location = / {
+              add_header 'X-Cert' $ssl_client_escaped_cert;
               echo 'it works';
           }
       }
@@ -184,6 +185,36 @@ for _, strategy in helpers.each_strategy() do
           end, 10)
         end)
 
+        it("send updated client certificate", function ()
+          local res = assert(proxy_client:send {
+            path    = "/mtls",
+            headers = {
+              ["Host"] = "example.com",
+            }
+          })
+          assert.res_status(200, res)
+          local res_cert = res.headers["X-Cert"]
+
+          res = admin_client:patch("/certificates/" .. certificate.id, {
+            body = {
+              cert = ssl_fixtures.cert_client2,
+              key = ssl_fixtures.key_client2,
+            },
+            headers = { ["Content-Type"] = "application/json" }
+          })
+          assert.res_status(200, res)
+
+          res = assert(proxy_client:send {
+            path    = "/mtls",
+            headers = {
+              ["Host"] = "example.com",
+            }
+          })
+          assert.res_status(200, res)
+          local res_cert2 = res.headers["X-Cert"]
+          assert.not_equals(res_cert, res_cert2)
+        end)
+
         it("remove client_certificate removes access", function()
           local res = assert(admin_client:patch("/services/" .. service_mtls.id, {
             body = {