LGTM
soulbird <soulb...@apache.org> wrote on Wed, Jan 4, 2023 at 12:07:
>
> Hi, community,
>
> I wanted to talk to you about tweaking the way the jwt-auth plugin
> integrates with Vault.
>
> WHAT
>
> Currently, the jwt-auth plugin can be integrated with HashiCorp Vault
> to save the secret value in the Vault. Specific usage reference:
> https://github.com/apache/apisix/blob/master/docs/en/latest/plugins/jwt-auth.md#usage-with-hashicorp-vault
>
> After version 3.1.0, APISIX can connect to Vault through the Secret
> resource, which is applicable to all identity authentication plug-ins
> in APISIX and has better versatility. The original design can be
> referred to: https://github.com/apache/apisix/issues/8319
>
> Therefore, we plan to remove the Vault configuration of the jwt-auth
> plugin itself, and use the APISIX Secret resource to provide the
> jwt-auth plugin with the ability to integrate with Vault.
>
> WHY
>
> 1. Merge code with the same function to make the code of APISIX more concise
> 2. The jwt-auth plugin can more conveniently connect to more Secret
> Managers (such as Vault, etc.)
> 3. The private_key of the jwt-auth plugin can also be saved in Vault
>
> HOW
>
> 1. Delete the vault configuration of the jwt-auth plugin
> 2. Delete apisix/core/vault.lua
>
> After doing this, if we need to save the secret configuration in
> Vault, we can do this:
>
> First, create the corresponding secret in the vault. You can use the
> following command:
>
> vault kv put apisix/jack jwt-key=value
>
> Next, you can configure APISIX through the following steps:
>
> Step 1: Add Secret resources through the Admin API, and configure the
> connection information such as the address of the vault:
>
> curl http://127.0.0.1:9180/apisix/admin/secrets/vault/1 \
>   -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
> {
>     "uri": "https://127.0.0.1:8200",
>     "prefix": "apisix",
>     "token": "root"
> }'
>
> Step 2: Refer to the Secret resource in the jwt-auth plugin and fill
> in the secret information:
>
> curl http://127.0.0.1:9180/apisix/admin/consumers \
>   -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
> {
>     "username": "jack",
>     "plugins": {
>         "jwt-auth": {
>             "key": "user-key",
>             "secret": "$secret://vault/1/jack/jwt-key"
>         }
>     }
> }'
>
> --
> *Shirui Zhao*
> My GitHub: https://github.com/soulbird
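As an added illustration (not code from this thread or from APISIX itself), the Python sketch below shows how a `$secret://vault/1/jack/jwt-key` reference like the one in the consumer config above can be resolved against the Secret resource registered in Step 1: the reference is split into manager, resource id, KV path and field, the KV read request is built from the resource's `uri`/`prefix`/`token`, and the field is pulled out of the response. The Vault reply is a constructed stand-in (KV v1 shape, `GET {uri}/v1/{prefix}/{path}` with an `X-Vault-Token` header) and every function name is hypothetical; APISIX's real resolver is written in Lua and may differ in detail.

```python
import re

# Secret resource as created through the Admin API in Step 1 of the
# quoted mail (values copied from there; "root" is a dev-mode token).
SECRET_RESOURCES = {
    ("vault", "1"): {"uri": "https://127.0.0.1:8200",
                     "prefix": "apisix", "token": "root"},
}

# Constructed stand-in for Vault's KV (v1-style) read response after
# "vault kv put apisix/jack jwt-key=value"; a live resolver would issue
# GET {uri}/v1/{prefix}/{path} over TLS instead of consulting this dict.
FAKE_VAULT_KV = {
    "apisix/jack": {"data": {"jwt-key": "value"}},
}

# $secret://<manager>/<resource id>/<kv path>/<field>; the path may itself
# contain slashes, so the field is the last segment only.
SECRET_REF = re.compile(
    r"^\$secret://(?P<manager>[^/]+)/(?P<id>[^/]+)/(?P<path>.+)/(?P<key>[^/]+)$")

def parse_secret_ref(ref):
    """Split "$secret://vault/1/jack/jwt-key" into (manager, id, path, key)."""
    m = SECRET_REF.match(ref)
    if not m:
        raise ValueError("not a $secret:// reference: %r" % ref)
    return m.group("manager"), m.group("id"), m.group("path"), m.group("key")

def vault_request(conf, path):
    """Build the KV read URL and auth header from the Secret resource."""
    url = "%s/v1/%s/%s" % (conf["uri"].rstrip("/"), conf["prefix"].strip("/"), path)
    return url, {"X-Vault-Token": conf["token"]}

def resolve(ref, kv=FAKE_VAULT_KV):
    """Return the plaintext value a $secret:// reference points at."""
    manager, sid, path, key = parse_secret_ref(ref)
    if manager != "vault":
        raise ValueError("unsupported secret manager: %s" % manager)
    conf = SECRET_RESOURCES[(manager, sid)]
    _url, _headers = vault_request(conf, path)  # the request that would be sent
    record = kv.get("%s/%s" % (conf["prefix"].strip("/"), path))
    if record is None or key not in record.get("data", {}):
        raise KeyError("secret %s has no field %s" % (ref, key))
    return record["data"][key]

def resolve_plugin_conf(conf):
    """Replace every "$secret://" string in a plugin config with its value."""
    return {k: resolve(v) if isinstance(v, str) and v.startswith("$secret://") else v
            for k, v in conf.items()}
```

Resolved values should stay in memory only and never be written to the config store or logs; the reference string is what the Admin API persists.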