Sn0rt opened a new issue, #10221: URL: https://github.com/apache/apisix/issues/10221
### Description

This proposal is based on https://github.com/apache/apisix/issues/9915 and adjusts the field design. It is part of https://github.com/apache/apisix/issues/8319.

### Description

Sensitive information in `config.yaml` supports vault (needs to be implemented).

Through analysis, the sensitive information in `config.yaml` that meets the definition of a secret is:

1. Admin key
2. etcd password
3. etcd certificate
4. Admin API certificate
5. Information that may exist in `plugin_attr`

The above sensitive information needs to be designed and implemented according to priority, and stored in the `vault`.

### Original configuration method

The admin key and etcd password are configured in clear text, and the certificate is given as a path:

```yaml
deployment:
  admin:
    admin_key:
      - name: admin
        key: edd1c9f034335f136f87ad84b625c8f1
        role: admin
      - name: viewer
        key: 4054f7cf07e344346cd3f287985e76a2
        role: viewer
    admin_api_mtls:
      admin_ssl_cert: ""
      admin_ssl_cert_key: ""
      admin_ssl_ca_cert: ""
  etcd:
    password: 5tHkHhYkjr6cQY
    tls:
      cert: /path/to/cert
      key: /path/to/key
```

Among them, the `plugin_attr` of config-default has no special need to be stored in vault for the time being. If there is one, add it later.

### Add configuration items

An example is as follows:

```yaml
deployment:
  secret_manager:
    vault:
      uri: https://vault.vault:8200
      prefix: "kv/apisix"
      token: "${{VAULT_TOKEN}}"
```

When `deployment.secret_vault.enable` is true, APISIX will allow values in the form `$secret://$secret_name/$key` for:

1. The key value under `deployment.admin.admin_key`
2. The three certificate entries under `deployment.admin.admin_api_mtls`
3. `deployment.etcd.password`
4. The two certificate entries under `deployment.etcd.tls`

The vault token is taken from the environment variables.

Example configuration:

```yaml
deployment:
  admin:
    admin_key:
      - name: admin
        key: "$secret://vault/apisix_config/admin_key"
        role: admin
      - name: viewer
        key: "$secret://vault/apisix_config/viewer_key"
        role: viewer
    admin_api_mtls:
      admin_ssl_cert_content: "$secret://vault/apisix_config/admin_ssl_cert"
      admin_ssl_cert_key_content: "$secret://vault/apisix_config/admin_ssl_cert_key"
      admin_ssl_ca_cert_content: "$secret://vault/apisix_config/admin_ssl_ca_cert"
  etcd:
    password: "$secret://vault/apisix_config/etcd_password"
    tls:
      cert_content: "$secret://vault/apisix_config/etcd_cert"
      key_content: "$secret://vault/apisix_config/etcd_cert_key"
```

When `deployment.secret_vault.enable` is not true, the original string is kept. If the return value of Vault is empty (the key does not exist), log and keep the original string.

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]

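The resolution rules described in the issue (only the listed fields may carry `$secret://$secret_name/$key` references; references are left as literal strings when the secret manager is not enabled or when Vault has no value for the key), as an added example that is not APISIX code and not part of the original issue. It assumes the part after the manager name is a KV path looked up under the configured prefix `kv/apisix`; the Vault call itself is replaced by a constructed in-memory lookup (`FAKE_VAULT`, `fake_lookup`), and `RESOLVABLE_FIELDS`, `resolve_config` and `demo` are names chosen here:

```python
import copy
import logging
import re
from typing import Any, Callable, Dict, List, Optional, Tuple

log = logging.getLogger("secret_ref")

# Reference form from the proposal: $secret://$secret_name/$key
SECRET_REF = re.compile(r"^\$secret://(?P<manager>[^/]+)/(?P<key>.+)$")

# Only these dotted paths are resolved (the fields listed in the proposal);
# "*" stands for every element of a list. Anything else is left untouched.
RESOLVABLE_FIELDS = [
    "deployment.admin.admin_key.*.key",
    "deployment.admin.admin_api_mtls.admin_ssl_cert_content",
    "deployment.admin.admin_api_mtls.admin_ssl_cert_key_content",
    "deployment.admin.admin_api_mtls.admin_ssl_ca_cert_content",
    "deployment.etcd.password",
    "deployment.etcd.tls.cert_content",
    "deployment.etcd.tls.key_content",
]


def parse_ref(value: Any) -> Optional[Tuple[str, str]]:
    """Return (manager, key) for a $secret:// string, else None."""
    if not isinstance(value, str):
        return None
    m = SECRET_REF.match(value)
    return (m.group("manager"), m.group("key")) if m else None


def _walk(node: Any, parts: List[str], visit: Callable[[Any, Any], None]) -> None:
    """Call visit(container, key) for every leaf addressed by a dotted path."""
    head, rest = parts[0], parts[1:]
    if head == "*":
        if isinstance(node, list):
            for i, item in enumerate(node):
                _walk(item, rest, visit) if rest else visit(node, i)
        return
    if not isinstance(node, dict) or head not in node:
        return
    _walk(node[head], rest, visit) if rest else visit(node, head)


def resolve_config(config: Dict[str, Any], enabled: bool,
                   lookup: Callable[[str], Optional[str]]) -> Dict[str, Any]:
    """Copy config, replacing references in RESOLVABLE_FIELDS with secrets.

    Fallbacks follow the proposal: manager disabled -> original strings kept;
    Vault returns nothing for a key -> log the miss and keep the original string.
    """
    out = copy.deepcopy(config)
    if not enabled:
        return out

    def visit(container: Any, key: Any) -> None:
        ref = parse_ref(container[key])
        if ref is None:
            return
        manager, path = ref
        if manager != "vault":  # the proposal only defines the vault manager
            log.warning("unknown secret manager %r, keeping original string", manager)
            return
        secret = lookup(path)
        if not secret:
            log.warning("vault returned no value for %r, keeping original string", path)
            return
        container[key] = secret

    for field in RESOLVABLE_FIELDS:
        _walk(out, field.split("."), visit)
    return out


# Constructed sample config mirroring the issue's example; plugin_attr is not
# in the allowed list, so its reference must survive as a literal string.
SAMPLE_CONFIG = {
    "deployment": {
        "admin": {"admin_key": [
            {"name": "admin", "key": "$secret://vault/apisix_config/admin_key", "role": "admin"},
            {"name": "viewer", "key": "$secret://vault/apisix_config/viewer_key", "role": "viewer"},
        ]},
        "etcd": {"password": "$secret://vault/apisix_config/etcd_password"},
    },
    "plugin_attr": {"x": "$secret://vault/apisix_config/x"},
}

# Constructed stand-in for the KV store under prefix kv/apisix; viewer_key is
# deliberately absent to exercise the "key does not exist" fallback.
FAKE_VAULT = {
    "kv/apisix/apisix_config/admin_key": "constructed-admin-key",
    "kv/apisix/apisix_config/etcd_password": "constructed-etcd-password",
}


def fake_lookup(path: str, prefix: str = "kv/apisix") -> Optional[str]:
    return FAKE_VAULT.get(f"{prefix}/{path}")


def demo(enabled: bool = True) -> Dict[str, Any]:
    return resolve_config(SAMPLE_CONFIG, enabled, fake_lookup)


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(demo()["deployment"])
```

Running it logs one warning for the missing `viewer_key` and leaves that reference, and the `plugin_attr` one, unchanged while the admin key and etcd password are replaced; `demo(enabled=False)` returns the config exactly as given. Keeping the literal `$secret://...` string on a miss, rather than an empty value, is what the proposal asks for, and it has the useful side effect that a misconfigured reference fails authentication instead of silently becoming an empty admin key.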