GrayHatLabs opened a new issue, #11720:
URL: https://github.com/apache/apisix/issues/11720

   ### Current Behavior
   
   I am running APISIX in stand-alone mode and want to use Vault for secret management.
   
   I am using the Docker images, and I keep getting this error. I don't know how to add certificates to the trust.
   
   global_rules:
     - id: 1
       plugins:
         key-auth:
           header: "Authorization"
   
   routes:
     - id: "test_route"
       uri: "/test"
       plugins:
         key-auth: {}
       upstream:
         type: roundrobin
         scheme: "https"
         nodes:
           "postb.in:443": 1
   
   consumers:
     - username: nemus_dupper
       plugins:
         key-auth:
           key: $secret://vault/1/nemus_dupper/auth-key
   
   secrets:
     - id: vault/1
       ssl_verify: false
       prefix: apisix
       token: hvs.asdfasdfasdfasdf
       uri: https://vault.mydomain.com:8200/
   
   api-gateway-1 | 2024/11/07 06:41:12 [error] 37#37: *1755 [lua] secret.lua:180: fetch(): failed to fetch secret value: failed to retrtive data from vault kv engine: 20: unable to get local issuer certificate, client: 172.18.0.1, server: _, request: "GET / HTTP/1.1", host: "127.0.0.1:8080"
   api-gateway-1 | 2024/11/07 06:41:12 [warn] 37#37: *1755 [lua] plugin.lua:1174: run_plugin(): key-auth exits with http status code 401, client: 172.18.0.1, server: _, request: "GET / HTTP/1.1", host: "127.0.0.1:8080"
   
   ### Expected Behavior
   
   I would like it to call the vault server I've specified in the config.
   
   ### Error Logs
   
   api-gateway-1  | 2024/11/07 06:41:12 [error] 37#37: *1755 [lua] secret.lua:180: fetch(): failed to fetch secret value: failed to retrtive data from vault kv engine: 20: unable to get local issuer certificate, client: 172.18.0.1, server: _, request: "GET / HTTP/1.1", host: "127.0.0.1:8080"
   api-gateway-1  | 2024/11/07 06:41:12 [warn] 37#37: *1755 [lua] plugin.lua:1174: run_plugin(): key-auth exits with http status code 401, client: 172.18.0.1, server: _, request: "GET / HTTP/1.1", host: "127.0.0.1:8080"
   api-gateway-1  | 172.18.0.1 - - [07/Nov/2024:06:41:12 +0000] 127.0.0.1:8080 "GET / HTTP/1.1" 401 52 0.006 "-" "curl/8.2.1" - - - "http://127.0.0.1:8080"
   
   ### Steps to Reproduce
   
   services:
       api-gateway:
           image: apache/apisix:latest
           environment:
               - APISIX_STAND_ALONE=true
               - LUA_SSL_TRUSTED_CERTIFICATE=/usr/local/share/ca-certificates/vault-ca.crt
           volumes:
               - ${CONFIGS:-./configs}/apisix/apisix.yaml:/usr/local/apisix/conf/apisix.yaml:ro
               - ./vault_ca.crt:/usr/local/share/ca-certificates/vault-ca.crt  # Mount the CA cert into the container
           extra_hosts:
               - "vault.mydomain.com:192.168.10.60"
           ports:
               - '${LISTEN_ADDRESS:-127.0.0.1}:8080:9080'
               - '${LISTEN_ADDRESS:-127.0.0.1}:8443:9443'
           networks:
               - public
   networks:
       public:
           external: true
   
   curl -H 'Authorization:asdfasdfasdfas' -H "Content-Type: application/json" -i http://127.0.0.1:8080
   
   ### Environment
   
   - APISIX version (run `apisix version`):
   - Operating system (run `uname -a`):
   - OpenResty / Nginx version (run `openresty -V` or `nginx -V`):
   - etcd version, if relevant (run `curl http://127.0.0.1:9090/v1/server_info`):
   - APISIX Dashboard version, if relevant:
   - Plugin runner version, for issues related to plugin runners:
   - LuaRocks version, for installation issues (run `luarocks --version`):
   docker exec -it apisix-api-gateway-1 bash
   apisix@b7e90f1785f2:/usr/local/apisix$ apisix version
   /usr/local/openresty//luajit/bin/luajit ./apisix/cli/apisix.lua version
   3.11.0
   apisix@b7e90f1785f2:/usr/local/apisix$ uname -a
   Linux b7e90f1785f2 5.15.153.1-microsoft-standard-WSL2 #1 SMP Fri Mar 29 23:14:13 UTC 2024 x86_64 GNU/Linux
   apisix@b7e90f1785f2:/usr/local/apisix$ openresty -V` or `nginx -V`
   > ^C
   apisix@b7e90f1785f2:/usr/local/apisix$ 'penresty -V` or `nginx -V`
   > ^C
   apisix@b7e90f1785f2:/usr/local/apisix$ 'Openresty -V` or `nginx -V`
   > ^C
   apisix@b7e90f1785f2:/usr/local/apisix$ `Openresty -V` or `nginx -V`
   bash: Openresty: command not found
   nginx version: openresty/1.25.3.2
   built by gcc 10.2.1 20210110 (Debian 10.2.1-6)
   built with OpenSSL 3.2.0 23 Nov 2023
   TLS SNI support enabled
   configure arguments: --prefix=/usr/local/openresty/nginx --with-cc-opt='-O2 -DAPISIX_RUNTIME_VER=1.2.1 -DNGX_LUA_ABORT_AT_PANIC -I/usr/local/openresty/zlib/include -I/usr/local/openresty/pcre/include -I/usr/local/openresty/openssl3/include' --add-module=../ngx_devel_kit-0.3.3 --add-module=../echo-nginx-module-0.63 --add-module=../xss-nginx-module-0.06 --add-module=../ngx_coolkit-0.2 --add-module=../set-misc-nginx-module-0.33 --add-module=../form-input-nginx-module-0.12 --add-module=../encrypted-session-nginx-module-0.09 --add-module=../srcache-nginx-module-0.33 --add-module=../ngx_lua-0.10.26 --add-module=../ngx_lua_upstream-0.07 --add-module=../headers-more-nginx-module-0.37 --add-module=../array-var-nginx-module-0.06 --add-module=../memc-nginx-module-0.20 --add-module=../redis2-nginx-module-0.15 --add-module=../redis-nginx-module-0.3.9 --add-module=../ngx_stream_lua-0.0.14 --with-ld-opt='-Wl,-rpath,/usr/local/openresty/luajit/lib -Wl,-rpath,/usr/local/openresty/wasmtime-c-api/lib -L/usr/local/openresty/zlib/lib -L/usr/local/openresty/pcre/lib -L/usr/local/openresty/openssl3/lib -Wl,-rpath,/usr/local/openresty/zlib/lib:/usr/local/openresty/pcre/lib:/usr/local/openresty/openssl3/lib' --add-module=/tmp/tmp.0vt0zLPiwq/openresty-1.25.3.2/../mod_dubbo-1.0.2 --add-module=/tmp/tmp.0vt0zLPiwq/openresty-1.25.3.2/../ngx_multi_upstream_module-1.2.0 --add-module=/tmp/tmp.0vt0zLPiwq/openresty-1.25.3.2/../apisix-nginx-module-1.16.1 --add-module=/tmp/tmp.0vt0zLPiwq/openresty-1.25.3.2/../apisix-nginx-module-1.16.1/src/stream --add-module=/tmp/tmp.0vt0zLPiwq/openresty-1.25.3.2/../apisix-nginx-module-1.16.1/src/meta --add-module=/tmp/tmp.0vt0zLPiwq/openresty-1.25.3.2/../wasm-nginx-module-0.7.0 --add-module=/tmp/tmp.0vt0zLPiwq/openresty-1.25.3.2/../lua-var-nginx-module-v0.5.3 --add-module=/tmp/tmp.0vt0zLPiwq/openresty-1.25.3.2/../lua-resty-events-0.2.0 --with-poll_module --with-pcre-jit --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module --with-http_v2_module --with-http_v3_module --without-mail_pop3_module --without-mail_imap_module --without-mail_smtp_module --with-http_stub_status_module --with-http_realip_module --with-http_addition_module --with-http_auth_request_module --with-http_secure_link_module --with-http_random_index_module --with-http_gzip_static_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-threads --with-compat --with-stream --without-pcre2 --with-http_ssl_module
   bash: or: command not found
   
   apisix@b7e90f1785f2:/usr/local/apisix$ luarocks --version
   bash: luarocks: command not found


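The `20: unable to get local issuer certificate` in the log above is OpenSSL verification error 20: the verifying side has no trusted CA that issued the certificate it was shown. As an added example (not part of the original issue and not APISIX code), the script below builds a constructed root CA, intermediate CA and `vault.example.test` certificate, then shows the error appearing when the trust file holds only the root and clearing when the intermediate is included. All names, files and the helper functions `make_pki`, `check_trust` and `demo` are assumptions made for the demonstration.

```shell
# Added example; every name, key and certificate here is constructed for the demo.
# make_pki DIR: constructed root CA -> intermediate CA -> cert for vault.example.test
make_pki() {
    d=$1
    cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = constructed
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$d/ca.cnf" \
        -extensions v3_ca -subj "/CN=Constructed Root CA" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null || return 1
    openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
        -subj "/CN=Constructed Intermediate CA" \
        -keyout "$d/inter.key" -out "$d/inter.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 2 -extfile "$d/ca.cnf" -extensions v3_ca \
        -out "$d/inter.pem" 2>/dev/null || return 1
    openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
        -subj "/CN=vault.example.test" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
        -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null || return 1
}

# check_trust CAFILE CERT: print "ok" if CERT chains to a CA in CAFILE, else the
# OpenSSL verify error number (20 is the number in the log line above).
check_trust() {
    out=$(openssl verify -CAfile "$1" "$2" 2>&1) || true
    case "$out" in
        *": OK"*) echo ok ;;
        *) echo "$out" | sed -n 's/^error \([0-9][0-9]*\) at.*/\1/p' | head -n 1 ;;
    esac
}

demo() {
    d=$(mktemp -d) || return 1
    make_pki "$d" || { rm -rf "$d"; return 1; }
    cat "$d/root.pem" "$d/inter.pem" > "$d/bundle.pem"
    # Verifying the leaf alone models a server that sends no intermediate.
    echo "root-only=$(check_trust "$d/root.pem" "$d/leaf.pem")" \
         "bundle=$(check_trust "$d/bundle.pem" "$d/leaf.pem")"
    rm -rf "$d"
}
demo
```

Against a real deployment, the same `check_trust` call takes the CA file mounted into the container and the server certificate saved from the Vault endpoint.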