nic-6443 commented on issue #13493: URL: https://github.com/apache/apisix/issues/13493#issuecomment-4676897548
Good news: both validation failures you hit are already fixed on master, and the kubernetes secret manager part is a new feature rather than a regression — it has never existed in any APISIX release, which is why it's "missing" from the 3.16.0 image (your PR #13509 is the right place to add it).

One correction on the mechanics: APISIX never writes resolved secret values back to etcd. What got encrypted was the `$secret://...` reference string itself, by the Admin API at write time, and on 3.16.0 `plugin_checker` validated the still-encrypted value before decrypting, which is what produced the `string too long ... got 128` error on reload. That ordering was fixed in 9a2380c68 (#13192), which decrypts before validation, and c22058ce5 (#13312) goes further by skipping schema checks like `maxLength` for any `$secret://`/`$env://` reference, so long reference strings are no longer rejected either. Both landed right after 3.16.0 was cut and will be in the next release. The remaining 100-char limit only applies to plaintext secrets now, which Keycloak/Azure-generated secrets fit comfortably.

Since the secret manager itself is tracked in #13509, I'd suggest closing this one.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
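A minimal Python model of the validation ordering described in the comment above, added here as an illustration; it is not APISIX code and not part of the original comment. The XOR/hex cipher, the key, the function names and the sample references are constructed stand-ins, chosen so that a 56-character reference grows to 128 characters once encrypted.

```python
# Toy model of the validation ordering; NOT APISIX code.
MAX_LENGTH = 100                      # plaintext limit mentioned in the comment
KEY = b"constructed-key!"             # constructed 16-byte key
REF_PREFIXES = ("$secret://", "$env://")
SHORT_REF = "$secret://vault/example-id/keycloak-client/client_secret"  # constructed, 56 chars
LONG_REF = "$secret://vault/example-id/" + "a" * 90                     # constructed, 117 chars

def _xor(data):
    return bytes(b ^ KEY[i % len(KEY)] for i, b in enumerate(data))

def toy_encrypt(text):
    """Stand-in cipher: pad to 16-byte blocks, XOR, hex-encode (output grows)."""
    raw = text.encode()
    pad = 16 - len(raw) % 16
    return _xor(raw + bytes([pad]) * pad).hex()

def toy_decrypt(stored):
    raw = _xor(bytes.fromhex(stored))
    return raw[:-raw[-1]].decode()

def check_length(value):
    """Return None when valid, else an error string (like a maxLength check)."""
    if len(value) > MAX_LENGTH:
        return f"too long: limit {MAX_LENGTH}, got {len(value)}"
    return None

def validate_encrypted_first(stored):
    # Ordering the comment describes for 3.16.0: schema check sees ciphertext.
    return check_length(stored)

def validate_after_decrypt(stored):
    # Ordering after the first fix: decrypt, then run the schema check.
    return check_length(toy_decrypt(stored))

def validate_skip_refs(stored):
    # Second fix: references are not length-checked; plaintext still is.
    value = toy_decrypt(stored)
    if value.startswith(REF_PREFIXES):
        return None
    return check_length(value)

if __name__ == "__main__":
    for name, value in [("short ref", SHORT_REF), ("long ref", LONG_REF), ("plaintext", "x" * 101)]:
        stored = toy_encrypt(value)
        print(name, "| encrypted-first:", validate_encrypted_first(stored),
              "| after-decrypt:", validate_after_decrypt(stored),
              "| skip-refs:", validate_skip_refs(stored))
```

The short reference fails only under the encrypted-first ordering, the long reference passes only once references are exempt from the length check, and an over-limit plaintext value is rejected in every case.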
