nic-6443 commented on code in PR #12935:
URL: https://github.com/apache/apisix/pull/12935#discussion_r3393102016
##########
apisix/init.lua:
##########
@@ -1243,6 +1244,7 @@ function _M.stream_init_worker()
plugin.init_worker()
xrpc.init_worker()
+ apisix_secret.init_worker()
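Review bot: adding `apisix_secret.init_worker()` after `xrpc.init_worker()` only starts the asynchronous secrets watcher for the stream subsystem; it does not make the secrets config available before the first handshake, because the stream init-phase etcd snapshot is filtered by `STREAM_ETCD_DIRECTORY` in `apisix/constants.lua`, which does not list `/secrets`. On its own this line still leaves a window in which `secret_kv()` runs before the first sync and `retrieve_refs()` falls back to the raw `$secret://...` string. Pair it with `["/secrets"] = true` in `STREAM_ETCD_DIRECTORY` in the same change, and cover the path with the vault test case so the race is caught in CI rather than only at TLS time.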
Review Comment:
The `$secret://` half of this fix is still incomplete, and it is why your
earlier vault tests kept failing in CI before you removed them: `/secrets` is
missing from `STREAM_ETCD_DIRECTORY` in `apisix/constants.lua`. The init-phase
etcd snapshot is filtered by that list (see `create_formatter` in
`apisix/core/config_etcd.lua`), so unlike the http subsystem the stream VM does
not preload the secrets config. The first TLS handshake then reaches
`secret_kv()` before the async watcher finishes its first sync and fails with
`no secret conf`, and `retrieve_refs()` silently falls back to the raw
`$secret://...` string — which is exactly the `failed to parse PEM cert:
PEM_read_bio_X509_AUX() failed` error you saw.
I verified this locally on your branch by re-adding the vault test from your
earlier revision (405092c54): it fails as-is with `no secret conf`, and passes
deterministically once I add `["/secrets"] = true` to `STREAM_ETCD_DIRECTORY`.
Could you add that line and restore the vault test case? That would also
resolve the open request from @Baoyuantop for `$secret://` coverage.