nic-6443 opened a new pull request, #13624:
URL: https://github.com/apache/apisix/pull/13624

   ### Description
   
   The Redis-based rate limiting policies of `limit-count`, `limit-req`, and 
`limit-conn` accept `redis_password` (and `sentinel_password` for 
`limit-count`), but these fields were not listed in the plugin schema's 
`encrypt_fields`. As a result they were stored in plaintext in etcd even when 
`data_encryption.enable_encrypt_fields` is on, unlike other Redis-using plugins 
such as `ai-cache` which already encrypts `redis_password`.
   
   This PR adds the password fields to each plugin schema's `encrypt_fields`:
   
   - `limit-count`: `redis_password`, `sentinel_password`
   - `limit-req`: `redis_password`
   - `limit-conn`: `redis_password`
   
   With `data_encryption` enabled, these fields are now encrypted at rest in 
etcd and transparently decrypted at runtime / on Admin API reads.
   
   ### Tests
   
   Added cases to `t/node/data_encrypt.t` that PUT a route with each plugin 
using `policy: redis` and a `redis_password`, then assert the Admin API returns 
the decrypted value while the raw etcd entry stores it encrypted.
   
   Plugin docs (en/zh) updated with the standard `encrypt_fields` note.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to