membphis commented on PR #13670:
URL: https://github.com/apache/apisix/pull/13670#issuecomment-4912138523
I think this should be fixed before merge.
`ai-rate-limiting` now exposes Redis credential fields by reusing the
`limit-count` Redis schemas, but its own plugin schema does not declare those
fields in `encrypt_fields`. APISIX config encryption is driven by each plugin
schema's `encrypt_fields`, so `redis_password` / `sentinel_password` would be
stored as plain plugin config here, while comparable plugins such as
`limit-count`, `limit-req`, and `ai-cache` encrypt Redis passwords.
There is also a sentinel wiring gap: the schema accepts Redis master
credentials for `redis-sentinel`, and the backend uses `redis_username` /
`redis_password` for the Redis master connection, but `transform_limit_conf`
only forwards the sentinel credentials and does not pass `redis_username` /
`redis_password` in the sentinel branch. A valid sentinel config with Redis
master auth can pass validation but fail at runtime.
Suggested fix: add `encrypt_fields = {"redis_password",
"sentinel_password"}` to the `ai-rate-limiting` schema, forward
`redis_username` / `redis_password` for `redis-sentinel`, and add coverage for
encrypted Redis credentials plus sentinel master auth.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]