AlinsRan commented on code in PR #13062:
URL: https://github.com/apache/apisix/pull/13062#discussion_r3548069703


##########
apisix/schema_def.lua:
##########
@@ -838,7 +838,12 @@ _M.ssl = {
         client = {
             type = "object",
             properties = {
-                ca = certificate_scheme,
+                ca = {
+                    oneOf = {
+                        certificate_scheme,
+                        secret_uri_schema

Review Comment:
   Right, dropped that hunk when merging master. `secret_uri_schema` is gone 
and `skip_validation = secret.is_secret_ref` already lets `$env://` / 
`$secret://` through the schema check. Only the `check_ssl_conf` guard in 
ssl.lua is left.



##########
apisix/init.lua:
##########
@@ -552,9 +552,22 @@ function _M.handle_upstream(api_ctx, route, 
enable_websocket)
             return ngx_exit(1)
         end
 
+        local new_upstream_ssl = apisix_secret.fetch_secrets(upstream_ssl, 
true)

Review Comment:
   Done. Master refactored this into `resolve_upstream_client_cert()`, so the 
resolve now lives there and is gated on `secret.has_secret_ref(upstream_ssl)` — 
plain cert/key keeps the zero-copy path, and the stream subsystem gets the fix 
too since it shares that helper.



##########
apisix/init.lua:
##########
@@ -552,9 +552,22 @@ function _M.handle_upstream(api_ctx, route, 
enable_websocket)
             return ngx_exit(1)
         end
 
+        local new_upstream_ssl = apisix_secret.fetch_secrets(upstream_ssl, 
true)
+
+        if not new_upstream_ssl then

Review Comment:
   Agreed, the nil check was dead code. Removed it, now it matches 
radixtree_sni.lua: `fetch_secrets(...) or upstream_ssl`.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to