AlinsRan commented on code in PR #13062:
URL: https://github.com/apache/apisix/pull/13062#discussion_r3548069703
##########
apisix/schema_def.lua:
##########
@@ -838,7 +838,12 @@ _M.ssl = {
client = {
type = "object",
properties = {
- ca = certificate_scheme,
+ ca = {
+ oneOf = {
+ certificate_scheme,
+ secret_uri_schema
Review Comment:
Right, dropped that hunk when merging master. `secret_uri_schema` is gone
and `skip_validation = secret.is_secret_ref` already lets `$env://` /
`$secret://` through the schema check. Only the `check_ssl_conf` guard in
ssl.lua is left.
##########
apisix/init.lua:
##########
@@ -552,9 +552,22 @@ function _M.handle_upstream(api_ctx, route,
enable_websocket)
return ngx_exit(1)
end
+ local new_upstream_ssl = apisix_secret.fetch_secrets(upstream_ssl,
true)
Review Comment:
Done. Master refactored this into `resolve_upstream_client_cert()`, so the
resolve now lives there and is gated on `secret.has_secret_ref(upstream_ssl)` —
plain cert/key keeps the zero-copy path, and the stream subsystem gets the fix
too since it shares that helper.
##########
apisix/init.lua:
##########
@@ -552,9 +552,22 @@ function _M.handle_upstream(api_ctx, route,
enable_websocket)
return ngx_exit(1)
end
+ local new_upstream_ssl = apisix_secret.fetch_secrets(upstream_ssl,
true)
+
+ if not new_upstream_ssl then
Review Comment:
Agreed, the nil check was dead code. Removed it, now it matches
radixtree_sni.lua: `fetch_secrets(...) or upstream_ssl`.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]