Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: use env var instead of plain text for vault token #8866

Merged
merged 24 commits into from
Feb 24, 2023
Merged

feat: use env var instead of plain text for vault token #8866

merged 24 commits into from
Feb 24, 2023

Conversation

shreemaan-abhishek
Copy link
Contributor

@shreemaan-abhishek shreemaan-abhishek commented Feb 15, 2023
edited
Loading

Description

Currently, we use plain text to add vault as a secret resource. Like so:

curl http://127.0.0.1:9180/apisix/admin/secret/vault/1 \
-H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
{
    "uri": "https://127.0.0.1:8200",
    "prefix": "apisix",
    "token": "root"
}'

This PR implements a feature that would allow the use of environment variables in the following format: $ENV://NAME_OF_ENV_VAR.

This is the final outcome:

curl http://127.0.0.1:9180/apisix/admin/secret/vault/1 \
-H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
{
    "uri": "https://127.0.0.1:8200",
    "prefix": "apisix",
    "token": "$ENV://VAULT_TOKEN"
}'

A part of #8319

cc: @soulbird

Checklist

  • I have explained the need for this PR and the problem it solves
  • I have explained the changes or the new features added to this PR
  • I have added tests corresponding to this change
  • I have updated the documentation to reflect this change
  • I have verified that this change is backward compatible (If not, please discuss on the APISIX mailing list first)

@shreemaan-abhishek shreemaan-abhishek marked this pull request as ready for review February 15, 2023 09:03
soulbird
soulbird reviewed Feb 15, 2023
View reviewed changes
t/config-center-yaml/secret.t Outdated
@@ -61,7 +61,7 @@ __DATA__
secrets:
- id: vault/1
prefix: kv/apisix
token: root
token: "$ENV://VAULT_TOKEN"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So we can no longer use such a configuration?

token: root

Copy link
Contributor Author

@shreemaan-abhishek shreemaan-abhishek Feb 15, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, we won't be able to use such a configuration. Let me fix that quickly.

soulbird
soulbird reviewed Feb 16, 2023
View reviewed changes
ci/centos7-ci.sh Outdated
@@ -84,6 +84,7 @@ run_case() {
export_or_prefix
make init
set_coredns
export VAULT_TOKEN="root"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

refer: https://github.com/apache/apisix/blob/master/t/core/env.t#L17-L20

soulbird
soulbird reviewed Feb 16, 2023
View reviewed changes
t/config-center-yaml/secret.t Outdated
--- response_body
0
--- error_log
property "uri" validation failed: failed to match pattern "^[^\\/]+:\\/\\/([\\da-zA-Z.-]+|\\[[\\da-fA-F:]+\\])(:\\d+)?"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why add this test case? It doesn't look like it has anything to do with your modification?

Copy link
Contributor Author

@shreemaan-abhishek shreemaan-abhishek Feb 16, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I just duplicated all the test cases containing the token with just one change: replace the token with the environment variable. Let me do something better. 😂

t/config-center-yaml/secret.t Outdated
--- response_body
0
--- error_log
secret manager not exits
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ditto

t/config-center-yaml/secret.t Outdated
prefix: kv/apisix
token: $ENV://VAULT_TOKEN
uri: http://127.0.0.1:8200

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There is no need to add this test

t/config-center-yaml/secret.t Outdated



=== TEST 21: secret.fetch_by_uri, no sub key value with the token in an env var
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This test case already exists

t/plugin/basic-auth.t
}
}
--- response_body
passed
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You only configured the route, you also need to verify whether the route is effective

soulbird
soulbird reviewed Feb 20, 2023
View reviewed changes
t/config-center-yaml/secret.t Outdated
@@ -14,6 +14,10 @@
# See the License for the specific language governing permissions and
# limitations under the License.
#
BEGIN {
$ENV{VAULT_TOKEN} = "root";
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why was this added?

@soulbird
Copy link
Contributor

IMO, just adding a test case for t/secret/vault.t is enough. The test cases under t/plugin seem redundant, don't you think?

@shreemaan-abhishek
Copy link
Contributor Author

The test cases under t/plugin seem redundant, don't you think?

I thought the same. But then I thought they would provide better safety from potential nasty bugs in the future.

@soulbird
Copy link
Contributor

The test cases under t/plugin seem redundant, don't you think?

I thought the same. But then I thought they would provide better safety from potential nasty bugs in the future.

ok

soulbird
soulbird previously approved these changes Feb 20, 2023
View reviewed changes
spacewander
spacewander reviewed Feb 21, 2023
View reviewed changes
Copy link
Member

@spacewander spacewander left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's update https://github.com/apache/apisix/blob/master/docs/en/latest/terminology/secret.md

apisix/secret/vault.lua Outdated
@@ -26,6 +26,7 @@ local norm_path = require("pl.path").normpath
local sub = core.string.sub
local rfind_char = core.string.rfind_char

local env = require("apisix.core.env")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can't we import it like core.string.sub?

soulbird
soulbird previously approved these changes Feb 22, 2023
View reviewed changes
spacewander
spacewander reviewed Feb 22, 2023
View reviewed changes
apisix/secret/vault.lua Outdated
@@ -26,6 +26,7 @@ local norm_path = require("pl.path").normpath
local sub = core.string.sub
local rfind_char = core.string.rfind_char

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We can avoid the blank line here? Other files don't add a blank line among localized variables.

@spacewander spacewander merged commit 14727fc into apache:master Feb 24, 2023
@shreemaan-abhishek shreemaan-abhishek deleted the vault-token-env-var branch April 27, 2023 04:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@soulbird soulbird soulbird approved these changes

@spacewander spacewander spacewander approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@shreemaan-abhishek @soulbird @spacewander