feat: allow admin key and admin api cert to be stored in vault

[rodman10]

Description

Fixes #9915

Checklist

• I have explained the need for this PR and the problem it solves
• I have explained the changes or the new features added to this PR
• I have added tests corresponding to this change
• I have updated the documentation to reflect this change
• I have verified that this change is backward compatible (If not, please discuss on the APISIX mailing list first)

[Sn0rt]

the TEST case look good

[Sn0rt]

If you think you can enter the review, or you want to run a CI test first. You can remove the Draft label.

Generally, I will conduct code review after CI is completed.

[Sn0rt]

@rodman10 are you still process this PR ?

[rodman10]

I have removed the draft state and ready for review.@Sn0rt

[Sn0rt]

I have removed the draft state and ready for review.@Sn0rt

PTAL the CI ?

[rodman10]

I have removed the draft state and ready for review.@Sn0rt

PTAL the CI ?

Ok, I will check it.

[rodman10]

I have removed the draft state and ready for review.@Sn0rt

PTAL the CI ?

I have looked into the centos7 case,

It seems failed in case t/deployment/conf_server.t, but I can't reproduce the problem with cmd prove -I../test-nginx/lib -I./ -r -s t/deployment/conf_server.t, whether I have mistaken the test method @Sn0rt ?

[Sn0rt]

@rodman10 Don't worry, sometimes ci is unstable. Re-run CI to try.

[Sn0rt]

@rodman10

PTAL the CI https://github.com/apache/apisix/actions/runs/5856541181/job/15966889114?pr=9930

+ VAULT_TOKEN=root
+ VAULT_ADDR=http://0.0.0.0:8200/
+ vault kv put kv/apisix/apisix_config admin_ssl_cert=@./t/certs/mtls_server.crt admin_ssl_cert_key=@./t/certs/mtls_server.key admin_ssl_ca_cert=@./t/certs/mtls_ca.crt
./t/cli/test_admin_mtls.sh: line 76: vault: command not found

[rodman10]

@rodman10

PTAL the CI https://github.com/apache/apisix/actions/runs/5856541181/job/15966889114?pr=9930

+ VAULT_TOKEN=root
+ VAULT_ADDR=http://0.0.0.0:8200/
+ vault kv put kv/apisix/apisix_config admin_ssl_cert=@./t/certs/mtls_server.crt admin_ssl_cert_key=@./t/certs/mtls_server.key admin_ssl_ca_cert=@./t/certs/mtls_ca.crt
./t/cli/test_admin_mtls.sh: line 76: vault: command not found

I have add vault dependency in ci/linux_apisix_current_luarocks_runner.sh. @Sn0rt

[Sn0rt]

Can I cooperate? Give me permission

[rodman10]

Can I cooperate? Give me permission

Ok.

[Sn0rt]

this test case can't pass

[Sn0rt]

diff --git a/.github/workflows/cli.yml b/.github/workflows/cli.yml
index 7aa65540..4cde0dfe 100644
--- a/.github/workflows/cli.yml
+++ b/.github/workflows/cli.yml
@@ -53,6 +53,7 @@ jobs:
       - name: Linux launch common services
         run: |
           project_compose_ci=ci/pod/docker-compose.common.yml make ci-env-up
+          sudo ./ci/init-common-test-service.sh

[kingluo]

The code is fine with me.

But I think it should be noted in the PR description which configuration fields support encryption:

• Admin Key
• Admin API certificate
• etcd password
• etcd certificate
• information that may exist in the plugin_attr

Also, whether in this PR or not, the relevant documentation should also describe this change.

[Sn0rt]

The code is fine with me.

But I think it should be noted in the PR description which configuration fields support encryption:

• Admin Key
• Admin API certificate
• etcd password
• etcd certificate
• information that may exist in the plugin_attr

Also, whether in this PR or not, the relevant documentation should also describe this change.

yep. Because our underlying library can only use the path to pass in the certificate, so avoid the PR being too large. We will support this feature in other PRs.

api7/lua-resty-etcd#208

[Sn0rt]

I plan to close this PR and continue to improve this feature based on your commit and new proposal.
The new PR will contain complete information about your commit.
Do you have any suggestions?

@rodman10

[rodman10]

I plan to close this PR and continue to improve this feature based on your commit and new proposal. The new PR will contain complete information about your commit. Do you have any suggestions?

@rodman10

Ok.