Proposal: APISIX Supports Secrets Management #8319
Comments
We noticed that cloud vendors such as AWS have a secret management service and a key management service, which are two different products. The function we implemented this time is more in line with the definition of secret management. There is obvious ambiguity in using "KMS" here, so we will rename "KMS" to "Secret".

Define the Data Range That Secret Manager Can Protect

The following configuration is designed to obtain values from the secret manager, which is called referenceable.

Sensitive data at startup needs to be protected by the secret manager. More info: #10221

This issue has been marked as stale due to 350 days of inactivity. It will be closed in 2 weeks if no further activity occurs. If this issue is still relevant, please simply write any comment. Even if closed, you can still revive the issue at any time or discuss it on the dev@apisix.apache.org list. Thank you for your contributions.

This issue has been closed due to lack of activity. If you think that is incorrect, or the issue requires additional review, you can revive the issue at any time.
Background
Secrets refer to any sensitive information required during the running process of APISIX, which may be part of the core configuration (such as the etcd's password) or some sensitive information in the plugin. Common types of Secrets in APISIX include:
Secrets Management refers to allowing users to store Secrets in APISIX through some secrets management services (vault, etc.), and read them according to the key when using them to ensure that Secrets do not exist in plaintext in the entire platform.
Currently, APISIX only supports the use of vault to manage secrets in the jwt-auth plugin. We plan to use more secrets management services in more plugins.

Scheme
Overall Design
In order to conveniently use the Secrets Management capability in various plugins of APISIX to protect secrets or other sensitive data, we will implement the following steps:
It works as follows:
Detailed Design
Environment variable
APISIX loads all environment variables at startup, so there is no need to add them through custom resources. Environment variables can be referenced in the following ways:
If the value of the environment variable is of type string, such as:
It can be referenced as follows:
If the value of the environment variable is a JSON string like:
It can be referenced as follows:
Example: use in jwt-auth plugin
First, create environment variables before the APISIX instance starts
Reference environment variables in the jwt-auth plugin
Through the steps shown above, you can save the secret configuration in the jwt-auth plugin in an environment variable instead of displaying it in plaintext when configuring the plugin.
KMS Component Design
Core Points
`$KMS://vault/jwt/secret_id/jwt` to get the secrets management service object and key

Reference Method
In the plugin, KMS components can be referenced through special variables in the following format:
Example: use in jwt-auth plugin
First, create the corresponding secret in the vault. You can use the following command:
Next, you can configure APISIX through the following steps:
Step 1: Add KMS resources through the Admin API, and configure the connection information such as the address of the vault:
Step 2: Refer to the KMS resource in the jwt-auth plugin and fill in the secret information
Through the above two steps, when the user request hits the jwt-auth plugin, the user-configured secrets management service will be called through the interface provided by the KMS component to obtain the real value of the secret in the vault.
In addition, the token required for APISIX to interact with the vault can also be stored in the environment variable. Before APISIX starts, the environment variable can be set by the following command:
Reference the environment variable when adding the KMS resource:
Through the above steps, you can configure the secret in the jwt-auth plugin to the vault instead of displaying it in plaintext when configuring the plugin. Among them, the token used by APISIX to connect to the vault can also be saved in the environment variable.
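The two reference forms described above (the `$ENV://` lookup of an environment variable, including a field of a JSON-valued variable, and the `$KMS://vault/<id>/...` lookup through a KMS resource) can be illustrated with a small stand-alone resolver. The following is an added example, not code from the APISIX project: the regular expression, the rule that a JSON environment variable is addressed as `$ENV://NAME/field`, the split of the `$KMS://` remainder into a secret path plus a final key, the `fake_vault_backend` stand-in for a real vault, and all sample values are assumptions made for this illustration.

```python
"""Added illustration (not APISIX code) of resolving the proposal's references:

  $ENV://NAME               -> value of environment variable NAME
  $ENV://NAME/field         -> field of NAME when NAME holds a JSON object (assumed rule)
  $KMS://vault/ID/PATH/KEY  -> field KEY of secret PATH, read through the KMS
                               resource registered as ID (e.g. the page's
                               $KMS://vault/jwt/secret_id/jwt)
"""
import json
import re
from typing import Any, Callable, Mapping

REF_RE = re.compile(r"^\$(?P<scheme>ENV|KMS)://(?P<path>.+)$")

# A KMS backend is modelled as lookup(secret_path, key) -> value (assumption).
KmsBackend = Callable[[str, str], str]


def parse_reference(value: str):
    """Return (scheme, path) for a reference, or None for a plain literal."""
    m = REF_RE.match(value)
    return (m.group("scheme"), m.group("path")) if m else None


def resolve_env(path: str, env: Mapping[str, str]) -> str:
    """Resolve $ENV://NAME or $ENV://NAME/field[/subfield...] against env."""
    name, _, field = path.partition("/")
    if name not in env:
        raise KeyError(f"environment variable {name!r} is not set")
    raw = env[name]
    if not field:
        return raw
    try:
        cur: Any = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError(f"{name} is not JSON, cannot select {field!r}") from exc
    for part in field.split("/"):
        if not isinstance(cur, dict) or part not in cur:
            raise KeyError(f"field {field!r} not found in {name}")
        cur = cur[part]
    if not isinstance(cur, str):
        raise ValueError(f"field {field!r} of {name} is not a string")
    return cur


def resolve_kms(path: str, resources: Mapping[str, KmsBackend]) -> str:
    """Resolve $KMS://vault/ID/secret_path/key through the registered resource."""
    parts = path.split("/")
    if len(parts) < 4 or parts[0] != "vault":
        raise ValueError(f"malformed KMS reference {path!r}")
    _, resource_id, *secret_path, key = parts
    backend = resources.get(resource_id)
    if backend is None:
        raise KeyError(f"KMS resource {resource_id!r} is not registered")
    return backend("/".join(secret_path), key)


def resolve_plugin_conf(conf: Any, env: Mapping[str, str],
                        resources: Mapping[str, KmsBackend]) -> Any:
    """Return a copy of a plugin config with every reference replaced by its value.

    Unresolvable references raise instead of being passed through, so a
    misconfigured reference never ends up used as a literal secret.
    """
    if isinstance(conf, dict):
        return {k: resolve_plugin_conf(v, env, resources) for k, v in conf.items()}
    if isinstance(conf, list):
        return [resolve_plugin_conf(v, env, resources) for v in conf]
    if isinstance(conf, str):
        ref = parse_reference(conf)
        if ref is None:
            return conf
        scheme, path = ref
        return resolve_env(path, env) if scheme == "ENV" else resolve_kms(path, resources)
    return conf


# --- constructed sample data (not real secrets) ------------------------------
SAMPLE_ENV = {
    "JWT_SECRET": "plain-secret-from-env",
    "JWT_JSON": json.dumps({"key": "user-key", "secret": "json-secret-from-env"}),
}

# Stand-in for a vault KV store: secret path -> {key: value}
FAKE_VAULT = {"secret_id": {"jwt": "secret-from-vault"}}


def fake_vault_backend(secret_path: str, key: str) -> str:
    try:
        return FAKE_VAULT[secret_path][key]
    except KeyError as exc:
        raise KeyError(f"vault has no {key!r} under {secret_path!r}") from exc


# KMS resource "jwt" as it would be registered through the Admin API
KMS_RESOURCES = {"jwt": fake_vault_backend}

# jwt-auth style config: only references are stored, never the plaintext secret
SAMPLE_JWT_AUTH_CONF = {"key": "$ENV://JWT_JSON/key", "secret": "$KMS://vault/jwt/secret_id/jwt"}

if __name__ == "__main__":
    print(resolve_plugin_conf(SAMPLE_JWT_AUTH_CONF, SAMPLE_ENV, KMS_RESOURCES))
```

Resolution happens at the point of use, so the stored route or consumer configuration (and anything that dumps it, such as Admin API responses or logs) only ever contains the reference string; a reference that cannot be resolved raises rather than silently being treated as the secret itself.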
KMS Resource Admin API Design
When adding KMS resources through the Admin API, the request is designed as follows:
Request URI
Request Method
Request Body
The secrets management service currently only supports vaults, so the request URI can currently only be:
The definitions of the fields in the corresponding request body are as follows: