-
Notifications
You must be signed in to change notification settings - Fork 2.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: As a user, I want to protect the sensitive information of config.yaml
, so that move the data to the Vault
#9915
Comments
I think we need to be a bit more general here.
|
config.yaml
, so that move the data to the Vault
Hi, I'd like to work on this. Is this feature works like the following?
|
Great! thank you help! sorry . I misunderstand what's is
correcty. before start the process . the value of secret store in vault.
yep.
replace the refence with a value which query from vault.
yep. but i not very understand what's is |
@Sn0rt Sorry, my bad, I means the variable name here https://github.com/apache/apisix/blob/master/apisix/cli/ops.lua#L741 |
It looks like this. In this function, make a judgment whether the vault is used. If so, you need to take the value from the vault to render the actual configuration file. But you can write the test file first, we are confirming? |
Ok, I will try it. Whether should I open a pr with test file only or just paste the test code snippet here? @Sn0rt |
thank you . it's very useful for APISIX. |
What about this? For ssl, we will add a new handler for admin which manually fetch from vault then set ctx without reusing the existed radix_sni ? @Sn0rt |
This is not a secret, so it does not need to be stored according to the previous scheme. |
@Sn0rt Hi, I have implemented admin relative secret vault, but when trying to move etcd secret into vault, I met some problems, it seems that ssl infos are all used as path, no direct way to use text fetched from vault. Whether I misunderstood the feature requirement? |
I understand what you mean.
My idea is that the implementation can be distinguished according to the prefix difference, because the semantics are consistent to read the resources of the specified path. |
I have looked into resty.etcd and found options only support read ssl info from disk (maybe I miss something), and the following code also use file path as parameters: |
Indeed, I've seen that etcd's underlying library only supports pass the path of file. Then I think the tasks of the current issues can be divided into multiple stages to achieve.
|
Ok, I will add more tests and finish in these days :). |
thx your help. and we need create a new issues for track the etcd tls feature. |
I will create another PR for the below feature
|
this part of #8319
Description
sensitive information in config.yaml supports vault (need to implement)
Through analysis, the sensitive information in
config.yaml
that meets the definition of secret is:The above-mentioned sensitive information needs to be designed and implemented according to priority, and stored in the
vault
.Original configuration method
The admin key and etcd password are configured in clear text, and the certificate is the path
Among them, in the plugin_attr of config-default, there is no special need to be stored in vault for the time being. If there is, add it later.
Add configuration items
An example is as follows:
When deployment.secret_vault .enable is true, APISIX will allow values in the form $secret://$secret_name/$key :
The vault token is taken from the environment variables.
Example configuration:
When deployment.secret_vault .enable is not true, the original string is kept.
If the return value of Vault is empty (the key does not exist), log and keep the original string.
The text was updated successfully, but these errors were encountered: