feat: use env var instead of plain text for vault token #8866

Merged
merged 24 commits into from
Feb 24, 2023
Changes from 4 commits
24 commits
aa8b1bd
feat: use env var instead of plain text
shreemaan-abhishek Feb 15, 2023
7f938e2
modify tests to use env var
shreemaan-abhishek Feb 15, 2023
c13c6ec
export env var
shreemaan-abhishek Feb 15, 2023
6bc6d61
export env var for centos
shreemaan-abhishek Feb 15, 2023
111ac11
fix breaking change, allow plain text env vars
shreemaan-abhishek Feb 15, 2023
2d988b7
Revert "modify tests to use env var"
shreemaan-abhishek Feb 15, 2023
62eb6f9
add tests
shreemaan-abhishek Feb 15, 2023
26627b7
place env var in correct place
shreemaan-abhishek Feb 16, 2023
0868b43
Revert "add tests"
shreemaan-abhishek Feb 16, 2023
c562216
add tests
shreemaan-abhishek Feb 16, 2023
206dd90
fix tests
shreemaan-abhishek Feb 16, 2023
3aeed0d
Merge branch 'master' into vault-token-env-var
shreemaan-abhishek Feb 16, 2023
6c8cf91
add quotes
shreemaan-abhishek Feb 16, 2023
756f3b4
use print instead of "say"
shreemaan-abhishek Feb 17, 2023
37a3406
Revert "add quotes"
shreemaan-abhishek Feb 17, 2023
d4d5fb3
add line break
shreemaan-abhishek Feb 17, 2023
30a296b
replace with \R
shreemaan-abhishek Feb 18, 2023
1626dce
remove directory added by mistake
shreemaan-abhishek Feb 18, 2023
46b992e
use regex
shreemaan-abhishek Feb 18, 2023
f2c1c27
trigger build
shreemaan-abhishek Feb 18, 2023
9bfaede
remove unnecessary env var
shreemaan-abhishek Feb 20, 2023
234346a
clean way to import
shreemaan-abhishek Feb 21, 2023
8b72f12
remove newline
shreemaan-abhishek Feb 22, 2023
74b3e66
trigger build
shreemaan-abhishek Feb 22, 2023
3 changes: 2 additions & 1 deletion apisix/secret/vault.lua
Expand Up @@ -26,6 +26,7 @@ local norm_path = require("pl.path").normpath
local sub = core.string.sub
local rfind_char = core.string.rfind_char

Member

We can avoid the blank line here? Other files don't add a blank line among localized variables.

local env = require("apisix.core.env")
Member

Can't we import it like core.string.sub?


local schema = {
type = "object",
Expand Down Expand Up @@ -56,7 +57,7 @@ local function make_request_to_vault(conf, method, key, data)
local res, err = httpc:request_uri(req_addr, {
method = method,
headers = {
["X-Vault-Token"] = conf.token
["X-Vault-Token"] = env.fetch_by_uri(conf.token)
},
body = core.json.encode(data or {}, true)
})
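Review bot: At `["X-Vault-Token"] = env.fetch_by_uri(conf.token)` the result of the lookup goes straight into the header with no check. If the referenced variable is unset, or `conf.token` is a literal value rather than a `$ENV://` reference, the request may go out with a missing or wrong token and the caller only sees Vault's response. Suggest resolving the token into a local before `httpc:request_uri`, returning an explicit error when it is nil, and falling back to `conf.token` when it is not a reference so existing plain-text configurations keep working.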
1 change: 1 addition & 0 deletions ci/centos7-ci.sh
Expand Up @@ -84,6 +84,7 @@ run_case() {
export_or_prefix
make init
set_coredns
export VAULT_TOKEN="root"
# run test cases
FLUSH_ETCD=1 prove --timer -Itest-nginx/lib -I./ -r ${TEST_FILE_SUB_DIR} | tee /tmp/test.result
rerun_flaky_tests /tmp/test.result
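Review bot: `export VAULT_TOKEN="root"` in `run_case` has no comment saying what consumes it, and nothing in the surrounding lines mentions Vault. A one-line comment that this is the value the test cases read through `$ENV://VAULT_TOKEN` would make the dependency visible to whoever edits this script next.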
1 change: 1 addition & 0 deletions ci/linux_openresty_common_runner.sh
Expand Up @@ -85,6 +85,7 @@ script() {
sleep 1
done

export VAULT_TOKEN="root"
# APISIX_ENABLE_LUACOV=1 PERL5LIB=.:$PERL5LIB prove -Itest-nginx/lib -r t
FLUSH_ETCD=1 prove --timer -Itest-nginx/lib -I./ -r $TEST_FILE_SUB_DIR | tee /tmp/test.result
rerun_flaky_tests /tmp/test.result
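Review bot: The same `export VAULT_TOKEN="root"` line is added here and in `ci/centos7-ci.sh`, so the test token is now defined in two runner scripts that can drift apart. Consider setting it in one place that both runners use. Also, sitting directly above the commented-out `prove` line it reads as part of that dead code, so a blank line or its own comment would separate it.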
10 changes: 5 additions & 5 deletions t/config-center-yaml/secret.t
Expand Up @@ -61,7 +61,7 @@ __DATA__
secrets:
- id: vault/1
prefix: kv/apisix
token: root
token: "$ENV://VAULT_TOKEN"
Contributor

So we can no longer use such a configuration?

token: root

Contributor Author

@shreemaan-abhishek shreemaan-abhishek Feb 15, 2023

Yes, we won't be able to use such a configuration. Let me fix that quickly.

uri: 127.0.0.1:8200
#END
--- config
Expand All @@ -86,7 +86,7 @@ property "uri" validation failed: failed to match pattern "^[^\\/]+:\\/\\/([\\da
secrets:
- id: hhh/1
prefix: kv/apisix
token: root
token: "$ENV://VAULT_TOKEN"
uri: 127.0.0.1:8200
#END
--- config
Expand All @@ -111,7 +111,7 @@ secret manager not exits
secrets:
- id: vault/1
prefix: kv/apisix
token: root
token: "$ENV://VAULT_TOKEN"
uri: http://127.0.0.1:8200
#END
--- config
Expand All @@ -133,7 +133,7 @@ GET /t
len: 1
id: vault/1
prefix: kv/apisix
token: root
token: $ENV://VAULT_TOKEN
uri: http://127.0.0.1:8200
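Review bot: Missing comment on the expected output line `token: $ENV://VAULT_TOKEN`: among these hunks it is the one place that checks the configuration is printed as the unresolved reference rather than as the token value, and nothing says that is intentional. A short note on the case stating that the reference must not be expanded in this output would keep it from being "corrected" to `root` later.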


Expand All @@ -151,7 +151,7 @@ Success! Data written to: kv/apisix/apisix-key
secrets:
- id: vault/1
prefix: kv/apisix
token: root
token: "$ENV://VAULT_TOKEN"
uri: http://127.0.0.1:8200
#END
--- config
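Review bot: With this hunk every `token:` in the visible cases of this file has switched from `root` to `"$ENV://VAULT_TOKEN"`, so no case here covers a literal token any more, which is the configuration asked about in the thread on the first hunk. Keep at least one case with `token: root` so the plain-text form stays tested alongside the reference form.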
2 changes: 1 addition & 1 deletion t/plugin/basic-auth.t
Expand Up @@ -468,7 +468,7 @@ GET /t
[[{
"uri": "http://127.0.0.1:8200",
"prefix" : "kv/apisix",
"token" : "root"
"token" : "$ENV://VAULT_TOKEN"
}]]
)
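Review bot: `"token" : "$ENV://VAULT_TOKEN"` makes this case depend on `VAULT_TOKEN` being exported by the CI runner scripts, and nothing in the test file says so. Running the file on its own without that export is likely to fail at the Vault lookup with no hint about the cause. Suggest either setting the variable in the test file's own setup or documenting the requirement next to the secret definition; the identical change in the other `t/plugin/*.t` files has the same dependency.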

2 changes: 1 addition & 1 deletion t/plugin/hmac-auth4.t
Expand Up @@ -49,7 +49,7 @@ __DATA__
[[{
"uri": "http://127.0.0.1:8200",
"prefix" : "kv/apisix",
"token" : "root"
"token" : "$ENV://VAULT_TOKEN"
}]]
)

2 changes: 1 addition & 1 deletion t/plugin/jwt-auth3.t
Expand Up @@ -458,7 +458,7 @@ GET /t
[[{
"uri": "http://127.0.0.1:8200",
"prefix" : "kv/apisix",
"token" : "root"
"token" : "$ENV://VAULT_TOKEN"
}]]
)

2 changes: 1 addition & 1 deletion t/plugin/key-auth.t
Expand Up @@ -590,7 +590,7 @@ auth: authone
[[{
"uri": "http://127.0.0.1:8200",
"prefix" : "kv/apisix",
"token" : "root"
"token" : "$ENV://VAULT_TOKEN"
}]]
)

2 changes: 1 addition & 1 deletion t/plugin/ldap-auth.t
Expand Up @@ -456,7 +456,7 @@ GET /t
[[{
"uri": "http://127.0.0.1:8200",
"prefix" : "kv/apisix",
"token" : "root"
"token" : "$ENV://VAULT_TOKEN"
}]]
)

2 changes: 1 addition & 1 deletion t/plugin/wolf-rbac.t
Expand Up @@ -560,7 +560,7 @@ ERR_TOKEN_INVALID
[[{
"uri": "http://127.0.0.1:8200",
"prefix" : "kv/apisix",
"token" : "root"
"token" : "$ENV://VAULT_TOKEN"
}]]
)

10 changes: 5 additions & 5 deletions t/secret/vault.t
Expand Up @@ -32,7 +32,7 @@ __DATA__
local vault = require("apisix.secret.vault")
local conf = {
prefix = "/kv/prefix",
token = "root",
token = "$ENV://VAULT_TOKEN",
uri = "http://127.0.0.1:2800"
}
local data, err = vault.get(conf, "apisix")
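Review bot: In this case `vault.get(conf, "apisix")` is expected to stop at key validation (the next hunk's context shows `error key format, key: apisix`), so the `token` value appears never to be used and switching it to `"$ENV://VAULT_TOKEN"` tests nothing new. Leaving `token = "root"` in the key-format cases would keep a literal token in the suite and confine the env-reference change to the case that reaches Vault.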
Expand All @@ -57,7 +57,7 @@ error key format, key: apisix
local vault = require("apisix.secret.vault")
local conf = {
prefix = "/kv/prefix",
token = "root",
token = "$ENV://VAULT_TOKEN",
uri = "http://127.0.0.1:2800"
}
local data, err = vault.get(conf, "/apisix")
Expand All @@ -82,7 +82,7 @@ can't find main key, key: /apisix
local vault = require("apisix.secret.vault")
local conf = {
prefix = "/kv/prefix",
token = "root",
token = "$ENV://VAULT_TOKEN",
uri = "http://127.0.0.1:2800"
}
local data, err = vault.get(conf, "apisix/")
Expand All @@ -107,7 +107,7 @@ can't find sub key, key: apisix/
local vault = require("apisix.secret.vault")
local conf = {
prefix = "/kv/prefix",
token = "root",
token = "$ENV://VAULT_TOKEN",
uri = "http://127.0.0.2:2800"
}
local data, err = vault.get(conf, "/apisix/sub")
Expand Down Expand Up @@ -141,7 +141,7 @@ Success! Data written to: kv/apisix/apisix-key/jack
local vault = require("apisix.secret.vault")
local conf = {
prefix = "kv/apisix",
token = "root",
token = "$ENV://VAULT_TOKEN",
uri = "http://127.0.0.1:8200"
}
local value, err = vault.get(conf, "/apisix-key/jack/key")
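Review bot: Missing negative case next to `token = "$ENV://VAULT_TOKEN"`: of the hunks in this file, this is the only one whose `uri` is the `http://127.0.0.1:8200` address used by the other Vault tests, and it covers only the success path. Add a companion case whose token references a variable that is not set and assert on the returned `err`, so an unresolved reference has a defined and tested failure instead of whatever Vault answers.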