-
Notifications
You must be signed in to change notification settings - Fork 2.5k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat: add vault common components (#8412)
Co-authored-by: soulbird <zhaothree@gmail.com>
- Loading branch information
Showing
9 changed files
with
292 additions
and
22 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,91 @@ | ||
-- | ||
-- Licensed to the Apache Software Foundation (ASF) under one or more | ||
-- contributor license agreements. See the NOTICE file distributed with | ||
-- this work for additional information regarding copyright ownership. | ||
-- The ASF licenses this file to You under the Apache License, Version 2.0 | ||
-- (the "License"); you may not use this file except in compliance with | ||
-- the License. You may obtain a copy of the License at | ||
-- | ||
-- http://www.apache.org/licenses/LICENSE-2.0 | ||
-- | ||
-- Unless required by applicable law or agreed to in writing, software | ||
-- distributed under the License is distributed on an "AS IS" BASIS, | ||
-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
-- See the License for the specific language governing permissions and | ||
-- limitations under the License. | ||
-- | ||
|
||
--- Vault Tools. | ||
-- Vault is an identity-based secrets and encryption management system. | ||
|
||
local core = require("apisix.core") | ||
local http = require("resty.http") | ||
|
||
local norm_path = require("pl.path").normpath | ||
|
||
local sub = core.string.sub | ||
local rfind_char = core.string.rfind_char | ||
|
||
local _M = {} | ||
|
||
|
||
local function make_request_to_vault(conf, method, key, data) | ||
local httpc = http.new() | ||
-- config timeout or default to 5000 ms | ||
httpc:set_timeout((conf.timeout or 5)*1000) | ||
|
||
local req_addr = conf.uri .. norm_path("/v1/" | ||
.. conf.prefix .. "/" .. key) | ||
|
||
local res, err = httpc:request_uri(req_addr, { | ||
method = method, | ||
headers = { | ||
["X-Vault-Token"] = conf.token | ||
}, | ||
body = core.json.encode(data or {}, true) | ||
}) | ||
|
||
if not res then | ||
return nil, err | ||
end | ||
|
||
return res.body | ||
end | ||
|
||
-- key is the vault kv engine path | ||
local function get(conf, key) | ||
core.log.info("fetching data from vault for key: ", key) | ||
|
||
local idx = rfind_char(key, '/') | ||
if not idx then | ||
return nil, "error key format, key: " .. key | ||
end | ||
|
||
local main_key = sub(key, 1, idx - 1) | ||
if main_key == "" then | ||
return nil, "can't find main key, key: " .. key | ||
end | ||
local sub_key = sub(key, idx + 1) | ||
if sub_key == "" then | ||
return nil, "can't find sub key, key: " .. key | ||
end | ||
|
||
core.log.info("main: ", main_key, " sub: ", sub_key) | ||
|
||
local res, err = make_request_to_vault(conf, "GET", main_key) | ||
if not res then | ||
return nil, "failed to retrtive data from vault kv engine: " .. err | ||
end | ||
|
||
local ret = core.json.decode(res) | ||
if not ret or not ret.data then | ||
return nil, "failed to decode result, res: " .. res | ||
end | ||
|
||
return ret.data[sub_key] | ||
end | ||
|
||
_M.get = get | ||
|
||
|
||
return _M |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,21 @@ | ||
#!/usr/bin/env bash | ||
# | ||
# Licensed to the Apache Software Foundation (ASF) under one or more | ||
# contributor license agreements. See the NOTICE file distributed with | ||
# this work for additional information regarding copyright ownership. | ||
# The ASF licenses this file to You under the Apache License, Version 2.0 | ||
# (the "License"); you may not use this file except in compliance with | ||
# the License. You may obtain a copy of the License at | ||
# | ||
# http://www.apache.org/licenses/LICENSE-2.0 | ||
# | ||
# Unless required by applicable law or agreed to in writing, software | ||
# distributed under the License is distributed on an "AS IS" BASIS, | ||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
# See the License for the specific language governing permissions and | ||
# limitations under the License. | ||
# | ||
|
||
# prepare vault kv engine | ||
sleep 3s | ||
docker exec -i vault sh -c "VAULT_TOKEN='root' VAULT_ADDR='http://0.0.0.0:8200' vault secrets enable -path=kv -version=1 kv" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,158 @@ | ||
# | ||
# Licensed to the Apache Software Foundation (ASF) under one or more | ||
# contributor license agreements. See the NOTICE file distributed with | ||
# this work for additional information regarding copyright ownership. | ||
# The ASF licenses this file to You under the Apache License, Version 2.0 | ||
# (the "License"); you may not use this file except in compliance with | ||
# the License. You may obtain a copy of the License at | ||
# | ||
# http://www.apache.org/licenses/LICENSE-2.0 | ||
# | ||
# Unless required by applicable law or agreed to in writing, software | ||
# distributed under the License is distributed on an "AS IS" BASIS, | ||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
# See the License for the specific language governing permissions and | ||
# limitations under the License. | ||
# | ||
use t::APISIX 'no_plan'; | ||
|
||
repeat_each(1); | ||
no_long_string(); | ||
no_root_location(); | ||
log_level("info"); | ||
|
||
run_tests; | ||
|
||
__DATA__ | ||
|
||
=== TEST 1: check key: error format | ||
--- config | ||
location /t { | ||
content_by_lua_block { | ||
local vault = require("apisix.kms.vault") | ||
local conf = { | ||
prefix = "/kv/prefix", | ||
token = "root", | ||
uri = "http://127.0.0.1:2800" | ||
} | ||
local data, err = vault.get(conf, "apisix") | ||
if err then | ||
return ngx.say(err) | ||
end | ||
|
||
ngx.say("done") | ||
} | ||
} | ||
--- request | ||
GET /t | ||
--- response_body | ||
error key format, key: apisix | ||
|
||
|
||
|
||
=== TEST 2: check key: no main key | ||
--- config | ||
location /t { | ||
content_by_lua_block { | ||
local vault = require("apisix.kms.vault") | ||
local conf = { | ||
prefix = "/kv/prefix", | ||
token = "root", | ||
uri = "http://127.0.0.1:2800" | ||
} | ||
local data, err = vault.get(conf, "/apisix") | ||
if err then | ||
return ngx.say(err) | ||
end | ||
|
||
ngx.say("done") | ||
} | ||
} | ||
--- request | ||
GET /t | ||
--- response_body | ||
can't find main key, key: /apisix | ||
|
||
|
||
|
||
=== TEST 3: check key: no sub key | ||
--- config | ||
location /t { | ||
content_by_lua_block { | ||
local vault = require("apisix.kms.vault") | ||
local conf = { | ||
prefix = "/kv/prefix", | ||
token = "root", | ||
uri = "http://127.0.0.1:2800" | ||
} | ||
local data, err = vault.get(conf, "apisix/") | ||
if err then | ||
return ngx.say(err) | ||
end | ||
|
||
ngx.say("done") | ||
} | ||
} | ||
--- request | ||
GET /t | ||
--- response_body | ||
can't find sub key, key: apisix/ | ||
|
||
|
||
|
||
=== TEST 4: error vault uri | ||
--- config | ||
location /t { | ||
content_by_lua_block { | ||
local vault = require("apisix.kms.vault") | ||
local conf = { | ||
prefix = "/kv/prefix", | ||
token = "root", | ||
uri = "http://127.0.0.2:2800" | ||
} | ||
local data, err = vault.get(conf, "/apisix/sub") | ||
if err then | ||
return ngx.say(err) | ||
end | ||
|
||
ngx.say("done") | ||
} | ||
} | ||
--- request | ||
GET /t | ||
--- response_body | ||
failed to retrtive data from vault kv engine: connection refused | ||
--- timeout: 6 | ||
|
||
|
||
|
||
=== TEST 5: store secret into vault | ||
--- exec | ||
VAULT_TOKEN='root' VAULT_ADDR='http://0.0.0.0:8200' vault kv put kv/apisix/apisix-key/jack key=value | ||
--- response_body | ||
Success! Data written to: kv/apisix/apisix-key/jack | ||
|
||
|
||
|
||
=== TEST 6: get value from vault | ||
--- config | ||
location /t { | ||
content_by_lua_block { | ||
local vault = require("apisix.kms.vault") | ||
local conf = { | ||
prefix = "kv/apisix", | ||
token = "root", | ||
uri = "http://127.0.0.1:8200" | ||
} | ||
local value, err = vault.get(conf, "/apisix-key/jack/key") | ||
if err then | ||
return ngx.say(err) | ||
end | ||
|
||
ngx.say("value") | ||
} | ||
} | ||
--- request | ||
GET /t | ||
--- response_body | ||
value |