-
Notifications
You must be signed in to change notification settings - Fork 2.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
change(jwt-auth): unify apisix/core/vault.lua and apisix/secret/vault.lua #8660
Conversation
apisix/plugins/jwt-auth.lua
Outdated
local new_tab = require ("table.new") | ||
local secrets = require("apisix.admin.secrets") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
All functions in apisix.admin.secrets
are only used to configure secret manager. It should not be called from plugins.
If you want to use the secret manager function, you should use the get
function in apisix.secret
apisix/plugins/jwt-auth.lua
Outdated
@@ -252,15 +253,12 @@ end | |||
local function get_secret(conf, consumer_name) | |||
local secret = conf.secret | |||
if conf.vault then |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just delete the vault-related configuration directly, because we have already retrieved and replaced the configuration of all auth plugins (type = "auth") in the consumer.
https://github.com/apache/apisix/blob/master/apisix/consumer.lua#L107
After deleting a configuration, a break change is introduced in APISIX, so the title of the PR should be Other legitimate headers can be seen here: https://github.com/apache/apisix/blob/master/.github/workflows/semantic.yml#L23 |
Should also update doc: https://github.com/apache/apisix/blob/master/docs/en/latest/plugins/jwt-auth.md If you are interested, you can update the Chinese documentation at the same time, you can use the tool to translate. |
How should this be handled? |
A link should be added after the field, pointing to APISIX Secret |
As described in the comments, this code fits into three possible scenarios. So, just remove some of the comments |
Vault related links in this chapter should be updated https://github.com/apache/apisix/blob/master/docs/en/latest/getting-started.md#features |
apisix/plugins/jwt-auth.lua
Outdated
if public_key and private_key then | ||
return public_key, private_key | ||
elseif public_key and not private_key then | ||
return public_key, nil, "missing private key" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
should we add a nil check there? I think we should. Even the previous implementation would return nil in some cases. Not sure why it is not being checked.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
apisix/apisix/plugins/jwt-auth.lua
Line 347 in 9c899b8
if not public_key then |
Here we check if public_key is nil to detect the err.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am not quite sure what you are trying to say, could you please elaborate? 😅
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we drop
apisix/conf/config-default.yaml
Line 253 in 4131fbf
# HashiCorp Vault storage backend for sensitive data retrieval. The config shows an example of what APISIX expects if you |
elseif not public_key and private_key then | ||
return nil, nil, "missing public key" | ||
else | ||
return nil, nil, "public and private keys are missing" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I didn't remove the elseif statements so that a better error message could be returned. Let me know if this is not up to the mark.
* upstream/master: (67 commits) fix: grpc-transcode plugin: fix map data population (apache#8731) change(jwt-auth): unify apisix/core/vault.lua and apisix/secret/vault.lua (apache#8660) feat: stream subsystem support consul_kv service discovery (apache#8633) fix(proxy-mirror): use with uri rewrite (apache#8718) ci: move helper script to the right dir (apache#8691) refactor(pubsub): simpify the get_cmd implementation (apache#8608) feat: stream subsystem support kubernetes service discovery (apache#8640) docs: fix deployment links (apache#8714) fix: remove backslash before slash when encoding (apache#8684) ci: kafka should register port in the zookeeper same as exposed (apache#8672) docs: fix plugin config naming (apache#8701) docs: fix code block (apache#8700) docs: rename kms to secret (apache#8697) docs: replace transparent logos with white background logos (apache#8689) fix: upgrade lua-resty-etcd to 1.10.3 (apache#8668) fix: upgrade casbin to 1.41.3 to improve performance (apache#8676) chore: make send_stream_request more clear (apache#8627) feat: stream subsystem support nacos service discovery (apache#8584) feat: stream subsystem support dns service discovery (apache#8593) refactor(admin): refactor resource routes (apache#8611) ...
Description
Fixes #8424
Checklist