Skip to content

Commit 1f16a6c

Browse files
fix: fetch secrets from upstream ssl config (#13062)
1 parent cbd264a commit 1f16a6c

8 files changed

Lines changed: 467 additions & 60 deletions

File tree

apisix/cli/file.lua

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -342,7 +342,7 @@ function _M.read_yaml_conf(apisix_home)
342342
-- Therefore we need to check the absolute version instead
343343
local cert_path = pl_path.abspath(apisix_ssl.ssl_trusted_certificate)
344344
if not pl_path.exists(cert_path) then
345-
util.die("certificate path", cert_path, "doesn't exist\n")
345+
util.die("certificate path ", cert_path, " doesn't exist\n")
346346
end
347347
apisix_ssl.ssl_trusted_certificate = cert_path
348348
end

apisix/init.lua

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -564,6 +564,13 @@ local function resolve_upstream_client_cert(api_ctx)
564564

565565
core.log.info("matched upstream client ssl object, id: ", cert_id,
566566
", type: ", upstream_ssl.type)
567+
568+
-- avoid the per-request deepcopy done by fetch_secrets when the ssl object
569+
-- holds plain cert/key
570+
if apisix_secret.has_secret_ref(upstream_ssl) then
571+
upstream_ssl = apisix_secret.fetch_secrets(upstream_ssl, true) or upstream_ssl
572+
end
573+
567574
api_ctx.upstream_ssl = upstream_ssl
568575
return true
569576
end

apisix/ssl.lua

Lines changed: 5 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -214,9 +214,11 @@ function _M.check_ssl_conf(in_dp, conf)
214214
return nil, "client tls verify unsupported"
215215
end
216216

217-
local ok, err = validate(conf.client.ca, nil)
218-
if not ok then
219-
return nil, "failed to validate client_cert: " .. err
217+
if not secret.check_secret_uri(conf.client.ca) then
218+
local ok, err = validate(conf.client.ca, nil)
219+
if not ok then
220+
return nil, "failed to validate client_cert: " .. err
221+
end
220222
end
221223
end
222224

apisix/ssl/router/radixtree_sni.lua

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -251,9 +251,9 @@ function _M.set(matched_ssl, sni)
251251
return false, err
252252
end
253253

254-
if matched_ssl.value.client then
255-
local ca_cert = matched_ssl.value.client.ca
256-
local depth = matched_ssl.value.client.depth
254+
if new_ssl_value.client then
255+
local ca_cert = new_ssl_value.client.ca
256+
local depth = new_ssl_value.client.depth
257257
if apisix_ssl.support_client_verification() then
258258
local parsed_cert, err = apisix_ssl.fetch_cert(sni, ca_cert)
259259
if not parsed_cert then
@@ -262,7 +262,7 @@ function _M.set(matched_ssl, sni)
262262

263263
local reject_in_handshake =
264264
(ngx.config.subsystem == "stream") or
265-
(matched_ssl.value.client.skip_mtls_uri_regex == nil)
265+
(new_ssl_value.client.skip_mtls_uri_regex == nil)
266266
-- TODO: support passing `trusted_certs` (3rd arg, keep it nil for now)
267267
local ok, err = ngx_ssl.verify_client(parsed_cert, depth, nil,
268268
reject_in_handshake)

docs/en/latest/terminology/secret.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -23,10 +23,10 @@ title: Secret
2323

2424
## Description
2525

26-
Secrets refer to any sensitive information required during the running process of APISIX, which may be part of the core configuration (such as the etcd's password) or some sensitive information in the plugin. Common types of Secrets in APISIX include:
26+
Secrets refer to any sensitive information required during the running process of APISIX, which may be part of the core configuration (such as the etcd's password), cryptographic material or some sensitive information in the plugin. Common types of Secrets in APISIX include:
2727

2828
- username, the password for some components (etcd, Redis, Kafka, etc.)
29-
- the private key of the certificate
29+
- the public certificate, private key and ca certificates
3030
- API key
3131
- Sensitive plugin configuration fields, typically used for authentication, hashing, signing, or encryption
3232

docs/zh/latest/terminology/secret.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -23,10 +23,10 @@ title: Secret
2323

2424
## 描述
2525

26-
密钥是指 APISIX 运行过程中所需的任何敏感信息,它可能是核心配置的一部分(如 etcd 的密码),也可能是插件中的一些敏感信息。APISIX 中常见的密钥类型包括:
26+
密钥是指 APISIX 运行过程中所需的任何敏感信息,它可能是核心配置的一部分(如 etcd 的密码)、加密材料,也可能是插件中的一些敏感信息。APISIX 中常见的密钥类型包括:
2727

2828
- 一些组件(etcd、Redis、Kafka 等)的用户名、密码
29-
- 证书的私钥
29+
- 公钥证书、私钥和 CA 证书
3030
- API 密钥
3131
- 敏感的插件配置字段,通常用于身份验证、hash、签名或加密
3232

0 commit comments

Comments
 (0)