nic-6443 opened a new pull request, #13312: URL: https://github.com/apache/apisix/pull/13312
## Description

Secret references (`$secret://` and `$env://`) now work automatically for **all** plugins. Previously only 5 plugins explicitly called `fetch_secrets()` — plugins that didn't would silently pass the raw `$secret://...` string to backends, causing confusing failures.

### What changed

**Central resolution in `plugin.filter()`**: After the plugin array is built, all plugin confs are scanned for secret refs and resolved automatically. This covers HTTP plugins, stream plugins, global rules, and consumer-merged configs — all from a single injection point.

**Stable table references**: A weak-keyed cache returns the same resolved table when secret values haven't changed (common case — no rotation). This preserves plugin-internal caching that uses conf identity as cache key (e.g., `ai-rate-limiting`'s rate limit conf cache).

**Secret-aware schema validation**: When a plugin conf contains `$secret://` or `$env://` refs, the DP-side validator strips those fields from both conf and schema copies before checking. This lets constrained fields (`enum`, `pattern`, `minLength`, `maxLength`) accept secret ref strings during config loading.

**Removed explicit `fetch_secrets`** from: `authz-keycloak`, `openid-connect`, `limit-count`, `clickhouse-logger`, `ai-aws-content-moderation`.

### Non-plugin call sites unchanged

- `consumer.lua` — resolves secrets in consumer auth configs (independent path)
- `ssl/router/radixtree_sni.lua` — resolves secrets in SSL certs
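The stable-table-reference behaviour described under "What changed", as an added Lua sketch that is not code from this PR or from APISIX: a weak-keyed cache, keyed on the stored conf table, hands back the same resolved table until a resolved value changes. `secret_store`, `is_ref`, `resolve`, `same` and `resolved_conf` are hypothetical names, and the secret values are constructed.

```lua
-- Added illustration, not APISIX code. All names below are hypothetical.
local secret_store = { ["$env://API_KEY"] = "k-1" }  -- constructed stand-in for a secret backend

local function is_ref(v)
    return type(v) == "string"
       and (v:sub(1, 10) == "$secret://" or v:sub(1, 7) == "$env://")
end

-- Deep-copy `node`, replacing refs; record each resolved value in `seen` by path.
local function resolve(node, seen, path)
    if is_ref(node) then
        local val = secret_store[node] or node  -- unresolved refs pass through unchanged
        seen[path] = val
        return val
    end
    if type(node) ~= "table" then return node end
    local out = {}
    for k, v in pairs(node) do
        out[k] = resolve(v, seen, path .. "/" .. tostring(k))
    end
    return out
end

-- Weak keys: an entry disappears once its conf table is garbage-collected.
local cache = setmetatable({}, { __mode = "k" })

local function same(a, b)
    for k, v in pairs(a) do if b[k] ~= v then return false end end
    for k in pairs(b) do if a[k] == nil then return false end end
    return true
end

local function resolved_conf(conf)
    local seen = {}
    local fresh = resolve(conf, seen, "")
    if next(seen) == nil then return conf end  -- no refs: keep the original identity
    local hit = cache[conf]
    if hit and same(hit.seen, seen) then return hit.resolved end
    cache[conf] = { seen = seen, resolved = fresh }
    return fresh
end

local conf = { endpoint = "https://example.invalid", auth = { key = "$env://API_KEY" } }
local a, b = resolved_conf(conf), resolved_conf(conf)
assert(a == b and a.auth.key == "k-1")     -- no rotation: identical table, conf-keyed caches stay valid
secret_store["$env://API_KEY"] = "k-2"     -- simulate a rotation
local c = resolved_conf(conf)
assert(c ~= a and c.auth.key == "k-2")     -- rotation: a new table carrying the new value
assert(conf.auth.key == "$env://API_KEY")  -- the stored conf still holds only the reference
```

The resolved copies hold plaintext secret values, so only the stored conf (which still contains the reference) is safe to log or dump.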
