hiades-devops opened a new pull request, #13509:
URL: https://github.com/apache/apisix/pull/13509
Implements the Kubernetes secret manager (apisix/secret/kubernetes.lua)
which allows APISIX to read Kubernetes Secrets directly from the cluster using
the pod's ServiceAccount token.
URI format:
$secret://kubernetes/{manager-id}/{namespace}/{secret-name}/{data-key}
Example:
$secret://kubernetes/my-k8s/default/api-creds/client_secret
The implementation follows the same pattern as the existing Vault, AWS, and
GCP secret managers: a schema for Admin API configuration and a get(conf, key)
function called by apisix.secret.fetch_secrets() at request time.
Key features:
- Uses pod ServiceAccount token (default in-cluster path) for auth
- Reads KUBERNETES_SERVICE_HOST/PORT from env if not explicitly configured
- Verifies TLS using the in-cluster CA bundle by default
- Decodes base64 Secret.data values automatically
- Clear error messages for auth failures, missing secrets, missing keys
Also fixes two bugs in authz-keycloak.lua discovered while using the
Kubernetes secret manager in production (fixes #13493):
1. client_id and client_secret maxLength was 100 characters. When APISIX
resolves a $secret:// reference, encrypts the value (encrypt_fields), and
stores it back to etcd, the AES-encrypted result can be 128-152 chars —
exceeding the schema limit and causing load_full_data() to fail on restart,
dropping all authz-keycloak services with a 404. Increased maxLength to 4096
for both fields.
2. The same maxLength = 100 constraint also blocked $secret://kubernetes/
references from being stored at all via the Admin API, since the reference
string itself (e.g. $secret://kubernetes/my-k8s/my-ns/my-secret/client_secret)
can exceed 100 characters.
Closes #13493
### Description
<!-- Please include a summary of the change and which issue is fixed. -->
<!-- Please also include relevant motivation and context. -->
#### Which issue(s) this PR fixes:
<!--
*Automatically closes linked issue when PR is merged.
Usage: `Fixes #<issue number>`, or `Fixes (paste link of issue)`.
-->
Fixes #
### Checklist
- [ ] I have explained the need for this PR and the problem it solves
- [ ] I have explained the changes or the new features added to this PR
- [ ] I have added tests corresponding to this change
- [ ] I have updated the documentation to reflect this change
- [ ] I have verified that this change is backward compatible (If not,
please discuss on the [APISIX mailing
list](https://github.com/apache/apisix/tree/master#community) first)
<!--
Note
1. Mark the PR as draft until it's ready to be reviewed.
2. Always add/update tests for any changes unless you have a good reason.
3. Always update the documentation to reflect the changes made in the PR.
4. Make a new commit to resolve conversations instead of `push -f`.
5. To resolve merge conflicts, merge master instead of rebasing.
6. Use "request review" to notify the reviewer after making changes.
7. Only a reviewer can mark a conversation as resolved.
-->
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
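The resolution flow the PR describes (parse the `$secret://kubernetes/...` reference, pick the API server from explicit config or the in-cluster env vars, authenticate with the pod's ServiceAccount token, map 401/403, 404 and a missing data key to distinct errors, and base64-decode `Secret.data`) is shown below as an added Python model. It is not the PR's own code (the real manager is `apisix/secret/kubernetes.lua`), and the function names `parse_uri`, `api_server`, `get`, the config keys `host`, `port`, `token_file`, `ca_file`, the fake API server and the constructed token and secret values are all assumptions made for this example so it runs offline.

```python
"""Toy model of a Kubernetes secret manager for the $secret:// URI scheme.

Added example, not APISIX code. The HTTP call and token read are injected so
the module runs offline against a constructed fake API server.
"""
import base64
import json
import os
import re
from typing import Mapping, Tuple

# Standard projected ServiceAccount paths inside a pod (assumed defaults).
SA_DIR = "/var/run/secrets/kubernetes.io/serviceaccount"
TOKEN_PATH = SA_DIR + "/token"
CA_PATH = SA_DIR + "/ca.crt"

# $secret://kubernetes/{manager-id}/{namespace}/{secret-name}/{data-key}
URI_RE = re.compile(r"^\$secret://kubernetes/([^/]+)/([^/]+)/([^/]+)/([^/]+)$")


class SecretError(Exception):
    """Raised with a message that says which step failed (auth, lookup, key)."""


def parse_uri(uri: str) -> Tuple[str, str, str, str]:
    m = URI_RE.match(uri)
    if not m:
        raise SecretError(f"malformed secret URI: {uri!r}")
    return m.group(1), m.group(2), m.group(3), m.group(4)


def api_server(conf: Mapping[str, str], env: Mapping[str, str]) -> Tuple[str, str]:
    """Explicit host/port in the manager config wins; otherwise fall back to
    the KUBERNETES_SERVICE_HOST/PORT variables injected into every pod."""
    host = conf.get("host") or env.get("KUBERNETES_SERVICE_HOST")
    port = conf.get("port") or env.get("KUBERNETES_SERVICE_PORT")
    if not host or not port:
        raise SecretError("kubernetes API server not configured and "
                          "KUBERNETES_SERVICE_HOST/PORT not set")
    return host, port


def get(conf, uri, http_get, env=None, read_token=None) -> str:
    """Resolve one $secret:// reference. http_get(url, headers, ca_file)
    must return (status_code, body_text); a real client would use ca_file
    as the TLS trust root when verifying the API server."""
    env = os.environ if env is None else env
    _manager_id, namespace, name, key = parse_uri(uri)
    host, port = api_server(conf, env)
    token_path = conf.get("token_file", TOKEN_PATH)
    token = read_token(token_path) if read_token else open(token_path).read().strip()
    url = f"https://{host}:{port}/api/v1/namespaces/{namespace}/secrets/{name}"
    status, body = http_get(url, {"Authorization": "Bearer " + token},
                            conf.get("ca_file", CA_PATH))
    if status in (401, 403):
        raise SecretError(f"kubernetes API rejected the ServiceAccount token "
                          f"(HTTP {status}) for {namespace}/{name}")
    if status == 404:
        raise SecretError(f"secret {namespace}/{name} not found")
    if status != 200:
        raise SecretError(f"unexpected HTTP {status} from kubernetes API: {body[:200]}")
    data = json.loads(body).get("data") or {}
    if key not in data:
        raise SecretError(f"key {key!r} not present in secret {namespace}/{name} "
                          f"(has: {sorted(data)})")
    # Secret.data values are base64 on the wire; callers want the plain value.
    return base64.b64decode(data[key]).decode("utf-8")


# --- constructed fake cluster so the example runs offline -------------------
FAKE_TOKEN = "constructed-sa-token"
FAKE_SECRETS = {  # "namespace/name" -> Secret.data exactly as the API returns it
    "default/api-creds": {"client_secret": base64.b64encode(b"s3cr3t-value").decode()},
}
FAKE_ENV = {"KUBERNETES_SERVICE_HOST": "10.96.0.1", "KUBERNETES_SERVICE_PORT": "443"}


def fake_http_get(url, headers, ca_file):
    """Minimal stand-in for GET /api/v1/namespaces/{ns}/secrets/{name}."""
    if headers.get("Authorization") != "Bearer " + FAKE_TOKEN:
        return 401, '{"message":"Unauthorized"}'
    m = re.search(r"/api/v1/namespaces/([^/]+)/secrets/([^/]+)$", url)
    ref = f"{m.group(1)}/{m.group(2)}" if m else ""
    if ref not in FAKE_SECRETS:
        return 404, '{"reason":"NotFound"}'
    return 200, json.dumps({"kind": "Secret", "data": FAKE_SECRETS[ref]})


def demo(uri, token=FAKE_TOKEN):
    """Resolve uri against the fake cluster; returns the value or the error text."""
    try:
        return get({}, uri, fake_http_get, env=FAKE_ENV, read_token=lambda _p: token)
    except SecretError as e:
        return f"error: {e}"


if __name__ == "__main__":
    print(demo("$secret://kubernetes/my-k8s/default/api-creds/client_secret"))
    print(demo("$secret://kubernetes/my-k8s/default/api-creds/missing"))
    print(demo("$secret://kubernetes/my-k8s/default/nope/client_secret"))
    print(demo("$secret://kubernetes/my-k8s/default/api-creds/client_secret", token="wrong"))
```

Each failure mode the PR lists (auth failure, missing secret, missing key) surfaces as its own message, which is what an operator needs when a `$secret://` reference silently resolves to nothing at request time; the manager id is parsed but unused here because in APISIX it only selects which configured manager instance handles the reference.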