
bug: unable to setup ssls with env reference

Open Sebastian-Pietrzak opened this issue 10 months ago • 7 comments

Current Behavior

I'm struggling with adding certificate with /ssls admin endpoint using env reference.

curl --location --request PUT 'http://127.0.0.1:9180/apisix/admin/ssls' \
--header 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' \
--header 'Content-Type: application/json' \
--data '{
    "id":  "some_id",
    "type": "server",
    "snis": ["localhost"],
    "cert": "$ENV://APISIX_ENV_CERT",
    "key": "$ENV://APISIX_ENV_KEY",
    "ssl_protocols": ["TLSv1.2", "TLSv1.3"]
  }'

I'm always getting this, no matter what I put inside cert/key fields unless they are proper certs.

{
    "error_msg": "invalid configuration: property \"key\" validation failed: value should match only one schema, but matches none"
}

According to the admin API documentation those fields support such env references, but it seems that's not the case. Note: I'm using such an env reference in the key-auth plugin and it works just fine, but here it seems like it doesn't expect any other pattern than a cert, and the message/logs are not helpful.

Expected Behavior

It's possible to setup ssls and provide cert location as env reference.

Error Logs

No response

Steps to Reproduce

Send following request to admin-api:

curl --location --request PUT 'http://127.0.0.1:9180/apisix/admin/ssls' \
--header 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' \
--header 'Content-Type: application/json' \
--data '{
    "id":  "some_id",
    "type": "server",
    "snis": ["localhost"],
    "cert": "$ENV://APISIX_ENV_CERT",
    "key": "$ENV://APISIX_ENV_KEY",
    "ssl_protocols": ["TLSv1.2", "TLSv1.3"]
  }'

Environment

  • APISIX version (run apisix version): 3.7.0
  • Operating system (run uname -a): Linux 4091912aa453 6.6.16-linuxkit #1 SMP Fri Feb 16 11:54:02 UTC 2024 x86_64 GNU/Linux
  • OpenResty / Nginx version (run openresty -V or nginx -V): n/a
  • etcd version, if relevant (run curl http://127.0.0.1:9090/v1/server_info): 3.5.9
  • APISIX Dashboard version, if relevant: n/a
  • Plugin runner version, for issues related to plugin runners: n/a
  • LuaRocks version, for installation issues (run luarocks --version): n/a

Sebastian-Pietrzak avatar Apr 10 '24 08:04 Sebastian-Pietrzak

From TEST18 in https://github.com/apache/apisix/blob/master/t/router/radixtree-sni2.t, it looks like it should be supported.

kayx23 avatar Apr 12 '24 02:04 kayx23

@Sebastian-Pietrzak this is a limitation (or a bug) with APISIX; using an env reference will work as expected if you use the declaration in lower case, i.e. $env:// instead of $ENV:// 😅

Would you like to fix this?

shreemaan-abhishek avatar Apr 12 '24 05:04 shreemaan-abhishek

Thanks for checking! Knowing there's workaround is helpful. I think it would make sense to fix it at some point for consistency with other places, so that nobody will have issues with this anymore.

Sebastian-Pietrzak avatar Apr 12 '24 05:04 Sebastian-Pietrzak

anyone interested in taking this up can refer to this piece of code:

https://github.com/shreemaan-abhishek/apisix/blob/1f775c8ace851a8b8862801ad35e7cf4cd00851f/apisix/schema_def.lua#L739

This is exactly where the bug is.

shreemaan-abhishek avatar Apr 12 '24 09:04 shreemaan-abhishek

> anyone interested in taking this up can refer to this piece of code:
>
> https://github.com/shreemaan-abhishek/apisix/blob/1f775c8ace851a8b8862801ad35e7cf4cd00851f/apisix/schema_def.lua#L739
>
> This is exactly where the bug is.

@shreemaan-abhishek This looks easier to fix. I want to try it out. Do you think we need to support matching both uppercase and lowercase at the same time? I would think it's necessary to consider the users who are already using it. So, the ^\\$(secret|env|SECRET|ENV):// would be better?

LinkinStars avatar Apr 15 '24 09:04 LinkinStars
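To make the failure mode concrete, here is an added example (not APISIX's own code, and not from anyone in this thread) that mirrors how a schema check like the one pointed at in schema_def.lua would treat the `cert`/`key` fields. It models each field as a `oneOf` over two sub-schemas: a length-bounded PEM blob and a secret-reference pattern. The length bounds, the exact shape of the old pattern, and the `oneOf` wording are assumptions chosen to reproduce the error message from the issue; the proposed pattern `^\$(secret|env|SECRET|ENV)://` is the one suggested above. The sample request body is the one from the issue; the PEM string is constructed filler, not a real certificate.

```python
import re

# Assumed approximation of the PEM sub-schema: a string with a minimum and
# maximum length. The real bounds live in apisix/schema_def.lua and may differ.
PEM_SCHEMA = {"minLength": 128, "maxLength": 64 * 1024}

# Assumed old pattern (lower-case only) versus the pattern proposed in the thread.
SECRET_REF_PATTERN_OLD = r"^\$(secret|env)://"
SECRET_REF_PATTERN_NEW = r"^\$(secret|env|SECRET|ENV)://"

# Request body from the issue, minus the fields the schema check here ignores.
SAMPLE_SSL_OBJECT = {
    "id": "some_id",
    "type": "server",
    "snis": ["localhost"],
    "cert": "$ENV://APISIX_ENV_CERT",
    "key": "$ENV://APISIX_ENV_KEY",
    "ssl_protocols": ["TLSv1.2", "TLSv1.3"],
}

# Constructed placeholder that only satisfies the length bounds; not a real cert.
CONSTRUCTED_PEM = (
    "-----BEGIN CERTIFICATE-----\n" + "A" * 150 + "\n-----END CERTIFICATE-----\n"
)


def matches_pem_schema(value: str) -> bool:
    """Sub-schema 1: the literal PEM text, checked only by length here."""
    return PEM_SCHEMA["minLength"] <= len(value) <= PEM_SCHEMA["maxLength"]


def matches_secret_ref(value: str, pattern: str) -> bool:
    """Sub-schema 2: a $secret:// or $env:// reference, matched by regex."""
    return re.match(pattern, value) is not None


def validate_field(name: str, value, pattern: str):
    """oneOf semantics: exactly one sub-schema must match.

    Returns (ok, error_msg). The error text copies the wording seen in the
    issue so the two cases (no match / more than one match) are recognisable.
    """
    if not isinstance(value, str):
        return False, f'invalid configuration: property "{name}" validation failed: wrong type: expected string'
    hits = int(matches_pem_schema(value)) + int(matches_secret_ref(value, pattern))
    if hits == 1:
        return True, None
    which = "none" if hits == 0 else "more than one"
    return False, (
        f'invalid configuration: property "{name}" validation failed: '
        f"value should match only one schema, but matches {which}"
    )


def validate_ssl_object(obj: dict, pattern: str):
    """Validate the two certificate-bearing fields of an /ssls object."""
    for field in ("cert", "key"):
        ok, err = validate_field(field, obj.get(field), pattern)
        if not ok:
            return False, err
    return True, None


if __name__ == "__main__":
    for label, pattern in (("old", SECRET_REF_PATTERN_OLD), ("proposed", SECRET_REF_PATTERN_NEW)):
        print(label, validate_ssl_object(SAMPLE_SSL_OBJECT, pattern))
```

Running it prints a failure for the upper-case reference under the old pattern and success under the proposed one, while `$env://...` and a full PEM body pass either way. The `oneOf` counting also makes visible why a regex widening is the right fix rather than relaxing the length check: the reference and the PEM blob are meant to be mutually exclusive shapes.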

yep, LGTM

shreemaan-abhishek avatar Apr 18 '24 14:04 shreemaan-abhishek

Should we support SecReT and enV? I don't think we should add more ugliness to the world.

I checked the secret manager code and $env is automatically applied if the read value tries to take a referent from the secret manager format. So we should use it.

bzp2010 avatar Aug 06 '24 07:08 bzp2010