
help request: Integrating APISIX with External Secret Operator

Open mayankmurari opened this issue 7 months ago • 3 comments

Description

Issue: I'm using APISIX in standalone mode and have configured a Kubernetes ExternalSecret that syncs a secret from HashiCorp Vault to a Kubernetes Secret. Now I want to reference this secret in an APISIX consumer for the key-auth or basic-auth plugin.

Setup:

  • APISIX running in standalone mode
  • Kubernetes secret created via External Secrets Operator
  • Storing all Consumer Keys (Basic Auth, Key Auth) in Vault

Question: What's the recommended way to reference Kubernetes secrets in APISIX standalone mode? Specifically:

  • Does APISIX standalone support any native Kubernetes secret integration?
  • Is environment variable substitution the only supported method?

Environment

  • APISIX version (run apisix version): 3.11.0
  • Operating system (run uname -a): NA
  • OpenResty / Nginx version (run openresty -V or nginx -V): NA
  • etcd version, if relevant (run curl http://127.0.0.1:9090/v1/server_info): NA
  • APISIX Dashboard version, if relevant: NA
  • Plugin runner version, for issues related to plugin runners: NA
  • LuaRocks version, for installation issues (run luarocks --version): NA

mayankmurari avatar Jun 04 '25 10:06 mayankmurari

The Secret resource type is provided in APISIX to handle such issues. You can refer to https://apisix.apache.org/docs/apisix/terminology/secret/

You can use environment variables to manage secrets like:

$ENV://$env_name/$sub_key

You can also just reference HashiCorp Vault secrets like:

$secret://$manager/$id/$secret_name/$key

Baoyuantop avatar Jun 05 '25 01:06 Baoyuantop

Hi @Baoyuantop Thanks for your inputs. I am able to load secret data in APISIX plugin using ENV variable.

I am connecting to vault using External Secret operator and creating kubernetes Secret object.

Setting env variable from secret key reference.

env:
  - name: BASIC_AUTH_PASSWORD
    valueFrom:
      secretKeyRef:
        name: apisix-app
        key: apisix-keyauth-credential

Using env variable in APISIX Consumer

- username: testuser
  plugins:
    basic-auth:
      username: jack2020
      password: $ENV://BASIC_AUTH_PASSWORD

Above config is working but can I not use secret key reference directly in APISIX consumers?

- username: testuser
  plugins:
    basic-auth:
      username: jack2020
      password:
        secretRef:
          name: apisix-app
          key: apisix-keyauth-credential

mayankmurari avatar Jun 05 '25 09:06 mayankmurari

> Above config is working but can I not use secret key reference directly in APISIX consumers?

Not currently supported.

Baoyuantop avatar Jun 05 '25 13:06 Baoyuantop
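
A check that can be run over the parsed consumers of a standalone config, in the same environment as the APISIX container, to confirm that every key-auth or basic-auth credential uses one of the two reference forms quoted in this thread and that each $ENV:// reference actually resolves. This is an added example, not code from the thread or from APISIX; the names classify and audit, the sample consumers, and the reading of $sub_key as a key inside a JSON-valued variable are assumptions.

```python
import json
import re

# Reference forms quoted in the thread, and each plugin's credential field.
ENV_REF = re.compile(r"^\$ENV://([^/]+)(?:/(.+))?$")
SECRET_REF = re.compile(r"^\$secret://([^/]+)/([^/]+)/([^/]+)/(.+)$")
CRED_FIELD = {"basic-auth": "password", "key-auth": "key"}

def classify(value, environ):
    """Classify one credential value as a (kind, detail) pair."""
    m = ENV_REF.match(value)
    if m:
        name, sub_key = m.groups()
        raw = environ.get(name)
        if raw is None:
            return ("env-unset", name)
        if sub_key:
            # Assumption: with a sub_key, the variable holds a JSON object.
            try:
                doc = json.loads(raw)
            except ValueError:
                doc = None
            if not isinstance(doc, dict) or sub_key not in doc:
                return ("env-bad-subkey", name)
        return ("env-ok", name)
    m = SECRET_REF.match(value)
    if m:
        return ("secret-ref", f"{m.group(1)}/{m.group(2)}")
    return ("plaintext", None)  # literal credential stored in the config

def audit(consumers, environ):
    """Return (username, plugin, kind, detail) for every credential field."""
    findings = []
    for consumer in consumers:
        for plugin, field in CRED_FIELD.items():
            conf = (consumer.get("plugins") or {}).get(plugin) or {}
            if field in conf:
                kind, detail = classify(str(conf[field]), environ)
                findings.append((consumer["username"], plugin, kind, detail))
    return findings

# Constructed sample: consumers as parsed from a standalone config file.
SAMPLE = [
    {"username": "testuser", "plugins": {"basic-auth": {
        "username": "jack2020", "password": "$ENV://BASIC_AUTH_PASSWORD"}}},
    {"username": "legacy", "plugins": {"key-auth": {"key": "hunter2"}}},
    {"username": "vaulted", "plugins": {"key-auth": {
        "key": "$secret://vault/1/jack/auth-key"}}},
]
```

Calling audit(SAMPLE, os.environ) inside the pod reports "plaintext" for literal credentials and "env-unset" when the secretKeyRef mapping is missing from the container spec.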