Posted to dev@apisix.apache.org by soulbird <so...@apache.org> on 2023/01/04 04:07:19 UTC

Change: The jwt-auth plugin uses APISIX Secret to integrate with Vault instead of using the plugin's own vault configuration item

Hi, community,

I wanted to talk to you about tweaking the way the jwt-auth plugin
integrates with Vault.

WHAT

Currently, the jwt-auth plugin can be integrated with HashiCorp Vault
to save the secret value in the Vault. Specific usage reference:
https://github.com/apache/apisix/blob/master/docs/en/latest/plugins/jwt-auth.md#usage-with-hashicorp-vault

After version 3.1.0, APISIX can connect to Vault through the Secret
resource, which is applicable to all identity authentication plugins
in APISIX and is more general. The original design can be found at:
https://github.com/apache/apisix/issues/8319

Therefore, we plan to remove the Vault configuration of the jwt-auth
plugin itself, and use the APISIX Secret resource to provide the
jwt-auth plugin with the ability to integrate with Vault.

WHY

1. Merge code with the same function to make the APISIX code base more concise
2. The jwt-auth plugin can more conveniently connect to more Secret
Managers (such as Vault)
3. The private_key of the jwt-auth plugin can also be saved in Vault

HOW

1. Delete the vault configuration of the jwt-auth plugin
2. Delete apisix/core/vault.lua

After doing this, if we need to save the secret configuration in
Vault, we can do this:

First, create the corresponding secret in the vault. You can use the
following command:

vault kv put apisix/jack jwt-key=value

Next, you can configure APISIX through the following steps:

Step 1: Add Secret resources through the Admin API, and configure the
connection information such as the address of the vault:

curl http://127.0.0.1:9180/apisix/admin/secrets/vault/1\
-H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
{
     "uri": "https://127.0.0.1:8200",
     "prefix": "apisix",
     "token": "root"
}'

Step 2: Refer to the Secret resource in the jwt-auth plugin and fill
in the secret information:

curl http://127.0.0.1:9180/apisix/admin/consumers\
-H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
{
     "username": "jack",
     "plugins": {
         "jwt-auth": {
             "key": "user-key",
             "secret": "$secret://vault/1/jack/jwt-key"
         }
     }
}'

-- 
*Shirui Zhao*
My GitHub: https://github.com/soulbird
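As an added illustration (not code from this proposal or from APISIX itself), the following Python model shows how a "$secret://vault/<id>/<path>/<field>" reference from Step 2 is resolved against the Secret resource created in Step 1 and the KV entry written by "vault kv put". The read path "<uri>/v1/<prefix>/<path>" is my assumption about the KV v1 layout, and the Vault store is an in-memory stand-in constructed for the example.

```python
import re

# Constructed Secret resource, mirroring the Admin API body from Step 1
# (keyed by manager and resource id, i.e. /apisix/admin/secrets/vault/1).
SECRET_RESOURCES = {
    ("vault", "1"): {"uri": "https://127.0.0.1:8200", "prefix": "apisix", "token": "root"},
}

# Constructed stand-in for the Vault KV store after `vault kv put apisix/jack jwt-key=value`.
# Assumption: the read path is /v1/<prefix>/<path> (KV v1) and the last segment selects the field.
FAKE_VAULT_KV = {
    "/v1/apisix/jack": {"jwt-key": "value"},
}

# $secret://<manager>/<id>/<path...>/<field>; <path> is greedy so nested KV paths work too.
REF_RE = re.compile(r"^\$secret://(?P<manager>[^/]+)/(?P<id>[^/]+)/(?P<path>.+)/(?P<field>[^/]+)$")


def parse_secret_ref(ref):
    """Split a $secret:// reference into its components, or return None if malformed."""
    m = REF_RE.match(ref)
    return m.groupdict() if m else None


def resolve_secret(ref, resources=SECRET_RESOURCES, kv=FAKE_VAULT_KV):
    """Return (value, None) on success or (None, reason) so the caller fails closed."""
    parsed = parse_secret_ref(ref)
    if parsed is None:
        return None, "not a $secret:// reference"
    if parsed["manager"] != "vault":
        return None, "unsupported secret manager: " + parsed["manager"]
    res = resources.get((parsed["manager"], parsed["id"]))
    if res is None:
        return None, "no Secret resource with id " + parsed["id"]
    # A real client would GET res["uri"] + read_path with X-Vault-Token: res["token"].
    read_path = "/v1/%s/%s" % (res["prefix"].strip("/"), parsed["path"])
    data = kv.get(read_path)
    if data is None or parsed["field"] not in data:
        return None, "secret not found at " + res["uri"] + read_path
    return data[parsed["field"]], None


def effective_jwt_secret(consumer_secret):
    """Secret the plugin would use: literal values pass through, references are resolved."""
    if consumer_secret.startswith("$secret://"):
        value, _err = resolve_secret(consumer_secret)
        return value  # None means the consumer cannot be authenticated
    return consumer_secret
```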

Re: Change: The jwt-auth plugin uses APISIX Secret to integrate with Vault instead of using the plugin's own vault configuration item

Posted by Zexuan Luo <sp...@apache.org>.
LGTM

soulbird <so...@apache.org> wrote on Wed, 4 Jan 2023 at 12:07: