Posted to dev@apisix.apache.org by soulbird <so...@apache.org> on 2023/01/04 04:07:19 UTC
Change: The jwt-auth plugin uses APISIX Secret to integrate with Vault instead of using the plugin's own vault configuration item
Hi, community,
I wanted to talk to you about tweaking the way the jwt-auth plugin
integrates with Vault.
WHAT
Currently, the jwt-auth plugin can be integrated with HashiCorp Vault
to store the secret value in Vault. See the usage reference:
https://github.com/apache/apisix/blob/master/docs/en/latest/plugins/jwt-auth.md#usage-with-hashicorp-vault
From version 3.1.0 on, APISIX can connect to Vault through the Secret
resource, which applies to all authentication plugins in APISIX and is
more general. The original design can be found at:
https://github.com/apache/apisix/issues/8319
Therefore, we plan to remove the Vault configuration of the jwt-auth
plugin itself, and use the APISIX Secret resource to provide the
jwt-auth plugin with the ability to integrate with Vault.
WHY
1. Merge code with the same function to make the APISIX code base more concise
2. The jwt-auth plugin can more conveniently connect to more secret
managers (such as Vault)
3. The private_key of the jwt-auth plugin can also be stored in Vault
HOW
1. Delete the vault configuration of the jwt-auth plugin
2. Delete apisix/core/vault.lua
After doing this, if we need to save the secret configuration in
Vault, we can do this:
First, create the corresponding secret in Vault. You can use the
following command:
vault kv put apisix/jack jwt-key=value
Next, you can configure APISIX through the following steps:
Step 1: Add a Secret resource through the Admin API, configuring the
connection information such as the Vault address:

curl http://127.0.0.1:9180/apisix/admin/secrets/vault/1 \
  -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
{
    "uri": "https://127.0.0.1:8200",
    "prefix": "apisix",
    "token": "root"
}'
Step 2: Reference the Secret resource in the jwt-auth plugin and fill
in the secret information:

curl http://127.0.0.1:9180/apisix/admin/consumers \
  -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
{
    "username": "jack",
    "plugins": {
        "jwt-auth": {
            "key": "user-key",
            "secret": "$secret://vault/1/jack/jwt-key"
        }
    }
}'
--
*Shirui Zhao*
My GitHub: https://github.com/soulbird
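As an added illustration (not APISIX's own resolver and not part of this mail), the following Python sketches how a `$secret://vault/1/jack/jwt-key` reference from Step 2 could be resolved against the Secret resource from Step 1: the reference is split into manager, resource id, KV path and field; the Secret resource supplies the Vault address, mount prefix and token; and a KV v2 read (GET /v1/<prefix>/data/<path> with an X-Vault-Token header) returns the requested field. The multi-segment key path, the exact request layout, the `SECRET_RESOURCES` registry and the in-memory fake Vault are assumptions made for this example; the HTTP transport is injected so the example runs offline.

```python
"""
Resolve "$secret://<manager>/<id>/<key-path>/<field>" references against a
Vault KV v2 secrets engine.

Illustration only, not APISIX code. Assumptions: the reference layout follows
the mail's example, a Secret resource holds uri/prefix/token, Vault's KV v2
HTTP API is used (GET /v1/<mount>/data/<path>, X-Vault-Token header), and the
transport is injected so the example runs against a fake Vault offline.
"""
import json
import urllib.request
from typing import Callable, Dict, Optional

SECRET_SCHEME = "$secret://"

# Secret resources as registered via PUT /apisix/admin/secrets/<manager>/<id>
# (constructed to mirror Step 1; "root" is a Vault dev-mode token).
SECRET_RESOURCES: Dict[str, Dict[str, dict]] = {
    "vault": {
        "1": {"uri": "https://127.0.0.1:8200", "prefix": "apisix", "token": "root"},
    },
}


def parse_reference(value: str) -> Optional[dict]:
    """Split "$secret://vault/1/jack/jwt-key" into its components.

    Returns None for plain (non-reference) values so callers pass them through.
    """
    if not value.startswith(SECRET_SCHEME):
        return None
    parts = value[len(SECRET_SCHEME):].split("/")
    # manager, id, at least one key-path segment, and the field name
    if len(parts) < 4 or any(p == "" for p in parts):
        raise ValueError(f"malformed secret reference: {value!r}")
    return {
        "manager": parts[0],
        "id": parts[1],
        "key": "/".join(parts[2:-1]),  # KV path under the mount, e.g. "jack"
        "field": parts[-1],           # field inside that entry, e.g. "jwt-key"
    }


def vault_kv2_request(conf: dict, key: str):
    """Build (url, headers) for a KV v2 read: GET <uri>/v1/<prefix>/data/<key>."""
    url = f"{conf['uri'].rstrip('/')}/v1/{conf['prefix'].strip('/')}/data/{key}"
    return url, {"X-Vault-Token": conf["token"]}


Transport = Callable[[str, Dict[str, str]], dict]


def http_get_json(url: str, headers: Dict[str, str]) -> dict:
    """Real transport: HTTP GET returning the parsed JSON body."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)


def resolve(value: str, transport: Transport = http_get_json) -> Optional[str]:
    """Return the literal value, or the field fetched from Vault for a reference.

    Returns None when Vault holds the entry but not the field; a plugin must
    treat that as "no secret configured", never use the reference string itself.
    """
    ref = parse_reference(value)
    if ref is None:
        return value
    try:
        conf = SECRET_RESOURCES[ref["manager"]][ref["id"]]
    except KeyError:
        raise LookupError(f"no Secret resource {ref['manager']}/{ref['id']}")
    url, headers = vault_kv2_request(conf, ref["key"])
    body = transport(url, headers)
    # KV v2 nests the user data under data.data; metadata sits beside it.
    return body.get("data", {}).get("data", {}).get(ref["field"])


# Fake Vault for offline use (constructed; mirrors `vault kv put apisix/jack jwt-key=value`).
FAKE_KV = {"https://127.0.0.1:8200/v1/apisix/data/jack": {"jwt-key": "value"}}


def fake_vault(url: str, headers: Dict[str, str]) -> dict:
    if headers.get("X-Vault-Token") != "root":
        raise PermissionError("403 permission denied")
    if url not in FAKE_KV:
        raise FileNotFoundError("404 secret not found")
    return {"data": {"data": FAKE_KV[url], "metadata": {"version": 1}}}


if __name__ == "__main__":
    print(resolve("$secret://vault/1/jack/jwt-key", fake_vault))
    print(resolve("plain-text-secret", fake_vault))
```

The point worth noticing is what the consumer object no longer contains: after the change the consumer carries only the reference string, and the Vault token lives in the single Secret resource, so listing consumers through the Admin API no longer exposes JWT signing keys. The resolver also returns None for a field Vault does not hold; a caller that fell back to the reference string would silently accept JWTs signed with a predictable value.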
Re: Change: The jwt-auth plugin uses APISIX Secret to integrate with Vault instead of using the plugin's own vault configuration item
Posted by Zexuan Luo <sp...@apache.org>.
LGTM
On Wed, Jan 4, 2023 at 12:07, soulbird <so...@apache.org> wrote: