Posted to notifications@apisix.apache.org by zh...@apache.org on 2023/04/07 09:31:31 UTC

[apisix-helm-chart] branch master updated: feat: support configuring APISIX admin_key via secret (#530)

This is an automated email from the ASF dual-hosted git repository.

zhangjintao pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/apisix-helm-chart.git


The following commit(s) were added to refs/heads/master by this push:
     new 23b991a  feat: support configuring APISIX admin_key via secret (#530)
23b991a is described below

commit 23b991aa41797c267a070cff1e8043c2e9f20399
Author: Jintao Zhang <zh...@gmail.com>
AuthorDate: Fri Apr 7 17:31:26 2023 +0800

    feat: support configuring APISIX admin_key via secret (#530)
    
    Signed-off-by: Jintao Zhang <zh...@gmail.com>
---
 charts/apisix/README.md                |  3 ++-
 charts/apisix/templates/_pod.tpl       | 14 ++++++++++++++
 charts/apisix/templates/configmap.yaml |  8 ++++++++
 charts/apisix/values.yaml              |  4 ++++
 4 files changed, 28 insertions(+), 1 deletion(-)

diff --git a/charts/apisix/README.md b/charts/apisix/README.md
index 1c8c2ac..642ae4b 100644
--- a/charts/apisix/README.md
+++ b/charts/apisix/README.md
@@ -42,8 +42,9 @@ The command removes all the Kubernetes components associated with the chart and
 |-----|------|---------|-------------|
 | admin.allow.ipList | list | `["127.0.0.1/24"]` | The client IP CIDR allowed to access Apache APISIX Admin API service. |
 | admin.cors | bool | `true` | Admin API support CORS response headers |
-| admin.credentials | object | `{"admin":"edd1c9f034335f136f87ad84b625c8f1","viewer":"4054f7cf07e344346cd3f287985e76a2"}` | Admin API credentials |
+| admin.credentials | object | `{"admin":"edd1c9f034335f136f87ad84b625c8f1","secretName":"","viewer":"4054f7cf07e344346cd3f287985e76a2"}` | Admin API credentials |
 | admin.credentials.admin | string | `"edd1c9f034335f136f87ad84b625c8f1"` | Apache APISIX admin API admin role credentials |
+| admin.credentials.secretName | string | `""` | The APISIX Helm chart supports storing user credentials in a secret. The secret needs to contain two keys, admin and viewer, with their respective values set. |
 | admin.credentials.viewer | string | `"4054f7cf07e344346cd3f287985e76a2"` | Apache APISIX admin API viewer role credentials |
 | admin.enabled | bool | `true` | Enable Admin API |
 | admin.externalIPs | list | `[]` | IPs for which nodes in the cluster will also accept traffic for the servic |
diff --git a/charts/apisix/templates/_pod.tpl b/charts/apisix/templates/_pod.tpl
index 49db791..50f2732 100644
--- a/charts/apisix/templates/_pod.tpl
+++ b/charts/apisix/templates/_pod.tpl
@@ -40,6 +40,20 @@ spec:
       {{- if .Values.apisix.extraEnvVars }}
       {{- include "apisix.tplvalues.render" (dict "value" .Values.apisix.extraEnvVars "context" $) | nindent 8 }}
       {{- end }}
+
+      {{- if .Values.admin.credentials.secretName }}
+        - name: APISIX_ADMIN_KEY
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.admin.credentials.secretName }}
+              key: admin
+        - name: APISIX_VIEWER_KEY
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.admin.credentials.secretName }}
+              key: viewer
+      {{- end }}
+
       ports:
         - name: http
           containerPort: {{ .Values.gateway.http.containerPort }}
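Review bot: Both `secretKeyRef` entries added after the `extraEnvVars` block are mandatory references, so once `admin.credentials.secretName` is set the pod cannot start unless that Secret exists in the release namespace and contains both the `admin` and `viewer` keys. A template comment above the `if` should say so, for example `{{- /* Secret must exist in the release namespace and hold the keys "admin" and "viewer" */}}`. The name is also interpolated unquoted; `name: {{ .Values.admin.credentials.secretName | quote }}` keeps a numeric- or boolean-looking name a string. The `env:` key these items attach to lies outside the hunk, so confirm it is rendered even when no other variable is set.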
diff --git a/charts/apisix/templates/configmap.yaml b/charts/apisix/templates/configmap.yaml
index 5549089..5fc970b 100644
--- a/charts/apisix/templates/configmap.yaml
+++ b/charts/apisix/templates/configmap.yaml
@@ -310,11 +310,19 @@ data:
         admin_key:
           # admin: can everything for configuration data
           - name: "admin"
+            {{- if .Values.admin.credentials.secretName }}
+            key: "{{"{{"}}APISIX_ADMIN_KEY{{"}}"}}"
+            {{- else }}
             key: {{ .Values.admin.credentials.admin }}
+            {{- end }}
             role: admin
           # viewer: only can view configuration data
           - name: "viewer"
+            {{- if .Values.admin.credentials.secretName }}
+            key: "{{"{{"}}APISIX_VIEWER_KEY{{"}}"}}"
+            {{- else }}
             key: {{ .Values.admin.credentials.viewer }}
+            {{- end }}
             role: viewer
 
       {{- if not (eq .Values.deployment.role "data_plane") }}
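Review bot: When `secretName` is set, the two `key:` lines render as `{{APISIX_ADMIN_KEY}}` and `{{APISIX_VIEWER_KEY}}` with no leading `$`, whereas APISIX documents environment substitution in config.yaml as `${{VAR}}`. Unless the bare form is also resolved, the Admin API keys would be those literal, guessable strings instead of the Secret's values. The lines would then need to be `key: "${{"{{"}}APISIX_ADMIN_KEY{{"}}"}}"` and `key: "${{"{{"}}APISIX_VIEWER_KEY{{"}}"}}"`. Verify by rendering the chart with `secretName` set and checking that the Admin API rejects the placeholder text as a key. The enclosing `admin_key` list begins outside the hunk.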
diff --git a/charts/apisix/values.yaml b/charts/apisix/values.yaml
index 09c7dd5..1569d26 100644
--- a/charts/apisix/values.yaml
+++ b/charts/apisix/values.yaml
@@ -308,6 +308,10 @@ admin:
     # -- Apache APISIX admin API viewer role credentials
     viewer: 4054f7cf07e344346cd3f287985e76a2
 
+    # -- The APISIX Helm chart supports storing user credentials in a secret.
+    # The secret needs to contain two keys, admin and viewer, with their respective values set.
+    secretName: ""
+
   allow:
     # -- The client IP CIDR allowed to access Apache APISIX Admin API service.
     ipList:
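Review bot: The comment added for `secretName` does not say that setting it makes the chart ignore `admin.credentials.admin` and `admin.credentials.viewer`, nor that leaving it empty keeps the fixed default keys shipped in this file in effect. Suggested wording: `# -- Name of an existing Secret in the release namespace holding the keys "admin" and "viewer"; when set, the admin and viewer values above are ignored.` Because those defaults are published with the chart, a second comment line recommending `secretName`, or overriding both keys, for any deployment that exposes the Admin API would help operators.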