Posted to notifications@apisix.apache.org by GitBox <gi...@apache.org> on 2022/11/30 03:49:44 UTC

[GitHub] [apisix] SylviaBABY commented on a diff in pull request #8421: feat: Support store secrets in secrets manager for auth plugin via kms components

SylviaBABY commented on code in PR #8421:
URL: https://github.com/apache/apisix/pull/8421#discussion_r1035500035


##########
docs/zh/latest/terminology/kms.md:
##########
@@ -107,3 +113,65 @@ curl http://127.0.0.1:9180/apisix/admin/consumers \
 ```
 
 通过以上步骤,可以将 `key-auth` 插件中的 key 配置保存在环境变量中,而不是在配置插件时明文显示。
+
+## 使用 Vault 管理密钥
+
+使用 Vault 来管理密钥意味着你可以将密钥信息保存在 Vault 服务中,在配置插件时通过特定格式的变量来引用。APISIX 目前支持对接 [Vault KV 引擎的 V1 版本](https://developer.hashicorp.com/vault/docs/secrets/kv/kv-v1).
+
+### 引用方式
+
+```
+$KMS://$secretmanager/$id/$secret_id/$key
+```
+
+- secretmanager: 密钥管理服务,可以是 vault、aws 等
+- id:KMS 资源 id, 需要和添加 KMS 资源时指定的保持一致

Review Comment:
   ```suggestion
   - id:KMS 资源 ID, 需要与添加 KMS 资源时指定的 ID 保持一致
   ```



##########
docs/zh/latest/terminology/kms.md:
##########
@@ -107,3 +113,65 @@ curl http://127.0.0.1:9180/apisix/admin/consumers \
 ```
 
 通过以上步骤,可以将 `key-auth` 插件中的 key 配置保存在环境变量中,而不是在配置插件时明文显示。
+
+## 使用 Vault 管理密钥
+
+使用 Vault 来管理密钥意味着你可以将密钥信息保存在 Vault 服务中,在配置插件时通过特定格式的变量来引用。APISIX 目前支持对接 [Vault KV 引擎的 V1 版本](https://developer.hashicorp.com/vault/docs/secrets/kv/kv-v1).
+
+### 引用方式
+
+```
+$KMS://$secretmanager/$id/$secret_id/$key
+```
+
+- secretmanager: 密钥管理服务,可以是 vault、aws 等
+- id:KMS 资源 id, 需要和添加 KMS 资源时指定的保持一致
+- secret_id: 密钥管理服务中的密钥 id
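
Review bot: The list items under 引用方式 are punctuated inconsistently: the `id` item has no space after its colon and puts a space after the comma (`id, 需要`), while the `secretmanager` and `secret_id` items use `: ` and no space after the comma. Suggest picking one form for all items so the list reads and renders uniformly.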

Review Comment:
   ```suggestion
   - secret_id: 密钥管理服务中的密钥 ID
   ```



##########
docs/zh/latest/terminology/kms.md:
##########
@@ -107,3 +113,65 @@ curl http://127.0.0.1:9180/apisix/admin/consumers \
 ```
 
 通过以上步骤,可以将 `key-auth` 插件中的 key 配置保存在环境变量中,而不是在配置插件时明文显示。
+
+## 使用 Vault 管理密钥
+
+使用 Vault 来管理密钥意味着你可以将密钥信息保存在 Vault 服务中,在配置插件时通过特定格式的变量来引用。APISIX 目前支持对接 [Vault KV 引擎的 V1 版本](https://developer.hashicorp.com/vault/docs/secrets/kv/kv-v1).
+
+### 引用方式
+
+```
+$KMS://$secretmanager/$id/$secret_id/$key
+```
+
+- secretmanager: 密钥管理服务,可以是 vault、aws 等
+- id:KMS 资源 id, 需要和添加 KMS 资源时指定的保持一致
+- secret_id: 密钥管理服务中的密钥 id
+- key: 密钥管理服务中密钥对应的 key
+
+### 示例:在 key-auth 插件中使用
+
+第一步:在 Vault 中创建对应的密钥,可以使用如下命令:
+
+```bash

Review Comment:
   ```suggestion
   ```shell
   ```



##########
docs/zh/latest/terminology/kms.md:
##########
@@ -107,3 +113,65 @@ curl http://127.0.0.1:9180/apisix/admin/consumers \
 ```
 
 通过以上步骤,可以将 `key-auth` 插件中的 key 配置保存在环境变量中,而不是在配置插件时明文显示。
+
+## 使用 Vault 管理密钥
+
+使用 Vault 来管理密钥意味着你可以将密钥信息保存在 Vault 服务中,在配置插件时通过特定格式的变量来引用。APISIX 目前支持对接 [Vault KV 引擎的 V1 版本](https://developer.hashicorp.com/vault/docs/secrets/kv/kv-v1).
+
+### 引用方式
+
+```
+$KMS://$secretmanager/$id/$secret_id/$key
+```
+
+- secretmanager: 密钥管理服务,可以是 vault、aws 等

Review Comment:
   ```suggestion
   - secretmanager: 密钥管理服务,可以是 Vault、AWS 等
   ```



##########
docs/en/latest/terminology/kms.md:
##########
@@ -107,3 +113,65 @@ curl http://127.0.0.1:9180/apisix/admin/consumers \
 ```
 
 Through the above steps, the `key` configuration in the `key-auth` plugin can be saved in the environment variable instead of being displayed in plain text when configuring the plugin.
+
+## Use Vault to manage secrets
+
+Using Vault to manage secrets means that you can store secrets information in the Vault service and refer to it through variables in a specific format when configuring plugins. APISIX currently supports [Vault KV engine version V1](https://developer.hashicorp.com/vault/docs/secrets/kv/kv-v1).
+
+### Usage
+
+```
+$KMS://$secretmanager/$id/$secret_id/$key
+```
+
+- secretmanager: secrets management service, could be the vault, aws, etc.
+- id: KMS resource id, which needs to be consistent with the one specified when adding the KMS resource
+- secret_id: the secret id in the secrets management service
+- key: the key corresponding to the secret in the secrets management service
+
+### Example: use in key-auth plugin
+
+Step 1: Create the corresponding key in the Vault, you can use the following command:
+
+```
+vault kv put apisix/jack auth-key=value
+```
+
+Step 2: Add KMS resources through the Admin API, configure the vault address and other connection information:
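
Review bot: Step 1 writes the secret with `vault kv put apisix/jack auth-key=value` but never says that the `apisix` mount has to be a KV version 1 engine, which is the only version the paragraph above says APISIX supports. On a KV v2 mount the write succeeds, yet a v1-style read of the same path will not find the secret because v2 inserts a `data/` segment into the API path. Suggest adding a sentence to Step 1 stating that the mount must be KV v1, and tagging this fence with a language so it matches the other command blocks.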

Review Comment:
   ```suggestion
   Step 2: Add KMS resources through the Admin API, configure the Vault address and other connection information:
   ```



##########
docs/en/latest/terminology/kms.md:
##########
@@ -107,3 +113,65 @@ curl http://127.0.0.1:9180/apisix/admin/consumers \
 ```
 
 Through the above steps, the `key` configuration in the `key-auth` plugin can be saved in the environment variable instead of being displayed in plain text when configuring the plugin.
+
+## Use Vault to manage secrets
+
+Using Vault to manage secrets means that you can store secrets information in the Vault service and refer to it through variables in a specific format when configuring plugins. APISIX currently supports [Vault KV engine version V1](https://developer.hashicorp.com/vault/docs/secrets/kv/kv-v1).
+
+### Usage
+
+```
+$KMS://$secretmanager/$id/$secret_id/$key
+```
+
+- secretmanager: secrets management service, could be the vault, aws, etc.
+- id: KMS resource id, which needs to be consistent with the one specified when adding the KMS resource
+- secret_id: the secret id in the secrets management service
+- key: the key corresponding to the secret in the secrets management service
+
+### Example: use in key-auth plugin
+
+Step 1: Create the corresponding key in the Vault, you can use the following command:
+
+```
+vault kv put apisix/jack auth-key=value
+```
+
+Step 2: Add KMS resources through the Admin API, configure the vault address and other connection information:
+
+```shell
+curl http://127.0.0.1:9180/apisix/admin/kms/vault/1 \
+-H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
+{
+    "uri": "https://127.0.0.1:8200",
+    "prefix": "apisix",
+    "token": "root"
+}'
+```
+
+If you use APISIX Standalone mode, you can add the following configuration in apisix.yaml:
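
Review bot: The Step 2 example stores `"token": "root"` in the KMS resource, so readers who copy it will hand APISIX a Vault root token. The feature as described only reads secrets under the `apisix` prefix, so suggest replacing the value with a placeholder for a token bound to a read-only policy on that path, and saying so in one sentence. The `X-API-KEY` header also carries a literal key; a reminder to substitute the reader's own Admin API key would help.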

Review Comment:
   ```suggestion
   If you use APISIX Standalone mode, you can add the following configuration in `apisix.yaml` configuration file:
   ```



##########
docs/zh/latest/terminology/kms.md:
##########
@@ -107,3 +113,65 @@ curl http://127.0.0.1:9180/apisix/admin/consumers \
 ```
 
 通过以上步骤,可以将 `key-auth` 插件中的 key 配置保存在环境变量中,而不是在配置插件时明文显示。
+
+## 使用 Vault 管理密钥
+
+使用 Vault 来管理密钥意味着你可以将密钥信息保存在 Vault 服务中,在配置插件时通过特定格式的变量来引用。APISIX 目前支持对接 [Vault KV 引擎的 V1 版本](https://developer.hashicorp.com/vault/docs/secrets/kv/kv-v1).

Review Comment:
   ```suggestion
   使用 Vault 来管理密钥意味着你可以将密钥信息保存在 Vault 服务中,在配置插件时通过特定格式的变量来引用。APISIX 目前支持对接 [Vault KV 引擎的 V1 版本](https://developer.hashicorp.com/vault/docs/secrets/kv/kv-v1)。
   ```



##########
docs/en/latest/terminology/kms.md:
##########
@@ -107,3 +113,65 @@ curl http://127.0.0.1:9180/apisix/admin/consumers \
 ```
 
 Through the above steps, the `key` configuration in the `key-auth` plugin can be saved in the environment variable instead of being displayed in plain text when configuring the plugin.
+
+## Use Vault to manage secrets
+
+Using Vault to manage secrets means that you can store secrets information in the Vault service and refer to it through variables in a specific format when configuring plugins. APISIX currently supports [Vault KV engine version V1](https://developer.hashicorp.com/vault/docs/secrets/kv/kv-v1).
+
+### Usage
+
+```
+$KMS://$secretmanager/$id/$secret_id/$key
+```
+
+- secretmanager: secrets management service, could be the vault, aws, etc.

Review Comment:
   ```suggestion
   - secretmanager: secrets management service, could be the Vault, AWS, etc.
   ```



##########
docs/en/latest/terminology/kms.md:
##########
@@ -107,3 +113,65 @@ curl http://127.0.0.1:9180/apisix/admin/consumers \
 ```
 
 Through the above steps, the `key` configuration in the `key-auth` plugin can be saved in the environment variable instead of being displayed in plain text when configuring the plugin.
+
+## Use Vault to manage secrets
+
+Using Vault to manage secrets means that you can store secrets information in the Vault service and refer to it through variables in a specific format when configuring plugins. APISIX currently supports [Vault KV engine version V1](https://developer.hashicorp.com/vault/docs/secrets/kv/kv-v1).
+
+### Usage
+
+```
+$KMS://$secretmanager/$id/$secret_id/$key
+```
+
+- secretmanager: secrets management service, could be the vault, aws, etc.
+- id: KMS resource id, which needs to be consistent with the one specified when adding the KMS resource
+- secret_id: the secret id in the secrets management service
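
Review bot: The reference format in the Usage block separates its four parts with `/`, but the list does not say whether `$secret_id` may itself contain `/`, as nested Vault paths do. Suggest stating how a reference is split when the secret path has more than one segment (for example, that the last segment is always `$key`), and whether the `$KMS://` prefix is case-sensitive.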

Review Comment:
   ```suggestion
   - secret_id: the secret ID in the secrets management service
   ```



##########
docs/zh/latest/terminology/kms.md:
##########
@@ -107,3 +113,65 @@ curl http://127.0.0.1:9180/apisix/admin/consumers \
 ```
 
 通过以上步骤,可以将 `key-auth` 插件中的 key 配置保存在环境变量中,而不是在配置插件时明文显示。
+
+## 使用 Vault 管理密钥
+
+使用 Vault 来管理密钥意味着你可以将密钥信息保存在 Vault 服务中,在配置插件时通过特定格式的变量来引用。APISIX 目前支持对接 [Vault KV 引擎的 V1 版本](https://developer.hashicorp.com/vault/docs/secrets/kv/kv-v1).
+
+### 引用方式
+
+```
+$KMS://$secretmanager/$id/$secret_id/$key
+```
+
+- secretmanager: 密钥管理服务,可以是 vault、aws 等
+- id:KMS 资源 id, 需要和添加 KMS 资源时指定的保持一致
+- secret_id: 密钥管理服务中的密钥 id
+- key: 密钥管理服务中密钥对应的 key
+
+### 示例:在 key-auth 插件中使用
+
+第一步:在 Vault 中创建对应的密钥,可以使用如下命令:
+
+```bash
+vault kv put apisix/jack auth-key=value
+```
+
+第二步:通过 Admin API 添加 KMS 资源,配置 vault 的地址等连接信息:
+
+```shell
+curl http://127.0.0.1:9180/apisix/admin/kms/vault/1 \
+-H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
+{
+    "uri": "https://127.0.0.1:8200",
+    "prefix": "apisix",
+    "token": "root"
+}'
+```
+
+如果使用 APISIX Standalone 版本,则可以在 apisix.yaml 中添加如下配置:

Review Comment:
   ```suggestion
   如果使用 APISIX Standalone 版本,则可以在 `apisix.yaml` 文件中添加如下配置:
   ```



##########
docs/zh/latest/terminology/kms.md:
##########
@@ -107,3 +113,65 @@ curl http://127.0.0.1:9180/apisix/admin/consumers \
 ```
 
 通过以上步骤,可以将 `key-auth` 插件中的 key 配置保存在环境变量中,而不是在配置插件时明文显示。
+
+## 使用 Vault 管理密钥
+
+使用 Vault 来管理密钥意味着你可以将密钥信息保存在 Vault 服务中,在配置插件时通过特定格式的变量来引用。APISIX 目前支持对接 [Vault KV 引擎的 V1 版本](https://developer.hashicorp.com/vault/docs/secrets/kv/kv-v1).
+
+### 引用方式
+
+```
+$KMS://$secretmanager/$id/$secret_id/$key
+```
+
+- secretmanager: 密钥管理服务,可以是 vault、aws 等
+- id:KMS 资源 id, 需要和添加 KMS 资源时指定的保持一致
+- secret_id: 密钥管理服务中的密钥 id
+- key: 密钥管理服务中密钥对应的 key
+
+### 示例:在 key-auth 插件中使用
+
+第一步:在 Vault 中创建对应的密钥,可以使用如下命令:
+
+```bash
+vault kv put apisix/jack auth-key=value
+```
+
+第二步:通过 Admin API 添加 KMS 资源,配置 vault 的地址等连接信息:

Review Comment:
   ```suggestion
   第二步:通过 Admin API 添加 KMS 资源,配置 Vault 的地址等连接信息:
   ```



##########
docs/en/latest/terminology/kms.md:
##########
@@ -107,3 +113,65 @@ curl http://127.0.0.1:9180/apisix/admin/consumers \
 ```
 
 Through the above steps, the `key` configuration in the `key-auth` plugin can be saved in the environment variable instead of being displayed in plain text when configuring the plugin.
+
+## Use Vault to manage secrets
+
+Using Vault to manage secrets means that you can store secrets information in the Vault service and refer to it through variables in a specific format when configuring plugins. APISIX currently supports [Vault KV engine version V1](https://developer.hashicorp.com/vault/docs/secrets/kv/kv-v1).
+
+### Usage
+
+```
+$KMS://$secretmanager/$id/$secret_id/$key
+```
+
+- secretmanager: secrets management service, could be the vault, aws, etc.
+- id: KMS resource id, which needs to be consistent with the one specified when adding the KMS resource

Review Comment:
   ```suggestion
   - id: KMS resource ID, which needs to be consistent with the one specified when adding the KMS resource
   ```


