feat: Autogenerate admin api key if not passed

.github/workflows/source-install.yml

@@ -88,8 +88,15 @@ jobs:
 
       - name: Test apisix
         run: |
-          curl http://127.0.0.1:9180/apisix/admin/routes/1 \
-            -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
+            wget https://github.com/mikefarah/yq/releases/download/3.4.1/yq_linux_amd64 -O /usr/bin/yq && sudo chmod +x /usr/bin/yq
+            get_admin_key() {
+                local admin_key=$(yq '.deployment.admin.admin_key[0].key' conf/config.yaml)
+                echo "$admin_key"
+            }
+            export admin_key=$(get_admin_key); echo $admin_key
+            cat conf/config.yaml
+            curl -v http://127.0.0.1:9180/apisix/admin/routes/1 \
+            -H "X-API-KEY: $admin_key" -X PUT -d '
             {
               "uri": "/get",
               "upstream": {
@@ -99,15 +106,15 @@ jobs:
                   }
               }
             }'
-          result_code=`curl -I -m 10 -o /dev/null -s -w %{http_code} http://127.0.0.1:9080/get`
-          if [[ $result_code -ne 200 ]]; then
-              printf "result_code: %s\n" "$result_code"
-              echo "===============access.log==============="
-              cat logs/access.log
-              echo "===============error.log==============="
-              cat logs/error.log
-              exit 125
-          fi
+            result_code=`curl -I -m 10 -o /dev/null -s -w %{http_code} http://127.0.0.1:9080/get`
+            if [[ $result_code -ne 200 ]]; then
+                printf "result_code: %s\n" "$result_code"
+                echo "===============access.log==============="
+                cat logs/access.log
+                echo "===============error.log==============="
+                cat logs/error.log
+                exit 125
+            fi
 
       - name: Check error log
         run: |

Makefile

@@ -41,6 +41,7 @@ ENV_DOCKER_COMPOSE     ?= docker-compose --project-directory $(CURDIR) -p $(proj
 ENV_NGINX              ?= $(ENV_NGINX_EXEC) -p $(CURDIR) -c $(CURDIR)/conf/nginx.conf
 ENV_NGINX_EXEC         := $(shell command -v openresty 2>/dev/null || command -v nginx 2>/dev/null)
 ENV_OPENSSL_PREFIX     ?= /usr/local/openresty/openssl3
+ENV_LIBYAML_INSTALL_PREFIX ?= /usr
 ENV_LUAROCKS           ?= luarocks
 ## These variables can be injected by luarocks
 ENV_INST_PREFIX        ?= /usr
@@ -131,6 +132,7 @@ deps: install-runtime
 		mkdir -p ~/.luarocks; \
 		$(ENV_LUAROCKS) config $(ENV_LUAROCKS_FLAG_LOCAL) variables.OPENSSL_LIBDIR $(addprefix $(ENV_OPENSSL_PREFIX), /lib); \
 		$(ENV_LUAROCKS) config $(ENV_LUAROCKS_FLAG_LOCAL) variables.OPENSSL_INCDIR $(addprefix $(ENV_OPENSSL_PREFIX), /include); \
+		$(ENV_LUAROCKS) config $(ENV_LUAROCKS_FLAG_LOCAL) variables.YAML_DIR $(ENV_LIBYAML_INSTALL_PREFIX); \
 		$(ENV_LUAROCKS) install apisix-master-0.rockspec --tree deps --only-deps $(ENV_LUAROCKS_SERVER_OPT); \
 	else \
 		$(call func_echo_warn_status, "WARNING: You're not using LuaRocks 3.x; please remove the luarocks and reinstall it via https://raw.githubusercontent.com/apache/apisix/master/utils/linux-install-luarocks.sh"); \

apisix-master-0.rockspec

@@ -32,6 +32,7 @@ description = {
 
 dependencies = {
     "lua-resty-ctxdump = 0.1-0",
+    "lyaml = 6.2.8",
     "api7-lua-resty-dns-client = 7.0.1",
     "lua-resty-template = 2.0",
     "lua-resty-etcd = 1.10.5",

apisix/admin/init.lua

@@ -117,7 +117,7 @@ local function set_ctx_and_check_token()
     local ok, err = check_token(api_ctx)
     if not ok then
         core.log.warn("failed to check token: ", err)
-        core.response.exit(401, { error_msg = "failed to check token" })
+        core.response.exit(401, { error_msg = "failed to check token", description = err })
     end
 end
 

apisix/cli/ops.lua

@@ -221,12 +221,9 @@ Please modify "admin_key" in conf/config.yaml .
             end
 
             if admin.key == "" then
-                util.die(help:format("ERROR: missing valid Admin API token."), "\n")
-            end
-
-            if admin.key == "edd1c9f034335f136f87ad84b625c8f1" then
                 stderr:write(
-                    help:format([[WARNING: using fixed Admin API token has security risk.]]),
+                    help:format([[WARNING: using empty Admin API.
+                    This will trigger APISIX to automatically generate a random Admin API token.]]),
                     "\n"
                 )
             end

apisix/core/id.lua

@@ -20,17 +20,22 @@
 -- @module core.id
 
 local fetch_local_conf = require("apisix.core.config_local").local_conf
-local try_read_attr    = require("apisix.core.table").try_read_attr
-local log              = require("apisix.core.log")
-local uuid             = require('resty.jit-uuid')
-local smatch           = string.match
-local open             = io.open
-
-
+local try_read_attr = require("apisix.core.table").try_read_attr
+local profile = require("apisix.core.profile")
+local log = require("apisix.core.log")
+local uuid = require("resty.jit-uuid")
+local lyaml = require("lyaml")
+local smatch = string.match
+local open = io.open
+local type = type
+local ipairs = ipairs
+local string = string
+local math = math
 local prefix = ngx.config.prefix()
 local apisix_uid
+local pairs = pairs
 
-local _M = {version = 0.1}
+local _M = { version = 0.1 }
 
 
 local function rtrim(str)
@@ -62,18 +67,78 @@ local function write_file(path, data)
 end
 
 
+local function generate_yaml(table)
+    -- By default lyaml will parse null values as []
+    -- The following logic is a workaround so that null values are parsed as null
+    local function replace_null(tbl)
+        for k, v in pairs(tbl) do
+            if type(v) == "table" then
+                replace_null(v)
+            elseif v == nil then
+                tbl[k] = "<PLACEHOLDER>"
+            end
+        end
+    end
+
+    -- Replace null values with "<PLACEHOLDER>"
+    replace_null(table)
+    local yaml = lyaml.dump({ table })
+    yaml = yaml:gsub("<PLACEHOLDER>", "null"):gsub("%[%s*%]", "null")
+    return yaml
+end
+
+
 _M.gen_uuid_v4 = uuid.generate_v4
 
 
+--- This will autogenerate the admin key if it's passed as an empty string in the configuration.
+local function autogenerate_admin_key(default_conf)
+    local changed = false
+   -- Check if deployment.role is either traditional or control_plane
+    local deployment_role = default_conf.deployment and default_conf.deployment.role
+    if deployment_role and (deployment_role == "traditional" or
+       deployment_role == "control_plane") then
+        -- Check if deployment.admin.admin_key is not nil and it's an empty string
+        local admin_keys = default_conf.deployment
+            and default_conf.deployment.admin
+            and default_conf.deployment.admin.admin_key
+        if admin_keys and type(admin_keys) == "table" then
+            for i, admin_key in ipairs(admin_keys) do
+                if admin_key.role == "admin" and admin_key.key == "" then
+                    changed = true
+                    admin_keys[i].key = ""
+                    for _ = 1, 32 do
+                        admin_keys[i].key = admin_keys[i].key ..
+                        string.char(math.random(65, 90) + math.random(0, 1) * 32)
+                    end
+                end
+            end
+        end
+    end
+    return default_conf,changed
+end
+
+
 function _M.init()
+    local local_conf = fetch_local_conf()
+
+    local local_conf, changed = autogenerate_admin_key(local_conf)
+    if changed then
+        local yaml_conf = generate_yaml(local_conf)
+        local local_conf_path = profile:yaml_path("config")
+        local ok, err = write_file(local_conf_path, yaml_conf)
+        if not ok then
+            log.error(err)
+        end
+    end
+
+    --allow user to specify a meaningful id as apisix instance id
     local uid_file_path = prefix .. "/conf/apisix.uid"
     apisix_uid = read_file(uid_file_path)
     if apisix_uid then
         return
     end
 
-    --allow user to specify a meaningful id as apisix instance id
-    local local_conf = fetch_local_conf()
     local id = try_read_attr(local_conf, "apisix", "id")
     if id then
         apisix_uid = local_conf.apisix.id
@@ -89,6 +154,7 @@ function _M.init()
     end
 end
 
+
 ---
 -- Returns the instance id of the running APISIX
 --
@@ -100,5 +166,4 @@ function _M.get()
     return apisix_uid
 end
 
-
 return _M

benchmark/run.sh

@@ -74,8 +74,8 @@ sleep 3
 
 #############################################
 echo -e "\n\napisix: $worker_cnt worker + $upstream_cnt upstream + no plugin"
-
-curl http://127.0.0.1:9180/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
+admin_key=$(yq '.deployment.admin.admin_key[0].key' conf/config.yaml | sed 's/"//g')
+curl http://127.0.0.1:9180/apisix/admin/routes/1 -H "X-API-KEY: $admin_key" -X PUT -d '
 {
     "uri": "/hello",
     "plugins": {
@@ -100,8 +100,8 @@ sleep 1
 
 #############################################
 echo -e "\n\napisix: $worker_cnt worker + $upstream_cnt upstream + 2 plugins (limit-count + prometheus)"
-
-curl http://127.0.0.1:9180/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
+admin_key=$(yq '.deployment.admin.admin_key[0].key' conf/config.yaml | sed 's/"//g')
+curl http://127.0.0.1:9180/apisix/admin/routes/1 -H "X-API-KEY: $admin_key" -X PUT -d '
 {
     "uri": "/hello",
     "plugins": {

ci/centos7-ci.sh

@@ -29,6 +29,7 @@ install_dependencies() {
         cpanminus perl \
         openssl-devel
 
+    yum install -y libyaml-devel
     # install newer curl
     yum makecache
     yum install -y libnghttp2-devel

ci/common.sh

@@ -23,6 +23,7 @@ export_version_info() {
 
 export_or_prefix() {
     export OPENRESTY_PREFIX="/usr/local/openresty"
+
     export PATH=$OPENRESTY_PREFIX/nginx/sbin:$OPENRESTY_PREFIX/luajit/bin:$OPENRESTY_PREFIX/bin:$PATH
     export OPENSSL_PREFIX=$OPENRESTY_PREFIX/openssl3
     export OPENSSL_BIN=$OPENSSL_PREFIX/bin/openssl
@@ -178,6 +179,8 @@ GRPC_SERVER_EXAMPLE_VER=20210819
 linux_get_dependencies () {
     apt update
     apt install -y cpanminus build-essential libncurses5-dev libreadline-dev libssl-dev perl libpcre3 libpcre3-dev libldap2-dev
+    apt-get install -y libyaml-dev
+    wget https://github.com/mikefarah/yq/releases/download/3.4.1/yq_linux_amd64 -O /usr/bin/yq && sudo chmod +x /usr/bin/yq
 }
 
 function start_grpc_server_example() {

ci/redhat-ci.sh

@@ -26,7 +26,7 @@ install_dependencies() {
     wget tar gcc gcc-c++ automake autoconf libtool make unzip git sudo openldap-devel hostname patch \
     which ca-certificates pcre pcre-devel xz \
     openssl-devel
-
+    yum install -y libyaml-devel
     yum install -y --disablerepo=* --enablerepo=ubi-8-appstream-rpms --enablerepo=ubi-8-baseos-rpms cpanminus perl
 
     # install newer curl

conf/config-default.yaml

@@ -170,7 +170,8 @@ nginx_config:                     # Config for render the template to generate n
   stream:
     enable_access_log: false                 # Enable stream proxy access logging.
     access_log: logs/access_stream.log       # Location of the stream access log.
-    access_log_format: "$remote_addr [$time_local] $protocol $status $bytes_sent $bytes_received $session_time" # Customize log format: http://nginx.org/en/docs/varindex.html
+    access_log_format: |
+      "$remote_addr [$time_local] $protocol $status $bytes_sent $bytes_received $session_time" # Customize log format: http://nginx.org/en/docs/varindex.html
     access_log_format_escape: default        # Escape default or json characters in variables.
     lua_shared_dict:                         # Nginx Lua shared memory zone. Size units are m or k.
       etcd-cluster-health-check-stream: 10m
@@ -208,7 +209,8 @@ nginx_config:                     # Config for render the template to generate n
     enable_access_log: true             # Enable HTTP proxy access logging.
     access_log: logs/access.log         # Location of the access log.
     access_log_buffer: 16384            # buffer size of access log.
-    access_log_format: "$remote_addr - $remote_user [$time_local] $http_host \"$request\" $status $body_bytes_sent $request_time \"$http_referer\" \"$http_user_agent\" $upstream_addr $upstream_status $upstream_response_time \"$upstream_scheme://$upstream_host$upstream_uri\""
+    access_log_format: |
+      "$remote_addr - $remote_user [$time_local] $http_host \"$request\" $status $body_bytes_sent $request_time \"$http_referer\" \"$http_user_agent\" $upstream_addr $upstream_status $upstream_response_time \"$upstream_scheme://$upstream_host$upstream_uri\""
     # Customize log format: http://nginx.org/en/docs/varindex.html
     access_log_format_escape: default   # Escape default or json characters in variables.
     keepalive_timeout: 60s              # Set the maximum time for which TCP connection keeps alive.
@@ -643,7 +645,7 @@ deployment:                    # Deployment configurations
     admin_key:
       -
         name: admin                             # admin: write access to configurations.
-        key: edd1c9f034335f136f87ad84b625c8f1   # Set API key for the admin of Admin API.
+        key: ''   # Set API key for the admin of Admin API.
         role: admin
       -
         name: viewer                            # viewer: read-only to configurations.

conf/config.yaml

@@ -59,5 +59,5 @@ deployment:
   admin:
     admin_key:
       - name: admin
-        key: edd1c9f034335f136f87ad84b625c8f1  # using fixed API token has security risk, please update it when you deploy to production environment
+        key: ''  # using fixed API token has security risk, please update it when you deploy to production environment. If passed empty then will be autogenerated by APISIX and will be written back here. Recommended is to use external mechanism to generate and store the token.
         role: admin