Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

docs: add kms env doc #8419

Merged
merged 4 commits into from
Nov 29, 2022
Merged

docs: add kms env doc #8419

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
ba25df1
docs: add kms env doc
Nov 29, 2022
1607bb9
update config.json
Nov 29, 2022
e266534
update doc
Nov 29, 2022
2956add
update doc
Nov 29, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 2 additions & 1 deletion docs/en/latest/config.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -38,7 +38,8 @@
"terminology/router",
"terminology/script",
"terminology/service",
"terminology/upstream"
"terminology/upstream",
"terminology/kms"
]
},
{
Expand Down
109 changes: 109 additions & 0 deletions docs/en/latest/terminology/kms.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,109 @@
---
title: KMS
---

<!--
#
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
-->

## Description

Secrets refer to any sensitive information required during the running process of APISIX, which may be part of the core configuration (such as the etcd's password) or some sensitive information in the plugin. Common types of Secrets in APISIX include:

- username, the password for some components (etcd, Redis, Kafka, etc.)
- the private key of the certificate
- API key
- Sensitive plugin configuration fields, typically used for authentication, hashing, signing, or encryption

KMS allows users to store Secrets through some secrets management services (Vault, etc.) in APISIX, and read them according to the key when using them to ensure that **Secrets do not exist in plain text throughout the platform**.

APISIX currently supports storing keys in environment variables.

You use KMS functions by specifying format variables in the consumer configuration of the following plugins, such as `key-auth`.

::: note

If a configuration item is: `key: "$ENV://ABC"`, when the actual value corresponding to $ENV://ABC is not retrieved in KMS, the value of the key will be "$ENV://ABC" instead of `nil`.

:::

## Use environment variables to manage keys

Using environment variables to manage keys means that you can save key information in environment variables, and refer to environment variables through variables in a specific format when configuring plugins. APISIX supports referencing system environment variables and environment variables configured through the Nginx `env` directive.

### Usage

```
$ENV://$env_name/$sub_key
```

- env_name: environment variable name
- sub_key: get the value of a property when the value of the environment variable is a JSON string

If the value of the environment variable is of type string, such as:

```
export JACK_AUTH_KEY=abc
```

It can be referenced as follows:

```
$ENV://JACK_AUTH_KEY
```

If the value of the environment variable is a JSON string like:

```
export JACK={"auth-key":"abc","openid-key": "def"}
```

It can be referenced as follows:

```
# Get the auth-key of the environment variable JACK
$ENV://JACK/auth-key

# Get the openid-key of the environment variable JACK
$ENV://JACK/openid-key
```

### Example: use in key-auth plugin

Step 1: Create environment variables before the APISIX instance starts

```
export JACK_AUTH_KEY=abc
```

Step 2: Reference the environment variable in the `key-auth` plugin

```shell
curl http://127.0.0.1:9180/apisix/admin/consumers \
-H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
{
"username": "jack",
"plugins": {
"key-auth": {
"key": "$ENV://JACK_AUTH_KEY"
}
}
}'
```

Through the above steps, the `key` configuration in the `key-auth` plugin can be saved in the environment variable instead of being displayed in plain text when configuring the plugin.
3 changes: 2 additions & 1 deletion docs/zh/latest/config.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -37,7 +37,8 @@
"terminology/router",
"terminology/script",
"terminology/service",
"terminology/upstream"
"terminology/upstream",
"terminology/kms"
]
},
{
Expand Down
109 changes: 109 additions & 0 deletions docs/zh/latest/terminology/kms.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,109 @@
---
title: KMS
---

<!--
#
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
-->

## 描述

Secrets 是指 APISIX 运行过程中所需的任何敏感信息,它可能是核心配置的一部分(如 etcd 的密码),也可能是插件中的一些敏感信息。APISIX 中常见的 Secrets 类型包括:

- 一些组件(etcd、Redis、Kafka 等)的用户名、密码
- 证书的私钥
- API 密钥
- 敏感的插件配置字段,通常用于身份验证、hash、签名或加密

KMS 允许用户在 APISIX 中通过一些密钥管理服务(Vault 等)来存储 Secrets,在使用的时候根据 key 进行读取,确保 Secrets 在整个平台中不以明文的形式存在。

APISIX 目前支持将密钥存储在环境变量中。

你可以在以下插件的 consumer 配置中通过指定格式的变量来使用 KMS 功能,比如 `key-auth` 插件。

::: note

如果某个配置项为:`key: "$ENV://ABC"`,当 KMS 中没有检索到 $ENV://ABC 对应的真实值,那么 key 的值将是 "$ENV://ABC" 而不是 `nil`。

:::

## 使用环境变量管理密钥

使用环境变量来管理密钥意味着你可以将密钥信息保存在环境变量中,在配置插件时通过特定格式的变量来引用环境变量。APISIX 支持引用系统环境变量和通过 Nginx `env` 指令配置的环境变量。

### 引用方式

```
$ENV://$env_name/$sub_key
```

- env_name: 环境变量名称
- sub_key: 当环境变量的值是 JSON 字符串时,获取某个属性的值

如果环境变量的值是字符串类型,如:

```
export JACK_AUTH_KEY=abc
```

则可以通过如下方式引用:

```
$ENV://JACK_AUTH_KEY
```

如果环境变量的值是一个 JSON 字符串,例如:

```
export JACK={"auth-key":"abc","openid-key": "def"}
```

则可以通过如下方式引用:

```
# 获取环境变量 JACK 的 auth-key
$ENV://JACK/auth-key

# 获取环境变量 JACK 的 openid-key
$ENV://JACK/openid-key
```

### 示例:在 key-auth 插件中使用

第一步:APISIX 实例启动前创建环境变量

```
export JACK_AUTH_KEY=abc
```

第二步:在 `key-auth` 插件中引用环境变量

```shell
curl http://127.0.0.1:9180/apisix/admin/consumers \
-H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
{
"username": "jack",
"plugins": {
"key-auth": {
"key": "$ENV://JACK_AUTH_KEY"
}
}
}'
```

通过以上步骤,可以将 `key-auth` 插件中的 key 配置保存在环境变量中,而不是在配置插件时明文显示。