apache / apisix

The Cloud-Native API Gateway
https://apisix.apache.org/blog/
Apache License 2.0
14.49k stars, 2.52k forks

bug: Vault Secret Engine Issue LUA Trust Certificates #11720

Open GrayHatLabs opened 1 day ago

GrayHatLabs commented 1 day ago

Current Behavior

I am running APISIX in stand-alone mode and want to use Vault for secret management.

I am using the Docker images, and I keep getting this error. I don't know how to add certificates to the trust store.

global_rules:
  - id: 1
    plugins:
      key-auth:
        header: "Authorization"

routes:
  - id: "test_route"
    uri: "/test"
    plugins:
      key-auth: {}
    upstream:
      type: roundrobin
      scheme: "https"
      nodes:
        "postb.in:443": 1

consumers:
  - username: nemus_dupper
    plugins:
      key-auth:
        key: $secret://vault/1/nemus_dupper/auth-key

secrets:
  - id: vault/1
    ssl_verify: false
    prefix: apisix
    token: hvs.asdfasdfasdfasdf
    uri: https://vault.mydomain.com:8200/

api-gateway-1 | 2024/11/07 06:41:12 [error] 37#37: *1755 [lua] secret.lua:180: fetch(): failed to fetch secret value: failed to retrtive data from vault kv engine: 20: unable to get local issuer certificate, client: 172.18.0.1, server: _, request: "GET / HTTP/1.1", host: "127.0.0.1:8080"
api-gateway-1 | 2024/11/07 06:41:12 [warn] 37#37: *1755 [lua] plugin.lua:1174: run_plugin(): key-auth exits with http status code 401, client: 172.18.0.1, server: _, request: "GET / HTTP/1.1", host: "127.0.0.1:8080"

Expected Behavior

I would like it to call the vault server I've specified in the config.

Error Logs

api-gateway-1  | 2024/11/07 06:41:12 [error] 37#37: *1755 [lua] secret.lua:180: fetch(): failed to fetch secret value: failed to retrtive data from vault kv engine: 20: unable to get local issuer certificate, client: 172.18.0.1, server: _, request: "GET / HTTP/1.1", host: "127.0.0.1:8080"
api-gateway-1  | 2024/11/07 06:41:12 [warn] 37#37: *1755 [lua] plugin.lua:1174: run_plugin(): key-auth exits with http status code 401, client: 172.18.0.1, server: _, request: "GET / HTTP/1.1", host: "127.0.0.1:8080"
api-gateway-1  | 172.18.0.1 - - [07/Nov/2024:06:41:12 +0000] 127.0.0.1:8080 "GET / HTTP/1.1" 401 52 0.006 "-" "curl/8.2.1" - - - "http://127.0.0.1:8080"

Steps to Reproduce

services:
    api-gateway:
        image: apache/apisix:latest
        environment:
            - APISIX_STAND_ALONE=true
            - LUA_SSL_TRUSTED_CERTIFICATE=/usr/local/share/ca-certificates/vault-ca.crt
        volumes:
            - ${CONFIGS:-./configs}/apisix/apisix.yaml:/usr/local/apisix/conf/apisix.yaml:ro
            - ./vault_ca.crt:/usr/local/share/ca-certificates/vault-ca.crt  # Mount the CA cert into the container
        extra_hosts:
            - "vault.mydomain.com:192.168.10.60"
        ports:
            - '${LISTEN_ADDRESS:-127.0.0.1}:8080:9080'
            - '${LISTEN_ADDRESS:-127.0.0.1}:8443:9443'
        networks:
            - public
networks:
    public:
        external: true

curl -H 'Authorization:asdfasdfasdfas' -H "Content-Type: application/json" -i http://127.0.0.1:8080

Environment

HuanXin-Chen commented 11 hours ago

This issue may help you: https://github.com/apache/apisix/issues/11657

Adding this config block to config.yaml:

apisix:
  ssl:
    ssl_trusted_certificate: /etc/ssl/certs/ca-certificates.crt
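A pre-flight check worth running before pointing `apisix.ssl.ssl_trusted_certificate` at a bundle, as an added example that is not code from this issue or from the APISIX project: it reproduces OpenSSL verify error 20 ("unable to get local issuer certificate", the code in the secret.lua log line above) when the issuing CA is absent from the store, then shows the same server certificate verifying, hostname included, once the private CA is in the bundle. It assumes only the `openssl` CLI; the CA, the leaf certificate and the name vault.mydomain.com are constructed for the demo and are not the poster's real certificates, and the bundle and mount paths are assumptions.

```shell
#!/bin/sh
# Added example, not code from the issue or from the APISIX project.
# Requires the openssl CLI. Everything under make_test_pki is a
# constructed throwaway PKI standing in for the real Vault CA and cert.

# Constructed test PKI: a private CA plus a leaf for vault.mydomain.com
# signed by it, written into the directory given as $1.
make_test_pki() {
    dir="$1"
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Private CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    cat > "$dir/leaf.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = vault.mydomain.com
EOF
    cat > "$dir/leaf.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:vault.mydomain.com
EOF
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -days 1 -config "$dir/ca.cnf" \
        -keyout "$dir/ca.key" -out "$dir/vault-ca.crt" >/dev/null 2>&1 || return 1
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -config "$dir/leaf.cnf" \
        -keyout "$dir/vault.key" -out "$dir/vault.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -days 1 -in "$dir/vault.csr" \
        -CA "$dir/vault-ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/leaf.ext" -out "$dir/vault.crt" >/dev/null 2>&1
}

# Prints the OpenSSL verification error code for cert $2 against bundle
# $1 ("" = only the default store, which stands for the container's
# distro bundle that knows nothing about a private CA), also checking
# hostname $3 when given. Prints "0" when the chain verifies.
verify_error_code() {
    bundle="$1"; cert="$2"; host="${3:-}"
    set --
    [ -n "$bundle" ] && set -- "$@" -CAfile "$bundle"
    [ -n "$host" ] && set -- "$@" -verify_hostname "$host"
    if out=$(openssl verify "$@" "$cert" 2>&1); then
        echo 0
    else
        echo "$out" | sed -n 's/.*error \([0-9][0-9]*\) at [0-9][0-9]* depth lookup.*/\1/p' | head -n 1
    fi
}

# Builds the file to reference from apisix.ssl.ssl_trusted_certificate:
# the distro bundle (kept, so other outbound TLS made from Lua still
# verifies public CAs) followed by the private Vault CA.
# $1 = output, $2 = private CA, $3 = distro bundle (skipped if unreadable).
build_trust_bundle() {
    out="$1"; private_ca="$2"; system_bundle="${3:-/etc/ssl/certs/ca-certificates.crt}"
    : > "$out"
    [ -r "$system_bundle" ] && cat "$system_bundle" >> "$out"
    cat "$private_ca" >> "$out"
}

# Stand-alone run: reproduce the failure from the issue, then the fix.
demo() {
    work=$(mktemp -d)
    make_test_pki "$work" || { echo "openssl not available"; return 1; }
    echo "default store only:      error $(verify_error_code "" "$work/vault.crt")"
    build_trust_bundle "$work/trust.crt" "$work/vault-ca.crt"
    echo "with vault-ca in bundle: error $(verify_error_code "$work/trust.crt" "$work/vault.crt" vault.mydomain.com)"
    echo "wrong hostname:          error $(verify_error_code "$work/trust.crt" "$work/vault.crt" vault.example.net)"
    echo "mount $work/trust.crt into the container and set apisix.ssl.ssl_trusted_certificate to that path"
    rm -rf "$work"
}
demo
```

The first line of the demo prints error 20, exactly what secret.lua reported; the second prints 0 and the third 62 (hostname mismatch), because the Lua client verifies the name in `uri` against the certificate as well as the chain. Two things follow for the poster's setup. First, the setting that reaches the nginx `lua_ssl_trusted_certificate` directive is `apisix.ssl.ssl_trusted_certificate` in config.yaml, as in the reply above; that directive is the trust store for every TLS connection opened from Lua, so pointing it at a merged bundle like the one `build_trust_bundle` writes, rather than at the lone Vault CA, keeps other plugin callouts verifying. Second, the `ssl_verify: false` line in the poster's `secrets` block evidently did not turn verification off, since the log still shows the chain check running and failing; the vault secret manager's documented options are `uri`, `prefix`, `token` and `namespace`, so the fix is to trust the CA, not to look for a switch that disables the check.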