Open GrayHatLabs opened 1 day ago
I am running APISIX in stand-alone mode and want to use Vault for secret management.
I am using the Docker images, and I keep getting this error. I don't know how to add certificates to the trust.
```yaml
global_rules:
  - id: 1
    plugins:
      key-auth:
        header: "Authorization"
routes:
  - id: "test_route"
    uri: "/test"
    plugins:
      key-auth: {}
    upstream:
      type: roundrobin
      scheme: "https"
      nodes:
        "postb.in:443": 1
consumers:
  - username: nemus_dupper
    plugins:
      key-auth:
        key: $secret://vault/1/nemus_dupper/auth-key
secrets:
  - id: vault/1
    ssl_verify: false
    prefix: apisix
    token: hvs.asdfasdfasdfasdf
    uri: https://vault.mydomain.com:8200/
```

```
api-gateway-1 | 2024/11/07 06:41:12 [error] 37#37: *1755 [lua] secret.lua:180: fetch(): failed to fetch secret value: failed to retrtive data from vault kv engine: 20: unable to get local issuer certificate, client: 172.18.0.1, server: _, request: "GET / HTTP/1.1", host: "127.0.0.1:8080"
api-gateway-1 | 2024/11/07 06:41:12 [warn] 37#37: *1755 [lua] plugin.lua:1174: run_plugin(): key-auth exits with http status code 401, client: 172.18.0.1, server: _, request: "GET / HTTP/1.1", host: "127.0.0.1:8080"
```
I would like it to call the vault server I've specified in the config.
```
api-gateway-1 | 2024/11/07 06:41:12 [error] 37#37: *1755 [lua] secret.lua:180: fetch(): failed to fetch secret value: failed to retrtive data from vault kv engine: 20: unable to get local issuer certificate, client: 172.18.0.1, server: _, request: "GET / HTTP/1.1", host: "127.0.0.1:8080"
api-gateway-1 | 2024/11/07 06:41:12 [warn] 37#37: *1755 [lua] plugin.lua:1174: run_plugin(): key-auth exits with http status code 401, client: 172.18.0.1, server: _, request: "GET / HTTP/1.1", host: "127.0.0.1:8080"
api-gateway-1 | 172.18.0.1 - - [07/Nov/2024:06:41:12 +0000] 127.0.0.1:8080 "GET / HTTP/1.1" 401 52 0.006 "-" "curl/8.2.1" - - - "http://127.0.0.1:8080"
```

```yaml
services:
  api-gateway:
    image: apache/apisix:latest
    environment:
      - APISIX_STAND_ALONE=true
      - LUA_SSL_TRUSTED_CERTIFICATE=/usr/local/share/ca-certificates/vault-ca.crt
    volumes:
      - ${CONFIGS:-./configs}/apisix/apisix.yaml:/usr/local/apisix/conf/apisix.yaml:ro
      - ./vault_ca.crt:/usr/local/share/ca-certificates/vault-ca.crt # Mount the CA cert into the container
    extra_hosts:
      - "vault.mydomain.com:192.168.10.60"
    ports:
      - '${LISTEN_ADDRESS:-127.0.0.1}:8080:9080'
      - '${LISTEN_ADDRESS:-127.0.0.1}:8443:9443'
    networks:
      - public
networks:
  public:
    external: true
```

```shell
curl -H 'Authorization:asdfasdfasdfas' -H "Content-Type: application/json" -i http://127.0.0.1:8080
```
apisix version
uname -a
openresty -V
nginx -V
curl http://127.0.0.1:9090/v1/server_info
luarocks --version
```
docker exec -it apisix-api-gateway-1 bash ❌1 00:01
apisix@b7e90f1785f2:/usr/local/apisix$ apisix version
/usr/local/openresty//luajit/bin/luajit ./apisix/cli/apisix.lua version
3.11.0
apisix@b7e90f1785f2:/usr/local/apisix$ uname -a
Linux b7e90f1785f2 5.15.153.1-microsoft-standard-WSL2 #1 SMP Fri Mar 29 23:14:13 UTC 2024 x86_64 GNU/Linux
apisix@b7e90f1785f2:/usr/local/apisix$ openresty -V` or `nginx -V`
> ^C
apisix@b7e90f1785f2:/usr/local/apisix$ 'penresty -V` or `nginx -V`
> ^C
apisix@b7e90f1785f2:/usr/local/apisix$ 'Openresty -V` or `nginx -V`
> ^C
apisix@b7e90f1785f2:/usr/local/apisix$ `Openresty -V` or `nginx -V`
bash: Openresty: command not found
nginx version: openresty/1.25.3.2
built by gcc 10.2.1 20210110 (Debian 10.2.1-6)
built with OpenSSL 3.2.0 23 Nov 2023
TLS SNI support enabled
configure arguments: --prefix=/usr/local/openresty/nginx --with-cc-opt='-O2 -DAPISIX_RUNTIME_VER=1.2.1 -DNGX_LUA_ABORT_AT_PANIC -I/usr/local/openresty/zlib/include -I/usr/local/openresty/pcre/include -I/usr/local/openresty/openssl3/include' --add-module=../ngx_devel_kit-0.3.3 --add-module=../echo-nginx-module-0.63 --add-module=../xss-nginx-module-0.06 --add-module=../ngx_coolkit-0.2 --add-module=../set-misc-nginx-module-0.33 --add-module=../form-input-nginx-module-0.12 --add-module=../encrypted-session-nginx-module-0.09 --add-module=../srcache-nginx-module-0.33 --add-module=../ngx_lua-0.10.26 --add-module=../ngx_lua_upstream-0.07 --add-module=../headers-more-nginx-module-0.37 --add-module=../array-var-nginx-module-0.06 --add-module=../memc-nginx-module-0.20 --add-module=../redis2-nginx-module-0.15 --add-module=../redis-nginx-module-0.3.9 --add-module=../ngx_stream_lua-0.0.14 --with-ld-opt='-Wl,-rpath,/usr/local/openresty/luajit/lib -Wl,-rpath,/usr/local/openresty/wasmtime-c-api/lib -L/usr/local/openresty/zlib/lib -L/usr/local/openresty/pcre/lib -L/usr/local/openresty/openssl3/lib -Wl,-rpath,/usr/local/openresty/zlib/lib:/usr/local/openresty/pcre/lib:/usr/local/openresty/openssl3/lib' --add-module=/tmp/tmp.0vt0zLPiwq/openresty-1.25.3.2/../mod_dubbo-1.0.2 --add-module=/tmp/tmp.0vt0zLPiwq/openresty-1.25.3.2/../ngx_multi_upstream_module-1.2.0 --add-module=/tmp/tmp.0vt0zLPiwq/openresty-1.25.3.2/../apisix-nginx-module-1.16.1 --add-module=/tmp/tmp.0vt0zLPiwq/openresty-1.25.3.2/../apisix-nginx-module-1.16.1/src/stream --add-module=/tmp/tmp.0vt0zLPiwq/openresty-1.25.3.2/../apisix-nginx-module-1.16.1/src/meta --add-module=/tmp/tmp.0vt0zLPiwq/openresty-1.25.3.2/../wasm-nginx-module-0.7.0 --add-module=/tmp/tmp.0vt0zLPiwq/openresty-1.25.3.2/../lua-var-nginx-module-v0.5.3 --add-module=/tmp/tmp.0vt0zLPiwq/openresty-1.25.3.2/../lua-resty-events-0.2.0 --with-poll_module --with-pcre-jit --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module --with-http_v2_module --with-http_v3_module --without-mail_pop3_module --without-mail_imap_module --without-mail_smtp_module --with-http_stub_status_module --with-http_realip_module --with-http_addition_module --with-http_auth_request_module --with-http_secure_link_module --with-http_random_index_module --with-http_gzip_static_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-threads --with-compat --with-stream --without-pcre2 --with-http_ssl_module
bash: or: command not found
apisix@b7e90f1785f2:/usr/local/apisix$ luarocks --version
bash: luarocks: command not found
```
This issue may help you: https://github.com/apache/apisix/issues/11657
Adding this config block to config.yaml:
```yaml
apisix:
  ssl:
    ssl_trusted_certificate: /etc/ssl/certs/ca-certificates.crt
```
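The `20: unable to get local issuer certificate` in the log above is OpenSSL's certificate-verify error 20: the issuing CA is not in the trust bundle the client was given. The script below is an added example, not part of the original thread or of APISIX; it builds a throwaway CA and server certificate (all names and files are constructed) and checks the chain against a bundle without and with the issuing CA, the same check that can be run on a bundle before pointing `ssl_trusted_certificate` at it.

```shell
#!/bin/sh
# Added example: reproduce OpenSSL verify error 20 and check a CA bundle.
# Every name below (CNs, file names) is constructed for this demonstration.

# make_ca DIR NAME CN: self-signed CA certificate DIR/NAME.crt (CA:TRUE set explicitly).
make_ca() {
  printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3_ca' 'prompt=no' \
    '[dn]' "CN=$3" '[v3_ca]' 'basicConstraints=critical,CA:TRUE' > "$1/$2.cnf"
  openssl req -x509 -config "$1/$2.cnf" -newkey rsa:2048 -nodes -days 1 \
    -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# make_leaf DIR CA_NAME CN: server certificate DIR/server.crt signed by CA_NAME.
make_leaf() {
  openssl req -new -config "$1/$2.cnf" -subj "/CN=$3" -newkey rsa:2048 -nodes \
    -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/server.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
    -CAcreateserial -days 1 -out "$1/server.crt" 2>/dev/null
}

# verify_errno BUNDLE CERT: print OpenSSL's verify error number, 0 when the chain builds.
verify_errno() {
  if out=$(openssl verify -CAfile "$1" "$2" 2>&1); then echo 0; return 0; fi
  printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
}

# run_demo: a leaf signed by a private CA, checked against two bundles.
run_demo() {
  d=$(mktemp -d) || return 1
  make_ca "$d" vault "Constructed Vault CA" &&
  make_ca "$d" other "Constructed Unrelated CA" &&
  make_leaf "$d" vault "vault.example.internal" || return 1
  # Same idea as appending a private CA to an existing bundle file.
  cat "$d/other.crt" "$d/vault.crt" > "$d/bundle.crt"
  echo "bundle without issuing CA: $(verify_errno "$d/other.crt" "$d/server.crt")"
  echo "bundle with issuing CA:    $(verify_errno "$d/bundle.crt" "$d/server.crt")"
  rm -rf "$d"
}
run_demo
```

Against a real deployment, `verify_errno` would take the bundle file the gateway is configured to trust and the server certificate saved from the Vault endpoint.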