Skip to content

fix: Support secrets for client ca#13061

Open
cybersec-jochenarnold wants to merge 1 commit intoapache:masterfrom
cybersec-jochenarnold:fix/secrets_in_ssl_client_ca
Open

fix: Support secrets for client ca#13061
cybersec-jochenarnold wants to merge 1 commit intoapache:masterfrom
cybersec-jochenarnold:fix/secrets_in_ssl_client_ca

Conversation

@cybersec-jochenarnold
Copy link

@cybersec-jochenarnold cybersec-jochenarnold commented Mar 2, 2026

Description

Allow secrets like env or secret for client ca in ssl config.
Useful to fetch ca cert directly from e.g. Vault.

Which issue(s) this PR fixes:

Fixes #13021

Checklist

  • I have explained the need for this PR and the problem it solves
  • I have explained the changes or the new features added to this PR
  • I have added tests corresponding to this change
  • I have updated the documentation to reflect this change
  • I have verified that this change is backward compatible (If not, please discuss on the APISIX mailing list first)

@cybersec-jochenarnold cybersec-jochenarnold mentioned this pull request Mar 2, 2026
Open
@cybersec-jochenarnold cybersec-jochenarnold marked this pull request as ready for review March 2, 2026 19:11
@dosubot dosubot bot added size:L This PR changes 100-499 lines, ignoring generated files. bug Something isn't working labels Mar 2, 2026
janiussyafiq
janiussyafiq reviewed Mar 2, 2026
View reviewed changes
t/node/ssl.t
Copy link
Contributor

@janiussyafiq janiussyafiq Mar 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think you can move the test case to client-mtls.t https://github.com/apache/apisix/blob/16b9d7e5b611a729c6eb99d3fbca6c8bce71f494/t/node/client-mtls.t, since the test cases involve mTLS (client side verification)

@Baoyuantop Baoyuantop requested a review from Copilot March 4, 2026 02:07
Copilot AI reviewed Mar 4, 2026
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR adds support for secret references (e.g., $env:// or $secret:// for Vault) in the client.ca field of the SSL configuration, allowing CA certificates for mTLS client verification to be fetched from secret managers like HashiCorp Vault or environment variables. This is consistent with how cert, key, certs, and keys fields already support secret URIs.

Changes:

  • Schema updated to allow client.ca to accept either a PEM certificate string or a secret URI (consistent with other SSL fields).
  • SSL validation logic updated to skip PEM validation when client.ca is a secret URI.
  • SSL router updated to read client.ca and client.depth from the secrets-resolved copy (new_ssl_value) rather than matched_ssl.value.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.

Show a summary per file
File Description
apisix/schema_def.lua Updates client.ca schema to use oneOf allowing a certificate string or a secret URI, matching the pattern used for cert, key, certs, and keys.
apisix/ssl.lua Skips PEM validation for client.ca when it is a secret URI, consistent with how cert/key validation is skipped.
apisix/ssl/router/radixtree_sni.lua Reads client.ca and client.depth from new_ssl_value (the secrets-resolved copy) instead of from the raw matched_ssl.value.
docs/en/latest/terminology/secret.md Adds mention of CA certificates and public certificates alongside private keys in the description of cryptographic material that can be stored as secrets.
t/node/ssl.t Adds TEST 8–11 covering vault and env secret support for client.ca; also stores the CA cert in vault as part of TEST 1.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

t/node/ssl.t
key = "$secret://vault/test/ssl/test.com.key",
cert = "$secret://vault/test/ssl/test.com.crt",
client = {
ca = "$secret://vault/test/ssl/test.com.3.client-ca.key"
Copy link

Copilot AI Mar 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In TEST 8, the request data for the client CA uses the wrong vault key name: "$secret://vault/test/ssl/test.com.3.client-ca.key". The vault secret was stored in TEST 1 as test.com.3.client-ca.crt, so the correct URI should be "$secret://vault/test/ssl/test.com.3.client-ca.crt". Using the .key suffix will cause the vault lookup to fail at runtime in TEST 9 since the key does not exist in vault.

The expected response body in the t.test call (line 273) correctly shows .crt, but the input data (line 260) sends .key, causing a mismatch between what is stored and what the test expects to see in the response.

Suggested change
ca = "$secret://vault/test/ssl/test.com.3.client-ca.key"
ca = "$secret://vault/test/ssl/test.com.3.client-ca.crt"

Copilot uses AI. Check for mistakes.
t/node/ssl.t
Comment on lines +296 to +299
fetching data from env uri
fetching data from env uri
fetching data from env uri
fetching data from env uri
Copy link

Copilot AI Mar 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

TEST 9 uses vault-based SSL configuration (cert, key, and client CA are all $secret://vault/... URIs from TEST 8), but the --- error_log section expects fetching data from env uri (which is the log message emitted when fetching $env:// URIs). Since the configuration uses vault secret URIs, the actual log message would be fetching data from secret uri (emitted by fetch_by_uri_secret in apisix/secret.lua). This mismatch will cause the test to fail. Compare with TEST 5, which also uses vault secrets and correctly expects fetching data from secret uri.

Suggested change
fetching data from env uri
fetching data from env uri
fetching data from env uri
fetching data from env uri
fetching data from secret uri
fetching data from secret uri
fetching data from secret uri
fetching data from secret uri

Copilot uses AI. Check for mistakes.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

+1 more reviewer

@janiussyafiq janiussyafiq janiussyafiq left review comments

Reviewers whose approvals may not affect merge requirements

At least 3 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

bug Something isn't working size:L This PR changes 100-499 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@cybersec-jochenarnold @janiussyafiq