7 changes: 6 additions & 1 deletion apisix/schema_def.lua
Expand Up @@ -838,7 +838,12 @@ _M.ssl = {
client = {
type = "object",
properties = {
ca = certificate_scheme,
ca = {
oneOf = {
certificate_scheme,
secret_uri_schema
}
},
depth = {
type = "integer",
minimum = 0,
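Review bot: `oneOf` requires exactly one branch to match, so if `certificate_scheme` and `secret_uri_schema` are both string schemas whose constraints can overlap (a long `$secret://` URI that also satisfies the certificate length bounds, for instance), a valid reference would be rejected by the schema instead of accepted. Confirm the two schemas are mutually exclusive, or use `anyOf`, keeping `client.ca` consistent with how `cert` and `key` already accept secret references (TEST 8 in t/node/ssl.t relies on that).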
8 changes: 5 additions & 3 deletions apisix/ssl.lua
Expand Up @@ -300,9 +300,11 @@ function _M.check_ssl_conf(in_dp, conf)
return nil, "client tls verify unsupported"
end

local ok, err = validate(conf.client.ca, nil)
if not ok then
return nil, "failed to validate client_cert: " .. err
if not secret.check_secret_uri(conf.client.ca) then
local ok, err = validate(conf.client.ca, nil)
if not ok then
return nil, "failed to validate client_cert: " .. err
end
end
end

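Review bot: when `conf.client.ca` is a secret URI the CA is no longer validated at admin time, so a reference that resolves to something other than a PEM CA bundle only fails later, in the data plane, when the SSL object is applied; that is worth documenting, and the failure path needs a test. Two smaller points: the error string still says `client_cert` while the value being validated is the client CA (`failed to validate client ca` would be accurate), and the hunk does not show a `local secret = require("apisix.secret")` (or equivalent) in this file, so make sure the module is actually required at the top of apisix/ssl.lua.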
6 changes: 3 additions & 3 deletions apisix/ssl/router/radixtree_sni.lua
Expand Up @@ -253,9 +253,9 @@ function _M.set(matched_ssl, sni)
return false, err
end

if matched_ssl.value.client then
local ca_cert = matched_ssl.value.client.ca
local depth = matched_ssl.value.client.depth
if new_ssl_value.client then
local ca_cert = new_ssl_value.client.ca
local depth = new_ssl_value.client.depth
if apisix_ssl.support_client_verification() then
local parsed_cert, err = apisix_ssl.fetch_cert(sni, ca_cert)
if not parsed_cert then
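Review bot: the guard `if new_ssl_value.client then` means that if secret resolution for the client block fails and the resolver leaves `client` (or `client.ca`) absent, client certificate verification is silently skipped for that SNI instead of failing closed. Confirm that a failed `$secret://` or `$env://` lookup for `ca` surfaces as an error from `apisix_ssl.fetch_cert` (the `if not parsed_cert` branch) rather than as a missing field, and cover that case in t/node/ssl.t.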
4 changes: 2 additions & 2 deletions docs/en/latest/terminology/secret.md
Expand Up @@ -23,10 +23,10 @@ title: Secret

## Description

Secrets refer to any sensitive information required during the running process of APISIX, which may be part of the core configuration (such as the etcd's password) or some sensitive information in the plugin. Common types of Secrets in APISIX include:
Secrets refer to any sensitive information required during the running process of APISIX, which may be part of the core configuration (such as the etcd's password), cryptographic material or some sensitive information in the plugin. Common types of Secrets in APISIX include:

- username, the password for some components (etcd, Redis, Kafka, etc.)
- the private key of the certificate
- the public certificate, private key and ca certificates
- API key
- Sensitive plugin configuration fields, typically used for authentication, hashing, signing, or encryption

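Review bot: this only broadens the general description of a Secret; the user-visible change of this PR is that `client.ca` in the `ssl` resource now accepts `$secret://` and `$env://` references, and that should be stated in the `ssl` resource documentation as well. Minor: `ca certificates` should read `CA certificates`.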
113 changes: 112 additions & 1 deletion t/node/ssl.t
Contributor

I think you can move the test case to client-mtls.t https://github.com/apache/apisix/blob/16b9d7e5b611a729c6eb99d3fbca6c8bce71f494/t/node/client-mtls.t, since the test cases involve mTLS (client side verification)

Expand Up @@ -30,6 +30,7 @@ BEGIN {
set_env_from_file('TEST_KEY', 't/certs/apisix.key');
set_env_from_file('TEST2_CERT', 't/certs/test2.crt');
set_env_from_file('TEST2_KEY', 't/certs/test2.key');
set_env_from_file('TEST_CA_CERT', 't/certs/mtls_ca.crt');
}

use t::APISIX 'no_plan';
Expand Down Expand Up @@ -67,7 +68,8 @@ VAULT_TOKEN='root' VAULT_ADDR='http://0.0.0.0:8200' vault kv put kv/apisix/ssl \
test.com.crt=@t/certs/apisix.crt \
test.com.key=@t/certs/apisix.key \
test.com.2.crt=@t/certs/test2.crt \
test.com.2.key=@t/certs/test2.key
test.com.2.key=@t/certs/test2.key \
test.com.3.client-ca.crt=@t/certs/mtls_ca.crt
--- response_body
Success! Data written to: kv/apisix/ssl

Expand Down Expand Up @@ -241,3 +243,112 @@ fetching data from env uri
fetching data from env uri
fetching data from env uri
fetching data from env uri


=== TEST 8: set ssl with cert, key and client ca in vault
--- config
location /t {
content_by_lua_block {
local core = require("apisix.core")
local t = require("lib.test_admin")

local data = {
snis = {"test.com"},
key = "$secret://vault/test/ssl/test.com.key",
cert = "$secret://vault/test/ssl/test.com.crt",
client = {
ca = "$secret://vault/test/ssl/test.com.3.client-ca.key"

Copilot AI Mar 4, 2026

In TEST 8, the request data for the client CA uses the wrong vault key name: "$secret://vault/test/ssl/test.com.3.client-ca.key". The vault secret was stored in TEST 1 as test.com.3.client-ca.crt, so the correct URI should be "$secret://vault/test/ssl/test.com.3.client-ca.crt". Using the .key suffix will cause the vault lookup to fail at runtime in TEST 9 since the key does not exist in vault.

The expected response body in the t.test call (line 273) correctly shows .crt, but the input data (line 260) sends .key, causing a mismatch between what is stored and what the test expects to see in the response.

Suggested change
ca = "$secret://vault/test/ssl/test.com.3.client-ca.key"
ca = "$secret://vault/test/ssl/test.com.3.client-ca.crt"

},
}

local code, body = t.test('/apisix/admin/ssls/1',
ngx.HTTP_PUT,
core.json.encode(data),
[[{
"value": {
"snis": ["test.com"],
"key": "$secret://vault/test/ssl/test.com.key",
"cert": "$secret://vault/test/ssl/test.com.crt",
"client": {
"ca": "$secret://vault/test/ssl/test.com.3.client-ca.crt"
}
},
"key": "/apisix/ssls/1"
}]]
)

ngx.status = code
ngx.say(body)
}
}
--- request
GET /t
--- response_body
passed


=== TEST 9: access to https with test.com
--- exec
curl -s -k --cacert ./t/certs/mtls_ca.crt --key ./t/certs/mtls_client.key --cert ./t/certs/mtls_client.crt https://test.com:1994/hello
--- response_body
hello world
--- error_log
fetching data from env uri
fetching data from env uri
fetching data from env uri
fetching data from env uri
Comment on lines +296 to +299

Copilot AI Mar 4, 2026

TEST 9 uses vault-based SSL configuration (cert, key, and client CA are all $secret://vault/... URIs from TEST 8), but the --- error_log section expects fetching data from env uri (which is the log message emitted when fetching $env:// URIs). Since the configuration uses vault secret URIs, the actual log message would be fetching data from secret uri (emitted by fetch_by_uri_secret in apisix/secret.lua). This mismatch will cause the test to fail. Compare with TEST 5, which also uses vault secrets and correctly expects fetching data from secret uri.

Suggested change
fetching data from env uri
fetching data from env uri
fetching data from env uri
fetching data from env uri
fetching data from secret uri
fetching data from secret uri
fetching data from secret uri
fetching data from secret uri



=== TEST 10: set ssl with cert, key and client ca in env
--- config
location /t {
content_by_lua_block {
local core = require("apisix.core")
local t = require("lib.test_admin")

local data = {
snis = {"test.com"},
key = "$env://TEST_KEY",
cert = "$env://TEST_CERT",
client = {
ca = "$env://TEST_CA_CERT"
},
}

local code, body = t.test('/apisix/admin/ssls/1',
ngx.HTTP_PUT,
core.json.encode(data),
[[{
"value": {
"snis": ["test.com"],
"key": "$env://TEST_KEY",
"cert": "$env://TEST_CERT",
"client": {
"ca": "$env://TEST_CA_CERT"
},
},
"key": "/apisix/ssls/1"
}]]
)

ngx.status = code
ngx.say(body)
}
}
--- request
GET /t
--- response_body
passed



=== TEST 11: access to https with test.com
--- exec
curl -s -k --cacert ./t/certs/mtls_ca.crt --key ./t/certs/mtls_client.key --cert ./t/certs/mtls_client.crt https://test.com:1994/hello
--- response_body
hello world
--- error_log
fetching data from env uri
fetching data from env uri
fetching data from env uri
fetching data from env uri
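Review bot: TEST 9 and TEST 11 only exercise the success path with a valid client certificate, which cannot distinguish "client verification enforced with the CA loaded from vault/env" from "client verification silently not configured"; add a negative case for each source (a `curl` to `https://test.com:1994/hello` without `--cert`/`--key` that must be rejected) so a broken secret lookup fails the test rather than passing. In both `--- exec` commands `-k` disables server certificate verification, so `--cacert ./t/certs/mtls_ca.crt` has no effect there; drop one or the other so the intent is clear. The two Copilot findings above (the `.key` suffix in the TEST 8 request data and the `fetching data from env uri` lines expected in TEST 9) should be applied before this merges.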