feat: allow to use environment variables for openid-connect plugin

[darkSheep404]

Description

feat: allow to use environment variables for openid-connect plugin

Checklist

• I have explained the need for this PR and the problem it solves
• I have explained the changes or the new features added to this PR
• I have added tests corresponding to this change
• I have updated the documentation to reflect this change
• I have verified that this change is backward compatible (If not, please discuss on the APISIX mailing list first)

[darkSheep404]

hi good morning @shreemaan-abhishek clould you kindly review this PR for me ?

[shreemaan-abhishek]

please write a test case that uses vault as well.

[shreemaan-abhishek]

this is not needed.

[darkSheep404]

this is not needed.↳

This is needed when someone puts a non-string value such as a Boolean into env var, otherwise the type inconsistency will fail the check

[brmejia]

This line is giving me some issues after apisix reload.
If line fetch_secrets is done in check_schema, the route fails showing me the following error:

2024/11/12 17:12:51 [error] 240#240: *13728 lua entry thread aborted: runtime error: ...isix/custom-plugins/apisix/plugins/openid-connect.lua:478: attempt to compare nil with number
stack traceback:
coroutine 0:
     ...isix/custom-plugins/apisix/plugins/openid-connect.lua: in function 'phase_func'
     /usr/local/apisix/apisix/plugin.lua:1166: in function 'run_plugin'
     /usr/local/apisix/apisix/init.lua:689: in function 'http_access_phase'
     access_by_lua(nginx.conf:310):2: in main chunk, client: 10.89.2.37, server: _, request: "GET /private/anything HTTP/2.0", host: "XXXX"

If I remove fetch_secrets from check_schema, the route work as expected but the following warning is shown at startup:
[warn] 187#187: *8391 [lua] utils.lua:418: find_and_log(): Using openid-connect discovery with no TLS is a security risk, context: init_worker_by_lua*
I assume that without the fetch_secrets the value of discovery is not resolved and openid checks https for it.

[darkSheep404]

So should we remove fetch_secrets from check_schema to avoid this?
By contrast, putting a Boolean value in a secret is not a particularly common case in this plugin. Typically, only string urls and secret keys will be placed in valut

[darkSheep404]

pushed this change

[shreemaan-abhishek]

please write a test case that uses vault as well.

[shreemaan-abhishek]

please add new test cases in t/plugin/openid-connect

[darkSheep404]

please write a test case that uses vault as well.↳
hi @shreemaan-abhishek
I tried to add a test for valut but I am not sure if it is correct, may need your help to have a look

[shreemaan-abhishek]

the test cases for secret resource seems correct to me, please resolve the conflicts with master so that the tests can run

[alberto-corrales]

Great contribution!! I'm looking forward to this fix, as we are using AWS Secrets Manager as a secrets provider and we need to configure the secret as an environment variable. I hope this fix is merged and released soon 🙏

[darkSheep404]

the test cases for secret resource seems correct to me, please resolve the conflicts with master so that the tests can run↳

hi @shreemaan-abhishek
The conflict has been resolved. Please help approve it when you are free so that can run the test

[brmejia]

This is exactly what I was looking for. I've tested this config on my local environment, and it works as expected.

client_id: "$env://APISIX_OIDC_CLIENT_ID"
client_secret: "$env://APISIX_OIDC_CLIENT_SECRET"
discovery: $env://APISIX_OIDC_DISCOVERY_URL

I hope this will be merged soon

[alberto-corrales]

Are there any updates on this? At the moment we have to keep a secret in our repo because of the bug that it is fixing this PR, and we need to move it to environment variables. So it would be awesome if we could have this fixed in a patch soon

[darkSheep404]

Are there any updates on this? At the moment we have to keep a secret in our repo because of the bug that it is fixing this PR, and we need to move it to environment variables. So it would be awesome if we could have this fixed in a patch soon

We need another good Samaritan to approve this change, then this PR will have three approve and be merged

[darkSheep404]

Are there any updates on this? At the moment we have to keep a secret in our repo because of the bug that it is fixing this PR, and we need to move it to environment variables. So it would be awesome if we could have this fixed in a patch soon

We need another good Samaritan to approve this change, then this PR will have three approve and be merged

@shreemaan-abhishek @nic-6443

Could any of you help approve this PR at your convenience? It has been pending here for a long time and only needs the last approver

[darkSheep404]

Are there any updates on this? At the moment we have to keep a secret in our repo because of the bug that it is fixing this PR, and we need to move it to environment variables. So it would be awesome if we could have this fixed in a patch soon

We need another good Samaritan to approve this change, then this PR will have three approve and be merged

@shreemaan-abhishek @nic-6443

Could any of you help approve this PR at your convenience? It has been pending here for a long time and only needs the last approver

hi @kayx23 @membphis @Revolyssup Could any of you help?

[shreemaan-abhishek]

I have left a comment: https://github.com/apache/apisix/pull/11451/files#r1896868940

[darkSheep404]

I have left a comment: https://github.com/apache/apisix/pull/11451/files#r1896868940

i think fetch_sercets should already return a clone conf instead of modify origianl plugin_conf
anyway, i just adopted your suggestion and committed the change which clone plugin_conf before fetch_sercets to avoid possible problems
pls have to review at your convinence, many thanks

[membphis]

performance tips:

we can use a lrucache, avoid repeated rendering of plugin_conf configuration

[darkSheep404]

performance tips:

we can use a lrucache, avoid repeated rendering of plugin_conf configuration

Thank you, but I don't fully understand your suggestion

The original way, I just used fetch_secret without clone the config first , but with this suggestion, I add table.clone before fetch_secret

I think fetch_secret itself will return a clone of conf, and if you want to optimize it, maybe can just keep using fetch_secret directly, instead of add another extra lrucache

[darkSheep404]

In addition, I noticed that two tests failed, but I don't know how to fix them. Is there anyone who is kind enough to help 😢

[membphis]

1th tip

=====bad style=====
reindex: t/plugin/openid-connect.t: done.

• echo 'you need to run '''reindex''' to fix them. Read CONTRIBUTING.md for more details.'
  you need to run 'reindex' to fix them. Read CONTRIBUTING.md for more details.
• exit 1
  make: *** [Makefile:173: lint] Error 1

2th tip

you can merge the latest master branch

[darkSheep404]

1th tip

=====bad style===== reindex: t/plugin/openid-connect.t: done.↳

• echo 'you need to run '''reindex''' to fix them. Read CONTRIBUTING.md for more details.'
  you need to run 'reindex' to fix them. Read CONTRIBUTING.md for more details.
• exit 1
  make: *** [Makefile:173: lint] Error 1

2th tip

you can merge the latest master branch↳

1th tip

=====bad style===== reindex: t/plugin/openid-connect.t: done.↳

• echo 'you need to run '''reindex''' to fix them. Read CONTRIBUTING.md for more details.'
  you need to run 'reindex' to fix them. Read CONTRIBUTING.md for more details.
• exit 1
  make: *** [Makefile:173: lint] Error 1

2th tip

you can merge the latest master branch↳

merged latest master branch

for 1th tip, cloud you kindly help to run reindex for me ?
my local windows pc no apisix source code env, we do development related to apisix use apisix offical docker image