Skip to content

Commit

Permalink
change: move admin conf under deployment (#7823)
Browse files Browse the repository at this point in the history
  • Loading branch information
spacewander authored Sep 13, 2022
1 parent c759a63 commit 2a44ba6
Show file tree
Hide file tree
Showing 61 changed files with 448 additions and 464 deletions.
6 changes: 3 additions & 3 deletions apisix/admin/init.lua
Original file line number Diff line number Diff line change
Expand Up @@ -63,8 +63,8 @@ local router

local function check_token(ctx)
local local_conf = core.config.local_conf()
if not local_conf or not local_conf.apisix
or not local_conf.apisix.admin_key then
local admin_key = core.table.try_read_attr(local_conf, "deployment", "admin", "admin_key")
if not admin_key then
return true
end

Expand All @@ -75,7 +75,7 @@ local function check_token(ctx)
end

local admin
for i, row in ipairs(local_conf.apisix.admin_key) do
for i, row in ipairs(admin_key) do
if req_token == row.key then
admin = row
break
Expand Down
2 changes: 1 addition & 1 deletion apisix/admin/v3_adapter.lua
Original file line number Diff line number Diff line change
Expand Up @@ -48,7 +48,7 @@ local function enable_v3()
return false
end

local api_ver = try_read_attr(local_conf, "apisix", "admin_api_version")
local api_ver = try_read_attr(local_conf, "deployment", "admin", "admin_api_version")
if api_ver ~= "v3" then
admin_api_version = "default"
return false
Expand Down
53 changes: 31 additions & 22 deletions apisix/cli/ops.lua
Original file line number Diff line number Diff line change
Expand Up @@ -183,8 +183,10 @@ local function init(env)

-- check the Admin API token
local checked_admin_key = false
if yaml_conf.apisix.enable_admin and yaml_conf.apisix.allow_admin then
for _, allow_ip in ipairs(yaml_conf.apisix.allow_admin) do
local allow_admin = yaml_conf.deployment.admin and
yaml_conf.deployment.admin.allow_admin
if yaml_conf.apisix.enable_admin and allow_admin then
for _, allow_ip in ipairs(allow_admin) do
if allow_ip == "127.0.0.0/24" then
checked_admin_key = true
end
Expand All @@ -198,13 +200,17 @@ local function init(env)
Please modify "admin_key" in conf/config.yaml .
]]
if type(yaml_conf.apisix.admin_key) ~= "table" or
#yaml_conf.apisix.admin_key == 0
local admin_key = yaml_conf.deployment.admin
if admin_key then
admin_key = admin_key.admin_key
end

if type(admin_key) ~= "table" or #admin_key == 0
then
util.die(help:format("ERROR: missing valid Admin API token."))
end

for _, admin in ipairs(yaml_conf.apisix.admin_key) do
for _, admin in ipairs(admin_key) do
if type(admin.key) == "table" then
admin.key = ""
else
Expand All @@ -224,6 +230,19 @@ Please modify "admin_key" in conf/config.yaml .
end
end

if yaml_conf.deployment.admin then
local admin_api_mtls = yaml_conf.deployment.admin.admin_api_mtls
local https_admin = yaml_conf.deployment.admin.https_admin
if https_admin and not (admin_api_mtls and
admin_api_mtls.admin_ssl_cert and
admin_api_mtls.admin_ssl_cert ~= "" and
admin_api_mtls.admin_ssl_cert_key and
admin_api_mtls.admin_ssl_cert_key ~= "")
then
util.die("missing ssl cert for https admin")
end
end

if yaml_conf.apisix.enable_admin and
yaml_conf.apisix.config_center == "yaml"
then
Expand Down Expand Up @@ -315,8 +334,8 @@ Please modify "admin_key" in conf/config.yaml .
-- listen in admin use a separate port, support specific IP, compatible with the original style
local admin_server_addr
if yaml_conf.apisix.enable_admin then
local ip = yaml_conf.apisix.admin_listen.ip
local port = yaml_conf.apisix.admin_listen.port
local ip = yaml_conf.deployment.admin.admin_listen.ip
local port = yaml_conf.deployment.admin.admin_listen.port
admin_server_addr = validate_and_get_listen_addr("admin port", "0.0.0.0", ip,
9180, port)
end
Expand Down Expand Up @@ -464,17 +483,6 @@ Please modify "admin_key" in conf/config.yaml .
yaml_conf.apisix.ssl.ssl_trusted_certificate = cert_path
end

local admin_api_mtls = yaml_conf.apisix.admin_api_mtls
if yaml_conf.apisix.https_admin and
not (admin_api_mtls and
admin_api_mtls.admin_ssl_cert and
admin_api_mtls.admin_ssl_cert ~= "" and
admin_api_mtls.admin_ssl_cert_key and
admin_api_mtls.admin_ssl_cert_key ~= "")
then
util.die("missing ssl cert for https admin")
end

-- enable ssl with place holder crt&key
yaml_conf.apisix.ssl.ssl_cert = "cert/ssl_PLACE_HOLDER.crt"
yaml_conf.apisix.ssl.ssl_cert_key = "cert/ssl_PLACE_HOLDER.key"
Expand Down Expand Up @@ -570,6 +578,11 @@ Please modify "admin_key" in conf/config.yaml .
for k,v in pairs(yaml_conf.nginx_config) do
sys_conf[k] = v
end
if yaml_conf.deployment.admin then
for k,v in pairs(yaml_conf.deployment.admin) do
sys_conf[k] = v
end
end
sys_conf["wasm"] = yaml_conf.wasm


Expand All @@ -588,10 +601,6 @@ Please modify "admin_key" in conf/config.yaml .
sys_conf["worker_processes"] = "auto"
end

if sys_conf.allow_admin and #sys_conf.allow_admin == 0 then
sys_conf.allow_admin = nil
end

local dns_resolver = sys_conf["dns_resolver"]
if not dns_resolver or #dns_resolver == 0 then
local dns_addrs, err = local_dns_resolver("/etc/resolv.conf")
Expand Down
64 changes: 42 additions & 22 deletions apisix/cli/schema.lua
Original file line number Diff line number Diff line change
Expand Up @@ -65,6 +65,7 @@ local etcd_schema = {
},
required = {"prefix", "host"}
}

local config_schema = {
type = "object",
properties = {
Expand Down Expand Up @@ -133,19 +134,6 @@ local config_schema = {
}
}
},
https_admin = {
type = "boolean",
},
admin_listen = {
properties = {
listen = { type = "string" },
port = { type = "integer" },
},
default = {
listen = "0.0.0.0",
port = 9180,
}
},
stream_proxy = {
type = "object",
properties = {
Expand Down Expand Up @@ -292,17 +280,51 @@ local config_schema = {
type = "object",
properties = {
role = {
enum = {"traditional", "control_plane", "data_plane", "standalone"}
enum = {"traditional", "control_plane", "data_plane", "standalone"},
default = "traditional"
}
},
},
},
required = {"apisix", "deployment"},
}

local admin_schema = {
type = "object",
properties = {
admin_key = {
type = "array",
properties = {
items = {
properties = {
name = {type = "string"},
key = {type = "string"},
role = {type = "string"},
}
}
}
},
admin_listen = {
properties = {
listen = { type = "string" },
port = { type = "integer" },
},
required = {"role"},
default = {
listen = "0.0.0.0",
port = 9180,
}
},
https_admin = {
type = "boolean",
},
}
}

local deployment_schema = {
traditional = {
properties = {
etcd = etcd_schema,
admin = admin_schema,
role_traditional = {
properties = {
config_provider = {
Expand Down Expand Up @@ -402,13 +424,11 @@ function _M.validate(yaml_conf)
end
end

if yaml_conf.deployment then
local role = yaml_conf.deployment.role
local validator = jsonschema.generate_validator(deployment_schema[role])
local ok, err = validator(yaml_conf.deployment)
if not ok then
return false, "invalid deployment " .. role .. " configuration: " .. err
end
local role = yaml_conf.deployment.role
local validator = jsonschema.generate_validator(deployment_schema[role])
local ok, err = validator(yaml_conf.deployment)
if not ok then
return false, "invalid deployment " .. role .. " configuration: " .. err
end

return true
Expand Down
2 changes: 1 addition & 1 deletion apisix/init.lua
Original file line number Diff line number Diff line change
Expand Up @@ -762,7 +762,7 @@ end

local function cors_admin()
local_conf = core.config.local_conf()
if local_conf.apisix and not local_conf.apisix.enable_admin_cors then
if not core.table.try_read_attr(local_conf, "deployment", "admin", "enable_admin_cors") then
return
end

Expand Down
5 changes: 0 additions & 5 deletions benchmark/run.sh
Original file line number Diff line number Diff line change
Expand Up @@ -68,11 +68,6 @@ else
fi

echo "
apisix:
admin_key:
- name: admin
key: edd1c9f034335f136f87ad84b625c8f1
role: admin
nginx_config:
worker_processes: ${worker_cnt}
" > conf/config.yaml
Expand Down
66 changes: 34 additions & 32 deletions conf/config-default.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,6 @@ apisix:
# port: 9082
# enable_http2: true
enable_admin: true
enable_admin_cors: true # Admin API support CORS response headers.
enable_dev_mode: false # Sets nginx worker_processes to 1 if set to true
enable_reuseport: true # Enable nginx SO_REUSEPORT switch if set to true.
show_upstream_status_in_response_header: false # when true all upstream status write to `X-APISIX-Upstream-Status` otherwise only 5xx code
Expand Down Expand Up @@ -71,37 +70,6 @@ apisix:
- name: memory_cache
memory_size: 50m

allow_admin: # http://nginx.org/en/docs/http/ngx_http_access_module.html#allow
- 127.0.0.0/24 # If we don't set any IP list, then any IP access is allowed by default.
#- "::/64"
admin_listen: # use a separate port
ip: 0.0.0.0 # Specific IP, if not set, the default value is `0.0.0.0`.
port: 9180 # Specific port, which must be different from node_listen's port.

#https_admin: true # enable HTTPS when use a separate port for Admin API.
# Admin API will use conf/apisix_admin_api.crt and conf/apisix_admin_api.key as certificate.
admin_api_mtls: # Depends on `admin_listen` and `https_admin`.
admin_ssl_cert: "" # Path of your self-signed server side cert.
admin_ssl_cert_key: "" # Path of your self-signed server side key.
admin_ssl_ca_cert: "" # Path of your self-signed ca cert.The CA is used to sign all admin api callers' certificates.

admin_api_version: v3 # The version of admin api, latest version is v3.

# Default token when use API to call for Admin API.
# *NOTE*: Highly recommended to modify this value to protect APISIX's Admin API.
# Disabling this configuration item means that the Admin API does not
# require any authentication.
admin_key:
-
name: admin
key: edd1c9f034335f136f87ad84b625c8f1
role: admin # admin: manage all configuration data
# viewer: only can view configuration data
-
name: viewer
key: 4054f7cf07e344346cd3f287985e76a2
role: viewer

delete_uri_tail_slash: false # delete the '/' at the end of the URI
# The URI normalization in servlet is a little different from the RFC's.
# See https://github.com/jakartaee/servlet/blob/master/spec/src/main/asciidoc/servlet-spec-body.adoc#352-uri-path-canonicalization,
Expand Down Expand Up @@ -543,6 +511,40 @@ deployment:
role: traditional
role_traditional:
config_provider: etcd
admin:
# Default token when use API to call for Admin API.
# *NOTE*: Highly recommended to modify this value to protect APISIX's Admin API.
# Disabling this configuration item means that the Admin API does not
# require any authentication.
admin_key:
-
name: admin
key: edd1c9f034335f136f87ad84b625c8f1
role: admin # admin: manage all configuration data
# viewer: only can view configuration data
-
name: viewer
key: 4054f7cf07e344346cd3f287985e76a2
role: viewer

enable_admin_cors: true # Admin API support CORS response headers.
allow_admin: # http://nginx.org/en/docs/http/ngx_http_access_module.html#allow
- 127.0.0.0/24 # If we don't set any IP list, then any IP access is allowed by default.
#- "::/64"
admin_listen: # use a separate port
ip: 0.0.0.0 # Specific IP, if not set, the default value is `0.0.0.0`.
port: 9180 # Specific port, which must be different from node_listen's port.

#https_admin: true # enable HTTPS when use a separate port for Admin API.
# Admin API will use conf/apisix_admin_api.crt and conf/apisix_admin_api.key as certificate.

admin_api_mtls: # Depends on `admin_listen` and `https_admin`.
admin_ssl_cert: "" # Path of your self-signed server side cert.
admin_ssl_cert_key: "" # Path of your self-signed server side key.
admin_ssl_ca_cert: "" # Path of your self-signed ca cert.The CA is used to sign all admin api callers' certificates.

admin_api_version: v3 # The version of admin api, latest version is v3.

etcd:
host: # it's possible to define multiple etcd hosts addresses of the same etcd cluster.
- "http://127.0.0.1:2379" # multiple etcd address, if your etcd cluster enables TLS, please use https scheme,
Expand Down
14 changes: 9 additions & 5 deletions conf/config.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -52,8 +52,12 @@
#
# This will find environment variable `ETCD_HOST` first, and if it's not exist it will use `localhost` as default value.
#
apisix:
admin_key:
- name: admin
key: edd1c9f034335f136f87ad84b625c8f1 # using fixed API token has security risk, please update it when you deploy to production environment
role: admin
deployment:
role: traditional
role_traditional:
config_provider: etcd
admin:
admin_key:
- name: admin
key: edd1c9f034335f136f87ad84b625c8f1 # using fixed API token has security risk, please update it when you deploy to production environment
role: admin
16 changes: 9 additions & 7 deletions docs/en/latest/FAQ.md
Original file line number Diff line number Diff line change
Expand Up @@ -365,10 +365,11 @@ You can follow the steps below to configure this:
1. Configure different ports for Apache APISIX proxy and Admin API. Or, disable the Admin API.

```yaml
apisix:
admin_listen: # use a separate port
ip: 127.0.0.1
port: 9180
deployment:
admin:
admin_listen: # use a separate port
ip: 127.0.0.1
port: 9180
```

2. Add a proxy Route for the Apache APISIX dashboard:
Expand Down Expand Up @@ -501,9 +502,10 @@ By default, Apache APISIX only allows IPs in the range `127.0.0.0/24` to access
To allow IPs in all ranges, you can update your configuration file as show below and restart or reload Apache APISIX.

```yaml
apisix:
allow_admin:
- 0.0.0.0/0
deployment:
admin:
allow_admin:
- 0.0.0.0/0
```

**Note**: This should only be used in non-production environments to allow all clients to access Apache APISIX and is not safe for production environments. Always authorize specific IP addresses or address ranges for production environments.
Expand Down
Loading

0 comments on commit 2a44ba6

Please sign in to comment.