fix(stream): initialize env and secret for TLS cert resolution#12935
suryaparua-official wants to merge 5 commits into apache:master
Conversation
Hi @suryaparua-official, we need to add a test case for this fix.

I've added a Stream TLS test covering
```perl
BEGIN {
    use t::APISIX;

    $ENV{APISIX_STREAM_ENV_CERT} = t::APISIX::read_file("t/certs/apisix.crt");
    $ENV{APISIX_STREAM_ENV_KEY} = t::APISIX::read_file("t/certs/apisix.key");
}
```
You can refer to https://github.com/apache/apisix/blob/master/t/node/ssl.t#L18-L33
Hi @suryaparua-official, this still needs some tweaking.
I've added test coverage for

I've fixed the remaining issues. Please let me know if anything else is needed.

Hi @suryaparua-official, please fix the code lint error.
Pull request overview
This PR fixes Stream TLS certificate/key resolution for $ENV://... and $secret://... references by aligning Stream initialization with the existing HTTP initialization flow.
Changes:
- Initialize core.env during stream_init so env references can be resolved during Stream TLS handshakes.
- Initialize apisix_secret during stream_init_worker so secret references are available in Stream TLS mode.
- Add Stream TLS regression tests covering both $ENV:// and $secret:// certificate/key references.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| apisix/init.lua | Adds missing env + secret subsystem initialization for the Stream lifecycle to enable $ENV:// and $secret:// TLS cert resolution. |
| t/stream-node/tls.t | Adds regression tests validating that Stream TLS works with env-backed and Vault-backed certificate references. |
```lua
if code >= 300 then
    ngx.status = code
end

ngx.say("passed")
}
```
In this test block, if creating the stream_route fails (code >= 300) you still respond with body "passed". Even though the status is set to the error code, this hides the actual error response and makes failures harder to debug. Consider returning early on error and outputting the admin API response body instead of always printing "passed".
```lua
if code >= 300 then
    ngx.status = code
end

ngx.say("passed")
}
```
Same pattern here: when the stream_route creation fails (code >= 300), the handler still prints "passed". This discards the actual error payload from the admin API and makes the test output misleading. Return early and print the error body when code indicates failure.
I've fixed the code lint related issues. Please let me know if anything else needs adjustment.
Description
This PR fixes an issue where $ENV:// and $secret:// certificate references were not resolved in Stream TLS mode. While the same configuration works correctly in HTTP, Stream TLS was passing the raw reference strings directly to OpenSSL, which resulted in TLS handshake failures.
Root cause
The Stream lifecycle was missing initializations that already exist in HTTP: core.env.init() and apisix_secret.init_worker(). Because of this, environment variables and secrets were not available when certificates were loaded during the TLS handshake.
Fix
This change aligns Stream initialization with HTTP by initializing the
environment and secret subsystems for Stream.
Notes
This change follows the same initialization flow already used in HTTP mode
and addresses the missing setup in Stream TLS.
Related issue
Fixes #12934
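As an added illustration (not code from this PR or from APISIX), the following stand-alone Lua sketch shows what the Stream TLS path was missing: a reference such as `$ENV://APISIX_STREAM_ENV_CERT` or `$secret://vault/1/cert` has to be resolved to PEM before it reaches the TLS layer, and an unresolvable reference should fail closed with a readable error instead of being handed to OpenSSL as a literal string. The `fake_env` and `fake_secrets` tables, the function names and the PEM fragments are constructed for the example; in APISIX the real lookups are performed by `core.env` and `apisix_secret`, which is exactly what this PR initialises for the Stream subsystem.

```lua
-- Added example, not APISIX code: resolve certificate/key references the way
-- the Stream TLS path must, failing closed when a reference cannot be resolved.

-- Constructed stand-ins for the process environment and the secret backend
-- (hypothetical; APISIX uses core.env and apisix_secret for this).
local fake_env = {
    APISIX_STREAM_ENV_CERT = "-----BEGIN CERTIFICATE-----\nMIIB...constructed...\n-----END CERTIFICATE-----\n",
    APISIX_STREAM_ENV_KEY  = "-----BEGIN PRIVATE KEY-----\nMIIE...constructed...\n-----END PRIVATE KEY-----\n",
}
local fake_secrets = {
    -- keyed by "<manager>/<id>", mirroring the $secret://<manager>/<id>/<key> layout
    ["vault/1"] = {
        cert = fake_env.APISIX_STREAM_ENV_CERT,
        key  = fake_env.APISIX_STREAM_ENV_KEY,
    },
}

-- Resolve one reference to its raw value. Returns the value, or nil plus an error.
local function resolve_ref(ref)
    if type(ref) ~= "string" or ref == "" then
        return nil, "reference must be a non-empty string"
    end

    local env_name = ref:match("^%$ENV://(.+)$")
    if env_name then
        local val = fake_env[env_name]   -- os.getenv(env_name) in a real deployment
        if not val then
            return nil, "env var " .. env_name .. " is not set"
        end
        return val
    end

    local manager, id, key = ref:match("^%$secret://([^/]+)/([^/]+)/(.+)$")
    if manager then
        local store = fake_secrets[manager .. "/" .. id]
        if not store or not store[key] then
            return nil, "secret " .. ref .. " not found"
        end
        return store[key]
    end

    -- Anything else is treated as literal PEM and validated by the caller.
    return ref
end

-- Cheap sanity check so a non-PEM string never reaches OpenSSL, where it would
-- only surface as an opaque handshake failure.
local function looks_like_pem(s)
    return s:find("^%-%-%-%-%-BEGIN ") ~= nil
end

-- Resolve a cert/key pair; any failure aborts before TLS setup begins.
local function load_cert_pair(cert_ref, key_ref)
    local cert, err = resolve_ref(cert_ref)
    if not cert then
        return nil, nil, "cert: " .. err
    end
    local key, err2 = resolve_ref(key_ref)
    if not key then
        return nil, nil, "key: " .. err2
    end
    if not looks_like_pem(cert) or not looks_like_pem(key) then
        return nil, nil, "resolved material is not PEM; refusing to pass it to TLS"
    end
    return cert, key
end

-- Usage with the constructed inputs above.
local cert, key, err = load_cert_pair("$ENV://APISIX_STREAM_ENV_CERT",
                                      "$ENV://APISIX_STREAM_ENV_KEY")
assert(cert and key, err)

local _, _, err2 = load_cert_pair("$ENV://APISIX_STREAM_ENV_CERT", "$ENV://NOT_SET")
assert(err2 == "key: env var NOT_SET is not set")

local _, _, err3 = load_cert_pair("$secret://vault/1/cert", "$secret://vault/1/nope")
assert(err3 == "key: secret $secret://vault/1/nope not found")

local _, _, err4 = load_cert_pair("$ENV://APISIX_STREAM_ENV_CERT", "literal-not-pem")
assert(err4 == "resolved material is not PEM; refusing to pass it to TLS")

print("reference resolution checks passed")
```

The point of the final PEM check is the one this PR's root cause makes: when the resolver is never initialised, the reference string itself travels on as if it were the certificate, and the only symptom is a failed handshake. Refusing non-PEM material up front turns that into a configuration error that names the unresolved reference.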