Skip to content

feat: add more config for gatewayproxy#885

Merged
AlinsRan merged 3 commits intoapache:masterfrom
AlinsRan:feat/ingress-gatewayproxy-config
Oct 17, 2025
Merged

feat: add more config for gatewayproxy#885
AlinsRan merged 3 commits intoapache:masterfrom
AlinsRan:feat/ingress-gatewayproxy-config

Conversation

@AlinsRan
Copy link
Copy Markdown
Contributor

@AlinsRan AlinsRan commented Oct 16, 2025
edited
Loading

@AlinsRan AlinsRan marked this pull request as ready for review October 17, 2025 00:06
ronething
ronething approved these changes Oct 17, 2025
View reviewed changes
Copy link
Copy Markdown
Contributor

@ronething ronething left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm.

@AlinsRan AlinsRan merged commit 4883379 into apache:master Oct 17, 2025
2 checks passed
@vichaos
Copy link
Copy Markdown

vichaos commented Oct 20, 2025

Hi @AlinsRan and team! 👋

First, thank you for this excellent fix! This addresses a critical security issue we've been experiencing in our production environment.

Our Current Situation

We're currently using APISIX Helm chart version 2.12.1 and encountering the exact issue this PR fixes. When we configure the GatewayProxy to use secret-based authentication, the generated resource includes both the hardcoded admin key and our secret reference:

apiVersion: apisix.apache.org/v1alpha1
kind: GatewayProxy
spec:
  provider:
    controlPlane:
      auth:
        adminKey:
          value: edd1c9f034335f136f87ad84b625c8f1  # ❌ Hardcoded default
          valueFrom:
            secretKeyRef:
              key: ADMIN_KEY
              name: apisix-private

This creates security concerns as the hardcoded admin key appears alongside our intended secret-based authentication.

Our Configuration

gatewayProxy:
  provider:
    controlPlane:
      auth:
        type: AdminKey
        adminKey:
          valueFrom:
            secretKeyRef:
              name: apisix-private
              key: ADMIN_KEY

Questions

  1. Release Timeline: When can we expect this fix to be available in a released chart version? Will it be in 2.12.2 or 2.13.0?

  2. Workaround Confirmation: In the meantime, we've implemented the same conditional logic fix locally. Can you confirm this is the recommended approach until the official release?

Impact

This issue affects anyone using secret-based authentication for GatewayProxy in production environments, as it exposes hardcoded credentials alongside the intended secret references.

Thank you again for addressing this issue! Looking forward to the official release. 🙏

Environment Details:

  • Chart Version: 2.12.1
  • APISIX Version: 3.14.1
  • Use Case: Production deployment with secret-based admin authentication

@AlinsRan
Copy link
Copy Markdown
Contributor Author

AlinsRan commented Oct 23, 2025

@vichaos Thank you for your feedback. The next version is expected to be released in a few days.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ronething ronething ronething approved these changes

@Revolyssup Revolyssup Revolyssup approved these changes

@bzp2010 bzp2010 Awaiting requested review from bzp2010

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@AlinsRan @vichaos @ronething @Revolyssup