KNEL/KNELProductionContainers
2
0
Fork 0
Code Pull Requests Actions Packages Releases Activity

feat(apisix): add Cloudron package

Browse Source 
- Implements Apache APISIX packaging for Cloudron platform.
- Includes Dockerfile, CloudronManifest.json, and start.sh.
- Configured to use Cloudron's etcd addon.

🤖 Generated with Gemini CLI
Co-Authored-By: Gemini <noreply@google.com>
This commit is contained in:
Charles N Wyble - admin
2025-09-04 09:42:47 -05:00
parent f7bae09f22
commit 54cc5f7308
1608 changed files with 388342 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

140
CloudronPackages/APISIX/apisix-source/apisix/secret/aws.lua Normal file
View File

@@ -0,0 +1,140 @@
--
-- Licensed to the Apache Software Foundation (ASF) under one or more
-- contributor license agreements. See the NOTICE file distributed with
-- this work for additional information regarding copyright ownership.
-- The ASF licenses this file to You under the Apache License, Version 2.0
-- (the "License"); you may not use this file except in compliance with
-- the License. You may obtain a copy of the License at
--
-- http://www.apache.org/licenses/LICENSE-2.0
--
-- Unless required by applicable law or agreed to in writing, software
-- distributed under the License is distributed on an "AS IS" BASIS,
-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-- See the License for the specific language governing permissions and
-- limitations under the License.
--
--- AWS Tools.
require("resty.aws.config") -- to read env vars before initing aws module
local core = require("apisix.core")
local http = require("resty.http")
local aws = require("resty.aws")
local aws_instance
local sub = core.string.sub
local find = core.string.find
local env = core.env
local unpack = unpack
local schema = {
type = "object",
properties = {
access_key_id = {
type = "string",
},
secret_access_key = {
type = "string",
},
session_token = {
type = "string",
},
region = {
type = "string",
default = "us-east-1",
},
endpoint_url = core.schema.uri_def,
},
required = {"access_key_id", "secret_access_key"},
}
local _M = {
schema = schema
}
local function make_request_to_aws(conf, key)
if not aws_instance then
aws_instance = aws()
end
local region = conf.region
local access_key_id = env.fetch_by_uri(conf.access_key_id) or conf.access_key_id
local secret_access_key = env.fetch_by_uri(conf.secret_access_key) or conf.secret_access_key
local session_token = env.fetch_by_uri(conf.session_token) or conf.session_token
local credentials = aws_instance:Credentials({
accessKeyId = access_key_id,
secretAccessKey = secret_access_key,
sessionToken = session_token,
})
local default_endpoint = "https://secretsmanager." .. region .. ".amazonaws.com"
local scheme, host, port, _, _ = unpack(http:parse_uri(conf.endpoint_url or default_endpoint))
local endpoint = scheme .. "://" .. host
local sm = aws_instance:SecretsManager({
credentials = credentials,
endpoint = endpoint,
region = region,
port = port,
})
local res, err = sm:getSecretValue({
SecretId = key,
VersionStage = "AWSCURRENT",
})
if not res then
return nil, err
end
if res.status ~= 200 then
local data = core.json.encode(res.body)
if data then
return nil, "invalid status code " .. res.status .. ", " .. data
end
return nil, "invalid status code " .. res.status
end
return res.body.SecretString
end
-- key is the aws secretId
function _M.get(conf, key)
core.log.info("fetching data from aws for key: ", key)
local idx = find(key, '/')
local main_key = idx and sub(key, 1, idx - 1) or key
if main_key == "" then
return nil, "can't find main key, key: " .. key
end
local sub_key = idx and sub(key, idx + 1) or nil
core.log.info("main: ", main_key, sub_key and ", sub: " .. sub_key or "")
local res, err = make_request_to_aws(conf, main_key)
if not res then
return nil, "failed to retrtive data from aws secret manager: " .. err
end
if not sub_key then
return res
end
local data, err = core.json.decode(res)
if not data then
return nil, "failed to decode result, res: " .. res .. ", err: " .. err
end
return data[sub_key]
end
return _M

202
CloudronPackages/APISIX/apisix-source/apisix/secret/gcp.lua Normal file
View File

@@ -0,0 +1,202 @@
--
-- Licensed to the Apache Software Foundation (ASF) under one or more
-- contributor license agreements. See the NOTICE file distributed with
-- this work for additional information regarding copyright ownership.
-- The ASF licenses this file to You under the Apache License, Version 2.0
-- (the "License"); you may not use this file except in compliance with
-- the License. You may obtain a copy of the License at
--
-- http://www.apache.org/licenses/LICENSE-2.0
--
-- Unless required by applicable law or agreed to in writing, software
-- distributed under the License is distributed on an "AS IS" BASIS,
-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-- See the License for the specific language governing permissions and
-- limitations under the License.
--
--- GCP Tools.
local core = require("apisix.core")
local http = require("resty.http")
local google_oauth = require("apisix.utils.google-cloud-oauth")
local str_sub = core.string.sub
local str_find = core.string.find
local decode_base64 = ngx.decode_base64
local lrucache = core.lrucache.new({ ttl = 300, count = 8 })
local schema = {
type = "object",
properties = {
auth_config = {
type = "object",
properties = {
client_email = { type = "string" },
private_key = { type = "string" },
project_id = { type = "string" },
token_uri = {
type = "string",
default = "https://oauth2.googleapis.com/token"
},
scope = {
type = "array",
items = {
type = "string"
},
default = {
"https://www.googleapis.com/auth/cloud-platform"
}
},
entries_uri = {
type = "string",
default = "https://secretmanager.googleapis.com/v1"
},
},
required = { "client_email", "private_key", "project_id" }
},
ssl_verify = {
type = "boolean",
default = true
},
auth_file = { type = "string" },
},
oneOf = {
{ required = { "auth_config" } },
{ required = { "auth_file" } },
},
}
local _M = {
schema = schema
}
local function fetch_oauth_conf(conf)
if conf.auth_config then
return conf.auth_config
end
local file_content, err = core.io.get_file(conf.auth_file)
if not file_content then
return nil, "failed to read configuration, file: " .. conf.auth_file .. ", err: " .. err
end
local config_tab, err = core.json.decode(file_content)
if not config_tab then
return nil, "config parse failure, data: " .. file_content .. ", err: " .. err
end
local config = {
auth_config = {
client_email = config_tab.client_email,
private_key = config_tab.private_key,
project_id = config_tab.project_id
}
}
local ok, err = core.schema.check(schema, config)
if not ok then
return nil, "config parse failure, file: " .. conf.auth_file .. ", err: " .. err
end
return config_tab
end
local function get_secret(oauth, secrets_id)
local httpc = http.new()
local access_token = oauth:generate_access_token()
if not access_token then
return nil, "failed to get google oauth token"
end
local entries_uri = oauth.entries_uri .. "/projects/" .. oauth.project_id
.. "/secrets/" .. secrets_id .. "/versions/latest:access"
local res, err = httpc:request_uri(entries_uri, {
ssl_verify = oauth.ssl_verify,
method = "GET",
headers = {
["Content-Type"] = "application/json",
["Authorization"] = (oauth.access_token_type or "Bearer") .. " " .. access_token,
},
})
if not res then
return nil, err
end
if res.status ~= 200 then
return nil, res.body
end
local body, err = core.json.decode(res.body)
if not body then
return nil, "failed to parse response data, " .. err
end
local payload = body.payload
if not payload then
return nil, "invalid payload"
end
return decode_base64(payload.data)
end
local function make_request_to_gcp(conf, secrets_id)
local auth_config, err = fetch_oauth_conf(conf)
if not auth_config then
return nil, err
end
local lru_key = auth_config.client_email .. "#" .. auth_config.project_id
local oauth, err = lrucache(lru_key, "gcp", google_oauth.new, auth_config, conf.ssl_verify)
if not oauth then
return nil, "failed to create oauth object, " .. err
end
local secret, err = get_secret(oauth, secrets_id)
if not secret then
return nil, err
end
return secret
end
function _M.get(conf, key)
core.log.info("fetching data from gcp for key: ", key)
local idx = str_find(key, '/')
local main_key = idx and str_sub(key, 1, idx - 1) or key
if main_key == "" then
return nil, "can't find main key, key: " .. key
end
local sub_key = idx and str_sub(key, idx + 1)
core.log.info("main: ", main_key, sub_key and ", sub: " .. sub_key or "")
local res, err = make_request_to_gcp(conf, main_key)
if not res then
return nil, "failed to retrtive data from gcp secret manager: " .. err
end
if not sub_key then
return res
end
local data, err = core.json.decode(res)
if not data then
return nil, "failed to decode result, err: " .. err
end
return data[sub_key]
end
return _M

122
CloudronPackages/APISIX/apisix-source/apisix/secret/vault.lua Normal file
View File

@@ -0,0 +1,122 @@
--
-- Licensed to the Apache Software Foundation (ASF) under one or more
-- contributor license agreements. See the NOTICE file distributed with
-- this work for additional information regarding copyright ownership.
-- The ASF licenses this file to You under the Apache License, Version 2.0
-- (the "License"); you may not use this file except in compliance with
-- the License. You may obtain a copy of the License at
--
-- http://www.apache.org/licenses/LICENSE-2.0
--
-- Unless required by applicable law or agreed to in writing, software
-- distributed under the License is distributed on an "AS IS" BASIS,
-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-- See the License for the specific language governing permissions and
-- limitations under the License.
--
--- Vault Tools.
-- Vault is an identity-based secrets and encryption management system.
local core = require("apisix.core")
local http = require("resty.http")
local norm_path = require("pl.path").normpath
local sub = core.string.sub
local rfind_char = core.string.rfind_char
local env = core.env
local schema = {
type = "object",
properties = {
uri = core.schema.uri_def,
prefix = {
type = "string",
},
token = {
type = "string",
},
namespace = {
type = "string",
},
},
required = {"uri", "prefix", "token"},
}
local _M = {
schema = schema
}
local function make_request_to_vault(conf, method, key, data)
local httpc = http.new()
-- config timeout or default to 5000 ms
httpc:set_timeout((conf.timeout or 5)*1000)
local req_addr = conf.uri .. norm_path("/v1/"
.. conf.prefix .. "/" .. key)
local token, _ = env.fetch_by_uri(conf.token)
if not token then
token = conf.token
end
local headers = {
["X-Vault-Token"] = token
}
if conf.namespace then
-- The namespace rule is referenced in
-- https://developer.hashicorp.com/vault/docs/enterprise/namespaces#vault-api-and-namespaces
headers["X-Vault-Namespace"] = conf.namespace
end
local res, err = httpc:request_uri(req_addr, {
method = method,
headers = headers,
body = core.json.encode(data or {}, true)
})
if not res then
return nil, err
end
return res.body
end
-- key is the vault kv engine path
local function get(conf, key)
core.log.info("fetching data from vault for key: ", key)
local idx = rfind_char(key, '/')
if not idx then
return nil, "error key format, key: " .. key
end
local main_key = sub(key, 1, idx - 1)
if main_key == "" then
return nil, "can't find main key, key: " .. key
end
local sub_key = sub(key, idx + 1)
if sub_key == "" then
return nil, "can't find sub key, key: " .. key
end
core.log.info("main: ", main_key, " sub: ", sub_key)
local res, err = make_request_to_vault(conf, "GET", main_key)
if not res then
return nil, "failed to retrtive data from vault kv engine: " .. err
end
local ret = core.json.decode(res)
if not ret or not ret.data then
return nil, "failed to decode result, res: " .. res
end
return ret.data[sub_key]
end
_M.get = get
return _M