fix: hmac-auth plugin spec compatibility with latest apisix

api/adc/plugin_types.go

@@ -77,15 +77,8 @@ type JwtAuthConsumerConfig struct {
 // used in Consumer object.
 // +k8s:deepcopy-gen=true
 type HMACAuthConsumerConfig struct {
-	AccessKey           string   `json:"access_key" yaml:"access_key"`
-	SecretKey           string   `json:"secret_key" yaml:"secret_key"`
-	Algorithm           string   `json:"algorithm,omitempty" yaml:"algorithm,omitempty"`
-	ClockSkew           int64    `json:"clock_skew,omitempty" yaml:"clock_skew,omitempty"`
-	SignedHeaders       []string `json:"signed_headers,omitempty" yaml:"signed_headers,omitempty"`
-	KeepHeaders         bool     `json:"keep_headers,omitempty" yaml:"keep_headers,omitempty"`
-	EncodeURIParams     bool     `json:"encode_uri_params,omitempty" yaml:"encode_uri_params,omitempty"`
-	ValidateRequestBody bool     `json:"validate_request_body,omitempty" yaml:"validate_request_body,omitempty"`
-	MaxReqBody          int64    `json:"max_req_body,omitempty" yaml:"max_req_body,omitempty"`
+	KeyID     string `json:"key_id" yaml:"key_id"`
+	SecretKey string `json:"secret_key" yaml:"secret_key"`
 }
 
 // LDAPAuthConsumerConfig is the rule config for ldap-auth plugin

api/v2/apisixconsumer_types.go

@@ -160,24 +160,10 @@ type ApisixConsumerHMACAuth struct {
 
 // ApisixConsumerHMACAuthValue defines configuration for HMAC authentication.
 type ApisixConsumerHMACAuthValue struct {
-	// AccessKey is the identifier used to look up the HMAC secret.
-	AccessKey string `json:"access_key" yaml:"access_key"`
+	// KeyID is the identifier used to look up the HMAC secret.
+	KeyID string `json:"key_id" yaml:"key_id"`
 	// SecretKey is the HMAC secret used to sign the request.
 	SecretKey string `json:"secret_key" yaml:"secret_key"`
-	// Algorithm specifies the hashing algorithm (e.g., "hmac-sha256").
-	Algorithm string `json:"algorithm,omitempty" yaml:"algorithm,omitempty"`
-	// ClockSkew is the allowed time difference (in seconds) between client and server clocks.
-	ClockSkew int64 `json:"clock_skew,omitempty" yaml:"clock_skew,omitempty"`
-	// SignedHeaders lists the headers that must be included in the signature.
-	SignedHeaders []string `json:"signed_headers,omitempty" yaml:"signed_headers,omitempty"`
-	// KeepHeaders determines whether the HMAC signature headers are preserved after verification.
-	KeepHeaders bool `json:"keep_headers,omitempty" yaml:"keep_headers,omitempty"`
-	// EncodeURIParams indicates whether URI parameters are encoded when calculating the signature.
-	EncodeURIParams bool `json:"encode_uri_params,omitempty" yaml:"encode_uri_params,omitempty"`
-	// ValidateRequestBody enables HMAC validation of the request body.
-	ValidateRequestBody bool `json:"validate_request_body,omitempty" yaml:"validate_request_body,omitempty"`
-	// MaxReqBody sets the maximum size (in bytes) of the request body that can be validated.
-	MaxReqBody int64 `json:"max_req_body,omitempty" yaml:"max_req_body,omitempty"`
 }
 
 // ApisixConsumerLDAPAuth defines configuration for the LDAP authentication.

config/crd/bases/apisix.apache.org_apisixconsumers.yaml

@@ -99,48 +99,16 @@ spec:
                       value:
                         description: Value specifies HMAC authentication credentials.
                         properties:
-                          access_key:
+                          key_id:
                             description: AccessKey is the identifier used to look
                               up the HMAC secret.
                             type: string
-                          algorithm:
-                            description: Algorithm specifies the hashing algorithm
-                              (e.g., "hmac-sha256").
-                            type: string
-                          clock_skew:
-                            description: ClockSkew is the allowed time difference
-                              (in seconds) between client and server clocks.
-                            format: int64
-                            type: integer
-                          encode_uri_params:
-                            description: EncodeURIParams indicates whether URI parameters
-                              are encoded when calculating the signature.
-                            type: boolean
-                          keep_headers:
-                            description: KeepHeaders determines whether the HMAC signature
-                              headers are preserved after verification.
-                            type: boolean
-                          max_req_body:
-                            description: MaxReqBody sets the maximum size (in bytes)
-                              of the request body that can be validated.
-                            format: int64
-                            type: integer
                           secret_key:
                             description: SecretKey is the HMAC secret used to sign
                               the request.
                             type: string
-                          signed_headers:
-                            description: SignedHeaders lists the headers that must
-                              be included in the signature.
-                            items:
-                              type: string
-                            type: array
-                          validate_request_body:
-                            description: ValidateRequestBody enables HMAC validation
-                              of the request body.
-                            type: boolean
                         required:
-                        - access_key
+                        - key_id
                         - secret_key
                         type: object
                     type: object

docs/en/latest/reference/api-reference.md

@@ -745,15 +745,8 @@ ApisixConsumerHMACAuthValue defines configuration for HMAC authentication.
 
 | Field | Description |
 | --- | --- |
-| `access_key` _string_ | AccessKey is the identifier used to look up the HMAC secret. |
+| `key_id` _string_ | KeyID is the identifier used to look up the HMAC secret. |
 | `secret_key` _string_ | SecretKey is the HMAC secret used to sign the request. |
-| `algorithm` _string_ | Algorithm specifies the hashing algorithm (e.g., "hmac-sha256"). |
-| `clock_skew` _integer_ | ClockSkew is the allowed time difference (in seconds) between client and server clocks. |
-| `signed_headers` _string array_ | SignedHeaders lists the headers that must be included in the signature. |
-| `keep_headers` _boolean_ | KeepHeaders determines whether the HMAC signature headers are preserved after verification. |
-| `encode_uri_params` _boolean_ | EncodeURIParams indicates whether URI parameters are encoded when calculating the signature. |
-| `validate_request_body` _boolean_ | ValidateRequestBody enables HMAC validation of the request body. |
-| `max_req_body` _integer_ | MaxReqBody sets the maximum size (in bytes) of the request body that can be validated. |
 
 
 _Appears in:_

internal/adc/translator/apisixconsumer.go

@@ -38,15 +38,7 @@ var (
 
 const (
 	_jwtAuthExpDefaultValue = 86400
-
-	_hmacAuthAlgorithmDefaultValue           = "hmac-sha256"
-	_hmacAuthClockSkewDefaultValue           = int64(0)
-	_hmacAuthKeepHeadersDefaultValue         = false
-	_hmacAuthEncodeURIParamsDefaultValue     = true
-	_hmacAuthValidateRequestBodyDefaultValue = false
-	_hmacAuthMaxReqBodyDefaultValue          = 524288
-
-	_true = "true"
+	_true                   = "true"
 )
 
 func (t *Translator) TranslateApisixConsumer(tctx *provider.TranslateContext, ac *v2.ApisixConsumer) (*TranslateResult, error) {
@@ -235,15 +227,8 @@ func (t *Translator) translateConsumerJwtAuthPlugin(tctx *provider.TranslateCont
 func (t *Translator) translateConsumerHMACAuthPlugin(tctx *provider.TranslateContext, consumerNamespace string, cfg *v2.ApisixConsumerHMACAuth) (*adctypes.HMACAuthConsumerConfig, error) {
 	if cfg.Value != nil {
 		return &adctypes.HMACAuthConsumerConfig{
-			AccessKey:           cfg.Value.AccessKey,
-			SecretKey:           cfg.Value.SecretKey,
-			Algorithm:           cfg.Value.Algorithm,
-			ClockSkew:           cfg.Value.ClockSkew,
-			SignedHeaders:       cfg.Value.SignedHeaders,
-			KeepHeaders:         cfg.Value.KeepHeaders,
-			EncodeURIParams:     cfg.Value.EncodeURIParams,
-			ValidateRequestBody: cfg.Value.ValidateRequestBody,
-			MaxReqBody:          cfg.Value.MaxReqBody,
+			KeyID:     cfg.Value.KeyID,
+			SecretKey: cfg.Value.SecretKey,
 		}, nil
 	}
 
@@ -255,8 +240,8 @@ func (t *Translator) translateConsumerHMACAuthPlugin(tctx *provider.TranslateCon
 		return nil, fmt.Errorf("secret %s/%s not found", consumerNamespace, cfg.SecretRef.Name)
 	}
 
-	accessKeyRaw, ok := sec.Data["access_key"]
-	if !ok || len(accessKeyRaw) == 0 {
+	keyIDRaw, ok := sec.Data["key_id"]
+	if !ok || len(keyIDRaw) == 0 {
 		return nil, _errKeyNotFoundOrInvalid
 	}
 
@@ -265,78 +250,9 @@ func (t *Translator) translateConsumerHMACAuthPlugin(tctx *provider.TranslateCon
 		return nil, _errKeyNotFoundOrInvalid
 	}
 
-	algorithmRaw, ok := sec.Data["algorithm"]
-	var algorithm string
-	if !ok {
-		algorithm = _hmacAuthAlgorithmDefaultValue
-	} else {
-		algorithm = string(algorithmRaw)
-	}
-
-	clockSkewRaw := sec.Data["clock_skew"]
-	clockSkew, _ := strconv.ParseInt(string(clockSkewRaw), 10, 64)
-	if clockSkew < 0 {
-		clockSkew = _hmacAuthClockSkewDefaultValue
-	}
-
-	signedHeadersRaw := sec.Data["signed_headers"]
-	signedHeaders := make([]string, 0, len(signedHeadersRaw))
-	for _, b := range signedHeadersRaw {
-		signedHeaders = append(signedHeaders, string(b))
-	}
-
-	var keepHeader bool
-	keepHeaderRaw, ok := sec.Data["keep_headers"]
-	if !ok {
-		keepHeader = _hmacAuthKeepHeadersDefaultValue
-	} else {
-		if string(keepHeaderRaw) == _true {
-			keepHeader = true
-		} else {
-			keepHeader = false
-		}
-	}
-
-	var encodeURIParams bool
-	encodeURIParamsRaw, ok := sec.Data["encode_uri_params"]
-	if !ok {
-		encodeURIParams = _hmacAuthEncodeURIParamsDefaultValue
-	} else {
-		if string(encodeURIParamsRaw) == _true {
-			encodeURIParams = true
-		} else {
-			encodeURIParams = false
-		}
-	}
-
-	var validateRequestBody bool
-	validateRequestBodyRaw, ok := sec.Data["validate_request_body"]
-	if !ok {
-		validateRequestBody = _hmacAuthValidateRequestBodyDefaultValue
-	} else {
-		if string(validateRequestBodyRaw) == _true {
-			validateRequestBody = true
-		} else {
-			validateRequestBody = false
-		}
-	}
-
-	maxReqBodyRaw := sec.Data["max_req_body"]
-	maxReqBody, _ := strconv.ParseInt(string(maxReqBodyRaw), 10, 64)
-	if maxReqBody < 0 {
-		maxReqBody = _hmacAuthMaxReqBodyDefaultValue
-	}
-
 	return &adctypes.HMACAuthConsumerConfig{
-		AccessKey:           string(accessKeyRaw),
-		SecretKey:           string(secretKeyRaw),
-		Algorithm:           algorithm,
-		ClockSkew:           clockSkew,
-		SignedHeaders:       signedHeaders,
-		KeepHeaders:         keepHeader,
-		EncodeURIParams:     encodeURIParams,
-		ValidateRequestBody: validateRequestBody,
-		MaxReqBody:          maxReqBody,
+		KeyID:     string(keyIDRaw),
+		SecretKey: string(secretKeyRaw),
 	}, nil
 }