feat: As a user, I want to reference a secret in ai-rag plugin, so that I don't have to write the apikey in plain text in plugin configuration

[mikyll]

Description

Similar to #13132

I'd like to avoid writing the api key in plain text in the plugin configuration and use a secret reference (Secret Manager or environment variable, see APISIX Docs | Secret).

Current situation:

routes:
  - id: ai-rag-azure
    uri: /ai/rag
    plugins:
      ai-rag:
        embeddings_provider:
          azure_openai:
            endpoint: "https://ai-plugin-developer.openai.azure.com/openai/deployments/text-embedding-3-large/embeddings?api-version=2023-05-15"
            api_key: "myopenaiapikey"
        vector_search_provider:
          azure_ai_search:
            endpoint: "https://ai-plugin-developer.search.windows.net/indexes/vectest/docs/search?api-version=2024-07-01
            api_key: "myazuresearchapikey"
      ai-proxy:
      # ...

Feature request:

routes:
  - id: ai-rag-azure
    uri: /ai/rag
    plugins:
      ai-rag:
        embeddings_provider:
          azure_openai:
            endpoint: "https://ai-plugin-developer.openai.azure.com/openai/deployments/text-embedding-3-large/embeddings?api-version=2023-05-15"
            api_key: "$ENV://AZURE_OPENAI_APIKEY"
        vector_search_provider:
          azure_ai_search:
            endpoint: "https://ai-plugin-developer.search.windows.net/indexes/vectest/docs/search?api-version=2024-07-01
            api_key: "$ENV://AZURE_AI_SEARCH_APIKEY"
      ai-proxy:
      # ...

Implementation

Just call apisix.secret.fetch_secrets() on the embeddings and vector_search configuration tables, to resolve secret references if present.

I can submit a PR to implement this feature 🙂

[Baoyuantop]

Hi @mikyll, thank you for reporting this issue. We welcome you to submit a pull request to address it.