feat(ai-proxy*): support resolving secrets from environment variables and secret vaults #13143

Open
mikyll wants to merge 10 commits into apache:master from mikyll:issue_13132

mikyll (Contributor) commented Apr 1, 2026

Description

This PR introduces the possibility to reference a secret in the ai-proxy and ai-proxy-multi plugins, from an ENV variable or a Secret Manager service, as documented in APISIX Docs | Terminology | Secret.

This change makes it possible to avoid hard-coding the API keys in ai-proxy* plugin configuration 🙂

The changes include:

  • Calling fetch_secret() in ai-proxy/base.lua to resolve secrets.
  • 2 new test cases
  • documentation updates

Which issue(s) this PR fixes:

Fixes #13132

Checklist

  • I have explained the need for this PR and the problem it solves
  • I have explained the changes or the new features added to this PR
  • I have added tests corresponding to this change
  • I have updated the documentation to reflect this change
  • I have verified that this change is backward compatible (If not, please discuss on the APISIX mailing list first).

dosubot bot added the size:L (This PR changes 100-499 lines, ignoring generated files.) and enhancement (New feature or request) labels Apr 1, 2026

Baoyuantop (Contributor) left a comment

I suggest adding a test case for auth.header + $ENV://.

Comment thread docs/en/latest/plugins/ai-proxy-multi.md Outdated
Baoyuantop
Baoyuantop previously approved these changes Apr 2, 2026
Baoyuantop (Contributor) commented

Hi @mikyll, we've just fixed some CI issues. You can merge the main branch and then run CI again.

mikyll (Contributor Author) commented Apr 13, 2026

@Baoyuantop I updated the auth.header test to replace Authorization: Bearer token with X-Api-Key: apikey, because apparently the Nginx env directive doesn't support spaces. I couldn't find anything in the official Nginx documentation, but here's a reference from one of your comments: #7223 (comment).

I also tested it with a minimal Nginx setup and yes, spaces in the env directive throw an error:

nginx: [emerg] invalid number of arguments in "env" directive in /etc/nginx/nginx.conf:5

Can you review the PR again? 🙂
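
Added example, not part of the PR or of any comment in this thread: a pre-deployment audit of an ai-proxy `auth` block that flags hard-coded credentials and checks each `$ENV://` reference, including the whitespace failure reported above for the Nginx env directive. The function name, the sample configs, the `auth.query` section and the `$secret://` prefix (taken from the APISIX Secret documentation, not from this page) are assumptions.

```python
import re

# "$ENV://" appears in the thread; "$secret://" is the secret-manager form
# assumed from the APISIX Secret documentation.
REF = re.compile(r"^\$(env|secret)://", re.IGNORECASE)

def audit_auth(plugin_conf, environ):
    """Return (path, finding) tuples for the auth block of an ai-proxy config."""
    findings = []
    auth = plugin_conf.get("auth", {})
    for section in ("header", "query"):
        for name, value in auth.get(section, {}).items():
            path = f"auth.{section}.{name}"
            value = str(value)
            m = REF.match(value)
            if not m:
                findings.append((path, "hard-coded value, not a secret reference"))
                continue
            if m.group(1).lower() != "env":
                continue  # vault references are resolved by the gateway at runtime
            var = value[m.end():]
            if var not in environ:
                findings.append((path, f"environment variable {var} is not set"))
            elif re.search(r"\s", environ[var]):
                # Failure mode from the thread: a space in the value of an
                # `env NAME=value;` directive gives "invalid number of arguments".
                findings.append((path, f"value of {var} contains whitespace"))
    return findings

# Constructed sample configs and environment (not taken from the PR's tests).
HARDCODED = {"provider": "openai",
             "auth": {"header": {"Authorization": "Bearer sk-EXAMPLE"}}}
REFERENCED = {"provider": "openai",
              "auth": {"header": {"X-Api-Key": "$ENV://AI_API_KEY",
                                  "Authorization": "$ENV://AI_BEARER"},
                       "query": {"api-key": "$secret://vault/1/openai/key"}}}
SAMPLE_ENV = {"AI_API_KEY": "apikey", "AI_BEARER": "Bearer token"}

if __name__ == "__main__":
    for conf in (HARDCODED, REFERENCED):
        for path, finding in audit_auth(conf, SAMPLE_ENV):
            print(f"{path}: {finding}")
```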

Successfully merging this pull request may close these issues.

feat: As a user, I want to reference a secret in ai-proxy plugin, so that I don't have to write the apikey in plain text in plugin configuration