This is an automated email from the ASF dual-hosted git repository.

zhangjintao pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/apisix-ingress-controller.git


The following commit(s) were added to refs/heads/master by this push:
     new 8b51c6e1 docs: update all api-version to v2 (#1189)
8b51c6e1 is described below

commit 8b51c6e173db12592f6fcfa8d59aaa6fd50e7922
Author: Jintao Zhang <[email protected]>
AuthorDate: Wed Jul 27 10:33:11 2022 +0800

    docs: update all api-version to v2 (#1189)
    
    Signed-off-by: Jintao Zhang <[email protected]>
---
 docs/en/latest/concepts/annotations.md             |    2 +-
 docs/en/latest/concepts/apisix_cluster_config.md   |    4 +-
 docs/en/latest/concepts/apisix_route.md            |   18 +-
 docs/en/latest/concepts/apisix_tls.md              |    2 +-
 docs/en/latest/concepts/apisix_upstream.md         |   12 +-
 docs/en/latest/design.md                           |    2 +-
 docs/en/latest/plugins/prometheus.md               |    2 +-
 docs/en/latest/tutorials/check-crd-status.md       |    2 +-
 .../enable-authentication-and-restriction.md       | 1364 ++++++++++----------
 ...cess-Apache-APISIX-Prometheus-Metrics-on-k8s.md |    4 +-
 ...ow-to-use-go-plugin-runner-in-apisix-ingress.md |    2 +-
 .../manage-certificates-with-cert-manager.md       |    4 +-
 docs/en/latest/tutorials/mtls.md                   |    6 +-
 docs/en/latest/tutorials/mtls/mtls.yaml            |    2 +-
 docs/en/latest/tutorials/mtls/route.yaml           |    2 +-
 docs/en/latest/tutorials/mtls/tls.yaml             |    2 +-
 docs/en/latest/tutorials/proxy-grpc-service.md     |    6 +-
 .../latest/tutorials/proxy-the-httpbin-service.md  |    2 +-
 docs/en/latest/tutorials/the-hard-way.md           |    4 +-
 docs/en/latest/upgrade.md                          |    2 +-
 20 files changed, 722 insertions(+), 722 deletions(-)

diff --git a/docs/en/latest/concepts/annotations.md 
b/docs/en/latest/concepts/annotations.md
index acb82f93..c53b7d4f 100644
--- a/docs/en/latest/concepts/annotations.md
+++ b/docs/en/latest/concepts/annotations.md
@@ -219,7 +219,7 @@ ApisixPluginConfig is a resource under the same Namespace 
as Ingress
 As an example, we attach the annotation 
`k8s.apisix.apache.org/plugin-conifg-name: "echo-and-cors-apc` for the 
following Ingress resource, so that `/api/*` route will enable the 
[echo](https://apisix.apache.org/docs/apisix/plugins/echo/) and 
[cors](https://apisix.apache.org/docs/apisix/plugins/cors/) plugins.
 
 ```yaml
-apiVersion: apisix.apache.org/v2beta3
+apiVersion: apisix.apache.org/v2
 kind: ApisixPluginConfig
 metadata:
   name: echo-and-cors-apc
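Review bot: The context paragraph directly above this YAML block spells the annotation as `k8s.apisix.apache.org/plugin-conifg-name` ("conifg") and leaves the value's closing quote off (`"echo-and-cors-apc`). Since this pass already touches the example, correct the key to `plugin-config-name` and close the quote, so a reader who copies the annotation from the prose does not end up with a misspelled key.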
diff --git a/docs/en/latest/concepts/apisix_cluster_config.md 
b/docs/en/latest/concepts/apisix_cluster_config.md
index 74f7c643..4e9b5f75 100644
--- a/docs/en/latest/concepts/apisix_cluster_config.md
+++ b/docs/en/latest/concepts/apisix_cluster_config.md
@@ -35,7 +35,7 @@ if you'd like to learn the real running status of your 
cluster. In such a case,
 could create a `ApisixClusterConfig` to enable these features explicitly.
 
 ```yaml
-apiVersion: apisix.apache.org/v2beta3
+apiVersion: apisix.apache.org/v2
 kind: ApisixClusterConfig
 metadata:
   name: default
@@ -58,7 +58,7 @@ The default APISIX cluster is configured through command line 
options like `--de
 of Deployment or Pod template. Now with the help of `ApisixClusterConfig`, you 
can change some administrative fields on it.
 
 ```yaml
-apiVersion: apisix.apache.org/v2beta3
+apiVersion: apisix.apache.org/v2
 kind: ApisixClusterConfig
 metadata:
   name: default
diff --git a/docs/en/latest/concepts/apisix_route.md 
b/docs/en/latest/concepts/apisix_route.md
index 6b627ede..a7ecd238 100644
--- a/docs/en/latest/concepts/apisix_route.md
+++ b/docs/en/latest/concepts/apisix_route.md
@@ -35,7 +35,7 @@ should be routed to service `bar`, in the manner of 
`ApisixRoute`, the configura
 should be:
 
 ```yaml
-apiVersion: apisix.apache.org/v2beta3
+apiVersion: apisix.apache.org/v2
 kind: ApisixRoute
 metadata:
   name: foo-bar-route
@@ -73,7 +73,7 @@ The `methods` splits traffic according to the HTTP method, 
the following configu
 with `GET` method to `foo` service (a Kubernetes Service).
 
 ```yaml
-apiVersion: apisix.apache.org/v2beta3
+apiVersion: apisix.apache.org/v2
 kind: ApisixRoute
 metadata:
   name: method-route
@@ -94,7 +94,7 @@ The `exprs` allows user to configure match conditions with 
arbitrary predicates
 It's composed by several expressions, which in turn composed by subject, 
operator and value/set.
 
 ```yaml
-apiVersion: apisix.apache.org/v2beta3
+apiVersion: apisix.apache.org/v2
 kind: ApisixRoute
 metadata:
   name: method-route
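Review bot: `name: method-route` in this `exprs` example is the same metadata name used by the `methods` example in the previous hunk, and the next two hunks (`resolveGranularity` and backend weight) reuse it again. Anyone applying these examples one after another in the same namespace will overwrite the earlier ApisixRoute each time; consider giving each example its own name while these blocks are being edited.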
@@ -128,7 +128,7 @@ the `ClusterIP` of this service, if that's what you want, 
just set
 the `resolveGranularity` to `service` (default is `endpoint`).
 
 ```yaml
-apiVersion: apisix.apache.org/v2beta3
+apiVersion: apisix.apache.org/v2
 kind: ApisixRoute
 metadata:
   name: method-route
@@ -155,7 +155,7 @@ will be applied (which actually uses the 
[traffic-split](http://apisix.apache.or
 You can specify weight for each backend, the default weight is `100`.
 
 ```yaml
-apiVersion: apisix.apache.org/v2beta3
+apiVersion: apisix.apache.org/v2
 kind: ApisixRoute
 metadata:
   name: method-route
@@ -193,7 +193,7 @@ Apache APISIX provides more than 70 
[plugins](https://github.com/apache/apisix/t
 in `ApisixRoute`. All configuration items are named same to the one in APISIX.
 
 ```yaml
-apiVersion: apisix.apache.org/v2beta3
+apiVersion: apisix.apache.org/v2
 kind: ApisixRoute
 metadata:
   name: httpbin-route
@@ -223,7 +223,7 @@ Websocket Proxy
 by creating a route with specifying the `websocket` field.
 
 ```yaml
-apiVersion: apisix.apache.org/v2beta3
+apiVersion: apisix.apache.org/v2
 kind: ApisixRoute
 metadata:
   name: ws-route
@@ -247,7 +247,7 @@ TCP Route
 apisix-ingress-controller supports the port-based tcp route.
 
 ```yaml
-apiVersion: apisix.apache.org/v2beta3
+apiVersion: apisix.apache.org/v2
 kind: ApisixRoute
 metadata:
   name: tcp-route
@@ -272,7 +272,7 @@ UDP Route
 apisix-ingress-controller supports the port-based udp route.
 
 ```yaml
-apiVersion: apisix.apache.org/v2beta3
+apiVersion: apisix.apache.org/v2
 kind: ApisixRoute
 metadata:
   name: udp-route
diff --git a/docs/en/latest/concepts/apisix_tls.md 
b/docs/en/latest/concepts/apisix_tls.md
index 71a97ca7..20c80eed 100644
--- a/docs/en/latest/concepts/apisix_tls.md
+++ b/docs/en/latest/concepts/apisix_tls.md
@@ -27,7 +27,7 @@ Secret must have two keys `cert` and `key`, which used to 
store the certificate
 PEM format respectively.
 
 ```shell
-apiVersion: apisix.apache.org/v2beta3
+apiVersion: apisix.apache.org/v2
 kind: ApisixTls
 metadata:
   name: sample-tls
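Review bot: The fence that opens this example is tagged `shell`, but the body is a YAML manifest (`apiVersion`, `kind: ApisixTls`, `metadata`). Change the tag to `yaml` so it matches the other concept pages touched by this patch and is highlighted correctly.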
diff --git a/docs/en/latest/concepts/apisix_upstream.md 
b/docs/en/latest/concepts/apisix_upstream.md
index a0e906c7..f35add5f 100644
--- a/docs/en/latest/concepts/apisix_upstream.md
+++ b/docs/en/latest/concepts/apisix_upstream.md
@@ -32,7 +32,7 @@ To learn more, please check the [Apache APISIX 
architecture-design docs](https:/
 A proper load balancing algorithm is required to scatter requests reasonably 
for a Kubernetes Service.
 
 ```yaml
-apiVersion: apisix.apache.org/v2beta3
+apiVersion: apisix.apache.org/v2
 kind: ApisixUpstream
 metadata:
   name: httpbin
@@ -58,7 +58,7 @@ The above example shows that 
[ewma](https://linkerd.io/2016/03/16/beyond-round-r
 Sometimes the session sticky is desired, and you can use the [Consistent 
Hashing](https://en.wikipedia.org/wiki/Consistent_hashing) load balancing 
algorithm.
 
 ```yaml
-apiVersion: apisix.apache.org/v2beta3
+apiVersion: apisix.apache.org/v2
 kind: ApisixUpstream
 metadata:
   name: httpbin
@@ -77,7 +77,7 @@ Although Kubelet already provides 
[probes](https://kubernetes.io/docs/tasks/conf
 like the passive feedback capability.
 
 ```yaml
-apiVersion: apisix.apache.org/v2beta3
+apiVersion: apisix.apache.org/v2
 kind: ApisixUpstream
 metadata:
   name: httpbin
@@ -128,7 +128,7 @@ if nothing has been sent to a client yet. That is, if an 
error or timeout occurs
 of the transferring of a response, fixing this is impossible.
 
 ```yaml
-apiVersion: apisix.apache.org/v2beta3
+apiVersion: apisix.apache.org/v2
 kind: ApisixUpstream
 metadata:
   name: httpbin
@@ -140,7 +140,7 @@ The default connect, read and send timeout are `60s`, which 
might not proper for
 just change them in the `timeout` field.
 
 ```yaml
-apiVersion: apisix.apache.org/v2beta3
+apiVersion: apisix.apache.org/v2
 kind: ApisixUpstream
 metadata:
   name: httpbin
@@ -159,7 +159,7 @@ Once in a while a single Kubernetes Service might expose 
multiple ports which pr
 In that case, you can create configurations for individual port.
 
 ```yaml
-apiVersion: apisix.apache.org/v2beta3
+apiVersion: apisix.apache.org/v2
 kind: ApisixUpstream
 metadata:
   name: foo
diff --git a/docs/en/latest/design.md b/docs/en/latest/design.md
index 9c2b2b89..1c6247f3 100644
--- a/docs/en/latest/design.md
+++ b/docs/en/latest/design.md
@@ -122,7 +122,7 @@ Unlike the implementation of Kubernetes Nginx Ingress, the 
implementation of Ann
 For example, the settings of the black and white list can be configured 
through the `k8s.apisix.apache.org/whitelist-source-range` annotation in the 
`ApisixRoute` resource object.
 
 ```yaml
-apiVersion: apisix.apache.org/v2beta3
+apiVersion: apisix.apache.org/v2
 kind: ApisixRoute
 metadata:
   annotations:
diff --git a/docs/en/latest/plugins/prometheus.md 
b/docs/en/latest/plugins/prometheus.md
index 693698ef..65fe10cb 100644
--- a/docs/en/latest/plugins/prometheus.md
+++ b/docs/en/latest/plugins/prometheus.md
@@ -28,7 +28,7 @@ This guide shows how to monitor Apache APISIX Ingress 
Controller using Prometheu
 Use CRD file to enable Prometheus in global configurations. The definition 
file for custom resources is `ApisixClusterConfig`, so the configuration should 
be:
 
 ```yaml
-apiVersion: apisix.apache.org/v2beta3
+apiVersion: apisix.apache.org/v2
 kind: ApisixClusterConfig
 metadata:
   name: default
diff --git a/docs/en/latest/tutorials/check-crd-status.md 
b/docs/en/latest/tutorials/check-crd-status.md
index fffb009c..13f5abdf 100644
--- a/docs/en/latest/tutorials/check-crd-status.md
+++ b/docs/en/latest/tutorials/check-crd-status.md
@@ -46,7 +46,7 @@ e.g.
 
 ```yaml
 kubectl apply -f - <<EOF
-apiVersion: apisix.apache.org/v2beta3
+apiVersion: apisix.apache.org/v2
 kind: ApisixRoute
 metadata:
   name: httpbin-route
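Review bot: The fence here is tagged `yaml`, yet its first line is `kubectl apply -f - <<EOF`, which is a shell heredoc. The authentication tutorial in this same patch tags identical heredoc blocks as `shell`; use that tag here as well for consistency.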
diff --git a/docs/en/latest/tutorials/enable-authentication-and-restriction.md 
b/docs/en/latest/tutorials/enable-authentication-and-restriction.md
index 9d2c90ea..e67e17d8 100644
--- a/docs/en/latest/tutorials/enable-authentication-and-restriction.md
+++ b/docs/en/latest/tutorials/enable-authentication-and-restriction.md
@@ -1,682 +1,682 @@
----
-title: Enable authentication and restriction
----
-
-<!--
-#
-# Licensed to the Apache Software Foundation (ASF) under one or more
-# contributor license agreements.  See the NOTICE file distributed with
-# this work for additional information regarding copyright ownership.
-# The ASF licenses this file to You under the Apache License, Version 2.0
-# (the "License"); you may not use this file except in compliance with
-# the License.  You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
--->
-
-## Description
-
-Consumers are used for the authentication method controlled by Apache APISIX, 
if users want to use their own auth system or 3rd party systems, use OIDC.  
-
-## Attributes
-
-### Authentication
-
-#### Key Auth
-
-Consumers add their key either in a header or query string parameter to 
authenticate their requests. For more information about `Key Auth`, please 
refer to [APISIX key-auth 
plugin](https://apisix.apache.org/docs/apisix/plugins/key-auth/).  
-Also, we can using the `secretRef` field to reference a K8s Secret object so 
that we can avoid the hardcoded sensitive data in the ApisixConsumer object. 
For reference Secret use example, please refer to the 
[key-auth-reference-secret-object](#key-auth-reference-secret-object).
-
-<details>
-  <summary>Key Auth yaml configure</summary>
-
-```yaml
-apiVersion: apisix.apache.org/v2beta3
-kind: ApisixConsumer
-metadata:
-  name: ${name}
-spec:
-  authParameter:
-    keyAuth:
-      value:
-        key: ${key} #required
-```
-
-</details>
-
-#### Basic Auth
-
-Consumers add their key in a header to authenticate their requests. For more 
information about `Basic Auth`, please refer to [APISIX basic-auth 
plugin](https://apisix.apache.org/docs/apisix/plugins/basic-auth/).  
-Also, we can using the `secretRef` field to reference a K8s Secret object so 
that we can avoid the hardcoded sensitive data in the ApisixConsumer object. 
For reference Secret use example, please refer to the 
[key-auth-reference-secret-object](#key-auth-reference-secret-object).
-
-<details>
-  <summary>Basic Auth yaml configure</summary>
-
-```yaml
-apiVersion: apisix.apache.org/v2beta3
-kind: ApisixConsumer
-metadata:
-  name: ${name}
-spec:
-  authParameter:
-    basicAuth:
-      value:
-        username: ${username} #required
-        password: ${password} #required
-```
-
-</details>
-
-#### JWT Auth
-
-The consumer then adds its key to the query string parameter, request header, 
or cookie to verify its request. For more information about `JWT Auth`, please 
refer to [APISIX jwt-auth 
plugin](https://apisix.apache.org/docs/apisix/plugins/jwt-auth/).  
-Also, we can using the `secretRef` field to reference a K8s Secret object so 
that we can avoid the hardcoded sensitive data in the ApisixConsumer object. 
For reference Secret use example, please refer to the 
[key-auth-reference-secret-object](#key-auth-reference-secret-object).
-
-:::note Need to expose API  
-This plugin will add `/apisix/plugin/jwt/sign` to sign. You may need to use 
`public-api` plugin to expose it.  
-:::
-
-<details>
-  <summary>JWT Auth yaml configure</summary>
-
-```yaml
-apiVersion: apisix.apache.org/v2beta3
-kind: ApisixConsumer
-metadata:
-  name: ${name}
-spec:
-  authParameter:
-    wolfRbac:
-      value:
-        key: "${key}"                                    #required
-        secret: "${secret}"                              #optional
-        public_key: "${public_key}"                      #optional, required 
when algorithm attribute selects RS256 algorithm.
-        private_key: "{private_key}"                     #optional, required 
when algorithm attribute selects RS256 algorithm.
-        algorithm: "${HS256 | HS512 | RS256}"            #optional
-        exp: ${ 86400 | token's expire time, in seconds} #optional
-        algorithm: ${true | false}                       #optional
-```
-
-</details>
-
-#### `Wolf RBAC`
-
-To use wolfRbac authentication, you need to start and install 
[wolf-server](https://github.com/iGeeky/wolf/blob/master/quick-start-with-docker/README.md).
 For more information about `Wolf RBAC`, please refer to [APISIX wolf-rbac 
plugin](https://apisix.apache.org/zh/docs/apisix/plugins/wolf-rbac/).  
-Also, we can using the `secretRef` field to reference a K8s Secret object so 
that we can avoid the hardcoded sensitive data in the ApisixConsumer object. 
For reference Secret use example, please refer to the 
[key-auth-reference-secret-object](#key-auth-reference-secret-object).
-
-:::note This plugin will add several APIs
-
-* /apisix/plugin/wolf-rbac/login
-* /apisix/plugin/wolf-rbac/change_pwd
-* /apisix/plugin/wolf-rbac/user_info
-
-You may need to use `public-api` plugin to expose it.  
-:::
-
-<details>
-  <summary>Wolf RBAC yaml configure</summary>
-
-```yaml
-apiVersion: apisix.apache.org/v2beta3
-kind: ApisixConsumer
-metadata:
-  name: ${name}
-spec:
-  authParameter:
-    wolfRBAC:
-      value:
-      server: "${server of wolf-rbac}"                            #optional
-      appid: "${appid of wolf-rbac}"                              #optional
-      header_prefix: "${X- | X-UserId | X-Username | X-Nickname}" #optional
-```
-
-</details>
-
-### 
[Restriction](https://apisix.apache.org/docs/apisix/plugins/consumer-restriction/)
-
-#### `whitelist` or `blacklist`
-
-`whitelist`: Grant full access to all users specified in the provided list, 
**has the priority over `allowed_by_methods`**  
-`blacklist`: Reject connection to all users specified in the provided list, 
**has the priority over `whitelist`**
-
-<details>
-  <summary>whitelist or blacklist with consumer-restriction yaml 
configure</summary>
-
-```yaml
-plugins:
-- name: consumer-restriction
-  enable: true
-  config:
-    blacklist:
-    - "${consumer_name}"
-    - "${consumer_name}"
-```
-
-</details>
-
-#### `allowed_by_methods`
-
-HTTP methods can be `methods:["GET", "POST", "PUT", "DELETE", "PATCH", "HEAD", 
"OPTIONS", "CONNECT", "TRACE", "PURGE"]`
-
-<details>
-  <summary>allowed_by_methods with consumer-restriction yaml 
configure</summary>
-
-```yaml
-plugins:
-- name: consumer-restriction
-  enable: true
-  config:
-    allowed_by_methods:
-    - user: "${consumer_name}"
-      methods:
-      - "${GET | POST | PUT |...}"
-      - "${GET | POST | PUT |...}"
-    - user: "${consumer_name}"
-      methods:
-      - "${GET | POST | PUT |...}"
-```
-
-</details>
-
-## Example
-
-[Refer to the corresponding e2e test 
case.](../../../../test/e2e/suite-plugins/suite-plugins-authentication/)
-
-### Prepare env
-
-To use this tutorial, you must deploy `Ingress APISIX` and `httpbin` in 
Kubernetes cluster.
-
-* Installing [`Ingress APISIX`](../deployments/minikube.md).
-* Deploy `httpbin` service.
-
-```shell
-#Now, try to deploy httpbin to your Kubernetes cluster:
-kubectl run httpbin --image kennethreitz/httpbin --port 80
-kubectl expose pod httpbin --port 80
-```
-
-### How to enable `Authentication`
-
-#### Enable `keyAuth`
-
-The following is an example. The `keyAuth` is enabled on the specified route 
to restrict user access.  
-
-* Creates an ApisixConsumer, and set the attributes of plugin `key-auth`:
-
-```shell
-kubectl apply -f - <<EOF
-apiVersion: apisix.apache.org/v2beta3
-kind: ApisixConsumer
-metadata:
-  name: foo
-spec:
-  authParameter:
-    keyAuth:
-      value:
-        key: foo-key
-EOF
-```
-
-* Creates an ApisixRoute, and enable plugin `key-auth`:
-
-```shell
-kubectl apply -f - <<EOF
-apiVersion: apisix.apache.org/v2beta3
-kind: ApisixRoute
-metadata:
-  name: httpserver-route
-spec:
-  http:
-  - name: rule1
-    match:
-      hosts:
-      - httpbin.org
-      paths:
-      - /*
-    backends:
-    - serviceName: httpbin
-      servicePort: 80
-    authentication:
-      enable: true
-      type: keyAuth
-EOF
-```
-
-* Requests from foo:
-
-```shell
-kubectl  exec -it -n ${namespace of Apache APISIX} ${pod of Apache APISIX}  -- 
curl http://127.0.0.1:9080/anything -H 'Host: httpbin.org' -H 'apikey:foo-key' 
-i
-```
-
-```shell
-HTTP/1.1 200 OK
-...
-```
-
-##### Key Auth reference Secret object
-
-<details>
-  <summary>ApisixRoute with keyAuth consumer using secret example</summary>
-
-* Creates a `Secret` object:
-
-```shell
-kubectl apply -f - <<EOF
-apiVersion: v1
-kind: Secret
-metadata:
-  name: foovalue
-data:
-  key: Zm9vLWtleQ==
-EOF
-```
-
-* Creates an ApisixConsumer and reference `Secret` object:
-
-```shell
-kubectl apply -f - <<EOF
-apiVersion: apisix.apache.org/v2beta3
-kind: ApisixConsumer
-metadata:
-  name: foo
-spec:
-  authParameter:
-    keyAuth:
-      secretRef:
-        name: foovalue
-EOF
-```
-
-* Creates an ApisixRoute, and enables plugin `key-auth`:
-
-```shell
-kubectl apply -f - <<EOF
-apiVersion: apisix.apache.org/v2beta3
-kind: ApisixRoute
-metadata:
-  name: httpserver-route
-spec:
-  http:
-  - name: rule1
-    match:
-      hosts:
-      - httpbin.org
-      paths:
-      - /*
-    backends:
-    - serviceName: httpbin
-      servicePort: 80
-    authentication:
-      enable: true
-      type: keyAuth
-EOF
-```
-
-* Requests from foo:
-
-```shell
-kubectl  exec -it -n ${namespace of Apache APISIX} ${pod of Apache APISIX}  -- 
curl http://127.0.0.1:9080/anything -H 'Host: httpbin.org' -H 'apikey:foo-key' 
-i
-```
-
-```shell
-HTTP/1.1 200 OK
-...
-```
-
-</details>
-
-#### Enable `JWT Auth`
-
-* Creates an ApisixConsumer, and set the attributes of plugin `jwt-auth`:
-
-```shell
-kubectl apply -f - <<EOF
-apiVersion: apisix.apache.org/v2beta3
-kind: ApisixConsumer
-metadata:
-  name: foo2
-spec:
-  authParameter:
-    jwtAuth:
-      value:
-        key: foo2-key
-EOF
-```
-
-* Use the `public-api` plugin to expose the public API:
-
-```shell
-kubectl apply -f - <<EOF
-apiVersion: apisix.apache.org/v2beta3
-kind: ApisixRoute
-metadata:
-  name: default
-spec:
-  http:
-  - name: public-api
-    match:
-      paths:
-      - /apisix/plugin/jwt/sign
-    backends:
-    - serviceName: apisix-admin
-      servicePort: 9180
-    plugins:
-    - name: public-api
-      enable: true
-EOF
-```
-
-* Creates an ApisixRoute, and enable the jwt-auth plugin:
-
-```shell
-kubectl apply -f - <<EOF
-apiVersion: apisix.apache.org/v2beta3
-kind: ApisixRoute
-metadata:
- name: httpbin-route
-spec:
- http:
- - name: rule1
-   match:
-     hosts:
-     - httpbin.org
-     paths:
-       - /*
-   backends:
-   - serviceName: httpbin
-     servicePort: 80
-   authentication:
-     enable: true
-     type: jwtAuth
-EOF
-```
-
-* Get the token:
-
-```shell
-kubectl  exec -it -n ${namespace of Apache APISIX} ${pod of Apache APISIX} -- 
curl http://127.0.0.1:9080/apisix/plugin/jwt/sign?key=foo2-key -H 'Host: 
httpbin.org' -i
-```
-
-```shell
-HTTP/1.1 200 OK
-...
-eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIsImV4cCI6MTU2NDA1MDgxMX0.Us8zh_4VjJXF-TmR5f8cif8mBU7SuefPlpxhH0jbPVI
-```
-
-* Without token:
-
-```shell
-kubectl  exec -it -n ${namespace of Apache APISIX} ${pod of Apache APISIX} -- 
curl http://127.0.0.1:9080/anything -H 'Host: httpbin.org' -i
-```
-
-```shell
-HTTP/1.1 401
-...
-{"message":"Missing JWT token in request"}
-```
-
-* Request header with token:
-
-```shell
-kubectl  exec -it -n ${namespace of Apache APISIX} ${pod of Apache APISIX} -- 
curl http://127.0.0.1:9080/anything -H 'Host: httpbin.org' -H 'Authorization: 
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIsImV4cCI6MTU2NDA1MDgxMX0.Us8zh_4VjJXF-TmR5f8cif8mBU7SuefPlpxhH0jbPVI'
 -i
-```
-
-```shell
-HTTP/1.1 200 OK
-...
-```
-
-### How to enable `Restriction`
-
-We can also use the `consumer-restriction` Plugin to restrict our user from 
accessing the API.
-
-#### How to restrict `consumer_name`
-
-The following is an example. The `consumer-restriction` plugin is enabled on 
the specified route to restrict `consumer_name` access.
-
-* **consumer_name**: Add the `username` of `consumer` to a whitelist or 
blacklist (supporting single or multiple consumers) to restrict access to 
services or routes.
-
-* Create ApisixConsumer jack1:
-
-```shell
-kubectl apply -f - <<EOF
-apiVersion: apisix.apache.org/v2beta3
-kind: ApisixConsumer
-metadata:
-  name: jack1
-spec:
-  authParameter:
-    keyAuth:
-      value:
-        key: jack1-key
-EOF
-```
-
-* Create ApisixConsumer jack2:
-
-```shell
-kubectl apply -f - <<EOF
-apiVersion: apisix.apache.org/v2beta3
-kind: ApisixConsumer
-metadata:
-  name: jack2
-spec:
-  authParameter:
-    keyAuth:
-      value:
-        key: jack2-key
-EOF
-```
-
-* Creates an ApisixRoute, and enable config `whitelist`  of the plugin 
`consumer-restriction`:
-
-```shell
-kubectl apply -f - <<EOF
-apiVersion: apisix.apache.org/v2beta3
-kind: ApisixRoute
-metadata:
- name: httpserver-route
-spec:
- http:
- - name: rule1
-   match:
-     hosts:
-     - httpbin.org
-     paths:
-       - /*
-   backends:
-   - serviceName: httpbin
-     servicePort: 80
-   authentication:
-     enable: true
-     type: keyAuth
-   plugins:
-   - name: consumer-restriction
-     enable: true
-     config:
-       whitelist:
-       - "default_jack1"
-EOF
-```
-
-:::note The `default_jack1` generation rules:
-
-view ApisixConsumer resource object from this namespace `default`
-
-```shell
-$ kubectl get apisixconsumers.apisix.apache.org -n default
-NAME    AGE
-foo     14h
-jack1   14h
-jack2   14h
-```
-
-`${consumer_name}` = `${namespace}_${ApisixConsumer_name}` --> `default_foo`  
-`${consumer_name}` = `${namespace}_${ApisixConsumer_name}` --> `default_jack1` 
 
-`${consumer_name}` = `${namespace}_${ApisixConsumer_name}` --> `default_jack2`
-
-:::
-
-**Example usage**
-
-* Requests from jack1:
-
-```shell
-kubectl  exec -it -n ${namespace of Apache APISIX} ${pod of Apache APISIX} -- 
curl http://127.0.0.1:9080/anything -H 'Host: httpbin.org' -H 
'apikey:jack1-key' -i
-```
-
-```shell
-HTTP/1.1 200 OK
-...
-```
-
-* Requests from jack2:
-
-```shell
-kubectl  exec -it -n ${namespace of Apache APISIX} ${pod of Apache APISIX} -- 
curl http://127.0.0.1:9080/anything -H 'Host: httpbin.org' -H 
'apikey:jack2-key' -i
-```
-
-```shell
-HTTP/1.1 403 Forbidden
-...
-{"message":"The consumer_name is forbidden."}
-```
-
-#### How to restrict `allowed_by_methods`
-
-This example restrict the user `jack2` to only `GET` on the resource.
-
-* Creates an ApisixRoute, and enable config `allowed_by_methods`  of the 
plugin `consumer-restriction`:
-
-```shell
-kubectl apply -f - <<EOF
-apiVersion: apisix.apache.org/v2beta3
-kind: ApisixRoute
-metadata:
- name: httpserver-route
-spec:
- http:
- - name: rule1
-   match:
-     hosts:
-     - httpbin.org
-     paths:
-       - /*
-   backends:
-   - serviceName: httpbin
-     servicePort: 80
-   authentication:
-     enable: true
-     type: keyAuth
-   plugins:
-   - name: consumer-restriction
-     enable: true
-     config:
-       allowed_by_methods:
-       - user: "default_jack1"
-         methods:
-         - "POST"
-         - "GET"
-       - user: "default_jack2"
-         methods:
-         - "GET"
-EOF
-```
-
-**Example usage**
-
-* Requests from jack1:
-
-```shell
-kubectl  exec -it -n ${namespace of Apache APISIX} ${pod of Apache APISIX} -- 
curl http://127.0.0.1:9080/anything -H 'Host: httpbin.org' -H 
'apikey:jack1-key' -i
-```
-
-```shell
-HTTP/1.1 200 OK
-...
-```
-
-```shell
-kubectl  exec -it -n ${namespace of Apache APISIX} ${pod of Apache APISIX} -- 
curl http://127.0.0.1:9080/anything -H 'Host: httpbin.org' -H 
'apikey:jack1-key' -d '' -i
-```
-
-```shell
-HTTP/1.1 200 OK
-...
-```
-
-* Requests from jack2:
-
-```shell
-kubectl  exec -it -n ${namespace of Apache APISIX} ${pod of Apache APISIX} -- 
curl http://127.0.0.1:9080/anything -H 'Host: httpbin.org' -H 
'apikey:jack2-key' -i
-```
-
-```shell
-HTTP/1.1 200 OK
-...
-```
-
-```shell
-kubectl  exec -it -n ${namespace of Apache APISIX} ${pod of Apache APISIX} -- 
curl http://127.0.0.1:9080/anything -H 'Host: httpbin.org' -H 
'apikey:jack2-key' -d '' -i
-```
-
-```shell
-HTTP/1.1 403 Forbidden
-...
-```
-
-### Disable authentication and restriction
-
-To disable the `consumer-restriction` Plugin, you can set the `enable: false` 
from the `plugins` configuration.  
-Also, disable the `keyAuth`, you can set the `enable: false` from the 
`authentication` configuration.
-
-```shell
-kubectl apply -f - <<EOF
-apiVersion: apisix.apache.org/v2beta3
-kind: ApisixRoute
-metadata:
- name: httpserver-route
-spec:
- http:
- - name: rule1
-   match:
-     hosts:
-     - httpbin.org
-     paths:
-       - /*
-   backends:
-   - serviceName: httpbin
-     servicePort: 80
-   authentication:
-     enable: false
-     type: keyAuth
-   plugins:
-   - name: consumer-restriction
-     enable: false
-     config:
-       allowed_by_methods:
-       - user: "default_jack1"
-         methods:
-         - "POST"
-         - "GET"
-       - user: "default_jack2"
-         methods:
-         - "GET"
-EOF
-```
-
-```shell
-kubectl  exec -it -n ${namespace of Apache APISIX} ${pod of Apache APISIX}  -- 
curl http://127.0.0.1:9080/anything -H 'Host: httpbin.org' -i
-```
-
-```shell
-HTTP/1.1 200 OK
-...
-```
+---
+title: Enable authentication and restriction
+---
+
+<!--
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+-->
+
+## Description
+
+Consumers are used for the authentication method controlled by Apache APISIX, 
if users want to use their own auth system or 3rd party systems, use OIDC.
+
+## Attributes
+
+### Authentication
+
+#### Key Auth
+
+Consumers add their key either in a header or query string parameter to 
authenticate their requests. For more information about `Key Auth`, please 
refer to [APISIX key-auth 
plugin](https://apisix.apache.org/docs/apisix/plugins/key-auth/).
+Also, we can using the `secretRef` field to reference a K8s Secret object so 
that we can avoid the hardcoded sensitive data in the ApisixConsumer object. 
For reference Secret use example, please refer to the 
[key-auth-reference-secret-object](#key-auth-reference-secret-object).
+
+<details>
+  <summary>Key Auth yaml configure</summary>
+
+```yaml
+apiVersion: apisix.apache.org/v2
+kind: ApisixConsumer
+metadata:
+  name: ${name}
+spec:
+  authParameter:
+    keyAuth:
+      value:
+        key: ${key} #required
+```
+
+</details>
+
+#### Basic Auth
+
+Consumers add their key in a header to authenticate their requests. For more 
information about `Basic Auth`, please refer to [APISIX basic-auth 
plugin](https://apisix.apache.org/docs/apisix/plugins/basic-auth/).
+Also, we can using the `secretRef` field to reference a K8s Secret object so 
that we can avoid the hardcoded sensitive data in the ApisixConsumer object. 
For reference Secret use example, please refer to the 
[key-auth-reference-secret-object](#key-auth-reference-secret-object).
+
+<details>
+  <summary>Basic Auth yaml configure</summary>
+
+```yaml
+apiVersion: apisix.apache.org/v2
+kind: ApisixConsumer
+metadata:
+  name: ${name}
+spec:
+  authParameter:
+    basicAuth:
+      value:
+        username: ${username} #required
+        password: ${password} #required
+```
+
+</details>
+
+#### JWT Auth
+
+The consumer then adds its key to the query string parameter, request header, 
or cookie to verify its request. For more information about `JWT Auth`, please 
refer to [APISIX jwt-auth 
plugin](https://apisix.apache.org/docs/apisix/plugins/jwt-auth/).
+Also, we can using the `secretRef` field to reference a K8s Secret object so 
that we can avoid the hardcoded sensitive data in the ApisixConsumer object. 
For reference Secret use example, please refer to the 
[key-auth-reference-secret-object](#key-auth-reference-secret-object).
+
+:::note Need to expose API
+This plugin will add `/apisix/plugin/jwt/sign` to sign. You may need to use 
`public-api` plugin to expose it.
+:::
+
+<details>
+  <summary>JWT Auth yaml configure</summary>
+
+```yaml
+apiVersion: apisix.apache.org/v2
+kind: ApisixConsumer
+metadata:
+  name: ${name}
+spec:
+  authParameter:
+    wolfRbac:
+      value:
+        key: "${key}"                                    #required
+        secret: "${secret}"                              #optional
+        public_key: "${public_key}"                      #optional, required 
when algorithm attribute selects RS256 algorithm.
+        private_key: "{private_key}"                     #optional, required 
when algorithm attribute selects RS256 algorithm.
+        algorithm: "${HS256 | HS512 | RS256}"            #optional
+        exp: ${ 86400 | token's expire time, in seconds} #optional
+        algorithm: ${true | false}                       #optional
+```
+
+</details>
+
+#### `Wolf RBAC`
+
+To use wolfRbac authentication, you need to start and install 
[wolf-server](https://github.com/iGeeky/wolf/blob/master/quick-start-with-docker/README.md).
 For more information about `Wolf RBAC`, please refer to [APISIX wolf-rbac 
plugin](https://apisix.apache.org/zh/docs/apisix/plugins/wolf-rbac/).
+Also, we can using the `secretRef` field to reference a K8s Secret object so 
that we can avoid the hardcoded sensitive data in the ApisixConsumer object. 
For reference Secret use example, please refer to the 
[key-auth-reference-secret-object](#key-auth-reference-secret-object).
+
+:::note This plugin will add several APIs
+
+* /apisix/plugin/wolf-rbac/login
+* /apisix/plugin/wolf-rbac/change_pwd
+* /apisix/plugin/wolf-rbac/user_info
+
+You may need to use `public-api` plugin to expose it.
+:::
+
+<details>
+  <summary>Wolf RBAC yaml configure</summary>
+
+```yaml
+apiVersion: apisix.apache.org/v2
+kind: ApisixConsumer
+metadata:
+  name: ${name}
+spec:
+  authParameter:
+    wolfRBAC:
+      value:
+      server: "${server of wolf-rbac}"                            #optional
+      appid: "${appid of wolf-rbac}"                              #optional
+      header_prefix: "${X- | X-UserId | X-Username | X-Nickname}" #optional
+```
+
+</details>
+
+### 
[Restriction](https://apisix.apache.org/docs/apisix/plugins/consumer-restriction/)
+
+#### `whitelist` or `blacklist`
+
+`whitelist`: Grant full access to all users specified in the provided list, 
**has the priority over `allowed_by_methods`**
+`blacklist`: Reject connection to all users specified in the provided list, 
**has the priority over `whitelist`**
+
+<details>
+  <summary>whitelist or blacklist with consumer-restriction yaml 
configure</summary>
+
+```yaml
+plugins:
+- name: consumer-restriction
+  enable: true
+  config:
+    blacklist:
+    - "${consumer_name}"
+    - "${consumer_name}"
+```
+
+</details>
+
+#### `allowed_by_methods`
+
+HTTP methods can be `methods:["GET", "POST", "PUT", "DELETE", "PATCH", "HEAD", 
"OPTIONS", "CONNECT", "TRACE", "PURGE"]`
+
+<details>
+  <summary>allowed_by_methods with consumer-restriction yaml 
configure</summary>
+
+```yaml
+plugins:
+- name: consumer-restriction
+  enable: true
+  config:
+    allowed_by_methods:
+    - user: "${consumer_name}"
+      methods:
+      - "${GET | POST | PUT |...}"
+      - "${GET | POST | PUT |...}"
+    - user: "${consumer_name}"
+      methods:
+      - "${GET | POST | PUT |...}"
+```
+
+</details>
+
+## Example
+
+[Refer to the corresponding e2e test 
case.](../../../../test/e2e/suite-plugins/suite-plugins-authentication/)
+
+### Prepare env
+
+To use this tutorial, you must deploy `Ingress APISIX` and `httpbin` in 
Kubernetes cluster.
+
+* Installing [`Ingress APISIX`](../deployments/minikube.md).
+* Deploy `httpbin` service.
+
+```shell
+#Now, try to deploy httpbin to your Kubernetes cluster:
+kubectl run httpbin --image kennethreitz/httpbin --port 80
+kubectl expose pod httpbin --port 80
+```
+
+### How to enable `Authentication`
+
+#### Enable `keyAuth`
+
+The following is an example. The `keyAuth` is enabled on the specified route 
to restrict user access.
+
+* Creates an ApisixConsumer, and set the attributes of plugin `key-auth`:
+
+```shell
+kubectl apply -f - <<EOF
+apiVersion: apisix.apache.org/v2
+kind: ApisixConsumer
+metadata:
+  name: foo
+spec:
+  authParameter:
+    keyAuth:
+      value:
+        key: foo-key
+EOF
+```
+
+* Creates an ApisixRoute, and enable plugin `key-auth`:
+
+```shell
+kubectl apply -f - <<EOF
+apiVersion: apisix.apache.org/v2
+kind: ApisixRoute
+metadata:
+  name: httpserver-route
+spec:
+  http:
+  - name: rule1
+    match:
+      hosts:
+      - httpbin.org
+      paths:
+      - /*
+    backends:
+    - serviceName: httpbin
+      servicePort: 80
+    authentication:
+      enable: true
+      type: keyAuth
+EOF
+```
+
+* Requests from foo:
+
+```shell
+kubectl  exec -it -n ${namespace of Apache APISIX} ${pod of Apache APISIX}  -- 
curl http://127.0.0.1:9080/anything -H 'Host: httpbin.org' -H 'apikey:foo-key' 
-i
+```
+
+```shell
+HTTP/1.1 200 OK
+...
+```
+
+##### Key Auth reference Secret object
+
+<details>
+  <summary>ApisixRoute with keyAuth consumer using secret example</summary>
+
+* Creates a `Secret` object:
+
+```shell
+kubectl apply -f - <<EOF
+apiVersion: v1
+kind: Secret
+metadata:
+  name: foovalue
+data:
+  key: Zm9vLWtleQ==
+EOF
+```
+
+* Creates an ApisixConsumer and reference `Secret` object:
+
+```shell
+kubectl apply -f - <<EOF
+apiVersion: apisix.apache.org/v2
+kind: ApisixConsumer
+metadata:
+  name: foo
+spec:
+  authParameter:
+    keyAuth:
+      secretRef:
+        name: foovalue
+EOF
+```
+
+* Creates an ApisixRoute, and enables plugin `key-auth`:
+
+```shell
+kubectl apply -f - <<EOF
+apiVersion: apisix.apache.org/v2
+kind: ApisixRoute
+metadata:
+  name: httpserver-route
+spec:
+  http:
+  - name: rule1
+    match:
+      hosts:
+      - httpbin.org
+      paths:
+      - /*
+    backends:
+    - serviceName: httpbin
+      servicePort: 80
+    authentication:
+      enable: true
+      type: keyAuth
+EOF
+```
+
+* Requests from foo:
+
+```shell
+kubectl  exec -it -n ${namespace of Apache APISIX} ${pod of Apache APISIX}  -- 
curl http://127.0.0.1:9080/anything -H 'Host: httpbin.org' -H 'apikey:foo-key' 
-i
+```
+
+```shell
+HTTP/1.1 200 OK
+...
+```
+
+</details>
+
+#### Enable `JWT Auth`
+
+* Creates an ApisixConsumer, and set the attributes of plugin `jwt-auth`:
+
+```shell
+kubectl apply -f - <<EOF
+apiVersion: apisix.apache.org/v2
+kind: ApisixConsumer
+metadata:
+  name: foo2
+spec:
+  authParameter:
+    jwtAuth:
+      value:
+        key: foo2-key
+EOF
+```
+
+* Use the `public-api` plugin to expose the public API:
+
+```shell
+kubectl apply -f - <<EOF
+apiVersion: apisix.apache.org/v2
+kind: ApisixRoute
+metadata:
+  name: default
+spec:
+  http:
+  - name: public-api
+    match:
+      paths:
+      - /apisix/plugin/jwt/sign
+    backends:
+    - serviceName: apisix-admin
+      servicePort: 9180
+    plugins:
+    - name: public-api
+      enable: true
+EOF
+```
+
+* Creates an ApisixRoute, and enable the jwt-auth plugin:
+
+```shell
+kubectl apply -f - <<EOF
+apiVersion: apisix.apache.org/v2
+kind: ApisixRoute
+metadata:
+ name: httpbin-route
+spec:
+ http:
+ - name: rule1
+   match:
+     hosts:
+     - httpbin.org
+     paths:
+       - /*
+   backends:
+   - serviceName: httpbin
+     servicePort: 80
+   authentication:
+     enable: true
+     type: jwtAuth
+EOF
+```
+
+* Get the token:
+
+```shell
+kubectl  exec -it -n ${namespace of Apache APISIX} ${pod of Apache APISIX} -- 
curl http://127.0.0.1:9080/apisix/plugin/jwt/sign?key=foo2-key -H 'Host: 
httpbin.org' -i
+```
+
+```shell
+HTTP/1.1 200 OK
+...
+eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIsImV4cCI6MTU2NDA1MDgxMX0.Us8zh_4VjJXF-TmR5f8cif8mBU7SuefPlpxhH0jbPVI
+```
+
+* Without token:
+
+```shell
+kubectl  exec -it -n ${namespace of Apache APISIX} ${pod of Apache APISIX} -- 
curl http://127.0.0.1:9080/anything -H 'Host: httpbin.org' -i
+```
+
+```shell
+HTTP/1.1 401
+...
+{"message":"Missing JWT token in request"}
+```
+
+* Request header with token:
+
+```shell
+kubectl  exec -it -n ${namespace of Apache APISIX} ${pod of Apache APISIX} -- 
curl http://127.0.0.1:9080/anything -H 'Host: httpbin.org' -H 'Authorization: 
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIsImV4cCI6MTU2NDA1MDgxMX0.Us8zh_4VjJXF-TmR5f8cif8mBU7SuefPlpxhH0jbPVI'
 -i
+```
+
+```shell
+HTTP/1.1 200 OK
+...
+```
+
+### How to enable `Restriction`
+
+We can also use the `consumer-restriction` Plugin to restrict our user from 
accessing the API.
+
+#### How to restrict `consumer_name`
+
+The following is an example. The `consumer-restriction` plugin is enabled on 
the specified route to restrict `consumer_name` access.
+
+* **consumer_name**: Add the `username` of `consumer` to a whitelist or 
blacklist (supporting single or multiple consumers) to restrict access to 
services or routes.
+
+* Create ApisixConsumer jack1:
+
+```shell
+kubectl apply -f - <<EOF
+apiVersion: apisix.apache.org/v2
+kind: ApisixConsumer
+metadata:
+  name: jack1
+spec:
+  authParameter:
+    keyAuth:
+      value:
+        key: jack1-key
+EOF
+```
+
+* Create ApisixConsumer jack2:
+
+```shell
+kubectl apply -f - <<EOF
+apiVersion: apisix.apache.org/v2
+kind: ApisixConsumer
+metadata:
+  name: jack2
+spec:
+  authParameter:
+    keyAuth:
+      value:
+        key: jack2-key
+EOF
+```
+
+* Creates an ApisixRoute, and enable config `whitelist`  of the plugin 
`consumer-restriction`:
+
+```shell
+kubectl apply -f - <<EOF
+apiVersion: apisix.apache.org/v2
+kind: ApisixRoute
+metadata:
+ name: httpserver-route
+spec:
+ http:
+ - name: rule1
+   match:
+     hosts:
+     - httpbin.org
+     paths:
+       - /*
+   backends:
+   - serviceName: httpbin
+     servicePort: 80
+   authentication:
+     enable: true
+     type: keyAuth
+   plugins:
+   - name: consumer-restriction
+     enable: true
+     config:
+       whitelist:
+       - "default_jack1"
+EOF
+```
+
+:::note The `default_jack1` generation rules:
+
+view ApisixConsumer resource object from this namespace `default`
+
+```shell
+$ kubectl get apisixconsumers.apisix.apache.org -n default
+NAME    AGE
+foo     14h
+jack1   14h
+jack2   14h
+```
+
+`${consumer_name}` = `${namespace}_${ApisixConsumer_name}` --> `default_foo`
+`${consumer_name}` = `${namespace}_${ApisixConsumer_name}` --> `default_jack1`
+`${consumer_name}` = `${namespace}_${ApisixConsumer_name}` --> `default_jack2`
+
+:::
+
+**Example usage**
+
+* Requests from jack1:
+
+```shell
+kubectl  exec -it -n ${namespace of Apache APISIX} ${pod of Apache APISIX} -- 
curl http://127.0.0.1:9080/anything -H 'Host: httpbin.org' -H 
'apikey:jack1-key' -i
+```
+
+```shell
+HTTP/1.1 200 OK
+...
+```
+
+* Requests from jack2:
+
+```shell
+kubectl  exec -it -n ${namespace of Apache APISIX} ${pod of Apache APISIX} -- 
curl http://127.0.0.1:9080/anything -H 'Host: httpbin.org' -H 
'apikey:jack2-key' -i
+```
+
+```shell
+HTTP/1.1 403 Forbidden
+...
+{"message":"The consumer_name is forbidden."}
+```
+
+#### How to restrict `allowed_by_methods`
+
+This example restrict the user `jack2` to only `GET` on the resource.
+
+* Creates an ApisixRoute, and enable config `allowed_by_methods`  of the 
plugin `consumer-restriction`:
+
+```shell
+kubectl apply -f - <<EOF
+apiVersion: apisix.apache.org/v2
+kind: ApisixRoute
+metadata:
+ name: httpserver-route
+spec:
+ http:
+ - name: rule1
+   match:
+     hosts:
+     - httpbin.org
+     paths:
+       - /*
+   backends:
+   - serviceName: httpbin
+     servicePort: 80
+   authentication:
+     enable: true
+     type: keyAuth
+   plugins:
+   - name: consumer-restriction
+     enable: true
+     config:
+       allowed_by_methods:
+       - user: "default_jack1"
+         methods:
+         - "POST"
+         - "GET"
+       - user: "default_jack2"
+         methods:
+         - "GET"
+EOF
+```
+
+**Example usage**
+
+* Requests from jack1:
+
+```shell
+kubectl  exec -it -n ${namespace of Apache APISIX} ${pod of Apache APISIX} -- 
curl http://127.0.0.1:9080/anything -H 'Host: httpbin.org' -H 
'apikey:jack1-key' -i
+```
+
+```shell
+HTTP/1.1 200 OK
+...
+```
+
+```shell
+kubectl  exec -it -n ${namespace of Apache APISIX} ${pod of Apache APISIX} -- 
curl http://127.0.0.1:9080/anything -H 'Host: httpbin.org' -H 
'apikey:jack1-key' -d '' -i
+```
+
+```shell
+HTTP/1.1 200 OK
+...
+```
+
+* Requests from jack2:
+
+```shell
+kubectl  exec -it -n ${namespace of Apache APISIX} ${pod of Apache APISIX} -- 
curl http://127.0.0.1:9080/anything -H 'Host: httpbin.org' -H 
'apikey:jack2-key' -i
+```
+
+```shell
+HTTP/1.1 200 OK
+...
+```
+
+```shell
+kubectl  exec -it -n ${namespace of Apache APISIX} ${pod of Apache APISIX} -- 
curl http://127.0.0.1:9080/anything -H 'Host: httpbin.org' -H 
'apikey:jack2-key' -d '' -i
+```
+
+```shell
+HTTP/1.1 403 Forbidden
+...
+```
+
+### Disable authentication and restriction
+
+To disable the `consumer-restriction` Plugin, you can set the `enable: false` 
from the `plugins` configuration.
+Also, disable the `keyAuth`, you can set the `enable: false` from the 
`authentication` configuration.
+
+```shell
+kubectl apply -f - <<EOF
+apiVersion: apisix.apache.org/v2
+kind: ApisixRoute
+metadata:
+ name: httpserver-route
+spec:
+ http:
+ - name: rule1
+   match:
+     hosts:
+     - httpbin.org
+     paths:
+       - /*
+   backends:
+   - serviceName: httpbin
+     servicePort: 80
+   authentication:
+     enable: false
+     type: keyAuth
+   plugins:
+   - name: consumer-restriction
+     enable: false
+     config:
+       allowed_by_methods:
+       - user: "default_jack1"
+         methods:
+         - "POST"
+         - "GET"
+       - user: "default_jack2"
+         methods:
+         - "GET"
+EOF
+```
+
+```shell
+kubectl  exec -it -n ${namespace of Apache APISIX} ${pod of Apache APISIX}  -- 
curl http://127.0.0.1:9080/anything -H 'Host: httpbin.org' -i
+```
+
+```shell
+HTTP/1.1 200 OK
+...
+```
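Review bot: In the "JWT Auth yaml configure" block the consumer parameters are declared under `wolfRbac:` instead of `jwtAuth:`, the key that the "Enable `JWT Auth`" example later in this same file uses, so the reference block describes the wrong auth type. The same block lists `algorithm` twice (the second entry, `algorithm: ${true | false}`, looks like it was meant to be a different boolean field) and writes `private_key: "{private_key}"` without the `$` the other placeholders carry. In the "Wolf RBAC yaml configure" block, `server`, `appid` and `header_prefix` are at the same indent as `value:` rather than under it, so `value` parses as null and the three fields attach directly to `wolfRBAC`; the key is also spelled `wolfRBAC` there but `wolfRbac` in the JWT block, so one spelling needs correcting. Two smaller points in the same hunk: the Basic Auth intro ("Consumers add their key in a header") reads as copied from Key Auth, and the wolf-rbac plugin link points at the `/zh/` docs while the other plugin links do not. Since all of these lines are re-added by this commit, they are worth fixing here rather than carrying forward.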
diff --git 
a/docs/en/latest/tutorials/how-to-access-Apache-APISIX-Prometheus-Metrics-on-k8s.md
 
b/docs/en/latest/tutorials/how-to-access-Apache-APISIX-Prometheus-Metrics-on-k8s.md
index 4fed57d6..c19cad02 100644
--- 
a/docs/en/latest/tutorials/how-to-access-Apache-APISIX-Prometheus-Metrics-on-k8s.md
+++ 
b/docs/en/latest/tutorials/how-to-access-Apache-APISIX-Prometheus-Metrics-on-k8s.md
@@ -34,7 +34,7 @@ Before starting, please make sure that Apache APISIX (version 
>= 2.13)and APISIX
 If you need to monitor Apache APISIX simultaneously, you can create the 
following ApisixClusterConfig resource.
 
 ```yaml
-apiVersion: apisix.apache.org/v2beta3
+apiVersion: apisix.apache.org/v2
 kind: ApisixClusterConfig
 metadata:
   name: default
@@ -49,7 +49,7 @@ spec:
 Let's make a basic routing setup, and please note that further configuration 
should be done based on your local backend service information. The primary 
solution concept is to use the `public-api` plugin to protect the routes 
exposed by *Prometheus*. For a more detailed configuration, you can refer to 
the 
[example](https://apisix.apache.org/docs/apisix/plugins/public-api/#example) 
section of the `public-api` plugin.
 
 ```yaml
-apiVersion: apisix.apache.org/v2beta3
+apiVersion: apisix.apache.org/v2
 kind: ApisixRoute
 metadata:
   name: prometheus-route
diff --git 
a/docs/en/latest/tutorials/how-to-use-go-plugin-runner-in-apisix-ingress.md 
b/docs/en/latest/tutorials/how-to-use-go-plugin-runner-in-apisix-ingress.md
index d714773f..72c7b310 100644
--- a/docs/en/latest/tutorials/how-to-use-go-plugin-runner-in-apisix-ingress.md
+++ b/docs/en/latest/tutorials/how-to-use-go-plugin-runner-in-apisix-ingress.md
@@ -155,7 +155,7 @@ kubectl expose pod httpbin --port 80
 Create the `go-plugin-runner-route.yaml` file to enable the ApisixRoute 
resource, with the following configuration file:
 
 ```yaml
-apiVersion: apisix.apache.org/v2beta3
+apiVersion: apisix.apache.org/v2
 kind: ApisixRoute
 metadata:
   name: plugin-runner-demo
diff --git a/docs/en/latest/tutorials/manage-certificates-with-cert-manager.md 
b/docs/en/latest/tutorials/manage-certificates-with-cert-manager.md
index 564f047b..42ff97de 100644
--- a/docs/en/latest/tutorials/manage-certificates-with-cert-manager.md
+++ b/docs/en/latest/tutorials/manage-certificates-with-cert-manager.md
@@ -132,7 +132,7 @@ kubectl run httpbin --image kennethreitz/httpbin --expose 
--port 80
 Create an ApisixRoute to route the service:
 
 ```yaml
-apiVersion: apisix.apache.org/v2beta3
+apiVersion: apisix.apache.org/v2
 kind: ApisixRoute
 metadata:
   name: httpserver-route
@@ -168,7 +168,7 @@ It should output:
 Create an ApisixTls to secure the route, referring to the secret created by 
cert-manager:
 
 ```yaml
-apiVersion: apisix.apache.org/v2beta3
+apiVersion: apisix.apache.org/v2
 kind: ApisixTls
 metadata:
   name: example-tls
diff --git a/docs/en/latest/tutorials/mtls.md b/docs/en/latest/tutorials/mtls.md
index 5be01755..30d29d19 100644
--- a/docs/en/latest/tutorials/mtls.md
+++ b/docs/en/latest/tutorials/mtls.md
@@ -51,7 +51,7 @@ Since SSL is not configured in ApisixRoute, we can use the 
config similar to the
 
 ```yaml
 # route.yaml
-apiVersion: apisix.apache.org/v2beta3
+apiVersion: apisix.apache.org/v2
 kind: ApisixRoute
 metadata:
   name: httpserver-route
@@ -117,7 +117,7 @@ The secret name is `server-secret`, we created it in the 
`default` namespace. We
 
 ```yaml
 # tls.yaml
-apiVersion: apisix.apache.org/v2beta3
+apiVersion: apisix.apache.org/v2
 kind: ApisixTls
 metadata:
   name: sample-tls
@@ -164,7 +164,7 @@ Then, change our ApisixTls and apply it:
 
 ```yaml
 # mtls.yaml
-apiVersion: apisix.apache.org/v2beta3
+apiVersion: apisix.apache.org/v2
 kind: ApisixTls
 metadata:
   name: sample-tls
diff --git a/docs/en/latest/tutorials/mtls/mtls.yaml 
b/docs/en/latest/tutorials/mtls/mtls.yaml
index 20a6fa66..1315e334 100644
--- a/docs/en/latest/tutorials/mtls/mtls.yaml
+++ b/docs/en/latest/tutorials/mtls/mtls.yaml
@@ -14,7 +14,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-apiVersion: apisix.apache.org/v2beta3
+apiVersion: apisix.apache.org/v2
 kind: ApisixTls
 metadata:
   name: sample-tls
diff --git a/docs/en/latest/tutorials/mtls/route.yaml 
b/docs/en/latest/tutorials/mtls/route.yaml
index fb86d353..a07610d5 100644
--- a/docs/en/latest/tutorials/mtls/route.yaml
+++ b/docs/en/latest/tutorials/mtls/route.yaml
@@ -14,7 +14,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-apiVersion: apisix.apache.org/v2beta3
+apiVersion: apisix.apache.org/v2
 kind: ApisixRoute
 metadata:
   name: httpserver-route
diff --git a/docs/en/latest/tutorials/mtls/tls.yaml 
b/docs/en/latest/tutorials/mtls/tls.yaml
index cfea8f38..35ef6598 100644
--- a/docs/en/latest/tutorials/mtls/tls.yaml
+++ b/docs/en/latest/tutorials/mtls/tls.yaml
@@ -14,7 +14,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-apiVersion: apisix.apache.org/v2beta3
+apiVersion: apisix.apache.org/v2
 kind: ApisixTls
 metadata:
   name: sample-tls
diff --git a/docs/en/latest/tutorials/proxy-grpc-service.md 
b/docs/en/latest/tutorials/proxy-grpc-service.md
index b7174489..d734cc77 100644
--- a/docs/en/latest/tutorials/proxy-grpc-service.md
+++ b/docs/en/latest/tutorials/proxy-grpc-service.md
@@ -82,7 +82,7 @@ If you don't see a command prompt, try pressing enter.
 
 ```bash
 kubectl apply -f - <<EOF
-apiVersion: apisix.apache.org/v2beta3
+apiVersion: apisix.apache.org/v2
 kind: ApisixRoute
 metadata:
   name: grpc-proxy-route
@@ -106,7 +106,7 @@ EOF
 
 ```bash
 kubectl apply -f - <<EOF
-apiVersion: apisix.apache.org/v2beta3
+apiVersion: apisix.apache.org/v2
 kind: ApisixUpstream
 metadata:
   name: yages
@@ -134,7 +134,7 @@ Inform APISIX SSL configuration through ApisixTls.
 
 ```bash
 kubectl apply -f - <<EOF
-apiVersion: apisix.apache.org/v2beta3
+apiVersion: apisix.apache.org/v2
 kind: ApisixTls
 metadata:
   name: grpc-secret
diff --git a/docs/en/latest/tutorials/proxy-the-httpbin-service.md 
b/docs/en/latest/tutorials/proxy-the-httpbin-service.md
index b0db1d89..5865f54d 100644
--- a/docs/en/latest/tutorials/proxy-the-httpbin-service.md
+++ b/docs/en/latest/tutorials/proxy-the-httpbin-service.md
@@ -46,7 +46,7 @@ In order to let Apache APISIX proxies requests to httpbin, we 
need to create an
 
 ```yaml
 # httpbin-route.yaml
-apiVersion: apisix.apache.org/v2beta3
+apiVersion: apisix.apache.org/v2
 kind: ApisixRoute
 metadata:
   name: httpserver-route
diff --git a/docs/en/latest/tutorials/the-hard-way.md 
b/docs/en/latest/tutorials/the-hard-way.md
index dab4e981..07df65ac 100644
--- a/docs/en/latest/tutorials/the-hard-way.md
+++ b/docs/en/latest/tutorials/the-hard-way.md
@@ -644,7 +644,7 @@ data:
       - "apisix.ingress=watching"
       ingress_class: "apisix"
       ingress_version: "networking/v1"
-      apisix_route_version: "apisix.apache.org/v2beta3"
+      apisix_route_version: "apisix.apache.org/v2"
     apisix:
       default_cluster_base_url: "http://apisix-admin.apisix:9180/apisix/admin";
       default_cluster_admin_key: "edd1c9f034335f136f87ad84b625c8f1"
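Review bot: `apisix_route_version` in this ConfigMap is a controller configuration value, not a manifest `apiVersion`, so changing it to `apisix.apache.org/v2` alters what the tutorial's controller is configured with rather than just updating an example; the surrounding text should state that the v2 CRDs need to be installed for this setting, or the change should be split from the pure doc-example replacements. Separately, the context line `default_cluster_admin_key: "edd1c9f034335f136f87ad84b625c8f1"` puts a literal admin key into a copy-paste config; a placeholder plus a sentence telling readers to set their own key would be safer in a tutorial.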
@@ -752,7 +752,7 @@ After the ingress controller status is converted to 
`Running`, we could create a
 Here is an example ApisixRoute:
 
 ```yaml
-apiVersion: apisix.apache.org/v2beta3
+apiVersion: apisix.apache.org/v2
 kind: ApisixRoute
 metadata:
   name: httpserver-route
diff --git a/docs/en/latest/upgrade.md b/docs/en/latest/upgrade.md
index 04160282..881ba5ac 100644
--- a/docs/en/latest/upgrade.md
+++ b/docs/en/latest/upgrade.md
@@ -33,7 +33,7 @@ you can use the 
[`conftest`](https://github.com/open-policy-agent/conftest) tool
 Here's a quick example.
 
 ```yaml
-apiVersion: apisix.apache.org/v2beta3
+apiVersion: apisix.apache.org/v2
 kind: ApisixRoute
 metadata:
  name: httpbin-route
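Review bot: In upgrade.md this example follows the sentence about the `conftest` tool ("Here's a quick example"), so please confirm it is not meant to be the old-version input that the check is supposed to flag; if it is, the blanket `v2beta3` to `v2` replacement removes what the example demonstrates, and this hunk should be dropped or the surrounding text adjusted to match.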
