This is an automated email from the ASF dual-hosted git repository.

traky pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/apisix-website.git


The following commit(s) were added to refs/heads/master by this push:
     new 59a7feb04e0 blog: add release notes 3.10.0 (#1816)
59a7feb04e0 is described below

commit 59a7feb04e094fd488e998b4634de28d88135f54
Author: Traky Deng <[email protected]>
AuthorDate: Thu Aug 15 11:38:50 2024 +0800

    blog: add release notes 3.10.0 (#1816)
    
    * add release notes
    
    * fix for mdlint
    
    * update breaking changes and correct zh doc
    
    * Update blog/zh/blog/2024/08/08/release-apache-apisix-3.10.0.md
    
    Co-authored-by: 徐瑞东 <[email protected]>
    
    * update date to aug 14
    
    * update code block syntax highlight
    
    ---------
    
    Co-authored-by: 徐瑞东 <[email protected]>
---
 .../2024/08/14/release-apache-apisix-3.10.0.md     | 202 +++++++++++++++++++++
 .../2024/08/14/release-apache-apisix-3.10.0.md     | 202 +++++++++++++++++++++
 2 files changed, 404 insertions(+)

diff --git a/blog/en/blog/2024/08/14/release-apache-apisix-3.10.0.md 
b/blog/en/blog/2024/08/14/release-apache-apisix-3.10.0.md
new file mode 100644
index 00000000000..4efb0ef6990
--- /dev/null
+++ b/blog/en/blog/2024/08/14/release-apache-apisix-3.10.0.md
@@ -0,0 +1,202 @@
+---
+title: "Release Apache APISIX 3.10.0"
+authors:
+  - name: "Abhishek Choudhary"
+    title: "Author"
+    url: "https://github.com/shreemaan-abhishek";
+    image_url: "https://github.com/shreemaan-abhishek.png";
+  - name: "Traky Deng"
+    title: "Technical Writer"
+    url: "https://github.com/kayx23";
+    image_url: "https://github.com/kayx23.png";
+keywords:
+- Apache APISIX
+- API Gateway
+- API Management Platform
+- New Release
+- Cloud Native
+description: The Apache APISIX 3.10.0 version is released on August 14, 2024. 
This release includes a few changes, new features, bug fixes, and other 
improvements to user experiences.
+tags: [Community]
+---
+
+We are glad to present Apache APISIX 3.10.0 with exciting new features, bug 
fixes, and other improvements to user experiences.
+
+<!--truncate-->
+
+This new release adds a number of new features, including the support for 
add-on headers in the `openid-connect` plugin, storing SSL certs and keys in 
secrets manager, autogeneration of Admin API key, and more.
+
+There are a few important changes included in this release. Should you find 
these changes impacting your operations, please plan accordingly for a seamless 
upgrade.
+
+## Breaking Changes
+
+### Autogenerate Admin API key if not configured
+
+The default Admin API key `edd1c9f034335f136f87ad84b625c8f1` is now removed. 
If no custom Admin API key is configured in `config.yaml`, APISIX will 
autogenerate an Admin API key.
+
+For more details, see [PR #11080](https://github.com/apache/apisix/pull/11080).
+
+### Enable data encryption by default
+
+The `data_encryption.enable_encrypt_fields` option, previously defaults to 
`false`, now defaults to `true` to enhance data security. This means that by 
default, sensitive plugin fields (defined in the `encrypt_fields` attribute of 
plugin schema) and TLS certificate private key are now encrypted.
+
+The configuration only applies when the configuration center is etcd. 
Encryption does not take place when the configuration center is YAML (i.e. 
standalone mode) to avoid unexpected failures.
+
+For more details, see [PR #11076](https://github.com/apache/apisix/pull/11076).
+
+### Categorize more sensitive plugin fields for encryption
+
+Categorize more sensitive plugin data fields under the `encrypt_fields` 
attributes, which should be encrypted when 
`data_encryption.enable_encrypt_fields` option is set to `true`.
+
+For more information, see [PR 
#11095](https://github.com/apache/apisix/pull/11095).
+
+### Introduce max request and response body sizes to `kafka-logger` plugin
+
+Introduce maximum request and response body size attributes 
`max_req_body_bytes` and `max_resp_body_bytes` to the `kafka-logger` plugin. 
The default values are set to 524288 bytes, or 512 KiB.
+
+This helps mitigates the situation when `include_req_body` or 
`include_resp_body` is enabled and the request or response body is very large, 
leading to high CPU usage.
+
+For more details, see [PR #11133](https://github.com/apache/apisix/pull/11133).
+
+### Remove `core.grpc` module
+
+As the `core.grpc` module is observed to be unstable in production and APISIX 
no longer depends on it, this release removes the module.
+
+For users that depend on the gRPC module for custom functionalities, please 
plan accordingly.
+
+For more details, see 
[proposal](https://lists.apache.org/thread/05xvcbvty1txr1owx61vyktsmgs2pdd5) 
and [PR #11427](https://github.com/apache/apisix/pull/11427).
+
+## New Features
+
+### Support add-on headers in the `openid-connect` plugin
+
+You can now append additional header values to the introspection request in 
the `introspection_addon_headers` field when working with the `openid-connect` 
plugin.
+
+For more information, see [PR 
#11090](https://github.com/apache/apisix/pull/11090).
+
+### Print warning message in log when requesting external services without TLS
+
+If you request external services without TLS, for example, using the 
`authz-casdoor` plugin, you should now see warning messages similar to the 
following in the error log:
+
+```text
+Using authz-casdoor endpoint_addr with no TLS is a security risk
+Using authz-casdoor callback_url with no TLS is a security risk
+```
+
+For more information, see [PR 
#11403](https://github.com/apache/apisix/pull/11403).
+
+### Support storing SSL certs and keys in secrets manager
+
+Support storing certificates `certs` and private keys `keys` on SSL resource 
in secrets manager. In the earlier releases, only `cert` and `key` support 
secrets manager.
+
+You can now configure a SSL resource such as the following:
+
+```shell
+curl "http://127.0.0.1:9180/apisix/admin/ssls"; -X PUT -d '
+{
+  "id": "sample-ssl",
+  "sni": "test.com",
+  "cert": "$secret://vault/test/ssl/test.com.crt",
+  "key": "$secret://vault/test/ssl/test.com.key",
+  "certs": ["$secret://vault/test/ssl/test.com.crt"],
+  "keys": ["$secret://vault/test/ssl/test.com.key"]
+}'
+```
+
+For more information, see [PR 
#11339](https://github.com/apache/apisix/pull/11339).
+
+### Support HashiCorp Vault namespace
+
+Support specifying HashiCorp Vault namespace in SSL resource, for example:
+
+```shell
+curl "http://127.0.0.1:9180/apisix/admin/ssls"; -X PUT -d '
+{
+  "id": "sample-ssl",
+  "sni": "test.com",
+  "certs": "$secret://vault/test/ssl/test.com.crt",
+  "keys": "$secret://vault/test/ssl/test.com.key"],
+  "namespace": "apisix"
+}'
+```
+
+For more information, see [PR 
#11277](https://github.com/apache/apisix/pull/11277).
+
+### Add K8s discovery memory dump endpoint to Control API
+
+The Control API now offers a new endpoint `/v1/discovery/kubernetes/dump` to 
see the nodes discovered by K8s discovery. For example:
+
+```shell
+curl http://127.0.0.1:9090/v1/discovery/kubernetes/dump | jq
+```
+
+You will see the discovered node information:
+
+```json
+{
+  "endpoints": [
+    {
+      "endpoints": [
+        {
+          "value": 
"{\"https\":[{\"host\":\"172.18.164.170\",\"port\":6443,\"weight\":50},{\"host\":\"172.18.164.171\",\"port\":6443,\"weight\":50},{\"host\":\"172.18.164.172\",\"port\":6443,\"weight\":50}]}",
+          "name": "default/kubernetes"
+        },
+        {
+          "value": 
"{\"metrics\":[{\"host\":\"172.18.164.170\",\"port\":2379,\"weight\":50},{\"host\":\"172.18.164.171\",\"port\":2379,\"weight\":50},{\"host\":\"172.18.164.172\",\"port\":2379,\"weight\":50}]}",
+          "name": "kube-system/etcd"
+        },
+        {
+          "value": 
"{\"http-85\":[{\"host\":\"172.64.89.2\",\"port\":85,\"weight\":50}]}",
+          "name": "test-ws/testing"
+        }
+      ],
+      "id": "first"
+    }
+  ],
+  "config": [
+    {
+      "default_weight": 50,
+      "id": "first",
+      "client": {
+        "token": "xxx"
+      },
+      "service": {
+        "host": "172.18.164.170",
+        "port": "6443",
+        "schema": "https"
+      },
+      "shared_size": "1m"
+    }
+  ]
+}
+```
+
+For more information, see [PR 
#11111](https://github.com/apache/apisix/pull/11111).
+
+## Other Updates
+
+- Use LRU cache in secret fetching to improve performance ([PR 
#11201](https://github.com/apache/apisix/pull/11201))
+- Move default configurations in `config-default.yaml` to a hardcoded Lua file 
([PR #11343](https://github.com/apache/apisix/pull/11343))
+- Fix etcd sync data checker ([PR 
#11457](https://github.com/apache/apisix/pull/11457))
+- Add plugin metadata ID to avoid the etcd checker failure ([PR 
#11452](https://github.com/apache/apisix/pull/11452))
+- Allow trailing period in SNI and CN for SSL ([PR 
#11414](https://github.com/apache/apisix/pull/11414))
+- Upgrade `lua-protobuf` dependency version to filter out illegal 
`INT(string)` formats in the `grpc-transcode` plugin ([PR 
#11367](https://github.com/apache/apisix/pull/11367))
+- Rectify the error message when API key is missing ([PR 
#11370](https://github.com/apache/apisix/pull/11370))
+- Fix the failure of reporting consumer username tag using the `datadog` 
plugin ([PR #11354](https://github.com/apache/apisix/pull/11354))
+- Fix request error caused by SSL key rotation ([PR 
#11305](https://github.com/apache/apisix/pull/11305))
+- Ensure that all etcd events are handled properly ([PR 
#11268](https://github.com/apache/apisix/pull/11268))
+- Fix stream route matcher being `nil` after the first match ([PR 
#11269](https://github.com/apache/apisix/pull/11269))
+- Rectify the way to fetch secret resource by ID ([PR 
#11164](https://github.com/apache/apisix/pull/11164))
+- Fix the 500 error thrown when using the default configuration in the 
`multi-auth` plugin ([PR #11145](https://github.com/apache/apisix/pull/11145))
+- Avoid overwriting the `Access-Control-Expose-Headers` response header in the 
`cors` plugin ([PR #11136](https://github.com/apache/apisix/pull/11136))
+- Close session in case of error to avoid blocked session ([PR 
#11089](https://github.com/apache/apisix/pull/11089))
+- Restore pb state before other operations in the kafka pubsub module ([PR 
#11135](https://github.com/apache/apisix/pull/11135))
+- Add a default limit of 100 for request headers to limit security risks ([PR 
#11140](https://github.com/apache/apisix/pull/11140))
+- Allow disabling prometheus metric export server when `prometheus` plugin is 
turned off ([PR #11117](https://github.com/apache/apisix/pull/11117))
+- Add POST request headers only if the `request_method` is set to POST in the 
`forward-auth` plugin ([PR #11021](https://github.com/apache/apisix/pull/11021))
+- Fix the 500 error in the `hmac-auth` plugin when using duplicate signature 
header ([PR #11127](https://github.com/apache/apisix/pull/11127))
+- Fix brotli partial response ([PR 
#11087](https://github.com/apache/apisix/pull/11087))
+- Update the upstream schema to disallow port value greater than 65535 ([PR 
#11043](https://github.com/apache/apisix/pull/11043))
+
+## Changelog
+
+For a complete list of changes in this release, please see 
[CHANGELOG](https://github.com/apache/apisix/blob/master/CHANGELOG.md#3100).
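Review bot: The JSON body in the "Support HashiCorp Vault namespace" example is not valid: `"keys": "$secret://vault/test/ssl/test.com.key"],` closes an array that was never opened, and `certs` and `keys` are given as bare strings while the preceding secrets manager example passes them as arrays. Suggest `"certs": ["$secret://vault/test/ssl/test.com.crt"]` and `"keys": ["$secret://vault/test/ssl/test.com.key"]` so the example can be pasted as is. Neither Admin API curl example sends an `X-API-KEY` header; since this post also announces that the default Admin API key is removed and a key is autogenerated, the "Autogenerate Admin API key" section should say where operators find the generated key, and the examples should show the header with a placeholder value. Wording nits: "previously defaults to" should read "which previously defaulted to", and "This helps mitigates" should read "This helps mitigate".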
diff --git a/blog/zh/blog/2024/08/14/release-apache-apisix-3.10.0.md 
b/blog/zh/blog/2024/08/14/release-apache-apisix-3.10.0.md
new file mode 100644
index 00000000000..02015173bae
--- /dev/null
+++ b/blog/zh/blog/2024/08/14/release-apache-apisix-3.10.0.md
@@ -0,0 +1,202 @@
+---
+title: "Apache APISIX 3.10.0 正式发布"
+authors:
+  - name: "Abhishek Choudhary"
+    title: "Author"
+    url: "https://github.com/shreemaan-abhishek";
+    image_url: "https://github.com/shreemaan-abhishek.png";
+  - name: "Traky Deng"
+    title: "Technical Writer"
+    url: "https://github.com/kayx23";
+    image_url: "https://github.com/kayx23.png";
+keywords:
+- Apache APISIX
+- API Gateway
+- API Management Platform
+- New Release
+- Cloud Native
+description: Apache APISIX 3.10.0 版本于 2024 年 8 月 14 
日发布。该版本带来了一系列新功能、修复、以及相关用户体验优化。
+tags: [Community]
+---
+
+我们很高兴地宣布 Apache APISIX 3.10.0 版本已经发布,带来了一系列新功能、修复、以及相关用户体验优化。
+
+<!--truncate-->
+
+这个新版本增加了许多新功能,包括对 `openid-connect` 插件中的附加标头的支持、在 secrets manager 中存储 SSL 
证书和密钥、自动生成 Admin API 密钥等。
+
+此外,该版本还包含了一些重要的变更。如果您发现这些变更会对您的使用产生影响,请进行相应的计划升级。
+
+## 重大变更
+
+### 如未配置 Admin API 密钥则自动生成
+
+默认 Admin API 密钥 `edd1c9f034335f136f87ad84b625c8f1` 现已删除。如果未配置自定义 Admin API 
密钥,APISIX 将自动生成 Admin API 密钥,以提高安全性。
+
+有关更多信息,请参阅 [PR #11080](https://github.com/apache/apisix/pull/11080)。
+
+### 默认启用数据加密
+
+`data_encryption.enable_encrypt_fields` 选项此前默认为 `false`,现在默认为 
`true`,以增强数据安全性。这意味着默认情况下,敏感插件字段(在插件架构的 `encrypt_fields` 属性中定义)和 TLS 
证书私钥现在已默认加密。
+
+该配置仅适用于配置中心为 etcd 的情况。当配置中心为 YAML(即 standalone 模式)时,不会进行加密,以避免意外报错。
+
+有关更多信息,请参阅 [PR #11076](https://github.com/apache/apisix/pull/11076)。
+
+### 对更多敏感的插件字段进行加密
+
+在 `encrypt_fields` 属性下对更多敏感的插件数据字段进行加密,当 
`data_encryption.enable_encrypt_fields` 选项设置为 `true` 时生效。
+
+有关更多信息,请参阅 [PR #11095](https://github.com/apache/apisix/pull/11095)。
+
+### `kafka-logger` 插件设置默认最大请求和响应主体大小
+
+`kafka-logger` 插件引入了最大请求和响应主体大小属性 `max_req_body_bytes` 和 
`max_resp_body_bytes`。默认值设置为 524288 字节,即 512 KiB。
+
+这有助于缓解启用 `include_req_body` 或 `include_resp_body` 且请求或响应主体非常大而导致 CPU 使用率过高的情况。
+
+有关更多信息,请参阅 [PR #11133](https://github.com/apache/apisix/pull/11133)。
+
+### 删除 `core.grpc` 模块
+
+由于 `core.grpc` 模块在生产中不稳定,并且 APISIX 不再依赖它,因此此版本删除了该模块。
+
+对于依赖 gRPC 模块实现自定义功能的用户,请相应规划。
+
+有关更多信息,请参阅 
[proposal](https://lists.apache.org/thread/05xvcbvty1txr1owx61vyktsmgs2pdd5) 和 
[PR #11427](https://github.com/apache/apisix/pull/11427)。
+
+## 新功能
+
+### 在 `openid-connect` 插件中支持附加标头
+
+在使用 `openid-connect` 插件时,您可以在 `introspection_addon_headers` 字段中将其他标头值附加到自省请求。
+
+有关更多信息,请参阅 [PR #11090](https://github.com/apache/apisix/pull/11090)。
+
+### 在没有 TLS 的情况下请求外部服务时在日志中打印警告消息
+
+如果您在没有 TLS 的情况下请求外部服务,例如使用 `authz-casdoor` 插件,您现在应该会在错误日志中看到类似以下内容的警告消息:
+
+```text
+Using authz-casdoor endpoint_addr with no TLS is a security risk
+Using authz-casdoor callback_url with no TLS is a security risk
+```
+
+有关更多信息,请参阅 [PR #11403](https://github.com/apache/apisix/pull/11403)。
+
+### 支持在 secrets manager 中存储 SSL 证书和密钥
+
+支持在机密管理器中的 SSL 资源上存储证书 `certs` 和私钥 `keys`。在早期版本中,只有 `cert` 和 `key` 支持机密管理器。
+
+您现在可以配置 SSL 资源,如下所示:
+
+```shell
+curl "http://127.0.0.1:9180/apisix/admin/ssls"; -X PUT -d '
+{
+  "id": "sample-ssl",
+  "sni": "test.com",
+  "cert": "$secret://vault/test/ssl/test.com.crt",
+  "key": "$secret://vault/test/ssl/test.com.key",
+  "certs": ["$secret://vault/test/ssl/test.com.crt"],
+  "keys": ["$secret://vault/test/ssl/test.com.key"]
+}'
+```
+
+有关更多信息,请参阅 [PR #11339](https://github.com/apache/apisix/pull/11339)。
+
+### 支持 HashiCorp Vault namespace
+
+支持在 SSL 资源中指定 HashiCorp Vault namespace,例如:
+
+```shell
+curl "http://127.0.0.1:9180/apisix/admin/ssls"; -X PUT -d '
+{
+  "id": "sample-ssl",
+  "sni": "test.com",
+  "certs": "$secret://vault/test/ssl/test.com.crt",
+  "keys": "$secret://vault/test/ssl/test.com.key"],
+  "namespace": "apisix"
+}'
+```
+
+有关更多信息,请参阅 [PR #11277](https://github.com/apache/apisix/pull/11277)。
+
+### Control API 支持查看 K8s 服务发现的节点
+
+Control API 现在提供了一个新端点 `/v1/discovery/kubernetes/dump`,用于查看 K8s 发现发现的节点。例如:
+
+```shell
+curl http://127.0.0.1:9090/v1/discovery/kubernetes/dump | jq
+```
+
+您将看到发现的节点信息:
+
+```json
+{
+  "endpoints": [
+    {
+      "endpoints": [
+        {
+          "value": 
"{\"https\":[{\"host\":\"172.18.164.170\",\"port\":6443,\"weight\":50},{\"host\":\"172.18.164.171\",\"port\":6443,\"weight\":50},{\"host\":\"172.18.164.172\",\"port\":6443,\"weight\":50}]}",
+          "name": "default/kubernetes"
+        },
+        {
+          "value": 
"{\"metrics\":[{\"host\":\"172.18.164.170\",\"port\":2379,\"weight\":50},{\"host\":\"172.18.164.171\",\"port\":2379,\"weight\":50},{\"host\":\"172.18.164.172\",\"port\":2379,\"weight\":50}]}",
+          "name": "kube-system/etcd"
+        },
+        {
+          "value": 
"{\"http-85\":[{\"host\":\"172.64.89.2\",\"port\":85,\"weight\":50}]}",
+          "name": "test-ws/testing"
+        }
+      ],
+      "id": "first"
+    }
+  ],
+  "config": [
+    {
+      "default_weight": 50,
+      "id": "first",
+      "client": {
+        "token": "xxx"
+      },
+      "service": {
+        "host": "172.18.164.170",
+        "port": "6443",
+        "schema": "https"
+      },
+      "shared_size": "1m"
+    }
+  ]
+}
+```
+
+有关更多信息,请参阅 [PR #11111](https://github.com/apache/apisix/pull/11111)。
+
+## 其他更新
+
+- 在秘密获取中使用 LRU 缓存来提高性能 ([PR 
#11201](https://github.com/apache/apisix/pull/11201))
+- 将 `config-default.yaml` 中的默认配置移动到硬编码的 Lua 文件 ([PR 
#11343](https://github.com/apache/apisix/pull/11343))
+- 修复 etcd 同步数据检查器 ([PR #11457](https://github.com/apache/apisix/pull/11457))
+- 添加插件元数据 ID 以避免 etcd 检查器失败 ([PR 
#11452](https://github.com/apache/apisix/pull/11452))
+- 允许在 SSL 的 SNI 和 CN 中使用尾随句点 ([PR 
#11414](https://github.com/apache/apisix/pull/11414))
+- 升级 `lua-protobuf` 依赖版本,以过滤 `grpc-transcode` 插件中非法的 `INT(string)` 格式 ([PR 
#11367](https://github.com/apache/apisix/pull/11367))
+- 纠正 API 密钥缺失时的错误消息 ([PR #11370](https://github.com/apache/apisix/pull/11370))
+- 修复使用 `datadog` 插件报告消费者用户名标签失败的问题 ([PR 
#11354](https://github.com/apache/apisix/pull/11354))
+- 修复 SSL 密钥轮换导致的请求错误 ([PR #11305](https://github.com/apache/apisix/pull/11305))
+- 确保所有 etcd 事件均已正确处理 ([PR #11268](https://github.com/apache/apisix/pull/11268))
+- 修复流路由匹配器在第一次匹配后为 `nil` 的问题 ([PR 
#11269](https://github.com/apache/apisix/pull/11269))
+- 纠正通过 ID 获取机密资源的方式 ([PR #11164](https://github.com/apache/apisix/pull/11164))
+- 修复在 `multi-auth` 插件中使用默认配置时抛出的 500 错误 ([PR 
#11145](https://github.com/apache/apisix/pull/11145))
+- 避免覆盖 `cors` 插件中的 `Access-Control-Expose-Headers` 响应标头 ([PR 
#11136](https://github.com/apache/apisix/pull/11136))
+- 发生错误时关闭会话以避免会话被阻塞 ([PR #11089](https://github.com/apache/apisix/pull/11089))
+- 在 kafka pubsub 模块中执行其他操作之前恢复 pb 状态 ([PR 
#11135](https://github.com/apache/apisix/pull/11135))
+- 为请求标头添加 100 的默认限制以限制安全风险 ([PR 
#11140](https://github.com/apache/apisix/pull/11140))
+- 允许在关闭 `prometheus` 插件时禁用 prometheus 指标导出服务器 ([PR 
#11117](https://github.com/apache/apisix/pull/11117))
+- 添加仅当 `forward-auth` 插件中的 `request_method` 设置为 POST 时,才使用 POST 请求标头 ([PR 
#11021](https://github.com/apache/apisix/pull/11021))
+- 修复使用重复签名标头时 `hmac-auth` 插件中的 500 错误 ([PR 
#11127](https://github.com/apache/apisix/pull/11127))
+- 修复 brotli 部分响应 ([PR #11087](https://github.com/apache/apisix/pull/11087))
+- 更新上游架构以禁止端口值大于 65535 ([PR 
#11043](https://github.com/apache/apisix/pull/11043))
+
+## 变更日志
+
+有关此版本的完整变更列表,请参阅 
[CHANGELOG](https://github.com/apache/apisix/blob/master/CHANGELOG.md#3100)。
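Review bot: The Chinese page uses three different renderings for the same concept: the section heading keeps "secrets manager", the paragraph under it says "机密管理器", and the first item under "其他更新" says "秘密获取"; pick one term and use it throughout. The Admin API key paragraph also diverges from the English page: it drops the `config.yaml` reference and adds "以提高安全性", so the two pages should be brought in line. "用于查看 K8s 发现发现的节点" reads as a duplicated word and would be clearer as "K8s 服务发现所发现的节点", matching the section heading. The HashiCorp Vault namespace example carries the same invalid JSON as the English page (a stray `]` after the `keys` value, with `certs` and `keys` as strings rather than arrays).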
