From 8b51c6e173db12592f6fcfa8d59aaa6fd50e7922 Mon Sep 17 00:00:00 2001
From: Jintao Zhang <zhangjintao9020@gmail.com>
Date: Wed, 27 Jul 2022 10:33:11 +0800
Subject: [PATCH] docs: update all api-version to v2 (#1189)

Signed-off-by: Jintao Zhang <zhangjintao9020@gmail.com>
---
 docs/en/latest/concepts/annotations.md        |    2 +-
 .../latest/concepts/apisix_cluster_config.md  |    4 +-
 docs/en/latest/concepts/apisix_route.md       |   18 +-
 docs/en/latest/concepts/apisix_tls.md         |    2 +-
 docs/en/latest/concepts/apisix_upstream.md    |   12 +-
 docs/en/latest/design.md                      |    2 +-
 docs/en/latest/plugins/prometheus.md          |    2 +-
 docs/en/latest/tutorials/check-crd-status.md  |    2 +-
 .../enable-authentication-and-restriction.md  | 1364 ++++++++---------
 ...Apache-APISIX-Prometheus-Metrics-on-k8s.md |    4 +-
 ...-use-go-plugin-runner-in-apisix-ingress.md |    2 +-
 .../manage-certificates-with-cert-manager.md  |    4 +-
 docs/en/latest/tutorials/mtls.md              |    6 +-
 docs/en/latest/tutorials/mtls/mtls.yaml       |    2 +-
 docs/en/latest/tutorials/mtls/route.yaml      |    2 +-
 docs/en/latest/tutorials/mtls/tls.yaml        |    2 +-
 .../en/latest/tutorials/proxy-grpc-service.md |    6 +-
 .../tutorials/proxy-the-httpbin-service.md    |    2 +-
 docs/en/latest/tutorials/the-hard-way.md      |    4 +-
 docs/en/latest/upgrade.md                     |    2 +-
 20 files changed, 722 insertions(+), 722 deletions(-)

diff --git a/docs/en/latest/concepts/annotations.md b/docs/en/latest/concepts/annotations.md
index acb82f93f6..c53b7d4f83 100644
--- a/docs/en/latest/concepts/annotations.md
+++ b/docs/en/latest/concepts/annotations.md
@@ -219,7 +219,7 @@ ApisixPluginConfig is a resource under the same Namespace as Ingress
 As an example, we attach the annotation `k8s.apisix.apache.org/plugin-conifg-name: "echo-and-cors-apc` for the following Ingress resource, so that `/api/*` route will enable the [echo](https://apisix.apache.org/docs/apisix/plugins/echo/) and [cors](https://apisix.apache.org/docs/apisix/plugins/cors/) plugins.
 
 ```yaml
-apiVersion: apisix.apache.org/v2beta3
+apiVersion: apisix.apache.org/v2
 kind: ApisixPluginConfig
 metadata:
   name: echo-and-cors-apc
diff --git a/docs/en/latest/concepts/apisix_cluster_config.md b/docs/en/latest/concepts/apisix_cluster_config.md
index 74f7c643a7..4e9b5f75d8 100644
--- a/docs/en/latest/concepts/apisix_cluster_config.md
+++ b/docs/en/latest/concepts/apisix_cluster_config.md
@@ -35,7 +35,7 @@ if you'd like to learn the real running status of your cluster. In such a case,
 could create a `ApisixClusterConfig` to enable these features explicitly.
 
 ```yaml
-apiVersion: apisix.apache.org/v2beta3
+apiVersion: apisix.apache.org/v2
 kind: ApisixClusterConfig
 metadata:
   name: default
@@ -58,7 +58,7 @@ The default APISIX cluster is configured through command line options like `--de
 of Deployment or Pod template. Now with the help of `ApisixClusterConfig`, you can change some administrative fields on it.
 
 ```yaml
-apiVersion: apisix.apache.org/v2beta3
+apiVersion: apisix.apache.org/v2
 kind: ApisixClusterConfig
 metadata:
   name: default
diff --git a/docs/en/latest/concepts/apisix_route.md b/docs/en/latest/concepts/apisix_route.md
index 6b627edeb1..a7ecd238fc 100644
--- a/docs/en/latest/concepts/apisix_route.md
+++ b/docs/en/latest/concepts/apisix_route.md
@@ -35,7 +35,7 @@ should be routed to service `bar`, in the manner of `ApisixRoute`, the configura
 should be:
 
 ```yaml
-apiVersion: apisix.apache.org/v2beta3
+apiVersion: apisix.apache.org/v2
 kind: ApisixRoute
 metadata:
   name: foo-bar-route
@@ -73,7 +73,7 @@ The `methods` splits traffic according to the HTTP method, the following configu
 with `GET` method to `foo` service (a Kubernetes Service).
 
 ```yaml
-apiVersion: apisix.apache.org/v2beta3
+apiVersion: apisix.apache.org/v2
 kind: ApisixRoute
 metadata:
   name: method-route
@@ -94,7 +94,7 @@ The `exprs` allows user to configure match conditions with arbitrary predicates
 It's composed by several expressions, which in turn composed by subject, operator and value/set.
 
 ```yaml
-apiVersion: apisix.apache.org/v2beta3
+apiVersion: apisix.apache.org/v2
 kind: ApisixRoute
 metadata:
   name: method-route
@@ -128,7 +128,7 @@ the `ClusterIP` of this service, if that's what you want, just set
 the `resolveGranularity` to `service` (default is `endpoint`).
 
 ```yaml
-apiVersion: apisix.apache.org/v2beta3
+apiVersion: apisix.apache.org/v2
 kind: ApisixRoute
 metadata:
   name: method-route
@@ -155,7 +155,7 @@ will be applied (which actually uses the [traffic-split](http://apisix.apache.or
 You can specify weight for each backend, the default weight is `100`.
 
 ```yaml
-apiVersion: apisix.apache.org/v2beta3
+apiVersion: apisix.apache.org/v2
 kind: ApisixRoute
 metadata:
   name: method-route
@@ -193,7 +193,7 @@ Apache APISIX provides more than 70 [plugins](https://github.com/apache/apisix/t
 in `ApisixRoute`. All configuration items are named same to the one in APISIX.
 
 ```yaml
-apiVersion: apisix.apache.org/v2beta3
+apiVersion: apisix.apache.org/v2
 kind: ApisixRoute
 metadata:
   name: httpbin-route
@@ -223,7 +223,7 @@ Websocket Proxy
 by creating a route with specifying the `websocket` field.
 
 ```yaml
-apiVersion: apisix.apache.org/v2beta3
+apiVersion: apisix.apache.org/v2
 kind: ApisixRoute
 metadata:
   name: ws-route
@@ -247,7 +247,7 @@ TCP Route
 apisix-ingress-controller supports the port-based tcp route.
 
 ```yaml
-apiVersion: apisix.apache.org/v2beta3
+apiVersion: apisix.apache.org/v2
 kind: ApisixRoute
 metadata:
   name: tcp-route
@@ -272,7 +272,7 @@ UDP Route
 apisix-ingress-controller supports the port-based udp route.
 
 ```yaml
-apiVersion: apisix.apache.org/v2beta3
+apiVersion: apisix.apache.org/v2
 kind: ApisixRoute
 metadata:
   name: udp-route
diff --git a/docs/en/latest/concepts/apisix_tls.md b/docs/en/latest/concepts/apisix_tls.md
index 71a97ca7d9..20c80eed4c 100644
--- a/docs/en/latest/concepts/apisix_tls.md
+++ b/docs/en/latest/concepts/apisix_tls.md
@@ -27,7 +27,7 @@ Secret must have two keys `cert` and `key`, which used to store the certificate
 PEM format respectively.
 
 ```shell
-apiVersion: apisix.apache.org/v2beta3
+apiVersion: apisix.apache.org/v2
 kind: ApisixTls
 metadata:
   name: sample-tls
diff --git a/docs/en/latest/concepts/apisix_upstream.md b/docs/en/latest/concepts/apisix_upstream.md
index a0e906c7f4..f35add5f3f 100644
--- a/docs/en/latest/concepts/apisix_upstream.md
+++ b/docs/en/latest/concepts/apisix_upstream.md
@@ -32,7 +32,7 @@ To learn more, please check the [Apache APISIX architecture-design docs](https:/
 A proper load balancing algorithm is required to scatter requests reasonably for a Kubernetes Service.
 
 ```yaml
-apiVersion: apisix.apache.org/v2beta3
+apiVersion: apisix.apache.org/v2
 kind: ApisixUpstream
 metadata:
   name: httpbin
@@ -58,7 +58,7 @@ The above example shows that [ewma](https://linkerd.io/2016/03/16/beyond-round-r
 Sometimes the session sticky is desired, and you can use the [Consistent Hashing](https://en.wikipedia.org/wiki/Consistent_hashing) load balancing algorithm.
 
 ```yaml
-apiVersion: apisix.apache.org/v2beta3
+apiVersion: apisix.apache.org/v2
 kind: ApisixUpstream
 metadata:
   name: httpbin
@@ -77,7 +77,7 @@ Although Kubelet already provides [probes](https://kubernetes.io/docs/tasks/conf
 like the passive feedback capability.
 
 ```yaml
-apiVersion: apisix.apache.org/v2beta3
+apiVersion: apisix.apache.org/v2
 kind: ApisixUpstream
 metadata:
   name: httpbin
@@ -128,7 +128,7 @@ if nothing has been sent to a client yet. That is, if an error or timeout occurs
 of the transferring of a response, fixing this is impossible.
 
 ```yaml
-apiVersion: apisix.apache.org/v2beta3
+apiVersion: apisix.apache.org/v2
 kind: ApisixUpstream
 metadata:
   name: httpbin
@@ -140,7 +140,7 @@ The default connect, read and send timeout are `60s`, which might not proper for
 just change them in the `timeout` field.
 
 ```yaml
-apiVersion: apisix.apache.org/v2beta3
+apiVersion: apisix.apache.org/v2
 kind: ApisixUpstream
 metadata:
   name: httpbin
@@ -159,7 +159,7 @@ Once in a while a single Kubernetes Service might expose multiple ports which pr
 In that case, you can create configurations for individual port.
 
 ```yaml
-apiVersion: apisix.apache.org/v2beta3
+apiVersion: apisix.apache.org/v2
 kind: ApisixUpstream
 metadata:
   name: foo
diff --git a/docs/en/latest/design.md b/docs/en/latest/design.md
index 9c2b2b8914..1c6247f303 100644
--- a/docs/en/latest/design.md
+++ b/docs/en/latest/design.md
@@ -122,7 +122,7 @@ Unlike the implementation of Kubernetes Nginx Ingress, the implementation of Ann
 For example, the settings of the black and white list can be configured through the `k8s.apisix.apache.org/whitelist-source-range` annotation in the `ApisixRoute` resource object.
 
 ```yaml
-apiVersion: apisix.apache.org/v2beta3
+apiVersion: apisix.apache.org/v2
 kind: ApisixRoute
 metadata:
   annotations:
diff --git a/docs/en/latest/plugins/prometheus.md b/docs/en/latest/plugins/prometheus.md
index 693698efc7..65fe10cb72 100644
--- a/docs/en/latest/plugins/prometheus.md
+++ b/docs/en/latest/plugins/prometheus.md
@@ -28,7 +28,7 @@ This guide shows how to monitor Apache APISIX Ingress Controller using Prometheu
 Use CRD file to enable Prometheus in global configurations. The definition file for custom resources is `ApisixClusterConfig`, so the configuration should be:
 
 ```yaml
-apiVersion: apisix.apache.org/v2beta3
+apiVersion: apisix.apache.org/v2
 kind: ApisixClusterConfig
 metadata:
   name: default
diff --git a/docs/en/latest/tutorials/check-crd-status.md b/docs/en/latest/tutorials/check-crd-status.md
index fffb009c67..13f5abdf86 100644
--- a/docs/en/latest/tutorials/check-crd-status.md
+++ b/docs/en/latest/tutorials/check-crd-status.md
@@ -46,7 +46,7 @@ e.g.
 
 ```yaml
 kubectl apply -f - <<EOF
-apiVersion: apisix.apache.org/v2beta3
+apiVersion: apisix.apache.org/v2
 kind: ApisixRoute
 metadata:
   name: httpbin-route
diff --git a/docs/en/latest/tutorials/enable-authentication-and-restriction.md b/docs/en/latest/tutorials/enable-authentication-and-restriction.md
index 9d2c90ea59..e67e17d847 100644
--- a/docs/en/latest/tutorials/enable-authentication-and-restriction.md
+++ b/docs/en/latest/tutorials/enable-authentication-and-restriction.md
@@ -1,682 +1,682 @@
----
-title: Enable authentication and restriction
----
-
-<!--
-#
-# Licensed to the Apache Software Foundation (ASF) under one or more
-# contributor license agreements.  See the NOTICE file distributed with
-# this work for additional information regarding copyright ownership.
-# The ASF licenses this file to You under the Apache License, Version 2.0
-# (the "License"); you may not use this file except in compliance with
-# the License.  You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
--->
-
-## Description
-
-Consumers are used for the authentication method controlled by Apache APISIX, if users want to use their own auth system or 3rd party systems, use OIDC.  
-
-## Attributes
-
-### Authentication
-
-#### Key Auth
-
-Consumers add their key either in a header or query string parameter to authenticate their requests. For more information about `Key Auth`, please refer to [APISIX key-auth plugin](https://apisix.apache.org/docs/apisix/plugins/key-auth/).  
-Also, we can using the `secretRef` field to reference a K8s Secret object so that we can avoid the hardcoded sensitive data in the ApisixConsumer object. For reference Secret use example, please refer to the [key-auth-reference-secret-object](#key-auth-reference-secret-object).
-
-<details>
-  <summary>Key Auth yaml configure</summary>
-
-```yaml
-apiVersion: apisix.apache.org/v2beta3
-kind: ApisixConsumer
-metadata:
-  name: ${name}
-spec:
-  authParameter:
-    keyAuth:
-      value:
-        key: ${key} #required
-```
-
-</details>
-
-#### Basic Auth
-
-Consumers add their key in a header to authenticate their requests. For more information about `Basic Auth`, please refer to [APISIX basic-auth plugin](https://apisix.apache.org/docs/apisix/plugins/basic-auth/).  
-Also, we can using the `secretRef` field to reference a K8s Secret object so that we can avoid the hardcoded sensitive data in the ApisixConsumer object. For reference Secret use example, please refer to the [key-auth-reference-secret-object](#key-auth-reference-secret-object).
-
-<details>
-  <summary>Basic Auth yaml configure</summary>
-
-```yaml
-apiVersion: apisix.apache.org/v2beta3
-kind: ApisixConsumer
-metadata:
-  name: ${name}
-spec:
-  authParameter:
-    basicAuth:
-      value:
-        username: ${username} #required
-        password: ${password} #required
-```
-
-</details>
-
-#### JWT Auth
-
-The consumer then adds its key to the query string parameter, request header, or cookie to verify its request. For more information about `JWT Auth`, please refer to [APISIX jwt-auth plugin](https://apisix.apache.org/docs/apisix/plugins/jwt-auth/).  
-Also, we can using the `secretRef` field to reference a K8s Secret object so that we can avoid the hardcoded sensitive data in the ApisixConsumer object. For reference Secret use example, please refer to the [key-auth-reference-secret-object](#key-auth-reference-secret-object).
-
-:::note Need to expose API  
-This plugin will add `/apisix/plugin/jwt/sign` to sign. You may need to use `public-api` plugin to expose it.  
-:::
-
-<details>
-  <summary>JWT Auth yaml configure</summary>
-
-```yaml
-apiVersion: apisix.apache.org/v2beta3
-kind: ApisixConsumer
-metadata:
-  name: ${name}
-spec:
-  authParameter:
-    wolfRbac:
-      value:
-        key: "${key}"                                    #required
-        secret: "${secret}"                              #optional
-        public_key: "${public_key}"                      #optional, required when algorithm attribute selects RS256 algorithm.
-        private_key: "{private_key}"                     #optional, required when algorithm attribute selects RS256 algorithm.
-        algorithm: "${HS256 | HS512 | RS256}"            #optional
-        exp: ${ 86400 | token's expire time, in seconds} #optional
-        algorithm: ${true | false}                       #optional
-```
-
-</details>
-
-#### `Wolf RBAC`
-
-To use wolfRbac authentication, you need to start and install [wolf-server](https://github.com/iGeeky/wolf/blob/master/quick-start-with-docker/README.md). For more information about `Wolf RBAC`, please refer to [APISIX wolf-rbac plugin](https://apisix.apache.org/zh/docs/apisix/plugins/wolf-rbac/).  
-Also, we can using the `secretRef` field to reference a K8s Secret object so that we can avoid the hardcoded sensitive data in the ApisixConsumer object. For reference Secret use example, please refer to the [key-auth-reference-secret-object](#key-auth-reference-secret-object).
-
-:::note This plugin will add several APIs
-
-* /apisix/plugin/wolf-rbac/login
-* /apisix/plugin/wolf-rbac/change_pwd
-* /apisix/plugin/wolf-rbac/user_info
-
-You may need to use `public-api` plugin to expose it.  
-:::
-
-<details>
-  <summary>Wolf RBAC yaml configure</summary>
-
-```yaml
-apiVersion: apisix.apache.org/v2beta3
-kind: ApisixConsumer
-metadata:
-  name: ${name}
-spec:
-  authParameter:
-    wolfRBAC:
-      value:
-      server: "${server of wolf-rbac}"                            #optional
-      appid: "${appid of wolf-rbac}"                              #optional
-      header_prefix: "${X- | X-UserId | X-Username | X-Nickname}" #optional
-```
-
-</details>
-
-### [Restriction](https://apisix.apache.org/docs/apisix/plugins/consumer-restriction/)
-
-#### `whitelist` or `blacklist`
-
-`whitelist`: Grant full access to all users specified in the provided list, **has the priority over `allowed_by_methods`**  
-`blacklist`: Reject connection to all users specified in the provided list, **has the priority over `whitelist`**
-
-<details>
-  <summary>whitelist or blacklist with consumer-restriction yaml configure</summary>
-
-```yaml
-plugins:
-- name: consumer-restriction
-  enable: true
-  config:
-    blacklist:
-    - "${consumer_name}"
-    - "${consumer_name}"
-```
-
-</details>
-
-#### `allowed_by_methods`
-
-HTTP methods can be `methods:["GET", "POST", "PUT", "DELETE", "PATCH", "HEAD", "OPTIONS", "CONNECT", "TRACE", "PURGE"]`
-
-<details>
-  <summary>allowed_by_methods with consumer-restriction yaml configure</summary>
-
-```yaml
-plugins:
-- name: consumer-restriction
-  enable: true
-  config:
-    allowed_by_methods:
-    - user: "${consumer_name}"
-      methods:
-      - "${GET | POST | PUT |...}"
-      - "${GET | POST | PUT |...}"
-    - user: "${consumer_name}"
-      methods:
-      - "${GET | POST | PUT |...}"
-```
-
-</details>
-
-## Example
-
-[Refer to the corresponding e2e test case.](../../../../test/e2e/suite-plugins/suite-plugins-authentication/)
-
-### Prepare env
-
-To use this tutorial, you must deploy `Ingress APISIX` and `httpbin` in Kubernetes cluster.
-
-* Installing [`Ingress APISIX`](../deployments/minikube.md).
-* Deploy `httpbin` service.
-
-```shell
-#Now, try to deploy httpbin to your Kubernetes cluster:
-kubectl run httpbin --image kennethreitz/httpbin --port 80
-kubectl expose pod httpbin --port 80
-```
-
-### How to enable `Authentication`
-
-#### Enable `keyAuth`
-
-The following is an example. The `keyAuth` is enabled on the specified route to restrict user access.  
-
-* Creates an ApisixConsumer, and set the attributes of plugin `key-auth`:
-
-```shell
-kubectl apply -f - <<EOF
-apiVersion: apisix.apache.org/v2beta3
-kind: ApisixConsumer
-metadata:
-  name: foo
-spec:
-  authParameter:
-    keyAuth:
-      value:
-        key: foo-key
-EOF
-```
-
-* Creates an ApisixRoute, and enable plugin `key-auth`:
-
-```shell
-kubectl apply -f - <<EOF
-apiVersion: apisix.apache.org/v2beta3
-kind: ApisixRoute
-metadata:
-  name: httpserver-route
-spec:
-  http:
-  - name: rule1
-    match:
-      hosts:
-      - httpbin.org
-      paths:
-      - /*
-    backends:
-    - serviceName: httpbin
-      servicePort: 80
-    authentication:
-      enable: true
-      type: keyAuth
-EOF
-```
-
-* Requests from foo:
-
-```shell
-kubectl  exec -it -n ${namespace of Apache APISIX} ${pod of Apache APISIX}  -- curl http://127.0.0.1:9080/anything -H 'Host: httpbin.org' -H 'apikey:foo-key' -i
-```
-
-```shell
-HTTP/1.1 200 OK
-...
-```
-
-##### Key Auth reference Secret object
-
-<details>
-  <summary>ApisixRoute with keyAuth consumer using secret example</summary>
-
-* Creates a `Secret` object:
-
-```shell
-kubectl apply -f - <<EOF
-apiVersion: v1
-kind: Secret
-metadata:
-  name: foovalue
-data:
-  key: Zm9vLWtleQ==
-EOF
-```
-
-* Creates an ApisixConsumer and reference `Secret` object:
-
-```shell
-kubectl apply -f - <<EOF
-apiVersion: apisix.apache.org/v2beta3
-kind: ApisixConsumer
-metadata:
-  name: foo
-spec:
-  authParameter:
-    keyAuth:
-      secretRef:
-        name: foovalue
-EOF
-```
-
-* Creates an ApisixRoute, and enables plugin `key-auth`:
-
-```shell
-kubectl apply -f - <<EOF
-apiVersion: apisix.apache.org/v2beta3
-kind: ApisixRoute
-metadata:
-  name: httpserver-route
-spec:
-  http:
-  - name: rule1
-    match:
-      hosts:
-      - httpbin.org
-      paths:
-      - /*
-    backends:
-    - serviceName: httpbin
-      servicePort: 80
-    authentication:
-      enable: true
-      type: keyAuth
-EOF
-```
-
-* Requests from foo:
-
-```shell
-kubectl  exec -it -n ${namespace of Apache APISIX} ${pod of Apache APISIX}  -- curl http://127.0.0.1:9080/anything -H 'Host: httpbin.org' -H 'apikey:foo-key' -i
-```
-
-```shell
-HTTP/1.1 200 OK
-...
-```
-
-</details>
-
-#### Enable `JWT Auth`
-
-* Creates an ApisixConsumer, and set the attributes of plugin `jwt-auth`:
-
-```shell
-kubectl apply -f - <<EOF
-apiVersion: apisix.apache.org/v2beta3
-kind: ApisixConsumer
-metadata:
-  name: foo2
-spec:
-  authParameter:
-    jwtAuth:
-      value:
-        key: foo2-key
-EOF
-```
-
-* Use the `public-api` plugin to expose the public API:
-
-```shell
-kubectl apply -f - <<EOF
-apiVersion: apisix.apache.org/v2beta3
-kind: ApisixRoute
-metadata:
-  name: default
-spec:
-  http:
-  - name: public-api
-    match:
-      paths:
-      - /apisix/plugin/jwt/sign
-    backends:
-    - serviceName: apisix-admin
-      servicePort: 9180
-    plugins:
-    - name: public-api
-      enable: true
-EOF
-```
-
-* Creates an ApisixRoute, and enable the jwt-auth plugin:
-
-```shell
-kubectl apply -f - <<EOF
-apiVersion: apisix.apache.org/v2beta3
-kind: ApisixRoute
-metadata:
- name: httpbin-route
-spec:
- http:
- - name: rule1
-   match:
-     hosts:
-     - httpbin.org
-     paths:
-       - /*
-   backends:
-   - serviceName: httpbin
-     servicePort: 80
-   authentication:
-     enable: true
-     type: jwtAuth
-EOF
-```
-
-* Get the token:
-
-```shell
-kubectl  exec -it -n ${namespace of Apache APISIX} ${pod of Apache APISIX} -- curl http://127.0.0.1:9080/apisix/plugin/jwt/sign?key=foo2-key -H 'Host: httpbin.org' -i
-```
-
-```shell
-HTTP/1.1 200 OK
-...
-eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIsImV4cCI6MTU2NDA1MDgxMX0.Us8zh_4VjJXF-TmR5f8cif8mBU7SuefPlpxhH0jbPVI
-```
-
-* Without token:
-
-```shell
-kubectl  exec -it -n ${namespace of Apache APISIX} ${pod of Apache APISIX} -- curl http://127.0.0.1:9080/anything -H 'Host: httpbin.org' -i
-```
-
-```shell
-HTTP/1.1 401
-...
-{"message":"Missing JWT token in request"}
-```
-
-* Request header with token:
-
-```shell
-kubectl  exec -it -n ${namespace of Apache APISIX} ${pod of Apache APISIX} -- curl http://127.0.0.1:9080/anything -H 'Host: httpbin.org' -H 'Authorization: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIsImV4cCI6MTU2NDA1MDgxMX0.Us8zh_4VjJXF-TmR5f8cif8mBU7SuefPlpxhH0jbPVI' -i
-```
-
-```shell
-HTTP/1.1 200 OK
-...
-```
-
-### How to enable `Restriction`
-
-We can also use the `consumer-restriction` Plugin to restrict our user from accessing the API.
-
-#### How to restrict `consumer_name`
-
-The following is an example. The `consumer-restriction` plugin is enabled on the specified route to restrict `consumer_name` access.
-
-* **consumer_name**: Add the `username` of `consumer` to a whitelist or blacklist (supporting single or multiple consumers) to restrict access to services or routes.
-
-* Create ApisixConsumer jack1:
-
-```shell
-kubectl apply -f - <<EOF
-apiVersion: apisix.apache.org/v2beta3
-kind: ApisixConsumer
-metadata:
-  name: jack1
-spec:
-  authParameter:
-    keyAuth:
-      value:
-        key: jack1-key
-EOF
-```
-
-* Create ApisixConsumer jack2:
-
-```shell
-kubectl apply -f - <<EOF
-apiVersion: apisix.apache.org/v2beta3
-kind: ApisixConsumer
-metadata:
-  name: jack2
-spec:
-  authParameter:
-    keyAuth:
-      value:
-        key: jack2-key
-EOF
-```
-
-* Creates an ApisixRoute, and enable config `whitelist`  of the plugin `consumer-restriction`:
-
-```shell
-kubectl apply -f - <<EOF
-apiVersion: apisix.apache.org/v2beta3
-kind: ApisixRoute
-metadata:
- name: httpserver-route
-spec:
- http:
- - name: rule1
-   match:
-     hosts:
-     - httpbin.org
-     paths:
-       - /*
-   backends:
-   - serviceName: httpbin
-     servicePort: 80
-   authentication:
-     enable: true
-     type: keyAuth
-   plugins:
-   - name: consumer-restriction
-     enable: true
-     config:
-       whitelist:
-       - "default_jack1"
-EOF
-```
-
-:::note The `default_jack1` generation rules:
-
-view ApisixConsumer resource object from this namespace `default`
-
-```shell
-$ kubectl get apisixconsumers.apisix.apache.org -n default
-NAME    AGE
-foo     14h
-jack1   14h
-jack2   14h
-```
-
-`${consumer_name}` = `${namespace}_${ApisixConsumer_name}` --> `default_foo`  
-`${consumer_name}` = `${namespace}_${ApisixConsumer_name}` --> `default_jack1`  
-`${consumer_name}` = `${namespace}_${ApisixConsumer_name}` --> `default_jack2`
-
-:::
-
-**Example usage**
-
-* Requests from jack1:
-
-```shell
-kubectl  exec -it -n ${namespace of Apache APISIX} ${pod of Apache APISIX} -- curl http://127.0.0.1:9080/anything -H 'Host: httpbin.org' -H 'apikey:jack1-key' -i
-```
-
-```shell
-HTTP/1.1 200 OK
-...
-```
-
-* Requests from jack2:
-
-```shell
-kubectl  exec -it -n ${namespace of Apache APISIX} ${pod of Apache APISIX} -- curl http://127.0.0.1:9080/anything -H 'Host: httpbin.org' -H 'apikey:jack2-key' -i
-```
-
-```shell
-HTTP/1.1 403 Forbidden
-...
-{"message":"The consumer_name is forbidden."}
-```
-
-#### How to restrict `allowed_by_methods`
-
-This example restrict the user `jack2` to only `GET` on the resource.
-
-* Creates an ApisixRoute, and enable config `allowed_by_methods`  of the plugin `consumer-restriction`:
-
-```shell
-kubectl apply -f - <<EOF
-apiVersion: apisix.apache.org/v2beta3
-kind: ApisixRoute
-metadata:
- name: httpserver-route
-spec:
- http:
- - name: rule1
-   match:
-     hosts:
-     - httpbin.org
-     paths:
-       - /*
-   backends:
-   - serviceName: httpbin
-     servicePort: 80
-   authentication:
-     enable: true
-     type: keyAuth
-   plugins:
-   - name: consumer-restriction
-     enable: true
-     config:
-       allowed_by_methods:
-       - user: "default_jack1"
-         methods:
-         - "POST"
-         - "GET"
-       - user: "default_jack2"
-         methods:
-         - "GET"
-EOF
-```
-
-**Example usage**
-
-* Requests from jack1:
-
-```shell
-kubectl  exec -it -n ${namespace of Apache APISIX} ${pod of Apache APISIX} -- curl http://127.0.0.1:9080/anything -H 'Host: httpbin.org' -H 'apikey:jack1-key' -i
-```
-
-```shell
-HTTP/1.1 200 OK
-...
-```
-
-```shell
-kubectl  exec -it -n ${namespace of Apache APISIX} ${pod of Apache APISIX} -- curl http://127.0.0.1:9080/anything -H 'Host: httpbin.org' -H 'apikey:jack1-key' -d '' -i
-```
-
-```shell
-HTTP/1.1 200 OK
-...
-```
-
-* Requests from jack2:
-
-```shell
-kubectl  exec -it -n ${namespace of Apache APISIX} ${pod of Apache APISIX} -- curl http://127.0.0.1:9080/anything -H 'Host: httpbin.org' -H 'apikey:jack2-key' -i
-```
-
-```shell
-HTTP/1.1 200 OK
-...
-```
-
-```shell
-kubectl  exec -it -n ${namespace of Apache APISIX} ${pod of Apache APISIX} -- curl http://127.0.0.1:9080/anything -H 'Host: httpbin.org' -H 'apikey:jack2-key' -d '' -i
-```
-
-```shell
-HTTP/1.1 403 Forbidden
-...
-```
-
-### Disable authentication and restriction
-
-To disable the `consumer-restriction` Plugin, you can set the `enable: false` from the `plugins` configuration.  
-Also, disable the `keyAuth`, you can set the `enable: false` from the `authentication` configuration.
-
-```shell
-kubectl apply -f - <<EOF
-apiVersion: apisix.apache.org/v2beta3
-kind: ApisixRoute
-metadata:
- name: httpserver-route
-spec:
- http:
- - name: rule1
-   match:
-     hosts:
-     - httpbin.org
-     paths:
-       - /*
-   backends:
-   - serviceName: httpbin
-     servicePort: 80
-   authentication:
-     enable: false
-     type: keyAuth
-   plugins:
-   - name: consumer-restriction
-     enable: false
-     config:
-       allowed_by_methods:
-       - user: "default_jack1"
-         methods:
-         - "POST"
-         - "GET"
-       - user: "default_jack2"
-         methods:
-         - "GET"
-EOF
-```
-
-```shell
-kubectl  exec -it -n ${namespace of Apache APISIX} ${pod of Apache APISIX}  -- curl http://127.0.0.1:9080/anything -H 'Host: httpbin.org' -i
-```
-
-```shell
-HTTP/1.1 200 OK
-...
-```
+---
+title: Enable authentication and restriction
+---
+
+<!--
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+-->
+
+## Description
+
+Consumers are used for the authentication method controlled by Apache APISIX, if users want to use their own auth system or 3rd party systems, use OIDC.
+
+## Attributes
+
+### Authentication
+
+#### Key Auth
+
+Consumers add their key either in a header or query string parameter to authenticate their requests. For more information about `Key Auth`, please refer to [APISIX key-auth plugin](https://apisix.apache.org/docs/apisix/plugins/key-auth/).
+Also, we can using the `secretRef` field to reference a K8s Secret object so that we can avoid the hardcoded sensitive data in the ApisixConsumer object. For reference Secret use example, please refer to the [key-auth-reference-secret-object](#key-auth-reference-secret-object).
+
+<details>
+  <summary>Key Auth yaml configure</summary>
+
+```yaml
+apiVersion: apisix.apache.org/v2
+kind: ApisixConsumer
+metadata:
+  name: ${name}
+spec:
+  authParameter:
+    keyAuth:
+      value:
+        key: ${key} #required
+```
+
+</details>
+
+#### Basic Auth
+
+Consumers add their key in a header to authenticate their requests. For more information about `Basic Auth`, please refer to [APISIX basic-auth plugin](https://apisix.apache.org/docs/apisix/plugins/basic-auth/).
+Also, we can using the `secretRef` field to reference a K8s Secret object so that we can avoid the hardcoded sensitive data in the ApisixConsumer object. For reference Secret use example, please refer to the [key-auth-reference-secret-object](#key-auth-reference-secret-object).
+
+<details>
+  <summary>Basic Auth yaml configure</summary>
+
+```yaml
+apiVersion: apisix.apache.org/v2
+kind: ApisixConsumer
+metadata:
+  name: ${name}
+spec:
+  authParameter:
+    basicAuth:
+      value:
+        username: ${username} #required
+        password: ${password} #required
+```
+
+</details>
+
+#### JWT Auth
+
+The consumer then adds its key to the query string parameter, request header, or cookie to verify its request. For more information about `JWT Auth`, please refer to [APISIX jwt-auth plugin](https://apisix.apache.org/docs/apisix/plugins/jwt-auth/).
+Also, we can using the `secretRef` field to reference a K8s Secret object so that we can avoid the hardcoded sensitive data in the ApisixConsumer object. For reference Secret use example, please refer to the [key-auth-reference-secret-object](#key-auth-reference-secret-object).
+
+:::note Need to expose API
+This plugin will add `/apisix/plugin/jwt/sign` to sign. You may need to use `public-api` plugin to expose it.
+:::
+
+<details>
+  <summary>JWT Auth yaml configure</summary>
+
+```yaml
+apiVersion: apisix.apache.org/v2
+kind: ApisixConsumer
+metadata:
+  name: ${name}
+spec:
+  authParameter:
+    wolfRbac:
+      value:
+        key: "${key}"                                    #required
+        secret: "${secret}"                              #optional
+        public_key: "${public_key}"                      #optional, required when algorithm attribute selects RS256 algorithm.
+        private_key: "{private_key}"                     #optional, required when algorithm attribute selects RS256 algorithm.
+        algorithm: "${HS256 | HS512 | RS256}"            #optional
+        exp: ${ 86400 | token's expire time, in seconds} #optional
+        algorithm: ${true | false}                       #optional
+```
+
+</details>
+
+#### `Wolf RBAC`
+
+To use wolfRbac authentication, you need to start and install [wolf-server](https://github.com/iGeeky/wolf/blob/master/quick-start-with-docker/README.md). For more information about `Wolf RBAC`, please refer to [APISIX wolf-rbac plugin](https://apisix.apache.org/zh/docs/apisix/plugins/wolf-rbac/).
+Also, we can using the `secretRef` field to reference a K8s Secret object so that we can avoid the hardcoded sensitive data in the ApisixConsumer object. For reference Secret use example, please refer to the [key-auth-reference-secret-object](#key-auth-reference-secret-object).
+
+:::note This plugin will add several APIs
+
+* /apisix/plugin/wolf-rbac/login
+* /apisix/plugin/wolf-rbac/change_pwd
+* /apisix/plugin/wolf-rbac/user_info
+
+You may need to use `public-api` plugin to expose it.
+:::
+
+<details>
+  <summary>Wolf RBAC yaml configure</summary>
+
+```yaml
+apiVersion: apisix.apache.org/v2
+kind: ApisixConsumer
+metadata:
+  name: ${name}
+spec:
+  authParameter:
+    wolfRBAC:
+      value:
+      server: "${server of wolf-rbac}"                            #optional
+      appid: "${appid of wolf-rbac}"                              #optional
+      header_prefix: "${X- | X-UserId | X-Username | X-Nickname}" #optional
+```
+
+</details>
+
+### [Restriction](https://apisix.apache.org/docs/apisix/plugins/consumer-restriction/)
+
+#### `whitelist` or `blacklist`
+
+`whitelist`: Grant full access to all users specified in the provided list, **has the priority over `allowed_by_methods`**
+`blacklist`: Reject connection to all users specified in the provided list, **has the priority over `whitelist`**
+
+<details>
+  <summary>whitelist or blacklist with consumer-restriction yaml configure</summary>
+
+```yaml
+plugins:
+- name: consumer-restriction
+  enable: true
+  config:
+    blacklist:
+    - "${consumer_name}"
+    - "${consumer_name}"
+```
+
+</details>
+
+#### `allowed_by_methods`
+
+HTTP methods can be `methods:["GET", "POST", "PUT", "DELETE", "PATCH", "HEAD", "OPTIONS", "CONNECT", "TRACE", "PURGE"]`
+
+<details>
+  <summary>allowed_by_methods with consumer-restriction yaml configure</summary>
+
+```yaml
+plugins:
+- name: consumer-restriction
+  enable: true
+  config:
+    allowed_by_methods:
+    - user: "${consumer_name}"
+      methods:
+      - "${GET | POST | PUT |...}"
+      - "${GET | POST | PUT |...}"
+    - user: "${consumer_name}"
+      methods:
+      - "${GET | POST | PUT |...}"
+```
+
+</details>
+
+## Example
+
+[Refer to the corresponding e2e test case.](../../../../test/e2e/suite-plugins/suite-plugins-authentication/)
+
+### Prepare env
+
+To use this tutorial, you must deploy `Ingress APISIX` and `httpbin` in Kubernetes cluster.
+
+* Installing [`Ingress APISIX`](../deployments/minikube.md).
+* Deploy `httpbin` service.
+
+```shell
+#Now, try to deploy httpbin to your Kubernetes cluster:
+kubectl run httpbin --image kennethreitz/httpbin --port 80
+kubectl expose pod httpbin --port 80
+```
+
+### How to enable `Authentication`
+
+#### Enable `keyAuth`
+
+The following is an example. The `keyAuth` is enabled on the specified route to restrict user access.
+
+* Creates an ApisixConsumer, and set the attributes of plugin `key-auth`:
+
+```shell
+kubectl apply -f - <<EOF
+apiVersion: apisix.apache.org/v2
+kind: ApisixConsumer
+metadata:
+  name: foo
+spec:
+  authParameter:
+    keyAuth:
+      value:
+        key: foo-key
+EOF
+```
+
+* Creates an ApisixRoute, and enable plugin `key-auth`:
+
+```shell
+kubectl apply -f - <<EOF
+apiVersion: apisix.apache.org/v2
+kind: ApisixRoute
+metadata:
+  name: httpserver-route
+spec:
+  http:
+  - name: rule1
+    match:
+      hosts:
+      - httpbin.org
+      paths:
+      - /*
+    backends:
+    - serviceName: httpbin
+      servicePort: 80
+    authentication:
+      enable: true
+      type: keyAuth
+EOF
+```
+
+* Requests from foo:
+
+```shell
+kubectl  exec -it -n ${namespace of Apache APISIX} ${pod of Apache APISIX}  -- curl http://127.0.0.1:9080/anything -H 'Host: httpbin.org' -H 'apikey:foo-key' -i
+```
+
+```shell
+HTTP/1.1 200 OK
+...
+```
+
+##### Key Auth reference Secret object
+
+<details>
+  <summary>ApisixRoute with keyAuth consumer using secret example</summary>
+
+* Creates a `Secret` object:
+
+```shell
+kubectl apply -f - <<EOF
+apiVersion: v1
+kind: Secret
+metadata:
+  name: foovalue
+data:
+  key: Zm9vLWtleQ==
+EOF
+```
+
+* Creates an ApisixConsumer and reference `Secret` object:
+
+```shell
+kubectl apply -f - <<EOF
+apiVersion: apisix.apache.org/v2
+kind: ApisixConsumer
+metadata:
+  name: foo
+spec:
+  authParameter:
+    keyAuth:
+      secretRef:
+        name: foovalue
+EOF
+```
+
+* Creates an ApisixRoute, and enables plugin `key-auth`:
+
+```shell
+kubectl apply -f - <<EOF
+apiVersion: apisix.apache.org/v2
+kind: ApisixRoute
+metadata:
+  name: httpserver-route
+spec:
+  http:
+  - name: rule1
+    match:
+      hosts:
+      - httpbin.org
+      paths:
+      - /*
+    backends:
+    - serviceName: httpbin
+      servicePort: 80
+    authentication:
+      enable: true
+      type: keyAuth
+EOF
+```
+
+* Requests from foo:
+
+```shell
+kubectl  exec -it -n ${namespace of Apache APISIX} ${pod of Apache APISIX}  -- curl http://127.0.0.1:9080/anything -H 'Host: httpbin.org' -H 'apikey:foo-key' -i
+```
+
+```shell
+HTTP/1.1 200 OK
+...
+```
+
+</details>
+
+#### Enable `JWT Auth`
+
+* Creates an ApisixConsumer, and set the attributes of plugin `jwt-auth`:
+
+```shell
+kubectl apply -f - <<EOF
+apiVersion: apisix.apache.org/v2
+kind: ApisixConsumer
+metadata:
+  name: foo2
+spec:
+  authParameter:
+    jwtAuth:
+      value:
+        key: foo2-key
+EOF
+```
+
+* Use the `public-api` plugin to expose the public API:
+
+```shell
+kubectl apply -f - <<EOF
+apiVersion: apisix.apache.org/v2
+kind: ApisixRoute
+metadata:
+  name: default
+spec:
+  http:
+  - name: public-api
+    match:
+      paths:
+      - /apisix/plugin/jwt/sign
+    backends:
+    - serviceName: apisix-admin
+      servicePort: 9180
+    plugins:
+    - name: public-api
+      enable: true
+EOF
+```
+
+* Creates an ApisixRoute, and enable the jwt-auth plugin:
+
+```shell
+kubectl apply -f - <<EOF
+apiVersion: apisix.apache.org/v2
+kind: ApisixRoute
+metadata:
+ name: httpbin-route
+spec:
+ http:
+ - name: rule1
+   match:
+     hosts:
+     - httpbin.org
+     paths:
+       - /*
+   backends:
+   - serviceName: httpbin
+     servicePort: 80
+   authentication:
+     enable: true
+     type: jwtAuth
+EOF
+```
+
+* Get the token:
+
+```shell
+kubectl  exec -it -n ${namespace of Apache APISIX} ${pod of Apache APISIX} -- curl http://127.0.0.1:9080/apisix/plugin/jwt/sign?key=foo2-key -H 'Host: httpbin.org' -i
+```
+
+```shell
+HTTP/1.1 200 OK
+...
+eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIsImV4cCI6MTU2NDA1MDgxMX0.Us8zh_4VjJXF-TmR5f8cif8mBU7SuefPlpxhH0jbPVI
+```
+
+* Without token:
+
+```shell
+kubectl  exec -it -n ${namespace of Apache APISIX} ${pod of Apache APISIX} -- curl http://127.0.0.1:9080/anything -H 'Host: httpbin.org' -i
+```
+
+```shell
+HTTP/1.1 401
+...
+{"message":"Missing JWT token in request"}
+```
+
+* Request header with token:
+
+```shell
+kubectl  exec -it -n ${namespace of Apache APISIX} ${pod of Apache APISIX} -- curl http://127.0.0.1:9080/anything -H 'Host: httpbin.org' -H 'Authorization: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIsImV4cCI6MTU2NDA1MDgxMX0.Us8zh_4VjJXF-TmR5f8cif8mBU7SuefPlpxhH0jbPVI' -i
+```
+
+```shell
+HTTP/1.1 200 OK
+...
+```
+
+### How to enable `Restriction`
+
+We can also use the `consumer-restriction` Plugin to restrict our user from accessing the API.
+
+#### How to restrict `consumer_name`
+
+The following is an example. The `consumer-restriction` plugin is enabled on the specified route to restrict `consumer_name` access.
+
+* **consumer_name**: Add the `username` of `consumer` to a whitelist or blacklist (supporting single or multiple consumers) to restrict access to services or routes.
+
+* Create ApisixConsumer jack1:
+
+```shell
+kubectl apply -f - <<EOF
+apiVersion: apisix.apache.org/v2
+kind: ApisixConsumer
+metadata:
+  name: jack1
+spec:
+  authParameter:
+    keyAuth:
+      value:
+        key: jack1-key
+EOF
+```
+
+* Create ApisixConsumer jack2:
+
+```shell
+kubectl apply -f - <<EOF
+apiVersion: apisix.apache.org/v2
+kind: ApisixConsumer
+metadata:
+  name: jack2
+spec:
+  authParameter:
+    keyAuth:
+      value:
+        key: jack2-key
+EOF
+```
+
+* Creates an ApisixRoute, and enable config `whitelist`  of the plugin `consumer-restriction`:
+
+```shell
+kubectl apply -f - <<EOF
+apiVersion: apisix.apache.org/v2
+kind: ApisixRoute
+metadata:
+ name: httpserver-route
+spec:
+ http:
+ - name: rule1
+   match:
+     hosts:
+     - httpbin.org
+     paths:
+       - /*
+   backends:
+   - serviceName: httpbin
+     servicePort: 80
+   authentication:
+     enable: true
+     type: keyAuth
+   plugins:
+   - name: consumer-restriction
+     enable: true
+     config:
+       whitelist:
+       - "default_jack1"
+EOF
+```
+
+:::note The `default_jack1` generation rules:
+
+view ApisixConsumer resource object from this namespace `default`
+
+```shell
+$ kubectl get apisixconsumers.apisix.apache.org -n default
+NAME    AGE
+foo     14h
+jack1   14h
+jack2   14h
+```
+
+`${consumer_name}` = `${namespace}_${ApisixConsumer_name}` --> `default_foo`
+`${consumer_name}` = `${namespace}_${ApisixConsumer_name}` --> `default_jack1`
+`${consumer_name}` = `${namespace}_${ApisixConsumer_name}` --> `default_jack2`
+
+:::
+
+**Example usage**
+
+* Requests from jack1:
+
+```shell
+kubectl  exec -it -n ${namespace of Apache APISIX} ${pod of Apache APISIX} -- curl http://127.0.0.1:9080/anything -H 'Host: httpbin.org' -H 'apikey:jack1-key' -i
+```
+
+```shell
+HTTP/1.1 200 OK
+...
+```
+
+* Requests from jack2:
+
+```shell
+kubectl  exec -it -n ${namespace of Apache APISIX} ${pod of Apache APISIX} -- curl http://127.0.0.1:9080/anything -H 'Host: httpbin.org' -H 'apikey:jack2-key' -i
+```
+
+```shell
+HTTP/1.1 403 Forbidden
+...
+{"message":"The consumer_name is forbidden."}
+```
+
+#### How to restrict `allowed_by_methods`
+
+This example restrict the user `jack2` to only `GET` on the resource.
+
+* Creates an ApisixRoute, and enable config `allowed_by_methods`  of the plugin `consumer-restriction`:
+
+```shell
+kubectl apply -f - <<EOF
+apiVersion: apisix.apache.org/v2
+kind: ApisixRoute
+metadata:
+ name: httpserver-route
+spec:
+ http:
+ - name: rule1
+   match:
+     hosts:
+     - httpbin.org
+     paths:
+       - /*
+   backends:
+   - serviceName: httpbin
+     servicePort: 80
+   authentication:
+     enable: true
+     type: keyAuth
+   plugins:
+   - name: consumer-restriction
+     enable: true
+     config:
+       allowed_by_methods:
+       - user: "default_jack1"
+         methods:
+         - "POST"
+         - "GET"
+       - user: "default_jack2"
+         methods:
+         - "GET"
+EOF
+```
+
+**Example usage**
+
+* Requests from jack1:
+
+```shell
+kubectl  exec -it -n ${namespace of Apache APISIX} ${pod of Apache APISIX} -- curl http://127.0.0.1:9080/anything -H 'Host: httpbin.org' -H 'apikey:jack1-key' -i
+```
+
+```shell
+HTTP/1.1 200 OK
+...
+```
+
+```shell
+kubectl  exec -it -n ${namespace of Apache APISIX} ${pod of Apache APISIX} -- curl http://127.0.0.1:9080/anything -H 'Host: httpbin.org' -H 'apikey:jack1-key' -d '' -i
+```
+
+```shell
+HTTP/1.1 200 OK
+...
+```
+
+* Requests from jack2:
+
+```shell
+kubectl  exec -it -n ${namespace of Apache APISIX} ${pod of Apache APISIX} -- curl http://127.0.0.1:9080/anything -H 'Host: httpbin.org' -H 'apikey:jack2-key' -i
+```
+
+```shell
+HTTP/1.1 200 OK
+...
+```
+
+```shell
+kubectl  exec -it -n ${namespace of Apache APISIX} ${pod of Apache APISIX} -- curl http://127.0.0.1:9080/anything -H 'Host: httpbin.org' -H 'apikey:jack2-key' -d '' -i
+```
+
+```shell
+HTTP/1.1 403 Forbidden
+...
+```
+
+### Disable authentication and restriction
+
+To disable the `consumer-restriction` Plugin, you can set the `enable: false` from the `plugins` configuration.
+Also, disable the `keyAuth`, you can set the `enable: false` from the `authentication` configuration.
+
+```shell
+kubectl apply -f - <<EOF
+apiVersion: apisix.apache.org/v2
+kind: ApisixRoute
+metadata:
+ name: httpserver-route
+spec:
+ http:
+ - name: rule1
+   match:
+     hosts:
+     - httpbin.org
+     paths:
+       - /*
+   backends:
+   - serviceName: httpbin
+     servicePort: 80
+   authentication:
+     enable: false
+     type: keyAuth
+   plugins:
+   - name: consumer-restriction
+     enable: false
+     config:
+       allowed_by_methods:
+       - user: "default_jack1"
+         methods:
+         - "POST"
+         - "GET"
+       - user: "default_jack2"
+         methods:
+         - "GET"
+EOF
+```
+
+```shell
+kubectl  exec -it -n ${namespace of Apache APISIX} ${pod of Apache APISIX}  -- curl http://127.0.0.1:9080/anything -H 'Host: httpbin.org' -i
+```
+
+```shell
+HTTP/1.1 200 OK
+...
+```
diff --git a/docs/en/latest/tutorials/how-to-access-Apache-APISIX-Prometheus-Metrics-on-k8s.md b/docs/en/latest/tutorials/how-to-access-Apache-APISIX-Prometheus-Metrics-on-k8s.md
index 4fed57d636..c19cad02ea 100644
--- a/docs/en/latest/tutorials/how-to-access-Apache-APISIX-Prometheus-Metrics-on-k8s.md
+++ b/docs/en/latest/tutorials/how-to-access-Apache-APISIX-Prometheus-Metrics-on-k8s.md
@@ -34,7 +34,7 @@ Before starting, please make sure that Apache APISIX (version >= 2.13)and APISIX
 If you need to monitor Apache APISIX simultaneously, you can create the following ApisixClusterConfig resource.
 
 ```yaml
-apiVersion: apisix.apache.org/v2beta3
+apiVersion: apisix.apache.org/v2
 kind: ApisixClusterConfig
 metadata:
   name: default
@@ -49,7 +49,7 @@ spec:
 Let's make a basic routing setup, and please note that further configuration should be done based on your local backend service information. The primary solution concept is to use the `public-api` plugin to protect the routes exposed by *Prometheus*. For a more detailed configuration, you can refer to the [example](https://apisix.apache.org/docs/apisix/plugins/public-api/#example) section of the `public-api` plugin.
 
 ```yaml
-apiVersion: apisix.apache.org/v2beta3
+apiVersion: apisix.apache.org/v2
 kind: ApisixRoute
 metadata:
   name: prometheus-route
diff --git a/docs/en/latest/tutorials/how-to-use-go-plugin-runner-in-apisix-ingress.md b/docs/en/latest/tutorials/how-to-use-go-plugin-runner-in-apisix-ingress.md
index d714773f32..72c7b3109a 100644
--- a/docs/en/latest/tutorials/how-to-use-go-plugin-runner-in-apisix-ingress.md
+++ b/docs/en/latest/tutorials/how-to-use-go-plugin-runner-in-apisix-ingress.md
@@ -155,7 +155,7 @@ kubectl expose pod httpbin --port 80
 Create the `go-plugin-runner-route.yaml` file to enable the ApisixRoute resource, with the following configuration file:
 
 ```yaml
-apiVersion: apisix.apache.org/v2beta3
+apiVersion: apisix.apache.org/v2
 kind: ApisixRoute
 metadata:
   name: plugin-runner-demo
diff --git a/docs/en/latest/tutorials/manage-certificates-with-cert-manager.md b/docs/en/latest/tutorials/manage-certificates-with-cert-manager.md
index 564f047b10..42ff97de3f 100644
--- a/docs/en/latest/tutorials/manage-certificates-with-cert-manager.md
+++ b/docs/en/latest/tutorials/manage-certificates-with-cert-manager.md
@@ -132,7 +132,7 @@ kubectl run httpbin --image kennethreitz/httpbin --expose --port 80
 Create an ApisixRoute to route the service:
 
 ```yaml
-apiVersion: apisix.apache.org/v2beta3
+apiVersion: apisix.apache.org/v2
 kind: ApisixRoute
 metadata:
   name: httpserver-route
@@ -168,7 +168,7 @@ It should output:
 Create an ApisixTls to secure the route, referring to the secret created by cert-manager:
 
 ```yaml
-apiVersion: apisix.apache.org/v2beta3
+apiVersion: apisix.apache.org/v2
 kind: ApisixTls
 metadata:
   name: example-tls
diff --git a/docs/en/latest/tutorials/mtls.md b/docs/en/latest/tutorials/mtls.md
index 5be017559c..30d29d19f7 100644
--- a/docs/en/latest/tutorials/mtls.md
+++ b/docs/en/latest/tutorials/mtls.md
@@ -51,7 +51,7 @@ Since SSL is not configured in ApisixRoute, we can use the config similar to the
 
 ```yaml
 # route.yaml
-apiVersion: apisix.apache.org/v2beta3
+apiVersion: apisix.apache.org/v2
 kind: ApisixRoute
 metadata:
   name: httpserver-route
@@ -117,7 +117,7 @@ The secret name is `server-secret`, we created it in the `default` namespace. We
 
 ```yaml
 # tls.yaml
-apiVersion: apisix.apache.org/v2beta3
+apiVersion: apisix.apache.org/v2
 kind: ApisixTls
 metadata:
   name: sample-tls
@@ -164,7 +164,7 @@ Then, change our ApisixTls and apply it:
 
 ```yaml
 # mtls.yaml
-apiVersion: apisix.apache.org/v2beta3
+apiVersion: apisix.apache.org/v2
 kind: ApisixTls
 metadata:
   name: sample-tls
diff --git a/docs/en/latest/tutorials/mtls/mtls.yaml b/docs/en/latest/tutorials/mtls/mtls.yaml
index 20a6fa6666..1315e3341a 100644
--- a/docs/en/latest/tutorials/mtls/mtls.yaml
+++ b/docs/en/latest/tutorials/mtls/mtls.yaml
@@ -14,7 +14,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-apiVersion: apisix.apache.org/v2beta3
+apiVersion: apisix.apache.org/v2
 kind: ApisixTls
 metadata:
   name: sample-tls
diff --git a/docs/en/latest/tutorials/mtls/route.yaml b/docs/en/latest/tutorials/mtls/route.yaml
index fb86d35312..a07610d593 100644
--- a/docs/en/latest/tutorials/mtls/route.yaml
+++ b/docs/en/latest/tutorials/mtls/route.yaml
@@ -14,7 +14,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-apiVersion: apisix.apache.org/v2beta3
+apiVersion: apisix.apache.org/v2
 kind: ApisixRoute
 metadata:
   name: httpserver-route
diff --git a/docs/en/latest/tutorials/mtls/tls.yaml b/docs/en/latest/tutorials/mtls/tls.yaml
index cfea8f384a..35ef6598f3 100644
--- a/docs/en/latest/tutorials/mtls/tls.yaml
+++ b/docs/en/latest/tutorials/mtls/tls.yaml
@@ -14,7 +14,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-apiVersion: apisix.apache.org/v2beta3
+apiVersion: apisix.apache.org/v2
 kind: ApisixTls
 metadata:
   name: sample-tls
diff --git a/docs/en/latest/tutorials/proxy-grpc-service.md b/docs/en/latest/tutorials/proxy-grpc-service.md
index b717448999..d734cc775b 100644
--- a/docs/en/latest/tutorials/proxy-grpc-service.md
+++ b/docs/en/latest/tutorials/proxy-grpc-service.md
@@ -82,7 +82,7 @@ If you don't see a command prompt, try pressing enter.
 
 ```bash
 kubectl apply -f - <<EOF
-apiVersion: apisix.apache.org/v2beta3
+apiVersion: apisix.apache.org/v2
 kind: ApisixRoute
 metadata:
   name: grpc-proxy-route
@@ -106,7 +106,7 @@ EOF
 
 ```bash
 kubectl apply -f - <<EOF
-apiVersion: apisix.apache.org/v2beta3
+apiVersion: apisix.apache.org/v2
 kind: ApisixUpstream
 metadata:
   name: yages
@@ -134,7 +134,7 @@ Inform APISIX SSL configuration through ApisixTls.
 
 ```bash
 kubectl apply -f - <<EOF
-apiVersion: apisix.apache.org/v2beta3
+apiVersion: apisix.apache.org/v2
 kind: ApisixTls
 metadata:
   name: grpc-secret
diff --git a/docs/en/latest/tutorials/proxy-the-httpbin-service.md b/docs/en/latest/tutorials/proxy-the-httpbin-service.md
index b0db1d89e4..5865f54dd4 100644
--- a/docs/en/latest/tutorials/proxy-the-httpbin-service.md
+++ b/docs/en/latest/tutorials/proxy-the-httpbin-service.md
@@ -46,7 +46,7 @@ In order to let Apache APISIX proxies requests to httpbin, we need to create an
 
 ```yaml
 # httpbin-route.yaml
-apiVersion: apisix.apache.org/v2beta3
+apiVersion: apisix.apache.org/v2
 kind: ApisixRoute
 metadata:
   name: httpserver-route
diff --git a/docs/en/latest/tutorials/the-hard-way.md b/docs/en/latest/tutorials/the-hard-way.md
index dab4e98119..07df65ac3b 100644
--- a/docs/en/latest/tutorials/the-hard-way.md
+++ b/docs/en/latest/tutorials/the-hard-way.md
@@ -644,7 +644,7 @@ data:
       - "apisix.ingress=watching"
       ingress_class: "apisix"
       ingress_version: "networking/v1"
-      apisix_route_version: "apisix.apache.org/v2beta3"
+      apisix_route_version: "apisix.apache.org/v2"
     apisix:
       default_cluster_base_url: "http://apisix-admin.apisix:9180/apisix/admin"
       default_cluster_admin_key: "edd1c9f034335f136f87ad84b625c8f1"
@@ -752,7 +752,7 @@ After the ingress controller status is converted to `Running`, we could create a
 Here is an example ApisixRoute:
 
 ```yaml
-apiVersion: apisix.apache.org/v2beta3
+apiVersion: apisix.apache.org/v2
 kind: ApisixRoute
 metadata:
   name: httpserver-route
diff --git a/docs/en/latest/upgrade.md b/docs/en/latest/upgrade.md
index 0416028228..881ba5acb6 100644
--- a/docs/en/latest/upgrade.md
+++ b/docs/en/latest/upgrade.md
@@ -33,7 +33,7 @@ you can use the [`conftest`](https://github.com/open-policy-agent/conftest) tool
 Here's a quick example.
 
 ```yaml
-apiVersion: apisix.apache.org/v2beta3
+apiVersion: apisix.apache.org/v2
 kind: ApisixRoute
 metadata:
  name: httpbin-route