From 309bdba3472de33f1aea750d92baaa5e5376a573 Mon Sep 17 00:00:00 2001 From: Ashish Tiwari Date: Thu, 2 Oct 2025 17:49:43 +0530 Subject: [PATCH 01/16] chore: release 3.14 --- .asf.yaml | 4 ++ CHANGELOG.md | 103 ++++++++++++++++++++++++++++++ apisix/core/version.lua | 2 +- docs/en/latest/building-apisix.md | 2 +- docs/en/latest/config.json | 2 +- docs/zh/latest/config.json | 2 +- 6 files changed, 111 insertions(+), 4 deletions(-) diff --git a/.asf.yaml b/.asf.yaml index 603066cebe92..5d070228314a 100644 --- a/.asf.yaml +++ b/.asf.yaml @@ -54,6 +54,10 @@ github: dismiss_stale_reviews: true require_code_owner_reviews: true required_approving_review_count: 3 + release/3.14: + required_pull_request_reviews: + require_code_owner_reviews: true + required_approving_review_count: 3 release/3.13: required_pull_request_reviews: require_code_owner_reviews: true diff --git a/CHANGELOG.md b/CHANGELOG.md index 41c430ab2005..2381cc7b8823 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -23,6 +23,7 @@ title: Changelog ## Table of Contents +- [3.14.0](#3140) - [3.13.0](#3130) - [3.12.0](#3120) - [3.11.0](#3110) @@ -80,6 +81,108 @@ title: Changelog - [0.7.0](#070) - [0.6.0](#060) +## 3.14.0 + +**The changes marked with :warning: are not backward compatible.** + +### Change + +- :warning: feat: admin api no longer populates default values when writing [#12603](https://github.com/apache/apisix/pull/12603) +- :warning: change(jwt-auth): when algorithm is not RS256 or ES256, require the user to fill in secret [#12611](https://github.com/apache/apisix/pull/12611) +- :warning: change(openid-connect): when bearer_only is false, require the user to fill in session.secret [#12609](https://github.com/apache/apisix/pull/12609) + +### Bugfixes + +- fix: redact encrypted fields from error log [#12629](https://github.com/apache/apisix/pull/12629) +- fix: run init_worker of apisix.admin module in stream subsystem [#12632](https://github.com/apache/apisix/pull/12632) +- fix(ai-proxy-multi): inconsistent resolved nodes for healthcheck [#12594](https://github.com/apache/apisix/pull/12594) +- fix: only trust X-Forwarded-* headers from trusted_addresses [#12551](https://github.com/apache/apisix/pull/12551) +- fix(plugin/redirect): ensure redirect when scheme is not https [#12561](https://github.com/apache/apisix/pull/12561) +- fix: fix ui redirect error when behind proxy [#12566](https://github.com/apache/apisix/pull/12566) +- fix(secret): refresh stale lru cache item in background [#12614](https://github.com/apache/apisix/pull/12614) +- fix: healthcheck manager missing runtime information [#12607](https://github.com/apache/apisix/pull/12607) +- fix(standalone): support stream route in admin api mode [#12604](https://github.com/apache/apisix/pull/12604) +- fix: only log response body when include_resp_body is enabled [#12599](https://github.com/apache/apisix/pull/12599) +- fix: correct spelling error in get_healthcheck_events_module function name [#12587](https://github.com/apache/apisix/pull/12587) +- fix: typo in ai-proxy-multi [#12601](https://github.com/apache/apisix/pull/12601) +- fix(ai-proxy-multi): panic when instance dont have custom endpoint [#12584](https://github.com/apache/apisix/pull/12584) +- fix(ai-prompt-decorator): prevent message accumulation across requests [#12582](https://github.com/apache/apisix/pull/12582) +- fix: docker entrypoint remove stream_worker_events.sock if exists [#12546](https://github.com/apache/apisix/pull/12546) +- fix: add exptime to ewma shared dict items [#12557](https://github.com/apache/apisix/pull/12557) +- fix(ai-proxy): catch malformed override endpoint in schema validation [#12563](https://github.com/apache/apisix/pull/12563) +- fix: missing ctx.llm_raw_usage in non-stream mode [#12564](https://github.com/apache/apisix/pull/12564) +- fix(ai-proxy): set llm variables default value to 0 [#12549](https://github.com/apache/apisix/pull/12549) +- fix(ai-proxy): check type of choices/usage/content fields before use it [#12548](https://github.com/apache/apisix/pull/12548) +- fix(discovery/kubernetes): adjust id length [#12536](https://github.com/apache/apisix/pull/12536) +- fix: basic auth scheme supports case insensitivity [#12539](https://github.com/apache/apisix/pull/12539) +- fix: when only tls.verify, skip the logic of judging client cert [#12527](https://github.com/apache/apisix/pull/12527) +- fix(etcd): load full data from etcd while worker restart [#12523](https://github.com/apache/apisix/pull/12523) +- fix(etcd): upgrade revision when watch request timeout [#12514](https://github.com/apache/apisix/pull/12514) +- fix: enable issue of endpointslices for k8s discovery [#11654](https://github.com/apache/apisix/pull/11654) +- fix(grpc-web): missing trailers when empty resp body [#12490](https://github.com/apache/apisix/pull/12490) +- fix: can not get hostname in redhat [#12267](https://github.com/apache/apisix/pull/12267) +- fix: batch processor cache not working when configure plugin in service [#12474](https://github.com/apache/apisix/pull/12474) +- fix(forward-auth): extra_headers not resolving variable on $post_arg. [#12435](https://github.com/apache/apisix/pull/12435) +- fix: skipped failing bailedout tests in CI [#12462](https://github.com/apache/apisix/pull/12462) +- fix(api-breaker): inconsistent circuit breaking due to premature breaker_time increment [#12451](https://github.com/apache/apisix/pull/12451) +- fix(standalone): lack of configuration validation in api [#12424](https://github.com/apache/apisix/pull/12424) +- fix(log-rotate): skip access log when enable_access_log is set to false [#11310](https://github.com/apache/apisix/pull/11310) +- fix(opentelemetry): remove plugin attr set_ngx_var [#12411](https://github.com/apache/apisix/pull/12411) +- fix: broken mcp-bridge test cases [#12425](https://github.com/apache/apisix/pull/12425) +- fix(request-validation): support Content-Type header with charset for urlencoded data [#12406](https://github.com/apache/apisix/pull/12406) +- fix: zipkin trace_id and span_id format in ngx_var [#12403](https://github.com/apache/apisix/pull/12403) +- fix(consumer): missed consumer update due to wrong version in cache [#12413](https://github.com/apache/apisix/pull/12413) +- revert: fix: forward-auth request body too large [#12404](https://github.com/apache/apisix/pull/12404) +- fix: get_keys only return first 1024 items in shared dict by default [#12380](https://github.com/apache/apisix/pull/12380) + +### Core + +- ci: migrate docker image for testing to bitnamilegacy repo [#12562](https://github.com/apache/apisix/pull/12562) +- chore: remove redundant profile.apisix_home assignment in start [#12529](https://github.com/apache/apisix/pull/12529) +- chore: upgrade deps to solve vulnerability alerts [#12473](https://github.com/apache/apisix/pull/12473) +- refactor: add healthcheck manager to decouple upstream [#12426](https://github.com/apache/apisix/pull/12426) +- feat: add last modified and digest metadata to standalone API [#12526](https://github.com/apache/apisix/pull/12526) +- feat: support ctx.var.post_arg for vars based route matching on request body [#12388](https://github.com/apache/apisix/pull/12388) +- feat: add a global switch to disable upstream health check [#12407](https://github.com/apache/apisix/pull/12407) +- feat: support multiple json.delay_encode objects in single log [#12395](https://github.com/apache/apisix/pull/12395) + +### Plugins + +- feat: support traffic split plugin for stream routes [#12630](https://github.com/apache/apisix/pull/12630) +- feat: add ksuid algorithm on request-id plugin [#12573](https://github.com/apache/apisix/pull/12573) +- feat: add fallback mechanism for specific error codes in ai-proxy-multi [#12571](https://github.com/apache/apisix/pull/12571) +- feat(ai-proxy): add upstream_response_time in access log [#12555](https://github.com/apache/apisix/pull/12555) +- feat(ai-proxy): add new ctx variable for request llm model [#12554](https://github.com/apache/apisix/pull/12554) +- feat: add support for azure-ai driver [#12565](https://github.com/apache/apisix/pull/12565) +- feat(ai-proxy): add support for pushing logs in ai-proxy plugins [#12515](https://github.com/apache/apisix/pull/12515) +- feat: add ai-aliyun-content-moderation plugin [#12530](https://github.com/apache/apisix/pull/12530) +- feat: allow to use environment variables for openid-connect plugin [#11451](https://github.com/apache/apisix/pull/11451) +- feat(ai-proxy-multi): add support for healthcheck [#12509](https://github.com/apache/apisix/pull/12509) +- feat(ai-proxy): add latency and usage in access log and prometheus metrics [#12518](https://github.com/apache/apisix/pull/12518) +- feat: support limit-conn in workflow plugin [#12465](https://github.com/apache/apisix/pull/12465) +- feat(datadog): Improve Datadog plugin tag support [#11943](https://github.com/apache/apisix/pull/11943) +- feat: decoupled prometheus exporter's calculation and output [#12383](https://github.com/apache/apisix/pull/12383) +- feat: support OIDC claim validator [#11824](https://github.com/apache/apisix/pull/11824) +- feat: add support for extra_headers in forward-auth plugin [#12405](https://github.com/apache/apisix/pull/12405) +- feat: Add AIMLAPI provider support to AI plugins [#12379](https://github.com/apache/apisix/pull/12379) + +## Doc improvements + +- docs: update admin api documentation for plugin metadata list endpoint [#12621](https://github.com/apache/apisix/pull/12621) +- docs: add new dashboard documentation [#12616](https://github.com/apache/apisix/pull/12616) +- docs: update note for API-drive standalone mode [#12612](https://github.com/apache/apisix/pull/12612) +- docs: Improve chaitin-waf plugin docs and remove unintended highlights [#12608](https://github.com/apache/apisix/pull/12608) +- docs: remove outdate dashboard doc [#12596](https://github.com/apache/apisix/pull/12596) +- docs: update apisix-upstream_response_time and request_llm_model in access log info [#12583](https://github.com/apache/apisix/pull/12583) +- docs: remove LLM variable in access log examples +- docs: update jwt-auth docs [#12450](https://github.com/apache/apisix/pull/12450) +- docs: update rpm installation guide [#12460](https://github.com/apache/apisix/pull/12460) +- docs: fix typo in credentials doc [#12434](https://github.com/apache/apisix/pull/12434) +- docs: add dashboard ui tips [#12420](https://github.com/apache/apisix/pull/12420) +- docs: correct minor typo for openwhisk [#12401](https://github.com/apache/apisix/pull/12401) +- docs: update changelog with breakchange notices [#12396](https://github.com/apache/apisix/pull/12396) +- docs: improve openid-connect plugin doc and add keycloak OIDC tutorial [#11889](https://github.com/apache/apisix/pull/11889) + ## 3.13.0 **The changes marked with :warning: are not backward compatible.** diff --git a/apisix/core/version.lua b/apisix/core/version.lua index 882e228ef615..42ed228e92aa 100644 --- a/apisix/core/version.lua +++ b/apisix/core/version.lua @@ -20,5 +20,5 @@ -- @module core.version return { - VERSION = "3.13.0" + VERSION = "3.14.0" } diff --git a/docs/en/latest/building-apisix.md b/docs/en/latest/building-apisix.md index cf2c2da7ea34..470302df789c 100644 --- a/docs/en/latest/building-apisix.md +++ b/docs/en/latest/building-apisix.md @@ -48,7 +48,7 @@ To build and package APISIX for a specific platform, see [apisix-build-tools](ht First of all, we need to specify the branch to be built: ```shell -APISIX_BRANCH='release/3.13' +APISIX_BRANCH='release/3.14' ``` Then, you can run the following command to clone the APISIX source code from Github: diff --git a/docs/en/latest/config.json b/docs/en/latest/config.json index e9505f3a7393..bee266f04d63 100644 --- a/docs/en/latest/config.json +++ b/docs/en/latest/config.json @@ -1,5 +1,5 @@ { - "version": "3.13.0", + "version": "3.14.0", "sidebar": [ { "type": "category", diff --git a/docs/zh/latest/config.json b/docs/zh/latest/config.json index 6462e8258e0a..c0489e6415de 100644 --- a/docs/zh/latest/config.json +++ b/docs/zh/latest/config.json @@ -1,5 +1,5 @@ { - "version": "3.13.0", + "version": "3.14.0", "sidebar": [ { "type": "category", From c9cedc6dafbd62d0af3377e090a6c9bc8be16b63 Mon Sep 17 00:00:00 2001 From: Ashish Tiwari Date: Thu, 2 Oct 2025 17:51:35 +0530 Subject: [PATCH 02/16] add missing --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2381cc7b8823..69391c8c642e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -148,6 +148,7 @@ title: Changelog ### Plugins +- feat: support OIDC claim validator (#8772) (#11824) - feat: support traffic split plugin for stream routes [#12630](https://github.com/apache/apisix/pull/12630) - feat: add ksuid algorithm on request-id plugin [#12573](https://github.com/apache/apisix/pull/12573) - feat: add fallback mechanism for specific error codes in ai-proxy-multi [#12571](https://github.com/apache/apisix/pull/12571) From f896f1893d40d4d4395193331bf630def6ae4fd2 Mon Sep 17 00:00:00 2001 From: Ashish Tiwari Date: Sun, 5 Oct 2025 21:01:38 +0530 Subject: [PATCH 03/16] remove warning --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 69391c8c642e..a0258d268f07 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -89,7 +89,7 @@ title: Changelog - :warning: feat: admin api no longer populates default values when writing [#12603](https://github.com/apache/apisix/pull/12603) - :warning: change(jwt-auth): when algorithm is not RS256 or ES256, require the user to fill in secret [#12611](https://github.com/apache/apisix/pull/12611) -- :warning: change(openid-connect): when bearer_only is false, require the user to fill in session.secret [#12609](https://github.com/apache/apisix/pull/12609) +- change(openid-connect): when bearer_only is false, require the user to fill in session.secret [#12609](https://github.com/apache/apisix/pull/12609) ### Bugfixes From 8bf61dd152373da5c063610eb650632f298aa796 Mon Sep 17 00:00:00 2001 From: Ashish Tiwari Date: Thu, 9 Oct 2025 12:12:44 +0530 Subject: [PATCH 04/16] apply suggestion --- CHANGELOG.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index a0258d268f07..0e440d9e9b85 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -89,7 +89,7 @@ title: Changelog - :warning: feat: admin api no longer populates default values when writing [#12603](https://github.com/apache/apisix/pull/12603) - :warning: change(jwt-auth): when algorithm is not RS256 or ES256, require the user to fill in secret [#12611](https://github.com/apache/apisix/pull/12611) -- change(openid-connect): when bearer_only is false, require the user to fill in session.secret [#12609](https://github.com/apache/apisix/pull/12609) +- :warning: change(openid-connect): when bearer_only is false, require the user to fill in session.secret [#12609](https://github.com/apache/apisix/pull/12609) ### Bugfixes @@ -148,7 +148,7 @@ title: Changelog ### Plugins -- feat: support OIDC claim validator (#8772) (#11824) +- feat: support OIDC claim validator [#11824](https://github.com/apache/apisix/pull/11824) - feat: support traffic split plugin for stream routes [#12630](https://github.com/apache/apisix/pull/12630) - feat: add ksuid algorithm on request-id plugin [#12573](https://github.com/apache/apisix/pull/12573) - feat: add fallback mechanism for specific error codes in ai-proxy-multi [#12571](https://github.com/apache/apisix/pull/12571) From 04912256dccf7b74ba0e1dbbb6bbc7be70c64cae Mon Sep 17 00:00:00 2001 From: Ashish Tiwari Date: Thu, 9 Oct 2025 12:13:09 +0530 Subject: [PATCH 05/16] remove repeated --- CHANGELOG.md | 1 - 1 file changed, 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0e440d9e9b85..49a4a4a7b591 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -163,7 +163,6 @@ title: Changelog - feat: support limit-conn in workflow plugin [#12465](https://github.com/apache/apisix/pull/12465) - feat(datadog): Improve Datadog plugin tag support [#11943](https://github.com/apache/apisix/pull/11943) - feat: decoupled prometheus exporter's calculation and output [#12383](https://github.com/apache/apisix/pull/12383) -- feat: support OIDC claim validator [#11824](https://github.com/apache/apisix/pull/11824) - feat: add support for extra_headers in forward-auth plugin [#12405](https://github.com/apache/apisix/pull/12405) - feat: Add AIMLAPI provider support to AI plugins [#12379](https://github.com/apache/apisix/pull/12379) From f91ecea5bfac45fee07c0e081588d46d9c03df01 Mon Sep 17 00:00:00 2001 From: Ashish Tiwari Date: Thu, 9 Oct 2025 12:17:40 +0530 Subject: [PATCH 06/16] fix lint --- ci/check_changelog_prs.ts | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/ci/check_changelog_prs.ts b/ci/check_changelog_prs.ts index e2cad274d87b..786719d4202b 100755 --- a/ci/check_changelog_prs.ts +++ b/ci/check_changelog_prs.ts @@ -49,7 +49,9 @@ const IGNORE_PRS = [ // 3.12.0 11769, 11816, 11881, 11905, 11924, 11926, 11973, 11991, 11992, 11829, // 3.13.0 - 9945, 11420, 11765, 12036, 12048, 12057, 12076, 12122, 12123, 12168, 12199, 12218, 12225, 12272, 12277, 12300, 12306, 12329, 12353, 12364, 12375, 12358 + 9945, 11420, 11765, 12036, 12048, 12057, 12076, 12122, 12123, 12168, 12199, 12218, 12225, 12272, 12277, 12300, 12306, 12329, 12353, 12364, 12375, 12358, + //3.14.0 + 8772 ]; From 6c0af02713081efd2ef837040afe999bad1ddce0 Mon Sep 17 00:00:00 2001 From: Ashish Tiwari Date: Thu, 9 Oct 2025 14:55:39 +0530 Subject: [PATCH 07/16] apply doc improvements --- CHANGELOG.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 49a4a4a7b591..0a3aa5acef6e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -173,8 +173,8 @@ title: Changelog - docs: update note for API-drive standalone mode [#12612](https://github.com/apache/apisix/pull/12612) - docs: Improve chaitin-waf plugin docs and remove unintended highlights [#12608](https://github.com/apache/apisix/pull/12608) - docs: remove outdate dashboard doc [#12596](https://github.com/apache/apisix/pull/12596) -- docs: update apisix-upstream_response_time and request_llm_model in access log info [#12583](https://github.com/apache/apisix/pull/12583) -- docs: remove LLM variable in access log examples +- docs: update apisix_upstream_response_time and request_llm_model in access log info [#12583](https://github.com/apache/apisix/pull/12583) +- docs: remove LLM variable in access log examples [#12503](https://github.com/apache/apisix/pull/12503) - docs: update jwt-auth docs [#12450](https://github.com/apache/apisix/pull/12450) - docs: update rpm installation guide [#12460](https://github.com/apache/apisix/pull/12460) - docs: fix typo in credentials doc [#12434](https://github.com/apache/apisix/pull/12434) From c89d39cf3e7ccc333e1c7b74b1097a09f2f1ef87 Mon Sep 17 00:00:00 2001 From: Ashish Tiwari Date: Thu, 9 Oct 2025 14:58:52 +0530 Subject: [PATCH 08/16] fix lint --- ci/check_changelog_prs.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/check_changelog_prs.ts b/ci/check_changelog_prs.ts index 786719d4202b..dc7929557aa9 100755 --- a/ci/check_changelog_prs.ts +++ b/ci/check_changelog_prs.ts @@ -51,7 +51,7 @@ const IGNORE_PRS = [ // 3.13.0 9945, 11420, 11765, 12036, 12048, 12057, 12076, 12122, 12123, 12168, 12199, 12218, 12225, 12272, 12277, 12300, 12306, 12329, 12353, 12364, 12375, 12358, //3.14.0 - 8772 + 8772, 12655 ]; From e674e921e72542363480ab4209629139eee86ce4 Mon Sep 17 00:00:00 2001 From: Ashish Tiwari Date: Tue, 14 Oct 2025 14:04:23 +0530 Subject: [PATCH 09/16] chore: release 3.14.1 --- CHANGELOG.md | 16 ++++++++++++++++ apisix/core/version.lua | 2 +- docs/en/latest/config.json | 2 +- docs/zh/latest/config.json | 2 +- 4 files changed, 19 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0a3aa5acef6e..36d3c66e1595 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -23,6 +23,7 @@ title: Changelog ## Table of Contents +- [3.14.1](#3141) - [3.14.0](#3140) - [3.13.0](#3130) - [3.12.0](#3120) @@ -81,6 +82,21 @@ title: Changelog - [0.7.0](#070) - [0.6.0](#060) +## 3.14.1 + +### Bugfixes + +- fix: port conflict in worker process for prometheus port [#12667](https://github.com/apache/apisix/pull/12667) + +### Core + +- fix: add warning log when skipping check for disabled plugin [#12655](https://github.com/apache/apisix/pull/12655) +- chore: add test for verifying lua-resty-openssl bug fix [#12656](https://github.com/apache/apisix/pull/12656) + +## Doc improvements + +- docs: remove unnecessary sentence in opentelemetry plugin doc [#12660](https://github.com/apache/apisix/pull/12660) + ## 3.14.0 **The changes marked with :warning: are not backward compatible.** diff --git a/apisix/core/version.lua b/apisix/core/version.lua index 42ed228e92aa..db47f95cbb7a 100644 --- a/apisix/core/version.lua +++ b/apisix/core/version.lua @@ -20,5 +20,5 @@ -- @module core.version return { - VERSION = "3.14.0" + VERSION = "3.14.1" } diff --git a/docs/en/latest/config.json b/docs/en/latest/config.json index bee266f04d63..7052adca4b13 100644 --- a/docs/en/latest/config.json +++ b/docs/en/latest/config.json @@ -1,5 +1,5 @@ { - "version": "3.14.0", + "version": "3.14.1", "sidebar": [ { "type": "category", diff --git a/docs/zh/latest/config.json b/docs/zh/latest/config.json index c0489e6415de..2e48f06532a6 100644 --- a/docs/zh/latest/config.json +++ b/docs/zh/latest/config.json @@ -1,5 +1,5 @@ { - "version": "3.14.0", + "version": "3.14.1", "sidebar": [ { "type": "category", From d5bcf5cd35918047ded020f4cd79bc1fa209b009 Mon Sep 17 00:00:00 2001 From: Ashish Tiwari Date: Thu, 9 Oct 2025 14:33:51 +0530 Subject: [PATCH 10/16] fix: add warning log when skipping check for disabled plugin (#12655) --- apisix/plugin.lua | 2 ++ t/config-center-yaml/plugin.t | 39 +++++++++++++++++++++++++++++++++++ 2 files changed, 41 insertions(+) diff --git a/apisix/plugin.lua b/apisix/plugin.lua index a01bdfd1855d..789eb528d546 100644 --- a/apisix/plugin.lua +++ b/apisix/plugin.lua @@ -893,6 +893,8 @@ local function check_single_plugin_schema(name, plugin_conf, schema_type, skip_d local plugin_obj = local_plugins_hash[name] if not plugin_obj then if skip_disabled_plugin then + core.log.warn("skipping check schema for disabled or unknown plugin [", + name, "]. Enable the plugin or modify configuration") return true else return false, "unknown plugin [" .. name .. "]" diff --git a/t/config-center-yaml/plugin.t b/t/config-center-yaml/plugin.t index 2ee975d0d990..fd3c35734d88 100644 --- a/t/config-center-yaml/plugin.t +++ b/t/config-center-yaml/plugin.t @@ -40,6 +40,10 @@ _EOC_ my $routes = <<_EOC_; routes: - uri: /hello + plugins: + ip-restriction: + whitelist: + - "127.0.0.1" upstream: nodes: "127.0.0.1:1980": 1 @@ -227,3 +231,38 @@ hello world use config_provider: yaml load(): new plugins: {} load_stream(): new plugins: {} + + + +=== TEST 7: route with plugin not in plugins list +--- yaml_config +apisix: + node_listen: 1984 + enable_admin: false +deployment: + role: data_plane + role_data_plane: + config_provider: yaml +plugins: +--- debug_config eval: $::debug_config +--- config + location /t { + content_by_lua_block { + ngx.sleep(0.3) + local http = require "resty.http" + local httpc = http.new() + local uri = "http://127.0.0.1:" .. ngx.var.server_port .. "/hello" + local res, err = httpc:request_uri(uri, { + method = "GET", + }) + ngx.print(res.body) + } + } +--- request +GET /t +--- response_body +hello world +--- no_error_log +[error] +--- error_log +skipping check schema for disabled or unknown plugin [ip-restriction]. Enable the plugin or modify configuration From 499334cce94469923fe60da58f3f4ad77deffbb2 Mon Sep 17 00:00:00 2001 From: Ashish Tiwari Date: Fri, 10 Oct 2025 11:01:29 +0530 Subject: [PATCH 11/16] chore: add test for verifying lua-resty-openssl bug fix (#12656) --- t/plugin/jwt-auth4.t | 74 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 74 insertions(+) diff --git a/t/plugin/jwt-auth4.t b/t/plugin/jwt-auth4.t index 333b26166c22..b1e873f7d70d 100644 --- a/t/plugin/jwt-auth4.t +++ b/t/plugin/jwt-auth4.t @@ -350,3 +350,77 @@ Authorization: bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtle --- error_code: 200 --- response_body JWT found in ctx. Payload key: user-key + + + +=== TEST 10: Test Ed448 signature verification with lua-resty-openssl +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local core = require("apisix.core") + local pkey = require("resty.openssl.pkey") + local base64 = require("ngx.base64") + + -- Test data for Ed448 verification + local header = "eyJhbGciOiJFZERTQSIsInR5cCI6IkpXVCIsImtpZCI6InNjTy16dnUwWWRxOEVJSmxIb25CdWNYVmN2VjVnUm1oZ1BnZXFWSzZFdVkiLCJqa3UiOiJodHRwOi8vbG9jYWxob3N0OjkwNDIvb2lkYy9qd2tzIn0" + local payload = "eyJjbGllbnRfaWQiOiJhcHAtMDEifQ" + local signature = "kOC0UuRy3-eOSZiYWdH1izidwg1cWHsVAgvWgonOw7q1fEOXxD-AG3R1aj-heq-ENZn4hHWv3j8AabiBm6psCwrtf9C7ygDJmFT38Q2-EB3aVlbXSujXjwvWrw0o4yCZciHRVB2pNVkw36pjbQm2Lh8A" + local jwk = '{"alg": "EdDSA", "crv": "Ed448", "kty": "OKP", "use": "sig", "x": "XtrFWAUpoSzZd8OXZAP8LAUyfcGKVnAH7MNJZmqlmz-vz05pwP2q-8cOb14UmkY9nvbL1iBl1tUA"}' + + local raw_signature = base64.decode_base64url(signature) + + -- Test JWK import + local ed448, err = pkey.new(jwk, { format = "JWK" }) + if not ed448 then + ngx.say("FAIL: Failed to create pkey from JWK: ", err) + return + end + + -- Test JWK export to verify consistency + local exported_jwk, export_err = ed448:tostring("public", "JWK") + if not exported_jwk then + ngx.say("FAIL: Failed to export JWK: ", export_err) + return + end + + -- Parse JWKs to compare + local original_parsed = core.json.decode(jwk) + local exported_parsed = core.json.decode(exported_jwk) + + if not original_parsed or not exported_parsed then + ngx.say("FAIL: Failed to parse JWKs") + return + end + + -- Verify key parameters are consistent + local jwk_consistent = (original_parsed.crv == exported_parsed.crv) and + (original_parsed.kty == exported_parsed.kty) + + if not jwk_consistent then + ngx.say("FAIL: JWK parameters inconsistent - Original crv: ", original_parsed.crv, + ", Exported crv: ", exported_parsed.crv) + return + end + + -- Test signature verification + local data_to_verify = header .. "." .. payload + local verify, verify_err = ed448:verify(raw_signature, data_to_verify) + + if verify then + ngx.say("PASS: Ed448 signature verification successful") + ngx.say("PASS: JWK import/export consistent") + else + ngx.say("FAIL: Ed448 signature verification failed - Error: ", verify_err) + ngx.say("INFO: This may be expected with older lua-resty-openssl versions") + ngx.say("INFO: Original JWK x: ", original_parsed.x) + ngx.say("INFO: Exported JWK x: ", exported_parsed.x) + end + } + } +--- request +GET /t +--- response_body_like +(PASS: Ed448 signature verification successful|FAIL: Ed448 signature verification failed) +--- no_error_log +[error] From 3fc200a51654a24edbfc552c7e8b5f7ed29a5454 Mon Sep 17 00:00:00 2001 From: Traky Deng Date: Sat, 11 Oct 2025 16:31:48 +0800 Subject: [PATCH 12/16] docs: remove unnecessary sentence in opentelemetry plugin doc (#12660) --- docs/en/latest/plugins/opentelemetry.md | 2 -- docs/zh/latest/plugins/opentelemetry.md | 2 -- 2 files changed, 4 deletions(-) diff --git a/docs/en/latest/plugins/opentelemetry.md b/docs/en/latest/plugins/opentelemetry.md index dc47b0f66f76..061c26212dd5 100644 --- a/docs/en/latest/plugins/opentelemetry.md +++ b/docs/en/latest/plugins/opentelemetry.md @@ -107,8 +107,6 @@ plugins: Reload APISIX for changes to take effect. -See [static configurations](#static-configurations) for other available options you can configure in `config.yaml`. - ### Send Traces to OpenTelemetry The following example demonstrates how to trace requests to a Route and send traces to OpenTelemetry. diff --git a/docs/zh/latest/plugins/opentelemetry.md b/docs/zh/latest/plugins/opentelemetry.md index 2ba1c099dcbc..f22d90c932b3 100644 --- a/docs/zh/latest/plugins/opentelemetry.md +++ b/docs/zh/latest/plugins/opentelemetry.md @@ -106,8 +106,6 @@ plugins: 重新加载 APISIX 以使更改生效。 -有关 `config.yaml` 中可以配置的其他选项,请参阅[静态配置](#静态配置)。 - ### 将 Traces 上报到 OpenTelemetry 以下示例展示了如何追踪对路由的请求并将 traces 发送到 OpenTelemetry。 From b118f72e79f7cd0366370ee82f039587fb588e4f Mon Sep 17 00:00:00 2001 From: Ashish Tiwari Date: Tue, 14 Oct 2025 12:50:21 +0530 Subject: [PATCH 13/16] fix: port conflict in worker process for prometheus port (#12667) --- apisix/cli/ngx_tpl.lua | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/apisix/cli/ngx_tpl.lua b/apisix/cli/ngx_tpl.lua index 18b77fd3c590..bfca1ccba5a2 100644 --- a/apisix/cli/ngx_tpl.lua +++ b/apisix/cli/ngx_tpl.lua @@ -105,7 +105,7 @@ http { } server { - listen {* prometheus_server_addr *}; + listen {* prometheus_server_addr *} reuseport; access_log off; @@ -578,7 +578,7 @@ http { {% if enabled_plugins["prometheus"] and prometheus_server_addr then %} server { - listen {* prometheus_server_addr *}; + listen {* prometheus_server_addr *} reuseport; access_log off; From e0cc7009aaabcc08becfff9594e6674e241034b6 Mon Sep 17 00:00:00 2001 From: Ashish Tiwari Date: Thu, 2 Oct 2025 17:49:43 +0530 Subject: [PATCH 14/16] chore: release 3.14 --- CHANGELOG.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 36d3c66e1595..b8a4eba23f9a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -164,7 +164,6 @@ title: Changelog ### Plugins -- feat: support OIDC claim validator [#11824](https://github.com/apache/apisix/pull/11824) - feat: support traffic split plugin for stream routes [#12630](https://github.com/apache/apisix/pull/12630) - feat: add ksuid algorithm on request-id plugin [#12573](https://github.com/apache/apisix/pull/12573) - feat: add fallback mechanism for specific error codes in ai-proxy-multi [#12571](https://github.com/apache/apisix/pull/12571) @@ -179,6 +178,7 @@ title: Changelog - feat: support limit-conn in workflow plugin [#12465](https://github.com/apache/apisix/pull/12465) - feat(datadog): Improve Datadog plugin tag support [#11943](https://github.com/apache/apisix/pull/11943) - feat: decoupled prometheus exporter's calculation and output [#12383](https://github.com/apache/apisix/pull/12383) +- feat: support OIDC claim validator [#11824](https://github.com/apache/apisix/pull/11824) - feat: add support for extra_headers in forward-auth plugin [#12405](https://github.com/apache/apisix/pull/12405) - feat: Add AIMLAPI provider support to AI plugins [#12379](https://github.com/apache/apisix/pull/12379) @@ -189,8 +189,8 @@ title: Changelog - docs: update note for API-drive standalone mode [#12612](https://github.com/apache/apisix/pull/12612) - docs: Improve chaitin-waf plugin docs and remove unintended highlights [#12608](https://github.com/apache/apisix/pull/12608) - docs: remove outdate dashboard doc [#12596](https://github.com/apache/apisix/pull/12596) -- docs: update apisix_upstream_response_time and request_llm_model in access log info [#12583](https://github.com/apache/apisix/pull/12583) -- docs: remove LLM variable in access log examples [#12503](https://github.com/apache/apisix/pull/12503) +- docs: update apisix-upstream_response_time and request_llm_model in access log info [#12583](https://github.com/apache/apisix/pull/12583) +- docs: remove LLM variable in access log examples - docs: update jwt-auth docs [#12450](https://github.com/apache/apisix/pull/12450) - docs: update rpm installation guide [#12460](https://github.com/apache/apisix/pull/12460) - docs: fix typo in credentials doc [#12434](https://github.com/apache/apisix/pull/12434) From bbcbac345ec47444131f2c2a990b579cce245274 Mon Sep 17 00:00:00 2001 From: Ashish Tiwari Date: Thu, 9 Oct 2025 12:17:40 +0530 Subject: [PATCH 15/16] fix lint --- ci/check_changelog_prs.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/check_changelog_prs.ts b/ci/check_changelog_prs.ts index dc7929557aa9..786719d4202b 100755 --- a/ci/check_changelog_prs.ts +++ b/ci/check_changelog_prs.ts @@ -51,7 +51,7 @@ const IGNORE_PRS = [ // 3.13.0 9945, 11420, 11765, 12036, 12048, 12057, 12076, 12122, 12123, 12168, 12199, 12218, 12225, 12272, 12277, 12300, 12306, 12329, 12353, 12364, 12375, 12358, //3.14.0 - 8772, 12655 + 8772 ]; From 2f8ebf8527cdc878afe30100077c471879a5c133 Mon Sep 17 00:00:00 2001 From: Ashish Tiwari Date: Tue, 14 Oct 2025 15:22:16 +0530 Subject: [PATCH 16/16] update dashboard commit --- .requirements | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.requirements b/.requirements index ebf9ef2ab67e..9e96f5679438 100644 --- a/.requirements +++ b/.requirements @@ -18,4 +18,4 @@ APISIX_PACKAGE_NAME=apisix APISIX_RUNTIME=1.3.2 -APISIX_DASHBOARD_COMMIT=70712bd33f55f7979d4cb73a898e9778e0fbfe8b +APISIX_DASHBOARD_COMMIT=39be363cdbc5395d3163572c532be95f3dbad03a