Merge branch 'apache:master' into feat/ssl_protocols

.github/workflows/build.yml

@@ -28,7 +28,6 @@ jobs:
           - ubuntu-20.04
         os_name:
           - linux_openresty
-          - linux_openresty_1_19
         test_dir:
           - t/plugin/[a-k]*
           - t/plugin/[l-z]*

.github/workflows/kubernetes-ci.yml

@@ -28,7 +28,6 @@ jobs:
           - ubuntu-20.04
         os_name:
           - linux_openresty
-          - linux_openresty_1_19
 
     runs-on: ${{ matrix.platform }}
     timeout-minutes: 15

.github/workflows/tars-ci.yml

@@ -28,7 +28,6 @@ jobs:
           - ubuntu-20.04
         os_name:
           - linux_openresty
-          - linux_openresty_1_19
 
     runs-on: ${{ matrix.platform }}
     timeout-minutes: 15

apisix/cli/ops.lua

@@ -258,7 +258,7 @@ Please modify "admin_key" in conf/config.yaml .
         util.die("can not find openresty\n")
     end
 
-    local need_ver = "1.19.3"
+    local need_ver = "1.21.4"
     if not version_greater_equal(or_ver, need_ver) then
         util.die("openresty version must >=", need_ver, " current ", or_ver, "\n")
     end

apisix/ssl/router/radixtree_sni.lua

@@ -185,6 +185,7 @@ function _M.match_and_set(api_ctx, match_only, alt_sni)
         for _, msni in ipairs(api_ctx.matched_sni) do
             if sni_rev == msni or not str_find(sni_rev, ".", #msni) then
                 matched = true
+                break
             end
         end
         if not matched then

ci/centos7-ci.sh

@@ -33,7 +33,7 @@ install_dependencies() {
 
     # install openresty to make apisix's rpm test work
     yum install -y yum-utils && yum-config-manager --add-repo https://openresty.org/package/centos/openresty.repo
-    yum install -y openresty openresty-debug openresty-openssl111-debug-devel pcre pcre-devel
+    yum install -y openresty-1.21.4.1 openresty-debug-1.21.4.1 openresty-openssl111-debug-devel pcre pcre-devel
 
     # install luarocks
     ./utils/linux-install-luarocks.sh

ci/redhat-ci.sh

@@ -32,7 +32,7 @@ install_dependencies() {
 
     # install openresty to make apisix's rpm test work
     yum install -y yum-utils && yum-config-manager --add-repo https://openresty.org/package/centos/openresty.repo
-    yum install -y openresty openresty-debug openresty-openssl111-debug-devel pcre pcre-devel xz
+    yum install -y openresty-1.21.4.1 openresty-debug-1.21.4.1 openresty-openssl111-debug-devel pcre pcre-devel xz
 
     # install luarocks
     ./utils/linux-install-luarocks.sh

conf/config-default.yaml

@@ -611,9 +611,34 @@ plugin_attr:          # Plugin attributes
                                                               # write access to this file for security.
 
 deployment:                    # Deployment configurations
-  role: traditional            # Set deployment mode: traditional, control_plane, data_plane.
+  role: traditional            # Set deployment mode: traditional, control_plane, or data_plane.
   role_traditional:
     config_provider: etcd      # Set the configuration center.
+
+    # role_data_plane:         # Set data plane details if role is data_plane.
+    #   config_provider: control_plane          # Set the configuration center: control_plane, or yaml.
+    #   control_plane:                          # Set control plane details if config_provider is control_plane.
+    #     host:                                 # Set the address of control plane.
+    #       - https://${control_plane_IP}:9280
+    #     prefix: /apisix                       # Set etcd prefix.
+    #     timeout: 30                           # Set timeout in seconds.
+    #   certs:
+    #     cert: /path/to/client.crt           # Set path to the client certificate.
+    #     cert_key: /path/to/client.key       # Set path to the client key.
+    #     trusted_ca_cert: /path/to/ca.crt    # Set path to the trusted CA certificate.
+
+    # role_control_plane:         # Set control plane details if role is control_plane.
+    #   config_provider: etcd     # Set the configuration center.
+    #   conf_server:
+    #     listen: 0.0.0.0:9280                # Set the address of the conf server.
+    #     cert: /path/to/server.crt           # Set path to the server certificate.
+    #     cert_key: /path/to/server.key       # Set path to the server key.
+    #     client_ca_cert: /path/to/ca.crt     # Set path to the trusted CA certificate.
+    # certs:
+    #   cert: /path/to/client.crt             # Set path to the client certificate.
+    #   cert_key: /path/to/client.key         # Set path to the client key.
+    #   trusted_ca_cert: /path/to/ca.crt      # Set path to the trusted CA certificate.
+
   admin:                       # Admin API
     admin_key_required: true   # Enable Admin API authentication by default for security.
     admin_key:
@@ -646,7 +671,7 @@ deployment:                    # Deployment configurations
   etcd:
     host:                         # Set etcd address(es) in the same etcd cluster.
       - "http://127.0.0.1:2379"   # If TLS is enabled for etcd, use https://127.0.0.1:2379.
-    prefix: /apisix               # Set prefix in etcd.
+    prefix: /apisix               # Set etcd prefix.
     use_grpc: false               # Use gRPC (experimental) for etcd configuration sync.
     timeout: 30                   # Set timeout in seconds.
                                   # Set a higher timeout (e.g. an hour) if `use_grpc` is true.

docs/en/latest/certificate.md

@@ -31,73 +31,51 @@ It is most common for an SSL certificate to contain only one domain. We can crea
 * `key`: PEM-encoded private key of the SSL key pair.
 * `snis`: Hostname(s) to associate with this certificate as SNIs. To set this attribute this certificate must have a valid private key associated with it.
 
-We will use the Python script below to simplify the example:
-
-```python title="create-ssl.py"
-#!/usr/bin/env python
-# coding: utf-8
-import sys
-# sudo pip install requests
-import requests
-
-if len(sys.argv) <= 3:
-    print("bad argument")
-    sys.exit(1)
-with open(sys.argv[1]) as f:
-    cert = f.read()
-with open(sys.argv[2]) as f:
-    key = f.read()
-sni = sys.argv[3]
-api_key = "edd1c9f034335f136f87ad84b625c8f1"
-resp = requests.put("http://127.0.0.1:9180/apisix/admin/ssls/1", json={
-    "cert": cert,
-    "key": key,
-    "snis": [sni],
-}, headers={
-    "X-API-KEY": api_key,
-})
-print(resp.status_code)
-print(resp.text)
-```
+We will use the shell command below to simplify the example:
 
 ```shell
 # create SSL object
-./create-ssl.py t.crt t.key test.com
+curl http://127.0.0.1:9180/apisix/admin/ssls/1 \
+-H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
+{
+     "cert" : "'"$(cat t/certs/apisix.crt)"'",
+     "key": "'"$(cat t/certs/apisix.key)"'",
+     "snis": ["test.com"]
+}'
 
 # create Router object
 curl http://127.0.0.1:9180/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -i -d '
 {
-    "uri": "/hello",
+    "uri": "/get",
     "hosts": ["test.com"],
     "methods": ["GET"],
     "upstream": {
         "type": "roundrobin",
         "nodes": {
-            "127.0.0.1:1980": 1
+            "httpbin.org": 1
         }
     }
 }'
 
 # make a test
 
-curl --resolve 'test.com:9443:127.0.0.1' https://test.com:9443/hello  -vvv
+curl --resolve 'test.com:9443:127.0.0.1' https://test.com:9443/hello -k -vvv
 * Added test.com:9443:127.0.0.1 to DNS cache
 * About to connect() to test.com port 9443 (#0)
 *   Trying 127.0.0.1...
 * Connected to test.com (127.0.0.1) port 9443 (#0)
-* Initializing NSS with certpath: sql:/etc/pki/nssdb
-* skipping SSL peer certificate verification
-* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
+* ALPN, server accepted to use h2
 * Server certificate:
-* 	subject: CN=test.com,O=iresty,L=ZhuHai,ST=GuangDong,C=CN
-* 	start date: Jun 24 22:18:05 2019 GMT
-* 	expire date: May 31 22:18:05 2119 GMT
-* 	common name: test.com
-* 	issuer: CN=test.com,O=iresty,L=ZhuHai,ST=GuangDong,C=CN
-> GET /hello HTTP/1.1
-> User-Agent: curl/7.29.0
+*   subject: C=CN; ST=GuangDong; L=ZhuHai; O=iresty; CN=test.com
+*   start date: Jun 24 22:18:05 2019 GMT
+*   expire date: May 31 22:18:05 2119 GMT
+*   issuer: C=CN; ST=GuangDong; L=ZhuHai; O=iresty; CN=test.com
+*   SSL certificate verify result: self-signed certificate (18), continuing anyway.
+> GET /get HTTP/2
 > Host: test.com:9443
-> Accept: */*
+> user-agent: curl/7.81.0
+> accept: */*
 ```
 
 ### wildcard SNI

docs/en/latest/config.json

@@ -26,11 +26,18 @@
       "items": [
         "tutorials/expose-api",
         "tutorials/protect-api",
-        "tutorials/observe-your-api",
+        {
+          "type": "category",
+          "label": "Observability",
+          "items": [
+            "tutorials/observe-your-api",
+            "tutorials/health-check",
+            "tutorials/monitor-api-health-check"
+          ]
+        },
         "tutorials/manage-api-consumers",
         "tutorials/cache-api-responses",
         "tutorials/add-multiple-api-versions",
-        "tutorials/health-check",
         "tutorials/client-to-apisix-mtls",
         "tutorials/websocket-authentication"
       ]

docs/en/latest/deployment-modes.md

@@ -97,9 +97,9 @@ deployment:
            prefix: /apisix
            timeout: 30
     certs:
-        cert: /path/to/ca-cert
-        cert_key: /path/to/ca-cert
-        trusted_ca_cert: /path/to/ca-cert
+        cert: /path/to/client.crt
+        cert_key: /path/to/client.key
+        trusted_ca_cert: /path/to/ca.crt
 #END
 ```
 
@@ -117,18 +117,18 @@ deployment:
         config_provider: etcd
         conf_server:
             listen: 0.0.0.0:9280
-            cert: /path/to/ca-cert
-            cert_key: /path/to/ca-cert
-            client_ca_cert: /path/to/ca-cert
+            cert: /path/to/server.crt
+            cert_key: /path/to/server.key
+            client_ca_cert: /path/to/ca.crt
     etcd:
        host:
            - https://${etcd_IP}:${etcd_Port}
        prefix: /apisix
        timeout: 30
     certs:
-        cert: /path/to/ca-cert
-        cert_key: /path/to/ca-cert
-        trusted_ca_cert: /path/to/ca-cert
+        cert: /path/to/client.crt
+        cert_key: /path/to/client.key
+        trusted_ca_cert: /path/to/ca.crt
 #END
 ```
 
@@ -143,15 +143,15 @@ deployment:
         config_provider: etcd
         conf_server:
             listen: 0.0.0.0:9280
-            cert: /path/to/ca-cert
-            cert_key: /path/to/ca-cert
+            cert: /path/to/server.crt
+            cert_key: /path/to/server.key
     etcd:
        host:
            - https://${etcd_IP}:${etcd_Port}
        prefix: /apisix
        timeout: 30
     certs:
-        trusted_ca_cert: /path/to/ca-cert
+        trusted_ca_cert: /path/to/ca.crt
 #END
 ```
 
@@ -434,3 +434,25 @@ upstreams:
     id: 1
 #END
 ```
+
+### How to configure protos
+
+```yaml
+protos:
+  - id: helloworld
+    desc: hello world
+    content: >
+      syntax = "proto3";
+      package helloworld;
+
+      service Greeter {
+        rpc SayHello (HelloRequest) returns (HelloReply) {}
+      }
+      message HelloRequest {
+        string name = 1;
+      }
+      message HelloReply {
+        string message = 1;
+      }
+#END
+```

docs/en/latest/plugins/api-breaker.md

@@ -108,9 +108,9 @@ HTTP/1.1 502 Bad Gateway
 </html>
 ```
 
-## Disable Plugin
+## Delete Plugin
 
-To disable the `api-breaker` Plugin, you can delete the corresponding JSON configuration from the Plugin configuration. APISIX will automatically reload and you do not have to restart for this to take effect.
+To remove the `api-breaker` Plugin, you can delete the corresponding JSON configuration from the Plugin configuration. APISIX will automatically reload and you do not have to restart for this to take effect.
 
 ```shell
 curl http://127.0.0.1:9180/apisix/admin/routes/1 \

docs/en/latest/plugins/authz-casbin.md

@@ -234,9 +234,9 @@ And only users with admin privileges can access the endpoints:
 curl -i http://127.0.0.1:9080/res -H 'user: alice' -X GET
 ```
 
-## Disable Plugin
+## Delete Plugin
 
-To disable the `authz-casbin` Plugin, you can delete the corresponding JSON configuration from the Plugin configuration. APISIX will automatically reload and you do not have to restart for this to take effect.
+To remove the `authz-casbin` Plugin, you can delete the corresponding JSON configuration from the Plugin configuration. APISIX will automatically reload and you do not have to restart for this to take effect.
 
 ```shell
 curl http://127.0.0.1:9180/apisix/admin/routes/1  -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '

docs/en/latest/plugins/authz-casdoor.md

@@ -89,9 +89,9 @@ After successfully logging in, Casdoor will redirect this user to the `callback_
 
 Once this is done, the user is redirected to the original URL they wanted to visit.
 
-## Disable Plugin
+## Delete Plugin
 
-To disable the `authz-casdoor` Plugin, you can delete the corresponding JSON configuration from the Plugin configuration. APISIX will automatically reload and you do not have to restart for this to take effect.
+To remove the `authz-casdoor` Plugin, you can delete the corresponding JSON configuration from the Plugin configuration. APISIX will automatically reload and you do not have to restart for this to take effect.
 
 ```shell
 curl http://127.0.0.1:9180/apisix/admin/routes/1  -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '

docs/en/latest/plugins/authz-keycloak.md

@@ -200,9 +200,9 @@ The image below shows how the policies are configured in the Keycloak server:
 
 ![Keycloak policy design](https://raw.githubusercontent.com/apache/apisix/master/docs/assets/images/plugin/authz-keycloak.png)
 
-## Disable Plugin
+## Delete Plugin
 
-To disable the `authz-keycloak` Plugin, you can delete the corresponding JSON configuration from the Plugin configuration. APISIX will automatically reload and you do not have to restart for this to take effect.
+To remove the `authz-keycloak` Plugin, you can delete the corresponding JSON configuration from the Plugin configuration. APISIX will automatically reload and you do not have to restart for this to take effect.
 
 ```shell
 curl http://127.0.0.1:9180/apisix/admin/routes/5 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '

docs/en/latest/plugins/aws-lambda.md

@@ -194,9 +194,9 @@ Server: APISIX/2.11.0
 "Hello, APISIX!"
 ```
 
-## Disable Plugin
+## Delete Plugin
 
-To disable the `aws-lambda` Plugin, you can delete the corresponding JSON configuration from the Plugin configuration. APISIX will automatically reload and you do not have to restart for this to take effect.
+To remove the `aws-lambda` Plugin, you can delete the corresponding JSON configuration from the Plugin configuration. APISIX will automatically reload and you do not have to restart for this to take effect.
 
 ```shell
 curl http://127.0.0.1:9180/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '

docs/en/latest/plugins/azure-functions.md

@@ -171,9 +171,9 @@ Server: APISIX/2.11.0
 Hello, APISIX
 ```
 
-## Disable Plugin
+## Delete Plugin
 
-To disable the `azure-functions` Plugin, you can delete the corresponding JSON configuration from the Plugin configuration. APISIX will automatically reload and you do not have to restart for this to take effect.
+To remove the `azure-functions` Plugin, you can delete the corresponding JSON configuration from the Plugin configuration. APISIX will automatically reload and you do not have to restart for this to take effect.
 
 ```shell
 curl http://127.0.0.1:9180/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '