Merge branch 'apache:master' into master

apache · Jan 7, 2025 · a0a86d3 · a0a86d3
2 parents 66fb79c + d4d99e7
commit a0a86d3
Show file tree

Hide file tree

Showing 96 changed files with 6,557 additions and 1,345 deletions.
diff --git a/.asf.yaml b/.asf.yaml
@@ -53,6 +53,10 @@ github:
           dismiss_stale_reviews: true
           require_code_owner_reviews: true
           required_approving_review_count: 3
+      release/3.11:
+        required_pull_request_reviews:
+          require_code_owner_reviews: true
+          required_approving_review_count: 3
       release/3.10:
         required_pull_request_reviews:
           require_code_owner_reviews: true

diff --git a/.gitignore b/.gitignore
@@ -56,7 +56,6 @@ uwsgi_temp
 proxy_temp
 fastcgi_temp
 client_body_temp
-utils/lj-releng
 utils/reindex
 *.etcd/
 t/lib/dubbo*/**/target/

diff --git a/.licenserc.yaml b/.licenserc.yaml
@@ -55,5 +55,6 @@ header:
     - '.luacheckrc'
     # Exclude file contains certificate revocation information
     - 't/certs/ocsp/index.txt'
+    - 'utils/lj-releng'
 
   comment: on-failure
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -23,6 +23,7 @@ title: Changelog
 
 ## Table of Contents
 
+- [3.11.0](#3110)
 - [3.10.0](#3100)
 - [3.9.0](#390)
 - [3.8.0](#380)
@@ -77,6 +78,33 @@ title: Changelog
 - [0.7.0](#070)
 - [0.6.0](#060)
 
+## 3.11.0
+
+### Change
+
+- remove JWT signing endpoint and no longer require a private key to be uploaded in the jwt-auth plugin. [#11597](https://github.com/apache/apisix/pull/11597)
+- rewrite hmac-auth plugin for usability [#11581](https://github.com/apache/apisix/pull/11581)
+
+### Plugins
+
+- allow configuring keepalive_timeout in splunk-logger [#11611](https://github.com/apache/apisix/pull/11611)
+- add plugin attach-consmer-label [#11604](https://github.com/apache/apisix/pull/11604)
+- ai-proxy plugin [#11499](https://github.com/apache/apisix/pull/11499)
+- ai-prompt-decorator plugin [#11515](https://github.com/apache/apisix/pull/11515)
+- ai-prompt-template plugin [#11517](https://github.com/apache/apisix/pull/11517)
+
+### Bugfixes
+
+- Fix: adjust the position of enums in pb_option_def [#11448](https://github.com/apache/apisix/pull/11448)
+- Fix: encryption/decryption for non-auth plugins in consumer [#11600](https://github.com/apache/apisix/pull/11600)
+- Fix: confusion when substituting ENV in config file [#11545](https://github.com/apache/apisix/pull/11545)
+
+### Core
+
+- support gcp secret manager [#11436](https://github.com/apache/apisix/pull/11436)
+- support aws secret manager [#11417](https://github.com/apache/apisix/pull/11417)
+- add credential resource and include `X-Consumer-Username`, `X-Credential-Identifier`, and `X-Consumer-Custom-ID` headers in requests to upstream services [#11601](https://github.com/apache/apisix/pull/11601)
+
 ## 3.10.0
 
 ### Change

diff --git a/Makefile b/Makefile
@@ -377,6 +377,15 @@ install: runtime
 	$(ENV_INSTALL) -d $(ENV_INST_LUADIR)/apisix/plugins/ai-proxy/drivers
 	$(ENV_INSTALL) apisix/plugins/ai-proxy/drivers/*.lua $(ENV_INST_LUADIR)/apisix/plugins/ai-proxy/drivers
 
+	$(ENV_INSTALL) -d $(ENV_INST_LUADIR)/apisix/plugins/ai-rag/embeddings
+	$(ENV_INSTALL) apisix/plugins/ai-rag/embeddings/*.lua $(ENV_INST_LUADIR)/apisix/plugins/ai-rag/embeddings
+	$(ENV_INSTALL) -d $(ENV_INST_LUADIR)/apisix/plugins/ai-rag/vector-search
+	$(ENV_INSTALL) apisix/plugins/ai-rag/vector-search/*.lua $(ENV_INST_LUADIR)/apisix/plugins/ai-rag/vector-search
+
+	# ai-content-moderation plugin
+	$(ENV_INSTALL) -d $(ENV_INST_LUADIR)/apisix/plugins/ai
+	$(ENV_INSTALL) apisix/plugins/ai/*.lua $(ENV_INST_LUADIR)/apisix/plugins/ai
+
 	$(ENV_INSTALL) bin/apisix $(ENV_INST_BINDIR)/apisix
 
 
@@ -429,7 +438,6 @@ compress-tar:
 	./apisix \
 	./bin \
 	./conf \
-	./apisix-$(VERSION)*.rockspec \
 	./apisix-master-0.rockspec \
 	LICENSE \
 	Makefile \

diff --git a/apisix-master-0.rockspec b/apisix-master-0.rockspec
@@ -47,7 +47,7 @@ dependencies = {
     "lua-resty-cookie = 0.2.0-1",
     "lua-resty-session = 3.10",
     "opentracing-openresty = 0.1",
-    "lua-resty-radixtree = 2.9.1",
+    "lua-resty-radixtree = 2.9.2",
     "lua-protobuf = 0.5.2-1",
     "lua-resty-openidc = 1.7.6-3",
     "luafilesystem = 1.7.0-2",
@@ -71,7 +71,6 @@ dependencies = {
     "ext-plugin-proto = 0.6.1",
     "casbin = 1.41.9-1",
     "inspect == 3.1.1",
-    "lualdap = 1.2.6-1",
     "lua-resty-rocketmq = 0.3.0-0",
     "opentelemetry-lua = 0.2-3",
     "net-url = 0.9-1",
@@ -82,7 +81,8 @@ dependencies = {
     "lua-resty-t1k = 1.1.5",
     "brotli-ffi = 0.3-1",
     "lua-ffi-zlib = 0.6-0",
-    "api7-lua-resty-aws == 2.0.1-1",
+    "api7-lua-resty-aws == 2.0.2-1",
+    "multipart = 0.5.9-1",
 }
 
 build = {

diff --git a/apisix/cli/config.lua b/apisix/cli/config.lua
@@ -216,6 +216,8 @@ local _M = {
     "body-transformer",
     "ai-prompt-template",
     "ai-prompt-decorator",
+    "ai-rag",
+    "ai-content-moderation",
     "proxy-mirror",
     "proxy-rewrite",
     "workflow",

diff --git a/apisix/cli/ops.lua b/apisix/cli/ops.lua
@@ -49,6 +49,9 @@ local str_find = string.find
 local str_byte = string.byte
 local str_sub = string.sub
 local str_format = string.format
+local string = string
+local table = table
+
 
 local _M = {}
 
@@ -502,17 +505,34 @@ Please modify "admin_key" in conf/config.yaml .
 
 
     if yaml_conf.apisix.ssl.ssl_trusted_certificate ~= nil then
-        local cert_path = yaml_conf.apisix.ssl.ssl_trusted_certificate
-        -- During validation, the path is relative to PWD
-        -- When Nginx starts, the path is relative to conf
-        -- Therefore we need to check the absolute version instead
-        cert_path = pl_path.abspath(cert_path)
+        local cert_paths = {}
+        local ssl_certificates = yaml_conf.apisix.ssl.ssl_trusted_certificate
+        for cert_path in string.gmatch(ssl_certificates, '([^,]+)') do
+            cert_path = util.trim(cert_path)
+            if cert_path == "system" then
+                local trusted_certs_path, err = util.get_system_trusted_certs_filepath()
+                if not trusted_certs_path then
+                    util.die(err)
+                end
+                table.insert(cert_paths, trusted_certs_path)
+            else
+                -- During validation, the path is relative to PWD
+                -- When Nginx starts, the path is relative to conf
+                -- Therefore we need to check the absolute version instead
+                cert_path = pl_path.abspath(cert_path)
+                if not pl_path.exists(cert_path) then
+                    util.die("certificate path", cert_path, "doesn't exist\n")
+                end
 
-        if not pl_path.exists(cert_path) then
-            util.die("certificate path", cert_path, "doesn't exist\n")
+                table.insert(cert_paths, cert_path)
+            end
         end
 
-        yaml_conf.apisix.ssl.ssl_trusted_certificate = cert_path
+        local combined_cert_filepath = yaml_conf.apisix.ssl.ssl_trusted_combined_path
+                                       or "/usr/local/apisix/conf/ssl_trusted_combined.pem"
+        util.gen_trusted_certs_combined_file(combined_cert_filepath, cert_paths)
+
+        yaml_conf.apisix.ssl.ssl_trusted_certificate = combined_cert_filepath
     end
 
     -- enable ssl with place holder crt&key

diff --git a/apisix/cli/schema.lua b/apisix/cli/schema.lua
@@ -209,6 +209,9 @@ local config_schema = {
                         ssl_trusted_certificate = {
                             type = "string",
                         },
+                        ssl_trusted_combined_path = {
+                            type = "string",
+                        },
                         listen = {
                             type = "array",
                             items = {

diff --git a/apisix/cli/util.lua b/apisix/cli/util.lua
@@ -24,6 +24,9 @@ local exit = os.exit
 local stderr = io.stderr
 local str_format = string.format
 local tonumber = tonumber
+local io = io
+local ipairs = ipairs
+local assert = assert
 
 local _M = {}
 
@@ -133,4 +136,54 @@ function _M.file_exists(file_path)
     return f ~= nil and close(f)
 end
 
+do
+    local trusted_certs_paths = {
+        "/etc/ssl/certs/ca-certificates.crt",                -- Debian/Ubuntu/Gentoo
+        "/etc/pki/tls/certs/ca-bundle.crt",                  -- Fedora/RHEL 6
+        "/etc/ssl/ca-bundle.pem",                            -- OpenSUSE
+        "/etc/pki/tls/cacert.pem",                           -- OpenELEC
+        "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem", -- CentOS/RHEL 7
+        "/etc/ssl/cert.pem",                                 -- OpenBSD, Alpine
+    }
+
+    -- Check if a file exists using Lua's built-in `io.open`
+    local function file_exists(path)
+        local file = io.open(path, "r")
+        if file then
+            file:close()
+            return true
+        else
+            return false
+        end
+    end
+
+    function _M.get_system_trusted_certs_filepath()
+        for _, path in ipairs(trusted_certs_paths) do
+            if file_exists(path) then
+                return path
+            end
+        end
+
+        return nil,
+            "Could not find trusted certs file in " ..
+            "any of the `system`-predefined locations. " ..
+            "Please install a certs file there or set " ..
+            "`lua_ssl_trusted_certificate` to a " ..
+            "specific file path instead of `system`"
+    end
+end
+
+
+function _M.gen_trusted_certs_combined_file(combined_filepath, paths)
+    local combined_file = assert(io.open(combined_filepath, "w"))
+    for _, path in ipairs(paths) do
+        local cert_file = assert(io.open(path, "r"))
+        combined_file:write(cert_file:read("*a"))
+        combined_file:write("\n")
+        cert_file:close()
+    end
+    combined_file:close()
+end
+
+
 return _M
diff --git a/apisix/consumer.lua b/apisix/consumer.lua
@@ -114,6 +114,7 @@ local function plugin_consumer()
                     local the_consumer = consumers:get(consumer_name)
                     if the_consumer and the_consumer.value then
                         consumer = core.table.clone(the_consumer.value)
+                        consumer.modifiedIndex = the_consumer.modifiedIndex
                         consumer.credential_id = get_credential_id_from_etcd_key(val.key)
                     else
                         -- Normally wouldn't get here:
@@ -125,6 +126,7 @@ local function plugin_consumer()
                     end
                 else
                     consumer = core.table.clone(val.value)
+                    consumer.modifiedIndex = val.modifiedIndex
                 end
 
                 -- if the consumer has labels, set the field custom_id to it.
@@ -137,7 +139,6 @@ local function plugin_consumer()
                 -- is 'username' field in admin
                 consumer.consumer_name = consumer.id
                 consumer.auth_conf = config
-                consumer.modifiedIndex = val.modifiedIndex
                 core.log.info("consumer:", core.json.delay_encode(consumer))
                 core.table.insert(plugins[name].nodes, consumer)
             end

diff --git a/apisix/control/v1.lua b/apisix/control/v1.lua
@@ -269,6 +269,11 @@ local function iter_add_get_routes_info(values, route_id)
         if new_route.value.upstream and new_route.value.upstream.parent then
             new_route.value.upstream.parent = nil
         end
+        -- remove healthcheck info
+        new_route.checker = nil
+        new_route.checker_idx = nil
+        new_route.checker_upstream = nil
+        new_route.clean_handlers = nil
         core.table.insert(infos, new_route)
         -- check the route id
         if route_id and route.value.id == route_id then
@@ -352,6 +357,11 @@ local function iter_add_get_services_info(values, svc_id)
         if new_svc.value.upstream and new_svc.value.upstream.parent then
             new_svc.value.upstream.parent = nil
         end
+        -- remove healthcheck info
+        new_svc.checker = nil
+        new_svc.checker_idx = nil
+        new_svc.checker_upstream = nil
+        new_svc.clean_handlers = nil
         core.table.insert(infos, new_svc)
         -- check the service id
         if svc_id and svc.value.id == svc_id then

diff --git a/apisix/core/config_etcd.lua b/apisix/core/config_etcd.lua
@@ -257,6 +257,11 @@ local function do_run_watch(premature)
         end
 
         local rev = tonumber(res.result.header.revision)
+        if rev == nil then
+            log.warn("receive a invalid revision header, header: ", inspect(res.result.header))
+            cancel_watch(http_cli)
+            break
+        end
         if rev > watch_ctx.rev then
             watch_ctx.rev = rev + 1
         end
@@ -284,7 +289,8 @@ local function run_watch(premature)
 
     local ok, err = ngx_thread_wait(run_watch_th, check_worker_th)
     if not ok then
-        log.error("check_worker thread terminates failed, retart checker, error: " .. err)
+        log.error("run_watch or check_worker thread terminates failed",
+                        " restart those threads, error: ", inspect(err))
     end
 
     ngx_thread_kill(run_watch_th)

diff --git a/apisix/core/config_util.lua b/apisix/core/config_util.lua
@@ -58,6 +58,10 @@ end
 -- or cancelled. Note that Nginx worker exit doesn't trigger the clean handler.
 -- Return an index so that we can cancel it later.
 function _M.add_clean_handler(item, func)
+    if not item.clean_handlers then
+        return nil, "clean handlers for the item are nil"
+    end
+
     if not item.clean_handlers._id then
         item.clean_handlers._id = 1
     end