API7 Enterprise Release Notes

3.8.3

Release Date: 2025-06-04

Features

Data Plane

• Supported the configuration of apisix.disable_upstream_healthcheck in conf/config.yaml to disable all health checks with a single switch.
• Optimized Prometheus performance by mitigating high memory consumption.
• Released API7 Ingress Controller 2.0.

Plugins

• Automatically inserted _meta into the schemas of custom plugins.

Dashboard

• Optimized the deployment process for ingress controller type of gateway groups.
• Added alert policy event trigger "license will expire".

Fixes

Data Plane

• Fixed issue: Occasional route matching error when reading body for GraphQL requests with post_arg.

Dashboard

• Fixed issue: Upgrade dependencies ramda to 0.30.1 and cross-spawn to 7.0.5 to avoid high-risk vulnerabilities.
• Fixed issue: The max-age field is displayed incorrectly when configuring the cors plugin details using the dashboard form.
• Fixed issue: After upgrading ADC from version 17.x to 19.x, the Dashboard continues displaying outdated configurations when multiple routes under the same service are updated simultaneously.
• Fixed issue: Unable to view plugin configurations within a service with the gateway:GetPublishedService or gateway:GetServiceTemplate permissions in the dashboard.
• Fixed issue: API7 Enterprise built-in plugins do not work properly when two custom plugins contain faulty code.
• Fixed issue: Kubernetes service discovery experiences performance issues with a high number of upstream nodes.
• Fixed issue: Headers have inconsistent casing. They are standardized to title case.

3.8.2

Release Date: 2025-05-19

Features

AI Plugins

• AI Proxy Multi
  • Added retry logic for 429/5xx response codes to improve request success rate.

AI Gateway

• Added support for reverse proxying AzureAI services.

Dashboard

• Supported CAS as an SSO login option for API7 Enterprise.

Fixes

Dashboard

• Fixed issue: Failed to update basic information of published services.
• Fixed issue: retry_timeout and retries cannot be edited in the stream service upstream.
• Fixed issue: Page crash when gateway instance is missing compatibility field.

Data Plane

• Fixed issue: Long startup time for standalone mode with large configuration files.
• Fixed issue: OAS Validator plugin incorrectly rejecting numbers between 1.11-1.19 with multipleOf: 0.01 rule.
• Fixed issue: AI Proxy plugin would accept invalid endpoint URLs (e.g. missing colon in "http//localhost").

3.8.1

Release Date: 2025-05-07

Features

Dashboard

• Specified the validity period of the gateway instance certificate when adding a gateway instance.
• Added a warning in the gateway instance list when the certificate is about to expire.
• Supported viewing the certificate renew method for gateway instances in the dashboard and generating new gateway instance certificates.

Fixes

Data Plane

• Fixed issue: Health checks do not work as expected when using TCP services, and requests are still forwarded to unhealthy upstream nodes.
• Fixed issue: High latency in gateway requests due to Redis service failures.
• Fixed issue: Error in determining the default value of llm_time_to_first_token in AI Gateway.

Plugins

• Removed the snowflake algorithm frome the request-id plugin due to potential risks.

Dashboard

• Fixed issue: The total bandwidth chart data on the monitoring page was inconsistent with Prometheus.
• Fixed issue: When forced publishing is enabled, modifications to the Route’s timeout and plugin configurations are not allowed in the published service.

3.8.0

Release Date: 2025-04-22

Features

Data Plane

• Supported using values from an array object within the user request body in routing conditions. While post_arg was already permitted in routing conditions, this update introduces support for array scenarios for the type field's location.
• Supported the recording of additional AI request context information within access logs.
• Supported adding a request type identifier to Prometheus metrics to collect more granular data on AI requests.

Plugins

• AI Proxy
  • Implemented new identifier fields logging and summaries for collecting LLM request and response content.
• AI Proxy Multi
  • Supported HTTP POST method for health checks.
  • Displayed a record at the warning log level if the fallback was triggered.
  • Implemented a new identifier field for collecting LLM request and response content.
• AI Aliyun Content Moderation
  • Added support for streaming (HTTP SSE) scenarios.
• AI Prompt Guard
  • Introduced new plugin.
• Kafka Logger
  • Supported reading the user request and response body content cached in ctx and pushing it to the specified Kafka service.

Dashboard

• Added detailed statistics for service name and route name in status code alert messages.
• Optimized plugin configuration: When configuring Traffic Split plugin on a service or route, verify that the upstream_id configured indeed belongs to the current service's upstreams.
• Aligned the upstream connection configuration field names with the API in published services.
• Introduced a form-based UI for CORS plugin configuration.

Fixes

Data Plane

• Fixed issue: When the upstream type was Kubernetes service discovery, nodes in health checks were not updated after node changes, resulting in many health check failure logs.
• Fixes issue: An error occurred when the shared_size parameter for Kubernetes service discovery was adjusted to 100m.#11857
• Fixed issue: APISIX/API7 Enterprise with Kubernetes discovery will fail after token file expires. #11779
• Fixed issue: After updating the prefix of Vault secret provider, the data plane continued to use the old configuration.

Dashboard

• Fixed issue: The retries field in the upstream was incorrectly set as required.
• Fixed issue: An error occurred on the published service page due to lack of service template permissions.
• Fixed issue: Updating the service discovery service name in published services did not take effect.
• Fixed issue: Creating multiple records with rapid clicks.
• Fixed issue: High database CPU utilization when using large scale of consumers.
• Optimized the wildcard configuration method for Permission Policy:
  • Wildcard configuration using * is now supported in authorization statements, with the same meaning as the current <.*>；
  • The asterisk * is restricted and not allowed in any resource ID fields to prevent authorization failures.

3.7.5

Release Date: 2025-05-19

Fixes

Dashboard

• Fixed issue: Failed to update basic information of published services.

Data Plane

• Fixed issue: Long startup time for standalone mode with large configuration files.
• Fixed issue: OAS Validator plugin incorrectly rejecting numbers between 1.11-1.19 with multipleOf: 0.01 rule.

3.7.4

Release Date: 2025-04-30

Features

Dashboard

• Specified the validity period of the gateway instance certificate when adding a gateway instance.
• Added a warning in the gateway instance list when the certificate is about to expire.
• Supported viewing the certificate renew method for gateway instances in the dashboard and generating new gateway instance certificates.

Fixes

Data Plane

• Fixed issue: Health checks do not work as expected when using TCP services, and requests are still forwarded to unhealthy upstream nodes.
• Fixed issue: High latency in gateway requests due to Redis service failures.
• Fixed issue: Error in determining the default value of llm_time_to_first_token in AI Gateway.

Plugins

• Removed the snowflake algorithm frome the request-id plugin due to potential risks.

Dashboard

• Fixed issue: The total bandwidth chart data on the monitoring page was inconsistent with Prometheus.
• Fixed issue: When forced publishing is enabled, modifications to the Route’s timeout and plugin configurations are not allowed in the published service.

3.7.3

Release Date: 2025-04-22

Fixes

Dashboard

• Fixed issue: High database CPU utilization when using large scale of consumers.
• Optimized the wildcard configuration method for Permission Policy:
  • Wildcard configuration using * is now supported in authorization statements, with the same meaning as the current <.*>；
  • The asterisk * is restricted and not allowed in any resource ID fields to prevent authorization failures.

3.7.2

Release Date: 2025-03-24

Fixes

Plugins

• OpenTelemetry
  • Fixed issue: A 404 response on the dynamic route /v2/:customerNumber results in an empty reported path.

Admin APIs

• Fixed issue: Resources lack consistent name and desc length enforcement up to 65535 characters, causing errors when users input valid long strings.

Dashboard

• Fixed issue: Users observe encrypted ciphertext, not their original plaintext input, for sensitive service and route fields after database storage.
• Fixed issue: Upon dashboard restart, the previously deleted default gateway group is erroneously regenerated.
• Fixed issue: Token name updates are not reflected in the notification area.

Dependencies

• Upgraded to Go 1.23.

3.7.1

Release Date: 2025-03-14

Fixes

Plugins

• OpenID Connect
  • Fixed issue: Cannot configuring verify issuer.
  • Fixed issue: Unable to validate audience claim. #11018.

3.7.0

Release Date: 2025-03-10

Features

Data Plane

• Reference Secrets in Kubernetes Secret: The secret provider now supports Kubernetes secrets. This allows you to reference sensitive values from Kubernetes secrets for use in SSL certificates, SSL private keys, consumer credentials, and various plugin configurations.

Plugins

• AI Rate Limiting
  • Introduced new AI plugin which enforces token-based rate limiting for requests sent to LLM services. It helps manage API usage by controlling the number of tokens consumed within a specified time frame, ensuring fair resource allocation and preventing excessive load on the service. It is often used with AI Proxy Multi plugin.
• AI Proxy
  • Supported openai-compatible provider.
  • Supported proxying embedding model APIs.
• AI Proxy Multi
  • Supported openai-compatible provider.
  • Supported bypassing upstream configuration when using the plugin.
  • Supported active health check.
  • Supported proxying embedding model APIs.

Dashboard

• Supported *referencing a specific secret from Kubernetes Secrets: See Reference a secret in Kubernetes Secrets for details.
• Added page size selector for all tables.
• Displayed the service ID and service template ID on the service page header, and the route ID and route template ID on the route page header.

Admin APIs

• Added Reference Secrets in Kubernetes Secret related APIs:
  • Get a Kubernetes secret provider on a gateway group.
  • Update a Kubernetes secret provider on a gateway group.
  • Delete a Kubernetes secret provider on a gateway group.

Fixes

Data Plane

• Fixed issue: Duplicated gateway instance IDs result in inaccurate CPU counts.

Dashboard

• Fixed issue: Alert email delivery failed due to an invalid From Name format in the SMTP server configuration.
• Fixed issue: Plugin metadata is not deleted when deleting the custom plugin.
• Fixed issue: The Skip Path Prefix field is not removed when manually adding a stream service.
• Fixed issue: The priority of route cannot be set to negative numbers.

3.6.1

Release Date: 2025-03-14

Fixes

Plugins

• Limit Count Advanced
  • Fixed issue: Intermittently experiences 500 errors during load testing.
• OpenID Connect
  • Fixed issue: The plugin does not support configuring verify issuer.

3.6.0

Release Date: 2025-02-26

Breaking Changes

• Removed service runtime configurations in service templates, for better template reuse across gateway groups. Existing service runtime configurations within service templates will be removed, but your published service configurations will remain unchanged. Furthermore, the publishing process is simplified and streamlined, with no service runtime configurations allowed during the process. See the renewed guide to publish service.

Features

Data Plane

• Supported the configuration of upstream mTLS: see Configure mTLS between API7 Enterprise and Upstream for more details.

Dashboard

• Supported Logged in with Email: API7 Enterprise dashboard now supports login using either username or email address with password. To use email for login or to receive notifications, please bind an email address to your user profile.
• Supported configuring mTLS for upstreams.
• Supported referencing environment variables for SSO connection information.
• Introduced a form-based UI for plugin configuration.
• Added Basic Authentication as an authentication option for Developer Portal credentials. If the API product allows multiple authentication types, any valid credential can be used.

Fixes

Data Plane

• Fixed issue: Race condition problem while update upstream.nodes.#11916.
• Fixed service discovery issue: Upstream original_nodes is not updated when fill_node_info structure after cloning the nodes table.#10722.

3.5.5

Release Date: 2025-03-14

Fixes

Plugins

• Limit Count Advanced
  • Fixed issue: Intermittently experiences 500 errors during load testing.
• OpenID Connect
  • Fixed issue: The plugin does not support configuring verify issuer.
  • Fixed issue: Unable to validate audience claim.#11018

3.5.4

Release Date: 2025-03-07

Fixes

Plugins

• Elasticsearch Logger
  • Fixed issue: The plugin cannot configuring the index to dynamically send data based on the current date in the plugin.

Dashboard

• Fixed issue: Re-publishing with a template can lead to the loss of upstream configurations.
• Fixed issue: The OpenAPI cache on the page failed to invalidate after a service was rebuilt with ADC.
• Optimized slow queries.

3.5.3

Release Date: 2025-02-18

Fixes

• Fixed issue: Alert email subject cannot contain variables.

3.5.2

Release Date: 2025-02-18

Fixes

Data Plane

• Fixed issue: Failed to enable the Log Rotate plugin.
• Fixed issue: Duplicate data may occasionally occur in gateway instances during the upgrade process, specifically when using MySQL databases.
• Fixed issue: Deletion of custom plugins may occasionally fail.
• Fixed issue: When the data plane reports metrics, it may occasional encounter 500 errors.

Plugins

• Proxy Rewrite
  • Fixed issue: Version compatibility issue with the plugin.

Admin API

• List all stream routes in a published service on a gateway group
  • Fixed issue: Response error.

Dashboard

• Fixed issue: Upgrading the dashboard before the DP Manager during a version upgrade can cause the DP Manager to restart continuously.

3.5.1

Release Date: 2025-02-06

Fixes

Plugins

• OpenTelemetry
  • Fixed issue: Cannot reporting request.url as route.url when the plugin reports dynamic routes /v2/:customerNumber.

Dashboard

• Fixed issue: Failed to configure the Azure SMTP server to send alert emails.

3.5.0

Release Date: 2025-01-27

Features

Data Plane

• Multiple Upstreams in a Service: For advanced scenarios such as canary deployments, blue-green deployments, or managing multiple clusters, a service can now utilize multiple upstreams. In such cases, a default upstream serves as the primary target for most requests, while other upstreams can be used for specific purposes, such as routing traffic to a canary deployment or a secondary cluster. See the renewed Configure Canary Traffic Shifting for details.

info

The old Canary Rule function is no longer available.

• Supported custom configuration of DP metrics label through Prometheus plugin metadata.
• Optimized performance of data plane Prometheus metrics reporting.
• [Beta] Configured mTLS for upstream. API support is currently available. Full support is coming soon.

Plugins

• OpenID Connect
  • Added redirect_after_logout_uri for plugin that do not have an end_session_endpoint.#10653
• Zipkin
  • Added Zipkin variable.#10361
• Proxy Rewrite
  • Supported miltiple regex pattern matching.#9194
  • Supported variable when rewrite header.#9112
• GRPC web
  • Supported configuring allow-headers.#10904
• Mocking
  • Supported adding headers.#9720
• OPA
  • Supported sending headers upstream returned by OPA.#9710
• HTTP Logger
  • Supported compressed responses in loggers.#10884
• Kafka Logger
  • Supported compressed responses in loggers.#10884
• RocketMQ Logger
  • Supported compressed responses in loggers.#10884
• Traffic Split
  • Supported HTTPs.#9115

Admin APIs

• Added Multiple Upstreams related APIs:
  • Create a upstream in a published service on a gateway group.
  • Update a upstream in a published service on a gateway group.
  • Patch a upstream in a published service on a gateway group.
  • List all upstreams in a published service on a gateway group.
  • Get a upstream in a published service on a gateway group.
  • Delete a upstream in a published service on a gateway group.
• Updated Published Service APIs due to the new feature:Configured mTLS for upstreams:
  • Create a published service on a gateway group
    • Added properties: client_certificate, ca_certificate, tls_verify.
  • Create a upstream in a published service on a gateway group
    • Added properties: client_certificate, ca_certificate, tls_verify.
  • Update published service(without publishing)
    • Added properties: client_certificate, ca_certificate, tls_verify.
  • Update a upstream in a published service on a gateway group
    • Added properties: client_certificate, ca_certificate, tls_verify.

Dashboard

• Multiple Upstreams in a Service: For advanced scenarios such as canary deployments, blue-green deployments, or managing multiple clusters, a service can now utilize multiple upstreams. In such cases, a default upstream serves as the primary target for most requests, while other upstreams can be used for specific purposes, such as routing traffic to a canary deployment or a secondary cluster. See the renewed Configure Canary Traffic Shifting for details.
• Prohibited new resource creation due to exceeding the License CPU limit.
• Added page size selection for API7 Portal dashboard pages.
• Supported both YAML/JSON format for plugin configurations.
• Improved UI for upstream health check configuration.
• Renamed Enable/Disable Plugin to Add/Delete Plugin for improved accuracy.

Fixes

Plugins

• Traffic Split
  • Fixed issue: LRU Cache object creation function causes client request exceptions.
• Limit Conn
  • Fixed issue: Report error attribute does not exist because using HTTP variable in stream mode.#9816
• Prometheus
  • Fixed issue: Even after the Prometheus plugin is disabled, all features related to Prometheus are not entirely shut down..#11117
• OpenID Connect
  • Fixed issue: The redirect_uri was set to ngx.var.request_uri if not configured and caused the underlying lua-resty-openidc module to raise error.#7690
• Zipkin
  • Fixed issue: Getting a nil value in log phase.#10666
• Proxy Rewrite
  • Fixed issue: Incompatibility problems arise from not setting ngx.var.uri.#9309
• Log Rotate
  • Fixed issue: The use of string.byte is less efficient than string.sub.#9984

3.4.2

Release Date: 2025-02-18

Fixes

Admin APIs

• List all stream routes in a published service on a gateway group
  • Fixed issue: Response error.

Dashboard

• Fixed issue: Upgrading the dashboard before the DP Manager during a version upgrade can cause the DP Manager to restart continuously.

3.4.1

Release Date: 2025-01-14

Fixes

Data Plane

• Fixed issue: Configuring access_log_format in DP and setting access_log_format_escape to json, the result will append an extra request_id.

Dashboard

• Fixed issue: Pasting the password failed when using BasicAuth authentication for online debugging in API7 Portal.

3.4.0

Release Date: 2025-01-07

Features

Data Plane

• SNI Management: Introduced SNI as a new mechanism for managing TLS and mTLS authentication and certificate matching. See Configure mTLS between Client and API7 Gateway for details.

Plugins

• OpenID Connect
  • Added authorization parameters.#10058
  • Added more attributes.#10591
  • Added required scopes configuration property.#10493
  • Added session.cookie configuration.#10919
  • Supported setting headers in introspection request.#11090
• Fault Injection
  • Supported header injection.#9039.
• Skywalking Logger
  • Supported $hostname in skywalking service_instance_name.#9401
  • Add option to include request body and response body in logger plugins.#10888
• Forward Auth
  • Added exception configuration status_on_error.#10898
  • Supported degradation.#9435.
• Elastic Search Logger
  • Added compatibility headers.#10828
  • Added option to include request body and response body in logger plugins.#10888
• Prometheus
  • Supported custom configuration of DEFAULT_BUCKETS.#9673
• CORS
  • Supported for the Timing-Allow-Origin header.#9365
• File Logger:
  • Added schema attribute definition for logger plugins.#10738
• HTTP Logger:
  • Added schema attribute definition for logger plugins.#10738
• Syslog
  • Added option to include request body and response body in logger plugins.#10888
• SLS Logger
  • Added option to include request body and response body in logger plugins.#10888
• TCP Logger
  • Added option to include request body and response body in logger plugins.#10888
• UDP Logger
  • Added option to include request body and response body in logger plugins.#10888
• Tencent Cloud CLS
  • Added schema attribute definition for logger plugins.#10738
  • Added option to include request body and response body in logger plugins.#10888

Admin APIs

• Added SNI related APIs:
  • Create a SNI.
  • Update a SNI on a gateway group.
  • List all SNIs on a gateway group.
  • Get a SNI on a gateway group.
  • Delete a SNI on a gateway group.

Dashboard

• API7 Portal Monitoring: Provided monitoring data and visualizations to track API Product metrics.
• Applied custom plugin configuration at the gateway group level. See Add Custom Plugin for details.

Fixes

Data Plane

• Fixed issue: Shared memory leak used by Redis delayed synchronization function.
• Fixed issue: Warn log when sending requests to external services insecurely.#11403

Plugins

• AI Proxy
  • Fixed issue: Query parameters from override.endpoint are not sent to LLM.
• OpenID Connect
  • Fixed issue: Not closing session and blocking until TTL expired when using lockable session storage backend.#10788
• Forward Auth
  • Fixed issue: Request body is too large.#10589
  • Fixed issue: Plugin does not work if the request is POST and authentication service API is GET.#11021
• GRPC Web:
  • Fixed issue: Receiving an error missing trailers.#10851
• GRPC Transcode
  • Fixed issue: The position of enumerations in pb_option_def is wrong.#11448

Dashboard

• Fixed issue: Audit log failed to record when publishing multiple services.

Dependencies

• Data plane upgraded to LuaJit 2.1-20240815.
• Removed grpc-client-nginx-module.

3.3.4

Release Date: 2025-02-18

Fixes

Admin APIs

• List all stream routes in a published service on a gateway group
  • Fixed issue: Response error.

Dashboard

• Fixed issue: Upgrading the dashboard before the DP Manager during a version upgrade can cause the DP Manager to restart continuously.

3.3.3

Release Date: 2025-01-14

Fixes

Data Plane

• Fixed issue: Configuring access_log_format in DP and setting access_log_format_escape to json, the result will append an extra request_id.

Dashboard

• Fixed issue: Pasting the password failed when using BasicAuth authentication for online debugging in API7 Portal.

3.3.2

Release Date: 2024-12-24

Fixes

Dashboard

• Fixed issue: Dashboard failed to start when upgrading from 3.2.16.2 or older version to 3.3.1 and higher version.

3.3.1

Release Date: 2024-12-19

Fixes

Data Plane

• Fixed issue: Plugins running in the rewrite phase will be executed repeatedly after hitting a consumer.

3.3.0

Release Date: 2024-12-17

Features

Data Plane

• Refactored an expiration and elimination mechanism in the data plane.

Plugins

• OpenID Connect
  • Synchronized the latest APISIX code.
• Datadog
  • Reported consumer username tag.#11354
• **Body Transformer
  • Supported content-type using x-www-form-urlencoded format and parsing uri parameters of get requests#10496
• OpenTelemetry
  • Added variables.#8871
• OpenID Connect
  • Added proxy_opts attribute.#9948

Dashboard

• Announced the General Availability (GA) of the API7 Portal, a comprehensive solution for API exposure and consumption. Explore the key concepts of the API Portal and Developers, and begin your journey towards productize services.
• Recorded request IDs in access logs and error logs.
• Added prompt in the alert history when an alert policy had not been configured with a notification channel.
• Supported integration with external Prometheus metrics.

Security

• Fixed the vulnerabilities from the CVE report.

Fixes

Data Plane

• Fixed issue: Data plane queries to the DPM for consumer errors, other than 404 errors, should not have been cached.

Plugins

• CORS
  • Fixed issue: The Access-Control-Expose-Headers response header will be overwritten.#11136.
• Body Transformer
  • Fixed issue: The input_format enumeration lacks a means to prevent body parsing and validation, leading to unnecessary warnings.#10862

Dashboard

• Fixed issue: After disabling the API7 integrated authentication, password login on the login page had been unavailable.
• Fixed issue: The plugin global rules search result is not accurate.

3.2.16.7

Release Date: 2024-12-13

Fixes

• Fixed issue: The DP Manager had entered an infinite loop when it received truncated Prometheus metrics.
• Fixed issue: Data plane synchronization with the control plane may have been disrupted due to an interrupted watch.
• Fixed issue: The Redis delayed synchronization function of the rate limiting plugin had not worked as expected for low-frequency requests.
• Fixed issue: The shared memory used by Limit Count Advanced plugin had been faulty.
• Fixed issue: radixtree_uri_with_parameter had been unable to match requests containing path parameters with special characters.
• Fixed issue: The remain value in Limit Count Advanced plugin sliding window should have been rounded down, and the reset value should have had two decimal places.

3.2.16.6

Release Date: 2024-11-25

Improvements

• The JWT Auth plugin supported key_claim_name.
• Added gateway group filtering to monitoring.

Fixes

• Fixed UI issues in alert pages.
• Fixed issue: Multiple data plane containers had been identified as a single instance in the control plane, which had impaired license control capabilities and some metric reporting display functions.
• Fixed issue: Audit logs failed to record when multiple services were published.
• Revised SSL certificate expiration alert condition text.
• Fixed issue: The health check had failed because the node IP address had not been updated.
• Added validation of the legitimacy of Lua code in plugins to the control plane codes.
• Added a record of error messages for sub-plugins to the Multi Auth plugin.
• Removed extra warning log in the Basic Auth plugin.
• Fixed the permission verification error of the secret providers when new credentials were added.
• Fixed issue: Added published service on gateway group had lacked the skip path prefix configuration item.

3.2.16.5

Release Date: 2024-11-21

Improvements

• Added multipart content type to body transformer.
• Adjusted resource ID length limit from 64 to 256.
• The workflow plugin has supported limit-count-advanced as an action.
• Refactored core.response.exit to clarify parameter definitions.
• Recorded the executed plugins in the request context to ensure that the same plugin had only been executed once when using the workflow plugin.

Fixes

• Fixed issue: Enabling the prefer_name option in the Prometheus plugin will cause the filters on the monitor page to malfunction.
• Fixed issue: When an anonymous consumer is matched, the x-consumer-custom-id header is not added to the request.
• Fixed issue: When configured together, the body transformer plugin and CORS plugin had caused errors with OPTIONS requests.
• Temporarily removed the sandbox mechanism in theexit transformer plugin.

3.2.16.4.1

Release Date: 2024-12-09

Fixes

• Fixed issue: The DP Manager had entered an infinite loop when it received truncated Prometheus metrics.
• Fixed issue: Data plane synchronization with the control plane may have been disrupted due to an interrupted watch.

3.2.16.4

Release Date: 2024-11-01

Features

Send Notification through Email

Alert policies can send notification through webhook and email at the same time by utilizing the new Contact Points. A Contact Point defines a set of email addresses or webhook URLs that can be used by multiple alert policies.

See Trigger Gateway Alerts for instruction.

note

Existing Webhook Templates will be migrated to new contact points and notifications, ensuring seamless transition and backward compatibility for alert policies.

Limit Count Advanced Plugin

Enhanced the open-source limit count plugin with a sliding window algorithm for more accurate rate limiting.

Exit Transformer Plugin

The exit-transformer plugin supports the customization of gateway responses based on the status codes, headers, and bodies returned from APISIX plugins. When configured as a global plugin, it also supports the response customization when a route that does not exist is requested.

Count Healthy Gateway Instances in a Gateway Group Through Alert Policy

If the number of healthy gateway instances in a gateway group falls below a critical threshold, it indicates potential service disruptions and impacts on traffic handling. This scenario is particularly relevant in Kubernetes deployments, where gateway instances may experience failures or be scaled down unexpectedly.

Create an alert policy for counting healthy gateway instances in a gateway group and send notifications to relevant personnel.

Utilized Expression Matching

Enable Expression Match in a route to match requests based on specific variables for greater precision, similar to nginx. Use expressions in the format [[var, operator, val], [var, operator, val], ...] to define matching criteria. Note that cookie name matching is case-sensitive.

See Expressions and lua-resty-expr for more details.

Security

• Added a status interface for self health checks on the data plane. For details, see enable data plane health check for high availability.

Improvements

• JWT Auth Plugin now supports more algorithm.
• Enriched more metrics in Grafana Dashboard Template.
• Allowed users to log in by pressing Enter.

Fixes

• Fixed issue: CORS Plugin expose_headers default value should not be *.
• Fixed issue: Successfully added first stream route when adding stream service.
• Fixed issue: max_req_body_bytes limit does not take effect in logger plugins.
• Fixed issue: Dynamic updates to rate limiting parameters in the Limit Count Plugin are now reflected in the data plane.
• Fixed issue: Services deleted via API are now consistently removed from the data plane.

3.2.16.3

Release Date: 2024-10-21

Features

Reference Secrets in AWS Secrets Manager

A secret object is a piece of sensitive information that needs to be protected from unauthorized access, while a secret provider object is used to set up integration with an external secret manager(HashiCorp Vault, AWS Secret Manager, etc.), so that API7 Gateway can establish connections and fetch secrets from the secret manager dynamically at runtime.

See Reference Secrets in AWS Secrets Manager for more details.

Anonymous Consumers for API authentication

An anonymous consumer does not need to authenticate, but can be restricted by rate limiting. You should configure anonymous consumers in authentication plugins on the service/route, then combined with rate limiting plugins.

For details, see the following documentation:

• Key Authentication
• Basic Authentication
• JWT Authentication
• HMAC Authentication
• Rate Limit with Anonymous Consumers

Security

• Added a status interface for self health checks on the data plane. For details, see enable data plane health check for high availability.

Improvements

• Supported for 2 million consumers.
• Sorted the consumer list by name.
• Removed conf_server from API7 gateway.
• Improved rate limiting related plugins to be more flexible, allowed for consumer-specific rate limits on a per-service/route basis. For details, see Limit Count Plugin and Limit Req Plugin.
• Advanced request & response transformation:
  • During request transformation, support passing Lua code to obtain values.
  • Aligned the capabilities of Kong's Request Transformation and Response Transformation.
• Displayed the total number of routes added in a service.
• Changed plugin list configuration from data plane to control plane. Not compatible with version under 3.2.15.0
• Added certificate expiration reminder in alert policies.
• Displayed a notification explaining the logout reason before redirecting to the login page due to multi-device login.
• Improved frontend page responsiveness and loading speed.
• Optimized the "Use Upstream Timeout" UI.
• Optimized API7 Portal(Beta) list page rendering speed.

Fixes

• Fixed issue: multiple paths can now be configured for a single route on the Dashboard.
• Fixed issue：the OpenTelemetry Plugin did not support set_ngx_var.
• Fixed issue: the ACL Plugin should not output warning logs during normal use.
• Enhanced data plane lua_ssl_trusted_certificate configuration item.
• Synchronized the Body Transformer Plugin code with the APISIX mainline version.
• Resolve issue: when a plugin that is not available to the stream module is configured on a service, the data plane prints error logs.
• Changed the Edit operation for Token to Edit Name.
• Resolve issue: when editing a service registry, the service discovery type does not match the form.

3.2.16.2

Release Date: 2024-10-11

Fixes

• Fixed the issue where plugin configuration updates in Consumer were not taking effect.

3.2.16.1

Release Date: 2024-10-04

Improvements

• Improved Developer Portal(Beta) performance.

Fixes

• Fixed panic issue in the radixtree_host_uri routing mode when deleting routes.
• Fixed incompatibility between custom authentication type plugins and the multi-auth plugin.

3.2.16.0

Release Date: 2024-09-30

Features

Reference Secrets in HashiCorp Vault

info

This is a breaking change. The secrets resource has been renamed to secret provider to align with best practices and facilitate integration with external secret management tools. All associated APIs have been updated accordingly.

A secret object is a piece of sensitive information that needs to be protected from unauthorized access, while a secret provider object is used to set up integration with an external secret manager(HashiCorp Vault, AWS Secret Manager, etc.), so that API7 Gateway can establish connections and fetch secrets from the secret manager dynamically at runtime.

See Reference Secrets in HashiCorp Vault for more details.

Improvements

• 【Breaking Change】Removed the JWT plugin's functionality for issuing tokens, and removed the ability to upload private keys. See JWT Plugin for details.
• Added support for deleting offline gateway instances.
• Added a sync_rate parameter to plugins that utilize Redis to control the frequency of counter synchronization with Redis. Real-time synchronization can put significant pressure on Redis.
• Supported accessing specific route detail pages via URL.
• Supported API online test for API7 Portal(Beta).
• UI Improvement: shorten the custom host input box.
• UI Improvement: change the load balancing algorithm dropdown to radio buttons.
• UI Improvement: new style for creating labels.

Fixes

• Fixed issue: the data plane failed to start due to an improperly cleaned config_listen.sock.
• Fixed issue: requests return a 404 error after disabling the service.
• Added keepalive_timeout configuration to splunk-hec-logging plugin.
• Removed whitespace before and after the delimiter after splitting consumer labels.
• Fixed issue: the Skywalking plugin cannot be restarted after being destroyed.
• Handled encryption and decryption correctly when non-authentication plugin configurations were applied to the consumer.
• Fixed issue: built-in permission policies should not be able to deleted.
• Fixed issue: ingress controller type gateway group should be able to delete.
• Fixed issue: data plane now supports / as a path prefix.
• Fixed UI issue: clicking on the label page jumps to the search bar.
• Fixed UI issue: after creating and deleting a token, the new token prompt does not disappear.
• Added Chinese translation for the plugin categories.
• Enlarged the plugin description text box to fully display the plugin's introduction.
• Fixed the issue where the new token prompt did not disappear after creating and deleting a token.

3.2.15.2.1

Release Date: 2024-12-09

Fixes

• Fixed issue: The DP Manager had entered an infinite loop when it received truncated Prometheus metrics.
• Fixed issue: Data plane synchronization with the control plane may have been disrupted due to an interrupted watch.

3.2.15.2

Release Date: 2024-09-19

Fixes

• Adjusted the attach-consumer-label plugin to execute in the before_proxy phase.

3.2.15.1

Release Date: 2024-09-18

Fixes

• Fixed issue: Using token to get instance_token returns 401.

3.2.15.0

Release Date: 2024-09-14

Features

Consumer Credentials

info

This is a breaking change. Creating new authentication plugins (key-auth, basic-auth, JWT-auth, or HMAC-auth) for consumers is no longer supported. Please use consumer credentials instead. Existing plugin configurations will remain accessible and editable until disabled.

Consumer credentials offer enhanced flexibility by allowing multiple credentials per consumer. They replace traditional authentication plugins like key-auth, basic-auth, JWT-auth, and HMAC-auth, providing a more user-friendly experience. See Manage Consumer Credentials for details.

Security

• The root user, admin, becomes a protected account that cannot be modified by roles, permission policies, or other users. It cannot be deleted or have its password reset by other users.

Improvements

• Sorted the service list alphabetically by name is now supported.
• Added gateway group ID to every audit log, so you can search or filter audit logs by gateway group.
• Recorded audit log for automatically deleted gateway instances that have been offline for more than 7 days.
• Supported filtering published services on a gateway group by label.
• Ensured control plane addresses do not end with a slash.
• Supported annotations in Helm.
• Provided configuration options to control the timeout for data plane heartbeat and telemetry requests, and adjust the default value to 30s.

Fixes

• Clarified the error message when a user logs in via SSO after SCIM is enabled, but the user does not exist in the system.
• Fixed the issue of failed canary configuration adjustments after modifying no version published service.

3.2.14.6

Release Date: 2024-08-28

Features

ARM Installation

Standardized ARM installation packages are available since version 3.2.14.6.

Security

• Fixed known CVE vulnerabilities.

Improvements

• Reduced installation image size through component optimization.
• Enabled mqtt-proxy plugin support for stream routes.
• Enhanced alert policy trigger conditions to include Allowed license CPU quota exceeded.

Fixes

• Wrote data plane certificate to a fixed local file.
• Fixed the issue of not being able to directly set the weight of the canary upstream to 100 when starting canary.
• Adjusted the order of custom plugins in the init_worker phase to avoid printing warning logs when the data plane restarts.
• Fixed UI display of blank route Methods when calling Admin API without methods.
• Fixed the issue where the route name length limit was 100 characters when synchronizing with ADC.
• Fixed the issue of alerts being sent even after the alert policy was disabled.

3.2.14.5.1

Release Date: 2024-12-09

Fixes

• Fixed issue: The DP Manager had entered an infinite loop when it received truncated Prometheus metrics.
• Fixed issue: Data plane synchronization with the control plane may have been disrupted due to an interrupted watch.

3.2.14.5

Release Date: 2024-08-20

Fixes

• Fixed a body validation bug in the response-rewrite plugin when body_base64 is set to false.

3.2.14.4.1

Release Date: 2024-12-09

Fixes

• Fixed issue: The DP Manager had entered an infinite loop when it received truncated Prometheus metrics.
• Fixed issue: Data plane synchronization with the control plane may have been disrupted due to an interrupted watch.

3.2.14.4

Release Date: 2024-08-14

Features

Override Upstream Timeout for Each Route

API7 Gateway offers granular control over request handling by enabling the configuration of distinct upstream timeouts for individual routes, to override the timeout configuration at the upstream side.

User Permission Boundary

Permissions boundaries define the maximum allowable permissions for a user, acting as a safeguard against excessive privilege escalation.

Security

• Upgraded frontend dependency.
• Ensured single device login - new login will revoke previous active sessions.
• Prohibited importing old license.
• Upgraded OpenResty version to fix security vulnerabilities.

Improvements

• Added service description in service hub list and published services list.
• Added "Connecting" status for service registry to avoid misunderstanding.
• Optimized custom plugin: Code Obfuscation and Encrypted Storage.
• Displayed a notification when using a test environment license.
• Implemented card-based UI for plugin management and modification.
• Supported configuration of custom plugin metadata.
• Minimized the image size of API7 Enterprise.

Fixes

• Fixed the issue of empty values for service runtime configuration parameters (e.g., host, path prefix) being lost when publishing a service version to a gateway group.
• Eliminated unnecessary audit log generation for dry-run license uploads.
• Fixed issue with incorrect route creation and modification timestamps.
• Fixed plugin metadata schema validation errors.
• Improved service search accuracy.
• Fixed issue with plugin loss during service template publishing.

3.2.14.3

Release Date: 2024-08-06

Fixes

• Supported referencing $env in SSL Certificates.
• Fixed UI instability when labels contained periods.
• Removed source code from frontend build artifacts.

3.2.14.2

Release Date: 2024-07-30

Fixes

• Fixed UI error for viewing Ingress Controller routes on the Dashboard.
• Fixed missing default Helm release name when installing gateway instance on Kubernetes.
• Enhanced Microsoft Entra ID (Azure AD) integration through ID token utilization.
• Fixed the issue that plugin inconsistencies may occur between service templates and published gateway groups.

3.2.14.1

Release Date: 2024-07-22

Improvements

Import OpenAPI to Create Service on Gateway Group

Simply import your OpenAPI specification directly into a gateway group to have your new service and all its routes ready.

Unveiling Granular Access Control with API7 Portal

Leverage custom roles and permission policies for granular control over access to API Products.

Security

• Control plane address must be HTTPs.
• Removed the use of ngx.req.get_post_args(0), use the default value instead to avoid potential attacks.
• Regenerate Ingress Controller deployment scripts now requires second confirmation.

Managing Published Service Basics without Versioning

Service name/description/labels now can be modified without publishing a new version.

First Route Creation During Service Setup

Allowing you to define the initial route right from the start. This eliminates the need for a separate step and simplifies your workflow.

Fixes

• Merged datadog plugin fix(https://github.com/apache/apisix/pull/11354) to API7 Enterprise.
• Fixed the issue of DP being invisible on the console.
• Fixed an issue: service registry status was always displayed as "disconnected" after changing the Prometheus data reporting method from remote-write to scrape.
• Fixed issue: Data plane encountered errors after deploying a custom plugin through the Dashboard.
• Fixed UI issue: you can not modify upstream of published service on a Ingress Controller gateway group.
• Wrong notification: When switching to Nodes, even if health checks are enabled, the prompt for users to enable health checks still exists.
• Fixed issue: When uploading a custom plugin, if there is a parsing error, the plugin name displayed in the error message does not match the actual file name.

3.2.14.0

Release Date: 2024-07-08

Features

Brand Access Control

info

This is a breaking change. Roles from older versions can not be kept.

API7 Enterprise moves beyond traditional role-based permissions, adopting a permission policy architecture for granular access control through reusable policies assigned to roles. See roles and permission policies

Improvements

Configure Priority for Routes

In specific scenarios, you can configure same routes within two different services. With priority determining which route handles the request. The route with a higher assigned priority will be used first.

Harden mTLS Certificate Security

Improved following issues:

• Overly Long Certificate: The certificate string is too long and should be shortened.
• Unnecessary Tokens: The certificate contains unnecessary tokens that should be removed.
• Shared CA: Using the same Certificate Authority (CA) for multiple certificates is insecure.
• Mismatched Certificate Handling: When a certificate mismatch occurs, the handshake should immediately fail, rejecting the client's request instead of proceeding with further validation.

Include Parameter lua_shared_dict in API7 Helm Chart

Introduced new parameter to Helm chart.

Fixes

• Upgrading from older version may cause missing upstream data or 404 errors.
• UI error encountered during service request URL update.
• Fixed Developer Portal library issue.
• Fixed HTTP logger plugin memory leak.
• Frontend and backend password policies are inconsistent.
• The data-mask plugin reports an error when the GET request does not match any route.
• The status field of the ApisixUpstream CRD is recorded incorrectly
• Data Plane supports configuring the reporting interval for monitoring data.
• Fixed warning logs after configuring plugin metadata.
• Fixed plugin reload issue.
• Reduced the number of PostgreSQL connections.
• Optimized frontend resource consumption.
• Removed trailing dot in FQDN.
• Plugin Metadata should be able to be deleted.

3.2.11.8

Release Date: 2024-06-26

Fixes

• Reduced API latency by minimizing etcd calls.
• Kine database connection pool configuration can function normally.

3.2.11.7

Release Date: 2024-06-24

Fixes

• Improve API performance.
• Data Plane supports disabling telemetry data collection and configuring reporting intervals.
• Custom plugins can function even without a schema definition.

3.2.11.6

Release Date: 2024-06-24

Fixes

• Large data sets no longer cause etcd range API error.

3.2.13.0

Release Date: 2024-06-19

Admin API Breaking Changes

1. The service template API has been migrated to the "/api/services/template" path prefix.

• Service template APIs
• Route template APIs

2. The original "/apisix/admin/services" endpoint now requires the gateway_group_id parameter.

• Service APIs on the gateway group
• Route APIs on the gateway group

Features

Create/Update Service on Gateway Group without Publishing

If version control is not your requirement, you can now directly create services on the gateway group. These services become active immediately, eliminating the need for a separate publishing step. This simplifies the deployment process and saves you time.

However, it is important to consider the trade-off involved. By bypassing the publishing stage, you also lose the ability to easily roll back to a previous version or track the version changes.

See the latest starter tutorial for details: Launch your first API.

Integrate with Ingress Controller(UI Support)

API7 Gateway officially introduces Ingress Controllers, a new type of gateway group. While the dashboard offers convenient management for creating and viewing your Ingress Controller, configuration modifications require to declarative way for any configuration changes.

Improvement

Search for Gateway Group Name and Filter by Labels

Makes it easier to find the specific gateway group you are looking for within the gateway group list.

Secure Sensitive Data in Configuration File

The database's DSN configuration (including access address, username, and password) can be configured through environment variables and Helm chart.

Support Prometheus Authentication

Prometheus remote write now supports Basic Auth/mTLS.

Support Secret Feature for SSL Variables

Secure ssl.certs and ssl.keys with encrypted secrets.

Fixes

• The ctx.var variable will be updated promptly after setting headers.
• Duplicate SSL certificates cannot be uploaded.

3.2.11.5

Release Date: 2024-06-18

Fixes

• The ssl_verify configuration now works fine for the Login Option OIDC and LDAP protocols.

3.2.11.4

Release Date: 2024-06-07

Fixes

• Protect sensitive fields within the login options related to API.

3.2.12.0

Release Date: 2024-05-24

Admin API Breaking Changes

1. The "service status" field has been changed from "0: enabled, 1: disabled" to "0: disabled, 1: enabled".

• Publish a service
• Update service runtime configurations by ID
• Get all published services in Gateway Group

2. The "ID" field has been removed from the consumer API. Queries and deletions are now performed using "gateway group ID" and "username".

• Consumers APIs

3. SSL-related APIs now require the "gateway group ID" parameter.

• SSL APIs

Features

Stream Route

API7 Gateway extends beyond API management. It can also handle Layer 4 (L4) traffic, like database or Kafka connections. Add a stream service and several stream routes to Proxy TCP Traffic.

Custom Role (UI Support)

Design your own custom roles with granular permission control. See Add Custom Role.

Ingress Controller (Beta, API Support Only)

Integrate with Ingress Controller.

Improvement

Optimize Left Navigation Menu

• Users will now see the gateway group menu as the primary landing page.
• Change the Service menu item to Service Hub.

Fixes

• Avoid duplicate API keys when using key-auth plugin.
• Enable allowlist and denylist at the same time in ua-restriction plugin.
• Reset the password without expiring the access token.
• Labels can be up to 64 characters long and include spaces.
• Validate the configuration of loggly plugin successfully.
• Force configuration synchronization to the data plane, even with schema validation errors. This prevents data loss and ensures uninterrupted workflow.
• The meaning of API7 Gateway service status is consistent with the corresponding field in Apache APISIX.

3.2.11.3

Release Date: 2024-05-20

Fixes

• etcd watch can pass SNI correctly.
• API7 Enterprise will attempt to create a database automatically. If permission issues arise, it will launch using a pre-configured database provided by the user, preventing installation failure.

3.2.11.2

Release Date: 2024-05-20

Fixes

• Labels can be up to 64 characters long and include spaces.
• Force configuration synchronization to the data plane, even with schema validation errors. This prevents data loss and ensures uninterrupted workflow.

3.2.11.1

Release Date: 2024-05-08

Features

SSO Role Mapping

This automated role mapping eliminates the need for manual role assignment by Super Admins. Users who satisfy the defined key-value mapping rules will be automatically assigned the corresponding roles upon login. For details, see Set Role Mapping.

SCIM Provisioning

Streamline your identity management with SCIM Provisioning. It automatically synchronizes user data from your Identity Provider, ensuring consistent and effortless user management. For details, see Sync User Data from IdP.

Custom Role (Beta, API Support Only)

Design your own custom roles with granular permission control. UI support coming soon.

Improvement

Upgrade to OpenSSL 3

Improved Security, Performance, and Availability.

Plugin Global Rules Ordering

To streamline the management of global rules, API7 Enterprise merges multiple rules into a single rule, ensuring that plugin configurations are unique within each rule.

Fixes

Settings Modal Add HTTP Protocol Detection

Not properly detecting whether HTTP or HTTPS is required, leading to errors when deploying gateway instances using the given script.

Error Uploading SSL Certificate

An issue exists where uploading an SSL certificate intended for gateway group A may inadvertently assign it to gateway group B.

Support Host Level Dynamic Setting of TLS Protocol Version

Incorporated the fix from the resolved Apache APISIX issue.

3.2.10.1

Release Date: 2024-04-28

Features

Support MySQL 5.7

API7 Enterprise now supports MySQL 5.7.

3.2.10.0

Release Date: 2024-04-22

Breaking Changes

Bind Token with User

Tokens are bound to specific users and share the same permissions. When the user is deleted, the associated token will also be deleted.

3.2.9.5

Release Date: 2024-04-16

Features

Upstream mTLS(API Support Only)

API7 Enterprise now supports mutual TLS (mTLS) authentication between the gateway and upstream services. mTLS is a form of communication security that requires both parties to present certificates to each other. This ensures that both parties are who they claim to be and that the data transmitted between them is encrypted. UI support coming soon.

3.2.9.4

Release Date: 2024-04-07

Fixes

Assessment of CPU Core Limitations

Fixed the issue that occurs when the maximum number of CPU cores is reached.

3.2.9.3

Release Date: 2024-04-03

Features

Integrate with Vault (Beta)

You can store sensitive data securely in your Vault. Admin API support is available; UI support coming soon.

3.2.9.2

Release Date: 2024-04-01

Features

Support SAML SSO Login

API7 Enterprise supports Single Sign-On (SSO) with SAML implementations. For details about how to configure SAML SSO login method, see configure SSO with SAML.

Plugin: Data Mask

The data-mask plugin provides the capability to remove or replace sensitive information in request headers, request bodies, and URL queries. Learn more about Data Mask.

Feature Enhancements

Skip Path Prefix

You can opt to skip the path prefix when sending requests to the upstream. This adjustment is imperceptible to users and may be useful when using different path prefixes to identify APIs sent to different gateway groups.

Better Health Check Configuration UI

Introduced a user-friendly and intuitive UI for your health check configuration in upstreams.

Upgraded Encryption Algorithm

Upgraded from AES128 to AES256 algorithm.

Performance Improvement

Eliminated the impact caused by disabling plugins.

3.2.9.1

Release Date: 2024-03-19

Features

Support Add Custom Plugin

API7 Enterprise now allows you to build custom plugins to add extra functionalities and manage API traffic with custom flow. See how to Add Custom Plugin

Support OIDC SSO Login

API7 Enterprise supports Single Sign-On (SSO) with OIDC implementations. For details about how to configure the LDAP SSO login method, see configure SSO with LDAP.

Use Service Labels as API Provider Scope

By assigning service labels as the scope for an API Provider, you can grant them access to all services with a specific label. It will help reduce the workload of the Super Admin. Typically, services can be grouped using a 'Department' label. Thus, users from that department will be able to access all services belonging to that department.

3.2.8.1

Release Date: 2024-02-08

Features

Support Nacos Service Discovery

API7 Enterprise uses service discovery to automatically detect available upstream services, keeping their addresses in a database (called a service registry). Therefore, an API gateway can always fetch the latest list of upstream addresses through the service registry, ensuring all requests are forwarded to healthy upstream nodes.

In this release, API7 Enterprise supports integrating with Nacos service discovery, which can be used to publish services and synchronize services between gateway groups.

Support LDAP SSO Login

API7 Enterprise supports Single Sign-On (SSO) with LDAP implementations. Integrating API7 Enterprise with LDAP enables you to log your LDAP users into API7 Enterprise as part of API7 Enterprise' SSO infrastructure. For details about how to configure the LDAP SSO login method, see configure SSO with LDAP.

Support Adding Gateway Instances using Kubernetes

A gateway instance is a single proxy that handles traffic. In this release, API7 Enterprise supports adding gateway instances to a gateway group using Kubernetes. For details, see add gateway instances.