API7 Enterprise Release Notes

Version 3.2.16.4

Release Date: 2024-11-01

New Features

Send Notification through Email

Alert policies can send notifications through webhook and email at the same time by using the new Contact Points. A Contact Point defines a set of email addresses or webhook URLs that can be used by multiple alert policies.

See Trigger Gateway Alerts for instructions.

Note: Existing Webhook Templates will be migrated to new contact points and notifications, ensuring a seamless transition and backward compatibility for alert policies.

New Limit Count Advanced Plugin

Enhanced the open-source limit count plugin with a sliding window algorithm for more accurate rate limiting.

New Exit Transformer Plugin

The exit-transformer plugin supports the customization of gateway responses based on the status codes, headers, and bodies returned from APISIX plugins. When configured as a global plugin, it also supports the response customization when a route that does not exist is requested.

Count Healthy Gateway Instances in a Gateway Group Through Alert Policy

If the number of healthy gateway instances in a gateway group falls below a critical threshold, it indicates potential service disruptions and impacts on traffic handling. This scenario is particularly relevant in Kubernetes deployments, where gateway instances may experience failures or be scaled down unexpectedly.

Create an alert policy for counting healthy gateway instances in a gateway group and send notifications to relevant personnel.

Utilized Expression Matching

Enable Expression Match in a route to match requests based on specific variables for greater precision, similar to nginx. Use expressions in the format [[var, operator, val], [var, operator, val], ...] to define matching criteria. Note that cookie name matching is case-sensitive.

See Expressions and lua-resty-expr for more details.

Security

Improvements

Bug Fixes

  • Resolved issue: CORS Plugin expose_headers default value should not be *.
  • Resolved issue: Successfully added first stream route when adding stream service.
  • Resolved issue: max_req_body_bytes limit does not take effect in logger plugins.
  • Resolved issue: Dynamic updates to rate limiting parameters in the Limit Count Plugin are now reflected in the data plane.
  • Resolved issue: Services deleted via API are now consistently removed from the data plane.

Version 3.2.16.3

Release Date: 2024-10-21

New Features

Reference Secrets in AWS Secrets Manager

A secret object is a piece of sensitive information that needs to be protected from unauthorized access, while a secret provider object is used to set up integration with an external secret manager (HashiCorp Vault, AWS Secrets Manager, etc.), so that API7 Gateway can establish connections and fetch secrets from the secret manager dynamically at runtime.

See Reference Secrets in AWS Secrets Manager for more details.

Anonymous Consumers for API authentication

An anonymous consumer does not need to authenticate, but can be restricted by rate limiting. Configure anonymous consumers in authentication plugins on the service/route, then combine them with rate limiting plugins.

For details, see the following documentation:

Security

Improvements

  • Added support for 2 million consumers.
  • Sorted the consumer list by name.
  • Removed conf_server from API7 gateway.
  • Made rate limiting plugins more flexible by allowing consumer-specific rate limits on a per-service/route basis. For details, see Limit Count Plugin and Limit Req Plugin.
  • Advanced request & response transformation:
    • During request transformation, support passing Lua code to obtain values.
    • Aligned the capabilities of Kong's Request Transformation and Response Transformation.
  • Displayed the total number of routes added in a service.
  • Changed plugin list configuration from data plane to control plane. Not compatible with versions below 3.2.15.0.
  • Added certificate expiration reminder in alert policies.
  • Displayed a notification explaining the logout reason before redirecting to the login page due to multi-device login.
  • Improved frontend page responsiveness and loading speed.
  • Optimized the "Use Upstream Timeout" UI.
  • Optimized API7 Portal (Beta) list page rendering speed.

Bug Fixes

  • Resolved issue: multiple paths can now be configured for a single route on the Dashboard.
  • Resolved issue: the OpenTelemetry Plugin did not support set_ngx_var.
  • Resolved issue: the ACL Plugin should not output warning logs during normal use.
  • Enhanced data plane lua_ssl_trusted_certificate configuration item.
  • Synchronized the Body Transformer Plugin code with the APISIX mainline version.
  • Resolved issue: when a plugin that is not available to the stream module is configured on a service, the data plane prints error logs.
  • Changed the Edit operation for Token to Edit Name.
  • Resolved issue: when editing a service registry, the service discovery type does not match the form.

Version 3.2.16.2

Release Date: 2024-10-11

Bug Fixes

  • Fixed the issue where plugin configuration updates in Consumer were not taking effect.

Version 3.2.16.1

Release Date: 2024-10-04

Improvements

  • Improved Developer Portal (Beta) performance.

Bug Fixes

  • Resolved panic issue in the radixtree_host_uri routing mode when deleting routes.
  • Resolved incompatibility between custom authentication type plugins and the multi-auth plugin.

Version 3.2.16.0

Release Date: 2024-09-30

New Features

Reference Secrets in HashiCorp Vault

Info: This is a breaking change. The secrets resource has been renamed to secret provider to align with best practices and facilitate integration with external secret management tools. All associated APIs have been updated accordingly.

A secret object is a piece of sensitive information that needs to be protected from unauthorized access, while a secret provider object is used to set up integration with an external secret manager (HashiCorp Vault, AWS Secrets Manager, etc.), so that API7 Gateway can establish connections and fetch secrets from the secret manager dynamically at runtime.

See Reference Secrets in HashiCorp Vault for more details.

Improvements

  • [Breaking Change] Removed the JWT plugin's functionality for issuing tokens, and removed the ability to upload private keys. See JWT Plugin for details.
  • Added support for deleting offline gateway instances.
  • Added a sync_rate parameter to plugins that utilize Redis to control the frequency of counter synchronization with Redis. Real-time synchronization can put significant pressure on Redis.
  • Supported accessing specific route detail pages via URL.
  • Supported API online test for API7 Portal (Beta).
  • UI Improvement: shorten the custom host input box.
  • UI Improvement: change the load balancing algorithm dropdown to radio buttons.
  • UI Improvement: new style for creating labels.

Bug Fixes

  • Fixed issue: the data plane failed to start due to an improperly cleaned config_listen.sock.
  • Fixed issue: requests return a 404 error after disabling the service.
  • Added keepalive_timeout configuration to splunk-hec-logging plugin.
  • Removed whitespace before and after the delimiter after splitting consumer labels.
  • Fixed issue: the Skywalking plugin cannot be restarted after being destroyed.
  • Handled encryption and decryption correctly when non-authentication plugin configurations were applied to the consumer.
  • Fixed issue: built-in permission policies should not be deletable.
  • Fixed issue: ingress controller type gateway groups should be deletable.
  • Fixed issue: data plane now supports / as a path prefix.
  • Fixed UI issue: clicking on the label page jumps to the search bar.
  • Fixed UI issue: after creating and deleting a token, the new token prompt does not disappear.
  • Added Chinese translation for the plugin categories.
  • Enlarged the plugin description text box to fully display the plugin's introduction.
  • Fixed the issue where the new token prompt did not disappear after creating and deleting a token.

Version 3.2.15.2

Release Date: 2024-09-19

Bug Fixes

  • Adjusted the attach-consumer-label plugin to execute in the before_proxy phase.

Version 3.2.15.1

Release Date: 2024-09-18

Bug Fixes

  • Resolved issue: Using token to get instance_token returns 401.

Version 3.2.15.0

Release Date: 2024-09-14

New Features

Consumer Credentials

Info: This is a breaking change. Creating new authentication plugins (key-auth, basic-auth, JWT-auth, or HMAC-auth) for consumers is no longer supported. Please use consumer credentials instead. Existing plugin configurations will remain accessible and editable until disabled.

Consumer credentials offer enhanced flexibility by allowing multiple credentials per consumer. They replace traditional authentication plugins like key-auth, basic-auth, JWT-auth, and HMAC-auth, providing a more user-friendly experience. See Manage Consumer Credentials for details.

Security

  • The root user, admin, becomes a protected account that cannot be modified by roles, permission policies, or other users. It cannot be deleted or have its password reset by other users.

Improvements

  • Sorting the service list alphabetically by name is now supported.
  • Added gateway group ID to every audit log, so you can search or filter audit logs by gateway group.
  • Recorded audit log for automatically deleted gateway instances that have been offline for more than 7 days.
  • Supported filtering published services on a gateway group by label.
  • Ensured control plane addresses do not end with a slash.
  • Supported annotations in Helm.
  • Provided configuration options to control the timeout for data plane heartbeat and telemetry requests, and adjusted the default value to 30s.

Bug Fixes

  • Clarified the error message when a user logs in via SSO after SCIM is enabled, but the user does not exist in the system.
  • Fixed the issue of failed canary configuration adjustments after modifying a service published without a version.

Version 3.2.14.6

Release Date: 2024-08-28

New Features

ARM Installation

Standardized ARM installation packages are available since version 3.2.14.6.

Security

  • Resolved known CVE vulnerabilities.

Improvements

  • Reduced installation image size through component optimization.
  • Enabled mqtt-proxy plugin support for stream routes.
  • Enhanced alert policy trigger conditions to include Allowed license CPU quota exceeded.

Bug Fixes

  • Wrote data plane certificate to a fixed local file.
  • Fixed the issue of not being able to directly set the weight of the canary upstream to 100 when starting canary.
  • Adjusted the order of custom plugins in the init_worker phase to avoid printing warning logs when the data plane restarts.
  • Fixed UI display of blank route Methods when calling Admin API without methods.
  • Fixed the issue where the route name length limit was 100 characters when synchronizing with ADC.
  • Fixed the issue of alerts being sent even after the alert policy was disabled.

Version 3.2.14.5

Release Date: 2024-08-20

Bug Fixes

  • Fixed a body validation bug in the response-rewrite plugin when body_base64 is set to false.

Version 3.2.14.4

Release Date: 2024-08-14

New Features

Override Upstream Timeout for Each Route

API7 Gateway offers granular control over request handling by enabling the configuration of distinct upstream timeouts for individual routes, to override the timeout configuration at the upstream side.

User Permission Boundary

Permission boundaries define the maximum allowable permissions for a user, acting as a safeguard against excessive privilege escalation.

Security

  • Upgraded frontend dependency.
  • Ensured single device login - new login will revoke previous active sessions.
  • Prohibited importing old license.
  • Upgraded OpenResty version to fix security vulnerabilities.

Improvements

  • Added service description in service hub list and published services list.
  • Added "Connecting" status for service registry to avoid misunderstanding.
  • Optimized custom plugin: Code Obfuscation and Encrypted Storage.
  • Displayed a notification when using a test environment license.
  • Implemented card-based UI for plugin management and modification.
  • Supported configuration of custom plugin metadata.
  • Minimized the image size of API7 Enterprise.

Bug Fixes

  • Fixed the issue of empty values for service runtime configuration parameters (e.g., host, path prefix) being lost when publishing a service version to a gateway group.
  • Eliminated unnecessary audit log generation for dry-run license uploads.
  • Resolved issue with incorrect route creation and modification timestamps.
  • Resolved plugin metadata schema validation errors.
  • Improved service search accuracy.
  • Resolved issue with plugin loss during service template publishing.

Version 3.2.14.3

Release Date: 2024-08-06

Bug Fixes

  • Supported referencing $env in SSL Certificates.
  • Resolved UI instability when labels contained periods.
  • Removed source code from frontend build artifacts.

Version 3.2.14.2

Release Date: 2024-07-30

Bug Fixes

  • Resolved UI error for viewing Ingress Controller routes on the Dashboard.
  • Fixed missing default Helm release name when installing gateway instance on Kubernetes.
  • Enhanced Microsoft Entra ID (Azure AD) integration through ID token utilization.
  • Fixed the issue that plugin inconsistencies may occur between service templates and published gateway groups.

Version 3.2.14.1

Release Date: 2024-07-22

Improvements

Import OpenAPI to Create Service on Gateway Group

Simply import your OpenAPI specification directly into a gateway group to have your new service and all its routes ready.

Unveiling Granular Access Control with API7 Portal

Leverage custom roles and permission policies for granular control over access to API Products.

Security

  • Control plane address must be HTTPS.
  • Removed the use of ngx.req.get_post_args(0); the default value is used instead to avoid potential attacks.
  • Regenerating Ingress Controller deployment scripts now requires a second confirmation.

Managing Published Service Basics without Versioning

Service name, description, and labels can now be modified without publishing a new version.

First Route Creation During Service Setup

You can now define the initial route right from the start. This eliminates the need for a separate step and simplifies your workflow.

Bug Fixes

  • Merged datadog plugin fix (https://github.com/apache/apisix/pull/11354) to API7 Enterprise.
  • Fixed the issue of DP being invisible on the console.
  • Fixed an issue: service registry status was always displayed as "disconnected" after changing the Prometheus data reporting method from remote-write to scrape.
  • Fixed issue: Data plane encountered errors after deploying a custom plugin through the Dashboard.
  • Fixed UI issue: you cannot modify the upstream of a published service on an Ingress Controller gateway group.
  • Wrong notification: When switching to Nodes, even if health checks are enabled, the prompt for users to enable health checks still exists.
  • Fixed issue: When uploading a custom plugin, if there is a parsing error, the plugin name displayed in the error message does not match the actual file name.

Version 3.2.14.0

Release Date: 2024-07-08

New Features

Brand New Access Control

Info: This is a breaking change. Roles from older versions cannot be kept.

API7 Enterprise moves beyond traditional role-based permissions, adopting a permission policy architecture for granular access control through reusable policies assigned to roles. See roles and permission policies.

Improvements

Configure Priority for Routes

In specific scenarios, you can configure the same route within two different services, with priority determining which route handles the request. The route with a higher assigned priority will be used first.

Harden mTLS Certificate Security

Addressed the following issues:

  • Overly Long Certificate: The certificate string is too long and should be shortened.
  • Unnecessary Tokens: The certificate contains unnecessary tokens that should be removed.
  • Shared CA: Using the same Certificate Authority (CA) for multiple certificates is insecure.
  • Mismatched Certificate Handling: When a certificate mismatch occurs, the handshake should immediately fail, rejecting the client's request instead of proceeding with further validation.

Include New Parameter lua_shared_dict in API7 Helm Chart

Introduced a new parameter to the Helm chart.

Bug Fixes

  • Upgrading from older version may cause missing upstream data or 404 errors.
  • UI error encountered during service request URL update.
  • Fixed Developer Portal library issue.
  • Fixed HTTP logger plugin memory leak.
  • Frontend and backend password policies are inconsistent.
  • The data-mask plugin reports an error when the GET request does not match any route.
  • The status field of the ApisixUpstream CRD is recorded incorrectly.
  • Data Plane supports configuring the reporting interval for monitoring data.
  • Fixed warning logs after configuring plugin metadata.
  • Fixed plugin reload issue.
  • Reduced the number of PostgreSQL connections.
  • Optimized frontend resource consumption.
  • Removed trailing dot in FQDN.
  • Plugin Metadata should be able to be deleted.

Version 3.2.11.8

Release Date: 2024-06-26

Bug Fixes

  • Reduced API latency by minimizing etcd calls.
  • Kine database connection pool configuration can function normally.

Version 3.2.11.7

Release Date: 2024-06-24

Bug Fixes

  • Improved API performance.
  • Data Plane supports disabling telemetry data collection and configuring reporting intervals.
  • Custom plugins can function even without a schema definition.

Version 3.2.11.6

Release Date: 2024-06-24

Bug Fixes

  • Large data sets no longer cause etcd range API error.

Version 3.2.13.0

Release Date: 2024-06-19

Admin API Breaking Changes

  1. The service template API has been migrated to the "/api/services/template" path prefix.
  2. The original "/apisix/admin/services" endpoint now requires the gateway_group_id parameter.

New Features

Create/Update Service on Gateway Group without Publishing

If version control is not your requirement, you can now directly create services on the gateway group. These services become active immediately, eliminating the need for a separate publishing step. This simplifies the deployment process and saves you time.

However, it is important to consider the trade-off involved. By bypassing the publishing stage, you also lose the ability to easily roll back to a previous version or track the version changes.

See the latest starter tutorial for details: Launch your first API.

Integrate with Ingress Controller (UI Support)

API7 Gateway officially introduces Ingress Controllers, a new type of gateway group. While the dashboard offers convenient management for creating and viewing your Ingress Controller, any configuration changes must be made declaratively.

Improvement

Search for Gateway Group Name and Filter by Labels

Makes it easier to find the specific gateway group you are looking for within the gateway group list.

Secure Sensitive Data in Configuration File

The database's DSN configuration (including access address, username, and password) can be configured through environment variables and Helm chart.

Support Prometheus Authentication

Prometheus remote write now supports Basic Auth/mTLS.

Support Secret Feature for SSL Variables

Secure ssl.certs and ssl.keys with encrypted secrets.

Bug Fixes

  • The ctx.var variable will be updated promptly after setting headers.
  • Duplicate SSL certificates cannot be uploaded.

Version 3.2.11.5

Release Date: 2024-06-18

Bug Fixes

  • The ssl_verify configuration now works fine for the Login Option OIDC and LDAP protocols.

Version 3.2.11.4

Release Date: 2024-06-07

Bug Fixes

  • Protect sensitive fields within the login options related to API.

Version 3.2.12.0

Release Date: 2024-05-24

Admin API Breaking Changes

  1. The "service status" field has been changed from "0: enabled, 1: disabled" to "0: disabled, 1: enabled".
  2. The "ID" field has been removed from the consumer API. Queries and deletions are now performed using "gateway group ID" and "username".
  3. SSL-related APIs now require the "gateway group ID" parameter.

New Features

Stream Route

API7 Gateway extends beyond API management. It can also handle Layer 4 (L4) traffic, like database or Kafka connections. Add a stream service and several stream routes to Proxy TCP Traffic.

Custom Role (UI Support)

Design your own custom roles with granular permission control. See Add Custom Role.

Ingress Controller (Beta, API Support Only)

Integrate with Ingress Controller.

Improvement

Optimize Left Navigation Menu

  • Users will now see the gateway group menu as the primary landing page.
  • Change the Service menu item to Service Hub.

Bug Fixes

  • Avoid duplicate API keys when using key-auth plugin.
  • Enable allowlist and denylist at the same time in ua-restriction plugin.
  • Reset the password without expiring the access token.
  • Labels can be up to 64 characters long and include spaces.
  • Validate the configuration of loggly plugin successfully.
  • Force configuration synchronization to the data plane, even with schema validation errors. This prevents data loss and ensures uninterrupted workflow.
  • The meaning of API7 Gateway service status is consistent with the corresponding field in Apache APISIX.

Version 3.2.11.3

Release Date: 2024-05-20

Bug Fixes

  • etcd watch can pass SNI correctly.
  • API7 Enterprise will attempt to create a database automatically. If permission issues arise, it will launch using a pre-configured database provided by the user, preventing installation failure.

Version 3.2.11.2

Release Date: 2024-05-20

Bug Fixes

  • Labels can be up to 64 characters long and include spaces.
  • Force configuration synchronization to the data plane, even with schema validation errors. This prevents data loss and ensures uninterrupted workflow.

Version 3.2.11.1

Release Date: 2024-05-08

New Features

SSO Role Mapping

This automated role mapping eliminates the need for manual role assignment by Super Admins. Users who satisfy the defined key-value mapping rules will be automatically assigned the corresponding roles upon login. For details, see Set Role Mapping.

SCIM Provisioning

Streamline your identity management with SCIM Provisioning. It automatically synchronizes user data from your Identity Provider, ensuring consistent and effortless user management. For details, see Sync User Data from IdP.

Custom Role (Beta, API Support Only)

Design your own custom roles with granular permission control. UI support coming soon.

Improvement

Upgrade to OpenSSL 3

Improved Security, Performance, and Availability.

Plugin Global Rules Ordering

To streamline the management of global rules, API7 Enterprise merges multiple rules into a single rule, ensuring that plugin configurations are unique within each rule.

Bug Fixes

Settings Modal Add HTTP Protocol Detection

The settings modal did not properly detect whether HTTP or HTTPS is required, leading to errors when deploying gateway instances using the given script.

Error Uploading SSL Certificate

An issue exists where uploading an SSL certificate intended for gateway group A may inadvertently assign it to gateway group B.

Support Host Level Dynamic Setting of TLS Protocol Version

Incorporated the fix from the resolved Apache APISIX issue.

Version 3.2.10.1

Release Date: 2024-04-28

New Features

Support MySQL 5.7

API7 Enterprise now supports MySQL 5.7.

Version 3.2.10.0

Release Date: 2024-04-22

Breaking Changes

Bind Token with User

Tokens are bound to specific users and share the same permissions. When the user is deleted, the associated token will also be deleted.

Version 3.2.9.5

Release Date: 2024-04-16

New Features

Upstream mTLS (API Support Only)

API7 Enterprise now supports mutual TLS (mTLS) authentication between the gateway and upstream services. mTLS is a form of communication security that requires both parties to present certificates to each other. This ensures that both parties are who they claim to be and that the data transmitted between them is encrypted. UI support coming soon.

Version 3.2.9.4

Release Date: 2024-04-07

Bug Fixes

Assessment of CPU Core Limitations

Resolved the issue that occurs when the maximum number of CPU cores is reached.

Version 3.2.9.3

Release Date: 2024-04-03

New Features

Integrate with Vault (Beta)

You can store sensitive data securely in your Vault. Admin API support is available; UI support coming soon.

Version 3.2.9.2

Release Date: 2024-04-01

New Features

Support SAML SSO Login

API7 Enterprise supports Single Sign-On (SSO) with SAML implementations. For details about how to configure SAML SSO login method, see configure SSO with SAML.

New Plugin: Data Mask

The data-mask plugin provides the capability to remove or replace sensitive information in request headers, request bodies, and URL queries. Learn more about Data Mask.

Feature Enhancements

Skip Path Prefix

You can opt to skip the path prefix when sending requests to the upstream. This adjustment is imperceptible to users and may be useful when using different path prefixes to identify APIs sent to different gateway groups.

Better Health Check Configuration UI

Introduced a user-friendly and intuitive UI for your health check configuration in upstreams.

Upgraded Encryption Algorithm

Upgraded from AES128 to AES256 algorithm.

Performance Improvement

Eliminated the impact caused by disabling plugins.

Version 3.2.9.1

Release Date: 2024-03-19

New Features

Support Add Custom Plugin

API7 Enterprise now allows you to build custom plugins to add extra functionalities and manage API traffic with custom flow. See how to Add Custom Plugin.

Support OIDC SSO Login

API7 Enterprise supports Single Sign-On (SSO) with OIDC implementations. For details about how to configure the LDAP SSO login method, see configure SSO with LDAP.

Use Service Labels as API Provider Scope

By assigning service labels as the scope for an API Provider, you can grant them access to all services with a specific label. It will help reduce the workload of the Super Admin. Typically, services can be grouped using a 'Department' label. Thus, users from that department will be able to access all services belonging to that department.

Version 3.2.8.1

Release Date: 2024-02-08

New Features

Support Nacos Service Discovery

API7 Enterprise uses service discovery to automatically detect available upstream services, keeping their addresses in a database (called a service registry). Therefore, an API gateway can always fetch the latest list of upstream addresses through the service registry, ensuring all requests are forwarded to healthy upstream nodes.

In this release, API7 Enterprise supports integrating with Nacos service discovery, which can be used to publish services and synchronize services between gateway groups.

Support LDAP SSO Login

API7 Enterprise supports Single Sign-On (SSO) with LDAP implementations. Integrating API7 Enterprise with LDAP enables you to log your LDAP users into API7 Enterprise as part of API7 Enterprise's SSO infrastructure. For details about how to configure the LDAP SSO login method, see configure SSO with LDAP.

Support Adding Gateway Instances using Kubernetes

A gateway instance is a single proxy that handles traffic. In this release, API7 Enterprise supports adding gateway instances to a gateway group using Kubernetes. For details, see add gateway instances.
