API7 Enterprise Release Notes
Version 3.2.16.4
Release Date: 2024-11-01
New Features
Send Notification through Email
Alert policies can send notifications through webhook and email at the same time by using the new Contact Points. A Contact Point defines a set of email addresses or webhook URLs that can be used by multiple alert policies.
See Trigger Gateway Alerts for instructions.
Existing Webhook Templates will be migrated to new contact points and notifications, ensuring a seamless transition and backward compatibility for alert policies.
New Limit Count Advanced Plugin
Enhanced the open-source limit count plugin with a sliding window algorithm for more accurate rate limiting.
New Exit Transformer Plugin
The exit-transformer plugin supports the customization of gateway responses based on the status codes, headers, and bodies returned from APISIX plugins. When configured as a global plugin, it also supports the response customization when a route that does not exist is requested.
Count Healthy Gateway Instances in a Gateway Group Through Alert Policy
If the number of healthy gateway instances in a gateway group falls below a critical threshold, it indicates potential service disruptions and impacts on traffic handling. This scenario is particularly relevant in Kubernetes deployments, where gateway instances may experience failures or be scaled down unexpectedly.
Create an alert policy for counting healthy gateway instances in a gateway group and send notifications to relevant personnel.
Utilized Expression Matching
Enable Expression Match in a route to match requests based on specific variables for greater precision, similar to nginx. Use expressions in the format [[var, operator, val], [var, operator, val], ...] to define matching criteria. Note that cookie name matching is case-sensitive.
See Expressions and lua-resty-expr for more details.
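A simplified Python model of this matching, added here as an example and not API7 or lua-resty-expr code: it evaluates a [[var, operator, val], ...] list against one request and shows why a cookie name written in the wrong case never matches. The operator subset follows lua-resty-expr; the nginx-style variable names (arg_*, http_*, cookie_*) and the sample request are assumptions constructed for illustration.

```python
import re


def _gt(a, b):
    # Numeric comparison; a missing or non-numeric variable never matches.
    try:
        return float(a) > float(b)
    except (TypeError, ValueError):
        return False


# Subset of lua-resty-expr operators, re-implemented for illustration only.
OPERATORS = {
    "==": lambda a, b: a == b,
    "~=": lambda a, b: a != b,
    ">": _gt,
    "~~": lambda a, b: a is not None and re.search(b, a) is not None,
    "~*": lambda a, b: a is not None and re.search(b, a, re.I) is not None,
    "in": lambda a, b: a in b,
}


def build_vars(method, uri, args, headers, cookie_header):
    """Flatten a request into nginx-style variables (assumed naming)."""
    variables = {"request_method": method, "uri": uri}
    for name, value in args.items():
        variables["arg_" + name] = value
    for name, value in headers.items():
        # nginx normalises header names: lower case, '-' becomes '_'.
        variables["http_" + name.lower().replace("-", "_")] = value
    for part in cookie_header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            # The cookie name is kept exactly as sent: case-sensitive.
            variables["cookie_" + name] = value
    return variables


def match(expr, variables):
    """Return True only if every [var, operator, val] entry matches (AND)."""
    for item in expr:
        if len(item) == 4 and item[1] == "!":
            var, _, op, val = item      # [var, "!", operator, val] negates
            negate = True
        elif len(item) == 3:
            var, op, val = item
            negate = False
        else:
            raise ValueError("malformed expression entry: %r" % (item,))
        if op not in OPERATORS:
            # Fail closed: an unknown operator must not silently match.
            raise ValueError("unsupported operator: %r" % (op,))
        result = OPERATORS[op](variables.get(var), val)
        if negate:
            result = not result
        if not result:
            return False
    return True


# Constructed sample request, not taken from any real deployment.
SAMPLE_VARS = build_vars(
    "GET", "/orders",
    {"version": "2"},
    {"X-Tenant": "acme"},
    "SessionID=abc123; theme=dark",
)

ROUTE_EXPR = [
    ["arg_version", ">", 1],
    ["http_x_tenant", "in", ["acme", "globex"]],
    ["cookie_SessionID", "~~", "^[a-z0-9]+$"],
]

# Same cookie test with the name lower-cased: the variable does not exist.
WRONG_CASE_EXPR = [["cookie_sessionid", "~~", "^[a-z0-9]+$"]]

if __name__ == "__main__":
    print(match(ROUTE_EXPR, SAMPLE_VARS))
    print(match(WRONG_CASE_EXPR, SAMPLE_VARS))
```

When a route guarded by a cookie expression unexpectedly falls through to another route, comparing the expression's cookie name byte-for-byte with the name the client sends is the first check to make.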
Security
- Added a status interface for self health checks on the data plane. For details, see enable data plane health check for high availability.
Improvements
- JWT Auth Plugin now supports more algorithms.
- Added more metrics to the Grafana Dashboard Template.
- Allowed users to log in by pressing Enter.
Bug Fixes
- Resolved issue: CORS Plugin expose_headers default value should not be *.
- Resolved issue: Successfully added first stream route when adding stream service.
- Resolved issue: max_req_body_bytes limit does not take effect in logger plugins.
- Resolved issue: Dynamic updates to rate limiting parameters in the Limit Count Plugin are now reflected in the data plane.
- Resolved issue: Services deleted via API are now consistently removed from the data plane.
Version 3.2.16.3
Release Date: 2024-10-21
New Features
Reference Secrets in AWS Secrets Manager
A secret object is a piece of sensitive information that needs to be protected from unauthorized access, while a secret provider object is used to set up integration with an external secret manager (HashiCorp Vault, AWS Secrets Manager, etc.), so that API7 Gateway can establish connections and fetch secrets from the secret manager dynamically at runtime.
See Reference Secrets in AWS Secrets Manager for more details.
Anonymous Consumers for API authentication
An anonymous consumer does not need to authenticate, but can be restricted by rate limiting. Configure anonymous consumers in the authentication plugins on the service/route, then combine them with rate limiting plugins.
For details, see the following documentation:
- Key Authentication
- Basic Authentication
- JWT Authentication
- HMAC Authentication
- Rate Limit with Anonymous Consumers
Security
- Added a status interface for self health checks on the data plane. For details, see enable data plane health check for high availability.
Improvements
- Added support for 2 million consumers.
- Sorted the consumer list by name.
- Removed conf_server from API7 gateway.
- Improved rate limiting related plugins to be more flexible, allowing consumer-specific rate limits on a per-service/route basis. For details, see Limit Count Plugin and Limit Req Plugin.
- Advanced request & response transformation:
- During request transformation, support passing Lua code to obtain values.
- Aligned the capabilities of Kong's Request Transformation and Response Transformation.
- Displayed the total number of routes added in a service.
- Changed plugin list configuration from data plane to control plane. Not compatible with versions earlier than 3.2.15.0.
- Added certificate expiration reminder in alert policies.
- Displayed a notification explaining the logout reason before redirecting to the login page due to multi-device login.
- Improved frontend page responsiveness and loading speed.
- Optimized the "Use Upstream Timeout" UI.
- Optimized API7 Portal(Beta) list page rendering speed.
Bug Fixes
- Resolved issue: multiple paths can now be configured for a single route on the Dashboard.
- Resolved issue: the OpenTelemetry Plugin did not support set_ngx_var.
- Resolved issue: the ACL Plugin should not output warning logs during normal use.
- Enhanced data plane lua_ssl_trusted_certificate configuration item.
- Synchronized the Body Transformer Plugin code with the APISIX mainline version.
- Resolved issue: when a plugin that is not available to the stream module is configured on a service, the data plane prints error logs.
- Changed the Edit operation for Token to Edit Name.
- Resolved issue: when editing a service registry, the service discovery type does not match the form.
Version 3.2.16.2
Release Date: 2024-10-11
Bug Fixes
- Fixed the issue where plugin configuration updates in Consumer were not taking effect.
Version 3.2.16.1
Release Date: 2024-10-04
Improvements
- Improved Developer Portal(Beta) performance.
Bug Fixes
- Resolved panic issue in the radixtree_host_uri routing mode when deleting routes.
- Resolved incompatibility between custom authentication type plugins and the multi-auth plugin.
Version 3.2.16.0
Release Date: 2024-09-30
New Features
Reference Secrets in HashiCorp Vault
This is a breaking change. The secrets resource has been renamed to secret provider to align with best practices and facilitate integration with external secret management tools. All associated APIs have been updated accordingly.
A secret object is a piece of sensitive information that needs to be protected from unauthorized access, while a secret provider object is used to set up integration with an external secret manager (HashiCorp Vault, AWS Secrets Manager, etc.), so that API7 Gateway can establish connections and fetch secrets from the secret manager dynamically at runtime.
See Reference Secrets in HashiCorp Vault for more details.
Improvements
- [Breaking Change] Removed the JWT plugin's functionality for issuing tokens, and removed the ability to upload private keys. See JWT Plugin for details.
- Added support for deleting offline gateway instances.
- Added a sync_rate parameter to plugins that utilize Redis to control the frequency of counter synchronization with Redis. Real-time synchronization can put significant pressure on Redis.
- Supported accessing specific route detail pages via URL.
- Supported API online test for API7 Portal(Beta).
- UI Improvement: shorten the custom host input box.
- UI Improvement: change the load balancing algorithm dropdown to radio buttons.
- UI Improvement: new style for creating labels.
Bug Fixes
- Fixed issue: the data plane failed to start due to an improperly cleaned config_listen.sock.
- Fixed issue: requests return a 404 error after disabling the service.
- Added keepalive_timeout configuration to splunk-hec-logging plugin.
- Removed whitespace before and after the delimiter after splitting consumer labels.
- Fixed issue: the Skywalking plugin cannot be restarted after being destroyed.
- Handled encryption and decryption correctly when non-authentication plugin configurations were applied to the consumer.
- Fixed issue: built-in permission policies should not be able to be deleted.
- Fixed issue: ingress controller type gateway group should be able to be deleted.
- Fixed issue: data plane now supports / as a path prefix.
- Fixed UI issue: clicking on the label page jumps to the search bar.
- Fixed UI issue: after creating and deleting a token, the new token prompt does not disappear.
- Added Chinese translation for the plugin categories.
- Enlarged the plugin description text box to fully display the plugin's introduction.
- Fixed the issue where the new token prompt did not disappear after creating and deleting a token.
Version 3.2.15.2
Release Date: 2024-09-19
Bug Fixes
- Adjusted the attach-consumer-label plugin to execute in the before_proxy phase.
Version 3.2.15.1
Release Date: 2024-09-18
Bug Fixes
- Resolved issue: Using token to get instance_token returns 401.
Version 3.2.15.0
Release Date: 2024-09-14
New Features
Consumer Credentials
This is a breaking change. Creating new authentication plugins (key-auth, basic-auth, JWT-auth, or HMAC-auth) for consumers is no longer supported. Please use consumer credentials instead. Existing plugin configurations will remain accessible and editable until disabled.
Consumer credentials offer enhanced flexibility by allowing multiple credentials per consumer. They replace traditional authentication plugins like key-auth, basic-auth, JWT-auth, and HMAC-auth, providing a more user-friendly experience. See Manage Consumer Credentials for details.
Security
- The root user, admin, becomes a protected account that cannot be modified by roles, permission policies, or other users. It cannot be deleted or have its password reset by other users.
Improvements
- Sorting the service list alphabetically by name is now supported.
- Added gateway group ID to every audit log, so you can search or filter audit logs by gateway group.
- Recorded audit log for automatically deleted gateway instances that have been offline for more than 7 days.
- Supported filtering published services on a gateway group by label.
- Ensured control plane addresses do not end with a slash.
- Supported annotations in Helm.
- Provided configuration options to control the timeout for data plane heartbeat and telemetry requests, and adjust the default value to 30s.
Bug Fixes
- Clarified the error message when a user logs in via SSO after SCIM is enabled, but the user does not exist in the system.
- Fixed the issue of failed canary configuration adjustments after modifying no version published service.
Version 3.2.14.6
Release Date: 2024-08-28
New Features
ARM Installation
Standardized ARM installation packages are available since version 3.2.14.6.
Security
- Resolved known CVE vulnerabilities.
Improvements
- Reduced installation image size through component optimization.
- Enabled mqtt-proxy plugin support for stream routes.
- Enhanced alert policy trigger conditions to include Allowed license CPU quota exceeded.
Bug Fixes
- Wrote data plane certificate to a fixed local file.
- Fixed the issue of not being able to directly set the weight of the canary upstream to 100 when starting canary.
- Adjusted the order of custom plugins in the init_worker phase to avoid printing warning logs when the data plane restarts.
- Fixed UI display of blank route Methods when calling Admin API without methods.
- Fixed the issue where the route name length limit was 100 characters when synchronizing with ADC.
- Fixed the issue of alerts being sent even after the alert policy was disabled.
Version 3.2.14.5
Release Date: 2024-08-20
Bug Fixes
- Fixed a body validation bug in the response-rewrite plugin when body_base64 is set to false.
Version 3.2.14.4
Release Date: 2024-08-14
New Features
Override Upstream Timeout for Each Route
API7 Gateway offers granular control over request handling by enabling the configuration of distinct upstream timeouts for individual routes, to override the timeout configuration at the upstream side.
User Permission Boundary
Permissions boundaries define the maximum allowable permissions for a user, acting as a safeguard against excessive privilege escalation.
Security
- Upgraded frontend dependency.
- Ensured single device login - new login will revoke previous active sessions.
- Prohibited importing old license.
- Upgraded OpenResty version to fix security vulnerabilities.
Improvements
- Added service description in service hub list and published services list.
- Added "Connecting" status for service registry to avoid misunderstanding.
- Optimized custom plugin: Code Obfuscation and Encrypted Storage.
- Displayed a notification when using a test environment license.
- Implemented card-based UI for plugin management and modification.
- Supported configuration of custom plugin metadata.
- Minimized the image size of API7 Enterprise.
Bug Fixes
- Fixed the issue of empty values for service runtime configuration parameters (e.g., host, path prefix) being lost when publishing a service version to a gateway group.
- Eliminated unnecessary audit log generation for dry-run license uploads.
- Resolved issue with incorrect route creation and modification timestamps.
- Resolved plugin metadata schema validation errors.
- Improved service search accuracy.
- Resolved issue with plugin loss during service template publishing.
Version 3.2.14.3
Release Date: 2024-08-06
Bug Fixes
- Supported referencing $env in SSL Certificates.
- Resolved UI instability when labels contained periods.
- Removed source code from frontend build artifacts.
Version 3.2.14.2
Release Date: 2024-07-30
Bug Fixes
- Resolved UI error for viewing Ingress Controller routes on the Dashboard.
- Fixed missing default Helm release name when installing gateway instance on Kubernetes.
- Enhanced Microsoft Entra ID (Azure AD) integration through ID token utilization.
- Fixed the issue that plugin inconsistencies may occur between service templates and published gateway groups.
Version 3.2.14.1
Release Date: 2024-07-22
Improvements
Import OpenAPI to Create Service on Gateway Group
Simply import your OpenAPI specification directly into a gateway group to have your new service and all its routes ready.
Unveiling Granular Access Control with API7 Portal
Leverage custom roles and permission policies for granular control over access to API Products.
Security
- Control plane address must be HTTPS.
- Removed the use of ngx.req.get_post_args(0); the default value is used instead to avoid potential attacks.
- Regenerating Ingress Controller deployment scripts now requires a second confirmation.
Managing Published Service Basics without Versioning
Service name/description/labels now can be modified without publishing a new version.
First Route Creation During Service Setup
Allowing you to define the initial route right from the start. This eliminates the need for a separate step and simplifies your workflow.
Bug Fixes
- Merged datadog plugin fix (https://github.com/apache/apisix/pull/11354) to API7 Enterprise.
- Fixed the issue of DP being invisible on the console.
- Fixed an issue: service registry status was always displayed as "disconnected" after changing the Prometheus data reporting method from remote-write to scrape.
- Fixed issue: Data plane encountered errors after deploying a custom plugin through the Dashboard.
- Fixed UI issue: you cannot modify the upstream of a published service on an Ingress Controller gateway group.
- Wrong notification: When switching to Nodes, even if health checks are enabled, the prompt for users to enable health checks still exists.
- Fixed issue: When uploading a custom plugin, if there is a parsing error, the plugin name displayed in the error message does not match the actual file name.
Version 3.2.14.0
Release Date: 2024-07-08
New Features
Brand New Access Control
This is a breaking change. Roles from older versions can not be kept.
API7 Enterprise moves beyond traditional role-based permissions, adopting a permission policy architecture for granular access control through reusable policies assigned to roles. See roles and permission policies.
Improvements
Configure Priority for Routes
In specific scenarios, you can configure the same route within two different services, with priority determining which route handles the request. The route with a higher assigned priority will be used first.
Harden mTLS Certificate Security
Addressed the following issues:
- Overly Long Certificate: The certificate string is too long and should be shortened.
- Unnecessary Tokens: The certificate contains unnecessary tokens that should be removed.
- Shared CA: Using the same Certificate Authority (CA) for multiple certificates is insecure.
- Mismatched Certificate Handling: When a certificate mismatch occurs, the handshake should immediately fail, rejecting the client's request instead of proceeding with further validation.
Include New Parameter lua_shared_dict in API7 Helm Chart
Introduced new parameter to Helm chart.
Bug Fixes
- Upgrading from older version may cause missing upstream data or 404 errors.
- UI error encountered during service request URL update.
- Fixed Developer Portal library issue.
- Fixed HTTP logger plugin memory leak.
- Frontend and backend password policies are inconsistent.
- The data-mask plugin reports an error when the GET request does not match any route.
- The status field of the ApisixUpstream CRD is recorded incorrectly.
- Data Plane supports configuring the reporting interval for monitoring data.
- Fixed warning logs after configuring plugin metadata.
- Fixed plugin reload issue.
- Reduced the number of PostgreSQL connections.
- Optimized frontend resource consumption.
- Removed trailing dot in FQDN.
- Plugin Metadata should be able to be deleted.
Version 3.2.11.8
Release Date: 2024-06-26
Bug Fixes
- Reduced API latency by minimizing etcd calls.
- Kine database connection pool configuration can function normally.
Version 3.2.11.7
Release Date: 2024-06-24
Bug Fixes
- Improve API performance.
- Data Plane supports disabling telemetry data collection and configuring reporting intervals.
- Custom plugins can function even without a schema definition.
Version 3.2.11.6
Release Date: 2024-06-24
Bug Fixes
- Large data sets no longer cause etcd range API error.
Version 3.2.13.0
Release Date: 2024-06-19
Admin API Breaking Changes
- The service template API has been migrated to the "/api/services/template" path prefix.
- The original "/apisix/admin/services" endpoint now requires the gateway_group_id parameter.
New Features
Create/Update Service on Gateway Group without Publishing
If version control is not your requirement, you can now directly create services on the gateway group. These services become active immediately, eliminating the need for a separate publishing step. This simplifies the deployment process and saves you time.
However, it is important to consider the trade-off involved. By bypassing the publishing stage, you also lose the ability to easily roll back to a previous version or track the version changes.
See the latest starter tutorial for details: Launch your first API.
Integrate with Ingress Controller(UI Support)
API7 Gateway officially introduces Ingress Controllers, a new type of gateway group. While the dashboard offers convenient management for creating and viewing your Ingress Controller, any configuration changes must be made declaratively.
Improvement
Search for Gateway Group Name and Filter by Labels
Makes it easier to find the specific gateway group you are looking for within the gateway group list.
Secure Sensitive Data in Configuration File
The database's DSN configuration (including access address, username, and password) can be configured through environment variables and Helm chart.
Support Prometheus Authentication
Prometheus remote write now supports Basic Auth/mTLS.
Support Secret Feature for SSL Variables
Secure ssl.certs and ssl.keys with encrypted secrets.
Bug Fixes
- The ctx.var variable will be updated promptly after setting headers.
- Duplicate SSL certificates cannot be uploaded.
Version 3.2.11.5
Release Date: 2024-06-18
Bug Fixes
- The ssl_verify configuration now works fine for the Login Option OIDC and LDAP protocols.
Version 3.2.11.4
Release Date: 2024-06-07
Bug Fixes
- Protect sensitive fields within the login options related to API.
Version 3.2.12.0
Release Date: 2024-05-24
Admin API Breaking Changes
- The "service status" field has been changed from "0: enabled, 1: disabled" to "0: disabled, 1: enabled".
- Publish a service
- Update service runtime configurations by ID
- Get all published services in Gateway Group
- The "ID" field has been removed from the consumer API. Queries and deletions are now performed using "gateway group ID" and "username".
- SSL-related APIs now require the "gateway group ID" parameter.
New Features
Stream Route
API7 Gateway extends beyond API management. It can also handle Layer 4 (L4) traffic, like database or Kafka connections. Add a stream service and several stream routes to Proxy TCP Traffic.
Custom Role (UI Support)
Design your own custom roles with granular permission control. See Add Custom Role.
Ingress Controller (Beta, API Support Only)
Integrate with Ingress Controller.
Improvement
Optimize Left Navigation Menu
- Users will now see the gateway group menu as the primary landing page.
- Change the Service menu item to Service Hub.
Bug Fixes
- Avoid duplicate API keys when using key-auth plugin.
- Enable allowlist and denylist at the same time in ua-restriction plugin.
- Reset the password without expiring the access token.
- Labels can be up to 64 characters long and include spaces.
- Validate the configuration of loggly plugin successfully.
- Force configuration synchronization to the data plane, even with schema validation errors. This prevents data loss and ensures uninterrupted workflow.
- The meaning of API7 Gateway service status is consistent with the corresponding field in Apache APISIX.
Version 3.2.11.3
Release Date: 2024-05-20
Bug Fixes
- etcd watch can pass SNI correctly.
- API7 Enterprise will attempt to create a database automatically. If permission issues arise, it will launch using a pre-configured database provided by the user, preventing installation failure.
Version 3.2.11.2
Release Date: 2024-05-20
Bug Fixes
- Labels can be up to 64 characters long and include spaces.
- Force configuration synchronization to the data plane, even with schema validation errors. This prevents data loss and ensures uninterrupted workflow.
Version 3.2.11.1
Release Date: 2024-05-08
New Features
SSO Role Mapping
This automated role mapping eliminates the need for manual role assignment by Super Admins. Users who satisfy the defined key-value mapping rules will be automatically assigned the corresponding roles upon login. For details, see Set Role Mapping.
SCIM Provisioning
Streamline your identity management with SCIM Provisioning. It automatically synchronizes user data from your Identity Provider, ensuring consistent and effortless user management. For details, see Sync User Data from IdP.
Custom Role (Beta, API Support Only)
Design your own custom roles with granular permission control. UI support coming soon.
Improvement
Upgrade to OpenSSL 3
Improved Security, Performance, and Availability.
Plugin Global Rules Ordering
To streamline the management of global rules, API7 Enterprise merges multiple rules into a single rule, ensuring that plugin configurations are unique within each rule.
Bug Fixes
Settings Modal Add HTTP Protocol Detection
Not properly detecting whether HTTP or HTTPS is required, leading to errors when deploying gateway instances using the given script.
Error Uploading SSL Certificate
An issue exists where uploading an SSL certificate intended for gateway group A may inadvertently assign it to gateway group B.
Support Host Level Dynamic Setting of TLS Protocol Version
Incorporated the fix from the resolved Apache APISIX issue.
Version 3.2.10.1
Release Date: 2024-04-28
New Features
Support MySQL 5.7
API7 Enterprise now supports MySQL 5.7.
Version 3.2.10.0
Release Date: 2024-04-22
Breaking Changes
Bind Token with User
Tokens are bound to specific users and share the same permissions. When the user is deleted, the associated token will also be deleted.
Version 3.2.9.5
Release Date: 2024-04-16
New Features
Upstream mTLS(API Support Only)
API7 Enterprise now supports mutual TLS (mTLS) authentication between the gateway and upstream services. mTLS is a form of communication security that requires both parties to present certificates to each other. This ensures that both parties are who they claim to be and that the data transmitted between them is encrypted. UI support coming soon.
Version 3.2.9.4
Release Date: 2024-04-07
Bug Fixes
Assessment of CPU Core Limitations
Resolved the issue that occurs when the maximum number of CPU cores is reached.
Version 3.2.9.3
Release Date: 2024-04-03
New Features
Integrate with Vault (Beta)
You can store sensitive data securely in your Vault. Admin API support is available; UI support coming soon.
Version 3.2.9.2
Release Date: 2024-04-01
New Features
Support SAML SSO Login
API7 Enterprise supports Single Sign-On (SSO) with SAML implementations. For details about how to configure SAML SSO login method, see configure SSO with SAML.
New Plugin: Data Mask
The data-mask plugin provides the capability to remove or replace sensitive information in request headers, request bodies, and URL queries. Learn more about Data Mask.
Feature Enhancements
Skip Path Prefix
You can opt to skip the path prefix when sending requests to the upstream. This adjustment is imperceptible to users and may be useful when using different path prefixes to identify APIs sent to different gateway groups.
Better Health Check Configuration UI
Introduced a user-friendly and intuitive UI for your health check configuration in upstreams.
Upgraded Encryption Algorithm
Upgraded from AES128 to AES256 algorithm.
Performance Improvement
Eliminated the impact caused by disabling plugins.
Version 3.2.9.1
Release Date: 2024-03-19
New Features
Support Add Custom Plugin
API7 Enterprise now allows you to build custom plugins to add extra functionalities and manage API traffic with custom flow. See how to Add Custom Plugin.
Support OIDC SSO Login
API7 Enterprise supports Single Sign-On (SSO) with OIDC implementations. For details about how to configure the LDAP SSO login method, see configure SSO with LDAP.
Use Service Labels as API Provider Scope
By assigning service labels as the scope for an API Provider, you can grant them access to all services with a specific label. It will help reduce the workload of the Super Admin. Typically, services can be grouped using a 'Department' label. Thus, users from that department will be able to access all services belonging to that department.
Version 3.2.8.1
Release Date: 2024-02-08
New Features
Support Nacos Service Discovery
API7 Enterprise uses service discovery to automatically detect available upstream services, keeping their addresses in a database (called a service registry). Therefore, an API gateway can always fetch the latest list of upstream addresses through the service registry, ensuring all requests are forwarded to healthy upstream nodes.
In this release, API7 Enterprise supports integrating with Nacos service discovery, which can be used to publish services and synchronize services between gateway groups.
Support LDAP SSO Login
API7 Enterprise supports Single Sign-On (SSO) with LDAP implementations. Integrating API7 Enterprise with LDAP enables you to log your LDAP users into API7 Enterprise as part of API7 Enterprise's SSO infrastructure. For details about how to configure the LDAP SSO login method, see configure SSO with LDAP.
Support Adding Gateway Instances using Kubernetes
A gateway instance is a single proxy that handles traffic. In this release, API7 Enterprise supports adding gateway instances to a gateway group using Kubernetes. For details, see add gateway instances.