It has been more than half a year since the last LTS version of Apache APISIX was released. Today, the Apache APISIX community brings a brand new LTS version: 2.13.0. This LTS version not only offers more stable performance, but also adds more observability and service discovery plugins and a more complete multi-language development system.

If you want to try out new features while keeping overall stability, consider upgrading your existing Apache APISIX to 2.13.0. The community will subsequently release a series of patch versions based on 2.13.0.


Feature update

New: API is no longer exposed by default

In versions prior to 2.13.0, we allowed plugins to register APIs that could be called by clients. For example, the jwt-auth plugin registers a JWT signing interface that clients can access to generate signatures for verification. But this design has a potential flaw: because the interface is exposed directly rather than as a route, it cannot be secured to the same degree as a route. Although the existing mechanism lets users intercept access to the interface by writing a corresponding plugin interceptor, this method still carries security risks.

So starting from version 2.13.0, we decided to make a breaking change and no longer expose these APIs by default. Users who need to expose an interface must bind it to a route through the public-api plugin. This approach brings two benefits:

  1. Registered APIs have higher visibility. A registered API now takes effect only through explicit configuration, and the access method is also defined by the user.
  2. More security protection options are available, because registered APIs get the same permission control as routes.
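
A check that follows from the two benefits above, as an added example (not code from the APISIX project): given route objects as stored through the Admin API, it lists every client-facing path that exposes a plugin API via public-api and whether an authentication plugin is enabled on the same route. The sample routes, the `AUTH_PLUGINS` set and the handling of a per-plugin `disable` flag are assumptions.

```python
# Added example, not APISIX code. Route objects below are constructed samples.

# Assumption: plugins this audit accepts as authentication; adjust to your policy.
AUTH_PLUGINS = {"key-auth", "jwt-auth", "basic-auth", "hmac-auth"}

def enabled(conf):
    """Assumption: a plugin entry is active unless it carries "disable": true."""
    return isinstance(conf, dict) and not conf.get("disable", False)

def audit_public_apis(routes):
    """Return one finding per client-facing path that exposes a plugin API."""
    findings = []
    for route in routes:
        plugins = route.get("plugins") or {}
        public_api = plugins.get("public-api")
        if not enabled(public_api):
            continue
        # public-api's optional "uri" names the plugin API being exposed;
        # without it, the route's own path is the plugin API path.
        target = public_api.get("uri")
        auth = sorted(n for n, c in plugins.items()
                      if n in AUTH_PLUGINS and enabled(c))
        for path in route.get("uris") or [route.get("uri")]:
            findings.append({"route": route.get("id"), "path": path,
                             "plugin_api": target or path,
                             "auth": auth, "protected": bool(auth)})
    return findings

SAMPLE_ROUTES = [  # constructed
    {"id": "sign-open", "uri": "/apisix/plugin/jwt/sign",
     "plugins": {"public-api": {}}},
    {"id": "sign-keyed", "uri": "/gen_token",
     "plugins": {"public-api": {"uri": "/apisix/plugin/jwt/sign"},
                 "key-auth": {}}},
    {"id": "sign-auth-off", "uri": "/gen_token2",
     "plugins": {"public-api": {"uri": "/apisix/plugin/jwt/sign"},
                 "key-auth": {"disable": True}}},
    {"id": "app", "uri": "/hello", "plugins": {}},
]

if __name__ == "__main__":
    for f in audit_public_apis(SAMPLE_ROUTES):
        state = "protected by " + ",".join(f["auth"]) if f["protected"] else "NO AUTH"
        print(f'{f["route"]}: {f["path"]} -> {f["plugin_api"]} [{state}]')
```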

Of course, version 2.13.0 contains other changes as well, such as fixes for unreasonable behavior in earlier versions. For details, see the 2.13.0 Changelog.

New feature: connect more monitoring systems at the observability level

As an API gateway, Apache APISIX is committed to integrating with more services and more upstream and downstream observability systems. We build on this with every release, and 2.13.0 is no exception.

This time we added a tracing plugin, **opentelemetry**, which sends OpenTelemetry tracing data to the configured collector. Let's look at a simple example.

The collector is set in the static configuration:

plugin_attr:
  opentelemetry:
    resource:
      service.name: APISIX
      tenant.id: business_id
    collector:
      address: "127.0.0.1:4317"
    batch_span_processor:
      drop_on_queue_full: false
      max_queue_size: 6
      batch_timeout: 2
      inactive_timeout: 1
      max_export_batch_size: 2

Then you can enable tracing on a specific route:

curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
{
    "methods": ["GET"],
    "uris": [
        "/uid/*"
    ],
    "plugins": {
        "opentelemetry": {
            "sampler": {
                "name": "always_on"
            }
        }
    },
    "upstream": {
        "type": "roundrobin",
        "nodes": {
            "127.0.0.1:8089": 1
        }
    }
}'

Requests that hit this route will report OpenTelemetry data to the corresponding collector.

In addition, we have added two log plugins to support reporting logs to ClickHouse and Loggly.

ClickHouse is one of the fastest OLAP databases on the planet. Apache APISIX supports sending access logs and error logs to ClickHouse. Examples are as follows:

curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
{
      "plugins": {
            "clickhouse-logger": {
                "user": "default",
                "password": "a",
                "database": "default",
                "logtable": "test",
                "endpoint_addr": "http://127.0.0.1:8123"
            }
       },
      "upstream": {
           "type": "roundrobin",
           "nodes": {
               "127.0.0.1:1980": 1
           }
      },
      "uri": "/hello"
}'
curl http://127.0.0.1:9080/apisix/admin/plugin_metadata/error-log-logger -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
{
  "clickhouse": {
      "user": "default",
      "password": "a",
      "database": "error_log",
      "logtable": "t",
      "endpoint_addr": "http://127.0.0.1:8123"
  }
}'

Loggly is a log processing SaaS platform under SolarWinds. We support sending access logs through syslog or HTTP/HTTPS. An example is as follows:

Configure the reporting method

curl http://127.0.0.1:9080/apisix/admin/plugin_metadata/loggly -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
{
   "protocol": "http"
}'

Configure the route to be reported

curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
{
    "plugins":{
        "loggly":{
            "customer_token":"xxx"
        }
    },
    "upstream":{
        "type":"roundrobin",
        "nodes":{
            "127.0.0.1:80":1
        }
    },
    "uri":"/index.html"
}'

A more complete multi-language development system

Apache APISIX has supported Wasm (Proxy Wasm SDK) since version 2.11, but no LTS version has provided corresponding support until now. In this release of Apache APISIX 2.13.0, we have added and improved this feature.

After six months of development and more than 10,000 lines of code (including tests and documentation), APISIX now fully supports running code in four stages: processing request headers, request bodies, response headers, and response bodies. Version 2.13.0 is the first LTS version to support Wasm, which marks a new milestone.

In addition to Wasm, we are also developing a traditional, RPC-based polyglot plugin system. Not long ago, we released version 0.2.0 of Python Runner. In a few days, we will also release Go Runner 0.3.0.

Bug fixes

  • SkyWalking and OpenTelemetry did not track authentication failures.
  • log-rotate: log cutting did not support completing on the hour.
  • deepcopy did not copy the metatable.
  • request-validate: handling of duplicate keys in JSON.
  • prometheus: duplicate calculation of metrics.
  • proxy-rewrite: conf.method had no effect when conf.headers was missing.
  • traffic-split: matching failed when the first rule failed.
  • etcd timeout triggered resync_delay.
  • proto: definition conflict.
  • limit-count: the counter was reset although the configuration was unchanged.
  • Admin API returned incorrect counts for plugin-metadata and global-rule.
  • Labels were lost when merging route and service.

More details

In addition to the above features and components, the Apache APISIX 2.13.0 version also updates the following features:

  • grpc-transcode supports processing proto definitions with import via .pb file.
  • Support getting upstream nodes from K8s configuration.
  • Added csrf plugin to provide cross-site request forgery protection.
  • Added mocking plug-in to facilitate the generation of test data.

API7 Technical Team

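API7.ai is an open-source infrastructure software company that provides API processing and analytics. In 2019 it open-sourced APISIX, a new-generation cloud-native API gateway, and donated it to the Apache Software Foundation. Since then, API7.ai has been actively supporting the development, maintenance and community operations of Apache APISIX...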