diff --git a/apisix/admin/init.lua b/apisix/admin/init.lua index 7aaf8f99f4e6..bdf19da38bee 100644 --- a/apisix/admin/init.lua +++ b/apisix/admin/init.lua @@ -63,8 +63,8 @@ local router local function check_token(ctx) local local_conf = core.config.local_conf() - if not local_conf or not local_conf.apisix - or not local_conf.apisix.admin_key then + local admin_key = core.table.try_read_attr(local_conf, "deployment", "admin", "admin_key") + if not admin_key then return true end @@ -75,7 +75,7 @@ local function check_token(ctx) end local admin - for i, row in ipairs(local_conf.apisix.admin_key) do + for i, row in ipairs(admin_key) do if req_token == row.key then admin = row break diff --git a/apisix/admin/v3_adapter.lua b/apisix/admin/v3_adapter.lua index 2bb03cbeb208..154efe463820 100644 --- a/apisix/admin/v3_adapter.lua +++ b/apisix/admin/v3_adapter.lua @@ -48,7 +48,7 @@ local function enable_v3() return false end - local api_ver = try_read_attr(local_conf, "apisix", "admin_api_version") + local api_ver = try_read_attr(local_conf, "deployment", "admin", "admin_api_version") if api_ver ~= "v3" then admin_api_version = "default" return false diff --git a/apisix/cli/ops.lua b/apisix/cli/ops.lua index 320efb15f3c4..a362d111c48f 100644 --- a/apisix/cli/ops.lua +++ b/apisix/cli/ops.lua @@ -183,8 +183,10 @@ local function init(env) -- check the Admin API token local checked_admin_key = false - if yaml_conf.apisix.enable_admin and yaml_conf.apisix.allow_admin then - for _, allow_ip in ipairs(yaml_conf.apisix.allow_admin) do + local allow_admin = yaml_conf.deployment.admin and + yaml_conf.deployment.admin.allow_admin + if yaml_conf.apisix.enable_admin and allow_admin then + for _, allow_ip in ipairs(allow_admin) do if allow_ip == "127.0.0.0/24" then checked_admin_key = true end 
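Review bot: In check_token, `if not admin_key then return true end` now looks only at `deployment.admin.admin_key`, so tokens that an existing config still carries under `apisix.admin_key` are no longer consulted and nothing reports it. If config-default.yaml is still merged underneath the user's file (not visible here), such a deployment would be authenticated against the default tokens this commit places under `deployment.admin`. A stale `apisix.https_admin` or `apisix.admin_api_version` is dropped just as quietly (see the v3_adapter.lua hunk; t/admin/api.t TEST 3 still sets the old key). I would fail startup in the ops.lua init() hunks when a legacy key is present, e.g. `if yaml_conf.apisix.admin_key ~= nil then util.die("apisix.admin_key has moved to deployment.admin.admin_key") end`, and do the same for `https_admin` and `allow_admin`. The body of check_token continues outside this hunk.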
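Review bot: In the ops.lua hunk at -183, the loop over `allow_admin` sets `checked_admin_key = true` as soon as one entry equals "127.0.0.0/24", so a list that also contains a wider range (the FAQ hunk shows `0.0.0.0/0`) presumably skips the Admin API token check that follows. Consider skipping the check only when loopback is the sole entry, `checked_admin_key = #allow_admin == 1 and allow_admin[1] == "127.0.0.0/24"`, in place of the per-entry assignment. init() starts and ends outside this hunk, so how `checked_admin_key` is consumed is inferred from the comment and the next hunk.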
@@ -198,13 +200,17 @@ local function init(env) Please modify "admin_key" in conf/config.yaml . ]] - if type(yaml_conf.apisix.admin_key) ~= "table" or - #yaml_conf.apisix.admin_key == 0 + local admin_key = yaml_conf.deployment.admin + if admin_key then + admin_key = admin_key.admin_key + end + + if type(admin_key) ~= "table" or #admin_key == 0 then util.die(help:format("ERROR: missing valid Admin API token.")) end - for _, admin in ipairs(yaml_conf.apisix.admin_key) do + for _, admin in ipairs(admin_key) do if type(admin.key) == "table" then admin.key = "" else @@ -224,6 +230,19 @@ Please modify "admin_key" in conf/config.yaml . end end + if yaml_conf.deployment.admin then + local admin_api_mtls = yaml_conf.deployment.admin.admin_api_mtls + local https_admin = yaml_conf.deployment.admin.https_admin + if https_admin and not (admin_api_mtls and + admin_api_mtls.admin_ssl_cert and + admin_api_mtls.admin_ssl_cert ~= "" and + admin_api_mtls.admin_ssl_cert_key and + admin_api_mtls.admin_ssl_cert_key ~= "") + then + util.die("missing ssl cert for https admin") + end + end + if yaml_conf.apisix.enable_admin and yaml_conf.apisix.config_center == "yaml" then @@ -315,8 +334,8 @@ Please modify "admin_key" in conf/config.yaml . -- listen in admin use a separate port, support specific IP, compatible with the original style local admin_server_addr if yaml_conf.apisix.enable_admin then - local ip = yaml_conf.apisix.admin_listen.ip - local port = yaml_conf.apisix.admin_listen.port + local ip = yaml_conf.deployment.admin.admin_listen.ip + local port = yaml_conf.deployment.admin.admin_listen.port admin_server_addr = validate_and_get_listen_addr("admin port", "0.0.0.0", ip, 9180, port) end 
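Review bot: The relocated `https_admin` guard (hunk at -224) requires only `admin_ssl_cert` and `admin_ssl_cert_key`; `admin_ssl_ca_cert` may stay empty, in which case the listener is presumably plain HTTPS without client-certificate verification even though the block is named `admin_api_mtls`. A comment above the check would make that explicit: `-- only the server cert/key are mandatory here; NOTE(review): client certs appear to be verified only when admin_ssl_ca_cert is set, confirm against the nginx template`. If mTLS is meant to be enforceable, a startup warning when `https_admin` is on and `admin_ssl_ca_cert` is empty would help operators notice.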
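Review bot: In the hunk at -315, `yaml_conf.deployment.admin.admin_listen.ip` is dereferenced without the nil guard that the earlier hunks in this file apply to `yaml_conf.deployment.admin`, so with `enable_admin` true and no `admin` or `admin_listen` table init() would stop on an "attempt to index" error instead of a readable message. Read it defensively, `local admin_listen = (yaml_conf.deployment.admin or {}).admin_listen or {}` followed by `local ip, port = admin_listen.ip, admin_listen.port`; validate_and_get_listen_addr is already passed the defaults "0.0.0.0" and 9180. Whether a schema default always fills `admin_listen` cannot be confirmed from this hunk.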
@@ -464,17 +483,6 @@ Please modify "admin_key" in conf/config.yaml . yaml_conf.apisix.ssl.ssl_trusted_certificate = cert_path end - local admin_api_mtls = yaml_conf.apisix.admin_api_mtls - if yaml_conf.apisix.https_admin and - not (admin_api_mtls and - admin_api_mtls.admin_ssl_cert and - admin_api_mtls.admin_ssl_cert ~= "" and - admin_api_mtls.admin_ssl_cert_key and - admin_api_mtls.admin_ssl_cert_key ~= "") - then - util.die("missing ssl cert for https admin") - end - -- enable ssl with place holder crt&key yaml_conf.apisix.ssl.ssl_cert = "cert/ssl_PLACE_HOLDER.crt" yaml_conf.apisix.ssl.ssl_cert_key = "cert/ssl_PLACE_HOLDER.key" @@ -570,6 +578,11 @@ Please modify "admin_key" in conf/config.yaml . for k,v in pairs(yaml_conf.nginx_config) do sys_conf[k] = v end + if yaml_conf.deployment.admin then + for k,v in pairs(yaml_conf.deployment.admin) do + sys_conf[k] = v + end + end sys_conf["wasm"] = yaml_conf.wasm @@ -588,10 +601,6 @@ Please modify "admin_key" in conf/config.yaml . sys_conf["worker_processes"] = "auto" end - if sys_conf.allow_admin and #sys_conf.allow_admin == 0 then - sys_conf.allow_admin = nil - end - local dns_resolver = sys_conf["dns_resolver"] if not dns_resolver or #dns_resolver == 0 then local dns_addrs, err = local_dns_resolver("/etc/resolv.conf") diff --git a/apisix/cli/schema.lua b/apisix/cli/schema.lua index dbf83ef78c28..1a501ca320d7 100644 --- a/apisix/cli/schema.lua +++ b/apisix/cli/schema.lua @@ -65,6 +65,7 @@ local etcd_schema = { }, required = {"prefix", "host"} } + local config_schema = { type = "object", properties = { @@ -133,19 +134,6 @@ local config_schema = { } } }, - https_admin = { - type = "boolean", - }, - admin_listen = { - properties = { - listen = { type = "string" }, - port = { type = "integer" }, - }, - default = { - listen = "0.0.0.0", - port = 9180, - } - }, stream_proxy = { type = "object", properties = { 
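Review bot: In the hunk at -570, copying every key of `yaml_conf.deployment.admin` into `sys_conf` after the `nginx_config` loop lets an admin setting silently overwrite a same-named `nginx_config` key, and it also places the `admin_key` token list in `sys_conf`, which is presumably the template context. Copying an explicit list of the keys the template needs (`allow_admin`, `admin_api_mtls`, `https_admin`, and so on) avoids both. The following hunk also deletes the `#sys_conf.allow_admin == 0` normalisation, so `allow_admin: []` now reaches the template as an empty table rather than nil; confirm the template still renders the access rules you intend for that case. The template is not part of this diff.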
@@ -292,17 +280,51 @@ local config_schema = { type = "object", properties = { role = { - enum = {"traditional", "control_plane", "data_plane", "standalone"} + enum = {"traditional", "control_plane", "data_plane", "standalone"}, + default = "traditional" + } + }, + }, + }, + required = {"apisix", "deployment"}, +} + +local admin_schema = { + type = "object", + properties = { + admin_key = { + type = "array", + properties = { + items = { + properties = { + name = {type = "string"}, + key = {type = "string"}, + role = {type = "string"}, + } } + } + }, + admin_listen = { + properties = { + listen = { type = "string" }, + port = { type = "integer" }, }, - required = {"role"}, + default = { + listen = "0.0.0.0", + port = 9180, + } + }, + https_admin = { + type = "boolean", }, } } + local deployment_schema = { traditional = { properties = { etcd = etcd_schema, + admin = admin_schema, role_traditional = { properties = { config_provider = { @@ -402,13 +424,11 @@ function _M.validate(yaml_conf) end end - if yaml_conf.deployment then - local role = yaml_conf.deployment.role - local validator = jsonschema.generate_validator(deployment_schema[role]) - local ok, err = validator(yaml_conf.deployment) - if not ok then - return false, "invalid deployment " .. role .. " configuration: " .. err - end + local role = yaml_conf.deployment.role + local validator = jsonschema.generate_validator(deployment_schema[role]) + local ok, err = validator(yaml_conf.deployment) + if not ok then + return false, "invalid deployment " .. role .. " configuration: " .. err end return true diff --git a/apisix/init.lua b/apisix/init.lua index 80621432c03b..7f29fbc6b5b2 100644 --- a/apisix/init.lua +++ b/apisix/init.lua @@ -762,7 +762,7 @@ end local function cors_admin() local_conf = core.config.local_conf() - if local_conf.apisix and not local_conf.apisix.enable_admin_cors then + if not core.table.try_read_attr(local_conf, "deployment", "admin", "enable_admin_cors") then return end 
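Review bot: In `admin_schema`, the per-entry schema for `admin_key` is nested as `properties = { items = { ... } }`, which describes an object property literally named `items`; for `type = "array"` the element schema has to sit in `items` directly, so `name`, `key` and `role` are not type-checked as written. `admin_listen` also declares `listen` while config-default.yaml and ops.lua use `ip`, and `allow_admin`, `admin_api_mtls`, `enable_admin_cors` and `admin_api_version` have no schema at all. Since `admin = admin_schema` is attached only under `traditional` in this hunk, the other roles may not validate the block either. Before tightening, check that the configs init() in ops.lua tolerates today (it handles a non-string `admin.key`) are still accepted where you want them to be.

```lua
local admin_schema = {
    type = "object",
    properties = {
        admin_key = {
            type = "array",
            items = {
                type = "object",
                properties = {
                    name = {type = "string"},
                    key = {type = "string"},
                    role = {type = "string"},
                },
            },
        },
        admin_listen = {
            properties = {
                ip = { type = "string" },
                port = { type = "integer" },
            },
            default = {
                ip = "0.0.0.0",
                port = 9180,
            }
        },
        -- … unchanged: https_admin …
    }
}
```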
diff --git a/benchmark/run.sh b/benchmark/run.sh index 570d8e8fb7d9..f119afb84f48 100755 --- a/benchmark/run.sh +++ b/benchmark/run.sh @@ -68,11 +68,6 @@ else fi echo " -apisix: - admin_key: - - name: admin - key: edd1c9f034335f136f87ad84b625c8f1 - role: admin nginx_config: worker_processes: ${worker_cnt} " > conf/config.yaml diff --git a/conf/config-default.yaml b/conf/config-default.yaml index 96a0e692b42f..287613a57229 100755 --- a/conf/config-default.yaml +++ b/conf/config-default.yaml @@ -29,7 +29,6 @@ apisix: # port: 9082 # enable_http2: true enable_admin: true - enable_admin_cors: true # Admin API support CORS response headers. enable_dev_mode: false # Sets nginx worker_processes to 1 if set to true enable_reuseport: true # Enable nginx SO_REUSEPORT switch if set to true. show_upstream_status_in_response_header: false # when true all upstream status write to `X-APISIX-Upstream-Status` otherwise only 5xx code 
@@ -71,37 +70,6 @@ apisix: - name: memory_cache memory_size: 50m - allow_admin: # http://nginx.org/en/docs/http/ngx_http_access_module.html#allow - - 127.0.0.0/24 # If we don't set any IP list, then any IP access is allowed by default. - #- "::/64" - admin_listen: # use a separate port - ip: 0.0.0.0 # Specific IP, if not set, the default value is `0.0.0.0`. - port: 9180 # Specific port, which must be different from node_listen's port. - - #https_admin: true # enable HTTPS when use a separate port for Admin API. - # Admin API will use conf/apisix_admin_api.crt and conf/apisix_admin_api.key as certificate. - admin_api_mtls: # Depends on `admin_listen` and `https_admin`. - admin_ssl_cert: "" # Path of your self-signed server side cert. - admin_ssl_cert_key: "" # Path of your self-signed server side key. - admin_ssl_ca_cert: "" # Path of your self-signed ca cert.The CA is used to sign all admin api callers' certificates. - - admin_api_version: v3 # The version of admin api, latest version is v3. - - # Default token when use API to call for Admin API. - # *NOTE*: Highly recommended to modify this value to protect APISIX's Admin API. - # Disabling this configuration item means that the Admin API does not - # require any authentication. - admin_key: - - - name: admin - key: edd1c9f034335f136f87ad84b625c8f1 - role: admin # admin: manage all configuration data - # viewer: only can view configuration data - - - name: viewer - key: 4054f7cf07e344346cd3f287985e76a2 - role: viewer - delete_uri_tail_slash: false # delete the '/' at the end of the URI # The URI normalization in servlet is a little different from the RFC's. # See https://github.com/jakartaee/servlet/blob/master/spec/src/main/asciidoc/servlet-spec-body.adoc#352-uri-path-canonicalization, 
@@ -543,6 +511,40 @@ deployment: role: traditional role_traditional: config_provider: etcd + admin: + # Default token when use API to call for Admin API. + # *NOTE*: Highly recommended to modify this value to protect APISIX's Admin API. + # Disabling this configuration item means that the Admin API does not + # require any authentication. + admin_key: + - + name: admin + key: edd1c9f034335f136f87ad84b625c8f1 + role: admin # admin: manage all configuration data + # viewer: only can view configuration data + - + name: viewer + key: 4054f7cf07e344346cd3f287985e76a2 + role: viewer + + enable_admin_cors: true # Admin API support CORS response headers. + allow_admin: # http://nginx.org/en/docs/http/ngx_http_access_module.html#allow + - 127.0.0.0/24 # If we don't set any IP list, then any IP access is allowed by default. + #- "::/64" + admin_listen: # use a separate port + ip: 0.0.0.0 # Specific IP, if not set, the default value is `0.0.0.0`. + port: 9180 # Specific port, which must be different from node_listen's port. + + #https_admin: true # enable HTTPS when use a separate port for Admin API. + # Admin API will use conf/apisix_admin_api.crt and conf/apisix_admin_api.key as certificate. + + admin_api_mtls: # Depends on `admin_listen` and `https_admin`. + admin_ssl_cert: "" # Path of your self-signed server side cert. + admin_ssl_cert_key: "" # Path of your self-signed server side key. + admin_ssl_ca_cert: "" # Path of your self-signed ca cert.The CA is used to sign all admin api callers' certificates. + + admin_api_version: v3 # The version of admin api, latest version is v3. + etcd: host: # it's possible to define multiple etcd hosts addresses of the same etcd cluster. - "http://127.0.0.1:2379" # multiple etcd address, if your etcd cluster enables TLS, please use https scheme, diff --git a/conf/config.yaml b/conf/config.yaml index 6a5f56205a36..a77ce21e6238 100644 --- a/conf/config.yaml +++ b/conf/config.yaml 
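Review bot: The relocated `admin` defaults combine published `admin_key` values, `admin_listen.ip: 0.0.0.0` and `enable_admin_cors: true`, which leaves `allow_admin` as the only network-level restriction, and the comments do not say so. I would extend the `admin_listen.ip` comment to "Specific IP, if not set, the default value is 0.0.0.0 (all interfaces; access is then limited only by allow_admin)". Next to `admin_key` I would add that both default keys are public and must be replaced before `allow_admin` is widened beyond loopback.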
@@ -52,8 +52,12 @@ # # This will find environment variable `ETCD_HOST` first, and if it's not exist it will use `localhost` as default value. # -apisix: - admin_key: - - name: admin - key: edd1c9f034335f136f87ad84b625c8f1 # using fixed API token has security risk, please update it when you deploy to production environment - role: admin +deployment: + role: traditional + role_traditional: + config_provider: etcd + admin: + admin_key: + - name: admin + key: edd1c9f034335f136f87ad84b625c8f1 # using fixed API token has security risk, please update it when you deploy to production environment + role: admin diff --git a/docs/en/latest/FAQ.md b/docs/en/latest/FAQ.md index 169a03ffee46..8515c564eaae 100644 --- a/docs/en/latest/FAQ.md +++ b/docs/en/latest/FAQ.md @@ -365,10 +365,11 @@ You can follow the steps below to configure this: 1. Configure different ports for Apache APISIX proxy and Admin API. Or, disable the Admin API. ```yaml -apisix: - admin_listen: # use a separate port - ip: 127.0.0.1 - port: 9180 +deployment: + admin: + admin_listen: # use a separate port + ip: 127.0.0.1 + port: 9180 ``` 2. Add a proxy Route for the Apache APISIX dashboard: @@ -501,9 +502,10 @@ By default, Apache APISIX only allows IPs in the range `127.0.0.0/24` to access To allow IPs in all ranges, you can update your configuration file as show below and restart or reload Apache APISIX. ```yaml -apisix: - allow_admin: - - 0.0.0.0/0 +deployment: + admin: + allow_admin: + - 0.0.0.0/0 ``` **Note**: This should only be used in non-production environments to allow all clients to access Apache APISIX and is not safe for production environments. Always authorize specific IP addresses or address ranges for production environments. diff --git a/docs/en/latest/admin-api.md b/docs/en/latest/admin-api.md index 87191479dacc..ada9b9f4a83c 100644 --- a/docs/en/latest/admin-api.md +++ b/docs/en/latest/admin-api.md 
@@ -25,7 +25,7 @@ The Admin API lets users control their deployed Apache APISIX instance. The [arc By default, the Admin API listens to port `9180` when APISIX is launched. This can be changed by modifying your configuration file ([conf/config.yaml](https://github.com/apache/apisix/blob/master/conf/config.yaml)). -**Note**: Mentions of `X-API-KEY` in this document refers to `apisix.admin_key.key`—the access token for Admin API—in your configuration file. +**Note**: Mentions of `X-API-KEY` in this document refers to `deployment.admin.admin_key.key`—the access token for Admin API—in your configuration file. ## V3 diff --git a/docs/en/latest/certificate.md b/docs/en/latest/certificate.md index 94e74d722d11..4bcfa5ae240f 100644 --- a/docs/en/latest/certificate.md +++ b/docs/en/latest/certificate.md 
@@ -191,8 +191,8 @@ The following table details the configurations involved in this example and what | foo_ca.crt | CA cert | Issues the secondary certificate required for the client to communicate with the APISIX Admin API over mTLS. | | foo_client.crt | cert | A certificate issued by `foo_ca.crt` and used by the client to prove its identity when accessing the APISIX Admin API. | | foo_client.key | key | Issued by `foo_ca.crt`, used by the client, the key file required to access the APISIX Admin API. | -| foo_server.crt | cert | Issued by `foo_ca.crt`, used by APISIX, corresponding to the `apisix.admin_api_mtls.admin_ssl_cert` configuration entry. | -| foo_server.key | key | Issued by `foo_ca.crt`, used by APISIX, corresponding to the `apisix.admin_api_mtls.admin_ssl_cert_key` configuration entry. | +| foo_server.crt | cert | Issued by `foo_ca.crt`, used by APISIX, corresponding to the `admin_api_mtls.admin_ssl_cert` configuration entry. | +| foo_server.key | key | Issued by `foo_ca.crt`, used by APISIX, corresponding to the `admin_api_mtls.admin_ssl_cert_key` configuration entry. | | admin.apisix.dev | doname | Common Name used in issuing `foo_server.crt` certificate, through which the client accesses APISIX Admin API | | bar_ca.crt | CA cert | Issues the secondary certificate required for APISIX to communicate with ETCD over mTLS. | | bar_etcd.crt | cert | Issued by `bar_ca.crt` and used by ETCD, corresponding to the `-cert-file` option in the ETCD startup command. | 
@@ -228,21 +228,22 @@ goreman -f Procfile-single-enable-mtls start > goreman.log 2>&1 & 3. Update `config.yaml` ```yaml -apisix: - admin_key: - - name: admin - key: edd1c9f034335f136f87ad84b625c8f1 - role: admin - admin_listen: - ip: 127.0.0.1 - port: 9180 - https_admin: true - - admin_api_mtls: - admin_ssl_ca_cert: /path/to/apisix.ca-bundle - admin_ssl_cert: /path/to/foo_server.crt - admin_ssl_cert_key: /path/to/foo_server.key +deployment: + admin: + admin_key + - name: admin + key: edd1c9f034335f136f87ad84b625c8f1 + role: admin + admin_listen: + ip: 127.0.0.1 + port: 9180 + https_admin: true + admin_api_mtls: + admin_ssl_ca_cert: /path/to/apisix.ca-bundle + admin_ssl_cert: /path/to/foo_server.crt + admin_ssl_cert_key: /path/to/foo_server.key +apisix: ssl: ssl_trusted_certificate: /path/to/apisix.ca-bundle diff --git a/docs/en/latest/deployment-modes.md b/docs/en/latest/deployment-modes.md index d4180f419044..645782dcd88e 100644 --- a/docs/en/latest/deployment-modes.md +++ b/docs/en/latest/deployment-modes.md @@ -49,12 +49,13 @@ An example configuration of the traditional deployment mode is shown below: apisix: node_listen: - port: 9080 - admin_listen: - port: 9180 deployment: role: traditional role_traditional: config_provider: etcd + admin: + admin_listen: + port: 9180 etcd: host: - http://${IP}:${Port} diff --git a/docs/en/latest/installation-guide.md b/docs/en/latest/installation-guide.md index a383d2505196..837a34b7fdd6 100644 --- a/docs/en/latest/installation-guide.md +++ b/docs/en/latest/installation-guide.md @@ -272,12 +272,13 @@ It is recommended to modify the Admin API key to ensure security. You can update your configuration file as shown below: ```yaml title="conf/config.yaml" -apisix: - admin_key - - - name: "admin" - key: newsupersecurekey - role: admin +deployment: + admin: + admin_key + - + name: "admin" + key: newsupersecurekey + role: admin ``` Now, to access the Admin API, you can use the new key: 
diff --git a/docs/en/latest/plugin-develop.md b/docs/en/latest/plugin-develop.md index ca1d3a23f019..b47d9dfdf940 100644 --- a/docs/en/latest/plugin-develop.md +++ b/docs/en/latest/plugin-develop.md @@ -144,12 +144,6 @@ Note: the order of the plugins is not related to the order of execution. To enable your plugin, copy this plugin list into `conf/config.yaml`, and add your plugin name. For instance: ```yaml -apisix: - admin_key: - - name: "admin" - key: edd1c9f034335f136f87ad84b625c8f1 # using fixed API token has security risk, please update it when you deploy to production environment - role: admin - plugins: # copied from config-default.yaml ... - your-plugin diff --git a/docs/zh/latest/FAQ.md b/docs/zh/latest/FAQ.md index 2722d7dd73b4..3df0c44f9961 100644 --- a/docs/zh/latest/FAQ.md +++ b/docs/zh/latest/FAQ.md @@ -368,10 +368,11 @@ make: *** [deps] Error 1 1. 为 Apache APISIX 代理和 Admin API 配置不同的端口,或者禁用 Admin API。 ```yaml -apisix: - admin_listen: # use a separate port - ip: 127.0.0.1 - port: 9180 +deployment: + admin: + admin_listen: # use a separate port + ip: 127.0.0.1 + port: 9180 ``` 2、添加 APISIX Dashboard 的代理路由: @@ -457,17 +458,17 @@ curl http://127.0.0.1:9080/ip -i ## Admin API 的 `X-API-KEY` 指的是什么?是否可以修改? -Admin API 的 `X-API-KEY` 指的是 `./conf/config.yaml` 文件中的 `apisix.admin_key.key`,默认值是 `edd1c9f034335f136f87ad84b625c8f1`。它是 Admin API 的访问 token。 +Admin API 的 `X-API-KEY` 指的是 `./conf/config.yaml` 文件中的 `deployment.admin.admin_key.key`,默认值是 `edd1c9f034335f136f87ad84b625c8f1`。它是 Admin API 的访问 token。 默认情况下,它被设置为 `edd1c9f034335f136f87ad84b625c8f1`,也可以通过修改 `./conf/conf/config` 中的参数来修改,如下示例: ```yaml -apisix: - admin_key - - - name: "admin" - key: newkey - role: admin +deployment: + admin: + admin_key + - name: "admin" + key: newkey + role: admin ``` 然后访问 Admin API: 
@@ -502,9 +503,10 @@ Apache APISIX 默认只允许 `127.0.0.0/24` 的 IP 段范围访问 `Admin API` 如果你想允许所有的 IP 访问,只需在 `./conf/config.yaml` 配置文件中添加如下的配置,然后重启或重新加载 APISIX 就可以让所有 IP 访问 `Admin API`。 ```yaml -apisix: - allow_admin: - - 0.0.0.0/0 +deployment: + admin: + allow_admin: + - 0.0.0.0/0 ``` **注意**:你可以在非生产环境中使用此方法,以允许所有客户端从任何地方访问 Apache APISIX 实例,但是在生产环境中该设置并不安全。在生产环境中,请仅授权特定的 IP 地址或地址范围访问 Apache APISIX 实例。 diff --git a/docs/zh/latest/admin-api.md b/docs/zh/latest/admin-api.md index e1454ac7e416..a0dbceba2e5f 100644 --- a/docs/zh/latest/admin-api.md +++ b/docs/zh/latest/admin-api.md @@ -27,7 +27,7 @@ Admin API 是为 Apache APISIX 服务的一组 API,我们可以将参数传递 启动 Apache APISIX 时,默认情况下 Admin API 将监听 `9180` 端口。您可以通过修改 [conf/config.yaml](https://github.com/apache/apisix/blob/master/conf/config.yaml) 文件来改变默认监听的端口。 -在下面出现的 `X-API-KEY` 指的是 `conf/config.yaml` 文件中的 `apisix.admin_key.key`,它是 Admin API 的访问 token。 +在下面出现的 `X-API-KEY` 指的是 `conf/config.yaml` 文件中的 `deployment.admin.admin_key.key`,它是 Admin API 的访问 token。 ## V3 diff --git a/docs/zh/latest/certificate.md b/docs/zh/latest/certificate.md index 06f7933c2d84..310f53890dd3 100644 --- a/docs/zh/latest/certificate.md +++ b/docs/zh/latest/certificate.md 
@@ -188,8 +188,8 @@ APISIX 目前支持在多处设置 CA 证书,比如 [保护 Admin API](./mtls. | foo_ca.crt | CA 证书 | 签发客户端与 APISIX Admin API 进行 mTLS 通信所需的次级证书。 | | foo_client.crt | 证书 | 由 `foo_ca.crt` 签发,客户端使用,访问 APISIX Admin API 时证明自身身份的证书。 | | foo_client.key | 密钥文件 | 由 `foo_ca.crt` 签发,客户端使用,访问 APISIX Admin API 所需的密钥文件。 | -| foo_server.crt | 证书 | 由 `foo_ca.crt` 签发,APISIX 使用,对应 `apisix.admin_api_mtls.admin_ssl_cert` 配置项。 | -| foo_server.key | 密钥文件 | 由 `foo_ca.crt` 签发,APISIX 使用,对应 `apisix.admin_api_mtls.admin_ssl_cert_key` 配置项。 | +| foo_server.crt | 证书 | 由 `foo_ca.crt` 签发,APISIX 使用,对应 `admin_api_mtls.admin_ssl_cert` 配置项。 | +| foo_server.key | 密钥文件 | 由 `foo_ca.crt` 签发,APISIX 使用,对应 `admin_api_mtls.admin_ssl_cert_key` 配置项。 | | admin.apisix.dev | 域名 | 签发 `foo_server.crt` 证书时使用的 Common Name,客户端通过该域名访问 APISIX Admin API | | bar_ca.crt | CA 证书 | 签发 APISIX 与 ETCD 进行 mTLS 通信所需的次级证书。 | | bar_etcd.crt | 证书 | 由 `bar_ca.crt` 签发,ETCD 使用,对应 ETCD 启动命令中的 `--cert-file` 选项。 | @@ -225,21 +225,22 @@ goreman -f Procfile-single-enable-mtls start > goreman.log 2>&1 & 3. 更新 `config.yaml` ```yaml -apisix: - admin_key: - - name: admin - key: edd1c9f034335f136f87ad84b625c8f1 - role: admin - admin_listen: - ip: 127.0.0.1 - port: 9180 - https_admin: true - - admin_api_mtls: - admin_ssl_ca_cert: /path/to/apisix.ca-bundle - admin_ssl_cert: /path/to/foo_server.crt - admin_ssl_cert_key: /path/to/foo_server.key +deployment: + admin: + admin_key + - name: admin + key: edd1c9f034335f136f87ad84b625c8f1 + role: admin + admin_listen: + ip: 127.0.0.1 + port: 9180 + https_admin: true + admin_api_mtls: + admin_ssl_ca_cert: /path/to/apisix.ca-bundle + admin_ssl_cert: /path/to/foo_server.crt + admin_ssl_cert_key: /path/to/foo_server.key +apisix: ssl: ssl_trusted_certificate: /path/to/apisix.ca-bundle diff --git a/docs/zh/latest/installation-guide.md b/docs/zh/latest/installation-guide.md index 5b0ea80e3aed..2b19d15024f9 100644 --- a/docs/zh/latest/installation-guide.md +++ b/docs/zh/latest/installation-guide.md 
@@ -261,12 +261,13 @@ APISIX 的默认配置可以在 `./conf/config-default.yaml` 文件中看到, 请参考如下信息更新配置文件: ```yaml title="./conf/config.yaml" -apisix: - admin_key - - - name: "admin" - key: newsupersecurekey # 请修改 key 的值 - role: admin +deployment: + admin: + admin_key + - + name: "admin" + key: newsupersecurekey # 请修改 key 的值 + role: admin ``` 更新完成后,你可以使用新的 key 访问 Admin API: diff --git a/docs/zh/latest/plugins/aws-lambda.md b/docs/zh/latest/plugins/aws-lambda.md index fb0fdb960bc5..7398016e4e05 100644 --- a/docs/zh/latest/plugins/aws-lambda.md +++ b/docs/zh/latest/plugins/aws-lambda.md @@ -101,8 +101,6 @@ Content-Type: application/json ```yaml apisix: - admin_key: -... node_listen: # 支持监听多个端口 - 9080 - port: 9081 diff --git a/docs/zh/latest/plugins/azure-functions.md b/docs/zh/latest/plugins/azure-functions.md index 4664e09fa82e..8e1ae90d0142 100644 --- a/docs/zh/latest/plugins/azure-functions.md +++ b/docs/zh/latest/plugins/azure-functions.md @@ -116,8 +116,6 @@ Hello, APISIX ```yaml apisix: - admin_key: -... node_listen: # 支持监听多个端口 - 9080 - port: 9081 diff --git a/t/APISIX.pm b/t/APISIX.pm index 26bf7efe66ce..f416f845ef57 100644 --- a/t/APISIX.pm +++ b/t/APISIX.pm @@ -105,7 +105,6 @@ apisix: stream_proxy: tcp: - 9100 - admin_key: null enable_resolv_search_opt: false _EOC_ @@ -832,6 +831,19 @@ _EOC_ my $yaml_config = $block->yaml_config // $user_yaml_config; + my $default_deployment = <<_EOC_; +deployment: + role: traditional + role_traditional: + config_provider: etcd + admin: + admin_key: null +_EOC_ + + if ($yaml_config !~ m/deployment:/) { + $yaml_config = $default_deployment . $yaml_config; + } + if ($block->extra_yaml_config) { $yaml_config .= $block->extra_yaml_config; } diff --git a/t/admin/api.t b/t/admin/api.t index 71c924915435..43e5ac163c84 100644 --- a/t/admin/api.t +++ b/t/admin/api.t 
@@ -44,6 +44,12 @@ Server: APISIX/(.*) === TEST 2: Server header for admin API without token --- yaml_config +deployment: + admin: + admin_key: + - key: a + name: a + role: admin apisix: node_listen: 1984 enable_server_tokens: false @@ -55,6 +61,12 @@ Server: APISIX === TEST 3: Version header for admin API (without apikey) --- yaml_config +deployment: + admin: + admin_key: + - key: a + name: a + role: admin apisix: admin_api_version: default --- error_code: 401 @@ -65,8 +77,13 @@ apisix: === TEST 4: Version header for admin API (v2) --- yaml_config -apisix: - admin_api_version: v2 # default may change +deployment: + role: traditional + role_traditional: + config_provider: etcd + admin: + admin_key: ~ + admin_api_version: v2 --- more_headers X-API-KEY: edd1c9f034335f136f87ad84b625c8f1 --- response_headers @@ -76,9 +93,31 @@ X-API-VERSION: v2 === TEST 5: Version header for admin API (v3) --- yaml_config -apisix: - admin_api_version: v3 +deployment: + role: traditional + role_traditional: + config_provider: etcd + admin: + admin_key: ~ + admin_api_version: v3 --- more_headers X-API-KEY: edd1c9f034335f136f87ad84b625c8f1 --- response_headers X-API-VERSION: v3 + + + +=== TEST 6: CORS header for admin API +--- response_headers +Access-Control-Allow-Origin: * + + + +=== TEST 7: CORS header disabled for admin API +--- yaml_config +deployment: + admin: + admin_key: ~ + enable_admin_cors: false +--- response_headers +Access-Control-Allow-Origin: diff --git a/t/admin/filter.t b/t/admin/filter.t index 6173a8548f6a..98844b186d9a 100644 --- a/t/admin/filter.t +++ b/t/admin/filter.t @@ -25,10 +25,15 @@ add_block_preprocessor(sub { my ($block) = @_; my $user_yaml_config = <<_EOC_; +deployment: + role: traditional + role_traditional: + config_provider: etcd + admin: + admin_key: ~ + admin_api_version: v3 apisix: node_listen: 1984 - admin_key: null - admin_api_version: v3 _EOC_ $block->set_value("yaml_config", $user_yaml_config); 
diff --git a/t/admin/plugins-reload.t b/t/admin/plugins-reload.t index e4841f1bf808..c301acf194d4 100644 --- a/t/admin/plugins-reload.t +++ b/t/admin/plugins-reload.t @@ -95,9 +95,14 @@ location /t { ngx.sleep(0.5) local data = [[ +deployment: + role: traditional + role_traditional: + config_provider: etcd + admin: + admin_key: null apisix: node_listen: 1984 - admin_key: null plugins: - jwt-auth stream_plugins: @@ -133,7 +138,6 @@ filter(): [{"name":"jwt-auth"},{"name":"mqtt-proxy","stream":true}] --- yaml_config apisix: node_listen: 1984 - admin_key: null plugins: - example-plugin plugin_attr: @@ -145,9 +149,14 @@ location /t { local core = require "apisix.core" ngx.sleep(0.1) local data = [[ +deployment: + role: traditional + role_traditional: + config_provider: etcd + admin: + admin_key: null apisix: node_listen: 1984 - admin_key: null plugins: - example-plugin plugin_attr: @@ -165,9 +174,14 @@ plugin_attr: ngx.sleep(0.1) local data = [[ +deployment: + role: traditional + role_traditional: + config_provider: etcd + admin: + admin_key: null apisix: node_listen: 1984 - admin_key: null plugins: - example-plugin plugin_attr: @@ -207,7 +221,6 @@ example-plugin get plugin attr val: 1 --- yaml_config apisix: node_listen: 1984 - admin_key: null plugins: - public-api - prometheus @@ -238,9 +251,14 @@ location /t { ngx.say(code) local data = [[ +deployment: + role: traditional + role_traditional: + config_provider: etcd + admin: + admin_key: null apisix: node_listen: 1984 - admin_key: null plugins: - public-api - prometheus @@ -275,7 +293,6 @@ done --- yaml_config apisix: node_listen: 1984 - admin_key: null plugins: - skywalking plugin_attr: @@ -292,9 +309,14 @@ location /t { local t = require("lib.test_admin").test local data = [[ +deployment: + role: traditional + role_traditional: + config_provider: etcd + admin: + admin_key: null apisix: node_listen: 1984 - admin_key: null plugins: - prometheus ]] 
diff --git a/t/admin/plugins.t b/t/admin/plugins.t index cfa7173f66b2..2bd1a4703b59 100644 --- a/t/admin/plugins.t +++ b/t/admin/plugins.t @@ -375,10 +375,7 @@ qr/\{"properties":\{"password":\{"type":"string"\},"username":\{"type":"string"\ === TEST 12: confirm the scope of plugin ---- yaml_config -apisix: - node_listen: 1984 - admin_key: null +--- extra_yaml_config plugins: - batch-requests - error-log-logger diff --git a/t/admin/response_body_format.t b/t/admin/response_body_format.t index ae7431387172..86f4e5d809e4 100644 --- a/t/admin/response_body_format.t +++ b/t/admin/response_body_format.t @@ -26,10 +26,15 @@ add_block_preprocessor(sub { my ($block) = @_; my $user_yaml_config = <<_EOC_; +deployment: + role: traditional + role_traditional: + config_provider: etcd + admin: + admin_key: ~ + admin_api_version: v3 apisix: node_listen: 1984 - admin_key: null - admin_api_version: v3 _EOC_ $block->set_value("yaml_config", $user_yaml_config); diff --git a/t/admin/ssl2.t b/t/admin/ssl2.t index c1e1a9e4a626..da286db1a44b 100644 --- a/t/admin/ssl2.t +++ b/t/admin/ssl2.t @@ -431,7 +431,6 @@ qr/"snis":\["update1.com","update2.com"\]/ --- yaml_config apisix: node_listen: 1984 - admin_key: null ssl: key_encrypt_salt: "edd1c9f0985e76a2" --- config @@ -469,7 +468,6 @@ false --- yaml_config apisix: node_listen: 1984 - admin_key: null ssl: key_encrypt_salt: "edd1c9f0985e76a2" --- config diff --git a/t/admin/stream-routes-disable.t b/t/admin/stream-routes-disable.t index 7752663bf68e..7d7ffbb090ef 100644 --- a/t/admin/stream-routes-disable.t +++ b/t/admin/stream-routes-disable.t @@ -29,7 +29,6 @@ add_block_preprocessor(sub { my $user_yaml_config = <<_EOC_; apisix: node_listen: 1984 - admin_key: null _EOC_ $block->set_value("yaml_config", $user_yaml_config); diff --git a/t/admin/token.t b/t/admin/token.t index 22308e1c9016..43cdf3605fca 100644 --- a/t/admin/token.t +++ b/t/admin/token.t 
@@ -27,6 +27,13 @@ add_block_preprocessor(sub { my ($block) = @_; my $user_yaml_config = <<_EOC_; +deployment: + admin: + admin_key: + - name: admin + role: admin + key: edd1c9f034335f136f87ad84b625c8f1 + apisix: node_listen: 1984 _EOC_ diff --git a/t/cli/test_access_log.sh b/t/cli/test_access_log.sh index ad48dcb4c865..7c40b35a3b8a 100755 --- a/t/cli/test_access_log.sh +++ b/t/cli/test_access_log.sh @@ -187,13 +187,14 @@ echo "don't log uninitialized access log variable when the HTTP request is malfo # TLS upstream echo " -apisix: - admin_api_mtls: - admin_ssl_cert: '../t/certs/apisix_admin_ssl.crt' - admin_ssl_cert_key: '../t/certs/apisix_admin_ssl.key' - admin_listen: - port: 9180 - https_admin: true +deployment: + admin: + admin_listen: + port: 9180 + https_admin: true + admin_api_mtls: + admin_ssl_cert: '../t/certs/apisix_admin_ssl.crt' + admin_ssl_cert_key: '../t/certs/apisix_admin_ssl.key' nginx_config: http: access_log_format: '\"\$upstream_scheme://\$upstream_host\" \$ssl_server_name' diff --git a/t/cli/test_admin.sh b/t/cli/test_admin.sh index 960975417b61..bbca122701b2 100755 --- a/t/cli/test_admin.sh +++ b/t/cli/test_admin.sh @@ -24,13 +24,14 @@ git checkout conf/config.yaml echo " -apisix: - admin_api_mtls: - admin_ssl_cert: '../t/certs/apisix_admin_ssl.crt' - admin_ssl_cert_key: '../t/certs/apisix_admin_ssl.key' - admin_listen: - port: 9180 - https_admin: true +deployment: + admin: + admin_listen: + port: 9180 + https_admin: true + admin_api_mtls: + admin_ssl_cert: '../t/certs/apisix_admin_ssl.crt' + admin_ssl_cert_key: '../t/certs/apisix_admin_ssl.key' " > conf/config.yaml make init @@ -56,9 +57,11 @@ echo "passed: admin https enabled" echo ' apisix: enable_admin: true - admin_listen: - ip: 127.0.0.2 - port: 9181 +deployment: + admin: + admin_listen: + ip: 127.0.0.2 + port: 9181 ' > conf/config.yaml make init 
@@ -100,9 +103,10 @@ echo "passed: rollback to the default admin config" # set allow_admin in conf/config.yaml echo " -apisix: - allow_admin: - - 127.0.0.9 +deployment: + admin: + allow_admin: + - 127.0.0.9 " > conf/config.yaml make init @@ -114,8 +118,9 @@ if [ $count -eq 0 ]; then fi echo " -apisix: - allow_admin: ~ +deployment: + admin: + allow_admin: ~ " > conf/config.yaml make init @@ -133,9 +138,10 @@ echo "passed: empty allow_admin in conf/config.yaml" git checkout conf/config.yaml echo ' -apisix: - allow_admin: ~ - admin_key: ~ +deployment: + admin: + admin_key: ~ + allow_admin: ~ ' > conf/config.yaml make init > output.log 2>&1 | true @@ -151,13 +157,14 @@ echo "pass: missing admin key and show ERROR message" # admin api, allow any IP but use default key echo ' -apisix: - allow_admin: ~ - admin_key: - - - name: "admin" - key: edd1c9f034335f136f87ad84b625c8f1 - role: admin +deployment: + admin: + allow_admin: ~ + admin_key: + - + name: "admin" + key: edd1c9f034335f136f87ad84b625c8f1 + role: admin ' > conf/config.yaml make init > output.log 2>&1 | true @@ -172,9 +179,10 @@ echo "pass: show WARNING message if the user used default token and allow any IP # admin_listen set echo ' -apisix: - admin_listen: - port: 9180 +deployment: + admin: + admin_listen: + port: 9180 ' > conf/config.yaml rm logs/error.log @@ -258,7 +266,7 @@ code=$(curl -v -k -i -m 20 -o /dev/null -s -w %{http_code} -X PUT http://127.0.0 \"public-api\": {} } }") -if [ ! $code -eq 201 ]; then +if [ ! $code -lt 300 ]; then echo "failed: initialize node status public API failed #1" exit 1 fi diff --git a/t/cli/test_admin_mtls.sh b/t/cli/test_admin_mtls.sh index 881530a66163..7bbad286e416 100755 --- a/t/cli/test_admin_mtls.sh +++ b/t/cli/test_admin_mtls.sh 
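Review bot: In the last hunk of t/cli/test_admin.sh (`@@ -258,7 +266,7 @@`) the relaxed check `[ ! $code -lt 300 ]` accepts every value below 300, not only success codes. That includes the `000` that curl's `%{http_code}` prints when no HTTP response was received, and any 1xx, so a PUT that never reached the Admin API would pass this step. Bound both ends and quote the variable: `if [ "$code" -lt 200 ] || [ "$code" -ge 300 ]; then`. The curl command that sets `code` begins above the hunk, so its full arguments are not visible here.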
@@ -22,15 +22,15 @@ # The 'admin.apisix.dev' is injected by ci/common.sh@set_coredns echo ' -apisix: - admin_listen: - port: 9180 - https_admin: true - - admin_api_mtls: - admin_ssl_cert: "../t/certs/mtls_server.crt" - admin_ssl_cert_key: "../t/certs/mtls_server.key" - admin_ssl_ca_cert: "../t/certs/mtls_ca.crt" +deployment: + admin: + admin_listen: + port: 9180 + https_admin: true + admin_api_mtls: + admin_ssl_cert: "../t/certs/mtls_server.crt" + admin_ssl_cert_key: "../t/certs/mtls_server.key" + admin_ssl_ca_cert: "../t/certs/mtls_ca.crt" ' > conf/config.yaml diff --git a/t/cli/test_main.sh b/t/cli/test_main.sh index 6a0358405889..079d365785b6 100755 --- a/t/cli/test_main.sh +++ b/t/cli/test_main.sh @@ -525,13 +525,14 @@ echo "passed: worker_processes number is configurable" git checkout conf/config.yaml echo " -apisix: - admin_api_mtls: - admin_ssl_cert: '../t/certs/apisix_admin_ssl.crt' - admin_ssl_cert_key: '../t/certs/apisix_admin_ssl.key' - admin_listen: - port: 9180 - https_admin: true +deployment: + admin: + admin_listen: + port: 9180 + https_admin: true + admin_api_mtls: + admin_ssl_cert: '../t/certs/apisix_admin_ssl.crt' + admin_ssl_cert_key: '../t/certs/apisix_admin_ssl.key' " > conf/customized_config.yaml cp conf/config.yaml conf/config_original.yaml diff --git a/t/cli/test_makefile.sh b/t/cli/test_makefile.sh index 5b1ecd712ada..30a196d0067c 100755 --- a/t/cli/test_makefile.sh +++ b/t/cli/test_makefile.sh @@ -22,11 +22,13 @@ make run echo " +deployment: + admin: + admin_listen: + ip: 127.0.0.2 + port: 9181 apisix: enable_admin: true - admin_listen: - ip: 127.0.0.2 - port: 9181 " > conf/config.yaml make reload diff --git a/t/cli/test_snippet.sh b/t/cli/test_snippet.sh index ad55151f1c11..1b545dd9cf0a 100755 --- a/t/cli/test_snippet.sh +++ b/t/cli/test_snippet.sh @@ -25,8 +25,6 @@ echo ' apisix: node_listen: 9080 enable_admin: true - admin_listen: - port: 9180 stream_proxy: only: false tcp: 
diff --git a/t/cli/test_upstream_mtls.sh b/t/cli/test_upstream_mtls.sh index da5b5f864f7a..b93f1c68a356 100755 --- a/t/cli/test_upstream_mtls.sh +++ b/t/cli/test_upstream_mtls.sh @@ -28,10 +28,6 @@ exit_if_not_customed_nginx echo ' apisix: - admin_key: - - name: admin - key: edd1c9f034335f136f87ad84b625c8f1 - role: admin ssl: ssl_trusted_certificate: t/certs/apisix.crt nginx_config: @@ -91,10 +87,6 @@ echo "passed: connection to upstream with mTLS success" # test proxy_ssl_trusted_certificate and use incorrect ca cert echo ' apisix: - admin_key: - - name: admin - key: edd1c9f034335f136f87ad84b625c8f1 - role: admin ssl: ssl_trusted_certificate: t/certs/apisix_ecc.crt nginx_config: diff --git a/t/cli/test_validate_config.sh b/t/cli/test_validate_config.sh index 2fe5d40666ae..1c00360f1c30 100755 --- a/t/cli/test_validate_config.sh +++ b/t/cli/test_validate_config.sh @@ -75,11 +75,13 @@ make stop echo "passed: find the certificate correctly" echo ' +deployment: + admin: + admin_listen: + port: 9180 apisix: node_listen: 9080 enable_admin: true - admin_listen: - port: 9180 stream_proxy: tcp: - "localhost:9100" diff --git a/t/control/schema.t b/t/control/schema.t index ae9c676d7591..f3e9f7d6263e 100644 --- a/t/control/schema.t +++ b/t/control/schema.t @@ -110,10 +110,7 @@ passed === TEST 2: confirm the scope of plugin ---- yaml_config -apisix: - node_listen: 1984 - admin_key: null +--- extra_yaml_config plugins: - batch-requests - error-log-logger diff --git a/t/core/config-default.t b/t/core/config-default.t index 17ccedd5c285..a9546c97dbe3 100644 --- a/t/core/config-default.t +++ b/t/core/config-default.t @@ -32,7 +32,7 @@ __DATA__ ngx.say("node_listen: ", config.apisix.node_listen) ngx.say("stream_proxy: ", encode_json(config.apisix.stream_proxy)) - ngx.say("admin_key: ", encode_json(config.apisix.admin_key)) + ngx.say("admin_key: ", encode_json(config.deployment.admin.admin_key)) } } --- request 
@@ -56,15 +56,16 @@ failed to parse yaml config: failed to merge, path[apisix->node_listen] expect: === TEST 3: use `null` means delete --- yaml_config -apisix: - admin_key: null +deployment: + admin: + admin_key: null --- config location /t { content_by_lua_block { local encode_json = require("toolkit.json").encode local config = require("apisix.core").config.local_conf() - ngx.say("admin_key: ", encode_json(config.apisix.admin_key)) + ngx.say("admin_key: ", encode_json(config.deployment.admin.admin_key)) } } --- request @@ -76,15 +77,16 @@ admin_key: null === TEST 4: use `~` means delete --- yaml_config -apisix: - admin_key: ~ +deployment: + admin: + admin_key: null --- config location /t { content_by_lua_block { local encode_json = require("toolkit.json").encode local config = require("apisix.core").config.local_conf() - ngx.say("admin_key: ", encode_json(config.apisix.admin_key)) + ngx.say("admin_key: ", encode_json(config.deployment.admin.admin_key)) } } --- request diff --git a/t/core/config_etcd.t b/t/core/config_etcd.t index 5c1d590a14f5..a117689c3680 100644 --- a/t/core/config_etcd.t +++ b/t/core/config_etcd.t @@ -157,11 +157,12 @@ qr/(10:certificate has expired){1,}/ --- yaml_config apisix: node_listen: 1984 - admin_key: null deployment: role: traditional role_traditional: config_provider: etcd + admin: + admin_key: null etcd: host: - "https://127.0.0.1:12379" @@ -207,6 +208,8 @@ deployment: role: traditional role_traditional: config_provider: etcd + admin: + admin_key: ~ etcd: host: - "https://127.0.0.1:12379" diff --git a/t/core/utils.t b/t/core/utils.t index e6c4735d3b01..0d82c93152ad 100644 --- a/t/core/utils.t +++ b/t/core/utils.t @@ -128,8 +128,6 @@ qr/"address":.+,"name":"github.com"/ apisix: node_listen: 1984 enable_server_tokens: false - admin_key: null - --- config location /t { content_by_lua_block { diff --git a/t/deployment/conf_server.t b/t/deployment/conf_server.t index cd5353e373f8..b440591e947f 100644 --- a/t/deployment/conf_server.t 
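Review bot: TEST 4 in t/core/config-default.t (hunk `@@ -76,15 +77,16 @@`) is still titled "use `~` means delete", but its new yaml_config writes `admin_key: null`, which makes it a duplicate of TEST 3. The tilde spelling is then no longer checked at the new `deployment.admin` path. The new side should keep `admin_key: ~` under `deployment:` / `admin:`. Other fixtures in this same diff rely on both spellings (`admin_key: ~` in t/admin/response_body_format.t, `admin_key: null` in t/core/config_etcd.t), so both should stay covered.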
+++ b/t/deployment/conf_server.t @@ -71,11 +71,13 @@ __DATA__ } --- response_body prev_index updated ---- extra_yaml_config +--- yaml_config deployment: role: traditional role_traditional: config_provider: etcd + admin: + admin_key: ~ etcd: prefix: "/apisix" host: @@ -95,7 +97,7 @@ deployment: ngx.say(res.body.node.value) } } ---- extra_yaml_config +--- yaml_config deployment: role: traditional role_traditional: @@ -139,7 +141,7 @@ foo ngx.say(res.body.node.value) } } ---- extra_yaml_config +--- yaml_config deployment: role: traditional role_traditional: @@ -207,7 +209,7 @@ localhost is resolved to: 127.0.0.2 end } } ---- extra_yaml_config +--- yaml_config deployment: role: traditional role_traditional: @@ -236,7 +238,7 @@ x.com is resolved to: 127.0.0.2 ngx.say(res.body.node.value) } } ---- extra_yaml_config +--- yaml_config deployment: role: traditional role_traditional: @@ -281,7 +283,7 @@ server { } --- response_body foo ---- extra_yaml_config +--- yaml_config deployment: role: traditional role_traditional: @@ -325,7 +327,7 @@ server { } --- response_body foo ---- extra_yaml_config +--- yaml_config deployment: role: traditional role_traditional: @@ -365,7 +367,7 @@ server { } --- response_body foo ---- extra_yaml_config +--- yaml_config deployment: role: traditional role_traditional: @@ -403,7 +405,7 @@ server { } --- response_body foo ---- extra_yaml_config +--- yaml_config deployment: role: traditional role_traditional: @@ -434,7 +436,7 @@ Receive Host: localhost ngx.say(timeout) } } ---- extra_yaml_config +--- yaml_config deployment: role: traditional role_traditional: diff --git a/t/deployment/conf_server2.t b/t/deployment/conf_server2.t index b8261c80c31b..02149053d593 100644 --- a/t/deployment/conf_server2.t +++ b/t/deployment/conf_server2.t @@ -46,7 +46,7 @@ server { proxy_pass http://127.0.0.1:2379; } } ---- extra_yaml_config +--- yaml_config deployment: role: traditional role_traditional: 
@@ -89,7 +89,7 @@ server { proxy_pass http://127.0.0.1:2379; } } ---- extra_yaml_config +--- yaml_config deployment: role: traditional role_traditional: @@ -133,7 +133,7 @@ server { proxy_pass http://127.0.0.1:2379; } } ---- extra_yaml_config +--- yaml_config deployment: role: traditional role_traditional: diff --git a/t/deployment/mtls.t b/t/deployment/mtls.t index 8826dd2dd030..a0e6cecfac8b 100644 --- a/t/deployment/mtls.t +++ b/t/deployment/mtls.t @@ -47,7 +47,7 @@ __DATA__ curl --cert t/certs/mtls_client.crt --key t/certs/mtls_client.key -k https://localhost:12345/version --- response_body eval qr/"etcdserver":/ ---- extra_yaml_config +--- yaml_config deployment: role: control_plane role_control_plane: @@ -73,7 +73,7 @@ deployment: curl -k https://localhost:12345/version --- response_body eval qr/No required SSL certificate was sent/ ---- extra_yaml_config +--- yaml_config deployment: role: control_plane role_control_plane: @@ -99,7 +99,7 @@ deployment: curl --cert t/certs/apisix.crt --key t/certs/apisix.key -k https://localhost:12345/version --- response_body eval qr/The SSL certificate error/ ---- extra_yaml_config +--- yaml_config deployment: role: control_plane role_control_plane: diff --git a/t/discovery/nacos2.t b/t/discovery/nacos2.t index 51365c79307d..755ce16e04c6 100644 --- a/t/discovery/nacos2.t +++ b/t/discovery/nacos2.t @@ -223,7 +223,6 @@ done --- yaml_config apisix: node_listen: 1984 - admin_key: null --- extra_yaml_config discovery: nacos: diff --git a/t/node/route-status.t b/t/node/route-status.t index 24ac4ca735e7..cad6a051ac74 100644 --- a/t/node/route-status.t +++ b/t/node/route-status.t @@ -27,7 +27,6 @@ apisix: node_listen: 1984 router: http: 'radixtree_host_uri' - admin_key: null _EOC_ run_tests(); diff --git a/t/node/upstream-mtls.t b/t/node/upstream-mtls.t index eaf3fe2fd15c..3ee1c28cce93 100644 --- a/t/node/upstream-mtls.t +++ b/t/node/upstream-mtls.t 
@@ -341,7 +341,6 @@ GET /t --- yaml_config apisix: node_listen: 1984 - admin_key: null ssl: key_encrypt_salt: null --- config diff --git a/t/plugin/dubbo-proxy/route.t b/t/plugin/dubbo-proxy/route.t index da8fd5383a10..46cf9e834f7b 100644 --- a/t/plugin/dubbo-proxy/route.t +++ b/t/plugin/dubbo-proxy/route.t @@ -162,7 +162,6 @@ dubbo success apisix: node_listen: 1984 enable_admin: true - admin_key: null plugins: - key-auth - dubbo-proxy @@ -230,7 +229,6 @@ passed apisix: node_listen: 1984 enable_admin: true - admin_key: null plugins: - key-auth - dubbo-proxy @@ -243,7 +241,6 @@ plugins: apisix: node_listen: 1984 enable_admin: true - admin_key: null plugins: - key-auth - dubbo-proxy diff --git a/t/plugin/error-log-logger-clickhouse.t b/t/plugin/error-log-logger-clickhouse.t index 2e7c14aa7bd0..02ad604baae7 100644 --- a/t/plugin/error-log-logger-clickhouse.t +++ b/t/plugin/error-log-logger-clickhouse.t @@ -32,6 +32,14 @@ add_block_preprocessor(sub { $block->set_value("request", "GET /t"); } + if (!defined $block->extra_yaml_config) { + my $extra_yaml_config = <<_EOC_; +plugins: + - error-log-logger +_EOC_ + $block->set_value("extra_yaml_config", $extra_yaml_config); + } + my $http_config = $block->http_config // <<_EOC_; server { listen 10420; @@ -88,12 +96,6 @@ done === TEST 2: test unreachable server ---- yaml_config -apisix: - enable_admin: true - admin_key: null -plugins: - - error-log-logger --- config location /t { content_by_lua_block { @@ -128,12 +130,6 @@ clickhouse headers: x-clickhouse-database:default === TEST 3: put plugin metadata and log an error level message ---- yaml_config -apisix: - enable_admin: true - admin_key: null -plugins: - - error-log-logger --- config location /t { content_by_lua_block { @@ -169,12 +165,6 @@ clickhouse headers: x-clickhouse-database:default === TEST 4: log a warn level message ---- yaml_config -apisix: - enable_admin: true - admin_key: null -plugins: - - error-log-logger --- config location /t { content_by_lua_block { 
@@ -194,12 +184,6 @@ clickhouse headers: x-clickhouse-database:default === TEST 5: log some messages ---- yaml_config -apisix: - enable_admin: true - admin_key: null -plugins: - - error-log-logger --- config location /t { content_by_lua_block { @@ -219,12 +203,6 @@ clickhouse headers: x-clickhouse-database:default === TEST 6: log an info level message ---- yaml_config -apisix: - enable_admin: true - admin_key: null -plugins: - - error-log-logger --- config location /t { content_by_lua_block { @@ -240,12 +218,6 @@ this is an info message for test6 === TEST 7: delete metadata for the plugin, recover to the default ---- yaml_config -apisix: - enable_admin: true - admin_key: null -plugins: - - error-log-logger --- config location /t { content_by_lua_block { diff --git a/t/plugin/error-log-logger-skywalking.t b/t/plugin/error-log-logger-skywalking.t index 289ac369e947..54354f34ea31 100644 --- a/t/plugin/error-log-logger-skywalking.t +++ b/t/plugin/error-log-logger-skywalking.t @@ -21,6 +21,19 @@ repeat_each(1); no_long_string(); no_root_location(); worker_connections(128); + +add_block_preprocessor(sub { + my ($block) = @_; + + if (!defined $block->extra_yaml_config) { + my $extra_yaml_config = <<_EOC_; +plugins: + - error-log-logger +_EOC_ + $block->set_value("extra_yaml_config", $extra_yaml_config); + } +}); + run_tests; __DATA__ @@ -56,12 +69,6 @@ done === TEST 2: test unreachable server ---- yaml_config -apisix: - enable_admin: true - admin_key: null -plugins: - - error-log-logger --- config location /tg { content_by_lua_block { @@ -90,12 +97,6 @@ qr/Batch Processor\[error-log-logger\] failed to process entries: error while se === TEST 3: put plugin metadata and log an error level message ---- yaml_config -apisix: - enable_admin: true - admin_key: null -plugins: - - error-log-logger --- config location /tg { content_by_lua_block { 
@@ -126,12 +127,6 @@ qr/.*\[\{\"body\":\{\"text\":\{\"text\":\".*this is an error message for test.*\ === TEST 4: log a warn level message ---- yaml_config -apisix: - enable_admin: true - admin_key: null -plugins: - - error-log-logger --- config location /tg { content_by_lua_block { @@ -149,12 +144,6 @@ qr/.*\[\{\"body\":\{\"text\":\{\"text\":\".*this is a warning message for test.* === TEST 5: log some messages ---- yaml_config -apisix: - enable_admin: true - admin_key: null -plugins: - - error-log-logger --- config location /tg { content_by_lua_block { @@ -173,12 +162,6 @@ qr/.*\[\{\"body\":\{\"text\":\{\"text\":\".*this is an error message for test.*\ === TEST 6: log an info level message ---- yaml_config -apisix: - enable_admin: true - admin_key: null -plugins: - - error-log-logger --- config location /tg { content_by_lua_block { @@ -196,12 +179,6 @@ qr/.*\[\{\"body\":\{\"text\":\{\"text\":\".*this is an info message for test.*\" === TEST 7: delete metadata for the plugin, recover to the default ---- yaml_config -apisix: - enable_admin: true - admin_key: null -plugins: - - error-log-logger --- config location /tg { content_by_lua_block { diff --git a/t/plugin/error-log-logger.t b/t/plugin/error-log-logger.t index 7aa37a422b16..451f85299703 100644 --- a/t/plugin/error-log-logger.t +++ b/t/plugin/error-log-logger.t @@ -63,6 +63,15 @@ _EOC_ _EOC_ $block->set_value("stream_server_config", $stream_default_server); + + if (!defined $block->extra_yaml_config) { + my $extra_yaml_config = <<_EOC_; +plugins: + - error-log-logger +_EOC_ + $block->set_value("extra_yaml_config", $extra_yaml_config); + } + }); run_tests; @@ -70,6 +79,7 @@ run_tests; __DATA__ === TEST 1: not enable the plugin +--- extra_yaml_config --- config location /tg { content_by_lua_block { @@ -87,9 +97,6 @@ error-log-logger === TEST 2: enable the plugin, but not init the metadata ---- yaml_config -plugins: - - error-log-logger --- config location /tg { content_by_lua_block { 
@@ -107,12 +114,6 @@ qr/please set the correct plugin_metadata for error-log-logger/ === TEST 3: set a wrong metadata ---- yaml_config -apisix: - enable_admin: true - admin_key: null -plugins: - - error-log-logger --- config location /tg { content_by_lua_block { @@ -145,12 +146,6 @@ qr/please set the correct plugin_metadata for error-log-logger/ === TEST 4: test unreachable server ---- yaml_config -apisix: - enable_admin: true - admin_key: null -plugins: - - error-log-logger --- config location /tg { content_by_lua_block { @@ -180,12 +175,6 @@ qr/\[Server\] receive data:.*this is a warning message for test./ === TEST 5: log a warn level message ---- yaml_config -apisix: - enable_admin: true - admin_key: null -plugins: - - error-log-logger --- config location /tg { content_by_lua_block { @@ -215,9 +204,6 @@ qr/\[Server\] receive data:.*this is a warning message for test./ === TEST 6: log an error level message ---- yaml_config -plugins: - - error-log-logger --- config location /tg { content_by_lua_block { @@ -236,9 +222,6 @@ qr/\[Server\] receive data:.*this is an error message for test./ === TEST 7: log an info level message ---- yaml_config -plugins: - - error-log-logger --- config location /tg { content_by_lua_block { @@ -257,12 +240,6 @@ qr/\[Server\] receive data:.*this is an info message for test./ === TEST 8: delete metadata for the plugin, recover to the default ---- yaml_config -apisix: - enable_admin: true - admin_key: null -plugins: - - error-log-logger --- config location /tg { content_by_lua_block { @@ -288,12 +265,6 @@ passed === TEST 9: want to reload the plugin by route ---- yaml_config -apisix: - enable_admin: true - admin_key: null -plugins: - - error-log-logger --- config location /tg { content_by_lua_block { 
@@ -336,12 +307,6 @@ qr/please set the correct plugin_metadata for error-log-logger/ === TEST 10: avoid sending stale error log ---- yaml_config -apisix: - enable_admin: true - admin_key: null -plugins: - - error-log-logger --- config location /tg { content_by_lua_block { @@ -375,12 +340,6 @@ qr/\[Server\] receive data:.*this is an error message for test./ === TEST 11: delete the route ---- yaml_config -apisix: - enable_admin: true - admin_key: null -plugins: - - error-log-logger --- config location /tg { content_by_lua_block { @@ -406,12 +365,6 @@ passed === TEST 12: log a warn level message (schema compatibility testing) ---- yaml_config -apisix: - enable_admin: true - admin_key: null -plugins: - - error-log-logger --- config location /tg { content_by_lua_block { @@ -441,9 +394,6 @@ qr/\[Server\] receive data:.*this is a warning message for test./ === TEST 13: log an error level message (schema compatibility testing) ---- yaml_config -plugins: - - error-log-logger --- config location /tg { content_by_lua_block { @@ -462,9 +412,6 @@ qr/\[Server\] receive data:.*this is an error message for test./ === TEST 14: log an info level message (schema compatibility testing) ---- yaml_config -plugins: - - error-log-logger --- config location /tg { content_by_lua_block { @@ -483,12 +430,6 @@ qr/\[Server\] receive data:.*this is an info message for test./ === TEST 15: delete metadata for the plugin, recover to the default (schema compatibility testing) ---- yaml_config -apisix: - enable_admin: true - admin_key: null -plugins: - - error-log-logger --- config location /tg { content_by_lua_block { diff --git a/t/plugin/log-rotate.t b/t/plugin/log-rotate.t index 5e04be131d2d..8ce51dd5d8bb 100644 --- a/t/plugin/log-rotate.t +++ b/t/plugin/log-rotate.t 
@@ -25,11 +25,7 @@ no_root_location(); add_block_preprocessor(sub { my ($block) = @_; - my $user_yaml_config = <<_EOC_; -apisix: - node_listen: 1984 - admin_key: null - + my $extra_yaml_config = <<_EOC_; plugins: # plugin list - log-rotate @@ -39,7 +35,7 @@ plugin_attr: max_kept: 3 _EOC_ - $block->set_value("yaml_config", $user_yaml_config); + $block->set_value("extra_yaml_config", $extra_yaml_config); if ((!defined $block->error_log) && (!defined $block->no_error_log)) { diff --git a/t/plugin/log-rotate2.t b/t/plugin/log-rotate2.t index 1a28f33e8829..0be45166080c 100644 --- a/t/plugin/log-rotate2.t +++ b/t/plugin/log-rotate2.t @@ -25,11 +25,7 @@ no_root_location(); add_block_preprocessor(sub { my ($block) = @_; - if (!defined $block->yaml_config) { - my $yaml_config = <<_EOC_; -apisix: - node_listen: 1984 - admin_key: ~ + my $extra_yaml_config = <<_EOC_; plugins: - log-rotate plugin_attr: @@ -39,8 +35,7 @@ plugin_attr: enable_compression: true _EOC_ - $block->set_value("yaml_config", $yaml_config); - } + $block->set_value("extra_yaml_config", $extra_yaml_config); if ((!defined $block->error_log) && (!defined $block->no_error_log)) { $block->set_value("no_error_log", "[error]"); diff --git a/t/plugin/log-rotate3.t b/t/plugin/log-rotate3.t index bfab0f9b63e9..e6dbdd877e2c 100644 --- a/t/plugin/log-rotate3.t +++ b/t/plugin/log-rotate3.t @@ -25,11 +25,8 @@ no_root_location(); add_block_preprocessor(sub { my ($block) = @_; - if (!defined $block->yaml_config) { - my $yaml_config = <<_EOC_; -apisix: - node_listen: 1984 - admin_key: ~ + if (!defined $block->extra_yaml_config) { + my $extra_yaml_config = <<_EOC_; plugins: - log-rotate plugin_attr: @@ -40,7 +37,7 @@ plugin_attr: enable_compression: false _EOC_ - $block->set_value("yaml_config", $yaml_config); + $block->set_value("extra_yaml_config", $extra_yaml_config); } if ((!defined $block->error_log) && (!defined $block->no_error_log)) { 
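Review bot: In t/plugin/log-rotate2.t the `if (!defined $block->yaml_config)` guard is removed, so `extra_yaml_config` is now set for every block unconditionally, while t/plugin/log-rotate3.t keeps the equivalent guard as `if (!defined $block->extra_yaml_config) {`. If any block in log-rotate2.t carries its own `--- extra_yaml_config` section (not visible in these hunks), the preprocessor would silently replace it. Wrapping the heredoc and the `set_value` call in `if (!defined $block->extra_yaml_config) { ... }` keeps the two files consistent. The preprocessor sub continues past the end of the hunk.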
diff --git a/t/router/radixtree-host-uri-priority.t b/t/router/radixtree-host-uri-priority.t index a05b619fa065..4190bb338399 100644 --- a/t/router/radixtree-host-uri-priority.t +++ b/t/router/radixtree-host-uri-priority.t @@ -29,7 +29,6 @@ apisix: enable_admin: false router: http: 'radixtree_host_uri' - admin_key: null _EOC_ run_tests(); diff --git a/t/router/radixtree-host-uri.t b/t/router/radixtree-host-uri.t index 63e07d4b118d..098a6c23b5af 100644 --- a/t/router/radixtree-host-uri.t +++ b/t/router/radixtree-host-uri.t @@ -27,7 +27,6 @@ apisix: node_listen: 1984 router: http: 'radixtree_host_uri' - admin_key: null _EOC_ run_tests(); diff --git a/t/router/radixtree-host-uri2.t b/t/router/radixtree-host-uri2.t index 313bc6a1444f..7573bf804cca 100644 --- a/t/router/radixtree-host-uri2.t +++ b/t/router/radixtree-host-uri2.t @@ -29,7 +29,6 @@ apisix: enable_admin: false router: http: 'radixtree_host_uri' - admin_key: null _EOC_ run_tests(); diff --git a/t/router/radixtree-host-uri3.t b/t/router/radixtree-host-uri3.t index 9fa14c22fbf8..2db4bb437c1e 100644 --- a/t/router/radixtree-host-uri3.t +++ b/t/router/radixtree-host-uri3.t @@ -21,7 +21,6 @@ apisix: node_listen: 1984 router: http: 'radixtree_host_uri' - admin_key: null _EOC_ add_block_preprocessor(sub { diff --git a/t/router/radixtree-uri-keep-end-slash.t b/t/router/radixtree-uri-keep-end-slash.t index d51ac0755e13..01225e43961e 100644 --- a/t/router/radixtree-uri-keep-end-slash.t +++ b/t/router/radixtree-uri-keep-end-slash.t @@ -26,7 +26,6 @@ our $yaml_config = <<_EOC_; apisix: node_listen: 1984 delete_uri_tail_slash: true - admin_key: null _EOC_ run_tests(); diff --git a/t/router/radixtree-uri-sanity.t b/t/router/radixtree-uri-sanity.t index d49285ff1c93..ac9ab5a1ee1e 100644 --- a/t/router/radixtree-uri-sanity.t +++ b/t/router/radixtree-uri-sanity.t @@ -25,7 +25,6 @@ no_shuffle(); our $servlet_yaml_config = <<_EOC_; apisix: node_listen: 1984 - admin_key: null normalize_uri_like_servlet: true _EOC_ 
diff --git a/t/router/radixtree-uri-with-parameter.t b/t/router/radixtree-uri-with-parameter.t index f591fab30b69..00686e996918 100644 --- a/t/router/radixtree-uri-with-parameter.t +++ b/t/router/radixtree-uri-with-parameter.t @@ -25,7 +25,6 @@ no_shuffle(); our $yaml_config = <<_EOC_; apisix: node_listen: 1984 - admin_key: null router: http: 'radixtree_uri_with_parameter' _EOC_