Merge branch 'upstream/master' into github/master

* upstream/master: (46 commits)
  docs: fix err in batch-processor (apache#7259)
  docs(deployment): sync design to online docs (apache#7256)
  feat(deployment): add structure of traditional role (apache#7249)
  fix(benchmark): write worker_processes into config.yaml (apache#7250)
  docs: correct the repo url (apache#7253)
  feat: Add support for capturing OIDC refresh tokens (apache#7220)
  feat(ssl): support get upstream cert from ssl object (apache#7221)
  chore: validate etcd conf strictly (apache#7245)
  fix(api-response): check response header format (apache#7238)
  fix: duplicate X-Forwarded-Proto will be sent as string (apache#7229)
  fix: distinguish different upstreams even they have the same addr (apache#7213)
  docs: make company on README more preciser (apache#7230)
  test: remove unused required etcd (apache#7225)
  fix: add debug yaml validation (apache#7201)
  change: remove upstream.enable_websocket which is deprecated since 2020 (apache#7222)
  docs: add re case on response-rewrite plugin (apache#7197)
  docs: add API Gateway keyword and AWS graviton3. (apache#7217)
  fix(response-rewrite): schema format error (apache#7212)
  docs(proxy-rewrite): remove empty space (apache#7210)
  chore: require http_stub_status_module exists (apache#7208)
  ...

.github/workflows/build.yml

@@ -93,7 +93,7 @@ jobs:
       - name: Build xDS library
         run: |
           cd t/xds-library
-          go build -o libxds.so -buildmode=c-shared main.go
+          go build -o libxds.so -buildmode=c-shared main.go export.go
 
       - name: Linux Before install
         run: sudo ./ci/${{ matrix.os_name }}_runner.sh before_install

.github/workflows/centos7-ci.yml

@@ -68,7 +68,7 @@ jobs:
     - name: Build xDS library
       run: |
         cd t/xds-library
-        go build -o libxds.so -buildmode=c-shared main.go
+        go build -o libxds.so -buildmode=c-shared main.go export.go
 
     - name: Run centos7 docker and mapping apisix into container
       env:

.github/workflows/chaos.yml

@@ -40,9 +40,8 @@ jobs:
       - name: Creating minikube cluster
         run: |
           bash ./t/chaos/utils/setup_chaos_utils.sh start_minikube
-          wget https://raw.githubusercontent.com/apache/apisix-docker/master/alpine-local/Dockerfile
           mkdir logs
-          docker build -t apache/apisix:alpine-local --build-arg APISIX_PATH=. -f Dockerfile .
+          docker build -t apache/apisix:alpine-local --build-arg APISIX_PATH=. -f ./t/chaos/utils/Dockerfile .
           minikube cache add apache/apisix:alpine-local -v 7 --alsologtostderr
 
       - name: Print cluster information

.github/workflows/doc-lint.yml

@@ -18,7 +18,7 @@ jobs:
     steps:
       - uses: actions/checkout@v3
       - name: 🚀 Use Node.js
-        uses: actions/setup-node@v3.2.0
+        uses: actions/setup-node@v3.3.0
         with:
           node-version: '12.x'
       - run: npm install -g markdownlint-cli@0.25.0

.github/workflows/lint.yml

@@ -32,7 +32,7 @@ jobs:
         uses: actions/checkout@v3
 
       - name: Setup Nodejs env
-        uses: actions/setup-node@v3.2.0
+        uses: actions/setup-node@v3.3.0
         with:
           node-version: '12'
 

.gitignore

@@ -45,6 +45,7 @@ luac.out
 *.orig
 *.rej
 t/servroot
+t/xds-library/libxds.h
 conf/apisix.uid
 conf/nginx.conf
 deps

CHANGELOG.md

@@ -23,6 +23,7 @@ title: Changelog
 
 ## Table of Contents
 
+- [2.14.1](#2141)
 - [2.14.0](#2140)
 - [2.13.1](#2131)
 - [2.13.0](#2130)
@@ -57,6 +58,12 @@ title: Changelog
 - [0.7.0](#070)
 - [0.6.0](#060)
 
+## 2.14.1
+
+**This is an LTS maintenance release and you can see the CHANGELOG in `release/2.14` branch.**
+
+[https://github.com/apache/apisix/blob/release/2.14/CHANGELOG.md#2141](https://github.com/apache/apisix/blob/release/2.14/CHANGELOG.md#2141)
+
 ## 2.14.0
 
 ### Change

README.md

@@ -17,7 +17,7 @@
 #
 -->
 
-# Apache APISIX
+# Apache APISIX API Gateway
 
 <img src="https://svn.apache.org/repos/asf/comdev/project-logos/originals/apisix.svg" alt="APISIX logo" height="150px" align="right" />
 
@@ -27,11 +27,11 @@
 [![Average time to resolve an issue](http://isitmaintained.com/badge/resolution/apache/apisix.svg)](http://isitmaintained.com/project/apache/apisix "Average time to resolve an issue")
 [![Percentage of issues still open](http://isitmaintained.com/badge/open/apache/apisix.svg)](http://isitmaintained.com/project/apache/apisix "Percentage of issues still open")
 
-**Apache APISIX** is a dynamic, real-time, high-performance API gateway.
+**Apache APISIX** is a dynamic, real-time, high-performance API Gateway.
 
-APISIX provides rich traffic management features such as load balancing, dynamic upstream, canary release, circuit breaking, authentication, observability, and more.
+APISIX API Gateway provides rich traffic management features such as load balancing, dynamic upstream, canary release, circuit breaking, authentication, observability, and more.
 
-You can use Apache APISIX to handle traditional north-south traffic,
+You can use **APISIX API Gateway** to handle traditional north-south traffic,
 as well as east-west traffic between services.
 It can also be used as a [k8s ingress controller](https://github.com/apache/apisix-ingress-controller).
 
@@ -43,27 +43,20 @@ The technical architecture of Apache APISIX:
 
 - Mailing List: Mail to dev-subscribe@apisix.apache.org, follow the reply to subscribe to the mailing list.
 - QQ Group - 552030619, 781365357
-- Slack Workspace - join [`#apisix` channel](https://apisix.apache.org/docs/general/join/#join-the-slack-channel)
+- Slack Workspace - [invitation link](https://join.slack.com/t/the-asf/shared_invite/zt-vlfbf7ch-HkbNHiU_uDlcH_RvaHv9gQ) (Please open an [issue](https://apisix.apache.org/docs/general/submit-issue) if this link is expired), and then join the #apisix channel (Channels -> Browse channels -> search for "apisix").
 - ![Twitter Follow](https://img.shields.io/twitter/follow/ApacheAPISIX?style=social) - follow and interact with us using hashtag `#ApacheAPISIX`
-- **Good first issues**:
-  - [Apache APISIX®](https://github.com/apache/apisix/issues?q=is%3Aissue+is%3Aopen+label%3A%22good+first+issue%22)
-  - [Apache APISIX® Ingress Controller](https://github.com/apache/apisix-ingress-controller/issues?q=is%3Aissue+is%3Aopen+label%3A%22good+first+issue%22)
-  - [Apache APISIX® dashboard](https://github.com/apache/apisix-dashboard/issues?q=is%3Aissue+is%3Aopen+label%3A%22good+first+issue%22)
-  - [Apache APISIX® Helm Chart](https://github.com/apache/apisix-helm-chart/issues?q=is%3Aissue+is%3Aopen+label%3A%22good+first+issue%22)
-  - [Docker distribution for Apache APISIX®](https://github.com/apache/apisix-docker/issues?q=is%3Aissue+is%3Aopen+label%3A%22good+first+issue%22)
-  - [Apache APISIX® Website](https://github.com/apache/apisix-website/issues?q=is%3Aissue+is%3Aopen+label%3A%22good+first+issue%22)
-  - [Apache APISIX® Java Plugin Runner](https://github.com/apache/apisix-java-plugin-runner/issues?q=is%3Aopen+is%3Aissue+label%3A%22good+first+issue%22)
-  - [Apache APISIX® Go Plugin Runner](https://github.com/apache/apisix-go-plugin-runner/issues?q=is%3Aopen+is%3Aissue+label%3A%22good+first+issue%22)
-  - [Apache APISIX® Python Plugin Runner](https://github.com/apache/apisix-python-plugin-runner/issues?q=is%3Aopen+is%3Aissue+label%3A%22good+first+issue%22)
+- [Documentation](https://apisix.apache.org/docs/)
+- [Discussions](https://github.com/apache/apisix/discussions)
+- [Blog](https://apisix.apache.org/blog)
 
 ## Features
 
-You can use Apache APISIX as a traffic entrance to process all business data, including dynamic routing, dynamic upstream, dynamic certificates,
+You can use APISIX API Gateway as a traffic entrance to process all business data, including dynamic routing, dynamic upstream, dynamic certificates,
 A/B testing, canary release, blue-green deployment, limit rate, defense against malicious attacks, metrics, monitoring alarms, service observability, service governance, etc.
 
 - **All platforms**
 
-  - Cloud-Native: Platform agnostic, No vendor lock-in, APISIX can run from bare-metal to Kubernetes.
+  - Cloud-Native: Platform agnostic, No vendor lock-in, APISIX API Gateway can run from bare-metal to Kubernetes.
   - Supports ARM64: Don't worry about the lock-in of the infra technology.
 
 - **Multi protocols**
@@ -194,6 +187,8 @@ Using AWS's eight-core server, APISIX's QPS reaches 140,000 with a latency of on
 
 [Benchmark script](benchmark/run.sh) has been open sourced, welcome to try and contribute.
 
+[The APISIX APISIX Gateway also works perfectly in AWS graviton3 C7g.](https://apisix.apache.org/blog/2022/06/07/installation-performance-test-of-apigateway-apisix-on-aws-graviton3)
+
 ## Contributor Over Time
 
 > [visit here](https://www.apiseven.com/contributor-graph) to generate Contributor Over Time.
@@ -206,9 +201,9 @@ Using AWS's eight-core server, APISIX's QPS reaches 140,000 with a latency of on
 - [Copernicus Reference System Software](https://github.com/COPRS/infrastructure/wiki/Networking-trade-off)
 - [More Stories](https://apisix.apache.org/blog/tags/user-case)
 
-## Who Uses APISIX?
+## Who Uses APISIX API Gateway?
 
-A wide variety of companies and organizations use APISIX for research, production and commercial product, below are some of them:
+A wide variety of companies and organizations use APISIX API Gateway for research, production and commercial product, below are some of them:
 
 - Airwallex
 - Bilibili
@@ -224,7 +219,7 @@ A wide variety of companies and organizations use APISIX for research, productio
 - Tencent Game
 - Travelsky
 - VIVO
-- weibo
+- Sina Weibo
 - WPS
 
 ## Landscape

apisix/admin/ssl.lua

@@ -46,7 +46,7 @@ local function check_conf(id, conf, need_id)
     conf.id = id
 
     core.log.info("schema: ", core.json.delay_encode(core.schema.ssl))
-    core.log.info("conf  : ", core.json.delay_encode(conf))
+    core.log.info("conf: ", core.json.delay_encode(conf))
 
     local ok, err = apisix_ssl.check_ssl_conf(false, conf)
     if not ok then

apisix/cli/file.lua

@@ -237,6 +237,14 @@ function _M.read_yaml_conf(apisix_home)
         end
     end
 
+    if default_conf.deployment
+        and default_conf.deployment.role == "traditional"
+        and default_conf.deployment.etcd
+    then
+        default_conf.etcd = default_conf.deployment.etcd
+        default_conf.etcd.unix_socket_proxy = "unix:./conf/config_listen.sock"
+    end
+
     if default_conf.apisix.config_center == "yaml" then
         local apisix_conf_path = profile:yaml_path("apisix")
         local apisix_conf_yaml, _ = util.read_file(apisix_conf_path)

apisix/cli/ngx_tpl.lua

@@ -57,6 +57,48 @@ env {*name*};
 {% end %}
 {% end %}
 
+{% if use_apisix_openresty then %}
+lua {
+    {% if enabled_stream_plugins["prometheus"] then %}
+    lua_shared_dict prometheus-metrics {* meta.lua_shared_dict["prometheus-metrics"] *};
+    {% end %}
+}
+
+{% if (enabled_stream_plugins["prometheus"] or conf_server) and not enable_http then %}
+http {
+    {% if enabled_stream_plugins["prometheus"] then %}
+    init_worker_by_lua_block {
+        require("apisix.plugins.prometheus.exporter").http_init(true)
+    }
+
+    server {
+        listen {* prometheus_server_addr *};
+
+        access_log off;
+
+        location / {
+            content_by_lua_block {
+                local prometheus = require("apisix.plugins.prometheus.exporter")
+                prometheus.export_metrics(true)
+            }
+        }
+
+        location = /apisix/nginx_status {
+            allow 127.0.0.0/24;
+            deny all;
+            stub_status;
+        }
+    }
+    {% end %}
+
+    {% if conf_server then %}
+    {* conf_server *}
+    {% end %}
+}
+{% end %}
+
+{% end %}
+
 {% if stream_proxy then %}
 stream {
     lua_package_path  "{*extra_lua_path*}$prefix/deps/share/lua/5.1/?.lua;$prefix/deps/share/lua/5.1/?/init.lua;]=]
@@ -164,7 +206,7 @@ stream {
 }
 {% end %}
 
-{% if enable_admin or not (stream_proxy and stream_proxy.only ~= false) then %}
+{% if enable_http then %}
 http {
     # put extra_lua_path in front of the builtin path
     # so user can override the source code
@@ -211,7 +253,7 @@ http {
     lua_shared_dict plugin-limit-count-redis-cluster-slot-lock {* http.lua_shared_dict["plugin-limit-count-redis-cluster-slot-lock"] *};
     {% end %}
 
-    {% if enabled_plugins["prometheus"] then %}
+    {% if enabled_plugins["prometheus"] and not enabled_stream_plugins["prometheus"] then %}
     lua_shared_dict prometheus-metrics {* http.lua_shared_dict["prometheus-metrics"] *};
     {% end %}
 
@@ -460,18 +502,16 @@ http {
 
         location / {
             content_by_lua_block {
-                local prometheus = require("apisix.plugins.prometheus")
+                local prometheus = require("apisix.plugins.prometheus.exporter")
                 prometheus.export_metrics()
             }
         }
 
-        {% if with_module_status then %}
         location = /apisix/nginx_status {
             allow 127.0.0.0/24;
             deny all;
             stub_status;
         }
-        {% end %}
     }
     {% end %}
 
@@ -536,6 +576,10 @@ http {
     }
     {% end %}
 
+    {% if conf_server then %}
+    {* conf_server *}
+    {% end %}
+
     server {
         {% for _, item in ipairs(node_listen) do %}
         listen {* item.ip *}:{* item.port *} default_server {% if item.enable_http2 then %} http2 {% end %} {% if enable_reuseport then %} reuseport {% end %};
@@ -580,14 +624,12 @@ http {
         {% end %}
         # http server configuration snippet ends
 
-        {% if with_module_status then %}
         location = /apisix/nginx_status {
             allow 127.0.0.0/24;
             deny all;
             access_log off;
             stub_status;
         }
-        {% end %}
 
         {% if enable_admin and not admin_server_addr then %}
         location /apisix/admin {

apisix/cli/ops.lua

@@ -21,6 +21,7 @@ local file = require("apisix.cli.file")
 local schema = require("apisix.cli.schema")
 local ngx_tpl = require("apisix.cli.ngx_tpl")
 local cli_ip = require("apisix.cli.ip")
+local snippet = require("apisix.cli.snippet")
 local profile = require("apisix.core.profile")
 local template = require("resty.template")
 local argparse = require("argparse")
@@ -244,19 +245,23 @@ Please modify "admin_key" in conf/config.yaml .
     end
 
     local or_info = util.execute_cmd("openresty -V 2>&1")
-    local with_module_status = true
     if or_info and not or_info:find("http_stub_status_module", 1, true) then
-        stderr:write("'http_stub_status_module' module is missing in ",
-                     "your openresty, please check it out. Without this ",
-                     "module, there will be fewer monitoring indicators.\n")
-        with_module_status = false
+        util.die("'http_stub_status_module' module is missing in ",
+                 "your openresty, please check it out.\n")
     end
 
     local use_apisix_openresty = true
     if or_info and not or_info:find("apisix-nginx-module", 1, true) then
         use_apisix_openresty = false
     end
 
+    local enable_http = true
+    if not yaml_conf.apisix.enable_admin and yaml_conf.apisix.stream_proxy and
+        yaml_conf.apisix.stream_proxy.only ~= false
+    then
+        enable_http = false
+    end
+
     local enabled_discoveries = {}
     for name in pairs(yaml_conf.discovery or {}) do
         enabled_discoveries[name] = true
@@ -284,8 +289,10 @@ Please modify "admin_key" in conf/config.yaml .
         if real_ip_from then
             for _, ip in ipairs(real_ip_from) do
                 local _ip = cli_ip:new(ip)
-                if _ip and _ip:is_loopback() or _ip:is_unspecified() then
-                    pass_real_client_ip = true
+                if _ip then
+                    if _ip:is_loopback() or _ip:is_unspecified() then
+                        pass_real_client_ip = true
+                    end
                 end
             end
         end
@@ -344,6 +351,10 @@ Please modify "admin_key" in conf/config.yaml .
         end
     end
 
+    if enabled_stream_plugins["prometheus"] and not prometheus_server_addr then
+        util.die("L4 prometheus metric should be exposed via export server\n")
+    end
+
     local ip_port_to_check = {}
 
     local function listen_table_insert(listen_table, scheme, ip, port, enable_http2, enable_ipv6)
@@ -528,16 +539,18 @@ Please modify "admin_key" in conf/config.yaml .
         proxy_mirror_timeouts = yaml_conf.plugin_attr["proxy-mirror"].timeout
     end
 
+    local conf_server = snippet.generate_conf_server(yaml_conf)
+
     -- Using template.render
     local sys_conf = {
         use_openresty_1_17 = use_openresty_1_17,
         lua_path = env.pkg_path_org,
         lua_cpath = env.pkg_cpath_org,
         os_name = util.trim(util.execute_cmd("uname")),
         apisix_lua_home = env.apisix_home,
-        with_module_status = with_module_status,
         use_apisix_openresty = use_apisix_openresty,
         error_log = {level = "warn"},
+        enable_http = enable_http,
         enabled_discoveries = enabled_discoveries,
         enabled_plugins = enabled_plugins,
         enabled_stream_plugins = enabled_stream_plugins,
@@ -547,6 +560,7 @@ Please modify "admin_key" in conf/config.yaml .
         control_server_addr = control_server_addr,
         prometheus_server_addr = prometheus_server_addr,
         proxy_mirror_timeouts = proxy_mirror_timeouts,
+        conf_server = conf_server,
     }
 
     if not yaml_conf.apisix then