Cherry-pick commits from master to managed-service branch

.circleci/config.yml

@@ -98,15 +98,15 @@ executors:
   docker:
     working_directory: /opt/app-root/apicast
     docker:
-    - image: docker:23.0.2-cli-alpine3.17
+    - image: mirror.gcr.io/library/docker:23.0.2-cli-alpine3.17
     environment:
       COMPOSE_TLS_VERSION: "TLSv1_2"
 
   openresty:
     working_directory: /opt/app-root/apicast
     docker:
       - image: quay.io/3scale/apicast-ci:openresty-1.21.4-1
-      - image: redis:3.2.8-alpine
+      - image: mirror.gcr.io/library/redis
     environment:
       TEST_NGINX_BINARY: openresty
       LUA_BIN_PATH: /opt/app-root/bin
@@ -230,6 +230,7 @@ jobs:
             JUNIT_OUTPUT_FILE: tmp/junit/prove/report.xml
             TEST_NGINX_ERROR_LOG: tmp/junit/prove/error.log
             HARNESS: TAP::Harness::JUnit
+            NPROC: 2
       - report-codecov:
           suite: prove
           flags: -f 'luacov.report.*.out'

Brewfile

@@ -1,5 +1,3 @@
 tap "3scale/openresty"
-tap "3scale/opentracing"
 
-brew "3scale/opentracing/openresty", args: ["with-debug"], link: true
 brew "3scale/openresty/luarocks", link: true

CHANGELOG.md

@@ -22,6 +22,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/).
 - Fixed Mutual TLS between APIcast and the Backend API fails when using a Forward Proxy [PR #1499](https://github.com/3scale/APIcast/pull/1499) [THREESCALE-5105](https://issues.redhat.com/browse/THREESCALE-5105)
 - Fixed dns cache miss [PR #1500](https://github.com/3scale/APIcast/pull/1500) [THEESCALE-9301](https://issues.redhat.com/browse/THREESCALE-9301)
 - Fixed APIcast panic when parsing invalid base64 encoded value [PR #1505](https://github.com/3scale/APIcast/pull/1505) [THEESCALE-11435](https://issues.redhat.com/browse/THREESCALE-11435)
+- Fixed Financial-grade API (FAPI) policy not showing up in the admin portal [PR #1528](https://github.com/3scale/APIcast/pull/1528) [THREESCALE-11620](https://issues.redhat.com/browse/THREESCALE-11620)
 
 ### Added
 

Dockerfile

@@ -30,7 +30,7 @@ RUN dnf install -y 'dnf-command(config-manager)'
 
 RUN yum config-manager --add-repo http://packages.dev.3sca.net/dev_packages_3sca_net.repo
 
-RUN PKGS="openresty-resty-${OPENRESTY_RPM_VERSION} openresty-opentelemetry-${OPENRESTY_RPM_VERSION} openresty-opentracing-${OPENRESTY_RPM_VERSION} openresty-${OPENRESTY_RPM_VERSION} luarocks-${LUAROCKS_VERSION} opentracing-cpp-devel-1.3.0 libopentracing-cpp1-1.3.0 jaegertracing-cpp-client-${JAEGERTRACING_CPP_CLIENT_RPM_VERSION}" && \
+RUN PKGS="openresty-resty-${OPENRESTY_RPM_VERSION} openresty-opentelemetry-${OPENRESTY_RPM_VERSION} openresty-${OPENRESTY_RPM_VERSION} luarocks-${LUAROCKS_VERSION}" && \
     mkdir -p "$HOME" && \
     yum -y --setopt=tsflags=nodocs install $PKGS && \
     rpm -V $PKGS && \

Dockerfile.devel

@@ -1,8 +1,9 @@
 FROM registry.access.redhat.com/ubi8:8.5
 
 ARG OPENRESTY_RPM_VERSION="1.21.4-1.el8"
-ARG LUAROCKS_VERSION="2.3.0"
+ARG LUAROCKS_VERSION="3.11.1"
 ARG JAEGERTRACING_CPP_CLIENT_RPM_VERSION="0.3.1-13.el8"
+ARG LUAROVER_VERSION="0.2.1"
 
 WORKDIR /tmp
 
@@ -19,22 +20,19 @@ RUN dnf install -y 'dnf-command(config-manager)'
 
 RUN yum install -y \
         gcc make git which curl iputils bind-utils expat-devel kernel-headers openssl-devel m4 \
-        libyaml libyaml-devel perl-local-lib perl-App-cpanminus
+        libyaml libyaml-devel perl-local-lib perl-App-cpanminus perl-LWP-Protocol-https
 
 # perl-Test-Nginx
 RUN cpanm --notest IPC::Run && \
-    cpanm https://cpan.metacpan.org/authors/id/A/AG/AGENT/Test-Nginx-0.29.tar.gz
+    cpanm https://cpan.metacpan.org/authors/id/A/AG/AGENT/Test-Nginx-0.29.tar.gz && \
+    cpanm https://cpan.metacpan.org/authors/id/O/OA/OALDERS/LWP-Protocol-https-6.14.tar.gz
 
 RUN yum config-manager --add-repo http://packages.dev.3sca.net/dev_packages_3sca_net.repo
 
 RUN yum install -y \
         openresty-${OPENRESTY_RPM_VERSION} \
         openresty-resty-${OPENRESTY_RPM_VERSION} \
-        openresty-opentelemetry-${OPENRESTY_RPM_VERSION} \
-        openresty-opentracing-${OPENRESTY_RPM_VERSION} \
-        opentracing-cpp-devel-1.3.0 \
-        libopentracing-cpp1-1.3.0 \
-        jaegertracing-cpp-client-${JAEGERTRACING_CPP_CLIENT_RPM_VERSION}
+        openresty-opentelemetry-${OPENRESTY_RPM_VERSION}
 
 RUN ln -sf /dev/stdout /usr/local/openresty/nginx/logs/access.log \
     && ln -sf /dev/stderr /usr/local/openresty/nginx/logs/error.log \
@@ -49,16 +47,24 @@ ENV PATH="./lua_modules/bin:/usr/local/openresty/luajit/bin/:${PATH}" \
     LUA_CPATH="./lua_modules/lib/lua/5.1/?.so;/opt/app-root/lua_modules/lib64/lua/5.1/?.so;/opt/app-root/lua_modules/lib64/lua/5.1/?/?.so;;" \
     LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/opt/app-root/lib"
 
-RUN yum install -y luarocks-${LUAROCKS_VERSION} && \
-    luarocks install luaossl 20200709 --tree ${APP_ROOT}/lua_modules CFLAGS="-O2 -fPIC -DHAVE_EVP_KDF_CTX=1" && \
-    luarocks install http --tree ${APP_ROOT}/lua_modules && \
-    luarocks install --server=http://luarocks.org/dev lua-rover && \
-    rover -v && \
-    yum -y remove luarocks && \
-    ln -s /usr/bin/rover /usr/local/openresty/luajit/bin/ && \
-    chmod g+w "${HOME}/.cache" && \
-    rm -rf /var/cache/yum && yum clean all -y && \
-    rm -rf "${HOME}/.cache/luarocks" ./*
+RUN cd /tmp \
+    && curl -fSL https://luarocks.github.io/luarocks/releases/luarocks-${LUAROCKS_VERSION}.tar.gz -o luarocks-${LUAROCKS_VERSION}.tar.gz \
+    && tar xzf luarocks-${LUAROCKS_VERSION}.tar.gz \
+    && cd luarocks-${LUAROCKS_VERSION} \
+    && ./configure \
+        --prefix=/usr/local/openresty/luajit \
+        --with-lua=/usr/local/openresty/luajit \
+        --with-lua-include=/usr/local/openresty/luajit/include/luajit-2.1 \
+    && make build \
+    && make install \
+    && cd /tmp \
+    && rm -rf luarocks-${LUAROCKS_VERSION} luarocks-${LUAROCKS_VERSION}.tar.gz \
+    && curl -fSL https://github.com/3scale/lua-rover/archive/refs/tags/v${LUAROVER_VERSION}.tar.gz -o lua-rover-v${LUAROVER_VERSION}.tar.gz \
+    && tar xzf lua-rover-v${LUAROVER_VERSION}.tar.gz \
+    && cd lua-rover-${LUAROVER_VERSION} \
+    && luarocks make \
+    && yum -y remove luarocks \
+    && rm -rf /var/cache/yum && yum clean all -y 
 
 # Directory with the sources is set as the working directory so all STI scripts
 # can execute relative to this path.

Makefile

@@ -70,7 +70,7 @@ export COMPOSE_PROJECT_NAME
 # * update .circleci/config.yaml openresty executor with the image URL
 .PHONY: dev-build
 dev-build: export OPENRESTY_RPM_VERSION?=1.21.4
-dev-build: export LUAROCKS_VERSION?=2.3.0
+dev-build: export LUAROCKS_VERSION?=3.11.1
 dev-build: IMAGE_NAME ?= apicast-development:latest
 dev-build: ## Build development image
 	$(DOCKER) build --platform linux/amd64 -t $(IMAGE_NAME) \
@@ -165,9 +165,6 @@ gateway-logs: export IMAGE_NAME = does-not-matter
 gateway-logs:
 	$(DOCKER) compose logs gateway
 
-opentracing-gateway: ## run gateway instrumented with opentracing
-	$(DOCKER) compose run opentracing-instrumented-gateway
-
 test-runtime-image: export IMAGE_NAME ?= $(RUNTIME_IMAGE)
 test-runtime-image: clean-containers ## Smoke test the runtime image. Pass any docker image in IMAGE_NAME parameter.
 	$(DOCKER) compose --version

README.md

@@ -59,7 +59,7 @@ oc new-app -f https://raw.githubusercontent.com/3scale/apicast/master/openshift/
 - Performance: it is fast because it's built on top of [NGINX](https://www.nginx.com/) and uses [LuaJIT](https://luajit.org/).
 - Scalability: APIcast is stateless, so it scales horizontally.
 - Request transformation: allows to modify the headers, the path and the arguments of a request.
-- Rate-limit: can apply limits based on a header, [JWT](https://jwt.io/) claims, the IP of the request and many more.
+- Rate-limit: can apply limits based on a header, [JWT](https://datatracker.ietf.org/doc/html/rfc7519) claims, the IP of the request and many more.
 - Modular and extensible: thanks to the APIcast [policies framework](doc/policies.md).
 - Monitoring with [Prometheus](https://prometheus.io/).
 - [NGINX instrumentation](https://github.com/open-telemetry/opentelemetry-cpp-contrib) using [OpenTelemetry](https://opentelemetry.io/). Works with [Jaeger](https://www.jaegertracing.io/).

dev-environments/camel-proxy/Makefile

@@ -24,12 +24,12 @@ $(WORKDIR)/cert/keystore.jks: ## use same JVM version as camel-netty-proxy, curr
 	$(DOCKER) run -t --rm \
 		-v $(WORKDIR)/cert:/tmp/cert \
 		--user $(USER):$(GROUP) \
-		openjdk:11.0.9 \
+		registry.access.redhat.com/ubi8/openjdk-11:1.21-1.1733300800 \
 		keytool -genkeypair -keystore /tmp/cert/keystore.jks -dname "CN=tls.camel.proxy" -keypass changeit -storepass changeit -alias camel -keyalg RSA -ext SAN=dns:tls.camel.proxy
 	$(DOCKER) run -t --rm \
 		-v $(WORKDIR)/cert:/tmp/cert \
 		--user $(USER):$(GROUP) \
-		openjdk:11.0.9 \
+		registry.access.redhat.com/ubi8/openjdk-11:1.21-1.1733300800 \
 		keytool -list -v -keystore /tmp/cert/keystore.jks -storepass changeit
 
 .PHONY: certs

dev-environments/camel-proxy/docker-compose.yml

@@ -27,12 +27,12 @@ services:
     volumes:
       - ./apicast-config.json:/tmp/config.json
   proxy.socat:
-    image: alpine/socat:1.7.4.4
+    image: quay.io/openshift-logging/alpine-socat:1.8.0.0
     container_name: proxy
     restart: unless-stopped
     command: "-d -v -d TCP-LISTEN:8080,reuseaddr,fork TCP:camel.proxy:8080"
   camel.proxy:
-    image: zregvart/camel-netty-proxy
+    image: quay.io/zregvart/camel-netty-proxy
     container_name: camel.proxy
     expose:
       - "8080:8080"
@@ -50,14 +50,14 @@ services:
     volumes:
       - ./cert/keystore.jks:/tls/keystore.jks
   example.com:
-    image: alpine/socat:1.7.4.4
+    image: quay.io/openshift-logging/alpine-socat:1.8.0.0
     container_name: example.com
-    command: "-d -v -d TCP-LISTEN:80,reuseaddr,fork TCP:actual.upstream:80"
+    command: "-d -v -d TCP-LISTEN:80,reuseaddr,fork TCP:actual.upstream:8080"
     expose:
       - "443"
     restart: unless-stopped
   actual.upstream:
-    image: kennethreitz/httpbin
+    image: quay.io/kuadrant/authorino-examples:talker-api
     container_name: actual.upstream
     expose:
-      - "80"
+      - "8080"

dev-environments/grpc/docker-compose.yml

@@ -28,7 +28,7 @@ services:
       - ./apicast-config.json:/tmp/config.json
       - ./gateway-cert:/var/run/secrets/apicast
   one.upstream:
-    image: alpine/socat:1.7.4.4
+    image: quay.io/openshift-logging/alpine-socat:1.8.0.0
     container_name: one.upstream
     command: "-v openssl-listen:443,reuseaddr,fork,cert=/etc/pki/upstream.example.com.pem,verify=0,openssl-max-proto-version=TLS1.3 ssl:two.upstream:8005,verify=0"
     expose:
@@ -37,6 +37,8 @@ services:
     volumes:
       - ./upstream-cert/upstream.example.com.pem:/etc/pki/upstream.example.com.pem
   two.upstream:
-    image: kalmhq/echoserver
+    container_name: two.upstream
+    build:
+      dockerfile: ./echoserver.Dockerfile
     expose:
       - "8005"

dev-environments/grpc/echoserver.Dockerfile

@@ -0,0 +1,23 @@
+FROM registry.access.redhat.com/ubi8/go-toolset:1.13.4 as builder
+
+WORKDIR /workspace
+
+RUN cd /tmp \
+    && curl -fSL https://github.com/kalmhq/echoserver/archive/refs/tags/v0.1.1.tar.gz -o echoserver-v0.1.1.tar.gz \
+    && tar xzf echoserver-v0.1.1.tar.gz \
+    && cd echoserver-0.1.1 \
+    && go mod download \
+    && GOOS=linux GOARCH=amd64 go build -ldflags "-s -w" -o server . \
+    && cp server /workspace \
+    && cp default.key /workspace \
+    && cp default.pem /workspace
+
+FROM mirror.gcr.io/library/alpine
+RUN apk update && apk add --no-cache curl
+WORKDIR /workspace
+# Collect binaries and assets
+RUN mkdir /lib64 && ln -s /lib/libc.musl-x86_64.so.1 /lib64/ld-linux-x86-64.so.2
+COPY --from=builder /workspace/server .
+COPY --from=builder /workspace/default.key .
+COPY --from=builder /workspace/default.pem .
+CMD /workspace/server

dev-environments/http-proxy-plain-http-upstream/docker-compose.yml

@@ -26,7 +26,7 @@ services:
     volumes:
       - ./apicast-config.json:/tmp/config.json
   proxy:
-    image: alpine/socat:1.7.4.4
+    image: quay.io/openshift-logging/alpine-socat:1.8.0.0
     container_name: proxy
     command: "-d -v -d TCP-LISTEN:8080,reuseaddr,fork TCP:actual.proxy:443"
     expose:
@@ -42,13 +42,13 @@ services:
     volumes:
       - ./tinyproxy.conf:/etc/tinyproxy/tinyproxy.conf
   example.com:
-    image: alpine/socat:1.7.4.4
+    image: quay.io/openshift-logging/alpine-socat:1.8.0.0
     container_name: example.com
-    command: "-d -v -d TCP-LISTEN:80,reuseaddr,fork TCP:two.upstream:80"
+    command: "-d -v -d TCP-LISTEN:80,reuseaddr,fork TCP:two.upstream:8080"
     expose:
       - "443"
     restart: unless-stopped
   two.upstream:
-    image: kennethreitz/httpbin
+    image: quay.io/kuadrant/authorino-examples:talker-api
     expose:
-      - "80"
+      - "8080"

dev-environments/http-proxy-plain-http-upstream/tinyproxy.Dockerfile

@@ -1,4 +1,4 @@
-FROM alpine:3
+FROM mirror.gcr.io/library/alpine:3
 
 LABEL summary="Forward proxy based on tinyproxy for development purposes" \
       description="Forward proxy based on tinyproxy for development purposes" \

dev-environments/https-proxy-upstream-tlsv1.3/docker-compose.yml

@@ -33,15 +33,15 @@ services:
     volumes:
       - ./tinyproxy.conf:/etc/tinyproxy/tinyproxy.conf
   example.com:
-    image: alpine/socat:1.7.4.4
+    image: quay.io/openshift-logging/alpine-socat:1.8.0.0
     container_name: example.com
-    command: "-v openssl-listen:443,reuseaddr,fork,cert=/etc/pki/example.com.pem,verify=0,openssl-min-proto-version=TLS1.3,openssl-max-proto-version=TLS1.3 TCP:two.upstream:80"
+    command: "-v openssl-listen:443,reuseaddr,fork,cert=/etc/pki/example.com.pem,verify=0,openssl-min-proto-version=TLS1.3,openssl-max-proto-version=TLS1.3 TCP:two.upstream:8080"
     expose:
       - "443"
     restart: unless-stopped
     volumes:
       - ./cert/example.com.pem:/etc/pki/example.com.pem
   two.upstream:
-    image: kennethreitz/httpbin
+    image: quay.io/kuadrant/authorino-examples:talker-api
     expose:
-      - "80"
+      - "8080"

dev-environments/https-proxy-upstream-tlsv1.3/tinyproxy.Dockerfile

@@ -1,4 +1,4 @@
-FROM alpine:3
+FROM mirror.gcr.io/library/alpine:3
 
 LABEL summary="Forward proxy based on tinyproxy for development purposes" \
       description="Forward proxy based on tinyproxy for development purposes" \

dev-environments/keycloak-env/docker-compose.yml

@@ -25,16 +25,16 @@ services:
     volumes:
       - ./apicast-config.json:/tmp/config.json
   example.com:
-    image: alpine/socat:1.7.4.4
+    image: quay.io/openshift-logging/alpine-socat:1.8.0.0
     container_name: example.com
-    command: "-d -v -d TCP-LISTEN:80,reuseaddr,fork TCP:two.upstream:80"
+    command: "-d -v -d TCP-LISTEN:80,reuseaddr,fork TCP:two.upstream:8080"
     expose:
       - "80"
     restart: unless-stopped
   two.upstream:
-    image: kennethreitz/httpbin
+    image: quay.io/kuadrant/authorino-examples:talker-api
     expose:
-      - "80"
+      - "8080"
   keycloak:
     image: quay.io/keycloak/keycloak:23.0.4
     container_name: keycloak

dev-environments/listen-tls/docker-compose.yml

@@ -28,13 +28,13 @@ services:
       - ./apicast-config.json:/tmp/config.json
       - ./cert:/var/run/secrets/apicast
   one.upstream:
-    image: alpine/socat:1.7.4.4
+    image: quay.io/openshift-logging/alpine-socat:1.8.0.0
     container_name: one.upstream
-    command: "-d -v -d TCP-LISTEN:80,reuseaddr,fork TCP:two.upstream:80"
+    command: "-d -v -d TCP-LISTEN:80,reuseaddr,fork TCP:two.upstream:8080"
     expose:
       - "80"
     restart: unless-stopped
   two.upstream:
-    image: kennethreitz/httpbin
+    image: quay.io/kuadrant/authorino-examples:talker-api
     expose:
-      - "80"
+      - "8080"

dev-environments/opentelemetry-instrumented-gateway/docker-compose.yml

@@ -28,18 +28,18 @@ services:
       - ./apicast-config.json:/tmp/config.json
       - ./otel.toml:/opt/app-root/src/tracing-configs/otel.toml
   example.com:
-    image: alpine/socat:1.7.4.4
+    image: quay.io/openshift-logging/alpine-socat:1.8.0.0
     container_name: example.com
-    command: "-d -v -d TCP-LISTEN:80,reuseaddr,fork TCP:two.upstream:80"
+    command: "-d -v -d TCP-LISTEN:80,reuseaddr,fork TCP:two.upstream:8080"
     expose:
       - "80"
     restart: unless-stopped
   two.upstream:
-    image: kennethreitz/httpbin
+    image: quay.io/kuadrant/authorino-examples:talker-api
     expose:
-      - "80"
+      - "8080"
   jaeger:
-    image: jaegertracing/all-in-one:latest
+    image: quay.io/ducna/jaegertracing/all-in-one:1.60
     environment:
       JAEGER_DISABLED: "false"
       COLLECTOR_OTLP_ENABLED: "true"

dev-environments/plain-http-upstream/docker-compose.yml

@@ -24,7 +24,7 @@ services:
     volumes:
       - ./apicast-config.json:/tmp/config.json
   example.com:
-    image: alpine/socat:1.7.4.4
+    image: quay.io/openshift-logging/alpine-socat:1.8.0.0
     container_name: example.com
     command: "-d -d -v -d TCP-LISTEN:80,reuseaddr,fork TCP:two.upstream:3000"
     expose:
@@ -37,7 +37,7 @@ services:
     expose:
       - "3000"
   backend:
-    image: alpine/socat:1.7.4.4
+    image: quay.io/openshift-logging/alpine-socat:1.8.0.0
     container_name: backend
     command: "-d -d -v -d TCP-LISTEN:80,reuseaddr,fork TCP:3scale.backend:3000"
     expose: