AlinsRan opened a new pull request, #2758:
URL: https://github.com/apache/apisix-ingress-controller/pull/2758
## Summary
This PR adds live ADC-backed admission validation to the existing webhook
validators for `ApisixRoute`, `ApisixConsumer`, `ApisixTls`, and `Consumer`
resources.
Previously the webhooks only emitted warnings for missing references
(services, secrets). With this change, resources are also structurally
validated against a live APISIX instance before being admitted.
## Changes
### Core infrastructure
- **`internal/types/error.go`**: Add `ADCValidationErrors`,
`ADCValidationError`, `ADCValidationServerAddrError`, and `ADCValidationDetail`
types to carry structured validation error details.
- **`internal/adc/client/executor.go`**:
  - Add `Validate()` to the `ADCExecutor` interface and `HTTPADCExecutor`
  - Implement `runHTTPValidate` / `runHTTPValidateForSingleServer` that POST
    to the `/configs/validate` endpoint
  - Refactor `buildHTTPRequest` to accept an HTTP method and path
    (supporting both `/sync` and `/configs/validate`)
  - Set TLS minimum version to 1.2
  - Redact full request body from logs (log length only)
- **`internal/adc/client/client.go`**: Add `Client.Validate()` which calls
the executor's validate path and aggregates `ADCValidationErrors`.
### Webhook validation helpers
- **`internal/controller/webhook_validation.go`** *(new)*: Lightweight
`Prepare*ForValidation` helpers for each CRD type that build a
`TranslateContext` without running the full reconciler loop. Used by the
admission webhook to resolve references before translating.
### Admission validator
- **`internal/webhook/v1/adc_validation.go`** *(new)*:
  `adcAdmissionValidator` that:
  - Resolves the IngressClass / GatewayProxy for the resource
  - Translates the resource into an ADC payload
  - Posts the payload to APISIX via `client.Validate()`
  - **Fails open** on infrastructure / transport errors (only
    `ADCValidationErrors` cause denial)
  - Populates `global_rules` and `plugin_metadata` in the validate payload
    so plugin references can be resolved
### Webhook wiring
- **`apisixroute_webhook.go`**, **`apisixconsumer_webhook.go`**,
**`apisixtls_webhook.go`**, **`consumer_webhook.go`**: Wire
`adcAdmissionValidator`; ADC init errors are logged and ignored (fail-open).
- **`apisixtls_webhook.go`**: Skip ADC validation when secrets are missing
to preserve the existing warn-only behaviour for that case.
- **`consumer_webhook.go`**: Validate duplicate `key-auth` credential keys
scoped to the same `GatewayRef` using a field-index query (O(1) instead of O(N)
full list). Malformed inline JSON credentials are logged and skipped rather
than causing a hard denial.
## Behaviour notes
| Scenario | Before | After |
|---|---|---|
| Valid resource, ADC reachable | Admit with warnings | Admit (pass validation) |
| Invalid resource, ADC reachable | Admit with warnings | Deny with structured errors |
| ADC unreachable / init error | Admit with warnings | Admit with warnings (fail-open) |
| ApisixTls with missing secrets | Admit with warnings | Admit with warnings (unchanged) |
| Consumer with duplicate key-auth key | Admit | Deny |
| Consumer with malformed inline credential JSON | Admit | Admit (log + skip duplicate check) |
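The fail-open rule in the behaviour table (only `ADCValidationErrors` deny; transport or init failures admit with a warning) is the part a reviewer most wants to see pinned down. The sketch below is an added example, not code from the PR or the apisix-ingress-controller repository: the type names `ADCValidationErrors` and `ADCValidationDetail` come from the PR, but their field layout, the `AdmissionResult` type and the `Decide` function are assumptions made here.

```go
package main

import (
	"errors"
	"fmt"
)

// Field layout is an assumption for this example; the PR only names the types.
type ADCValidationDetail struct {
	Resource string
	Message  string
}

type ADCValidationErrors struct {
	Details []ADCValidationDetail
}

func (e *ADCValidationErrors) Error() string {
	return fmt.Sprintf("ADC validation failed with %d error(s)", len(e.Details))
}

// AdmissionResult is a hypothetical stand-in for what the webhook returns.
type AdmissionResult struct {
	Allowed  bool
	Denials  []string // structured errors returned on deny
	Warnings []string // admission warnings surfaced on admit
}

// Decide applies the PR's policy: a (possibly wrapped) *ADCValidationErrors
// denies the request; any other error fails open but is made visible as a
// warning so a degraded validator is not silently indistinguishable from a pass.
func Decide(validateErr error) AdmissionResult {
	if validateErr == nil {
		return AdmissionResult{Allowed: true}
	}
	var verrs *ADCValidationErrors
	if errors.As(validateErr, &verrs) {
		res := AdmissionResult{Allowed: false}
		for _, d := range verrs.Details {
			res.Denials = append(res.Denials, d.Resource+": "+d.Message)
		}
		return res
	}
	return AdmissionResult{Allowed: true,
		Warnings: []string{"ADC validation skipped (fail-open): " + validateErr.Error()}}
}

func main() {
	fmt.Printf("%+v\n", Decide(errors.New("dial tcp: connection refused")))
	v := &ADCValidationErrors{Details: []ADCValidationDetail{{"route/r1", "unknown plugin"}}}
	fmt.Printf("%+v\n", Decide(fmt.Errorf("validate: %w", v)))
}
```

Because the fail-open branch still admits, the emitted warning (or an equivalent metric) is what lets operators notice a validator outage rather than assuming every admitted resource was checked.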