AlinsRan opened a new pull request, #2759: URL: https://github.com/apache/apisix-ingress-controller/pull/2759
## Summary

`ApisixConsumer`'s `jwtAuth.value.private_key` was marked as `required` in the generated CRD schema, causing symmetric JWT configurations (e.g. HS256 + `secret`) to be rejected at the API server level before reaching the controller.

## Changes

- **Make `private_key` optional**: add `omitempty` to the JSON tag so the field is removed from the CRD `required` list
- **Add CEL validation rule** (`x-kubernetes-validations`): algorithms other than HS256/HS384/HS512 must supply at least one non-empty (non-whitespace) `public_key` or `private_key`; symmetric algorithms and unset/empty `algorithm` require neither
- **Fix ADC payload**: `api/adc.JwtAuthConsumerConfig.PrivateKey` was also missing `omitempty`, causing an empty `private_key` to be sent to the data plane for symmetric configs
- **Tests**: add unit tests that load the actual generated CRD YAML and validate `ApisixConsumer` objects through the real schema + CEL rules, covering symmetric, asymmetric, empty-algorithm, and whitespace-only key edge cases
- Regenerate CRD manifest and reference docs

## Validation logic

| `algorithm` value | Key requirement |
|---|---|
| unset or `""` | none (treated as symmetric) |
| `HS256` / `HS384` / `HS512` | none |
| any other value | at least one of `public_key` or `private_key` (non-whitespace) |
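Added example, not code from the pull request or the project: a Go sketch of the two behaviours described above, the effect of `omitempty` on the serialized `private_key` and the key requirement from the validation table. The struct names, the helper names and the tags on `algorithm`, `secret` and `public_key` are assumptions; the check is plain Go, not the PR's CEL rule.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Hypothetical stand-ins for the JWT consumer config; only the JSON field
// names come from the PR text, everything else is assumed for illustration.
type jwtBefore struct {
	Algorithm  string `json:"algorithm,omitempty"`
	Secret     string `json:"secret,omitempty"`
	PublicKey  string `json:"public_key,omitempty"`
	PrivateKey string `json:"private_key"` // no omitempty: "" is still serialized
}

type jwtAfter struct {
	Algorithm  string `json:"algorithm,omitempty"`
	Secret     string `json:"secret,omitempty"`
	PublicKey  string `json:"public_key,omitempty"`
	PrivateKey string `json:"private_key,omitempty"` // dropped when empty
}

// keyRequirementMet mirrors the "Validation logic" table: unset or HS*
// algorithms need no key pair; any other value needs at least one
// non-whitespace public_key or private_key.
func keyRequirementMet(algorithm, publicKey, privateKey string) bool {
	switch algorithm {
	case "", "HS256", "HS384", "HS512":
		return true
	}
	return strings.TrimSpace(publicKey) != "" || strings.TrimSpace(privateKey) != ""
}

// payload returns the JSON that would be sent for v.
func payload(v interface{}) string {
	b, err := json.Marshal(v)
	if err != nil {
		panic(err)
	}
	return string(b)
}

func main() {
	// Constructed sample values for a symmetric (HS256 + secret) consumer.
	fmt.Println("before:", payload(jwtBefore{Algorithm: "HS256", Secret: "s3cr3t"}))
	fmt.Println("after: ", payload(jwtAfter{Algorithm: "HS256", Secret: "s3cr3t"}))
	fmt.Println("RS256, whitespace-only key accepted:", keyRequirementMet("RS256", " \n", ""))
}
```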
