AlinsRan opened a new pull request, #2761:
URL: https://github.com/apache/apisix-ingress-controller/pull/2761
## Summary
Add a generic `plugins` field to `ApisixConsumerSpec` so that
consumer-scoped plugins (e.g. `limit-count`, `limit-req`) can be attached to an
`ApisixConsumer` resource directly, without being limited to the auth plugins
exposed through `authParameter`.
## Changes
- **`ApisixConsumerSpec`** gains a `Plugins []ApisixRoutePlugin` field,
following the same pattern as `ApisixRoute` and `ApisixGlobalRule`. Enabled
plugins are merged after the auth plugin derived from `authParameter`; an
enabled entry with the same name takes precedence.
- **`authParameter` is now optional** (`omitempty`). A CEL `x-validation`
rule enforces that at least one auth method within `authParameter` OR at least
one enabled plugin in `plugins` must be specified:
```
has(self.authParameter.basicAuth) || has(self.authParameter.keyAuth) ||
... || (has(self.plugins) && self.plugins.exists(p, p.enable))
```
- **Translator** updated to process the new `Plugins` slice via the existing
`buildPluginConfig` helper.
- **Controller and indexer** extended to load and index Secrets referenced
by `spec.plugins[].secretRef`, consistent with `ApisixRoute` and
`ApisixGlobalRule` behavior.
- **deepcopy** updated for the new `Plugins` slice (auto-generated by `make
generate`).
- **No webhook changes** required; validation is handled entirely by the
CRD-level CEL rule.
- **E2e tests** added for two scenarios:
  - `authParameter` + extra `plugins` (e.g. `limit-count` rate limiting at
    consumer level)
  - `plugins` only — no `authParameter` (e.g. `key-auth` configured directly
    via plugins)
## Example
```yaml
apiVersion: apisix.apache.org/v2
kind: ApisixConsumer
metadata:
  name: my-consumer
spec:
  ingressClassName: apisix
  authParameter:
    keyAuth:
      value:
        key: my-secret-key
  plugins:
    - name: limit-count
      enable: true
      config:
        count: 100
        time_window: 60
        rejected_code: 429
        policy: local
```
Or, using `plugins` only (without `authParameter`):
```yaml
apiVersion: apisix.apache.org/v2
kind: ApisixConsumer
metadata:
  name: key-auth-consumer
spec:
  ingressClassName: apisix
  plugins:
    - name: key-auth
      enable: true
      config:
        key: my-secret-key
```
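As an added illustration of the merge order and CEL rule described in the pull request above (not code from the PR or the project): a Go model that reports enabled `plugins` entries replacing an auth-derived config, so a manifest review can flag them. The `Consumer`, `Valid` and `Merge` names are hypothetical, the sample values are constructed, and it assumes the plugin derived from `authParameter.keyAuth` is named `key-auth`.

```go
package main

import "fmt"

// Plugin mirrors the name/enable/config fields of a spec.plugins entry.
type Plugin struct {
	Name   string
	Enable bool
	Config map[string]any
}

// Consumer is a hypothetical stand-in; Auth is the plugin derived from authParameter.
type Consumer struct {
	Auth    map[string]map[string]any
	Plugins []Plugin
}

// Valid models the CEL rule: an auth method is set OR some plugin is enabled.
func Valid(c Consumer) bool {
	ok := len(c.Auth) > 0
	for _, p := range c.Plugins {
		ok = ok || p.Enable
	}
	return ok
}

// Merge applies the auth-derived plugin, then each enabled spec.plugins entry;
// overridden lists enabled entries that replace an auth-derived config.
func Merge(c Consumer) (merged map[string]map[string]any, overridden []string) {
	merged = map[string]map[string]any{}
	for name, cfg := range c.Auth {
		merged[name] = cfg
	}
	for _, p := range c.Plugins {
		if !p.Enable {
			continue // only enabled entries are merged
		}
		if _, dup := c.Auth[p.Name]; dup {
			overridden = append(overridden, p.Name)
		}
		merged[p.Name] = p.Config
	}
	return merged, overridden
}

func main() { // constructed sample: authParameter and plugins both configure key-auth
	c := Consumer{Auth: map[string]map[string]any{"key-auth": {"key": "key-a"}},
		Plugins: []Plugin{{"key-auth", true, map[string]any{"key": "key-b"}}}}
	fmt.Println(Merge(c))
}
```

Under the rule as quoted, a consumer whose only enabled plugin is `limit-count` also validates, since any enabled entry satisfies `self.plugins.exists(p, p.enable)`.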