feat: Implement the admission server and a validation webhook for plugins

[fgksgf]

Please answer these questions before submitting a pull request

• Why submit this pull request?

• Bugfix

• New feature provided

• Improve performance

• Backport patches

• Related issues
  Implement the admission server #244

---

New feature or improvement

• Describe the details and related test reports.
  Implement an admission server via kubewebhook to validate configurations like plugins.

TODO

• implement an admission server
• implement a validating webhook for plugins
• add YAML of webhook
• add e2e test

[codecov-commenter]

Codecov Report

Merging #573 (240ffae) into master (62b7590) will increase coverage by 0.40%.
The diff coverage is 50.64%.

@@            Coverage Diff             @@
##           master     #573      +/-   ##
==========================================
+ Coverage   34.31%   34.72%   +0.40%     
==========================================
  Files          57       60       +3     
  Lines        5746     5892     +146     
==========================================
+ Hits         1972     2046      +74     
- Misses       3527     3596      +69     
- Partials      247      250       +3     

Impacted Files	Coverage Δ
pkg/api/router/router.go	75.00% <ø> (ø)
pkg/api/validation/apisix_route.go	21.53% <21.53%> (ø)
pkg/api/validation/utils.go	46.15% <46.15%> (ø)
pkg/api/server.go	81.81% <79.31%> (+5.95%)	⬆️
cmd/ingress/ingress.go	77.27% <100.00%> (+0.26%)	⬆️
pkg/api/router/webhook.go	100.00% <100.00%> (ø)
pkg/config/config.go	86.44% <100.00%> (+0.72%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 62b7590...240ffae. Read the comment docs.

[gxthrj]

BTW, Need to add e2e test case to cover the logic of validating with the schema from APISIX.

[fgksgf]

BTW, Need to add e2e test case to cover the logic of validating with the schema from APISIX.

Ok, where should I put the code, test/e2e/features/ or test/e2e/ingress/?

[tokers]

Should it be optional? Only enable TLS if the certificate and private key are specified simultaneously.

[fgksgf]

Because cfg.CertFilePath and cfg.KeyFilePath have default values.

[tokers]

Then you should prepare the default certificate and private key, or it's difficult to start the server in the local environment.

[tokers]

Why fetch schema in the singleton way, schema is synchronized periodically.

[fgksgf]

I didn't get your point, it seems that the singleton will not interfere with the synchronization process.

[tokers]

Just ignore my comment as long as the schema cache is refreshed periodically.

[tokers]

@fgksgf After this PR was approved, we need to change helm chart so that people can use it.

[fgksgf]

@gxthrj @tokers @tao12345666333 PTAL

[tokers]

Then you should prepare the default certificate and private key, or it's difficult to start the server in the local environment.

[fgksgf]

reply: #573 (comment)

If we provide default TLS Certificates, they are not signed by CA, and the webhook still can't work. We can accomplish this after we have cert-manager.

I can help integrate cert-manager after webhooks are implemented.

[tokers]

reply: #573 (comment)

If we provide default TLS Certificates, they are not signed by CA, and the webhook still can't work. We can accomplish this after we have cert-manager.

I can help integrate cert-manager after webhooks are implemented.

We may use CertificateSigningRequest, and give documentation to guide people.

[fgksgf]

reply: #573 (comment)

If we provide default TLS Certificates, they are not signed by CA, and the webhook still can't work. We can accomplish this after we have cert-manager.
I can help integrate cert-manager after webhooks are implemented.

We may use CertificateSigningRequest, and give documentation to guide people.

Good idea. But how about file a new PR to do this, because the current PR is a bit huge.

[tokers]

reply: #573 (comment)

If we provide default TLS Certificates, they are not signed by CA, and the webhook still can't work. We can accomplish this after we have cert-manager.
I can help integrate cert-manager after webhooks are implemented.

We may use CertificateSigningRequest, and give documentation to guide people.

Good idea. But how about file a new PR to do this, because the current PR is a bit huge.

Sure.

[fgksgf]

Webhook E2E test: