feat: add secret/service resource checker for webhook (#2583) (ec81917) #294
Signed-off-by: Ashing Zheng <axingfly@gmail.com>
(cherry picked from commit ec819175cff42354a55525efc9cd28f1a9e52c18)
conformance test report - apisix-standalone mode

```yaml
apiVersion: gateway.networking.k8s.io/v1
date: "2025-10-27T01:38:07Z"
gatewayAPIChannel: experimental
gatewayAPIVersion: v1.3.0
implementation:
  contact: null
  organization: APISIX
  project: apisix-ingress-controller
  url: https://github.com/apache/apisix-ingress-controller.git
  version: v2.0.0
kind: ConformanceReport
mode: default
profiles:
- core:
    result: success
    statistics:
      Failed: 0
      Passed: 12
      Skipped: 0
  name: GATEWAY-GRPC
  summary: Core tests succeeded.
- core:
    result: partial
    skippedTests:
    - HTTPRouteHTTPSListener
    statistics:
      Failed: 0
      Passed: 32
      Skipped: 1
  extended:
    result: partial
    skippedTests:
    - HTTPRouteRedirectPortAndScheme
    statistics:
      Failed: 0
      Passed: 8
      Skipped: 1
    supportedFeatures:
    - GatewayAddressEmpty
    - GatewayPort8080
    - HTTPRouteDestinationPortMatching
    - HTTPRouteHostRewrite
    - HTTPRouteMethodMatching
    - HTTPRoutePortRedirect
    - HTTPRouteRequestMirror
    - HTTPRouteResponseHeaderModification
    - HTTPRouteSchemeRedirect
    unsupportedFeatures:
    - GatewayHTTPListenerIsolation
    - GatewayInfrastructurePropagation
    - GatewayStaticAddresses
    - HTTPRouteBackendProtocolH2C
    - HTTPRouteBackendProtocolWebSocket
    - HTTPRouteBackendRequestHeaderModification
    - HTTPRouteBackendTimeout
    - HTTPRouteParentRefPort
    - HTTPRoutePathRedirect
    - HTTPRoutePathRewrite
    - HTTPRouteQueryParamMatching
    - HTTPRouteRequestMultipleMirrors
    - HTTPRouteRequestPercentageMirror
    - HTTPRouteRequestTimeout
  name: GATEWAY-HTTP
  summary: Core tests partially succeeded with 1 test skips. Extended tests partially
    succeeded with 1 test skips.
```
conformance test report - apisix mode

```yaml
apiVersion: gateway.networking.k8s.io/v1
date: "2025-10-27T01:38:46Z"
gatewayAPIChannel: experimental
gatewayAPIVersion: v1.3.0
implementation:
  contact: null
  organization: APISIX
  project: apisix-ingress-controller
  url: https://github.com/apache/apisix-ingress-controller.git
  version: v2.0.0
kind: ConformanceReport
mode: default
profiles:
- core:
    result: success
    statistics:
      Failed: 0
      Passed: 12
      Skipped: 0
  name: GATEWAY-GRPC
  summary: Core tests succeeded.
- core:
    failedTests:
    - HTTPRouteInvalidBackendRefUnknownKind
    result: failure
    skippedTests:
    - HTTPRouteHTTPSListener
    statistics:
      Failed: 1
      Passed: 31
      Skipped: 1
  extended:
    result: partial
    skippedTests:
    - HTTPRouteRedirectPortAndScheme
    statistics:
      Failed: 0
      Passed: 8
      Skipped: 1
    supportedFeatures:
    - GatewayAddressEmpty
    - GatewayPort8080
    - HTTPRouteDestinationPortMatching
    - HTTPRouteHostRewrite
    - HTTPRouteMethodMatching
    - HTTPRoutePortRedirect
    - HTTPRouteRequestMirror
    - HTTPRouteResponseHeaderModification
    - HTTPRouteSchemeRedirect
    unsupportedFeatures:
    - GatewayHTTPListenerIsolation
    - GatewayInfrastructurePropagation
    - GatewayStaticAddresses
    - HTTPRouteBackendProtocolH2C
    - HTTPRouteBackendProtocolWebSocket
    - HTTPRouteBackendRequestHeaderModification
    - HTTPRouteBackendTimeout
    - HTTPRouteParentRefPort
    - HTTPRoutePathRedirect
    - HTTPRoutePathRewrite
    - HTTPRouteQueryParamMatching
    - HTTPRouteRequestMultipleMirrors
    - HTTPRouteRequestPercentageMirror
    - HTTPRouteRequestTimeout
  name: GATEWAY-HTTP
  summary: Core tests failed with 1 test failures. Extended tests partially succeeded
    with 1 test skips.
```
conformance test report

```yaml
apiVersion: gateway.networking.k8s.io/v1
date: "2025-10-27T01:49:35Z"
gatewayAPIChannel: experimental
gatewayAPIVersion: v1.3.0
implementation:
  contact: null
  organization: APISIX
  project: apisix-ingress-controller
  url: https://github.com/apache/apisix-ingress-controller.git
  version: v2.0.0
kind: ConformanceReport
mode: default
profiles:
- core:
    failedTests:
    - GRPCExactMethodMatching
    - GRPCRouteHeaderMatching
    - GRPCRouteListenerHostnameMatching
    result: failure
    statistics:
      Failed: 3
      Passed: 9
      Skipped: 0
  name: GATEWAY-GRPC
  summary: Core tests failed with 3 test failures.
- core:
    result: partial
    skippedTests:
    - HTTPRouteHTTPSListener
    statistics:
      Failed: 0
      Passed: 32
      Skipped: 1
  extended:
    result: partial
    skippedTests:
    - HTTPRouteRedirectPortAndScheme
    statistics:
      Failed: 0
      Passed: 8
      Skipped: 1
    supportedFeatures:
    - GatewayAddressEmpty
    - GatewayPort8080
    - HTTPRouteDestinationPortMatching
    - HTTPRouteHostRewrite
    - HTTPRouteMethodMatching
    - HTTPRoutePortRedirect
    - HTTPRouteRequestMirror
    - HTTPRouteResponseHeaderModification
    - HTTPRouteSchemeRedirect
    unsupportedFeatures:
    - GatewayHTTPListenerIsolation
    - GatewayInfrastructurePropagation
    - GatewayStaticAddresses
    - HTTPRouteBackendProtocolH2C
    - HTTPRouteBackendProtocolWebSocket
    - HTTPRouteBackendRequestHeaderModification
    - HTTPRouteBackendTimeout
    - HTTPRouteParentRefPort
    - HTTPRoutePathRedirect
    - HTTPRoutePathRewrite
    - HTTPRouteQueryParamMatching
    - HTTPRouteRequestMultipleMirrors
    - HTTPRouteRequestPercentageMirror
    - HTTPRouteRequestTimeout
  name: GATEWAY-HTTP
  summary: Core tests partially succeeded with 1 test skips. Extended tests partially
    succeeded with 1 test skips.
```
Pull Request Overview
This PR adds resource validation for Kubernetes Secrets and Services referenced in webhook validation across multiple resource types including Gateway, HTTPRoute, GRPCRoute, TCPRoute, Ingress, and various APISIX custom resources. The validation generates warnings when referenced resources are missing.
Key changes:
- Implements reference checking for Services and Secrets across webhook validators
- Adds ownership/management checks to ensure webhooks only validate resources managed by this controller
- Integrates new webhooks for HTTPRoute, GRPCRoute, and TCPRoute resources
Reviewed Changes
Copilot reviewed 22 out of 22 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| internal/webhook/v1/ownership.go | New file implementing controller ownership checks for Gateway API resources |
| internal/webhook/v1/tcproute_webhook.go | New TCPRoute webhook validator with service reference checking |
| internal/webhook/v1/httproute_webhook.go | New HTTPRoute webhook validator with service reference checking including request mirror filters |
| internal/webhook/v1/grpcroute_webhook.go | New GRPCRoute webhook validator with service reference checking including request mirror filters |
| internal/webhook/v1/gateway_webhook.go | Enhanced Gateway webhook to check TLS certificate Secret references |
| internal/webhook/v1/ingress_webhook.go | Enhanced Ingress webhook to check Service and TLS Secret references |
| internal/webhook/v1/consumer_webhook.go | Added gateway reference matching for Consumer resources |
| internal/webhook/v1/apisix*.go | Added ingress class matching for ApisixRoute, ApisixTls, and ApisixConsumer resources |
| internal/manager/webhooks.go | Registered new HTTPRoute, GRPCRoute, and TCPRoute webhooks |
| config/webhook/manifests.yaml | Added webhook configurations for HTTPRoute, GRPCRoute, and TCPRoute |
| Test files | Comprehensive test coverage for all new webhook validators |
Comments suppressed due to low confidence (1)
internal/controller/grpcroute_controller.go:293
- [nitpick] Removed blank line appears to be an unrelated formatting change. Consider excluding unrelated formatting changes from feature commits to maintain clearer commit history.
🔄 Automated Backport
Please review and run the relevant validation before merging.