feat: add secret/service resource checker for webhook #2580
+1,514
−0
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Ashing Zheng <axingfly@gmail.com>
Signed-off-by: Ashing Zheng <axingfly@gmail.com>
Signed-off-by: Ashing Zheng <axingfly@gmail.com>
Signed-off-by: Ashing Zheng <axingfly@gmail.com>
Signed-off-by: Ashing Zheng <axingfly@gmail.com>
ronething
changed the title
There was a problem hiding this comment.
Pull Request Overview
This PR implements admission webhook validation for multiple APISIX resources to check for missing Service and Secret references. The validation provides warnings to users when referenced resources don't exist in the cluster, improving user experience and catching configuration errors early.
Key changes:
- Added a reusable reference checker utility for Service and Secret validation
- Implemented webhooks for GatewayProxy, ApisixConsumer, ApisixTls, ApisixRoute, and Consumer resources
- Added comprehensive unit tests for all webhook validators
Reviewed Changes
Copilot reviewed 14 out of 14 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
test/e2e/scaffold/grpc.go |
Minor import reorganization for better code formatting |
internal/webhook/v1/reference/checker.go |
Core utility for validating Service and Secret references with admission warnings |
internal/webhook/v1/*_webhook.go |
Webhook validators for GatewayProxy, Consumer, ApisixTls, ApisixRoute, and ApisixConsumer |
internal/webhook/v1/*_webhook_test.go |
Comprehensive unit tests for all webhook validators |
internal/manager/webhooks.go |
Registration of new webhooks with the manager |
config/webhook/manifests.yaml |
Webhook configuration manifests for Kubernetes admission controllers |
Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.
AlinsRan
reviewed
Sep 28, 2025
AlinsRan
approved these changes
Sep 28, 2025
nic-6443
approved these changes
Sep 28, 2025
This was referenced Sep 28, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Type of change:
What this PR does / why we need it:
Currently, resources such as GRPCRoute and HTTPRoute are still missing, and they will be handled in the next PR.
Then the logic of Ingress webhook and Gateway webhook needs to be expanded, and there is currently no support for checking missing Secret/Service.
Additionally, the current supplement is unit tests, while e2e tests have not been added yet. But these unit tests should be sufficient for this PR.
Pre-submission checklist: