feat: support webhook server for ingress

Signed-off-by: Ashing Zheng <axingfly@gmail.com>

Author: ronething

charts/apisix-ingress-controller/README.md

@@ -158,3 +158,8 @@ The same for container level, you need to set:
 | serviceMonitor.labels | object | `{}` | @param serviceMonitor.labels ServiceMonitor extra labels |
 | serviceMonitor.metricRelabelings | object | `{}` | @param serviceMonitor.metricRelabelings MetricRelabelConfigs to apply to samples before ingestion. ref: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#metric_relabel_configs |
 | serviceMonitor.namespace | string | `"monitoring"` | @param serviceMonitor.namespace Namespace in which to create the ServiceMonitor |
+| webhook.certificate.provided | bool | `false` | Set to true if you want to provide your own certificate |
+| webhook.enabled | bool | `true` | Enable or disable admission webhook |
+| webhook.failurePolicy | string | `"Fail"` | Failure policy for the webhook (Fail or Ignore) |
+| webhook.port | int | `9443` | The port for the webhook server to listen on |
+| webhook.timeoutSeconds | int | `10` | Timeout in seconds for the webhook |

charts/apisix-ingress-controller/templates/_helpers.tpl

@@ -67,3 +67,23 @@ app.kubernetes.io/name: {{ include "apisix-ingress-controller-manager.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}
 {{- end }}
+
+{{/*
+Webhook service name - ensure it stays within 63 character limit
+*/}}
+{{- define "apisix-ingress-controller-manager.webhook.serviceName" -}}
+{{- $suffix := "-webhook-svc" -}}
+{{- $maxLen := sub 63 (len $suffix) | int -}}
+{{- $baseName := include "apisix-ingress-controller-manager.name.fullname" . | trunc $maxLen | trimSuffix "-" -}}
+{{- printf "%s%s" $baseName $suffix -}}
+{{- end }}
+
+{{/*
+Webhook secret name - ensure it stays within 63 character limit
+*/}}
+{{- define "apisix-ingress-controller-manager.webhook.secretName" -}}
+{{- $suffix := "-webhook-cert" -}}
+{{- $maxLen := sub 63 (len $suffix) | int -}}
+{{- $baseName := include "apisix-ingress-controller-manager.name.fullname" . | trunc $maxLen | trimSuffix "-" -}}
+{{- printf "%s%s" $baseName $suffix -}}
+{{- end }}

charts/apisix-ingress-controller/templates/cluster_role.yaml

@@ -94,7 +94,6 @@ rules:
   - gateway.networking.k8s.io
   resources:
   - gatewayclasses
-  - gateways
   verbs:
   - get
   - list
@@ -105,6 +104,7 @@ rules:
   resources:
   - gatewayclasses/status
   - gateways/status
+  - grpcroutes/status
   - httproutes/status
   - referencegrants/status
   verbs:
@@ -113,43 +113,38 @@ rules:
 - apiGroups:
   - gateway.networking.k8s.io
   resources:
+  - gateways
+  - grpcroutes
   - httproutes
-  verbs:
-  - get
-  - list
-  - watch
-- apiGroups:
-  - gateway.networking.k8s.io
-  resources:
   - referencegrants
   verbs:
+  - get
   - list
-  - update
   - watch
 - apiGroups:
   - networking.k8s.io
   resources:
   - ingressclasses
+  - ingresses
   verbs:
   - get
   - list
   - watch
 - apiGroups:
   - networking.k8s.io
   resources:
-  - ingresses
+  - ingresses/status
   verbs:
   - get
-  - list
   - update
-  - watch
 - apiGroups:
-  - networking.k8s.io
+  - ""
   resources:
-  - ingresses/status
+  - endpoints
   verbs:
   - get
-  - update
+  - list
+  - watch
 
 ---
 apiVersion: rbac.authorization.k8s.io/v1

charts/apisix-ingress-controller/templates/configmap.yaml

@@ -38,3 +38,11 @@ data:
       type: {{ .Values.config.provider.type | default "apisix" }}
       sync_period: {{ .Values.config.provider.syncPeriod | default "1s" }}
       init_sync_delay: {{ .Values.config.provider.initSyncDelay | default "20m" }}
+    {{- if .Values.webhook.enabled }}
+    webhook:
+      enable: true
+      port: {{ .Values.webhook.port }}
+      tls_cert_file: "tls.crt"
+      tls_key_file: "tls.key"
+      tls_cert_dir: "/certs"
+    {{- end }}

charts/apisix-ingress-controller/templates/deployment.yaml

@@ -58,10 +58,20 @@ spec:
         - containerPort: {{ splitList ":" .Values.config.metricsAddr | last | int }}
           name: metrics
           protocol: TCP
+        {{- if .Values.webhook.enabled }}
+        - containerPort: {{ .Values.webhook.port }}
+          name: webhook
+          protocol: TCP
+        {{- end }}
         volumeMounts:
         - name: {{ .Release.Name }}-ingress-config
           mountPath: /app/conf/config.yaml
           subPath: config.yaml
+        {{- if .Values.webhook.enabled }}
+        - name: webhook-certs
+          mountPath: /certs
+          readOnly: true
+        {{- end }}
         livenessProbe:
           httpGet:
             path: /healthz
@@ -136,6 +146,11 @@ spec:
       - name: {{ .Release.Name }}-ingress-config
         configMap:
           name: {{ .Release.Name }}-ingress-config
+      {{- if .Values.webhook.enabled }}
+      - name: webhook-certs
+        secret:
+          secretName: {{ include "apisix-ingress-controller-manager.webhook.secretName" . }}
+      {{- end }}
       securityContext:
         runAsNonRoot: false
       serviceAccountName: {{ .Release.Name }}