apache
diff --git a/‎internal/manager/webhooks.go‎
Lines changed: 6 additions & 0 deletions b/‎internal/manager/webhooks.go‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎internal/webhook/v1/gateway_webhook.go‎
Lines changed: 62 additions & 2 deletions b/‎internal/webhook/v1/gateway_webhook.go‎
Lines changed: 62 additions & 2 deletions
diff --git a/‎internal/webhook/v1/gateway_webhook_test.go‎
Lines changed: 113 additions & 0 deletions b/‎internal/webhook/v1/gateway_webhook_test.go‎
Lines changed: 113 additions & 0 deletions
diff --git a/‎internal/webhook/v1/grpcroute_webhook.go‎
Lines changed: 146 additions & 0 deletions b/‎internal/webhook/v1/grpcroute_webhook.go‎
Lines changed: 146 additions & 0 deletions
@@ -38,6 +38,12 @@ func setupWebhooks(_ context.Context, mgr manager.Manager) error {
 	if err := webhookv1.SetupGatewayProxyWebhookWithManager(mgr); err != nil {
 		return err
 	}
+	if err := webhookv1.SetupHTTPRouteWebhookWithManager(mgr); err != nil {
+		return err
+	}
+	if err := webhookv1.SetupGRPCRouteWebhookWithManager(mgr); err != nil {
+		return err
+	}
 	if err := webhookv1.SetupApisixConsumerWebhookWithManager(mgr); err != nil {
 		return err
 	}
 
@@ -19,8 +19,10 @@ import (
 	"context"
 	"fmt"
 
+	corev1 "k8s.io/api/core/v1"
 	k8serrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/types"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	logf "sigs.k8s.io/controller-runtime/pkg/log"
@@ -31,6 +33,7 @@ import (
 	v1alpha1 "github.com/apache/apisix-ingress-controller/api/v1alpha1"
 	"github.com/apache/apisix-ingress-controller/internal/controller/config"
 	internaltypes "github.com/apache/apisix-ingress-controller/internal/types"
+	"github.com/apache/apisix-ingress-controller/internal/webhook/v1/reference"
 )
 
 // nolint:unused
@@ -40,7 +43,7 @@ var gatewaylog = logf.Log.WithName("gateway-resource")
 // SetupGatewayWebhookWithManager registers the webhook for Gateway in the manager.
 func SetupGatewayWebhookWithManager(mgr ctrl.Manager) error {
 	return ctrl.NewWebhookManagedBy(mgr).For(&gatewaynetworkingk8siov1.Gateway{}).
-		WithValidator(&GatewayCustomValidator{Client: mgr.GetClient()}).
+		WithValidator(NewGatewayCustomValidator(mgr.GetClient())).
 		Complete()
 }
 
@@ -54,11 +57,19 @@ func SetupGatewayWebhookWithManager(mgr ctrl.Manager) error {
 // NOTE: The +kubebuilder:object:generate=false marker prevents controller-gen from generating DeepCopy methods,
 // as this struct is used only for temporary operations and does not need to be deeply copied.
 type GatewayCustomValidator struct {
-	Client client.Client
+	Client  client.Client
+	checker reference.Checker
 }
 
 var _ webhook.CustomValidator = &GatewayCustomValidator{}
 
+func NewGatewayCustomValidator(c client.Client) *GatewayCustomValidator {
+	return &GatewayCustomValidator{
+		Client:  c,
+		checker: reference.NewChecker(c, gatewaylog),
+	}
+}
+
 // ValidateCreate implements webhook.CustomValidator so a webhook will be registered for the type Gateway.
 func (v *GatewayCustomValidator) ValidateCreate(ctx context.Context, obj runtime.Object) (admission.Warnings, error) {
 	gateway, ok := obj.(*gatewaynetworkingk8siov1.Gateway)
@@ -68,6 +79,7 @@ func (v *GatewayCustomValidator) ValidateCreate(ctx context.Context, obj runtime
 	gatewaylog.Info("Validation for Gateway upon creation", "name", gateway.GetName())
 
 	warnings := v.warnIfMissingGatewayProxyForGateway(ctx, gateway)
+	warnings = append(warnings, v.collectReferenceWarnings(ctx, gateway)...)
 
 	return warnings, nil
 }
@@ -81,6 +93,7 @@ func (v *GatewayCustomValidator) ValidateUpdate(ctx context.Context, oldObj, new
 	gatewaylog.Info("Validation for Gateway upon update", "name", gateway.GetName())
 
 	warnings := v.warnIfMissingGatewayProxyForGateway(ctx, gateway)
+	warnings = append(warnings, v.collectReferenceWarnings(ctx, gateway)...)
 
 	return warnings, nil
 }
@@ -90,6 +103,53 @@ func (v *GatewayCustomValidator) ValidateDelete(_ context.Context, obj runtime.O
 	return nil, nil
 }
 
+func (v *GatewayCustomValidator) collectReferenceWarnings(ctx context.Context, gateway *gatewaynetworkingk8siov1.Gateway) admission.Warnings {
+	if gateway == nil {
+		return nil
+	}
+
+	var warnings admission.Warnings
+	secretVisited := make(map[types.NamespacedName]struct{})
+
+	addSecretWarning := func(nn types.NamespacedName) {
+		if nn.Name == "" || nn.Namespace == "" {
+			return
+		}
+		if _, seen := secretVisited[nn]; seen {
+			return
+		}
+		secretVisited[nn] = struct{}{}
+		warnings = append(warnings, v.checker.Secret(ctx, reference.SecretRef{
+			Object:         gateway,
+			NamespacedName: nn,
+		})...)
+	}
+
+	for _, listener := range gateway.Spec.Listeners {
+		if listener.TLS == nil {
+			continue
+		}
+		for _, ref := range listener.TLS.CertificateRefs {
+			if ref.Kind != nil && *ref.Kind != internaltypes.KindSecret {
+				continue
+			}
+			if ref.Group != nil && string(*ref.Group) != corev1.GroupName {
+				continue
+			}
+			nn := types.NamespacedName{
+				Namespace: gateway.GetNamespace(),
+				Name:      string(ref.Name),
+			}
+			if ref.Namespace != nil && *ref.Namespace != "" {
+				nn.Namespace = string(*ref.Namespace)
+			}
+			addSecretWarning(nn)
+		}
+	}
+
+	return warnings
+}
+
 func (v *GatewayCustomValidator) warnIfMissingGatewayProxyForGateway(ctx context.Context, gateway *gatewaynetworkingk8siov1.Gateway) admission.Warnings {
 	var warnings admission.Warnings
 
 
@@ -0,0 +1,113 @@
+// Licensed to the Apache Software Foundation (ASF) under one or more
+// contributor license agreements.  See the NOTICE file distributed with
+// this work for additional information regarding copyright ownership.
+// The ASF licenses this file to You under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance with
+// the License.  You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package v1
+
+import (
+	"context"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
+	"sigs.k8s.io/controller-runtime/pkg/client/fake"
+	gatewaynetworkingk8siov1 "sigs.k8s.io/gateway-api/apis/v1"
+
+	"github.com/apache/apisix-ingress-controller/internal/controller/config"
+)
+
+func buildGatewayValidator(t *testing.T, objects ...runtime.Object) *GatewayCustomValidator {
+	t.Helper()
+
+	scheme := runtime.NewScheme()
+	require.NoError(t, clientgoscheme.AddToScheme(scheme))
+	require.NoError(t, gatewaynetworkingk8siov1.Install(scheme))
+
+	builder := fake.NewClientBuilder().WithScheme(scheme)
+	if len(objects) > 0 {
+		builder = builder.WithRuntimeObjects(objects...)
+	}
+
+	return NewGatewayCustomValidator(builder.Build())
+}
+
+func TestGatewayCustomValidator_WarnsWhenTLSSecretMissing(t *testing.T) {
+	className := gatewaynetworkingk8siov1.ObjectName("apisix")
+	gatewayClass := &gatewaynetworkingk8siov1.GatewayClass{
+		ObjectMeta: metav1.ObjectMeta{Name: string(className)},
+		Spec: gatewaynetworkingk8siov1.GatewayClassSpec{
+			ControllerName: gatewaynetworkingk8siov1.GatewayController(config.ControllerConfig.ControllerName),
+		},
+	}
+	validator := buildGatewayValidator(t, gatewayClass)
+
+	gateway := &gatewaynetworkingk8siov1.Gateway{
+		ObjectMeta: metav1.ObjectMeta{Name: "example", Namespace: "default"},
+		Spec: gatewaynetworkingk8siov1.GatewaySpec{
+			GatewayClassName: className,
+			Listeners: []gatewaynetworkingk8siov1.Listener{{
+				Name:     "https",
+				Port:     443,
+				Protocol: gatewaynetworkingk8siov1.HTTPSProtocolType,
+				TLS: &gatewaynetworkingk8siov1.GatewayTLSConfig{
+					CertificateRefs: []gatewaynetworkingk8siov1.SecretObjectReference{{
+						Name: "missing-cert",
+					}},
+				},
+			}},
+		},
+	}
+
+	warnings, err := validator.ValidateCreate(context.Background(), gateway)
+	require.NoError(t, err)
+	require.Len(t, warnings, 1)
+	assert.Equal(t, warnings[0], "Referenced Secret 'default/missing-cert' not found")
+}
+
+func TestGatewayCustomValidator_NoWarningsWhenSecretExists(t *testing.T) {
+	className := gatewaynetworkingk8siov1.ObjectName("apisix")
+	gatewayClass := &gatewaynetworkingk8siov1.GatewayClass{
+		ObjectMeta: metav1.ObjectMeta{Name: string(className)},
+		Spec: gatewaynetworkingk8siov1.GatewayClassSpec{
+			ControllerName: gatewaynetworkingk8siov1.GatewayController(config.ControllerConfig.ControllerName),
+		},
+	}
+	secret := &corev1.Secret{ObjectMeta: metav1.ObjectMeta{Name: "tls-cert", Namespace: "default"}}
+	validator := buildGatewayValidator(t, gatewayClass, secret)
+
+	gateway := &gatewaynetworkingk8siov1.Gateway{
+		ObjectMeta: metav1.ObjectMeta{Name: "example", Namespace: "default"},
+		Spec: gatewaynetworkingk8siov1.GatewaySpec{
+			GatewayClassName: className,
+			Listeners: []gatewaynetworkingk8siov1.Listener{{
+				Name:     "https",
+				Port:     443,
+				Protocol: gatewaynetworkingk8siov1.HTTPSProtocolType,
+				TLS: &gatewaynetworkingk8siov1.GatewayTLSConfig{
+					CertificateRefs: []gatewaynetworkingk8siov1.SecretObjectReference{{
+						Name: "tls-cert",
+					}},
+				},
+			}},
+		},
+	}
+
+	warnings, err := validator.ValidateCreate(context.Background(), gateway)
+	require.NoError(t, err)
+	assert.Empty(t, warnings)
+}
@@ -0,0 +1,146 @@
+// Licensed to the Apache Software Foundation (ASF) under one or more
+// contributor license agreements.  See the NOTICE file distributed with
+// this work for additional information regarding copyright ownership.
+// The ASF licenses this file to You under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance with
+// the License.  You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package v1
+
+import (
+	"context"
+	"fmt"
+
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/types"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	logf "sigs.k8s.io/controller-runtime/pkg/log"
+	"sigs.k8s.io/controller-runtime/pkg/webhook"
+	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
+	gatewaynetworkingk8siov1 "sigs.k8s.io/gateway-api/apis/v1"
+
+	internaltypes "github.com/apache/apisix-ingress-controller/internal/types"
+	"github.com/apache/apisix-ingress-controller/internal/webhook/v1/reference"
+)
+
+var grpcRouteLog = logf.Log.WithName("grpcroute-resource")
+
+func SetupGRPCRouteWebhookWithManager(mgr ctrl.Manager) error {
+	return ctrl.NewWebhookManagedBy(mgr).
+		For(&gatewaynetworkingk8siov1.GRPCRoute{}).
+		WithValidator(NewGRPCRouteCustomValidator(mgr.GetClient())).
+		Complete()
+}
+
+// +kubebuilder:webhook:path=/validate-gateway-networking-k8s-io-v1-grpcroute,mutating=false,failurePolicy=fail,sideEffects=None,groups=gateway.networking.k8s.io,resources=grpcroutes,verbs=create;update,versions=v1,name=vgrpcroute-v1.kb.io,admissionReviewVersions=v1
+
+type GRPCRouteCustomValidator struct {
+	Client  client.Client
+	checker reference.Checker
+}
+
+var _ webhook.CustomValidator = &GRPCRouteCustomValidator{}
+
+func NewGRPCRouteCustomValidator(c client.Client) *GRPCRouteCustomValidator {
+	return &GRPCRouteCustomValidator{
+		Client:  c,
+		checker: reference.NewChecker(c, grpcRouteLog),
+	}
+}
+
+func (v *GRPCRouteCustomValidator) ValidateCreate(ctx context.Context, obj runtime.Object) (admission.Warnings, error) {
+	route, ok := obj.(*gatewaynetworkingk8siov1.GRPCRoute)
+	if !ok {
+		return nil, fmt.Errorf("expected a GRPCRoute object but got %T", obj)
+	}
+	grpcRouteLog.Info("Validation for GRPCRoute upon creation", "name", route.GetName(), "namespace", route.GetNamespace())
+
+	return v.collectWarnings(ctx, route), nil
+}
+
+func (v *GRPCRouteCustomValidator) ValidateUpdate(ctx context.Context, oldObj, newObj runtime.Object) (admission.Warnings, error) {
+	route, ok := newObj.(*gatewaynetworkingk8siov1.GRPCRoute)
+	if !ok {
+		return nil, fmt.Errorf("expected a GRPCRoute object for the newObj but got %T", newObj)
+	}
+	grpcRouteLog.Info("Validation for GRPCRoute upon update", "name", route.GetName(), "namespace", route.GetNamespace())
+
+	return v.collectWarnings(ctx, route), nil
+}
+
+func (*GRPCRouteCustomValidator) ValidateDelete(context.Context, runtime.Object) (admission.Warnings, error) {
+	return nil, nil
+}
+
+func (v *GRPCRouteCustomValidator) collectWarnings(ctx context.Context, route *gatewaynetworkingk8siov1.GRPCRoute) admission.Warnings {
+	serviceVisited := make(map[types.NamespacedName]struct{})
+	namespace := route.GetNamespace()
+
+	var warnings admission.Warnings
+
+	addServiceWarning := func(nn types.NamespacedName) {
+		if nn.Name == "" || nn.Namespace == "" {
+			return
+		}
+		if _, seen := serviceVisited[nn]; seen {
+			return
+		}
+		serviceVisited[nn] = struct{}{}
+		warnings = append(warnings, v.checker.Service(ctx, reference.ServiceRef{
+			Object:         route,
+			NamespacedName: nn,
+		})...)
+	}
+
+	addBackendRef := func(ns string, name string, group *gatewaynetworkingk8siov1.Group, kind *gatewaynetworkingk8siov1.Kind) {
+		if name == "" {
+			return
+		}
+		if group != nil && string(*group) != corev1.GroupName {
+			return
+		}
+		if kind != nil && *kind != internaltypes.KindService {
+			return
+		}
+		nn := types.NamespacedName{Namespace: ns, Name: name}
+		addServiceWarning(nn)
+	}
+
+	processFilters := func(filters []gatewaynetworkingk8siov1.GRPCRouteFilter) {
+		for _, filter := range filters {
+			if filter.RequestMirror != nil {
+				targetNamespace := namespace
+				if filter.RequestMirror.BackendRef.Namespace != nil && *filter.RequestMirror.BackendRef.Namespace != "" {
+					targetNamespace = string(*filter.RequestMirror.BackendRef.Namespace)
+				}
+				addBackendRef(targetNamespace, string(filter.RequestMirror.BackendRef.Name),
+					filter.RequestMirror.BackendRef.Group, filter.RequestMirror.BackendRef.Kind)
+			}
+		}
+	}
+
+	for _, rule := range route.Spec.Rules {
+		for _, backend := range rule.BackendRefs {
+			targetNamespace := namespace
+			if backend.Namespace != nil && *backend.Namespace != "" {
+				targetNamespace = string(*backend.Namespace)
+			}
+			addBackendRef(targetNamespace, string(backend.Name), backend.Group, backend.Kind)
+			processFilters(backend.Filters)
+		}
+
+		processFilters(rule.Filters)
+	}
+
+	return warnings
+}
Original file line number	Diff line number	Diff line change
`@@ -38,6 +38,12 @@ func setupWebhooks(_ context.Context, mgr manager.Manager) error {`
`38`	`38`	`if err := webhookv1.SetupGatewayProxyWebhookWithManager(mgr); err != nil {`
`39`	`39`	`return err`
`40`	`40`	`}`
	`41`	`+ if err := webhookv1.SetupHTTPRouteWebhookWithManager(mgr); err != nil {`
	`42`	`+ return err`
	`43`	`+ }`
	`44`	`+ if err := webhookv1.SetupGRPCRouteWebhookWithManager(mgr); err != nil {`
	`45`	`+ return err`
	`46`	`+ }`
`41`	`47`	`if err := webhookv1.SetupApisixConsumerWebhookWithManager(mgr); err != nil {`
`42`	`48`	`return err`
`43`	`49`	`}`