Skip to content

feat: support webhook server for ingress #213

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
ronething merged 6 commits into from
Oct 11, 2025
Merged

feat: support webhook server for ingress #213

ronething merged 6 commits into from
Oct 11, 2025

Conversation

@ronething
Copy link
Contributor

@ronething ronething commented Oct 11, 2025
edited
Loading

Since this version has not been officially released, I can only test it locally first.

NAMESPACE="webhook-test"
RELEASE_NAME="test-webhook"
CHART_PATH="."

helm upgrade --install $RELEASE_NAME $CHART_PATH \
  --namespace $NAMESPACE \
  --set webhook.enabled=true \
  --set deployment.image.tag="dev" \
  --wait --timeout=2m
  • gp1.yaml
apiVersion: apisix.apache.org/v1alpha1
kind: GatewayProxy
metadata:
  name: gp1
spec:
  provider:
    type: ControlPlane
    controlPlane:
      endpoints: 
       - http://127.0.0.1:9180
      auth:
        type: AdminKey
        adminKey:
          value: admin
  • gp2.yaml
apiVersion: apisix.apache.org/v1alpha1
kind: GatewayProxy
metadata:
  name: gp2
spec:
  provider:
    type: ControlPlane
    controlPlane:
      endpoints: 
       - http://127.0.0.1:9180
      auth:
        type: AdminKey
        adminKey:
          value: admin
  • test
$ k apply -f gp1.yaml -n webhook-test                                                             
gatewayproxy.apisix.apache.org/gp1 created

$ k apply -f gp2.yaml                
Error from server (Forbidden): error when creating "gp2.yaml": admission webhook "vgatewayproxy-v1alpha1.kb.io" denied the request: gateway proxy configuration conflict: GatewayProxy default/gp2 and webhook-test/gp1 both target control plane endpoints [http://127.0.0.1:9180] while sharing the same inline AdminKey value

Specific generated ingress-related configurations:

helm template test-webhook ./charts/ingress-controller \
  --set webhook.enabled=true \
  --debug
  • ValidatingWebhookConfiguration
# Source: api7-ingress-controller/templates/webhook.yaml
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: test-webhook-api7-ingress-controller-webhook
  labels:
    helm.sh/chart: api7-ingress-controller-0.1.13
    
    app.kubernetes.io/name: api7-ingress-controller
    app.kubernetes.io/instance: test-webhook
    app.kubernetes.io/version: "2.0.7"
    app.kubernetes.io/managed-by: Helm
webhooks:
- name: vapisixtls-v2.kb.io
  admissionReviewVersions: ["v1"]
  clientConfig:
    caBundle: xxx==
    service:
      name: test-webhook-api7-ingress-controller-webhook-service
      namespace: default
      path: /validate-apisix-apache-org-v2-apisixtls
  failurePolicy: Fail
  timeoutSeconds: 10
  sideEffects: None
  rules:
  - operations: ["CREATE", "UPDATE"]
    apiGroups: ["apisix.apache.org"]
    apiVersions: ["v2"]
    resources: ["apisixtlses"]
- name: vconsumer-v1alpha1.kb.io
  admissionReviewVersions: ["v1"]
  clientConfig:
    caBundle: xxx==
    service:
      name: test-webhook-api7-ingress-controller-webhook-service
      namespace: default
      path: /validate-apisix-apache-org-v1alpha1-consumer
  failurePolicy: Fail
  timeoutSeconds: 10
  sideEffects: None
  rules:
  - operations: ["CREATE", "UPDATE"]
    apiGroups: ["apisix.apache.org"]
    apiVersions: ["v1alpha1"]
    resources: ["consumers"]
- name: vgatewayproxy-v1alpha1.kb.io
  admissionReviewVersions: ["v1"]
  clientConfig:
    caBundle: xxx==
    service:
      name: test-webhook-api7-ingress-controller-webhook-service
      namespace: default
      path: /validate-apisix-apache-org-v1alpha1-gatewayproxy
  failurePolicy: Fail
  timeoutSeconds: 10
  sideEffects: None
  rules:
  - operations: ["CREATE", "UPDATE"]
    apiGroups: ["apisix.apache.org"]
    apiVersions: ["v1alpha1"]
    resources: ["gatewayproxies"]

...
  • Deployment
# Source: api7-ingress-controller/templates/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: test-webhook-api7-ingress-controller
  namespace: default
  annotations:
  labels:
    helm.sh/chart: api7-ingress-controller-0.1.13
    
    app.kubernetes.io/name: api7-ingress-controller
    app.kubernetes.io/instance: test-webhook
    app.kubernetes.io/version: "2.0.7"
    app.kubernetes.io/managed-by: Helm
spec:
  replicas: 1
  selector:
    matchLabels:
      
      app.kubernetes.io/name: api7-ingress-controller
      app.kubernetes.io/instance: test-webhook
  template:
    metadata:
      annotations:
        checksum/config: 6cfdb5604105d6abf6a14d38d265b8f19f66c97574e95d81b34ee7cfe34e0a84
      labels:
        
        app.kubernetes.io/name: api7-ingress-controller
        app.kubernetes.io/instance: test-webhook
    spec:
      containers:
      - env:
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        image: "api7/api7-ingress-controller:2.0.7"
        volumeMounts:
        - name: test-webhook-ingress-config
          mountPath: /app/conf/config.yaml
          subPath: config.yaml
        - name: webhook-certs
          mountPath: /certs
          readOnly: true
        ports:
        - name: webhook
          containerPort: 9443
          protocol: TCP
        livenessProbe:
          httpGet:
            path: /healthz
            port: 8081
          initialDelaySeconds: 15
          periodSeconds: 20
        name: manager
        readinessProbe:
          httpGet:
            path: /readyz
            port: 8081
          initialDelaySeconds: 5
          periodSeconds: 10
        resources:
          {}
        securityContext:
          {}
      - name: adc-server
        image: "ghcr.io/api7/adc:0.21.1"
        args:
        - "server"
        - "--listen"
        - "http://127.0.0.1:3000"
        - "--listen-status"
        - "3001"
        env:
        - name: ADC_RUNNING_MODE
          value: "ingress"
        - name: ADC_EXPERIMENTAL_FEATURE_FLAGS
          value: "remote-state-file,parallel-backend-request"
        ports:
        - name: http-status
          containerPort: 3001
          protocol: TCP
        livenessProbe:
          httpGet:
            path: /healthz/ready
            port: 3001
          initialDelaySeconds: 10
          periodSeconds: 10
          timeoutSeconds: 10
        readinessProbe:
          httpGet:
            path: /healthz/ready
            port: 3001
          initialDelaySeconds: 5
          periodSeconds: 5
        resources:
          {}
        securityContext:
          {}
      volumes:
      - name: test-webhook-ingress-config
        configMap:
          name: test-webhook-ingress-config
      - name: webhook-certs
        secret:
          secretName: test-webhook-api7-ingress-controller-webhook-certs
      securityContext:
        runAsNonRoot: false
      serviceAccountName: test-webhook
      terminationGracePeriodSeconds: 10
---

@ronething
feat: support webhook server for ingress
494c6c5 
Signed-off-by: Ashing Zheng <[email protected]>
@ronething
fix: r
56fc84f 
Signed-off-by: Ashing Zheng <[email protected]>
@ronething ronething marked this pull request as ready for review October 11, 2025 09:28
@ronething ronething requested review from AlinsRan and Copilot October 11, 2025 09:29
Copilot AI reviewed Oct 11, 2025
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR adds webhook server support for the ingress controller Helm chart, enabling admission webhook functionality to validate Kubernetes resources. The changes introduce comprehensive webhook configuration options, certificate management, and integration with the deployment.

  • Adds webhook configuration section to values.yaml with options for enabling, port, failure policy, timeout, and certificate management
  • Creates webhook template with ValidatingWebhookConfiguration for multiple resource types (routes, consumers, TLS, gateway proxies, ingresses, etc.)
  • Updates deployment to mount webhook certificates and expose webhook port when enabled
  • Modifies RBAC permissions to support webhook operations

Reviewed Changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 2 comments.

Show a summary per file
File Description
charts/ingress-controller/values.yaml Adds webhook configuration section with enable flag, port, policies, and certificate options
charts/ingress-controller/templates/webhook.yaml Creates new webhook template with ValidatingWebhookConfiguration, Service, and Secret resources
charts/ingress-controller/templates/deployment.yaml Updates deployment to mount webhook certificates and expose webhook port conditionally
charts/ingress-controller/templates/configmap.yaml Adds webhook configuration to the config map when webhook is enabled
charts/ingress-controller/templates/cluster_role.yaml Reorganizes RBAC permissions and adds new resource access patterns
charts/ingress-controller/README.md Documents new webhook configuration parameters
Comments suppressed due to low confidence (1)

charts/ingress-controller/templates/webhook.yaml:1

  • When webhook.certificate.provided is true, the code references a hardcoded secret name, but the values.yaml suggests users should provide their own secretName. The template should use .Values.webhook.certificate.secretName when provided is true.
{{- if .Values.webhook.enabled }}

Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.

@ronething
fix: r
0e6073d 
Signed-off-by: Ashing Zheng <[email protected]>
@ronething
fix: r
827fba0 
Signed-off-by: Ashing Zheng <[email protected]>
@ronething
fix: r
15cca73 
Signed-off-by: Ashing Zheng <[email protected]>
AlinsRan
AlinsRan reviewed Oct 11, 2025
View reviewed changes
charts/ingress-controller/templates/deployment.yaml
- name: webhook-certs
mountPath: /certs
readOnly: true
ports:
Copy link
Contributor

@AlinsRan AlinsRan Oct 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I suggest moving the ports field outside the conditional block.
If ports is wrapped within the webhook.enabled condition, future contributors adding new container ports might overlook the conditional logic, which could lead to missing or inconsistent port configurations.

Copy link
Contributor Author

@ronething ronething Oct 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ok, i will update it later.

@ronething
fix: r
00e544f 
Signed-off-by: Ashing Zheng <[email protected]>
@ronething ronething merged commit 756de76 into main Oct 11, 2025
2 checks passed
@ronething ronething deleted the feat/add_webhook branch October 11, 2025 16:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@AlinsRan AlinsRan AlinsRan approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@ronething @AlinsRan