5 changes: 5 additions & 0 deletions charts/ingress-controller/README.md
Expand Up @@ -59,4 +59,9 @@ Ingress Controller for API7
| podDisruptionBudget.enabled | bool | `false` | Enable or disable podDisruptionBudget |
| podDisruptionBudget.maxUnavailable | int | `1` | Set the maxUnavailable of podDisruptionBudget |
| podDisruptionBudget.minAvailable | string | `"90%"` | Set the `minAvailable` of podDisruptionBudget. You can specify only one of `maxUnavailable` and `minAvailable` in a single PodDisruptionBudget. See [Specifying a Disruption Budget for your Application](https://kubernetes.io/docs/tasks/run-application/configure-pdb/#specifying-a-poddisruptionbudget) for more details |
| webhook.certificate.provided | bool | `false` | Set to true if you want to provide your own certificate |
| webhook.enabled | bool | `false` | Enable or disable admission webhook |
| webhook.failurePolicy | string | `"Fail"` | Failure policy for the webhook (Fail or Ignore) |
| webhook.port | int | `9443` | The port for the webhook server to listen on |
| webhook.timeoutSeconds | int | `10` | Timeout in seconds for the webhook |

27 changes: 10 additions & 17 deletions charts/ingress-controller/templates/cluster_role.yaml
Expand Up @@ -17,7 +17,6 @@ rules:
- pods
- secrets
- services
- endpoints
verbs:
- get
- list
Expand Down Expand Up @@ -79,7 +78,6 @@ rules:
- gateway.networking.k8s.io
resources:
- gatewayclasses
- gateways
verbs:
- get
- list
Expand All @@ -90,6 +88,7 @@ rules:
resources:
- gatewayclasses/status
- gateways/status
- grpcroutes/status
- httproutes/status
- referencegrants/status
verbs:
Expand All @@ -98,44 +97,38 @@ rules:
- apiGroups:
- gateway.networking.k8s.io
resources:
- gateways
- grpcroutes
- httproutes
verbs:
- get
- list
- watch
- apiGroups:
- gateway.networking.k8s.io
resources:
- referencegrants
verbs:
- get
- list
- update
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingressclasses
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingresses
- ingresses/status
verbs:
- get
- list
- update
- watch
- apiGroups:
- networking.k8s.io
- ""
resources:
- ingresses/status
- endpoints
verbs:
- get
- update

- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
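Review bot: The rule at L89–L98 grants `update` on `ingresses` as well as `ingresses/status`; the rendering drops the +/- markers, so I am reading the separate `ingresses/status` rule with only `get`/`update` at L99–L107 as the removed side, in which case folding the subresource into the same rule widens the controller from writing Ingress status to rewriting Ingress specs. Keep the subresource on its own rule, `- ingresses/status` with `verbs: [get, update]`, and leave `ingresses` at `get`/`list`/`watch`. The same question applies to `referencegrants` at L74–L79, which is also given `update` although ReferenceGrant carries no status subresource; confirm the controller actually writes to it before keeping that verb. The `- ""` group rule for `endpoints` at L101/L104 appears to replace the core-group entry removed at L40, so read access to endpoints is preserved rather than dropped.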
8 changes: 8 additions & 0 deletions charts/ingress-controller/templates/configmap.yaml
Expand Up @@ -22,3 +22,11 @@ data:
type: {{ .Values.config.provider.type | default "api7ee" }}
sync_period: {{ .Values.config.provider.syncPeriod | default "0s" }}
init_sync_delay: {{ .Values.config.provider.initSyncDelay | default "20m" }}
{{- if .Values.webhook.enabled }}
webhook:
enable: true
port: {{ .Values.webhook.port }}
tls_cert_file: "tls.crt"
tls_key_file: "tls.key"
tls_cert_dir: "/certs"
{{- end }}
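Review bot: `tls_cert_dir: "/certs"` together with `tls_cert_file`/`tls_key_file` at L125–L127 silently couples this ConfigMap to the `mountPath: /certs` volume in deployment.yaml and to the `tls.crt`/`tls.key` keys of a `kubernetes.io/tls` Secret, and nothing in the template records that. A Helm-side comment above the block, e.g. `{{- /* tls_cert_dir must match the webhook-certs mountPath in deployment.yaml; the file names are the kubernetes.io/tls Secret keys */ -}}`, keeps the three files from drifting without leaking a `#` line into the rendered config.yaml. Whether an absent `webhook:` block leaves the controller's webhook disabled is presumably the controller's default, but it is worth confirming against its config schema since the block is only rendered inside the `webhook.enabled` guard.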
16 changes: 16 additions & 0 deletions charts/ingress-controller/templates/deployment.yaml
Expand Up @@ -41,6 +41,17 @@ spec:
- name: {{ .Release.Name }}-ingress-config
mountPath: /app/conf/config.yaml
subPath: config.yaml
{{- if .Values.webhook.enabled }}
- name: webhook-certs
mountPath: /certs
readOnly: true
{{- end }}
{{- if .Values.webhook.enabled }}
ports:
I suggest moving the ports field outside the conditional block.
If ports is wrapped within the webhook.enabled condition, future contributors adding new container ports might overlook the conditional logic, which could lead to missing or inconsistent port configurations.

ok, i will update it later.

- name: webhook
containerPort: {{ .Values.webhook.port }}
protocol: TCP
{{- end }}
livenessProbe:
httpGet:
path: /healthz
Expand Down Expand Up @@ -112,6 +123,11 @@ spec:
- name: {{ .Release.Name }}-ingress-config
configMap:
name: {{ .Release.Name }}-ingress-config
{{- if .Values.webhook.enabled }}
- name: webhook-certs
secret:
secretName: {{ include "api7-ingress-controller-manager.name.fullname" . }}-webhook-certs
{{- end }}
securityContext:
runAsNonRoot: false
serviceAccountName: {{ .Release.Name }}
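Review bot: The volume at L173–L175 always mounts the Secret `<fullname>-webhook-certs`, including when `webhook.certificate.provided` is true, in which case webhook.yaml does not create that Secret and values.yaml's `certificate.secretName` (commented out there but described as required) is never read. A user following the values comment gets a pod stuck on a missing volume. Either wire the value through, `secretName: {{ .Values.webhook.certificate.secretName | default (printf "%s-webhook-certs" (include "api7-ingress-controller-manager.name.fullname" .)) }}`, or drop `secretName` from values.yaml and document the fixed Secret name and the `tls.crt`/`tls.key` keys the ConfigMap's `tls_cert_file`/`tls_key_file` expect. The `readOnly: true` on the certificate mount in the earlier hunk is the right call. The enclosing `volumes` list starts outside this hunk.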
238 changes: 238 additions & 0 deletions charts/ingress-controller/templates/webhook.yaml
@@ -0,0 +1,238 @@
{{- if .Values.webhook.enabled }}
{{- $certCert := "" -}}
{{- $certKey := "" -}}
{{- $caCert := "" -}}
{{- if not .Values.webhook.certificate.provided }}
{{- $cn := printf "%s-webhook-service.%s.svc" (include "api7-ingress-controller-manager.name.fullname" .) .Release.Namespace -}}
{{- $ca := genCA "api7-ingress-webhook-ca" 3650 -}}
{{- $cert := genSignedCert $cn nil (list $cn) 3650 $ca -}}
{{- $certCert = $cert.Cert -}}
{{- $certKey = $cert.Key -}}
{{- $caCert = $ca.Cert -}}

{{- $certSecret := (lookup "v1" "Secret" .Release.Namespace (printf "%s-webhook-certs" (include "api7-ingress-controller-manager.name.fullname" .))) -}}
{{- if $certSecret }}
{{- $certCert = (b64dec (get $certSecret.data "tls.crt")) -}}
{{- $certKey = (b64dec (get $certSecret.data "tls.key")) -}}
{{- $caCert = (b64dec (get $certSecret.data "ca.crt")) -}}
{{- end }}
{{- end }}

---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
name: {{ include "api7-ingress-controller-manager.name.fullname" . }}-webhook
labels:
{{- include "api7-ingress-controller-manager.labels" . | nindent 4 }}
webhooks:
- name: vapisixroute-v2.kb.io
admissionReviewVersions: ["v1"]
clientConfig:
{{- if not .Values.webhook.certificate.provided }}
caBundle: {{ b64enc $caCert }}
{{- else }}
caBundle: {{ .Values.webhook.certificate.caBundle }}
{{- end }}
service:
name: {{ include "api7-ingress-controller-manager.name.fullname" . }}-webhook-service
namespace: {{ .Release.Namespace }}
path: /validate-apisix-apache-org-v2-apisixroute
failurePolicy: {{ .Values.webhook.failurePolicy }}
{{- with .Values.webhook.timeoutSeconds }}
timeoutSeconds: {{ . }}
{{- end }}
sideEffects: None
rules:
- operations: ["CREATE", "UPDATE"]
apiGroups: ["apisix.apache.org"]
apiVersions: ["v2"]
resources: ["apisixroutes"]
- name: vapisixconsumer-v2.kb.io
admissionReviewVersions: ["v1"]
clientConfig:
{{- if not .Values.webhook.certificate.provided }}
caBundle: {{ b64enc $caCert }}
{{- else }}
caBundle: {{ .Values.webhook.certificate.caBundle }}
{{- end }}
service:
name: {{ include "api7-ingress-controller-manager.name.fullname" . }}-webhook-service
namespace: {{ .Release.Namespace }}
path: /validate-apisix-apache-org-v2-apisixconsumer
failurePolicy: {{ .Values.webhook.failurePolicy }}
{{- with .Values.webhook.timeoutSeconds }}
timeoutSeconds: {{ . }}
{{- end }}
sideEffects: None
rules:
- operations: ["CREATE", "UPDATE"]
apiGroups: ["apisix.apache.org"]
apiVersions: ["v2"]
resources: ["apisixconsumers"]
- name: vapisixtls-v2.kb.io
admissionReviewVersions: ["v1"]
clientConfig:
{{- if not .Values.webhook.certificate.provided }}
caBundle: {{ b64enc $caCert }}
{{- else }}
caBundle: {{ .Values.webhook.certificate.caBundle }}
{{- end }}
service:
name: {{ include "api7-ingress-controller-manager.name.fullname" . }}-webhook-service
namespace: {{ .Release.Namespace }}
path: /validate-apisix-apache-org-v2-apisixtls
failurePolicy: {{ .Values.webhook.failurePolicy }}
{{- with .Values.webhook.timeoutSeconds }}
timeoutSeconds: {{ . }}
{{- end }}
sideEffects: None
rules:
- operations: ["CREATE", "UPDATE"]
apiGroups: ["apisix.apache.org"]
apiVersions: ["v2"]
resources: ["apisixtlses"]
- name: vconsumer-v1alpha1.kb.io
admissionReviewVersions: ["v1"]
clientConfig:
{{- if not .Values.webhook.certificate.provided }}
caBundle: {{ b64enc $caCert }}
{{- else }}
caBundle: {{ .Values.webhook.certificate.caBundle }}
{{- end }}
service:
name: {{ include "api7-ingress-controller-manager.name.fullname" . }}-webhook-service
namespace: {{ .Release.Namespace }}
path: /validate-apisix-apache-org-v1alpha1-consumer
failurePolicy: {{ .Values.webhook.failurePolicy }}
{{- with .Values.webhook.timeoutSeconds }}
timeoutSeconds: {{ . }}
{{- end }}
sideEffects: None
rules:
- operations: ["CREATE", "UPDATE"]
apiGroups: ["apisix.apache.org"]
apiVersions: ["v1alpha1"]
resources: ["consumers"]
- name: vgatewayproxy-v1alpha1.kb.io
admissionReviewVersions: ["v1"]
clientConfig:
{{- if not .Values.webhook.certificate.provided }}
caBundle: {{ b64enc $caCert }}
{{- else }}
caBundle: {{ .Values.webhook.certificate.caBundle }}
{{- end }}
service:
name: {{ include "api7-ingress-controller-manager.name.fullname" . }}-webhook-service
namespace: {{ .Release.Namespace }}
path: /validate-apisix-apache-org-v1alpha1-gatewayproxy
failurePolicy: {{ .Values.webhook.failurePolicy }}
{{- with .Values.webhook.timeoutSeconds }}
timeoutSeconds: {{ . }}
{{- end }}
sideEffects: None
rules:
- operations: ["CREATE", "UPDATE"]
apiGroups: ["apisix.apache.org"]
apiVersions: ["v1alpha1"]
resources: ["gatewayproxies"]
- name: vingress-v1.kb.io
admissionReviewVersions: ["v1"]
clientConfig:
{{- if not .Values.webhook.certificate.provided }}
caBundle: {{ b64enc $caCert }}
{{- else }}
caBundle: {{ .Values.webhook.certificate.caBundle }}
{{- end }}
service:
name: {{ include "api7-ingress-controller-manager.name.fullname" . }}-webhook-service
namespace: {{ .Release.Namespace }}
path: /validate-networking-k8s-io-v1-ingress
failurePolicy: {{ .Values.webhook.failurePolicy }}
{{- with .Values.webhook.timeoutSeconds }}
timeoutSeconds: {{ . }}
{{- end }}
sideEffects: None
rules:
- operations: ["CREATE", "UPDATE"]
apiGroups: ["networking.k8s.io"]
apiVersions: ["v1"]
resources: ["ingresses"]
- name: vingressclass-v1.kb.io
admissionReviewVersions: ["v1"]
clientConfig:
{{- if not .Values.webhook.certificate.provided }}
caBundle: {{ b64enc $caCert }}
{{- else }}
caBundle: {{ .Values.webhook.certificate.caBundle }}
{{- end }}
service:
name: {{ include "api7-ingress-controller-manager.name.fullname" . }}-webhook-service
namespace: {{ .Release.Namespace }}
path: /validate-networking-k8s-io-v1-ingressclass
failurePolicy: {{ .Values.webhook.failurePolicy }}
{{- with .Values.webhook.timeoutSeconds }}
timeoutSeconds: {{ . }}
{{- end }}
sideEffects: None
rules:
- operations: ["CREATE", "UPDATE"]
apiGroups: ["networking.k8s.io"]
apiVersions: ["v1"]
resources: ["ingressclasses"]
- name: vgateway-v1.kb.io
admissionReviewVersions: ["v1"]
clientConfig:
{{- if not .Values.webhook.certificate.provided }}
caBundle: {{ b64enc $caCert }}
{{- else }}
caBundle: {{ .Values.webhook.certificate.caBundle }}
{{- end }}
service:
name: {{ include "api7-ingress-controller-manager.name.fullname" . }}-webhook-service
namespace: {{ .Release.Namespace }}
path: /validate-gateway-networking-k8s-io-v1-gateway
failurePolicy: {{ .Values.webhook.failurePolicy }}
{{- with .Values.webhook.timeoutSeconds }}
timeoutSeconds: {{ . }}
{{- end }}
sideEffects: None
rules:
- operations: ["CREATE", "UPDATE"]
apiGroups: ["gateway.networking.k8s.io"]
apiVersions: ["v1"]
resources: ["gateways"]

---
apiVersion: v1
kind: Service
metadata:
name: {{ include "api7-ingress-controller-manager.name.fullname" . }}-webhook-service
namespace: {{ .Release.Namespace }}
labels:
{{- include "api7-ingress-controller-manager.labels" . | nindent 4 }}
spec:
ports:
- name: webhook
port: 443
protocol: TCP
targetPort: webhook
selector:
{{- include "api7-ingress-controller-manager.selectorLabels" . | nindent 4 }}

{{- if not .Values.webhook.certificate.provided }}
---
apiVersion: v1
kind: Secret
metadata:
name: {{ include "api7-ingress-controller-manager.name.fullname" . }}-webhook-certs
namespace: {{ .Release.Namespace }}
labels:
{{- include "api7-ingress-controller-manager.labels" . | nindent 4 }}
type: kubernetes.io/tls
data:
tls.crt: {{ b64enc $certCert }}
tls.key: {{ b64enc $certKey }}
ca.crt: {{ b64enc $caCert }}
{{- end }}
{{- end }}
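Review bot: When `webhook.certificate.provided` is true the `{{- else }}` branches (L218 and the same stanza repeated in the other seven webhooks) render `caBundle: {{ .Values.webhook.certificate.caBundle }}`, but values.yaml only carries `caBundle` as a commented-out key, so a user who flips `provided` without adding it gets an empty `caBundle:`, the API server cannot verify the webhook's serving certificate, and with `failurePolicy: Fail` every CREATE/UPDATE of the eight listed resource types is rejected cluster-wide. Fail at render time instead: `caBundle: {{ required "webhook.certificate.caBundle is required when webhook.certificate.provided is true" .Values.webhook.certificate.caBundle }}`. Separately, `lookup` at L196 returns nothing under `helm template` or `--dry-run`, so those renders regenerate a fresh CA and cert each run; a short comment above that line noting that certificate reuse only works on a live install/upgrade would save the next maintainer a debugging session. The eight webhook entries differ only in name, path, group, version and resource, so a `range` over a list of those values would keep the shared clientConfig/failurePolicy/timeout stanza from drifting.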
18 changes: 18 additions & 0 deletions charts/ingress-controller/values.yaml
Expand Up @@ -61,3 +61,21 @@ config:
type: "api7ee"
syncPeriod: "0s"
initSyncDelay: "20m"

# Admission webhook configuration
webhook:
# -- Enable or disable admission webhook
enabled: false
# -- The port for the webhook server to listen on
port: 9443
# -- Failure policy for the webhook (Fail or Ignore)
failurePolicy: Fail
# -- Timeout in seconds for the webhook
timeoutSeconds: 10
certificate:
# -- Set to true if you want to provide your own certificate
provided: false
# -- Secret name containing the certificate (required if provided is true)
# secretName: "my-webhook-cert"
# -- CA bundle in base64 format (required if provided is true)
# caBundle: ""