feat: Implement the admission server and a validation webhook for plugins #573
Codecov Report
@@ Coverage Diff @@
## master #573 +/- ##
==========================================
+ Coverage 34.31% 34.72% +0.40%
==========================================
Files 57 60 +3
Lines 5746 5892 +146
==========================================
+ Hits 1972 2046 +74
- Misses 3527 3596 +69
- Partials 247 250 +3
Continue to review full report at Codecov.
BTW, need to add an e2e test case to cover the logic of validating with the schema from APISIX.
Ok, where should I put the code,
httpServer.GET("/debug/pprof/*profile", gin.WrapF(srv.pprofMu.ServeHTTP)) | ||
} | ||
|
||
cert, err := tls.LoadX509KeyPair(cfg.CertFilePath, cfg.KeyFilePath) |
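Review bot: `tls.LoadX509KeyPair(cfg.CertFilePath, cfg.KeyFilePath)` reads the key pair from disk at this one point, so if the call runs only once during server setup (its position right after the route registration suggests that), a certificate renewed on disk is not picked up until the process restarts. Consider serving the certificate through `tls.Config.GetCertificate` with a reload when the files change, and make sure `err` is checked before `cert` is used, since that check is not visible in these lines.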
Should it be optional? Only enable TLS if the certificate and private key are specified simultaneously.
Because cfg.CertFilePath and cfg.KeyFilePath have default values.
Then you should prepare the default certificate and private key, or it's difficult to start the server in the local environment.
pkg/api/validation/utils.go
|
||
// GetSchemaClient returns a Schema client in the singleton way. | ||
// It can query the schema of objects from APISIX. | ||
func GetSchemaClient() (apisix.Schema, error) { |
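Review bot: the doc comment on `GetSchemaClient` says the client is a singleton but not whether the first call is safe when several admission requests arrive concurrently, nor whether a failed initialization is cached or retried on the next call. Since the function returns an error, state both in the comment, and guard the initialization (for example with `sync.Once` or a mutex) if it is not guarded already.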
Why fetch the schema in the singleton way? The schema is synchronized periodically.
I didn't get your point, it seems that the singleton will not interfere with the synchronization process.
Just ignore my comment as long as the schema cache is refreshed periodically.
@fgksgf After this PR is approved, we need to change the Helm chart so that people can use it.
httpServer.GET("/debug/pprof/*profile", gin.WrapF(srv.pprofMu.ServeHTTP)) | ||
} | ||
|
||
cert, err := tls.LoadX509KeyPair(cfg.CertFilePath, cfg.KeyFilePath) |
Then you should prepare the default certificate and private key, or it's difficult to start the server in the local environment.
If we provide default TLS certificates, they are not signed by a CA, and the webhook still can't work. We can accomplish this after we have cert-manager. I can help integrate cert-manager after webhooks are implemented.
We may use
Good idea. But how about filing a new PR to do this, because the current PR is a bit huge?
Sure.
Please answer these questions before submitting a pull request
Why submit this pull request?
Bugfix
New feature provided
Improve performance
Backport patches
Related issues
Implement the admission server #244
New feature or improvement
Implement an admission server via kubewebhook to validate configurations like plugins.
TODO