feat: support plugins field in ApisixConsumer

Add a generic `plugins` field to ApisixConsumerSpec so that
consumer-scoped plugins (e.g. limit-count, limit-req) can be
attached to an ApisixConsumer resource directly, without being
limited to the auth plugins exposed through authParameter.

Key changes:
- ApisixConsumerSpec gains a Plugins []ApisixRoutePlugin field,
  following the same pattern as ApisixRoute and ApisixGlobalRule.
  Enabled plugins are merged after the auth plugin derived from
  authParameter; an enabled entry with the same name takes precedence.
- authParameter is now optional (omitempty). A CEL x-validation rule
  enforces that at least one auth method within authParameter OR at
  least one enabled plugin in plugins must be specified.
- Translator updated to process the new Plugins slice via the
  existing buildPluginConfig helper.
- Controller and indexer extended to load and index Secrets
  referenced by spec.plugins[].secretRef, consistent with
  ApisixRoute and ApisixGlobalRule behavior.
- deepcopy updated for the new Plugins slice.
- No webhook changes required; validation is handled entirely
  by the CRD-level CEL rule (x-kubernetes-validations).
- E2e tests added for authParameter+plugins and plugins-only consumers.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: AlinsRan

api/v2/apisixconsumer_types.go

@@ -23,13 +23,22 @@ import (
 )
 
 // ApisixConsumerSpec defines the desired state of ApisixConsumer.
+// +kubebuilder:validation:XValidation:rule="has(self.authParameter) || (has(self.plugins) && self.plugins.exists(p, p.enable))",message="at least one of authParameter (with an auth method) or an enabled plugin in plugins must be specified"
 type ApisixConsumerSpec struct {
 	// IngressClassName is the name of an IngressClass cluster resource.
 	// The controller uses this field to decide whether the resource should be managed.
 	IngressClassName string `json:"ingressClassName,omitempty" yaml:"ingressClassName,omitempty"`
 
 	// AuthParameter defines the authentication credentials and configuration for this consumer.
-	AuthParameter ApisixConsumerAuthParameter `json:"authParameter" yaml:"authParameter"`
+	// Either AuthParameter (with at least one auth method) or Plugins (or both) must be specified.
+	// +kubebuilder:validation:Optional
+	AuthParameter *ApisixConsumerAuthParameter `json:"authParameter,omitempty" yaml:"authParameter,omitempty"`
+
+	// Plugins lists additional consumer-scoped plugins to attach to this consumer.
+	// These plugins are applied alongside any authentication plugin derived from AuthParameter.
+	// Enabled plugins with the same name as the auth plugin derived from AuthParameter take precedence.
+	// Either AuthParameter (with at least one auth method) or Plugins (or both) must be specified.
+	Plugins []ApisixRoutePlugin `json:"plugins,omitempty" yaml:"plugins,omitempty"`
 }
 
 // ApisixConsumerStatus defines the observed state of ApisixConsumer.

api/v2/apisixconsumer_validation_test.go

@@ -109,7 +109,7 @@ func TestApisixConsumer_JwtAuth_SymmetricHS256(t *testing.T) {
 	v := loadApisixConsumerSchema(t)
 	ac := &apisixv2.ApisixConsumer{
 		Spec: apisixv2.ApisixConsumerSpec{
-			AuthParameter: apisixv2.ApisixConsumerAuthParameter{
+			AuthParameter: &apisixv2.ApisixConsumerAuthParameter{
 				JwtAuth: &apisixv2.ApisixConsumerJwtAuth{
 					Value: &apisixv2.ApisixConsumerJwtAuthValue{
 						Key:       "my-key",
@@ -130,7 +130,7 @@ func TestApisixConsumer_JwtAuth_AsymmetricWithWhitespaceOnlyPublicKey(t *testing
 	v := loadApisixConsumerSchema(t)
 	ac := &apisixv2.ApisixConsumer{
 		Spec: apisixv2.ApisixConsumerSpec{
-			AuthParameter: apisixv2.ApisixConsumerAuthParameter{
+			AuthParameter: &apisixv2.ApisixConsumerAuthParameter{
 				JwtAuth: &apisixv2.ApisixConsumerJwtAuth{
 					Value: &apisixv2.ApisixConsumerJwtAuthValue{
 						Key:       "my-key",
@@ -150,7 +150,7 @@ func TestApisixConsumer_JwtAuth_SymmetricHS512(t *testing.T) {
 	v := loadApisixConsumerSchema(t)
 	ac := &apisixv2.ApisixConsumer{
 		Spec: apisixv2.ApisixConsumerSpec{
-			AuthParameter: apisixv2.ApisixConsumerAuthParameter{
+			AuthParameter: &apisixv2.ApisixConsumerAuthParameter{
 				JwtAuth: &apisixv2.ApisixConsumerJwtAuth{
 					Value: &apisixv2.ApisixConsumerJwtAuthValue{
 						Key:       "my-key",
@@ -168,7 +168,7 @@ func TestApisixConsumer_JwtAuth_NoAlgorithmDefaultsToSymmetric(t *testing.T) {
 	v := loadApisixConsumerSchema(t)
 	ac := &apisixv2.ApisixConsumer{
 		Spec: apisixv2.ApisixConsumerSpec{
-			AuthParameter: apisixv2.ApisixConsumerAuthParameter{
+			AuthParameter: &apisixv2.ApisixConsumerAuthParameter{
 				JwtAuth: &apisixv2.ApisixConsumerJwtAuth{
 					Value: &apisixv2.ApisixConsumerJwtAuthValue{
 						Key:    "my-key",
@@ -185,7 +185,7 @@ func TestApisixConsumer_JwtAuth_AsymmetricRS256WithPublicKey(t *testing.T) {
 	v := loadApisixConsumerSchema(t)
 	ac := &apisixv2.ApisixConsumer{
 		Spec: apisixv2.ApisixConsumerSpec{
-			AuthParameter: apisixv2.ApisixConsumerAuthParameter{
+			AuthParameter: &apisixv2.ApisixConsumerAuthParameter{
 				JwtAuth: &apisixv2.ApisixConsumerJwtAuth{
 					Value: &apisixv2.ApisixConsumerJwtAuthValue{
 						Key:       "my-key",
@@ -203,7 +203,7 @@ func TestApisixConsumer_JwtAuth_AsymmetricRS256WithPrivateKey(t *testing.T) {
 	v := loadApisixConsumerSchema(t)
 	ac := &apisixv2.ApisixConsumer{
 		Spec: apisixv2.ApisixConsumerSpec{
-			AuthParameter: apisixv2.ApisixConsumerAuthParameter{
+			AuthParameter: &apisixv2.ApisixConsumerAuthParameter{
 				JwtAuth: &apisixv2.ApisixConsumerJwtAuth{
 					Value: &apisixv2.ApisixConsumerJwtAuthValue{
 						Key:        "my-key",
@@ -221,7 +221,7 @@ func TestApisixConsumer_JwtAuth_AsymmetricRS256WithBothKeys(t *testing.T) {
 	v := loadApisixConsumerSchema(t)
 	ac := &apisixv2.ApisixConsumer{
 		Spec: apisixv2.ApisixConsumerSpec{
-			AuthParameter: apisixv2.ApisixConsumerAuthParameter{
+			AuthParameter: &apisixv2.ApisixConsumerAuthParameter{
 				JwtAuth: &apisixv2.ApisixConsumerJwtAuth{
 					Value: &apisixv2.ApisixConsumerJwtAuthValue{
 						Key:        "my-key",
@@ -240,7 +240,7 @@ func TestApisixConsumer_JwtAuth_AsymmetricRS256WithoutAnyKey(t *testing.T) {
 	v := loadApisixConsumerSchema(t)
 	ac := &apisixv2.ApisixConsumer{
 		Spec: apisixv2.ApisixConsumerSpec{
-			AuthParameter: apisixv2.ApisixConsumerAuthParameter{
+			AuthParameter: &apisixv2.ApisixConsumerAuthParameter{
 				JwtAuth: &apisixv2.ApisixConsumerJwtAuth{
 					Value: &apisixv2.ApisixConsumerJwtAuthValue{
 						Key:       "my-key",
@@ -259,7 +259,7 @@ func TestApisixConsumer_JwtAuth_AsymmetricES256WithoutAnyKey(t *testing.T) {
 	v := loadApisixConsumerSchema(t)
 	ac := &apisixv2.ApisixConsumer{
 		Spec: apisixv2.ApisixConsumerSpec{
-			AuthParameter: apisixv2.ApisixConsumerAuthParameter{
+			AuthParameter: &apisixv2.ApisixConsumerAuthParameter{
 				JwtAuth: &apisixv2.ApisixConsumerJwtAuth{
 					Value: &apisixv2.ApisixConsumerJwtAuthValue{
 						Key:       "my-key",
@@ -278,7 +278,7 @@ func TestApisixConsumer_JwtAuth_AsymmetricEdDSAWithoutAnyKey(t *testing.T) {
 	v := loadApisixConsumerSchema(t)
 	ac := &apisixv2.ApisixConsumer{
 		Spec: apisixv2.ApisixConsumerSpec{
-			AuthParameter: apisixv2.ApisixConsumerAuthParameter{
+			AuthParameter: &apisixv2.ApisixConsumerAuthParameter{
 				JwtAuth: &apisixv2.ApisixConsumerJwtAuth{
 					Value: &apisixv2.ApisixConsumerJwtAuthValue{
 						Key:       "my-key",
@@ -297,7 +297,7 @@ func TestApisixConsumer_JwtAuth_AsymmetricWithEmptyPublicKey(t *testing.T) {
 	v := loadApisixConsumerSchema(t)
 	ac := &apisixv2.ApisixConsumer{
 		Spec: apisixv2.ApisixConsumerSpec{
-			AuthParameter: apisixv2.ApisixConsumerAuthParameter{
+			AuthParameter: &apisixv2.ApisixConsumerAuthParameter{
 				JwtAuth: &apisixv2.ApisixConsumerJwtAuth{
 					Value: &apisixv2.ApisixConsumerJwtAuthValue{
 						Key:       "my-key",
@@ -321,7 +321,7 @@ func TestApisixConsumer_JwtAuth_EmptyAlgorithmTreatedAsSymmetric(t *testing.T) {
 	v := loadApisixConsumerSchema(t)
 	ac := &apisixv2.ApisixConsumer{
 		Spec: apisixv2.ApisixConsumerSpec{
-			AuthParameter: apisixv2.ApisixConsumerAuthParameter{
+			AuthParameter: &apisixv2.ApisixConsumerAuthParameter{
 				JwtAuth: &apisixv2.ApisixConsumerJwtAuth{
 					Value: &apisixv2.ApisixConsumerJwtAuthValue{
 						Key:    "my-key",

api/v2/zz_generated.deepcopy.go

@@ -43,8 +43,9 @@ spec:
             description: ApisixConsumerSpec defines the consumer authentication configuration.
             properties:
               authParameter:
-                description: AuthParameter defines the authentication credentials
-                  and configuration for this consumer.
+                description: |-
+                  AuthParameter defines the authentication credentials and configuration for this consumer.
+                  Either AuthParameter (with at least one auth method) or Plugins (or both) must be specified.
                 properties:
                   basicAuth:
                     description: BasicAuth configures the basic authentication details.
@@ -319,9 +320,39 @@ spec:
                   IngressClassName is the name of an IngressClass cluster resource.
                   The controller uses this field to decide whether the resource should be managed.
                 type: string
-            required:
-            - authParameter
+              plugins:
+                description: |-
+                  Plugins lists additional consumer-scoped plugins to attach to this consumer.
+                  These plugins are applied alongside any authentication plugin derived from AuthParameter.
+                  Enabled plugins with the same name as the auth plugin derived from AuthParameter take precedence.
+                  Either AuthParameter (with at least one auth method) or Plugins (or both) must be specified.
+                items:
+                  description: ApisixRoutePlugin represents an APISIX plugin.
+                  properties:
+                    config:
+                      description: Plugin configuration.
+                      x-kubernetes-preserve-unknown-fields: true
+                    enable:
+                      default: true
+                      description: Whether this plugin is in use, default is true.
+                      type: boolean
+                    name:
+                      description: The plugin name.
+                      type: string
+                    secretRef:
+                      description: Plugin configuration secretRef.
+                      type: string
+                  required:
+                  - enable
+                  - name
+                  type: object
+                type: array
             type: object
+            x-kubernetes-validations:
+            - message: at least one of authParameter (with an auth method) or an enabled
+                plugin in plugins must be specified
+              rule: has(self.authParameter) || (has(self.plugins) && self.plugins.exists(p,
+                p.enable))
           status:
             description: ApisixStatus is the status report for Apisix ingress Resources
             properties:

config/crd/bases/apisix.apache.org_apisixconsumers.yaml

@@ -874,7 +874,8 @@ ApisixConsumerSpec defines the desired state of ApisixConsumer.
 | Field | Description |
 | --- | --- |
 | `ingressClassName` _string_ | IngressClassName is the name of an IngressClass cluster resource. The controller uses this field to decide whether the resource should be managed. |
-| `authParameter` _[ApisixConsumerAuthParameter](#apisixconsumerauthparameter)_ | AuthParameter defines the authentication credentials and configuration for this consumer. |
+| `authParameter` _[ApisixConsumerAuthParameter](#apisixconsumerauthparameter)_ | AuthParameter defines the authentication credentials and configuration for this consumer. Either AuthParameter (with at least one auth method) or Plugins (or both) must be specified. |
+| `plugins` _[ApisixRoutePlugin](#apisixrouteplugin) array_ | Plugins lists additional consumer-scoped plugins to attach to this consumer. These plugins are applied alongside any authentication plugin derived from AuthParameter. Enabled plugins with the same name as the auth plugin derived from AuthParameter take precedence. Either AuthParameter (with at least one auth method) or Plugins (or both) must be specified. |
 
 
 _Appears in:_
@@ -1163,6 +1164,7 @@ ApisixRoutePlugin represents an APISIX plugin.
 
 
 _Appears in:_
+- [ApisixConsumerSpec](#apisixconsumerspec)
 - [ApisixGlobalRuleSpec](#apisixglobalrulespec)
 - [ApisixPluginConfigSpec](#apisixpluginconfigspec)
 - [ApisixRouteHTTP](#apisixroutehttp)

docs/en/latest/reference/api-reference.md

@@ -55,42 +55,54 @@ const (
 func (t *Translator) TranslateApisixConsumer(tctx *provider.TranslateContext, ac *v2.ApisixConsumer) (*TranslateResult, error) {
 	result := &TranslateResult{}
 	plugins := make(adctypes.Plugins)
-	if ac.Spec.AuthParameter.KeyAuth != nil {
-		cfg, err := t.translateConsumerKeyAuthPlugin(tctx, ac.Namespace, ac.Spec.AuthParameter.KeyAuth)
-		if err != nil {
-			return nil, fmt.Errorf("invalid key auth config: %s", err)
+	if ap := ac.Spec.AuthParameter; ap != nil {
+		if ap.KeyAuth != nil {
+			cfg, err := t.translateConsumerKeyAuthPlugin(tctx, ac.Namespace, ap.KeyAuth)
+			if err != nil {
+				return nil, fmt.Errorf("invalid key auth config: %s", err)
+			}
+			plugins["key-auth"] = cfg
+		} else if ap.BasicAuth != nil {
+			cfg, err := t.translateConsumerBasicAuthPlugin(tctx, ac.Namespace, ap.BasicAuth)
+			if err != nil {
+				return nil, fmt.Errorf("invalid basic auth config: %s", err)
+			}
+			plugins["basic-auth"] = cfg
+		} else if ap.JwtAuth != nil {
+			cfg, err := t.translateConsumerJwtAuthPlugin(tctx, ac.Namespace, ap.JwtAuth)
+			if err != nil {
+				return nil, fmt.Errorf("invalid jwt auth config: %s", err)
+			}
+			plugins["jwt-auth"] = cfg
+		} else if ap.WolfRBAC != nil {
+			cfg, err := t.translateConsumerWolfRBACPlugin(tctx, ac.Namespace, ap.WolfRBAC)
+			if err != nil {
+				return nil, fmt.Errorf("invalid wolf rbac config: %s", err)
+			}
+			plugins["wolf-rbac"] = cfg
+		} else if ap.HMACAuth != nil {
+			cfg, err := t.translateConsumerHMACAuthPlugin(tctx, ac.Namespace, ap.HMACAuth)
+			if err != nil {
+				return nil, fmt.Errorf("invalid hmac auth config: %s", err)
+			}
+			plugins["hmac-auth"] = cfg
+		} else if ap.LDAPAuth != nil {
+			cfg, err := t.translateConsumerLDAPAuthPlugin(tctx, ac.Namespace, ap.LDAPAuth)
+			if err != nil {
+				return nil, fmt.Errorf("invalid ldap auth config: %s", err)
+			}
+			plugins["ldap-auth"] = cfg
 		}
-		plugins["key-auth"] = cfg
-	} else if ac.Spec.AuthParameter.BasicAuth != nil {
-		cfg, err := t.translateConsumerBasicAuthPlugin(tctx, ac.Namespace, ac.Spec.AuthParameter.BasicAuth)
-		if err != nil {
-			return nil, fmt.Errorf("invalid basic auth config: %s", err)
-		}
-		plugins["basic-auth"] = cfg
-	} else if ac.Spec.AuthParameter.JwtAuth != nil {
-		cfg, err := t.translateConsumerJwtAuthPlugin(tctx, ac.Namespace, ac.Spec.AuthParameter.JwtAuth)
-		if err != nil {
-			return nil, fmt.Errorf("invalid jwt auth config: %s", err)
-		}
-		plugins["jwt-auth"] = cfg
-	} else if ac.Spec.AuthParameter.WolfRBAC != nil {
-		cfg, err := t.translateConsumerWolfRBACPlugin(tctx, ac.Namespace, ac.Spec.AuthParameter.WolfRBAC)
-		if err != nil {
-			return nil, fmt.Errorf("invalid wolf rbac config: %s", err)
-		}
-		plugins["wolf-rbac"] = cfg
-	} else if ac.Spec.AuthParameter.HMACAuth != nil {
-		cfg, err := t.translateConsumerHMACAuthPlugin(tctx, ac.Namespace, ac.Spec.AuthParameter.HMACAuth)
-		if err != nil {
-			return nil, fmt.Errorf("invalid hmac auth config: %s", err)
-		}
-		plugins["hmac-auth"] = cfg
-	} else if ac.Spec.AuthParameter.LDAPAuth != nil {
-		cfg, err := t.translateConsumerLDAPAuthPlugin(tctx, ac.Namespace, ac.Spec.AuthParameter.LDAPAuth)
-		if err != nil {
-			return nil, fmt.Errorf("invalid ldap auth config: %s", err)
+	}
+
+	// Merge generic consumer-scoped plugins. Only enabled entries are merged;
+	// an enabled plugin with the same name as an auth plugin derived from authParameter takes precedence.
+	for _, plugin := range ac.Spec.Plugins {
+		if !plugin.Enable {
+			continue
 		}
-		plugins["ldap-auth"] = cfg
+		config := t.buildPluginConfig(plugin, ac.Namespace, tctx.Secrets)
+		plugins[plugin.Name] = config
 	}
 
 	username := adctypes.ComposeConsumerName(ac.Namespace, ac.Name)