fix: relax jwtAuth private_key requirement and add CEL validation

Previously, private_key was marked as required in the CRD schema, which
rejected symmetric JWT configurations (e.g. HS256 + secret) before they
reached the translator.

Changes:
- Add omitempty to PrivateKey JSON tag so the CRD schema no longer
  requires it unconditionally
- Add CEL validation rule: asymmetric algorithms (RS*/ES*/PS*/EdDSA)
  require at least one of public_key or private_key; symmetric algorithms
  (HS256/HS384/HS512 or unset) have no key requirement
- Regenerate CRD manifest

Fixes #400

Author: AlinsRan

api/v2/apisixconsumer_types.go

@@ -130,6 +130,11 @@ type ApisixConsumerJwtAuth struct {
 }
 
 // ApisixConsumerJwtAuthValue defines configuration for JWT authentication.
+// Exactly one of the following must be provided depending on the algorithm:
+//   - For symmetric algorithms (HS256, HS384, HS512): use secret. private_key and public_key are not required.
+//   - For asymmetric algorithms (RS*, ES*, PS*, EdDSA): at least one of public_key or private_key must be provided.
+//
+// +kubebuilder:validation:XValidation:rule="!has(self.algorithm) || self.algorithm in ['HS256','HS384','HS512'] || (has(self.public_key) && self.public_key != ”) || (has(self.private_key) && self.private_key != ”)",message="asymmetric JWT algorithms (RS*/ES*/PS*/EdDSA) require at least one of public_key or private_key"
 type ApisixConsumerJwtAuthValue struct {
 	// Key is the unique identifier for the JWT credential.
 	Key string `json:"key" yaml:"key"`
@@ -138,7 +143,7 @@ type ApisixConsumerJwtAuthValue struct {
 	// PublicKey is the public key used to verify JWT signatures (for asymmetric algorithms).
 	PublicKey string `json:"public_key,omitempty" yaml:"public_key,omitempty"`
 	// PrivateKey is the private key used to sign the JWT (for asymmetric algorithms).
-	PrivateKey string `json:"private_key" yaml:"private_key,omitempty"`
+	PrivateKey string `json:"private_key,omitempty" yaml:"private_key,omitempty"`
 	// Algorithm specifies the signing algorithm.
 	// Can be `HS256`, `HS384`, `HS512`, `RS256`, `RS384`, `RS512`, `ES256`, `ES384`, `ES512`, `PS256`, `PS384`, `PS512`, or `EdDSA`.
 	// Currently APISIX only supports `HS256`, `HS512`, `RS256`, and `ES256`. API7 Enterprise supports all algorithms.

config/crd/bases/apisix.apache.org_apisixconsumers.yaml

@@ -210,8 +210,13 @@ spec:
                             type: string
                         required:
                         - key
-                        - private_key
                         type: object
+                        x-kubernetes-validations:
+                        - message: asymmetric JWT algorithms (RS*/ES*/PS*/EdDSA) require
+                            at least one of public_key or private_key
+                          rule: '!has(self.algorithm) || self.algorithm in [''HS256'',''HS384'',''HS512'']
+                            || (has(self.public_key) && self.public_key != ”) || (has(self.private_key)
+                            && self.private_key != ”)'
                     type: object
                   keyAuth:
                     description: KeyAuth configures the key authentication details.