fix: use validate API in webhook checks

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: AlinsRan

internal/adc/client/executor.go

@@ -262,7 +262,7 @@ func (e *HTTPADCExecutor) runHTTPValidateForSingleServer(ctx context.Context, se
 		req, err = e.buildAPISIXValidateRequest(ctx, serverAddr, config, resources)
 		httpClient = e.newBackendHTTPClient(config)
 	} else {
-		req, err = e.buildHTTPRequest(ctx, serverAddr, config, labels, types, resources, http.MethodPost, "/sync")
+		req, err = e.buildHTTPRequest(ctx, serverAddr, config, labels, types, resources, http.MethodPost, "/validate")
 	}
 	if err != nil {
 		return fmt.Errorf("failed to build validate request: %w", err)
@@ -367,7 +367,7 @@ func buildAPISIXValidatePayload(resources *adctypes.Resources) (*apisixValidateR
 		}
 
 		for _, route := range service.Routes {
-			routeMap, err := toMap(route)
+			routeMap, err := buildAPISIXRouteValidateObject(route)
 			if err != nil {
 				return nil, err
 			}
@@ -387,7 +387,7 @@ func buildAPISIXValidatePayload(resources *adctypes.Resources) (*apisixValidateR
 	}
 
 	for _, consumer := range resources.Consumers {
-		consumerMap, err := toMap(consumer)
+		consumerMap, err := buildAPISIXConsumerValidateObject(consumer)
 		if err != nil {
 			return nil, err
 		}
@@ -405,6 +405,40 @@ func buildAPISIXValidatePayload(resources *adctypes.Resources) (*apisixValidateR
 	return body, nil
 }
 
+func buildAPISIXRouteValidateObject(route *adctypes.Route) (map[string]any, error) {
+	routeMap, err := toMap(route)
+	if err != nil {
+		return nil, err
+	}
+
+	delete(routeMap, "description")
+	return routeMap, nil
+}
+
+func buildAPISIXConsumerValidateObject(consumer *adctypes.Consumer) (map[string]any, error) {
+	consumerMap, err := toMap(consumer)
+	if err != nil {
+		return nil, err
+	}
+
+	if len(consumer.Credentials) == 0 {
+		return consumerMap, nil
+	}
+
+	plugins, ok := consumerMap["plugins"].(map[string]any)
+	if !ok || plugins == nil {
+		plugins = make(map[string]any, len(consumer.Credentials))
+	}
+
+	for _, credential := range consumer.Credentials {
+		plugins[credential.Type] = credential.Config
+	}
+
+	consumerMap["plugins"] = plugins
+	delete(consumerMap, "credentials")
+	return consumerMap, nil
+}
+
 func buildAPISIXSSLValidateObject(ssl *adctypes.SSL) (map[string]any, error) {
 	sslMap, err := toMap(ssl)
 	if err != nil {

internal/adc/client/executor_test.go

@@ -18,8 +18,9 @@ package client
 import (
 	"testing"
 
-	adctypes "github.com/apache/apisix-ingress-controller/api/adc"
 	"github.com/stretchr/testify/require"
+
+	adctypes "github.com/apache/apisix-ingress-controller/api/adc"
 )
 
 func TestBuildAPISIXValidatePayloadConvertsSSLCertificates(t *testing.T) {
@@ -80,3 +81,64 @@ func TestBuildAPISIXValidatePayloadConvertsSingleSSLCertificate(t *testing.T) {
 	_, ok = ssl["keys"]
 	require.False(t, ok)
 }
+
+func TestBuildAPISIXValidatePayloadStripsRouteDescription(t *testing.T) {
+	body, err := buildAPISIXValidatePayload(&adctypes.Resources{
+		Services: []*adctypes.Service{
+			{
+				Metadata: adctypes.Metadata{ID: "svc-1"},
+				Routes: []*adctypes.Route{
+					{
+						Metadata: adctypes.Metadata{
+							ID:   "route-1",
+							Desc: "should not be sent to standalone validate",
+						},
+						Uris: []string{"/test"},
+					},
+				},
+			},
+		},
+	})
+	require.NoError(t, err)
+	require.Len(t, body.Routes, 1)
+
+	route := body.Routes[0]
+	require.Equal(t, "route-1", route["id"])
+	_, ok := route["description"]
+	require.False(t, ok)
+	require.Equal(t, "svc-1", route["service_id"])
+}
+
+func TestBuildAPISIXValidatePayloadConvertsConsumerCredentialsToPlugins(t *testing.T) {
+	body, err := buildAPISIXValidatePayload(&adctypes.Resources{
+		Consumers: []*adctypes.Consumer{
+			{
+				Metadata: adctypes.Metadata{ID: "consumer-1"},
+				Username: "demo",
+				Plugins: adctypes.Plugins{
+					"limit-count": map[string]any{"count": 10},
+				},
+				Credentials: []adctypes.Credential{
+					{
+						Type: "key-auth",
+						Config: adctypes.Plugins{
+							"key": "shared-key",
+						},
+					},
+				},
+			},
+		},
+	})
+	require.NoError(t, err)
+	require.Len(t, body.Consumers, 1)
+
+	consumer := body.Consumers[0]
+	require.Equal(t, "demo", consumer["username"])
+	_, ok := consumer["credentials"]
+	require.False(t, ok)
+
+	plugins, ok := consumer["plugins"].(map[string]any)
+	require.True(t, ok)
+	require.Contains(t, plugins, "key-auth")
+	require.Contains(t, plugins, "limit-count")
+}

internal/webhook/v1/adc_validation_test.go

@@ -34,13 +34,17 @@ import (
 func withMockADCServer(t *testing.T, handler http.HandlerFunc) string {
 	t.Helper()
 
-	server := httptest.NewServer(http.HandlerFunc(handler))
+	server := httptest.NewServer(handler)
 	t.Setenv("ADC_SERVER_URL", server.URL)
 	t.Cleanup(server.Close)
 	return server.URL
 }
 
 func managedIngressClassWithGatewayProxy(endpoint string) []runtime.Object {
+	return managedIngressClassWithGatewayProxyMode(endpoint, "apisix-standalone")
+}
+
+func managedIngressClassWithGatewayProxyMode(endpoint, mode string) []runtime.Object {
 	namespace := "default"
 
 	return []runtime.Object{
@@ -65,7 +69,7 @@ func managedIngressClassWithGatewayProxy(endpoint string) []runtime.Object {
 				Provider: &apisixv1alpha1.GatewayProxyProvider{
 					Type: apisixv1alpha1.ProviderTypeControlPlane,
 					ControlPlane: &apisixv1alpha1.ControlPlaneProvider{
-						Mode:      "apisix-standalone",
+						Mode:      mode,
 						Endpoints: []string{endpoint},
 						Auth: apisixv1alpha1.ControlPlaneAuth{
 							Type: apisixv1alpha1.AuthTypeAdminKey,
@@ -86,3 +90,9 @@ func requireValidateRequest(t *testing.T, r *http.Request) {
 	require.Equal(t, "/apisix/admin/configs/validate", r.URL.Path)
 	require.Equal(t, "token", r.Header.Get("X-API-KEY"))
 }
+
+func requireADCServerValidateRequest(t *testing.T, r *http.Request) {
+	t.Helper()
+	require.Equal(t, http.MethodPost, r.Method)
+	require.Equal(t, "/validate", r.URL.Path)
+}

internal/webhook/v1/apisixconsumer_webhook_test.go

@@ -33,6 +33,8 @@ import (
 	"github.com/apache/apisix-ingress-controller/internal/controller/config"
 )
 
+const managedIngressClassName = "apisix"
+
 func buildApisixConsumerValidator(t *testing.T, objects ...runtime.Object) *ApisixConsumerCustomValidator {
 	t.Helper()
 
@@ -46,15 +48,15 @@ func buildApisixConsumerValidator(t *testing.T, objects ...runtime.Object) *Apis
 	hasManagedIngressClass := false
 	for _, obj := range objects {
 		ingressClass, ok := obj.(*networkingv1.IngressClass)
-		if ok && ingressClass.Name == "apisix" {
+		if ok && ingressClass.Name == managedIngressClassName {
 			hasManagedIngressClass = true
 			break
 		}
 	}
 	if !hasManagedIngressClass {
 		managed = append(managed, &networkingv1.IngressClass{
 			ObjectMeta: metav1.ObjectMeta{
-				Name: "apisix",
+				Name: managedIngressClassName,
 				Annotations: map[string]string{
 					"ingressclass.kubernetes.io/is-default-class": "true",
 				},
@@ -203,3 +205,33 @@ func TestApisixConsumerValidator_DeniesOnADCValidationFailure(t *testing.T) {
 	require.Contains(t, err.Error(), "consumer rejected")
 	require.Empty(t, warnings)
 }
+
+func TestApisixConsumerValidator_UsesADCValidateEndpointForControlPlane(t *testing.T) {
+	serverURL := withMockADCServer(t, func(w http.ResponseWriter, r *http.Request) {
+		requireADCServerValidateRequest(t, r)
+		w.WriteHeader(http.StatusBadRequest)
+		_, _ = w.Write([]byte(`{"errorMessage":"consumer rejected","errors":[{"resource_type":"consumers","resource_name":"demo","message":"duplicate credential"}]}`))
+	})
+
+	consumer := &apisixv2.ApisixConsumer{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "demo",
+			Namespace: "default",
+		},
+		Spec: apisixv2.ApisixConsumerSpec{
+			IngressClassName: managedIngressClassName,
+			AuthParameter: apisixv2.ApisixConsumerAuthParameter{
+				KeyAuth: &apisixv2.ApisixConsumerKeyAuth{
+					Value: &apisixv2.ApisixConsumerKeyAuthValue{Key: "shared-key"},
+				},
+			},
+		},
+	}
+
+	validator := buildApisixConsumerValidator(t, managedIngressClassWithGatewayProxyMode(serverURL, "apisix")...)
+
+	warnings, err := validator.ValidateCreate(context.Background(), consumer)
+	require.Error(t, err)
+	require.Contains(t, err.Error(), "consumer rejected")
+	require.Empty(t, warnings)
+}