fix: address PR review comments

- fail-open on ADC validator init error in ApisixRoute, ApisixConsumer, Consumer webhooks
- redact TLS payload from logs in buildAPISIXValidateRequest (log bodyLen only)
- set TLS MinVersion to 1.2 in newBackendHTTPClient
- return JSON unmarshal error in extractCredentialKey instead of swallowing it
- default supportsEndpointSlice to false in PrepareApisixRouteForValidation
- rename waitExponentialBackoffWithTimeout to waitConstantIntervalWithTimeout (Factor=1 is constant, not exponential)
- restore WaitPodsAvailable timeout to 2 minutes to match original behavior
- add cache-propagation sleep after recreating TLS Secret in e2e test
- tighten expectAdmissionDenied to assert NotFound error

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: AlinsRan

internal/adc/client/executor.go

@@ -312,7 +312,7 @@ func (e *HTTPADCExecutor) buildAPISIXValidateRequest(ctx context.Context, server
 		"url", validateURL,
 		"server", serverAddr,
 		"cacheKey", config.Name,
-		"body", body,
+		"bodyLen", len(jsonData),
 	)
 
 	req, err := http.NewRequestWithContext(ctx, http.MethodPost, validateURL, bytes.NewBuffer(jsonData))
@@ -327,10 +327,11 @@ func (e *HTTPADCExecutor) buildAPISIXValidateRequest(ctx context.Context, server
 
 func (e *HTTPADCExecutor) newBackendHTTPClient(config adctypes.Config) *http.Client {
 	transport := http.DefaultTransport.(*http.Transport).Clone()
+	if transport.TLSClientConfig == nil {
+		transport.TLSClientConfig = &tls.Config{}
+	}
+	transport.TLSClientConfig.MinVersion = tls.VersionTLS12
 	if !config.TlsVerify {
-		if transport.TLSClientConfig == nil {
-			transport.TLSClientConfig = &tls.Config{}
-		}
 		transport.TLSClientConfig.InsecureSkipVerify = true
 	}
 

internal/controller/webhook_validation.go

@@ -45,7 +45,7 @@ func PrepareApisixRouteForValidation(ctx context.Context, c client.Client, log l
 		Client:                c,
 		Log:                   log,
 		ICGV:                  networkingv1.SchemeGroupVersion,
-		supportsEndpointSlice: true,
+		supportsEndpointSlice: false,
 	}
 	if err := reconciler.processApisixRoute(tctx, route); err != nil {
 		return nil, err

internal/webhook/v1/apisixconsumer_webhook.go

@@ -76,7 +76,8 @@ func (v *ApisixConsumerCustomValidator) ValidateCreate(ctx context.Context, obj
 
 	warnings := v.collectWarnings(ctx, consumer)
 	if v.initErr != nil {
-		return warnings, v.initErr
+		apisixConsumerLog.Error(v.initErr, "ADC validator init failed, skipping ADC validation")
+		return warnings, nil
 	}
 	return warnings, v.adcValidator.Validate(ctx, consumer)
 }
@@ -93,7 +94,8 @@ func (v *ApisixConsumerCustomValidator) ValidateUpdate(ctx context.Context, oldO
 
 	warnings := v.collectWarnings(ctx, consumer)
 	if v.initErr != nil {
-		return warnings, v.initErr
+		apisixConsumerLog.Error(v.initErr, "ADC validator init failed, skipping ADC validation")
+		return warnings, nil
 	}
 	return warnings, v.adcValidator.Validate(ctx, consumer)
 }

internal/webhook/v1/apisixroute_webhook.go

@@ -74,7 +74,8 @@ func (v *ApisixRouteCustomValidator) ValidateCreate(ctx context.Context, obj run
 
 	warnings := v.collectWarnings(ctx, route)
 	if v.initErr != nil {
-		return warnings, v.initErr
+		apisixRouteLog.Error(v.initErr, "ADC validator init failed, skipping ADC validation")
+		return warnings, nil
 	}
 	return warnings, v.adcValidator.Validate(ctx, route)
 }
@@ -91,7 +92,8 @@ func (v *ApisixRouteCustomValidator) ValidateUpdate(ctx context.Context, oldObj,
 
 	warnings := v.collectWarnings(ctx, route)
 	if v.initErr != nil {
-		return warnings, v.initErr
+		apisixRouteLog.Error(v.initErr, "ADC validator init failed, skipping ADC validation")
+		return warnings, nil
 	}
 	return warnings, v.adcValidator.Validate(ctx, route)
 }

internal/webhook/v1/consumer_webhook.go

@@ -77,7 +77,8 @@ func (v *ConsumerCustomValidator) ValidateCreate(ctx context.Context, obj runtim
 
 	warnings := v.collectWarnings(ctx, consumer)
 	if v.initErr != nil {
-		return warnings, v.initErr
+		consumerLog.Error(v.initErr, "ADC validator init failed, skipping ADC validation")
+		return warnings, nil
 	}
 	if err := v.validateDuplicateKeyAuthCredentials(ctx, consumer); err != nil {
 		return warnings, err
@@ -97,7 +98,8 @@ func (v *ConsumerCustomValidator) ValidateUpdate(ctx context.Context, oldObj, ne
 
 	warnings := v.collectWarnings(ctx, consumer)
 	if v.initErr != nil {
-		return warnings, v.initErr
+		consumerLog.Error(v.initErr, "ADC validator init failed, skipping ADC validation")
+		return warnings, nil
 	}
 	if err := v.validateDuplicateKeyAuthCredentials(ctx, consumer); err != nil {
 		return warnings, err
@@ -224,7 +226,7 @@ func (v *ConsumerCustomValidator) extractCredentialKey(ctx context.Context, cons
 		Key string `json:"key"`
 	}
 	if err := json.Unmarshal(credential.Config.Raw, &cfg); err != nil {
-		return "", nil
+		return "", err
 	}
 	return cfg.Key, nil
 }

test/e2e/framework/k8s.go

@@ -261,7 +261,7 @@ func (f *Framework) applySSLSecret(namespace, name string, cert, pkey, caCert []
 }
 
 func WaitPodsAvailable(t testing.TestingT, kubeOps *k8s.KubectlOptions, opts metav1.ListOptions) error {
-	return WaitPodsAvailableWithTimeout(t, kubeOps, opts, time.Minute)
+	return WaitPodsAvailableWithTimeout(t, kubeOps, opts, 2*time.Minute)
 }
 
 func WaitPodsAvailableWithTimeout(t testing.TestingT, kubeOps *k8s.KubectlOptions, opts metav1.ListOptions, timeout time.Duration) error {
@@ -295,7 +295,7 @@ func WaitPodsAvailableWithTimeout(t testing.TestingT, kubeOps *k8s.KubectlOption
 		}
 		return true, nil
 	}
-	err := waitExponentialBackoffWithTimeout(condFunc, timeout)
+	err := waitConstantIntervalWithTimeout(condFunc, timeout)
 	if err != nil && lastErr != nil {
 		return lastErr
 	}
@@ -329,7 +329,7 @@ func describePodStatus(pod corev1.Pod) string {
 	)
 }
 
-func waitExponentialBackoffWithTimeout(condFunc func() (bool, error), timeout time.Duration) error {
+func waitConstantIntervalWithTimeout(condFunc func() (bool, error), timeout time.Duration) error {
 	steps := int(timeout / (2 * time.Second))
 	if steps < 1 {
 		steps = 1

test/e2e/webhook/apisixtls.go

@@ -142,6 +142,9 @@ spec:
 		err = s.NewKubeTlsSecret(serverSecret, serverCert.String(), serverKey.String())
 		Expect(err).NotTo(HaveOccurred(), "creating valid server TLS secret")
 
+		// Wait for the webhook cache to reflect the recreated Secret before submitting ApisixTls.
+		time.Sleep(2 * time.Second)
+
 		By("creating corrected ApisixTls")
 		err = s.CreateResourceFromString(tlsYAML)
 		Expect(err).NotTo(HaveOccurred(), "creating corrected ApisixTls")

test/e2e/webhook/helpers.go

@@ -245,4 +245,5 @@ func expectAdmissionDenied(s *scaffold.Scaffold, resourceType, resourceName stri
 
 	_, getErr := s.GetOutputFromString(resourceType, resourceName, "-o", "yaml")
 	Expect(getErr).To(HaveOccurred(), fmt.Sprintf("resource %s/%s should not exist after admission rejection", resourceType, resourceName))
+	Expect(getErr.Error()).To(ContainSubstring("not found"), fmt.Sprintf("expected NotFound error for %s/%s", resourceType, resourceName))
 }