fix: use trim() in CEL rule to reject whitespace-only name for non-Path scopes

Addresses reviewer feedback: the previous rule 'size(self.name) > 0' would
accept names like '   ' which would produce an invalid APISIX variable
'post_arg.   '. Using trim() ensures blank-only names are rejected.

The has(self.name) guard is not needed because non-nullable string fields
resolve to "" (zero value) in Kubernetes CEL when omitted, as confirmed
by existing tests.

Author: AlinsRan

api/v2/apisixroute_types.go

@@ -411,7 +411,7 @@ type ApisixRouteAuthenticationLDAPAuth struct {
 }
 
 // ApisixRouteHTTPMatchExprSubject describes the subject of a route matching expression.
-// +kubebuilder:validation:XValidation:rule="self.scope == 'Path' || size(self.name) > 0",message="name is required when scope is not Path"
+// +kubebuilder:validation:XValidation:rule="self.scope == 'Path' || size(self.name.trim()) > 0",message="name is required and must not be blank when scope is not Path"
 type ApisixRouteHTTPMatchExprSubject struct {
 	// Scope specifies the subject scope.
 	// Supported values: `Header`, `Query`, `Path`, `Cookie`, `Variable`, `Body`.

api/v2/apisixroute_types_test.go

@@ -90,7 +90,16 @@ func TestApisixRoute_BodyScope_EmptyName(t *testing.T) {
 	v := loadApisixRouteSchema(t)
 	err := v.Validate(t, newRouteWithBodyExpr("apisix", "", "login"))
 	require.Error(t, err)
-	assert.Contains(t, err.Error(), "name is required when scope is not Path")
+	assert.Contains(t, err.Error(), "name is required and must not be blank when scope is not Path")
+}
+
+// TestApisixRoute_BodyScope_WhitespaceName verifies that a Body scope expr with
+// a whitespace-only name is rejected (trim() prevents blank names from passing).
+func TestApisixRoute_BodyScope_WhitespaceName(t *testing.T) {
+	v := loadApisixRouteSchema(t)
+	err := v.Validate(t, newRouteWithBodyExpr("apisix", "   ", "login"))
+	require.Error(t, err)
+	assert.Contains(t, err.Error(), "name is required and must not be blank when scope is not Path")
 }
 
 // TestApisixRoute_PathScope_EmptyName verifies that Path scope without a name

config/crd/bases/apisix.apache.org_apisixroutes.yaml

@@ -231,9 +231,10 @@ spec:
                                 - scope
                                 type: object
                                 x-kubernetes-validations:
-                                - message: name is required when scope is not Path
-                                  rule: self.scope == 'Path' || size(self.name) >
-                                    0
+                                - message: name is required and must not be blank
+                                    when scope is not Path
+                                  rule: self.scope == 'Path' || size(self.name.trim())
+                                    > 0
                               value:
                                 description: |-
                                   Value defines a single value to compare against the subject.

docs/en/latest/reference/api-reference.md

@@ -103,6 +103,66 @@ PluginConfig defines plugin configuration.
 ### Types
 
 This section describes the types used by the CRDs.
+#### ActiveHealthCheck
+
+
+ActiveHealthCheck defines the active upstream health check configuration.
+
+
+
+| Field | Description |
+| --- | --- |
+| `type` _string_ | Type is the health check type. Can be `http`, `https`, or `tcp`. |
+| `timeout` _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#duration-v1-meta)_ | Timeout sets health check timeout. |
+| `concurrency` _integer_ | Concurrency sets the number of targets to be checked at the same time. |
+| `host` _string_ | Host sets the upstream host used in the health check request. |
+| `port` _integer_ | Port sets the port on the upstream node to probe. |
+| `httpPath` _string_ | HTTPPath sets the HTTP path for the probe request. |
+| `strictTLS` _boolean_ | StrictTLS controls whether TLS certificate validation is enforced. |
+| `requestHeaders` _string array_ | RequestHeaders sets additional HTTP request headers for the probe. |
+| `healthy` _[ActiveHealthCheckHealthy](#activehealthcheckhealthy)_ | Healthy configures the thresholds for marking a node healthy. |
+| `unhealthy` _[ActiveHealthCheckUnhealthy](#activehealthcheckunhealthy)_ | Unhealthy configures the thresholds for marking a node unhealthy. |
+
+
+_Appears in:_
+- [HealthCheck](#healthcheck)
+
+#### ActiveHealthCheckHealthy
+
+
+ActiveHealthCheckHealthy defines thresholds for actively marking an upstream node healthy.
+
+
+
+| Field | Description |
+| --- | --- |
+| `httpCodes` _integer array_ | HTTPCodes is the list of HTTP status codes considered healthy. |
+| `successes` _integer_ | Successes is the number of consecutive successful responses required to mark a node healthy. |
+| `interval` _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#duration-v1-meta)_ | Interval defines the time between health check probes. Minimum is 1s. |
+
+
+_Appears in:_
+- [ActiveHealthCheck](#activehealthcheck)
+
+#### ActiveHealthCheckUnhealthy
+
+
+ActiveHealthCheckUnhealthy defines thresholds for actively marking an upstream node unhealthy.
+
+
+
+| Field | Description |
+| --- | --- |
+| `httpCodes` _integer array_ | HTTPCodes is the list of HTTP status codes considered unhealthy. |
+| `httpFailures` _integer_ | HTTPFailures is the number of HTTP failures to mark a node unhealthy. |
+| `tcpFailures` _integer_ | TCPFailures is the number of TCP failures to mark a node unhealthy. |
+| `timeout` _integer_ | Timeouts is the number of timeouts to mark a node unhealthy. |
+| `interval` _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#duration-v1-meta)_ | Interval defines the time between health check probes. Minimum is 1s. |
+
+
+_Appears in:_
+- [ActiveHealthCheck](#activehealthcheck)
+
 #### AdminKeyAuth
 
 
@@ -180,6 +240,7 @@ _Appears in:_
 | `timeout` _[Timeout](#timeout)_ | Timeout sets the read, send, and connect timeouts to the upstream. |
 | `passHost` _string_ | PassHost configures how the host header should be determined when a request is forwarded to the upstream. Default is `pass`. Can be `pass`, `node` or `rewrite`:<br /> • `pass`: preserve the original Host header<br /> • `node`: use the upstream node’s host<br /> • `rewrite`: set to a custom host via `upstreamHost` |
 | `upstreamHost` _[Hostname](#hostname)_ | UpstreamHost specifies the host of the Upstream request. Used only if passHost is set to `rewrite`. |
+| `healthCheck` _[HealthCheck](#healthcheck)_ | HealthCheck defines active and passive health check configuration for the upstream backends. When configured, APISIX will probe backends (active) or monitor live traffic (passive) to detect and bypass unhealthy nodes. |
 
 
 _Appears in:_
@@ -344,6 +405,22 @@ HTTPRoutePolicySpec defines the desired state of HTTPRoutePolicy.
 _Appears in:_
 - [HTTPRoutePolicy](#httproutepolicy)
 
+#### HealthCheck
+
+
+HealthCheck defines the active and passive health check configuration for upstream nodes.
+
+
+
+| Field | Description |
+| --- | --- |
+| `active` _[ActiveHealthCheck](#activehealthcheck)_ | Active health checks proactively send requests to upstream nodes to determine their availability. |
+| `passive` _[PassiveHealthCheck](#passivehealthcheck)_ | Passive health checks evaluate upstream health based on observed traffic (timeouts, errors). |
+
+
+_Appears in:_
+- [BackendTrafficPolicySpec](#backendtrafficpolicyspec)
+
 #### Hostname
 _Base type:_ `string`
 
@@ -373,6 +450,59 @@ LoadBalancer describes the load balancing parameters.
 _Appears in:_
 - [BackendTrafficPolicySpec](#backendtrafficpolicyspec)
 
+#### PassiveHealthCheck
+
+
+PassiveHealthCheck defines passive health check configuration based on observed traffic.
+
+
+
+| Field | Description |
+| --- | --- |
+| `type` _string_ | Type is the passive health check type. Can be `http`, `https`, or `tcp`. |
+| `healthy` _[PassiveHealthCheckHealthy](#passivehealthcheckhealthy)_ | Healthy defines conditions under which a node is considered healthy. |
+| `unhealthy` _[PassiveHealthCheckUnhealthy](#passivehealthcheckunhealthy)_ | Unhealthy defines conditions under which a node is considered unhealthy. |
+
+
+_Appears in:_
+- [HealthCheck](#healthcheck)
+
+#### PassiveHealthCheckHealthy
+
+
+PassiveHealthCheckHealthy defines conditions for passively marking a node healthy.
+
+
+
+| Field | Description |
+| --- | --- |
+| `httpCodes` _integer array_ | HTTPCodes is the list of HTTP status codes considered healthy. |
+| `successes` _integer_ | Successes is the number of consecutive successful responses required to mark a node healthy. |
+
+
+_Appears in:_
+- [ActiveHealthCheckHealthy](#activehealthcheckhealthy)
+- [PassiveHealthCheck](#passivehealthcheck)
+
+#### PassiveHealthCheckUnhealthy
+
+
+PassiveHealthCheckUnhealthy defines conditions for passively marking a node unhealthy.
+
+
+
+| Field | Description |
+| --- | --- |
+| `httpCodes` _integer array_ | HTTPCodes is the list of HTTP status codes considered unhealthy. |
+| `httpFailures` _integer_ | HTTPFailures is the number of HTTP failures to mark a node unhealthy. |
+| `tcpFailures` _integer_ | TCPFailures is the number of TCP failures to mark a node unhealthy. |
+| `timeout` _integer_ | Timeouts is the number of timeouts to mark a node unhealthy. |
+
+
+_Appears in:_
+- [ActiveHealthCheckUnhealthy](#activehealthcheckunhealthy)
+- [PassiveHealthCheck](#passivehealthcheck)
+
 #### Plugin