fix: address PR review comments

- Reword doc comment: remove misleading 'Exactly one' phrasing; clarify
  that only asymmetric algorithms require at least one key
- Extend CEL rule to treat empty algorithm string (size == 0) as
  symmetric, consistent with APISIX's default of HS256
- Replace PEM-like key fixtures with simple placeholders to avoid
  secret scanner false positives
- Add TestApisixConsumer_JwtAuth_EmptyAlgorithmTreatedAsSymmetric
- Regenerate CRD manifest and reference docs

Author: AlinsRan

api/v2/apisixconsumer_types.go

@@ -130,11 +130,11 @@ type ApisixConsumerJwtAuth struct {
 }
 
 // ApisixConsumerJwtAuthValue defines configuration for JWT authentication.
-// Exactly one of the following must be provided depending on the algorithm:
-//   - For symmetric algorithms (HS256, HS384, HS512): use secret. private_key and public_key are not required.
-//   - For asymmetric algorithms (RS*, ES*, PS*, EdDSA): at least one of public_key or private_key must be provided.
+// For asymmetric algorithms (RS*, ES*, PS*, EdDSA), at least one of public_key
+// or private_key must be provided. Symmetric algorithms (HS256, HS384, HS512)
+// and unset algorithm do not require any key field.
 //
-// +kubebuilder:validation:XValidation:rule="!has(self.algorithm) || self.algorithm in ['HS256','HS384','HS512'] || (has(self.public_key) && size(self.public_key) > 0) || (has(self.private_key) && size(self.private_key) > 0)",message="asymmetric JWT algorithms (RS*/ES*/PS*/EdDSA) require at least one of public_key or private_key"
+// +kubebuilder:validation:XValidation:rule="!has(self.algorithm) || size(self.algorithm) == 0 || self.algorithm in ['HS256','HS384','HS512'] || (has(self.public_key) && size(self.public_key) > 0) || (has(self.private_key) && size(self.private_key) > 0)",message="asymmetric JWT algorithms (RS*/ES*/PS*/EdDSA) require at least one of public_key or private_key"
 type ApisixConsumerJwtAuthValue struct {
 	// Key is the unique identifier for the JWT credential.
 	Key string `json:"key" yaml:"key"`

api/v2/apisixconsumer_validation_test.go

@@ -184,7 +184,7 @@ func TestApisixConsumer_JwtAuth_AsymmetricRS256WithPublicKey(t *testing.T) {
 				JwtAuth: &apisixv2.ApisixConsumerJwtAuth{
 					Value: &apisixv2.ApisixConsumerJwtAuthValue{
 						Key:       "my-key",
-						PublicKey: "-----BEGIN PUBLIC KEY-----\nMFww\n-----END PUBLIC KEY-----",
+						PublicKey: "test-public-key",
 						Algorithm: "RS256",
 					},
 				},
@@ -202,7 +202,7 @@ func TestApisixConsumer_JwtAuth_AsymmetricRS256WithPrivateKey(t *testing.T) {
 				JwtAuth: &apisixv2.ApisixConsumerJwtAuth{
 					Value: &apisixv2.ApisixConsumerJwtAuthValue{
 						Key:        "my-key",
-						PrivateKey: "-----BEGIN RSA PRIVATE KEY-----\nMIIE\n-----END RSA PRIVATE KEY-----",
+						PrivateKey: "test-private-key",
 						Algorithm:  "RS256",
 					},
 				},
@@ -220,8 +220,8 @@ func TestApisixConsumer_JwtAuth_AsymmetricRS256WithBothKeys(t *testing.T) {
 				JwtAuth: &apisixv2.ApisixConsumerJwtAuth{
 					Value: &apisixv2.ApisixConsumerJwtAuthValue{
 						Key:        "my-key",
-						PublicKey:  "-----BEGIN PUBLIC KEY-----\nMFww\n-----END PUBLIC KEY-----",
-						PrivateKey: "-----BEGIN RSA PRIVATE KEY-----\nMIIE\n-----END RSA PRIVATE KEY-----",
+						PublicKey:  "test-public-key",
+						PrivateKey: "test-private-key",
 						Algorithm:  "RS256",
 					},
 				},
@@ -308,3 +308,25 @@ func TestApisixConsumer_JwtAuth_AsymmetricWithEmptyPublicKey(t *testing.T) {
 	require.Error(t, err)
 	assert.Contains(t, err.Error(), "asymmetric JWT algorithms")
 }
+
+// TestApisixConsumer_JwtAuth_EmptyAlgorithmTreatedAsSymmetric verifies that an
+// explicitly empty algorithm string is treated the same as an unset algorithm
+// (defaults to HS256) and does not require public_key or private_key.
+func TestApisixConsumer_JwtAuth_EmptyAlgorithmTreatedAsSymmetric(t *testing.T) {
+	v := loadApisixConsumerSchema(t)
+	ac := &apisixv2.ApisixConsumer{
+		Spec: apisixv2.ApisixConsumerSpec{
+			AuthParameter: apisixv2.ApisixConsumerAuthParameter{
+				JwtAuth: &apisixv2.ApisixConsumerJwtAuth{
+					Value: &apisixv2.ApisixConsumerJwtAuthValue{
+						Key:    "my-key",
+						Secret: "my-secret",
+						// Algorithm is explicitly empty string — should be treated as
+						// unset and not require asymmetric keys.
+					},
+				},
+			},
+		},
+	}
+	assert.NoError(t, v.Validate(t, ac))
+}

config/crd/bases/apisix.apache.org_apisixconsumers.yaml

@@ -214,10 +214,10 @@ spec:
                         x-kubernetes-validations:
                         - message: asymmetric JWT algorithms (RS*/ES*/PS*/EdDSA) require
                             at least one of public_key or private_key
-                          rule: '!has(self.algorithm) || self.algorithm in [''HS256'',''HS384'',''HS512'']
-                            || (has(self.public_key) && size(self.public_key) > 0)
-                            || (has(self.private_key) && size(self.private_key) >
-                            0)'
+                          rule: '!has(self.algorithm) || size(self.algorithm) == 0
+                            || self.algorithm in [''HS256'',''HS384'',''HS512''] ||
+                            (has(self.public_key) && size(self.public_key) > 0) ||
+                            (has(self.private_key) && size(self.private_key) > 0)'
                     type: object
                   keyAuth:
                     description: KeyAuth configures the key authentication details.

docs/en/latest/reference/api-reference.md

@@ -781,9 +781,9 @@ _Appears in:_
 
 
 ApisixConsumerJwtAuthValue defines configuration for JWT authentication.
-Exactly one of the following must be provided depending on the algorithm:
-  - For symmetric algorithms (HS256, HS384, HS512): use secret. private_key and public_key are not required.
-  - For asymmetric algorithms (RS*, ES*, PS*, EdDSA): at least one of public_key or private_key must be provided.
+For asymmetric algorithms (RS*, ES*, PS*, EdDSA), at least one of public_key
+or private_key must be provided. Symmetric algorithms (HS256, HS384, HS512)
+and unset algorithm do not require any key field.