feat: add certificate conflict detection to admission webhooks #2603
+2,510
−73
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Ashing Zheng <[email protected]>
Signed-off-by: Ashing Zheng <[email protected]>
Signed-off-by: Ashing Zheng <[email protected]>
Signed-off-by: Ashing Zheng <[email protected]>
Signed-off-by: Ashing Zheng <[email protected]>
Signed-off-by: Ashing Zheng <[email protected]>
Signed-off-by: Ashing Zheng <[email protected]>
Signed-off-by: Ashing Zheng <[email protected]>
Signed-off-by: Ashing Zheng <[email protected]>
ronething
changed the title
There was a problem hiding this comment.
Pull Request Overview
This PR introduces certificate conflict detection to admission webhooks to prevent SSL/TLS configuration mismatches across Gateway, Ingress, and ApisixTls resources that share the same GatewayProxy. The feature ensures that when multiple resources configure TLS for the same hostname, they must use identical certificates to avoid conflicting SSL configurations in APISIX.
- Adds reusable SSL utility functions for certificate extraction and validation
- Implements a comprehensive conflict detector that validates SSL configurations across resource types
- Integrates conflict detection into admission webhooks for all three resource types
Reviewed Changes
Copilot reviewed 11 out of 11 changed files in this pull request and generated 5 comments.
Show a summary per file
| File | Description |
|---|---|
| test/e2e/webhook/ssl_conflict.go | Comprehensive e2e tests covering conflict scenarios between resources |
| internal/webhook/v1/ssl/conflict_detector_test.go | Unit tests for the conflict detection logic |
| internal/webhook/v1/ssl/conflict_detector.go | Core conflict detection implementation |
| internal/webhook/v1/ingress_webhook.go | Integration of SSL conflict detection into Ingress webhook |
| internal/webhook/v1/gateway_webhook.go | Integration of SSL conflict detection into Gateway webhook |
| internal/webhook/v1/apisixtls_webhook.go | Integration of SSL conflict detection into ApisixTls webhook |
| internal/ssl/util.go | Reusable SSL utility functions for certificate handling |
| internal/adc/translator/ingress.go | Updated to use new SSL utilities |
| internal/adc/translator/gateway.go | Refactored to use new SSL utilities, removing duplicate code |
| internal/adc/translator/apisixupstream.go | Updated to use new SSL utilities |
| internal/adc/translator/apisixtls.go | Updated to use new SSL utilities |
Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.
Signed-off-by: Ashing Zheng <[email protected]>
Signed-off-by: Ashing Zheng <[email protected]>
Signed-off-by: Ashing Zheng <[email protected]>
Signed-off-by: Ashing Zheng <[email protected]>
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
There was a problem hiding this comment.
license-eye has totally checked 349 files.
| Valid | Invalid | Ignored | Fixed |
|---|---|---|---|
| 252 | 1 | 96 | 0 |
Click to see the invalid file list
- internal/controller/indexer/ssl_host.go
Signed-off-by: Ashing Zheng <[email protected]>
AlinsRan
reviewed
Oct 16, 2025
| // existing resources that are associated with the same GatewayProxy. Best-effort: | ||
| // failures while enumerating existing resources or reading Secrets will be logged | ||
| // and result in no conflicts instead of blocking the admission. | ||
| func (d *ConflictDetector) DetectConflicts(ctx context.Context, obj client.Object, newMappings []HostCertMapping) ([]SSLConflict, error) { |
There was a problem hiding this comment.
I suggest adding this check:
if len(newMappings) == 0 { return }
AlinsRan
reviewed
Oct 16, 2025
| seen[mapping.Host] = mapping.CertificateHash | ||
| } | ||
|
|
||
| if len(seen) == 0 { |
AlinsRan
reviewed
Oct 16, 2025
Signed-off-by: Ashing Zheng <[email protected]>
Signed-off-by: Ashing Zheng <[email protected]>
Signed-off-by: Ashing Zheng <[email protected]>
AlinsRan
approved these changes
Oct 16, 2025
Signed-off-by: Ashing Zheng <[email protected]>
Signed-off-by: Ashing Zheng <[email protected]>
Revolyssup
approved these changes
Oct 16, 2025
Signed-off-by: Ashing Zheng <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Type of change:
What this PR does / why we need it:
When the TLS configuration of the Gateway/Ingress/ApisixTls resources has the same host but uses different certificates, we should intercept.
Pre-submission checklist: