@fgksgf
Last active August 23, 2021 09:39
GSoC 2021 Final Report


The final report about my Google Summer of Code 2021 work with Apache APISIX Ingress Controller

Background

Currently, the basic structural verification of CRDs has been completed in APISIX Ingress Controller, but more verification is still needed, for example plugin schema verification, dependency verification between APISIX objects, rule conflict verification, etc.

In this project, I will enhance the verification for APISIX Ingress Controller by implementing validation admission webhooks, which can avoid some errors caused by YAML when the user defines the CRD.

What I have done

Implement the schema interface

To validate a plugin, its schema is required, so I implemented a schema interface that can get a plugin's schema from the APISIX Admin API. When the APISIX Ingress Controller starts, it fetches the names of all plugins, queries their schemas and caches them. It also syncs the schemas from APISIX regularly.

The schema interface looks like this:

type Schema interface {
	GetPluginSchema(context.Context, string) (*v1.Schema, error)
}

If we need to get other objects' schemas, we can just add a method to the interface.

Implement the admission server

To implement validation webhooks, we need an admission server to process the AdmissionReview and apply validating logic to it. After research and discussion (more details can be seen in this issue), I chose kubewebhook to implement the admission server. With the help of kubewebhook, it's much easier to write the actual business logic in the webhook.

During the process, I also encountered some certificate issues. Because Kubernetes only communicates through HTTPS, I had to configure TLS certificates to start the admission server. Luckily, there are some scripts that can help with this.
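
The decision step of the admission server described above, as an added example that is not the project's code. It uses only the standard library rather than kubewebhook, and it assumes a hypothetical object shape (name, config) and a constructed required-keys table in place of the cached plugin schemas.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// response mirrors the "response" member of an admission.k8s.io/v1 AdmissionReview.
type response struct {
	UID     string            `json:"uid"` // must echo the request UID
	Allowed bool              `json:"allowed"`
	Status  map[string]string `json:"status,omitempty"`
}
// Constructed stand-in for the cached plugin schemas: required config keys only.
var required = map[string][]string{"limit-count": {"count", "time_window"}}

// Review validates a serialized AdmissionReview request; unparsable or unknown input is denied.
func Review(body []byte) response {
	var in struct {
		Request *struct {
			UID    string `json:"uid"`
			Object struct { // hypothetical object shape: plugin name plus config
				Name   string                 `json:"name"`
				Config map[string]interface{} `json:"config"`
			} `json:"object"`
		} `json:"request"`
	}
	deny := func(uid, msg string) response {
		return response{UID: uid, Status: map[string]string{"message": msg}}
	}
	if err := json.Unmarshal(body, &in); err != nil || in.Request == nil {
		return deny("", "malformed AdmissionReview")
	}
	req := in.Request
	keys, known := required[req.Object.Name]
	if !known {
		return deny(req.UID, "unknown plugin: "+req.Object.Name)
	}
	for _, k := range keys {
		if _, ok := req.Object.Config[k]; !ok {
			return deny(req.UID, fmt.Sprintf("plugin %s: missing required field %q", req.Object.Name, k))
		}
	}
	return response{UID: req.UID, Allowed: true}
}

func main() {
	fmt.Println(Review([]byte(`{"request":{"uid":"u-1","object":{"name":"limit-count","config":{"count":2}}}}`)))
}
```

On the wire, the returned value goes into the `response` field of an AdmissionReview that carries the same apiVersion and kind as the request.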

Add E2E test cases for the admission webhook

It took me a lot of time to debug the E2E test, because all components work in a Kubernetes cluster and I didn't know whether the webhook was triggered. Therefore I modified the E2E code and Makefile locally so that API objects were not deleted after the test. Then I could use kubectl to check the logs of pods manually and locate the issue. In addition, I added more log statements for debugging.

Deliverables

Future work

I will continue to do the planned tasks that are not completed (unchecked in Deliverables). Besides, some issues and polish work need to be completed along with adding new features as we progress. Some of the essential tasks out of these are as follows:

Things I learned from GSoC

  • Learned about TLS certificates, APISIX objects and APISIX Admin API
  • Learned to develop and debug Ginkgo E2E tests
  • Learned to write unit tests with mocking
  • Learned to create an admission validation webhook
  • Improved my knowledge of Kubernetes
  • Learned the importance of time management as well as perfect deliverables

Conclusion

I'm very lucky to be one of the GSoC students, which took me from a newbie to a contributor to the APISIX Ingress Controller project, with the help of my mentor. The project itself is very cool and I got to learn a lot from its code and reviewers' code review comments! I feel better about my abilities now than I did a few months back.

A big thank you to my mentor, Wei Jin, who was never demanding and gave me a lot of help. Also, I would like to thank all the other people who weren't official GSoC mentors but who were helpful during the whole period. I will keep contributing to the project and try my best to become an APISIX committer.
