chore: bump api7-ingress-controller to 2.1.0 #290

Open
AlinsRan wants to merge 4 commits into main from chore/bump-ingress-controller-2.1.0

@AlinsRan AlinsRan commented May 29, 2026

Changes

  • Bump ingress-controller image tag: 2.0.16 -> 2.1.0
  • Bump chart appVersion: 2.0.16 -> 2.1.0, version: 0.1.23 -> 0.1.24
  • Bump ADC image tag: 0.23.1 -> 0.26.0
  • Update CRDs (apisixconsumers, apisixroutes, backendtrafficpolicies) for new 2.1.0 features

Summary by CodeRabbit

  • New Features

    • Stricter JWT auth validation (requires keys for non-HS algorithms).
    • Improved health checks with detailed active/passive monitoring.
    • Consumer plugin support added.
    • Expanded HTTP match scopes and related validations.
    • Immutability enforced for control-plane mode.
  • Chores

    • Chart and app versions bumped; default controller updated to 2.1.0.
    • Ingress controller and ADC image tags updated (controller 2.1.0, ADC 0.26.0).

- Bump ingress-controller image tag: 2.0.16 -> 2.1.0
- Bump ADC image tag: 0.23.1 -> 0.26.0
- Update CRDs: apisixconsumers, apisixroutes, backendtrafficpolicies

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
coderabbitai Bot commented May 29, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: f70b6cf9-0562-48f6-a9e8-3b308c070a64

📥 Commits

Reviewing files that changed from the base of the PR and between 6e5d8ca and bbc5f0b.

📒 Files selected for processing (1)
  • charts/ingress-controller/README.md
✅ Files skipped from review due to trivial changes (1)
  • charts/ingress-controller/README.md

📝 Walkthrough

Release update to Helm chart version 0.1.24 with appVersion 2.1.0. Multiple APISIX CustomResourceDefinition schemas enhanced with validation rules, new plugin configuration fields, and API contract refinements. Container image tags updated to corresponding versions.

Changes

Ingress Controller Release 2.1.0

| Layer / File(s) | Summary |
|---|---|
| Chart version and image tag updates: charts/ingress-controller/Chart.yaml, charts/ingress-controller/values.yaml, charts/ingress-controller/README.md | Chart version bumped to 0.1.24 and appVersion to 2.1.0. Ingress controller image tag updated to 2.1.0 and ADC image tag updated to 0.26.0; README badges/values updated accordingly. |
| ApisixConsumer auth and plugin schema updates: charts/ingress-controller/crds/apisix-crds.yaml | Removed HMAC oneOf mutual-exclusion constraint. JWT auth docs updated and x-kubernetes-validations rule added requiring non-empty public_key or private_key when algorithm is not HS256/HS384/HS512. Added spec.plugins array with required enable and name, and config preserved via x-kubernetes-preserve-unknown-fields. |
| ApisixRoute HTTP match and stream rule enhancements: charts/ingress-controller/crds/apisix-crds.yaml | Fixed CRD description text. Expanded HTTP match exprs[].subject.scope to include Header/Query/Path/Cookie/Variable/Body, updated name semantics (optional for Path), and added validation requiring name when scope != Path. Removed specific filter_func and stream-route unsupported wording. |
| BackendTrafficPolicy healthCheck schema expansion: charts/ingress-controller/crds/apisix-crds.yaml | Reworked spec.healthCheck (v1alpha1) to define active and passive health checks with explicit fields; added unhealthy threshold fields including timeouts and made active required. |
| Consumer credentials schema simplification: charts/ingress-controller/crds/apisix-crds.yaml | Consumer (v1alpha1) spec.credentials removed oneOf between config and secretRef, leaving a single credential object schema requiring only type. |
| GatewayProxy controlPlane.mode immutability: charts/ingress-controller/crds/apisix-crds.yaml | Added controlPlane.provider.mode with constrained description and an x-kubernetes-validations immutability rule preventing changes after creation. |

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 6
✅ Passed checks (6 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title 'chore: bump api7-ingress-controller to 2.1.0' accurately describes the primary change - bumping the ingress-controller to version 2.1.0 across chart metadata, image tags, and associated CRDs. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| E2e Test Quality Review | ✅ Passed | This PR contains no E2E tests or test code. It only updates Helm chart metadata, CRD definitions, image tags, and docs. The custom check is not applicable. |
| Security Check | ✅ Passed | PR updates chart versions and CRD schemas without introducing sensitive data exposure, unencrypted storage, auth bypasses, or TLS misconfigurations. All secrets properly use secretRef alternatives. |

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)
charts/ingress-controller/crds/apisix-crds.yaml (2)

2978-3013: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Don't allow credential entries with only type.

With the current schema, a credentials item can omit both config and secretRef, and it can also provide both at once. That weakens API validation and accepts objects the controller cannot meaningfully use.

Suggested schema guard
                 items:
                   properties:
                     config:
                       description: Config specifies the credential details for authentication.
                       x-kubernetes-preserve-unknown-fields: true
@@
                     type:
                       description: |-
                         Type specifies the type of authentication to configure credentials for.
                         Can be `jwt-auth`, `basic-auth`, `key-auth`, or `hmac-auth`.
                       enum:
                       - jwt-auth
                       - basic-auth
                       - key-auth
                       - hmac-auth
                       type: string
                   required:
                   - type
                   type: object
+                  x-kubernetes-validations:
+                  - message: exactly one of config or secretRef must be specified
+                    rule: has(self.config) != has(self.secretRef)
                 type: array
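Review bot: the added rule `has(self.config) != has(self.secretRef)` only tests field presence, and `config` is declared here with `x-kubernetes-preserve-unknown-fields: true` and no required keys in the visible lines, so a credential with `config: {}` and no `secretRef` still passes admission. If the goal is to reject entries the controller cannot use, also require a non-empty `config` (for example `minProperties: 1` on `config`) and say so in the message.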
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@charts/ingress-controller/crds/apisix-crds.yaml` around lines 2978 - 3013,
The credentials item schema currently allows objects with only type or both
config and secretRef; update the schema for credentials.items to enforce that
exactly one of config or secretRef is present by replacing the current
required/type block with a oneOf that has two alternatives: one requiring
"config" and the other requiring "secretRef" (keep
x-kubernetes-preserve-unknown-fields on config and the existing secretRef
properties), ensuring "type" remains required; this makes the schema
(credentials, config, secretRef, type) reject objects that provide neither or
both fields.

81-154: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Restore the hmacAuth source exclusivity check.

This schema now admits hmacAuth: {} and other ambiguous combinations that used to be rejected at admission time. That pushes malformed auth config into reconciliation instead of failing fast at the CRD boundary.

Suggested schema guard
                   hmacAuth:
                     description: HMACAuth configures the HMAC authentication details.
                     properties:
                       secretRef:
                         description: SecretRef references a Kubernetes Secret containing
                           the HMAC credentials.
@@
                       value:
                         description: Value specifies HMAC authentication credentials.
@@
                         required:
                         - secret_key
                         type: object
                     type: object
+                    x-kubernetes-validations:
+                    - message: exactly one of secretRef or value must be specified
+                      rule: has(self.secretRef) != has(self.value)
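Review bot: the `description` on `hmacAuth` ("HMACAuth configures the HMAC authentication details.") does not say that `secretRef` and `value` are mutually exclusive, so users only learn of the constraint from the admission error; state it in the description alongside the added rule. The rule also tests presence only: `value` is covered by its `required: secret_key`, but the `secretRef` requirements sit in an elided `@@` region, so confirm that an empty `secretRef: {}` cannot satisfy the guard.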
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@charts/ingress-controller/crds/apisix-crds.yaml` around lines 81 - 154, The
CRD currently allows hmacAuth: {} which bypasses admission-time validation;
restore exclusivity by adding schema constraints on the hmacAuth object so it
requires either secretRef or value (and not both/empty). Concretely, inside the
hmacAuth schema add a oneOf (or oneOf-equivalent) with two subschemas: one that
requires secretRef (object) and disallows value, and another that requires value
with its required: ["secret_key"] (and disallows secretRef); also add
minProperties: 1 on hmacAuth to reject empty objects. Update the hmacAuth block
and its nested secretRef/value definitions to enforce these constraints so
malformed empty/ambiguous configs are rejected at CRD validation.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@charts/ingress-controller/values.yaml`:
- Line 37: values.yaml currently sets ingress-controller image tag at tag:
"2.1.0" while README.md documents defaults as deployment.image.tag: "2.0.16" and
adc.image.tag: "0.23.1", causing a mismatch and a likely missing upstream image;
update charts/ingress-controller/values.yaml to use a published
ingress-controller tag (or ensure tag "2.1.0" is actually published) and keep
adc.image.tag consistent with the published ADC tag, then update
charts/ingress-controller/README.md to reflect the same default values
(deployment.image.tag and adc.image.tag) and add a brief note about verified
compatibility between the chosen ingress-controller and ADC tags after staging
validation.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: b66f4e2b-7361-4093-87ad-024c6f3e2825

📥 Commits

Reviewing files that changed from the base of the PR and between c3d51ad and 2bcdef9.

📒 Files selected for processing (3)
  • charts/ingress-controller/Chart.yaml
  • charts/ingress-controller/crds/apisix-crds.yaml
  • charts/ingress-controller/values.yaml

Comment thread charts/ingress-controller/values.yaml
AlinsRan and others added 2 commits May 29, 2026 11:43
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@AlinsRan AlinsRan requested a review from Baoyuantop May 29, 2026 04:02