feat: support apisix provider type and add ingress docs

.github/workflows/apisix-conformance-test.yml

@@ -53,6 +53,11 @@ jobs:
     timeout-minutes: 60
     needs: 
       - prepare
+    strategy:
+      matrix:
+        provider_type:
+        - apisix-standalone
+        - apisix
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
@@ -96,6 +101,8 @@ jobs:
       - name: Run Conformance Test
         shell: bash
         continue-on-error: true
+        env:
+          PROVIDER_TYPE: ${{ matrix.provider_type }}
         run: |
           make conformance-test-standalone
 

.github/workflows/apisix-e2e-test.yml

@@ -52,6 +52,11 @@ jobs:
   e2e-test:
     needs: 
       - prepare
+    strategy:
+      matrix:
+        provider_type:
+        - apisix-standalone
+        - apisix
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
@@ -100,5 +105,6 @@ jobs:
         shell: bash
         env:
           TEST_DIR: "./test/e2e/apisix/"
+          PROVIDER_TYPE: ${{ matrix.provider_type }}
         run: |
           make e2e-test

api/v2/apisixtls_types.go

@@ -41,7 +41,7 @@ type ApisixTlsStatus = ApisixStatus
 
 // +kubebuilder:object:root=true
 // +kubebuilder:subresource:status
-// +kubebuilder:resource:shortName=atls
+// +kubebuilder:resource:shortName=atls,path=apisixtlses
 
 // ApisixTls is the Schema for the apisixtls API.
 type ApisixTls struct {

charts/templates/configmap.yaml

@@ -32,6 +32,8 @@ data:
     exec_adc_timeout: {{ .Values.config.execADCTimeout | default "15s" }}
 
     provider:
+      type: {{ .Values.config.provider.type | default "apisix-standalone" }}
+
       sync_period: {{ .Values.config.provider.syncPeriod | default "0s" }}
 
       init_sync_delay: {{ .Values.config.provider.initSyncDelay | default "20m" }}

charts/values.yaml

@@ -52,5 +52,6 @@ config:
   secureMetrics: ""
   execADCTimeout: "15s"
   provider:
+    type: "apisix-standalone"
     syncPeriod: "0s"
     initSyncDelay: "20m"

config/crd/bases/apisix.apache.org_apisixtls.yaml → config/crd/bases/apisix.apache.org_apisixtlses.yaml

@@ -4,13 +4,13 @@ kind: CustomResourceDefinition
 metadata:
   annotations:
     controller-gen.kubebuilder.io/version: v0.17.2
-  name: apisixtls.apisix.apache.org
+  name: apisixtlses.apisix.apache.org
 spec:
   group: apisix.apache.org
   names:
     kind: ApisixTls
     listKind: ApisixTlsList
-    plural: apisixtls
+    plural: apisixtlses
     shortNames:
     - atls
     singular: apisixtls

config/crd/kustomization.yaml

@@ -10,7 +10,7 @@ resources:
 - bases/apisix.apache.org_apisixroutes.yaml
 - bases/apisix.apache.org_apisixconsumers.yaml
 - bases/apisix.apache.org_apisixglobalrules.yaml
-- bases/apisix.apache.org_apisixtls.yaml
+- bases/apisix.apache.org_apisixtlses.yaml
 - bases/apisix.apache.org_apisixupstreams.yaml
 - bases/apisix.apache.org_apisixpluginconfigs.yaml
 # +kubebuilder:scaffold:crdkustomizeresource

config/rbac/role.yaml

@@ -29,7 +29,7 @@ rules:
   - apisixglobalrules
   - apisixpluginconfigs
   - apisixroutes
-  - apisixtls
+  - apisixtlses
   - apisixupstreams
   - backendtrafficpolicies
   - consumers
@@ -47,7 +47,7 @@ rules:
   - apisixglobalrules/status
   - apisixpluginconfigs/status
   - apisixroutes/status
-  - apisixtls/status
+  - apisixtlses/status
   - apisixupstreams/status
   - backendtrafficpolicies/status
   - consumers/status
@@ -91,6 +91,7 @@ rules:
   - gatewayclasses/status
   - gateways/status
   - httproutes/status
+  - referencegrants/status
   verbs:
   - get
   - update
@@ -102,6 +103,14 @@ rules:
   - get
   - list
   - watch
+- apiGroups:
+  - gateway.networking.k8s.io
+  resources:
+  - referencegrants
+  verbs:
+  - list
+  - update
+  - watch
 - apiGroups:
   - networking.k8s.io
   resources:

docs/upgrade-guide.md

@@ -0,0 +1,171 @@
+# APISIX Ingress Controller Upgrade Guide
+
+## Upgrading from 1.x.x to 2.0.0: Key Changes and Considerations
+
+This document outlines the major updates, configuration compatibility changes, API behavior differences, and critical considerations when upgrading the APISIX Ingress Controller from version 1.x.x to 2.0.0. Please read carefully and assess the impact on your existing system before proceeding with the upgrade.
+
+### APISIX Version Dependency (Data Plane)
+
+The `apisix-standalone` mode is supported only with **APISIX 3.13.0**. When using this mode, it is mandatory to upgrade the data plane APISIX instance along with the Ingress Controller.
+
+### Architecture Changes
+
+#### Architecture in 1.x.x
+
+There were two main deployment architectures in 1.x.x:
+
+| Mode           | Description                                                                            | Issue                                                                          |
+| -------------- | -------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------ |
+| Admin API Mode | Runs a separate etcd instance, with APISIX Admin API managing data plane configuration | Complex to deploy; high maintenance overhead for etcd                          |
+| Mock-ETCD Mode | APISIX and the Ingress Controller are deployed in the same Pod, mocking etcd endpoints | Stateless Ingress cannot persist revision info; may lead to data inconsistency |
+
+#### Architecture in 2.0.0
+
+![upgrade to 2.0.0 architecture](./assets/images/upgrade-to-architecture.png)
+
+##### Mock-ETCD Mode Deprecated
+
+The mock-etcd architecture is no longer supported. This mode introduced significant reliability issues: stateless ingress controllers could not persist revision metadata, leading to memory pollution in the data plane and data inconsistencies.
+
+The following configuration block has been removed:
+
+```yaml
+etcdserver:
+  enabled: false
+  listen_address: ":12379"
+  prefix: /apisix
+  ssl_key_encrypt_salt: edd1c9f0985e76a2
+```
+
+##### Controller-Only Configuration Source
+
+In 2.0.0, all data plane configurations must originate from the Ingress Controller. Configurations via Admin API or any external methods are no longer supported and will be ignored or may cause errors.
+
+### Ingress Configuration Changes
+
+#### Configuration Path Changes
+
+| Old Path                 | New Path             |
+| ------------------------ | -------------------- |
+| `kubernetes.election_id` | `leader_election_id` |
+
+#### Removed Configuration Fields
+
+| Configuration Path   | Description                              |
+| -------------------- | ---------------------------------------- |
+| `kubernetes.*`       | Multi-namespace control / sync interval  |
+| `plugin_metadata_cm` | Plugin metadata ConfigMap                |
+| `log_rotation_*`     | Log rotation settings                    |
+| `apisix.*`           | Static Admin API configuration           |
+| `etcdserver.*`       | Configuration for mock-etcd (deprecated) |
+
+#### Example: Legacy Configuration Removed in 2.0.0
+
+```yaml
+apisix:
+  admin_api_version: v3
+  default_cluster_base_url: "http://127.0.0.1:9180/apisix/admin"
+  default_cluster_admin_key: ""
+  default_cluster_name: "default"
+```
+
+#### New Configuration via `GatewayProxy` CRD
+
+From version 2.0.0, the data plane must be connected via the `GatewayProxy` CRD:
+
+```yaml
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+  name: apisix
+spec:
+  controller: "apisix.apache.org/apisix-ingress-controller"
+  parameters:
+    apiGroup: "apisix.apache.org"
+    kind: "GatewayProxy"
+    name: "apisix-proxy-config"
+    namespace: "default"
+    scope: "Namespace"
+---
+apiVersion: apisix.apache.org/v1alpha1
+kind: GatewayProxy
+metadata:
+  name: apisix-proxy-config
+  namespace: default
+spec:
+  provider:
+    type: ControlPlane
+    controlPlane:
+      endpoints:
+      - https://127.0.0.1:9180
+      auth:
+        type: AdminKey
+        adminKey:
+          value: ""
+```
+
+### API Changes
+
+#### `ApisixUpstream`
+
+Due to current limitations in the ADC (API Definition Controller) component, the following fields are not yet supported:
+
+* `spec.discovery`: Service Discovery
+* `spec.healthCheck`: Health Checking
+
+More details: [ADC Backend Differences](https://github.com/api7/adc/blob/2449ca81e3c61169f8c1e59efb4c1173a766bce2/libs/backend-apisix-standalone/README.md#differences-in-upstream)
+
+#### Limited Support for Ingress Annotations
+
+Ingress annotations used in version 1.x.x are not fully supported in 2.0.0. If your existing setup relies on any of the following annotations, validate compatibility or consider delaying the upgrade.
+
+| Ingress Annotations                                    |
+| ------------------------------------------------------ |
+| `k8s.apisix.apache.org/use-regex`                      |
+| `k8s.apisix.apache.org/enable-websocket`               |
+| `k8s.apisix.apache.org/plugin-config-name`             |
+| `k8s.apisix.apache.org/upstream-scheme`                |
+| `k8s.apisix.apache.org/upstream-retries`               |
+| `k8s.apisix.apache.org/upstream-connect-timeout`       |
+| `k8s.apisix.apache.org/upstream-read-timeout`          |
+| `k8s.apisix.apache.org/upstream-send-timeout`          |
+| `k8s.apisix.apache.org/enable-cors`                    |
+| `k8s.apisix.apache.org/cors-allow-origin`              |
+| `k8s.apisix.apache.org/cors-allow-headers`             |
+| `k8s.apisix.apache.org/cors-allow-methods`             |
+| `k8s.apisix.apache.org/enable-csrf`                    |
+| `k8s.apisix.apache.org/csrf-key`                       |
+| `k8s.apisix.apache.org/http-to-https`                  |
+| `k8s.apisix.apache.org/http-redirect`                  |
+| `k8s.apisix.apache.org/http-redirect-code`             |
+| `k8s.apisix.apache.org/rewrite-target`                 |
+| `k8s.apisix.apache.org/rewrite-target-regex`           |
+| `k8s.apisix.apache.org/rewrite-target-regex-template`  |
+| `k8s.apisix.apache.org/enable-response-rewrite`        |
+| `k8s.apisix.apache.org/response-rewrite-status-code`   |
+| `k8s.apisix.apache.org/response-rewrite-body`          |
+| `k8s.apisix.apache.org/response-rewrite-body-base64`   |
+| `k8s.apisix.apache.org/response-rewrite-add-header`    |
+| `k8s.apisix.apache.org/response-rewrite-set-header`    |
+| `k8s.apisix.apache.org/response-rewrite-remove-header` |
+| `k8s.apisix.apache.org/auth-uri`                       |
+| `k8s.apisix.apache.org/auth-ssl-verify`                |
+| `k8s.apisix.apache.org/auth-request-headers`           |
+| `k8s.apisix.apache.org/auth-upstream-headers`          |
+| `k8s.apisix.apache.org/auth-client-headers`            |
+| `k8s.apisix.apache.org/allowlist-source-range`         |
+| `k8s.apisix.apache.org/blocklist-source-range`         |
+| `k8s.apisix.apache.org/http-allow-methods`             |
+| `k8s.apisix.apache.org/http-block-methods`             |
+| `k8s.apisix.apache.org/auth-type`                      |
+| `k8s.apisix.apache.org/svc-namespace`                  |
+
+### Summary
+
+| Category         | Description                                                                                          |
+| ---------------- | ---------------------------------------------------------------------------------------------------- |
+| Architecture     | The `mock-etcd` component has been removed. Configuration is now centralized through the Controller. |
+| Configuration    | Static configuration fields have been removed. Use `GatewayProxy` CRD to configure the data plane.   |
+| Data Plane       | Requires APISIX version 3.13.0 running in `standalone` mode.                                         |
+| API              | Some fields in `Ingress Annotations` and `ApisixUpstream` are not yet supported.                     |
+| Upgrade Strategy | Blue-green deployment or canary release is recommended before full switchover.                       |

internal/controller/config/config.go

@@ -118,7 +118,7 @@ func (c *Config) Validate() error {
 
 func validateProvider(config ProviderConfig) error {
 	switch config.Type {
-	case ProviderTypeStandalone:
+	case ProviderTypeStandalone, ProviderTypeAPISIX:
 		if config.SyncPeriod.Duration <= 0 {
 			return fmt.Errorf("sync_period must be greater than 0 for standalone provider")
 		}

internal/controller/config/types.go

@@ -26,6 +26,7 @@ type ProviderType string
 const (
 	ProviderTypeStandalone ProviderType = "apisix-standalone"
 	ProviderTypeAPI7EE     ProviderType = "api7ee"
+	ProviderTypeAPISIX     ProviderType = "apisix"
 )
 
 const (

internal/manager/controllers.go

@@ -43,15 +43,15 @@ import (
 // +kubebuilder:rbac:groups=apisix.apache.org,resources=apisixglobalrules,verbs=get;list;watch
 // +kubebuilder:rbac:groups=apisix.apache.org,resources=apisixpluginconfigs,verbs=get;list;watch
 // +kubebuilder:rbac:groups=apisix.apache.org,resources=apisixroutes,verbs=get;list;watch
-// +kubebuilder:rbac:groups=apisix.apache.org,resources=apisixtls,verbs=get;list;watch
+// +kubebuilder:rbac:groups=apisix.apache.org,resources=apisixtlses,verbs=get;list;watch
 // +kubebuilder:rbac:groups=apisix.apache.org,resources=apisixupstreams,verbs=get;list;watch
 
 // CustomResourceDefinition v2 status
 // +kubebuilder:rbac:groups=apisix.apache.org,resources=apisixconsumers/status,verbs=get;update
 // +kubebuilder:rbac:groups=apisix.apache.org,resources=apisixglobalrules/status,verbs=get;update
 // +kubebuilder:rbac:groups=apisix.apache.org,resources=apisixpluginconfigs/status,verbs=get;update
 // +kubebuilder:rbac:groups=apisix.apache.org,resources=apisixroutes/status,verbs=get;update
-// +kubebuilder:rbac:groups=apisix.apache.org,resources=apisixtls/status,verbs=get;update
+// +kubebuilder:rbac:groups=apisix.apache.org,resources=apisixtlses/status,verbs=get;update
 // +kubebuilder:rbac:groups=apisix.apache.org,resources=apisixupstreams/status,verbs=get;update
 
 // CustomResourceDefinition
@@ -71,6 +71,8 @@ import (
 // +kubebuilder:rbac:groups=gateway.networking.k8s.io,resources=gateways/status,verbs=get;update
 // +kubebuilder:rbac:groups=gateway.networking.k8s.io,resources=httproutes,verbs=get;list;watch
 // +kubebuilder:rbac:groups=gateway.networking.k8s.io,resources=httproutes/status,verbs=get;update
+// +kubebuilder:rbac:groups=gateway.networking.k8s.io,resources=referencegrants,verbs=list;watch;update
+// +kubebuilder:rbac:groups=gateway.networking.k8s.io,resources=referencegrants/status,verbs=get;update
 
 // Networking
 // +kubebuilder:rbac:groups=networking.k8s.io,resources=ingresses,verbs=get;list;watch;update

internal/provider/adc/adc.go

@@ -20,12 +20,12 @@ package adc
 import (
 	"context"
 	"encoding/json"
-	"errors"
 	"os"
 	"sync"
 	"time"
 
 	"github.com/api7/gopkg/pkg/log"
+	"github.com/pkg/errors"
 	"go.uber.org/zap"
 	networkingv1 "k8s.io/api/networking/v1"
 	"sigs.k8s.io/controller-runtime/pkg/client"
@@ -53,6 +53,7 @@ type BackendMode string
 const (
 	BackendModeAPISIXStandalone string = "apisix-standalone"
 	BackendModeAPI7EE           string = "api7ee"
+	BackendModeAPISIX           string = "apisix"
 )
 
 type adcClient struct {
@@ -193,7 +194,7 @@ func (d *adcClient) Update(ctx context.Context, tctx *provider.TranslateContext,
 	// This mode is full synchronization,
 	// which only needs to be saved in cache
 	// and triggered by a timer for synchronization
-	if d.BackendMode == BackendModeAPISIXStandalone || apiv2.Is(obj) {
+	if d.BackendMode == BackendModeAPISIXStandalone || d.BackendMode == BackendModeAPISIX || apiv2.Is(obj) {
 		return nil
 	}
 
@@ -254,7 +255,7 @@ func (d *adcClient) Delete(ctx context.Context, obj client.Object) error {
 	log.Debugw("successfully deleted resources from store", zap.Any("object", obj))
 
 	switch d.BackendMode {
-	case BackendModeAPISIXStandalone:
+	case BackendModeAPISIXStandalone, BackendModeAPISIX:
 		// Full synchronization is performed on a gateway by gateway basis
 		// and it is not possible to perform scheduled synchronization
 		// on deleted gateway level resources