feat: support plugins field in ApisixConsumer by AlinsRan · Pull Request #2761 · apache/apisix-ingress-controller

AlinsRan · 2026-05-09T03:24:22Z

Summary

Add a generic plugins field to ApisixConsumerSpec so that consumer-scoped plugins (e.g. limit-count, limit-req) can be attached to an ApisixConsumer resource directly, without being limited to the auth plugins exposed through authParameter.

Changes

ApisixConsumerSpec gains a Plugins []ApisixRoutePlugin field, following the same pattern as ApisixRoute and ApisixGlobalRule. Enabled plugins are merged after the auth plugin derived from authParameter; an enabled entry with the same name takes precedence.
authParameter is now optional (omitempty). A CEL x-validation rule enforces that at least one auth method within authParameter OR at least one enabled plugin in plugins must be specified:
```
has(self.authParameter.basicAuth) || has(self.authParameter.keyAuth) || ... || (has(self.plugins) && self.plugins.exists(p, p.enable))
```
Translator updated to process the new Plugins slice via the existing buildPluginConfig helper.
Controller and indexer extended to load and index Secrets referenced by spec.plugins[].secretRef, consistent with ApisixRoute and ApisixGlobalRule behavior.
deepcopy updated for the new Plugins slice (auto-generated by make generate).
No webhook changes required; validation is handled entirely by the CRD-level CEL rule.
E2e tests added for two scenarios:
- authParameter + extra plugins (e.g. limit-count rate limiting at consumer level)
- plugins only — no authParameter (e.g. key-auth configured directly via plugins)

Example

apiVersion: apisix.apache.org/v2
kind: ApisixConsumer
metadata:
  name: my-consumer
spec:
  ingressClassName: apisix
  authParameter:
    keyAuth:
      value:
        key: my-secret-key
  plugins:
  - name: limit-count
    enable: true
    config:
      count: 100
      time_window: 60
      rejected_code: 429
      policy: local

Or, using plugins only (without authParameter):

apiVersion: apisix.apache.org/v2
kind: ApisixConsumer
metadata:
  name: key-auth-consumer
spec:
  ingressClassName: apisix
  plugins:
  - name: key-auth
    enable: true
    config:
      key: my-secret-key

Add a generic `plugins` field to ApisixConsumerSpec so that consumer-scoped plugins (e.g. limit-count, limit-req) can be attached to an ApisixConsumer resource directly, without being limited to the auth plugins exposed through authParameter. Key changes: - ApisixConsumerSpec gains a Plugins []ApisixRoutePlugin field, following the same pattern as ApisixRoute and ApisixGlobalRule. Enabled plugins are merged after the auth plugin derived from authParameter; an enabled entry with the same name takes precedence. - authParameter is now optional (omitempty). A CEL x-validation rule enforces that at least one auth method within authParameter OR at least one enabled plugin in plugins must be specified. - Translator updated to process the new Plugins slice via the existing buildPluginConfig helper. - Controller and indexer extended to load and index Secrets referenced by spec.plugins[].secretRef, consistent with ApisixRoute and ApisixGlobalRule behavior. - deepcopy updated for the new Plugins slice. - No webhook changes required; validation is handled entirely by the CRD-level CEL rule (x-kubernetes-validations). - E2e tests added for authParameter+plugins and plugins-only consumers. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat: support plugins field in ApisixConsumer#2761

feat: support plugins field in ApisixConsumer#2761
AlinsRan wants to merge 1 commit intoapache:masterfrom
AlinsRan:feat/apisixconsumer-plugins-apache

AlinsRan commented May 9, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Conversation

AlinsRan commented May 9, 2026

Summary

Changes

Example

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant