feat: add Unix socket support for inter-container communication (#2587) (dc8b662) (#297)

github-actions[bot] · AlinsRan · ronething · web-flow · commit 154df5719a6b · 2025-10-27T20:50:56.000+08:00
Co-authored-by: AlinsRan &lt;alinsran@apache.org&gt;
Co-authored-by: Ashing Zheng &lt;axingfly@gmail.com&gt;
diff --git a/.github/workflows/apisix-conformance-test.yml b/.github/workflows/apisix-conformance-test.yml
@@ -64,10 +64,6 @@ jobs:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}
 
-      - name: Install kind
-        run: |
-          go install sigs.k8s.io/kind@v0.23.0
-
       - name: Build images
         env:
           TAG: dev
@@ -85,7 +81,7 @@ jobs:
 
       - name: Install And Run Cloud Provider KIND
         run: |
-          go install sigs.k8s.io/cloud-provider-kind@latest
+          go install sigs.k8s.io/cloud-provider-kind@v0.8.0
           nohup cloud-provider-kind > /tmp/kind-loadbalancer.log 2>&1 &
   
       - name: Install Gateway API And CRDs
diff --git a/.github/workflows/conformance-test.yml b/.github/workflows/conformance-test.yml
@@ -86,7 +86,7 @@ jobs:
 
       - name: Install And Run Cloud Provider KIND
         run: |
-          go install sigs.k8s.io/cloud-provider-kind@latest
+          go install sigs.k8s.io/cloud-provider-kind@v0.8.0
           nohup cloud-provider-kind > /tmp/kind-loadbalancer.log 2>&1 &
   
       - name: Install Gateway API And CRDs
diff --git a/internal/adc/client/executor.go b/internal/adc/client/executor.go
@@ -24,6 +24,7 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"net"
 	"net/http"
 	"os"
 	"os/exec"
@@ -227,13 +228,32 @@ type HTTPADCExecutor struct {
 	serverURL  string
 }
 
-// NewHTTPADCExecutor creates a new HTTPADCExecutor with the specified ADC Server URL
+// NewHTTPADCExecutor creates a new HTTPADCExecutor with the specified ADC Server URL.
+// serverURL can be "http(s)://host:port" or "unix:///path/to/socket" or "unix:/path/to/socket".
 func NewHTTPADCExecutor(serverURL string, timeout time.Duration) *HTTPADCExecutor {
+	httpClient := &http.Client{
+		Timeout: timeout,
+	}
+
+	if strings.HasPrefix(serverURL, "unix:") {
+		var socketPath string
+		if strings.HasPrefix(serverURL, "unix:///") {
+			socketPath = strings.TrimPrefix(serverURL, "unix://")
+		} else {
+			socketPath = strings.TrimPrefix(serverURL, "unix:")
+		}
+		transport := &http.Transport{
+			DialContext: func(ctx context.Context, _, _ string) (net.Conn, error) {
+				return (&net.Dialer{}).DialContext(ctx, "unix", socketPath)
+			},
+		}
+		httpClient.Transport = transport
+		serverURL = "http://unix"
+	}
+
 	return &HTTPADCExecutor{
-		httpClient: &http.Client{
-			Timeout: timeout,
-		},
-		serverURL: serverURL,
+		httpClient: httpClient,
+		serverURL:  serverURL,
 	}
 }
 
diff --git a/test/e2e/framework/manifests/ingress.yaml b/test/e2e/framework/manifests/ingress.yaml
@@ -348,6 +348,8 @@ spec:
         app: apisix-ingress-controller
         control-plane: controller-manager
     spec:
+      securityContext:
+        fsGroup: 2000   
       containers:
       - image: api7/api7-ingress-controller:dev
         env:
@@ -359,10 +361,14 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.name
+        - name: ADC_SERVER_URL
+          value: "unix:/sockets/adc.sock"
         volumeMounts:
         - name: ingress-config
           mountPath: /app/conf/config.yaml
           subPath: config.yaml
+        - name: socket-volume
+          mountPath: /sockets
         {{ if .WebhookEnable -}}
         - name: webhook-certs
           mountPath: /tmp/certs
@@ -387,12 +393,7 @@ spec:
             path: /readyz
             port: 8081
           initialDelaySeconds: 5
-          periodSeconds: 10
-        securityContext:
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop:
-            - ALL
+          periodSeconds: 10       
       - image: ghcr.io/api7/adc:dev
         env:
         - name: ADC_RUNNING_MODE
@@ -405,13 +406,10 @@ spec:
         args:
         - "server"
         - "--listen"
-        - "http://127.0.0.1:3000"
+        - "unix:/sockets/adc.sock"
         - "--listen-status"
         - "3001"
         ports:
-        - name: http
-          containerPort: 3000
-          protocol: TCP
         - name: http-status
           containerPort: 3001
           protocol: TCP
@@ -428,11 +426,15 @@ spec:
             port: 3001
           initialDelaySeconds: 5
           periodSeconds: 5
-        securityContext: {}
+        volumeMounts:
+        - name: socket-volume
+          mountPath: /sockets
       volumes:
       - name: ingress-config
         configMap:
           name: ingress-config
+      - name: socket-volume
+        emptyDir: {}
       {{ if .WebhookEnable -}}
       - name: webhook-certs
         secret:
