fix: use https_verify_certificate for standalone active health checks

[AlinsRan]

Summary

• rename the active health check verify field sent by the ingress controller to https_verify_certificate
• align the standalone payload with the schema change from fix: rename schema field https_verify_cert to https_verify_certificate adc#438

Why

The standalone dataplane rejects https_verify_cert in active health checks, which prevents the generated service config from syncing and leaves the upstream list empty in the affected e2e case.

Summary by CodeRabbit

• Refactor
  • Updated HTTPS certificate verification field naming in upstream health check configurations for improved consistency and clarity.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 222c978a-5a71-4d39-9cfd-874f6e455e81

📥 Commits

Reviewing files that changed from the base of the PR and between f507224 and 7250f04.

📒 Files selected for processing (2)

• .github/workflows/e2e-test-k8s.yml
• .github/workflows/e2e-test.yml

✅ Files skipped from review due to trivial changes (1)

• .github/workflows/e2e-test.yml

---

📝 Walkthrough

Walkthrough

This change renames the HTTPSVerifyCertificate struct field in the upstream active health check type and updates the translator to use the renamed field. Additionally, workflow environment variables for ADC version are introduced across two GitHub Actions workflows.

Changes

Cohort / File(s)	Summary
Struct Field Rename api/adc/types.go, internal/adc/translator/apisixupstream.go	Renames HTTPSVerifyCert to HTTPSVerifyCertificate in the UpstreamActiveHealthCheck struct, updating JSON and YAML serialization tags accordingly. Translator updated to reference the new field name.
Workflow Configuration .github/workflows/e2e-test-k8s.yml, .github/workflows/e2e-test.yml	Introduces top-level env.ADC_VERSION: dev environment variable in both E2E test workflows, making it available for conditional step execution.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

🚥 Pre-merge checks | ✅ 5 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
E2e Test Quality Review	⚠️ Warning	Code changes are correct but PR lacks E2E test coverage to validate the field renaming fix works end-to-end with the standalone dataplane.	Add E2E test cases verifying the new field is properly generated and that the standalone dataplane accepts the configuration without validation errors.

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly references the main change: renaming the TLS certificate verification field from https_verify_cert to https_verify_certificate for standalone active health checks, which is the core of the changeset.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Security Check	✅ Passed	The PR is a straightforward field rename for health check TLS certificate verification with correct semantics and no sensitive data exposure across all security categories.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix-standalone-healthcheck-verify-cert-field

---

_{Review rate limit: 4/5 reviews remaining, refill in 12 minutes.}

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Copilot]

Pull request overview

This PR updates the ADC upstream active health check payload to use the standalone schema’s certificate verification field name, ensuring generated configs are accepted by the standalone dataplane and health checks can sync successfully.

Changes:

• Renamed the active health check verify field in the ADC payload from https_verify_cert to https_verify_certificate.
• Updated the upstream translator to set HTTPSVerifyCertificate based on ActiveHealthCheck.StrictTLS.
• Added unit test coverage for the default (strict TLS enabled) and explicit strict TLS disabled cases.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

File	Description
internal/adc/translator/apisixupstream.go	Switches translator output from HTTPSVerifyCert to HTTPSVerifyCertificate when strict TLS is enabled/defaulted.
api/adc/types.go	Renames the ADC active health check field/tag to https_verify_certificate to match updated standalone schema.
internal/adc/translator/apisixupstream_test.go	Adds focused unit tests verifying default enablement and explicit disablement behavior.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@api/adc/types.go`:
- Line 207: The HTTPSVerifyCertificate field in the ADC config struct is
currently a plain bool with `omitempty`, which causes explicit false to be
dropped and APISIX to default to true; change the field declaration for
HTTPSVerifyCertificate to be a pointer (*bool) so false is preserved (or
alternatively remove `omitempty` from its `json`/`yaml` tags) and update any
constructors or JSON/YAML marshalling assumptions that set or read
HTTPSVerifyCertificate to handle a nil vs. non-nil value (look for the
struct/type that declares HTTPSVerifyCertificate and any code paths that build
or serialize that struct).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 75aa56bc-9d4c-4dfe-b33e-ac1cab95bef3

📥 Commits

Reviewing files that changed from the base of the PR and between 15b2f39 and f507224.

📒 Files selected for processing (3)

• api/adc/types.go
• internal/adc/translator/apisixupstream.go
• internal/adc/translator/apisixupstream_test.go

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

In Go's encoding/json and common YAML marshalling, does omitemptyomit aboolfield when its value isfalse? Also, for APISIX upstream active health checks, what is the default behavior of https_verify_certificate when the field is omitted?

💡 Result:

1. Go encoding/json + common YAML marshalling: does omitempty omit a bool when it is false? Yes for Go’s encoding/json. In Go’s encoding/json, a struct field tagged with omitempty is omitted when the field has an “empty value”; for bool, that empty value is false. 2) For APISIX upstream active health checks: default behavior of https_verify_certificate when omitted When using APISIX active health checks with HTTPS probes, the field upstream.checks.active.https_verify_certificate defaults to true (i.e., certificate verification is performed).

Citations:

• 1: https://pkg.go.dev/encoding/json@go1.25.5
• 2: https://pkg.go.dev/encoding/json
• 3: https://apisix.apache.org/docs/apisix/next/tutorials/health-check
• 4: https://apisix.apache.org/docs/apisix/next/tutorials/health-check/

---

Fix the TLS verification field to prevent silent inversion of boolean state.

The HTTPSVerifyCertificate field is a plain bool with omitempty. When StrictTLS: false (intending to disable certificate verification), the field is set to false, which then gets omitted from the serialized output due to omitempty. APISIX defaults the missing https_verify_certificate field to true, inverting the intended behavior—users disabling verification end up with verification enabled instead.

Change this to *bool to preserve the explicit false state, or remove the omitempty tag to always emit the field. This is a security-relevant configuration issue.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@api/adc/types.go` at line 207, The HTTPSVerifyCertificate field in the ADC
config struct is currently a plain bool with `omitempty`, which causes explicit
false to be dropped and APISIX to default to true; change the field declaration
for HTTPSVerifyCertificate to be a pointer (*bool) so false is preserved (or
alternatively remove `omitempty` from its `json`/`yaml` tags) and update any
constructors or JSON/YAML marshalling assumptions that set or read
HTTPSVerifyCertificate to handle a nil vs. non-nil value (look for the
struct/type that declares HTTPSVerifyCertificate and any code paths that build
or serialize that struct).

[github-actions]

conformance test report - apisix mode

apiVersion: gateway.networking.k8s.io/v1
date: "2026-04-30T06:54:49Z"
gatewayAPIChannel: experimental
gatewayAPIVersion: v1.3.0
implementation:
  contact: null
  organization: APISIX
  project: apisix-ingress-controller
  url: https://github.com/apache/apisix-ingress-controller.git
  version: v2.0.0
kind: ConformanceReport
mode: default
profiles:
- core:
    result: success
    statistics:
      Failed: 0
      Passed: 12
      Skipped: 0
  name: GATEWAY-GRPC
  summary: Core tests succeeded.
- core:
    failedTests:
    - HTTPRouteInvalidBackendRefUnknownKind
    result: failure
    skippedTests:
    - HTTPRouteHTTPSListener
    statistics:
      Failed: 1
      Passed: 31
      Skipped: 1
  extended:
    result: partial
    skippedTests:
    - HTTPRouteRedirectPortAndScheme
    statistics:
      Failed: 0
      Passed: 11
      Skipped: 1
    supportedFeatures:
    - GatewayAddressEmpty
    - GatewayPort8080
    - HTTPRouteBackendProtocolWebSocket
    - HTTPRouteDestinationPortMatching
    - HTTPRouteHostRewrite
    - HTTPRouteMethodMatching
    - HTTPRoutePathRewrite
    - HTTPRoutePortRedirect
    - HTTPRouteQueryParamMatching
    - HTTPRouteRequestMirror
    - HTTPRouteResponseHeaderModification
    - HTTPRouteSchemeRedirect
    unsupportedFeatures:
    - GatewayHTTPListenerIsolation
    - GatewayInfrastructurePropagation
    - GatewayStaticAddresses
    - HTTPRouteBackendProtocolH2C
    - HTTPRouteBackendRequestHeaderModification
    - HTTPRouteBackendTimeout
    - HTTPRouteParentRefPort
    - HTTPRoutePathRedirect
    - HTTPRouteRequestMultipleMirrors
    - HTTPRouteRequestPercentageMirror
    - HTTPRouteRequestTimeout
  name: GATEWAY-HTTP
  summary: Core tests failed with 1 test failures. Extended tests partially succeeded
    with 1 test skips.
- core:
    result: partial
    skippedTests:
    - TLSRouteSimpleSameNamespace
    statistics:
      Failed: 0
      Passed: 10
      Skipped: 1
  name: GATEWAY-TLS
  summary: Core tests partially succeeded with 1 test skips.

[github-actions]

conformance test report - apisix-standalone mode

apiVersion: gateway.networking.k8s.io/v1
date: "2026-04-30T06:54:35Z"
gatewayAPIChannel: experimental
gatewayAPIVersion: v1.3.0
implementation:
  contact: null
  organization: APISIX
  project: apisix-ingress-controller
  url: https://github.com/apache/apisix-ingress-controller.git
  version: v2.0.0
kind: ConformanceReport
mode: default
profiles:
- core:
    result: partial
    skippedTests:
    - TLSRouteSimpleSameNamespace
    statistics:
      Failed: 0
      Passed: 10
      Skipped: 1
  name: GATEWAY-TLS
  summary: Core tests partially succeeded with 1 test skips.
- core:
    result: success
    statistics:
      Failed: 0
      Passed: 12
      Skipped: 0
  name: GATEWAY-GRPC
  summary: Core tests succeeded.
- core:
    result: partial
    skippedTests:
    - HTTPRouteHTTPSListener
    statistics:
      Failed: 0
      Passed: 32
      Skipped: 1
  extended:
    result: partial
    skippedTests:
    - HTTPRouteRedirectPortAndScheme
    statistics:
      Failed: 0
      Passed: 11
      Skipped: 1
    supportedFeatures:
    - GatewayAddressEmpty
    - GatewayPort8080
    - HTTPRouteBackendProtocolWebSocket
    - HTTPRouteDestinationPortMatching
    - HTTPRouteHostRewrite
    - HTTPRouteMethodMatching
    - HTTPRoutePathRewrite
    - HTTPRoutePortRedirect
    - HTTPRouteQueryParamMatching
    - HTTPRouteRequestMirror
    - HTTPRouteResponseHeaderModification
    - HTTPRouteSchemeRedirect
    unsupportedFeatures:
    - GatewayHTTPListenerIsolation
    - GatewayInfrastructurePropagation
    - GatewayStaticAddresses
    - HTTPRouteBackendProtocolH2C
    - HTTPRouteBackendRequestHeaderModification
    - HTTPRouteBackendTimeout
    - HTTPRouteParentRefPort
    - HTTPRoutePathRedirect
    - HTTPRouteRequestMultipleMirrors
    - HTTPRouteRequestPercentageMirror
    - HTTPRouteRequestTimeout
  name: GATEWAY-HTTP
  summary: Core tests partially succeeded with 1 test skips. Extended tests partially
    succeeded with 1 test skips.

[Copilot]

Pull request overview

This PR updates the ADC upstream active health-check TLS verification field naming to match the standalone dataplane schema so generated configs are accepted and upstreams sync correctly.

Changes:

• Rename the active health-check verify field in the ADC payload to https_verify_certificate (Go field HTTPSVerifyCertificate).
• Update upstream translation logic to set the new field when StrictTLS is enabled/defaulted.
• Set ADC_VERSION: dev in API7EE e2e workflows so the CI path that extracts/uses the dev ADC artifact is enabled.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.

File	Description
internal/adc/translator/apisixupstream.go	Switches active health-check TLS verify output to the new HTTPSVerifyCertificate field.
api/adc/types.go	Renames the serialized JSON/YAML field from https_verify_cert to https_verify_certificate for active health checks.
.github/workflows/e2e-test.yml	Sets ADC_VERSION: dev globally for the workflow.
.github/workflows/e2e-test-k8s.yml	Sets ADC_VERSION: dev globally for the workflow.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[github-actions]

conformance test report

apiVersion: gateway.networking.k8s.io/v1
date: "2026-04-30T07:15:48Z"
gatewayAPIChannel: experimental
gatewayAPIVersion: v1.3.0
implementation:
  contact: null
  organization: APISIX
  project: apisix-ingress-controller
  url: https://github.com/apache/apisix-ingress-controller.git
  version: v2.0.0
kind: ConformanceReport
mode: default
profiles:
- core:
    failedTests:
    - GRPCExactMethodMatching
    - GRPCRouteHeaderMatching
    - GRPCRouteListenerHostnameMatching
    - GatewayModifyListeners
    result: failure
    statistics:
      Failed: 4
      Passed: 8
      Skipped: 0
  name: GATEWAY-GRPC
  summary: Core tests failed with 4 test failures.
- core:
    failedTests:
    - GatewayModifyListeners
    result: failure
    skippedTests:
    - HTTPRouteHTTPSListener
    statistics:
      Failed: 1
      Passed: 31
      Skipped: 1
  extended:
    result: partial
    skippedTests:
    - HTTPRouteRedirectPortAndScheme
    statistics:
      Failed: 0
      Passed: 11
      Skipped: 1
    supportedFeatures:
    - GatewayAddressEmpty
    - GatewayPort8080
    - HTTPRouteBackendProtocolWebSocket
    - HTTPRouteDestinationPortMatching
    - HTTPRouteHostRewrite
    - HTTPRouteMethodMatching
    - HTTPRoutePathRewrite
    - HTTPRoutePortRedirect
    - HTTPRouteQueryParamMatching
    - HTTPRouteRequestMirror
    - HTTPRouteResponseHeaderModification
    - HTTPRouteSchemeRedirect
    unsupportedFeatures:
    - GatewayHTTPListenerIsolation
    - GatewayInfrastructurePropagation
    - GatewayStaticAddresses
    - HTTPRouteBackendProtocolH2C
    - HTTPRouteBackendRequestHeaderModification
    - HTTPRouteBackendTimeout
    - HTTPRouteParentRefPort
    - HTTPRoutePathRedirect
    - HTTPRouteRequestMultipleMirrors
    - HTTPRouteRequestPercentageMirror
    - HTTPRouteRequestTimeout
  name: GATEWAY-HTTP
  summary: Core tests failed with 1 test failures. Extended tests partially succeeded
    with 1 test skips.
- core:
    failedTests:
    - GatewayModifyListeners
    - TLSRouteSimpleSameNamespace
    result: failure
    statistics:
      Failed: 2
      Passed: 9
      Skipped: 0
  name: GATEWAY-TLS
  summary: Core tests failed with 2 test failures.