feat(konnect): add KongCredentialSecretReconciler to reconcile consumer Secrets with basic-auth credentials and create KongCredentialBasicAuth in response (#1120)

* feat(konnect): add KongCredentialSecretReconciler to reconcile consumer Secrets and create Credential resources in response

* tests: fix mock matcher

* Apply suggestions from code review

Co-authored-by: Mattia Lavacca <lavacca.mattia@gmail.com>

* chore: fix typo in controller/konnect/ops/credenetialbasicauth.go

* Update controller/konnect/reconciler_credential_secrets.go

Co-authored-by: Mattia Lavacca <lavacca.mattia@gmail.com>

* Apply suggestions from code review

Co-authored-by: Mattia Lavacca <lavacca.mattia@gmail.com>

* chore: hardcode Secret entity name

* chore: add TODOs for other credential types

* chore: add TODOs for other credential types

* fix: add secret label selector for secrets to be reconciled in credential secrets reconciler

* fix: fix deleting credentials when consumer credential secret link is removed

* chore: add godoc for IndexFieldKongCredentialBasicAuthReferencesSecret

* fix: fix filterKongCredentials

---------

Co-authored-by: Mattia Lavacca <lavacca.mattia@gmail.com>

Author: pmalek

.golangci.yaml

@@ -162,3 +162,7 @@ issues:
     - linters:
         - forbidigo
       text: 'use of `.*(Create|Delete)Dataplane.+` forbidden because "Please use camel case'
+    - path: .*_test\.go
+      linters:
+        - gosec
+      text: 'Use of weak random number generator'

CHANGELOG.md

@@ -53,6 +53,10 @@
   It requires the experimental version of Gateway API (as of v1.2.x) installed in
   your cluster, and the flag `--enable-gateway-api-experimental` set.
   [#1010](https://github.com/Kong/gateway-operator/pull/1010)
+- Added support for `KongConsumer` `credentials` in Konnect entities support.
+  Users can now specify credentials for `KongConsumer`s in `Secret`s and reference
+  them in `KongConsumer`s' `credentials` field.
+  - `basic-auth` [#1120](https://github.com/Kong/gateway-operator/pull/1120)
 
 ### Changed
 

config/rbac/role/role.yaml

@@ -124,7 +124,6 @@ rules:
   - kongconsumers
   - kongcredentialacls
   - kongcredentialapikeys
-  - kongcredentialbasicauths
   - kongcredentialhmacs
   - kongcredentialjwts
   - kongdataplaneclientcertificates
@@ -202,6 +201,7 @@ rules:
 - apiGroups:
   - configuration.konghq.com
   resources:
+  - kongcredentialbasicauths
   - kongpluginbindings
   - kongplugins
   verbs:

config/samples/konnect_kongconsumer_basicauth_secret.yaml

@@ -0,0 +1,48 @@
+kind: KonnectAPIAuthConfiguration
+apiVersion: konnect.konghq.com/v1alpha1
+metadata:
+  name: konnect-api-auth-dev-1
+  namespace: default
+spec:
+  type: token
+  token: kpat_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+  serverURL: us.api.konghq.com
+---
+kind: KonnectGatewayControlPlane
+apiVersion: konnect.konghq.com/v1alpha1
+metadata:
+  name: test-cp-basic-auth
+  namespace: default
+spec:
+  name: test-cp-basic-auth
+  labels:
+    app: test-cp-basic-auth
+    key1: test-cp-basic-auth
+  konnect:
+    authRef:
+      name: konnect-api-auth-dev-1
+---
+kind: KongConsumer
+apiVersion: configuration.konghq.com/v1
+metadata:
+  name: consumer1
+  namespace: default
+username: consumer1
+spec:
+  controlPlaneRef:
+    type: konnectNamespacedRef
+    konnectNamespacedRef:
+      name: test-cp-basic-auth
+credentials:
+- consumer1-basic-auth1
+---
+kind: Secret
+apiVersion: v1
+metadata:
+  name: consumer1-basic-auth1
+  namespace: default
+  labels:
+    konghq.com/credential: basic-auth
+stringData:
+  username: username
+  password: pass

controller/konnect/constraints/constraints.go

@@ -10,6 +10,24 @@ import (
 	konnectv1alpha1 "github.com/kong/kubernetes-configuration/api/konnect/v1alpha1"
 )
 
+// SupportedCredentialType is a generic type constraint that all Kong credential
+// types must implement.
+type SupportedCredentialType interface {
+	configurationv1alpha1.KongCredentialBasicAuth
+	// TODO: add other credential types
+
+	GetTypeName() string
+}
+
+// KongCredential is a generic type constraint that all Kong credential types
+// must implement.
+type KongCredential[T SupportedCredentialType] interface {
+	*T
+	client.Object
+	GetConditions() []metav1.Condition
+	SetConditions([]metav1.Condition)
+}
+
 // SupportedKonnectEntityType is an interface that all Konnect entity types
 // must implement.
 type SupportedKonnectEntityType interface {

controller/konnect/index_credentials_basicauth.go

@@ -9,6 +9,8 @@ import (
 const (
 	// IndexFieldKongCredentialBasicAuthReferencesKongConsumer is the index name for KongCredentialBasicAuth -> Consumer.
 	IndexFieldKongCredentialBasicAuthReferencesKongConsumer = "kongCredentialsBasicAuthConsumerRef"
+	// IndexFieldKongCredentialBasicAuthReferencesSecret is the index name for KongCredentialBasicAuth -> Secret.
+	IndexFieldKongCredentialBasicAuthReferencesSecret = "kongCredentialsBasicAuthSecretRef"
 )
 
 // IndexOptionsForCredentialsBasicAuth returns required Index options for KongCredentialBasicAuth.
@@ -19,6 +21,11 @@ func IndexOptionsForCredentialsBasicAuth() []ReconciliationIndexOption {
 			IndexField:   IndexFieldKongCredentialBasicAuthReferencesKongConsumer,
 			ExtractValue: kongCredentialBasicAuthReferencesConsumer,
 		},
+		{
+			IndexObject:  &configurationv1alpha1.KongCredentialBasicAuth{},
+			IndexField:   IndexFieldKongCredentialBasicAuthReferencesSecret,
+			ExtractValue: kongCredentialBasicAuthReferencesSecret,
+		},
 	}
 }
 
@@ -30,3 +37,20 @@ func kongCredentialBasicAuthReferencesConsumer(obj client.Object) []string {
 	}
 	return []string{cred.Spec.ConsumerRef.Name}
 }
+
+// kongCredentialBasicAuthReferencesSecret returns the name of Secret which was
+// used to populate this (managed) credential resource.
+func kongCredentialBasicAuthReferencesSecret(obj client.Object) []string {
+	cred, ok := obj.(*configurationv1alpha1.KongCredentialBasicAuth)
+	if !ok {
+		return nil
+	}
+
+	var ret []string
+	for _, or := range cred.OwnerReferences {
+		if or.Kind == "Secret" {
+			ret = append(ret, or.Name)
+		}
+	}
+	return ret
+}

controller/konnect/index_kongconsumer.go

@@ -14,6 +14,8 @@ const (
 	IndexFieldKongConsumerOnPlugin = "consumerPluginRef"
 	// IndexFieldKongConsumerOnKonnectGatewayControlPlane is the index field for KongConsumer -> KonnectGatewayControlPlane.
 	IndexFieldKongConsumerOnKonnectGatewayControlPlane = "consumerKonnectGatewayControlPlaneRef"
+	// IndexFieldKongConsumerReferencesSecrets is the index field for Consumer -> Secret.
+	IndexFieldKongConsumerReferencesSecrets = "kongConsumerSecretRef"
 )
 
 // IndexOptionsForKongConsumer returns required Index options for KongConsumer reconciler.
@@ -34,6 +36,11 @@ func IndexOptionsForKongConsumer(cl client.Client) []ReconciliationIndexOption {
 			IndexField:   IndexFieldKongConsumerOnKonnectGatewayControlPlane,
 			ExtractValue: indexKonnectGatewayControlPlaneRef[configurationv1.KongConsumer](cl),
 		},
+		{
+			IndexObject:  &configurationv1.KongConsumer{},
+			IndexField:   IndexFieldKongConsumerReferencesSecrets,
+			ExtractValue: kongConsumerReferencesSecrets,
+		},
 	}
 }
 
@@ -52,3 +59,12 @@ func kongConsumerReferencesKongPluginsViaAnnotation(object client.Object) []stri
 	}
 	return metadata.ExtractPluginsWithNamespaces(consumer)
 }
+
+// kongConsumerReferencesSecret returns name of referenced Secrets.
+func kongConsumerReferencesSecrets(obj client.Object) []string {
+	consumer, ok := obj.(*configurationv1.KongConsumer)
+	if !ok {
+		return nil
+	}
+	return consumer.Credentials
+}