feat(konnect): add KongVault reconciler (#597)

* add KongVault reconciler * add unit tests for KongVault * add integration test * fix owner reference and add envtest * address comments * add watch for apiAuthConfiguration and controlPlane in KongVault reconciler * add comments on cpref namespace
Kong · Sep 25, 2024 · 23b649b · 23b649b
1 parent 7583a25
commit 23b649b
Show file tree

Hide file tree

Showing 20 changed files with 1,374 additions and 7 deletions.
diff --git a/.mockery.yaml b/.mockery.yaml
@@ -19,6 +19,7 @@ packages:
       PluginSDK:
       UpstreamsSDK:
       TargetsSDK:
+      VaultSDK:
       MeSDK:
       KongCredentialBasicAuthSDK:
       CACertificatesSDK:
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -60,6 +60,8 @@
   [#513](https://github.com/Kong/gateway-operator/pull/513), [#535](https://github.com/Kong/gateway-operator/pull/535)
 - Add `KongTarget` reconciler for Konnect Targets.
   [#627](https://github.com/Kong/gateway-operator/pull/627)
+- Add `KongVault` reconciler for Konnect Vaults.
+  [#597](https://github.com/Kong/gateway-operator/pull/597)
 - The `DataPlaneKonnectExtension` CRD has been introduced. Such a CRD can be attached
   to a `DataPlane` via the extensions field to have a konnect-flavored `DataPlane`.
   [#453](https://github.com/Kong/gateway-operator/pull/453), [#578](https://github.com/Kong/gateway-operator/pull/578)

diff --git a/config/rbac/role/role.yaml b/config/rbac/role/role.yaml
@@ -134,7 +134,6 @@ rules:
   - kongingresses
   - konglicenses
   - kongupstreampolicies
-  - kongvaults
   - tcpingresses
   - udpingresses
   verbs:
@@ -185,6 +184,7 @@ rules:
   - kongservices
   - kongtargets
   - kongupstreams
+  - kongvaults
   verbs:
   - get
   - list

diff --git a/config/samples/konnect_kongvault.yaml b/config/samples/konnect_kongvault.yaml
@@ -0,0 +1,39 @@
+kind: KonnectAPIAuthConfiguration
+apiVersion: konnect.konghq.com/v1alpha1
+metadata:
+  name: konnect-api-auth-dev-1
+  namespace: default
+spec:
+  type: token
+  token: kpat_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+  serverURL: us.api.konghq.com
+---
+kind: KonnectGatewayControlPlane
+apiVersion: konnect.konghq.com/v1alpha1
+metadata:
+  name: test1
+  namespace: default
+spec:
+  name: test1
+  labels:
+    app: test1
+    key1: test1
+  konnect:
+    authRef:
+      name: konnect-api-auth-dev-1
+---
+kind: KongVault
+apiVersion: configuration.konghq.com/v1alpha1
+metadata:
+  name: env-vault-1
+spec:
+  backend: env
+  prefix: env-vault
+  config:
+    prefix: "konnect_vault_test_"
+  controlPlaneRef:
+    type: konnectNamespacedRef
+    konnectNamespacedRef:
+      name: test1
+      # KongVault is cluster scoped currently, so we need to specify namespace of Konnect control plane.
+      namespace: default
diff --git a/controller/konnect/constraints/constraints.go b/controller/konnect/constraints/constraints.go
@@ -22,8 +22,8 @@ type SupportedKonnectEntityType interface {
 		configurationv1alpha1.KongCredentialBasicAuth |
 		configurationv1alpha1.KongUpstream |
 		configurationv1alpha1.KongCACertificate |
-		configurationv1alpha1.KongTarget
-
+		configurationv1alpha1.KongTarget |
+		configurationv1alpha1.KongVault
 	// TODO: add other types
 
 	GetTypeName() string

diff --git a/controller/konnect/ops/kongvault.go b/controller/konnect/ops/kongvault.go
@@ -0,0 +1,15 @@
+package ops
+
+import (
+	"context"
+
+	sdkkonnectcomp "github.com/Kong/sdk-konnect-go/models/components"
+	sdkkonnectops "github.com/Kong/sdk-konnect-go/models/operations"
+)
+
+// VaultSDK is the interface for Konnect Vault SDK.
+type VaultSDK interface {
+	CreateVault(ctx context.Context, controlPlaneID string, vault sdkkonnectcomp.VaultInput, opts ...sdkkonnectops.Option) (*sdkkonnectops.CreateVaultResponse, error)
+	UpsertVault(ctx context.Context, request sdkkonnectops.UpsertVaultRequest, opts ...sdkkonnectops.Option) (*sdkkonnectops.UpsertVaultResponse, error)
+	DeleteVault(ctx context.Context, controlPlaneID string, vaultID string, opts ...sdkkonnectops.Option) (*sdkkonnectops.DeleteVaultResponse, error)
+}
diff --git a/controller/konnect/ops/kongvault_mock.go b/controller/konnect/ops/kongvault_mock.go
diff --git a/controller/konnect/ops/ops.go b/controller/konnect/ops/ops.go
@@ -72,6 +72,8 @@ func Create[
 		return e, createCACertificate(ctx, sdk.GetCACertificatesSDK(), ent)
 	case *configurationv1alpha1.KongTarget:
 		return e, createTarget(ctx, sdk.GetTargetsSDK(), ent)
+	case *configurationv1alpha1.KongVault:
+		return e, createVault(ctx, sdk.GetVaultSDK(), ent)
 
 		// ---------------------------------------------------------------------
 		// TODO: add other Konnect types
@@ -118,6 +120,8 @@ func Delete[
 		return deleteCACertificate(ctx, sdk.GetCACertificatesSDK(), ent)
 	case *configurationv1alpha1.KongTarget:
 		return deleteTarget(ctx, sdk.GetTargetsSDK(), ent)
+	case *configurationv1alpha1.KongVault:
+		return deleteVault(ctx, sdk.GetVaultSDK(), ent)
 
 		// ---------------------------------------------------------------------
 		// TODO: add other Konnect types
@@ -209,6 +213,8 @@ func Update[
 		return ctrl.Result{}, updateCACertificate(ctx, sdk.GetCACertificatesSDK(), ent)
 	case *configurationv1alpha1.KongTarget:
 		return ctrl.Result{}, updateTarget(ctx, sdk.GetTargetsSDK(), ent)
+	case *configurationv1alpha1.KongVault:
+		return ctrl.Result{}, updateVault(ctx, sdk.GetVaultSDK(), ent)
 
 		// ---------------------------------------------------------------------
 		// TODO: add other Konnect types