feat(konnect): add KongCACertificate reconciler (#626)

* feat(konnect): add KongCACertificate reconciler

* convert to a standalone test

* apply review suggestions

* remove cases

* Update test/envtest/konnect_entities_cacertificate_test.go

Co-authored-by: Patryk Małek <[email protected]>

* extract deploy func

---------

Co-authored-by: Patryk Małek <[email protected]>

.mockery.yaml

@@ -20,3 +20,4 @@ packages:
       UpstreamsSDK:
       MeSDK:
       CredentialBasicAuthSDK:
+      CACertificatesSDK:

CHANGELOG.md

@@ -52,6 +52,8 @@
   [#506](https://github.com/Kong/gateway-operator/pull/506)
 - Add `KongConsumerGroup` reconciler for Konnect control planes.
   [#510](https://github.com/Kong/gateway-operator/pull/510)
+- Add `KongCACertificate` reconciler for Konnect CA certificates.
+  [#626](https://github.com/Kong/gateway-operator/pull/626)
 - Added command line flags to configure the certificate generator job's images.
   [#516](https://github.com/Kong/gateway-operator/pull/516)
 - Add `KongPluginBinding` reconciler for Konnect Plugins.

config/samples/konnect_cacertificate.yaml

@@ -0,0 +1,59 @@
+kind: KonnectAPIAuthConfiguration
+apiVersion: konnect.konghq.com/v1alpha1
+metadata:
+  name: konnect-api-auth-dev-1
+  namespace: default
+spec:
+  type: token
+  token: kpat_XXXXXXXXXXXXXXXXXXX
+  serverURL: us.api.konghq.tech
+---
+kind: KonnectGatewayControlPlane
+apiVersion: konnect.konghq.com/v1alpha1
+metadata:
+  name: test1
+  namespace: default
+spec:
+  name: test1
+  labels:
+    app: test1
+    key1: test1
+  konnect:
+    authRef:
+      name: konnect-api-auth-dev-1
+---
+kind: KongCACertificate
+apiVersion: configuration.konghq.com/v1alpha1
+metadata:
+  name: ca-cert-1
+  namespace: default
+  annotations:
+    konghq.com/tags: "infra"
+spec:
+  controlPlaneRef:
+    type: konnectNamespacedRef
+    konnectNamespacedRef:
+      name: test1
+  tags:
+    - production
+  cert: |
+    -----BEGIN CERTIFICATE-----
+    MIIDPTCCAiWgAwIBAgIUcNKAk2icWRJGwZ5QDpdSkkeF5kUwDQYJKoZIhvcNAQEL
+    BQAwLjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMRIwEAYDVQQKDAlLb25nIElu
+    Yy4wHhcNMjQwOTE5MDkwODEzWhcNMjkwOTE4MDkwODEzWjAuMQswCQYDVQQGEwJV
+    UzELMAkGA1UECAwCQ0ExEjAQBgNVBAoMCUtvbmcgSW5jLjCCASIwDQYJKoZIhvcN
+    AQEBBQADggEPADCCAQoCggEBAMvDhLM0vTw0QXmgE+sB6gvKx2PUWzvd2tRZoamH
+    h4RAxYRjgJsJe6WEeAk0tjWQqwAq0Y2MQioMCC4X+L13kpdtomI+4PKjBozg+iTd
+    ThyV0oQSVHHWzayUzcSODnGR524H9YxmkXV5ImrXwbEqXwiUESPVtjnf/ZzWS01v
+    gtbu4x3YW+z8kRoXOTpJHKcEoI90SU9F4yeuQsCtbJHeJZRqPr6Kz84ZuHsZ2MeU
+    os4j1GdMaH3dSysqFv6o1hJ2+6bsrE/ONiGtBb4+tyhivgf+u+ixQwqIERlEJzhI
+    z/csoAAnfMBY401j2NNUgPpwx5sTQdCz5aFDmanol5152M8CAwEAAaNTMFEwHQYD
+    VR0OBBYEFK2qd3oRF37acVvgfDeLakx66ioTMB8GA1UdIwQYMBaAFK2qd3oRF37a
+    cVvgfDeLakx66ioTMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
+    AAuul+rAztaueTpPIM63nrS4bSZsIatCgAQ5Pihm0+rZ+13BJk4K2GxkS+T0qkB5
+    34+F3eVhUB4cC+kVkWZrlEzD9BsJwWjnoJK+848znTg+ufTeaOQWslYNqFKjmy2k
+    K6NE7E6r+JLdNvafJzeDybSTXI1tCzDRWUdj5m+bgruX07B13KIJKrAweCTD1927
+    WvvfJYxsg8P7dYD9DPlcuOm22ggAaPPu4P/MsnApiq3kJEI/nSGSsboKyjBO2hcz
+    VF1CYr6Epfyw/47kwuJLCVHjlTgT4haOChW1S8rZILCLXfb8ukM/g3XVYIeEwzsr
+    KU74cm8lTFCdxlcXePbMdHc=
+    -----END CERTIFICATE-----

controller/konnect/constraints/constraints.go

@@ -20,7 +20,8 @@ type SupportedKonnectEntityType interface {
 		configurationv1beta1.KongConsumerGroup |
 		configurationv1alpha1.KongPluginBinding |
 		configurationv1alpha1.CredentialBasicAuth |
-		configurationv1alpha1.KongUpstream
+		configurationv1alpha1.KongUpstream |
+		configurationv1alpha1.KongCACertificate
 	// TODO: add other types
 
 	GetTypeName() string

controller/konnect/ops/kongcacertificate.go

@@ -0,0 +1,15 @@
+package ops
+
+import (
+	"context"
+
+	sdkkonnectcomp "github.com/Kong/sdk-konnect-go/models/components"
+	sdkkonnectops "github.com/Kong/sdk-konnect-go/models/operations"
+)
+
+// CACertificatesSDK is the interface for the CACertificatesSDK.
+type CACertificatesSDK interface {
+	CreateCaCertificate(ctx context.Context, controlPlaneID string, caCertificate sdkkonnectcomp.CACertificateInput, opts ...sdkkonnectops.Option) (*sdkkonnectops.CreateCaCertificateResponse, error)
+	UpsertCaCertificate(ctx context.Context, request sdkkonnectops.UpsertCaCertificateRequest, opts ...sdkkonnectops.Option) (*sdkkonnectops.UpsertCaCertificateResponse, error)
+	DeleteCaCertificate(ctx context.Context, controlPlaneID string, caCertificateID string, opts ...sdkkonnectops.Option) (*sdkkonnectops.DeleteCaCertificateResponse, error)
+}

controller/konnect/ops/ops.go

@@ -68,6 +68,8 @@ func Create[
 		return e, createUpstream(ctx, sdk.GetUpstreamsSDK(), ent)
 	case *configurationv1alpha1.CredentialBasicAuth:
 		return e, createCredentialBasicAuth(ctx, sdk.GetBasicAuthCredentials(), ent)
+	case *configurationv1alpha1.KongCACertificate:
+		return e, createCACertificate(ctx, sdk.GetCACertificatesSDK(), ent)
 
 		// ---------------------------------------------------------------------
 		// TODO: add other Konnect types
@@ -110,7 +112,8 @@ func Delete[
 		return deleteUpstream(ctx, sdk.GetUpstreamsSDK(), ent)
 	case *configurationv1alpha1.CredentialBasicAuth:
 		return deleteCredentialBasicAuth(ctx, sdk.GetBasicAuthCredentials(), ent)
-
+	case *configurationv1alpha1.KongCACertificate:
+		return deleteCACertificate(ctx, sdk.GetCACertificatesSDK(), ent)
 		// ---------------------------------------------------------------------
 		// TODO: add other Konnect types
 
@@ -177,7 +180,8 @@ func Update[
 		return ctrl.Result{}, updateUpstream(ctx, sdk.GetUpstreamsSDK(), ent)
 	case *configurationv1alpha1.CredentialBasicAuth:
 		return ctrl.Result{}, updateCredentialBasicAuth(ctx, sdk.GetBasicAuthCredentials(), ent)
-
+	case *configurationv1alpha1.KongCACertificate:
+		return ctrl.Result{}, updateCACertificate(ctx, sdk.GetCACertificatesSDK(), ent)
 		// ---------------------------------------------------------------------
 		// TODO: add other Konnect types