feat(konnect): add support for KongCredentialJWT

.mockery.yaml

@@ -24,6 +24,7 @@ packages:
       KongCredentialAPIKeySDK:
       KongCredentialACLSDK:
       KongCredentialBasicAuthSDK:
+      KongCredentialJWTSDK:
       CACertificatesSDK:
       CertificatesSDK:
       KeysSDK:

CHANGELOG.md

@@ -91,6 +91,7 @@
   - basic-auth [#625](https://github.com/Kong/gateway-operator/pull/625)
   - API key [#635](https://github.com/Kong/gateway-operator/pull/635)
   - ACL [#661](https://github.com/Kong/gateway-operator/pull/661)
+  - JWT [#678](https://github.com/Kong/gateway-operator/pull/678)
 - Add support for `KongRoute`s bound directly to `KonnectGatewayControlPlane`s (serviceless rotues).
   [#669](https://github.com/Kong/gateway-operator/pull/669)
 

config/samples/konnect_kongconsumer_jwt.yaml

@@ -0,0 +1,45 @@
+kind: KonnectAPIAuthConfiguration
+apiVersion: konnect.konghq.com/v1alpha1
+metadata:
+  name: konnect-api-auth-dev-1
+  namespace: default
+spec:
+  type: token
+  token: kpat_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+  serverURL: us.api.konghq.com
+---
+kind: KonnectGatewayControlPlane
+apiVersion: konnect.konghq.com/v1alpha1
+metadata:
+  name: test-cp-basic-auth
+  namespace: default
+spec:
+  name: test-cp-basic-auth
+  labels:
+    app: test-cp-basic-auth
+    key1: test-cp-basic-auth
+  konnect:
+    authRef:
+      name: konnect-api-auth-dev-1
+---
+kind: KongConsumer
+apiVersion: configuration.konghq.com/v1
+metadata:
+  name: consumer-jwt-1
+  namespace: default
+username: consumer1
+spec:
+  controlPlaneRef:
+    type: konnectNamespacedRef
+    konnectNamespacedRef:
+      name: test-cp-basic-auth
+---
+apiVersion: configuration.konghq.com/v1alpha1
+kind: KongCredentialJWT
+metadata:
+  name: jwt-1
+  namespace: default
+spec:
+  consumerRef:
+    name: consumer-jwt-1
+  key: secretkey

controller/konnect/constraints/constraints.go

@@ -22,6 +22,7 @@ type SupportedKonnectEntityType interface {
 		configurationv1alpha1.KongCredentialBasicAuth |
 		configurationv1alpha1.KongCredentialAPIKey |
 		configurationv1alpha1.KongCredentialACL |
+		configurationv1alpha1.KongCredentialJWT |
 		configurationv1alpha1.KongUpstream |
 		configurationv1alpha1.KongCACertificate |
 		configurationv1alpha1.KongCertificate |

controller/konnect/constraints/entitytypename.go

@@ -1,14 +1,16 @@
 package constraints
 
+type typeWithName interface {
+	GetTypeName() string
+}
+
 // EntityTypeName returns the name of the entity type.
-func EntityTypeName[T SupportedKonnectEntityType]() string {
+func EntityTypeName[T typeWithName]() string {
 	var e T
 	return e.GetTypeName()
 }
 
 // EntityTypeNameForObj returns the name of the provided entity.
-func EntityTypeNameForObj[T interface {
-	GetTypeName() string
-}](obj T) string {
+func EntityTypeNameForObj[T typeWithName](obj T) string {
 	return obj.GetTypeName()
 }

controller/konnect/index.go

@@ -2,11 +2,6 @@ package konnect
 
 import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
-
-	"github.com/kong/gateway-operator/controller/konnect/constraints"
-
-	configurationv1 "github.com/kong/kubernetes-configuration/api/configuration/v1"
-	configurationv1alpha1 "github.com/kong/kubernetes-configuration/api/configuration/v1alpha1"
 )
 
 // ReconciliationIndexOption contains required options of index for a kind of object required for reconciliation.
@@ -15,26 +10,3 @@ type ReconciliationIndexOption struct {
 	IndexField   string
 	ExtractValue client.IndexerFunc
 }
-
-// ReconciliationIndexOptionsForEntity returns required index options for controller reconciliing the entity.
-func ReconciliationIndexOptionsForEntity[
-	TEnt constraints.EntityType[T],
-	T constraints.SupportedKonnectEntityType,
-]() []ReconciliationIndexOption {
-	var e TEnt
-	switch any(e).(type) {
-	case *configurationv1alpha1.KongPluginBinding:
-		return IndexOptionsForKongPluginBinding()
-	case *configurationv1alpha1.KongService:
-		return IndexOptionsForKongService()
-	case *configurationv1alpha1.KongRoute:
-		return IndexOptionsForKongRoute()
-	case *configurationv1alpha1.KongCredentialBasicAuth:
-		return IndexOptionsForCredentialsBasicAuth()
-	case *configurationv1.KongConsumer:
-		return IndexOptionsForKongConsumer()
-	case *configurationv1alpha1.KongSNI:
-		return IndexOptionsForKongSNI()
-	}
-	return nil
-}

controller/konnect/index_credentials_jwt.go

@@ -0,0 +1,32 @@
+package konnect
+
+import (
+	"sigs.k8s.io/controller-runtime/pkg/client"
+
+	configurationv1alpha1 "github.com/kong/kubernetes-configuration/api/configuration/v1alpha1"
+)
+
+const (
+	// IndexFieldKongCredentialJWTReferencesKongConsumer is the index name for KongCredentialJWT -> Consumer.
+	IndexFieldKongCredentialJWTReferencesKongConsumer = "kongCredentialsJWTConsumerRef"
+)
+
+// IndexOptionsForCredentialsJWT returns required Index options for KongCredentialJWT.
+func IndexOptionsForCredentialsJWT() []ReconciliationIndexOption {
+	return []ReconciliationIndexOption{
+		{
+			IndexObject:  &configurationv1alpha1.KongCredentialJWT{},
+			IndexField:   IndexFieldKongCredentialJWTReferencesKongConsumer,
+			ExtractValue: kongCredentialJWTReferencesConsumer,
+		},
+	}
+}
+
+// kongCredentialJWTReferencesConsumer returns the name of referenced Consumer.
+func kongCredentialJWTReferencesConsumer(obj client.Object) []string {
+	cred, ok := obj.(*configurationv1alpha1.KongCredentialJWT)
+	if !ok {
+		return nil
+	}
+	return []string{cred.Spec.ConsumerRef.Name}
+}

controller/konnect/ops/credentialjwt.go

@@ -0,0 +1,14 @@
+package ops
+
+import (
+	"context"
+
+	sdkkonnectops "github.com/Kong/sdk-konnect-go/models/operations"
+)
+
+// KongCredentialJWTSDK is the interface for the Konnect KongCredentialJWTSDK.
+type KongCredentialJWTSDK interface {
+	CreateJwtWithConsumer(ctx context.Context, req sdkkonnectops.CreateJwtWithConsumerRequest, opts ...sdkkonnectops.Option) (*sdkkonnectops.CreateJwtWithConsumerResponse, error)
+	DeleteJwtWithConsumer(ctx context.Context, request sdkkonnectops.DeleteJwtWithConsumerRequest, opts ...sdkkonnectops.Option) (*sdkkonnectops.DeleteJwtWithConsumerResponse, error)
+	UpsertJwtWithConsumer(ctx context.Context, request sdkkonnectops.UpsertJwtWithConsumerRequest, opts ...sdkkonnectops.Option) (*sdkkonnectops.UpsertJwtWithConsumerResponse, error)
+}