From e3908da2bbc28c4ad366e9e2cc8cc649db73cc36 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Patryk=20Ma=C5=82ek?= Date: Wed, 31 Jul 2024 17:48:00 +0200 Subject: [PATCH 1/5] feat(konnect): support Secrets in KonnectAPIAuthConfiguration --- Makefile | 17 +- .../konnect_apiauth_configuration.yaml | 30 ++++ .../konnect/reconciler_konnectapiauth.go | 108 +++++++++++- .../konnect/reconciler_konnectapiauth_rbac.go | 2 + .../konnect/reconciler_konnectapiauth_test.go | 161 ++++++++++++++++++ .../reconciler_konnectapiauth_watch.go | 73 ++++++++ modules/manager/scheme/scheme.go | 9 +- 7 files changed, 394 insertions(+), 6 deletions(-) create mode 100644 config/samples/konnect_apiauth_configuration.yaml create mode 100644 controller/konnect/reconciler_konnectapiauth_test.go create mode 100644 controller/konnect/reconciler_konnectapiauth_watch.go diff --git a/Makefile b/Makefile index f57e9c424..21489423b 100644 --- a/Makefile +++ b/Makefile 
@@ -513,9 +513,18 @@ install: manifests kustomize install-gateway-api-crds $(KUSTOMIZE) build $(KIC_CRDS_URL) | kubectl apply -f - $(KUSTOMIZE) build config/crd | kubectl apply --server-side -f - +KUBERNETES_CONFIGURATION_CRDS_PACKAGE ?= github.com/kong/kubernetes-configuration +KUBERNETES_CONFIGURATION_CRDS_VERSION ?= $(shell go list -m -f '{{ .Version }}' $(KUBERNETES_CONFIGURATION_CRDS_PACKAGE)) +KUBERNETES_CONFIGURATION_CRDS_CRDS_LOCAL_PATH = $(shell go env GOPATH)/pkg/mod/$(KUBERNETES_CONFIGURATION_CRDS_PACKAGE)@$(KUBERNETES_CONFIGURATION_CRDS_VERSION)/config/crd + +# Install kubernetes-configuration CRDs into the K8s cluster specified in ~/.kube/config. +.PHONY: install.kubernetes-configuration-crds +install.kubernetes-configuration-crds: kustomize + $(KUSTOMIZE) build $(KUBERNETES_CONFIGURATION_CRDS_CRDS_LOCAL_PATH) | kubectl apply -f - + # Install standard and experimental CRDs into the K8s cluster specified in ~/.kube/config. .PHONY: install.all -install.all: manifests kustomize install-gateway-api-crds +install.all: manifests kustomize install-gateway-api-crds install.kubernetes-configuration-crds $(KUSTOMIZE) build $(KIC_CRDS_URL) | kubectl apply -f - kubectl apply --server-side -f $(PROJECT_DIR)/config/crd/bases/ kubectl get crd -ojsonpath='{.items[*].metadata.name}' | xargs -n1 kubectl wait --for condition=established crd 
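Review bot: `KUBERNETES_CONFIGURATION_CRDS_CRDS_LOCAL_PATH` is assembled by hand from `go env GOPATH` plus `pkg/mod/...`, which breaks when GOMODCACHE points elsewhere or GOPATH holds more than one entry. Asking the go tool for the directory avoids that assumption: `KUBERNETES_CONFIGURATION_CRDS_CRDS_LOCAL_PATH = $(shell go list -m -f '{{ .Dir }}' $(KUBERNETES_CONFIGURATION_CRDS_PACKAGE))/config/crd`. Nothing in the recipe ensures the module has been downloaded before kustomize reads it, so a `go mod download` prerequisite may be needed on a cold cache. The doubled `CRDS_CRDS` in the variable name also looks unintended.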
@@ -527,10 +536,14 @@ uninstall: manifests kustomize uninstall-gateway-api-crds $(KUSTOMIZE) build $(KIC_CRDS_URL) | kubectl delete --ignore-not-found=$(ignore-not-found) -f - $(KUSTOMIZE) build config/crd | kubectl delete --ignore-not-found=$(ignore-not-found) -f - +.PHONY: uninstall.kubernetes-configuration-crds +uninstall.kubernetes-configuration-crds: kustomize + $(KUSTOMIZE) build $(KUBERNETES_CONFIGURATION_CRDS_CRDS_LOCAL_PATH) | kubectl delete -f - + # Uninstall standard and experimental CRDs from the K8s cluster specified in ~/.kube/config. # Call with ignore-not-found=true to ignore resource not found errors during deletion. .PHONY: uninstall.all -uninstall.all: manifests kustomize uninstall-gateway-api-crds +uninstall.all: manifests kustomize uninstall-gateway-api-crds uninstall.kubernetes-configuration-crds $(KUSTOMIZE) build $(KIC_CRDS_URL) | kubectl apply -f - kubectl delete --ignore-not-found=$(ignore-not-found) -f $(PROJECT_DIR)/config/crd/bases/ diff --git a/config/samples/konnect_apiauth_configuration.yaml b/config/samples/konnect_apiauth_configuration.yaml new file mode 100644 index 000000000..a2bdbff9e --- /dev/null +++ b/config/samples/konnect_apiauth_configuration.yaml @@ -0,0 +1,30 @@ +kind: KonnectAPIAuthConfiguration +apiVersion: konnect.konghq.com/v1alpha1 +metadata: + name: konnect-api-auth-1 + namespace: default +spec: + type: token + token: kpat_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx + serverURL: eu.api.konghq.com +--- +kind: KonnectAPIAuthConfiguration +apiVersion: konnect.konghq.com/v1alpha1 +metadata: + name: konnect-api-auth-2 + namespace: default +spec: + type: secretRef + secretRef: + name: konnect-api-auth-secret + serverURL: eu.api.konghq.com +--- +kind: Secret +apiVersion: v1 +metadata: + name: konnect-api-auth-secret + namespace: default + labels: + konghq.com/credential: konnect +stringData: + token: kpat_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx 
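Review bot: The new `uninstall.kubernetes-configuration-crds` recipe runs `kubectl delete -f -` without the `--ignore-not-found=$(ignore-not-found)` flag that the neighbouring uninstall recipes pass. Because `uninstall.all` now depends on it, `uninstall.all ignore-not-found=true` will fail on a cluster where these CRDs were never installed. Suggest `$(KUSTOMIZE) build $(KUBERNETES_CONFIGURATION_CRDS_CRDS_LOCAL_PATH) | kubectl delete --ignore-not-found=$(ignore-not-found) -f -`. The target also lacks the one-line description comment that its install counterpart has.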
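Review bot: The first sample document keeps the Konnect token inline in `spec.token`, where it is readable by anyone allowed to get KonnectAPIAuthConfiguration objects and is carried along wherever the object is exported or printed. A comment above that document would steer users to the second sample, for example `# NOTE: prefer type: secretRef; an inline token is visible to everyone who can read this resource.` The Secret document could also state that the token must be stored under the `token` key, since the reconciler reads only `SecretTokenKey`.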
diff --git a/controller/konnect/reconciler_konnectapiauth.go b/controller/konnect/reconciler_konnectapiauth.go index b5322990b..431d2397d 100644 --- a/controller/konnect/reconciler_konnectapiauth.go +++ b/controller/konnect/reconciler_konnectapiauth.go @@ -6,10 +6,15 @@ import ( "time" sdkkonnectgoops "github.com/Kong/sdk-konnect-go/models/operations" + corev1 "k8s.io/api/core/v1" k8serrors "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/types" ctrl "sigs.k8s.io/controller-runtime" + "sigs.k8s.io/controller-runtime/pkg/builder" "sigs.k8s.io/controller-runtime/pkg/client" + "sigs.k8s.io/controller-runtime/pkg/handler" + "sigs.k8s.io/controller-runtime/pkg/predicate" "github.com/kong/gateway-operator/controller/pkg/log" k8sutils "github.com/kong/gateway-operator/pkg/utils/kubernetes" @@ -24,6 +29,17 @@ type KonnectAPIAuthConfigurationReconciler struct { Client client.Client } +const ( + // SecretTokenKey is the key used to store the token in the Secret. + SecretTokenKey = "token" + // SecretCredentialLabel is the label used to identify Secrets holding + // KonnectAPIAuthConfiguration tokens. + SecretCredentialLabel = "konghq.com/credential" //nolint:gosec + // SecretCredentialLabelValueKonnect is the value of the label used to + // identify Secrets holding KonnectAPIAuthConfiguration tokens. + SecretCredentialLabelValueKonnect = "konnect" +) + // NewKonnectAPIAuthConfigurationReconciler creates a new KonnectAPIAuthConfigurationReconciler. func NewKonnectAPIAuthConfigurationReconciler( sdkFactory SDKFactory, 
@@ -39,8 +55,26 @@ func NewKonnectAPIAuthConfigurationReconciler( // SetupWithManager sets up the controller with the Manager. func (r *KonnectAPIAuthConfigurationReconciler) SetupWithManager(mgr ctrl.Manager) error { + secretLabelPredicate, err := predicate.LabelSelectorPredicate( + metav1.LabelSelector{ + MatchLabels: map[string]string{ + SecretCredentialLabel: SecretCredentialLabelValueKonnect, + }, + }, + ) + if err != nil { + return fmt.Errorf("failed to create Secret label selector predicate: %w", err) + } + b := ctrl.NewControllerManagedBy(mgr). For(&konnectv1alpha1.KonnectAPIAuthConfiguration{}). + Watches( + &corev1.Secret{}, + handler.EnqueueRequestsFromMapFunc( + listKonnectAPIAuthConfigurationsReferencingSecret(mgr.GetClient()), + ), + builder.WithPredicates(secretLabelPredicate), + ). Named("KonnectAPIAuthConfiguration") return b.Complete(r) @@ -81,9 +115,30 @@ func (r *KonnectAPIAuthConfigurationReconciler) Reconcile( return ctrl.Result{}, nil } + token, err := getTokenFromKonnectAPIAuthConfiguration(ctx, r.Client, &apiAuth) + if err != nil { + k8sutils.SetCondition( + k8sutils.NewConditionWithGeneration( + KonnectEntityAPIAuthConfigurationValidConditionType, + metav1.ConditionFalse, + KonnectEntityAPIAuthConfigurationReasonInvalid, + err.Error(), + apiAuth.GetGeneration(), + ), + &apiAuth, + ) + if err := r.Client.Status().Update(ctx, &apiAuth); err != nil { + if k8serrors.IsConflict(err) { + return ctrl.Result{Requeue: true}, nil + } + return ctrl.Result{}, fmt.Errorf("failed to update status of %s: %w", entityTypeName, err) + } + return ctrl.Result{}, err + } + sdk := r.SDKFactory.NewKonnectSDK( "https://"+apiAuth.Spec.ServerURL, - SDKToken(apiAuth.Spec.Token), + SDKToken(token), ) // TODO(pmalek): check if api auth config has a valid status condition 
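Review bot: `builder.WithPredicates(secretLabelPredicate)` in `SetupWithManager` only filters which Secret events reach the map function; with controller-runtime's default cache it does not narrow the informer, so the manager presumably still lists and caches every Secret it is allowed to read. The RBAC marker added in reconciler_konnectapiauth_rbac.go grants `get;list;watch` on Secrets to match. If the label is meant to limit what the operator holds in memory, the restriction belongs in the manager's cache options (a label selector for `corev1.Secret` under `cache.Options.ByObject`), which is outside this hunk. With such a selector an unlabelled Secret would surface in `getTokenFromKonnectAPIAuthConfiguration` as not-found rather than as the missing-label error. At minimum add a comment here such as `// NOTE: this predicate filters events only; it does not restrict which Secrets are cached.`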
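Review bot: The token now read from a Secret is passed to an SDK client whose base URL is `"https://"+apiAuth.Spec.ServerURL`, a value from the same user-authored spec, so whoever can create a KonnectAPIAuthConfiguration chooses the host that receives the credential. Nothing visible in this hunk validates `ServerURL`; if the CRD schema does not already constrain it, Reconcile should check it against the known Konnect API hosts before calling `NewKonnectSDK` and set the Invalid condition otherwise. Separately, the status-update block added for the token error repeats the pattern used later in Reconcile and could share a helper. Reconcile starts and ends outside the hunk.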
@@ -101,6 +156,7 @@ func (r *KonnectAPIAuthConfigurationReconciler) Reconcile( cond.Status != metav1.ConditionFalse || cond.Reason != KonnectEntityAPIAuthConfigurationReasonInvalid || cond.ObservedGeneration != apiAuth.GetGeneration() || + cond.Message != err.Error() || apiAuth.Status.OrganizationID != "" || apiAuth.Status.ServerURL != apiAuth.Spec.ServerURL { @@ -123,9 +179,20 @@ func (r *KonnectAPIAuthConfigurationReconciler) Reconcile( } // Update the status only if it would change to prevent unnecessary updates. + condMessage := "Token is valid" + if apiAuth.Spec.Type == konnectv1alpha1.KonnectAPIAuthTypeSecretRef { + nn := types.NamespacedName{ + Namespace: apiAuth.Spec.SecretRef.Namespace, + Name: apiAuth.Spec.SecretRef.Name, + } + if nn.Namespace == "" { + nn.Namespace = apiAuth.Namespace + } + condMessage = fmt.Sprintf("Token from Secret %s is valid", nn) + } if cond, ok := k8sutils.GetCondition(KonnectEntityAPIAuthConfigurationValidConditionType, &apiAuth); !ok || cond.Status != metav1.ConditionTrue || - cond.Message != "" || + cond.Message != condMessage || cond.Reason != KonnectEntityAPIAuthConfigurationReasonValid || cond.ObservedGeneration != apiAuth.GetGeneration() || apiAuth.Status.OrganizationID != *respOrg.MeOrganization.ID || @@ -139,7 +206,7 @@ func (r *KonnectAPIAuthConfigurationReconciler) Reconcile( KonnectEntityAPIAuthConfigurationValidConditionType, metav1.ConditionTrue, KonnectEntityAPIAuthConfigurationReasonValid, - fmt.Sprintf("Referenced KonnectAPIAuthConfiguration %s is valid", client.ObjectKeyFromObject(&apiAuth)), + condMessage, ) if err != nil || res.Requeue { return res, err 
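Review bot: `apiAuth.Spec.SecretRef` is dereferenced in the `condMessage` block, and in `getTokenFromKonnectAPIAuthConfiguration` in the last hunk of this file, without a nil check. The tests build it as a `*corev1.SecretReference`, and the Secret watch handler does guard `apiAuth.Spec.SecretRef == nil`. Unless CRD validation guarantees the field for `type: secretRef`, an object without it panics the reconciler; the lookup function should return early with `if apiAuth.Spec.SecretRef == nil { return "", fmt.Errorf("secretRef is required for type %s", apiAuth.Spec.Type) }`. The namespace-defaulting logic is also written twice, so a small helper returning the `types.NamespacedName` would keep the condition message and the lookup in agreement. Reconcile continues outside the hunk.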
@@ -149,3 +216,38 @@ func (r *KonnectAPIAuthConfigurationReconciler) Reconcile( return ctrl.Result{}, nil } + +// getTokenFromKonnectAPIAuthConfiguration returns the token from the secret reference or the token field. +func getTokenFromKonnectAPIAuthConfiguration( + ctx context.Context, cl client.Client, apiAuth *konnectv1alpha1.KonnectAPIAuthConfiguration, +) (string, error) { + switch apiAuth.Spec.Type { + case konnectv1alpha1.KonnectAPIAuthTypeToken: + return apiAuth.Spec.Token, nil + case konnectv1alpha1.KonnectAPIAuthTypeSecretRef: + var secret corev1.Secret + nn := types.NamespacedName{ + Namespace: apiAuth.Spec.SecretRef.Namespace, + Name: apiAuth.Spec.SecretRef.Name, + } + if nn.Namespace == "" { + nn.Namespace = apiAuth.Namespace + } + + if err := cl.Get(ctx, nn, &secret); err != nil { + return "", fmt.Errorf("failed to get Secret %s: %w", nn, err) + } + if secret.Labels == nil || secret.Labels[SecretCredentialLabel] != SecretCredentialLabelValueKonnect { + return "", fmt.Errorf("Secret %s does not have label %s: %s", nn, SecretCredentialLabel, SecretCredentialLabelValueKonnect) + } + if secret.Data == nil { + return "", fmt.Errorf("Secret %s has no data", nn) + } + if _, ok := secret.Data[SecretTokenKey]; !ok { + return "", fmt.Errorf("Secret %s does not have key %s", nn, SecretTokenKey) + } + return string(secret.Data[SecretTokenKey]), nil + } + + return "", fmt.Errorf("unknown KonnectAPIAuthType: %s", apiAuth.Spec.Type) +} diff --git a/controller/konnect/reconciler_konnectapiauth_rbac.go b/controller/konnect/reconciler_konnectapiauth_rbac.go index ae6d66fa3..49311c1a3 100644 --- a/controller/konnect/reconciler_konnectapiauth_rbac.go +++ b/controller/konnect/reconciler_konnectapiauth_rbac.go 
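Review bot: `getTokenFromKonnectAPIAuthConfiguration` honours `SecretRef.Namespace`, so a KonnectAPIAuthConfiguration in one namespace can have the operator read a labelled Secret in another namespace using the operator's own Secret permissions. The `konghq.com/credential` label is the only gate, and the Secret's owner sets it to make the watch work rather than as consent to be referenced from elsewhere. Consider rejecting a reference that leaves the object's namespace, `if nn.Namespace != apiAuth.Namespace { return "", fmt.Errorf("cross-namespace Secret reference %s is not allowed", nn) }`, or requiring an explicit grant in the target namespace. The function also accepts an empty value under the `token` key, which would only show up later as an opaque authentication failure.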
@@ -2,3 +2,5 @@ package konnect //+kubebuilder:rbac:groups=konnect.konghq.com,resources=konnectapiauthconfigurations,verbs=get;list;watch;update;patch //+kubebuilder:rbac:groups=konnect.konghq.com,resources=konnectapiauthconfigurations/status,verbs=get;update;patch + +//+kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch diff --git a/controller/konnect/reconciler_konnectapiauth_test.go b/controller/konnect/reconciler_konnectapiauth_test.go new file mode 100644 index 000000000..193d6d9dd --- /dev/null +++ b/controller/konnect/reconciler_konnectapiauth_test.go 
@@ -0,0 +1,161 @@ +package konnect + +import ( + "context" + "testing" + + "github.com/stretchr/testify/assert" + corev1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "sigs.k8s.io/controller-runtime/pkg/client/fake" + + konnectv1alpha1 "github.com/kong/kubernetes-configuration/api/konnect/v1alpha1" +) + +func TestGetTokenFromKonnectAPIAuthConfiguration(t *testing.T) { + tests := []struct { + name string + apiAuth *konnectv1alpha1.KonnectAPIAuthConfiguration + secret *corev1.Secret + expectedToken string + expectedError bool + }{ + { + name: "valid Token", + apiAuth: &konnectv1alpha1.KonnectAPIAuthConfiguration{ + ObjectMeta: metav1.ObjectMeta{ + Name: "test-api-auth", + Namespace: "default", + }, + Spec: konnectv1alpha1.KonnectAPIAuthConfigurationSpec{ + Type: konnectv1alpha1.KonnectAPIAuthTypeToken, + Token: "kpat_xxxxxxxxxxxx", + }, + }, + expectedToken: "kpat_xxxxxxxxxxxx", + }, + { + name: "valid Secret Reference", + apiAuth: &konnectv1alpha1.KonnectAPIAuthConfiguration{ + ObjectMeta: metav1.ObjectMeta{ + Name: "test-api-auth", + Namespace: "default", + }, + Spec: konnectv1alpha1.KonnectAPIAuthConfigurationSpec{ + Type: konnectv1alpha1.KonnectAPIAuthTypeSecretRef, + SecretRef: &corev1.SecretReference{ + Name: "test-secret", + Namespace: "default", + }, + }, + }, + secret: &corev1.Secret{ + ObjectMeta: metav1.ObjectMeta{ + Name: "test-secret", + Namespace: "default", + Labels: map[string]string{ + "konghq.com/credential": "konnect", + }, + }, + Data: map[string][]byte{ + "token": []byte("test-token"), + }, + }, + expectedToken: "test-token", + }, + { + name: "Secret is missing konghq.com/credential=konnect label", + apiAuth: &konnectv1alpha1.KonnectAPIAuthConfiguration{ + ObjectMeta: metav1.ObjectMeta{ + Name: "test-api-auth", + Namespace: "default", + }, + Spec: konnectv1alpha1.KonnectAPIAuthConfigurationSpec{ + Type: konnectv1alpha1.KonnectAPIAuthTypeSecretRef, + SecretRef: &corev1.SecretReference{ + Name: "test-secret", + Namespace: 
"default", + }, + }, + }, + secret: &corev1.Secret{ + ObjectMeta: metav1.ObjectMeta{ + Name: "test-secret", + Namespace: "default", + }, + Data: map[string][]byte{ + "token": []byte("test-token"), + }, + }, + expectedError: true, + }, + { + name: "missing token from referred Secret", + apiAuth: &konnectv1alpha1.KonnectAPIAuthConfiguration{ + ObjectMeta: metav1.ObjectMeta{ + Name: "test-api-auth", + Namespace: "default", + }, + Spec: konnectv1alpha1.KonnectAPIAuthConfigurationSpec{ + Type: konnectv1alpha1.KonnectAPIAuthTypeSecretRef, + SecretRef: &corev1.SecretReference{ + Name: "test-secret", + Namespace: "default", + }, + }, + }, + secret: &corev1.Secret{ + ObjectMeta: metav1.ObjectMeta{ + Name: "test-secret", + Namespace: "default", + Labels: map[string]string{ + "konghq.com/credential": "konnect", + }, + }, + Data: map[string][]byte{ + "random_key": []byte("dummy"), + }, + }, + expectedToken: "test-token", + expectedError: true, + }, + { + name: "Invalid Secret Reference", + apiAuth: &konnectv1alpha1.KonnectAPIAuthConfiguration{ + ObjectMeta: metav1.ObjectMeta{ + Name: "test-api-auth", + Namespace: "default", + }, + Spec: konnectv1alpha1.KonnectAPIAuthConfigurationSpec{ + Type: konnectv1alpha1.KonnectAPIAuthTypeSecretRef, + SecretRef: &corev1.SecretReference{ + Name: "non-existent-secret", + Namespace: "default", + }, + }, + }, + expectedError: true, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + clientBuilder := fake.NewClientBuilder() + + // Create the secret in the fake client + if tt.secret != nil { + clientBuilder.WithObjects(tt.secret) + } + cl := clientBuilder.Build() + + // Call the function under test + token, err := getTokenFromKonnectAPIAuthConfiguration(context.Background(), cl, tt.apiAuth) + if tt.expectedError { + assert.NotNil(t, err) + return + } + + assert.Equal(t, tt.expectedToken, token) + }) + } +} 
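Review bot: The success path of the table loop never checks `err`, so a case that returned the expected token together with a non-nil error would still pass; add `assert.NoError(t, err)` before `assert.Equal`, and use `assert.Error(t, err)` in place of `assert.NotNil(t, err)` on the failure path. The "missing token from referred Secret" case sets `expectedToken: "test-token"` alongside `expectedError: true`, which is never evaluated and reads as if a token were expected. No case covers a `SecretRef` with an empty `Namespace` (the defaulting branch), a Secret with nil `Data`, or an unknown `Spec.Type`, all of which the function handles explicitly.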
diff --git a/controller/konnect/reconciler_konnectapiauth_watch.go b/controller/konnect/reconciler_konnectapiauth_watch.go new file mode 100644 index 000000000..1f7b58bed --- /dev/null +++ b/controller/konnect/reconciler_konnectapiauth_watch.go 
@@ -0,0 +1,73 @@ +package konnect + +import ( + "context" + "fmt" + "reflect" + + corev1 "k8s.io/api/core/v1" + "k8s.io/apimachinery/pkg/types" + "sigs.k8s.io/controller-runtime/pkg/client" + "sigs.k8s.io/controller-runtime/pkg/log" + "sigs.k8s.io/controller-runtime/pkg/reconcile" + + operatorerrors "github.com/kong/gateway-operator/internal/errors" + + konnectv1alpha1 "github.com/kong/kubernetes-configuration/api/konnect/v1alpha1" +) + +// listKonnectAPIAuthConfigurationsReferencingSecret returns a function that lists +// KonnectAPIAuthConfiguration resources that reference the given Secret. +// This function is intended to be used as a handler for the watch on Secrets. +// NOTE: The Secret has to have the konnect.konghq.com/credential=konnect set +// so that we can efficiently watch only the relevant Secrets' changes. +func listKonnectAPIAuthConfigurationsReferencingSecret(cl client.Client) func(ctx context.Context, obj client.Object) []reconcile.Request { + return func(ctx context.Context, obj client.Object) []reconcile.Request { + logger := log.FromContext(ctx) + + secret, ok := obj.(*corev1.Secret) + if !ok { + logger.Error( + operatorerrors.ErrUnexpectedObject, + "failed to run map funcs", + "expected", "Secret", "found", reflect.TypeOf(obj), + ) + return nil + } + + var konnectAPIAuthConfigList konnectv1alpha1.KonnectAPIAuthConfigurationList + if err := cl.List(ctx, &konnectAPIAuthConfigList); err != nil { + log.FromContext(ctx).Error( + fmt.Errorf("unexpected error occurred while listing KonnectAPIAuthConfiguration resources"), + "failed to run map funcs", + "error", err.Error(), + ) + return nil + } + + var recs []reconcile.Request + for _, apiAuth := range konnectAPIAuthConfigList.Items { + if apiAuth.Spec.Type != konnectv1alpha1.KonnectAPIAuthTypeSecretRef { + continue + } + + if apiAuth.Spec.SecretRef == nil || + apiAuth.Spec.SecretRef.Name != secret.Name { + continue + } + + if (apiAuth.Spec.SecretRef.Namespace != "" && apiAuth.Spec.SecretRef.Namespace 
!= secret.Namespace) || + (apiAuth.Spec.SecretRef.Namespace == "" && secret.Namespace != apiAuth.Namespace) { + continue + } + + recs = append(recs, reconcile.Request{ + NamespacedName: types.NamespacedName{ + Namespace: apiAuth.Namespace, + Name: apiAuth.Name, + }, + }) + } + return recs + } +} diff --git a/modules/manager/scheme/scheme.go b/modules/manager/scheme/scheme.go index 8d234eaa0..f36a61f6f 100644 --- a/modules/manager/scheme/scheme.go +++ b/modules/manager/scheme/scheme.go @@ -13,18 +13,25 @@ import ( configurationv1 "github.com/kong/kubernetes-configuration/api/configuration/v1" configurationv1alpha1 "github.com/kong/kubernetes-configuration/api/configuration/v1alpha1" configurationv1beta1 "github.com/kong/kubernetes-configuration/api/configuration/v1beta1" + konnectv1alpha1 "github.com/kong/kubernetes-configuration/api/konnect/v1alpha1" ) // Get returns a scheme aware of all types the manager can interact with. func Get() *runtime.Scheme { scheme := runtime.NewScheme() utilruntime.Must(clientgoscheme.AddToScheme(scheme)) + utilruntime.Must(operatorv1alpha1.AddToScheme(scheme)) utilruntime.Must(operatorv1beta1.AddToScheme(scheme)) + utilruntime.Must(gatewayv1.Install(scheme)) utilruntime.Must(gatewayv1beta1.Install(scheme)) + utilruntime.Must(configurationv1.AddToScheme(scheme)) - utilruntime.Must(configurationv1beta1.AddToScheme(scheme)) utilruntime.Must(configurationv1alpha1.AddToScheme(scheme)) + utilruntime.Must(configurationv1beta1.AddToScheme(scheme)) + + utilruntime.Must(konnectv1alpha1.AddToScheme(scheme)) + return scheme } From d12cd80c09e2db41439290dd7febcbaeea04c608 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Patryk=20Ma=C5=82ek?= Date: Tue, 6 Aug 2024 11:36:03 +0200 Subject: [PATCH 2/5] Apply suggestions from code review --- config/samples/konnect_apiauth_configuration.yaml | 2 ++ 1 file changed, 2 insertions(+) 
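Review bot: The doc comment on `listKonnectAPIAuthConfigurationsReferencingSecret` names the label `konnect.konghq.com/credential=konnect`, but the constant `SecretCredentialLabel` and the sample manifest use `konghq.com/credential`. Someone following the comment would label the Secret with a key the predicate never matches, and the token would be rejected by the label check as well. Suggest `// NOTE: The Secret has to carry the konghq.com/credential=konnect label so that we can efficiently watch only the relevant Secrets' changes.` The handler also lists every KonnectAPIAuthConfiguration on each Secret event; a field index on the referenced Secret would avoid the full scan if the number of objects grows.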
diff --git a/config/samples/konnect_apiauth_configuration.yaml b/config/samples/konnect_apiauth_configuration.yaml index a2bdbff9e..7a2dd584c 100644 --- a/config/samples/konnect_apiauth_configuration.yaml +++ b/config/samples/konnect_apiauth_configuration.yaml @@ -6,6 +6,7 @@ metadata: spec: type: token token: kpat_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx + # For complete list of available API URLs see: https://docs.konghq.com/konnect/network/ serverURL: eu.api.konghq.com --- kind: KonnectAPIAuthConfiguration @@ -17,6 +18,7 @@ spec: type: secretRef secretRef: name: konnect-api-auth-secret + # For complete list of available API URLs see: https://docs.konghq.com/konnect/network/ serverURL: eu.api.konghq.com --- kind: Secret From f364273142014a1ce8b1012e1a0e042bb5f52821 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Patryk=20Ma=C5=82ek?= Date: Tue, 6 Aug 2024 11:37:11 +0200 Subject: [PATCH 3/5] Update config/samples/konnect_apiauth_configuration.yaml --- config/samples/konnect_apiauth_configuration.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/config/samples/konnect_apiauth_configuration.yaml b/config/samples/konnect_apiauth_configuration.yaml index 7a2dd584c..804e6e656 100644 --- a/config/samples/konnect_apiauth_configuration.yaml +++ b/config/samples/konnect_apiauth_configuration.yaml @@ -27,6 +27,8 @@ metadata: name: konnect-api-auth-secret namespace: default labels: + # NOTE: this label is required on Konnect credential secrets to make + # Secret watch efficient in the operator. konghq.com/credential: konnect stringData: token: kpat_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx From 2a3bc348ababa48ac75e759af0b26dfe02915253 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Patryk=20Ma=C5=82ek?= Date: Tue, 6 Aug 2024 11:38:10 +0200 Subject: [PATCH 4/5] Update controller/konnect/reconciler_konnectapiauth.go MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Grzegorz Burzyński --- controller/konnect/reconciler_konnectapiauth.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/controller/konnect/reconciler_konnectapiauth.go b/controller/konnect/reconciler_konnectapiauth.go index 431d2397d..8b45815d4 100644 --- a/controller/konnect/reconciler_konnectapiauth.go +++ b/controller/konnect/reconciler_konnectapiauth.go @@ -225,7 +225,6 @@ func getTokenFromKonnectAPIAuthConfiguration( case konnectv1alpha1.KonnectAPIAuthTypeToken: return apiAuth.Spec.Token, nil case konnectv1alpha1.KonnectAPIAuthTypeSecretRef: - var secret corev1.Secret nn := types.NamespacedName{ Namespace: apiAuth.Spec.SecretRef.Namespace, Name: apiAuth.Spec.SecretRef.Name, @@ -234,6 +233,7 @@ func getTokenFromKonnectAPIAuthConfiguration( nn.Namespace = apiAuth.Namespace } + var secret corev1.Secret if err := cl.Get(ctx, nn, &secret); err != nil { return "", fmt.Errorf("failed to get Secret %s: %w", nn, err) } From 9d0105b50170a894d22b9f1f53fed9c30be79616 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Patryk=20Ma=C5=82ek?= Date: Tue, 6 Aug 2024 11:38:19 +0200 Subject: [PATCH 5/5] Update controller/konnect/reconciler_konnectapiauth_watch.go MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Grzegorz Burzyński --- controller/konnect/reconciler_konnectapiauth_watch.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/controller/konnect/reconciler_konnectapiauth_watch.go b/controller/konnect/reconciler_konnectapiauth_watch.go index 1f7b58bed..7156ab7b6 100644 --- a/controller/konnect/reconciler_konnectapiauth_watch.go +++ b/controller/konnect/reconciler_konnectapiauth_watch.go 
@@ -37,7 +37,7 @@ func listKonnectAPIAuthConfigurationsReferencingSecret(cl client.Client) func(ct var konnectAPIAuthConfigList konnectv1alpha1.KonnectAPIAuthConfigurationList if err := cl.List(ctx, &konnectAPIAuthConfigList); err != nil { - log.FromContext(ctx).Error( + logger.Error( fmt.Errorf("unexpected error occurred while listing KonnectAPIAuthConfiguration resources"), "failed to run map funcs", "error", err.Error(),
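Review bot: The list failure is still logged with a freshly built `fmt.Errorf(...)` as the error argument and the real `err` demoted to a string key/value, which drops the error's type and any wrapping. `logger.Error(err, "failed to list KonnectAPIAuthConfiguration resources")` carries the same information with less code. The map function's body starts and ends outside this hunk.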