fix: require secretKeyRef in plugins' configFrom (#5103)
randmonkey authored Nov 14, 2023
1 parent d12fbef commit 21abc80
Showing 20 changed files with 58 additions and 41 deletions.
4 changes: 4 additions & 0 deletions CHANGELOG.md
Expand Up @@ -81,6 +81,10 @@ Adding a new version? You'll need three changes:

### Changed

- `SecretKeyRef` of `ConfigFrom` field in `KongPlugin` and `KongClusterPlugin`
are `Required`. When `ConfigFrom` is specified, the validation of there CRDs
will require `SecretKeyRef` to be present.
[#5103](https://github.com/Kong/kubernetes-ingress-controller/pull/5103)
- CRD Validation Expressions
- `KongPlugin` and `KongClusterPlugin` now enforce only one of `config` and `configFrom`
to be set.
Expand Up @@ -84,6 +84,8 @@ spec:
- name
- namespace
type: object
required:
- secretKeyRef
type: object
consumerRef:
description: ConsumerRef is a reference to a particular consumer.
Expand Up @@ -44,7 +44,7 @@ spec:
metadata:
type: object
status:
description: Status represents the current status of the KongConsumer
description: Status represents the current status of the KongConsumerGroup
resource.
properties:
conditions:
2 changes: 2 additions & 0 deletions config/crd/bases/configuration.konghq.com_kongplugins.yaml
Expand Up @@ -80,6 +80,8 @@ spec:
- key
- name
type: object
required:
- secretKeyRef
type: object
consumerRef:
description: ConsumerRef is a reference to a particular consumer.
19 changes: 7 additions & 12 deletions pkg/apis/configuration/v1/configsource.go
Expand Up @@ -4,37 +4,32 @@ package v1
// +kubebuilder:object:generate=true
type ConfigSource struct {
// Specifies a name and a key of a secret to refer to. The namespace is implicitly set to the one of referring object.
SecretValue SecretValueFromSource `json:"secretKeyRef,omitempty"`
SecretValue SecretValueFromSource `json:"secretKeyRef"`
}

// NamespacedConfigSource is a wrapper around NamespacedSecretValueFromSource.
// +kubebuilder:object:generate=true
type NamespacedConfigSource struct {
// Specifies a name, a namespace, and a key of a secret to refer to.
SecretValue NamespacedSecretValueFromSource `json:"secretKeyRef,omitempty"`
SecretValue NamespacedSecretValueFromSource `json:"secretKeyRef"`
}

// SecretValueFromSource represents the source of a secret value.
// +kubebuilder:object:generate=true
type SecretValueFromSource struct {
// The secret containing the key.
// +kubebuilder:validation:Required
Secret string `json:"name,omitempty"`
Secret string `json:"name"`
// The key containing the value.
// +kubebuilder:validation:Required
Key string `json:"key,omitempty"`
Key string `json:"key"`
}

// NamespacedSecretValueFromSource represents the source of a secret value specifying the secret namespace.
// +kubebuilder:object:generate=true
type NamespacedSecretValueFromSource struct {
// The namespace containing the secret.
// +kubebuilder:validation:Required
Namespace string `json:"namespace,omitempty"`
Namespace string `json:"namespace"`
// The secret containing the key.
// +kubebuilder:validation:Required
Secret string `json:"name,omitempty"`
Secret string `json:"name"`
// The key containing the value.
// +kubebuilder:validation:Required
Key string `json:"key,omitempty"`
Key string `json:"key"`
}
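Review bot: Making `name`, `key` and `namespace` required in SecretValueFromSource and NamespacedSecretValueFromSource only forces the keys to be present; an empty string still satisfies a required string property, so a `secretKeyRef` with `name: ""` would presumably pass CRD validation and fail only when the secret is looked up. Adding `// +kubebuilder:validation:MinLength=1` above each of these fields would reject that at admission time. The same gap applies to `PluginName` in kongclusterplugin_types.go and kongplugin_types.go. The section starts at line 4 of the file, so the beginning of ConfigSource's doc comment lies outside it.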
3 changes: 1 addition & 2 deletions pkg/apis/configuration/v1/kongclusterplugin_types.go
Expand Up @@ -29,7 +29,6 @@ import (
// +kubebuilder:resource:scope=Cluster,shortName=kcp,categories=kong-ingress-controller
// +kubebuilder:subresource:status
// +kubebuilder:storageversion
// +kubebuilder:validation:Optional
// +kubebuilder:printcolumn:name="Plugin-Type",type=string,JSONPath=`.plugin`,description="Name of the plugin"
// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`,description="Age"
// +kubebuilder:printcolumn:name="Disabled",type=boolean,JSONPath=`.disabled`,description="Indicates if the plugin is disabled",priority=1
Expand Down Expand Up @@ -66,7 +65,7 @@ type KongClusterPlugin struct {

// PluginName is the name of the plugin to which to apply the config.
// +kubebuilder:validation:Required
PluginName string `json:"plugin,omitempty"`
PluginName string `json:"plugin"`

// RunOn configures the plugin to run on the first or the second or both
// nodes in case of a service mesh deployment.
1 change: 0 additions & 1 deletion pkg/apis/configuration/v1/kongconsumer_types.go
Expand Up @@ -26,7 +26,6 @@ import (
// +kubebuilder:subresource:status
// +kubebuilder:storageversion
// +kubebuilder:resource:shortName=kc,categories=kong-ingress-controller
// +kubebuilder:validation:Optional
// +kubebuilder:printcolumn:name="Username",type=string,JSONPath=`.username`,description="Username of a Kong Consumer"
// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`,description="Age"
// +kubebuilder:printcolumn:name="Programmed",type=string,JSONPath=`.status.conditions[?(@.type=="Programmed")].status`
1 change: 0 additions & 1 deletion pkg/apis/configuration/v1/kongingress_types.go
Expand Up @@ -27,7 +27,6 @@ import (
// +kubebuilder:subresource:status
// +kubebuilder:storageversion
// +kubebuilder:resource:shortName=ki,categories=kong-ingress-controller
// +kubebuilder:validation:Optional
// +kubebuilder:validation:XValidation:rule="!has(self.proxy)", message="'proxy' field is no longer supported, use Service's annotations instead"
// +kubebuilder:validation:XValidation:rule="!has(self.route)", message="'route' field is no longer supported, use Ingress' annotations instead"

3 changes: 1 addition & 2 deletions pkg/apis/configuration/v1/kongplugin_types.go
Expand Up @@ -28,7 +28,6 @@ import (
// +kubebuilder:subresource:status
// +kubebuilder:storageversion
// +kubebuilder:resource:shortName=kp,categories=kong-ingress-controller
// +kubebuilder:validation:Optional
// +kubebuilder:printcolumn:name="Plugin-Type",type=string,JSONPath=`.plugin`,description="Name of the plugin"
// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`,description="Age"
// +kubebuilder:printcolumn:name="Disabled",type=boolean,JSONPath=`.disabled`,description="Indicates if the plugin is disabled",priority=1
Expand Down Expand Up @@ -66,7 +65,7 @@ type KongPlugin struct {

// PluginName is the name of the plugin to which to apply the config.
// +kubebuilder:validation:Required
PluginName string `json:"plugin,omitempty"`
PluginName string `json:"plugin"`

// RunOn configures the plugin to run on the first or the second or both
// nodes in case of a service mesh deployment.
15 changes: 4 additions & 11 deletions pkg/apis/configuration/v1beta1/ingress_rules.go
@@ -1,7 +1,5 @@
package v1beta1

// +kubebuilder:validation:Optional

// UDPIngressRule represents a rule to apply against incoming requests
// wherein no Host matching is available for request routing, only the port
// is used to match requests.
Expand All @@ -11,17 +9,13 @@ type UDPIngressRule struct {
// +kubebuilder:validation:Minimum=1
// +kubebuilder:validation:Maximum=65535
// +kubebuilder:validation:Format=int32
// +kubebuilder:validation:Required
Port int `json:"port"`

// Backend defines the Kubernetes service which accepts traffic from the
// listening Port defined above.
// +kubebuilder:validation:Required
Backend IngressBackend `json:"backend"`
}

// +kubebuilder:validation:Optional

// IngressRule represents a rule to apply against incoming requests.
// Matching is performed based on an (optional) SNI and port.
type IngressRule struct {
Expand All @@ -32,25 +26,24 @@ type IngressRule struct {
// If a Host is specified, the protocol must be TLS over TCP.
// A plain-text TCP request cannot be routed based on Host. It can only
// be routed based on Port.
// +kubebuilder:validation:Optional
Host string `json:"host,omitempty"`

// Port is the port on which to accept TCP or TLS over TCP sessions and
// route. It is a required field. If a Host is not specified, the requested
// are routed based only on Port.
// +kubebuilder:validation:Required
// +kubebuilder:validation:Minimum=1
// +kubebuilder:validation:Maximum=65535
// +kubebuilder:validation:Format=int32
// +kubebuilder:validation:Required
Port int `json:"port,omitempty"`
Port int `json:"port"`

// Backend defines the referenced service endpoint to which the traffic
// will be forwarded to.
// +kubebuilder:validation:Required
Backend IngressBackend `json:"backend"`
}

// +kubebuilder:validation:Optional

// IngressBackend describes all endpoints for a given service and port.
type IngressBackend struct {
// Specifies the name of the referenced service.
Expand All @@ -59,9 +52,9 @@ type IngressBackend struct {
ServiceName string `json:"serviceName"`

// Specifies the port of the referenced service.
// +kubebuilder:validation:Required
// +kubebuilder:validation:Minimum=1
// +kubebuilder:validation:Maximum=65535
// +kubebuilder:validation:Format=int32
// +kubebuilder:validation:Required
ServicePort int `json:"servicePort"`
}
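Review bot: Requiredness is expressed two different ways in this file after the change: UDPIngressRule appears to drop its explicit `// +kubebuilder:validation:Required` markers on `Port` and `Backend` and rely on the absence of `omitempty`, while IngressRule and IngressBackend still carry the marker. Both forms should generate a required property, but mixing them makes the schema harder to audit from the Go types; keeping the explicit marker on every required field (or dropping it everywhere) would be clearer. While the `Port` comment in IngressRule is being touched, its last sentence should read `If a Host is not specified, requests are routed based only on Port.`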
3 changes: 1 addition & 2 deletions pkg/apis/configuration/v1beta1/kongconsumergroup_types.go
Expand Up @@ -26,7 +26,6 @@ import (
// +kubebuilder:subresource:status
// +kubebuilder:storageversion
// +kubebuilder:resource:shortName=kcg,categories=kong-ingress-controller
// +kubebuilder:validation:Optional
// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`,description="Age"
// +kubebuilder:printcolumn:name="Programmed",type=string,JSONPath=`.status.conditions[?(@.type=="Programmed")].status`

Expand All @@ -35,7 +34,7 @@ type KongConsumerGroup struct {
metav1.TypeMeta `json:",inline"`
metav1.ObjectMeta `json:"metadata,omitempty"`

// Status represents the current status of the KongConsumer resource.
// Status represents the current status of the KongConsumerGroup resource.
Status KongConsumerGroupStatus `json:"status,omitempty"`
}

1 change: 0 additions & 1 deletion pkg/apis/configuration/v1beta1/tcpingress_types.go
Expand Up @@ -27,7 +27,6 @@ import (
// +kubebuilder:resource:categories=kong-ingress-controller
// +kubebuilder:subresource:status
// +kubebuilder:storageversion
// +kubebuilder:validation:Optional
// +kubebuilder:printcolumn:name="Address",type=string,JSONPath=`.status.loadBalancer.ingress[*].ip`,description="Address of the load balancer"
// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`,description="Age"

1 change: 0 additions & 1 deletion pkg/apis/configuration/v1beta1/udpingress_types.go
Expand Up @@ -40,7 +40,6 @@ type UDPIngressList struct {
// +kubebuilder:resource:categories=kong-ingress-controller
// +kubebuilder:subresource:status
// +kubebuilder:storageversion
// +kubebuilder:validation:Optional
// +kubebuilder:printcolumn:name="Address",type=string,JSONPath=`.status.loadBalancer.ingress[*].ip`,description="Address of the load balancer"
// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`,description="Age"

6 changes: 5 additions & 1 deletion test/e2e/manifests/all-in-one-dbless-k4k8s-enterprise.yaml


6 changes: 5 additions & 1 deletion test/e2e/manifests/all-in-one-dbless-konnect-enterprise.yaml


6 changes: 5 additions & 1 deletion test/e2e/manifests/all-in-one-dbless-konnect.yaml


6 changes: 5 additions & 1 deletion test/e2e/manifests/all-in-one-dbless.yaml


6 changes: 5 additions & 1 deletion test/e2e/manifests/all-in-one-postgres-enterprise.yaml
