add KongVault controller

config/crd/kustomization.yaml

@@ -13,6 +13,7 @@ resources:
 - bases/configuration.konghq.com_kongplugins.yaml
 - bases/configuration.konghq.com_ingressclassparameterses.yaml
 - bases/configuration.konghq.com_kongupstreampolicies.yaml
+- bases/configuration.konghq.com_kongvaults.yaml
 #+kubebuilder:scaffold:crdkustomizeresource
 
 # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix.

config/rbac/role.yaml

@@ -153,6 +153,22 @@ rules:
   - get
   - patch
   - update
+- apiGroups:
+  - configuration.konghq.com
+  resources:
+  - kongvaults
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - configuration.konghq.com
+  resources:
+  - kongvaults/status
+  verbs:
+  - get
+  - patch
+  - update
 - apiGroups:
   - configuration.konghq.com
   resources:

docs/cli-arguments.md

@@ -27,6 +27,7 @@
 | `--enable-controller-ingress-networkingv1` | `bool` | Enable the networking.k8s.io/v1 Ingress controller. | `true` |
 | `--enable-controller-kong-service-facade` | `bool` | Enable the KongServiceFacade controller. | `true` |
 | `--enable-controller-kong-upstream-policy` | `bool` | Enable the KongUpstreamPolicy controller. | `true` |
+| `--enable-controller-kong-vault` | `bool` | Enable the KongVault controller. | `true` |
 | `--enable-controller-kongclusterplugin` | `bool` | Enable the KongClusterPlugin controller. | `true` |
 | `--enable-controller-kongconsumer` | `bool` | Enable the KongConsumer controller. | `true` |
 | `--enable-controller-kongingress` | `bool` | Enable the KongIngress controller. | `true` |

hack/generators/controllers/networking/main.go

@@ -247,6 +247,23 @@ var inputControllersNeeded = &typesNeeded{
 		AcceptsIngressClassNameAnnotation: true,
 		RBACVerbs:                         []string{"get", "list", "watch"},
 	},
+	typeNeeded{
+		Group:                            "configuration.konghq.com",
+		Version:                          "v1alpha1",
+		Kind:                             "KongVault",
+		PackageImportAlias:               "kongv1alpha1",
+		PackageAlias:                     "KongV1Alpha1",
+		Package:                          kongv1alpha1,
+		Plural:                           "kongvaults",
+		CacheType:                        "KongVault",
+		NeedsStatusPermissions:           true,
+		ConfigStatusNotificationsEnabled: true,
+		ProgrammedCondition: ProgrammedConditionConfiguration{
+			UpdatesEnabled: true,
+		},
+		AcceptsIngressClassNameAnnotation: true,
+		RBACVerbs:                         []string{"get", "list", "watch"},
+	},
 }
 
 var inputRBACPermissionsNeeded = &rbacsNeeded{

internal/dataplane/deckgen/generate.go

@@ -203,6 +203,18 @@ func ToDeckContent(
 	sort.SliceStable(content.Consumers, func(i, j int) bool {
 		return strings.Compare(*content.Consumers[i].Username, *content.Consumers[j].Username) > 0
 	})
+
+	// convert vaults.
+	for _, v := range k8sState.Vaults {
+		vault := file.FVault{
+			Vault: v.Vault,
+		}
+		content.Vaults = append(content.Vaults, vault)
+	}
+	sort.SliceStable(content.Vaults, func(i, j int) bool {
+		return (*content.Vaults[i].Prefix) > (*content.Vaults[j].Prefix)
+	})
+
 	if len(params.SelectorTags) > 0 {
 		content.Info = &file.Info{
 			SelectorTags: params.SelectorTags,

internal/dataplane/kongstate/kongstate.go

@@ -31,6 +31,7 @@ type KongState struct {
 	Plugins        []Plugin
 	Consumers      []Consumer
 	ConsumerGroups []ConsumerGroup
+	Vaults         []Vault
 }
 
 // SanitizedCopy returns a shallow copy with sensitive values redacted best-effort.
@@ -59,6 +60,7 @@ func (ks *KongState) SanitizedCopy() *KongState {
 			return
 		}(),
 		ConsumerGroups: ks.ConsumerGroups,
+		Vaults:         ks.Vaults,
 	}
 }
 
@@ -239,6 +241,35 @@ func (ks *KongState) FillUpstreamOverrides(
 	}
 }
 
+func (ks *KongState) FillVaults(
+	logger logr.Logger,
+	s store.Storer,
+	failuresCollector *failures.ResourceFailuresCollector,
+) {
+	for _, vault := range s.ListKongVaults() {
+		config, err := rawConfigToConfiguration(vault.Spec.Config.Raw)
+		if err != nil {
+			logger.Error(err, "failed to parse configuration of vault to JSON", "name", vault.Name)
+			failuresCollector.PushResourceFailure(
+				fmt.Sprintf("failed to parse configuration of vault %s to JSON: %v", vault.Name, err),
+				vault,
+			)
+			continue
+		}
+		logger.V(util.DebugLevel).Info("add vault to kongstate", "name", vault.Name)
+		ks.Vaults = append(ks.Vaults, Vault{
+			Vault: kong.Vault{
+				Name:        kong.String(vault.Spec.Backend),
+				Description: kong.String(vault.Spec.Description),
+				Prefix:      kong.String(vault.Spec.Prefix),
+				Config:      config,
+				Tags:        util.GenerateTagsForObject(vault),
+			},
+			K8sKongVault: vault.DeepCopy(),
+		})
+	}
+}
+
 func (ks *KongState) getPluginRelations() map[string]util.ForeignRelations {
 	// KongPlugin key (KongPlugin's name:namespace) to corresponding associations
 	pluginRels := map[string]util.ForeignRelations{}
@@ -487,6 +518,8 @@ func (ks *KongState) FillIDs(logger logr.Logger) {
 			ks.ConsumerGroups[consumerGroupIndex] = consumerGroup
 		}
 	}
+
+	// TODO: Add FillID() for vaults in go-kong to fill IDs for vaults.
 }
 
 // maybeLogKongIngressDeprecationError iterates over services and logs a deprecation error if a service

internal/dataplane/kongstate/kongstate_test.go

@@ -55,6 +55,13 @@ func TestKongState_SanitizedCopy(t *testing.T) {
 				ConsumerGroups: []ConsumerGroup{{
 					ConsumerGroup: kong.ConsumerGroup{ID: kong.String("1"), Name: kong.String("consumer-group")},
 				}},
+				Vaults: []Vault{
+					{
+						Vault: kong.Vault{
+							Name: kong.String("test-vault"), Prefix: kong.String("test-vault"),
+						},
+					},
+				},
 			},
 			want: KongState{
 				Services:       []Service{{Service: kong.Service{ID: kong.String("1")}}},
@@ -69,6 +76,13 @@ func TestKongState_SanitizedCopy(t *testing.T) {
 				ConsumerGroups: []ConsumerGroup{{
 					ConsumerGroup: kong.ConsumerGroup{ID: kong.String("1"), Name: kong.String("consumer-group")},
 				}},
+				Vaults: []Vault{
+					{
+						Vault: kong.Vault{
+							Name: kong.String("test-vault"), Prefix: kong.String("test-vault"),
+						},
+					},
+				},
 			},
 		},
 	} {

internal/dataplane/kongstate/vault.go

@@ -0,0 +1,13 @@
+package kongstate
+
+import (
+	"github.com/kong/go-kong/kong"
+
+	kongv1alpha1 "github.com/kong/kubernetes-ingress-controller/v3/pkg/apis/configuration/v1alpha1"
+)
+
+type Vault struct {
+	kong.Vault
+
+	K8sKongVault *kongv1alpha1.KongVault
+}

internal/dataplane/translator/translator.go

@@ -180,6 +180,11 @@ func (t *Translator) BuildKongConfig() KongConfigBuildingResult {
 		t.registerSuccessfullyTranslatedObject(&result.Consumers[i].K8sKongConsumer)
 	}
 
+	result.FillVaults(t.logger, t.storer, t.failuresCollector)
+	for i := range result.Vaults {
+		t.registerSuccessfullyTranslatedObject(result.Vaults[i].K8sKongVault)
+	}
+
 	// process consumer groups
 	result.FillConsumerGroups(t.logger, t.storer)
 	for i := range result.ConsumerGroups {

internal/manager/config.go

@@ -109,6 +109,7 @@ type Config struct {
 	ServiceEnabled                bool
 	KongUpstreamPolicyEnabled     bool
 	KongServiceFacadeEnabled      bool
+	KongVaultEnabled              bool
 
 	// Gateway API toggling.
 	GatewayAPIGatewayController        bool
@@ -249,6 +250,7 @@ func (c *Config) FlagSet() *pflag.FlagSet {
 	flagSet.BoolVar(&c.GatewayAPIHTTPRouteController, "enable-controller-gwapi-httproute", true, "Enable the Gateway API HTTPRoute controller.")
 	flagSet.BoolVar(&c.GatewayAPIReferenceGrantController, "enable-controller-gwapi-reference-grant", true, "Enable the Gateway API ReferenceGrant controller.")
 	flagSet.BoolVar(&c.KongServiceFacadeEnabled, "enable-controller-kong-service-facade", true, "Enable the KongServiceFacade controller.")
+	flagSet.BoolVar(&c.KongVaultEnabled, "enable-controller-kong-vault", true, "Enable the KongVault controller.")
 
 	// Admission Webhook server config
 	flagSet.StringVar(&c.AdmissionServer.ListenAddr, "admission-webhook-listen", "off",