feat: implement KongCredentialACL reconciler (#661)

Signed-off-by: Jintao Zhang <zhangjintao9020@gmail.com>

.mockery.yaml

@@ -22,6 +22,7 @@ packages:
       VaultSDK:
       MeSDK:
       KongCredentialAPIKeySDK:
+      KongCredentialACLSDK:
       KongCredentialBasicAuthSDK:
       CACertificatesSDK:
       CertificatesSDK:

CHANGELOG.md

@@ -92,6 +92,7 @@
 - Add support for `KongConsumer` credentials:
   - basic-auth [#625](https://github.com/Kong/gateway-operator/pull/625)
   - API key [#635](https://github.com/Kong/gateway-operator/pull/635)
+  - ACL [#661](https://github.com/Kong/gateway-operator/pull/661)
 
 ### Fixed
 

config/samples/konnect_kongconsumer_acl.yaml

@@ -0,0 +1,45 @@
+kind: KonnectAPIAuthConfiguration
+apiVersion: konnect.konghq.com/v1alpha1
+metadata:
+  name: konnect-api-auth-dev-1
+  namespace: default
+spec:
+  type: token
+  token: kpat_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+  serverURL: us.api.konghq.com
+---
+kind: KonnectGatewayControlPlane
+apiVersion: konnect.konghq.com/v1alpha1
+metadata:
+  name: test-cp-acl
+  namespace: default
+spec:
+  name: test-cp-acl
+  labels:
+    app: test-cp-acl
+    key1: test-cp-acl
+  konnect:
+    authRef:
+      name: konnect-api-auth-dev-1
+---
+kind: KongConsumer
+apiVersion: configuration.konghq.com/v1
+metadata:
+  name: consumer-acl-1
+  namespace: default
+username: consumer1
+spec:
+  controlPlaneRef:
+    type: konnectNamespacedRef
+    konnectNamespacedRef:
+      name: test-cp-acl
+---
+apiVersion: configuration.konghq.com/v1alpha1
+kind: KongCredentialACL
+metadata:
+  name: acl-1
+  namespace: default
+spec:
+  consumerRef:
+    name: consumer-acl-1
+  group: group1

controller/konnect/constraints/constraints.go

@@ -21,6 +21,7 @@ type SupportedKonnectEntityType interface {
 		configurationv1alpha1.KongPluginBinding |
 		configurationv1alpha1.KongCredentialBasicAuth |
 		configurationv1alpha1.KongCredentialAPIKey |
+		configurationv1alpha1.KongCredentialACL |
 		configurationv1alpha1.KongUpstream |
 		configurationv1alpha1.KongCACertificate |
 		configurationv1alpha1.KongCertificate |

controller/konnect/index_credentials_acl.go

@@ -0,0 +1,32 @@
+package konnect
+
+import (
+	"sigs.k8s.io/controller-runtime/pkg/client"
+
+	configurationv1alpha1 "github.com/kong/kubernetes-configuration/api/configuration/v1alpha1"
+)
+
+const (
+	// IndexFieldKongCredentialACLReferencesKongConsumer is the index name for KongCredentialACL -> Consumer.
+	IndexFieldKongCredentialACLReferencesKongConsumer = "kongCredentialsACLConsumerRef"
+)
+
+// IndexOptionsForCredentialsACL returns required Index options for KongCredentialACL.
+func IndexOptionsForCredentialsACL() []ReconciliationIndexOption {
+	return []ReconciliationIndexOption{
+		{
+			IndexObject:  &configurationv1alpha1.KongCredentialACL{},
+			IndexField:   IndexFieldKongCredentialACLReferencesKongConsumer,
+			ExtractValue: kongCredentialACLReferencesConsumer,
+		},
+	}
+}
+
+// kongCredentialACLReferencesConsumer returns the name of referenced Consumer.
+func kongCredentialACLReferencesConsumer(obj client.Object) []string {
+	cred, ok := obj.(*configurationv1alpha1.KongCredentialACL)
+	if !ok {
+		return nil
+	}
+	return []string{cred.Spec.ConsumerRef.Name}
+}

controller/konnect/ops/credentialacl.go

@@ -0,0 +1,14 @@
+package ops
+
+import (
+	"context"
+
+	sdkkonnectops "github.com/Kong/sdk-konnect-go/models/operations"
+)
+
+// KongCredentialACLSDK is the interface for the Konnect KongCredentialACLSDK.
+type KongCredentialACLSDK interface {
+	CreateACLWithConsumer(ctx context.Context, req sdkkonnectops.CreateACLWithConsumerRequest, opts ...sdkkonnectops.Option) (*sdkkonnectops.CreateACLWithConsumerResponse, error)
+	DeleteACLWithConsumer(ctx context.Context, request sdkkonnectops.DeleteACLWithConsumerRequest, opts ...sdkkonnectops.Option) (*sdkkonnectops.DeleteACLWithConsumerResponse, error)
+	UpsertACLWithConsumer(ctx context.Context, request sdkkonnectops.UpsertACLWithConsumerRequest, opts ...sdkkonnectops.Option) (*sdkkonnectops.UpsertACLWithConsumerResponse, error)
+}