feat(konnect entities): Support KongKey and KongConsumer to reference KonnectGatewayControlPlane in another namespace (#3086)

Author: randmonkey

CHANGELOG.md

@@ -100,7 +100,9 @@
   - `KongUpstream`
   - `KongCertificate`
   - `KongCACertificate`
+  - `KongConsumer`
   - `KongConsumerGroup`
+  - `KongKey`
   - `KongKeySet`
   - `KongVault`
   - `KongDataPlaneClientCertificate`
@@ -117,6 +119,7 @@
   [#3069](https://github.com/Kong/kong-operator/pull/3069)
   [#3052](https://github.com/Kong/kong-operator/pull/3052)
   [#3082](https://github.com/Kong/kong-operator/pull/3082)
+  [#3086](https://github.com/Kong/kong-operator/pull/3086)
 - Added support for cross namespace references between the following Konnect
   entities and `core` `Secret`
 

api/configuration/v1/kongconsumer_types.go

@@ -36,7 +36,6 @@ import (
 // +kubebuilder:printcolumn:name="Programmed",type=string,JSONPath=`.status.conditions[?(@.type=="Programmed")].status`
 // +kubebuilder:validation:XValidation:rule="has(self.username) || has(self.custom_id)", message="Need to provide either username or custom_id"
 // +kubebuilder:validation:XValidation:rule="(!has(oldSelf.spec) || !has(oldSelf.spec.controlPlaneRef)) || has(self.spec.controlPlaneRef)", message="controlPlaneRef is required once set"
-// +kubebuilder:validation:XValidation:rule="(!has(self.spec) || !has(self.spec.controlPlaneRef) || !has(self.spec.controlPlaneRef.konnectNamespacedRef)) ? true : !has(self.spec.controlPlaneRef.konnectNamespacedRef.__namespace__)", message="spec.controlPlaneRef cannot specify namespace for namespaced resource"
 // +kubebuilder:validation:XValidation:rule="(!has(self.spec) || !has(self.spec.controlPlaneRef)) ? true : (!has(self.status) || !self.status.conditions.exists(c, c.type == 'Programmed' && c.status == 'True')) ? true : oldSelf.spec.controlPlaneRef == self.spec.controlPlaneRef", message="spec.controlPlaneRef is immutable when an entity is already Programmed"
 // +apireference:kgo:include
 // +kong:channels=kong-operator

api/configuration/v1alpha1/kongkey_types.go

@@ -35,7 +35,6 @@ import (
 // +kubebuilder:printcolumn:name="Programmed",description="The Resource is Programmed on Konnect",type=string,JSONPath=`.status.conditions[?(@.type=='Programmed')].status`
 // +kubebuilder:validation:XValidation:rule="!has(oldSelf.spec.controlPlaneRef) || has(self.spec.controlPlaneRef)", message="controlPlaneRef is required once set"
 // +kubebuilder:validation:XValidation:rule="(!self.status.conditions.exists(c, c.type == 'Programmed' && c.status == 'True')) ? true : oldSelf.spec.controlPlaneRef == self.spec.controlPlaneRef", message="spec.controlPlaneRef is immutable when an entity is already Programmed"
-// +kubebuilder:validation:XValidation:rule="(!has(self.spec.controlPlaneRef) || !has(self.spec.controlPlaneRef.konnectNamespacedRef)) ? true : !has(self.spec.controlPlaneRef.konnectNamespacedRef.__namespace__)", message="spec.controlPlaneRef cannot specify namespace for namespaced resource"
 // +apireference:kgo:include
 // +kong:channels=kong-operator
 type KongKey struct {

api/configuration/v1alpha1/kongreferencegrant_types.go

@@ -91,7 +91,7 @@ type KongReferenceGrantSpec struct {
 
 // ReferenceGrantFrom describes trusted namespaces and kinds.
 //
-// +kubebuilder:validation:XValidation:rule="self.group != 'configuration.konghq.com' || self.kind in ['KongConsumerGroup', 'KongService', 'KongCertificate', 'KongCACertificate', 'KongDataPlaneClientCertificate', 'KongUpstream', 'KongKeySet', 'KongVault']",message="Only KongConsumerGroup, KongCertificate, KongCACertificate, KongDataPlaneClientCertificate, KongService, KongUpstream, KongKeySet, and KongVault kinds are supported for 'configuration.konghq.com' group"
+// +kubebuilder:validation:XValidation:rule="self.group != 'configuration.konghq.com' || self.kind in [ 'KongConsumer', 'KongConsumerGroup', 'KongService', 'KongCertificate', 'KongCACertificate', 'KongDataPlaneClientCertificate', 'KongUpstream', 'KongKey', 'KongKeySet', 'KongVault']",message="Only KongConsumer, KongConsumerGroup, KongCertificate, KongCACertificate, KongDataPlaneClientCertificate, KongService, KongUpstream, KongKey, KongKeySet, and KongVault kinds are supported for 'configuration.konghq.com' group"
 // +kubebuilder:validation:XValidation:rule="self.kind == 'KongVault' ? self.__namespace__ == \"\" : self.__namespace__ != \"\"",message="namespace must be empty for KongVault and non-empty for other kinds"
 type ReferenceGrantFrom struct {
 	// Group is the group of the referent.

charts/kong-operator/charts/ko-crds/templates/ko-crds.yaml

@@ -50477,9 +50477,6 @@ spec:
           rule: has(self.username) || has(self.custom_id)
         - message: controlPlaneRef is required once set
           rule: (!has(oldSelf.spec) || !has(oldSelf.spec.controlPlaneRef)) || has(self.spec.controlPlaneRef)
-        - message: spec.controlPlaneRef cannot specify namespace for namespaced resource
-          rule: '(!has(self.spec) || !has(self.spec.controlPlaneRef) || !has(self.spec.controlPlaneRef.konnectNamespacedRef))
-            ? true : !has(self.spec.controlPlaneRef.konnectNamespacedRef.__namespace__)'
         - message: spec.controlPlaneRef is immutable when an entity is already Programmed
           rule: '(!has(self.spec) || !has(self.spec.controlPlaneRef)) ? true : (!has(self.status)
             || !self.status.conditions.exists(c, c.type == ''Programmed'' && c.status
@@ -52688,9 +52685,6 @@ spec:
         - message: spec.controlPlaneRef is immutable when an entity is already Programmed
           rule: '(!self.status.conditions.exists(c, c.type == ''Programmed'' && c.status
             == ''True'')) ? true : oldSelf.spec.controlPlaneRef == self.spec.controlPlaneRef'
-        - message: spec.controlPlaneRef cannot specify namespace for namespaced resource
-          rule: '(!has(self.spec.controlPlaneRef) || !has(self.spec.controlPlaneRef.konnectNamespacedRef))
-            ? true : !has(self.spec.controlPlaneRef.konnectNamespacedRef.__namespace__)'
     served: true
     storage: true
     subresources:
@@ -54254,14 +54248,14 @@ spec:
                   - namespace
                   type: object
                   x-kubernetes-validations:
-                  - message: Only KongConsumerGroup, KongCertificate, KongCACertificate,
-                      KongDataPlaneClientCertificate, KongService, KongUpstream, KongKeySet,
-                      and KongVault kinds are supported for 'configuration.konghq.com'
-                      group
+                  - message: Only KongConsumer, KongConsumerGroup, KongCertificate,
+                      KongCACertificate, KongDataPlaneClientCertificate, KongService,
+                      KongUpstream, KongKey, KongKeySet, and KongVault kinds are supported
+                      for 'configuration.konghq.com' group
                     rule: self.group != 'configuration.konghq.com' || self.kind in
-                      ['KongConsumerGroup', 'KongService', 'KongCertificate', 'KongCACertificate',
-                      'KongDataPlaneClientCertificate', 'KongUpstream', 'KongKeySet',
-                      'KongVault']
+                      [ 'KongConsumer', 'KongConsumerGroup', 'KongService', 'KongCertificate',
+                      'KongCACertificate', 'KongDataPlaneClientCertificate', 'KongUpstream',
+                      'KongKey', 'KongKeySet', 'KongVault']
                   - message: namespace must be empty for KongVault and non-empty for
                       other kinds
                     rule: 'self.kind == ''KongVault'' ? self.__namespace__ == "" :