feat: add support for using KonnectGatewayControlPlane object of type group with KonnectExtension

pmalek · pmalek · commit d410f83ae287 · 2026-03-26T19:33:36.000+01:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -93,6 +93,8 @@
 - Added `managed-by:kong-operator` tag to all Konnect entities to allow
   filtering resources managed by Kong Operator in Konnect.
   [#3609](https://github.com/Kong/kong-operator/pull/3609)
+- Added support for using `KonnectGatewayControlPlane` of type group with `KonnectExtension`s.
+  [#3711](https://github.com/Kong/kong-operator/pull/3711)
 
 ### Changed
 
diff --git a/api/konnect/v1alpha2/konnect_extension_types.go b/api/konnect/v1alpha2/konnect_extension_types.go
@@ -221,6 +221,8 @@ const (
 	ClusterTypeControlPlane KonnectExtensionClusterType = "ControlPlane"
 	// ClusterTypeK8sIngressController is the type of the Kubernetes Control Plane.
 	ClusterTypeK8sIngressController KonnectExtensionClusterType = "K8SIngressController"
+	// ClusterTypeControlPlaneGroup is the type of the Control Plane Group.
+	ClusterTypeControlPlaneGroup KonnectExtensionClusterType = "ControlPlaneGroup"
 )
 
 // KonnectEndpoints defines the Konnect endpoints for the control plane.
@@ -249,7 +251,7 @@ type KonnectExtensionControlPlaneStatus struct {
 	// ClusterType is the type of the Konnect Control Plane.
 	//
 	// +required
-	// +kubebuilder:validation:Enum=ControlPlane;K8SIngressController
+	// +kubebuilder:validation:Enum=ControlPlane;K8SIngressController;ControlPlaneGroup
 	ClusterType KonnectExtensionClusterType `json:"clusterType"`
 
 	// Endpoints defines the Konnect endpoints for the control plane.
diff --git a/config/crd/kong-operator/konnect.konghq.com_konnectextensions.yaml b/config/crd/kong-operator/konnect.konghq.com_konnectextensions.yaml
@@ -763,6 +763,7 @@ spec:
                     enum:
                     - ControlPlane
                     - K8SIngressController
+                    - ControlPlaneGroup
                     type: string
                   controlPlaneID:
                     description: ControlPlaneID is the Konnect ID of the ControlPlane
diff --git a/controller/konnect/konnectextension_controller_utils.go b/controller/konnect/konnectextension_controller_utils.go
@@ -319,6 +319,8 @@ func konnectClusterTypeToCRDClusterType(clusterType sdkkonnectcomp.ControlPlaneC
 		return konnectv1alpha2.ClusterTypeControlPlane
 	case sdkkonnectcomp.ControlPlaneClusterTypeClusterTypeK8SIngressController:
 		return konnectv1alpha2.ClusterTypeK8sIngressController
+	case sdkkonnectcomp.ControlPlaneClusterTypeClusterTypeControlPlaneGroup:
+		return konnectv1alpha2.ClusterTypeControlPlaneGroup
 	default:
 		// default never happens as the validation is at the CRD level
 		return ""
diff --git a/controller/konnect/reconciler_controlplaneref.go b/controller/konnect/reconciler_controlplaneref.go
@@ -74,7 +74,12 @@ func handleControlPlaneRef[T constraints.SupportedKonnectEntityType, TEnt constr
 	// The configuration in control plane group type are read only so they are unsupported to attach entities to them:
 	// https://docs.konghq.com/konnect/gateway-manager/control-plane-groups/#limitations
 	if cp.GetKonnectClusterType() != nil &&
-		*cp.GetKonnectClusterType() == sdkkonnectcomp.CreateControlPlaneRequestClusterTypeClusterTypeControlPlaneGroup {
+		(*cp.GetKonnectClusterType() == sdkkonnectcomp.CreateControlPlaneRequestClusterTypeClusterTypeControlPlaneGroup &&
+			// We don't allow attaching to control plane group type as they are read only
+			// and don't have the configuration that can be used by the entities,
+			// but we want to allow attaching KongDataPlaneClientCertificate to them
+			// as they are used for CP/DP mTLS.
+			ent.GetObjectKind().GroupVersionKind().GroupKind().Kind != "KongDataPlaneClientCertificate") {
 		if res, errStatus := patch.StatusWithCondition(
 			ctx, cl, ent,
 			konnectv1alpha1.ControlPlaneRefValidConditionType,
diff --git a/controller/pkg/extensions/konnect/controlplane.go b/controller/pkg/extensions/konnect/controlplane.go
@@ -107,7 +107,7 @@ func kicInKonnectDefaults(ctx context.Context, cl client.Client, konnectExtensio
 			KonnectConfig: &konnectConfig,
 		}, nil
 
-	case konnectv1alpha2.ClusterTypeControlPlane:
+	case konnectv1alpha2.ClusterTypeControlPlane, konnectv1alpha2.ClusterTypeControlPlaneGroup:
 		return nil, fmt.Errorf("unsupported Konnect cluster type: %s", konnectExtension.Status.Konnect.ClusterType)
 	default:
 		// default never happens as the validation is at the CRD level
diff --git a/internal/utils/config/dataplane.go b/internal/utils/config/dataplane.go
@@ -81,7 +81,7 @@ func KongInKonnectDefaults(
 	var template map[string]string
 
 	switch konnectExtensionStatus.Konnect.ClusterType {
-	case konnectv1alpha2.ClusterTypeControlPlane:
+	case konnectv1alpha2.ClusterTypeControlPlane, konnectv1alpha2.ClusterTypeControlPlaneGroup:
 		template = kongInKonnectClusterTypeControlPlane
 	case konnectv1alpha2.ClusterTypeK8sIngressController:
 		template = kongInKonnectClusterTypeIngressController
diff --git a/test/crdsvalidation/common/testcase.go b/test/crdsvalidation/common/testcase.go
@@ -71,10 +71,16 @@ type TestCase[T client.Object] struct {
 	// ExpectedUpdateErrorMessage is the expected error message when updating the object.
 	ExpectedUpdateErrorMessage *string
 
+	// ExpectedStatusUpdateErrorMessage is the expected error message when updating the object status.
+	ExpectedStatusUpdateErrorMessage *string
+
 	// Update is a function that updates the object in the test case after it's created.
 	// It can be used to verify CEL rules that verify the previous object's version against the new one.
 	Update func(T)
 
+	// StatusUpdate is a function that updates the status of the object in the test case after it's created.
+	StatusUpdate func(T)
+
 	// WarningCollector (optional) collects API server warnings emitted during operations.
 	// If set together with ExpectedWarningMessage, the test will assert that a warning containing the
 	// expected message substring was produced.
@@ -228,6 +234,28 @@ func (tc *TestCase[T]) RunWithConfig(t *testing.T, cfg *rest.Config, scheme *run
 				require.NoError(c, err)
 			}, timeout, period)
 		}
+
+		// If the StatusUpdate function was defined, update the object status
+		// and check if the update is allowed.
+		if tc.StatusUpdate != nil {
+			require.EventuallyWithT(t, func(c *assert.CollectT) {
+				err := cl.Get(ctx, client.ObjectKeyFromObject(tc.TestObject), tc.TestObject)
+				require.NoError(c, err)
+				// Update the object status and push the update to the server.
+				tc.StatusUpdate(tc.TestObject)
+				err = cl.Status().Update(ctx, tc.TestObject)
+
+				// If the expected status update error message is defined,
+				// check if the error message contains the expected message
+				// and return. Otherwise, expect no error.
+				if tc.ExpectedStatusUpdateErrorMessage != nil {
+					require.Error(c, err)
+					assert.Contains(c, err.Error(), *tc.ExpectedStatusUpdateErrorMessage)
+					return
+				}
+				require.NoError(c, err)
+			}, timeout, period)
+		}
 	})
 }
 
diff --git a/test/crdsvalidation/konnect.konghq.com/konnectextension_test.go b/test/crdsvalidation/konnect.konghq.com/konnectextension_test.go
@@ -142,6 +142,124 @@ func TestKonnectExtension(t *testing.T) {
 		}.
 			RunWithConfig(t, cfg, scheme)
 	})
+	t.Run("status clusterType", func(t *testing.T) {
+		common.TestCasesGroup[*konnectv1alpha2.KonnectExtension]{
+			{
+				Name: "status clusterType ControlPlane",
+				TestObject: &konnectv1alpha2.KonnectExtension{
+					ObjectMeta: common.CommonObjectMeta(ns.Name),
+					Spec: konnectv1alpha2.KonnectExtensionSpec{
+						Konnect: konnectv1alpha2.KonnectExtensionKonnectSpec{
+							ControlPlane: konnectv1alpha2.KonnectExtensionControlPlane{
+								Ref: commonv1alpha1.KonnectExtensionControlPlaneRef{
+									Type: configurationv1alpha1.ControlPlaneRefKonnectNamespacedRef,
+									KonnectNamespacedRef: &commonv1alpha1.KonnectNamespacedRef{
+										Name: "test-konnect-control-plane",
+									},
+								},
+							},
+						},
+					},
+				},
+				StatusUpdate: func(ke *konnectv1alpha2.KonnectExtension) {
+					ke.Status.Konnect = &konnectv1alpha2.KonnectExtensionControlPlaneStatus{
+						ControlPlaneID: "cp-id",
+						ClusterType:    konnectv1alpha2.ClusterTypeControlPlane,
+						Endpoints: konnectv1alpha2.KonnectEndpoints{
+							TelemetryEndpoint:    "telemetry.example.com",
+							ControlPlaneEndpoint: "cp.example.com",
+						},
+					}
+				},
+			},
+			{
+				Name: "status clusterType K8SIngressController",
+				TestObject: &konnectv1alpha2.KonnectExtension{
+					ObjectMeta: common.CommonObjectMeta(ns.Name),
+					Spec: konnectv1alpha2.KonnectExtensionSpec{
+						Konnect: konnectv1alpha2.KonnectExtensionKonnectSpec{
+							ControlPlane: konnectv1alpha2.KonnectExtensionControlPlane{
+								Ref: commonv1alpha1.KonnectExtensionControlPlaneRef{
+									Type: configurationv1alpha1.ControlPlaneRefKonnectNamespacedRef,
+									KonnectNamespacedRef: &commonv1alpha1.KonnectNamespacedRef{
+										Name: "test-konnect-control-plane",
+									},
+								},
+							},
+						},
+					},
+				},
+				StatusUpdate: func(ke *konnectv1alpha2.KonnectExtension) {
+					ke.Status.Konnect = &konnectv1alpha2.KonnectExtensionControlPlaneStatus{
+						ControlPlaneID: "cp-id",
+						ClusterType:    konnectv1alpha2.ClusterTypeK8sIngressController,
+						Endpoints: konnectv1alpha2.KonnectEndpoints{
+							TelemetryEndpoint:    "telemetry.example.com",
+							ControlPlaneEndpoint: "cp.example.com",
+						},
+					}
+				},
+			},
+			{
+				Name: "status clusterType ControlPlaneGroup",
+				TestObject: &konnectv1alpha2.KonnectExtension{
+					ObjectMeta: common.CommonObjectMeta(ns.Name),
+					Spec: konnectv1alpha2.KonnectExtensionSpec{
+						Konnect: konnectv1alpha2.KonnectExtensionKonnectSpec{
+							ControlPlane: konnectv1alpha2.KonnectExtensionControlPlane{
+								Ref: commonv1alpha1.KonnectExtensionControlPlaneRef{
+									Type: configurationv1alpha1.ControlPlaneRefKonnectNamespacedRef,
+									KonnectNamespacedRef: &commonv1alpha1.KonnectNamespacedRef{
+										Name: "test-konnect-control-plane",
+									},
+								},
+							},
+						},
+					},
+				},
+				StatusUpdate: func(ke *konnectv1alpha2.KonnectExtension) {
+					ke.Status.Konnect = &konnectv1alpha2.KonnectExtensionControlPlaneStatus{
+						ControlPlaneID: "cp-id",
+						ClusterType:    konnectv1alpha2.ClusterTypeControlPlaneGroup,
+						Endpoints: konnectv1alpha2.KonnectEndpoints{
+							TelemetryEndpoint:    "telemetry.example.com",
+							ControlPlaneEndpoint: "cp.example.com",
+						},
+					}
+				},
+			},
+			{
+				Name: "status clusterType invalid",
+				TestObject: &konnectv1alpha2.KonnectExtension{
+					ObjectMeta: common.CommonObjectMeta(ns.Name),
+					Spec: konnectv1alpha2.KonnectExtensionSpec{
+						Konnect: konnectv1alpha2.KonnectExtensionKonnectSpec{
+							ControlPlane: konnectv1alpha2.KonnectExtensionControlPlane{
+								Ref: commonv1alpha1.KonnectExtensionControlPlaneRef{
+									Type: configurationv1alpha1.ControlPlaneRefKonnectNamespacedRef,
+									KonnectNamespacedRef: &commonv1alpha1.KonnectNamespacedRef{
+										Name: "test-konnect-control-plane",
+									},
+								},
+							},
+						},
+					},
+				},
+				StatusUpdate: func(ke *konnectv1alpha2.KonnectExtension) {
+					ke.Status.Konnect = &konnectv1alpha2.KonnectExtensionControlPlaneStatus{
+						ControlPlaneID: "cp-id",
+						ClusterType:    konnectv1alpha2.KonnectExtensionClusterType("InvalidType"),
+						Endpoints: konnectv1alpha2.KonnectEndpoints{
+							TelemetryEndpoint:    "telemetry.example.com",
+							ControlPlaneEndpoint: "cp.example.com",
+						},
+					}
+				},
+				ExpectedStatusUpdateErrorMessage: new(`Unsupported value: "InvalidType"`),
+			},
+		}.
+			RunWithConfig(t, cfg, scheme)
+	})
 	t.Run("dataPlane labels", func(t *testing.T) {
 		common.TestCasesGroup[*konnectv1alpha2.KonnectExtension]{
 			{
