feat: support secret for consumers

Author: AlinsRan

internal/controller/consumer_controller.go

@@ -59,9 +59,37 @@ func (r *ConsumerReconciler) SetupWithManager(mgr ctrl.Manager) error {
 				},
 			),
 		).
+		Watches(&corev1.Secret{},
+			handler.EnqueueRequestsFromMapFunc(r.listConsumersForSecret),
+		).
 		Complete(r)
 }
 
+func (r *ConsumerReconciler) listConsumersForSecret(ctx context.Context, obj client.Object) []reconcile.Request {
+	secret, ok := obj.(*corev1.Secret)
+	if !ok {
+		r.Log.Error(nil, "failed to convert to Secret", "object", obj)
+		return nil
+	}
+	consumerList := &v1alpha1.ConsumerList{}
+	if err := r.List(ctx, consumerList, client.MatchingFields{
+		indexer.SecretIndexRef: indexer.GenIndexKey(secret.GetNamespace(), secret.GetName()),
+	}); err != nil {
+		r.Log.Error(err, "failed to list consumers")
+		return nil
+	}
+	requests := make([]reconcile.Request, 0, len(consumerList.Items))
+	for _, consumer := range consumerList.Items {
+		requests = append(requests, reconcile.Request{
+			NamespacedName: client.ObjectKey{
+				Name:      consumer.Name,
+				Namespace: consumer.Namespace,
+			},
+		})
+	}
+	return requests
+}
+
 func (r *ConsumerReconciler) listConsumersForGateway(ctx context.Context, obj client.Object) []reconcile.Request {
 	gateway, ok := obj.(*gatewayv1.Gateway)
 	if !ok {
@@ -70,7 +98,7 @@ func (r *ConsumerReconciler) listConsumersForGateway(ctx context.Context, obj cl
 	}
 	consumerList := &v1alpha1.ConsumerList{}
 	if err := r.List(ctx, consumerList, client.MatchingFields{
-		indexer.ConsumerGatewayRef: indexer.GenIndexKey(gateway.Name, gateway.GetNamespace()),
+		indexer.ConsumerGatewayRef: indexer.GenIndexKey(gateway.GetNamespace(), gateway.GetName()),
 	}); err != nil {
 		r.Log.Error(err, "failed to list consumers")
 		return nil

internal/controller/indexer/indexer.go

@@ -58,8 +58,35 @@ func setupConsumerIndexer(mgr ctrl.Manager) error {
 	); err != nil {
 		return err
 	}
+	if err := mgr.GetFieldIndexer().IndexField(
+		context.Background(),
+		&v1alpha1.Consumer{},
+		SecretIndexRef,
+		ConsumerSecretIndexFunc,
+	); err != nil {
+		return err
+	}
 	return nil
 }
+
+func ConsumerSecretIndexFunc(rawObj client.Object) []string {
+	consumer := rawObj.(*v1alpha1.Consumer)
+	secretKeys := make([]string, 0)
+
+	for _, credential := range consumer.Spec.Credentials {
+		if credential.SecretRef == nil {
+			continue
+		}
+		ns := consumer.GetNamespace()
+		if credential.SecretRef.Namespace != nil {
+			ns = *credential.SecretRef.Namespace
+		}
+		key := GenIndexKey(ns, credential.SecretRef.Name)
+		secretKeys = append(secretKeys, key)
+	}
+	return secretKeys
+}
+
 func ConsumerGatewayRefIndexFunc(rawObj client.Object) []string {
 	consumer := rawObj.(*v1alpha1.Consumer)
 

internal/provider/adc/translator/consumer.go

@@ -39,7 +39,7 @@ func (t *Translator) TranslateConsumerV1alpha1(tctx *provider.TranslateContext,
 			}
 			authConfig := make(map[string]any)
 			for k, v := range secret.Data {
-				authConfig[k] = v
+				authConfig[k] = string(v)
 			}
 			credential.Config = authConfig
 		} else {

test/e2e/crds/consumer.go

@@ -109,73 +109,97 @@ spec:
 		s.ResourceApplied("httproute", "httpbin", defaultHTTPRoute, 1)
 	}
 
-	Context("Consumer plugins", func() {
-		var keyAuthConsumer = `apiVersion: gateway.apisix.io/v1alpha1
+	Context("Credential", func() {
+		var defaultCredential = `apiVersion: gateway.apisix.io/v1alpha1
 kind: Consumer
 metadata:
   name: consumer-sample
 spec:
   gatewayRef:
     name: api7ee
-  plugins:
-    - name: key-auth
+  credentials:
+    - type: basic-auth
+      name: basic-auth-sample
+      config:
+        username: sample-user
+        password: sample-password
+    - type: key-auth
+      name: key-auth-sample
       config:
         key: sample-key
+    - type: key-auth
+      name: key-auth-sample2
+      config:
+        key: sample-key2
 `
-		var basicAuthConsumer = `apiVersion: gateway.apisix.io/v1alpha1
+		var updateCredential = `apiVersion: gateway.apisix.io/v1alpha1
 kind: Consumer
 metadata:
   name: consumer-sample
 spec:
   gatewayRef:
     name: api7ee
-  plugins:
-    - name: basic-auth
+  credentials:
+    - type: basic-auth
+      name: basic-auth-sample
       config:
         username: sample-user
         password: sample-password
+  plugins:
+    - name: key-auth
+      config:
+        key: consumer-key
 `
-
 		BeforeEach(beforeEachHTTP)
 
-		It("key-auth", func() {
-			s.ResourceApplied("Consumer", "consumer-sample", keyAuthConsumer, 1)
+		It("Create/Update/Delete", func() {
+			s.ResourceApplied("Consumer", "consumer-sample", defaultCredential, 1)
 
 			s.NewAPISIXClient().
 				GET("/get").
+				WithHeader("apikey", "sample-key").
 				WithHost("httpbin.org").
 				Expect().
-				Status(401)
+				Status(200)
 
 			s.NewAPISIXClient().
 				GET("/get").
-				WithHeader("apikey", "sample-key").
+				WithHeader("apikey", "sample-key2").
 				WithHost("httpbin.org").
 				Expect().
 				Status(200)
 
-			By("delete Consumer")
-			err := s.DeleteResourceFromString(keyAuthConsumer)
-			Expect(err).NotTo(HaveOccurred(), "deleting Consumer")
-			time.Sleep(5 * time.Second)
+			s.NewAPISIXClient().
+				GET("/get").
+				WithBasicAuth("sample-user", "sample-password").
+				WithHost("httpbin.org").
+				Expect().
+				Status(200)
+
+			By("update Consumer")
+			s.ResourceApplied("Consumer", "consumer-sample", updateCredential, 2)
 
 			s.NewAPISIXClient().
 				GET("/get").
 				WithHeader("apikey", "sample-key").
 				WithHost("httpbin.org").
 				Expect().
 				Status(401)
-		})
-
-		It("basic-auth", func() {
-			s.ResourceApplied("Consumer", "consumer-sample", basicAuthConsumer, 1)
 
 			s.NewAPISIXClient().
 				GET("/get").
+				WithHeader("apikey", "sample-key2").
 				WithHost("httpbin.org").
 				Expect().
 				Status(401)
 
+			s.NewAPISIXClient().
+				GET("/get").
+				WithHeader("apikey", "consumer-key").
+				WithHost("httpbin.org").
+				Expect().
+				Status(200)
+
 			s.NewAPISIXClient().
 				GET("/get").
 				WithBasicAuth("sample-user", "sample-password").
@@ -184,7 +208,7 @@ spec:
 				Status(200)
 
 			By("delete Consumer")
-			err := s.DeleteResourceFromString(basicAuthConsumer)
+			err := s.DeleteResourceFromString(updateCredential)
 			Expect(err).NotTo(HaveOccurred(), "deleting Consumer")
 			time.Sleep(5 * time.Second)
 
@@ -197,8 +221,26 @@ spec:
 		})
 	})
 
-	Context("Credential", func() {
-		var defaultCredential = `apiVersion: gateway.apisix.io/v1alpha1
+	Context("SecretRef", func() {
+		var keyAuthSecret = `
+apiVersion: v1
+kind: Secret
+metadata:
+  name: key-auth-secret
+data:
+  key: c2FtcGxlLWtleQ==
+`
+		var basicAuthSecret = `
+apiVersion: v1
+kind: Secret
+metadata:
+  name: basic-auth-secret
+data:
+  username: c2FtcGxlLXVzZXI=
+  password: c2FtcGxlLXBhc3N3b3Jk
+`
+		var defaultConsumer = `
+apiVersion: gateway.apisix.io/v1alpha1
 kind: Consumer
 metadata:
   name: consumer-sample
@@ -208,40 +250,25 @@ spec:
   credentials:
     - type: basic-auth
       name: basic-auth-sample
-      config:
-        username: sample-user
-        password: sample-password
+      secretRef:
+        name: basic-auth-secret
     - type: key-auth
       name: key-auth-sample
-      config:
-        key: sample-key
+      secretRef:
+        name: key-auth-secret
     - type: key-auth
       name: key-auth-sample2
       config:
         key: sample-key2
-`
-		var updateCredential = `apiVersion: gateway.apisix.io/v1alpha1
-kind: Consumer
-metadata:
-  name: consumer-sample
-spec:
-  gatewayRef:
-    name: api7ee
-  credentials:
-    - type: basic-auth
-      name: basic-auth-sample
-      config:
-        username: sample-user
-        password: sample-password
-  plugins:
-    - name: key-auth
-      config:
-        key: consumer-key
 `
 		BeforeEach(beforeEachHTTP)
 
 		It("Create/Update/Delete", func() {
-			s.ResourceApplied("Consumer", "consumer-sample", defaultCredential, 1)
+			err := s.CreateResourceFromString(keyAuthSecret)
+			Expect(err).NotTo(HaveOccurred(), "creating key-auth secret")
+			err = s.CreateResourceFromString(basicAuthSecret)
+			Expect(err).NotTo(HaveOccurred(), "creating basic-auth secret")
+			s.ResourceApplied("Consumer", "consumer-sample", defaultConsumer, 1)
 
 			s.NewAPISIXClient().
 				GET("/get").
@@ -250,22 +277,17 @@ spec:
 				Expect().
 				Status(200)
 
-			s.NewAPISIXClient().
-				GET("/get").
-				WithHeader("apikey", "sample-key2").
-				WithHost("httpbin.org").
-				Expect().
-				Status(200)
-
 			s.NewAPISIXClient().
 				GET("/get").
 				WithBasicAuth("sample-user", "sample-password").
 				WithHost("httpbin.org").
 				Expect().
 				Status(200)
 
-			By("update Consumer")
-			s.ResourceApplied("Consumer", "consumer-sample", updateCredential, 2)
+			By("delete consumer")
+			err = s.DeleteResourceFromString(defaultConsumer)
+			Expect(err).NotTo(HaveOccurred(), "deleting consumer")
+			time.Sleep(5 * time.Second)
 
 			s.NewAPISIXClient().
 				GET("/get").
@@ -274,32 +296,6 @@ spec:
 				Expect().
 				Status(401)
 
-			s.NewAPISIXClient().
-				GET("/get").
-				WithHeader("apikey", "sample-key2").
-				WithHost("httpbin.org").
-				Expect().
-				Status(401)
-
-			s.NewAPISIXClient().
-				GET("/get").
-				WithHeader("apikey", "consumer-key").
-				WithHost("httpbin.org").
-				Expect().
-				Status(200)
-
-			s.NewAPISIXClient().
-				GET("/get").
-				WithBasicAuth("sample-user", "sample-password").
-				WithHost("httpbin.org").
-				Expect().
-				Status(200)
-
-			By("delete Consumer")
-			err := s.DeleteResourceFromString(updateCredential)
-			Expect(err).NotTo(HaveOccurred(), "deleting Consumer")
-			time.Sleep(5 * time.Second)
-
 			s.NewAPISIXClient().
 				GET("/get").
 				WithBasicAuth("sample-user", "sample-password").
@@ -308,7 +304,4 @@ spec:
 				Status(401)
 		})
 	})
-
-	PContext("SecretRef", func() {
-	})
 })

test/e2e/scaffold/scaffold.go

@@ -512,7 +512,6 @@ func (s *Scaffold) GetDeploymentLogs(name string) string {
 			Resource("pods").
 			Namespace(s.namespace).
 			Name(pod.Name).SubResource("log").
-			Param("container", name).
 			Do(context.TODO()).
 			Raw()
 		if err == nil {