Merge branch 'main' into dependabot/go_modules/k8s.io/apiextensions-a…

…piserver-0.32.1

.github/workflows/test.yaml

@@ -38,7 +38,7 @@ jobs:
       - uses: actions/setup-go@v5
         with:
           go-version-file: go.mod
-      - uses: golangci/golangci-lint-action@v6.1.1
+      - uses: golangci/golangci-lint-action@v6.2.0
 
   build:
     timeout-minutes: ${{ fromJSON(vars.GHA_DEFAULT_TIMEOUT) }}

CHANGELOG.md

@@ -1,5 +1,8 @@
 # Table of Contents
 
+- [v1.44.1](#v1441)
+- [v1.44.0](#v1440)
+- [v1.43.1](#v1431)
 - [v1.43.0](#v1430)
 - [v1.42.1](#v1421)
 - [v1.42.0](#v1420)
@@ -104,6 +107,47 @@
 - [v0.2.0](#v020)
 - [v0.1.0](#v010)
 
+## [v1.44.1]
+> Release date: 2025/02/11
+
+### Fixed
+- Fixed issue coming with using deck against open-source Kong 
+gateways where operations were getting stuck due to 
+custom-entities support. Custom Entities are now gated to
+Enterprise gateways only.
+[go-database-reconciler](https://github.com/Kong/go-database-reconciler/pull/202)
+[#1525](https://github.com/Kong/deck/pull/1525)
+
+## [v1.44.0]
+> Release date: 2025/02/10
+
+### Added
+- Added support for consumer-group policy overrides in Kong Gateway
+version 3.4+ (until next major version is released). This is enabled
+via flag `--consumer-group-policy-overrides` in sync, diff and dump
+commands. Consumer-group policy overrides, though supported, are a
+deprecated feature in the Kong Gateway and users should consider
+moving to Consumer-group scoped plugins instead. Mixing of the two
+approaches should be avoided.
+[#1518](https://github.com/Kong/deck/pull/1518)
+[go-database-reconciler #191](https://github.com/Kong/go-database-reconciler/pull/191)
+- Added support for managing `degraphql_routes` via deck for both
+Kong Gateway and Konnect.
+[#1505](https://github.com/Kong/deck/pull/1505)
+[go-database-reconciler #154](https://github.com/Kong/go-database-reconciler/pull/154)
+
+## [v1.43.1]
+> Release date: 2025/01/29
+
+### Fixed
+- The `deck gateway apply` command added in v1.43.0 added additional
+HTTP calls to discover which functions are enabled. This does not work 
+well when using an RBAC user with restricted permissions. This change 
+removes those additional checks and delegates the lookup of foreign 
+keys for partial applications to `go-database-reconciler`.
+[#1508](https://github.com/Kong/deck/pull/1508)
+[go-database-reconciler #182](https://github.com/Kong/go-database-reconciler/pull/182)
+
 ## [v1.43.0]
 > Release date: 2025/01/23
 
@@ -1965,6 +2009,9 @@ No breaking changes have been introduced in this release.
 
 Debut release of decK
 
+[v1.44.1]: https://github.com/Kong/deck/compare/v1.44.0...v1.44.1
+[v1.44.0]: https://github.com/Kong/deck/compare/v1.43.1...v1.44.0
+[v1.43.1]: https://github.com/Kong/deck/compare/v1.43.0...v1.43.1
 [v1.43.0]: https://github.com/Kong/deck/compare/v1.42.1...v1.43.0
 [v1.42.1]: https://github.com/Kong/deck/compare/v1.42.0...v1.42.1
 [v1.42.0]: https://github.com/Kong/deck/compare/v1.41.4...v1.42.0

Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.23.4 AS build
+FROM golang:1.23.5 AS build
 WORKDIR /deck
 COPY go.mod ./
 COPY go.sum ./

README.md

@@ -73,7 +73,7 @@ the GitHub [release page](https://github.com/kong/deck/releases)
 or install by downloading the binary:
 
 ```shell
-$ curl -sL https://github.com/kong/deck/releases/download/v1.43.0/deck_1.43.0_linux_amd64.tar.gz -o deck.tar.gz
+$ curl -sL https://github.com/kong/deck/releases/download/v1.44.1/deck_1.44.1_linux_amd64.tar.gz -o deck.tar.gz
 $ tar -xf deck.tar.gz -C /tmp
 $ sudo cp /tmp/deck /usr/local/bin/
 ```
@@ -84,7 +84,7 @@ If you are on Windows, you can download the binary from the GitHub
 [release page](https://github.com/kong/deck/releases) or via PowerShell:
 
 ```shell
-$ curl -sL https://github.com/kong/deck/releases/download/v1.43.0/deck_1.43.0_windows_amd64.tar.gz -o deck.tar.gz
+$ curl -sL https://github.com/kong/deck/releases/download/v1.44.1/deck_1.44.1_windows_amd64.tar.gz -o deck.tar.gz
 $ tar -xzvf deck.tar.gz
 ```
 

cmd/common.go

@@ -25,7 +25,6 @@ import (
 const exitCodeDiffDetection = 2
 
 var (
-	dumpConfig   dump.Config
 	assumeYes    bool
 	noMaskValues bool
 )
@@ -39,6 +38,13 @@ const (
 	modeLocal
 )
 
+type ApplyType int
+
+const (
+	ApplyTypeFull ApplyType = iota
+	ApplyTypePartial
+)
+
 var jsonOutput diff.JSONOutputObject
 
 func getMode(targetContent *file.Content) mode {
@@ -131,7 +137,7 @@ func RemoveConsumerPlugins(targetContentPlugins []file.FPlugin) []file.FPlugin {
 }
 
 func syncMain(ctx context.Context, filenames []string, dry bool, parallelism,
-	delay int, workspace string, enableJSONOutput bool, noDeletes bool,
+	delay int, workspace string, enableJSONOutput bool, applyType ApplyType,
 ) error {
 	// read target file
 	if enableJSONOutput {
@@ -157,11 +163,12 @@ func syncMain(ctx context.Context, filenames []string, dry bool, parallelism,
 	}
 
 	cmd := "sync"
-
-	isPartialApply := false
-	if noDeletes {
+	if applyType == ApplyTypePartial {
 		cmd = "apply"
-		isPartialApply = true
+		dumpConfig.IsPartialApply = true
+	} else {
+		// Explicitly set this here as dumpConfig is a global var
+		dumpConfig.IsPartialApply = false
 	}
 
 	if dry {
@@ -209,31 +216,14 @@ func syncMain(ctx context.Context, filenames []string, dry bool, parallelism,
 	// load Kong version after workspace
 	var kongVersion string
 	var parsedKongVersion semver.Version
-	isLicensedKongEnterprise := false
 	if mode == modeKonnect {
 		kongVersion = fetchKonnectKongVersion()
-		isLicensedKongEnterprise = true
 	} else {
 		kongVersion, err = fetchKongVersion(ctx, wsConfig)
 		if err != nil {
 			return fmt.Errorf("reading Kong version: %w", err)
 		}
-
-		// Are we running enterprise?
-		v, err := kong.ParseSemanticVersion(kongVersion)
-		if err != nil {
-			return fmt.Errorf("parsing Kong version: %w", err)
-		}
-
-		// Check if there's an active license for Consumer Group checks
-		if v.IsKongGatewayEnterprise() {
-			isLicensedKongEnterprise, err = isLicensed(ctx, wsConfig)
-			if err != nil {
-				return fmt.Errorf("checking if Kong is licensed: %w", err)
-			}
-		}
 	}
-
 	parsedKongVersion, err = reconcilerUtils.ParseKongVersion(kongVersion)
 	if err != nil {
 		return fmt.Errorf("parsing Kong version: %w", err)
@@ -267,29 +257,28 @@ func syncMain(ctx context.Context, filenames []string, dry bool, parallelism,
 		}
 	}
 
+	dumpConfig.IsConsumerGroupPolicyOverrideSet = determinePolicyOverride(*targetContent, dumpConfig)
+
 	dumpConfig.SelectorTags, err = determineSelectorTag(*targetContent, dumpConfig)
 	if err != nil {
 		return err
 	}
 
-	// Consumer groups are an enterprise 3.4+ feature
-	if parsedKongVersion.GTE(reconcilerUtils.Kong340Version) && isLicensedKongEnterprise {
-		dumpConfig.LookUpSelectorTagsConsumerGroups, err = determineLookUpSelectorTagsConsumerGroups(*targetContent)
+	dumpConfig.LookUpSelectorTagsConsumerGroups, err = determineLookUpSelectorTagsConsumerGroups(*targetContent)
+	if err != nil {
+		return fmt.Errorf("error determining lookup selector tags for consumer groups: %w", err)
+	}
+
+	if dumpConfig.LookUpSelectorTagsConsumerGroups != nil {
+		consumerGroupsGlobal, err := dump.GetAllConsumerGroups(ctx, kongClient, dumpConfig.LookUpSelectorTagsConsumerGroups)
 		if err != nil {
-			return fmt.Errorf("error determining lookup selector tags for consumer groups: %w", err)
+			return fmt.Errorf("error retrieving global consumer groups via lookup selector tags: %w", err)
 		}
-
-		if dumpConfig.LookUpSelectorTagsConsumerGroups != nil || isPartialApply {
-			consumerGroupsGlobal, err := dump.GetAllConsumerGroups(ctx, kongClient, dumpConfig.LookUpSelectorTagsConsumerGroups)
+		for _, c := range consumerGroupsGlobal {
+			targetContent.ConsumerGroups = append(targetContent.ConsumerGroups,
+				file.FConsumerGroupObject{ConsumerGroup: *c.ConsumerGroup})
 			if err != nil {
-				return fmt.Errorf("error retrieving global consumer groups via lookup selector tags: %w", err)
-			}
-			for _, c := range consumerGroupsGlobal {
-				targetContent.ConsumerGroups = append(targetContent.ConsumerGroups,
-					file.FConsumerGroupObject{ConsumerGroup: *c.ConsumerGroup})
-				if err != nil {
-					return fmt.Errorf("error adding global consumer group %v: %w", *c.ConsumerGroup.Name, err)
-				}
+				return fmt.Errorf("error adding global consumer group %v: %w", *c.ConsumerGroup.Name, err)
 			}
 		}
 	}
@@ -299,7 +288,7 @@ func syncMain(ctx context.Context, filenames []string, dry bool, parallelism,
 		return fmt.Errorf("error determining lookup selector tags for consumers: %w", err)
 	}
 
-	if dumpConfig.LookUpSelectorTagsConsumers != nil || isPartialApply {
+	if dumpConfig.LookUpSelectorTagsConsumers != nil {
 		consumersGlobal, err := dump.GetAllConsumers(ctx, kongClient, dumpConfig.LookUpSelectorTagsConsumers)
 		if err != nil {
 			return fmt.Errorf("error retrieving global consumers via lookup selector tags: %w", err)
@@ -317,7 +306,7 @@ func syncMain(ctx context.Context, filenames []string, dry bool, parallelism,
 		return fmt.Errorf("error determining lookup selector tags for routes: %w", err)
 	}
 
-	if dumpConfig.LookUpSelectorTagsRoutes != nil || isPartialApply {
+	if dumpConfig.LookUpSelectorTagsRoutes != nil {
 		routesGlobal, err := dump.GetAllRoutes(ctx, kongClient, dumpConfig.LookUpSelectorTagsRoutes)
 		if err != nil {
 			return fmt.Errorf("error retrieving global routes via lookup selector tags: %w", err)
@@ -335,7 +324,7 @@ func syncMain(ctx context.Context, filenames []string, dry bool, parallelism,
 		return fmt.Errorf("error determining lookup selector tags for services: %w", err)
 	}
 
-	if dumpConfig.LookUpSelectorTagsServices != nil || isPartialApply {
+	if dumpConfig.LookUpSelectorTagsServices != nil {
 		servicesGlobal, err := dump.GetAllServices(ctx, kongClient, dumpConfig.LookUpSelectorTagsServices)
 		if err != nil {
 			return fmt.Errorf("error retrieving global services via lookup selector tags: %w", err)
@@ -400,7 +389,9 @@ func syncMain(ctx context.Context, filenames []string, dry bool, parallelism,
 	}
 
 	totalOps, err := performDiff(
-		ctx, currentState, targetState, dry, parallelism, delay, kongClient, mode == modeKonnect, enableJSONOutput, noDeletes)
+		ctx, currentState, targetState, dry, parallelism, delay, kongClient, mode == modeKonnect,
+		enableJSONOutput, applyType,
+	)
 	if err != nil {
 		if enableJSONOutput {
 			var errs reconcilerUtils.ErrArray
@@ -431,6 +422,18 @@ func syncMain(ctx context.Context, filenames []string, dry bool, parallelism,
 	return nil
 }
 
+func determinePolicyOverride(targetContent file.Content, config dump.Config) bool {
+	if config.IsConsumerGroupPolicyOverrideSet {
+		return true
+	}
+
+	if targetContent.Info != nil && targetContent.Info.ConsumerGroupPolicyOverrides {
+		return targetContent.Info.ConsumerGroupPolicyOverrides
+	}
+
+	return false
+}
+
 func determineLookUpSelectorTagsConsumerGroups(targetContent file.Content) ([]string, error) {
 	if targetContent.Info != nil &&
 		targetContent.Info.LookUpSelectorTags != nil &&
@@ -529,16 +532,18 @@ func fetchCurrentState(ctx context.Context, client *kong.Client, dumpConfig dump
 
 func performDiff(ctx context.Context, currentState, targetState *state.KongState,
 	dry bool, parallelism int, delay int, client *kong.Client, isKonnect bool,
-	enableJSONOutput bool, noDeletes bool,
+	enableJSONOutput bool, applyType ApplyType,
 ) (int, error) {
+	shouldSkipDeletes := applyType == ApplyTypePartial
+
 	s, err := diff.NewSyncer(diff.SyncerOpts{
 		CurrentState:  currentState,
 		TargetState:   targetState,
 		KongClient:    client,
 		StageDelaySec: delay,
 		NoMaskValues:  noMaskValues,
 		IsKonnect:     isKonnect,
-		NoDeletes:     noDeletes,
+		NoDeletes:     shouldSkipDeletes,
 	})
 	if err != nil {
 		return 0, err
@@ -570,31 +575,6 @@ func performDiff(ctx context.Context, currentState, targetState *state.KongState
 	return int(totalOps), nil
 }
 
-func isLicensed(ctx context.Context, config reconcilerUtils.KongClientConfig) (bool, error) {
-	client, err := reconcilerUtils.GetKongClient(config)
-	if err != nil {
-		return false, err
-	}
-
-	req, err := http.NewRequest("GET",
-		reconcilerUtils.CleanAddress(config.Address)+"/",
-		nil)
-	if err != nil {
-		return false, err
-	}
-	var resp map[string]interface{}
-	_, err = client.Do(ctx, req, &resp)
-	if err != nil {
-		return false, err
-	}
-	_, ok := resp["license"]
-	if !ok {
-		return false, nil
-	}
-
-	return true, nil
-}
-
 func fetchKongVersion(ctx context.Context, config reconcilerUtils.KongClientConfig) (string, error) {
 	var version string
 

cmd/common_konnect.go

@@ -91,9 +91,7 @@ func GetKongClientForKonnectMode(
 
 	// set the kong control plane ID in the client
 	konnectClient.SetRuntimeGroupID(cpID)
-	konnectAddress = konnectConfig.Address + "/konnect-api/api/runtime_groups/" + cpID
-	// TODO: replace the above with the following once the Konnect API is updated
-	// konnectAddress = konnectConfig.Address + "/v2/control-planes/" + cpID
+	konnectAddress = konnectConfig.Address + "/v2/control-planes/" + cpID + "/core-entities"
 
 	// initialize kong client
 	return utils.GetKongClient(utils.KongClientConfig{
@@ -127,7 +125,7 @@ func resetKonnectV2(ctx context.Context) error {
 	if err != nil {
 		return err
 	}
-	_, err = performDiff(ctx, currentState, targetState, false, 10, 0, client, true, resetJSONOutput, false)
+	_, err = performDiff(ctx, currentState, targetState, false, 10, 0, client, true, resetJSONOutput, ApplyTypeFull)
 	if err != nil {
 		return err
 	}
@@ -247,6 +245,7 @@ func syncKonnect(ctx context.Context,
 	}
 
 	stats, errs, _ := s.Solve(ctx, parallelism, dry, false)
+
 	// print stats before error to report completed operations
 	printStats(stats)
 	if errs != nil {

cmd/gateway_apply.go

@@ -15,7 +15,7 @@ var applyCmdKongStateFile []string
 
 func executeApply(cmd *cobra.Command, _ []string) error {
 	return syncMain(cmd.Context(), applyCmdKongStateFile, false,
-		applyCmdParallelism, applyCmdDBUpdateDelay, applyWorkspace, applyJSONOutput, true)
+		applyCmdParallelism, applyCmdDBUpdateDelay, applyWorkspace, applyJSONOutput, ApplyTypePartial)
 }
 
 func newApplyCmd() *cobra.Command {

cmd/gateway_diff.go

@@ -17,7 +17,7 @@ var (
 
 func executeDiff(cmd *cobra.Command, _ []string) error {
 	return syncMain(cmd.Context(), diffCmdKongStateFile, true,
-		diffCmdParallelism, 0, diffWorkspace, diffJSONOutput, false)
+		diffCmdParallelism, 0, diffWorkspace, diffJSONOutput, ApplyTypeFull)
 }
 
 // newDiffCmd represents the diff command
@@ -101,6 +101,10 @@ that will be created, updated, or deleted.
 		false, "do not diff CA certificates.")
 	diffCmd.Flags().BoolVar(&diffJSONOutput, "json-output",
 		false, "generate command execution report in a JSON format")
+	diffCmd.Flags().BoolVar(&dumpConfig.IsConsumerGroupPolicyOverrideSet, "consumer-group-policy-overrides",
+		false, "allow deck to diff consumer-group policy overrides.\n"+
+			"This allows policy overrides to work with Kong GW versions >= 3.4\n"+
+			"Warning: do not mix with consumer-group scoped plugins")
 	addSilenceEventsFlag(diffCmd.Flags())
 	return diffCmd
 }