feat: add --skip-ca-certificates flag

Since CA certificates are 'global' entities in Kong, they cannot be managed on a per-workspace basis, making it hard to be handled declaratively with decK. This introduces a new --skip-ca-certificates to sync/dump/diff/reset to make sure CA certs are ignored when needed.
Kong · Mar 16, 2022 · 9b2ddc8 · 9b2ddc8
1 parent 9892fdb
commit 9b2ddc8
Show file tree

Hide file tree

Showing 6 changed files with 24 additions and 8 deletions.
diff --git a/cmd/common.go b/cmd/common.go
@@ -73,6 +73,9 @@ func syncMain(ctx context.Context, filenames []string, dry bool, parallelism,
 	if dumpConfig.SkipConsumers {
 		targetContent.Consumers = []file.FConsumer{}
 	}
+	if dumpConfig.SkipCACerts {
+		targetContent.CACertificates = []file.FCACertificate{}
+	}
 
 	rootClient, err := utils.GetKongClient(rootConfig)
 	if err != nil {

diff --git a/cmd/diff.go b/cmd/diff.go
@@ -61,6 +61,8 @@ that will be created, updated, or deleted.
 		false, "return exit code 2 if there is a diff present,\n"+
 			"exit code 0 if no diff is found,\n"+
 			"and exit code 1 if an error occurs.")
+	diffCmd.Flags().BoolVar(&dumpConfig.SkipCACerts, "skip-ca-certificates",
+		false, "do not diff CA certificates.")
 	addSilenceEventsFlag(diffCmd.Flags())
 	return diffCmd
 }
diff --git a/cmd/dump.go b/cmd/dump.go
@@ -166,5 +166,7 @@ configure Kong.`,
 		false, "export only the RBAC resources (Kong Enterprise only).")
 	dumpCmd.Flags().BoolVar(&assumeYes, "yes",
 		false, "assume 'yes' to prompts and run non-interactively.")
+	dumpCmd.Flags().BoolVar(&dumpConfig.SkipCACerts, "skip-ca-certificates",
+		false, "do not dump CA certificates.")
 	return dumpCmd
 }
diff --git a/cmd/reset.go b/cmd/reset.go
@@ -118,6 +118,8 @@ By default, this command will ask for confirmation.`,
 			"When this setting has multiple tag values, entities must match every tag.")
 	resetCmd.Flags().BoolVar(&dumpConfig.RBACResourcesOnly, "rbac-resources-only",
 		false, "reset only the RBAC resources (Kong Enterprise only).")
+	resetCmd.Flags().BoolVar(&dumpConfig.SkipCACerts, "skip-ca-certificates",
+		false, "do not reset CA certificates.")
 
 	return resetCmd
 }
diff --git a/cmd/sync.go b/cmd/sync.go
@@ -58,6 +58,8 @@ to get Kong's state in sync with the input state.`,
 		0, "artificial delay (in seconds) that is injected between insert operations \n"+
 			"for related entities (usually for Cassandra deployments).\n"+
 			"See 'db_update_propagation' in kong.conf.")
+	syncCmd.Flags().BoolVar(&dumpConfig.SkipCACerts, "skip-ca-certificates",
+		false, "do not sync CA certificates.")
 	addSilenceEventsFlag(syncCmd.Flags())
 	return syncCmd
 }
diff --git a/dump/dump.go b/dump/dump.go
@@ -20,6 +20,9 @@ type Config struct {
 	// are not exported.
 	SkipConsumers bool
 
+	// If true, CA certificates are not exported.
+	SkipCACerts bool
+
 	// SelectorTags can be used to export entities tagged with only specific
 	// tags.
 	SelectorTags []string
@@ -185,14 +188,16 @@ func getProxyConfiguration(ctx context.Context, group *errgroup.Group,
 		return nil
 	})
 
-	group.Go(func() error {
-		caCerts, err := GetAllCACertificates(ctx, client, config.SelectorTags)
-		if err != nil {
-			return fmt.Errorf("ca-certificates: %w", err)
-		}
-		state.CACertificates = caCerts
-		return nil
-	})
+	if !config.SkipCACerts {
+		group.Go(func() error {
+			caCerts, err := GetAllCACertificates(ctx, client, config.SelectorTags)
+			if err != nil {
+				return fmt.Errorf("ca-certificates: %w", err)
+			}
+			state.CACertificates = caCerts
+			return nil
+		})
+	}
 
 	group.Go(func() error {
 		snis, err := GetAllSNIs(ctx, client, config.SelectorTags)