feat: add basic-auth with skip-hash in konnect (#342)

Prashansa-K · web-flow · commit 269294c0417e · 2025-09-30T11:52:17.000+05:30
* feat: add basic-auth with skip-hash in konnect

* fix: updated codegen

* fix: kong json schema additions

* style: removed stray comment

* chore: updated go-kong to v0.69.0

* fix: fixed file read and write for basic-auth skip-hash

* style: corrected linting

* fix: export IDs when basic-auth present to retain consumer-password mapping
diff --git a/go.mod b/go.mod
@@ -21,7 +21,7 @@ require (
 	github.com/hashicorp/go-retryablehttp v0.7.7
 	github.com/hexops/gotextdiff v1.0.3
 	github.com/kong/deck v1.51.1
-	github.com/kong/go-kong v0.68.0
+	github.com/kong/go-kong v0.69.0
 	github.com/samber/lo v1.50.0
 	github.com/shirou/gopsutil/v3 v3.24.5
 	github.com/ssgelm/cookiejarparser v1.0.1
diff --git a/go.sum b/go.sum
@@ -222,8 +222,8 @@ github.com/kong/deck v1.51.1 h1:TP/bJtcpahIhTPTUy78kzlEVx6RIXrPJlYAfCYqKYFg=
 github.com/kong/deck v1.51.1/go.mod h1:JeLiJp+Ffmuqhe5UaZr08sJVaUUbz7HFb+m28O2FEUM=
 github.com/kong/go-apiops v0.1.49 h1:/gjzH31qUUxvmg/lkePrh2b6trI5lrv7jJD2w9I7JPg=
 github.com/kong/go-apiops v0.1.49/go.mod h1:yPwbl3P2eQinVGAEA0d3legaYmzPJ+WtJf9fSeGF4b8=
-github.com/kong/go-kong v0.68.0 h1:rQrLYRKXD6/xf41GBXj9Ns+woAH9p6a4VvcXNMiPZPI=
-github.com/kong/go-kong v0.68.0/go.mod h1:J0vGB3wsZ2i99zly1zTRe3v7rOKpkhQZRwbcTFP76qM=
+github.com/kong/go-kong v0.69.0 h1:1LHU3y+i23X+RxxXT/bKml5bsxeUfKTfWFa3RK85cSU=
+github.com/kong/go-kong v0.69.0/go.mod h1:J0vGB3wsZ2i99zly1zTRe3v7rOKpkhQZRwbcTFP76qM=
 github.com/kong/go-slugify v1.0.0 h1:vCFAyf2sdoSlBtLcrmDWUFn0ohlpKiKvQfXZkO5vSKY=
 github.com/kong/go-slugify v1.0.0/go.mod h1:dbR2h3J2QKXQ1k0aww6cN7o4cIcwlWflr6RKRdcoaiw=
 github.com/kong/kubernetes-configuration v1.4.2 h1:/OafLbl2NucvgQV7Xf/uneIgjxmPPUeE92BrssfVAQY=
diff --git a/pkg/dump/dump.go b/pkg/dump/dump.go
@@ -77,6 +77,8 @@ type Config struct {
 	// We require it here to signal the Writer about the sanitization, so
 	// that referential integrity can be handled properly via IDs.
 	SanitizeContent bool
+
+	SkipHashForBasicAuth bool
 }
 
 func deduplicate(stringSlice []string) []string {
@@ -268,7 +270,14 @@ func getConsumerConfiguration(ctx context.Context, group *errgroup.Group,
 		if err != nil {
 			return fmt.Errorf("basic-auths: %w", err)
 		}
-		state.BasicAuths = basicAuths
+		var options []*kong.BasicAuthOptions
+		for _, basicAuth := range basicAuths {
+			option := &kong.BasicAuthOptions{
+				BasicAuth: *basicAuth,
+			}
+			options = append(options, option)
+		}
+		state.BasicAuths = options
 		return nil
 	})
 
diff --git a/pkg/file/builder.go b/pkg/file/builder.go
@@ -65,6 +65,8 @@ type stateBuilder struct {
 
 	isConsumerGroupPolicyOverrideSet bool
 
+	skipHashForBasicAuth bool
+
 	err error
 }
 
@@ -834,10 +836,12 @@ func (b *stateBuilder) consumers() {
 			return
 		}
 
-		var basicAuths []kong.BasicAuth
+		var basicAuths []kong.BasicAuthOptions
 		for _, cred := range c.BasicAuths {
 			cred.Consumer = utils.GetConsumerReference(c.Consumer)
-			basicAuths = append(basicAuths, *cred)
+			basicAuths = append(basicAuths, kong.BasicAuthOptions{
+				BasicAuth: *cred,
+			})
 		}
 		if err := b.ingestBasicAuths(basicAuths); err != nil {
 			b.err = err
@@ -948,7 +952,7 @@ func (b *stateBuilder) ingestKeyAuths(creds []kong.KeyAuth) error {
 	return nil
 }
 
-func (b *stateBuilder) ingestBasicAuths(creds []kong.BasicAuth) error {
+func (b *stateBuilder) ingestBasicAuths(creds []kong.BasicAuthOptions) error {
 	for _, cred := range creds {
 		existingCred, err := b.currentState.BasicAuths.Get(*cred.Username)
 		if utils.Empty(cred.ID) {
@@ -966,6 +970,10 @@ func (b *stateBuilder) ingestBasicAuths(creds []kong.BasicAuth) error {
 		if existingCred != nil {
 			cred.CreatedAt = existingCred.CreatedAt
 		}
+		if b.skipHashForBasicAuth {
+			cred.SkipHash = kong.Bool(true)
+		}
+
 		b.rawState.BasicAuths = append(b.rawState.BasicAuths, &cred)
 	}
 	return nil
diff --git a/pkg/file/builder_test.go b/pkg/file/builder_test.go
@@ -1448,14 +1448,16 @@ func Test_stateBuilder_consumers(t *testing.T) {
 						},
 					},
 				},
-				BasicAuths: []*kong.BasicAuth{
+				BasicAuths: []*kong.BasicAuthOptions{
 					{
-						ID:       kong.String("0cc0d614-4c88-4535-841a-cbe0709b0758"),
-						Username: kong.String("basic-username"),
-						Password: kong.String("basic-password"),
-						Consumer: &kong.Consumer{
-							ID:       kong.String("5b1484f2-5209-49d9-b43e-92ba09dd9d52"),
-							Username: kong.String("foo"),
+						BasicAuth: kong.BasicAuth{
+							ID:       kong.String("0cc0d614-4c88-4535-841a-cbe0709b0758"),
+							Username: kong.String("basic-username"),
+							Password: kong.String("basic-password"),
+							Consumer: &kong.Consumer{
+								ID:       kong.String("5b1484f2-5209-49d9-b43e-92ba09dd9d52"),
+								Username: kong.String("foo"),
+							},
 						},
 					},
 				},
@@ -1600,14 +1602,16 @@ func Test_stateBuilder_consumers(t *testing.T) {
 						},
 					},
 				},
-				BasicAuths: []*kong.BasicAuth{
+				BasicAuths: []*kong.BasicAuthOptions{
 					{
-						ID:       kong.String("92f4c849-960b-43af-aad3-f307051408d3"),
-						Username: kong.String("basic-username"),
-						Password: kong.String("basic-password"),
-						Consumer: &kong.Consumer{
-							ID:       kong.String("4bfcb11f-c962-4817-83e5-9433cf20b663"),
-							Username: kong.String("foo"),
+						BasicAuth: kong.BasicAuth{
+							ID:       kong.String("92f4c849-960b-43af-aad3-f307051408d3"),
+							Username: kong.String("basic-username"),
+							Password: kong.String("basic-password"),
+							Consumer: &kong.Consumer{
+								ID:       kong.String("4bfcb11f-c962-4817-83e5-9433cf20b663"),
+								Username: kong.String("foo"),
+							},
 						},
 					},
 				},
@@ -1739,14 +1743,16 @@ func Test_stateBuilder_consumers(t *testing.T) {
 						},
 					},
 				},
-				BasicAuths: []*kong.BasicAuth{
+				BasicAuths: []*kong.BasicAuthOptions{
 					{
-						ID:       kong.String("92f4c849-960b-43af-aad3-f307051408d3"),
-						Username: kong.String("basic-username"),
-						Password: kong.String("basic-password"),
-						Consumer: &kong.Consumer{
-							ID:       kong.String("4bfcb11f-c962-4817-83e5-9433cf20b663"),
-							Username: kong.String("foo"),
+						BasicAuth: kong.BasicAuth{
+							ID:       kong.String("92f4c849-960b-43af-aad3-f307051408d3"),
+							Username: kong.String("basic-username"),
+							Password: kong.String("basic-password"),
+							Consumer: &kong.Consumer{
+								ID:       kong.String("4bfcb11f-c962-4817-83e5-9433cf20b663"),
+								Username: kong.String("foo"),
+							},
 						},
 					},
 				},
diff --git a/pkg/file/kong_json_schema.json b/pkg/file/kong_json_schema.json
@@ -1536,6 +1536,9 @@
         },
         "consumer_group_policy_overrides": {
           "type": "boolean"
+        },
+        "skip_hash_for_basic_auth": {
+          "type": "boolean"
         }
       },
       "additionalProperties": false,
diff --git a/pkg/file/reader.go b/pkg/file/reader.go
@@ -83,6 +83,7 @@ func Get(ctx context.Context, fileContent *Content, opt RenderConfig, dumpConfig
 	builder.includeLicenses = dumpConfig.IncludeLicenses
 	builder.isPartialApply = dumpConfig.IsPartialApply
 	builder.isConsumerGroupPolicyOverrideSet = dumpConfig.IsConsumerGroupPolicyOverrideSet
+	builder.skipHashForBasicAuth = dumpConfig.SkipHashForBasicAuth
 
 	if len(dumpConfig.SelectorTags) > 0 {
 		builder.selectTags = dumpConfig.SelectorTags
diff --git a/pkg/file/types.go b/pkg/file/types.go
@@ -784,6 +784,7 @@ type Info struct {
 	LookUpSelectorTags           *LookUpSelectorTags `json:"default_lookup_tags,omitempty" yaml:"default_lookup_tags,omitempty"` //nolint
 	Defaults                     KongDefaults        `json:"defaults,omitempty" yaml:"defaults,omitempty"`
 	ConsumerGroupPolicyOverrides bool                `json:"consumer_group_policy_overrides,omitempty" yaml:"consumer_group_policy_overrides,omitempty"` //nolint
+	SkipHashForBasicAuth         bool                `json:"skip_hash_for_basic_auth,omitempty" yaml:"skip_hash_for_basic_auth,omitempty"`               //nolint
 }
 
 // LookUpSelectorTags contains tags to lookup
diff --git a/pkg/file/writer.go b/pkg/file/writer.go
@@ -10,6 +10,7 @@ import (
 	"sort"
 	"strings"
 
+	"github.com/kong/go-database-reconciler/pkg/cprint"
 	"github.com/kong/go-database-reconciler/pkg/state"
 	"github.com/kong/go-database-reconciler/pkg/utils"
 	"github.com/kong/go-kong/kong"
@@ -45,6 +46,22 @@ func getFormatVersion(kongVersion string) (string, error) {
 	return formatVersion, nil
 }
 
+func exportIDsWithBasicAuth(kongState *state.KongState) bool {
+	basicAuths, err := kongState.BasicAuths.GetAll()
+	if err != nil {
+		return false
+	}
+
+	exportIDs := len(basicAuths) > 0
+
+	if exportIDs {
+		const idsWarning = "Warning: basic-auth credentials detected, IDs will be exported"
+		cprint.UpdatePrintlnStdErr(idsWarning)
+	}
+
+	return exportIDs
+}
+
 // KongStateToFile generates a state object to file.Content.
 // It will omit timestamps and IDs while writing.
 func KongStateToContent(kongState *state.KongState, config WriteConfig) (*Content, error) {
@@ -80,6 +97,10 @@ func KongStateToContent(kongState *state.KongState, config WriteConfig) (*Conten
 		}
 	}
 
+	if exportIDsWithBasicAuth(kongState) {
+		config.WithID = true
+	}
+
 	err = populateServices(kongState, file, config)
 	if err != nil {
 		return nil, err
diff --git a/pkg/state/basicauth.go b/pkg/state/basicauth.go
@@ -31,7 +31,10 @@ func (k *BasicAuthsCollection) Get(keyOrID string) (*BasicAuth, error) {
 	if !ok {
 		panic(unexpectedType)
 	}
-	return &BasicAuth{BasicAuth: *basicAuth.DeepCopy()}, nil
+	return &BasicAuth{
+		BasicAuth: *basicAuth.DeepCopy(),
+		SkipHash:  basicAuth.SkipHash,
+	}, nil
 }
 
 // GetAllByConsumerID returns all basic-auth credentials
@@ -50,7 +53,10 @@ func (k *BasicAuthsCollection) GetAllByConsumerID(id string) ([]*BasicAuth,
 		if !ok {
 			panic(unexpectedType)
 		}
-		res = append(res, &BasicAuth{BasicAuth: *r.DeepCopy()})
+		res = append(res, &BasicAuth{
+			BasicAuth: *r.DeepCopy(),
+			SkipHash:  r.SkipHash,
+		})
 	}
 	return res, nil
 }
@@ -79,7 +85,10 @@ func (k *BasicAuthsCollection) GetAll() ([]*BasicAuth, error) {
 		if !ok {
 			panic(unexpectedType)
 		}
-		res = append(res, &BasicAuth{BasicAuth: *r.DeepCopy()})
+		res = append(res, &BasicAuth{
+			BasicAuth: *r.DeepCopy(),
+			SkipHash:  r.SkipHash,
+		})
 	}
 	return res, nil
 }
diff --git a/pkg/state/builder.go b/pkg/state/builder.go
@@ -197,7 +197,10 @@ func buildKong(kongState *KongState, raw *utils.KongRawState) error {
 			continue
 		}
 		cred.Consumer = c
-		err = kongState.BasicAuths.Add(BasicAuth{BasicAuth: *cred})
+		err = kongState.BasicAuths.Add(BasicAuth{
+			BasicAuth: cred.BasicAuth,
+			SkipHash:  cred.SkipHash,
+		})
 		if err != nil {
 			return fmt.Errorf("inserting basic-auth into state: %w", err)
 		}
diff --git a/pkg/state/types.go b/pkg/state/types.go
@@ -1295,6 +1295,7 @@ func (j1 *JWTAuth) GetConsumer() string {
 // It adds some helper methods along with Meta to the original BasicAuth object.
 type BasicAuth struct {
 	kong.BasicAuth `yaml:",inline"`
+	SkipHash       *bool
 	Meta
 }
 
diff --git a/pkg/types/basicauth.go b/pkg/types/basicauth.go
@@ -27,10 +27,10 @@ func basicAuthFromStruct(arg crud.Event) *state.BasicAuth {
 	return basicAuth
 }
 
-// Create creates a Route in Kong.
+// Create creates a BasicAuth in Kong.
 // The arg should be of type crud.Event, containing the basicAuth to be created,
 // else the function will panic.
-// It returns a the created *state.Route.
+// It returns a the created *state.BasicAuth.
 func (s *basicAuthCRUD) Create(ctx context.Context, arg ...crud.Arg) (crud.Arg, error) {
 	event := crud.EventFromArg(arg[0])
 	basicAuth := basicAuthFromStruct(event)
@@ -41,18 +41,21 @@ func (s *basicAuthCRUD) Create(ctx context.Context, arg ...crud.Arg) (crud.Arg,
 	if !utils.Empty(basicAuth.Consumer.ID) {
 		cid = *basicAuth.Consumer.ID
 	}
-	createdBasicAuth, err := s.client.BasicAuths.Create(ctx, &cid,
-		&basicAuth.BasicAuth)
+	createdBasicAuth, err := s.client.BasicAuths.CreateWithOptions(ctx, &cid,
+		&kong.BasicAuthOptions{
+			BasicAuth: basicAuth.BasicAuth,
+			SkipHash:  basicAuth.SkipHash,
+		})
 	if err != nil {
 		return nil, err
 	}
 	return &state.BasicAuth{BasicAuth: *createdBasicAuth}, nil
 }
 
-// Delete deletes a Route in Kong.
+// Delete deletes a BasicAuth in Kong.
 // The arg should be of type crud.Event, containing the basicAuth to be deleted,
 // else the function will panic.
-// It returns a the deleted *state.Route.
+// It returns a the deleted *state.BasicAuth.
 func (s *basicAuthCRUD) Delete(ctx context.Context, arg ...crud.Arg) (crud.Arg, error) {
 	event := crud.EventFromArg(arg[0])
 	basicAuth := basicAuthFromStruct(event)
@@ -70,10 +73,10 @@ func (s *basicAuthCRUD) Delete(ctx context.Context, arg ...crud.Arg) (crud.Arg,
 	return basicAuth, nil
 }
 
-// Update updates a Route in Kong.
+// Update updates a BasicAuth in Kong.
 // The arg should be of type crud.Event, containing the basicAuth to be updated,
 // else the function will panic.
-// It returns a the updated *state.Route.
+// It returns a the updated *state.BasicAuth.
 func (s *basicAuthCRUD) Update(ctx context.Context, arg ...crud.Arg) (crud.Arg, error) {
 	event := crud.EventFromArg(arg[0])
 	basicAuth := basicAuthFromStruct(event)
@@ -85,7 +88,11 @@ func (s *basicAuthCRUD) Update(ctx context.Context, arg ...crud.Arg) (crud.Arg,
 	if !utils.Empty(basicAuth.Consumer.ID) {
 		cid = *basicAuth.Consumer.ID
 	}
-	updatedBasicAuth, err := s.client.BasicAuths.Create(ctx, &cid, &basicAuth.BasicAuth)
+	updatedBasicAuth, err := s.client.BasicAuths.CreateWithOptions(ctx, &cid,
+		&kong.BasicAuthOptions{
+			BasicAuth: basicAuth.BasicAuth,
+			SkipHash:  basicAuth.SkipHash,
+		})
 	if err != nil {
 		return nil, err
 	}
@@ -169,8 +176,14 @@ func (d *basicAuthDiffer) CreateAndUpdates(handler func(crud.Event) error) error
 }
 
 func (d *basicAuthDiffer) createUpdateBasicAuth(basicAuth *state.BasicAuth) (*crud.Event, error) {
-	d.warnBasicAuth()
-	basicAuth = &state.BasicAuth{BasicAuth: *basicAuth.DeepCopy()}
+	if basicAuth.SkipHash == nil {
+		d.warnBasicAuth()
+	}
+
+	basicAuth = &state.BasicAuth{
+		BasicAuth: *basicAuth.DeepCopy(),
+		SkipHash:  basicAuth.SkipHash,
+	}
 	currentBasicAuth, err := d.currentState.BasicAuths.Get(*basicAuth.ID)
 	if errors.Is(err, state.ErrNotFound) {
 		// basicAuth not present, create it
diff --git a/pkg/utils/types.go b/pkg/utils/types.go
@@ -50,7 +50,7 @@ type KongRawState struct {
 	KeyAuths    []*kong.KeyAuth
 	HMACAuths   []*kong.HMACAuth
 	JWTAuths    []*kong.JWTAuth
-	BasicAuths  []*kong.BasicAuth
+	BasicAuths  []*kong.BasicAuthOptions
 	ACLGroups   []*kong.ACLGroup
 	Oauth2Creds []*kong.Oauth2Credential
 	MTLSAuths   []*kong.MTLSAuth
diff --git a/tests/integration/sync_test.go b/tests/integration/sync_test.go
@@ -8913,7 +8913,7 @@ func Test_Sync_Consumers_Default_Lookup_Tag(t *testing.T) {
 		err = sync("testdata/sync/015-consumer-groups/kong-consumer-2.yaml")
 		require.NoError(t, err)
 
-		//re-sync with no error
+		// re-sync with no error
 		err = sync("testdata/sync/015-consumer-groups/kong-consumer-1.yaml")
 		require.NoError(t, err)
 		err = sync("testdata/sync/015-consumer-groups/kong-consumer-2.yaml")

Original file line number	Diff line number	Diff line change
`@@ -784,6 +784,7 @@ type Info struct {`
`784`	`784`	LookUpSelectorTags *LookUpSelectorTags `json:"default_lookup_tags,omitempty" yaml:"default_lookup_tags,omitempty"` //nolint
`785`	`785`	Defaults KongDefaults `json:"defaults,omitempty" yaml:"defaults,omitempty"`
`786`	`786`	ConsumerGroupPolicyOverrides bool `json:"consumer_group_policy_overrides,omitempty" yaml:"consumer_group_policy_overrides,omitempty"` //nolint
	`787`	+ SkipHashForBasicAuth bool `json:"skip_hash_for_basic_auth,omitempty" yaml:"skip_hash_for_basic_auth,omitempty"` //nolint
`787`	`788`	`}`
`788`	`789`
`789`	`790`	`// LookUpSelectorTags contains tags to lookup`
Original file line number	Diff line number	Diff line change
`@@ -31,7 +31,10 @@ func (k BasicAuthsCollection) Get(keyOrID string) (BasicAuth, error) {`
`31`	`31`	`if !ok {`
`32`	`32`	`panic(unexpectedType)`
`33`	`33`	`}`
`34`		`- return &BasicAuth{BasicAuth: *basicAuth.DeepCopy()}, nil`
	`34`	`+ return &BasicAuth{`
	`35`	`+ BasicAuth: *basicAuth.DeepCopy(),`
	`36`	`+ SkipHash: basicAuth.SkipHash,`
	`37`	`+ }, nil`
`35`	`38`	`}`
`36`	`39`
`37`	`40`	`// GetAllByConsumerID returns all basic-auth credentials`
`@@ -50,7 +53,10 @@ func (k BasicAuthsCollection) GetAllByConsumerID(id string) ([]BasicAuth,`
`50`	`53`	`if !ok {`
`51`	`54`	`panic(unexpectedType)`
`52`	`55`	`}`
`53`		`- res = append(res, &BasicAuth{BasicAuth: *r.DeepCopy()})`
	`56`	`+ res = append(res, &BasicAuth{`
	`57`	`+ BasicAuth: *r.DeepCopy(),`
	`58`	`+ SkipHash: r.SkipHash,`
	`59`	`+ })`
`54`	`60`	`}`
`55`	`61`	`return res, nil`
`56`	`62`	`}`
`@@ -79,7 +85,10 @@ func (k BasicAuthsCollection) GetAll() ([]BasicAuth, error) {`
`79`	`85`	`if !ok {`
`80`	`86`	`panic(unexpectedType)`
`81`	`87`	`}`
`82`		`- res = append(res, &BasicAuth{BasicAuth: *r.DeepCopy()})`
	`88`	`+ res = append(res, &BasicAuth{`
	`89`	`+ BasicAuth: *r.DeepCopy(),`
	`90`	`+ SkipHash: r.SkipHash,`
	`91`	`+ })`
`83`	`92`	`}`
`84`	`93`	`return res, nil`
`85`	`94`	`}`