fix: #838

internal/domain/access.go

@@ -229,7 +229,7 @@ type AccessConfigForJDCloud struct {
 
 type AccessConfigForKong struct {
 	ServerUrl                string `json:"serverUrl"`
-	ApiToken                 string `json:"apiToken"`
+	ApiToken                 string `json:"apiToken,omitempty"`
 	AllowInsecureConnections bool   `json:"allowInsecureConnections,omitempty"`
 }
 

pkg/core/ssl-deployer/providers/kong/kong.go

@@ -7,8 +7,6 @@ import (
 	"fmt"
 	"log/slog"
 	"net/http"
-	"net/url"
-	"strings"
 
 	"github.com/kong/go-kong/kong"
 
@@ -21,7 +19,7 @@ type SSLDeployerProviderConfig struct {
 	// Kong 服务地址。
 	ServerUrl string `json:"serverUrl"`
 	// Kong Admin API Token。
-	ApiToken string `json:"apiToken"`
+	ApiToken string `json:"apiToken,omitempty"`
 	// 是否允许不安全的连接。
 	AllowInsecureConnections bool `json:"allowInsecureConnections,omitempty"`
 	// 部署资源类型。
@@ -93,40 +91,25 @@ func (d *SSLDeployerProvider) deployToCertificate(ctx context.Context, certPEM s
 		return err
 	}
 
-	if d.config.Workspace == "" {
+	// 更新证书
-		// 更新证书
+	// REF: https://developer.konghq.com/api/gateway/admin-ee/3.10/#/operations/upsert-certificate
-		// REF: https://developer.konghq.com/api/gateway/admin-ee/3.10/#/operations/upsert-certificate
+	// REF: https://developer.konghq.com/api/gateway/admin-ee/3.10/#/operations/upsert-certificate-in-workspace
-		updateCertificateReq := &kong.Certificate{
+	updateCertificateReq := &kong.Certificate{
-			ID:   kong.String(d.config.CertificateId),
+		ID:   kong.String(d.config.CertificateId),
-			Cert: kong.String(certPEM),
+		Cert: kong.String(certPEM),
-			Key:  kong.String(privkeyPEM),
+		Key:  kong.String(privkeyPEM),
-			SNIs: kong.StringSlice(certX509.DNSNames...),
+		SNIs: kong.StringSlice(certX509.DNSNames...),
-		}
+	}
-		updateCertificateResp, err := d.sdkClient.Certificates.Update(context.TODO(), updateCertificateReq)
+	updateCertificateResp, err := d.sdkClient.Certificates.Update(context.TODO(), updateCertificateReq)
-		d.logger.Debug("sdk request 'kong.UpdateCertificate'", slog.String("sslId", d.config.CertificateId), slog.Any("request", updateCertificateReq), slog.Any("response", updateCertificateResp))
+	d.logger.Debug("sdk request 'kong.UpdateCertificate'", slog.String("sslId", d.config.CertificateId), slog.Any("request", updateCertificateReq), slog.Any("response", updateCertificateResp))
-		if err != nil {
+	if err != nil {
-			return fmt.Errorf("failed to execute sdk request 'kong.UpdateCertificate': %w", err)
+		return fmt.Errorf("failed to execute sdk request 'kong.UpdateCertificate': %w", err)
-		}
-	} else {
-		// 更新证书
-		// REF: https://developer.konghq.com/api/gateway/admin-ee/3.10/#/operations/upsert-certificate-in-workspace
-		updateCertificateReq := &kong.Certificate{
-			ID:   kong.String(d.config.CertificateId),
-			Cert: kong.String(certPEM),
-			Key:  kong.String(privkeyPEM),
-			SNIs: kong.StringSlice(certX509.DNSNames...),
-		}
-		updateCertificateResp, err := d.sdkClient.Certificates.Update(context.TODO(), updateCertificateReq)
-		d.logger.Debug("sdk request 'kong.UpdateCertificate'", slog.String("sslId", d.config.CertificateId), slog.Any("request", updateCertificateReq), slog.Any("response", updateCertificateResp))
-		if err != nil {
-			return fmt.Errorf("failed to execute sdk request 'kong.UpdateCertificate': %w", err)
-		}
 	}
 
 	return nil
 }
 
-func createSDKClient(serverUrl, workspace, apiKey string, skipTlsVerify bool) (*kong.Client, error) {
+func createSDKClient(serverUrl, workspace, apiToken string, skipTlsVerify bool) (*kong.Client, error) {
 	httpClient := &http.Client{
 		Transport: xhttp.NewDefaultTransport(),
 		Timeout:   http.DefaultClient.Timeout,
@@ -138,12 +121,23 @@ func createSDKClient(serverUrl, workspace, apiKey string, skipTlsVerify bool) (*
 		}
 		transport.TLSClientConfig.InsecureSkipVerify = true
 		httpClient.Transport = transport
+	} else {
+		httpClient.Transport = http.DefaultTransport
+	}
+
+	httpHeaders := http.Header{}
+	if apiToken != "" {
+		httpHeaders.Set("Kong-Admin-Token", apiToken)
+	}
+
+	client, err := kong.NewClient(kong.String(serverUrl), kong.HTTPClientWithHeaders(httpClient, httpHeaders))
+	if err != nil {
+		return nil, err
 	}
 
-	baseUrl := strings.TrimRight(serverUrl, "/")
 	if workspace != "" {
-		baseUrl = fmt.Sprintf("%s/%s", baseUrl, url.PathEscape(workspace))
+		client.SetWorkspace(workspace)
 	}
 
-	return kong.NewClient(kong.String(baseUrl), httpClient)
+	return client, nil
 }

ui/src/components/access/AccessFormKongConfig.tsx

@@ -27,7 +27,7 @@ const AccessFormKongConfig = ({ form: formInst, formName, disabled, initialValue
 
   const formSchema = z.object({
     serverUrl: z.url(t("common.errmsg.url_invalid")),
-    apiToken: z.string().nonempty(t("access.form.kong_api_token.placeholder")),
+    apiToken: z.string().nullish(),
     allowInsecureConnections: z.boolean().nullish(),
   });
   const formRule = createSchemaFieldRule(formSchema);
@@ -55,7 +55,7 @@ const AccessFormKongConfig = ({ form: formInst, formName, disabled, initialValue
         rules={[formRule]}
         tooltip={<span dangerouslySetInnerHTML={{ __html: t("access.form.kong_api_token.tooltip") }}></span>}
       >
-        <Input.Password autoComplete="new-password" placeholder={t("access.form.kong_api_token.placeholder")} />
+        <Input.Password allowClear autoComplete="new-password" placeholder={t("access.form.kong_api_token.placeholder")} />
       </Form.Item>
 
       <Form.Item name="allowInsecureConnections" label={t("access.form.common_allow_insecure_conns.label")} rules={[formRule]}>

ui/src/i18n/locales/en/nls.access.json

@@ -288,7 +288,7 @@
   "access.form.k8s_kubeconfig.tooltip": "For more information, see <a href=\"https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/\" target=\"_blank\">https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/</a><br><br>Leave it blank to use the Pod's ServiceAccount.",
   "access.form.kong_server_url.label": "Kong admin API server URL",
   "access.form.kong_server_url.placeholder": "Please enter Kong admin API server URL",
-  "access.form.kong_api_token.label": "Kong admin API token",
+  "access.form.kong_api_token.label": "Kong admin API token (Optional)",
   "access.form.kong_api_token.placeholder": "Please enter Kong admin API token",
   "access.form.kong_api_token.tooltip": "For more information, see <a href=\"https://developer.konghq.com/admin-api/\" target=\"_blank\">https://developer.konghq.com/admin-api/</a>",
   "access.form.larkbot_webhook_url.label": "Lark bot Webhook URL",

ui/src/i18n/locales/zh/nls.access.json

@@ -288,7 +288,7 @@
   "access.form.k8s_kubeconfig.tooltip": "这是什么？请参阅 <a href=\"https://kubernetes.io/zh-cn/docs/concepts/configuration/organize-cluster-access-kubeconfig/\" target=\"_blank\">https://kubernetes.io/zh-cn/docs/concepts/configuration/organize-cluster-access-kubeconfig/</a><br><br>为空时，将使用 Pod 的 ServiceAccount 作为凭证。",
   "access.form.kong_server_url.label": "Kong Admin API 服务地址",
   "access.form.kong_server_url.placeholder": "请输入 Kong Admin API 服务地址",
-  "access.form.kong_api_token.label": "Kong Admin API Token",
+  "access.form.kong_api_token.label": "Kong Admin API Token（可选）",
   "access.form.kong_api_token.placeholder": "请输入 Kong Admin API Token",
   "access.form.kong_api_token.tooltip": "这是什么？请参阅 <a href=\"https://developer.konghq.com/admin-api/\" target=\"_blank\">https://developer.konghq.com/admin-api/</a>",
   "access.form.larkbot_webhook_url.label": "飞书群机器人 Webhook 地址",