kgo: add KGO 1.5 guide for consumer credential Secrets

pmalek · pmalek · commit ffa1069703e2 · 2025-03-12T16:44:02.000+01:00
diff --git a/app/_src/gateway-operator/guides/konnect-entities/consumer-and-consumergroup.md b/app/_src/gateway-operator/guides/konnect-entities/consumer-and-consumergroup.md
@@ -44,19 +44,23 @@ At this point, you should see the consumer in the Gateway Manager UI.
 
 ## Associate the consumer with credentials
 
-Consumers can have credentials associated with them. You can create one of the supported credential types. Please refer
-to the below custom resource's documentation links to learn all the available fields for each credential type.
+Consumers can have credentials associated with them.
+In order to define credentials you can use the dedicated CRDs{% if_version gte: 1.5.x %} or define credentials in Secrets and link them using `KongConsumer` `credentials` field{% endif_version %}.
+
+### Using CRDs
+
+{{ site.kgo_product_name }} supports the following credential types, please refer to each type's documentation link to learn all the available fields for each credential type:
 
 - [KongCredentialBasicAuth](/gateway-operator/{{ page.release }}/reference/custom-resources/#kongcredentialbasicauth)
-- [KongCredentialKeyAuth](/gateway-operator/{{ page.release }}/reference/custom-resources/#kongcredentialkeyauth)
+- [KongCredentialAPIKey](/gateway-operator/{{ page.release }}/reference/custom-resources/#kongcredentialapikey)
 - [KongCredentialACL](/gateway-operator/{{ page.release }}/reference/custom-resources/#kongcredentialacl)
 - [KongCredentialJWT](/gateway-operator/{{ page.release }}/reference/custom-resources/#kongcredentialjwt)
 - [KongCredentialHMAC](/gateway-operator/{{ page.release }}/reference/custom-resources/#kongcredentialhmac)
 
 For example, you can create a `KongCredentialBasicAuth` associated with the `consumer` `KongConsumer` by applying the
 following YAML manifest:
 
-```yaml
+```bash
 echo '
 apiVersion: configuration.konghq.com/v1alpha1
 kind: KongCredentialBasicAuth
@@ -75,6 +79,89 @@ spec:
 
 At this point, you should see the credential in the consumer's credentials in the Gateway Manager UI.
 
+{% if_version gte: 1.5.x %}
+### Using Secrets
+
+To use Secrets as consumer credential definitions, you can create a Secret with the credentials and link it to the `KongConsumer` object using the `credentials` field:
+
+```bash
+echo '
+kind: KongConsumer
+apiVersion: configuration.konghq.com/v1
+metadata:
+  name: consumer1
+  namespace: default
+username: consumer1
+spec:
+  controlPlaneRef:
+    type: konnectNamespacedRef
+    konnectNamespacedRef:
+      name: cp
+credentials:
+- consumer1-basic-auth1
+---
+kind: Secret
+apiVersion: v1
+metadata:
+  name: consumer1-basic-auth1
+  namespace: default
+  labels:
+    konghq.com/credential: basic-auth
+stringData:
+  username: username
+  password: pass
+  ' | kubectl apply -f -
+```
+
+This manifest should yield a consumer with a basic auth credential associated with it in {{ site.konnect_short_name }}.
+
+We can check the validity of the credential secret reference by looking at the `CredentialSecretRefsValid` `KongConsumer` condition:
+
+```bash
+kubectl get kongconsumer consumer1 -o=jsonpath='{.status.conditions[?(@.type=="CredentialSecretRefsValid")]}' | jq
+```
+
+Should give the following output:
+
+```yaml
+{
+  "lastTransitionTime": "2025-03-12T15:36:46Z",
+  "message": "",
+  "observedGeneration": 1,
+  "reason": "Valid",
+  "status": "True",
+  "type": "CredentialSecretRefsValid"
+}
+```
+
+#### Credential Secret Requirements
+
+Please note that `Secret`s used as credentials have to meet certain requirements:
+
+- each `Secret` has to be labeled using the `konghq.com/credential` label with the credential type as the value:
+  - basic auth credentials should have it set to `basic-auth`
+  - API key credentials should have it set to `key-auth`
+  - HMAC credentials should have it set to `hmac-auth`
+  - JWT credentials should have it set to `jwt`
+  - ACL credentials should have it set to `acl`
+
+- additionally each `Secret` has to contain the following fields:
+  - basic auth credentials:
+    - `username`: the username
+    - `password`: the password
+  - API key credentials:
+    - `key`: the API key
+  - HMAC credentials:
+    - `username`: the username
+    - `secret`: the secret
+  - JWT credentials
+    - `key`: the key
+    - `algorithm`: the algorithm (please consult the [JWT plugin reference](/hub/kong-inc/jwt/#create-a-jwt-credential) for the supported algorithms)
+    - `rsa_public_key`: the RSA public key (if the `algorithm` is requires it)
+  - ACL credentials
+    - `group`: the group
+{% endif_version %}
+
 ## Create a consumer group
 
 Creating the `KongConsumerGroup` object in your Kubernetes cluster will provision a {{site.konnect_product_name}} consumer group in
