feat: event gateway static keys

[harshadixit12]

Summary

In this PR, we are adding support for

1. Declarative management of Event Gateway Static Keys
2. Imperative GET for Static Keys
3. Dump for Static Keys
4. View for Static Keys

Example for GET

./kongctl get egw static-keys --gateway-id $EGW_ID
./kongctl get egw sk --gateway-id $EGW_ID --static-key-id $SKID
./kongctl get konnect egw sk --gateway-name $EGW_NAME --static-key-name $SKNAME

[harshadixit12]

Note: there is no update operation for static keys - only replace.
https://developer.konghq.com/api/konnect/event-gateway/v1/#/operations/create-event-gateway-static-key

[Copilot]

Pull request overview

Adds first-class support for Event Gateway Static Keys across kongctl’s declarative engine and Konnect CLI surface area (get/dump/view), plus accompanying e2e and unit coverage.

Changes:

• Introduces a new declarative resource type event_gateway_static_key with planner + executor support (including nested and root-level declarations).
• Adds imperative get event-gateway static-keys command and interactive child-view support.
• Extends declarative dump and multiple e2e workflows to include static keys.

Reviewed changes

Copilot reviewed 33 out of 33 changed files in this pull request and generated 7 comments.

Show a summary per file

File	Description
test/e2e/scenarios/event-gateway/static-key/testdata/config.yaml	Adds baseline EGW + static key declarative config for new e2e scenario.
test/e2e/scenarios/event-gateway/static-key/scenario.yaml	New e2e scenario covering create/replace/delete + root-level declarations.
test/e2e/scenarios/event-gateway/static-key/overlays/001-update-fields/config.yaml	Overlay to force replace behavior (static keys don’t support update).
test/e2e/scenarios/event-gateway/static-key/overlays/002-sync-delete/config.yaml	Overlay to validate sync-mode deletion of nested static keys.
test/e2e/scenarios/event-gateway/static-key/overlays/003-root-level-declaration/config.yaml	Overlay validating root-level event_gateway_static_keys declarations.
test/e2e/scenarios/event-gateway/static-key/overlays/004-sync-delete-root-level-declaration/config.yaml	Overlay validating sync-mode deletion for root-level static keys.
test/e2e/scenarios/event-gateway/plan/sync-workflow/scenario.yaml	Extends plan/sync workflow e2e coverage to include static keys.
test/e2e/scenarios/event-gateway/plan/sync-workflow/overlays/011-static-key/config.yaml	Adds static key declaration to plan/sync workflow overlay.
test/e2e/scenarios/event-gateway/plan/apply-workflow/scenario.yaml	Extends plan/apply workflow e2e coverage to include static keys.
test/e2e/scenarios/event-gateway/plan/apply-workflow/overlays/011-static-key/config.yaml	Adds static key declaration to plan/apply workflow overlay.
test/e2e/scenarios/event-gateway/dump/testdata/config.yaml	Adds a static key to dump scenario input config.
test/e2e/scenarios/event-gateway/dump/scenario.yaml	Updates dump scenario assertions and round-trip idempotency expectations for static keys.
internal/konnect/helpers/sdk_mock.go	Extends Konnect SDK mock to provide an EventGatewayStaticKey API factory.
internal/konnect/helpers/sdk.go	Extends SDK interface + implementation to expose EventGatewayStaticKey API.
internal/konnect/helpers/event_gateway_static_keys.go	New helper interface/impl wrapping sdk-konnect-go static key operations.
internal/declarative/state/client.go	Adds state client list/get/create/delete operations for static keys.
internal/declarative/resources/types.go	Adds ResourceTypeEventGatewayStaticKey and root-level collection + helper lookup.
internal/declarative/resources/event_gateway_static_key.go	New declarative resource definition for static keys.
internal/declarative/resources/event_gateway_control_plane.go	Adds nested static_keys support under event gateways.
internal/declarative/protection/lookup.go	Marks static key resources as unprotectable (consistent with other EGW children).
internal/declarative/planner/event_gateway_static_key_planner.go	New planner implementing diff + sync deletion + replace-on-change behavior.
internal/declarative/planner/event_gateway_static_key_planner_test.go	Unit tests for static key change detection logic.
internal/declarative/planner/egw_control_plane_planner.go	Integrates static key planning into EGW control plane planning flow.
internal/declarative/planner/constants.go	Adds planner resource type constant for static keys.
internal/declarative/executor/executor.go	Wires static key executor into create/delete dispatch.
internal/declarative/executor/event_gateway_static_key_adapter.go	New executor adapter mapping plan fields to SDK create/delete/get operations.
internal/cmd/root/verbs/dump/declarative_children.go	Extends dump child population to include static keys.
internal/cmd/root/verbs/dump/declarative.go	Injects static key API into dump’s declarative state client.
internal/cmd/root/products/konnect/eventgateway/static_keys.go	New get event-gateway static-keys command implementation + rendering.
internal/cmd/root/products/konnect/eventgateway/interactive_children.go	Adds static keys as an interactive child resource under event gateways.
internal/cmd/root/products/konnect/eventgateway/getEventGateway.go	Registers the new static-keys child command under event-gateway get.
internal/cmd/root/products/konnect/eventgateway/child_common.go	Adds flag plumbing for --static-key-id / --static-key-name.
internal/cmd/root/products/konnect/declarative/declarative.go	Injects static key API into declarative state client creation.

[Copilot]

planStaticKeyCreate includes the static key value in change.Fields. The declarative text diff renderer only redacts fields whose key names look secret/token/password, so this will print static key material in cleartext in kongctl plan/diff output. Consider storing the value under a redaction-triggering key (e.g. static_key_secret), adding a resource-specific redaction rule, or otherwise preventing plaintext static keys from being displayed/logged.

Suggested change

	fields["value"] = key.Value
	fields["static_key_secret"] = key.Value

[harshadixit12]

@rspurgeon I wanted to understand if this feedback is relevant - "value" here could be sensitive information - is there an existing feature which redacts sensitive fields in plan / diff?

Also for visibility, another problem which I'm working on - !env tag is not being respected - plaintext for this field is leaking to plan. Adding do-not-merge label to PR till that is resolved.

[rspurgeon]

@harshadixit12 This is agent generated, but I studied and believe it is the proper analysis:

There is an existing key-name-based redaction feature in the declarative UX, but it is specific to the human-readable diff renderer, not a general “all plan output” safeguard. The relevant code is in internal/
cmd/root/products/konnect/declarative/declarative.go:60, internal/cmd/root/products/konnect/declarative/declarative.go:1064, and internal/cmd/root/products/konnect/declarative/declarative.go:1176. It redacts
fields whose normalized names match exact sensitive keys or contain segments like secret, password, credential, private_key, api_key, or token-like suffixes. value does not match any of those rules, so a static
key stored as fields["value"] would not be masked in text diff output.

That behavior is covered by tests in internal/cmd/root/products/konnect/declarative/declarative_test.go:148, which explicitly verify redaction for oidc_client_secret and custom_private_key. So Copilot was not
inventing the “key-name-based redaction” concept.

Where Copilot is right and where it is off

Copilot is right that the static-key planner currently stores plaintext in internal/declarative/planner/event_gateway_static_key_planner.go:151, specifically fields["value"] = key.Value, and that value will not
trigger the diff redactor.

Copilot is imprecise in two ways:

• kongctl plan does not use that text diff renderer at all. The plan command marshals the raw plan JSON directly in internal/cmd/root/products/konnect/declarative/declarative.go:540, so there is no key-name
  masking there.
• kongctl diff -o json|yaml also writes the raw plan in internal/cmd/root/products/konnect/declarative/declarative.go:793, so renaming the field to something secret-looking would only help text diff, not
  structured outputs.

So the risk Copilot flagged is real, but its explanation is only fully correct for diff text output.

What the codebase currently does

There are three separate redaction systems:

• Declarative diff text output: key-name-based masking plus !env placeholder sanitization. This is the most relevant path here.
• Deferred !env handling: the planner rewrites deferred env-backed values into placeholders before returning the plan in internal/declarative/planner/planner.go:389, and text renderers sanitize those
  placeholders to [redacted from !env] via internal/declarative/common/env_redaction.go:12. That is a separate mechanism from key-name masking.
• HTTP trace logging: request/response/query/header/body redaction is also key-name-based in internal/konnect/httpclient/logging.go:28. That likely informed Copilot’s intuition, but it is not the same output
  path as declarative plan artifacts.

Bottom line

Copilot’s comment is relevant and directionally accurate:

• value is not treated as sensitive by the declarative diff redactor.
• plaintext static key material can leak from this planner path.

But it is not fully accurate as written:

• the repo already has an existing sensitive-field redaction feature for diff text output
• plan output leaks for a different reason: it is raw JSON, not text-rendered
• Harsha’s !env concern is separate and also real; if !env handling is broken for this field, that is an additional bug, not a rebuttal to Copilot’s point