Kong · pmalek · Mar 3, 2026 · Mar 3, 2026
@@ -795,15 +795,20 @@ func getMatchingEntryFromListResponseData[
 ](
 	data []T,
 	entity entity,
-) (string, error) {
-	var id string
+) (T, string, error) {
+	var (
+		id  string
+		ret T
+	)
 	for _, entry := range data {
 		entryID := entry.GetID()
 		switch entryID := any(entryID).(type) {
 		case string:
 			if entryID != "" {
 				id = entryID
+				ret = entry
 				break
+
 			}
 		case *string:
 			if entryID != nil && *entryID != "" {
@@ -814,12 +819,12 @@ func getMatchingEntryFromListResponseData[
 	}
 
 	if id == "" {
-		return "", EntityWithMatchingUIDNotFoundError{
+		return ret, "", EntityWithMatchingUIDNotFoundError{
 			Entity: entity,
 		}
 	}
 
-	return id, nil
+	return ret, id, nil
 }
 
 // ClearInstanceFromError clears the instance field from the error.

@@ -11,10 +11,12 @@ import (
 	"github.com/sourcegraph/conc/iter"
 	corev1 "k8s.io/api/core/v1"
 	"sigs.k8s.io/controller-runtime/pkg/client"
+	ctrllog "sigs.k8s.io/controller-runtime/pkg/log"
 
 	commonv1alpha1 "github.com/kong/kong-operator/v2/api/common/v1alpha1"
 	konnectv1alpha1 "github.com/kong/kong-operator/v2/api/konnect/v1alpha1"
 	konnectv1alpha2 "github.com/kong/kong-operator/v2/api/konnect/v1alpha2"
+	"github.com/kong/kong-operator/v2/controller/pkg/patch"
 )
 
 // ensureControlPlane ensures that the Konnect ControlPlane exists in Konnect. It is created
@@ -40,8 +42,12 @@ func ensureControlPlane(
 		if err != nil {
 			return err
 		}
+		old := cp.DeepCopy()
 		cp.SetKonnectID(string(cp.Spec.Mirror.Konnect.ID))
-		cp.Status.ClusterType = resp.Config.ClusterType
+		if fillKonnectGatewayControlPlaneStatusFromResponse(cp, resp.Config) {
+			_, err = patch.ApplyStatusPatchIfNotEmpty(ctx, cl, ctrllog.FromContext(ctx), cp, old)
+			return err
+		}
 		return nil
 	default:
 		// This should never happen, as the source type is validated by CEL rules.
@@ -74,8 +80,14 @@ func createControlPlane(
 
 	// At this point, the ControlPlane has been created in Konnect.
 	id := resp.ControlPlane.ID
+	old := cp.DeepCopy()
 	cp.SetKonnectID(id)
-	cp.Status.ClusterType = resp.ControlPlane.Config.ClusterType
+	if fillKonnectGatewayControlPlaneStatusFromResponse(cp, resp.ControlPlane.Config) {
+		_, err = patch.ApplyStatusPatchIfNotEmpty(ctx, cl, ctrllog.FromContext(ctx), cp, old)
+		if err != nil {
+			return err
+		}
+	}
 
 	if err := setGroupMembers(ctx, cl, cp, id, sdkGroups); err != nil {
 		// If we failed to set group membership, we should return a specific error with a reason
@@ -145,8 +157,16 @@ func updateControlPlane(
 	if resp == nil || resp.ControlPlane == nil {
 		return fmt.Errorf("failed updating ControlPlane: %w", ErrNilResponse)
 	}
-	id = resp.ControlPlane.ID
 
+	old := cp.DeepCopy()
+	if fillKonnectGatewayControlPlaneStatusFromResponse(cp, resp.ControlPlane.Config) {
+		_, err = patch.ApplyStatusPatchIfNotEmpty(ctx, cl, ctrllog.FromContext(ctx), cp, old)
+		if err != nil {
+			return err
+		}
+	}
+
+	id = resp.ControlPlane.ID
 	if err := setGroupMembers(ctx, cl, cp, id, sdkGroups); err != nil {
 		// If we failed to set group membership, we should return a specific error with a reason
 		// so the downstream can handle it properly.
@@ -265,11 +285,19 @@ func getControlPlaneForUID(
 		return "", fmt.Errorf("failed listing %s: %w", cp.GetTypeName(), ErrNilResponse)
 	}
 
-	id, err := getMatchingEntryFromListResponseData(sliceToEntityWithIDSlice(resp.ListControlPlanesResponse.Data), cp)
+	entry, id, err := getMatchingEntryFromListResponseData(sliceToEntityWithIDSlice(resp.ListControlPlanesResponse.Data), cp)
 	if err != nil {
 		return "", err
 	}
 
+	old := cp.DeepCopy()
+	if fillKonnectGatewayControlPlaneStatusFromResponse(cp, entry.Config) {
+		_, err = patch.ApplyStatusPatchIfNotEmpty(ctx, cl, ctrllog.FromContext(ctx), cp, old)
+		if err != nil {
+			return id, err
+		}
+	}
+
 	if err := setGroupMembers(ctx, cl, cp, id, sdkGroups); err != nil {
 		// If we failed to set group membership, we should return a specific error with a reason
 		// so the downstream can handle it properly.
@@ -313,3 +341,30 @@ func GetControlPlaneByID(
 
 	return &resp.ListControlPlanesResponse.Data[0], nil
 }
+
+func fillKonnectGatewayControlPlaneStatusFromResponse(
+	cp *konnectv1alpha2.KonnectGatewayControlPlane,
+	respConfig sdkkonnectcomp.ControlPlaneConfig,
+) bool {
+	if cp == nil {
+		return false
+	}
+
+	var updated bool
+	if respConfig.ClusterType != "" {
+		cp.Status.ClusterType = respConfig.ClusterType
+		updated = true
+	}
+	if respConfig.ControlPlaneEndpoint != "" &&
+		(cp.Status.Endpoints == nil || respConfig.ControlPlaneEndpoint != cp.Status.Endpoints.ControlPlaneEndpoint) ||
+		respConfig.TelemetryEndpoint != "" &&
+			(cp.Status.Endpoints == nil || respConfig.TelemetryEndpoint != cp.Status.Endpoints.TelemetryEndpoint) {
+		cp.Status.Endpoints = &konnectv1alpha2.KonnectEndpoints{
+			ControlPlaneEndpoint: respConfig.ControlPlaneEndpoint,
+			TelemetryEndpoint:    respConfig.TelemetryEndpoint,
+		}
+		updated = true
+	}
+
+	return updated
+}
@@ -204,7 +204,8 @@ func getKongCredentialACLForUID(
 	}
 	x := sliceToEntityWithIDPtrSlice(resp.Object.Data)
 
-	return getMatchingEntryFromListResponseData(x, cred)
+	_, id, err := getMatchingEntryFromListResponseData(x, cred)
+	return id, err
 }
 
 func credentialACLMatch(

@@ -201,7 +201,8 @@ func getKongCredentialAPIKeyForUID(
 		return "", fmt.Errorf("failed listing %s: %w", cred.GetTypeName(), ErrNilResponse)
 	}
 
-	return getMatchingEntryFromListResponseData(sliceToEntityWithIDPtrSlice(resp.Object.Data), cred)
+	_, id, err := getMatchingEntryFromListResponseData(sliceToEntityWithIDPtrSlice(resp.Object.Data), cred)
+	return id, err
 }
 
 func credentialAPIKeyMatch(

@@ -200,7 +200,8 @@ func getKongCredentialBasicAuthForUID(
 		return "", fmt.Errorf("failed listing %s: %w", cred.GetTypeName(), ErrNilResponse)
 	}
 
-	return getMatchingEntryFromListResponseData(sliceToEntityWithIDPtrSlice(resp.Object.Data), cred)
+	_, id, err := getMatchingEntryFromListResponseData(sliceToEntityWithIDPtrSlice(resp.Object.Data), cred)
+	return id, err
 }
 
 func credentialBasicAuthMatch(

@@ -205,7 +205,8 @@ func getKongCredentialHMACForUID(
 		return "", fmt.Errorf("failed listing %s: %w", cred.GetTypeName(), ErrNilResponse)
 	}
 
-	return getMatchingEntryFromListResponseData(sliceToEntityWithIDPtrSlice(resp.Object.Data), cred)
+	_, id, err := getMatchingEntryFromListResponseData(sliceToEntityWithIDPtrSlice(resp.Object.Data), cred)
+	return id, err
 }
 
 func credentialHMACMatch(

@@ -204,7 +204,8 @@ func getKongCredentialJWTForUID(
 		return "", fmt.Errorf("failed listing %s: %w", cred.GetTypeName(), ErrNilResponse)
 	}
 
-	return getMatchingEntryFromListResponseData(sliceToEntityWithIDPtrSlice(resp.Object.Data), cred)
+	_, id, err := getMatchingEntryFromListResponseData(sliceToEntityWithIDPtrSlice(resp.Object.Data), cred)
+	return id, err
 }
 
 func credentialJWTMatch(

@@ -239,7 +239,8 @@ func getKongCACertificateForUID(
 		return "", fmt.Errorf("failed listing %s: %w", cert.GetTypeName(), ErrNilResponse)
 	}
 
-	return getMatchingEntryFromListResponseData(sliceToEntityWithIDPtrSlice(resp.Object.Data), cert)
+	_, id, err := getMatchingEntryFromListResponseData(sliceToEntityWithIDPtrSlice(resp.Object.Data), cert)
+	return id, err
 }
 
 func caCertificateMatch(

@@ -289,7 +289,8 @@ func getKongCertificateForUID(
 		return "", fmt.Errorf("failed listing %s: %w", cert.GetTypeName(), ErrNilResponse)
 	}
 
-	return getMatchingEntryFromListResponseData(sliceToEntityWithIDPtrSlice(resp.Object.Data), cert)
+	_, id, err := getMatchingEntryFromListResponseData(sliceToEntityWithIDPtrSlice(resp.Object.Data), cert)
+	return id, err
 }
 
 func certificateMatch(

@@ -460,5 +460,6 @@ func getKongConsumerForUID(
 		return "", fmt.Errorf("failed listing %s: %w", consumer.GetTypeName(), ErrNilResponse)
 	}
 
-	return getMatchingEntryFromListResponseData(sliceToEntityWithIDPtrSlice(resp.Object.Data), consumer)
+	_, id, err := getMatchingEntryFromListResponseData(sliceToEntityWithIDPtrSlice(resp.Object.Data), consumer)
+	return id, err
 }
@@ -188,5 +188,6 @@ func getKongConsumerGroupForUID(
 		return "", fmt.Errorf("failed listing %s: %w", cg.GetTypeName(), ErrNilResponse)
 	}
 
-	return getMatchingEntryFromListResponseData(sliceToEntityWithIDPtrSlice(resp.Object.Data), cg)
+	_, id, err := getMatchingEntryFromListResponseData(sliceToEntityWithIDPtrSlice(resp.Object.Data), cg)
+	return id, err
 }
@@ -202,7 +202,8 @@ func getKongKeyForUID(
 		return "", fmt.Errorf("failed to list KongKeys: %w", ErrNilResponse)
 	}
 
-	return getMatchingEntryFromListResponseData(sliceToEntityWithIDPtrSlice(resp.Object.Data), key)
+	_, id, err := getMatchingEntryFromListResponseData(sliceToEntityWithIDPtrSlice(resp.Object.Data), key)
+	return id, err
 }
 
 func keyMatch(konnectKey *sdkkonnectcomp.Key, key *configurationv1alpha1.KongKey) bool {

@@ -178,7 +178,8 @@ func getKongKeySetForUID(
 		return "", fmt.Errorf("failed listing %s: %w", keySet.GetTypeName(), ErrNilResponse)
 	}
 
-	return getMatchingEntryFromListResponseData(sliceToEntityWithIDPtrSlice(resp.Object.Data), keySet)
+	_, id, err := getMatchingEntryFromListResponseData(sliceToEntityWithIDPtrSlice(resp.Object.Data), keySet)
+	return id, err
 }
 
 func keySetMatch(konnectKeySet *sdkkonnectcomp.KeySet, keySet *configurationv1alpha1.KongKeySet) bool {

@@ -139,7 +139,8 @@ func getPluginForUID(
 		return "", fmt.Errorf("failed listing %s: %w", pluginBinding.GetTypeName(), ErrNilResponse)
 	}
 
-	return getMatchingEntryFromListResponseData(sliceToEntityWithIDPtrSlice(resp.Object.Data), pluginBinding)
+	_, id, err := getMatchingEntryFromListResponseData(sliceToEntityWithIDPtrSlice(resp.Object.Data), pluginBinding)
+	return id, err
 }
 
 func adoptPluginBinding(

@@ -245,12 +245,13 @@ func getKongRouteForUID(
 		return "", fmt.Errorf("failed listing %s: %w", r.GetTypeName(), ErrNilResponse)
 	}
 
-	return getMatchingEntryFromListResponseData(
+	_, id, err := getMatchingEntryFromListResponseData(
 		sliceToEntityWithIDPtrSlice(
 			lo.Map(resp.Object.Data, func(route sdkkonnectcomp.Route, _ int) sdkkonnectcomp.RouteJSON {
 				return *route.RouteJSON
 			}),
 		), r)
+	return id, err
 }
 
 // routeHeadersMatch compares two header matches in the two routes.

@@ -208,7 +208,8 @@ func getKongServiceForUID(
 		return "", fmt.Errorf("failed listing %s: %w", svc.GetTypeName(), ErrNilResponse)
 	}
 
-	return getMatchingEntryFromListResponseData(sliceToEntityWithIDPtrSlice(resp.Object.Data), svc)
+	_, id, err := getMatchingEntryFromListResponseData(sliceToEntityWithIDPtrSlice(resp.Object.Data), svc)
+	return id, err
 }
 
 // serviceMatch compares the existing service fetched from Konnect and the spec of the KongService

@@ -209,7 +209,8 @@ func getKongSNIForUID(ctx context.Context, sdk sdkkonnectgo.SNIsSDK, sni *config
 		return "", fmt.Errorf("failed listing %s: %w", sni.GetTypeName(), ErrNilResponse)
 	}
 
-	return getMatchingEntryFromListResponseData(sliceToEntityWithIDPtrSlice(resp.Object.Data), sni)
+	_, id, err := getMatchingEntryFromListResponseData(sliceToEntityWithIDPtrSlice(resp.Object.Data), sni)
+	return id, err
 }
 
 func sniMatch(konnectSNI *sdkkonnectcomp.Sni, sni *configurationv1alpha1.KongSNI) bool {

@@ -194,7 +194,8 @@ func getKongTargetForUID(
 		return "", fmt.Errorf("failed listing %s: %w", target.GetTypeName(), ErrNilResponse)
 	}
 
-	return getMatchingEntryFromListResponseData(sliceToEntityWithIDPtrSlice(resp.Object.Data), target)
+	_, id, err := getMatchingEntryFromListResponseData(sliceToEntityWithIDPtrSlice(resp.Object.Data), target)
+	return id, err
 }
 
 func targetMatch(konnectTarget *sdkkonnectcomp.Target, target *configurationv1alpha1.KongTarget) bool {

@@ -187,7 +187,8 @@ func getKongUpstreamForUID(
 		return "", fmt.Errorf("failed listing %s: %w", u.GetTypeName(), ErrNilResponse)
 	}
 
-	return getMatchingEntryFromListResponseData(sliceToEntityWithIDPtrSlice(resp.Object.Data), u)
+	_, id, err := getMatchingEntryFromListResponseData(sliceToEntityWithIDPtrSlice(resp.Object.Data), u)
+	return id, err
 }
 
 func upstreamMatch(konnectUpstream *sdkkonnectcomp.Upstream, upstream *configurationv1alpha1.KongUpstream) bool {

@@ -195,5 +195,6 @@ func getKongVaultForUID(
 		return "", fmt.Errorf("failed to list KongVaults: %w", ErrNilResponse)
 	}
 
-	return getMatchingEntryFromListResponseData(sliceToEntityWithIDPtrSlice(resp.Object.Data), vault)
+	_, id, err := getMatchingEntryFromListResponseData(sliceToEntityWithIDPtrSlice(resp.Object.Data), vault)
+	return id, err
 }
@@ -109,7 +109,7 @@ func getKonnectNetworkMatchingSpecName(
 		return "", fmt.Errorf("failed listing %s: %w", n.GetTypeName(), ErrNilResponse)
 	}
 
-	id, err := getMatchingEntryFromListResponseData(sliceToEntityWithIDSlice(resp.ListNetworksResponse.Data), n)
+	_, id, err := getMatchingEntryFromListResponseData(sliceToEntityWithIDSlice(resp.ListNetworksResponse.Data), n)
 	if err != nil {
 		return "", err
 	}

@@ -139,7 +139,8 @@ func getKonnectTransitGatewayMatchingSpecName(
 		return "", fmt.Errorf("failed listing %s: %w", tg.GetTypeName(), ErrNilResponse)
 	}
 
-	return getMatchingEntryFromListResponseData(listTransitGatewayResponseDataToEntityWithIDSlice(resp.ListTransitGatewaysResponse.Data), tg)
+	_, id, err := getMatchingEntryFromListResponseData(listTransitGatewayResponseDataToEntityWithIDSlice(resp.ListTransitGatewaysResponse.Data), tg)
+	return id, err
 }
 
 var transitGatewayTypeToSDKTransitGatewayType = map[konnectv1alpha1.TransitGatewayType]sdkkonnectcomp.CreateTransitGatewayRequestType{

@@ -525,7 +525,7 @@ func (r *KonnectEntityReconciler[T, TEnt]) Reconcile(
 	// Handle type specific operations and stop reconciliation if needed.
 	// This can happen for instance when KongConsumer references credentials Secrets
 	// that do not exist or populate some Status fields based on Konnect API.
-	if stop, res, err := handleTypeSpecific(ctx, sdk, r.Client, ent); err != nil {
+	if stop, res, err := handleTypeSpecific(ctx, r.Client, ent); err != nil {
 		// If the error was a network error, handle it here, there's no need to proceed,
 		// as no state has changed.
 		// Status conditions are updated in handleOpsErr.