Kong
diff --git a/‎CHANGELOG.md‎
Lines changed: 10 additions & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 10 additions & 0 deletions
diff --git a/‎api/common/v1alpha1/objectref_types.go‎
Lines changed: 0 additions & 3 deletions b/‎api/common/v1alpha1/objectref_types.go‎
Lines changed: 0 additions & 3 deletions
diff --git a/‎api/configuration/v1alpha1/conditions.go‎
Lines changed: 3 additions & 3 deletions b/‎api/configuration/v1alpha1/conditions.go‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎api/configuration/v1alpha1/kongcacertificate_types.go‎
Lines changed: 0 additions & 1 deletion b/‎api/configuration/v1alpha1/kongcacertificate_types.go‎
Lines changed: 0 additions & 1 deletion
diff --git a/‎api/configuration/v1alpha1/kongreferencegrant_types.go‎
Lines changed: 1 addition & 1 deletion b/‎api/configuration/v1alpha1/kongreferencegrant_types.go‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎api/konnect/v1alpha1/konnect_conditions.go‎
Lines changed: 12 additions & 0 deletions b/‎api/konnect/v1alpha1/konnect_conditions.go‎
Lines changed: 12 additions & 0 deletions
diff --git a/‎charts/kong-operator/charts/ko-crds/templates/ko-crds.yaml‎
Lines changed: 3 additions & 7 deletions b/‎charts/kong-operator/charts/ko-crds/templates/ko-crds.yaml‎
Lines changed: 3 additions & 7 deletions
diff --git a/‎charts/kong-operator/ci/__snapshots__/affinity-values.snap‎
Lines changed: 2 additions & 4 deletions b/‎charts/kong-operator/ci/__snapshots__/affinity-values.snap‎
Lines changed: 2 additions & 4 deletions
diff --git a/‎charts/kong-operator/ci/__snapshots__/controlplane-config-dump.snap‎
Lines changed: 2 additions & 4 deletions b/‎charts/kong-operator/ci/__snapshots__/controlplane-config-dump.snap‎
Lines changed: 2 additions & 4 deletions
diff --git a/‎charts/kong-operator/ci/__snapshots__/disable-gateway-controller-values.snap‎
Lines changed: 2 additions & 4 deletions b/‎charts/kong-operator/ci/__snapshots__/disable-gateway-controller-values.snap‎
Lines changed: 2 additions & 4 deletions
@@ -71,6 +71,16 @@
   `KonnectGatewayControlPlane`.
   [#2892](https://github.com/Kong/kong-operator/pull/2892)
   [#2913](https://github.com/Kong/kong-operator/pull/2913)
+- Added support for cross namespace references between the following Konnect
+  entities and `core` `Secret`
+
+  - `KongCertificate`
+  - `KongCACertificate`
+
+  To allow these references, users need to define a `KongReferenceGrant` resource
+  in the namespace of the referenced resource, allowing access to the
+  `Secret`.
+  [#2904](https://github.com/Kong/kong-operator/pull/2904)
 - Hybrid Gateway: The operator now supports configuring TLS termination on Gateway listeners
   in hybrid mode.When you define a TLS listener on a Gateway resource, the operator will
   automatically create the necessary KongCertificate and KongSNI resources to configure the data plane.
 
@@ -61,9 +61,6 @@ type NamespacedRef struct {
 	// +kubebuilder:validation:MaxLength=253
 	Name string `json:"name,omitempty"`
 
-	// TODO: Implement cross namespace references:
-	// https://github.com/Kong/kubernetes-configuration/issues/36
-
 	// Namespace is the namespace of the referred resource.
 	//
 	// For namespace-scoped resources if no Namespace is provided then the
 
@@ -5,10 +5,10 @@ const (
 	// whether a KongReferenceGrant is valid for cross-namespace references.
 	KongReferenceGrantConditionTypeResolvedRefs = "ResolvedRefs"
 
+	// KongReferenceGrantReasonResolvedRefs is the reason used when a valid
+	// KongReferenceGrant is found and it permits for a cross-namespace reference.
+	KongReferenceGrantReasonResolvedRefs = "ResolvedRefs"
 	// KongReferenceGrantReasonRefNotPermitted is the reason used when a KongReferenceGrant
 	// is invalid or missing for a cross-namespace reference.
 	KongReferenceGrantReasonRefNotPermitted = "RefNotPermitted"
-	// KongReferenceGrantReasonResolvedRefs is the reason used when a valid
-	// KongReferenceGrant is found and it permits for a cross-namespace reference.
-	KongReferenceGrantReasonResolvedRefs = "RefNotPermitted"
 )
@@ -49,7 +49,6 @@ type KongCACertificate struct {
 // +kubebuilder:validation:XValidation:rule="self.type != 'inline' || (has(self.cert) && self.cert.size() != 0)", message="spec.cert is required when type is 'inline'"
 // +kubebuilder:validation:XValidation:rule="self.type != 'secretRef' || has(self.secretRef)", message="spec.secretRef is required when type is 'secretRef'"
 // +kubebuilder:validation:XValidation:rule="!(has(self.cert) && has(self.secretRef))", message="cert and secretRef cannot be set at the same time"
-// +kubebuilder:validation:XValidation:rule="!has(self.secretRef) || !has(self.secretRef.__namespace__) || self.secretRef.__namespace__.size() == 0", message="spec.secretRef.namespace is not allowed until ReferenceGrant support is implemented"
 // +apireference:kgo:include
 type KongCACertificateSpec struct {
 	// Type indicates the source of the CA certificate data.
 
@@ -91,7 +91,7 @@ type KongReferenceGrantSpec struct {
 
 // ReferenceGrantFrom describes trusted namespaces and kinds.
 //
-// +kubebuilder:validation:XValidation:rule=".self.group != 'configuration.konghq.com' || .self.kind in ['KongService', 'KongCertificate' ]",message="Only KongCertificate and KongService kinds are supported for 'configuration.konghq.com' group"
+// +kubebuilder:validation:XValidation:rule=".self.group != 'configuration.konghq.com' || .self.kind in ['KongService', 'KongCertificate', 'KongCACertificate' ]",message="Only KongCertificate, KongCACertificate, and KongService kinds are supported for 'configuration.konghq.com' group"
 type ReferenceGrantFrom struct {
 	// Group is the group of the referent.
 	//
 
@@ -137,6 +137,18 @@ const (
 	KongUpstreamRefReasonInvalid = "Invalid"
 )
 
+const (
+	// SecretRefValidConditionType is the type of the condition that indicates
+	// whether the Secret reference is valid and points to an existing Secret.
+	SecretRefValidConditionType = "SecretRefValid"
+	// SecretRefReasonValid is the reason used with the SecretRefValid
+	// condition type indicating that the Secret reference is valid.
+	SecretRefReasonValid = "Valid"
+	// SecretRefReasonInvalid is the reason used with the SecretRefValid
+	// condition type indicating that the Secret reference is invalid.
+	SecretRefReasonInvalid = "Invalid"
+)
+
 const (
 	// KeySetRefValidConditionType is the type of the condition that indicates
 	// whether the KeySet reference is valid and points to an existing
 
@@ -49042,10 +49042,6 @@ spec:
               rule: self.type != 'secretRef' || has(self.secretRef)
             - message: cert and secretRef cannot be set at the same time
               rule: '!(has(self.cert) && has(self.secretRef))'
-            - message: spec.secretRef.namespace is not allowed until ReferenceGrant
-                support is implemented
-              rule: '!has(self.secretRef) || !has(self.secretRef.__namespace__) ||
-                self.secretRef.__namespace__.size() == 0'
           status:
             default:
               conditions:
@@ -54424,10 +54420,10 @@ spec:
                   - namespace
                   type: object
                   x-kubernetes-validations:
-                  - message: Only KongCertificate and KongService kinds are supported
-                      for 'configuration.konghq.com' group
+                  - message: Only KongCertificate, KongCACertificate, and KongService
+                      kinds are supported for 'configuration.konghq.com' group
                     rule: .self.group != 'configuration.konghq.com' || .self.kind
-                      in ['KongService', 'KongCertificate' ]
+                      in ['KongService', 'KongCertificate', 'KongCACertificate' ]
                 maxItems: 16
                 minItems: 1
                 type: array