feat: add support for cross namespace references from KongRoute to KongService (#3125)

Co-authored-by: Francesco Giudici <fgiudici@foggy.day>

Author: pmalek

CHANGELOG.md

@@ -52,9 +52,13 @@
 - Support cross namespace references from `KongPluginBinding` to `KongPlugin`.
   For this reference to be allowed, a `KongReferenceGrant` resource must be created
   in the namespace of the `KongPlugin`, allowing access for the `KongPluginBinding`.
-  [#31038](https://github.com/Kong/kong-operator/pull/3108)
+  [#3108](https://github.com/Kong/kong-operator/pull/3108)
 - HybridGateway: Added support to PathPrefixMatch for the `RequestRedirect` `HTTPRoute` filter.
   [#3065](https://github.com/Kong/kong-operator/pull/3065)
+- Support cross namespace references from `KongRoute` to `KongService`.
+  For this reference to be allowed, a `KongReferenceGrant` resource must be created
+  in the namespace of the `KongService`, allowing access for the `KongRoute`.
+  [#3125](https://github.com/Kong/kong-operator/pull/3125)
 
 ### Fixes
 

api/configuration/v1alpha1/kongreferencegrant_types.go

@@ -91,7 +91,7 @@ type KongReferenceGrantSpec struct {
 
 // ReferenceGrantFrom describes trusted namespaces and kinds.
 //
-// +kubebuilder:validation:XValidation:rule="self.group != 'configuration.konghq.com' || self.kind in [ 'KongConsumer', 'KongConsumerGroup', 'KongService', 'KongCertificate', 'KongCACertificate', 'KongDataPlaneClientCertificate', 'KongUpstream', 'KongKey', 'KongKeySet', 'KongVault', 'KongPluginBinding']",message="Only KongConsumer, KongConsumerGroup, KongCertificate, KongCACertificate, KongDataPlaneClientCertificate, KongService, KongUpstream, KongKey, KongKeySet, KongVault and KongPluginBinding kinds are supported for 'configuration.konghq.com' group"
+// +kubebuilder:validation:XValidation:rule="self.group != 'configuration.konghq.com' || self.kind in [ 'KongConsumer', 'KongConsumerGroup', 'KongRoute', 'KongService', 'KongCertificate', 'KongCACertificate', 'KongDataPlaneClientCertificate', 'KongUpstream', 'KongKey', 'KongKeySet', 'KongVault', 'KongPluginBinding']",message="Only KongConsumer, KongConsumerGroup, KongRoute, KongCertificate, KongCACertificate, KongDataPlaneClientCertificate, KongService, KongUpstream, KongKey, KongKeySet, KongVault and KongPluginBinding kinds are supported for 'configuration.konghq.com' group"
 // +kubebuilder:validation:XValidation:rule="self.kind == 'KongVault' ? self.__namespace__ == \"\" : self.__namespace__ != \"\"",message="namespace must be empty for KongVault and non-empty for other kinds"
 type ReferenceGrantFrom struct {
 	// Group is the group of the referent.
@@ -117,7 +117,7 @@ type ReferenceGrantFrom struct {
 //
 // +kubebuilder:validation:XValidation:rule=".self.group != 'core' || .self.kind == 'Secret'",message="Only 'Secret' kind is supported for 'core' group"
 // +kubebuilder:validation:XValidation:rule=".self.group != 'konnect.konghq.com' || .self.kind in ['KonnectGatewayControlPlane', 'KonnectAPIAuthConfiguration']",message="Only 'KonnectGatewayControlPlane' and 'KonnectAPIAuthConfiguration' kinds are supported for 'konnect.konghq.com' group"
-// +kubebuilder:validation:XValidation:rule=".self.group != 'configuration.konghq.com' || .self.kind in ['KongPlugin']",message="Only 'KongPlugin' kind is supported for 'configuration.konghq.com' group"
+// +kubebuilder:validation:XValidation:rule=".self.group != 'configuration.konghq.com' || .self.kind in ['KongPlugin', 'KongService']",message="Only 'KongPlugin' and 'KongService' kinds are supported for 'configuration.konghq.com' group"
 type ReferenceGrantTo struct {
 	// Group is the group of the referent.
 	//

api/configuration/v1alpha1/service_ref.go

@@ -19,5 +19,12 @@ type ServiceRef struct {
 	Type string `json:"type,omitempty"`
 
 	// NamespacedRef is a reference to a KongService.
-	NamespacedRef *commonv1alpha1.NameRef `json:"namespacedRef,omitempty"`
+	// If namespace is not specified, the KongService in the same namespace
+	// as the referencing entity.
+	// Namespace can be specified to reference a KongService in a different namespace
+	// but this requires a KongReferenceGrant in the target namespace allowing
+	// the reference.
+	//
+	// +optional
+	NamespacedRef *commonv1alpha1.NamespacedRef `json:"namespacedRef,omitempty"`
 }

api/configuration/v1alpha1/zz_generated.deepcopy.go

@@ -304,7 +304,7 @@ func TestServiceRef(t *testing.T) {
 
 			serviceRef := &configurationv1alpha1.ServiceRef{
 				Type: configurationv1alpha1.ServiceRefNamespacedRef,
-				NamespacedRef: &commonv1alpha1.NameRef{
+				NamespacedRef: &commonv1alpha1.NamespacedRef{
 					Name: "test-service",
 				},
 			}

api/test/unit/konnect_funcs_test.go

@@ -54255,14 +54255,14 @@ spec:
                   - namespace
                   type: object
                   x-kubernetes-validations:
-                  - message: Only KongConsumer, KongConsumerGroup, KongCertificate,
+                  - message: Only KongConsumer, KongConsumerGroup, KongRoute, KongCertificate,
                       KongCACertificate, KongDataPlaneClientCertificate, KongService,
                       KongUpstream, KongKey, KongKeySet, KongVault and KongPluginBinding
                       kinds are supported for 'configuration.konghq.com' group
                     rule: self.group != 'configuration.konghq.com' || self.kind in
-                      [ 'KongConsumer', 'KongConsumerGroup', 'KongService', 'KongCertificate',
-                      'KongCACertificate', 'KongDataPlaneClientCertificate', 'KongUpstream',
-                      'KongKey', 'KongKeySet', 'KongVault', 'KongPluginBinding']
+                      [ 'KongConsumer', 'KongConsumerGroup', 'KongRoute', 'KongService',
+                      'KongCertificate', 'KongCACertificate', 'KongDataPlaneClientCertificate',
+                      'KongUpstream', 'KongKey', 'KongKeySet', 'KongVault', 'KongPluginBinding']
                   - message: namespace must be empty for KongVault and non-empty for
                       other kinds
                     rule: 'self.kind == ''KongVault'' ? self.__namespace__ == "" :
@@ -54315,10 +54315,10 @@ spec:
                       kinds are supported for 'konnect.konghq.com' group
                     rule: .self.group != 'konnect.konghq.com' || .self.kind in ['KonnectGatewayControlPlane',
                       'KonnectAPIAuthConfiguration']
-                  - message: Only 'KongPlugin' kind is supported for 'configuration.konghq.com'
-                      group
+                  - message: Only 'KongPlugin' and 'KongService' kinds are supported
+                      for 'configuration.konghq.com' group
                     rule: .self.group != 'configuration.konghq.com' || .self.kind
-                      in ['KongPlugin']
+                      in ['KongPlugin', 'KongService']
                 maxItems: 16
                 minItems: 1
                 type: array
@@ -54611,13 +54611,29 @@ spec:
                   specify a ServiceRef and be associated with a Service.
                 properties:
                   namespacedRef:
-                    description: NamespacedRef is a reference to a KongService.
+                    description: |-
+                      NamespacedRef is a reference to a KongService.
+                      If namespace is not specified, the KongService in the same namespace
+                      as the referencing entity.
+                      Namespace can be specified to reference a KongService in a different namespace
+                      but this requires a KongReferenceGrant in the target namespace allowing
+                      the reference.
                     properties:
                       name:
-                        description: Name is the name of the entity.
+                        description: Name is the name of the referred resource.
                         maxLength: 253
                         minLength: 1
                         type: string
+                      namespace:
+                        description: |-
+                          Namespace is the namespace of the referred resource.
+
+                          For namespace-scoped resources if no Namespace is provided then the
+                          namespace of the parent object MUST be used.
+
+                          This field MUST not be set when referring to cluster-scoped resources.
+                        maxLength: 253
+                        type: string
                     required:
                     - name
                     type: object