feat: support cross namespace references from KongPluginBinding to KongPlugin (#3108)

Author: pmalek

CHANGELOG.md

@@ -49,6 +49,10 @@
   [#3039](https://github.com/Kong/kong-operator/pull/3039)
 - HybridGateway: Added comprehensive HTTPRoute converter tests to improve translation stability.
   [#3111](https://github.com/Kong/kong-operator/pull/3111)
+- Support cross namespace references from `KongPluginBinding` to `KongPlugin`.
+  For this reference to be allowed, a `KongReferenceGrant` resource must be created
+  in the namespace of the `KongPlugin`, allowing access for the `KongPluginBinding`.
+  [#31038](https://github.com/Kong/kong-operator/pull/3108)
 
 ### Fixes
 

api/configuration/v1alpha1/kongpluginbinding_types.go

@@ -146,14 +146,17 @@ type KongPluginBindingTargets struct {
 
 // PluginRef is a reference to a KongPlugin or KongClusterPlugin resource.
 // +apireference:kgo:include
+// +kubebuilder:validation:XValidation:rule="self.kind == 'KongPlugin' || !has(self.__namespace__)", message="Namespace can be set only when kind is 'KongPlugin'"
 type PluginRef struct {
-	// TODO(mattia): cross-namespace references are not supported yet.
-	// https://github.com/Kong/kubernetes-configuration/issues/9
-
 	// Name is the name of the KongPlugin or KongClusterPlugin resource.
 	// +required
 	Name string `json:"name"`
 
+	// Namespace is the namespace of the referenced KongPlugin resource.
+	// Can only be set when Kind is KongPlugin.
+	// +optional
+	Namespace string `json:"namespace,omitempty"`
+
 	// Kind can be KongPlugin or KongClusterPlugin. If not set, it is assumed to be KongPlugin.
 	// +kubebuilder:validation:Enum=KongPlugin;KongClusterPlugin
 	// +kubebuilder:default:=KongPlugin

api/configuration/v1alpha1/kongreferencegrant_types.go

@@ -91,7 +91,7 @@ type KongReferenceGrantSpec struct {
 
 // ReferenceGrantFrom describes trusted namespaces and kinds.
 //
-// +kubebuilder:validation:XValidation:rule="self.group != 'configuration.konghq.com' || self.kind in [ 'KongConsumer', 'KongConsumerGroup', 'KongService', 'KongCertificate', 'KongCACertificate', 'KongDataPlaneClientCertificate', 'KongUpstream', 'KongKey', 'KongKeySet', 'KongVault']",message="Only KongConsumer, KongConsumerGroup, KongCertificate, KongCACertificate, KongDataPlaneClientCertificate, KongService, KongUpstream, KongKey, KongKeySet, and KongVault kinds are supported for 'configuration.konghq.com' group"
+// +kubebuilder:validation:XValidation:rule="self.group != 'configuration.konghq.com' || self.kind in [ 'KongConsumer', 'KongConsumerGroup', 'KongService', 'KongCertificate', 'KongCACertificate', 'KongDataPlaneClientCertificate', 'KongUpstream', 'KongKey', 'KongKeySet', 'KongVault', 'KongPluginBinding']",message="Only KongConsumer, KongConsumerGroup, KongCertificate, KongCACertificate, KongDataPlaneClientCertificate, KongService, KongUpstream, KongKey, KongKeySet, KongVault and KongPluginBinding kinds are supported for 'configuration.konghq.com' group"
 // +kubebuilder:validation:XValidation:rule="self.kind == 'KongVault' ? self.__namespace__ == \"\" : self.__namespace__ != \"\"",message="namespace must be empty for KongVault and non-empty for other kinds"
 type ReferenceGrantFrom struct {
 	// Group is the group of the referent.
@@ -117,6 +117,7 @@ type ReferenceGrantFrom struct {
 //
 // +kubebuilder:validation:XValidation:rule=".self.group != 'core' || .self.kind == 'Secret'",message="Only 'Secret' kind is supported for 'core' group"
 // +kubebuilder:validation:XValidation:rule=".self.group != 'konnect.konghq.com' || .self.kind in ['KonnectGatewayControlPlane', 'KonnectAPIAuthConfiguration']",message="Only 'KonnectGatewayControlPlane' and 'KonnectAPIAuthConfiguration' kinds are supported for 'konnect.konghq.com' group"
+// +kubebuilder:validation:XValidation:rule=".self.group != 'configuration.konghq.com' || .self.kind in ['KongPlugin']",message="Only 'KongPlugin' kind is supported for 'configuration.konghq.com' group"
 type ReferenceGrantTo struct {
 	// Group is the group of the referent.
 	//

charts/kong-operator/charts/ko-crds/templates/ko-crds.yaml

@@ -53389,12 +53389,19 @@ spec:
                     description: Name is the name of the KongPlugin or KongClusterPlugin
                       resource.
                     type: string
+                  namespace:
+                    description: |-
+                      Namespace is the namespace of the referenced KongPlugin resource.
+                      Can only be set when Kind is KongPlugin.
+                    type: string
                 required:
                 - name
                 type: object
                 x-kubernetes-validations:
                 - message: pluginRef name must be set
                   rule: self.name != ''
+                - message: Namespace can be set only when kind is 'KongPlugin'
+                  rule: self.kind == 'KongPlugin' || !has(self.__namespace__)
               scope:
                 default: OnlyTargets
                 description: Scope defines the scope of the plugin binding.
@@ -54250,12 +54257,12 @@ spec:
                   x-kubernetes-validations:
                   - message: Only KongConsumer, KongConsumerGroup, KongCertificate,
                       KongCACertificate, KongDataPlaneClientCertificate, KongService,
-                      KongUpstream, KongKey, KongKeySet, and KongVault kinds are supported
-                      for 'configuration.konghq.com' group
+                      KongUpstream, KongKey, KongKeySet, KongVault and KongPluginBinding
+                      kinds are supported for 'configuration.konghq.com' group
                     rule: self.group != 'configuration.konghq.com' || self.kind in
                       [ 'KongConsumer', 'KongConsumerGroup', 'KongService', 'KongCertificate',
                       'KongCACertificate', 'KongDataPlaneClientCertificate', 'KongUpstream',
-                      'KongKey', 'KongKeySet', 'KongVault']
+                      'KongKey', 'KongKeySet', 'KongVault', 'KongPluginBinding']
                   - message: namespace must be empty for KongVault and non-empty for
                       other kinds
                     rule: 'self.kind == ''KongVault'' ? self.__namespace__ == "" :
@@ -54308,6 +54315,10 @@ spec:
                       kinds are supported for 'konnect.konghq.com' group
                     rule: .self.group != 'konnect.konghq.com' || .self.kind in ['KonnectGatewayControlPlane',
                       'KonnectAPIAuthConfiguration']
+                  - message: Only 'KongPlugin' kind is supported for 'configuration.konghq.com'
+                      group
+                    rule: .self.group != 'configuration.konghq.com' || .self.kind
+                      in ['KongPlugin']
                 maxItems: 16
                 minItems: 1
                 type: array