feat: Add ReferenceGrant support and refactor backend reference handling

This commit introduces support for Gateway API ReferenceGrant CRD, enabling cross-namespace references for HTTPRoutes. It refactors backend reference handling to validate Service references and check ReferenceGrants. Also includes minor code cleanups, added cluster role permissions for ReferenceGrants, and adjustments to e2e manifests.

Author: dspo

api/v1alpha1/backendtrafficpolicy_types.go

@@ -22,8 +22,8 @@ type BackendTrafficPolicy struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
 
-    // BackendTrafficPolicySpec defines traffic handling policies applied to backend services,
-    // such as load balancing strategy, connection settings, and failover behavior.
+	// BackendTrafficPolicySpec defines traffic handling policies applied to backend services,
+	// such as load balancing strategy, connection settings, and failover behavior.
 	Spec   BackendTrafficPolicySpec `json:"spec,omitempty"`
 	Status PolicyStatus             `json:"status,omitempty"`
 }

api/v1alpha1/consumer_types.go

@@ -23,19 +23,19 @@ type Consumer struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
 
-    // ConsumerSpec defines the configuration for a consumer, including consumer name,
+	// ConsumerSpec defines the configuration for a consumer, including consumer name,
 	// authentication credentials, and plugin settings.
 	Spec   ConsumerSpec `json:"spec,omitempty"`
 	Status Status       `json:"status,omitempty"`
 }
 
 type ConsumerSpec struct {
 	// GatewayRef specifies the gateway details.
-	GatewayRef  GatewayRef   `json:"gatewayRef,omitempty"`
+	GatewayRef GatewayRef `json:"gatewayRef,omitempty"`
 	// Credentials specifies the credential details of a consumer.
 	Credentials []Credential `json:"credentials,omitempty"`
 	// Plugins define the plugins associated with a consumer.
-	Plugins     []Plugin     `json:"plugins,omitempty"`
+	Plugins []Plugin `json:"plugins,omitempty"`
 }
 
 type GatewayRef struct {
@@ -48,7 +48,7 @@ type GatewayRef struct {
 	Kind *string `json:"kind,omitempty"`
 	// Group is the API group the resource belongs to. Default is `gateway.networking.k8s.io`.
 	// +kubebuilder:default=gateway.networking.k8s.io
-	Group     *string `json:"group,omitempty"`
+	Group *string `json:"group,omitempty"`
 	// Namespace is namespace of the resource.
 	Namespace *string `json:"namespace,omitempty"`
 }
@@ -58,18 +58,18 @@ type Credential struct {
 	// +kubebuilder:validation:Enum=jwt-auth;basic-auth;key-auth;hmac-auth;
 	// Type specifies the type of authentication to configure credentials for.
 	// Can be one of `jwt-auth`, `basic-auth`, `key-auth`, or `hmac-auth`.
-	Type      string               `json:"type"`
+	Type string `json:"type"`
 	// Config specifies the credential details for authentication.
-	Config    apiextensionsv1.JSON `json:"config,omitempty"`
+	Config apiextensionsv1.JSON `json:"config,omitempty"`
 	// SecretRef references to the Secret that contains the credentials.
-	SecretRef *SecretReference     `json:"secretRef,omitempty"`
+	SecretRef *SecretReference `json:"secretRef,omitempty"`
 	// Name is the name of the credential.
-	Name      string               `json:"name,omitempty"`
+	Name string `json:"name,omitempty"`
 }
 
 type SecretReference struct {
 	// Name is the name of the secret.
-	Name      string  `json:"name"`
+	Name string `json:"name"`
 	// Namespace is the namespace of the secret.
 	Namespace *string `json:"namespace,omitempty"`
 }

api/v1alpha1/gatewayproxy_types.go

@@ -27,14 +27,14 @@ type GatewayProxySpec struct {
 
 	// PublishService specifies the LoadBalancer-type Service whose external address the controller uses to
 	// update the status of Ingress resources.
-	PublishService string                          `json:"publishService,omitempty"`
+	PublishService string `json:"publishService,omitempty"`
 	// StatusAddress specifies the external IP addresses that the controller uses to populate the status field
 	// of GatewayProxy or Ingress resources for developers to access.
-	StatusAddress  []string                        `json:"statusAddress,omitempty"`
+	StatusAddress []string `json:"statusAddress,omitempty"`
 	// Provider configures the provider details.
-	Provider       *GatewayProxyProvider           `json:"provider,omitempty"`
+	Provider *GatewayProxyProvider `json:"provider,omitempty"`
 	// Plugins configure global plugins.
-	Plugins        []GatewayProxyPlugin            `json:"plugins,omitempty"`
+	Plugins []GatewayProxyPlugin `json:"plugins,omitempty"`
 	// PluginMetadata configures common configurations shared by all plugin instances of the same name.
 	PluginMetadata map[string]apiextensionsv1.JSON `json:"pluginMetadata,omitempty"`
 }
@@ -132,8 +132,8 @@ type GatewayProxy struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
 
-    // GatewayProxySpec defines the desired state and configuration of a GatewayProxy,
-    // including networking settings, global plugins, and plugin metadata.
+	// GatewayProxySpec defines the desired state and configuration of a GatewayProxy,
+	// including networking settings, global plugins, and plugin metadata.
 	Spec GatewayProxySpec `json:"spec,omitempty"`
 }
 
@@ -148,11 +148,11 @@ type GatewayProxyList struct {
 // GatewayProxyPlugin contains plugin configurations.
 type GatewayProxyPlugin struct {
 	// Name is the name of the plugin.
-	Name    string               `json:"name,omitempty"`
-	// Enabled defines whether the plugin is enabled. 
-	Enabled bool                 `json:"enabled,omitempty"`
+	Name string `json:"name,omitempty"`
+	// Enabled defines whether the plugin is enabled.
+	Enabled bool `json:"enabled,omitempty"`
 	// Config defines the plugin's configuration details.
-	Config  apiextensionsv1.JSON `json:"config,omitempty"`
+	Config apiextensionsv1.JSON `json:"config,omitempty"`
 }
 
 func init() {

api/v1alpha1/httproutepolicy_types.go

@@ -25,9 +25,9 @@ type HTTPRoutePolicySpec struct {
 	// +kubebuilder:validation:MaxItems=16
 	TargetRefs []gatewayv1alpha2.LocalPolicyTargetReferenceWithSectionName `json:"targetRefs"`
 	// Priority sets the priority for route. A higher value sets a higher priority in route matching.
-	Priority *int64                 `json:"priority,omitempty" yaml:"priority,omitempty"`
+	Priority *int64 `json:"priority,omitempty" yaml:"priority,omitempty"`
 	// Vars sets the request matching conditions.
-	Vars     []apiextensionsv1.JSON `json:"vars,omitempty" yaml:"vars,omitempty"`
+	Vars []apiextensionsv1.JSON `json:"vars,omitempty" yaml:"vars,omitempty"`
 }
 
 // +kubebuilder:object:root=true

charts/templates/cluster_role.yaml

@@ -170,6 +170,20 @@ rules:
   - get
   - list
   - watch
+- apiGroups:
+  - gateway.networking.k8s.io
+  resources:
+  - referencegrants
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - gateway.networking.k8s.io
+  resources:
+  - referencegrants/status
+  verbs:
+  - get
 - apiGroups:
   - networking.k8s.io
   resources: