@dspo dspo commented May 20, 2025

This commit introduces functionality to handle the ReferenceGrant resource in the Gateway API. It updates the Gateway controller logic, adds necessary permissions in RBAC manifests, and integrates condition handling for cross-namespace references. Additionally, skipped conformance tests related to ReferenceGrants are reinstated.

Type of change:

  • Bugfix
  • New feature provided
  • Improve performance
  • Backport patches
  • Documentation
  • Refactor
  • Chore
  • CI/CD or Tests

What this PR does / why we need it:

Pre-submission checklist:

  • Did you explain what problem does this PR solve? Or what new features have been added?
  • Have you added corresponding test cases?
  • Have you modified the corresponding document?
  • Is this PR backward compatible? If it is not backward compatible, please discuss on the mailing list first

github-actions bot commented May 20, 2025

conformance test report

apiVersion: gateway.networking.k8s.io/v1
date: "2025-05-20T19:18:59Z"
gatewayAPIChannel: standard
gatewayAPIVersion: v1.2.0
implementation:
  contact: null
  organization: APISIX
  project: apisix-ingress-controller
  url: https://github.com/apache/apisix-ingress-controller.git
  version: v2.0.0
kind: ConformanceReport
mode: default
profiles:
- core:
    result: partial
    skippedTests:
    - HTTPRouteHTTPSListener
    - HTTPRouteInvalidCrossNamespaceBackendRef
    - HTTPRouteInvalidReferenceGrant
    - HTTPRoutePartiallyInvalidViaInvalidReferenceGrant
    - HTTPRouteReferenceGrant
    statistics:
      Failed: 0
      Passed: 28
      Skipped: 5
  name: GATEWAY-HTTP
  summary: Core tests partially succeeded with 5 test skips.

@dspo dspo requested a review from ronething May 21, 2025 01:01
@ronething ronething requested a review from Copilot May 21, 2025 02:42

Copilot AI left a comment

Pull Request Overview

Adds Gateway API ReferenceGrant support to the controller, ensuring RBAC, controller logic, and tests reflect cross-namespace reference permissions.

  • Update RBAC manifests to allow referencegrants and referencegrants/status
  • Reinstate conformance tests that were skipped for ReferenceGrant
  • Enhance controller startup, watcher, status calculation, and permission checks for ReferenceGrant

Reviewed Changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| test/e2e/framework/manifests/ingress.yaml | Add referencegrants and referencegrants/status verbs |
| test/conformance/conformance_test.go | Remove skips for ReferenceGrant tests |
| internal/manager/run.go | Install v1beta1 scheme and verify ReferenceGrant CRD |
| internal/controller/utils.go | Extend getListenerStatus and add checkReferenceGrantBetweenGatewayAndSecret |
| internal/controller/gateway_controller.go | Watch ReferenceGrant events and include grants in reconcile |
| charts/templates/cluster_role.yaml | Add referencegrants and referencegrants/status verbs |
Comments suppressed due to low confidence (5)

internal/controller/utils.go:1098

  • The new helper checkReferenceGrantBetweenGatewayAndSecret lacks unit tests; add tests to validate both permitted and denied cross-namespace scenarios.
func checkReferenceGrantBetweenGatewayAndSecret(gwNamespace string, certRef gatewayv1.SecretObjectReference, grants []v1beta1.ReferenceGrant) bool {

internal/controller/gateway_controller.go:380

  • The code calls errors.New but the standard "errors" package is not imported; add import "errors" to avoid a compile error.
errors.New("unexpected object type")

internal/controller/gateway_controller.go:36

  • [nitpick] The import of github.com/api7/gopkg/pkg/log appears unused in this file; consider removing it to keep imports tidy.
"github.com/api7/gopkg/pkg/log"

test/e2e/framework/manifests/ingress.yaml:232

  • The new RBAC rules appear mis-indented under rules:; verify that - apiGroups: lines align correctly to ensure valid YAML.
- apiGroups:

charts/templates/cluster_role.yaml:173

  • Ensure the inserted - apiGroups: for referencegrants is indented to match existing rule entries, otherwise the rendered ClusterRole may be invalid.
- apiGroups:
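
The permitted and denied cross-namespace scenarios that the suppressed comment on `checkReferenceGrantBetweenGatewayAndSecret` asks tests for, as an added example that is not code from this pull request: a self-contained Go check following the Gateway API ReferenceGrant rules for a Gateway referencing a core Secret. The types are simplified stand-ins, `secretRefPermitted` is a hypothetical name, and the namespaces and Secret name are constructed.

```go
package main

import "fmt"

// Stand-in types (assumption), mirroring only the Gateway API fields this check reads.
type From struct{ Group, Kind, Namespace string }
type To struct {
	Group, Kind string
	Name        *string // nil: any Secret in the grant's namespace
}
type ReferenceGrant struct {
	Namespace string // a grant only covers targets in its own namespace
	From      []From
	To        []To
}
type SecretRef struct {
	Name      string
	Namespace *string // nil: same namespace as the Gateway
}

// secretRefPermitted (hypothetical name): may a Gateway in gwNS use ref? Default deny.
func secretRefPermitted(gwNS string, ref SecretRef, grants []ReferenceGrant) bool {
	if ref.Namespace == nil || *ref.Namespace == gwNS {
		return true // same-namespace references need no grant
	}
	for _, g := range grants {
		if g.Namespace != *ref.Namespace {
			continue // grant lives elsewhere; it cannot vouch for this Secret
		}
		fromOK, toOK := false, false
		for _, f := range g.From {
			fromOK = fromOK || (f.Group == "gateway.networking.k8s.io" && f.Kind == "Gateway" && f.Namespace == gwNS)
		}
		for _, t := range g.To {
			toOK = toOK || (t.Group == "" && t.Kind == "Secret" && (t.Name == nil || *t.Name == ref.Name))
		}
		if fromOK && toOK {
			return true
		}
	}
	return false
}

func main() {
	ns, name := "certs", "wildcard-tls" // constructed sample values
	grant := ReferenceGrant{Namespace: "certs", From: []From{{"gateway.networking.k8s.io", "Gateway", "edge"}}, To: []To{{"", "Secret", &name}}}
	fmt.Println(secretRefPermitted("edge", SecretRef{"wildcard-tls", &ns}, []ReferenceGrant{grant})) // true
	fmt.Println(secretRefPermitted("dev", SecretRef{"wildcard-tls", &ns}, []ReferenceGrant{grant}))  // false: grant names a different source namespace
}
```
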


@ronething ronething left a comment

lgtm

@dspo dspo merged commit ecebace into release-v2-dev May 21, 2025
9 checks passed
@dspo dspo deleted the feat/reference-grant branch June 23, 2025 07:28