diff --git a/changelogs/unreleased/4664-sunjayBhatia-small.md b/changelogs/unreleased/4664-sunjayBhatia-small.md
new file mode 100644
index 00000000000..c8bc8e34547
--- /dev/null
+++ b/changelogs/unreleased/4664-sunjayBhatia-small.md
@@ -0,0 +1 @@
+Gateway Listeners with Secret references whose namespace is not covered by a ReferenceGrant should have their status reason set to RefNotPermitted.
diff --git a/internal/dag/gatewayapi_processor.go b/internal/dag/gatewayapi_processor.go
index 6be79f24f7b..26445238d72 100644
--- a/internal/dag/gatewayapi_processor.go
+++ b/internal/dag/gatewayapi_processor.go
@@ -675,7 +675,7 @@ func (p *GatewayAPIProcessor) resolveListenerSecret(certificateRefs []gatewayapi
 listenerName,
 gatewayapi_v1beta1.ListenerConditionResolvedRefs,
 metav1.ConditionFalse,
- gatewayapi_v1beta1.ListenerReasonInvalidCertificateRef,
+ gatewayapi_v1beta1.ListenerReasonRefNotPermitted,
 fmt.Sprintf("Spec.VirtualHost.TLS.CertificateRefs %q namespace must match the Gateway's namespace or be covered by a ReferencePolicy/ReferenceGrant", certificateRef.Name),
 )
 return nil
diff --git a/internal/dag/status_test.go b/internal/dag/status_test.go
index 519ee140288..6c34dee32a3 100644
--- a/internal/dag/status_test.go
+++ b/internal/dag/status_test.go
@@ -3871,7 +3871,7 @@ func TestGatewayAPIHTTPRouteDAGStatus(t *testing.T) {
 {
 Type: string(gatewayapi_v1beta1.ListenerConditionResolvedRefs),
 Status: metav1.ConditionFalse,
- Reason: string(gatewayapi_v1beta1.ListenerReasonInvalidCertificateRef),
+ Reason: string(gatewayapi_v1beta1.ListenerReasonRefNotPermitted),
 Message: "Spec.VirtualHost.TLS.CertificateRefs \"secret\" namespace must match the Gateway's namespace or be covered by a ReferencePolicy/ReferenceGrant",
 },
 },
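Review bot: In the `resolveListenerSecret` hunk of `internal/dag/gatewayapi_processor.go`, the message built next to the new `ListenerReasonRefNotPermitted` prints only `certificateRef.Name` and names the path `Spec.VirtualHost.TLS.CertificateRefs`, which is not a Gateway Listener field. This reason now marks a cross-namespace Secret reference that no ReferenceGrant allows, so the refused namespace is what an operator or an alert on this condition needs to see; I would add it to the message and point the path at the Listener's `tls.certificateRefs`, updating the six expectations in `status_test.go` to match. The call and the function begin and end outside the hunk, so the guard that leads here is not visible; a comment above the call such as `// Cross-namespace Secret not covered by a ReferenceGrant: do not resolve it.` would document why `return nil` follows.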
@@ -4015,7 +4015,7 @@ func TestGatewayAPIHTTPRouteDAGStatus(t *testing.T) {
 {
 Type: string(gatewayapi_v1beta1.ListenerConditionResolvedRefs),
 Status: metav1.ConditionFalse,
- Reason: string(gatewayapi_v1beta1.ListenerReasonInvalidCertificateRef),
+ Reason: string(gatewayapi_v1beta1.ListenerReasonRefNotPermitted),
 Message: "Spec.VirtualHost.TLS.CertificateRefs \"secret\" namespace must match the Gateway's namespace or be covered by a ReferencePolicy/ReferenceGrant",
 },
 },
@@ -4103,7 +4103,7 @@ func TestGatewayAPIHTTPRouteDAGStatus(t *testing.T) {
 {
 Type: string(gatewayapi_v1beta1.ListenerConditionResolvedRefs),
 Status: metav1.ConditionFalse,
- Reason: string(gatewayapi_v1beta1.ListenerReasonInvalidCertificateRef),
+ Reason: string(gatewayapi_v1beta1.ListenerReasonRefNotPermitted),
 Message: "Spec.VirtualHost.TLS.CertificateRefs \"secret\" namespace must match the Gateway's namespace or be covered by a ReferencePolicy/ReferenceGrant",
 },
 },
@@ -4191,7 +4191,7 @@ func TestGatewayAPIHTTPRouteDAGStatus(t *testing.T) {
 {
 Type: string(gatewayapi_v1beta1.ListenerConditionResolvedRefs),
 Status: metav1.ConditionFalse,
- Reason: string(gatewayapi_v1beta1.ListenerReasonInvalidCertificateRef),
+ Reason: string(gatewayapi_v1beta1.ListenerReasonRefNotPermitted),
 Message: "Spec.VirtualHost.TLS.CertificateRefs \"secret\" namespace must match the Gateway's namespace or be covered by a ReferencePolicy/ReferenceGrant",
 },
 },
@@ -4279,7 +4279,7 @@ func TestGatewayAPIHTTPRouteDAGStatus(t *testing.T) {
 {
 Type: string(gatewayapi_v1beta1.ListenerConditionResolvedRefs),
 Status: metav1.ConditionFalse,
- Reason: string(gatewayapi_v1beta1.ListenerReasonInvalidCertificateRef),
+ Reason: string(gatewayapi_v1beta1.ListenerReasonRefNotPermitted),
 Message: "Spec.VirtualHost.TLS.CertificateRefs \"secret\" namespace must match the Gateway's namespace or be covered by a ReferencePolicy/ReferenceGrant",
 },
 },
@@ -4368,7 +4368,7 @@ func TestGatewayAPIHTTPRouteDAGStatus(t *testing.T) {
 {
 Type: string(gatewayapi_v1beta1.ListenerConditionResolvedRefs),
 Status: metav1.ConditionFalse,
- Reason: string(gatewayapi_v1beta1.ListenerReasonInvalidCertificateRef),
+ Reason: string(gatewayapi_v1beta1.ListenerReasonRefNotPermitted),
 Message: "Spec.VirtualHost.TLS.CertificateRefs \"secret\" namespace must match the Gateway's namespace or be covered by a ReferencePolicy/ReferenceGrant",
 },
 },