kubernetes-sigs
diff --git a/‎apis/v1alpha1/gateway_types.go
-9 b/‎apis/v1alpha1/gateway_types.go
-9
diff --git a/‎apis/v1alpha1/shared_types.go
+12-1 b/‎apis/v1alpha1/shared_types.go
+12-1
diff --git a/‎apis/v1alpha1/validation/validation.go
+15 b/‎apis/v1alpha1/validation/validation.go
+15
diff --git a/‎apis/v1alpha1/validation/validation_test.go
+75 b/‎apis/v1alpha1/validation/validation_test.go
+75
diff --git a/‎apis/v1alpha1/zz_generated.deepcopy.go
+1 b/‎apis/v1alpha1/zz_generated.deepcopy.go
+1
@@ -298,15 +298,6 @@ type TLSOverridePolicy struct {
 }
 
 // GatewayTLSConfig describes a TLS configuration.
-//
-// References:
-//
-// - nginx: https://nginx.org/en/docs/http/configuring_https_servers.html
-// - envoy: https://www.envoyproxy.io/docs/envoy/latest/api-v2/api/v2/auth/cert.proto
-// - haproxy: https://www.haproxy.com/documentation/aloha/9-5/traffic-management/lb-layer7/tls/
-// - gcp: https://cloud.google.com/load-balancing/docs/use-ssl-policies#creating_an_ssl_policy_with_a_custom_profile
-// - aws: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html#describe-ssl-policies
-// - azure: https://docs.microsoft.com/en-us/azure/app-service/configure-ssl-bindings#enforce-tls-1112
 type GatewayTLSConfig struct {
 	// Mode defines the TLS behavior for the TLS session initiated by the client.
 	// There are two possible modes:
 
@@ -169,10 +169,21 @@ type RouteForwardTo struct {
 // RouteConditionType is a type of condition for a route.
 type RouteConditionType string
 
+// RouteConditionReason is a reason for a route condition.
+type RouteConditionReason string
+
 const (
 	// This condition indicates whether the route has been admitted
-	// or rejected by a Gateway, and why.
+	// or refused by a Gateway.
 	ConditionRouteAdmitted RouteConditionType = "Admitted"
+
+	// This reason is used with the "Admitted" condition when the Route has been
+	// admitted by the Gateway.
+	RouteReasonAdmitted RouteConditionReason = "Admitted"
+
+	// This reason is used with the "Admitted" condition when the Route has been
+	// refused by the Gateway.
+	RouteReasonRefused RouteConditionReason = "Refused"
 )
 
 // RouteGatewayStatus describes the status of a route with respect to an
 
@@ -122,3 +122,18 @@ func validateHTTPRouteUniqueFilters(rules []gatewayv1a1.HTTPRouteRule, path *fie
 
 	return errs
 }
+
+// ValidateGatewayClassUpdate validates an update to oldClass according to the
+// Gateway API specification. For additional details of the GatewayClass spec, refer to:
+// https://gateway-api.sigs.k8s.io/spec/#networking.x-k8s.io/v1alpha2.GatewayClass
+func ValidateGatewayClassUpdate(oldClass, newClass *gatewayv1a1.GatewayClass) field.ErrorList {
+	if oldClass == nil || newClass == nil {
+		return nil
+	}
+	var errs field.ErrorList
+	if oldClass.Spec.Controller != newClass.Spec.Controller {
+		errs = append(errs, field.Invalid(field.NewPath("spec.controller"), newClass.Spec.Controller,
+			"cannot update an immutable field"))
+	}
+	return errs
+}
@@ -17,11 +17,13 @@ limitations under the License.
 package validation
 
 import (
+	"reflect"
 	"testing"
 
 	gatewayv1a1 "sigs.k8s.io/gateway-api/apis/v1alpha1"
 
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/validation/field"
 	utilpointer "k8s.io/utils/pointer"
 )
 
@@ -424,3 +426,76 @@ func portNumberPtr(p int) *gatewayv1a1.PortNumber {
 	result := gatewayv1a1.PortNumber(p)
 	return &result
 }
+
+func TestValidateGatewayClassUpdate(t *testing.T) {
+	type args struct {
+		oldClass *gatewayv1a1.GatewayClass
+		newClass *gatewayv1a1.GatewayClass
+	}
+	tests := []struct {
+		name string
+		args args
+		want field.ErrorList
+	}{
+		{
+			name: "changing parameters reference is allowed",
+			args: args{
+				oldClass: &gatewayv1a1.GatewayClass{
+					Spec: gatewayv1a1.GatewayClassSpec{
+						Controller: "foo",
+					},
+				},
+				newClass: &gatewayv1a1.GatewayClass{
+					Spec: gatewayv1a1.GatewayClassSpec{
+						Controller: "foo",
+						ParametersRef: &gatewayv1a1.ParametersReference{
+							Group: "example.com",
+							Kind:  "GatewayClassConfig",
+							Name:  "foo",
+						},
+					},
+				},
+			},
+			want: nil,
+		},
+		{
+			name: "changing controller field results in an error",
+			args: args{
+				oldClass: &gatewayv1a1.GatewayClass{
+					Spec: gatewayv1a1.GatewayClassSpec{
+						Controller: "foo",
+					},
+				},
+				newClass: &gatewayv1a1.GatewayClass{
+					Spec: gatewayv1a1.GatewayClassSpec{
+						Controller: "bar",
+					},
+				},
+			},
+			want: field.ErrorList{
+				{
+					Type:     field.ErrorTypeInvalid,
+					Field:    "spec.controller",
+					Detail:   "cannot update an immutable field",
+					BadValue: "bar",
+				},
+			},
+		},
+		{
+			name: "nil input result in no errors",
+			args: args{
+				oldClass: nil,
+				newClass: nil,
+			},
+			want: nil,
+		},
+	}
+	for _, tt := range tests {
+		tt := tt
+		t.Run(tt.name, func(t *testing.T) {
+			if got := ValidateGatewayClassUpdate(tt.args.oldClass, tt.args.newClass); !reflect.DeepEqual(got, tt.want) {
+				t.Errorf("ValidateGatewayClassUpdate() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}