Merge pull request #1181 from hashicorp/ref-policy-spec-update

Update ReferenceGrant docs to include Gateway -> Secret use case

Author: k8s-ci-robot

apis/v1alpha2/object_reference_types.go

@@ -65,10 +65,10 @@ type SecretObjectReference struct {
 	// Namespace is the namespace of the backend. When unspecified, the local
 	// namespace is inferred.
 	//
-	// Note that when a namespace is specified, a ReferenceGrant object
-	// is required in the referent namespace to allow that namespace's
-	// owner to accept the reference. See the ReferenceGrant documentation
-	// for details.
+	// Note that when a different namespace is specified, a ReferenceGrant
+	// object with ReferenceGrantTo.Kind=Secret is required in the referent
+	// namespace to allow that namespace's owner to accept the reference.
+	// See the ReferenceGrant documentation for details.
 	//
 	// Support: Core
 	//
@@ -112,10 +112,10 @@ type BackendObjectReference struct {
 	// Namespace is the namespace of the backend. When unspecified, the local
 	// namespace is inferred.
 	//
-	// Note that when a namespace is specified, a ReferenceGrant object
-	// is required in the referent namespace to allow that namespace's
-	// owner to accept the reference. See the ReferenceGrant documentation
-	// for details.
+	// Note that when a different namespace is specified, a ReferenceGrant
+	// object with ReferenceGrantTo.Kind=Service is required in the referent
+	// namespace to allow that namespace's owner to accept the reference.
+	// See the ReferenceGrant documentation for details.
 	//
 	// Support: Core
 	//

apis/v1alpha2/referencegrant_types.go

@@ -92,8 +92,14 @@ type ReferenceGrantFrom struct {
 	Group Group `json:"group"`
 
 	// Kind is the kind of the referent. Although implementations may support
-	// additional resources, the following Route types are part of the "Core"
-	// support level for this field:
+	// additional resources, the following types are part of the "Core"
+	// support level for this field.
+	//
+	// When used to permit a SecretObjectReference:
+	//
+	// * Gateway
+	//
+	// When used to permit a BackendObjectReference:
 	//
 	// * HTTPRoute
 	// * TCPRoute
@@ -120,7 +126,8 @@ type ReferenceGrantTo struct {
 	// additional resources, the following types are part of the "Core"
 	// support level for this field:
 	//
-	// * Service
+	// * Secret when used to permit a SecretObjectReference
+	// * Service when used to permit a BackendObjectReference
 	Kind Kind `json:"kind"`
 
 	// Name is the name of the referent. When unspecified, this policy

config/crd/experimental/gateway.networking.k8s.io_gateways.yaml

@@ -121,14 +121,15 @@ safeguards are in place.
 ReferenceGrant support is a "CORE" conformance level requirement for
 cross-namespace references that originate from the following objects:
 
+- Gateway
 - HTTPRoute
 - TLSRoute
 - TCPRoute
 - UDPRoute
 
 That is, all implementations MUST use this flow for any cross namespace
-references in any of the core xRoute types, except as noted in the Exceptions
-section above.
+references in the Gateway and any of the core xRoute types, except as noted
+in the Exceptions section above.
 
 Other "ImplementationSpecific" objects and references MUST also use this flow
 for cross-namespace references, except as noted in the Exceptions section above.