drop support for ReferencePolicy (projectcontour#4830)

Drops support for ReferencePolicy which has been replaced by ReferenceGrant in Gateway API. Updates projectcontour#4555. Signed-off-by: Steve Kriss <krisss@vmware.com>
sunjayBhatia · Dec 14, 2022 · d2df138 · d2df138
1 parent ee13679
commit d2df138
Show file tree

Hide file tree

Showing 13 changed files with 19 additions and 72 deletions.
diff --git a/changelogs/unreleased/4830-skriss-deprecation.md b/changelogs/unreleased/4830-skriss-deprecation.md
@@ -0,0 +1,4 @@
+## Gateway API: ReferencePolicy no longer supported (use ReferenceGrant instead)
+
+In Gateway API, ReferencePolicy's rename to ReferenceGrant has been fully completed.
+Contour now only supports ReferenceGrant, and does not support ReferencePolicy resources in any way.
diff --git a/cmd/contour/serve.go b/cmd/contour/serve.go
@@ -805,11 +805,6 @@ func (s *Server) setupGatewayAPI(contourConfiguration contour_api_v1alpha1.Conto
 			s.log.WithError(err).Fatal("failed to create tlsroute-controller")
 		}
 
-		// Inform on ReferencePolicies.
-		if err := informOnResource(&gatewayapi_v1alpha2.ReferencePolicy{}, eventHandler, mgr.GetCache()); err != nil {
-			s.log.WithError(err).WithField("resource", "referencepolicies").Fatal("failed to create informer")
-		}
-
 		// Inform on ReferenceGrants.
 		if err := informOnResource(&gatewayapi_v1alpha2.ReferenceGrant{}, eventHandler, mgr.GetCache()); err != nil {
 			s.log.WithError(err).WithField("resource", "referencegrants").Fatal("failed to create informer")

diff --git a/examples/contour/02-role-contour.yaml b/examples/contour/02-role-contour.yaml
@@ -26,7 +26,6 @@ rules:
   - gateways
   - httproutes
   - referencegrants
-  - referencepolicies
   - tlsroutes
   verbs:
   - get

diff --git a/examples/gateway-provisioner/01-roles.yaml b/examples/gateway-provisioner/01-roles.yaml
@@ -76,7 +76,6 @@ rules:
   - gateways
   - httproutes
   - referencegrants
-  - referencepolicies
   - tlsroutes
   verbs:
   - get

diff --git a/examples/render/contour-deployment.yaml b/examples/render/contour-deployment.yaml
@@ -6986,7 +6986,6 @@ rules:
   - gateways
   - httproutes
   - referencegrants
-  - referencepolicies
   - tlsroutes
   verbs:
   - get

diff --git a/examples/render/contour-gateway-provisioner.yaml b/examples/render/contour-gateway-provisioner.yaml
@@ -13911,7 +13911,6 @@ rules:
   - gateways
   - httproutes
   - referencegrants
-  - referencepolicies
   - tlsroutes
   verbs:
   - get

diff --git a/examples/render/contour-gateway.yaml b/examples/render/contour-gateway.yaml
@@ -6992,7 +6992,6 @@ rules:
   - gateways
   - httproutes
   - referencegrants
-  - referencepolicies
   - tlsroutes
   verbs:
   - get

diff --git a/examples/render/contour.yaml b/examples/render/contour.yaml
@@ -6986,7 +6986,6 @@ rules:
   - gateways
   - httproutes
   - referencegrants
-  - referencepolicies
   - tlsroutes
   verbs:
   - get

diff --git a/internal/dag/cache.go b/internal/dag/cache.go
@@ -67,7 +67,6 @@ type KubernetesCache struct {
 	gateway                   *gatewayapi_v1beta1.Gateway
 	httproutes                map[types.NamespacedName]*gatewayapi_v1beta1.HTTPRoute
 	tlsroutes                 map[types.NamespacedName]*gatewayapi_v1alpha2.TLSRoute
-	referencepolicies         map[types.NamespacedName]*gatewayapi_v1alpha2.ReferencePolicy
 	referencegrants           map[types.NamespacedName]*gatewayapi_v1alpha2.ReferenceGrant
 	extensions                map[types.NamespacedName]*contour_api_v1alpha1.ExtensionService
 
@@ -87,7 +86,6 @@ func (kc *KubernetesCache) init() {
 	kc.services = make(map[types.NamespacedName]*v1.Service)
 	kc.namespaces = make(map[string]*v1.Namespace)
 	kc.httproutes = make(map[types.NamespacedName]*gatewayapi_v1beta1.HTTPRoute)
-	kc.referencepolicies = make(map[types.NamespacedName]*gatewayapi_v1alpha2.ReferencePolicy)
 	kc.referencegrants = make(map[types.NamespacedName]*gatewayapi_v1alpha2.ReferenceGrant)
 	kc.tlsroutes = make(map[types.NamespacedName]*gatewayapi_v1alpha2.TLSRoute)
 	kc.extensions = make(map[types.NamespacedName]*contour_api_v1alpha1.ExtensionService)
@@ -192,9 +190,6 @@ func (kc *KubernetesCache) Insert(obj interface{}) bool {
 		case *gatewayapi_v1alpha2.TLSRoute:
 			kc.tlsroutes[k8s.NamespacedNameOf(obj)] = obj
 			return true
-		case *gatewayapi_v1alpha2.ReferencePolicy:
-			kc.referencepolicies[k8s.NamespacedNameOf(obj)] = obj
-			return true
 		case *gatewayapi_v1alpha2.ReferenceGrant:
 			kc.referencegrants[k8s.NamespacedNameOf(obj)] = obj
 			return true
@@ -317,11 +312,6 @@ func (kc *KubernetesCache) remove(obj interface{}) bool {
 		_, ok := kc.tlsroutes[m]
 		delete(kc.tlsroutes, m)
 		return ok
-	case *gatewayapi_v1alpha2.ReferencePolicy:
-		m := k8s.NamespacedNameOf(obj)
-		_, ok := kc.referencepolicies[m]
-		delete(kc.referencepolicies, m)
-		return ok
 	case *gatewayapi_v1alpha2.ReferenceGrant:
 		m := k8s.NamespacedNameOf(obj)
 		_, ok := kc.referencegrants[m]

diff --git a/internal/dag/gatewayapi_processor.go b/internal/dag/gatewayapi_processor.go
@@ -656,7 +656,7 @@ func (p *GatewayAPIProcessor) resolveListenerSecret(certificateRefs []gatewayapi
 	}
 
 	// If the secret is in a different namespace than the gateway, then we need to
-	// check for a ReferencePolicy or ReferenceGrant that allows the reference.
+	// check for a ReferenceGrant that allows the reference.
 	if certificateRef.Namespace != nil && string(*certificateRef.Namespace) != p.source.gateway.Namespace {
 		if !p.validCrossNamespaceRef(
 			crossNamespaceFrom{
@@ -676,7 +676,7 @@ func (p *GatewayAPIProcessor) resolveListenerSecret(certificateRefs []gatewayapi
 				gatewayapi_v1beta1.ListenerConditionResolvedRefs,
 				metav1.ConditionFalse,
 				gatewayapi_v1beta1.ListenerReasonRefNotPermitted,
-				fmt.Sprintf("Spec.VirtualHost.TLS.CertificateRefs %q namespace must match the Gateway's namespace or be covered by a ReferencePolicy/ReferenceGrant", certificateRef.Name),
+				fmt.Sprintf("Spec.VirtualHost.TLS.CertificateRefs %q namespace must match the Gateway's namespace or be covered by a ReferenceGrant", certificateRef.Name),
 			)
 			return nil
 		}
@@ -717,42 +717,6 @@ type crossNamespaceTo struct {
 }
 
 func (p *GatewayAPIProcessor) validCrossNamespaceRef(from crossNamespaceFrom, to crossNamespaceTo) bool {
-	for _, referencePolicy := range p.source.referencepolicies {
-		// The ReferencePolicy must be defined in the namespace of
-		// the "to" (the referent).
-		if referencePolicy.Namespace != to.namespace {
-			continue
-		}
-
-		// Check if the ReferencePolicy has a matching "from".
-		var fromAllowed bool
-		for _, refPolicyFrom := range referencePolicy.Spec.From {
-			if string(refPolicyFrom.Namespace) == from.namespace && string(refPolicyFrom.Group) == from.group && string(refPolicyFrom.Kind) == from.kind {
-				fromAllowed = true
-				break
-			}
-		}
-		if !fromAllowed {
-			continue
-		}
-
-		// Check if the ReferencePolicy has a matching "to".
-		var toAllowed bool
-		for _, refPolicyTo := range referencePolicy.Spec.To {
-			if string(refPolicyTo.Group) == to.group && string(refPolicyTo.Kind) == to.kind && (refPolicyTo.Name == nil || *refPolicyTo.Name == "" || string(*refPolicyTo.Name) == to.name) {
-				toAllowed = true
-				break
-			}
-		}
-		if !toAllowed {
-			continue
-		}
-
-		// If we got here, both the "from" and the "to" were allowed by this
-		// reference policy.
-		return true
-	}
-
 	for _, referenceGrant := range p.source.referencegrants {
 		// The ReferenceGrant must be defined in the namespace of
 		// the "to" (the referent).
@@ -1232,7 +1196,7 @@ func (p *GatewayAPIProcessor) validateBackendObjectRef(backendObjectRef gatewaya
 	}
 
 	// If the backend is in a different namespace than the route, then we need to
-	// check for a ReferencePolicy or ReferenceGrant that allows the reference.
+	// check for a ReferenceGrant that allows the reference.
 	if backendObjectRef.Namespace != nil && string(*backendObjectRef.Namespace) != routeNamespace {
 		if !p.validCrossNamespaceRef(
 			crossNamespaceFrom{
@@ -1247,7 +1211,7 @@ func (p *GatewayAPIProcessor) validateBackendObjectRef(backendObjectRef gatewaya
 				name:      string(backendObjectRef.Name),
 			},
 		) {
-			return nil, resolvedRefsFalse(gatewayapi_v1beta1.RouteReasonRefNotPermitted, fmt.Sprintf("%s.Namespace must match the route's namespace or be covered by a ReferencePolicy/ReferenceGrant", field))
+			return nil, resolvedRefsFalse(gatewayapi_v1beta1.RouteReasonRefNotPermitted, fmt.Sprintf("%s.Namespace must match the route's namespace or be covered by a ReferenceGrant", field))
 		}
 	}
 

diff --git a/internal/dag/status_test.go b/internal/dag/status_test.go
@@ -4846,7 +4846,7 @@ func TestGatewayAPIHTTPRouteDAGStatus(t *testing.T) {
 							Type:    string(gatewayapi_v1beta1.RouteConditionResolvedRefs),
 							Status:  contour_api_v1.ConditionFalse,
 							Reason:  string(gatewayapi_v1beta1.ListenerReasonRefNotPermitted),
-							Message: "Spec.Rules.BackendRef.Namespace must match the route's namespace or be covered by a ReferencePolicy/ReferenceGrant",
+							Message: "Spec.Rules.BackendRef.Namespace must match the route's namespace or be covered by a ReferenceGrant",
 						},
 						{
 							Type:    string(gatewayapi_v1beta1.RouteConditionAccepted),
@@ -4982,7 +4982,7 @@ func TestGatewayAPIHTTPRouteDAGStatus(t *testing.T) {
 							Type:    string(gatewayapi_v1beta1.ListenerConditionResolvedRefs),
 							Status:  metav1.ConditionFalse,
 							Reason:  string(gatewayapi_v1beta1.ListenerReasonRefNotPermitted),
-							Message: "Spec.VirtualHost.TLS.CertificateRefs \"secret\" namespace must match the Gateway's namespace or be covered by a ReferencePolicy/ReferenceGrant",
+							Message: "Spec.VirtualHost.TLS.CertificateRefs \"secret\" namespace must match the Gateway's namespace or be covered by a ReferenceGrant",
 						},
 					},
 				},
@@ -5126,7 +5126,7 @@ func TestGatewayAPIHTTPRouteDAGStatus(t *testing.T) {
 							Type:    string(gatewayapi_v1beta1.ListenerConditionResolvedRefs),
 							Status:  metav1.ConditionFalse,
 							Reason:  string(gatewayapi_v1beta1.ListenerReasonRefNotPermitted),
-							Message: "Spec.VirtualHost.TLS.CertificateRefs \"secret\" namespace must match the Gateway's namespace or be covered by a ReferencePolicy/ReferenceGrant",
+							Message: "Spec.VirtualHost.TLS.CertificateRefs \"secret\" namespace must match the Gateway's namespace or be covered by a ReferenceGrant",
 						},
 					},
 				},
@@ -5214,7 +5214,7 @@ func TestGatewayAPIHTTPRouteDAGStatus(t *testing.T) {
 							Type:    string(gatewayapi_v1beta1.ListenerConditionResolvedRefs),
 							Status:  metav1.ConditionFalse,
 							Reason:  string(gatewayapi_v1beta1.ListenerReasonRefNotPermitted),
-							Message: "Spec.VirtualHost.TLS.CertificateRefs \"secret\" namespace must match the Gateway's namespace or be covered by a ReferencePolicy/ReferenceGrant",
+							Message: "Spec.VirtualHost.TLS.CertificateRefs \"secret\" namespace must match the Gateway's namespace or be covered by a ReferenceGrant",
 						},
 					},
 				},
@@ -5302,7 +5302,7 @@ func TestGatewayAPIHTTPRouteDAGStatus(t *testing.T) {
 							Type:    string(gatewayapi_v1beta1.ListenerConditionResolvedRefs),
 							Status:  metav1.ConditionFalse,
 							Reason:  string(gatewayapi_v1beta1.ListenerReasonRefNotPermitted),
-							Message: "Spec.VirtualHost.TLS.CertificateRefs \"secret\" namespace must match the Gateway's namespace or be covered by a ReferencePolicy/ReferenceGrant",
+							Message: "Spec.VirtualHost.TLS.CertificateRefs \"secret\" namespace must match the Gateway's namespace or be covered by a ReferenceGrant",
 						},
 					},
 				},
@@ -5390,7 +5390,7 @@ func TestGatewayAPIHTTPRouteDAGStatus(t *testing.T) {
 							Type:    string(gatewayapi_v1beta1.ListenerConditionResolvedRefs),
 							Status:  metav1.ConditionFalse,
 							Reason:  string(gatewayapi_v1beta1.ListenerReasonRefNotPermitted),
-							Message: "Spec.VirtualHost.TLS.CertificateRefs \"secret\" namespace must match the Gateway's namespace or be covered by a ReferencePolicy/ReferenceGrant",
+							Message: "Spec.VirtualHost.TLS.CertificateRefs \"secret\" namespace must match the Gateway's namespace or be covered by a ReferenceGrant",
 						},
 					},
 				},
@@ -5479,7 +5479,7 @@ func TestGatewayAPIHTTPRouteDAGStatus(t *testing.T) {
 							Type:    string(gatewayapi_v1beta1.ListenerConditionResolvedRefs),
 							Status:  metav1.ConditionFalse,
 							Reason:  string(gatewayapi_v1beta1.ListenerReasonRefNotPermitted),
-							Message: "Spec.VirtualHost.TLS.CertificateRefs \"secret\" namespace must match the Gateway's namespace or be covered by a ReferencePolicy/ReferenceGrant",
+							Message: "Spec.VirtualHost.TLS.CertificateRefs \"secret\" namespace must match the Gateway's namespace or be covered by a ReferenceGrant",
 						},
 					},
 				},
@@ -6183,7 +6183,7 @@ func TestGatewayAPIHTTPRouteDAGStatus(t *testing.T) {
 							Type:    string(gatewayapi_v1beta1.RouteConditionResolvedRefs),
 							Status:  contour_api_v1.ConditionFalse,
 							Reason:  string(gatewayapi_v1beta1.ListenerReasonRefNotPermitted),
-							Message: "Spec.Rules.Filters.RequestMirror.BackendRef.Namespace must match the route's namespace or be covered by a ReferencePolicy/ReferenceGrant",
+							Message: "Spec.Rules.Filters.RequestMirror.BackendRef.Namespace must match the route's namespace or be covered by a ReferenceGrant",
 						},
 						{
 							Type:    string(gatewayapi_v1beta1.RouteConditionAccepted),

diff --git a/internal/k8s/rbac.go b/internal/k8s/rbac.go
@@ -19,7 +19,7 @@ package k8s
 // +kubebuilder:rbac:groups="projectcontour.io",resources=httpproxies;tlscertificatedelegations;extensionservices;contourconfigurations,verbs=get;list;watch
 // +kubebuilder:rbac:groups="projectcontour.io",resources=httpproxies/status;extensionservices/status;contourconfigurations/status,verbs=create;get;update
 
-// +kubebuilder:rbac:groups="gateway.networking.k8s.io",resources=gatewayclasses;gateways;httproutes;tlsroutes;referencepolicies;referencegrants,verbs=get;list;watch
+// +kubebuilder:rbac:groups="gateway.networking.k8s.io",resources=gatewayclasses;gateways;httproutes;tlsroutes;referencegrants,verbs=get;list;watch
 // +kubebuilder:rbac:groups="gateway.networking.k8s.io",resources=gatewayclasses/status;gateways/status;httproutes/status;tlsroutes/status,verbs=update
 
 // +kubebuilder:rbac:groups="",resources=secrets;endpoints;services;namespaces,verbs=get;list;watch

diff --git a/internal/provisioner/objects/rbac/clusterrole/cluster_role.go b/internal/provisioner/objects/rbac/clusterrole/cluster_role.go
@@ -76,8 +76,8 @@ func desiredClusterRole(name string, contour *model.Contour) *rbacv1.ClusterRole
 			policyRuleFor(corev1.GroupName, getListWatch, "secrets", "endpoints", "services", "namespaces"),
 
 			// Gateway API resources.
-			// Note, ReferencePolicy/ReferenceGrant does not currently have a .status field so it's omitted from the status rule.
-			policyRuleFor(gatewayv1alpha2.GroupName, getListWatch, "gatewayclasses", "gateways", "httproutes", "tlsroutes", "referencepolicies", "referencegrants"),
+			// Note, ReferenceGrant does not currently have a .status field so it's omitted from the status rule.
+			policyRuleFor(gatewayv1alpha2.GroupName, getListWatch, "gatewayclasses", "gateways", "httproutes", "tlsroutes", "referencegrants"),
 			policyRuleFor(gatewayv1alpha2.GroupName, update, "gatewayclasses/status", "gateways/status", "httproutes/status", "tlsroutes/status"),
 
 			// Ingress resources.