use RefNotPermitted reason for invalid cross-namespace TLS cert ref (e…

…nvoyproxy#580) * use RefNotPermitted reason for invalid cross-namespace TLS cert ref Closes envoyproxy#538. Signed-off-by: Steve Kriss <krisss@vmware.com>
danehans · Nov 3, 2022 · 8748446 · 8748446
1 parent 872342c
commit 8748446
Show file tree

Hide file tree

Showing 3 changed files with 4 additions and 4 deletions.
diff --git a/...a/gateway-with-listener-with-invalid-tls-configuration-secret-in-other-namespace.out.yaml b/...a/gateway-with-listener-with-invalid-tls-configuration-secret-in-other-namespace.out.yaml
@@ -28,7 +28,7 @@ gateways:
           conditions:
             - type: ResolvedRefs
               status: "False"
-              reason: InvalidCertificateRef
+              reason: RefNotPermitted
               message: Certificate ref to secret default/tls-secret-1 not permitted by any ReferenceGrant
             - type: Ready
               status: "False"

diff --git a/internal/gatewayapi/translator.go b/internal/gatewayapi/translator.go
@@ -431,7 +431,7 @@ func (t *Translator) ProcessListeners(gateways []*GatewayContext, xdsIR XdsIRMap
 						listener.SetCondition(
 							v1beta1.ListenerConditionResolvedRefs,
 							metav1.ConditionFalse,
-							v1beta1.ListenerReasonInvalidCertificateRef,
+							v1beta1.ListenerReasonRefNotPermitted,
 							fmt.Sprintf("Certificate ref to secret %s/%s not permitted by any ReferenceGrant", *certificateRef.Namespace, certificateRef.Name),
 						)
 						break

diff --git a/test/conformance/conformance_test.go b/test/conformance/conformance_test.go
@@ -46,7 +46,7 @@ func TestGatewayAPIConformance(t *testing.T) {
 		Debug:                    *flags.ShowDebug,
 		CleanupBaseResources:     *flags.CleanupBaseResources,
 		ValidUniqueListenerPorts: validUniqueListenerPorts,
-		SupportedFeatures: []suite.SupportedFeature{suite.SupportReferenceGrant},
+		SupportedFeatures:        []suite.SupportedFeature{suite.SupportReferenceGrant},
 	})
 	cSuite.Setup(t)
 	egTests := []suite.ConformanceTest{
@@ -63,7 +63,7 @@ func TestGatewayAPIConformance(t *testing.T) {
 		tests.HTTPRouteInvalidCrossNamespaceBackendRef,
 		tests.GatewaySecretReferenceGrantAllInNamespace,
 		tests.GatewaySecretReferenceGrantSpecific,
-		// Uncomment when https://github.com/envoyproxy/gateway/issues/538 is fixed.
+		// Uncomment when https://github.com/envoyproxy/gateway/issues/539 is fixed.
 		/*tests.GatewaySecretMissingReferenceGrant,
 		tests.GatewaySecretInvalidReferenceGrant,*/
 	}