From 8748446a935ce64d6820aa77d3d41cb4bdff86b3 Mon Sep 17 00:00:00 2001
From: Steve Kriss
Date: Mon, 17 Oct 2022 10:27:00 -0600
Subject: [PATCH] use RefNotPermitted reason for invalid cross-namespace TLS cert ref (#580)

* use RefNotPermitted reason for invalid cross-namespace TLS cert ref

Closes #538.

Signed-off-by: Steve Kriss
---
 ...valid-tls-configuration-secret-in-other-namespace.out.yaml | 2 +-
 internal/gatewayapi/translator.go | 2 +-
 test/conformance/conformance_test.go | 4 ++--
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-tls-configuration-secret-in-other-namespace.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-tls-configuration-secret-in-other-namespace.out.yaml
index 4dd99085ff91..757e4c695e97 100644
--- a/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-tls-configuration-secret-in-other-namespace.out.yaml
+++ b/internal/gatewayapi/testdata/gateway-with-listener-with-invalid-tls-configuration-secret-in-other-namespace.out.yaml
@@ -28,7 +28,7 @@ gateways:
 conditions:
 - type: ResolvedRefs
 status: "False"
- reason: InvalidCertificateRef
+ reason: RefNotPermitted
 message: Certificate ref to secret default/tls-secret-1 not permitted by any ReferenceGrant
 - type: Ready
 status: "False"
diff --git a/internal/gatewayapi/translator.go b/internal/gatewayapi/translator.go
index 0d4db0be7e06..80ed034e8bab 100644
--- a/internal/gatewayapi/translator.go
+++ b/internal/gatewayapi/translator.go
@@ -431,7 +431,7 @@ func (t *Translator) ProcessListeners(gateways []*GatewayContext, xdsIR XdsIRMap
 listener.SetCondition(
 v1beta1.ListenerConditionResolvedRefs,
 metav1.ConditionFalse,
- v1beta1.ListenerReasonInvalidCertificateRef,
+ v1beta1.ListenerReasonRefNotPermitted,
 fmt.Sprintf("Certificate ref to secret %s/%s not permitted by any ReferenceGrant", *certificateRef.Namespace, certificateRef.Name),
 )
 break
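Review bot: The `listener.SetCondition(` call in the translator.go hunk now reports `v1beta1.ListenerReasonRefNotPermitted`, but nothing at the call site records that the ReferenceGrant check has to run before the referenced Secret is resolved. The surrounding loop lies outside the hunk, so the ordering is only presumed here; if the lookup ever came first, a missing Secret and a forbidden one would surface different reasons, and listener status would show which Secrets exist in namespaces the Gateway has no grant for. I would add above the call `// Report RefNotPermitted before resolving the Secret, so status never reveals whether it exists in the other namespace.` The message dereferences `*certificateRef.Namespace`; the nil guard for that is presumably earlier in `ProcessListeners` and is worth confirming.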
diff --git a/test/conformance/conformance_test.go b/test/conformance/conformance_test.go
index 9490e96bf5a3..b50613936b9d 100644
--- a/test/conformance/conformance_test.go
+++ b/test/conformance/conformance_test.go
@@ -46,7 +46,7 @@ func TestGatewayAPIConformance(t *testing.T) {
 Debug: *flags.ShowDebug,
 CleanupBaseResources: *flags.CleanupBaseResources,
 ValidUniqueListenerPorts: validUniqueListenerPorts,
- SupportedFeatures: []suite.SupportedFeature{suite.SupportReferenceGrant},
+ SupportedFeatures: []suite.SupportedFeature{suite.SupportReferenceGrant},
 })
 cSuite.Setup(t)
 egTests := []suite.ConformanceTest{
@@ -63,7 +63,7 @@ func TestGatewayAPIConformance(t *testing.T) {
 tests.HTTPRouteInvalidCrossNamespaceBackendRef,
 tests.GatewaySecretReferenceGrantAllInNamespace,
 tests.GatewaySecretReferenceGrantSpecific,
- // Uncomment when https://github.com/envoyproxy/gateway/issues/538 is fixed.
+ // Uncomment when https://github.com/envoyproxy/gateway/issues/539 is fixed.
 /*tests.GatewaySecretMissingReferenceGrant,
 tests.GatewaySecretInvalidReferenceGrant,*/
 }
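Review bot: In the second conformance_test.go hunk, `tests.GatewaySecretMissingReferenceGrant` and `tests.GatewaySecretInvalidReferenceGrant` stay commented out and only the issue number in the comment changes, so the conformance run still does not exercise the case where a cross-namespace Secret ref must be rejected. The comment should name what is still blocking them, for example `// Disabled until #539 is fixed: deny-path tests for Secret refs without a valid ReferenceGrant.` I would also disable each entry with its own `//` instead of one `/* … */` span, so that re-enabling a single test is a one-line change. `TestGatewayAPIConformance` starts before and continues past the hunk.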