Kuadrant · adam-cattermole · Jul 26, 2024 · Jul 24, 2024 · Jun 21, 2024
diff --git a/api/v1alpha1/dnspolicy_types.go b/api/v1alpha1/dnspolicy_types.go
@@ -18,7 +18,6 @@
 
 import (
 	"context"
-	"fmt"
 
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/utils/ptr"
@@ -53,7 +52,7 @@
 	// TargetRef identifies an API object to apply policy to.
 	// +kubebuilder:validation:XValidation:rule="self.group == 'gateway.networking.k8s.io'",message="Invalid targetRef.group. The only supported value is 'gateway.networking.k8s.io'"
 	// +kubebuilder:validation:XValidation:rule="self.kind == 'Gateway'",message="Invalid targetRef.kind. The only supported values are 'Gateway'"
-	TargetRef gatewayapiv1alpha2.PolicyTargetReference `json:"targetRef"`
+	TargetRef gatewayapiv1alpha2.LocalPolicyTargetReference `json:"targetRef"`
 
 	// +optional
 	HealthCheck *v1alpha1.HealthCheckSpec `json:"healthCheck,omitempty"`
@@ -173,7 +172,7 @@
 	return make([]string, 0)
 }
 
-func (p *DNSPolicy) GetTargetRef() gatewayapiv1alpha2.PolicyTargetReference {
+func (p *DNSPolicy) GetTargetRef() gatewayapiv1alpha2.LocalPolicyTargetReference {
 	return p.Spec.TargetRef
 }
 
@@ -214,16 +213,6 @@
 	return DNSPolicyDirectReferenceAnnotationName
 }
 
-// Validate ensures the resource is valid. Compatible with the validating interface
-// used by webhooks
-func (p *DNSPolicy) Validate() error {
-	if p.Spec.TargetRef.Namespace != nil && string(*p.Spec.TargetRef.Namespace) != p.Namespace {
-		return fmt.Errorf("invalid targetRef.Namespace %s. Currently only supporting references to the same namespace", *p.Spec.TargetRef.Namespace)
-	}
-
-	return nil
-}
-
 //+kubebuilder:object:root=true
 
 // DNSPolicyList contains a list of DNSPolicy
@@ -259,7 +248,7 @@
 	}
 }
 
-func (p *DNSPolicy) WithTargetRef(targetRef gatewayapiv1alpha2.PolicyTargetReference) *DNSPolicy {
+func (p *DNSPolicy) WithTargetRef(targetRef gatewayapiv1alpha2.LocalPolicyTargetReference) *DNSPolicy {
 	p.Spec.TargetRef = targetRef
 	return p
 }
@@ -282,12 +271,10 @@
 //TargetRef
 
 func (p *DNSPolicy) WithTargetGateway(gwName string) *DNSPolicy {
-	typedNamespace := gatewayapiv1.Namespace(p.GetNamespace())
-	return p.WithTargetRef(gatewayapiv1alpha2.PolicyTargetReference{
-		Group:     gatewayapiv1.GroupName,
-		Kind:      "Gateway",
-		Name:      gatewayapiv1.ObjectName(gwName),
-		Namespace: &typedNamespace,
+	return p.WithTargetRef(gatewayapiv1alpha2.LocalPolicyTargetReference{
+		Group: gatewayapiv1.GroupName,
+		Kind:  "Gateway",
+		Name:  gatewayapiv1.ObjectName(gwName),
 	})
 }
 

diff --git a/api/v1alpha1/tlspolicy_types.go b/api/v1alpha1/tlspolicy_types.go
@@ -18,7 +18,6 @@
 
 import (
 	"context"
-	"fmt"
 
 	certmanv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
 	certmanmetav1 "github.com/cert-manager/cert-manager/pkg/apis/meta/v1"
@@ -42,7 +41,7 @@
 	// TargetRef identifies an API object to apply policy to.
 	// +kubebuilder:validation:XValidation:rule="self.group == 'gateway.networking.k8s.io'",message="Invalid targetRef.group. The only supported value is 'gateway.networking.k8s.io'"
 	// +kubebuilder:validation:XValidation:rule="self.kind == 'Gateway'",message="Invalid targetRef.kind. The only supported values are 'Gateway'"
-	TargetRef gatewayapiv1alpha2.PolicyTargetReference `json:"targetRef"`
+	TargetRef gatewayapiv1alpha2.LocalPolicyTargetReference `json:"targetRef"`
 
 	CertificateSpec `json:",inline"`
 }
@@ -179,7 +178,7 @@
 	return make([]string, 0)
 }
 
-func (p *TLSPolicy) GetTargetRef() gatewayapiv1alpha2.PolicyTargetReference {
+func (p *TLSPolicy) GetTargetRef() gatewayapiv1alpha2.LocalPolicyTargetReference {
 	return p.Spec.TargetRef
 }
 
@@ -195,14 +194,6 @@
 	return TLSPolicyDirectReferenceAnnotationName
 }
 
-func (p *TLSPolicy) Validate() error {
-	if p.Spec.TargetRef.Namespace != nil && string(*p.Spec.TargetRef.Namespace) != p.Namespace {
-		return fmt.Errorf("invalid targetRef.Namespace %s. Currently only supporting references to the same namespace", *p.Spec.TargetRef.Namespace)
-	}
-
-	return nil
-}
-
 //+kubebuilder:object:root=true
 
 // TLSPolicyList contains a list of TLSPolicy
@@ -239,12 +230,10 @@
 }
 
 func (p *TLSPolicy) WithTargetGateway(gwName string) *TLSPolicy {
-	typedNamespace := gatewayapiv1.Namespace(p.GetNamespace())
-	p.Spec.TargetRef = gatewayapiv1alpha2.PolicyTargetReference{
-		Group:     gatewayapiv1.GroupName,
-		Kind:      "Gateway",
-		Name:      gatewayapiv1.ObjectName(gwName),
-		Namespace: &typedNamespace,
+	p.Spec.TargetRef = gatewayapiv1alpha2.LocalPolicyTargetReference{
+		Group: gatewayapiv1.GroupName,
+		Kind:  "Gateway",
+		Name:  gatewayapiv1.ObjectName(gwName),
 	}
 	return p
 }

diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
diff --git a/api/v1beta2/authpolicy_types.go b/api/v1beta2/authpolicy_types.go
@@ -2,7 +2,6 @@ package v1beta2
 
 import (
 	"context"
-	"fmt"
 
 	"github.com/go-logr/logr"
 	"github.com/google/go-cmp/cmp"
@@ -163,7 +162,7 @@ type AuthPolicySpec struct {
 	// TargetRef identifies an API object to apply policy to.
 	// +kubebuilder:validation:XValidation:rule="self.group == 'gateway.networking.k8s.io'",message="Invalid targetRef.group. The only supported value is 'gateway.networking.k8s.io'"
 	// +kubebuilder:validation:XValidation:rule="self.kind == 'HTTPRoute' || self.kind == 'Gateway'",message="Invalid targetRef.kind. The only supported values are 'HTTPRoute' and 'Gateway'"
-	TargetRef gatewayapiv1alpha2.PolicyTargetReference `json:"targetRef"`
+	TargetRef gatewayapiv1alpha2.LocalPolicyTargetReference `json:"targetRef"`
 
 	// Defaults define explicit default values for this policy and for policies inheriting this policy.
 	// Defaults are mutually exclusive with implicit defaults defined by AuthPolicyCommonSpec.
@@ -273,15 +272,7 @@ func (ap *AuthPolicy) IsAtomicOverride() bool {
 	return ap.Spec.Overrides != nil
 }
 
-func (ap *AuthPolicy) Validate() error {
-	if ap.Spec.TargetRef.Namespace != nil && string(*ap.Spec.TargetRef.Namespace) != ap.Namespace {
-		return fmt.Errorf("invalid targetRef.Namespace %s. Currently only supporting references to the same namespace", *ap.Spec.TargetRef.Namespace)
-	}
-
-	return nil
-}
-
-func (ap *AuthPolicy) GetTargetRef() gatewayapiv1alpha2.PolicyTargetReference {
+func (ap *AuthPolicy) GetTargetRef() gatewayapiv1alpha2.LocalPolicyTargetReference {
 	return ap.Spec.TargetRef
 }
 

diff --git a/api/v1beta2/authpolicy_types_test.go b/api/v1beta2/authpolicy_types_test.go
@@ -6,7 +6,6 @@ import (
 	"reflect"
 	"testing"
 
-	authorinoapi "github.com/kuadrant/authorino/api/v1beta2"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/utils/ptr"
 	gatewayapiv1 "sigs.k8s.io/gateway-api/apis/v1"
@@ -71,7 +70,7 @@ func TestAuthPolicyGetRulesHostnames(t *testing.T) {
 			Namespace: "my-namespace",
 		},
 		Spec: AuthPolicySpec{
-			TargetRef: gatewayapiv1alpha2.PolicyTargetReference{
+			TargetRef: gatewayapiv1alpha2.LocalPolicyTargetReference{
 				Group: gatewayapiv1.GroupName,
 				Kind:  "HTTPRoute",
 				Name:  "my-route",
@@ -213,72 +212,6 @@ func TestAuthPolicyGetRulesHostnames(t *testing.T) {
 	}
 }
 
-func TestAuthPolicyValidate(t *testing.T) {
-	testCases := []struct {
-		name    string
-		policy  *AuthPolicy
-		valid   bool
-		message string
-	}{
-		{
-			name: "invalid targetRef namespace",
-			policy: &AuthPolicy{
-				ObjectMeta: metav1.ObjectMeta{
-					Name:      "my-policy",
-					Namespace: "my-namespace",
-				},
-				Spec: AuthPolicySpec{
-					TargetRef: gatewayapiv1alpha2.PolicyTargetReference{
-						Group:     gatewayapiv1.GroupName,
-						Kind:      "HTTPRoute",
-						Name:      "my-route",
-						Namespace: ptr.To(gatewayapiv1.Namespace("other-namespace")),
-					},
-					AuthPolicyCommonSpec: AuthPolicyCommonSpec{
-						AuthScheme: &AuthSchemeSpec{
-							Authentication: map[string]AuthenticationSpec{
-								"my-rule": {
-									AuthenticationSpec: authorinoapi.AuthenticationSpec{
-										AuthenticationMethodSpec: authorinoapi.AuthenticationMethodSpec{
-											AnonymousAccess: &authorinoapi.AnonymousAccessSpec{},
-										},
-									},
-									CommonAuthRuleSpec: CommonAuthRuleSpec{
-										RouteSelectors: []RouteSelector{
-											{
-												Hostnames: []gatewayapiv1.Hostname{"*.foo.io"},
-												Matches: []gatewayapiv1.HTTPRouteMatch{
-													{
-														Path: &gatewayapiv1.HTTPPathMatch{
-															Value: ptr.To("/foo"),
-														},
-													},
-												},
-											},
-										},
-									},
-								},
-							},
-						},
-					},
-				},
-			},
-			message: "invalid targetRef.Namespace other-namespace. Currently only supporting references to the same namespace",
-		},
-	}
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			result := tc.policy.Validate()
-			if tc.valid && result != nil {
-				t.Errorf("Expected policy to be valid, got %t", result)
-			}
-			if !tc.valid && result == nil {
-				t.Error("Expected policy to be invalid, got no validation error")
-			}
-		})
-	}
-}
-
 func testBuildRouteSelector() RouteSelector {
 	return RouteSelector{
 		Hostnames: []gatewayapiv1.Hostname{"toystore.kuadrant.io"},

diff --git a/api/v1beta2/ratelimitpolicy_types.go b/api/v1beta2/ratelimitpolicy_types.go
@@ -132,7 +132,7 @@ type RateLimitPolicySpec struct {
 	// TargetRef identifies an API object to apply policy to.
 	// +kubebuilder:validation:XValidation:rule="self.group == 'gateway.networking.k8s.io'",message="Invalid targetRef.group. The only supported value is 'gateway.networking.k8s.io'"
 	// +kubebuilder:validation:XValidation:rule="self.kind == 'HTTPRoute' || self.kind == 'Gateway'",message="Invalid targetRef.kind. The only supported values are 'HTTPRoute' and 'Gateway'"
-	TargetRef gatewayapiv1alpha2.PolicyTargetReference `json:"targetRef"`
+	TargetRef gatewayapiv1alpha2.LocalPolicyTargetReference `json:"targetRef"`
 
 	// Defaults define explicit default values for this policy and for policies inheriting this policy.
 	// Defaults are mutually exclusive with implicit defaults defined by RateLimitPolicyCommonSpec.
@@ -226,14 +226,6 @@ type RateLimitPolicy struct {
 
 var _ kuadrantgatewayapi.Policy = &RateLimitPolicy{}
 
-func (r *RateLimitPolicy) Validate() error {
-	if r.Spec.TargetRef.Namespace != nil && string(*r.Spec.TargetRef.Namespace) != r.Namespace {
-		return fmt.Errorf("invalid targetRef.Namespace %s. Currently only supporting references to the same namespace", *r.Spec.TargetRef.Namespace)
-	}
-
-	return nil
-}
-
 func (r *RateLimitPolicy) GetObservedGeneration() int64  { return r.Status.GetObservedGeneration() }
 func (r *RateLimitPolicy) SetObservedGeneration(o int64) { r.Status.SetObservedGeneration(o) }
 
@@ -252,7 +244,7 @@ func (l *RateLimitPolicyList) GetItems() []kuadrant.Policy {
 	})
 }
 
-func (r *RateLimitPolicy) GetTargetRef() gatewayapiv1alpha2.PolicyTargetReference {
+func (r *RateLimitPolicy) GetTargetRef() gatewayapiv1alpha2.LocalPolicyTargetReference {
 	return r.Spec.TargetRef
 }
 

diff --git a/api/v1beta2/ratelimitpolicy_types_test.go b/api/v1beta2/ratelimitpolicy_types_test.go
@@ -3,7 +3,6 @@
 package v1beta2
 
 import (
-	"strings"
 	"testing"
 
 	"gotest.tools/assert"
@@ -25,7 +24,7 @@ func testBuildBasicRLP(name string, kind gatewayapiv1.Kind, mutateFn func(*RateL
 			Namespace: "testNS",
 		},
 		Spec: RateLimitPolicySpec{
-			TargetRef: gatewayapiv1alpha2.PolicyTargetReference{
+			TargetRef: gatewayapiv1alpha2.LocalPolicyTargetReference{
 				Group: gatewayapiv1.GroupName,
 				Kind:  kind,
 				Name:  "some-name",
@@ -44,26 +43,6 @@ func testBuildBasicHTTPRouteRLP(name string, mutateFn func(*RateLimitPolicy)) *R
 	return testBuildBasicRLP(name, "HTTPRoute", mutateFn)
 }
 
-// TestRateLimitPolicyValidation calls rlp.Validate()
-// for a valid return value.
-func TestRateLimitPolicyValidation(t *testing.T) {
-	name := "httproute-a"
-
-	t.Run("Invalid - Different namespace", func(subT *testing.T) {
-		rlp := testBuildBasicHTTPRouteRLP(name, func(policy *RateLimitPolicy) {
-			otherNS := gatewayapiv1.Namespace(policy.GetNamespace() + "other")
-			policy.Spec.TargetRef.Namespace = &otherNS
-		})
-		err := rlp.Validate()
-		if err == nil {
-			subT.Fatal(`rlp.Validate() did not return error and should`)
-		}
-		if !strings.Contains(err.Error(), "invalid targetRef.Namespace") {
-			subT.Fatalf(`rlp.Validate() did not return expected error. Instead: %v`, err)
-		}
-	})
-}
-
 func TestRateLimitPolicyListGetItems(t *testing.T) {
 	list := &RateLimitPolicyList{}
 	if len(list.GetItems()) != 0 {

diff --git a/api/v1beta2/zz_generated.deepcopy.go b/api/v1beta2/zz_generated.deepcopy.go
diff --git a/bundle/manifests/kuadrant-operator.clusterserviceversion.yaml b/bundle/manifests/kuadrant-operator.clusterserviceversion.yaml
@@ -106,7 +106,7 @@ metadata:
     capabilities: Basic Install
     categories: Integration & Delivery
     containerImage: quay.io/kuadrant/kuadrant-operator:latest
-    createdAt: "2024-07-10T15:04:27Z"
+    createdAt: "2024-07-24T10:00:34Z"
     operators.operatorframework.io/builder: operator-sdk-v1.32.0
     operators.operatorframework.io/project_layout: go.kubebuilder.io/v3
     repository: https://github.com/Kuadrant/kuadrant-operator