feat(crd): add WatchNamespaceGrant CRD

Author: pmalek

CHANGELOG.md

@@ -28,6 +28,8 @@ Adding a new version? You'll need three changes:
   [#401](https://github.com/Kong/kubernetes-configuration/pull/401)
 - Added `scale` subresource to `DataPlane` CRD.
   [#402](https://github.com/Kong/kubernetes-configuration/pull/402)
+- Added `WatchNamespaceGrant` CRD.
+  [#403](https://github.com/Kong/kubernetes-configuration/pull/403)
 
 ### Changes
 

api/gateway-operator/v1alpha1/watchnamespacegrant_types.go

@@ -0,0 +1,73 @@
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+func init() {
+	SchemeBuilder.Register(&WatchNamespaceGrant{}, &WatchNamespaceGrantList{})
+}
+
+// WatchNamespaceGrant is a grant that allows a trusted namespace to watch
+// resources in the namespace this grant exists in.
+//
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +kubebuilder:object:root=true
+// +apireference:kgo:include
+// +kong:channels=gateway-operator
+type WatchNamespaceGrant struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	// Spec is the desired state of the WatchNamespaceGrant.
+	Spec WatchNamespaceGrantSpec `json:"spec,omitempty"`
+
+	// Status is not specified for WatchNamespaceGrant but it may be added in the future.
+}
+
+// WatchNamespaceGrantSpec defines the desired state of an WatchNamespaceGrant.
+//
+// +apireference:kgo:include
+type WatchNamespaceGrantSpec struct {
+	// From describes the trusted namespaces and kinds that can reference the
+	// namespace this grant exists in.
+	//
+	// Support: Core
+	//
+	// +kubebuilder:validation:MinItems=1
+	// +kubebuilder:validation:MaxItems=16
+	From []WatchNamespaceGrantFrom `json:"from"`
+}
+
+// WatchNamespaceGrantFrom describes trusted namespaces.
+type WatchNamespaceGrantFrom struct {
+	// Group is the group of the referent.
+	//
+	// +kubebuilder:validation:Enum=gateway-operator.konghq.com
+	// +kubebuilder:validation:Required
+	Group string `json:"group"`
+
+	// Kind is the kind of the referent.
+	//
+	// +kubebuilder:validation:Enum=ControlPlane
+	// +kubebuilder:validation:Required
+	Kind string `json:"kind"`
+
+	// Namespace is the namespace of the referent.
+	//
+	// +kubebuilder:validation:Required
+	Namespace string `json:"namespace"`
+}
+
+// WatchNamespaceGrantList contains a list of WatchNamespaceGrants.
+//
+// +kubebuilder:object:root=true
+// +apireference:kgo:include
+type WatchNamespaceGrantList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+
+	// Items is the list of WatchNamespaceGrants.
+	Items []WatchNamespaceGrant `json:"items"`
+}

api/gateway-operator/v1alpha1/zz_generated.deepcopy.go

@@ -0,0 +1,80 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    kubernetes-configuration.konghq.com/channels: gateway-operator
+    kubernetes-configuration.konghq.com/version: v1.3.1
+  name: watchnamespacegrants.gateway-operator.konghq.com
+spec:
+  group: gateway-operator.konghq.com
+  names:
+    kind: WatchNamespaceGrant
+    listKind: WatchNamespaceGrantList
+    plural: watchnamespacegrants
+    singular: watchnamespacegrant
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: |-
+          WatchNamespaceGrant is a grant that allows a trusted namespace to watch
+          resources in the namespace this grant exists in.
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: Spec is the desired state of the WatchNamespaceGrant.
+            properties:
+              from:
+                description: |-
+                  From describes the trusted namespaces and kinds that can reference the
+                  namespace this grant exists in.
+
+                  Support: Core
+                items:
+                  description: WatchNamespaceGrantFrom describes trusted namespaces.
+                  properties:
+                    group:
+                      description: Group is the group of the referent.
+                      enum:
+                      - gateway-operator.konghq.com
+                      type: string
+                    kind:
+                      description: Kind is the kind of the referent.
+                      enum:
+                      - ControlPlane
+                      type: string
+                    namespace:
+                      description: Namespace is the namespace of the referent.
+                      type: string
+                  required:
+                  - group
+                  - kind
+                  - namespace
+                  type: object
+                maxItems: 16
+                minItems: 1
+                type: array
+            required:
+            - from
+            type: object
+        type: object
+    served: true
+    storage: true

config/crd/gateway-operator/gateway-operator.konghq.com_watchnamespacegrants.yaml

@@ -30,6 +30,7 @@ resources:
   - gateway-operator.konghq.com_gatewayconfigurations.yaml
   - gateway-operator.konghq.com_kongplugininstallations.yaml
   - gateway-operator.konghq.com_konnectextensions.yaml
+  - gateway-operator.konghq.com_watchnamespacegrants.yaml
   - konnect.konghq.com_konnectapiauthconfigurations.yaml
   - konnect.konghq.com_konnectcloudgatewaydataplanegroupconfigurations.yaml
   - konnect.konghq.com_konnectcloudgatewaynetworks.yaml

config/crd/gateway-operator/kustomization.yaml

@@ -2069,6 +2069,7 @@ Package v1alpha1 contains API Schema definitions for the operator v1alpha1 API g
 - [DataPlaneMetricsExtension](#dataplanemetricsextension)
 - [KongPluginInstallation](#kongplugininstallation)
 - [KonnectExtension](#konnectextension)
+- [WatchNamespaceGrant](#watchnamespacegrant)
 ### AIGateway
 
 
@@ -2173,6 +2174,23 @@ deployment spec gets customized to include the konnect-related configuration.
 
 
 
+### WatchNamespaceGrant
+
+
+WatchNamespaceGrant is a grant that allows a trusted namespace to watch
+resources in the namespace this grant exists in.
+
+<!-- watch_namespace_grant description placeholder -->
+
+| Field | Description |
+| --- | --- |
+| `apiVersion` _string_ | `gateway-operator.konghq.com/v1alpha1`
+| `kind` _string_ | `WatchNamespaceGrant`
+| `metadata` _[ObjectMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#objectmeta-v1-meta)_ | Refer to Kubernetes API documentation for fields of `metadata`. |
+| `spec` _[WatchNamespaceGrantSpec](#watchnamespacegrantspec)_ | Spec is the desired state of the WatchNamespaceGrant. |
+
+
+
 ### Types
 
 In this section you will find types that the CRDs rely on.
@@ -2537,6 +2555,38 @@ ServiceSelectorEntry holds the name of a service to match.
 _Appears in:_
 - [ServiceSelector](#serviceselector)
 
+#### WatchNamespaceGrantFrom
+
+
+WatchNamespaceGrantFrom describes trusted namespaces.
+
+
+
+| Field | Description |
+| --- | --- |
+| `group` _string_ | Group is the group of the referent. |
+| `kind` _string_ | Kind is the kind of the referent. |
+| `namespace` _string_ | Namespace is the namespace of the referent. |
+
+
+_Appears in:_
+- [WatchNamespaceGrantSpec](#watchnamespacegrantspec)
+
+#### WatchNamespaceGrantSpec
+
+
+WatchNamespaceGrantSpec defines the desired state of an WatchNamespaceGrant.
+
+
+
+| Field | Description |
+| --- | --- |
+| `from` _[WatchNamespaceGrantFrom](#watchnamespacegrantfrom) array_ | From describes the trusted namespaces and kinds that can reference the namespace this grant exists in.<br /><br /> Support: Core |
+
+
+_Appears in:_
+- [WatchNamespaceGrant](#watchnamespacegrant)
+
 
 ## gateway-operator.konghq.com/v1beta1