hashicorp · nathancoleman · May 27, 2022 · Apr 20, 2022 · Apr 20, 2022 · Apr 20, 2022
diff --git a/.changelog/154.txt b/.changelog/154.txt
@@ -0,0 +1,3 @@
+```release-note:breaking-change
+Added support for cross namespace Gateway certificateRefs with [ReferencePolicy](https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io%2fv1alpha2.ReferencePolicy)
+```
diff --git a/internal/k8s/reconciler/config/errors.yaml b/internal/k8s/reconciler/config/errors.yaml
@@ -1,4 +1,4 @@
 - name: CertificateResolution
-  types: ["NotFound","Unsupported"]
+  types: ["NotFound","NotPermitted","Unsupported"]
 - name: Bind
   types: ["RouteKind","ListenerNamespacePolicy","HostnameMismatch","RouteInvalid"]
diff --git a/internal/k8s/reconciler/listener.go b/internal/k8s/reconciler/listener.go
@@ -11,12 +11,13 @@ import (
 	"k8s.io/apimachinery/pkg/types"
 	gw "sigs.k8s.io/gateway-api/apis/v1alpha2"
 
+	"github.com/hashicorp/go-hclog"
+
 	"github.com/hashicorp/consul-api-gateway/internal/common"
 	"github.com/hashicorp/consul-api-gateway/internal/core"
 	"github.com/hashicorp/consul-api-gateway/internal/k8s/gatewayclient"
 	"github.com/hashicorp/consul-api-gateway/internal/k8s/utils"
 	"github.com/hashicorp/consul-api-gateway/internal/store"
-	"github.com/hashicorp/go-hclog"
 )
 
 var (
@@ -120,13 +121,27 @@ func (l *K8sListener) validateTLS(ctx context.Context) error {
 
 	// we only support a single certificate for now
 	ref := *l.listener.TLS.CertificateRefs[0]
+
+	// require ReferencePolicy for cross-namespace certificateRef
+	allowed, err := gatewayAllowedForSecretRef(ctx, l.gateway, ref, l.client)
+	if err != nil {
+		return err
+	} else if !allowed {
+		nsName := getNamespacedName(ref.Name, ref.Namespace, l.gateway.Namespace)
+		l.logger.Warn("Cross-namespace listener certificate not allowed without matching ReferencePolicy", "refName", nsName.Name, "refNamespace", nsName.Namespace)
+		l.status.ResolvedRefs.InvalidCertificateRef = NewCertificateResolutionErrorNotPermitted(
+			fmt.Sprintf("Cross-namespace listener certificate not allowed without matching ReferencePolicy for Secret %q", nsName))
+		return nil
+	}
+
 	resource, err := l.resolveCertificateReference(ctx, ref)
 	if err != nil {
 		var certificateErr CertificateResolutionError
 		if !errors.As(err, &certificateErr) {
 			return err
 		}
 		l.status.ResolvedRefs.InvalidCertificateRef = certificateErr
+		return nil
 	} else {
 		l.tls.Certificates = []string{resource}
 	}