ReferenceGrant deletion doesn't cause losing the grant for the reference

[mlavacca]

Is there an existing issue for this?

• I have searched the existing issues

Current Behavior

If a resource has the cross-namespace reference granted by a specific ReferenceGrant, deleting that ReferenceGrant does not cause losing such a grant.

Expected Behavior

When a resource has a cross-namespace reference granted by a ReferenceGrant, deleting such a grant should cause that reference failing and the following should be happening:

• the resource status should be updated to reflect the current status
• the kong rules should be updated accordingly

Steps To Reproduce

1. create an HTTPRoute that references a service in another namespace
2. grant that reference through a `ReferenceGrant`
3. delete the `ReferenceGrant`
4. the cross-namespace reference is still valid even after the `ReferenceGrant` deletion

Kong Ingress Controller version

2.7

Kubernetes version

No response

Anything else?

No response

[pmalek]

I've looked at this and it seems to work just fine.

I've added an exemplar manifest in #3758 which shows how one can use the ReferenceGrant. After removing the ReferenceGrant from that manifest the Gateway returns: {"message":"no existing backendRef provided"} with a status code of 500. Not sure if that's intended. It seems to be:

kubernetes-ingress-controller/internal/dataplane/parser/translate_utils.go

Lines 121 to 136 in f628552

	// In the context of the gateway API conformance tests, if there is no service for the backend,
	// the response must have a status code of 500. Since The default behavior of Kong is returning 503
	// if there is no backend for a service, we inject a plugin that terminates all requests with 500
	// as status code
	if len(service.Backends) == 0 && len(backendRefs) != 0 {
	if service.Plugins == nil {
	service.Plugins = make([]kong.Plugin, 0)
	}
	service.Plugins = append(service.Plugins, kong.Plugin{
	Name: kong.String("request-termination"),
	Config: kong.Configuration{
	"status_code": 500,
	"message": "no existing backendRef provided",
	},
	})
	}

Having said that: do we consider this closed?

I can observe that route in question still has all the conditions set as if it was able to route to the requested backendRef.

@mlavacca are you aware of any particular requirements for route's status when it cannot route traffic to the designated backendRef or are we good to close this?

[pmalek]

Ok I seem I got it: in order to get the type: ResolvedRefs condition with reason: RefNotPermitted to status: "False" we need to enqueue the routes when reference grants change. This will be done in #3759.

[pmalek]

#3759 already landed in v2.9