in pkg/ingress/kube/gateway/istio/conversion.go [91:150]
// convertReferencePolicies flattens the ReferenceGrant resources in r into an
// AllowedReferences lookup: source reference (kind + namespace) -> target
// reference (kind + namespace) -> the names that source may reference.
//
// The target namespace is always the namespace of the ReferenceGrant object
// itself and is never read from the grant's contents, so a grant can only open
// up resources in the namespace where it was created. The source namespace
// comes from the grant's From entry.
//
// From and To entries whose group/kind this controller does not handle are
// skipped without error, since they may be intended for another controller.
func convertReferencePolicies(r GatewayResources) AllowedReferences {
	allowed := map[Reference]map[Reference]*Grants{}

	for _, cfg := range r.ReferenceGrant {
		// NOTE(review): unchecked type assertion; this panics if Spec ever holds
		// a different type. Presumably the store guarantees the type. Confirm.
		spec := cfg.Spec.(*k8s.ReferenceGrantSpec)

		for _, from := range spec.From {
			source := Reference{Namespace: from.Namespace}
			group, kind := string(from.Group), string(from.Kind)

			// Only these four source kinds are recognised; group and kind must
			// both match.
			switch {
			case group == gvk.KubernetesGateway.Group && kind == gvk.KubernetesGateway.Kind:
				source.Kind = gvk.KubernetesGateway
			case group == gvk.HTTPRoute.Group && kind == gvk.HTTPRoute.Kind:
				source.Kind = gvk.HTTPRoute
			case group == gvk.TLSRoute.Group && kind == gvk.TLSRoute.Kind:
				source.Kind = gvk.TLSRoute
			case group == gvk.TCPRoute.Group && kind == gvk.TCPRoute.Kind:
				source.Kind = gvk.TCPRoute
			default:
				// Unsupported source type. Not an error; may be for another controller.
				continue
			}

			for _, to := range spec.To {
				// Targets are limited to Secret and Service, both matched with
				// an empty group.
				if to.Group != "" {
					// Unsupported target type. Not an error; may be for another controller.
					continue
				}

				// Scope the target to the grant's own namespace.
				target := Reference{Namespace: k8s.Namespace(cfg.Namespace)}
				switch string(to.Kind) {
				case gvk.Secret.Kind:
					target.Kind = gvk.Secret
				case gvk.Service.Kind:
					target.Kind = gvk.Service
				default:
					// Unsupported target type. Not an error; may be for another controller.
					continue
				}

				// The per-source map is created lazily, so a source only appears
				// in the result once it has at least one supported target.
				byTarget, found := allowed[source]
				if !found {
					byTarget = map[Reference]*Grants{}
					allowed[source] = byTarget
				}
				grant, found := byTarget[target]
				if !found {
					grant = &Grants{AllowedNames: sets.New[string]()}
					byTarget[target] = grant
				}

				// A To entry without a name grants access to every object of that
				// kind in the namespace. Once set, AllowAll is never cleared by
				// later, narrower entries.
				if to.Name == nil {
					grant.AllowAll = true
				} else {
					grant.AllowedNames.Insert(string(*to.Name))
				}
			}
		}
	}

	return allowed
}