Kong · shaneutt · Jul 14, 2022 · Jul 14, 2022 · Jul 14, 2022 · Jul 14, 2022
@@ -71,13 +71,19 @@
 
 #### Added
 
+- Updated Gateway API dependencies to [v0.5.0][gw-v0.5.0] and updated `examples`
+  directory to use `v1beta1` versions of APIs where applicable.
+  [#2691](https://github.com/Kong/kubernetes-ingress-controller/pull/2691)
 - Added support for Gateway Listener TLS configuration, to enable full use of
   TLSRoute and HTTPS HTTPRoutes.
   [#2580](https://github.com/Kong/kubernetes-ingress-controller/pull/2580)
 - Added information about service mesh deployment and distribution in telemetry data reported to Kong.
   [#2642](https://github.com/Kong/kubernetes-ingress-controller/pull/2642)
 
+[gw-v0.5.0]:https://github.com/kubernetes-sigs/gateway-api/releases/tag/v0.5.0
+
 #### Fixed
+
 - Fixed the problem that logs from reporter does not appear in the pod log.
   [#2645](https://github.com/Kong/kubernetes-ingress-controller/pull/2645)
 

@@ -339,35 +339,19 @@ run: install
 # Gateway API
 # ------------------------------------------------------------------------------
 
-GATEWAY_API_PACKAGE ?= sigs.k8s.io/gateway-api
-# TODO: Below hardcoded ref is a workaround for the fact that we're using an untagged version
-#       of sigs.k8s.io/gateway-api in go.mod - that occurred after v0.4.0 (which was tagged on master)
-#       but which contains a breaking change w.r.t to the file structure in said repo - and the
-#       fact that kustomize accepts only branch names, tags, or full commit hashes, i.e. short
-#       hashes or go pseudo versions are not supported [1].
-#       Please also note that kustomize fails silently when provided with an unsupported ref
-#       and downloads the manifests from the main branch.
-#
-#       [1]: https://github.com/kubernetes-sigs/kustomize/blob/master/examples/remoteBuild.md#remote-directories
-#
-#       This causes a problem where we cannot use go pseudo version from go.mod i.e.
-#       v0.4.1-0.20220306235253-71fee1c2808f and where we cannot update to a newer version
-#       sigs.k8s.io/gateway-api because v0.5.0 hasn't been released yet and v0.4.x versions
-#       do not contain the change in file structure that some of the code in this repo already
-#       relies on.
+# GATEWAY_API_VERSION will be processed by kustomize and therefore accepts
+# only branch names, tags, or full commit hashes, i.e. short hashes or go
+# pseudo versions are not supported [1].
+# Please also note that kustomize fails silently when provided with an
+# unsupported ref and downloads the manifests from the main branch.
 #
-#       In order to avoid unnecessary work we're just hardcoding the full SHA that
-#       corresponds to what's in go.mod - v0.4.1-0.20220306235253-71fee1c2808f - until
-#       v0.5.0 is released which we can then use in go.mod and scrape via go list ...
-# 
-#       Whenever the above happens the hardcoded SHA can be replaced with:
-#       $(shell go list -m -f "{{.Version}}" $(GATEWAY_API_PACKAGE))
-#
-#       Related issue: https://github.com/Kong/kubernetes-ingress-controller/issues/2595
-GATEWAY_API_VERSION ?= 71fee1c2808fa19a5f19d952d155fc072cf9324c
+# [1]: https://github.com/kubernetes-sigs/kustomize/blob/master/examples/remoteBuild.md#remote-directories
+GATEWAY_API_VERSION ?= v0.5.0
+GATEWAY_API_RELEASE_CHANNEL ?= experimental
+GATEWAY_API_PACKAGE ?= sigs.k8s.io/gateway-api
 GATEWAY_API_CRDS_LOCAL_PATH = $(shell go env GOPATH)/pkg/mod/$(GATEWAY_API_PACKAGE)@$(GATEWAY_API_VERSION)/config/crd
 GATEWAY_API_REPO ?= github.com/kubernetes-sigs/gateway-api
-GATEWAY_API_CRDS_URL = $(GATEWAY_API_REPO)/config/crd?ref=$(GATEWAY_API_VERSION)
+GATEWAY_API_CRDS_URL = $(GATEWAY_API_REPO)/config/crd/$(GATEWAY_API_RELEASE_CHANNEL)?ref=$(GATEWAY_API_VERSION)
 
 .PHONY: print-gateway-api-crds-url
 print-gateway-api-crds-url:

@@ -77,15 +77,15 @@ spec:
     app: nginx
   type: ClusterIP
 ---
+apiVersion: gateway.networking.k8s.io/v1beta1
 kind: GatewayClass
-apiVersion: gateway.networking.k8s.io/v1alpha2
 metadata:
   name: kong
 spec:
   controllerName: konghq.com/kic-gateway-controller
 ---
+apiVersion: gateway.networking.k8s.io/v1beta1
 kind: Gateway
-apiVersion: gateway.networking.k8s.io/v1alpha2
 metadata:
   name: kong
 spec:
@@ -95,7 +95,7 @@ spec:
     protocol: HTTP
     port: 80
 ---
-apiVersion: gateway.networking.k8s.io/v1alpha2
+apiVersion: gateway.networking.k8s.io/v1beta1
 kind: HTTPRoute
 metadata:
   name: httproute-testing

@@ -42,15 +42,15 @@ spec:
     app: tcpecho
   type: ClusterIP
 ---
+apiVersion: gateway.networking.k8s.io/v1beta1
 kind: GatewayClass
-apiVersion: gateway.networking.k8s.io/v1alpha2
 metadata:
   name: kong
 spec:
   controllerName: konghq.com/kic-gateway-controller
 ---
+apiVersion: gateway.networking.k8s.io/v1beta1
 kind: Gateway
-apiVersion: gateway.networking.k8s.io/v1alpha2
 metadata:
   name: kong
 spec:

@@ -51,15 +51,15 @@ data:
   tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JRzJBZ0VBTUJBR0J5cUdTTTQ5QWdFR0JTdUJCQUFpQklHZU1JR2JBZ0VCQkRERFJuZGdQWVphb25WdXFIaXUKNXV1WVdJK0ExNkJZTG9VQm5ZMC85Qkw5VTBzNDdHN0xDL2IwNXdFLzdVUEpFQktoWkFOaUFBUkI1eC9PekdZLwpBTFRxNDJ6ZVRLSXNOdnB1dWVBemhtMFplREJ3WVBmM2R4dGlacTZkOEU5RzNHcUh2cEVwMUwzRE9yaXI2Z0h4CjAreEFxQUUyR1VsT3Y2SVVmME9MdHNGa1Z4aXJINUtjMVJkblIwTTBGdGJpczlWTWtkQzkyaWM9Ci0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0K
 type: kubernetes.io/tls
 ---
+apiVersion: gateway.networking.k8s.io/v1beta1
 kind: GatewayClass
-apiVersion: gateway.networking.k8s.io/v1alpha2
 metadata:
   name: kong
 spec:
   controllerName: konghq.com/kic-gateway-controller
 ---
+apiVersion: gateway.networking.k8s.io/v1beta1
 kind: Gateway
-apiVersion: gateway.networking.k8s.io/v1alpha2
 metadata:
   name: kong
 spec:

@@ -82,15 +82,15 @@ spec:
     app: coredns
   type: ClusterIP
 ---
+apiVersion: gateway.networking.k8s.io/v1beta1
 kind: GatewayClass
-apiVersion: gateway.networking.k8s.io/v1alpha2
 metadata:
   name: kong
 spec:
   controllerName: konghq.com/kic-gateway-controller
 ---
+apiVersion: gateway.networking.k8s.io/v1beta1
 kind: Gateway
-apiVersion: gateway.networking.k8s.io/v1alpha2
 metadata:
   name: kong
 spec:

@@ -38,14 +38,20 @@ require (
 	knative.dev/networking v0.0.0-20220302134042-e8b2eb995165
 	knative.dev/pkg v0.0.0-20220301181942-2fdd5f232e77
 	sigs.k8s.io/controller-runtime v0.12.3
-	sigs.k8s.io/gateway-api v0.4.1-0.20220306235253-71fee1c2808f
+	sigs.k8s.io/gateway-api v0.5.0
 	sigs.k8s.io/kustomize/api v0.11.5
 	sigs.k8s.io/kustomize/kyaml v0.13.7
 	sigs.k8s.io/yaml v1.3.0
 )
 
 require (
 	cloud.google.com/go/compute v1.7.0 // indirect
+	github.com/Azure/go-autorest v14.2.0+incompatible // indirect
+	github.com/Azure/go-autorest/autorest v0.11.18 // indirect
+	github.com/Azure/go-autorest/autorest/adal v0.9.13 // indirect
+	github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect
+	github.com/Azure/go-autorest/logger v0.2.1 // indirect
+	github.com/Azure/go-autorest/tracing v0.6.0 // indirect
 	github.com/Masterminds/goutils v1.1.1 // indirect
 	github.com/Masterminds/semver v1.5.0 // indirect
 	github.com/Microsoft/go-winio v0.5.2 // indirect
@@ -63,6 +69,7 @@ require (
 	github.com/evanphx/json-patch v4.12.0+incompatible // indirect
 	github.com/evanphx/json-patch/v5 v5.6.0 // indirect
 	github.com/fatih/color v1.13.0 // indirect
+	github.com/form3tech-oss/jwt-go v3.2.3+incompatible // indirect
 	github.com/fsnotify/fsnotify v1.5.4 // indirect
 	github.com/go-errors/errors v1.0.1 // indirect
 	github.com/go-ole/go-ole v1.2.6 // indirect
@@ -128,6 +135,7 @@ require (
 	go.opencensus.io v0.23.0 // indirect
 	go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5 // indirect
 	golang.org/x/crypto v0.0.0-20220411220226-7b82a4e95df4 // indirect
+	golang.org/x/exp v0.0.0-20220407100705-7b9b53b0aca4 // indirect
 	golang.org/x/mod v0.6.0-dev.0.20220106191415-9b9b3d81d5e3 // indirect
 	golang.org/x/oauth2 v0.0.0-20220622183110-fd043fe589d2 // indirect
 	golang.org/x/sync v0.0.0-20220601150217-0de741cfad7f // indirect

@@ -68,12 +68,19 @@ dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7
 github.com/Azure/go-ansiterm v0.0.0-20210608223527-2377c96fe795/go.mod h1:LmzpDX56iTiv29bbRTIsUNlaFfuhWRQBWjQdVyAevI8=
 github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 h1:UQHMgLO+TxOElx5B5HZ4hJQsoJ/PvUvKRhJHDQXO8P8=
 github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
+github.com/Azure/go-autorest v14.2.0+incompatible h1:V5VMDjClD3GiElqLWO7mz2MxNAK/vTfRHdAubSIPRgs=
 github.com/Azure/go-autorest v14.2.0+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24=
+github.com/Azure/go-autorest/autorest v0.11.18 h1:90Y4srNYrwOtAgVo3ndrQkTYn6kf1Eg/AjTFJ8Is2aM=
 github.com/Azure/go-autorest/autorest v0.11.18/go.mod h1:dSiJPy22c3u0OtOKDNttNgqpNFY/GeWa7GH/Pz56QRA=
+github.com/Azure/go-autorest/autorest/adal v0.9.13 h1:Mp5hbtOePIzM8pJVRa3YLrWWmZtoxRXqUEzCfJt3+/Q=
 github.com/Azure/go-autorest/autorest/adal v0.9.13/go.mod h1:W/MM4U6nLxnIskrw4UwWzlHfGjwUS50aOsc/I3yuU8M=
+github.com/Azure/go-autorest/autorest/date v0.3.0 h1:7gUk1U5M/CQbp9WoqinNzJar+8KY+LPI6wiWrP/myHw=
 github.com/Azure/go-autorest/autorest/date v0.3.0/go.mod h1:BI0uouVdmngYNUzGWeSYnokU+TrmwEsOqdt8Y6sso74=
+github.com/Azure/go-autorest/autorest/mocks v0.4.1 h1:K0laFcLE6VLTOwNgSxaGbUcLPuGXlNkbVvq4cW4nIHk=
 github.com/Azure/go-autorest/autorest/mocks v0.4.1/go.mod h1:LTp+uSrOhSkaKrUy935gNZuuIPPVsHlr9DSOxSayd+k=
+github.com/Azure/go-autorest/logger v0.2.1 h1:IG7i4p/mDa2Ce4TRyAO8IHnVhAVF3RFU+ZtXWSmf4Tg=
 github.com/Azure/go-autorest/logger v0.2.1/go.mod h1:T9E3cAhj2VqvPOtCYAvby9aBXkZmbF5NWuPV8+WeEW8=
+github.com/Azure/go-autorest/tracing v0.6.0 h1:TYi4+3m5t6K48TGI9AUdb+IzbnSxvnvUMfuitfgcfuo=
 github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBpUA79WCAKPPZVC2DeU=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
@@ -217,6 +224,7 @@ github.com/fatih/color v1.13.0 h1:8LOYc1KYPPmyKMuN8QV2DNRWNbLo6LZ0iLs8+mlH53w=
 github.com/fatih/color v1.13.0/go.mod h1:kLAiJbzzSOZDVNGyDpeOxJ47H46qBXwg5ILebYFFOfk=
 github.com/felixge/httpsnoop v1.0.1/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
 github.com/form3tech-oss/jwt-go v3.2.2+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k=
+github.com/form3tech-oss/jwt-go v3.2.3+incompatible h1:7ZaBxOI7TMoYBfyA3cQHErNNyAWIKUMIwqxEtgHOs5c=
 github.com/form3tech-oss/jwt-go v3.2.3+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k=
 github.com/fortytw2/leaktest v1.3.0/go.mod h1:jDsjWgpAGjm2CA7WthBh/CdZYEPF31XHquHwclZch5g=
 github.com/frankban/quicktest v1.11.3/go.mod h1:wRf/ReqHper53s+kmmSZizM8NamnL3IM0I9ntUbOk+k=
@@ -835,6 +843,8 @@ golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u0
 golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
 golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM=
 golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU=
+golang.org/x/exp v0.0.0-20220407100705-7b9b53b0aca4 h1:K3x+yU+fbot38x5bQbU2QqUAVyYLEktdNH2GxZLnM3U=
+golang.org/x/exp v0.0.0-20220407100705-7b9b53b0aca4/go.mod h1:lgLbSvA5ygNOMpwM/9anMpWVlVJ7Z+cHWq/eFuinpGE=
 golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
 golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
@@ -1455,8 +1465,8 @@ sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.22/go.mod h1:LEScyz
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.30/go.mod h1:fEO7lRTdivWO2qYVCVG7dEADOMo/MLDCVr8So2g88Uw=
 sigs.k8s.io/controller-runtime v0.12.3 h1:FCM8xeY/FI8hoAfh/V4XbbYMY20gElh9yh+A98usMio=
 sigs.k8s.io/controller-runtime v0.12.3/go.mod h1:qKsk4WE6zW2Hfj0G4v10EnNB2jMG1C+NTb8h+DwCoU0=
-sigs.k8s.io/gateway-api v0.4.1-0.20220306235253-71fee1c2808f h1:5OAEIvquOkiENoXzSskD2jNBWI15dWHjNIIqn0VF/dY=
-sigs.k8s.io/gateway-api v0.4.1-0.20220306235253-71fee1c2808f/go.mod h1:Gj2je/oOS/22fEU/U4xJ/nRH0wuQ3/kcfJUmLqtqXV4=
+sigs.k8s.io/gateway-api v0.5.0 h1:ze+k9fJqvmL8s1t3e4q1ST8RnN+f09dEv+gfacahlAE=
+sigs.k8s.io/gateway-api v0.5.0/go.mod h1:x0AP6gugkFV8fC/oTlnOMU0pnmuzIR8LfIPRVUjxSqA=
 sigs.k8s.io/json v0.0.0-20211208200746-9f7c6b3444d2 h1:kDi4JBNAsJWfz1aEXhO8Jg87JJaPNLh5tIzYHgStQ9Y=
 sigs.k8s.io/json v0.0.0-20211208200746-9f7c6b3444d2/go.mod h1:B+TnT182UBxE84DiCz4CVE26eOSDAeYCpfDnC2kdKMY=
 sigs.k8s.io/kustomize/api v0.11.5 h1:vLDp++YAX7iy2y2CVPJNy9pk9CY8XaUKgHkjbVtnWag=

@@ -376,7 +376,7 @@ func (r *HTTPRouteReconciler) ensureGatewayReferenceStatusAdded(ctx context.Cont
 			},
 			ControllerName: ControllerName,
 			Conditions: []metav1.Condition{{
-				Type:               string(gatewayv1alpha2.ConditionRouteAccepted),
+				Type:               string(gatewayv1alpha2.RouteConditionAccepted),
 				Status:             metav1.ConditionTrue,
 				ObservedGeneration: httproute.Generation,
 				LastTransitionTime: metav1.Now(),

@@ -376,7 +376,7 @@ func (r *TCPRouteReconciler) ensureGatewayReferenceStatusAdded(ctx context.Conte
 			},
 			ControllerName: ControllerName,
 			Conditions: []metav1.Condition{{
-				Type:               string(gatewayv1alpha2.ConditionRouteAccepted),
+				Type:               string(gatewayv1alpha2.RouteConditionAccepted),
 				Status:             metav1.ConditionTrue,
 				ObservedGeneration: tcproute.Generation,
 				LastTransitionTime: metav1.Now(),

@@ -376,7 +376,7 @@ func (r *TLSRouteReconciler) ensureGatewayReferenceStatusAdded(ctx context.Conte
 			},
 			ControllerName: ControllerName,
 			Conditions: []metav1.Condition{{
-				Type:               string(gatewayv1alpha2.ConditionRouteAccepted),
+				Type:               string(gatewayv1alpha2.RouteConditionAccepted),
 				Status:             metav1.ConditionTrue,
 				ObservedGeneration: tlsroute.Generation,
 				LastTransitionTime: metav1.Now(),

@@ -376,7 +376,7 @@ func (r *UDPRouteReconciler) ensureGatewayReferenceStatusAdded(ctx context.Conte
 			},
 			ControllerName: ControllerName,
 			Conditions: []metav1.Condition{{
-				Type:               string(gatewayv1alpha2.ConditionRouteAccepted),
+				Type:               string(gatewayv1alpha2.RouteConditionAccepted),
 				Status:             metav1.ConditionTrue,
 				ObservedGeneration: udproute.Generation,
 				LastTransitionTime: metav1.Now(),

@@ -462,7 +462,7 @@ func getGatewayCerts(log logrus.FieldLogger, s store.Storer) []certWrapper {
 						namespace = string(*ref.Namespace)
 					}
 					if namespace != gateway.Namespace {
-						allowed := getPermittedForReferencePolicyFrom(gatewayv1alpha2.ReferencePolicyFrom{
+						allowed := getPermittedForReferenceGrantFrom(gatewayv1alpha2.ReferenceGrantFrom{
 							Group:     gatewayv1alpha2.Group(gateway.GetObjectKind().GroupVersionKind().Group),
 							Kind:      gatewayv1alpha2.Kind(gateway.GetObjectKind().GroupVersionKind().Kind),
 							Namespace: gatewayv1alpha2.Namespace(gateway.GetNamespace()),

@@ -103,12 +103,6 @@ func generateKongRoutesFromTCPRouteRule(
 	objectInfo := util.FromK8sObject(tcproute)
 
 	var routes []kongstate.Route
-	if len(rule.Matches) > 0 {
-		// As of 2022-03-04, matches are supported only in experimental CRDs. if you apply a TCPRoute with matches against
-		// the stable CRDs, the matches disappear into the ether (only if doing it via client-go, kubectl rejects them)
-		// We do not intend to implement these until they are stable per https://github.com/Kong/kubernetes-ingress-controller/issues/2087#issuecomment-1079053290
-		return routes, fmt.Errorf("TCPRoute Matches are not yet supported")
-	}
 
 	if len(rule.BackendRefs) == 0 {
 		return routes, fmt.Errorf("TCPRoute rules must include at least one backendRef")

@@ -101,12 +101,6 @@ func generateKongRoutesFromUDPRouteRule(udproute *gatewayv1alpha2.UDPRoute, rule
 	objectInfo := util.FromK8sObject(udproute)
 
 	var routes []kongstate.Route
-	if len(rule.Matches) > 0 {
-		// As of 2022-03-04, matches are supported only in experimental CRDs. if you apply a UDPRoute with matches against
-		// the stable CRDs, the matches disappear into the ether (only if doing it via client-go, kubectl rejects them)
-		// We do not intend to implement these until they are stable per https://github.com/Kong/kubernetes-ingress-controller/issues/2087#issuecomment-1079053290
-		return routes, fmt.Errorf("UDPRoute Matches are not yet supported")
-	}
 
 	if len(rule.BackendRefs) == 0 {
 		return routes, fmt.Errorf("UDPRoute rules must include at least one backendRef")

@@ -51,15 +51,15 @@ func convertGatewayMatchHeadersToKongRouteMatchHeaders(headers []gatewayv1alpha2
 	return convertedHeaders, nil
 }
 
-// isRefAllowedByPolicy checks if backendRef is permitted by the provided namespace-indexed ReferencePolicyTo set,
+// isRefAllowedByPolicy checks if backendRef is permitted by the provided namespace-indexed ReferenceGrantTo set,
 // allowed. allowed is assumed to contain Tos that only match the backendRef's parent's From, as returned by
-// getPermittedForReferencePolicyFrom.
+// getPermittedForReferenceGrantFrom.
 func isRefAllowedByPolicy(
 	namespace *gatewayv1alpha2.Namespace,
 	name gatewayv1alpha2.ObjectName,
 	group *gatewayv1alpha2.Group,
 	kind *gatewayv1alpha2.Kind,
-	allowed map[gatewayv1alpha2.Namespace][]gatewayv1alpha2.ReferencePolicyTo,
+	allowed map[gatewayv1alpha2.Namespace][]gatewayv1alpha2.ReferenceGrantTo,
 ) bool {
 	if namespace == nil {
 		// local references are always fine
@@ -81,13 +81,13 @@ func isRefAllowedByPolicy(
 	return false
 }
 
-// getPermittedForReferencePolicyFrom takes a ReferencePolicy From (a namespace, group, and kind) and returns a map
-// from a namespace to a slice of ReferencePolicy Tos. When a To is included in the slice, the key namespace has a
+// getPermittedForReferenceGrantFrom takes a ReferenceGrant From (a namespace, group, and kind) and returns a map
+// from a namespace to a slice of ReferenceGrant Tos. When a To is included in the slice, the key namespace has a
 // ReferencePolicy with those Tos and the input From.
-func getPermittedForReferencePolicyFrom(from gatewayv1alpha2.ReferencePolicyFrom,
+func getPermittedForReferenceGrantFrom(from gatewayv1alpha2.ReferenceGrantFrom,
 	policies []*gatewayv1alpha2.ReferencePolicy,
-) map[gatewayv1alpha2.Namespace][]gatewayv1alpha2.ReferencePolicyTo {
-	allowed := make(map[gatewayv1alpha2.Namespace][]gatewayv1alpha2.ReferencePolicyTo)
+) map[gatewayv1alpha2.Namespace][]gatewayv1alpha2.ReferenceGrantTo {
+	allowed := make(map[gatewayv1alpha2.Namespace][]gatewayv1alpha2.ReferenceGrantTo)
 	// loop over all From values in all policies. if we find a match, add all Tos to the list of Tos allowed for the
 	// policy namespace. this technically could add duplicate copies of the Tos if there are duplicate Froms (it makes
 	// no sense to add them, but it's allowed), but duplicate Tos are harmless (we only care about having at least one
@@ -124,7 +124,7 @@ func (p *Parser) generateKongServiceFromBackendRef(
 	if err != nil {
 		return kongstate.Service{}, fmt.Errorf("could not retrieve ReferencePolicies for %s: %w", objName, err)
 	}
-	allowed := getPermittedForReferencePolicyFrom(gatewayv1alpha2.ReferencePolicyFrom{
+	allowed := getPermittedForReferenceGrantFrom(gatewayv1alpha2.ReferenceGrantFrom{
 		Group:     gatewayv1alpha2.Group(route.GetObjectKind().GroupVersionKind().Group),
 		Kind:      gatewayv1alpha2.Kind(route.GetObjectKind().GroupVersionKind().Kind),
 		Namespace: gatewayv1alpha2.Namespace(route.GetNamespace()),