From 429ef35ee0245ae1a9082fe4fcf1960fb46ec4bb Mon Sep 17 00:00:00 2001
From: Norwin Schnyder
Date: Fri, 13 Dec 2024 08:17:43 +0000
Subject: [PATCH] Add godoc for targetRef CEL validation in BackendTLSPolicy

Signed-off-by: Norwin Schnyder
---
 apis/v1alpha3/backendtlspolicy_types.go | 9 +++++++++
 .../gateway.networking.k8s.io_backendtlspolicies.yaml | 9 +++++++++
 pkg/generated/openapi/zz_generated.openapi.go | 2 +-
 3 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/apis/v1alpha3/backendtlspolicy_types.go b/apis/v1alpha3/backendtlspolicy_types.go
index 1250c41453..77566a33e6 100644
--- a/apis/v1alpha3/backendtlspolicy_types.go
+++ b/apis/v1alpha3/backendtlspolicy_types.go
@@ -65,6 +65,15 @@ type BackendTLSPolicySpec struct {
 // by default, but this default may change in the future to provide
 // a more granular application of the policy.
 //
+ // TargetRefs must be _distinct_. This means either that:
+ //
+ // * They select different objects. If this is the case, then targetRef
+ // entries are distinct. In terms of fields, this means that the
+ // multi-part key defined by `group`, `kind`, and `name` must
+ // be unique across all targetRef entries in the BackendTLSPolicy.
+ // * They do not select different objects, each TargetRef that selects
+ // the same object must set the sectionName to a different value.
+ //
 // Support: Extended for Kubernetes Service
 //
 // Support: Implementation-specific for any other resource
diff --git a/config/crd/experimental/gateway.networking.k8s.io_backendtlspolicies.yaml b/config/crd/experimental/gateway.networking.k8s.io_backendtlspolicies.yaml
index 21882624c0..b7834a6fb4 100644
--- a/config/crd/experimental/gateway.networking.k8s.io_backendtlspolicies.yaml
+++ b/config/crd/experimental/gateway.networking.k8s.io_backendtlspolicies.yaml
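Review bot: The second bullet of the godoc added to `TargetRefs` in `backendtlspolicy_types.go` has lost its condition and reads as a run-on ("They do not select different objects, each TargetRef …"); wording such as `// * They select the same object. In that case, each targetRef entry that` followed by `//   selects that object must set sectionName to a different value.` would state the rule the way the first bullet does. The comment also leaves open whether an entry that omits `sectionName` counts as distinct from one that sets it for the same object. The CEL rule being documented is not visible in this hunk, so the godoc should say which way that goes; presumably overlapping entries affect which TLS settings end up applied to a backend. The same text is copied into the CRD YAML and the generated OpenAPI description, so it should be corrected here and regenerated rather than edited in those files. The `BackendTLSPolicySpec` struct starts and ends outside the hunk.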
@@ -85,6 +85,15 @@ spec: by default, but this default may change in the future to provide a more granular application of the policy. + TargetRefs must be _distinct_. This means either that: + + * They select different objects. If this is the case, then targetRef + entries are distinct. In terms of fields, this means that the + multi-part key defined by `group`, `kind`, and `name` must + be unique across all targetRef entries in the BackendTLSPolicy. + * They do not select different objects, each TargetRef that selects + the same object must set the sectionName to a different value. + Support: Extended for Kubernetes Service Support: Implementation-specific for any other resource diff --git a/pkg/generated/openapi/zz_generated.openapi.go b/pkg/generated/openapi/zz_generated.openapi.go index 06ffb0389a..9300a831f8 100644 --- a/pkg/generated/openapi/zz_generated.openapi.go +++ b/pkg/generated/openapi/zz_generated.openapi.go 
@@ -6964,7 +6964,7 @@ func schema_sigsk8sio_gateway_api_apis_v1alpha3_BackendTLSPolicySpec(ref common. Properties: map[string]spec.Schema{ "targetRefs": { SchemaProps: spec.SchemaProps{ - Description: "TargetRefs identifies an API object to apply the policy to. Only Services have Extended support. Implementations MAY support additional objects, with Implementation Specific support. Note that this config applies to the entire referenced resource by default, but this default may change in the future to provide a more granular application of the policy.\n\nSupport: Extended for Kubernetes Service\n\nSupport: Implementation-specific for any other resource", + Description: "TargetRefs identifies an API object to apply the policy to. Only Services have Extended support. Implementations MAY support additional objects, with Implementation Specific support. Note that this config applies to the entire referenced resource by default, but this default may change in the future to provide a more granular application of the policy.\n\nTargetRefs must be _distinct_. This means either that:\n\n* They select different objects. If this is the case, then targetRef\n entries are distinct. In terms of fields, this means that the\n multi-part key defined by `group`, `kind`, and `name` must\n be unique across all targetRef entries in the BackendTLSPolicy.\n* They do not select different objects, each TargetRef that selects\n the same object must set the sectionName to a different value.\n\nSupport: Extended for Kubernetes Service\n\nSupport: Implementation-specific for any other resource", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{