
ReferenceGrant support for backendRef(s) in other namespaces than the SecurityPolicy referencing them #5743

@Havnevej

Description:

What issue is being seen? Describe what should be happening instead of
the bug, for example: The expected value isn't returned, etc.
I am seeing: `JWT: backend ref to Backend <other_namespace>/keycloak-backend-envoygateway-internal not permitted by any ReferenceGrant.` even though I have a ReferenceGrant that should cover this, like:

apiVersion: gateway.networking.k8s.io/v1beta1
kind: ReferenceGrant
metadata:
  name: allow-security-policy-to-backend
  namespace: gateway-api  # namespace of the Gateway and the Backend for keycloak
spec:
  from:
  - group: gateway.envoyproxy.io
    kind: SecurityPolicy
    namespace: platform-test  # namespace of the HTTPRoute and the SecurityPolicy
  to:
  - group: gateway.envoyproxy.io
    kind: Backend

Repro steps:

Include sample requests, environment, etc. All data and inputs
required to reproduce the bug.
Reference grant that should allow security policies from "platform-test" namespace:

apiVersion: gateway.networking.k8s.io/v1beta1
kind: ReferenceGrant
metadata:
  name: allow-security-policy-to-backend
  namespace: gateway-api  # namespace of the Gateway and the Backend for keycloak
spec:
  from:
  - group: gateway.envoyproxy.io
    kind: SecurityPolicy
    namespace: platform-test  # namespace of the HTTPRoute and the SecurityPolicy
  to:
  - group: gateway.envoyproxy.io
    kind: Backend

Backend for the internal keycloak in the other namespace:

apiVersion: gateway.envoyproxy.io/v1alpha1
kind: Backend
metadata:
  namespace: gateway-api
  name: keycloak-backend-envoygateway-internal
spec:
  endpoints:
  - fqdn:
      hostname: <internal_keycloak>
      port: 443

SecurityPolicy (with the resulting status):

apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
metadata:
  name: test-jwt-payload-securitypolicy-manual
  namespace: platform-test
spec:
  jwt:
    providers:
    - name: jwt-auth-test-jwt-payload
      remoteJWKS:
        backendRefs:
        - group: gateway.envoyproxy.io
          kind: Backend
          name: keycloak-backend-envoygateway-internal
          namespace: gateway-api
          port: 443
        uri: <internal keycloak fqdn>
  targetRef:
    group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: test-jwt-payload-httproute-jwt
status:
  ancestors:
  - ancestorRef:
      group: gateway.networking.k8s.io
      kind: Gateway
      name: envoygateway-internal
      namespace: gateway-api
    conditions:
    - lastTransitionTime: "2025-04-14T13:22:03Z"
      message: 'JWT: backend ref to Backend gateway-api/keycloak-backend-envoygateway-internal
        not permitted by any ReferenceGrant.'
      observedGeneration: 1
      reason: Invalid
      status: "False"
      type: Accepted
    controllerName: gateway.envoyproxy.io/gatewayclass-controller

Environment:

Include the environment like gateway version, envoy version and so on.

Logs:

Include the access logs and the Envoy logs.
Nothing looks relevant for this.
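The rule the reporter expects is the Gateway API ReferenceGrant semantics: a cross-namespace reference is allowed only when a grant living in the *target* namespace lists the referencing resource's group, kind and namespace under `.spec.from` and the referenced group and kind (optionally name) under `.spec.to`. This is the control that stops a policy in one namespace from pulling in, say, a JWKS backend owned by another team without that team's consent. The following is an added example, not Envoy Gateway's own code; it models just those fields, reconstructs the grant from this issue as a Go value (`ReporterGrant` is an assumed helper name), and evaluates the SecurityPolicy-to-Backend reference described above.

```go
package main

import "fmt"

// Minimal model of the ReferenceGrant fields the cross-namespace check needs.
// (Added example; not Envoy Gateway's implementation.)
type ReferenceGrantFrom struct {
	Group, Kind, Namespace string
}

type ReferenceGrantTo struct {
	Group, Kind string
	Name        string // optional; empty means any resource of that kind
}

type ReferenceGrant struct {
	Name, Namespace string // the grant lives in the namespace of the referenced object
	From            []ReferenceGrantFrom
	To              []ReferenceGrantTo
}

// ObjectRef identifies either the referencing object (a SecurityPolicy here)
// or the referenced one (a Backend).
type ObjectRef struct {
	Group, Kind, Namespace, Name string
}

// ReferencePermitted applies the Gateway API rule: same-namespace references
// need no grant; otherwise some grant in the target namespace must match the
// source under .spec.from and the target under .spec.to.
func ReferencePermitted(grants []ReferenceGrant, from, to ObjectRef) bool {
	if from.Namespace == to.Namespace {
		return true
	}
	for _, g := range grants {
		if g.Namespace != to.Namespace {
			continue // a grant only authorises references into its own namespace
		}
		fromOK := false
		for _, f := range g.From {
			if f.Group == from.Group && f.Kind == from.Kind && f.Namespace == from.Namespace {
				fromOK = true
				break
			}
		}
		if !fromOK {
			continue
		}
		for _, t := range g.To {
			if t.Group == to.Group && t.Kind == to.Kind && (t.Name == "" || t.Name == to.Name) {
				return true
			}
		}
	}
	return false
}

// ReporterGrant reconstructs the ReferenceGrant posted in the issue (assumed helper name).
func ReporterGrant() ReferenceGrant {
	return ReferenceGrant{
		Name:      "allow-security-policy-to-backend",
		Namespace: "gateway-api",
		From: []ReferenceGrantFrom{{
			Group: "gateway.envoyproxy.io", Kind: "SecurityPolicy", Namespace: "platform-test",
		}},
		To: []ReferenceGrantTo{{Group: "gateway.envoyproxy.io", Kind: "Backend"}},
	}
}

func main() {
	policy := ObjectRef{Group: "gateway.envoyproxy.io", Kind: "SecurityPolicy",
		Namespace: "platform-test", Name: "test-jwt-payload-securitypolicy-manual"}
	backend := ObjectRef{Group: "gateway.envoyproxy.io", Kind: "Backend",
		Namespace: "gateway-api", Name: "keycloak-backend-envoygateway-internal"}
	fmt.Println("permitted:", ReferencePermitted([]ReferenceGrant{ReporterGrant()}, policy, backend))
}
```

Under these semantics the reference in the issue evaluates to permitted, which is what makes the `not permitted by any ReferenceGrant` condition in the status worth reporting; the same checker returns false for a SecurityPolicy in a namespace the grant does not list, or for a target kind the grant does not cover.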
