[Draft]feat: Add cross-namespace reference validation to generated code #699

Open
sapphirew wants to merge 1 commit into aws-controllers-k8s:main from sapphirew:cross-namespace-refs
@sapphirew
Contributor

Issue #, if available:

Description of changes:

Replace the legacy unconditional namespace-override block in ResolveReferencesForField with a call to the shared runtime helper ackrt.ValidateCrossNamespaceReference. This centralizes cross-namespace reference validation so that when --enable-cross-namespace is disabled, references targeting a different namespace are rejected with a terminal error.

The generated code captures three return values (namespace, isCrossNs, error) from the helper. The isCrossNs signal is suppressed in generated code since warning conditions are handled centrally by the reconciler.

Helm chart templates are updated to expose the --enable-cross-namespace flag (default: true for Phase 1 warning behavior) covering resource references, secret references, and field exports.

Changes:

  • resource_reference.go: emit ValidateCrossNamespaceReference call with EnableCrossNamespace field and three return values
  • resource_reference_test.go: update all expected output strings to match the new helper call shape
  • deployment.yaml.tpl: add --enable-cross-namespace flag to container args
  • values.yaml.tpl: add enableCrossNamespace: true with description
  • values.schema.json.tpl: add enableCrossNamespace schema entry

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
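
Added example, not code from this PR or from the ACK runtime: a simplified Go model of the behaviour the description above states, with the unconditional namespace override beside a checked form that returns (namespace, isCrossNs, error). The `ref` type, both function names, the `errTerminal` value, and the values returned alongside the error on rejection are assumptions; the real signature of `ackrt.ValidateCrossNamespaceReference` is not shown on this page.

```go
package main

import (
	"errors"
	"fmt"
)

// errTerminal is a hypothetical stand-in for a terminal (non-retryable) error.
var errTerminal = errors.New("terminal: cross-namespace reference not allowed")

// ref is a hypothetical, simplified resource reference.
type ref struct {
	Name      string
	Namespace *string // nil or "" means "same namespace as the owning resource"
}

// legacyNamespace models the unconditional override: whatever namespace the
// reference names is used, with no policy check.
func legacyNamespace(ownerNS string, r ref) string {
	if r.Namespace != nil && *r.Namespace != "" {
		return *r.Namespace
	}
	return ownerNS
}

// validateCrossNamespace models the checked form. A reference into another
// namespace is resolved only when enabled is true; otherwise it is rejected.
// Returning isCrossNs=true together with the error is an assumption.
func validateCrossNamespace(ownerNS string, r ref, enabled bool) (string, bool, error) {
	if r.Namespace == nil || *r.Namespace == "" || *r.Namespace == ownerNS {
		return ownerNS, false, nil
	}
	if !enabled {
		return "", true, fmt.Errorf("%w: %q in %q referenced from %q",
			errTerminal, r.Name, *r.Namespace, ownerNS)
	}
	return *r.Namespace, true, nil
}

func main() {
	other := "team-b" // constructed sample namespaces
	r := ref{Name: "shared-role", Namespace: &other}
	fmt.Println("legacy:", legacyNamespace("team-a", r))
	ns, cross, err := validateCrossNamespace("team-a", r, true)
	fmt.Println("enabled:", ns, cross, err)
	_, _, err = validateCrossNamespace("team-a", r, false)
	fmt.Println("disabled:", err)
}
```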

@ack-prow ack-prow Bot requested review from a-hilaly and knottnt May 8, 2026 22:39
@ack-prow

ack-prow Bot commented May 8, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: sapphirew
Once this PR has been reviewed and has the lgtm label, please assign knottnt for approval by writing /assign @knottnt in a comment. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@sapphirew sapphirew changed the title feat: Add cross-namespace reference validation to generated code [Draft]feat: Add cross-namespace reference validation to generated code May 8, 2026
Replace the legacy unconditional namespace-override block in
ResolveReferencesForField with a call to the shared runtime helper
ackrt.ValidateCrossNamespaceReference. This centralizes cross-namespace
reference validation so that when --enable-cross-namespace is disabled,
references targeting a different namespace are rejected with a terminal
error.

The generated code captures three return values (namespace, isCrossNs,
error) from the helper. The isCrossNs signal is suppressed in generated
code since warning conditions are handled centrally by the reconciler.

Helm chart templates are updated to expose the --enable-cross-namespace
flag (default: true for Phase 1 warning behavior) covering resource
references, secret references, and field exports.

Changes:
- resource_reference.go: emit ValidateCrossNamespaceReference call with
  EnableCrossNamespace field and three return values
- resource_reference_test.go: update all expected output strings to
  match the new helper call shape
- deployment.yaml.tpl: add --enable-cross-namespace flag to container args
- values.yaml.tpl: add enableCrossNamespace: true with description
- values.schema.json.tpl: add enableCrossNamespace schema entry
@sapphirew sapphirew force-pushed the cross-namespace-refs branch from 6f2fb42 to 0511503 Compare May 20, 2026 00:35
@ack-prow

ack-prow Bot commented May 20, 2026

@sapphirew: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
| --- | --- | --- | --- | --- |
| dynamodb-controller-test | 0511503 | link | true | /test dynamodb-controller-test |
| iam-controller-test | 0511503 | link | true | /test iam-controller-test |
| efs-controller-test | 0511503 | link | true | /test efs-controller-test |
| apigatewayv2-controller-test | 0511503 | link | true | /test apigatewayv2-controller-test |
| eventbridge-controller-test | 0511503 | link | true | /test eventbridge-controller-test |
| documentdb-controller-test | 0511503 | link | true | /test documentdb-controller-test |
| cloudfront-controller-test | 0511503 | link | true | /test cloudfront-controller-test |
| eks-controller-test | 0511503 | link | true | /test eks-controller-test |
| ecr-controller-test | 0511503 | link | true | /test ecr-controller-test |
| acm-controller-test | 0511503 | link | true | /test acm-controller-test |
| pipes-controller-test | 0511503 | link | true | /test pipes-controller-test |
| ec2-controller-test | 0511503 | link | true | /test ec2-controller-test |
| prometheusservice-controller-test | 0511503 | link | true | /test prometheusservice-controller-test |
| s3-controller-test | 0511503 | link | true | /test s3-controller-test |
| lambda-controller-test | 0511503 | link | true | /test lambda-controller-test |

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.
