From b7c2d4a5fa0535e33bf3e090877b7e657fbac57d Mon Sep 17 00:00:00 2001 From: enxebre Date: Tue, 12 May 2026 13:57:49 +0200 Subject: [PATCH 1/4] fix(api): fix Azure private/topology CEL validation rules MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The existing CEL rule on AzurePlatformSpec allowed setting the private field even when topology was not set, because `!has(self.topology)` short-circuited to true. Fix the rule to correctly forbid private when topology is absent or Public. Also add a CEL rule on AzurePrivateSpec to require the privateLink struct when type is PrivateLink — previously only the negative constraint (forbid privateLink when type is not PrivateLink) existed. Co-Authored-By: Claude Opus 4.6 (1M context) --- api/hypershift/v1beta1/azure.go | 3 +- ...stable.hostedclusters.azure.testsuite.yaml | 144 +++++++++++++++++- 2 files changed, 145 insertions(+), 2 deletions(-) diff --git a/api/hypershift/v1beta1/azure.go b/api/hypershift/v1beta1/azure.go index 309b58e5a4e..dde02010726 100644 --- a/api/hypershift/v1beta1/azure.go +++ b/api/hypershift/v1beta1/azure.go @@ -362,7 +362,7 @@ type AzureNodePoolOSDisk struct { // +kubebuilder:validation:XValidation:rule="has(self.private) == has(oldSelf.private)",message="private cannot be added or removed after cluster creation" // +kubebuilder:validation:XValidation:rule="!has(oldSelf.topology) || has(self.topology)",message="topology cannot be removed once set" // +kubebuilder:validation:XValidation:rule="!has(self.topology) || !has(oldSelf.topology) || (self.topology == 'Public') == (oldSelf.topology == 'Public')",message="transitions between Public and non-Public topology are not supported" -// +kubebuilder:validation:XValidation:rule="!has(self.topology) || ((self.topology == 'Private' || self.topology == 'PublicAndPrivate') ? has(self.private) : !has(self.private))",message="private is required when topology is Private or PublicAndPrivate, and forbidden otherwise" +// +kubebuilder:validation:XValidation:rule="has(self.topology) && (self.topology == 'Private' || self.topology == 'PublicAndPrivate') ? has(self.private) : !has(self.private)",message="private is required when topology is Private or PublicAndPrivate, and forbidden otherwise" // +kubebuilder:validation:XValidation:rule="!has(self.private) || self.private.type != 'PrivateLink' || self.azureAuthenticationConfig.azureAuthenticationConfigType != 'WorkloadIdentities' || has(self.azureAuthenticationConfig.workloadIdentities.controlPlaneOperator)",message="workloadIdentities.controlPlaneOperator is required when Private Link is configured with WorkloadIdentities authentication" type AzurePlatformSpec struct { // cloud is the cloud environment identifier, valid values could be found here: https://github.com/Azure/go-autorest/blob/4c0e21ca2bbb3251fe7853e6f9df6397f53dd419/autorest/azure/environments.go#L33 @@ -669,6 +669,7 @@ const ( // be added in the future. // // +kubebuilder:validation:XValidation:rule="self.type != 'PrivateLink' ? !has(self.privateLink) : true",message="privateLink is forbidden when type is not PrivateLink" +// +kubebuilder:validation:XValidation:rule="self.type != 'PrivateLink' || has(self.privateLink)",message="privateLink is required when type is PrivateLink" // +union type AzurePrivateSpec struct { // type specifies the private connectivity mechanism used for the hosted cluster's API server. diff --git a/cmd/install/assets/crds/hypershift-operator/tests/hostedclusters.hypershift.openshift.io/stable.hostedclusters.azure.testsuite.yaml b/cmd/install/assets/crds/hypershift-operator/tests/hostedclusters.hypershift.openshift.io/stable.hostedclusters.azure.testsuite.yaml index ed9896396e9..fcc57b19a30 100644 --- a/cmd/install/assets/crds/hypershift-operator/tests/hostedclusters.hypershift.openshift.io/stable.hostedclusters.azure.testsuite.yaml +++ b/cmd/install/assets/crds/hypershift-operator/tests/hostedclusters.hypershift.openshift.io/stable.hostedclusters.azure.testsuite.yaml @@ -548,7 +548,7 @@ tests: route: {} # --- Azure PrivateLink CEL validation --- - - name: When Azure PrivateLink type is set without privateLink config it should pass + - name: When Azure PrivateLink type is set without privateLink config it should fail initial: | apiVersion: hypershift.openshift.io/v1beta1 kind: HostedCluster @@ -613,6 +613,7 @@ tests: servicePublishingStrategy: type: Route route: {} + expectedError: "privateLink is required when type is PrivateLink" - name: When Azure PrivateLink type is set with privateLink config it should pass initial: | @@ -703,6 +704,8 @@ tests: topology: Private private: type: PrivateLink + privateLink: + natSubnetID: "/subscriptions/12345678-1234-5678-9012-123456789012/resourceGroups/test-rg/providers/Microsoft.Network/virtualNetworks/test-vnet/subnets/nat-subnet" azureAuthenticationConfig: azureAuthenticationConfigType: WorkloadIdentities workloadIdentities: @@ -769,6 +772,8 @@ tests: topology: Private private: type: PrivateLink + privateLink: + natSubnetID: "/subscriptions/12345678-1234-5678-9012-123456789012/resourceGroups/test-rg/providers/Microsoft.Network/virtualNetworks/test-vnet/subnets/nat-subnet" azureAuthenticationConfig: azureAuthenticationConfigType: WorkloadIdentities workloadIdentities: @@ -813,3 +818,140 @@ tests: type: Route route: {} expectedError: "workloadIdentities.controlPlaneOperator is required when Private Link is configured with WorkloadIdentities authentication" + + - name: When Azure private is set without topology it should fail + initial: | + apiVersion: hypershift.openshift.io/v1beta1 + kind: HostedCluster + spec: + dns: + baseDomain: example.com + platform: + type: Azure + azure: + location: eastus + resourceGroupName: test-rg + vnetID: "/subscriptions/12345678-1234-5678-9012-123456789012/resourceGroups/test-rg/providers/Microsoft.Network/virtualNetworks/test-vnet" + subnetID: "/subscriptions/12345678-1234-5678-9012-123456789012/resourceGroups/test-rg/providers/Microsoft.Network/virtualNetworks/test-vnet/subnets/test-subnet" + subscriptionID: "12345678-1234-5678-9012-123456789012" + securityGroupID: "/subscriptions/12345678-1234-5678-9012-123456789012/resourceGroups/test-rg/providers/Microsoft.Network/networkSecurityGroups/test-nsg" + tenantID: "87654321-4321-8765-2109-876543210987" + private: + type: PrivateLink + privateLink: + natSubnetID: "/subscriptions/12345678-1234-5678-9012-123456789012/resourceGroups/test-rg/providers/Microsoft.Network/virtualNetworks/test-vnet/subnets/nat-subnet" + azureAuthenticationConfig: + azureAuthenticationConfigType: WorkloadIdentities + workloadIdentities: + imageRegistry: + clientID: "12345678-1234-5678-9012-123456789012" + ingress: + clientID: "12345678-1234-5678-9012-123456789012" + file: + clientID: "12345678-1234-5678-9012-123456789012" + disk: + clientID: "12345678-1234-5678-9012-123456789012" + nodePoolManagement: + clientID: "12345678-1234-5678-9012-123456789012" + cloudProvider: + clientID: "12345678-1234-5678-9012-123456789012" + network: + clientID: "12345678-1234-5678-9012-123456789012" + controlPlaneOperator: + clientID: "12345678-1234-5678-9012-123456789012" + pullSecret: + name: secret + release: + image: quay.io/openshift-release-dev/ocp-release:4.15.11-x86_64 + secretEncryption: + aescbc: + activeKey: + name: key + type: aescbc + services: + - service: APIServer + servicePublishingStrategy: + type: Route + route: {} + - service: OAuthServer + servicePublishingStrategy: + type: Route + route: {} + - service: Konnectivity + servicePublishingStrategy: + type: Route + route: {} + - service: Ignition + servicePublishingStrategy: + type: Route + route: {} + expectedError: "private is required when topology is Private or PublicAndPrivate, and forbidden otherwise" + + - name: When Azure private is set with Public topology it should fail + initial: | + apiVersion: hypershift.openshift.io/v1beta1 + kind: HostedCluster + spec: + dns: + baseDomain: example.com + platform: + type: Azure + azure: + location: eastus + resourceGroupName: test-rg + vnetID: "/subscriptions/12345678-1234-5678-9012-123456789012/resourceGroups/test-rg/providers/Microsoft.Network/virtualNetworks/test-vnet" + subnetID: "/subscriptions/12345678-1234-5678-9012-123456789012/resourceGroups/test-rg/providers/Microsoft.Network/virtualNetworks/test-vnet/subnets/test-subnet" + subscriptionID: "12345678-1234-5678-9012-123456789012" + securityGroupID: "/subscriptions/12345678-1234-5678-9012-123456789012/resourceGroups/test-rg/providers/Microsoft.Network/networkSecurityGroups/test-nsg" + tenantID: "87654321-4321-8765-2109-876543210987" + topology: Public + private: + type: PrivateLink + privateLink: + natSubnetID: "/subscriptions/12345678-1234-5678-9012-123456789012/resourceGroups/test-rg/providers/Microsoft.Network/virtualNetworks/test-vnet/subnets/nat-subnet" + azureAuthenticationConfig: + azureAuthenticationConfigType: WorkloadIdentities + workloadIdentities: + imageRegistry: + clientID: "12345678-1234-5678-9012-123456789012" + ingress: + clientID: "12345678-1234-5678-9012-123456789012" + file: + clientID: "12345678-1234-5678-9012-123456789012" + disk: + clientID: "12345678-1234-5678-9012-123456789012" + nodePoolManagement: + clientID: "12345678-1234-5678-9012-123456789012" + cloudProvider: + clientID: "12345678-1234-5678-9012-123456789012" + network: + clientID: "12345678-1234-5678-9012-123456789012" + controlPlaneOperator: + clientID: "12345678-1234-5678-9012-123456789012" + pullSecret: + name: secret + release: + image: quay.io/openshift-release-dev/ocp-release:4.15.11-x86_64 + secretEncryption: + aescbc: + activeKey: + name: key + type: aescbc + services: + - service: APIServer + servicePublishingStrategy: + type: Route + route: {} + - service: OAuthServer + servicePublishingStrategy: + type: Route + route: {} + - service: Konnectivity + servicePublishingStrategy: + type: Route + route: {} + - service: Ignition + servicePublishingStrategy: + type: Route + route: {} + expectedError: "private is required when topology is Private or PublicAndPrivate, and forbidden otherwise" From 67b66415131bce61ce25dfacd43250cbdda9c341 Mon Sep 17 00:00:00 2001 From: enxebre Date: Tue, 12 May 2026 13:57:54 +0200 Subject: [PATCH 2/4] chore(api): regenerate CRD manifests Co-Authored-By: Claude Opus 4.6 (1M context) --- .../AAA_ungated.yaml | 8 +++++--- .../ClusterUpdateAcceptRisks.yaml | 8 +++++--- .../ClusterVersionOperatorConfiguration.yaml | 8 +++++--- .../ExternalOIDC.yaml | 8 +++++--- .../ExternalOIDCWithUIDAndExtraClaimMappings.yaml | 8 +++++--- .../ExternalOIDCWithUpstreamParity.yaml | 8 +++++--- .../GCPPlatform.yaml | 8 +++++--- .../HCPEtcdBackup.yaml | 8 +++++--- .../HyperShiftOnlyDynamicResourceAllocation.yaml | 8 +++++--- .../ImageStreamImportMode.yaml | 8 +++++--- .../KMSEncryptionProvider.yaml | 8 +++++--- .../hostedclusters.hypershift.openshift.io/OpenStack.yaml | 8 +++++--- .../TLSAdherence.yaml | 8 +++++--- .../AAA_ungated.yaml | 8 +++++--- .../ClusterUpdateAcceptRisks.yaml | 8 +++++--- .../ClusterVersionOperatorConfiguration.yaml | 8 +++++--- .../ExternalOIDC.yaml | 8 +++++--- .../ExternalOIDCWithUIDAndExtraClaimMappings.yaml | 8 +++++--- .../ExternalOIDCWithUpstreamParity.yaml | 8 +++++--- .../GCPPlatform.yaml | 8 +++++--- .../HCPEtcdBackup.yaml | 8 +++++--- .../HyperShiftOnlyDynamicResourceAllocation.yaml | 8 +++++--- .../ImageStreamImportMode.yaml | 8 +++++--- .../KMSEncryptionProvider.yaml | 8 +++++--- .../OpenStack.yaml | 8 +++++--- .../TLSAdherence.yaml | 8 +++++--- .../hostedclusters-Hypershift-CustomNoUpgrade.crd.yaml | 8 +++++--- .../hostedclusters-Hypershift-Default.crd.yaml | 8 +++++--- ...ostedclusters-Hypershift-TechPreviewNoUpgrade.crd.yaml | 8 +++++--- ...ostedcontrolplanes-Hypershift-CustomNoUpgrade.crd.yaml | 8 +++++--- .../hostedcontrolplanes-Hypershift-Default.crd.yaml | 8 +++++--- ...controlplanes-Hypershift-TechPreviewNoUpgrade.crd.yaml | 8 +++++--- .../openshift/hypershift/api/hypershift/v1beta1/azure.go | 3 ++- 33 files changed, 162 insertions(+), 97 deletions(-) diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/AAA_ungated.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/AAA_ungated.yaml index 1c41742b57a..cc09043ad43 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/AAA_ungated.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/AAA_ungated.yaml @@ -5294,6 +5294,8 @@ spec: - message: privateLink is forbidden when type is not PrivateLink rule: 'self.type != ''PrivateLink'' ? !has(self.privateLink) : true' + - message: privateLink is required when type is PrivateLink + rule: self.type != 'PrivateLink' || has(self.privateLink) resourceGroup: default: default description: |- @@ -5428,9 +5430,9 @@ spec: == ''Public'') == (oldSelf.topology == ''Public'')' - message: private is required when topology is Private or PublicAndPrivate, and forbidden otherwise - rule: '!has(self.topology) || ((self.topology == ''Private'' - || self.topology == ''PublicAndPrivate'') ? has(self.private) - : !has(self.private))' + rule: 'has(self.topology) && (self.topology == ''Private'' || + self.topology == ''PublicAndPrivate'') ? has(self.private) + : !has(self.private)' - message: workloadIdentities.controlPlaneOperator is required when Private Link is configured with WorkloadIdentities authentication rule: '!has(self.private) || self.private.type != ''PrivateLink'' diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ClusterUpdateAcceptRisks.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ClusterUpdateAcceptRisks.yaml index 039f5cf6393..ccddf92f394 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ClusterUpdateAcceptRisks.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ClusterUpdateAcceptRisks.yaml @@ -5285,6 +5285,8 @@ spec: - message: privateLink is forbidden when type is not PrivateLink rule: 'self.type != ''PrivateLink'' ? !has(self.privateLink) : true' + - message: privateLink is required when type is PrivateLink + rule: self.type != 'PrivateLink' || has(self.privateLink) resourceGroup: default: default description: |- @@ -5419,9 +5421,9 @@ spec: == ''Public'') == (oldSelf.topology == ''Public'')' - message: private is required when topology is Private or PublicAndPrivate, and forbidden otherwise - rule: '!has(self.topology) || ((self.topology == ''Private'' - || self.topology == ''PublicAndPrivate'') ? has(self.private) - : !has(self.private))' + rule: 'has(self.topology) && (self.topology == ''Private'' || + self.topology == ''PublicAndPrivate'') ? has(self.private) + : !has(self.private)' - message: workloadIdentities.controlPlaneOperator is required when Private Link is configured with WorkloadIdentities authentication rule: '!has(self.private) || self.private.type != ''PrivateLink'' diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ClusterVersionOperatorConfiguration.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ClusterVersionOperatorConfiguration.yaml index 3acebef0f14..9cffbe945aa 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ClusterVersionOperatorConfiguration.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ClusterVersionOperatorConfiguration.yaml @@ -5305,6 +5305,8 @@ spec: - message: privateLink is forbidden when type is not PrivateLink rule: 'self.type != ''PrivateLink'' ? !has(self.privateLink) : true' + - message: privateLink is required when type is PrivateLink + rule: self.type != 'PrivateLink' || has(self.privateLink) resourceGroup: default: default description: |- @@ -5439,9 +5441,9 @@ spec: == ''Public'') == (oldSelf.topology == ''Public'')' - message: private is required when topology is Private or PublicAndPrivate, and forbidden otherwise - rule: '!has(self.topology) || ((self.topology == ''Private'' - || self.topology == ''PublicAndPrivate'') ? has(self.private) - : !has(self.private))' + rule: 'has(self.topology) && (self.topology == ''Private'' || + self.topology == ''PublicAndPrivate'') ? has(self.private) + : !has(self.private)' - message: workloadIdentities.controlPlaneOperator is required when Private Link is configured with WorkloadIdentities authentication rule: '!has(self.private) || self.private.type != ''PrivateLink'' diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ExternalOIDC.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ExternalOIDC.yaml index 4daf2de45fe..7905d4518ee 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ExternalOIDC.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ExternalOIDC.yaml @@ -5617,6 +5617,8 @@ spec: - message: privateLink is forbidden when type is not PrivateLink rule: 'self.type != ''PrivateLink'' ? !has(self.privateLink) : true' + - message: privateLink is required when type is PrivateLink + rule: self.type != 'PrivateLink' || has(self.privateLink) resourceGroup: default: default description: |- @@ -5751,9 +5753,9 @@ spec: == ''Public'') == (oldSelf.topology == ''Public'')' - message: private is required when topology is Private or PublicAndPrivate, and forbidden otherwise - rule: '!has(self.topology) || ((self.topology == ''Private'' - || self.topology == ''PublicAndPrivate'') ? has(self.private) - : !has(self.private))' + rule: 'has(self.topology) && (self.topology == ''Private'' || + self.topology == ''PublicAndPrivate'') ? has(self.private) + : !has(self.private)' - message: workloadIdentities.controlPlaneOperator is required when Private Link is configured with WorkloadIdentities authentication rule: '!has(self.private) || self.private.type != ''PrivateLink'' diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml index a76def974bb..bfe1e545a0b 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml @@ -5757,6 +5757,8 @@ spec: - message: privateLink is forbidden when type is not PrivateLink rule: 'self.type != ''PrivateLink'' ? !has(self.privateLink) : true' + - message: privateLink is required when type is PrivateLink + rule: self.type != 'PrivateLink' || has(self.privateLink) resourceGroup: default: default description: |- @@ -5891,9 +5893,9 @@ spec: == ''Public'') == (oldSelf.topology == ''Public'')' - message: private is required when topology is Private or PublicAndPrivate, and forbidden otherwise - rule: '!has(self.topology) || ((self.topology == ''Private'' - || self.topology == ''PublicAndPrivate'') ? has(self.private) - : !has(self.private))' + rule: 'has(self.topology) && (self.topology == ''Private'' || + self.topology == ''PublicAndPrivate'') ? has(self.private) + : !has(self.private)' - message: workloadIdentities.controlPlaneOperator is required when Private Link is configured with WorkloadIdentities authentication rule: '!has(self.private) || self.private.type != ''PrivateLink'' diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ExternalOIDCWithUpstreamParity.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ExternalOIDCWithUpstreamParity.yaml index a9b7aa0f7d7..d132b606374 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ExternalOIDCWithUpstreamParity.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ExternalOIDCWithUpstreamParity.yaml @@ -5748,6 +5748,8 @@ spec: - message: privateLink is forbidden when type is not PrivateLink rule: 'self.type != ''PrivateLink'' ? !has(self.privateLink) : true' + - message: privateLink is required when type is PrivateLink + rule: self.type != 'PrivateLink' || has(self.privateLink) resourceGroup: default: default description: |- @@ -5882,9 +5884,9 @@ spec: == ''Public'') == (oldSelf.topology == ''Public'')' - message: private is required when topology is Private or PublicAndPrivate, and forbidden otherwise - rule: '!has(self.topology) || ((self.topology == ''Private'' - || self.topology == ''PublicAndPrivate'') ? has(self.private) - : !has(self.private))' + rule: 'has(self.topology) && (self.topology == ''Private'' || + self.topology == ''PublicAndPrivate'') ? has(self.private) + : !has(self.private)' - message: workloadIdentities.controlPlaneOperator is required when Private Link is configured with WorkloadIdentities authentication rule: '!has(self.private) || self.private.type != ''PrivateLink'' diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/GCPPlatform.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/GCPPlatform.yaml index a4b7483426f..5cd80d09777 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/GCPPlatform.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/GCPPlatform.yaml @@ -5285,6 +5285,8 @@ spec: - message: privateLink is forbidden when type is not PrivateLink rule: 'self.type != ''PrivateLink'' ? !has(self.privateLink) : true' + - message: privateLink is required when type is PrivateLink + rule: self.type != 'PrivateLink' || has(self.privateLink) resourceGroup: default: default description: |- @@ -5419,9 +5421,9 @@ spec: == ''Public'') == (oldSelf.topology == ''Public'')' - message: private is required when topology is Private or PublicAndPrivate, and forbidden otherwise - rule: '!has(self.topology) || ((self.topology == ''Private'' - || self.topology == ''PublicAndPrivate'') ? has(self.private) - : !has(self.private))' + rule: 'has(self.topology) && (self.topology == ''Private'' || + self.topology == ''PublicAndPrivate'') ? has(self.private) + : !has(self.private)' - message: workloadIdentities.controlPlaneOperator is required when Private Link is configured with WorkloadIdentities authentication rule: '!has(self.private) || self.private.type != ''PrivateLink'' diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/HCPEtcdBackup.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/HCPEtcdBackup.yaml index 6ae5927c542..3f6b97dcc9f 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/HCPEtcdBackup.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/HCPEtcdBackup.yaml @@ -5350,6 +5350,8 @@ spec: - message: privateLink is forbidden when type is not PrivateLink rule: 'self.type != ''PrivateLink'' ? !has(self.privateLink) : true' + - message: privateLink is required when type is PrivateLink + rule: self.type != 'PrivateLink' || has(self.privateLink) resourceGroup: default: default description: |- @@ -5484,9 +5486,9 @@ spec: == ''Public'') == (oldSelf.topology == ''Public'')' - message: private is required when topology is Private or PublicAndPrivate, and forbidden otherwise - rule: '!has(self.topology) || ((self.topology == ''Private'' - || self.topology == ''PublicAndPrivate'') ? has(self.private) - : !has(self.private))' + rule: 'has(self.topology) && (self.topology == ''Private'' || + self.topology == ''PublicAndPrivate'') ? has(self.private) + : !has(self.private)' - message: workloadIdentities.controlPlaneOperator is required when Private Link is configured with WorkloadIdentities authentication rule: '!has(self.private) || self.private.type != ''PrivateLink'' diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/HyperShiftOnlyDynamicResourceAllocation.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/HyperShiftOnlyDynamicResourceAllocation.yaml index deca5394369..f8ec33b0081 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/HyperShiftOnlyDynamicResourceAllocation.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/HyperShiftOnlyDynamicResourceAllocation.yaml @@ -5307,6 +5307,8 @@ spec: - message: privateLink is forbidden when type is not PrivateLink rule: 'self.type != ''PrivateLink'' ? !has(self.privateLink) : true' + - message: privateLink is required when type is PrivateLink + rule: self.type != 'PrivateLink' || has(self.privateLink) resourceGroup: default: default description: |- @@ -5441,9 +5443,9 @@ spec: == ''Public'') == (oldSelf.topology == ''Public'')' - message: private is required when topology is Private or PublicAndPrivate, and forbidden otherwise - rule: '!has(self.topology) || ((self.topology == ''Private'' - || self.topology == ''PublicAndPrivate'') ? has(self.private) - : !has(self.private))' + rule: 'has(self.topology) && (self.topology == ''Private'' || + self.topology == ''PublicAndPrivate'') ? has(self.private) + : !has(self.private)' - message: workloadIdentities.controlPlaneOperator is required when Private Link is configured with WorkloadIdentities authentication rule: '!has(self.private) || self.private.type != ''PrivateLink'' diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ImageStreamImportMode.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ImageStreamImportMode.yaml index 5e039ba658b..5b047b5b78a 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ImageStreamImportMode.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ImageStreamImportMode.yaml @@ -5303,6 +5303,8 @@ spec: - message: privateLink is forbidden when type is not PrivateLink rule: 'self.type != ''PrivateLink'' ? !has(self.privateLink) : true' + - message: privateLink is required when type is PrivateLink + rule: self.type != 'PrivateLink' || has(self.privateLink) resourceGroup: default: default description: |- @@ -5437,9 +5439,9 @@ spec: == ''Public'') == (oldSelf.topology == ''Public'')' - message: private is required when topology is Private or PublicAndPrivate, and forbidden otherwise - rule: '!has(self.topology) || ((self.topology == ''Private'' - || self.topology == ''PublicAndPrivate'') ? has(self.private) - : !has(self.private))' + rule: 'has(self.topology) && (self.topology == ''Private'' || + self.topology == ''PublicAndPrivate'') ? has(self.private) + : !has(self.private)' - message: workloadIdentities.controlPlaneOperator is required when Private Link is configured with WorkloadIdentities authentication rule: '!has(self.private) || self.private.type != ''PrivateLink'' diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/KMSEncryptionProvider.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/KMSEncryptionProvider.yaml index 0658922050b..036f0f33d41 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/KMSEncryptionProvider.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/KMSEncryptionProvider.yaml @@ -5361,6 +5361,8 @@ spec: - message: privateLink is forbidden when type is not PrivateLink rule: 'self.type != ''PrivateLink'' ? !has(self.privateLink) : true' + - message: privateLink is required when type is PrivateLink + rule: self.type != 'PrivateLink' || has(self.privateLink) resourceGroup: default: default description: |- @@ -5495,9 +5497,9 @@ spec: == ''Public'') == (oldSelf.topology == ''Public'')' - message: private is required when topology is Private or PublicAndPrivate, and forbidden otherwise - rule: '!has(self.topology) || ((self.topology == ''Private'' - || self.topology == ''PublicAndPrivate'') ? has(self.private) - : !has(self.private))' + rule: 'has(self.topology) && (self.topology == ''Private'' || + self.topology == ''PublicAndPrivate'') ? has(self.private) + : !has(self.private)' - message: workloadIdentities.controlPlaneOperator is required when Private Link is configured with WorkloadIdentities authentication rule: '!has(self.private) || self.private.type != ''PrivateLink'' diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/OpenStack.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/OpenStack.yaml index 2d3ea4fb777..8569398177a 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/OpenStack.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/OpenStack.yaml @@ -5285,6 +5285,8 @@ spec: - message: privateLink is forbidden when type is not PrivateLink rule: 'self.type != ''PrivateLink'' ? !has(self.privateLink) : true' + - message: privateLink is required when type is PrivateLink + rule: self.type != 'PrivateLink' || has(self.privateLink) resourceGroup: default: default description: |- @@ -5419,9 +5421,9 @@ spec: == ''Public'') == (oldSelf.topology == ''Public'')' - message: private is required when topology is Private or PublicAndPrivate, and forbidden otherwise - rule: '!has(self.topology) || ((self.topology == ''Private'' - || self.topology == ''PublicAndPrivate'') ? has(self.private) - : !has(self.private))' + rule: 'has(self.topology) && (self.topology == ''Private'' || + self.topology == ''PublicAndPrivate'') ? has(self.private) + : !has(self.private)' - message: workloadIdentities.controlPlaneOperator is required when Private Link is configured with WorkloadIdentities authentication rule: '!has(self.private) || self.private.type != ''PrivateLink'' diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/TLSAdherence.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/TLSAdherence.yaml index 778d189b330..330df8308b7 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/TLSAdherence.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/TLSAdherence.yaml @@ -5325,6 +5325,8 @@ spec: - message: privateLink is forbidden when type is not PrivateLink rule: 'self.type != ''PrivateLink'' ? !has(self.privateLink) : true' + - message: privateLink is required when type is PrivateLink + rule: self.type != 'PrivateLink' || has(self.privateLink) resourceGroup: default: default description: |- @@ -5459,9 +5461,9 @@ spec: == ''Public'') == (oldSelf.topology == ''Public'')' - message: private is required when topology is Private or PublicAndPrivate, and forbidden otherwise - rule: '!has(self.topology) || ((self.topology == ''Private'' - || self.topology == ''PublicAndPrivate'') ? has(self.private) - : !has(self.private))' + rule: 'has(self.topology) && (self.topology == ''Private'' || + self.topology == ''PublicAndPrivate'') ? has(self.private) + : !has(self.private)' - message: workloadIdentities.controlPlaneOperator is required when Private Link is configured with WorkloadIdentities authentication rule: '!has(self.private) || self.private.type != ''PrivateLink'' diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/AAA_ungated.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/AAA_ungated.yaml index 8915bf2fb64..1e82f6d96c0 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/AAA_ungated.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/AAA_ungated.yaml @@ -5174,6 +5174,8 @@ spec: - message: privateLink is forbidden when type is not PrivateLink rule: 'self.type != ''PrivateLink'' ? !has(self.privateLink) : true' + - message: privateLink is required when type is PrivateLink + rule: self.type != 'PrivateLink' || has(self.privateLink) resourceGroup: default: default description: |- @@ -5308,9 +5310,9 @@ spec: == ''Public'') == (oldSelf.topology == ''Public'')' - message: private is required when topology is Private or PublicAndPrivate, and forbidden otherwise - rule: '!has(self.topology) || ((self.topology == ''Private'' - || self.topology == ''PublicAndPrivate'') ? has(self.private) - : !has(self.private))' + rule: 'has(self.topology) && (self.topology == ''Private'' || + self.topology == ''PublicAndPrivate'') ? has(self.private) + : !has(self.private)' - message: workloadIdentities.controlPlaneOperator is required when Private Link is configured with WorkloadIdentities authentication rule: '!has(self.private) || self.private.type != ''PrivateLink'' diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ClusterUpdateAcceptRisks.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ClusterUpdateAcceptRisks.yaml index 1540ec8d3d4..d86ea27746f 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ClusterUpdateAcceptRisks.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ClusterUpdateAcceptRisks.yaml @@ -5165,6 +5165,8 @@ spec: - message: privateLink is forbidden when type is not PrivateLink rule: 'self.type != ''PrivateLink'' ? !has(self.privateLink) : true' + - message: privateLink is required when type is PrivateLink + rule: self.type != 'PrivateLink' || has(self.privateLink) resourceGroup: default: default description: |- @@ -5299,9 +5301,9 @@ spec: == ''Public'') == (oldSelf.topology == ''Public'')' - message: private is required when topology is Private or PublicAndPrivate, and forbidden otherwise - rule: '!has(self.topology) || ((self.topology == ''Private'' - || self.topology == ''PublicAndPrivate'') ? has(self.private) - : !has(self.private))' + rule: 'has(self.topology) && (self.topology == ''Private'' || + self.topology == ''PublicAndPrivate'') ? has(self.private) + : !has(self.private)' - message: workloadIdentities.controlPlaneOperator is required when Private Link is configured with WorkloadIdentities authentication rule: '!has(self.private) || self.private.type != ''PrivateLink'' diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ClusterVersionOperatorConfiguration.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ClusterVersionOperatorConfiguration.yaml index 4b5cea37472..4f3e96aa248 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ClusterVersionOperatorConfiguration.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ClusterVersionOperatorConfiguration.yaml @@ -5185,6 +5185,8 @@ spec: - message: privateLink is forbidden when type is not PrivateLink rule: 'self.type != ''PrivateLink'' ? !has(self.privateLink) : true' + - message: privateLink is required when type is PrivateLink + rule: self.type != 'PrivateLink' || has(self.privateLink) resourceGroup: default: default description: |- @@ -5319,9 +5321,9 @@ spec: == ''Public'') == (oldSelf.topology == ''Public'')' - message: private is required when topology is Private or PublicAndPrivate, and forbidden otherwise - rule: '!has(self.topology) || ((self.topology == ''Private'' - || self.topology == ''PublicAndPrivate'') ? has(self.private) - : !has(self.private))' + rule: 'has(self.topology) && (self.topology == ''Private'' || + self.topology == ''PublicAndPrivate'') ? has(self.private) + : !has(self.private)' - message: workloadIdentities.controlPlaneOperator is required when Private Link is configured with WorkloadIdentities authentication rule: '!has(self.private) || self.private.type != ''PrivateLink'' diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ExternalOIDC.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ExternalOIDC.yaml index 8a5926d9a09..0a418db0ffe 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ExternalOIDC.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ExternalOIDC.yaml @@ -5497,6 +5497,8 @@ spec: - message: privateLink is forbidden when type is not PrivateLink rule: 'self.type != ''PrivateLink'' ? !has(self.privateLink) : true' + - message: privateLink is required when type is PrivateLink + rule: self.type != 'PrivateLink' || has(self.privateLink) resourceGroup: default: default description: |- @@ -5631,9 +5633,9 @@ spec: == ''Public'') == (oldSelf.topology == ''Public'')' - message: private is required when topology is Private or PublicAndPrivate, and forbidden otherwise - rule: '!has(self.topology) || ((self.topology == ''Private'' - || self.topology == ''PublicAndPrivate'') ? has(self.private) - : !has(self.private))' + rule: 'has(self.topology) && (self.topology == ''Private'' || + self.topology == ''PublicAndPrivate'') ? has(self.private) + : !has(self.private)' - message: workloadIdentities.controlPlaneOperator is required when Private Link is configured with WorkloadIdentities authentication rule: '!has(self.private) || self.private.type != ''PrivateLink'' diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml index e0eb8d100ec..a89e3c54b10 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml @@ -5637,6 +5637,8 @@ spec: - message: privateLink is forbidden when type is not PrivateLink rule: 'self.type != ''PrivateLink'' ? !has(self.privateLink) : true' + - message: privateLink is required when type is PrivateLink + rule: self.type != 'PrivateLink' || has(self.privateLink) resourceGroup: default: default description: |- @@ -5771,9 +5773,9 @@ spec: == ''Public'') == (oldSelf.topology == ''Public'')' - message: private is required when topology is Private or PublicAndPrivate, and forbidden otherwise - rule: '!has(self.topology) || ((self.topology == ''Private'' - || self.topology == ''PublicAndPrivate'') ? has(self.private) - : !has(self.private))' + rule: 'has(self.topology) && (self.topology == ''Private'' || + self.topology == ''PublicAndPrivate'') ? has(self.private) + : !has(self.private)' - message: workloadIdentities.controlPlaneOperator is required when Private Link is configured with WorkloadIdentities authentication rule: '!has(self.private) || self.private.type != ''PrivateLink'' diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ExternalOIDCWithUpstreamParity.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ExternalOIDCWithUpstreamParity.yaml index 040e4977c09..ff355cd8ead 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ExternalOIDCWithUpstreamParity.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ExternalOIDCWithUpstreamParity.yaml @@ -5628,6 +5628,8 @@ spec: - message: privateLink is forbidden when type is not PrivateLink rule: 'self.type != ''PrivateLink'' ? !has(self.privateLink) : true' + - message: privateLink is required when type is PrivateLink + rule: self.type != 'PrivateLink' || has(self.privateLink) resourceGroup: default: default description: |- @@ -5762,9 +5764,9 @@ spec: == ''Public'') == (oldSelf.topology == ''Public'')' - message: private is required when topology is Private or PublicAndPrivate, and forbidden otherwise - rule: '!has(self.topology) || ((self.topology == ''Private'' - || self.topology == ''PublicAndPrivate'') ? has(self.private) - : !has(self.private))' + rule: 'has(self.topology) && (self.topology == ''Private'' || + self.topology == ''PublicAndPrivate'') ? has(self.private) + : !has(self.private)' - message: workloadIdentities.controlPlaneOperator is required when Private Link is configured with WorkloadIdentities authentication rule: '!has(self.private) || self.private.type != ''PrivateLink'' diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/GCPPlatform.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/GCPPlatform.yaml index bcc6e44ccc1..9524e7a109d 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/GCPPlatform.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/GCPPlatform.yaml @@ -5165,6 +5165,8 @@ spec: - message: privateLink is forbidden when type is not PrivateLink rule: 'self.type != ''PrivateLink'' ? !has(self.privateLink) : true' + - message: privateLink is required when type is PrivateLink + rule: self.type != 'PrivateLink' || has(self.privateLink) resourceGroup: default: default description: |- @@ -5299,9 +5301,9 @@ spec: == ''Public'') == (oldSelf.topology == ''Public'')' - message: private is required when topology is Private or PublicAndPrivate, and forbidden otherwise - rule: '!has(self.topology) || ((self.topology == ''Private'' - || self.topology == ''PublicAndPrivate'') ? has(self.private) - : !has(self.private))' + rule: 'has(self.topology) && (self.topology == ''Private'' || + self.topology == ''PublicAndPrivate'') ? has(self.private) + : !has(self.private)' - message: workloadIdentities.controlPlaneOperator is required when Private Link is configured with WorkloadIdentities authentication rule: '!has(self.private) || self.private.type != ''PrivateLink'' diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/HCPEtcdBackup.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/HCPEtcdBackup.yaml index db74c118d76..b6e5e232ca9 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/HCPEtcdBackup.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/HCPEtcdBackup.yaml @@ -5230,6 +5230,8 @@ spec: - message: privateLink is forbidden when type is not PrivateLink rule: 'self.type != ''PrivateLink'' ? !has(self.privateLink) : true' + - message: privateLink is required when type is PrivateLink + rule: self.type != 'PrivateLink' || has(self.privateLink) resourceGroup: default: default description: |- @@ -5364,9 +5366,9 @@ spec: == ''Public'') == (oldSelf.topology == ''Public'')' - message: private is required when topology is Private or PublicAndPrivate, and forbidden otherwise - rule: '!has(self.topology) || ((self.topology == ''Private'' - || self.topology == ''PublicAndPrivate'') ? has(self.private) - : !has(self.private))' + rule: 'has(self.topology) && (self.topology == ''Private'' || + self.topology == ''PublicAndPrivate'') ? has(self.private) + : !has(self.private)' - message: workloadIdentities.controlPlaneOperator is required when Private Link is configured with WorkloadIdentities authentication rule: '!has(self.private) || self.private.type != ''PrivateLink'' diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/HyperShiftOnlyDynamicResourceAllocation.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/HyperShiftOnlyDynamicResourceAllocation.yaml index 1a0efedcce2..72908a81f76 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/HyperShiftOnlyDynamicResourceAllocation.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/HyperShiftOnlyDynamicResourceAllocation.yaml @@ -5187,6 +5187,8 @@ spec: - message: privateLink is forbidden when type is not PrivateLink rule: 'self.type != ''PrivateLink'' ? !has(self.privateLink) : true' + - message: privateLink is required when type is PrivateLink + rule: self.type != 'PrivateLink' || has(self.privateLink) resourceGroup: default: default description: |- @@ -5321,9 +5323,9 @@ spec: == ''Public'') == (oldSelf.topology == ''Public'')' - message: private is required when topology is Private or PublicAndPrivate, and forbidden otherwise - rule: '!has(self.topology) || ((self.topology == ''Private'' - || self.topology == ''PublicAndPrivate'') ? has(self.private) - : !has(self.private))' + rule: 'has(self.topology) && (self.topology == ''Private'' || + self.topology == ''PublicAndPrivate'') ? has(self.private) + : !has(self.private)' - message: workloadIdentities.controlPlaneOperator is required when Private Link is configured with WorkloadIdentities authentication rule: '!has(self.private) || self.private.type != ''PrivateLink'' diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ImageStreamImportMode.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ImageStreamImportMode.yaml index 1f8d79dfc0a..607d252410f 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ImageStreamImportMode.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ImageStreamImportMode.yaml @@ -5183,6 +5183,8 @@ spec: - message: privateLink is forbidden when type is not PrivateLink rule: 'self.type != ''PrivateLink'' ? !has(self.privateLink) : true' + - message: privateLink is required when type is PrivateLink + rule: self.type != 'PrivateLink' || has(self.privateLink) resourceGroup: default: default description: |- @@ -5317,9 +5319,9 @@ spec: == ''Public'') == (oldSelf.topology == ''Public'')' - message: private is required when topology is Private or PublicAndPrivate, and forbidden otherwise - rule: '!has(self.topology) || ((self.topology == ''Private'' - || self.topology == ''PublicAndPrivate'') ? has(self.private) - : !has(self.private))' + rule: 'has(self.topology) && (self.topology == ''Private'' || + self.topology == ''PublicAndPrivate'') ? has(self.private) + : !has(self.private)' - message: workloadIdentities.controlPlaneOperator is required when Private Link is configured with WorkloadIdentities authentication rule: '!has(self.private) || self.private.type != ''PrivateLink'' diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/KMSEncryptionProvider.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/KMSEncryptionProvider.yaml index a73adb34234..e19f8796d12 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/KMSEncryptionProvider.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/KMSEncryptionProvider.yaml @@ -5241,6 +5241,8 @@ spec: - message: privateLink is forbidden when type is not PrivateLink rule: 'self.type != ''PrivateLink'' ? !has(self.privateLink) : true' + - message: privateLink is required when type is PrivateLink + rule: self.type != 'PrivateLink' || has(self.privateLink) resourceGroup: default: default description: |- @@ -5375,9 +5377,9 @@ spec: == ''Public'') == (oldSelf.topology == ''Public'')' - message: private is required when topology is Private or PublicAndPrivate, and forbidden otherwise - rule: '!has(self.topology) || ((self.topology == ''Private'' - || self.topology == ''PublicAndPrivate'') ? has(self.private) - : !has(self.private))' + rule: 'has(self.topology) && (self.topology == ''Private'' || + self.topology == ''PublicAndPrivate'') ? has(self.private) + : !has(self.private)' - message: workloadIdentities.controlPlaneOperator is required when Private Link is configured with WorkloadIdentities authentication rule: '!has(self.private) || self.private.type != ''PrivateLink'' diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/OpenStack.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/OpenStack.yaml index e2cff3fb651..9d9d8ccb16a 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/OpenStack.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/OpenStack.yaml @@ -5165,6 +5165,8 @@ spec: - message: privateLink is forbidden when type is not PrivateLink rule: 'self.type != ''PrivateLink'' ? !has(self.privateLink) : true' + - message: privateLink is required when type is PrivateLink + rule: self.type != 'PrivateLink' || has(self.privateLink) resourceGroup: default: default description: |- @@ -5299,9 +5301,9 @@ spec: == ''Public'') == (oldSelf.topology == ''Public'')' - message: private is required when topology is Private or PublicAndPrivate, and forbidden otherwise - rule: '!has(self.topology) || ((self.topology == ''Private'' - || self.topology == ''PublicAndPrivate'') ? has(self.private) - : !has(self.private))' + rule: 'has(self.topology) && (self.topology == ''Private'' || + self.topology == ''PublicAndPrivate'') ? has(self.private) + : !has(self.private)' - message: workloadIdentities.controlPlaneOperator is required when Private Link is configured with WorkloadIdentities authentication rule: '!has(self.private) || self.private.type != ''PrivateLink'' diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/TLSAdherence.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/TLSAdherence.yaml index 6595c34e17c..b14cb6a2dc8 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/TLSAdherence.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/TLSAdherence.yaml @@ -5205,6 +5205,8 @@ spec: - message: privateLink is forbidden when type is not PrivateLink rule: 'self.type != ''PrivateLink'' ? !has(self.privateLink) : true' + - message: privateLink is required when type is PrivateLink + rule: self.type != 'PrivateLink' || has(self.privateLink) resourceGroup: default: default description: |- @@ -5339,9 +5341,9 @@ spec: == ''Public'') == (oldSelf.topology == ''Public'')' - message: private is required when topology is Private or PublicAndPrivate, and forbidden otherwise - rule: '!has(self.topology) || ((self.topology == ''Private'' - || self.topology == ''PublicAndPrivate'') ? has(self.private) - : !has(self.private))' + rule: 'has(self.topology) && (self.topology == ''Private'' || + self.topology == ''PublicAndPrivate'') ? has(self.private) + : !has(self.private)' - message: workloadIdentities.controlPlaneOperator is required when Private Link is configured with WorkloadIdentities authentication rule: '!has(self.private) || self.private.type != ''PrivateLink'' diff --git a/cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedclusters-Hypershift-CustomNoUpgrade.crd.yaml b/cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedclusters-Hypershift-CustomNoUpgrade.crd.yaml index 31fe863e109..a692d9cf285 100644 --- a/cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedclusters-Hypershift-CustomNoUpgrade.crd.yaml +++ b/cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedclusters-Hypershift-CustomNoUpgrade.crd.yaml @@ -6136,6 +6136,8 @@ spec: - message: privateLink is forbidden when type is not PrivateLink rule: 'self.type != ''PrivateLink'' ? !has(self.privateLink) : true' + - message: privateLink is required when type is PrivateLink + rule: self.type != 'PrivateLink' || has(self.privateLink) resourceGroup: default: default description: |- @@ -6270,9 +6272,9 @@ spec: == ''Public'') == (oldSelf.topology == ''Public'')' - message: private is required when topology is Private or PublicAndPrivate, and forbidden otherwise - rule: '!has(self.topology) || ((self.topology == ''Private'' - || self.topology == ''PublicAndPrivate'') ? has(self.private) - : !has(self.private))' + rule: 'has(self.topology) && (self.topology == ''Private'' || + self.topology == ''PublicAndPrivate'') ? has(self.private) + : !has(self.private)' - message: workloadIdentities.controlPlaneOperator is required when Private Link is configured with WorkloadIdentities authentication rule: '!has(self.private) || self.private.type != ''PrivateLink'' diff --git a/cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedclusters-Hypershift-Default.crd.yaml b/cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedclusters-Hypershift-Default.crd.yaml index 45bd439af93..b415596eb07 100644 --- a/cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedclusters-Hypershift-Default.crd.yaml +++ b/cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedclusters-Hypershift-Default.crd.yaml @@ -5786,6 +5786,8 @@ spec: - message: privateLink is forbidden when type is not PrivateLink rule: 'self.type != ''PrivateLink'' ? !has(self.privateLink) : true' + - message: privateLink is required when type is PrivateLink + rule: self.type != 'PrivateLink' || has(self.privateLink) resourceGroup: default: default description: |- @@ -5920,9 +5922,9 @@ spec: == ''Public'') == (oldSelf.topology == ''Public'')' - message: private is required when topology is Private or PublicAndPrivate, and forbidden otherwise - rule: '!has(self.topology) || ((self.topology == ''Private'' - || self.topology == ''PublicAndPrivate'') ? has(self.private) - : !has(self.private))' + rule: 'has(self.topology) && (self.topology == ''Private'' || + self.topology == ''PublicAndPrivate'') ? has(self.private) + : !has(self.private)' - message: workloadIdentities.controlPlaneOperator is required when Private Link is configured with WorkloadIdentities authentication rule: '!has(self.private) || self.private.type != ''PrivateLink'' diff --git a/cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedclusters-Hypershift-TechPreviewNoUpgrade.crd.yaml b/cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedclusters-Hypershift-TechPreviewNoUpgrade.crd.yaml index 85a9425723d..eed5c864aaa 100644 --- a/cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedclusters-Hypershift-TechPreviewNoUpgrade.crd.yaml +++ b/cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedclusters-Hypershift-TechPreviewNoUpgrade.crd.yaml @@ -6007,6 +6007,8 @@ spec: - message: privateLink is forbidden when type is not PrivateLink rule: 'self.type != ''PrivateLink'' ? !has(self.privateLink) : true' + - message: privateLink is required when type is PrivateLink + rule: self.type != 'PrivateLink' || has(self.privateLink) resourceGroup: default: default description: |- @@ -6141,9 +6143,9 @@ spec: == ''Public'') == (oldSelf.topology == ''Public'')' - message: private is required when topology is Private or PublicAndPrivate, and forbidden otherwise - rule: '!has(self.topology) || ((self.topology == ''Private'' - || self.topology == ''PublicAndPrivate'') ? has(self.private) - : !has(self.private))' + rule: 'has(self.topology) && (self.topology == ''Private'' || + self.topology == ''PublicAndPrivate'') ? has(self.private) + : !has(self.private)' - message: workloadIdentities.controlPlaneOperator is required when Private Link is configured with WorkloadIdentities authentication rule: '!has(self.private) || self.private.type != ''PrivateLink'' diff --git a/cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedcontrolplanes-Hypershift-CustomNoUpgrade.crd.yaml b/cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedcontrolplanes-Hypershift-CustomNoUpgrade.crd.yaml index e267097b2bc..f5e573b6a8b 100644 --- a/cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedcontrolplanes-Hypershift-CustomNoUpgrade.crd.yaml +++ b/cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedcontrolplanes-Hypershift-CustomNoUpgrade.crd.yaml @@ -6016,6 +6016,8 @@ spec: - message: privateLink is forbidden when type is not PrivateLink rule: 'self.type != ''PrivateLink'' ? !has(self.privateLink) : true' + - message: privateLink is required when type is PrivateLink + rule: self.type != 'PrivateLink' || has(self.privateLink) resourceGroup: default: default description: |- @@ -6150,9 +6152,9 @@ spec: == ''Public'') == (oldSelf.topology == ''Public'')' - message: private is required when topology is Private or PublicAndPrivate, and forbidden otherwise - rule: '!has(self.topology) || ((self.topology == ''Private'' - || self.topology == ''PublicAndPrivate'') ? has(self.private) - : !has(self.private))' + rule: 'has(self.topology) && (self.topology == ''Private'' || + self.topology == ''PublicAndPrivate'') ? has(self.private) + : !has(self.private)' - message: workloadIdentities.controlPlaneOperator is required when Private Link is configured with WorkloadIdentities authentication rule: '!has(self.private) || self.private.type != ''PrivateLink'' diff --git a/cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedcontrolplanes-Hypershift-Default.crd.yaml b/cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedcontrolplanes-Hypershift-Default.crd.yaml index 3dbb3485271..f0e741b5825 100644 --- a/cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedcontrolplanes-Hypershift-Default.crd.yaml +++ b/cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedcontrolplanes-Hypershift-Default.crd.yaml @@ -5666,6 +5666,8 @@ spec: - message: privateLink is forbidden when type is not PrivateLink rule: 'self.type != ''PrivateLink'' ? !has(self.privateLink) : true' + - message: privateLink is required when type is PrivateLink + rule: self.type != 'PrivateLink' || has(self.privateLink) resourceGroup: default: default description: |- @@ -5800,9 +5802,9 @@ spec: == ''Public'') == (oldSelf.topology == ''Public'')' - message: private is required when topology is Private or PublicAndPrivate, and forbidden otherwise - rule: '!has(self.topology) || ((self.topology == ''Private'' - || self.topology == ''PublicAndPrivate'') ? has(self.private) - : !has(self.private))' + rule: 'has(self.topology) && (self.topology == ''Private'' || + self.topology == ''PublicAndPrivate'') ? has(self.private) + : !has(self.private)' - message: workloadIdentities.controlPlaneOperator is required when Private Link is configured with WorkloadIdentities authentication rule: '!has(self.private) || self.private.type != ''PrivateLink'' diff --git a/cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedcontrolplanes-Hypershift-TechPreviewNoUpgrade.crd.yaml b/cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedcontrolplanes-Hypershift-TechPreviewNoUpgrade.crd.yaml index 8b61ee5d386..59a120afb2b 100644 --- a/cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedcontrolplanes-Hypershift-TechPreviewNoUpgrade.crd.yaml +++ b/cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedcontrolplanes-Hypershift-TechPreviewNoUpgrade.crd.yaml @@ -5887,6 +5887,8 @@ spec: - message: privateLink is forbidden when type is not PrivateLink rule: 'self.type != ''PrivateLink'' ? !has(self.privateLink) : true' + - message: privateLink is required when type is PrivateLink + rule: self.type != 'PrivateLink' || has(self.privateLink) resourceGroup: default: default description: |- @@ -6021,9 +6023,9 @@ spec: == ''Public'') == (oldSelf.topology == ''Public'')' - message: private is required when topology is Private or PublicAndPrivate, and forbidden otherwise - rule: '!has(self.topology) || ((self.topology == ''Private'' - || self.topology == ''PublicAndPrivate'') ? has(self.private) - : !has(self.private))' + rule: 'has(self.topology) && (self.topology == ''Private'' || + self.topology == ''PublicAndPrivate'') ? has(self.private) + : !has(self.private)' - message: workloadIdentities.controlPlaneOperator is required when Private Link is configured with WorkloadIdentities authentication rule: '!has(self.private) || self.private.type != ''PrivateLink'' diff --git a/vendor/github.com/openshift/hypershift/api/hypershift/v1beta1/azure.go b/vendor/github.com/openshift/hypershift/api/hypershift/v1beta1/azure.go index 309b58e5a4e..dde02010726 100644 --- a/vendor/github.com/openshift/hypershift/api/hypershift/v1beta1/azure.go +++ b/vendor/github.com/openshift/hypershift/api/hypershift/v1beta1/azure.go @@ -362,7 +362,7 @@ type AzureNodePoolOSDisk struct { // +kubebuilder:validation:XValidation:rule="has(self.private) == has(oldSelf.private)",message="private cannot be added or removed after cluster creation" // +kubebuilder:validation:XValidation:rule="!has(oldSelf.topology) || has(self.topology)",message="topology cannot be removed once set" // +kubebuilder:validation:XValidation:rule="!has(self.topology) || !has(oldSelf.topology) || (self.topology == 'Public') == (oldSelf.topology == 'Public')",message="transitions between Public and non-Public topology are not supported" -// +kubebuilder:validation:XValidation:rule="!has(self.topology) || ((self.topology == 'Private' || self.topology == 'PublicAndPrivate') ? has(self.private) : !has(self.private))",message="private is required when topology is Private or PublicAndPrivate, and forbidden otherwise" +// +kubebuilder:validation:XValidation:rule="has(self.topology) && (self.topology == 'Private' || self.topology == 'PublicAndPrivate') ? has(self.private) : !has(self.private)",message="private is required when topology is Private or PublicAndPrivate, and forbidden otherwise" // +kubebuilder:validation:XValidation:rule="!has(self.private) || self.private.type != 'PrivateLink' || self.azureAuthenticationConfig.azureAuthenticationConfigType != 'WorkloadIdentities' || has(self.azureAuthenticationConfig.workloadIdentities.controlPlaneOperator)",message="workloadIdentities.controlPlaneOperator is required when Private Link is configured with WorkloadIdentities authentication" type AzurePlatformSpec struct { // cloud is the cloud environment identifier, valid values could be found here: https://github.com/Azure/go-autorest/blob/4c0e21ca2bbb3251fe7853e6f9df6397f53dd419/autorest/azure/environments.go#L33 @@ -669,6 +669,7 @@ const ( // be added in the future. // // +kubebuilder:validation:XValidation:rule="self.type != 'PrivateLink' ? !has(self.privateLink) : true",message="privateLink is forbidden when type is not PrivateLink" +// +kubebuilder:validation:XValidation:rule="self.type != 'PrivateLink' || has(self.privateLink)",message="privateLink is required when type is PrivateLink" // +union type AzurePrivateSpec struct { // type specifies the private connectivity mechanism used for the hosted cluster's API server. From 1473bae54f3df75ad7c5112fc9c79abb6ec2a0e3 Mon Sep 17 00:00:00 2001 From: enxebre Date: Wed, 13 May 2026 10:32:38 +0200 Subject: [PATCH 3/4] fix(api): consolidate privateLink CEL rules into single bidirectional rule Co-Authored-By: Claude Opus 4.6 (1M context) --- api/hypershift/v1beta1/azure.go | 3 +-- .../stable.hostedclusters.azure.testsuite.yaml | 2 +- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/api/hypershift/v1beta1/azure.go b/api/hypershift/v1beta1/azure.go index dde02010726..76c9a3efbab 100644 --- a/api/hypershift/v1beta1/azure.go +++ b/api/hypershift/v1beta1/azure.go @@ -668,8 +668,7 @@ const ( // mechanism. Currently only PrivateLink is supported; additional mechanisms (e.g., Swift) may // be added in the future. // -// +kubebuilder:validation:XValidation:rule="self.type != 'PrivateLink' ? !has(self.privateLink) : true",message="privateLink is forbidden when type is not PrivateLink" -// +kubebuilder:validation:XValidation:rule="self.type != 'PrivateLink' || has(self.privateLink)",message="privateLink is required when type is PrivateLink" +// +kubebuilder:validation:XValidation:rule="self.type == 'PrivateLink' ? has(self.privateLink) : !has(self.privateLink)",message="privateLink is required when type is PrivateLink, and forbidden otherwise" // +union type AzurePrivateSpec struct { // type specifies the private connectivity mechanism used for the hosted cluster's API server. diff --git a/cmd/install/assets/crds/hypershift-operator/tests/hostedclusters.hypershift.openshift.io/stable.hostedclusters.azure.testsuite.yaml b/cmd/install/assets/crds/hypershift-operator/tests/hostedclusters.hypershift.openshift.io/stable.hostedclusters.azure.testsuite.yaml index fcc57b19a30..84fbbe40b96 100644 --- a/cmd/install/assets/crds/hypershift-operator/tests/hostedclusters.hypershift.openshift.io/stable.hostedclusters.azure.testsuite.yaml +++ b/cmd/install/assets/crds/hypershift-operator/tests/hostedclusters.hypershift.openshift.io/stable.hostedclusters.azure.testsuite.yaml @@ -613,7 +613,7 @@ tests: servicePublishingStrategy: type: Route route: {} - expectedError: "privateLink is required when type is PrivateLink" + expectedError: "privateLink is required when type is PrivateLink, and forbidden otherwise" - name: When Azure PrivateLink type is set with privateLink config it should pass initial: | From 8716defaf203936af003bddfc74d7f7f4e9131d4 Mon Sep 17 00:00:00 2001 From: enxebre Date: Wed, 13 May 2026 10:32:44 +0200 Subject: [PATCH 4/4] chore(api): regenerate CRD manifests Co-Authored-By: Claude Opus 4.6 (1M context) --- .../AAA_ungated.yaml | 9 ++++----- .../ClusterUpdateAcceptRisks.yaml | 9 ++++----- .../ClusterVersionOperatorConfiguration.yaml | 9 ++++----- .../ExternalOIDC.yaml | 9 ++++----- .../ExternalOIDCWithUIDAndExtraClaimMappings.yaml | 9 ++++----- .../ExternalOIDCWithUpstreamParity.yaml | 9 ++++----- .../GCPPlatform.yaml | 9 ++++----- .../HCPEtcdBackup.yaml | 9 ++++----- .../HyperShiftOnlyDynamicResourceAllocation.yaml | 9 ++++----- .../ImageStreamImportMode.yaml | 9 ++++----- .../KMSEncryptionProvider.yaml | 9 ++++----- .../OpenStack.yaml | 9 ++++----- .../TLSAdherence.yaml | 9 ++++----- .../AAA_ungated.yaml | 9 ++++----- .../ClusterUpdateAcceptRisks.yaml | 9 ++++----- .../ClusterVersionOperatorConfiguration.yaml | 9 ++++----- .../ExternalOIDC.yaml | 9 ++++----- .../ExternalOIDCWithUIDAndExtraClaimMappings.yaml | 9 ++++----- .../ExternalOIDCWithUpstreamParity.yaml | 9 ++++----- .../GCPPlatform.yaml | 9 ++++----- .../HCPEtcdBackup.yaml | 9 ++++----- .../HyperShiftOnlyDynamicResourceAllocation.yaml | 9 ++++----- .../ImageStreamImportMode.yaml | 9 ++++----- .../KMSEncryptionProvider.yaml | 9 ++++----- .../OpenStack.yaml | 9 ++++----- .../TLSAdherence.yaml | 9 ++++----- .../hostedclusters-Hypershift-CustomNoUpgrade.crd.yaml | 9 ++++----- .../hostedclusters-Hypershift-Default.crd.yaml | 9 ++++----- ...stedclusters-Hypershift-TechPreviewNoUpgrade.crd.yaml | 9 ++++----- ...stedcontrolplanes-Hypershift-CustomNoUpgrade.crd.yaml | 9 ++++----- .../hostedcontrolplanes-Hypershift-Default.crd.yaml | 9 ++++----- ...ontrolplanes-Hypershift-TechPreviewNoUpgrade.crd.yaml | 9 ++++----- .../openshift/hypershift/api/hypershift/v1beta1/azure.go | 3 +-- 33 files changed, 129 insertions(+), 162 deletions(-) diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/AAA_ungated.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/AAA_ungated.yaml index cc09043ad43..e5e928dc898 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/AAA_ungated.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/AAA_ungated.yaml @@ -5291,11 +5291,10 @@ spec: - type type: object x-kubernetes-validations: - - message: privateLink is forbidden when type is not PrivateLink - rule: 'self.type != ''PrivateLink'' ? !has(self.privateLink) - : true' - - message: privateLink is required when type is PrivateLink - rule: self.type != 'PrivateLink' || has(self.privateLink) + - message: privateLink is required when type is PrivateLink, + and forbidden otherwise + rule: 'self.type == ''PrivateLink'' ? has(self.privateLink) + : !has(self.privateLink)' resourceGroup: default: default description: |- diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ClusterUpdateAcceptRisks.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ClusterUpdateAcceptRisks.yaml index ccddf92f394..40083476fa4 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ClusterUpdateAcceptRisks.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ClusterUpdateAcceptRisks.yaml @@ -5282,11 +5282,10 @@ spec: - type type: object x-kubernetes-validations: - - message: privateLink is forbidden when type is not PrivateLink - rule: 'self.type != ''PrivateLink'' ? !has(self.privateLink) - : true' - - message: privateLink is required when type is PrivateLink - rule: self.type != 'PrivateLink' || has(self.privateLink) + - message: privateLink is required when type is PrivateLink, + and forbidden otherwise + rule: 'self.type == ''PrivateLink'' ? has(self.privateLink) + : !has(self.privateLink)' resourceGroup: default: default description: |- diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ClusterVersionOperatorConfiguration.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ClusterVersionOperatorConfiguration.yaml index 9cffbe945aa..955788dbad9 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ClusterVersionOperatorConfiguration.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ClusterVersionOperatorConfiguration.yaml @@ -5302,11 +5302,10 @@ spec: - type type: object x-kubernetes-validations: - - message: privateLink is forbidden when type is not PrivateLink - rule: 'self.type != ''PrivateLink'' ? !has(self.privateLink) - : true' - - message: privateLink is required when type is PrivateLink - rule: self.type != 'PrivateLink' || has(self.privateLink) + - message: privateLink is required when type is PrivateLink, + and forbidden otherwise + rule: 'self.type == ''PrivateLink'' ? has(self.privateLink) + : !has(self.privateLink)' resourceGroup: default: default description: |- diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ExternalOIDC.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ExternalOIDC.yaml index 7905d4518ee..fe08c90b5c2 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ExternalOIDC.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ExternalOIDC.yaml @@ -5614,11 +5614,10 @@ spec: - type type: object x-kubernetes-validations: - - message: privateLink is forbidden when type is not PrivateLink - rule: 'self.type != ''PrivateLink'' ? !has(self.privateLink) - : true' - - message: privateLink is required when type is PrivateLink - rule: self.type != 'PrivateLink' || has(self.privateLink) + - message: privateLink is required when type is PrivateLink, + and forbidden otherwise + rule: 'self.type == ''PrivateLink'' ? has(self.privateLink) + : !has(self.privateLink)' resourceGroup: default: default description: |- diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml index bfe1e545a0b..6afcef0d203 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml @@ -5754,11 +5754,10 @@ spec: - type type: object x-kubernetes-validations: - - message: privateLink is forbidden when type is not PrivateLink - rule: 'self.type != ''PrivateLink'' ? !has(self.privateLink) - : true' - - message: privateLink is required when type is PrivateLink - rule: self.type != 'PrivateLink' || has(self.privateLink) + - message: privateLink is required when type is PrivateLink, + and forbidden otherwise + rule: 'self.type == ''PrivateLink'' ? has(self.privateLink) + : !has(self.privateLink)' resourceGroup: default: default description: |- diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ExternalOIDCWithUpstreamParity.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ExternalOIDCWithUpstreamParity.yaml index d132b606374..9faf2cdb0f5 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ExternalOIDCWithUpstreamParity.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ExternalOIDCWithUpstreamParity.yaml @@ -5745,11 +5745,10 @@ spec: - type type: object x-kubernetes-validations: - - message: privateLink is forbidden when type is not PrivateLink - rule: 'self.type != ''PrivateLink'' ? !has(self.privateLink) - : true' - - message: privateLink is required when type is PrivateLink - rule: self.type != 'PrivateLink' || has(self.privateLink) + - message: privateLink is required when type is PrivateLink, + and forbidden otherwise + rule: 'self.type == ''PrivateLink'' ? has(self.privateLink) + : !has(self.privateLink)' resourceGroup: default: default description: |- diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/GCPPlatform.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/GCPPlatform.yaml index 5cd80d09777..990cee3aae3 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/GCPPlatform.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/GCPPlatform.yaml @@ -5282,11 +5282,10 @@ spec: - type type: object x-kubernetes-validations: - - message: privateLink is forbidden when type is not PrivateLink - rule: 'self.type != ''PrivateLink'' ? !has(self.privateLink) - : true' - - message: privateLink is required when type is PrivateLink - rule: self.type != 'PrivateLink' || has(self.privateLink) + - message: privateLink is required when type is PrivateLink, + and forbidden otherwise + rule: 'self.type == ''PrivateLink'' ? has(self.privateLink) + : !has(self.privateLink)' resourceGroup: default: default description: |- diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/HCPEtcdBackup.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/HCPEtcdBackup.yaml index 3f6b97dcc9f..abe0886f01f 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/HCPEtcdBackup.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/HCPEtcdBackup.yaml @@ -5347,11 +5347,10 @@ spec: - type type: object x-kubernetes-validations: - - message: privateLink is forbidden when type is not PrivateLink - rule: 'self.type != ''PrivateLink'' ? !has(self.privateLink) - : true' - - message: privateLink is required when type is PrivateLink - rule: self.type != 'PrivateLink' || has(self.privateLink) + - message: privateLink is required when type is PrivateLink, + and forbidden otherwise + rule: 'self.type == ''PrivateLink'' ? has(self.privateLink) + : !has(self.privateLink)' resourceGroup: default: default description: |- diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/HyperShiftOnlyDynamicResourceAllocation.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/HyperShiftOnlyDynamicResourceAllocation.yaml index f8ec33b0081..76cee1f00bd 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/HyperShiftOnlyDynamicResourceAllocation.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/HyperShiftOnlyDynamicResourceAllocation.yaml @@ -5304,11 +5304,10 @@ spec: - type type: object x-kubernetes-validations: - - message: privateLink is forbidden when type is not PrivateLink - rule: 'self.type != ''PrivateLink'' ? !has(self.privateLink) - : true' - - message: privateLink is required when type is PrivateLink - rule: self.type != 'PrivateLink' || has(self.privateLink) + - message: privateLink is required when type is PrivateLink, + and forbidden otherwise + rule: 'self.type == ''PrivateLink'' ? has(self.privateLink) + : !has(self.privateLink)' resourceGroup: default: default description: |- diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ImageStreamImportMode.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ImageStreamImportMode.yaml index 5b047b5b78a..bf1e2c27397 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ImageStreamImportMode.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ImageStreamImportMode.yaml @@ -5300,11 +5300,10 @@ spec: - type type: object x-kubernetes-validations: - - message: privateLink is forbidden when type is not PrivateLink - rule: 'self.type != ''PrivateLink'' ? !has(self.privateLink) - : true' - - message: privateLink is required when type is PrivateLink - rule: self.type != 'PrivateLink' || has(self.privateLink) + - message: privateLink is required when type is PrivateLink, + and forbidden otherwise + rule: 'self.type == ''PrivateLink'' ? has(self.privateLink) + : !has(self.privateLink)' resourceGroup: default: default description: |- diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/KMSEncryptionProvider.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/KMSEncryptionProvider.yaml index 036f0f33d41..a1263ec4683 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/KMSEncryptionProvider.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/KMSEncryptionProvider.yaml @@ -5358,11 +5358,10 @@ spec: - type type: object x-kubernetes-validations: - - message: privateLink is forbidden when type is not PrivateLink - rule: 'self.type != ''PrivateLink'' ? !has(self.privateLink) - : true' - - message: privateLink is required when type is PrivateLink - rule: self.type != 'PrivateLink' || has(self.privateLink) + - message: privateLink is required when type is PrivateLink, + and forbidden otherwise + rule: 'self.type == ''PrivateLink'' ? has(self.privateLink) + : !has(self.privateLink)' resourceGroup: default: default description: |- diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/OpenStack.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/OpenStack.yaml index 8569398177a..93eee39d119 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/OpenStack.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/OpenStack.yaml @@ -5282,11 +5282,10 @@ spec: - type type: object x-kubernetes-validations: - - message: privateLink is forbidden when type is not PrivateLink - rule: 'self.type != ''PrivateLink'' ? !has(self.privateLink) - : true' - - message: privateLink is required when type is PrivateLink - rule: self.type != 'PrivateLink' || has(self.privateLink) + - message: privateLink is required when type is PrivateLink, + and forbidden otherwise + rule: 'self.type == ''PrivateLink'' ? has(self.privateLink) + : !has(self.privateLink)' resourceGroup: default: default description: |- diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/TLSAdherence.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/TLSAdherence.yaml index 330df8308b7..377f44044e1 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/TLSAdherence.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/TLSAdherence.yaml @@ -5322,11 +5322,10 @@ spec: - type type: object x-kubernetes-validations: - - message: privateLink is forbidden when type is not PrivateLink - rule: 'self.type != ''PrivateLink'' ? !has(self.privateLink) - : true' - - message: privateLink is required when type is PrivateLink - rule: self.type != 'PrivateLink' || has(self.privateLink) + - message: privateLink is required when type is PrivateLink, + and forbidden otherwise + rule: 'self.type == ''PrivateLink'' ? has(self.privateLink) + : !has(self.privateLink)' resourceGroup: default: default description: |- diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/AAA_ungated.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/AAA_ungated.yaml index 1e82f6d96c0..1d833e21ca6 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/AAA_ungated.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/AAA_ungated.yaml @@ -5171,11 +5171,10 @@ spec: - type type: object x-kubernetes-validations: - - message: privateLink is forbidden when type is not PrivateLink - rule: 'self.type != ''PrivateLink'' ? !has(self.privateLink) - : true' - - message: privateLink is required when type is PrivateLink - rule: self.type != 'PrivateLink' || has(self.privateLink) + - message: privateLink is required when type is PrivateLink, + and forbidden otherwise + rule: 'self.type == ''PrivateLink'' ? has(self.privateLink) + : !has(self.privateLink)' resourceGroup: default: default description: |- diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ClusterUpdateAcceptRisks.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ClusterUpdateAcceptRisks.yaml index d86ea27746f..8194e7799d5 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ClusterUpdateAcceptRisks.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ClusterUpdateAcceptRisks.yaml @@ -5162,11 +5162,10 @@ spec: - type type: object x-kubernetes-validations: - - message: privateLink is forbidden when type is not PrivateLink - rule: 'self.type != ''PrivateLink'' ? !has(self.privateLink) - : true' - - message: privateLink is required when type is PrivateLink - rule: self.type != 'PrivateLink' || has(self.privateLink) + - message: privateLink is required when type is PrivateLink, + and forbidden otherwise + rule: 'self.type == ''PrivateLink'' ? has(self.privateLink) + : !has(self.privateLink)' resourceGroup: default: default description: |- diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ClusterVersionOperatorConfiguration.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ClusterVersionOperatorConfiguration.yaml index 4f3e96aa248..ee97b0bf9ea 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ClusterVersionOperatorConfiguration.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ClusterVersionOperatorConfiguration.yaml @@ -5182,11 +5182,10 @@ spec: - type type: object x-kubernetes-validations: - - message: privateLink is forbidden when type is not PrivateLink - rule: 'self.type != ''PrivateLink'' ? !has(self.privateLink) - : true' - - message: privateLink is required when type is PrivateLink - rule: self.type != 'PrivateLink' || has(self.privateLink) + - message: privateLink is required when type is PrivateLink, + and forbidden otherwise + rule: 'self.type == ''PrivateLink'' ? has(self.privateLink) + : !has(self.privateLink)' resourceGroup: default: default description: |- diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ExternalOIDC.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ExternalOIDC.yaml index 0a418db0ffe..03882677840 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ExternalOIDC.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ExternalOIDC.yaml @@ -5494,11 +5494,10 @@ spec: - type type: object x-kubernetes-validations: - - message: privateLink is forbidden when type is not PrivateLink - rule: 'self.type != ''PrivateLink'' ? !has(self.privateLink) - : true' - - message: privateLink is required when type is PrivateLink - rule: self.type != 'PrivateLink' || has(self.privateLink) + - message: privateLink is required when type is PrivateLink, + and forbidden otherwise + rule: 'self.type == ''PrivateLink'' ? has(self.privateLink) + : !has(self.privateLink)' resourceGroup: default: default description: |- diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml index a89e3c54b10..31cb9e39a95 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml @@ -5634,11 +5634,10 @@ spec: - type type: object x-kubernetes-validations: - - message: privateLink is forbidden when type is not PrivateLink - rule: 'self.type != ''PrivateLink'' ? !has(self.privateLink) - : true' - - message: privateLink is required when type is PrivateLink - rule: self.type != 'PrivateLink' || has(self.privateLink) + - message: privateLink is required when type is PrivateLink, + and forbidden otherwise + rule: 'self.type == ''PrivateLink'' ? has(self.privateLink) + : !has(self.privateLink)' resourceGroup: default: default description: |- diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ExternalOIDCWithUpstreamParity.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ExternalOIDCWithUpstreamParity.yaml index ff355cd8ead..dac1ead4844 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ExternalOIDCWithUpstreamParity.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ExternalOIDCWithUpstreamParity.yaml @@ -5625,11 +5625,10 @@ spec: - type type: object x-kubernetes-validations: - - message: privateLink is forbidden when type is not PrivateLink - rule: 'self.type != ''PrivateLink'' ? !has(self.privateLink) - : true' - - message: privateLink is required when type is PrivateLink - rule: self.type != 'PrivateLink' || has(self.privateLink) + - message: privateLink is required when type is PrivateLink, + and forbidden otherwise + rule: 'self.type == ''PrivateLink'' ? has(self.privateLink) + : !has(self.privateLink)' resourceGroup: default: default description: |- diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/GCPPlatform.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/GCPPlatform.yaml index 9524e7a109d..a862e1dc02f 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/GCPPlatform.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/GCPPlatform.yaml @@ -5162,11 +5162,10 @@ spec: - type type: object x-kubernetes-validations: - - message: privateLink is forbidden when type is not PrivateLink - rule: 'self.type != ''PrivateLink'' ? !has(self.privateLink) - : true' - - message: privateLink is required when type is PrivateLink - rule: self.type != 'PrivateLink' || has(self.privateLink) + - message: privateLink is required when type is PrivateLink, + and forbidden otherwise + rule: 'self.type == ''PrivateLink'' ? has(self.privateLink) + : !has(self.privateLink)' resourceGroup: default: default description: |- diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/HCPEtcdBackup.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/HCPEtcdBackup.yaml index b6e5e232ca9..f8dc77d0c2e 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/HCPEtcdBackup.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/HCPEtcdBackup.yaml @@ -5227,11 +5227,10 @@ spec: - type type: object x-kubernetes-validations: - - message: privateLink is forbidden when type is not PrivateLink - rule: 'self.type != ''PrivateLink'' ? !has(self.privateLink) - : true' - - message: privateLink is required when type is PrivateLink - rule: self.type != 'PrivateLink' || has(self.privateLink) + - message: privateLink is required when type is PrivateLink, + and forbidden otherwise + rule: 'self.type == ''PrivateLink'' ? has(self.privateLink) + : !has(self.privateLink)' resourceGroup: default: default description: |- diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/HyperShiftOnlyDynamicResourceAllocation.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/HyperShiftOnlyDynamicResourceAllocation.yaml index 72908a81f76..667923bb2e9 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/HyperShiftOnlyDynamicResourceAllocation.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/HyperShiftOnlyDynamicResourceAllocation.yaml @@ -5184,11 +5184,10 @@ spec: - type type: object x-kubernetes-validations: - - message: privateLink is forbidden when type is not PrivateLink - rule: 'self.type != ''PrivateLink'' ? !has(self.privateLink) - : true' - - message: privateLink is required when type is PrivateLink - rule: self.type != 'PrivateLink' || has(self.privateLink) + - message: privateLink is required when type is PrivateLink, + and forbidden otherwise + rule: 'self.type == ''PrivateLink'' ? has(self.privateLink) + : !has(self.privateLink)' resourceGroup: default: default description: |- diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ImageStreamImportMode.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ImageStreamImportMode.yaml index 607d252410f..55a2555f888 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ImageStreamImportMode.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ImageStreamImportMode.yaml @@ -5180,11 +5180,10 @@ spec: - type type: object x-kubernetes-validations: - - message: privateLink is forbidden when type is not PrivateLink - rule: 'self.type != ''PrivateLink'' ? !has(self.privateLink) - : true' - - message: privateLink is required when type is PrivateLink - rule: self.type != 'PrivateLink' || has(self.privateLink) + - message: privateLink is required when type is PrivateLink, + and forbidden otherwise + rule: 'self.type == ''PrivateLink'' ? has(self.privateLink) + : !has(self.privateLink)' resourceGroup: default: default description: |- diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/KMSEncryptionProvider.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/KMSEncryptionProvider.yaml index e19f8796d12..4dcb4e6c362 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/KMSEncryptionProvider.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/KMSEncryptionProvider.yaml @@ -5238,11 +5238,10 @@ spec: - type type: object x-kubernetes-validations: - - message: privateLink is forbidden when type is not PrivateLink - rule: 'self.type != ''PrivateLink'' ? !has(self.privateLink) - : true' - - message: privateLink is required when type is PrivateLink - rule: self.type != 'PrivateLink' || has(self.privateLink) + - message: privateLink is required when type is PrivateLink, + and forbidden otherwise + rule: 'self.type == ''PrivateLink'' ? has(self.privateLink) + : !has(self.privateLink)' resourceGroup: default: default description: |- diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/OpenStack.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/OpenStack.yaml index 9d9d8ccb16a..da6e7167b43 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/OpenStack.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/OpenStack.yaml @@ -5162,11 +5162,10 @@ spec: - type type: object x-kubernetes-validations: - - message: privateLink is forbidden when type is not PrivateLink - rule: 'self.type != ''PrivateLink'' ? !has(self.privateLink) - : true' - - message: privateLink is required when type is PrivateLink - rule: self.type != 'PrivateLink' || has(self.privateLink) + - message: privateLink is required when type is PrivateLink, + and forbidden otherwise + rule: 'self.type == ''PrivateLink'' ? has(self.privateLink) + : !has(self.privateLink)' resourceGroup: default: default description: |- diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/TLSAdherence.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/TLSAdherence.yaml index b14cb6a2dc8..75d60b7d459 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/TLSAdherence.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/TLSAdherence.yaml @@ -5202,11 +5202,10 @@ spec: - type type: object x-kubernetes-validations: - - message: privateLink is forbidden when type is not PrivateLink - rule: 'self.type != ''PrivateLink'' ? !has(self.privateLink) - : true' - - message: privateLink is required when type is PrivateLink - rule: self.type != 'PrivateLink' || has(self.privateLink) + - message: privateLink is required when type is PrivateLink, + and forbidden otherwise + rule: 'self.type == ''PrivateLink'' ? has(self.privateLink) + : !has(self.privateLink)' resourceGroup: default: default description: |- diff --git a/cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedclusters-Hypershift-CustomNoUpgrade.crd.yaml b/cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedclusters-Hypershift-CustomNoUpgrade.crd.yaml index a692d9cf285..742c4609575 100644 --- a/cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedclusters-Hypershift-CustomNoUpgrade.crd.yaml +++ b/cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedclusters-Hypershift-CustomNoUpgrade.crd.yaml @@ -6133,11 +6133,10 @@ spec: - type type: object x-kubernetes-validations: - - message: privateLink is forbidden when type is not PrivateLink - rule: 'self.type != ''PrivateLink'' ? !has(self.privateLink) - : true' - - message: privateLink is required when type is PrivateLink - rule: self.type != 'PrivateLink' || has(self.privateLink) + - message: privateLink is required when type is PrivateLink, + and forbidden otherwise + rule: 'self.type == ''PrivateLink'' ? has(self.privateLink) + : !has(self.privateLink)' resourceGroup: default: default description: |- diff --git a/cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedclusters-Hypershift-Default.crd.yaml b/cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedclusters-Hypershift-Default.crd.yaml index b415596eb07..b70562b4dbf 100644 --- a/cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedclusters-Hypershift-Default.crd.yaml +++ b/cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedclusters-Hypershift-Default.crd.yaml @@ -5783,11 +5783,10 @@ spec: - type type: object x-kubernetes-validations: - - message: privateLink is forbidden when type is not PrivateLink - rule: 'self.type != ''PrivateLink'' ? !has(self.privateLink) - : true' - - message: privateLink is required when type is PrivateLink - rule: self.type != 'PrivateLink' || has(self.privateLink) + - message: privateLink is required when type is PrivateLink, + and forbidden otherwise + rule: 'self.type == ''PrivateLink'' ? has(self.privateLink) + : !has(self.privateLink)' resourceGroup: default: default description: |- diff --git a/cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedclusters-Hypershift-TechPreviewNoUpgrade.crd.yaml b/cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedclusters-Hypershift-TechPreviewNoUpgrade.crd.yaml index eed5c864aaa..c56f7d18bce 100644 --- a/cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedclusters-Hypershift-TechPreviewNoUpgrade.crd.yaml +++ b/cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedclusters-Hypershift-TechPreviewNoUpgrade.crd.yaml @@ -6004,11 +6004,10 @@ spec: - type type: object x-kubernetes-validations: - - message: privateLink is forbidden when type is not PrivateLink - rule: 'self.type != ''PrivateLink'' ? !has(self.privateLink) - : true' - - message: privateLink is required when type is PrivateLink - rule: self.type != 'PrivateLink' || has(self.privateLink) + - message: privateLink is required when type is PrivateLink, + and forbidden otherwise + rule: 'self.type == ''PrivateLink'' ? has(self.privateLink) + : !has(self.privateLink)' resourceGroup: default: default description: |- diff --git a/cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedcontrolplanes-Hypershift-CustomNoUpgrade.crd.yaml b/cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedcontrolplanes-Hypershift-CustomNoUpgrade.crd.yaml index f5e573b6a8b..8fed73ad00d 100644 --- a/cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedcontrolplanes-Hypershift-CustomNoUpgrade.crd.yaml +++ b/cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedcontrolplanes-Hypershift-CustomNoUpgrade.crd.yaml @@ -6013,11 +6013,10 @@ spec: - type type: object x-kubernetes-validations: - - message: privateLink is forbidden when type is not PrivateLink - rule: 'self.type != ''PrivateLink'' ? !has(self.privateLink) - : true' - - message: privateLink is required when type is PrivateLink - rule: self.type != 'PrivateLink' || has(self.privateLink) + - message: privateLink is required when type is PrivateLink, + and forbidden otherwise + rule: 'self.type == ''PrivateLink'' ? has(self.privateLink) + : !has(self.privateLink)' resourceGroup: default: default description: |- diff --git a/cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedcontrolplanes-Hypershift-Default.crd.yaml b/cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedcontrolplanes-Hypershift-Default.crd.yaml index f0e741b5825..ac2928451c8 100644 --- a/cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedcontrolplanes-Hypershift-Default.crd.yaml +++ b/cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedcontrolplanes-Hypershift-Default.crd.yaml @@ -5663,11 +5663,10 @@ spec: - type type: object x-kubernetes-validations: - - message: privateLink is forbidden when type is not PrivateLink - rule: 'self.type != ''PrivateLink'' ? !has(self.privateLink) - : true' - - message: privateLink is required when type is PrivateLink - rule: self.type != 'PrivateLink' || has(self.privateLink) + - message: privateLink is required when type is PrivateLink, + and forbidden otherwise + rule: 'self.type == ''PrivateLink'' ? has(self.privateLink) + : !has(self.privateLink)' resourceGroup: default: default description: |- diff --git a/cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedcontrolplanes-Hypershift-TechPreviewNoUpgrade.crd.yaml b/cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedcontrolplanes-Hypershift-TechPreviewNoUpgrade.crd.yaml index 59a120afb2b..a2f47dbfdca 100644 --- a/cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedcontrolplanes-Hypershift-TechPreviewNoUpgrade.crd.yaml +++ b/cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedcontrolplanes-Hypershift-TechPreviewNoUpgrade.crd.yaml @@ -5884,11 +5884,10 @@ spec: - type type: object x-kubernetes-validations: - - message: privateLink is forbidden when type is not PrivateLink - rule: 'self.type != ''PrivateLink'' ? !has(self.privateLink) - : true' - - message: privateLink is required when type is PrivateLink - rule: self.type != 'PrivateLink' || has(self.privateLink) + - message: privateLink is required when type is PrivateLink, + and forbidden otherwise + rule: 'self.type == ''PrivateLink'' ? has(self.privateLink) + : !has(self.privateLink)' resourceGroup: default: default description: |- diff --git a/vendor/github.com/openshift/hypershift/api/hypershift/v1beta1/azure.go b/vendor/github.com/openshift/hypershift/api/hypershift/v1beta1/azure.go index dde02010726..76c9a3efbab 100644 --- a/vendor/github.com/openshift/hypershift/api/hypershift/v1beta1/azure.go +++ b/vendor/github.com/openshift/hypershift/api/hypershift/v1beta1/azure.go @@ -668,8 +668,7 @@ const ( // mechanism. Currently only PrivateLink is supported; additional mechanisms (e.g., Swift) may // be added in the future. // -// +kubebuilder:validation:XValidation:rule="self.type != 'PrivateLink' ? !has(self.privateLink) : true",message="privateLink is forbidden when type is not PrivateLink" -// +kubebuilder:validation:XValidation:rule="self.type != 'PrivateLink' || has(self.privateLink)",message="privateLink is required when type is PrivateLink" +// +kubebuilder:validation:XValidation:rule="self.type == 'PrivateLink' ? has(self.privateLink) : !has(self.privateLink)",message="privateLink is required when type is PrivateLink, and forbidden otherwise" // +union type AzurePrivateSpec struct { // type specifies the private connectivity mechanism used for the hosted cluster's API server.