Skip to content

NO-JIRA: Fix Azure private/topology CEL validation rules #8490

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
openshift-merge-bot merged 4 commits into from
Jun 3, 2026
Merged

NO-JIRA: Fix Azure private/topology CEL validation rules #8490

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
b7c2d4a
fix(api): fix Azure private/topology CEL validation rules
enxebre May 12, 2026
67b6641
chore(api): regenerate CRD manifests
enxebre May 12, 2026
1473bae
fix(api): consolidate privateLink CEL rules into single bidirectional…
enxebre May 13, 2026
8716def
chore(api): regenerate CRD manifests
enxebre May 13, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions api/hypershift/v1beta1/azure.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -362,7 +362,7 @@ type AzureNodePoolOSDisk struct {
// +kubebuilder:validation:XValidation:rule="has(self.private) == has(oldSelf.private)",message="private cannot be added or removed after cluster creation"
// +kubebuilder:validation:XValidation:rule="!has(oldSelf.topology) || has(self.topology)",message="topology cannot be removed once set"
// +kubebuilder:validation:XValidation:rule="!has(self.topology) || !has(oldSelf.topology) || (self.topology == 'Public') == (oldSelf.topology == 'Public')",message="transitions between Public and non-Public topology are not supported"
// +kubebuilder:validation:XValidation:rule="!has(self.topology) || ((self.topology == 'Private' || self.topology == 'PublicAndPrivate') ? has(self.private) : !has(self.private))",message="private is required when topology is Private or PublicAndPrivate, and forbidden otherwise"
// +kubebuilder:validation:XValidation:rule="has(self.topology) && (self.topology == 'Private' || self.topology == 'PublicAndPrivate') ? has(self.private) : !has(self.private)",message="private is required when topology is Private or PublicAndPrivate, and forbidden otherwise"
// +kubebuilder:validation:XValidation:rule="!has(self.private) || self.private.type != 'PrivateLink' || self.azureAuthenticationConfig.azureAuthenticationConfigType != 'WorkloadIdentities' || has(self.azureAuthenticationConfig.workloadIdentities.controlPlaneOperator)",message="workloadIdentities.controlPlaneOperator is required when Private Link is configured with WorkloadIdentities authentication"
type AzurePlatformSpec struct {
// cloud is the cloud environment identifier, valid values could be found here: https://github.com/Azure/go-autorest/blob/4c0e21ca2bbb3251fe7853e6f9df6397f53dd419/autorest/azure/environments.go#L33
Expand Down Expand Up @@ -668,7 +668,7 @@ const (
// mechanism. Currently only PrivateLink is supported; additional mechanisms (e.g., Swift) may
// be added in the future.
//
// +kubebuilder:validation:XValidation:rule="self.type != 'PrivateLink' ? !has(self.privateLink) : true",message="privateLink is forbidden when type is not PrivateLink"
// +kubebuilder:validation:XValidation:rule="self.type == 'PrivateLink' ? has(self.privateLink) : !has(self.privateLink)",message="privateLink is required when type is PrivateLink, and forbidden otherwise"
// +union

@muraee muraee May 12, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can't those 2 rules be combined?

// +kubebuilder:validation:XValidation:rule="(self.type == 'PrivateLink') == has(self.privateLink)",message="privateLink must be set if and only if type is PrivateLink"

@enxebre enxebre May 12, 2026

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

sgtm, @JoelSpeed is there any preference / convention for this? what's the impact on budget?

@JoelSpeed JoelSpeed May 12, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The one we typically use for this is

// +kubebuilder:validation:XValidation:rule="self.type == 'PrivateLink' ? has(self.privateLink) : !has(self.privateLink)",message="privateLink is required when type is PrivateLink, and forbidden otherwise"

type AzurePrivateSpec struct {
// type specifies the private connectivity mechanism used for the hosted cluster's API server.
Expand Down
13 changes: 7 additions & 6 deletions ...erated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/AAA_ungated.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5291,9 +5291,10 @@ spec:
- type
type: object
x-kubernetes-validations:
- message: privateLink is forbidden when type is not PrivateLink
rule: 'self.type != ''PrivateLink'' ? !has(self.privateLink)
: true'
- message: privateLink is required when type is PrivateLink,
and forbidden otherwise
rule: 'self.type == ''PrivateLink'' ? has(self.privateLink)
: !has(self.privateLink)'
resourceGroup:
default: default
description: |-
Expand Down Expand Up @@ -5428,9 +5429,9 @@ spec:
== ''Public'') == (oldSelf.topology == ''Public'')'
- message: private is required when topology is Private or PublicAndPrivate,
and forbidden otherwise
rule: '!has(self.topology) || ((self.topology == ''Private''
|| self.topology == ''PublicAndPrivate'') ? has(self.private)
: !has(self.private))'
rule: 'has(self.topology) && (self.topology == ''Private'' ||
self.topology == ''PublicAndPrivate'') ? has(self.private)
: !has(self.private)'
- message: workloadIdentities.controlPlaneOperator is required
when Private Link is configured with WorkloadIdentities authentication
rule: '!has(self.private) || self.private.type != ''PrivateLink''
Expand Down
13 changes: 7 additions & 6 deletions ...egated-crd-manifests/hostedclusters.hypershift.openshift.io/ClusterUpdateAcceptRisks.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5282,9 +5282,10 @@ spec:
- type
type: object
x-kubernetes-validations:
- message: privateLink is forbidden when type is not PrivateLink
rule: 'self.type != ''PrivateLink'' ? !has(self.privateLink)
: true'
- message: privateLink is required when type is PrivateLink,
and forbidden otherwise
rule: 'self.type == ''PrivateLink'' ? has(self.privateLink)
: !has(self.privateLink)'
resourceGroup:
default: default
description: |-
Expand Down Expand Up @@ -5419,9 +5420,9 @@ spec:
== ''Public'') == (oldSelf.topology == ''Public'')'
- message: private is required when topology is Private or PublicAndPrivate,
and forbidden otherwise
rule: '!has(self.topology) || ((self.topology == ''Private''
|| self.topology == ''PublicAndPrivate'') ? has(self.private)
: !has(self.private))'
rule: 'has(self.topology) && (self.topology == ''Private'' ||
self.topology == ''PublicAndPrivate'') ? has(self.private)
: !has(self.private)'
- message: workloadIdentities.controlPlaneOperator is required
when Private Link is configured with WorkloadIdentities authentication
rule: '!has(self.private) || self.private.type != ''PrivateLink''
Expand Down
13 changes: 7 additions & 6 deletions ...manifests/hostedclusters.hypershift.openshift.io/ClusterVersionOperatorConfiguration.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5302,9 +5302,10 @@ spec:
- type
type: object
x-kubernetes-validations:
- message: privateLink is forbidden when type is not PrivateLink
rule: 'self.type != ''PrivateLink'' ? !has(self.privateLink)
: true'
- message: privateLink is required when type is PrivateLink,
and forbidden otherwise
rule: 'self.type == ''PrivateLink'' ? has(self.privateLink)
: !has(self.privateLink)'
resourceGroup:
default: default
description: |-
Expand Down Expand Up @@ -5439,9 +5440,9 @@ spec:
== ''Public'') == (oldSelf.topology == ''Public'')'
- message: private is required when topology is Private or PublicAndPrivate,
and forbidden otherwise
rule: '!has(self.topology) || ((self.topology == ''Private''
|| self.topology == ''PublicAndPrivate'') ? has(self.private)
: !has(self.private))'
rule: 'has(self.topology) && (self.topology == ''Private'' ||
self.topology == ''PublicAndPrivate'') ? has(self.private)
: !has(self.private)'
- message: workloadIdentities.controlPlaneOperator is required
when Private Link is configured with WorkloadIdentities authentication
rule: '!has(self.private) || self.private.type != ''PrivateLink''
Expand Down
13 changes: 7 additions & 6 deletions ...rated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ExternalOIDC.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5614,9 +5614,10 @@ spec:
- type
type: object
x-kubernetes-validations:
- message: privateLink is forbidden when type is not PrivateLink
rule: 'self.type != ''PrivateLink'' ? !has(self.privateLink)
: true'
- message: privateLink is required when type is PrivateLink,
and forbidden otherwise
rule: 'self.type == ''PrivateLink'' ? has(self.privateLink)
: !has(self.privateLink)'
resourceGroup:
default: default
description: |-
Expand Down Expand Up @@ -5751,9 +5752,9 @@ spec:
== ''Public'') == (oldSelf.topology == ''Public'')'
- message: private is required when topology is Private or PublicAndPrivate,
and forbidden otherwise
rule: '!has(self.topology) || ((self.topology == ''Private''
|| self.topology == ''PublicAndPrivate'') ? has(self.private)
: !has(self.private))'
rule: 'has(self.topology) && (self.topology == ''Private'' ||
self.topology == ''PublicAndPrivate'') ? has(self.private)
: !has(self.private)'
- message: workloadIdentities.controlPlaneOperator is required
when Private Link is configured with WorkloadIdentities authentication
rule: '!has(self.private) || self.private.type != ''PrivateLink''
Expand Down
13 changes: 7 additions & 6 deletions ...ests/hostedclusters.hypershift.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5754,9 +5754,10 @@ spec:
- type
type: object
x-kubernetes-validations:
- message: privateLink is forbidden when type is not PrivateLink
rule: 'self.type != ''PrivateLink'' ? !has(self.privateLink)
: true'
- message: privateLink is required when type is PrivateLink,
and forbidden otherwise
rule: 'self.type == ''PrivateLink'' ? has(self.privateLink)
: !has(self.privateLink)'
resourceGroup:
default: default
description: |-
Expand Down Expand Up @@ -5891,9 +5892,9 @@ spec:
== ''Public'') == (oldSelf.topology == ''Public'')'
- message: private is required when topology is Private or PublicAndPrivate,
and forbidden otherwise
rule: '!has(self.topology) || ((self.topology == ''Private''
|| self.topology == ''PublicAndPrivate'') ? has(self.private)
: !has(self.private))'
rule: 'has(self.topology) && (self.topology == ''Private'' ||
self.topology == ''PublicAndPrivate'') ? has(self.private)
: !has(self.private)'
- message: workloadIdentities.controlPlaneOperator is required
when Private Link is configured with WorkloadIdentities authentication
rule: '!has(self.private) || self.private.type != ''PrivateLink''
Expand Down
13 changes: 7 additions & 6 deletions ...-crd-manifests/hostedclusters.hypershift.openshift.io/ExternalOIDCWithUpstreamParity.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5745,9 +5745,10 @@ spec:
- type
type: object
x-kubernetes-validations:
- message: privateLink is forbidden when type is not PrivateLink
rule: 'self.type != ''PrivateLink'' ? !has(self.privateLink)
: true'
- message: privateLink is required when type is PrivateLink,
and forbidden otherwise
rule: 'self.type == ''PrivateLink'' ? has(self.privateLink)
: !has(self.privateLink)'
resourceGroup:
default: default
description: |-
Expand Down Expand Up @@ -5882,9 +5883,9 @@ spec:
== ''Public'') == (oldSelf.topology == ''Public'')'
- message: private is required when topology is Private or PublicAndPrivate,
and forbidden otherwise
rule: '!has(self.topology) || ((self.topology == ''Private''
|| self.topology == ''PublicAndPrivate'') ? has(self.private)
: !has(self.private))'
rule: 'has(self.topology) && (self.topology == ''Private'' ||
self.topology == ''PublicAndPrivate'') ? has(self.private)
: !has(self.private)'
- message: workloadIdentities.controlPlaneOperator is required
when Private Link is configured with WorkloadIdentities authentication
rule: '!has(self.private) || self.private.type != ''PrivateLink''
Expand Down
13 changes: 7 additions & 6 deletions ...erated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/GCPPlatform.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5282,9 +5282,10 @@ spec:
- type
type: object
x-kubernetes-validations:
- message: privateLink is forbidden when type is not PrivateLink
rule: 'self.type != ''PrivateLink'' ? !has(self.privateLink)
: true'
- message: privateLink is required when type is PrivateLink,
and forbidden otherwise
rule: 'self.type == ''PrivateLink'' ? has(self.privateLink)
: !has(self.privateLink)'
resourceGroup:
default: default
description: |-
Expand Down Expand Up @@ -5419,9 +5420,9 @@ spec:
== ''Public'') == (oldSelf.topology == ''Public'')'
- message: private is required when topology is Private or PublicAndPrivate,
and forbidden otherwise
rule: '!has(self.topology) || ((self.topology == ''Private''
|| self.topology == ''PublicAndPrivate'') ? has(self.private)
: !has(self.private))'
rule: 'has(self.topology) && (self.topology == ''Private'' ||
self.topology == ''PublicAndPrivate'') ? has(self.private)
: !has(self.private)'
- message: workloadIdentities.controlPlaneOperator is required
when Private Link is configured with WorkloadIdentities authentication
rule: '!has(self.private) || self.private.type != ''PrivateLink''
Expand Down
13 changes: 7 additions & 6 deletions ...ated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/HCPEtcdBackup.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5347,9 +5347,10 @@ spec:
- type
type: object
x-kubernetes-validations:
- message: privateLink is forbidden when type is not PrivateLink
rule: 'self.type != ''PrivateLink'' ? !has(self.privateLink)
: true'
- message: privateLink is required when type is PrivateLink,
and forbidden otherwise
rule: 'self.type == ''PrivateLink'' ? has(self.privateLink)
: !has(self.privateLink)'
resourceGroup:
default: default
description: |-
Expand Down Expand Up @@ -5484,9 +5485,9 @@ spec:
== ''Public'') == (oldSelf.topology == ''Public'')'
- message: private is required when topology is Private or PublicAndPrivate,
and forbidden otherwise
rule: '!has(self.topology) || ((self.topology == ''Private''
|| self.topology == ''PublicAndPrivate'') ? has(self.private)
: !has(self.private))'
rule: 'has(self.topology) && (self.topology == ''Private'' ||
self.topology == ''PublicAndPrivate'') ? has(self.private)
: !has(self.private)'
- message: workloadIdentities.controlPlaneOperator is required
when Private Link is configured with WorkloadIdentities authentication
rule: '!has(self.private) || self.private.type != ''PrivateLink''
Expand Down
13 changes: 7 additions & 6 deletions ...fests/hostedclusters.hypershift.openshift.io/HyperShiftOnlyDynamicResourceAllocation.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5304,9 +5304,10 @@ spec:
- type
type: object
x-kubernetes-validations:
- message: privateLink is forbidden when type is not PrivateLink
rule: 'self.type != ''PrivateLink'' ? !has(self.privateLink)
: true'
- message: privateLink is required when type is PrivateLink,
and forbidden otherwise
rule: 'self.type == ''PrivateLink'' ? has(self.privateLink)
: !has(self.privateLink)'
resourceGroup:
default: default
description: |-
Expand Down Expand Up @@ -5441,9 +5442,9 @@ spec:
== ''Public'') == (oldSelf.topology == ''Public'')'
- message: private is required when topology is Private or PublicAndPrivate,
and forbidden otherwise
rule: '!has(self.topology) || ((self.topology == ''Private''
|| self.topology == ''PublicAndPrivate'') ? has(self.private)
: !has(self.private))'
rule: 'has(self.topology) && (self.topology == ''Private'' ||
self.topology == ''PublicAndPrivate'') ? has(self.private)
: !has(self.private)'
- message: workloadIdentities.controlPlaneOperator is required
when Private Link is configured with WorkloadIdentities authentication
rule: '!has(self.private) || self.private.type != ''PrivateLink''
Expand Down
13 changes: 7 additions & 6 deletions ...turegated-crd-manifests/hostedclusters.hypershift.openshift.io/ImageStreamImportMode.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5300,9 +5300,10 @@ spec:
- type
type: object
x-kubernetes-validations:
- message: privateLink is forbidden when type is not PrivateLink
rule: 'self.type != ''PrivateLink'' ? !has(self.privateLink)
: true'
- message: privateLink is required when type is PrivateLink,
and forbidden otherwise
rule: 'self.type == ''PrivateLink'' ? has(self.privateLink)
: !has(self.privateLink)'
resourceGroup:
default: default
description: |-
Expand Down Expand Up @@ -5437,9 +5438,9 @@ spec:
== ''Public'') == (oldSelf.topology == ''Public'')'
- message: private is required when topology is Private or PublicAndPrivate,
and forbidden otherwise
rule: '!has(self.topology) || ((self.topology == ''Private''
|| self.topology == ''PublicAndPrivate'') ? has(self.private)
: !has(self.private))'
rule: 'has(self.topology) && (self.topology == ''Private'' ||
self.topology == ''PublicAndPrivate'') ? has(self.private)
: !has(self.private)'
- message: workloadIdentities.controlPlaneOperator is required
when Private Link is configured with WorkloadIdentities authentication
rule: '!has(self.private) || self.private.type != ''PrivateLink''
Expand Down
Loading