Require APIExcludedFields Versions to be set

[JoelSpeed]

Through discussion, we've realised that having this field optional creates ambiguity around the expected behaviour. We would rather this be completely declarative and require users to set which versions they want the exclusion to apply to.

Since this API is new in 4.22 and only shipped in tech preview, this is not actually a breaking change so should be fine to merge (looking at you crdify)

[openshift-ci-robot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

[openshift-ci]

Hello @JoelSpeed! Some important instructions when contributing to openshift/api:
API design plays an important part in the user experience of OpenShift and as such API PRs are subject to a high level of scrutiny to ensure they follow our best practices. If you haven't already done so, please review the OpenShift API Conventions and ensure that your proposed changes are compliant. Following these conventions will help expedite the api review process for your PR.

[coderabbitai]

📝 Walkthrough

Walkthrough

The change makes the Versions field mandatory for API excluded fields by updating the kubebuilder validation marker from +optional to +required. The CRD schema is updated to include versions in the required list for excluded-field items. Test manifests were updated to add v1 entries under excludedFields versions in multiple test cases.

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main change: making the APIExcludedFields Versions field required instead of optional.
Description check	✅ Passed	The description clearly explains the rationale for the change and why it is not a breaking change, directly addressing the purpose of the pull request.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

• 📝 Generate docstrings (stacked PR)
• 📝 Generate docstrings (commit on current branch)

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.5.0)

Error: build linters: unable to load custom analyzer "kubeapilinter": tools/_output/bin/kube-api-linter.so, plugin: not implemented
The command is terminated due to an error: build linters: unable to load custom analyzer "kubeapilinter": tools/_output/bin/kube-api-linter.so, plugin: not implemented

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

apiextensions/v1alpha1/types_compatibilityrequirement.go (1)

157-170: ⚠️ Potential issue | 🟡 Minor

Update versions field documentation to match required validation.

The comment still says “When not specified...” but Line 169 makes versions mandatory. Please align docs to avoid contradictory API guidance.

✏️ Suggested doc fix

 	// versions are the API versions the field is excluded from.
-	// When not specified, the field is excluded from all versions.
+	// This field is required and must explicitly list the API versions
+	// the field is excluded from.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@apiextensions/v1alpha1/types_compatibilityrequirement.go` around lines 157 -
170, The comment for the Versions field contradicts its validation: update the
documentation for the Versions []APIVersionString field (symbol: Versions, type:
APIVersionString) to remove the “When not specified, the field is excluded from
all versions.” language and instead state that Versions is required and must
contain 1–32 items (each ≤63 chars, lowercase alphanumeric and hyphens, starts
with a letter, ends with alphanumeric), reflecting the
+kubebuilder:validation:MinItems=1, MaxItems=32 and +required tags so the doc
and validation match.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@apiextensions/v1alpha1/types_compatibilityrequirement.go`:
- Around line 169-170: The change made Versions (the field Versions
[]APIVersionString on the CompatibilityRequirement struct) required by adding //
+required, which breaks backward compatibility for legacy objects that omit
versions; revert the // +required tag on Versions (or alternatively implement a
defaulting step in the API defaulting webhook that supplies a sensible default
like "all versions") so existing CRs with excludedFields that only specify path
remain valid; update the CompatibilityRequirement field annotation for Versions
accordingly and, if you choose defaulting, implement the logic in the defaulting
routine tied to CompatibilityRequirement to populate Versions when nil.

---

Outside diff comments:
In `@apiextensions/v1alpha1/types_compatibilityrequirement.go`:
- Around line 157-170: The comment for the Versions field contradicts its
validation: update the documentation for the Versions []APIVersionString field
(symbol: Versions, type: APIVersionString) to remove the “When not specified,
the field is excluded from all versions.” language and instead state that
Versions is required and must contain 1–32 items (each ≤63 chars, lowercase
alphanumeric and hyphens, starts with a letter, ends with alphanumeric),
reflecting the +kubebuilder:validation:MinItems=1, MaxItems=32 and +required
tags so the doc and validation match.

---

ℹ️ Review info

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to data retention organization setting

📥 Commits

Reviewing files that changed from the base of the PR and between 8713f3f and 7e1fe9a.

⛔ Files ignored due to path filters (3)

• apiextensions/v1alpha1/zz_generated.crd-manifests/0000_20_crd-compatibility-checker_01_compatibilityrequirements.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
• apiextensions/v1alpha1/zz_generated.featuregated-crd-manifests/compatibilityrequirements.apiextensions.openshift.io/CRDCompatibilityRequirementOperator.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• openapi/generated_openapi/zz_generated.openapi.go is excluded by !openapi/**

📒 Files selected for processing (2)

• apiextensions/v1alpha1/types_compatibilityrequirement.go
• payload-manifests/crds/0000_20_crd-compatibility-checker_01_compatibilityrequirements.crd.yaml

[coderabbitai]

🧹 Nitpick comments (1)

apiextensions/v1alpha1/tests/compatibilityrequirements.apiextensions.openshift.io/CRDCompatibilityRequirementOperator.yaml (1)

168-174: Consider adding a negative test for omitting versions on an excludedFields entry.

The PR makes versions required, but there is no test case that verifies the server rejects an excludedFields entry without versions. A test like the following would directly validate the new constraint:

- name: Should not be able to create CompatibilityRequirement with excludedFields missing versions
  initial: |
    apiVersion: apiextensions.openshift.io/v1alpha1
    kind: CompatibilityRequirement
    metadata:
      name: test-requirement
    spec:
      compatibilitySchema:
        customResourceDefinition:
          type: YAML
          data: |
            ...
        requiredVersions:
          defaultSelection: StorageOnly
        excludedFields:
        - path: spec.fieldToExclude
  expectedError: "spec.compatibilitySchema.excludedFields[0].versions: Required value"

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@apiextensions/v1alpha1/tests/compatibilityrequirements.apiextensions.openshift.io/CRDCompatibilityRequirementOperator.yaml`
around lines 168 - 174, Add a negative test that attempts to create a
CompatibilityRequirement resource with spec.compatibilitySchema.excludedFields
entries missing the required versions field and assert the server rejects it;
specifically add a test case named like "Should not be able to create
CompatibilityRequirement with excludedFields missing versions" that posts a
CompatibilityRequirement (kind: CompatibilityRequirement, apiVersion:
apiextensions.openshift.io/v1alpha1) whose
spec.compatibilitySchema.customResourceDefinition/data contains excludedFields
with an entry that has only path: spec.fieldToExclude and no versions, and set
expectedError to contain "spec.compatibilitySchema.excludedFields[0].versions:
Required value" to validate the new versions-required constraint.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In
`@apiextensions/v1alpha1/tests/compatibilityrequirements.apiextensions.openshift.io/CRDCompatibilityRequirementOperator.yaml`:
- Around line 168-174: Add a negative test that attempts to create a
CompatibilityRequirement resource with spec.compatibilitySchema.excludedFields
entries missing the required versions field and assert the server rejects it;
specifically add a test case named like "Should not be able to create
CompatibilityRequirement with excludedFields missing versions" that posts a
CompatibilityRequirement (kind: CompatibilityRequirement, apiVersion:
apiextensions.openshift.io/v1alpha1) whose
spec.compatibilitySchema.customResourceDefinition/data contains excludedFields
with an entry that has only path: spec.fieldToExclude and no versions, and set
expectedError to contain "spec.compatibilitySchema.excludedFields[0].versions:
Required value" to validate the new versions-required constraint.

---

ℹ️ Review info

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to data retention organization setting

📥 Commits

Reviewing files that changed from the base of the PR and between 7e1fe9a and 3cfb57e.

⛔ Files ignored due to path filters (3)

• apiextensions/v1alpha1/zz_generated.crd-manifests/0000_20_crd-compatibility-checker_01_compatibilityrequirements.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
• apiextensions/v1alpha1/zz_generated.featuregated-crd-manifests/compatibilityrequirements.apiextensions.openshift.io/CRDCompatibilityRequirementOperator.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• openapi/generated_openapi/zz_generated.openapi.go is excluded by !openapi/**

📒 Files selected for processing (3)

• apiextensions/v1alpha1/tests/compatibilityrequirements.apiextensions.openshift.io/CRDCompatibilityRequirementOperator.yaml
• apiextensions/v1alpha1/types_compatibilityrequirement.go
• payload-manifests/crds/0000_20_crd-compatibility-checker_01_compatibilityrequirements.crd.yaml

🚧 Files skipped from review as they are similar to previous changes (2)

• apiextensions/v1alpha1/types_compatibilityrequirement.go
• payload-manifests/crds/0000_20_crd-compatibility-checker_01_compatibilityrequirements.crd.yaml

[JoelSpeed]

/override ci/prow/verify-crd-schema
/override ci/prow/verify-crdify

As this is a tech preview feature, we are happy to make this technically breaking change

[openshift-ci]

@JoelSpeed: Overrode contexts on behalf of JoelSpeed: ci/prow/verify-crd-schema, ci/prow/verify-crdify

Details

In response to this:

/override ci/prow/verify-crd-schema
/override ci/prow/verify-crdify

As this is a tech preview feature, we are happy to make this technically breaking change

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[mdbooth]

/lgtm

We discussed this at length. It wasn't the original plan, but we think the producer can add this information without undue toil. The upside is better UX if you specify it incorrectly.

[qodo-code-review]

ⓘ Your monthly quota for Qodo has expired. Upgrade your plan

ⓘ Paying users. Check that your Qodo account is linked with this Git user account

[openshift-ci-robot]

Scheduling tests matching the pipeline_run_if_changed or not excluded by pipeline_skip_if_only_changed parameters:
/test e2e-aws-ovn
/test e2e-aws-ovn-hypershift
/test e2e-aws-ovn-hypershift-conformance
/test e2e-aws-ovn-techpreview
/test e2e-aws-serial-1of2
/test e2e-aws-serial-2of2
/test e2e-aws-serial-techpreview-1of2
/test e2e-aws-serial-techpreview-2of2
/test e2e-azure
/test e2e-gcp
/test e2e-upgrade
/test e2e-upgrade-out-of-change
/test minor-e2e-upgrade-minor

[JoelSpeed]

/approve
/verified by integration tests

[openshift-ci-robot]

@JoelSpeed: This PR has been marked as verified by integration tests.

Details

In response to this:

/approve
/verified by integration tests

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: JoelSpeed, mdbooth

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [JoelSpeed]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[JoelSpeed]

/retest

[theobarberbany]

https://redhat-internal.slack.com/archives/GE2HQ9QP4/p1772028728668839 discussion overview

[openshift-ci]

@JoelSpeed: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-aws-ovn-hypershift-conformance	3cfb57e	link	true	/test e2e-aws-ovn-hypershift-conformance

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[JoelSpeed]

/retest