CORS-4341: Allow DNSType in Infra CR's Platform Status to be updated Day-2 #2729

Open
sadasu wants to merge 1 commit into openshift:master from sadasu:dnstype-updates

sadasu commented Feb 25, 2026

Currently, the DNSType is immutable once set. ARO needs to enable this capability of starting in-cluster DNS on Day-2. That would require changing the value of DNSType on Day-2 to ClusterHosted. Similarly, they would also like the option to disable this feature on Day-2 as well.
Currently, limiting this capability to Azure. DNSType is still left as immutable for AWS and GCP.

@openshift-ci-robot

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Feb 25, 2026

openshift-ci bot commented Feb 25, 2026

Hello @sadasu! Some important instructions when contributing to openshift/api:
API design plays an important part in the user experience of OpenShift and as such API PRs are subject to a high level of scrutiny to ensure they follow our best practices. If you haven't already done so, please review the OpenShift API Conventions and ensure that your proposed changes are compliant. Following these conventions will help expedite the api review process for your PR.

openshift-ci-robot commented Feb 25, 2026

@sadasu: This pull request references CORS-4341 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

In response to this:

Currently, the DNSType is immutable once set. ARO needs to enable this capability of starting in-cluster DNS on Day-2. That would require changing the value of DNSType on Day-2 to ClusterHosted. Similarly, they would also like the option to disable this feature on Day-2 as well.
Currently, limiting this capability to Azure. DNSType is still left as immutable for AWS and GCP.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot added the size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. label Feb 25, 2026

openshift-ci bot commented Feb 25, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign deads2k for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

sadasu commented Feb 25, 2026

/jira refresh

openshift-ci-robot commented Feb 25, 2026

@sadasu: This pull request references CORS-4341 which is a valid jira issue.

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

coderabbitai bot commented Feb 25, 2026

📝 Walkthrough

This pull request makes dnsType immutability platform-specific by moving validation from a top-level dnsType rule to a nested cloudLoadBalancerConfig.dnsType rule. AWS and GCP retain dnsType immutability after install; Azure allows updates after the field is set. Changes touch tests (expected error paths/messages), Go types with per-platform XValidation annotations, generated Swagger docs, and multiple CRD variants (descriptions and validation rules). An Azure test was changed to expect a successful update instead of an immutability error.

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title clearly describes the main change: allowing DNSType in Infrastructure CR's Platform Status to be updated on Day-2, which is the core objective of this PR. |
| Description check | ✅ Passed | The description is directly related to the changeset, explaining the motivation for allowing DNSType updates on Day-2 for Azure while keeping it immutable for AWS/GCP. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.5.0)

Error: build linters: unable to load custom analyzer "kubeapilinter": tools/_output/bin/kube-api-linter.so, plugin: not implemented
The command is terminated due to an error: build linters: unable to load custom analyzer "kubeapilinter": tools/_output/bin/kube-api-linter.so, plugin: not implemented


Comment @coderabbitai help to get the list of available commands and usage tips.

sadasu commented Feb 25, 2026

/jira refresh

openshift-ci-robot commented Feb 25, 2026

@sadasu: This pull request references CORS-4341 which is a valid jira issue.

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 13

🧹 Nitpick comments (1)
payload-manifests/crds/0000_10_config-operator_01_infrastructures-CustomNoUpgrade.crd.yaml (1)

1544-1559: Azure dnsType description duplicates AWS/GCP copy — consider platform-specific wording

The dnsType description under status.platformStatus.azure.cloudLoadBalancerConfig (lines 1550-1551) is identical to the AWS/GCP copy: it says the value is immutable for AWS and GCP but mutable for Azure. Placing AWS/GCP-specific immutability language inside an Azure-only field description is mildly confusing to readers introspecting the Azure status. A tighter description stating only that this field can be updated after initial set (without cross-referencing other platforms) would improve clarity.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In
`@payload-manifests/crds/0000_10_config-operator_01_infrastructures-CustomNoUpgrade.crd.yaml`
around lines 1544 - 1559, Update the description for
status.platformStatus.azure.cloudLoadBalancerConfig.dnsType to remove the
AWS/GCP-specific immutability wording and instead state only Azure-relevant
behavior: explain that dnsType indicates the cluster DNS solution, list the enum
values (PlatformDefault, ClusterHosted), and note that for Azure this field can
be updated after initial set (without referencing other platforms or
immutability rules for AWS/GCP); modify the description text in the dnsType
property under status.platformStatus.azure.cloudLoadBalancerConfig accordingly.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@config/v1/types_infrastructure.go`:
- Line 562: The XValidation CEL rule attached to the cloudLoadBalancerConfig
field incorrectly references self.cloudLoadBalancerConfig.dnsType and
oldSelf.cloudLoadBalancerConfig.dnsType even though at field-level scope self is
already the CloudLoadBalancerConfig object; update the
+kubebuilder:validation:XValidation rule(s) for cloudLoadBalancerConfig (the
annotation using the immutability check for dnsType) to use self.dnsType and
oldSelf.dnsType (remove the cloudLoadBalancerConfig. prefix) for both
occurrences so the immutability check works at field scope.

In
`@payload-manifests/crds/0000_10_config-operator_01_infrastructures-CustomNoUpgrade.crd.yaml`:
- Around line 1355-1361: The CEL immutability rules under
x-kubernetes-validations wrongly reference self.cloudLoadBalancerConfig (which
inside the cloudLoadBalancerConfig block makes self already equal to
cloudLoadBalancerConfig), causing has(self.cloudLoadBalancerConfig) to always be
false; fix the rule expressions in the cloudLoadBalancerConfig
x-kubernetes-validations by removing the redundant prefix and referencing
dnsType directly (use has(self.dnsType) and has(oldSelf.dnsType) and compare
oldSelf.dnsType == '' || self.dnsType == oldSelf.dnsType), and apply the
identical change to the GCP copy of the rule (the rule blocks around the
cloudLoadBalancerConfig for AWS and GCP).

In
`@payload-manifests/crds/0000_10_config-operator_01_infrastructures-Default.crd.yaml`:
- Around line 1599-1605: The CEL immutability rule currently referenced nested
paths that are out-of-scope (it uses self.cloudLoadBalancerConfig.dnsType and
oldSelf.cloudLoadBalancerConfig.dnsType while the rule is evaluated in the
cloudLoadBalancerConfig scope); update the rule to reference the local fields
instead (use self.dnsType and oldSelf.dnsType) so the CEL expression can
evaluate correctly, and apply the same change to the two other occurrences in
the TechPreviewNoUpgrade variant as well so all three immutability checks in
both Default and TechPreviewNoUpgrade use the in-scope field names.

In
`@payload-manifests/crds/0000_10_config-operator_01_infrastructures-DevPreviewNoUpgrade.crd.yaml`:
- Around line 1355-1361: The CEL immutability rule inside the
cloudLoadBalancerConfig schema is using fully-qualified paths
(self.cloudLoadBalancerConfig.dnsType and
oldSelf.cloudLoadBalancerConfig.dnsType) but must use the current object scope;
update the rule expressions for the cloudLoadBalancerConfig.dnsType immutability
checks (the rule entries under the cloudLoadBalancerConfig schema at the two
occurrences) to reference self.dnsType and oldSelf.dnsType instead, mirroring
how clusterHosted validation uses the local scope.

In
`@payload-manifests/crds/0000_10_config-operator_01_infrastructures-OKD.crd.yaml`:
- Around line 1599-1605: The CEL immutability rule is using the wrong scope
(referencing self.cloudLoadBalancerConfig.dnsType) inside the
cloudLoadBalancerConfig validation block; update the predicate to use
self.dnsType (and oldSelf.dnsType) instead. Edit the immutability rule
definition in the AWSPlatformStatus and GCPPlatformStatus types (the
cloudLoadBalancerConfig validation for dnsType in the types that generate the
CRDs) to replace occurrences of self.cloudLoadBalancerConfig.dnsType and
oldSelf.cloudLoadBalancerConfig.dnsType with self.dnsType and oldSelf.dnsType so
the rule matches the local object scope and regenerates the CRDs.

In
`@payload-manifests/crds/0000_10_config-operator_01_infrastructures-TechPreviewNoUpgrade.crd.yaml`:
- Around line 1355-1361: The CEL immutability rule is scoped to the
cloudLoadBalancerConfig object so references to self.cloudLoadBalancerConfig and
oldSelf.cloudLoadBalancerConfig are incorrect and make the check always skip;
update the rule under the cloudLoadBalancerConfig x-kubernetes-validations (the
rule string currently referencing cloudLoadBalancerConfig.dnsType) to instead
reference self.dnsType and oldSelf.dnsType (and the corresponding has(...)
checks) so the expression becomes conditional on has(self.dnsType) &&
has(oldSelf.dnsType) and enforces oldSelf.dnsType == '' || self.dnsType ==
oldSelf.dnsType, applying the same fix for both the AWS and GCP rules (and the
Default.crd.yaml occurrence).

In
`@payload-manifests/crds/0000_80_machine-config_01_controllerconfigs-CustomNoUpgrade.crd.yaml`:
- Around line 1641-1648: The CEL immutability rule inside the
cloudLoadBalancerConfig validation block is using the wrong scope (it references
self.cloudLoadBalancerConfig.dnsType and
oldSelf.cloudLoadBalancerConfig.dnsType), so the
has(self.cloudLoadBalancerConfig) check is always false and the rule is skipped;
update the rule to reference the local object fields directly (use self.dnsType
and oldSelf.dnsType) and adjust the has() predicates accordingly (e.g.,
has(self.dnsType) && has(oldSelf.dnsType)) so the immutability condition
actually compares oldSelf.dnsType == self.dnsType, and apply the same fix to
both the AWS and GCP cloudLoadBalancerConfig validation blocks referenced in the
CRD.

In
`@payload-manifests/crds/0000_80_machine-config_01_controllerconfigs-DevPreviewNoUpgrade.crd.yaml`:
- Line 1762: Update the confusing cross-platform immutability wording in the
description for cloudLoadBalancerConfig.dnsType so the Azure-specific behavior
is clear; specifically, edit the dnsType description under the Azure
cloudLoadBalancerConfig block to either state only the Azure behavior (e.g.,
"This value can be updated after it has been set.") or at minimum place the
Azure sentence first and then mention AWS/GCP immutability, and apply the same
change to the other dnsType description occurrence (both
cloudLoadBalancerConfig.dnsType entries referenced in the CRD).
- Around line 1636-1648: The immutability CEL rule under
x-kubernetes-validations for cloudLoadBalancerConfig is using
has(self.cloudLoadBalancerConfig) which is always false because the validation
is scoped to cloudLoadBalancerConfig; change the predicate to reference the
fields on the current scope directly (use has(self.dnsType) &&
has(oldSelf.dnsType) and compare oldSelf.dnsType to self.dnsType) so the ternary
checks the actual dnsType presence and enforces immutability for dnsType within
cloudLoadBalancerConfig.
- Around line 2228-2240: The immutability CEL under x-kubernetes-validations for
the GCP cloudLoadBalancerConfig block is scoped to the cloudLoadBalancerConfig
object but references
self.cloudLoadBalancerConfig/oldSelf.cloudLoadBalancerConfig (which don’t exist
in that scope), so update the rule to use the local field names (compare
self.dnsType to oldSelf.dnsType) or move the entire validation up to the parent
scope where cloudLoadBalancerConfig/oldSelf.cloudLoadBalancerConfig exist;
adjust the rule expression accordingly so it actually guards immutability of
cloudLoadBalancerConfig.dnsType.

In
`@payload-manifests/crds/0000_80_machine-config_01_controllerconfigs-OKD.crd.yaml`:
- Around line 1885-1892: The validation rule inside the cloudLoadBalancerConfig
x-kubernetes-validations is checking has(self.cloudLoadBalancerConfig) and
has(oldSelf.cloudLoadBalancerConfig) which is wrong because self is already
cloudLoadBalancerConfig; change the condition to check the dnsType fields
directly (e.g., has(self.dnsType) && has(oldSelf.dnsType)) and make the ternary
compare oldSelf.dnsType and self.dnsType (or simply reference self.dnsType and
oldSelf.dnsType), updating the rule string accordingly for the
cloudLoadBalancerConfig block and then search other CRD variants for the same
broken pattern (has(self.cloudLoadBalancerConfig) /
has(oldSelf.cloudLoadBalancerConfig)) to apply the same fix where present.

In
`@payload-manifests/crds/0000_80_machine-config_01_controllerconfigs-TechPreviewNoUpgrade.crd.yaml`:
- Around line 2233-2240: The validation rule for cloudLoadBalancerConfig.dnsType
uses the wrong self path (it references self.cloudLoadBalancerConfig) so the
immutability check never runs; update the rule expression to check
has(self.dnsType) and has(oldSelf.dnsType) and compare oldSelf.dnsType and
self.dnsType (mirroring the AWS fix) so it becomes: has(self) && has(oldSelf) &&
has(self.dnsType) && has(oldSelf.dnsType) ? (oldSelf.dnsType == '' ||
self.dnsType == oldSelf.dnsType) : true, ensuring the immutability of
cloudLoadBalancerConfig.dnsType is enforced.
- Around line 1641-1648: The CEL immutability rule incorrectly references a
nested field (self.cloudLoadBalancerConfig.dnsType) causing the check to always
short-circuit; update the rule to reference the fields on the object itself (use
self.dnsType and oldSelf.dnsType) and replace has(self.cloudLoadBalancerConfig)
/ has(oldSelf.cloudLoadBalancerConfig) with has(self.dnsType) /
has(oldSelf.dnsType) (or just has(self) checks appropriate to the schema) so the
ternary expression actually compares oldSelf.dnsType == '' || self.dnsType ==
oldSelf.dnsType and enforces immutability for dnsType on
cloudLoadBalancerConfig.

---

Nitpick comments:
In
`@payload-manifests/crds/0000_10_config-operator_01_infrastructures-CustomNoUpgrade.crd.yaml`:
- Around line 1544-1559: Update the description for
status.platformStatus.azure.cloudLoadBalancerConfig.dnsType to remove the
AWS/GCP-specific immutability wording and instead state only Azure-relevant
behavior: explain that dnsType indicates the cluster DNS solution, list the enum
values (PlatformDefault, ClusterHosted), and note that for Azure this field can
be updated after initial set (without referencing other platforms or
immutability rules for AWS/GCP); modify the description text in the dnsType
property under status.platformStatus.azure.cloudLoadBalancerConfig accordingly.

ℹ️ Review info

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to data retention organization setting

📥 Commits

Reviewing files that changed from the base of the PR and between 64dddb8 and 26e1385.

⛔ Files ignored due to path filters (17)
  • config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-CustomNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
  • config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-Default.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
  • config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-DevPreviewNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
  • config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-OKD.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
  • config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-TechPreviewNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
  • config/v1/zz_generated.featuregated-crd-manifests/infrastructures.config.openshift.io/AWSClusterHostedDNSInstall.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
  • config/v1/zz_generated.featuregated-crd-manifests/infrastructures.config.openshift.io/AzureClusterHostedDNSInstall.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
  • config/v1/zz_generated.featuregated-crd-manifests/infrastructures.config.openshift.io/GCPClusterHostedDNSInstall.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
  • machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_controllerconfigs-CustomNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
  • machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_controllerconfigs-Default.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
  • machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_controllerconfigs-DevPreviewNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
  • machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_controllerconfigs-OKD.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
  • machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_controllerconfigs-TechPreviewNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
  • machineconfiguration/v1/zz_generated.featuregated-crd-manifests/controllerconfigs.machineconfiguration.openshift.io/AWSClusterHostedDNSInstall.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
  • machineconfiguration/v1/zz_generated.featuregated-crd-manifests/controllerconfigs.machineconfiguration.openshift.io/AzureClusterHostedDNSInstall.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
  • machineconfiguration/v1/zz_generated.featuregated-crd-manifests/controllerconfigs.machineconfiguration.openshift.io/GCPClusterHostedDNSInstall.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
  • openapi/generated_openapi/zz_generated.openapi.go is excluded by !openapi/**
📒 Files selected for processing (17)
  • config/v1/tests/infrastructures.config.openshift.io/AWSClusterHostedDNS.yaml
  • config/v1/tests/infrastructures.config.openshift.io/AWSClusterHostedDNSInstall.yaml
  • config/v1/tests/infrastructures.config.openshift.io/AzureClusterHostedDNSInstall.yaml
  • config/v1/tests/infrastructures.config.openshift.io/GCPClusterHostedDNS.yaml
  • config/v1/tests/infrastructures.config.openshift.io/GCPClusterHostedDNSInstall.yaml
  • config/v1/types_infrastructure.go
  • config/v1/zz_generated.swagger_doc_generated.go
  • payload-manifests/crds/0000_10_config-operator_01_infrastructures-CustomNoUpgrade.crd.yaml
  • payload-manifests/crds/0000_10_config-operator_01_infrastructures-Default.crd.yaml
  • payload-manifests/crds/0000_10_config-operator_01_infrastructures-DevPreviewNoUpgrade.crd.yaml
  • payload-manifests/crds/0000_10_config-operator_01_infrastructures-OKD.crd.yaml
  • payload-manifests/crds/0000_10_config-operator_01_infrastructures-TechPreviewNoUpgrade.crd.yaml
  • payload-manifests/crds/0000_80_machine-config_01_controllerconfigs-CustomNoUpgrade.crd.yaml
  • payload-manifests/crds/0000_80_machine-config_01_controllerconfigs-Default.crd.yaml
  • payload-manifests/crds/0000_80_machine-config_01_controllerconfigs-DevPreviewNoUpgrade.crd.yaml
  • payload-manifests/crds/0000_80_machine-config_01_controllerconfigs-OKD.crd.yaml
  • payload-manifests/crds/0000_80_machine-config_01_controllerconfigs-TechPreviewNoUpgrade.crd.yaml
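
The scope difference the inline comments above describe, written out as a trimmed CRD schema fragment. This is an added illustration, not taken from the PR or from the openshift/api manifests: the surrounding schema is constructed and cut down to the relevant nodes, and the rule and message text follow the wording quoted in the review comments.

```yaml
# Constructed, trimmed openAPIV3Schema fragment (not the generated CRD).
# It shows the two schema nodes where the dnsType immutability rule can sit
# and what `self` / `oldSelf` are bound to at each one. A real schema needs
# only one of the two placements.
aws:
  type: object
  properties:
    cloudLoadBalancerConfig:
      type: object
      default:
        dnsType: PlatformDefault
      properties:
        dnsType:
          type: string
          enum:
          - PlatformDefault
          - ClusterHosted
      # Placement A: the rule sits on the cloudLoadBalancerConfig node, which
      # is where a marker written on the struct field ends up.
      # `self` and `oldSelf` are the cloudLoadBalancerConfig object, so
      # dnsType is addressed directly. There is no `cloudLoadBalancerConfig`
      # property to select at this scope.
      x-kubernetes-validations:
      - rule: "has(self.dnsType) && has(oldSelf.dnsType) ? (oldSelf.dnsType == '' || self.dnsType == oldSelf.dnsType) : true"
        message: cloudLoadBalancerConfig.dnsType is immutable once set
  # Placement B: the rule sits on the parent platform-status node.
  # `self` and `oldSelf` are the whole `aws` object, so the path has to
  # start at cloudLoadBalancerConfig.
  x-kubernetes-validations:
  - rule: "has(self.cloudLoadBalancerConfig) && has(oldSelf.cloudLoadBalancerConfig) && has(self.cloudLoadBalancerConfig.dnsType) && has(oldSelf.cloudLoadBalancerConfig.dnsType) ? (oldSelf.cloudLoadBalancerConfig.dnsType == '' || self.cloudLoadBalancerConfig.dnsType == oldSelf.cloudLoadBalancerConfig.dnsType) : true"
    message: cloudLoadBalancerConfig.dnsType is immutable once set
```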

//
// +default={"dnsType": "PlatformDefault"}
// +kubebuilder:default={"dnsType": "PlatformDefault"}
// +kubebuilder:validation:XValidation:rule="has(self.cloudLoadBalancerConfig) && has(oldSelf.cloudLoadBalancerConfig) && has(self.cloudLoadBalancerConfig.dnsType) && has(oldSelf.cloudLoadBalancerConfig.dnsType) ? (oldSelf.cloudLoadBalancerConfig.dnsType == '' || self.cloudLoadBalancerConfig.dnsType == oldSelf.cloudLoadBalancerConfig.dnsType) : true",message="cloudLoadBalancerConfig.dnsType is immutable once set"
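
Review bot: The `: true` branch of the ternary in the XValidation rule accepts any update in which `cloudLoadBalancerConfig` or its `dnsType` is missing from either `self` or `oldSelf`, so "immutable once set" only holds while the field is present on both sides. If clearing `dnsType` after it has been set should also be rejected, add a clause that fails when `oldSelf` has `dnsType` and `self` does not; if the `{"dnsType": "PlatformDefault"}` default is what keeps the field populated, a short comment above the marker saying so would make the intent clear.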

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

# First, check the file structure and locate the lines in question
wc -l config/v1/types_infrastructure.go

Repository: openshift/api

Length of output: 95


🏁 Script executed:

# Inspect lines around 562 to see the context and XValidation
sed -n '555,575p' config/v1/types_infrastructure.go | cat -n

Repository: openshift/api

Length of output: 1554


🏁 Script executed:

# Inspect lines around 792 to see the second occurrence
sed -n '785,805p' config/v1/types_infrastructure.go | cat -n

Repository: openshift/api

Length of output: 1659


🏁 Script executed:

# Search for the exact pattern to understand its scope
rg -n "cloudLoadBalancerConfig.*dnsType is immutable" config/v1/types_infrastructure.go

Repository: openshift/api

Length of output: 900


🏁 Script executed:

# Check the struct definition to understand field attachment
rg -B10 -A5 "cloudLoadBalancerConfig \*CloudLoadBalancerConfig" config/v1/types_infrastructure.go | head -40

Repository: openshift/api

Length of output: 39


🏁 Script executed:

# Check the CRD file mentioned in the review
fd "0000_80_machine-config_01_controllerconfigs" --type f

Repository: openshift/api

Length of output: 1094


🏁 Script executed:

# Get the struct definition that contains the cloudLoadBalancerConfig field
sed -n '540,580p' config/v1/types_infrastructure.go | cat -n

Repository: openshift/api

Length of output: 2565


🏁 Script executed:

# Search for the struct name that contains this field
rg -B50 "CloudLoadBalancerConfig \*CloudLoadBalancerConfig" config/v1/types_infrastructure.go | grep "^type " | head -1

Repository: openshift/api

Length of output: 86


🏁 Script executed:

# Get broader context - find the struct definition
rg -B100 "^\s+CloudLoadBalancerConfig \*CloudLoadBalancerConfig" config/v1/types_infrastructure.go | grep -E "^type |^}" | head -10

Repository: openshift/api

Length of output: 215


🏁 Script executed:

# Search for all structs that have CloudLoadBalancerConfig field
rg -B5 "CloudLoadBalancerConfig \*CloudLoadBalancerConfig" config/v1/types_infrastructure.go | grep "^type"

Repository: openshift/api

Length of output: 39


🏁 Script executed:

# Check one of the CRD files to see how the validation appears in the generated output
grep -A10 -B10 "cloudLoadBalancerConfig.*dnsType is immutable" payload-manifests/crds/0000_80_machine-config_01_controllerconfigs-Default.crd.yaml | head -30

Repository: openshift/api

Length of output: 1531


🏁 Script executed:

# Find what struct contains the cloudLoadBalancerConfig field at line 562
sed -n '500,565p' config/v1/types_infrastructure.go | grep -E "^type |CloudLoadBalancerConfig"

Repository: openshift/api

Length of output: 143


🏁 Script executed:

# Find the GCP struct that has the validation at line 792
sed -n '750,800p' config/v1/types_infrastructure.go | grep -E "^type |CloudLoadBalancerConfig"

Repository: openshift/api

Length of output: 181


🏁 Script executed:

# Look for all AWSPlatformSpec and GCPPlatformSpec definitions to understand the structure
rg -n "^type (AWSPlatformSpec|GCPPlatformSpec)" config/v1/types_infrastructure.go

Repository: openshift/api

Length of output: 124


🏁 Script executed:

# Get the full context for AWSPlatformSpec around line 562
sed -n '470,580p' config/v1/types_infrastructure.go | cat -n

Repository: openshift/api

Length of output: 6001


🏁 Script executed:

# Get the exact structure - find where line 562 and 792 are in relation to struct definitions
grep -n "^type" config/v1/types_infrastructure.go | tail -20

Repository: openshift/api

Length of output: 861


🏁 Script executed:

# Look at the entire AWSPlatformStatus struct definition
sed -n '523,650p' config/v1/types_infrastructure.go | cat -n

Repository: openshift/api

Length of output: 8412


🏁 Script executed:

# Find GCPPlatformStatus struct definition
rg -A100 "^type GCPPlatformStatus struct" config/v1/types_infrastructure.go | head -120

Repository: openshift/api

Length of output: 6166


🏁 Script executed:

# Find the CloudLoadBalancerConfig struct definition to verify it has dnsType field
rg -n "^type CloudLoadBalancerConfig struct" config/v1/types_infrastructure.go

Repository: openshift/api

Length of output: 98


🏁 Script executed:

# Get the CloudLoadBalancerConfig struct definition
sed -n '400,500p' config/v1/types_infrastructure.go | grep -A30 "type CloudLoadBalancerConfig"

Repository: openshift/api

Length of output: 39


🏁 Script executed:

# Search for the CloudLoadBalancerConfig type definition more broadly
rg -B2 -A20 "type CloudLoadBalancerConfig struct" config/v1/types_infrastructure.go

Repository: openshift/api

Length of output: 1723


🏁 Script executed:

# Verify how the validation rule appears in the generated CRD
sed -n '250,300p' payload-manifests/crds/0000_80_machine-config_01_controllerconfigs-Default.crd.yaml | grep -A20 "cloudLoadBalancerConfig" | head -40

Repository: openshift/api

Length of output: 39


🏁 Script executed:

# Check the structure of x-kubernetes-validations in the CRD to understand the scope
grep -B5 -A10 "cloudLoadBalancerConfig.dnsType is immutable" payload-manifests/crds/0000_80_machine-config_01_controllerconfigs-Default.crd.yaml

Repository: openshift/api

Length of output: 1289


🏁 Script executed:

# Let me check the exact location where the validation appears in the CRD
# First find the context - what struct does this validation belong to
rg -B30 "cloudLoadBalancerConfig.dnsType is immutable" payload-manifests/crds/0000_80_machine-config_01_controllerconfigs-Default.crd.yaml | head -50

Repository: openshift/api

Length of output: 2689


🏁 Script executed:

# Let's understand the indentation and hierarchy in the CRD
rg -B50 "cloudLoadBalancerConfig.dnsType is immutable" payload-manifests/crds/0000_80_machine-config_01_controllerconfigs-Default.crd.yaml | grep -E "properties:|type: object" | tail -10

Repository: openshift/api

Length of output: 150


🏁 Script executed:

# Get the full YAML structure around the validation to understand the scope
sed -n '1,3000p' payload-manifests/crds/0000_80_machine-config_01_controllerconfigs-Default.crd.yaml | grep -B100 "cloudLoadBalancerConfig.dnsType is immutable" | tail -120

Repository: openshift/api

Length of output: 7709


🏁 Script executed:

# Verify the CEL semantics by checking if there are any similar field-level validations 
# that correctly reference nested fields
rg -n "XValidation.*rule=" config/v1/types_infrastructure.go | head -20

Repository: openshift/api

Length of output: 4185


🏁 Script executed:

# Check one of the working validations to see proper CEL pattern
sed -n '564,570p' config/v1/types_infrastructure.go

Repository: openshift/api

Length of output: 401


🏁 Script executed:

# Verify the exact structure of the validation in the Go file one more time
sed -n '560,575p' config/v1/types_infrastructure.go | cat -n

Repository: openshift/api

Length of output: 1290


🌐 Web query:

kubebuilder XValidation field-level vs struct-level CEL scope validation

💡 Result:

In Kubebuilder, +kubebuilder:validation:XValidation compiles to CRD x-kubernetes-validations at the schema node where you attach the marker. That node determines the CEL “scope” (what self / oldSelf mean).

Field-level XValidation (marker on a struct field)

  • Where it lands: on that property’s schema.
  • CEL scope: self (and oldSelf on updates) is the field value itself (scalar/object/list/map), not the whole parent object. (kubernetes.io)
  • Best for: single-field rules (immutability, regex-like logic, list/map constraints on that field).
  • Example (immutability of one field):
    // +kubebuilder:validation:XValidation:rule="self == oldSelf",message="field is immutable"
    VHost string `json:"vhost"`
    (stackoverflow.com)

Struct-level (type-level) XValidation (marker on the struct/type)

  • Where it lands: on the object schema for that struct/type.
  • CEL scope: self is the whole object of that type, so you can do cross-field validation like self.max > self.min. (kubernetes.io)
  • Best for: relationships between fields, conditional presence/absence, and transition rules that depend on multiple fields.
  • Example (cross-field / conditional):
    // +kubebuilder:validation:XValidation:
    //   rule="self.advertisementType != 'PodCIDR' || !has(self.selector)",
    //   message="selector not allowed for PodCIDR"
    type BGPAdvertisement struct { ... }
    (fossies.org)

Error location for struct-level rules (fieldPath)

Because struct-level rules validate “the whole object”, you often set fieldPath so the API server reports the error on a specific field path. The marker supports fieldPath. (book.kubebuilder.io)

Lists: item-level scope (+kubebuilder:validation:items:XValidation)

Controller-tools also generates “items” variants of validation markers; when you apply :items:XValidation to a slice field, the rule is scoped to each element (self is the element). (pkg.go.dev)

If you share your struct snippet, I can tell you exactly which scope you’re currently in and how to rewrite the rule for the other scope.

Citations:


🏁 Script executed:

# Check the CloudLoadBalancerConfig struct definition completely
sed -n '877,950p' config/v1/types_infrastructure.go | cat -n

Repository: openshift/api

Length of output: 4513


🏁 Script executed:

# Look for any validations on the CloudLoadBalancerConfig struct itself
rg -B5 "^type CloudLoadBalancerConfig struct" config/v1/types_infrastructure.go

Repository: openshift/api

Length of output: 540


Fix CEL scope in XValidation for cloudLoadBalancerConfig.dnsType immutability.

Lines 562 and 792 attach field-level validation to cloudLoadBalancerConfig, but the rule incorrectly dereferences self.cloudLoadBalancerConfig.*. At field-level scope, self is already the CloudLoadBalancerConfig object. Remove the cloudLoadBalancerConfig. prefix so the rule uses self.dnsType and oldSelf.dnsType directly.

🐛 Proposed fix (apply to both AWS and GCP annotations)
- // +kubebuilder:validation:XValidation:rule="has(self.cloudLoadBalancerConfig) && has(oldSelf.cloudLoadBalancerConfig) && has(self.cloudLoadBalancerConfig.dnsType) && has(oldSelf.cloudLoadBalancerConfig.dnsType) ? (oldSelf.cloudLoadBalancerConfig.dnsType == '' || self.cloudLoadBalancerConfig.dnsType == oldSelf.cloudLoadBalancerConfig.dnsType) : true",message="cloudLoadBalancerConfig.dnsType is immutable once set"
+ // +kubebuilder:validation:XValidation:rule="has(self.dnsType) && has(oldSelf.dnsType) ? (oldSelf.dnsType == '' || self.dnsType == oldSelf.dnsType) : true",message="cloudLoadBalancerConfig.dnsType is immutable once set"
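Review bot: the else branch of the ternary on the `+` line returns `true` whenever `has(self.dnsType)` is false, so an update that drops `dnsType` from an object whose `oldSelf.dnsType` is set passes the rule, and the update after that sees no old value and can set anything. If clearing the field once it is set should be rejected, key the check on the old value only, for example `!has(oldSelf.dnsType) || oldSelf.dnsType == '' || (has(self.dnsType) && self.dnsType == oldSelf.dnsType)`. If the field can never be absent on this object, note that next to the marker so the permissive branch is not mistaken for a gap.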

Also applies to: 792-792

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@config/v1/types_infrastructure.go` at line 562, The XValidation CEL rule
attached to the cloudLoadBalancerConfig field incorrectly references
self.cloudLoadBalancerConfig.dnsType and oldSelf.cloudLoadBalancerConfig.dnsType
even though at field-level scope self is already the CloudLoadBalancerConfig
object; update the +kubebuilder:validation:XValidation rule(s) for
cloudLoadBalancerConfig (the annotation using the immutability check for
dnsType) to use self.dnsType and oldSelf.dnsType (remove the
cloudLoadBalancerConfig. prefix) for both occurrences so the immutability check
works at field scope.

Comment on lines 1355 to 1361
- message: cloudLoadBalancerConfig.dnsType is immutable once
set
rule: 'has(self.cloudLoadBalancerConfig) && has(oldSelf.cloudLoadBalancerConfig)
&& has(self.cloudLoadBalancerConfig.dnsType) && has(oldSelf.cloudLoadBalancerConfig.dnsType)
? (oldSelf.cloudLoadBalancerConfig.dnsType == '''' ||
self.cloudLoadBalancerConfig.dnsType == oldSelf.cloudLoadBalancerConfig.dnsType)
: true'

⚠️ Potential issue | 🔴 Critical

CEL rules reference wrong scope — immutability constraint is a no-op for AWS and GCP

Both new rules are placed under x-kubernetes-validations on the cloudLoadBalancerConfig object itself (same level as the existing clusterHosted is permitted only when dnsType is ClusterHosted rule, which correctly uses self.dnsType). Within that scope self is cloudLoadBalancerConfig, so self.cloudLoadBalancerConfig references a field named cloudLoadBalancerConfig nested inside cloudLoadBalancerConfig — a field that does not exist.

As a result, has(self.cloudLoadBalancerConfig) always evaluates to false, the ternary short-circuits to true, and the immutability check never fires. DNSType would be freely mutable on AWS and GCP, directly contradicting the PR's stated objective.

The fix is to drop the redundant cloudLoadBalancerConfig path prefix and reference dnsType directly:

🐛 Proposed fix (AWS, lines 1355-1361)
-        - message: cloudLoadBalancerConfig.dnsType is immutable once
-            set
-          rule: 'has(self.cloudLoadBalancerConfig) && has(oldSelf.cloudLoadBalancerConfig)
-            && has(self.cloudLoadBalancerConfig.dnsType) && has(oldSelf.cloudLoadBalancerConfig.dnsType)
-            ? (oldSelf.cloudLoadBalancerConfig.dnsType == '''' ||
-            self.cloudLoadBalancerConfig.dnsType == oldSelf.cloudLoadBalancerConfig.dnsType)
-            : true'
+        - message: cloudLoadBalancerConfig.dnsType is immutable once
+            set
+          rule: '!has(oldSelf.dnsType) || oldSelf.dnsType == '''' ||
+            self.dnsType == oldSelf.dnsType'
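Review bot: the last clause on the `+` lines reads `self.dnsType` with no `has(self.dnsType)` guard, although the rule being removed guarded every access. When `oldSelf.dnsType` is set and non-empty and the updated object omits `dnsType`, the first two clauses are false and evaluation reaches that unguarded read. Write the clause as `(has(self.dnsType) && self.dnsType == oldSelf.dnsType)` so that case is rejected with this rule's own message.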

Apply the same fix to the identical GCP rule at lines 1941–1947.

Also applies to: 1941-1947

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In
`@payload-manifests/crds/0000_10_config-operator_01_infrastructures-CustomNoUpgrade.crd.yaml`
around lines 1355 - 1361, The CEL immutability rules under
x-kubernetes-validations wrongly reference self.cloudLoadBalancerConfig (which
inside the cloudLoadBalancerConfig block makes self already equal to
cloudLoadBalancerConfig), causing has(self.cloudLoadBalancerConfig) to always be
false; fix the rule expressions in the cloudLoadBalancerConfig
x-kubernetes-validations by removing the redundant prefix and referencing
dnsType directly (use has(self.dnsType) and has(oldSelf.dnsType) and compare
oldSelf.dnsType == '' || self.dnsType == oldSelf.dnsType), and apply the
identical change to the GCP copy of the rule (the rule blocks around the
cloudLoadBalancerConfig for AWS and GCP).

Comment on lines 1599 to 1605
- message: cloudLoadBalancerConfig.dnsType is immutable once
set
rule: 'has(self.cloudLoadBalancerConfig) && has(oldSelf.cloudLoadBalancerConfig)
&& has(self.cloudLoadBalancerConfig.dnsType) && has(oldSelf.cloudLoadBalancerConfig.dnsType)
? (oldSelf.cloudLoadBalancerConfig.dnsType == '''' ||
self.cloudLoadBalancerConfig.dnsType == oldSelf.cloudLoadBalancerConfig.dnsType)
: true'

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# First, check if the file exists and get its line count
if [ -f "payload-manifests/crds/0000_10_config-operator_01_infrastructures-Default.crd.yaml" ]; then
  echo "=== File exists. Getting context around lines 1599-1605 ==="
  # Get a wider context to understand the nesting structure
  sed -n '1580,1620p' "payload-manifests/crds/0000_10_config-operator_01_infrastructures-Default.crd.yaml"
else
  echo "File not found in repository root. Searching for it..."
  find . -name "*infrastructures-Default.crd.yaml" -type f 2>/dev/null | head -5
fi

Repository: openshift/api

Length of output: 3262


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Get wider context to see the parent field and structure
sed -n '1550,1610p' "payload-manifests/crds/0000_10_config-operator_01_infrastructures-Default.crd.yaml" | cat -n

Repository: openshift/api

Length of output: 4777


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== Checking for out-of-scope CEL paths ==="
rg -n -C2 "self\.cloudLoadBalancerConfig\.dnsType|oldSelf\.cloudLoadBalancerConfig\.dnsType" \
  payload-manifests/crds/0000_10_config-operator_01_infrastructures-Default.crd.yaml \
  payload-manifests/crds/0000_10_config-operator_01_infrastructures-TechPreviewNoUpgrade.crd.yaml

Repository: openshift/api

Length of output: 3695


Fix CEL field scope: immutability rule references non-existent nested paths.

At lines 1602-1604, this validation runs in cloudLoadBalancerConfig scope, so self.cloudLoadBalancerConfig.dnsType / oldSelf.cloudLoadBalancerConfig.dnsType are out-of-scope. The rule references a path that doesn't exist in the current object, causing the immutability validation to silently fail. AWS/GCP immutability enforcement will be unenforced.

This same issue appears in two additional locations in the TechPreviewNoUpgrade variant (lines 1358-1360 and 1944-1946).

🔧 Proposed fix
-                          rule: 'has(self.cloudLoadBalancerConfig) && has(oldSelf.cloudLoadBalancerConfig)
-                            && has(self.cloudLoadBalancerConfig.dnsType) && has(oldSelf.cloudLoadBalancerConfig.dnsType)
-                            ? (oldSelf.cloudLoadBalancerConfig.dnsType == '''' ||
-                            self.cloudLoadBalancerConfig.dnsType == oldSelf.cloudLoadBalancerConfig.dnsType)
+                          rule: 'has(self.dnsType) && has(oldSelf.dnsType)
+                            ? (oldSelf.dnsType == '''' || self.dnsType == oldSelf.dnsType)
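Review bot: the rule on the `+` lines needs update tests that prove it fires, because a rule that evaluates to `true` on every update produces no visible failure. Add cases under `config/v1/tests` for both AWS and GCP: one that changes `dnsType` from one non-empty value to another and asserts an `expectedStatusError` containing `cloudLoadBalancerConfig.dnsType is immutable once set`, and one that sets it from empty and is accepted.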

Apply this fix to all three occurrences in both Default and TechPreviewNoUpgrade CRD files.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- message: cloudLoadBalancerConfig.dnsType is immutable once
set
rule: 'has(self.cloudLoadBalancerConfig) && has(oldSelf.cloudLoadBalancerConfig)
&& has(self.cloudLoadBalancerConfig.dnsType) && has(oldSelf.cloudLoadBalancerConfig.dnsType)
? (oldSelf.cloudLoadBalancerConfig.dnsType == '''' ||
self.cloudLoadBalancerConfig.dnsType == oldSelf.cloudLoadBalancerConfig.dnsType)
: true'
- message: cloudLoadBalancerConfig.dnsType is immutable once
set
rule: 'has(self.dnsType) && has(oldSelf.dnsType)
? (oldSelf.dnsType == '''' || self.dnsType == oldSelf.dnsType)
: true'
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In
`@payload-manifests/crds/0000_10_config-operator_01_infrastructures-Default.crd.yaml`
around lines 1599 - 1605, The CEL immutability rule currently referenced nested
paths that are out-of-scope (it uses self.cloudLoadBalancerConfig.dnsType and
oldSelf.cloudLoadBalancerConfig.dnsType while the rule is evaluated in the
cloudLoadBalancerConfig scope); update the rule to reference the local fields
instead (use self.dnsType and oldSelf.dnsType) so the CEL expression can
evaluate correctly, and apply the same change to the two other occurrences in
the TechPreviewNoUpgrade variant as well so all three immutability checks in
both Default and TechPreviewNoUpgrade use the in-scope field names.

Comment on lines 1355 to 1361
- message: cloudLoadBalancerConfig.dnsType is immutable once
set
rule: 'has(self.cloudLoadBalancerConfig) && has(oldSelf.cloudLoadBalancerConfig)
&& has(self.cloudLoadBalancerConfig.dnsType) && has(oldSelf.cloudLoadBalancerConfig.dnsType)
? (oldSelf.cloudLoadBalancerConfig.dnsType == '''' ||
self.cloudLoadBalancerConfig.dnsType == oldSelf.cloudLoadBalancerConfig.dnsType)
: true'

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

# First, let's look at the structure around line 1355-1361
sed -n '1340,1375p' payload-manifests/crds/0000_10_config-operator_01_infrastructures-DevPreviewNoUpgrade.crd.yaml | cat -n

Repository: openshift/api

Length of output: 2746


🏁 Script executed:

# And around line 1943 for the second occurrence
sed -n '1928,1960p' payload-manifests/crds/0000_10_config-operator_01_infrastructures-DevPreviewNoUpgrade.crd.yaml | cat -n

Repository: openshift/api

Length of output: 2614


🏁 Script executed:

# Let's also check a broader context to understand the schema structure
sed -n '1320,1380p' payload-manifests/crds/0000_10_config-operator_01_infrastructures-DevPreviewNoUpgrade.crd.yaml | cat -n

Repository: openshift/api

Length of output: 4639


🏁 Script executed:

# Get context to understand which platform section contains these validations
sed -n '1300,1340p' payload-manifests/crds/0000_10_config-operator_01_infrastructures-DevPreviewNoUpgrade.crd.yaml | cat -n

Repository: openshift/api

Length of output: 3146


🏁 Script executed:

# Check around line 1943 for the second occurrence
sed -n '1900,1960p' payload-manifests/crds/0000_10_config-operator_01_infrastructures-DevPreviewNoUpgrade.crd.yaml | cat -n

Repository: openshift/api

Length of output: 4925


🏁 Script executed:

# Also verify exact line numbers where cloudLoadBalancerConfig is defined
rg -n "cloudLoadBalancerConfig:" payload-manifests/crds/0000_10_config-operator_01_infrastructures-DevPreviewNoUpgrade.crd.yaml

Repository: openshift/api

Length of output: 212


🏁 Script executed:

# Let's get more context around line 1253 to see the structure
sed -n '1240,1280p' payload-manifests/crds/0000_10_config-operator_01_infrastructures-DevPreviewNoUpgrade.crd.yaml | cat -n

Repository: openshift/api

Length of output: 2754


🏁 Script executed:

# And check around 1464 and 1839
sed -n '1450,1480p' payload-manifests/crds/0000_10_config-operator_01_infrastructures-DevPreviewNoUpgrade.crd.yaml | cat -n

Repository: openshift/api

Length of output: 2174


🏁 Script executed:

# Get the structure leading up to the validation rule to confirm where it sits
sed -n '1265,1365p' payload-manifests/crds/0000_10_config-operator_01_infrastructures-DevPreviewNoUpgrade.crd.yaml | cat -n

Repository: openshift/api

Length of output: 7630


🏁 Script executed:

# Verify exact line 1357 and 1943 for the validation rules
sed -n '1355,1365p' payload-manifests/crds/0000_10_config-operator_01_infrastructures-DevPreviewNoUpgrade.crd.yaml | cat -n

Repository: openshift/api

Length of output: 911


🏁 Script executed:

# Check exact line 1943
sed -n '1941,1950p' payload-manifests/crds/0000_10_config-operator_01_infrastructures-DevPreviewNoUpgrade.crd.yaml | cat -n

Repository: openshift/api

Length of output: 877


Fix CEL field scope in AWS/GCP cloudLoadBalancerConfig immutability rules.

At lines 1357 and 1943, the cloudLoadBalancerConfig.dnsType immutability rule is nested within the cloudLoadBalancerConfig schema, so self.cloudLoadBalancerConfig.* / oldSelf.cloudLoadBalancerConfig.* is incorrectly scoped. The rule should reference self.dnsType and oldSelf.dnsType directly, matching the scope pattern used in the adjacent clusterHosted validation rule on the same object.

🔧 Proposed fix
-                        - message: cloudLoadBalancerConfig.dnsType is immutable once
-                            set
-                          rule: 'has(self.cloudLoadBalancerConfig) && has(oldSelf.cloudLoadBalancerConfig)
-                            && has(self.cloudLoadBalancerConfig.dnsType) && has(oldSelf.cloudLoadBalancerConfig.dnsType)
-                            ? (oldSelf.cloudLoadBalancerConfig.dnsType == '''' ||
-                            self.cloudLoadBalancerConfig.dnsType == oldSelf.cloudLoadBalancerConfig.dnsType)
-                            : true'
+                        - message: cloudLoadBalancerConfig.dnsType is immutable once
+                            set
+                          rule: 'has(self.dnsType) && has(oldSelf.dnsType)
+                            ? (oldSelf.dnsType == '''' || self.dnsType == oldSelf.dnsType)
+                            : true'
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In
`@payload-manifests/crds/0000_10_config-operator_01_infrastructures-DevPreviewNoUpgrade.crd.yaml`
around lines 1355 - 1361, The CEL immutability rule inside the
cloudLoadBalancerConfig schema is using fully-qualified paths
(self.cloudLoadBalancerConfig.dnsType and
oldSelf.cloudLoadBalancerConfig.dnsType) but must use the current object scope;
update the rule expressions for the cloudLoadBalancerConfig.dnsType immutability
checks (the rule entries under the cloudLoadBalancerConfig schema at the two
occurrences) to reference self.dnsType and oldSelf.dnsType instead, mirroring
how clusterHosted validation uses the local scope.

Comment on lines 1599 to 1605
- message: cloudLoadBalancerConfig.dnsType is immutable once
set
rule: 'has(self.cloudLoadBalancerConfig) && has(oldSelf.cloudLoadBalancerConfig)
&& has(self.cloudLoadBalancerConfig.dnsType) && has(oldSelf.cloudLoadBalancerConfig.dnsType)
? (oldSelf.cloudLoadBalancerConfig.dnsType == '''' ||
self.cloudLoadBalancerConfig.dnsType == oldSelf.cloudLoadBalancerConfig.dnsType)
: true'

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

target="payload-manifests/crds/0000_10_config-operator_01_infrastructures-OKD.crd.yaml"

echo "=== Context around the changed GCP cloudLoadBalancerConfig rule ==="
nl -ba "$target" | sed -n '1570,1615p'

echo
echo "=== Find all dnsType immutability rules and scoped field references ==="
rg -n -C3 "cloudLoadBalancerConfig\.dnsType is immutable once set|self\.cloudLoadBalancerConfig|oldSelf\.cloudLoadBalancerConfig" payload-manifests/crds config/v1/tests || echo "No matches found"

echo
echo "=== Current expected error paths in AWS/GCP fixtures ==="
rg -n "expectedStatusError: \".*cloudLoadBalancerConfig\.dnsType is immutable once set" config/v1/tests/ || echo "No test fixtures with this error path found"

Repository: openshift/api

Length of output: 184


🏁 Script executed:

#!/bin/bash
set -euo pipefail

target="payload-manifests/crds/0000_10_config-operator_01_infrastructures-OKD.crd.yaml"

echo "=== Verify file exists ==="
ls -la "$target"

echo
echo "=== Context around the changed GCP cloudLoadBalancerConfig rule (lines 1570-1615) ==="
cat -n "$target" | sed -n '1570,1615p'

echo
echo "=== Find all dnsType immutability rules and scoped field references ==="
rg -n "dnsType is immutable" . || echo "No dnsType immutability rules found"

echo
echo "=== Look for cloudLoadBalancerConfig validation rules ==="
rg -n -B5 -A5 "cloudLoadBalancerConfig" "$target" | head -100 || echo "No matches found"

Repository: openshift/api

Length of output: 15260


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== Check GCP struct definition in types_infrastructure.go ==="
grep -n "type.*GCP\|CloudLoadBalancerConfig\|dnsType" config/v1/types_infrastructure.go | head -50

echo
echo "=== Show the kubebuilder annotation around line 562 ==="
sed -n '558,575p' config/v1/types_infrastructure.go

echo
echo "=== Show the kubebuilder annotation around line 792 ==="
sed -n '788,805p' config/v1/types_infrastructure.go

Repository: openshift/api

Length of output: 4908


🏁 Script executed:

#!/bin/bash
set -euo pipefail

target="payload-manifests/crds/0000_10_config-operator_01_infrastructures-OKD.crd.yaml"

echo "=== Full nesting context from gcp to cloudLoadBalancerConfig ==="
sed -n '1493,1610p' "$target" | cat -n

echo
echo "=== Check CloudLoadBalancerConfig struct definition ==="
sed -n '871,920p' config/v1/types_infrastructure.go

echo
echo "=== Check test fixtures to see if validation works ==="
grep -A5 -B5 "dnsType is immutable once set" config/v1/tests/infrastructures.config.openshift.io/*.yaml 2>/dev/null | head -50

Repository: openshift/api

Length of output: 17324


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== Verify AWS platform has the same issue ==="
grep -A10 "cloudLoadBalancerConfig.dnsType is immutable once" config/v1/types_infrastructure.go | head -20

echo
echo "=== Check if GCP/AWS platformStatus structures use same validation ==="
rg -n "type.*Status struct" config/v1/types_infrastructure.go | grep -E "AWS|GCP"

echo
echo "=== Validate the proposed fix by checking first rule in same block ==="
sed -n '1594,1606p' payload-manifests/crds/0000_10_config-operator_01_infrastructures-OKD.crd.yaml

Repository: openshift/api

Length of output: 2842


Fix CEL scope in the dnsType immutability rule across all platform statuses.

The validation rule at cloudLoadBalancerConfig object scope incorrectly references self.cloudLoadBalancerConfig.dnsType when self is already scoped to cloudLoadBalancerConfig. The first rule in the same block demonstrates the correct pattern using self.dnsType directly. This scope mismatch affects both AWS and GCP platform status validations and appears in 44+ generated CRD files.

🔧 Proposed fix
-                        - message: cloudLoadBalancerConfig.dnsType is immutable once
-                            set
-                          rule: 'has(self.cloudLoadBalancerConfig) && has(oldSelf.cloudLoadBalancerConfig)
-                            && has(self.cloudLoadBalancerConfig.dnsType) && has(oldSelf.cloudLoadBalancerConfig.dnsType)
-                            ? (oldSelf.cloudLoadBalancerConfig.dnsType == '''' ||
-                            self.cloudLoadBalancerConfig.dnsType == oldSelf.cloudLoadBalancerConfig.dnsType)
-                            : true'
+                        - message: cloudLoadBalancerConfig.dnsType is immutable once set
+                          rule: "!has(oldSelf.dnsType) || oldSelf.dnsType == '' || (has(self.dnsType) && self.dnsType == oldSelf.dnsType)"
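Review bot: the `+` lines change formatting as well as logic in a generated manifest: the message is joined onto one line and the rule moves from a single-quoted to a double-quoted scalar, so the hand-edited lines may not match what regeneration produces. Make the change in the `+kubebuilder:validation:XValidation` markers in `config/v1/types_infrastructure.go` and regenerate the CRDs, leaving wrapping and quoting to the generator.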

Apply the same fix to both AWSPlatformStatus (config/v1/types_infrastructure.go line 562) and GCPPlatformStatus (line 792), which will regenerate all affected CRD manifests.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In
`@payload-manifests/crds/0000_10_config-operator_01_infrastructures-OKD.crd.yaml`
around lines 1599 - 1605, The CEL immutability rule is using the wrong scope
(referencing self.cloudLoadBalancerConfig.dnsType) inside the
cloudLoadBalancerConfig validation block; update the predicate to use
self.dnsType (and oldSelf.dnsType) instead. Edit the immutability rule
definition in the AWSPlatformStatus and GCPPlatformStatus types (the
cloudLoadBalancerConfig validation for dnsType in the types that generate the
CRDs) to replace occurrences of self.cloudLoadBalancerConfig.dnsType and
oldSelf.cloudLoadBalancerConfig.dnsType with self.dnsType and oldSelf.dnsType so
the rule matches the local object scope and regenerates the CRDs.
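The scope mismatch and the three replacement rules proposed in the comments above, compared side by side. This is an added example, not code from the PR or from openshift/api: a plain-Go model of the rule logic (not cel-go and not the API server's evaluator), with constructed transitions and sample values. It assumes that reading an absent field is an evaluation error; in this untyped model the submitted rule allows every transition, which is the no-op the review comments describe.

```go
package main

import (
	"fmt"
	"strings"
)

// scope models what a rule sees as self or oldSelf at the
// cloudLoadBalancerConfig level: the fields present on that one object.
type scope map[string]string

type rule func(self, old scope) (bool, error)

func has(s scope, f string) bool { _, ok := s[f]; return ok }

// get reads a field. Assumption: an absent field is an evaluation error,
// not an empty string.
func get(s scope, f string) (string, error) {
	if v, ok := s[f]; ok {
		return v, nil
	}
	return "", fmt.Errorf("no such key: %s", f)
}

// core models: oldSelf.dnsType == '' || self.dnsType == oldSelf.dnsType
func core(self, old scope) (bool, error) {
	o, err := get(old, "dnsType")
	if err != nil || o == "" {
		return err == nil, err
	}
	n, err := get(self, "dnsType")
	return err == nil && n == o, err
}

// misScoped models the submitted rule: its guard looks for a field named
// cloudLoadBalancerConfig inside cloudLoadBalancerConfig itself.
func misScoped(self, old scope) (bool, error) {
	if has(self, "cloudLoadBalancerConfig") && has(old, "cloudLoadBalancerConfig") {
		return core(self, old) // never reached with the scopes below
	}
	return true, nil
}

// ternary: has(self.dnsType) && has(oldSelf.dnsType) ? (core) : true
func ternary(self, old scope) (bool, error) {
	if has(self, "dnsType") && has(old, "dnsType") {
		return core(self, old)
	}
	return true, nil
}

// unguarded: !has(oldSelf.dnsType) || core
func unguarded(self, old scope) (bool, error) {
	if !has(old, "dnsType") {
		return true, nil
	}
	return core(self, old)
}

// guarded: !has(oldSelf.dnsType) || oldSelf.dnsType == '' ||
// (has(self.dnsType) && self.dnsType == oldSelf.dnsType)
func guarded(self, old scope) (bool, error) {
	if !has(old, "dnsType") || old["dnsType"] == "" {
		return true, nil
	}
	return has(self, "dnsType") && self["dnsType"] == old["dnsType"], nil
}

var rules = []struct {
	name string
	fn   rule
}{{"misScoped", misScoped}, {"ternary", ternary}, {"unguarded", unguarded}, {"guarded", guarded}}

// Constructed update transitions (old object, new object).
var transitions = []struct {
	name      string
	old, self scope
}{
	{"unset -> ClusterHosted", scope{}, scope{"dnsType": "ClusterHosted"}},
	{"'' -> ClusterHosted", scope{"dnsType": ""}, scope{"dnsType": "ClusterHosted"}},
	{"unchanged", scope{"dnsType": "PlatformDefault"}, scope{"dnsType": "PlatformDefault"}},
	{"PlatformDefault -> ClusterHosted", scope{"dnsType": "PlatformDefault"}, scope{"dnsType": "ClusterHosted"}},
	{"PlatformDefault -> removed", scope{"dnsType": "PlatformDefault"}, scope{}},
}

// Verdicts returns, per rule, the outcome of each transition in order.
func Verdicts() map[string]string {
	out := map[string]string{}
	for _, r := range rules {
		row := []string{}
		for _, t := range transitions {
			ok, err := r.fn(t.self, t.old)
			switch {
			case err != nil:
				row = append(row, "error")
			case ok:
				row = append(row, "allow")
			default:
				row = append(row, "deny")
			}
		}
		out[r.name] = strings.Join(row, " ")
	}
	return out
}

func main() {
	v := Verdicts()
	for _, r := range rules {
		fmt.Printf("%-10s %s\n", r.name, v[r.name])
	}
}
```

The last column is where the proposals diverge: only the guarded form denies removal of a value that was already set.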

Comment on lines 1641 to 1648
- message: cloudLoadBalancerConfig.dnsType is immutable
once set
rule: 'has(self.cloudLoadBalancerConfig) && has(oldSelf.cloudLoadBalancerConfig)
&& has(self.cloudLoadBalancerConfig.dnsType) &&
has(oldSelf.cloudLoadBalancerConfig.dnsType) ?
(oldSelf.cloudLoadBalancerConfig.dnsType == ''''
|| self.cloudLoadBalancerConfig.dnsType == oldSelf.cloudLoadBalancerConfig.dnsType)
: true'

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

# Read the target YAML file around the lines in question
sed -n '1630,1660p' payload-manifests/crds/0000_80_machine-config_01_controllerconfigs-TechPreviewNoUpgrade.crd.yaml | cat -n

Repository: openshift/api

Length of output: 2375


🏁 Script executed:

# Search for the pattern claiming to be broken
rg -n 'self\.cloudLoadBalancerConfig\.dnsType' --type yaml

Repository: openshift/api

Length of output: 15804


🏁 Script executed:

# Look for the prior rule cited as correct
rg -B5 -A5 'self\.dnsType.*self\.clusterHosted' --type yaml | head -50

Repository: openshift/api

Length of output: 39


🏁 Script executed:

# Check if similar pattern exists in other CRD files
fd '\.crd\.yaml$' payload-manifests/crds/ | xargs -I {} rg -l 'cloudLoadBalancerConfig' {}

Repository: openshift/api

Length of output: 951


🏁 Script executed:

# Search Go source for the validation rule definition
find . -name '*.go' -type f | xargs rg -n 'cloudLoadBalancerConfig.*dnsType' | head -20

Repository: openshift/api

Length of output: 2162


🏁 Script executed:

# Get more context around the validation rules in the target file
sed -n '1600,1700p' payload-manifests/crds/0000_80_machine-config_01_controllerconfigs-TechPreviewNoUpgrade.crd.yaml | cat -n

Repository: openshift/api

Length of output: 8702


🏁 Script executed:

# Look for the parent schema object containing these rules
sed -n '1500,1650p' payload-manifests/crds/0000_80_machine-config_01_controllerconfigs-TechPreviewNoUpgrade.crd.yaml | grep -E '^\s+(cloudLoadBalancerConfig|dnsType|clusterHosted|properties|type:.*object)' | head -40

Repository: openshift/api

Length of output: 962


🏁 Script executed:

# Check the Go source to see which struct this validation is attached to
sed -n '550,570p' ./config/v1/types_infrastructure.go

Repository: openshift/api

Length of output: 1440


🏁 Script executed:

# Also check around line 792 mentioned in the Go search
sed -n '780,810p' ./machineconfiguration/v1/types_controllerconfig.go 2>/dev/null || sed -n '1,30p' ./machineconfiguration/v1/types_controllerconfig.go 2>/dev/null

Repository: openshift/api

Length of output: 39


🏁 Script executed:

# Search for the ControllerConfig struct definition with the validation rule
rg -B10 'cloudLoadBalancerConfig.dnsType is immutable' --type go | head -40

Repository: openshift/api

Length of output: 2609


🏁 Script executed:

# Extract the exact structure with indentation to identify nesting levels
sed -n '1620,1680p' payload-manifests/crds/0000_80_machine-config_01_controllerconfigs-TechPreviewNoUpgrade.crd.yaml | cat -A

Repository: openshift/api

Length of output: 5024


🏁 Script executed:

# Find the properties structure to understand which fields own these validation rules
sed -n '1400,1660p' payload-manifests/crds/0000_80_machine-config_01_controllerconfigs-TechPreviewNoUpgrade.crd.yaml | grep -E '^(.*)(properties|cloudLoadBalancerConfig|x-kubernetes-validations):' | head -20

Repository: openshift/api

Length of output: 627


🏁 Script executed:

# Get the complete context with indentation preserved - show the actual structure
sed -n '1630,1655p' payload-manifests/crds/0000_80_machine-config_01_controllerconfigs-TechPreviewNoUpgrade.crd.yaml | head -30

Repository: openshift/api

Length of output: 1926


🏁 Script executed:

# Verify the nesting by checking what properties are at this schema level
sed -n '1550,1660p' payload-manifests/crds/0000_80_machine-config_01_controllerconfigs-TechPreviewNoUpgrade.crd.yaml | grep -B30 'x-kubernetes-validations:' | tail -35

Repository: openshift/api

Length of output: 2869


🏁 Script executed:

# Test CEL behavior: does has(self.cloudLoadBalancerConfig) evaluate correctly when self IS cloudLoadBalancerConfig?
# Check by looking at the exact indentation of the object and its validations
python3 << 'EOF'
import yaml

with open('payload-manifests/crds/0000_80_machine-config_01_controllerconfigs-TechPreviewNoUpgrade.crd.yaml', 'r') as f:
    content = f.read()
    
# Find lines 1630-1655 to understand the nesting
lines = content.split('\n')[1629:1655]
for i, line in enumerate(lines, start=1630):
    print(f"{i}: {repr(line)}")
EOF

Repository: openshift/api

Length of output: 2134


🏁 Script executed:

# Let me find the parent object to understand the full context
sed -n '1400,1550p' payload-manifests/crds/0000_80_machine-config_01_controllerconfigs-TechPreviewNoUpgrade.crd.yaml | tail -100

Repository: openshift/api

Length of output: 5535


🏁 Script executed:

# Search for where cloudLoadBalancerConfig properties are defined
rg -B20 'dnsType:' payload-manifests/crds/0000_80_machine-config_01_controllerconfigs-TechPreviewNoUpgrade.crd.yaml | grep -E '(properties|cloudLoadBalancerConfig|AWSPlatformStatus)' | head -20

Repository: openshift/api

Length of output: 341


🏁 Script executed:

# Check the infrastructure config to find the parent struct
rg -B5 'CloudLoadBalancerConfig.*cloudLoadBalancerConfig' config/v1/types_infrastructure.go | head -30

Repository: openshift/api

Length of output: 1648


🏁 Script executed:

# Check if this validation rule might be on a different object - look for where it says "properties:"
sed -n '1500,1660p' payload-manifests/crds/0000_80_machine-config_01_controllerconfigs-TechPreviewNoUpgrade.crd.yaml | grep -n -E '^\s{0,40}(cloudLoadBalancerConfig|properties|description):'

Repository: openshift/api

Length of output: 1208


🏁 Script executed:

# Let me get the full structure around cloudLoadBalancerConfig with line numbers to understand parent relationships
sed -n '1470,1660p' payload-manifests/crds/0000_80_machine-config_01_controllerconfigs-TechPreviewNoUpgrade.crd.yaml | cat -n | head -200

Repository: openshift/api

Length of output: 13910


Bug: CEL validation rule references non-existent field — dnsType immutability is not enforced.

At this schema level, self refers to the cloudLoadBalancerConfig object itself. The first rule correctly uses self.dnsType to validate constraints on that object. However, the second rule references self.cloudLoadBalancerConfig.dnsType, which attempts to access a cloudLoadBalancerConfig field nested within itself — a path that does not exist.

Because has(self.cloudLoadBalancerConfig) always evaluates to false, the ternary expression unconditionally returns true, bypassing the immutability check entirely. The dnsType field remains mutable despite the intent to lock it after initial configuration.

This bug appears in the Go source at config/v1/types_infrastructure.go (on the parent struct field) and propagates to 50+ generated CRD files.

🐛 Proposed fix — use `self.dnsType` / `oldSelf.dnsType` directly
                                - message: cloudLoadBalancerConfig.dnsType is immutable
                                    once set
-                                  rule: 'has(self.cloudLoadBalancerConfig) && has(oldSelf.cloudLoadBalancerConfig)
-                                    && has(self.cloudLoadBalancerConfig.dnsType) &&
-                                    has(oldSelf.cloudLoadBalancerConfig.dnsType) ?
-                                    (oldSelf.cloudLoadBalancerConfig.dnsType == ''''
-                                    || self.cloudLoadBalancerConfig.dnsType == oldSelf.cloudLoadBalancerConfig.dnsType)
-                                    : true'
+                                  rule: 'has(self.dnsType) && has(oldSelf.dnsType)
+                                    ? (oldSelf.dnsType == ''''
+                                    || self.dnsType == oldSelf.dnsType)
+                                    : true'
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- message: cloudLoadBalancerConfig.dnsType is immutable
once set
rule: 'has(self.cloudLoadBalancerConfig) && has(oldSelf.cloudLoadBalancerConfig)
&& has(self.cloudLoadBalancerConfig.dnsType) &&
has(oldSelf.cloudLoadBalancerConfig.dnsType) ?
(oldSelf.cloudLoadBalancerConfig.dnsType == ''''
|| self.cloudLoadBalancerConfig.dnsType == oldSelf.cloudLoadBalancerConfig.dnsType)
: true'
- message: cloudLoadBalancerConfig.dnsType is immutable
once set
rule: 'has(self.dnsType) && has(oldSelf.dnsType)
? (oldSelf.dnsType == ''''
|| self.dnsType == oldSelf.dnsType)
: true'
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In
`@payload-manifests/crds/0000_80_machine-config_01_controllerconfigs-TechPreviewNoUpgrade.crd.yaml`
around lines 1641 - 1648, The CEL immutability rule incorrectly references a
nested field (self.cloudLoadBalancerConfig.dnsType) causing the check to always
short-circuit; update the rule to reference the fields on the object itself (use
self.dnsType and oldSelf.dnsType) and replace has(self.cloudLoadBalancerConfig)
/ has(oldSelf.cloudLoadBalancerConfig) with has(self.dnsType) /
has(oldSelf.dnsType) (or just has(self) checks appropriate to the schema) so the
ternary expression actually compares oldSelf.dnsType == '' || self.dnsType ==
oldSelf.dnsType and enforces immutability for dnsType on
cloudLoadBalancerConfig.

Currently, the DNSType is immutable once set. ARO needs to enable
this capability of starting in-cluster DNS on Day-2. That would
require changing the value of DNSType on Day-2 to `ClusterHosted`.
Similarly, they would also like the option to disable this feature
on Day-2 as well.
@coderabbitai coderabbitai bot left a comment

♻️ Duplicate comments (10)
payload-manifests/crds/0000_10_config-operator_01_infrastructures-CustomNoUpgrade.crd.yaml (1)

1355-1358: ⚠️ Potential issue | 🔴 Critical

Fix CEL scope in DNSType immutability rules (currently no-op).

At Line [1357] and Line [1940], the rule references self.cloudLoadBalancerConfig.* / oldSelf.cloudLoadBalancerConfig.* inside the cloudLoadBalancerConfig object scope. That path is out of scope, so the immutability guard does not evaluate as intended for AWS/GCP.

🐛 Proposed fix
-                        - message: cloudLoadBalancerConfig.dnsType is immutable once
-                            set
-                          rule: oldSelf.cloudLoadBalancerConfig.dnsType == '' || self.cloudLoadBalancerConfig.dnsType
-                            == oldSelf.cloudLoadBalancerConfig.dnsType
+                        - message: cloudLoadBalancerConfig.dnsType is immutable once
+                            set
+                          rule: '!has(oldSelf.dnsType) || oldSelf.dnsType == '' ||
+                            self.dnsType == oldSelf.dnsType'
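Review bot: the `+` rule is a single-quoted YAML scalar, and inside one a doubled `''` is the escape for a single literal quote, so `oldSelf.dnsType == ''` reaches CEL as `oldSelf.dnsType == '` with an unterminated string. Write the empty string as `''''`, as the other proposed fixes for this rule do. The second hunk after the `...` has the same problem.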
...
-                        - message: cloudLoadBalancerConfig.dnsType is immutable once
-                            set
-                          rule: oldSelf.cloudLoadBalancerConfig.dnsType == '' || self.cloudLoadBalancerConfig.dnsType
-                            == oldSelf.cloudLoadBalancerConfig.dnsType
+                        - message: cloudLoadBalancerConfig.dnsType is immutable once
+                            set
+                          rule: '!has(oldSelf.dnsType) || oldSelf.dnsType == '' ||
+                            self.dnsType == oldSelf.dnsType'
#!/bin/bash
set -euo pipefail

file="payload-manifests/crds/0000_10_config-operator_01_infrastructures-CustomNoUpgrade.crd.yaml"

echo "Checking for out-of-scope CEL references:"
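# rg exits 1 when nothing matches; under set -e that would stop the script before the second check
rg -n "self\.cloudLoadBalancerConfig\.dnsType|oldSelf\.cloudLoadBalancerConfig\.dnsType" "$file" || true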

echo
echo "Showing immutability rule blocks:"
rg -n "cloudLoadBalancerConfig\.dnsType is immutable once set" -A3 "$file"

Also applies to: 1938-1941

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In
`@payload-manifests/crds/0000_10_config-operator_01_infrastructures-CustomNoUpgrade.crd.yaml`
around lines 1355 - 1358, The CEL immutability rule inside the
cloudLoadBalancerConfig object is referencing out-of-scope paths
(self.cloudLoadBalancerConfig.dnsType and
oldSelf.cloudLoadBalancerConfig.dnsType) so it never evaluates; update the CEL
expression in the cloudLoadBalancerConfig validation rule to refer to the local
field names (use self.dnsType and oldSelf.dnsType) so the rule becomes e.g.
oldSelf.dnsType == '' || self.dnsType == oldSelf.dnsType (and apply the same
change for the duplicate rule elsewhere), ensuring the message about dnsType
immutability remains unchanged.
payload-manifests/crds/0000_10_config-operator_01_infrastructures-TechPreviewNoUpgrade.crd.yaml (2)

1355-1358: ⚠️ Potential issue | 🔴 Critical

AWS immutability CEL rule references a non-existent path and is completely ineffective.

This x-kubernetes-validations block is scoped to the cloudLoadBalancerConfig object (line 1349 type: object), so self is the cloudLoadBalancerConfig instance. Referencing self.cloudLoadBalancerConfig.dnsType tries to access a nested cloudLoadBalancerConfig property that doesn't exist within cloudLoadBalancerConfig. The rule will either error out or be silently bypassed, meaning dnsType is not actually immutable on AWS.

Use self.dnsType / oldSelf.dnsType instead:

🐛 Proposed fix
                         - message: cloudLoadBalancerConfig.dnsType is immutable once
                             set
-                          rule: oldSelf.cloudLoadBalancerConfig.dnsType == '' || self.cloudLoadBalancerConfig.dnsType
-                            == oldSelf.cloudLoadBalancerConfig.dnsType
+                          rule: oldSelf.dnsType == '' || self.dnsType == oldSelf.dnsType
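Review bot: the `+` rule reads `oldSelf.dnsType` with no `has()` guard. If dnsType can be absent on the stored object, the expression raises an evaluation error instead of allowing the first set; putting `!has(oldSelf.dnsType) ||` in front avoids that.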
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In
`@payload-manifests/crds/0000_10_config-operator_01_infrastructures-TechPreviewNoUpgrade.crd.yaml`
around lines 1355 - 1358, The CEL immutability rule inside the
x-kubernetes-validations for the cloudLoadBalancerConfig object incorrectly
references self.cloudLoadBalancerConfig.dnsType and
oldSelf.cloudLoadBalancerConfig.dnsType (which don't exist because self is
already the cloudLoadBalancerConfig), so the dnsType immutability check is
ineffective; update the rule to use self.dnsType and oldSelf.dnsType (i.e.,
replace both occurrences of self.cloudLoadBalancerConfig.dnsType and
oldSelf.cloudLoadBalancerConfig.dnsType with self.dnsType and oldSelf.dnsType)
so the dnsType immutability is actually enforced for cloudLoadBalancerConfig.

1938-1941: ⚠️ Potential issue | 🔴 Critical

GCP immutability CEL rule has the same incorrect scoping — dnsType is not actually immutable on GCP.

Same issue as the AWS rule. At this scope, self is the cloudLoadBalancerConfig object; self.cloudLoadBalancerConfig doesn't exist.

🐛 Proposed fix
                         - message: cloudLoadBalancerConfig.dnsType is immutable once
                             set
-                          rule: oldSelf.cloudLoadBalancerConfig.dnsType == '' || self.cloudLoadBalancerConfig.dnsType
-                            == oldSelf.cloudLoadBalancerConfig.dnsType
+                          rule: oldSelf.dnsType == '' || self.dnsType == oldSelf.dnsType
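Review bot: this `+` line edits a generated manifest under payload-manifests/crds, so a hand edit here is lost at the next regeneration. Make the change in the XValidation marker in config/v1/types_infrastructure.go and regenerate, then confirm the GCP block at lines 1938-1941 picks it up.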
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In
`@payload-manifests/crds/0000_10_config-operator_01_infrastructures-TechPreviewNoUpgrade.crd.yaml`
around lines 1938 - 1941, The CEL immutability rule is using incorrect scoping
(it references self.cloudLoadBalancerConfig which doesn't exist at this scope);
update the rule for cloudLoadBalancerConfig.dnsType to compare dnsType directly
on self and oldSelf, e.g. replace "oldSelf.cloudLoadBalancerConfig.dnsType == ''
|| self.cloudLoadBalancerConfig.dnsType ==
oldSelf.cloudLoadBalancerConfig.dnsType" with "oldSelf.dnsType == '' ||
self.dnsType == oldSelf.dnsType" so the rule uses self.dnsType and
oldSelf.dnsType.
payload-manifests/crds/0000_10_config-operator_01_infrastructures-DevPreviewNoUpgrade.crd.yaml (1)

1355-1358: ⚠️ Potential issue | 🔴 Critical

Fix CEL field scope in AWS and GCP cloudLoadBalancerConfig immutability rules.

The x-kubernetes-validations blocks at Lines 1350–1358 (AWS) and 1933–1941 (GCP) are attached to the cloudLoadBalancerConfig object schema, so self/oldSelf already refers to cloudLoadBalancerConfig itself. The new immutability rule incorrectly uses self.cloudLoadBalancerConfig.dnsType / oldSelf.cloudLoadBalancerConfig.dnsType, which tries to traverse a non-existent sub-field and will never match. Compare to the adjacent sibling rule on the same object (Line 1353 / 1936) which correctly uses self.dnsType / has(self.dnsType).

🔧 Proposed fix — AWS (Lines 1355–1358)
-                        - message: cloudLoadBalancerConfig.dnsType is immutable once
-                            set
-                          rule: oldSelf.cloudLoadBalancerConfig.dnsType == '' || self.cloudLoadBalancerConfig.dnsType
-                            == oldSelf.cloudLoadBalancerConfig.dnsType
+                        - message: cloudLoadBalancerConfig.dnsType is immutable once
+                            set
+                          rule: oldSelf.dnsType == '' || self.dnsType == oldSelf.dnsType
🔧 Proposed fix — GCP (Lines 1938–1941)
-                        - message: cloudLoadBalancerConfig.dnsType is immutable once
-                            set
-                          rule: oldSelf.cloudLoadBalancerConfig.dnsType == '' || self.cloudLoadBalancerConfig.dnsType
-                            == oldSelf.cloudLoadBalancerConfig.dnsType
+                        - message: cloudLoadBalancerConfig.dnsType is immutable once
+                            set
+                          rule: oldSelf.dnsType == '' || self.dnsType == oldSelf.dnsType

Also applies to: 1938-1941

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In
`@payload-manifests/crds/0000_10_config-operator_01_infrastructures-DevPreviewNoUpgrade.crd.yaml`
around lines 1355 - 1358, The CEL immutability rule attached to the
cloudLoadBalancerConfig object incorrectly references
self.cloudLoadBalancerConfig.dnsType and oldSelf.cloudLoadBalancerConfig.dnsType
(which do not exist at that scope); update the rule expressions in the
x-kubernetes-validations for both AWS and GCP to use self.dnsType and
oldSelf.dnsType respectively so the immutability check runs against the dnsType
field of cloudLoadBalancerConfig itself (look for the validation entries with
message "cloudLoadBalancerConfig.dnsType is immutable once set" and the
associated rule).
payload-manifests/crds/0000_80_machine-config_01_controllerconfigs-TechPreviewNoUpgrade.crd.yaml (1)

1641-1645: ⚠️ Potential issue | 🔴 Critical

Fix unresolved CEL path bug in dnsType immutability rules (AWS/GCP).

This is still using self.cloudLoadBalancerConfig.dnsType at the cloudLoadBalancerConfig object scope, so the immutability check does not evaluate the intended field path.

🐛 Proposed fix
-                                - message: cloudLoadBalancerConfig.dnsType is immutable
-                                    once set
-                                  rule: oldSelf.cloudLoadBalancerConfig.dnsType ==
-                                    '' || self.cloudLoadBalancerConfig.dnsType ==
-                                    oldSelf.cloudLoadBalancerConfig.dnsType
+                                - message: cloudLoadBalancerConfig.dnsType is immutable
+                                    once set
+                                  rule: 'has(self.dnsType) && has(oldSelf.dnsType)
+                                    ? (oldSelf.dnsType == '''' || self.dnsType == oldSelf.dnsType)
+                                    : true'
#!/bin/bash
# Verify unresolved invalid CEL field paths in this CRD
rg -n -C2 "self\.cloudLoadBalancerConfig\.dnsType|oldSelf\.cloudLoadBalancerConfig\.dnsType" \
  payload-manifests/crds/0000_80_machine-config_01_controllerconfigs-TechPreviewNoUpgrade.crd.yaml

# Optional: confirm all similar CRDs are clean after regeneration/fix
rg -n -C2 "self\.cloudLoadBalancerConfig\.dnsType|oldSelf\.cloudLoadBalancerConfig\.dnsType" \
  payload-manifests/crds/*.crd.yaml

Also applies to: 2230-2234

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In
`@payload-manifests/crds/0000_80_machine-config_01_controllerconfigs-TechPreviewNoUpgrade.crd.yaml`
around lines 1641 - 1645, The CEL immutability rule is referencing
self.cloudLoadBalancerConfig.dnsType and oldSelf.cloudLoadBalancerConfig.dnsType
from within the cloudLoadBalancerConfig object scope, which makes the path
invalid; update the expressions to use the correct relative field paths (e.g.
replace self.cloudLoadBalancerConfig.dnsType and
oldSelf.cloudLoadBalancerConfig.dnsType with self.dnsType and oldSelf.dnsType)
so the rule on cloudLoadBalancerConfig.dnsType evaluates the intended field
(also apply the same change for the duplicated occurrences around lines
2230-2234).
payload-manifests/crds/0000_80_machine-config_01_controllerconfigs-DevPreviewNoUpgrade.crd.yaml (2)

1641-1645: ⚠️ Potential issue | 🔴 Critical

Fix CEL scope: immutability rule references a non-existent nested object.

At Line 1643 and Line 2232, self is already cloudLoadBalancerConfig, so self.cloudLoadBalancerConfig.* / oldSelf.cloudLoadBalancerConfig.* are out of scope and the rule won’t enforce dnsType immutability correctly.

🐛 Proposed fix (apply in both AWS and GCP blocks)
-                                - message: cloudLoadBalancerConfig.dnsType is immutable
-                                    once set
-                                  rule: oldSelf.cloudLoadBalancerConfig.dnsType ==
-                                    '' || self.cloudLoadBalancerConfig.dnsType ==
-                                    oldSelf.cloudLoadBalancerConfig.dnsType
+                                - message: dnsType is immutable once set
+                                  rule: '!has(oldSelf.dnsType) || oldSelf.dnsType == '''' || self.dnsType == oldSelf.dnsType'
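Review bot: the `+` message is shortened to `dnsType is immutable once set`, while the other proposed fixes for this rule and the marker in config/v1/types_infrastructure.go keep `cloudLoadBalancerConfig.dnsType is immutable once set`. Keep the original message so the scope fix does not also change the user-facing error text and this CRD does not diverge from the others.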
#!/bin/bash
set -euo pipefail

file="payload-manifests/crds/0000_80_machine-config_01_controllerconfigs-DevPreviewNoUpgrade.crd.yaml"

echo "Current problematic references (expect matches before fix, none after fix):"
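# rg exits 1 when nothing matches; under set -e that would stop the script before the post-fix check
rg -n -C3 "oldSelf\.cloudLoadBalancerConfig\.dnsType|self\.cloudLoadBalancerConfig\.dnsType" "$file" || true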

echo
echo "Post-fix sanity pattern (expect immutable rules to use oldSelf.dnsType/self.dnsType):"
rg -n -C2 "dnsType is immutable once set|oldSelf\.dnsType|self\.dnsType" "$file"

Also applies to: 2230-2234

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In
`@payload-manifests/crds/0000_80_machine-config_01_controllerconfigs-DevPreviewNoUpgrade.crd.yaml`
around lines 1641 - 1645, The CEL immutability rule inside the
cloudLoadBalancerConfig block incorrectly references nested fields
(self.cloudLoadBalancerConfig.dnsType and
oldSelf.cloudLoadBalancerConfig.dnsType) which are out of scope; update the rule
in both AWS and GCP cloudLoadBalancerConfig blocks so it compares dnsType
directly (use self.dnsType and oldSelf.dnsType) and keep the rest of the
expression (e.g., oldSelf.dnsType == '' || self.dnsType == oldSelf.dnsType)
intact to enforce immutability once set.

1835-1836: ⚠️ Potential issue | 🟡 Minor

Keep dnsType descriptions platform-local to avoid cross-platform confusion.

At Line 1835 and Line 2214, the Azure/GCP section text still embeds other platform behavior. This makes each platform block harder to scan.

✍️ Suggested wording adjustment
# Azure dnsType description block
-                                      The value is immutable after it has been set at install time for AWS and GCP platforms.
-                                      For Azure platform, this value can be updated after it has been set.
+                                      For Azure platform, this value can be updated after it has been set.

# GCP dnsType description block
-                                      The value is immutable after it has been set at install time for AWS and GCP platforms.
-                                      For Azure platform, this value can be updated after it has been set.
+                                      For GCP platform, this value is immutable after it has been set at install time.
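Review bot: the two `+` lines cover only the Azure and GCP description blocks, so the AWS block would keep the sentence about Azure. Add the matching AWS wording, for example `For AWS platform, this value is immutable after it has been set at install time.`, so all three blocks stay platform-local.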

Also applies to: 2214-2215

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In
`@payload-manifests/crds/0000_80_machine-config_01_controllerconfigs-DevPreviewNoUpgrade.crd.yaml`
around lines 1835 - 1836, The dnsType description currently mixes platform
behaviors across blocks; update the dnsType description entries so each platform
block only states that platform's behavior: in the Azure dnsType description
remove the sentence about AWS/GCP immutability and state only that Azure values
can be updated after install, and in the GCP (and AWS) dnsType descriptions
remove any mention of Azure updateability and state only that the value is
immutable after install for those platforms; locate the descriptions by
searching for the dnsType CRD description text and the Azure/GCP platform
headings to make the edits.
payload-manifests/crds/0000_80_machine-config_01_controllerconfigs-OKD.crd.yaml (1)

1885-1889: ⚠️ Potential issue | 🔴 Critical

Fix CEL scope: immutability rule dereferences a non-existent nested object.

In this validation scope, self/oldSelf already are cloudLoadBalancerConfig; referencing self.cloudLoadBalancerConfig.* breaks the check and can fail to enforce immutability.

🐛 Proposed fix
-                                - message: cloudLoadBalancerConfig.dnsType is immutable
-                                    once set
-                                  rule: oldSelf.cloudLoadBalancerConfig.dnsType ==
-                                    '' || self.cloudLoadBalancerConfig.dnsType ==
-                                    oldSelf.cloudLoadBalancerConfig.dnsType
+                                - message: cloudLoadBalancerConfig.dnsType is immutable
+                                    once set
+                                  rule: 'has(self.dnsType) && has(oldSelf.dnsType)
+                                    ? (oldSelf.dnsType == '''' || self.dnsType == oldSelf.dnsType)
+                                    : true'
#!/bin/bash
# Verify broken CEL field paths in CRD manifests
rg -n "self\\.cloudLoadBalancerConfig\\.dnsType|oldSelf\\.cloudLoadBalancerConfig\\.dnsType" --type yaml

# Inspect this exact validation block with context
rg -n -A8 -B4 "cloudLoadBalancerConfig\\.dnsType is immutable" payload-manifests/crds/0000_80_machine-config_01_controllerconfigs-OKD.crd.yaml
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In
`@payload-manifests/crds/0000_80_machine-config_01_controllerconfigs-OKD.crd.yaml`
around lines 1885 - 1889, The CEL immutability rule incorrectly dereferences
cloudLoadBalancerConfig inside a scope where self/oldSelf already refer to
cloudLoadBalancerConfig; update the rule that currently uses
self.cloudLoadBalancerConfig.dnsType and oldSelf.cloudLoadBalancerConfig.dnsType
to reference dnsType directly (e.g., rule: oldSelf.dnsType == '' || self.dnsType
== oldSelf.dnsType) so the check correctly enforces immutability of dnsType
within the cloudLoadBalancerConfig validation block.
payload-manifests/crds/0000_80_machine-config_01_controllerconfigs-CustomNoUpgrade.crd.yaml (1)

1641-1645: ⚠️ Potential issue | 🔴 Critical

CEL immutability rules use wrong self scope — check is silently skipped.

Both the AWS (lines 1641–1645) and GCP (lines 2230–2234) x-kubernetes-validations blocks are placed on the cloudLoadBalancerConfig object itself, meaning self already is the cloudLoadBalancerConfig object. The rules reference self.cloudLoadBalancerConfig.dnsType / oldSelf.cloudLoadBalancerConfig.dnsType, but cloudLoadBalancerConfig has no child field named cloudLoadBalancerConfig. As a result, has(self.cloudLoadBalancerConfig) is always false, the ternary short-circuits to true, and the immutability constraint is never enforced.

The first rule in each block (clusterHosted guard) correctly uses self.dnsType — the new immutability rules must follow the same pattern.

🔧 Fix (apply to both AWS block lines 1641-1645 and GCP block lines 2230-2234)
-                               - message: cloudLoadBalancerConfig.dnsType is immutable
-                                   once set
-                                 rule: oldSelf.cloudLoadBalancerConfig.dnsType ==
-                                   '' || self.cloudLoadBalancerConfig.dnsType ==
-                                   oldSelf.cloudLoadBalancerConfig.dnsType
+                               - message: cloudLoadBalancerConfig.dnsType is immutable
+                                   once set
+                                 rule: 'has(self.dnsType) && has(oldSelf.dnsType)
+                                   ? (oldSelf.dnsType == '''' || self.dnsType ==
+                                   oldSelf.dnsType) : true'
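Review bot: the `-` lines show the rule as a plain `oldSelf.cloudLoadBalancerConfig.dnsType == '' || ...` comparison, but the comment above describes a `has(self.cloudLoadBalancerConfig)` guard and a ternary that short-circuits to true. Check which form is in the file at lines 1641-1645 before applying; if it is already the ternary, these `-` lines will not match and only the field paths inside it need changing.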

Also applies to: 2230-2234

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In
`@payload-manifests/crds/0000_80_machine-config_01_controllerconfigs-CustomNoUpgrade.crd.yaml`
around lines 1641 - 1645, The CEL immutability rule in the
cloudLoadBalancerConfig x-kubernetes-validations block is referencing
nonexistent nested fields (self.cloudLoadBalancerConfig.dnsType /
oldSelf.cloudLoadBalancerConfig.dnsType) so the guard always short-circuits;
update the rule to use the correct scope by replacing
self.cloudLoadBalancerConfig.dnsType with self.dnsType and
oldSelf.cloudLoadBalancerConfig.dnsType with oldSelf.dnsType (mirror the
existing clusterHosted guard pattern) in both the AWS and GCP
cloudLoadBalancerConfig validation blocks so the immutability check actually
enforces dnsType.
config/v1/types_infrastructure.go (1)

562-562: ⚠️ Potential issue | 🔴 Critical

Fix CEL scope in cloudLoadBalancerConfig immutability rule.

At Line 562 and Line 792, this is a field-scoped XValidation; self/oldSelf already refer to CloudLoadBalancerConfig. Using self.cloudLoadBalancerConfig.* is out-of-scope and breaks AWS/GCP immutability enforcement.

🔧 Proposed fix
- // +kubebuilder:validation:XValidation:rule=oldSelf.cloudLoadBalancerConfig.dnsType == '' || self.cloudLoadBalancerConfig.dnsType == oldSelf.cloudLoadBalancerConfig.dnsType,message="cloudLoadBalancerConfig.dnsType is immutable once set"
+ // +kubebuilder:validation:XValidation:rule="oldSelf.dnsType == '' || self.dnsType == oldSelf.dnsType",message="cloudLoadBalancerConfig.dnsType is immutable once set"
...
- // +kubebuilder:validation:XValidation:rule="oldSelf.cloudLoadBalancerConfig.dnsType == '' || self.cloudLoadBalancerConfig.dnsType == oldSelf.cloudLoadBalancerConfig.dnsType",message="cloudLoadBalancerConfig.dnsType is immutable once set"
+ // +kubebuilder:validation:XValidation:rule="oldSelf.dnsType == '' || self.dnsType == oldSelf.dnsType",message="cloudLoadBalancerConfig.dnsType is immutable once set"
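Review bot: the two `+` markers use the unguarded `oldSelf.dnsType == '' || self.dnsType == oldSelf.dnsType`, while the fixes proposed for several of the generated CRDs use a `has()`-guarded form. Since the CRDs are generated from these markers, settle on one expression here and regenerate so every manifest carries the same rule.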

Run this read-only check after patching/regenerating:

#!/bin/bash
set -euo pipefail

echo "Checking for out-of-scope CEL references (should return no matches):"
# rg exits 1 when nothing matches (the expected result here); keep going under set -e
rg -n 'self\.cloudLoadBalancerConfig\.dnsType|oldSelf\.cloudLoadBalancerConfig\.dnsType' \
  config/v1/types_infrastructure.go \
  payload-manifests/crds/0000_10_config-operator_01_infrastructures-Default.crd.yaml || true

echo
echo "Checking for in-scope CEL references (should match AWS/GCP source + generated CRD):"
rg -n 'oldSelf\.dnsType == .*\|\| self\.dnsType == oldSelf\.dnsType' \
  config/v1/types_infrastructure.go \
  payload-manifests/crds/0000_10_config-operator_01_infrastructures-Default.crd.yaml

Also applies to: 792-792

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@config/v1/types_infrastructure.go` at line 562, The CEL XValidation for
cloudLoadBalancerConfig is using out-of-scope qualifiers
(self.cloudLoadBalancerConfig.* / oldSelf.cloudLoadBalancerConfig.*) which
breaks immutability checks; update the XValidation annotation on the
CloudLoadBalancerConfig field (the +kubebuilder:validation:XValidation rule for
dnsType) to reference the field-scoped names (oldSelf.dnsType and self.dnsType)
instead of
self.cloudLoadBalancerConfig.dnsType/oldSelf.cloudLoadBalancerConfig.dnsType so
the rule reads the in-scope comparison (oldSelf.dnsType == '' || self.dnsType ==
oldSelf.dnsType). Ensure you apply the same change to the duplicate rule at the
other occurrence.
ℹ️ Review info

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to data retention organization setting

📥 Commits

Reviewing files that changed from the base of the PR and between 26e1385 and 45ce17c.

⛔ Files ignored due to path filters (18)
  • config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-CustomNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
  • config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-Default.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
  • config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-DevPreviewNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
  • config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-OKD.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
  • config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-TechPreviewNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
  • config/v1/zz_generated.featuregated-crd-manifests/infrastructures.config.openshift.io/AWSClusterHostedDNSInstall.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
  • config/v1/zz_generated.featuregated-crd-manifests/infrastructures.config.openshift.io/AzureClusterHostedDNSInstall.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
  • config/v1/zz_generated.featuregated-crd-manifests/infrastructures.config.openshift.io/GCPClusterHostedDNSInstall.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
  • machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_controllerconfigs-CustomNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
  • machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_controllerconfigs-Default.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
  • machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_controllerconfigs-DevPreviewNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
  • machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_controllerconfigs-OKD.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
  • machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_controllerconfigs-TechPreviewNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
  • machineconfiguration/v1/zz_generated.featuregated-crd-manifests/controllerconfigs.machineconfiguration.openshift.io/AWSClusterHostedDNSInstall.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
  • machineconfiguration/v1/zz_generated.featuregated-crd-manifests/controllerconfigs.machineconfiguration.openshift.io/AzureClusterHostedDNSInstall.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
  • machineconfiguration/v1/zz_generated.featuregated-crd-manifests/controllerconfigs.machineconfiguration.openshift.io/GCPClusterHostedDNSInstall.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
  • openapi/generated_openapi/zz_generated.openapi.go is excluded by !openapi/**
  • openapi/openapi.json is excluded by !openapi/**
📒 Files selected for processing (17)
  • config/v1/tests/infrastructures.config.openshift.io/AWSClusterHostedDNS.yaml
  • config/v1/tests/infrastructures.config.openshift.io/AWSClusterHostedDNSInstall.yaml
  • config/v1/tests/infrastructures.config.openshift.io/AzureClusterHostedDNSInstall.yaml
  • config/v1/tests/infrastructures.config.openshift.io/GCPClusterHostedDNS.yaml
  • config/v1/tests/infrastructures.config.openshift.io/GCPClusterHostedDNSInstall.yaml
  • config/v1/types_infrastructure.go
  • config/v1/zz_generated.swagger_doc_generated.go
  • payload-manifests/crds/0000_10_config-operator_01_infrastructures-CustomNoUpgrade.crd.yaml
  • payload-manifests/crds/0000_10_config-operator_01_infrastructures-Default.crd.yaml
  • payload-manifests/crds/0000_10_config-operator_01_infrastructures-DevPreviewNoUpgrade.crd.yaml
  • payload-manifests/crds/0000_10_config-operator_01_infrastructures-OKD.crd.yaml
  • payload-manifests/crds/0000_10_config-operator_01_infrastructures-TechPreviewNoUpgrade.crd.yaml
  • payload-manifests/crds/0000_80_machine-config_01_controllerconfigs-CustomNoUpgrade.crd.yaml
  • payload-manifests/crds/0000_80_machine-config_01_controllerconfigs-Default.crd.yaml
  • payload-manifests/crds/0000_80_machine-config_01_controllerconfigs-DevPreviewNoUpgrade.crd.yaml
  • payload-manifests/crds/0000_80_machine-config_01_controllerconfigs-OKD.crd.yaml
  • payload-manifests/crds/0000_80_machine-config_01_controllerconfigs-TechPreviewNoUpgrade.crd.yaml
🚧 Files skipped from review as they are similar to previous changes (7)
  • config/v1/tests/infrastructures.config.openshift.io/AWSClusterHostedDNS.yaml
  • config/v1/tests/infrastructures.config.openshift.io/GCPClusterHostedDNS.yaml
  • config/v1/tests/infrastructures.config.openshift.io/AzureClusterHostedDNSInstall.yaml
  • config/v1/zz_generated.swagger_doc_generated.go
  • payload-manifests/crds/0000_10_config-operator_01_infrastructures-OKD.crd.yaml
  • config/v1/tests/infrastructures.config.openshift.io/GCPClusterHostedDNSInstall.yaml
  • payload-manifests/crds/0000_80_machine-config_01_controllerconfigs-Default.crd.yaml
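The scoping problem described in the review prompt above, shown as an added schema fragment that is not taken from the PR's generated CRDs. `examplePlatformStatus` is a placeholder parent property and the surrounding schema is constructed; only the rule text comes from the page.

```yaml
# Constructed fragment. `examplePlatformStatus` is a hypothetical parent property.
# 1) Rule attached to the cloudLoadBalancerConfig field but written with
#    parent-relative paths: `self` is already the cloudLoadBalancerConfig object,
#    so `self.cloudLoadBalancerConfig` does not resolve.
examplePlatformStatus:
  type: object
  properties:
    cloudLoadBalancerConfig:
      type: object
      default:
        dnsType: PlatformDefault
      properties:
        dnsType:
          type: string
      x-kubernetes-validations:
      - rule: "oldSelf.cloudLoadBalancerConfig.dnsType == '' || self.cloudLoadBalancerConfig.dnsType == oldSelf.cloudLoadBalancerConfig.dnsType"
        message: cloudLoadBalancerConfig.dnsType is immutable once set
---
# 2) Same attachment point, paths relative to the field's own scope.
examplePlatformStatus:
  type: object
  properties:
    cloudLoadBalancerConfig:
      type: object
      default:
        dnsType: PlatformDefault
      properties:
        dnsType:
          type: string
      x-kubernetes-validations:
      - rule: "oldSelf.dnsType == '' || self.dnsType == oldSelf.dnsType"
        message: cloudLoadBalancerConfig.dnsType is immutable once set
---
# 3) Rule attached one level up, where the longer paths are valid.
examplePlatformStatus:
  type: object
  properties:
    cloudLoadBalancerConfig:
      type: object
      default:
        dnsType: PlatformDefault
      properties:
        dnsType:
          type: string
  x-kubernetes-validations:
  - rule: "oldSelf.cloudLoadBalancerConfig.dnsType == '' || self.cloudLoadBalancerConfig.dnsType == oldSelf.cloudLoadBalancerConfig.dnsType"
    message: cloudLoadBalancerConfig.dnsType is immutable once set
```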

@openshift-ci
Contributor

openshift-ci bot commented Feb 25, 2026

@sadasu: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
| --- | --- | --- | --- | --- |
| ci/prow/verify-crd-schema | 45ce17c | link | true | /test verify-crd-schema |
| ci/prow/integration | 45ce17c | link | true | /test integration |

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

//
// +default={"dnsType": "PlatformDefault"}
// +kubebuilder:default={"dnsType": "PlatformDefault"}
// +kubebuilder:validation:XValidation:rule="oldSelf.cloudLoadBalancerConfig.dnsType == '' || self.cloudLoadBalancerConfig.dnsType == oldSelf.cloudLoadBalancerConfig.dnsType",message="cloudLoadBalancerConfig.dnsType is immutable once set"
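Review bot: The immutability rule on the last line of this block uses parent-relative paths (`self.cloudLoadBalancerConfig.dnsType`, `oldSelf.cloudLoadBalancerConfig.dnsType`), yet it sits in the same marker group as the default `{"dnsType": "PlatformDefault"}`, which indicates these markers annotate the cloudLoadBalancerConfig field itself. A field-level XValidation rule is evaluated with `self` bound to that field's value, so the longer paths do not resolve. Either shorten them to `self.dnsType` and `oldSelf.dnsType`, or move the rule to the enclosing struct type, where the longer paths are valid.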
Contributor

Why not put this directly on the CloudLoadBalancerConfig struct?

Labels

jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files.
