There are multiple unhandled changes found by OLMv1's CRD upgrade check. This bug is specifically focused on the `spec.config.MetaIssuers[].CIProvider` addition being reported as an unhandled change. This is an optional field being added, so this error should not be reported.
This is incorrectly being reported as an issue because crdify is not correctly handling fields that are a list of items.
I have hit the following error during upgrade validation on OCP 4.20 (https://issues.redhat.com/browse/SECURESIGN-2708).
conditions: - lastTransitionTime: "2025-08-01T11:26:22Z" message: "error for resolved bundle \"rhtas-operator.v1.3.0\" with version \"1.3.0\": validating upgrade for CRD \"fulcios.rhtas.redhat.com\": v1alpha1: ^.spec.config.MetaIssuers: unhandled: unhandled changes found :\n &v1.JSONSchemaProps{\n \t... // 21 identical fields\n \tMinProperties: nil,\n \tRequired: nil,\n \tItems: &v1.JSONSchemaPropsOrArray{\n \t\tSchema: &v1.JSONSchemaProps{\n \t\t\t... // 26 identical fields\n \t\t\tAnyOf: nil,\n \t\t\tNot: nil,\n \t\t\tProperties: map[string]v1.JSONSchemaProps{\n+ \t\t\t\t\"CIProvider\": {\n+ \t\t\t\t\tDescription: \"CIProvider is an optional configuration to map token claims to extensions for CI workflows\",\n+ \t\t\t\t\tType: \"string\",\n+ \t\t\t\t},\n \ \t\t\t\t\"ChallengeClaim\": {Description: \"Optional, the challenge claim expected for the issuer\\nSet if usi\"..., Type: \"string\"},\n \t\t\t\t\"ClientID\": \ {Type: \"string\"},\n \t\t\t\t... // 6 identical entries\n \t\t\t},\n \ \t\t\tAdditionalProperties: nil,\n \t\t\tPatternProperties: nil,\n \t\t\t... // 13 identical fields\n \t\t},\n \t\tJSONSchemas: nil,\n \t},\n \tAllOf: nil,\n \tOneOf: nil,\n \t... // 18 identical fields\n }\n\nv1alpha1: ^.spec.config.OIDCIssuers: unhandled: unhandled changes found :\n &v1.JSONSchemaProps{\n \t... // 21 identical fields\n \tMinProperties: nil,\n \tRequired: nil,\n \tItems: &v1.JSONSchemaPropsOrArray{\n \t\tSchema: &v1.JSONSchemaProps{\n \t\t\t... // 26 identical fields\n \t\t\tAnyOf: nil,\n \t\t\tNot: nil,\n \t\t\tProperties: map[string]v1.JSONSchemaProps{\n+ \t\t\t\t\"CIProvider\": {\n+ \t\t\t\t\tDescription: \"CIProvider is an optional configuration to map token claims to extensions for CI workflows\",\n+ \t\t\t\t\tType: \"string\",\n+ \t\t\t\t},\n \ \t\t\t\t\"ChallengeClaim\": {Description: \"Optional, the challenge claim expected for the issuer\\nSet if usi\"..., Type: \"string\"},\n \t\t\t\t\"ClientID\": \ {Type: \"string\"},\n \t\t\t\t... 
// 6 identical entries\n \t\t\t},\n \ \t\t\tAdditionalProperties: nil,\n \t\t\tPatternProperties: nil,\n \t\t\t... // 13 identical fields\n \t\t},\n \t\tJSONSchemas: nil,\n \t},\n \tAllOf: nil,\n \tOneOf: nil,\n \t... // 18 identical fields\n }\n\nv1alpha1: ^.spec.ctlog.port: default: default value removed : \"80\"\nv1alpha1: ^.spec.externalAccess.routeSelectorLabels: unhandled: unhandled changes found :\n &v1.JSONSchemaProps{\n \t... // 41 identical fields\n \tXListType: nil,\n \tXMapType: nil,\n- \tXValidations: nil,\n+ \tXValidations: v1.ValidationRules{\n+ \t\t{\n+ \t\t\tRule: \"(oldSelf.size() == 0 || self == oldSelf)\",\n+ \t\t\tMessage: \"RouteSelectorLabels can't be modified\",\n+ \t\t},\n+ \t},\n }\n\nv1alpha1: ^.spec.ctlog: default: default value changed : \"{\\\"port\\\":80,\\\"prefix\\\":\\\"trusted-artifact-signer\\\"}\" -> \"{\\\"prefix\\\":\\\"trusted-artifact-signer\\\"}\"\nvalidating upgrade for CRD \"timestampauthorities.rhtas.redhat.com\": v1alpha1: ^.spec.externalAccess.routeSelectorLabels: unhandled: unhandled changes found :\n &v1.JSONSchemaProps{\n \t... // 41 identical fields\n \tXListType: nil,\n \tXMapType: nil,\n- \tXValidations: nil,\n+ \tXValidations: v1.ValidationRules{\n+ \t\t{\n+ \t\t\tRule: \"(oldSelf.size() == 0 || self == oldSelf)\",\n+ \t\t\tMessage: \"RouteSelectorLabels can't be modified\",\n+ \t\t},\n+ \t},\n }\n\nvalidating upgrade for CRD \"securesigns.rhtas.redhat.com\": v1alpha1: ^.spec.rekor.externalAccess.routeSelectorLabels: unhandled: unhandled changes found :\n &v1.JSONSchemaProps{\n \t... // 41 identical fields\n \ \tXListType: nil,\n \tXMapType: nil,\n- \tXValidations: nil,\n+ \tXValidations: v1.ValidationRules{\n+ \t\t{\n+ \t\t\tRule: \"(oldSelf.size() == 0 || self == oldSelf)\",\n+ \t\t\tMessage: \"RouteSelectorLabels can't be modified\",\n+ \t\t},\n+ \t},\n }\n\nv1alpha1: ^.spec.tuf.externalAccess.routeSelectorLabels: unhandled: unhandled changes found :\n &v1.JSONSchemaProps{\n \t... 
// 41 identical fields\n \tXListType: nil,\n \tXMapType: nil,\n- \tXValidations: nil,\n+ \tXValidations: v1.ValidationRules{\n+ \t\t{\n+ \t\t\tRule: \"(oldSelf.size() == 0 || self == oldSelf)\",\n+ \t\t\tMessage: \"RouteSelectorLabels can't be modified\",\n+ \t\t},\n+ \t},\n }\n\nv1alpha1: ^.spec: unhandled: unhandled changes found :\n &v1.JSONSchemaProps{\n \t... // 41 identical fields\n \ \tXListType: nil,\n \tXMapType: nil,\n- \tXValidations: nil,\n+ \tXValidations: v1.ValidationRules{\n+ \t\t{\n+ \t\t\tRule: \"(has(self.rekor.attestations.enabled) && !self.rekor.attestation\"...,\n+ \t\t\tMessage: \"When Rekor's rich attestation storage is enabled, and it's URL s\"...,\n+ \t\t},\n+ \t\t{\n+ \t\t\tRule: \ \"!(self.tuf.replicas > 1) || ('ReadWriteMany' in self.tuf.pvc.acc\"...,\n+ \t\t\tMessage: \"For TUF deployments with more than 1 replica, tuf.pvc.accessMode\"...,\n+ \t\t},\n+ \t},\n }\n\nv1alpha1: ^.spec.fulcio.config.MetaIssuers: unhandled: unhandled changes found :\n &v1.JSONSchemaProps{\n \t... // 21 identical fields\n \tMinProperties: nil,\n \tRequired: nil,\n \tItems: &v1.JSONSchemaPropsOrArray{\n \ \t\tSchema: &v1.JSONSchemaProps{\n \t\t\t... // 26 identical fields\n \t\t\tAnyOf: nil,\n \t\t\tNot: nil,\n \t\t\tProperties: map[string]v1.JSONSchemaProps{\n+ \t\t\t\t\"CIProvider\": {\n+ \t\t\t\t\tDescription: \"CIProvider is an optional configuration to map token claims to extensions for CI workflows\",\n+ \t\t\t\t\tType: \ \"string\",\n+ \t\t\t\t},\n \t\t\t\t\"ChallengeClaim\": {Description: \"Optional, the challenge claim expected for the issuer\\nSet if usi\"..., Type: \"string\"},\n \t\t\t\t\"ClientID\": {Type: \"string\"},\n \t\t\t\t... // 6 identical entries\n \t\t\t},\n \t\t\tAdditionalProperties: nil,\n \t\t\tPatternProperties: \ nil,\n \t\t\t... // 13 identical fields\n \t\t},\n \t\tJSONSchemas: nil,\n \t},\n \tAllOf: nil,\n \tOneOf: nil,\n \t... 
// 18 identical fields\n \ }\n\nv1alpha1: ^.spec.fulcio.config.OIDCIssuers: unhandled: unhandled changes found :\n &v1.JSONSchemaProps{\n \t... // 21 identical fields\n \tMinProperties: nil,\n \tRequired: nil,\n \tItems: &v1.JSONSchemaPropsOrArray{\n \t\tSchema: &v1.JSONSchemaProps{\n \t\t\t... // 26 identical fields\n \t\t\tAnyOf: nil,\n \ \t\t\tNot: nil,\n \t\t\tProperties: map[string]v1.JSONSchemaProps{\n+ \t\t\t\t\"CIProvider\": {\n+ \t\t\t\t\tDescription: \"CIProvider is an optional configuration to map token claims to extensions for CI workflows\",\n+ \t\t\t\t\tType: \ \"string\",\n+ \t\t\t\t},\n \t\t\t\t\"ChallengeClaim\": {Description: \"Optional, the challenge claim expected for the issuer\\nSet if usi\"..., Type: \"string\"},\n \t\t\t\t\"ClientID\": {Type: \"string\"},\n \t\t\t\t... // 6 identical entries\n \t\t\t},\n \t\t\tAdditionalProperties: nil,\n \t\t\tPatternProperties: \ nil,\n \t\t\t... // 13 identical fields\n \t\t},\n \t\tJSONSchemas: nil,\n \t},\n \tAllOf: nil,\n \tOneOf: nil,\n \t... // 18 identical fields\n \ }\n\nv1alpha1: ^.spec.fulcio.ctlog.port: default: default value removed : \"80\"\nv1alpha1: ^.spec.tsa.externalAccess.routeSelectorLabels: unhandled: unhandled changes found :\n &v1.JSONSchemaProps{\n \t... // 41 identical fields\n \tXListType: nil,\n \tXMapType: nil,\n- \tXValidations: nil,\n+ \tXValidations: v1.ValidationRules{\n+ \t\t{\n+ \t\t\tRule: \"(oldSelf.size() == 0 || self == oldSelf)\",\n+ \t\t\tMessage: \"RouteSelectorLabels can't be modified\",\n+ \t\t},\n+ \t},\n }\n\nv1alpha1: ^.spec.fulcio.externalAccess.routeSelectorLabels: unhandled: unhandled changes found :\n &v1.JSONSchemaProps{\n \t... 
// 41 identical fields\n \tXListType: nil,\n \tXMapType: nil,\n- \tXValidations: nil,\n+ \tXValidations: v1.ValidationRules{\n+ \t\t{\n+ \t\t\tRule: \"(oldSelf.size() == 0 || self == oldSelf)\",\n+ \t\t\tMessage: \"RouteSelectorLabels can't be modified\",\n+ \t\t},\n+ \t},\n }\n\nv1alpha1: ^.spec.fulcio.ctlog: default: default value changed : \"{\\\"port\\\":80,\\\"prefix\\\":\\\"trusted-artifact-signer\\\"}\" -> \"{\\\"prefix\\\":\\\"trusted-artifact-signer\\\"}\"\nvalidating upgrade for CRD \"rekors.rhtas.redhat.com\": v1alpha1: ^.spec.externalAccess.routeSelectorLabels: unhandled: unhandled changes found :\n &v1.JSONSchemaProps{\n \t... // 41 identical fields\n \tXListType: nil,\n \tXMapType: nil,\n- \tXValidations: nil,\n+ \tXValidations: v1.ValidationRules{\n+ \t\t{\n+ \t\t\tRule: \"(oldSelf.size() == 0 || self == oldSelf)\",\n+ \t\t\tMessage: \"RouteSelectorLabels can't be modified\",\n+ \t\t},\n+ \t},\n }\n\nv1alpha1: ^: unhandled: unhandled changes found :\n &v1.JSONSchemaProps{\n \t... // 41 identical fields\n \ \tXListType: nil,\n \tXMapType: nil,\n- \tXValidations: nil,\n+ \tXValidations: v1.ValidationRules{\n+ \t\t{\n+ \t\t\tRule: \"(has(self.spec.attestations.enabled) && !self.spec.attestations.\"...,\n+ \t\t\tMessage: \"When rich attestation storage is enabled, and it's URL starts wi\"...,\n+ \t\t},\n+ \t},\n }\n\nvalidating upgrade for CRD \"tufs.rhtas.redhat.com\": v1alpha1: ^.spec.externalAccess.routeSelectorLabels: unhandled: unhandled changes found :\n &v1.JSONSchemaProps{\n \t... // 41 identical fields\n \tXListType: nil,\n \tXMapType: nil,\n- \tXValidations: nil,\n+ \tXValidations: v1.ValidationRules{\n+ \t\t{\n+ \t\t\tRule: \"(oldSelf.size() == 0 || self == oldSelf)\",\n+ \t\t\tMessage: \"RouteSelectorLabels can't be modified\",\n+ \t\t},\n+ \t},\n }\n\nv1alpha1: ^: unhandled: unhandled changes found :\n &v1.JSONSchemaProps{\n \t... 
// 41 identical fields\n \ \tXListType: nil,\n \tXMapType: nil,\n- \tXValidations: nil,\n+ \tXValidations: v1.ValidationRules{\n+ \t\t{\n+ \t\t\tRule: \"!(self.spec.replicas > 1) || ('ReadWriteMany' in self.spec.pvc.a\"...,\n+ \t\t\tMessage: \"For deployments with more than 1 replica, pvc.accessModes must i\"...,\n+ \t\t},\n+ \t},\n }\n"
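The compatibility check the description argues for, as an added example (not crdify's or OLMv1's code): a recursive comparison that descends into `Items`, so an optional property added to a list's element schema produces no finding. `Schema` and `Breaking` are hypothetical names, `Schema` is a constructed stand-in for `v1.JSONSchemaProps`, and only removed fields and newly required fields are treated as breaking here.

```go
package main

import (
	"fmt"
	"sort"
)

// Schema is a constructed stand-in for the few v1.JSONSchemaProps fields used here.
type Schema struct {
	Required   []string
	Properties map[string]Schema
	Items      *Schema // element schema of a list field
}

// Breaking lists changes that can invalidate stored objects. It descends into
// Properties and Items, so a list's element schema is compared field by field.
func Breaking(path string, old, cur Schema) []string {
	var out []string
	wasRequired := map[string]bool{}
	for _, r := range old.Required {
		wasRequired[r] = true
	}
	for _, r := range cur.Required {
		if !wasRequired[r] {
			out = append(out, path+": new required field "+r)
		}
	}
	for name, prev := range old.Properties {
		if next, ok := cur.Properties[name]; ok {
			out = append(out, Breaking(path+"."+name, prev, next)...)
		} else {
			out = append(out, path+"."+name+": field removed")
		}
	}
	// Properties present only in cur are optional additions unless listed in Required.
	if old.Items != nil && cur.Items != nil {
		out = append(out, Breaking(path+"[]", *old.Items, *cur.Items)...)
	}
	sort.Strings(out)
	return out
}

func main() {
	// Constructed schemas shaped like ^.spec.config.MetaIssuers before and after the upgrade.
	old := Schema{Items: &Schema{Properties: map[string]Schema{"ClientID": {}}}}
	cur := Schema{Items: &Schema{Properties: map[string]Schema{"ClientID": {}, "CIProvider": {}}}}
	fmt.Println(Breaking("^.spec.config.MetaIssuers", old, cur))
	cur.Items.Required = []string{"CIProvider"} // the same field made mandatory
	fmt.Println(Breaking("^.spec.config.MetaIssuers", old, cur))
}
```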
Is cloned by: OCPBUGS-60962 OLMv1 fails due to unhandled XValidations changes (New)