There are multiple unhandled changes found by OLMv1's CRD upgrade check. This bug is specifically focused on the `.spec.externalAccess.routeSelectorLabels` XValidations addition being reported as an unhandled change. We need crdify to understand changes to XValidations. Note that this particular change, where validation rules are being added, is likely to be reported by crdify as a breaking change, since it ratchets validation and makes the API more restrictive.
I have hit the following error during upgrade validation on OCP 4.20 (https://issues.redhat.com/browse/SECURESIGN-2708).
conditions: - lastTransitionTime: "2025-08-01T11:26:22Z" message: "error for resolved bundle \"rhtas-operator.v1.3.0\" with version \"1.3.0\": validating upgrade for CRD \"fulcios.rhtas.redhat.com\": v1alpha1: ^.spec.config.MetaIssuers: unhandled: unhandled changes found :\n &v1.JSONSchemaProps{\n \t... // 21 identical fields\n \tMinProperties: nil,\n \tRequired: nil,\n \tItems: &v1.JSONSchemaPropsOrArray{\n \t\tSchema: &v1.JSONSchemaProps{\n \t\t\t... // 26 identical fields\n \t\t\tAnyOf: nil,\n \t\t\tNot: nil,\n \t\t\tProperties: map[string]v1.JSONSchemaProps{\n+ \t\t\t\t\"CIProvider\": {\n+ \t\t\t\t\tDescription: \"CIProvider is an optional configuration to map token claims to extensions for CI workflows\",\n+ \t\t\t\t\tType: \"string\",\n+ \t\t\t\t},\n \ \t\t\t\t\"ChallengeClaim\": {Description: \"Optional, the challenge claim expected for the issuer\\nSet if usi\"..., Type: \"string\"},\n \t\t\t\t\"ClientID\": \ {Type: \"string\"},\n \t\t\t\t... // 6 identical entries\n \t\t\t},\n \ \t\t\tAdditionalProperties: nil,\n \t\t\tPatternProperties: nil,\n \t\t\t... // 13 identical fields\n \t\t},\n \t\tJSONSchemas: nil,\n \t},\n \tAllOf: nil,\n \tOneOf: nil,\n \t... // 18 identical fields\n }\n\nv1alpha1: ^.spec.config.OIDCIssuers: unhandled: unhandled changes found :\n &v1.JSONSchemaProps{\n \t... // 21 identical fields\n \tMinProperties: nil,\n \tRequired: nil,\n \tItems: &v1.JSONSchemaPropsOrArray{\n \t\tSchema: &v1.JSONSchemaProps{\n \t\t\t... // 26 identical fields\n \t\t\tAnyOf: nil,\n \t\t\tNot: nil,\n \t\t\tProperties: map[string]v1.JSONSchemaProps{\n+ \t\t\t\t\"CIProvider\": {\n+ \t\t\t\t\tDescription: \"CIProvider is an optional configuration to map token claims to extensions for CI workflows\",\n+ \t\t\t\t\tType: \"string\",\n+ \t\t\t\t},\n \ \t\t\t\t\"ChallengeClaim\": {Description: \"Optional, the challenge claim expected for the issuer\\nSet if usi\"..., Type: \"string\"},\n \t\t\t\t\"ClientID\": \ {Type: \"string\"},\n \t\t\t\t... 
// 6 identical entries\n \t\t\t},\n \ \t\t\tAdditionalProperties: nil,\n \t\t\tPatternProperties: nil,\n \t\t\t... // 13 identical fields\n \t\t},\n \t\tJSONSchemas: nil,\n \t},\n \tAllOf: nil,\n \tOneOf: nil,\n \t... // 18 identical fields\n }\n\nv1alpha1: ^.spec.ctlog.port: default: default value removed : \"80\"\nv1alpha1: ^.spec.externalAccess.routeSelectorLabels: unhandled: unhandled changes found :\n &v1.JSONSchemaProps{\n \t... // 41 identical fields\n \tXListType: nil,\n \tXMapType: nil,\n- \tXValidations: nil,\n+ \tXValidations: v1.ValidationRules{\n+ \t\t{\n+ \t\t\tRule: \"(oldSelf.size() == 0 || self == oldSelf)\",\n+ \t\t\tMessage: \"RouteSelectorLabels can't be modified\",\n+ \t\t},\n+ \t},\n }\n\nv1alpha1: ^.spec.ctlog: default: default value changed : \"{\\\"port\\\":80,\\\"prefix\\\":\\\"trusted-artifact-signer\\\"}\" -> \"{\\\"prefix\\\":\\\"trusted-artifact-signer\\\"}\"\nvalidating upgrade for CRD \"timestampauthorities.rhtas.redhat.com\": v1alpha1: ^.spec.externalAccess.routeSelectorLabels: unhandled: unhandled changes found :\n &v1.JSONSchemaProps{\n \t... // 41 identical fields\n \tXListType: nil,\n \tXMapType: nil,\n- \tXValidations: nil,\n+ \tXValidations: v1.ValidationRules{\n+ \t\t{\n+ \t\t\tRule: \"(oldSelf.size() == 0 || self == oldSelf)\",\n+ \t\t\tMessage: \"RouteSelectorLabels can't be modified\",\n+ \t\t},\n+ \t},\n }\n\nvalidating upgrade for CRD \"securesigns.rhtas.redhat.com\": v1alpha1: ^.spec.rekor.externalAccess.routeSelectorLabels: unhandled: unhandled changes found :\n &v1.JSONSchemaProps{\n \t... // 41 identical fields\n \ \tXListType: nil,\n \tXMapType: nil,\n- \tXValidations: nil,\n+ \tXValidations: v1.ValidationRules{\n+ \t\t{\n+ \t\t\tRule: \"(oldSelf.size() == 0 || self == oldSelf)\",\n+ \t\t\tMessage: \"RouteSelectorLabels can't be modified\",\n+ \t\t},\n+ \t},\n }\n\nv1alpha1: ^.spec.tuf.externalAccess.routeSelectorLabels: unhandled: unhandled changes found :\n &v1.JSONSchemaProps{\n \t... 
// 41 identical fields\n \tXListType: nil,\n \tXMapType: nil,\n- \tXValidations: nil,\n+ \tXValidations: v1.ValidationRules{\n+ \t\t{\n+ \t\t\tRule: \"(oldSelf.size() == 0 || self == oldSelf)\",\n+ \t\t\tMessage: \"RouteSelectorLabels can't be modified\",\n+ \t\t},\n+ \t},\n }\n\nv1alpha1: ^.spec: unhandled: unhandled changes found :\n &v1.JSONSchemaProps{\n \t... // 41 identical fields\n \ \tXListType: nil,\n \tXMapType: nil,\n- \tXValidations: nil,\n+ \tXValidations: v1.ValidationRules{\n+ \t\t{\n+ \t\t\tRule: \"(has(self.rekor.attestations.enabled) && !self.rekor.attestation\"...,\n+ \t\t\tMessage: \"When Rekor's rich attestation storage is enabled, and it's URL s\"...,\n+ \t\t},\n+ \t\t{\n+ \t\t\tRule: \ \"!(self.tuf.replicas > 1) || ('ReadWriteMany' in self.tuf.pvc.acc\"...,\n+ \t\t\tMessage: \"For TUF deployments with more than 1 replica, tuf.pvc.accessMode\"...,\n+ \t\t},\n+ \t},\n }\n\nv1alpha1: ^.spec.fulcio.config.MetaIssuers: unhandled: unhandled changes found :\n &v1.JSONSchemaProps{\n \t... // 21 identical fields\n \tMinProperties: nil,\n \tRequired: nil,\n \tItems: &v1.JSONSchemaPropsOrArray{\n \ \t\tSchema: &v1.JSONSchemaProps{\n \t\t\t... // 26 identical fields\n \t\t\tAnyOf: nil,\n \t\t\tNot: nil,\n \t\t\tProperties: map[string]v1.JSONSchemaProps{\n+ \t\t\t\t\"CIProvider\": {\n+ \t\t\t\t\tDescription: \"CIProvider is an optional configuration to map token claims to extensions for CI workflows\",\n+ \t\t\t\t\tType: \ \"string\",\n+ \t\t\t\t},\n \t\t\t\t\"ChallengeClaim\": {Description: \"Optional, the challenge claim expected for the issuer\\nSet if usi\"..., Type: \"string\"},\n \t\t\t\t\"ClientID\": {Type: \"string\"},\n \t\t\t\t... // 6 identical entries\n \t\t\t},\n \t\t\tAdditionalProperties: nil,\n \t\t\tPatternProperties: \ nil,\n \t\t\t... // 13 identical fields\n \t\t},\n \t\tJSONSchemas: nil,\n \t},\n \tAllOf: nil,\n \tOneOf: nil,\n \t... 
// 18 identical fields\n \ }\n\nv1alpha1: ^.spec.fulcio.config.OIDCIssuers: unhandled: unhandled changes found :\n &v1.JSONSchemaProps{\n \t... // 21 identical fields\n \tMinProperties: nil,\n \tRequired: nil,\n \tItems: &v1.JSONSchemaPropsOrArray{\n \t\tSchema: &v1.JSONSchemaProps{\n \t\t\t... // 26 identical fields\n \t\t\tAnyOf: nil,\n \ \t\t\tNot: nil,\n \t\t\tProperties: map[string]v1.JSONSchemaProps{\n+ \t\t\t\t\"CIProvider\": {\n+ \t\t\t\t\tDescription: \"CIProvider is an optional configuration to map token claims to extensions for CI workflows\",\n+ \t\t\t\t\tType: \ \"string\",\n+ \t\t\t\t},\n \t\t\t\t\"ChallengeClaim\": {Description: \"Optional, the challenge claim expected for the issuer\\nSet if usi\"..., Type: \"string\"},\n \t\t\t\t\"ClientID\": {Type: \"string\"},\n \t\t\t\t... // 6 identical entries\n \t\t\t},\n \t\t\tAdditionalProperties: nil,\n \t\t\tPatternProperties: \ nil,\n \t\t\t... // 13 identical fields\n \t\t},\n \t\tJSONSchemas: nil,\n \t},\n \tAllOf: nil,\n \tOneOf: nil,\n \t... // 18 identical fields\n \ }\n\nv1alpha1: ^.spec.fulcio.ctlog.port: default: default value removed : \"80\"\nv1alpha1: ^.spec.tsa.externalAccess.routeSelectorLabels: unhandled: unhandled changes found :\n &v1.JSONSchemaProps{\n \t... // 41 identical fields\n \tXListType: nil,\n \tXMapType: nil,\n- \tXValidations: nil,\n+ \tXValidations: v1.ValidationRules{\n+ \t\t{\n+ \t\t\tRule: \"(oldSelf.size() == 0 || self == oldSelf)\",\n+ \t\t\tMessage: \"RouteSelectorLabels can't be modified\",\n+ \t\t},\n+ \t},\n }\n\nv1alpha1: ^.spec.fulcio.externalAccess.routeSelectorLabels: unhandled: unhandled changes found :\n &v1.JSONSchemaProps{\n \t... 
// 41 identical fields\n \tXListType: nil,\n \tXMapType: nil,\n- \tXValidations: nil,\n+ \tXValidations: v1.ValidationRules{\n+ \t\t{\n+ \t\t\tRule: \"(oldSelf.size() == 0 || self == oldSelf)\",\n+ \t\t\tMessage: \"RouteSelectorLabels can't be modified\",\n+ \t\t},\n+ \t},\n }\n\nv1alpha1: ^.spec.fulcio.ctlog: default: default value changed : \"{\\\"port\\\":80,\\\"prefix\\\":\\\"trusted-artifact-signer\\\"}\" -> \"{\\\"prefix\\\":\\\"trusted-artifact-signer\\\"}\"\nvalidating upgrade for CRD \"rekors.rhtas.redhat.com\": v1alpha1: ^.spec.externalAccess.routeSelectorLabels: unhandled: unhandled changes found :\n &v1.JSONSchemaProps{\n \t... // 41 identical fields\n \tXListType: nil,\n \tXMapType: nil,\n- \tXValidations: nil,\n+ \tXValidations: v1.ValidationRules{\n+ \t\t{\n+ \t\t\tRule: \"(oldSelf.size() == 0 || self == oldSelf)\",\n+ \t\t\tMessage: \"RouteSelectorLabels can't be modified\",\n+ \t\t},\n+ \t},\n }\n\nv1alpha1: ^: unhandled: unhandled changes found :\n &v1.JSONSchemaProps{\n \t... // 41 identical fields\n \ \tXListType: nil,\n \tXMapType: nil,\n- \tXValidations: nil,\n+ \tXValidations: v1.ValidationRules{\n+ \t\t{\n+ \t\t\tRule: \"(has(self.spec.attestations.enabled) && !self.spec.attestations.\"...,\n+ \t\t\tMessage: \"When rich attestation storage is enabled, and it's URL starts wi\"...,\n+ \t\t},\n+ \t},\n }\n\nvalidating upgrade for CRD \"tufs.rhtas.redhat.com\": v1alpha1: ^.spec.externalAccess.routeSelectorLabels: unhandled: unhandled changes found :\n &v1.JSONSchemaProps{\n \t... // 41 identical fields\n \tXListType: nil,\n \tXMapType: nil,\n- \tXValidations: nil,\n+ \tXValidations: v1.ValidationRules{\n+ \t\t{\n+ \t\t\tRule: \"(oldSelf.size() == 0 || self == oldSelf)\",\n+ \t\t\tMessage: \"RouteSelectorLabels can't be modified\",\n+ \t\t},\n+ \t},\n }\n\nv1alpha1: ^: unhandled: unhandled changes found :\n &v1.JSONSchemaProps{\n \t... 
// 41 identical fields\n \ \tXListType: nil,\n \tXMapType: nil,\n- \tXValidations: nil,\n+ \tXValidations: v1.ValidationRules{\n+ \t\t{\n+ \t\t\tRule: \"!(self.spec.replicas > 1) || ('ReadWriteMany' in self.spec.pvc.a\"...,\n+ \t\t\tMessage: \"For deployments with more than 1 replica, pvc.accessModes must i\"...,\n+ \t\t},\n+ \t},\n }\n"
Clones: OCPBUGS-60194 OLMv1 fails due to unhandled Items changes (ON_QA)
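One way an upgrade check could classify `XValidations` changes instead of reporting them as unhandled, shown as an added example that is not crdify's or OLMv1's own code. The `ValidationRule` and `Finding` types and `CompareXValidations` are hypothetical names, and treating removals and message-only edits as non-breaking is an assumption of this example.

```go
package main

import "fmt"

// ValidationRule is a local stand-in for the Rule/Message fields shown in the error output.
type ValidationRule struct {
	Rule    string
	Message string
}

// Finding is a hypothetical result type for this example.
type Finding struct {
	Kind     string // "added", "removed" or "message-changed"
	Rule     string
	Breaking bool
}

// CompareXValidations diffs two rule lists keyed by CEL expression.
// An edited expression therefore shows up as one "removed" plus one "added".
func CompareXValidations(oldRules, newRules []ValidationRule) []Finding {
	oldByRule := make(map[string]ValidationRule, len(oldRules))
	for _, r := range oldRules {
		oldByRule[r.Rule] = r
	}
	seen := make(map[string]bool, len(newRules))
	var out []Finding
	for _, r := range newRules {
		seen[r.Rule] = true
		prev, ok := oldByRule[r.Rule]
		switch {
		case !ok: // a new rule can reject objects the old schema accepted
			out = append(out, Finding{"added", r.Rule, true})
		case prev.Message != r.Message: // assumption: wording only, same constraint
			out = append(out, Finding{"message-changed", r.Rule, false})
		}
	}
	for _, r := range oldRules {
		if !seen[r.Rule] { // assumption: dropping a rule only loosens the API
			out = append(out, Finding{"removed", r.Rule, false})
		}
	}
	return out
}

func main() {
	// Constructed input: the routeSelectorLabels change from the error above (old value nil).
	added := []ValidationRule{{
		Rule:    "(oldSelf.size() == 0 || self == oldSelf)",
		Message: "RouteSelectorLabels can't be modified",
	}}
	for _, f := range CompareXValidations(nil, added) {
		fmt.Printf("%s breaking=%v rule=%q\n", f.Kind, f.Breaking, f.Rule)
	}
}
```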