Upgrade v1 criocp payload resource

[QiWang19]

No description provided.

[openshift-merge-bot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[openshift-ci]

Hello @QiWang19! Some important instructions when contributing to openshift/api:
API design plays an important part in the user experience of OpenShift and as such API PRs are subject to a high level of scrutiny to ensure they follow our best practices. If you haven't already done so, please review the OpenShift API Conventions and ensure that your proposed changes are compliant. Following these conventions will help expedite the api review process for your PR.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign joelspeed for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR introduces CRIOCredentialProviderConfig as a GA type in the config/v1 package. New Go structs define the singleton cluster-scoped resource with a matchImages field accepting lowercase FQDN patterns with optional ports and paths, a status.conditions slice, and exported condition type/reason constants. The types are registered into the scheme. A new manual-override CRD manifest provides the v1alpha1 schema with CEL validations for wildcard restrictions and the singleton name requirement. The existing payload CRD for v1 receives an expanded OpenAPI schema and has its storage flag changed to false. CRD validation tests cover valid and invalid matchImages patterns. The default CR manifest apiVersion is updated from v1alpha1 to v1, and the CRD copy script glob for this resource is removed.

🚥 Pre-merge checks | ✅ 14 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The description is empty, which is completely off-topic and fails to describe any part of the changeset.	Add a meaningful description explaining the purpose of upgrading the CRIOCredentialProviderConfig to v1 and what changes are involved.

✅ Passed checks (14 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title directly describes the main change: upgrading the CRIOCredentialProviderConfig resource from v1alpha1 to v1 in the payload.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	The PR contains no Ginkgo test files. The test file added (CRIOCredentialProviderConfig.yaml) is a Kubernetes CRD validation test configuration. All 8 test names are static, descriptive strings wit...
Test Structure And Quality	✅ Passed	Test structure meets quality requirements: (1) Single responsibility - 8 onCreate tests each verify one behavior; (2) Setup/cleanup - Ginkgo BeforeEach/AfterEach blocks install/uninstall CRDs and c...
Microshift Test Compatibility	✅ Passed	PR adds no Ginkgo e2e tests. Files added are: 3 YAML CRD/test manifests (not Ginkgo tests), 2 Go files with type defs/registration (no tests), 1 bash script, 1 YAML resource. No Ginkgo test pattern...
Single Node Openshift (Sno) Test Compatibility	✅ Passed	No Ginkgo e2e tests (It(), Describe(), Context(), When(), etc.) found in this PR. The PR only adds CRD definitions, type definitions, and YAML-based CRD validation tests. SNO compatibility check is...
Topology-Aware Scheduling Compatibility	✅ Passed	PR adds only CRD definitions and API types, with no deployment manifests, operators, or scheduling constraints that would affect OpenShift topology compatibility.
Ote Binary Stdout Contract	✅ Passed	The PR adds Go type definitions and test YAML files with no process-level code or stdout writes. The new files (types_crio_credential_provider_config.go and register.go) contain only type definitio...
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	No Ginkgo e2e tests are added in this PR. The test file added is a CRD validation test in YAML format using the declarative tests.onCreate framework, not Ginkgo tests. The check does not apply.
No-Weak-Crypto	✅ Passed	No weak cryptographic algorithms, custom crypto implementations, or non-constant-time secret comparisons found. PR only adds CRD type definitions and manifests without cryptographic code.
Container-Privileges	✅ Passed	PR contains only CRD definitions, Go type definitions, and configuration instances—no container specifications with privileged settings (privileged: true, hostPID, hostNetwork, hostIPC, SYS_ADMIN,...
No-Sensitive-Data-In-Logs	✅ Passed	No logging code found in the PR. The changes introduce new Kubernetes API types and CRD manifests that define configuration for CRI-O credential provider matching patterns. No logging statements, p...

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.12.2)

Error: build linters: unable to load custom analyzer "kubeapilinter": tools/_output/bin/kube-api-linter.so, plugin: not implemented
The command is terminated due to an error: build linters: unable to load custom analyzer "kubeapilinter": tools/_output/bin/kube-api-linter.so, plugin: not implemented

---

_{Comment @coderabbitai help to get the list of available commands.}

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (3)

config/v1/tests/criocredentialproviderconfigs.config.openshift.io/CRIOCredentialProviderConfig.yaml (1)

8-106: 🎯 Functional Correctness | 🔵 Trivial | ⚡ Quick win

Add a negative onCreate case for singleton name enforcement.

The suite validates spec.matchImages well, but it doesn’t assert rejection when metadata.name is not cluster. Since singleton-name enforcement is part of the CRD contract, adding this case will protect against validation regressions.

✅ Suggested test case

 tests:
   onCreate:
+    - name: Should reject CRIOCredentialProviderConfig with non-cluster name
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: CRIOCredentialProviderConfig
+        metadata:
+          name: not-cluster
+        spec: {}
+      expectedError: "metadata.name: Invalid value: \"not-cluster\": must be 'cluster'"

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@config/v1/tests/criocredentialproviderconfigs.config.openshift.io/CRIOCredentialProviderConfig.yaml`
around lines 8 - 106, Add a new negative test case in the onCreate section to
validate singleton name enforcement for the CRIOCredentialProviderConfig
resource. Create a test case similar to the existing negative validation cases
(e.g., "Should reject matchImages with invalid characters") that attempts to
create a CRIOCredentialProviderConfig with metadata.name set to something other
than "cluster" and include an expectedError that reflects the singleton name
requirement. This will ensure that the validation rejects any name that is not
"cluster" and prevent future regressions in singleton enforcement.

config/v1/types_crio_credential_provider_config.go (1)

45-47: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

+kubebuilder:validation:MinProperties=0 is a no-op.

MinProperties=0 imposes no constraint and only adds noise to the generated schema. Drop it, or set it to 1 if the intent was to require at least one property in spec.

♻️ Proposed change

 // CRIOCredentialProviderConfigSpec defines the desired configuration of the CRI-O Credential Provider.
-// +kubebuilder:validation:MinProperties=0
 type CRIOCredentialProviderConfigSpec struct {

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@config/v1/types_crio_credential_provider_config.go` around lines 45 - 47,
Remove the `+kubebuilder:validation:MinProperties=0` annotation from the
CRIOCredentialProviderConfigSpec struct definition since MinProperties=0 does
not impose any constraint and only adds noise to the generated schema. If the
intent was to require at least one property in the spec, replace it with
`+kubebuilder:validation:MinProperties=1` instead; otherwise, simply delete the
annotation line entirely.

payload-manifests/crds/0000_10_config-operator_01_criocredentialproviderconfigs.crd.yaml (1)

211-212: 🗄️ Data Integrity & Integration | 🔵 Trivial | 💤 Low value

Storage version moved from v1alpha1 to v1 — confirm migration of any persisted objects.

After this change v1 is the single storage version (storage: true) and v1alpha1 becomes storage: false, which is the correct invariant. Since the storage version is switching, any objects previously persisted as v1alpha1 will remain stored at that version until a storage migration runs, and status.storedVersions must converge to v1 before v1alpha1 can ever be removed. For this new TechPreview singleton there is likely no GA-persisted data, but please verify no in-cluster consumer still writes/reads v1alpha1 and that a storage migration is planned. Schemas for both versions are identical, so identity conversion is sufficient.

Based on learnings: replacing/changing a CRD version is acceptable only if all in-cluster consumers and tooling are switched over atomically and no consumer still references the removed/old version afterward.

Also applies to: 407-407

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@payload-manifests/crds/0000_10_config-operator_01_criocredentialproviderconfigs.crd.yaml`
around lines 211 - 212, The storage version has been moved from v1alpha1 to v1,
which requires ensuring the v1alpha1 version definition has storage set to false
(at the location also applies to line 407). Verify that all in-cluster consumers
and tooling have been atomically switched to use the v1 version instead of
v1alpha1 and confirm that no code or configurations still reference v1alpha1 for
reads or writes. Additionally, ensure a storage migration plan exists to migrate
any persisted v1alpha1 objects to v1 (note that since the schemas for both
versions are identical, identity conversion can be used for this migration), and
validate that status.storedVersions will converge to v1 before v1alpha1 can be
removed in the future.

Source: Learnings

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@config/v1/types_crio_credential_provider_config.go`:
- Around line 117-132: The comment for the Conditions field in
CRIOCredentialProviderConfigStatus is incomplete regarding validation
constraints. Update the comment to document the MinItems=1 constraint that is
already specified in the kubebuilder validation marker, as per coding guidelines
requiring array length constraints to be documented in field comments.
Additionally, clarify in the comment that due to the struct-level
MinProperties=1 constraint on CRIOCredentialProviderConfigStatus and the
Conditions field being the only property in the struct, this creates a
requirement that the controller MUST include at least one condition whenever it
writes the status.
- Around line 28-42: Remove the redundant `omitempty` JSON tag from both the
Spec and Status fields in the CRIOCredentialProviderConfig struct. For the Spec
field with type CRIOCredentialProviderConfigSpec, change the tag from
`json:"spec,omitempty,omitzero"` to `json:"spec,omitzero"`. For the Status field
with type CRIOCredentialProviderConfigStatus, change the tag from
`json:"status,omitzero,omitempty"` to `json:"status,omitzero"`. This removes the
redundancy since `omitzero` already handles omitting nil pointers (for Spec) and
struct zero values (for Status), and aligns with the pattern already used for
the metadata field.

---

Nitpick comments:
In
`@config/v1/tests/criocredentialproviderconfigs.config.openshift.io/CRIOCredentialProviderConfig.yaml`:
- Around line 8-106: Add a new negative test case in the onCreate section to
validate singleton name enforcement for the CRIOCredentialProviderConfig
resource. Create a test case similar to the existing negative validation cases
(e.g., "Should reject matchImages with invalid characters") that attempts to
create a CRIOCredentialProviderConfig with metadata.name set to something other
than "cluster" and include an expectedError that reflects the singleton name
requirement. This will ensure that the validation rejects any name that is not
"cluster" and prevent future regressions in singleton enforcement.

In `@config/v1/types_crio_credential_provider_config.go`:
- Around line 45-47: Remove the `+kubebuilder:validation:MinProperties=0`
annotation from the CRIOCredentialProviderConfigSpec struct definition since
MinProperties=0 does not impose any constraint and only adds noise to the
generated schema. If the intent was to require at least one property in the
spec, replace it with `+kubebuilder:validation:MinProperties=1` instead;
otherwise, simply delete the annotation line entirely.

In
`@payload-manifests/crds/0000_10_config-operator_01_criocredentialproviderconfigs.crd.yaml`:
- Around line 211-212: The storage version has been moved from v1alpha1 to v1,
which requires ensuring the v1alpha1 version definition has storage set to false
(at the location also applies to line 407). Verify that all in-cluster consumers
and tooling have been atomically switched to use the v1 version instead of
v1alpha1 and confirm that no code or configurations still reference v1alpha1 for
reads or writes. Additionally, ensure a storage migration plan exists to migrate
any persisted v1alpha1 objects to v1 (note that since the schemas for both
versions are identical, identity conversion can be used for this migration), and
validate that status.storedVersions will converge to v1 before v1alpha1 can be
removed in the future.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: ea5c75e9-c6f6-4149-b40c-7fa46e2f02ba

📥 Commits

Reviewing files that changed from the base of the PR and between 5346161 and 7f9d122.

⛔ Files ignored due to path filters (7)

• config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_criocredentialproviderconfigs.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
• config/v1/zz_generated.deepcopy.go is excluded by !**/zz_generated*
• config/v1/zz_generated.featuregated-crd-manifests.yaml is excluded by !**/zz_generated*
• config/v1/zz_generated.featuregated-crd-manifests/criocredentialproviderconfigs.config.openshift.io/CRIOCredentialProviderConfig.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• config/v1/zz_generated.model_name.go is excluded by !**/zz_generated*
• config/v1/zz_generated.swagger_doc_generated.go is excluded by !**/zz_generated*
• openapi/generated_openapi/zz_generated.openapi.go is excluded by !openapi/**, !**/zz_generated*

📒 Files selected for processing (7)

• config/v1/manual-override-crd-manifests/criocredentialproviderconfigs.config.openshift.io/CRIOCredentialProviderConfig.yaml
• config/v1/register.go
• config/v1/tests/criocredentialproviderconfigs.config.openshift.io/CRIOCredentialProviderConfig.yaml
• config/v1/types_crio_credential_provider_config.go
• hack/update-payload-crds.sh
• payload-command/empty-resources/0000_05_config-operator_02_criocredentialproviderconfig.cr.yaml
• payload-manifests/crds/0000_10_config-operator_01_criocredentialproviderconfigs.crd.yaml

💤 Files with no reviewable changes (1)

• hack/update-payload-crds.sh

[coderabbitai]

📐 Maintainability & Code Quality | 🟡 Minor

🧩 Analysis chain

🌐 Web query:

Does Kubernetes apimachinery v0.35 / Go 1.24 support the json "omitzero" struct tag for ObjectMeta and status serialization?

💡 Result:

Yes, Kubernetes apimachinery v0.35 and Go 1.24+ (and later) support the omitzero JSON struct tag option [1][2]. This support is a result of the upstream Go proposal for omitzero in encoding/json [3], which Kubernetes has integrated into its serialization stack to improve API efficiency and correctness, particularly for fields like creationTimestamp [4][2]. Key details regarding this support include: 1. Functionality: The omitzero tag option instructs the serializer to omit a struct field if the value is the zero Go value (or reports true for an IsZero() method if present) [3]. Unlike the traditional omitempty tag—which does not work as expected for nested structs or certain types—omitzero correctly handles these cases, including omitting nested structs when they are empty [1]. 2. Kubernetes Integration: Kubernetes has backported and implemented omitzero support across its core libraries, including k8s.io/apimachinery and its serialization helpers (such as ToUnstructured converters), to ensure consistent behavior across JSON, YAML, and CBOR serialization [5][2]. 3. Use Cases: One of the primary drivers for this adoption was resolving issues where fields like creationTimestamp were being serialized as explicit null values even when empty [4]. With omitzero, these fields are now correctly omitted from the serialized output, which aligns with Kubernetes API conventions for optional fields [6][2]. 4. Tooling and Linting: Modern Go linters and Kubernetes tooling (e.g., Kubebuilder scaffolds) have been updated to recognize omitzero. In many cases, it is now preferred over omitempty for nested structs, as omitzero is more semantically accurate and avoids misleading linter warnings [1][7].

Citations:

• 1: 🐛 (go/v4;deploy-image/v1-alpha): Remove omitempty from nested struct JSON tags in API scaffolds kubernetes-sigs/kubebuilder#5212
• 2: Omit null creationTimestamp kubernetes/kubernetes#130989
• 3: encoding/json: add omitzero option golang/go#45669
• 4: Avoid serializing creationTimestamp: null kubernetes/kubernetes#67610
• 5: Make ToUnstructured match stdlib omitempty and anonymous behavior kubernetes/kubernetes#131029
• 6: https://github.com/kubernetes/community/blob/main/contributors/devel/sig-architecture/api-conventions.md
• 7: x/tools/go/analysis/passes/modernize: omitzero: don't modify kubebuilder structs golang/go#76649

---

🏁 Script executed:

# First, let's examine the actual file to see the context
cat -n config/v1/types_crio_credential_provider_config.go

Repository: openshift/api

Length of output: 12244

---

🏁 Script executed:

# Check patterns of similar field declarations in the codebase
rg -A 2 'json:.*omitzero.*omitempty|json:.*omitempty.*omitzero' --type go

Repository: openshift/api

Length of output: 151

---

🏁 Script executed:

# Look for how other stable APIs handle metadata, spec, and status fields
rg -B 2 -A 1 'metav1\.ObjectMeta.*json:.*omitzero' --type go | head -30

Repository: openshift/api

Length of output: 151

---

Remove redundant omitempty tags from Spec and Status fields; retain only omitzero.

omitzero is properly supported in Go 1.24+ and k8s.io/apimachinery v0.35. The combined omitempty,omitzero on line 36 (Spec) is redundant—both omit a nil pointer. For the Status struct on line 42, omitempty has no effect on struct types (per Go's encoding/json specification), making the combination odd. Simplify to:

• Line 36: json:"spec,omitzero"
• Line 42: json:"status,omitzero"

This aligns with the pattern already used for metadata on line 31 and improves consistency.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@config/v1/types_crio_credential_provider_config.go` around lines 28 - 42,
Remove the redundant `omitempty` JSON tag from both the Spec and Status fields
in the CRIOCredentialProviderConfig struct. For the Spec field with type
CRIOCredentialProviderConfigSpec, change the tag from
`json:"spec,omitempty,omitzero"` to `json:"spec,omitzero"`. For the Status field
with type CRIOCredentialProviderConfigStatus, change the tag from
`json:"status,omitzero,omitempty"` to `json:"status,omitzero"`. This removes the
redundancy since `omitzero` already handles omitting nil pointers (for Spec) and
struct zero values (for Status), and aligns with the pattern already used for
the metadata field.

[coderabbitai]

📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

Document MinItems=1 and the MinProperties=1 interaction on status.

The conditions comment documents the max (16) but not the +kubebuilder:validation:MinItems=1 constraint. Per coding guidelines, array length constraints must be documented in the field comment. Also note that CRIOCredentialProviderConfigStatus carries MinProperties=1 while conditions is its only property and is +optional with MinItems=1; the net effect is that whenever the controller writes status, it MUST include at least one condition. Confirm this is intended and reflect it in the comment.

📝 Suggested comment update

 	// conditions represent the latest available observations of the configuration state.
 	// When omitted, it indicates that no conditions have been reported yet.
+	// When present, at least one condition must be set (minimum 1).
 	// The maximum number of conditions is 16.
 	// Conditions are stored as a map keyed by condition type, ensuring uniqueness.

As per coding guidelines: "String/array length constraints must be documented in field comments when using ... +kubebuilder:validation:MinItems ... markers".

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@config/v1/types_crio_credential_provider_config.go` around lines 117 - 132,
The comment for the Conditions field in CRIOCredentialProviderConfigStatus is
incomplete regarding validation constraints. Update the comment to document the
MinItems=1 constraint that is already specified in the kubebuilder validation
marker, as per coding guidelines requiring array length constraints to be
documented in field comments. Additionally, clarify in the comment that due to
the struct-level MinProperties=1 constraint on
CRIOCredentialProviderConfigStatus and the Conditions field being the only
property in the struct, this creates a requirement that the controller MUST
include at least one condition whenever it writes the status.

Source: Coding guidelines