From 1057ced80401fd5db0e7f2c7b3f4cc0943016e31 Mon Sep 17 00:00:00 2001
From: Grzegorz Piotrowski
Date: Thu, 5 Feb 2026 15:40:00 +0000
Subject: [PATCH] OCPBUGS-32275: Add ingress.spec.domain validation

This commit fixes OCPBUGS-32275. https://issues.redhat.com/browse/OCPBUGS-32275 Adds `spec.domain` field in the Ingress config CRD validation to make it immutable and match the documentation. Prior to this commit the domain value could be changed and cause degraded state of some cluster operators.
---
 .../AAA_ungated.yaml | 57 +++++++++++++++++++
 config/v1/types_ingress.go | 2 +
 ...0_10_config-operator_01_ingresses.crd.yaml | 3 +
 .../AAA_ungated.yaml | 3 +
 .../generated_openapi/zz_generated.openapi.go | 1 -
 ...0_10_config-operator_01_ingresses.crd.yaml | 3 +
 6 files changed, 68 insertions(+), 1 deletion(-)
diff --git a/config/v1/tests/ingresses.config.openshift.io/AAA_ungated.yaml b/config/v1/tests/ingresses.config.openshift.io/AAA_ungated.yaml
index 6c66ee6fded..8a15baad55c 100644
--- a/config/v1/tests/ingresses.config.openshift.io/AAA_ungated.yaml
+++ b/config/v1/tests/ingresses.config.openshift.io/AAA_ungated.yaml
@@ -12,3 +12,60 @@ tests:
 apiVersion: config.openshift.io/v1
 kind: Ingress
 spec: {}
+ - name: Should be able to create an Ingress with domain set
+ initial: |
+ apiVersion: config.openshift.io/v1
+ kind: Ingress
+ spec:
+ domain: apps.example.com
+ expected: |
+ apiVersion: config.openshift.io/v1
+ kind: Ingress
+ spec:
+ domain: apps.example.com
+ onUpdate:
+ - name: Should be able to set domain initially when empty
+ initial: |
+ apiVersion: config.openshift.io/v1
+ kind: Ingress
+ spec: {}
+ updated: |
+ apiVersion: config.openshift.io/v1
+ kind: Ingress
+ spec:
+ domain: apps.example.com
+ expected: |
+ apiVersion: config.openshift.io/v1
+ kind: Ingress
+ spec:
+ domain: apps.example.com
+ - name: Should not be able to change domain once set
+ initial: |
+ apiVersion: config.openshift.io/v1
+ kind: Ingress
+ spec:
+ domain: apps.example.com
+ updated: |
+ apiVersion: config.openshift.io/v1
+ kind: Ingress
+ spec:
+ domain: test.example.com
+ expectedError: "domain is immutable once set"
+ - name: Should be able to update other fields without changing domain
+ initial: |
+ apiVersion: config.openshift.io/v1
+ kind: Ingress
+ spec:
+ domain: apps.example.com
+ updated: |
+ apiVersion: config.openshift.io/v1
+ kind: Ingress
+ spec:
+ domain: apps.example.com
+ appsDomain: custom.example.com
+ expected: |
+ apiVersion: config.openshift.io/v1
+ kind: Ingress
+ spec:
+ domain: apps.example.com
+ appsDomain: custom.example.com
diff --git a/config/v1/types_ingress.go b/config/v1/types_ingress.go
index f70fe8f4405..b8c1a3b6a5a 100644
--- a/config/v1/types_ingress.go
+++ b/config/v1/types_ingress.go
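Review bot: The onUpdate cases added to config/v1/tests/ingresses.config.openshift.io/AAA_ungated.yaml only reject a change from one non-empty value to another; no case covers an update that sets `domain: ""` or one that omits the key after it was set. Going by the rule text `oldSelf == '' || self == oldSelf`, clearing to the empty string should fail with the same message, so that case can be pinned now. The outcome of dropping the key depends on whether the schema blocks removal, and it should be asserted either way so the behaviour is explicit rather than accidental. A sketch of the first case follows; its indentation follows the usual layout of these suites, since the page has lost the original.

```yaml
    - name: Should not be able to clear domain once set
      initial: |
        apiVersion: config.openshift.io/v1
        kind: Ingress
        spec:
          domain: apps.example.com
      updated: |
        apiVersion: config.openshift.io/v1
        kind: Ingress
        spec:
          domain: ""
      expectedError: "domain is immutable once set"
```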
@@ -43,6 +43,8 @@ type IngressSpec struct {
 // default ingresscontroller domain will follow this pattern: "*.".
 //
 // Once set, changing domain is not currently supported.
+ // +kubebuilder:validation:XValidation:rule="oldSelf == '' || self == oldSelf",message="domain is immutable once set"
+ // +optional
 Domain string `json:"domain"`
 // appsDomain is an optional domain to use instead of the one specified
diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_ingresses.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_ingresses.crd.yaml
index 34f2c0a8233..afa806f320d 100644
--- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_ingresses.crd.yaml
+++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_ingresses.crd.yaml
@@ -129,6 +129,9 @@ spec: Once set, changing domain is not currently supported. type: string + x-kubernetes-validations: + - message: domain is immutable once set + rule: oldSelf == '' || self == oldSelf loadBalancer: description: |- loadBalancer contains the load balancer details in general which are not only specific to the underlying infrastructure
diff --git a/config/v1/zz_generated.featuregated-crd-manifests/ingresses.config.openshift.io/AAA_ungated.yaml b/config/v1/zz_generated.featuregated-crd-manifests/ingresses.config.openshift.io/AAA_ungated.yaml
index faaa4396f91..7e6bb53161e 100644
--- a/config/v1/zz_generated.featuregated-crd-manifests/ingresses.config.openshift.io/AAA_ungated.yaml
+++ b/config/v1/zz_generated.featuregated-crd-manifests/ingresses.config.openshift.io/AAA_ungated.yaml
@@ -130,6 +130,9 @@ spec: Once set, changing domain is not currently supported. type: string + x-kubernetes-validations: + - message: domain is immutable once set + rule: oldSelf == '' || self == oldSelf loadBalancer: description: |- loadBalancer contains the load balancer details in general which are not only specific to the underlying infrastructure
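Review bot: The XValidation rule on `Domain` in config/v1/types_ingress.go is attached to the field itself, and CEL transition rules that reference `oldSelf` are, as documented, only evaluated when the field is present in both the old and the new object. With `+optional` added and `spec: {}` accepted by the existing test, an update that drops the `domain` key would likely skip the rule, and a later update could then set a different value, so the immutability this commit intends would not hold. If the value must stay fixed once set, pair the field rule with one on the enclosing `IngressSpec` type, for example `// +kubebuilder:validation:XValidation:rule="!has(oldSelf.domain) || has(self.domain)",message="domain may not be removed once set"`. The struct declaration starts outside this hunk, so the exact placement of that marker needs checking against the full file. The field comment still says changing domain "is not currently supported"; it should state that the API server now rejects such updates.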
diff --git a/openapi/generated_openapi/zz_generated.openapi.go b/openapi/generated_openapi/zz_generated.openapi.go
index b3a94e903fb..d06b019a935 100644
--- a/openapi/generated_openapi/zz_generated.openapi.go
+++ b/openapi/generated_openapi/zz_generated.openapi.go
@@ -15969,7 +15969,6 @@ func schema_openshift_api_config_v1_IngressSpec(ref common.ReferenceCallback) co }, }, }, - Required: []string{"domain"}, }, }, Dependencies: []string{
diff --git a/payload-manifests/crds/0000_10_config-operator_01_ingresses.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_ingresses.crd.yaml
index 34f2c0a8233..afa806f320d 100644
--- a/payload-manifests/crds/0000_10_config-operator_01_ingresses.crd.yaml
+++ b/payload-manifests/crds/0000_10_config-operator_01_ingresses.crd.yaml
@@ -129,6 +129,9 @@ spec: Once set, changing domain is not currently supported. type: string + x-kubernetes-validations: + - message: domain is immutable once set + rule: oldSelf == '' || self == oldSelf loadBalancer: description: |- loadBalancer contains the load balancer details in general which are not only specific to the underlying infrastructure