Fix CEL validation error when provider field is missing in VolumeSpec#1850
Open
gabrielm-splunk wants to merge 3 commits intodevelopfrom
Open
Fix CEL validation error when provider field is missing in VolumeSpec#1850gabrielm-splunk wants to merge 3 commits intodevelopfrom
gabrielm-splunk wants to merge 3 commits intodevelopfrom
Conversation
Version 3.0.0 was inadvertently removed by automated PR (commit 1139fcf) when 3.1.0 was added. Customers reported the version missing from `helm search repo` results. Changes: - Restored 3.0.0 packaged chart from git tag - Added 3.0.0 entries to docs/index.yaml for both splunk-enterprise and splunk-operator charts - Chart digest: db5890e3bcc95f9ca7298873cc08b4a5d1ee86ccb4ad4e5334a0ab5d7a5fdb5e Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Update index.yaml with correct SHA256 digests matching actual tarballs: - splunk-enterprise-3.0.0: ae82f6c8edee4d827817fe6c9c6447c422a03c59595a0f6e779cef847a83b611 - splunk-operator-3.0.0: bd318b1f4022421a3fd429b186ca344c61d04a3c2bbdd5cc535d960773558e44 Resolves comment from vivekr-splunk on PR #1832 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
## Problem After upgrading to v3.1.0, customers encountered validation errors when updating existing Standalone CRs that were created with previous versions: ``` The Standalone "standalone" is invalid: status.smartstore.volumes[0]: Invalid value: "object": no such key: provider evaluating rule: region is required when provider is aws ``` This error occurred because the CEL validation rule added in #1740 attempted to access `self.provider` without first checking if the field exists. In upgrade scenarios, status fields populated by older operator versions may not include the `provider` field, causing the validation to fail with "no such key: provider". ## Root Cause The original CEL validation rule was: ``` self.provider != 'aws' || size(self.region) > 0 ``` This rule evaluates `self.provider` even when the field doesn't exist, violating CEL's requirement to check field existence with `has()` before accessing optional fields. ## Solution Updated the CEL validation rule to: ``` !has(self.provider) || self.provider != 'aws' || (has(self.region) && size(self.region) > 0) ``` This change: 1. First checks if `provider` field exists with `!has(self.provider)` 2. If it doesn't exist, validation passes (allows backward compatibility) 3. Only validates the AWS region requirement when provider is explicitly set to 'aws' 4. Also checks `has(self.region)` before accessing the region field ## Testing Reproduced the issue by: 1. Creating a Standalone CR with the v3.1.0 CRDs 2. Patching the status to remove the provider field (simulating upgrade scenario) 3. Confirmed the error: "no such key: provider evaluating rule" 4. Applied the fix and verified the same operation succeeds ## Impact - Fixes upgrade path from pre-3.1.0 versions where status fields were populated without the provider field - Maintains the validation requirement that AWS volumes must have a region - No impact on new deployments as they will include the provider field Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
After upgrading to v3.1.0, customers encountered validation errors when updating existing Standalone CRs that were created with previous versions:
This error occurred because the CEL validation rule added in #1740 attempted to access
self.providerwithout first checking if the field exists. In upgrade scenarios, status fields populated by older operator versions may not include theproviderfield, causing the validation to fail with "no such key: provider".Root Cause
The original CEL validation rule was:
This rule evaluates
self.providereven when the field doesn't exist, violating CEL's requirement to check field existence withhas()before accessing optional fields.Solution
Updated the CEL validation rule in
api/v4/common_types.goto:This change:
providerfield exists with!has(self.provider)has(self.region)before accessing the region fieldTesting
Reproduced the issue by:
providerfield (simulating an upgrade scenario)The Standalone "standalone" is invalid: status.smartstore.volumes[0]: Invalid value: "object": no such key: provider evaluating rule: region is required when provider is awsImpact
Checklist
make manifests🤖 Generated with Claude Code