NE-2411: Add Template field to DNS operator

[grzpiotrowski]

Add coreDNS template plugin API support to enable custom DNS query handling coreDNS. The main use case is filtering AAAA queries in IPv4-only clusters to reduce DNS latency and upstream load.

Example usage:

  apiVersion: operator.openshift.io/v1
  kind: DNS
  metadata:
    name: default
  spec:
    template:
      zones: ["example.com", "abc.com"]
      queryType: AAAA
      queryClass: IN
      action:
           rcode: NOERROR

Intruducing new types:

• Template - Template configuration with zones, query type, query class, and actions
• QueryType - DNS query types (AAAA initially, the goal is to have it extensible to A, CNAME etc. in the future, same for other types)
• QueryClass - DNS query classes (only IN initially)
• ResponseCode - DNS response codes (NOERROR initially)
• TemplateAction - Discriminated union for template actions
• ReturnEmptyAction - initial action for returning empty DNS responses

[openshift-ci-robot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[openshift-ci]

Hello @grzpiotrowski! Some important instructions when contributing to openshift/api:
API design plays an important part in the user experience of OpenShift and as such API PRs are subject to a high level of scrutiny to ensure they follow our best practices. If you haven't already done so, please review the OpenShift API Conventions and ensure that your proposed changes are compliant. Following these conventions will help expedite the api review process for your PR.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Adds a new exported feature gate variable DNSTemplatePlugin (features/features.go) and documents it in features.md. Marks the dnses.operator.openshift.io CRD as feature-gated and updates payload feature-gate manifests (enabled in DevPreviewNoUpgrade variants, listed disabled in others). Extends the DNS API with an optional Template field on DNSSpec and new exported types Template, TemplateAction, QueryType, QueryClass, and ResponseCode. Regenerates deepcopy and Swagger docs and adds a CRD test manifest for the gate.

🚥 Pre-merge checks | ✅ 7 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Description check	❓ Inconclusive	No pull request description was provided by the author, making it impossible to evaluate relatedness to the changeset.	Add a description explaining the purpose, motivation, and details of the templates field addition to the DNS operator.

✅ Passed checks (7 passed)

Check name	Status	Explanation
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Stable And Deterministic Test Names	✅ Passed	This pull request does not contain any Ginkgo test files or test patterns. The modifications are limited to feature gate and DNS type definitions.
Test Structure And Quality	✅ Passed	The pull request contains only API type definitions and feature gate declarations, with no Ginkgo test code present, making this check not applicable.
Microshift Test Compatibility	✅ Passed	The pull request does not introduce any new Ginkgo e2e tests. The changes consist exclusively of API/CRD type definitions: a new feature gate variable in features/features.go and new DNS template types in operator/v1/types_dns.go. No test files were added or modified according to the git diff. Since the MicroShift Test Compatibility check applies only to new Ginkgo e2e tests (It(), Describe(), Context(), When(), etc.), and this PR contains no such tests, the check is not applicable and therefore passes.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	The pull request does not introduce any new Ginkgo e2e tests. The PR only modifies two API definition files: features/features.go and operator/v1/types_dns.go, neither containing test code patterns.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	This pull request does not introduce any new Ginkgo e2e tests. The changes consist solely of API type definitions and a feature gate declaration. Since no test files or e2e test functions are present, the check is not applicable.
Title check	✅ Passed	The title accurately describes the main change: adding a templates field to the DNS operator, which is reflected in both the feature gate introduction and the new Templates field in DNSSpec.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Tip

💬 Introducing Slack Agent: The best way for teams to turn conversations into code.

Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.

• Generate code and open pull requests
• Plan features and break down work
• Investigate incidents and troubleshoot customer tickets together
• Automate recurring tasks and respond to alerts with triggers
• Summarize progress and report instantly

Built for teams:

• Shared memory across your entire org—no repeating context
• Per-thread sandboxes to safely plan and execute work
• Governance built-in—scoped access, auditability, and budget controls

One agent for your entire SDLC. Right inside Slack.

👉 Get started

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign everettraven for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[grzpiotrowski]

/retitle [WIP] NE-2411: Add templates field to DNS operator

[openshift-ci-robot]

@grzpiotrowski: This pull request references NE-2411 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@operator/v1/types_dns.go`:
- Around line 528-535: The Zones slice lacks per-item format validation; update
the Zones field in operator/v1/types_dns.go to add a kubebuilder validation
Pattern that enforces RFC1123 DNS names or the literal ".". Specifically, add a
comment like //
+kubebuilder:validation:Pattern="^(\\.|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*)$"
immediately above the Zones []string `json:"zones"` declaration so each entry is
validated as either "." or an RFC1123-compliant name. Ensure the annotation is
placed alongside the existing Required/MinItems tags.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Pro

Run ID: 964b4669-8aa2-4d3f-bc4d-79f2a6924c53

📥 Commits

Reviewing files that changed from the base of the PR and between 5e946e2 and 23bfcb6.

📒 Files selected for processing (2)

• features/features.go
• operator/v1/types_dns.go

[openshift-ci-robot]

@grzpiotrowski: This pull request references NE-2411 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Add template plugin API support to enable custom DNS query handling coreDNS. The main use case is filtering AAAA queries in IPv4-only clusters to reduce DNS latency and upstream load.

Example usage:

 apiVersion: operator.openshift.io/v1
 kind: DNS
 metadata:
   name: default
 spec:
   template:
     zones: ["example.com", "abc.com"]
     queryType: AAAA
     queryClass: IN
     actions:
       - returnEmpty:
           rcode: NOERROR

Intruducing new types:

• Template - Template configuration with zones, query type, query class, and actions
• QueryType - DNS query types (AAAA initially, the goal is to have it extensible to A, CNAME etc. in the future, same for other types)
• QueryClass - DNS query classes (only IN initially)
• ResponseCode - DNS response codes (NOERROR initially)
• TemplateAction - Discriminated union for template actions
• ReturnEmptyAction - initial action for returning empty DNS responses

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[alebedev87]

Just now I realized that with a slice we may have some duplicates which may be contradictory. Especially when the API will be enhanced to other actions (answer, authority, additional):

spec:
   template:
      actions:
      - returnEmpty:
            rcode: NOERRROR
      - returnEmpty:
            rcode: NXDOMAIN

[grzpiotrowski]

Changed the action to a struct.
So now the spec example would be:

  spec:
    template:
      zones: ["example.com", "abc.com"]
      queryType: AAAA
      queryClass: IN
      action:
           rcode: NOERROR

[openshift-ci-robot]

@grzpiotrowski: This pull request references NE-2411 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Add coreDNS template plugin API support to enable custom DNS query handling coreDNS. The main use case is filtering AAAA queries in IPv4-only clusters to reduce DNS latency and upstream load.

Example usage:

 apiVersion: operator.openshift.io/v1
 kind: DNS
 metadata:
   name: default
 spec:
   template:
     zones: ["example.com", "abc.com"]
     queryType: AAAA
     queryClass: IN
     actions:
       - returnEmpty:
           rcode: NOERROR

Intruducing new types:

• Template - Template configuration with zones, query type, query class, and actions
• QueryType - DNS query types (AAAA initially, the goal is to have it extensible to A, CNAME etc. in the future, same for other types)
• QueryClass - DNS query classes (only IN initially)
• ResponseCode - DNS response codes (NOERROR initially)
• TemplateAction - Discriminated union for template actions
• ReturnEmptyAction - initial action for returning empty DNS responses

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@grzpiotrowski: This pull request references NE-2411 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Add coreDNS template plugin API support to enable custom DNS query handling coreDNS. The main use case is filtering AAAA queries in IPv4-only clusters to reduce DNS latency and upstream load.

Example usage:

 apiVersion: operator.openshift.io/v1
 kind: DNS
 metadata:
   name: default
 spec:
   template:
     zones: ["example.com", "abc.com"]
     queryType: AAAA
     queryClass: IN
     action:
          rcode: NOERROR

Intruducing new types:

• Template - Template configuration with zones, query type, query class, and actions
• QueryType - DNS query types (AAAA initially, the goal is to have it extensible to A, CNAME etc. in the future, same for other types)
• QueryClass - DNS query classes (only IN initially)
• ResponseCode - DNS response codes (NOERROR initially)
• TemplateAction - Discriminated union for template actions
• ReturnEmptyAction - initial action for returning empty DNS responses

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (1)

operator/v1/types_dns.go (1)

513-531: ⚠️ Potential issue | 🟠 Major

Validate each zones entry against the documented DNS format.

Right now the schema only checks count and length. Values like bad_domain or example.com. will be accepted here and only fail later when the CoreDNS config is rendered.

Suggested schema guard

 	// +listType=set
 	// +kubebuilder:validation:MinItems=1
 	// +kubebuilder:validation:MaxItems=15
 	// +kubebuilder:validation:items:MinLength=1
 	// +kubebuilder:validation:items:MaxLength=253
+	// +kubebuilder:validation:items:Pattern=`^(\.|([a-z0-9]([-a-z0-9]*[a-z0-9])?)(\.([a-z0-9]([-a-z0-9]*[a-z0-9])?))*)$`
 	// +required
 	Zones []string `json:"zones,omitempty"`

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@operator/v1/types_dns.go` around lines 513 - 531, The Zones slice currently
only validates count and length; add an items-level pattern validation so each
entry must be either the single root string "." or a RFC1123-compliant DNS name
(no trailing dot, labels 1–63 chars, letters/numbers/hyphen, labels cannot start
or end with hyphen, full name max 253). Modify the Zones declaration in
operator/v1/types_dns.go (the Zones []string field) to include a
+kubebuilder:validation:items:Pattern tag that enforces "either '.' OR a valid
DNS name" and update the field comment to note the stricter validation; this
prevents invalid values like "bad_domain" or names with a trailing dot from
being accepted.

🧹 Nitpick comments (1)

operator/v1/tests/dnses.operator.openshift.io/DNSTemplatePlugin.yaml (1)

4-5: Add a companion disabled-gate suite for spec.template.

The suite-level featureGates filter means this file only exercises CRDs where DNSTemplatePlugin is enabled (tests/types.go, tests/crd_filter.go). That leaves the disabled variants untested, so an accidental ungate/pruning regression would still pass.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@operator/v1/tests/dnses.operator.openshift.io/DNSTemplatePlugin.yaml` around
lines 4 - 5, Add a companion test suite that covers the
DNSTemplatePlugin-disabled variant of spec.template so the CRD behavior when
DNSTemplatePlugin is off is exercised; specifically, create a copy of the
current DNSTemplatePlugin suite YAML but remove or clear the featureGates entry
(so it does not list DNSTemplatePlugin) and save it as a separate suite (e.g.,
DNSTemplatePlugin.disabled.yaml), ensuring the new suite targets the same
spec.template tests; this will let the existing tests/crd_filter.go suite-level
featureGates filter run the disabled-case and catch gating/pruning regressions.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@operator/v1/types_dns.go`:
- Around line 128-130: The CRD is missing RFC1123 pattern validation for the
zones slice; update the struct that defines the Zones field (Zones []string) to
include a kubebuilder validation Pattern annotation using the same DNS name
regex used elsewhere in this file (the regex around line 243) so each item is
RFC1123-compliant; keep the existing MinItems/MaxItems/MaxLength annotations and
add the kubebuilder:validation:Pattern line above the Zones field declaration to
enforce the per-item DNS name format.

---

Duplicate comments:
In `@operator/v1/types_dns.go`:
- Around line 513-531: The Zones slice currently only validates count and
length; add an items-level pattern validation so each entry must be either the
single root string "." or a RFC1123-compliant DNS name (no trailing dot, labels
1–63 chars, letters/numbers/hyphen, labels cannot start or end with hyphen, full
name max 253). Modify the Zones declaration in operator/v1/types_dns.go (the
Zones []string field) to include a +kubebuilder:validation:items:Pattern tag
that enforces "either '.' OR a valid DNS name" and update the field comment to
note the stricter validation; this prevents invalid values like "bad_domain" or
names with a trailing dot from being accepted.

---

Nitpick comments:
In `@operator/v1/tests/dnses.operator.openshift.io/DNSTemplatePlugin.yaml`:
- Around line 4-5: Add a companion test suite that covers the
DNSTemplatePlugin-disabled variant of spec.template so the CRD behavior when
DNSTemplatePlugin is off is exercised; specifically, create a copy of the
current DNSTemplatePlugin suite YAML but remove or clear the featureGates entry
(so it does not list DNSTemplatePlugin) and save it as a separate suite (e.g.,
DNSTemplatePlugin.disabled.yaml), ensuring the new suite targets the same
spec.template tests; this will let the existing tests/crd_filter.go suite-level
featureGates filter run the disabled-case and catch gating/pruning regressions.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: 95a71bcf-4a81-42a3-a7bb-55f27a83bf9b

📥 Commits

Reviewing files that changed from the base of the PR and between cb219ec and 2587c6b.

⛔ Files ignored due to path filters (7)

• openapi/generated_openapi/zz_generated.openapi.go is excluded by !openapi/**
• operator/v1/zz_generated.crd-manifests/0000_70_dns_00_dnses-CustomNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
• operator/v1/zz_generated.crd-manifests/0000_70_dns_00_dnses-Default.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
• operator/v1/zz_generated.crd-manifests/0000_70_dns_00_dnses-DevPreviewNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
• operator/v1/zz_generated.crd-manifests/0000_70_dns_00_dnses-OKD.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
• operator/v1/zz_generated.crd-manifests/0000_70_dns_00_dnses-TechPreviewNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
• operator/v1/zz_generated.featuregated-crd-manifests/dnses.operator.openshift.io/DNSTemplatePlugin.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**

📒 Files selected for processing (15)

• features.md
• features/features.go
• operator/v1/tests/dnses.operator.openshift.io/DNSTemplatePlugin.yaml
• operator/v1/types_dns.go
• operator/v1/zz_generated.deepcopy.go
• operator/v1/zz_generated.featuregated-crd-manifests.yaml
• operator/v1/zz_generated.swagger_doc_generated.go
• payload-manifests/featuregates/featureGate-4-10-Hypershift-Default.yaml
• payload-manifests/featuregates/featureGate-4-10-Hypershift-DevPreviewNoUpgrade.yaml
• payload-manifests/featuregates/featureGate-4-10-Hypershift-OKD.yaml
• payload-manifests/featuregates/featureGate-4-10-Hypershift-TechPreviewNoUpgrade.yaml
• payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-Default.yaml
• payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-DevPreviewNoUpgrade.yaml
• payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-OKD.yaml
• payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-TechPreviewNoUpgrade.yaml

✅ Files skipped from review due to trivial changes (5)

• payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-Default.yaml
• payload-manifests/featuregates/featureGate-4-10-Hypershift-Default.yaml
• payload-manifests/featuregates/featureGate-4-10-Hypershift-DevPreviewNoUpgrade.yaml
• features.md
• payload-manifests/featuregates/featureGate-4-10-Hypershift-OKD.yaml

🚧 Files skipped from review as they are similar to previous changes (5)

• payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-TechPreviewNoUpgrade.yaml
• payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-DevPreviewNoUpgrade.yaml
• operator/v1/zz_generated.featuregated-crd-manifests.yaml
• payload-manifests/featuregates/featureGate-4-10-Hypershift-TechPreviewNoUpgrade.yaml
• operator/v1/zz_generated.swagger_doc_generated.go

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

gomod=$(fd -a '^go\.mod$' | head -n1)

echo "== toolchain =="
sed -n '/^go /p;/^toolchain /p' "$gomod"
echo

echo "== relevant dependency versions =="
sed -n '/k8s\.io\/apimachinery/p;/sigs\.k8s\.io\/json/p' "$gomod" || true
echo

tmpdir=$(mktemp -d)
python - "$gomod" "$tmpdir" <<'PY'
import io, pathlib, re, sys, urllib.request, zipfile

gomod_text = pathlib.Path(sys.argv[1]).read_text()
tmpdir = pathlib.Path(sys.argv[2])
downloaded = {}

def find_version(text, mod):
    m = re.search(rf'^\s*{re.escape(mod)}\s+(v[^\s]+)', text, re.M)
    return m.group(1) if m else None

def download(mod, ver):
    if not ver or mod in downloaded:
        return
    data = urllib.request.urlopen(f"https://proxy.golang.org/{mod}/@v/{ver}.zip").read()
    out = tmpdir / mod.replace("/", "_")
    out.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        zf.extractall(out)
    downloaded[mod] = out
    print(f"{mod} {ver} -> {out}")

api_ver = find_version(gomod_text, "k8s.io/apimachinery")
json_ver = find_version(gomod_text, "sigs.k8s.io/json")

download("k8s.io/apimachinery", api_ver)

if not json_ver and "k8s.io/apimachinery" in downloaded:
    api_gomod = next(downloaded["k8s.io/apimachinery"].rglob("go.mod"), None)
    if api_gomod:
        json_ver = find_version(api_gomod.read_text(), "sigs.k8s.io/json")

download("sigs.k8s.io/json", json_ver)
PY
echo

echo "== omitzero support in downloaded modules =="
rg -n "omitzero" "$tmpdir" || true
echo

echo "== serializer JSON implementation references =="
rg -n "sigs\.k8s\.io/json|encoding/json" "$tmpdir" || true

Repository: openshift/api

Length of output: 2852

---

🏁 Script executed:

# First, locate and examine the types_dns.go file
fd -a 'types_dns\.go$' | head -n5

Repository: openshift/api

Length of output: 142

---

🏁 Script executed:

# Examine the Template field and surrounding context (lines around 128-130)
sed -n '120,140p' operator/v1/types_dns.go

Repository: openshift/api

Length of output: 1243

---

🏁 Script executed:

# Examine the Template struct definition (lines 482-564)
sed -n '480,570p' operator/v1/types_dns.go

Repository: openshift/api

Length of output: 3254

---

🏁 Script executed:

# Search for existing omitzero usage in the codebase
rg -n 'omitzero' --type go

Repository: openshift/api

Length of output: 50369

---

🏁 Script executed:

# Search for other optional value-type fields with similar patterns
rg -n 'json:"[^"]*,omitempty"' operator/v1/types_dns.go -A 1

Repository: openshift/api

Length of output: 1977

---

🏁 Script executed:

# Check for tests related to Template field
fd -a '.*test.*\.go$' | xargs grep -l "Template" | head -5

Repository: openshift/api

Length of output: 122

---

🏁 Script executed:

# Check if there are any GitHub issues or comments about omitzero handling
rg -n "omitzero" operator/v1/types_dns.go -B 2 -A 2

Repository: openshift/api

Length of output: 293

---

🏁 Script executed:

# Verify zone validation specifically - check if there's a pattern constraint
sed -n '510,535p' operator/v1/types_dns.go

Repository: openshift/api

Length of output: 1274

---

🏁 Script executed:

# Check if there's a pattern validation elsewhere for zones or DNS names
rg -n "pattern.*dns|pattern.*zone|kubebuilder:validation:Pattern" operator/v1/types_dns.go

Repository: openshift/api

Length of output: 481

---

🏁 Script executed:

# Look for RFC 1123 validation patterns in the codebase
rg -n "RFC|1123|dns.*pattern" operator/v1/ --type go | head -20

Repository: openshift/api

Length of output: 5596

---

🏁 Script executed:

# Check if structured merge diff or other serializers respect omitzero for nested structs
grep -r "omitzero" vendor/sigs.k8s.io/structured-merge-diff/v6/value/ -A 3 | head -30

Repository: openshift/api

Length of output: 2618

---

Add pattern validation for zones to enforce RFC 1123 compliance.

The zones field documentation states entries must conform to RFC 1123, but the CRD schema only validates item length and count. Add a kubebuilder:validation:Pattern constraint matching the DNS name pattern used elsewhere in this file (e.g., line 243).

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@operator/v1/types_dns.go` around lines 128 - 130, The CRD is missing RFC1123
pattern validation for the zones slice; update the struct that defines the Zones
field (Zones []string) to include a kubebuilder validation Pattern annotation
using the same DNS name regex used elsewhere in this file (the regex around line
243) so each item is RFC1123-compliant; keep the existing
MinItems/MaxItems/MaxLength annotations and add the
kubebuilder:validation:Pattern line above the Zones field declaration to enforce
the per-item DNS name format.

[alebedev87]

/assign

[yuqi-zhang]

As we discussed on slack, this is fine to start in Dev Preview. If we'd like to move to TP, we do require the attached enhancement to be merged.

[yuqi-zhang]

I think the default listtype is atomic, so this technically could be a breaking change, since it makes the validation more restrictive. Would you foresee any situation where this could be a problem?

[yuqi-zhang]

(minor) I think the omitzero is sufficient enough, and the omitempty is redundant.

[yuqi-zhang]

Out of curiosity, are you planning on making all legacy fields more conformant with API standards? I think there's some more things we would need to do (example, validations for the syntax here, min/max length, etc.) so maybe it's worth it to separately update old fields and focus this PR on the template field.

Generally also applies to other existing fields.

[grzpiotrowski]

This was in response to the failing CI verify-crd-schema with the ListsMustHaveSSATags error and some following errors.
I believe this is because between this PR and the last merged one to this CRD, there were some additional requirements added in the tests.

I kept these as a separate commit, but probably better if these kind of changes were separated into another PR altogether like you said.

[yuqi-zhang]

restrictions on the list should also be in the godoc itself (e.g. here // At least 1 and at most 15 zones may be specified.)

[grzpiotrowski]

Added the comment in godoc.

[yuqi-zhang]

The field is required, so the when set comment is a bit confusing. I think we should remove any conditional statements

[yuqi-zhang]

Should we consider making this slightly less generic? (e.g. DNSTemplate, like we have DNSCache above)

[yuqi-zhang]

I'm a bit confused on why each of these are a required, set string field that only has 1 option. Do you believe that this will be expanded on in the future? Can these be optional and have the controller set a reasonable default if the user doesn't set them?

[grzpiotrowski]

Yes this was with the intention of making it expandable in the future with other query types.
And making it and the other fields required as to ensure that the configuration applied is clear to the user.
Though I reckon a default value could be also considered, but then I imagine we would need to stick to that default (AAAA in this case) in the future, also when other types are added to the available ones.

[openshift-ci]

PR needs rebase.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[openshift-ci]

@grzpiotrowski: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/unit	933b737	link	true	/test unit
ci/prow/verify-crd-schema	933b737	link	true	/test verify-crd-schema
ci/prow/lint	933b737	link	true	/test lint
ci/prow/verify	933b737	link	true	/test verify
ci/prow/okd-scos-images	933b737	link	true	/test okd-scos-images
ci/prow/images	933b737	link	true	/test images
ci/prow/verify-crdify	933b737	link	true	/test verify-crdify
ci/prow/build	933b737	link	true	/test build
ci/prow/minor-images	933b737	link	true	/test minor-images
ci/prow/verify-hypershift-integration	933b737	link	true	/test verify-hypershift-integration
ci/prow/verify-feature-promotion	933b737	link	true	/test verify-feature-promotion
ci/prow/verify-client-go	933b737	link	true	/test verify-client-go
ci/prow/verify-deps	933b737	link	true	/test verify-deps
ci/prow/integration	933b737	link	true	/test integration

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.