@mgencur mgencur commented Nov 13, 2025

What this PR does / why we need it:

Remove the Calico enum value from NetworkType while maintaining support for third-party network providers by accepting any string value.

Changes:

  • Remove Calico from NetworkType enum in hostedcluster_types.go
  • Change NetworkType from constrained enum to open string type
  • Update CEL validation to check against OpenShiftSDN and OVNKubernetes
    instead of requiring networkType == 'Other'
  • Update disableMultiNetwork validation messages to reference "third-party" instead of "Other"
  • Regenerate all CRD manifests and API documentation
  • Update tests to reflect new validation logic
  • Add a new test that accepts custom value (Cilium)

The NetworkType field now accepts any string value to support third-party network providers, while OpenShiftSDN and OVNKubernetes continue to receive special handling by HyperShift.
This is closer to how ClusterNetworkOperator handles the values. It accepts any value and handles OVNKubernetes and OpenShiftSDN specifically.
This also allows passing a specific value such as "Cilium" or "Calico" and using this value in tests to install the specific stack.

This is a backward-compatible change as existing "Other" values remain valid, and the validation logic is now more flexible.

🤖 Generated with Claude Code

Which issue(s) this PR fixes:

Fixes

Special notes for your reviewer:

Checklist:

  • Subject and description added to both, commit and PR.
  • Relevant issues have been referenced.
  • This change includes docs.
  • This change includes unit tests.

@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Nov 13, 2025
coderabbitai bot commented Nov 13, 2025

Important

Review skipped

Auto reviews are limited based on label configuration.

🚫 Excluded labels (none allowed) (1)
  • do-not-merge/work-in-progress

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Walkthrough

This change systematically refactors NetworkType validation across the HyperShift API and configurations. It removes explicit enum constraints on networkType fields (previously: OpenShiftSDN, Calico, OVNKubernetes, Other), replacing them with maxLength: 255 string constraints. Simultaneously, disableMultiNetwork validation logic transitions from allowing when networkType equals "Other" to allowing when networkType is "third-party," with corresponding terminology and rule updates.

Changes

Cohort / File(s) | Summary

Go API Types
api/hypershift/v1beta1/hosted_controlplane.go, api/hypershift/v1beta1/hostedcluster_types.go, api/hypershift/v1beta1/operator.go
Updated XValidation rules and comments for disableMultiNetwork. Changed condition from allowing when networkType is "Other" to allowing when networkType is third-party (not OpenShiftSDN or OVNKubernetes). Removed Calico and Other from public NetworkType constants, leaving only OpenShiftSDN and OVNKubernetes.

HostedCluster CRD Manifests (Featuregated)
api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/*
Removed enum constraints on spec.networking.networkType across all feature gate variants (AAA_ungated, AutoNodeKarpenter, ClusterVersionOperatorConfiguration, DynamicResourceAllocation, ExternalOIDC, ExternalOIDCWithUIDAndExtraClaimMappings, GCPPlatform, ImageStreamImportMode, KMSEncryptionProvider, NetworkDiagnosticsConfig, OpenStack). Replaced with maxLength: 255. Updated disableMultiNetwork validation messages and rules from "Other" to "third-party" terminology.

HostedControlPlane CRD Manifests (Featuregated)
api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/*
Removed enum constraints on spec.networking.networkType across all feature gate variants (AAA_ungated, AutoNodeKarpenter, ClusterVersionOperatorConfiguration, DynamicResourceAllocation, ExternalOIDC, ExternalOIDCWithUIDAndExtraClaimMappings, GCPPlatform, ImageStreamImportMode, KMSEncryptionProvider, NetworkDiagnosticsConfig, OpenStack). Replaced with maxLength: 255. Updated disableMultiNetwork validation logic and terminology from "Other" to "third-party".

HostedCluster CRD Manifests (Installed)
cmd/install/assets/hypershift-operator/zz_generated.crd-manifests/hostedclusters-*.crd.yaml
Removed enum constraints on networking.networkType and replaced with maxLength: 255 across CustomNoUpgrade, Default, and TechPreviewNoUpgrade variants. Updated disableMultiNetwork validation conditions and error messages to reference "third-party" instead of "Other".

HostedControlPlane CRD Manifests (Installed)
cmd/install/assets/hypershift-operator/zz_generated.crd-manifests/hostedcontrolplanes-*.crd.yaml
Removed enum constraints on networking.networkType and replaced with maxLength: 255 across CustomNoUpgrade, Default, and TechPreviewNoUpgrade variants. Updated disableMultiNetwork validation conditions and error messages to reference "third-party" instead of "Other".

CLI Code
cmd/cluster/core/create.go
Updated network-type flag help text to be permissive, noting that OVNKubernetes and OpenShiftSDN are handled specially. Narrowed DisableMultiNetwork validation to reject when networkType is OVNKubernetes or OpenShiftSDN, with updated error message referencing "third-party networks".

CLI Tests
cmd/cluster/core/create_test.go
Updated test to use hyperv1 constants instead of hard-coded strings for NetworkType values. Removed test case for Calico with disable-multi-network. Updated expected error messages to reference "third-party" network type terminology.

Controller Tests
control-plane-operator/hostedclusterconfigoperator/controllers/resources/network/reconcile_test.go, hypershift-operator/controllers/hostedcluster/hostedcluster_controller_test.go
Updated test inputs to use hyperv1 API type constants for networkType values instead of string literals. Adjusted reconciler test expectations to align with public type definitions.

E2E Tests
test/e2e/create_cluster_test.go, test/e2e/v2/tests/api_ux_validation_test.go
Removed validation tests for unsupported/arbitrary networkType values. Updated test cases to use Calico and Cilium as third-party networkType examples. Updated disableMultiNetwork test expectations to reflect new "third-party" semantics instead of "Other".

Documentation
docs/content/reference/api.md
Updated NetworkType description to indicate support for third-party network providers via any string value. Removed Calico and Other from documented options, retaining OpenShiftSDN and OVNKubernetes with notation of special handling.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

  • High-volume generated manifests: The majority of files affected are generated CRD manifests across multiple feature gate variants and installed versions, following a consistent pattern. However, the large count (~20+ manifest files) requires systematic verification that the refactoring was applied uniformly.
  • Validation logic semantics: The shift from networkType == 'Other' to !(networkType in ['OpenShiftSDN','OVNKubernetes']) represents a subtle but significant logic change. Verify the negation logic is correctly implemented across all CRD files and Go code to ensure no behavioral regressions.
  • API type changes: Review the removal of Calico and Other constants from hostedcluster_types.go to confirm no breaking changes to downstream consumers that may depend on these enum values.
  • Test coverage: Verify that removed test cases (e.g., Calico with disable-multi-network, unsupported networkType values) represent intentional scope narrowing and not unintended coverage gaps.
Comment @coderabbitai help to get the list of available commands and usage tips.
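
The "Validation logic semantics" point in the walkthrough above, as an added Go model that is not code from the PR or from HyperShift: it compares which networkType values are admitted together with disableMultiNetwork=true under the old enum plus "== 'Other'" rule and under the new maxLength plus "not in [OpenShiftSDN, OVNKubernetes]" rule. Function names and the sample values are constructed for illustration; the rules are modelled only as far as the walkthrough states them.

```go
package main

import (
	"fmt"
	"strings"
	"unicode/utf8"
)

// Values taken from the walkthrough: the old closed enum, the two first-party
// providers named by the new rule, and the maxLength that replaced the enum.
var (
	oldEnum    = []string{"OpenShiftSDN", "Calico", "OVNKubernetes", "Other"}
	firstParty = []string{"OpenShiftSDN", "OVNKubernetes"}
)

const maxLength = 255

// contains is an exact, case-sensitive membership test, which is how a CEL
// "x in [...]" check compares strings.
func contains(list []string, v string) bool {
	for _, s := range list {
		if s == v {
			return true
		}
	}
	return false
}

// oldAdmits models the previous behaviour for an object that sets
// disableMultiNetwork=true: enum membership, then networkType == 'Other'.
func oldAdmits(networkType string) bool {
	return contains(oldEnum, networkType) && networkType == "Other"
}

// newAdmits models the new behaviour for the same object: any string up to
// maxLength, then !(networkType in ['OpenShiftSDN','OVNKubernetes']).
func newAdmits(networkType string) bool {
	if utf8.RuneCountInString(networkType) > maxLength {
		return false
	}
	return !contains(firstParty, networkType)
}

// diff reports which values changed outcome between the two models.
// newlyRejected is the backward-compatibility check: it should stay empty.
func diff(values []string) (newlyAdmitted, newlyRejected []string) {
	for _, v := range values {
		before, after := oldAdmits(v), newAdmits(v)
		switch {
		case !before && after:
			newlyAdmitted = append(newlyAdmitted, v)
		case before && !after:
			newlyRejected = append(newlyRejected, v)
		}
	}
	return newlyAdmitted, newlyRejected
}

// sampleValues is a constructed input set: the four old enum values, one new
// third-party name, and three edge cases (explicit empty string, a
// case-variant of a first-party name, and a value over maxLength).
func sampleValues() []string {
	return []string{
		"OVNKubernetes", "OpenShiftSDN", "Other", "Calico", "Cilium",
		"", "ovnkubernetes", strings.Repeat("x", maxLength+1),
	}
}

func main() {
	for _, v := range sampleValues() {
		label := fmt.Sprintf("%q", v)
		if len(v) > 20 {
			label = fmt.Sprintf("<%d chars>", len(v))
		}
		fmt.Printf("%-18s old=%-5v new=%v\n", label, oldAdmits(v), newAdmits(v))
	}
	admitted, rejected := diff(sampleValues())
	fmt.Printf("newly admitted: %q\nnewly rejected: %q\n", admitted, rejected)
}
```

The empty string and the lower-case variant land in the newly admitted set because the new rule is a deny-list over two exact strings, which is the case the review's minLength suggestions address.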

openshift-ci bot commented Nov 13, 2025

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

openshift-ci bot commented Nov 13, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: mgencur
Once this PR has been reviewed and has the lgtm label, please assign jparrill for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added area/api Indicates the PR includes changes for the API area/cli Indicates the PR includes changes for CLI area/control-plane-operator Indicates the PR includes changes for the control plane operator - in an OCP release area/documentation Indicates the PR includes changes for documentation area/hypershift-operator Indicates the PR includes changes for the hypershift operator and API - outside an OCP release area/testing Indicates the PR includes changes for e2e testing and removed do-not-merge/needs-area labels Nov 13, 2025
mgencur commented Nov 13, 2025

@coderabbitai review

coderabbitai bot commented Nov 13, 2025

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 19

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (31)
api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ImageStreamImportMode.yaml (1)

2664-2672: Immutability not enforced (only documented). Add CEL x-kubernetes-validations.

networking.networkType claims immutability in the description but lacks an actual CEL rule; updates won’t be blocked. Please enforce immutability with x-kubernetes-validations (in source types, then regenerate CRDs).

Apply conceptually (update Go type kubebuilder tag and regenerate; YAML below illustrates target CRD):

   networkType:
     default: OVNKubernetes
     description: |-
       networkType specifies the SDN provider used for cluster networking.
       Defaults to OVNKubernetes.
-      This field is required and immutable.
-      kubebuilder:validation:XValidation:rule="self == oldSelf", message="networkType is immutable"
+      This field is required and immutable.
     maxLength: 255
     type: string
+    x-kubernetes-validations:
+    - message: networkType is immutable
+      rule: self == oldSelf
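
Review bot: The -/+ pair on "This field is required and immutable." replaces the line with itself, so the only effective changes are the removal of the stray kubebuilder text from the description and the new x-kubernetes-validations stanza; drop the no-op pair. The path is under zz_generated.featuregated-crd-manifests, so this stanza should come out of regeneration after the marker is fixed in the Go type rather than from a hand edit here.
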
api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/NetworkDiagnosticsConfig.yaml (1)

2890-2898: Restore immutability and enforce non-empty for networking.networkType.

Dropping the enum removed hard guarantees; right now a day‑2 change or empty string would be accepted. Add minLength and an explicit immutability CEL to keep previous safety while allowing third‑party values.

   networkType:
     default: OVNKubernetes
     description: |-
       networkType specifies the SDN provider used for cluster networking.
       Defaults to OVNKubernetes.
       This field is required and immutable.
-      kubebuilder:validation:XValidation:rule="self == oldSelf", message="networkType is immutable"
+      kubebuilder:validation:XValidation:rule="self == oldSelf", message="networkType is immutable"
+    minLength: 1
     maxLength: 255
     type: string
+    x-kubernetes-validations:
+    - message: networkType is immutable
+      rule: self == oldSelf
+    - message: networkType must be non-empty
+      rule: size(self) > 0
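
Review bot: The added rule "size(self) > 0" duplicates "minLength: 1" from the same hunk; keep the schema constraint and drop the CEL rule so the non-empty guarantee has one source. The -/+ pair on the kubebuilder line is also identical on both sides, which leaves the literal marker text in the description; it should be a plain removal.
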
api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml (1)

3138-3144: networking.networkType immutability is documented but not enforced

You removed the enum (good) but the immutability is now only in the description; there’s no x-kubernetes-validations for this field. This is a behavioral regression: users can change networkType post‑create.

Add an explicit CEL immutability rule on the field.

                   networkType:
                     default: OVNKubernetes
                     description: |-
                       networkType specifies the SDN provider used for cluster networking.
                       Defaults to OVNKubernetes.
-                      This field is required and immutable.
-                      kubebuilder:validation:XValidation:rule="self == oldSelf", message="networkType is immutable"
+                      This field is required and immutable.
                     maxLength: 255
                     type: string
+                    x-kubernetes-validations:
+                    - message: networkType is immutable
+                      rule: self == oldSelf
api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/KMSEncryptionProvider.yaml (1)

2814-2821: Fix the kubebuilder marker in source: add missing + prefix and include minLength constraint.

The kubebuilder marker on NetworkType is missing the + prefix at api/hypershift/v1beta1/hostedcluster_types.go:1034. Without it, the marker is treated as plain comment text and appears in the generated CRD's description field instead of as a proper x-kubernetes-validations rule. Compare with machineNetwork in the same struct—it has // +kubebuilder:validation:XValidation:... and correctly generates x-kubernetes-validations in the YAML. Also add minLength: 1 to prevent empty strings from being treated as third-party SDN.

	// networkType specifies the SDN provider used for cluster networking.
	// Defaults to OVNKubernetes.
	// This field is required and immutable.
-	// kubebuilder:validation:XValidation:rule="self == oldSelf", message="networkType is immutable"
+	// +kubebuilder:validation:XValidation:rule="self == oldSelf", message="networkType is immutable"
+	// +kubebuilder:validation:MinLength=1
	// +optional
	// +kubebuilder:default:="OVNKubernetes"
	// +immutable
	NetworkType NetworkType `json:"networkType,omitempty"`
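
Review bot: The doc comment in this hunk says the field is "required" while the markers below it keep "+optional", "omitempty" and a default of OVNKubernetes. This comment is the source of the generated description, so reword it here or change the markers, otherwise the added MinLength=1 and the immutability rule end up documented next to a contradictory statement.
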
api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/GCPPlatform.yaml (1)

2646-2653: Add explicit immutability for networking.networkType (enum removal lost this).

Switching to a free-form string removed the enum’s implicit immutability. The note in the description isn’t enforced. Add an x-kubernetes-validations rule here.

Apply this diff:

                   networkType:
                     default: OVNKubernetes
                     description: |-
                       networkType specifies the SDN provider used for cluster networking.
                       Defaults to OVNKubernetes.
                       This field is required and immutable.
                       kubebuilder:validation:XValidation:rule="self == oldSelf", message="networkType is immutable"
                     maxLength: 255
                     type: string
+                    x-kubernetes-validations:
+                    - message: networkType is immutable
+                      rule: self == oldSelf
api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ExternalOIDC.yaml (1)

2982-2990: networking.networkType immutability not enforced (x-kubernetes-validations missing).

The enum was removed, but the immutability guarantee is now only mentioned in prose. Add an explicit validation or day‑2 edits will be allowed.

Apply:

   networkType:
     default: OVNKubernetes
     description: |-
       networkType specifies the SDN provider used for cluster networking.
       Defaults to OVNKubernetes.
       This field is required and immutable.
-      kubebuilder:validation:XValidation:rule="self == oldSelf", message="networkType is immutable"
     maxLength: 255
     type: string
+    x-kubernetes-validations:
+    - message: networkType is immutable
+      rule: self == oldSelf
cmd/install/assets/hypershift-operator/zz_generated.crd-manifests/hostedclusters-TechPreviewNoUpgrade.crd.yaml (1)

3456-3464: Immutability for networking.networkType is no longer enforced (regression).

The enum was removed (OK), but the immutability guarantee is only in the description (and a literal kubebuilder note), not as an actual validation. This allows day‑2 changes to networkType, which can break clusters.

Add x-kubernetes-validations at the field:

   networkType:
     default: OVNKubernetes
     description: |-
       networkType specifies the SDN provider used for cluster networking.
       Defaults to OVNKubernetes.
       This field is required and immutable.
-      kubebuilder:validation:XValidation:rule="self == oldSelf", message="networkType is immutable"
+    maxLength: 255
+    type: string
+    x-kubernetes-validations:
+    - message: networkType is immutable
+      rule: self == oldSelf
-    maxLength: 255
-    type: string
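
Review bot: maxLength and type are deleted at the bottom of this hunk and re-added unchanged above the new stanza, which hides the real change. The hunk only needs to remove the kubebuilder line from the description and append x-kubernetes-validations after "type: string".
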
cmd/install/assets/hypershift-operator/zz_generated.crd-manifests/hostedcontrolplanes-CustomNoUpgrade.crd.yaml (1)

3453-3461: networkType immutability not enforced; add explicit x-kubernetes-validations

The description claims “required and immutable,” but there’s no active validation. Add an explicit rule so day‑2 changes are rejected by the API server.

   networkType:
     default: OVNKubernetes
     description: |-
       networkType specifies the SDN provider used for cluster networking.
       Defaults to OVNKubernetes.
       This field is required and immutable.
-      kubebuilder:validation:XValidation:rule="self == oldSelf", message="networkType is immutable"
+      kubebuilder:validation:XValidation:rule="self == oldSelf", message="networkType is immutable"
     maxLength: 255
     type: string
+    x-kubernetes-validations:
+    - rule: self == oldSelf
+      message: networkType is immutable

Note: since this file is generated, ensure the corresponding Go type has the kubebuilder XValidation so the generator emits this stanza.

api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ClusterVersionOperatorConfiguration.yaml (1)

2738-2746: networkType immutability not enforced in generated CRDs—only documented.

The Go source contains a kubebuilder annotation for immutability validation, but the generated CRD manifests render it as description text rather than as a proper x-kubernetes-validations rule. This allows day-2 SDN provider changes via the API.

To fix: ensure the kubebuilder annotation is properly positioned and formatted in the Go type definition so CRD generation converts it to a top-level x-kubernetes-validations field in the schema—not as part of the description string.

cmd/install/assets/hypershift-operator/zz_generated.crd-manifests/hostedcontrolplanes-TechPreviewNoUpgrade.crd.yaml (1)

3364-3372: Immutability for networking.networkType is not enforced (only documented).

The field’s description mentions an XValidation rule, but there’s no x-kubernetes-validations entry, so the API server won’t enforce immutability.

Apply this diff to enforce immutability at the schema level:

   networkType:
     default: OVNKubernetes
     description: |-
       networkType specifies the SDN provider used for cluster networking.
       Defaults to OVNKubernetes.
       This field is required and immutable.
-      kubebuilder:validation:XValidation:rule="self == oldSelf", message="networkType is immutable"
+    maxLength: 255
+    type: string
+    x-kubernetes-validations:
+    - message: networkType is immutable
+      rule: self == oldSelf
-    maxLength: 255
-    type: string
test/e2e/v2/tests/api_ux_validation_test.go (1)

1103-1116: Update expected error message to use "third-party" terminology.

The PR objectives state that validation messages should be updated from 'Other' to 'third-party', but this test still expects the old message format. This will cause the test to fail.

Update the expected error substring:

 		Expect(err).To(HaveOccurred())
-		Expect(err.Error()).To(ContainSubstring("disableMultiNetwork can only be set to true when networkType is 'Other'"))
+		Expect(err.Error()).To(ContainSubstring("disableMultiNetwork can only be set to true when networkType is third-party"))
test/e2e/create_cluster_test.go (1)

1568-1580: Update test name and expected error message to reflect new terminology.

Two issues here:

  1. The test name still references "not Other" which is inconsistent with the refactored validation logic that checks whether the networkType is a first-party provider (OpenShiftSDN/OVNKubernetes) vs third-party.
  2. The expected error message still uses 'Other' terminology, which contradicts the PR's stated goal to update validation messages to use "third-party".

Apply these changes:

 			{
-				name: "when disableMultiNetwork is true and networkType is not Other it should fail",
+				name: "when disableMultiNetwork is true and networkType is OVNKubernetes it should fail",
 				mutateInput: func(hc *hyperv1.HostedCluster) {
 					hc.Spec.Networking = hyperv1.ClusterNetworking{
 						NetworkType: hyperv1.OVNKubernetes,
 					}
 					hc.Spec.OperatorConfiguration = &hyperv1.OperatorConfiguration{
 						ClusterNetworkOperator: &hyperv1.ClusterNetworkOperatorSpec{
 							DisableMultiNetwork: ptr.To(true),
 						},
 					}
 				},
-				expectedErrorSubstring: "disableMultiNetwork can only be set to true when networkType is 'Other'",
+				expectedErrorSubstring: "disableMultiNetwork can only be set to true when networkType is third-party",
 			},
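
Review bot: The renamed case exercises only OVNKubernetes, while the rule described in this PR rejects disableMultiNetwork for OpenShiftSDN as well. Add a sibling case with NetworkType set to the OpenShiftSDN constant and the same expectedErrorSubstring, so both values the new rule singles out are covered.
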
docs/content/reference/api.md (1)

4618-4623: Required vs Optional mismatch for networking.networkType

Header shows “(Optional)” but description says “This field is required and immutable.” Align these. Either mark the field as required (remove “(Optional)”) or drop the “required” sentence. This inconsistency will confuse users and downstream generators. Please fix at the source comments/validation so generated docs are consistent.

api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/DynamicResourceAllocation.yaml (1)

2759-2767: networking.networkType immutability is not enforced

The schema lost the enum and now lacks an x-kubernetes-validations rule to enforce immutability (it’s only mentioned in the description). Add an explicit CEL check.

Apply this diff at networking.spec.networking.networkType:

   networkType:
     default: OVNKubernetes
     description: |-
       networkType specifies the SDN provider used for cluster networking.
       Defaults to OVNKubernetes.
       This field is required and immutable.
-      kubebuilder:validation:XValidation:rule="self == oldSelf", message="networkType is immutable"
+    x-kubernetes-validations:
+    - rule: self == oldSelf
+      message: networkType is immutable
     maxLength: 255
     type: string
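
Review bot: x-kubernetes-validations is inserted between description and maxLength here, while the other suggestions in this review append it after "type: string". For a generated manifest the placement is decided by regeneration, so this suggestion is better expressed as the marker fix in the Go type than as a positional YAML edit.
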
api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/OpenStack.yaml (1)

2738-2746: networking.networkType immutability not enforced (CEL missing).

The “kubebuilder:validation…” line sits inside description and is a no-op. As written, day‑2 mutation of spec.networking.networkType is allowed. Add a field‑level CEL to enforce immutability (and consider removing the stray doc line to avoid confusion).

Apply this diff:

-                      This field is required and immutable.
-                      kubebuilder:validation:XValidation:rule="self == oldSelf", message="networkType is immutable"
+                      This field is required and immutable.
                     maxLength: 255
+                    x-kubernetes-validations:
+                    - message: networkType is immutable
+                      rule: self == oldSelf
                     type: string
api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/GCPPlatform.yaml (1)

2738-2746: networkType immutability not enforced; add x-kubernetes-validations and non-empty constraint

The YAML contains a kubebuilder XValidation note in the description, but the CRD lacks an actual x-kubernetes-validations block for immutability. Also, without minLength, an explicit empty string is allowed and will be treated as “third‑party” by the CEL below.

Add immutability and minLength:

   networkType:
     default: OVNKubernetes
     description: |-
       networkType specifies the SDN provider used for cluster networking.
       Defaults to OVNKubernetes.
       This field is required and immutable.
-      kubebuilder:validation:XValidation:rule="self == oldSelf", message="networkType is immutable"
+    minLength: 1
+    x-kubernetes-validations:
+    - message: networkType is immutable
+      rule: self == oldSelf
     maxLength: 255
     type: string
api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/DynamicResourceAllocation.yaml (1)

2667-2675: networkType immutability not enforced (only described).

The field is documented “immutable,” but there is no x-kubernetes-validations rule here to enforce it at runtime. Add an explicit CEL immutability check at the field to prevent day-2 changes.

Apply this diff:

                   networkType:
                     default: OVNKubernetes
                     description: |-
                       networkType specifies the SDN provider used for cluster networking.
                       Defaults to OVNKubernetes.
                       This field is required and immutable.
-                      kubebuilder:validation:XValidation:rule="self == oldSelf", message="networkType is immutable"
                     maxLength: 255
                     type: string
+                    x-kubernetes-validations:
+                    - message: networkType is immutable
+                      rule: self == oldSelf
api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/AAA_ungated.yaml (1)

2747-2754: Immutability for networking.networkType is not enforced (regression).

The kubebuilder XValidation appears inside the description, but there’s no x-kubernetes-validations entry. This drops the immutability guard and allows day‑2 networkType changes. Add an explicit CEL rule on the property.

                   networkType:
                     default: OVNKubernetes
                     description: |-
                       networkType specifies the SDN provider used for cluster networking.
                       Defaults to OVNKubernetes.
                       This field is required and immutable.
-                      kubebuilder:validation:XValidation:rule="self == oldSelf", message="networkType is immutable"
+                    x-kubernetes-validations:
+                    - message: networkType is immutable
+                      rule: self == oldSelf
                     maxLength: 255
                     type: string
api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml (1)

3228-3236: Enforce immutability and non-empty for spec.networking.networkType

The CRD only declares maxLength. The "kubebuilder:validation:XValidation…" text inside description is not enforced by the API server. Add explicit x-kubernetes-validations for immutability and minLength: 1 to prevent empty strings.

Apply this diff:

   networkType:
     default: OVNKubernetes
     description: |-
       networkType specifies the SDN provider used for cluster networking.
       Defaults to OVNKubernetes.
       This field is required and immutable.
       kubebuilder:validation:XValidation:rule="self == oldSelf", message="networkType is immutable"
-    maxLength: 255
-    type: string
+    maxLength: 255
+    minLength: 1
+    type: string
+    x-kubernetes-validations:
+    - message: networkType is immutable
+      rule: self == oldSelf

This pattern is already used elsewhere in the same CRD (lines 5779-5787 for disableMultiNetwork validation).

api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ImageStreamImportMode.yaml (1)

2756-2764: Fix malformed kubebuilder marker in Go source; immutability not enforced in generated CRD.

The kubebuilder validation marker for networkType immutability is malformed in the Go source and therefore not processed by the code generator. It appears as narrative text in the generated YAML description instead of being converted to a proper x-kubernetes-validations block. This allows the API to accept day-2 changes to networkType, destabilizing clusters.

The marker at api/hypershift/v1beta1/hostedcluster_types.go line 1034 is missing the + prefix:

  // networkType specifies the SDN provider used for cluster networking.
  // Defaults to OVNKubernetes.
  // This field is required and immutable.
- // kubebuilder:validation:XValidation:rule="self == oldSelf", message="networkType is immutable"
+ // +kubebuilder:validation:XValidation:rule="self == oldSelf", message="networkType is immutable"
  // +optional
  // +kubebuilder:default:="OVNKubernetes"
  // +immutable
  NetworkType NetworkType `json:"networkType,omitempty"`
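
Review bot: This rewrites the same source line (hostedcluster_types.go line 1034) as the KMSEncryptionProvider suggestion above, but that one also adds "+kubebuilder:validation:MinLength=1" and this one does not. Settle on one version of the marker block so the two suggestions cannot be applied inconsistently.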

Regenerate the CRD manifests after this fix (likely via make generate or similar).

api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ClusterVersionOperatorConfiguration.yaml (1)

2646-2654: NetworkType immutability enforcement missing (regression).

Description claims “immutable” but there is no x-kubernetes-validations rule on this field. Day‑2 mutations could slip through. Add explicit immutability CEL at the property level.

   networkType:
     default: OVNKubernetes
     description: |-
       networkType specifies the SDN provider used for cluster networking.
       Defaults to OVNKubernetes.
       This field is required and immutable.
-      kubebuilder:validation:XValidation:rule="self == oldSelf", message="networkType is immutable"
+    x-kubernetes-validations:
+    - message: networkType is immutable
+      rule: self == oldSelf
     maxLength: 255
     type: string
api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/AutoNodeKarpenter.yaml (1)

2785-2793: Add missing + prefix to kubebuilder marker to enforce networkType immutability.

The immutability validation is not processed into the CRD because the kubebuilder marker at api/hypershift/v1beta1/hostedcluster_types.go:1034 is missing the + prefix. Without it, the marker is ignored during code generation, and immutability is only documented—not enforced. This permits day-2 changes to the SDN provider, risking cluster breakage.

Fix: Change line 1034 from:

	// kubebuilder:validation:XValidation:rule="self == oldSelf", message="networkType is immutable"

to:

	// +kubebuilder:validation:XValidation:rule="self == oldSelf", message="networkType is immutable"

This will regenerate the CRD with the correct x-kubernetes-validations block.

api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ExternalOIDC.yaml (1)

3074-3082: Immutability for spec.networking.networkType is not enforced (regression).

The kubebuilder hint appears inside the description, not as an actual x-kubernetes-validations rule. This won’t be enforced by the API server. Please add a real CEL immutability rule to the property.

Apply this diff to the CRD (ideally by fixing the Go type so generation emits it):

                   This field is required and immutable.
-                  kubebuilder:validation:XValidation:rule="self == oldSelf", message="networkType is immutable"
+                x-kubernetes-validations:
+                - message: networkType is immutable
+                  rule: self == oldSelf
                 maxLength: 255
                 type: string
cmd/install/assets/hypershift-operator/zz_generated.crd-manifests/hostedclusters-Default.crd.yaml (1)

3409-3417: networking.networkType immutability lost; enforce with x-kubernetes-validations and disallow empty string.

The immutability hint is embedded in the description and won’t be enforced. Add field-scoped x-kubernetes-validations and minLength: 1 to avoid treating "" as “third‑party”.

Apply this diff under spec.networking.networkType:

                   description: |-
                     networkType specifies the SDN provider used for cluster networking.
                     Defaults to OVNKubernetes.
                     This field is required and immutable.
-                    kubebuilder:validation:XValidation:rule="self == oldSelf", message="networkType is immutable"
+                    kubebuilder:validation:XValidation:rule="self == oldSelf", message="networkType is immutable"
                   maxLength: 255
+                  minLength: 1
+                  x-kubernetes-validations:
+                  - message: networkType is immutable
+                    rule: self == oldSelf
                   type: string
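
Review bot: The `-`/`+` pair for the `kubebuilder:validation:XValidation:rule="self == oldSelf"` line is identical on both sides, so the literal marker text stays inside `description` after this diff is applied. Drop the re-added `+` copy so the stray line is actually removed. Because the file is `zz_generated`, both the immutability rule and `minLength: 1` need to come from markers on the Go type (the `+kubebuilder` prefix fix described above for hostedcluster_types.go), otherwise regeneration drops them again.
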
api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/AAA_ungated.yaml (1)

2655-2663: Immutability for spec.networking.networkType is not enforced (XValidation text landed in description).

The immutability note is inside description and won’t be applied. Add an actual x-kubernetes-validations rule to enforce immutability.

Apply this diff:

   networking:
     description: |-
       networking specifies network configuration for the cluster.
       Temporarily optional for backward compatibility, required in future releases.
     properties:
       …
       networkType:
         default: OVNKubernetes
         description: |-
           networkType specifies the SDN provider used for cluster networking.
           Defaults to OVNKubernetes.
           This field is required and immutable.
-          kubebuilder:validation:XValidation:rule="self == oldSelf", message="networkType is immutable"
         maxLength: 255
         type: string
+        x-kubernetes-validations:
+        - message: networkType is immutable
+          rule: self == oldSelf
api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/AutoNodeKarpenter.yaml (1)

2693-2701: Enforce immutability for networking.networkType (description claims it, schema doesn’t).

networkType is described as immutable but lacks x-kubernetes-validations. Add a property-level CEL to actually enforce it.

                   networkType:
                     default: OVNKubernetes
                     description: |-
                       networkType specifies the SDN provider used for cluster networking.
                       Defaults to OVNKubernetes.
                       This field is required and immutable.
-                      kubebuilder:validation:XValidation:rule="self == oldSelf", message="networkType is immutable"
                     maxLength: 255
                     type: string
+                    x-kubernetes-validations:
+                    - message: networkType is immutable
+                      rule: self == oldSelf
cmd/install/assets/hypershift-operator/zz_generated.crd-manifests/hostedcontrolplanes-Default.crd.yaml (1)

3317-3325: Immutability of networking.networkType is no longer enforced (x-kubernetes-validations missing).

In the generated schema, the kubebuilder annotation appears as a literal field and won’t enforce immutability. Add an explicit x-kubernetes-validations rule and remove the stray kubebuilder line.

                   networkType:
                     default: OVNKubernetes
                     description: |-
                       networkType specifies the SDN provider used for cluster networking.
                       Defaults to OVNKubernetes.
-                      This field is required and immutable.
-                      kubebuilder:validation:XValidation:rule="self == oldSelf", message="networkType is immutable"
+                      This field is required and immutable.
+                    x-kubernetes-validations:
+                    - message: networkType is immutable
+                      rule: self == oldSelf
                     maxLength: 255
                     type: string

Note: If “required” is intended, also ensure spec.networking itself is present or add a root-level required/defaulting strategy; otherwise the field isn’t truly required.

api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/NetworkDiagnosticsConfig.yaml (2)

2798-2805: networkType immutability not enforced (XValidation ended up in description).

The immutability rule is only in description text; the property lacks an x-kubernetes-validations guard, so updates would be accepted by the API.

Apply this diff under spec.versions[0].schema.openAPIV3Schema.properties.spec.properties.networking.properties.networkType:

   description: |-
     networkType specifies the SDN provider used for cluster networking.
     Defaults to OVNKubernetes.
     This field is required and immutable.
-    kubebuilder:validation:XValidation:rule="self == oldSelf", message="networkType is immutable"
+    kubebuilder:validation:XValidation:rule="self == oldSelf", message="networkType is immutable"
+  x-kubernetes-validations:
+  - message: networkType is immutable
+    rule: self == oldSelf
   maxLength: 255
   type: string
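
Review bot: The removed and re-added kubebuilder lines in this hunk are the same string, so the marker text the heading calls out as the defect remains in `description`. Remove the re-added line; the three `x-kubernetes-validations` lines are the only net change this hunk needs.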

5266-5276: CEL rule can dereference missing .networking; add has() guard.

If disableMultiNetwork is true and .networking is omitted, the rule reads .networking.networkType without guarding, risking evaluation errors. Guard access explicitly.

- rule: '!has(self.operatorConfiguration) || !has(self.operatorConfiguration.clusterNetworkOperator)
-   || !has(self.operatorConfiguration.clusterNetworkOperator.disableMultiNetwork)
-   || !self.operatorConfiguration.clusterNetworkOperator.disableMultiNetwork
-   || !(self.networking.networkType in [''OpenShiftSDN'',''OVNKubernetes''])'
+ rule: '!has(self.operatorConfiguration) || !has(self.operatorConfiguration.clusterNetworkOperator)
+   || !has(self.operatorConfiguration.clusterNetworkOperator.disableMultiNetwork)
+   || !self.operatorConfiguration.clusterNetworkOperator.disableMultiNetwork
+   || (has(self.networking) && has(self.networking.networkType)
+       && !(self.networking.networkType in [''OpenShiftSDN'',''OVNKubernetes'']))'
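
Review bot: The guard is added as a conjunction inside the last disjunct, `(has(self.networking) && has(self.networking.networkType) && !(...))`, so with `disableMultiNetwork: true` and `.networking` omitted the whole rule evaluates to false and the object is rejected. The suggestion for api/hypershift/v1beta1/hosted_controlplane.go on this page writes the guard as `|| !has(self.networking) || !has(self.networking.networkType) || ...`, which accepts that same object. Decide which behaviour is intended and use one form in both the Go marker and the generated rule.
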
cmd/install/assets/hypershift-operator/zz_generated.crd-manifests/hostedclusters-CustomNoUpgrade.crd.yaml (1)

3545-3553: Restore immutability enforcement for networking.networkType (enum → string regression).

You removed the enum and added maxLength, but the field is no longer actually immutable (the kubebuilder line here is not an effective schema rule). Add an explicit x-kubernetes-validations guard so day‑2 mutations are rejected.

Apply this diff under spec.properties.networking.properties.networkType:

   networkType:
     default: OVNKubernetes
     description: |-
       networkType specifies the SDN provider used for cluster networking.
       Defaults to OVNKubernetes.
       This field is required and immutable.
-      kubebuilder:validation:XValidation:rule="self == oldSelf", message="networkType is immutable"
+    # Enforce immutability at the schema level
+    x-kubernetes-validations:
+    - message: networkType is immutable
+      rule: self == oldSelf
+    # Keep the open string with a sane upper bound
     maxLength: 255
     type: string
api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/OpenStack.yaml (1)

2646-2654: Immutability of networking.networkType appears unenforced after enum removal

The CRD now shows only a description note about immutability; there’s no x-kubernetes-validations enforcing it. This is a behavior regression vs. the enum era. Please add an explicit field-level immutability check.

Apply this diff under spec.networking.networkType:

   networkType:
     default: OVNKubernetes
     description: |-
       networkType specifies the SDN provider used for cluster networking.
       Defaults to OVNKubernetes.
       This field is required and immutable.
-      kubebuilder:validation:XValidation:rule="self == oldSelf", message="networkType is immutable"
+    x-kubernetes-validations:
+    - message: networkType is immutable
+      rule: self == oldSelf
     maxLength: 255
     type: string
🧹 Nitpick comments (27)
cmd/cluster/core/create_test.go (1)

369-369: Consider using a constant for consistency.

This test case uses the literal string "Other" while other test cases (lines 381, 393, 405) now use constants like string(hyperv1.OVNKubernetes). For consistency and maintainability, consider using a constant if one exists for third-party network types, or add a comment explaining why a literal is used here.

api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ImageStreamImportMode.yaml (1)

2747-2749: Clarify “third-party” semantics in the field docs.

Spell out what “third-party” means to users/operators: “any value other than OpenShiftSDN or OVNKubernetes.” This avoids ambiguity and matches the CEL rule below.

-  This field can only be set to true when NetworkType is third-party. Setting it to true
-  with NetworkType OpenShiftSDN or OVNKubernetes will result in a validation error during cluster creation.
+  This field can only be set to true when NetworkType is “third-party” (i.e., any value other than
+  OpenShiftSDN or OVNKubernetes). Setting it to true with NetworkType OpenShiftSDN or OVNKubernetes
+  will result in a validation error during cluster creation.
api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/NetworkDiagnosticsConfig.yaml (2)

2981-2983: Doc tweak (optional) to mirror the rule semantics.

“third-party” is fine, but consider “neither OpenShiftSDN nor OVNKubernetes” to exactly match the validation.


5442-5447: CEL gate looks correct; prevent empty string unless schema enforces it.

As written, "" would satisfy “third‑party.” If you don’t add minLength:1 on networking.networkType, extend the rule to exclude empty.

-  || !(self.networking.networkType in ['OpenShiftSDN','OVNKubernetes'])'
+  || (self.networking.networkType != '' && !(self.networking.networkType in ['OpenShiftSDN','OVNKubernetes']))'
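
Review bot: The replacement line uses single `'` around the string literals while the rule still ends in a closing `'`, which indicates a single-quoted YAML scalar; the generated rule quoted elsewhere on this page doubles them (`[''OpenShiftSDN'',''OVNKubernetes'']`). Applied verbatim, the `!= ''` comparison and the list literals would not parse as intended. Double the inner quotes, or make the empty-string check in the Go marker and regenerate.
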
api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/KMSEncryptionProvider.yaml (1)

2900-2907: Clarify “third‑party” in the description.

Spell out what “third‑party” means to avoid ambiguity for users.

-  This field can only be set to true when NetworkType is third-party. Setting it to true
-  with NetworkType OpenShiftSDN or OVNKubernetes will result in a validation error during cluster creation.
+  This field can only be set to true when spec.networking.networkType is a third‑party value
+  (i.e., any value other than 'OpenShiftSDN' or 'OVNKubernetes'). Setting it to true with
+  networkType 'OpenShiftSDN' or 'OVNKubernetes' will fail validation during cluster creation.
api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ExternalOIDC.yaml (1)

3065-3067: Clarify “third‑party” in message to match the rule.

Be explicit so users know what qualifies.

Apply:

- This field can only be set to true when NetworkType is third-party. Setting it to true
- with NetworkType OpenShiftSDN or OVNKubernetes will result in a validation error during cluster creation.
+ This field can only be set to true when networking.networkType is not OpenShiftSDN or OVNKubernetes (i.e., a third‑party CNI). Setting it to true with OpenShiftSDN or OVNKubernetes will be rejected during cluster creation.
cmd/install/assets/hypershift-operator/zz_generated.crd-manifests/hostedclusters-TechPreviewNoUpgrade.crd.yaml (1)

3547-3549: Tighten wording to align with the rule.

Consider clarifying “third-party” as “any value other than OpenShiftSDN or OVNKubernetes,” and reference the exact field path (networking.networkType) for precision.

- This field can only be set to true when NetworkType is third-party. Setting it to true
- with NetworkType OpenShiftSDN or OVNKubernetes will result in a validation error during cluster creation.
+ This field can only be set to true when networking.networkType is a third‑party value
+ (i.e., any value other than OpenShiftSDN or OVNKubernetes). Setting it to true with
+ networking.networkType of OpenShiftSDN or OVNKubernetes results in a validation error at creation time.
api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ClusterVersionOperatorConfiguration.yaml (2)

2829-2831: Docs updated to “third‑party” look good; define it explicitly.

Wording is fine, but for clarity consider stating that “third‑party” means any networkType other than OpenShiftSDN or OVNKubernetes, matching the CEL rule below. Optional.


5310-5315: CEL rule matches intent; minor message precision (optional).

The rule correctly allows disableMultiNetwork only when networking.networkType ∉ {OpenShiftSDN, OVNKubernetes}. Consider aligning the message to say “when networkType is not OpenShiftSDN or OVNKubernetes” to exactly mirror the predicate. Functional LGTM.

cmd/install/assets/hypershift-operator/zz_generated.crd-manifests/hostedcontrolplanes-TechPreviewNoUpgrade.crd.yaml (1)

3447-3449: Clarify user-facing text: define “third‑party” precisely.

Replace with explicit condition to avoid ambiguity.

- This field can only be set to true when NetworkType is third-party. Setting it to true
- with NetworkType OpenShiftSDN or OVNKubernetes will result in a validation error during cluster creation.
+ This field can only be set to true when networking.networkType is neither OpenShiftSDN nor OVNKubernetes (i.e., a third‑party CNI).
+ Setting it to true with networking.networkType OpenShiftSDN or OVNKubernetes will result in a validation error during cluster creation.
control-plane-operator/hostedclusterconfigoperator/controllers/resources/network/reconcile_test.go (1)

203-217: Add a case with a real third‑party value (e.g., "Cilium").

"Other" still works, but adding a second test using a custom value better validates the open string semantics.

Example diff to add a parallel case:

@@
 		{
 			name:                "DisableMultiNetwork sets disableMultiNetwork to true",
 			inputNetwork:        NetworkOperator(),
-			inputNetworkType:    "Other",
+			inputNetworkType:    "Other",
 			inputPlatformType:   hyperv1.AWSPlatform,
 			disableMultiNetwork: true,
 			expectedNetwork: &operatorv1.Network{
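
Review bot: The `inputNetworkType:    "Other",` line is removed and re-added unchanged in this hunk. Drop that `-`/`+` pair so the suggestion only adds the new Cilium case and the existing "Other" case is visibly untouched.
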
@@
 		},
+		{
+			name:                "DisableMultiNetwork with third-party network (Cilium)",
+			inputNetwork:        NetworkOperator(),
+			inputNetworkType:    "Cilium",
+			inputPlatformType:   hyperv1.AWSPlatform,
+			disableMultiNetwork: true,
+			expectedNetwork: &operatorv1.Network{
+				ObjectMeta: NetworkOperator().ObjectMeta,
+				Spec: operatorv1.NetworkSpec{
+					OperatorSpec: operatorv1.OperatorSpec{ManagementState: "Managed"},
+					DisableMultiNetwork: ptr.To(true),
+				},
+			},
+		},

Also applies to: 219-232

api/hypershift/v1beta1/hosted_controlplane.go (1)

43-44: Harden CEL guard with explicit presence checks for networking.

Add presence checks to avoid edge-case evaluation on absent fields and make intent explicit.

-// +kubebuilder:validation:XValidation:rule="!has(self.operatorConfiguration) || !has(self.operatorConfiguration.clusterNetworkOperator) || !has(self.operatorConfiguration.clusterNetworkOperator.disableMultiNetwork) || !self.operatorConfiguration.clusterNetworkOperator.disableMultiNetwork || !(self.networking.networkType in ['OpenShiftSDN','OVNKubernetes'])",message="disableMultiNetwork can only be set to true when networkType is third-party"
+// +kubebuilder:validation:XValidation:rule="!has(self.operatorConfiguration) || !has(self.operatorConfiguration.clusterNetworkOperator) || !has(self.operatorConfiguration.clusterNetworkOperator.disableMultiNetwork) || !self.operatorConfiguration.clusterNetworkOperator.disableMultiNetwork || !has(self.networking) || !has(self.networking.networkType) || !(self.networking.networkType in ['OpenShiftSDN','OVNKubernetes'])",message="disableMultiNetwork can only be set to true when networkType is third-party"
cmd/cluster/core/create.go (2)

73-73: Clarify flag help (examples, case-sensitivity).

Small UX win: point out canonical values and that others are treated as third‑party.

-flags.StringVar(&opts.NetworkType, "network-type", opts.NetworkType, "Sets the cluster SDN provider. Any value is allowed, but OVNKubernetes and OpenShiftSDN are handled specifically.")
+flags.StringVar(&opts.NetworkType, "network-type", opts.NetworkType, "Sets the cluster SDN provider. OVNKubernetes and OpenShiftSDN have special handling; any other value (e.g., Cilium, Calico) is treated as third-party. Values are case-sensitive.")

771-773: Make the OVN/SDN check case-insensitive and whitespace-tolerant.

Prevents accidental bypass (e.g., "ovnkubernetes"). Aligns CLI with user expectations; API still enforces canonical values.

-	if opts.DisableMultiNetwork && (opts.NetworkType == string(hyperv1.OVNKubernetes) || opts.NetworkType == string(hyperv1.OpenShiftSDN)) {
-		return nil, fmt.Errorf("disableMultiNetwork is only allowed when networkType is third-party (got '%s')", opts.NetworkType)
-	}
+	if opts.DisableMultiNetwork {
+		nt := strings.ToLower(strings.TrimSpace(opts.NetworkType))
+		if nt == strings.ToLower(string(hyperv1.OVNKubernetes)) || nt == strings.ToLower(string(hyperv1.OpenShiftSDN)) {
+			return nil, fmt.Errorf("disableMultiNetwork is only allowed when networkType is third-party (got %q)", opts.NetworkType)
+		}
+	}
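
Review bot: Lower-casing and trimming `opts.NetworkType` makes the CLI reject spellings such as `ovnkubernetes` that the CEL rule (`networkType in ['OpenShiftSDN','OVNKubernetes']`) treats as third-party, and it contradicts the flag help suggested just above, which states that values are case-sensitive. Keep the exact comparison, or reject non-canonical spellings of the two reserved names with their own error so the CLI and the API agree. If the `strings` calls stay, confirm create.go imports `strings`.
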
docs/content/reference/api.md (2)

4515-4517: Clarify “third-party” condition for disableMultiNetwork

“when NetworkType is third-party” is ambiguous (not a literal value). Spell out the rule explicitly to match CEL: only when networking.networkType is not OVNKubernetes or OpenShiftSDN. Suggested wording:

-This field can only be set to true when NetworkType is third-party. Setting it to true
-with NetworkType OpenShiftSDN or OVNKubernetes will result in a validation error during cluster creation.
+This field can only be set to true when networking.networkType is a third‑party provider
+that is not "OVNKubernetes" or "OpenShiftSDN". Setting it to true with "OVNKubernetes"
+or "OpenShiftSDN" will result in a validation error during cluster creation.

9654-9671: NetworkType is now open string — make scope explicit and add examples

Good update. To reduce confusion with the remaining table, add a note that:

  • Any string up to the schema limit is accepted; values other than “OVNKubernetes” and “OpenShiftSDN” are treated as third‑party providers.
  • Examples: “Cilium”, “Calico”, “WeaveNet”.

Also add a one‑liner linking the disableMultiNetwork rule, e.g., “When using a third‑party network type (any value other than OVNKubernetes/OpenShiftSDN), disableMultiNetwork may be set to true.” This keeps the two docs in sync.

api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/DynamicResourceAllocation.yaml (1)

2843-2852: Clarify disableMultiNetwork description

Text says “validation error during cluster creation,” but the CEL rule applies on any admission (create/update). Recommend dropping “during cluster creation” to avoid confusion.

- This field can only be set to true when NetworkType is third-party. Setting it to true
- with NetworkType OpenShiftSDN or OVNKubernetes will result in a validation error during cluster creation.
+ This field can only be set to true when NetworkType is third‑party. Setting it to true
+ with NetworkType OpenShiftSDN or OVNKubernetes will be rejected by validation.
api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/GCPPlatform.yaml (1)

2829-2831: Clarify “third‑party” phrasing to list the disallowed set

The message reads well, but “third‑party” isn’t a literal value. Consider explicitly stating “when networking.networkType is neither 'OpenShiftSDN' nor 'OVNKubernetes'” to avoid confusion in UX/docs.

api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/DynamicResourceAllocation.yaml (1)

2750-2752: Clarify “third-party” wording.

Consider making the description explicit: “can only be set to true when networkType is neither OpenShiftSDN nor OVNKubernetes,” which matches the validation semantics.

api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/KMSEncryptionProvider.yaml (1)

2805-2807: Doc text OK; verify consistency across CRDs and user-facing messages.

Terminology shift to “third‑party” looks good. Please ensure all CRDs, CLI validations, and tests use identical phrasing and reserved set {OpenShiftSDN, OVNKubernetes}.

api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ImageStreamImportMode.yaml (1)

2847-2849: Clarify “third‑party” phrasing with explicit examples.

Good direction. To reduce ambiguity for users, append examples like “(e.g., Cilium, Calico)” to this description line.

api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/AutoNodeKarpenter.yaml (1)

2876-2878: Clarify “third‑party” wording to match the rule.

Say “when networkType is not OpenShiftSDN or OVNKubernetes” to avoid ambiguity for users.

cmd/install/assets/hypershift-operator/zz_generated.crd-manifests/hostedclusters-Default.crd.yaml (1)

3500-3502: Clarify doc wording to match actual rule and field path.

Make the condition explicit to reduce ambiguity for users.

-                          This field can only be set to true when NetworkType is third-party. Setting it to true
-                          with NetworkType OpenShiftSDN or OVNKubernetes will result in a validation error during cluster creation.
+                          This field can only be true when networking.networkType is neither 'OpenShiftSDN' nor 'OVNKubernetes'
+                          (i.e., a third‑party provider). Otherwise, validation fails during cluster creation.
api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/AAA_ungated.yaml (1)

2738-2740: Clarify wording: “third‑party” is a concept, not a literal value.

Avoid implying a literal networkType value. Suggest:

-                          This field can only be set to true when NetworkType is third-party. Setting it to true
-                          with NetworkType OpenShiftSDN or OVNKubernetes will result in a validation error during cluster creation.
+                          This field can only be set to true when networking.networkType is neither "OpenShiftSDN" nor "OVNKubernetes".
+                          Setting it to true with "OpenShiftSDN" or "OVNKubernetes" will result in a validation error during cluster creation.
api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/NetworkDiagnosticsConfig.yaml (1)

2881-2883: Clarify “third-party” wording to match the rule.

Minor: say “when networkType is neither OpenShiftSDN nor OVNKubernetes” to align message with the CEL check.

cmd/install/assets/hypershift-operator/zz_generated.crd-manifests/hostedclusters-CustomNoUpgrade.crd.yaml (2)

3636-3638: Doc clarity: avoid implying “third-party” is a literal value.

Rephrase to “can only be set to true when networkType is neither OpenShiftSDN nor OVNKubernetes (i.e., a third‑party provider such as Cilium or Calico).” Keeps intent clear without suggesting a specific string value.


6751-6756: File is auto-generated; apply case-insensitive guard to source template.

Since this file is auto-generated (indicated by zz_generated prefix), the refactor should be made to the source template that generates this CRD manifest, not directly in this file.

Kubernetes CEL for CRD x-kubernetes-validations supports lowerAscii() for case-insensitive comparisons. The suggested refactor is valid and recommended to make the networkType validation more robust against casing variations:

rule: "!has(self.operatorConfiguration) || !has(self.operatorConfiguration.clusterNetworkOperator) || !has(self.operatorConfiguration.clusterNetworkOperator.disableMultiNetwork) || !self.operatorConfiguration.clusterNetworkOperator.disableMultiNetwork || !(self.networking.networkType.lowerAscii() in ['openshiftsdn','ovnkubernetes'])"

Locate and update the source template file (likely in a non-generated location) that produces this manifest, then regenerate the CRD file.

📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between f919037 and 9be9a88.

⛔ Files ignored due to path filters (3)
  • vendor/github.com/openshift/hypershift/api/hypershift/v1beta1/hosted_controlplane.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/hypershift/api/hypershift/v1beta1/hostedcluster_types.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/hypershift/api/hypershift/v1beta1/operator.go is excluded by !vendor/**, !**/vendor/**
📒 Files selected for processing (38)
  • api/hypershift/v1beta1/hosted_controlplane.go (1 hunks)
  • api/hypershift/v1beta1/hostedcluster_types.go (2 hunks)
  • api/hypershift/v1beta1/operator.go (1 hunks)
  • api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/AAA_ungated.yaml (3 hunks)
  • api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/AutoNodeKarpenter.yaml (3 hunks)
  • api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ClusterVersionOperatorConfiguration.yaml (3 hunks)
  • api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/DynamicResourceAllocation.yaml (3 hunks)
  • api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ExternalOIDC.yaml (3 hunks)
  • api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml (3 hunks)
  • api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/GCPPlatform.yaml (3 hunks)
  • api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ImageStreamImportMode.yaml (3 hunks)
  • api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/KMSEncryptionProvider.yaml (3 hunks)
  • api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/NetworkDiagnosticsConfig.yaml (3 hunks)
  • api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/OpenStack.yaml (3 hunks)
  • api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/AAA_ungated.yaml (3 hunks)
  • api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/AutoNodeKarpenter.yaml (3 hunks)
  • api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ClusterVersionOperatorConfiguration.yaml (3 hunks)
  • api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/DynamicResourceAllocation.yaml (3 hunks)
  • api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ExternalOIDC.yaml (3 hunks)
  • api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml (3 hunks)
  • api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/GCPPlatform.yaml (3 hunks)
  • api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ImageStreamImportMode.yaml (3 hunks)
  • api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/KMSEncryptionProvider.yaml (3 hunks)
  • api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/NetworkDiagnosticsConfig.yaml (3 hunks)
  • api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/OpenStack.yaml (3 hunks)
  • cmd/cluster/core/create.go (2 hunks)
  • cmd/cluster/core/create_test.go (3 hunks)
  • cmd/install/assets/hypershift-operator/zz_generated.crd-manifests/hostedclusters-CustomNoUpgrade.crd.yaml (3 hunks)
  • cmd/install/assets/hypershift-operator/zz_generated.crd-manifests/hostedclusters-Default.crd.yaml (3 hunks)
  • cmd/install/assets/hypershift-operator/zz_generated.crd-manifests/hostedclusters-TechPreviewNoUpgrade.crd.yaml (3 hunks)
  • cmd/install/assets/hypershift-operator/zz_generated.crd-manifests/hostedcontrolplanes-CustomNoUpgrade.crd.yaml (3 hunks)
  • cmd/install/assets/hypershift-operator/zz_generated.crd-manifests/hostedcontrolplanes-Default.crd.yaml (3 hunks)
  • cmd/install/assets/hypershift-operator/zz_generated.crd-manifests/hostedcontrolplanes-TechPreviewNoUpgrade.crd.yaml (3 hunks)
  • control-plane-operator/hostedclusterconfigoperator/controllers/resources/network/reconcile_test.go (2 hunks)
  • docs/content/reference/api.md (3 hunks)
  • hypershift-operator/controllers/hostedcluster/hostedcluster_controller_test.go (2 hunks)
  • test/e2e/create_cluster_test.go (2 hunks)
  • test/e2e/v2/tests/api_ux_validation_test.go (3 hunks)
🧰 Additional context used
📓 Path-based instructions (1)
**

⚙️ CodeRabbit configuration file

-Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity.

Files:

  • api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/DynamicResourceAllocation.yaml
  • api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ImageStreamImportMode.yaml
  • cmd/cluster/core/create_test.go
  • cmd/cluster/core/create.go
  • api/hypershift/v1beta1/hostedcluster_types.go
  • api/hypershift/v1beta1/operator.go
  • docs/content/reference/api.md
  • test/e2e/create_cluster_test.go
  • api/hypershift/v1beta1/hosted_controlplane.go
  • api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ClusterVersionOperatorConfiguration.yaml
  • api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/AutoNodeKarpenter.yaml
  • control-plane-operator/hostedclusterconfigoperator/controllers/resources/network/reconcile_test.go
  • api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml
  • cmd/install/assets/hypershift-operator/zz_generated.crd-manifests/hostedclusters-Default.crd.yaml
  • api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/GCPPlatform.yaml
  • api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/OpenStack.yaml
  • api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/AAA_ungated.yaml
  • api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ExternalOIDC.yaml
  • hypershift-operator/controllers/hostedcluster/hostedcluster_controller_test.go
  • api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/AutoNodeKarpenter.yaml
  • api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/NetworkDiagnosticsConfig.yaml
  • api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/DynamicResourceAllocation.yaml
  • api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/KMSEncryptionProvider.yaml
  • cmd/install/assets/hypershift-operator/zz_generated.crd-manifests/hostedcontrolplanes-CustomNoUpgrade.crd.yaml
  • api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ImageStreamImportMode.yaml
  • api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/OpenStack.yaml
  • cmd/install/assets/hypershift-operator/zz_generated.crd-manifests/hostedclusters-TechPreviewNoUpgrade.crd.yaml
  • test/e2e/v2/tests/api_ux_validation_test.go
  • api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml
  • api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/GCPPlatform.yaml
  • cmd/install/assets/hypershift-operator/zz_generated.crd-manifests/hostedcontrolplanes-TechPreviewNoUpgrade.crd.yaml
  • api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/NetworkDiagnosticsConfig.yaml
  • api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/AAA_ungated.yaml
  • api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ExternalOIDC.yaml
  • api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ClusterVersionOperatorConfiguration.yaml
  • cmd/install/assets/hypershift-operator/zz_generated.crd-manifests/hostedclusters-CustomNoUpgrade.crd.yaml
  • api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/KMSEncryptionProvider.yaml
  • cmd/install/assets/hypershift-operator/zz_generated.crd-manifests/hostedcontrolplanes-Default.crd.yaml
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Red Hat Konflux / hypershift-cli-mce-211-on-pull-request

@mgencur mgencur force-pushed the deprecate_calico branch 2 times, most recently from aff25a5 to ef2b51c Compare November 13, 2025 13:23
Remove the Calico enum value from NetworkType while maintaining support
for third-party network providers by accepting any string value.

Changes:
- Remove Calico from NetworkType enum in hostedcluster_types.go
- Change NetworkType from constrained enum to open string type
- Update CEL validation to check against OpenShiftSDN and OVNKubernetes
  instead of requiring networkType == 'Other'
- Update disableMultiNetwork validation messages to reference "third-party"
  instead of "Other"
- Regenerate all CRD manifests and API documentation
- Update tests to reflect new validation logic

The NetworkType field now accepts any string value to support third-party
network providers, while OpenShiftSDN and OVNKubernetes continue to
receive special handling by HyperShift.

This is a backward-compatible change as existing "Other" values remain
valid, and the validation logic is now more flexible.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Labels

  • area/api: Indicates the PR includes changes for the API
  • area/cli: Indicates the PR includes changes for CLI
  • area/control-plane-operator: Indicates the PR includes changes for the control plane operator - in an OCP release
  • area/documentation: Indicates the PR includes changes for documentation
  • area/hypershift-operator: Indicates the PR includes changes for the hypershift operator and API - outside an OCP release
  • area/testing: Indicates the PR includes changes for e2e testing
  • do-not-merge/work-in-progress: Indicates that a PR should not merge because it is a work in progress.
