Fix CEL validation error when provider field is missing in VolumeSpec#1850
Open
gabrielm-splunk wants to merge 1 commit intodevelopfrom
Open
Fix CEL validation error when provider field is missing in VolumeSpec#1850gabrielm-splunk wants to merge 1 commit intodevelopfrom
gabrielm-splunk wants to merge 1 commit intodevelopfrom
Conversation
gabrielm-splunk
requested review from
Igor-splunk,
kasiakoziol,
kubabuczak,
minjieqiu,
patrykw-splunk,
qingw-splunk,
rlieberman-splunk and
vivekr-splunk
kasiakoziol
reviewed
Apr 21, 2026
## Problem After upgrading to v3.1.0, customers encountered validation errors when updating existing Standalone CRs that were created with previous versions: ``` The Standalone "standalone" is invalid: status.smartstore.volumes[0]: Invalid value: "object": no such key: provider evaluating rule: region is required when provider is aws ``` This error occurred because the CEL validation rule added in #1740 attempted to access `self.provider` without first checking if the field exists. In upgrade scenarios, status fields populated by older operator versions may not include the `provider` field, causing the validation to fail with "no such key: provider". ## Root Cause The original CEL validation rule was: ``` self.provider != 'aws' || size(self.region) > 0 ``` This rule evaluates `self.provider` even when the field doesn't exist, violating CEL's requirement to check field existence with `has()` before accessing optional fields. ## Solution Updated the CEL validation rule to: ``` !has(self.provider) || self.provider != 'aws' || (has(self.region) && size(self.region) > 0) ``` This change: 1. First checks if `provider` field exists with `!has(self.provider)` 2. If it doesn't exist, validation passes (allows backward compatibility) 3. Only validates the AWS region requirement when provider is explicitly set to 'aws' 4. Also checks `has(self.region)` before accessing the region field ## Testing Reproduced the issue by: 1. Creating a Standalone CR with the v3.1.0 CRDs 2. Patching the status to remove the provider field (simulating upgrade scenario) 3. Confirmed the error: "no such key: provider evaluating rule" 4. Applied the fix and verified the same operation succeeds ## Impact - Fixes upgrade path from pre-3.1.0 versions where status fields were populated without the provider field - Maintains the validation requirement that AWS volumes must have a region - No impact on new deployments as they will include the provider field Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
gabrielm-splunk
force-pushed
the
fix-cel-validation-provider-field
branch
from
e3c9931 to
5e44be1
Compare
rlieberman-splunk
approved these changes
Apr 21, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
After upgrading to v3.1.0, customers encountered validation errors when updating existing Standalone CRs that were created with previous versions:
This error occurred because the CEL validation rule added in #1740 attempted to access
self.providerwithout first checking if the field exists. In upgrade scenarios, status fields populated by older operator versions may not include theproviderfield, causing the validation to fail with "no such key: provider".Root Cause
The original CEL validation rule was:
This rule evaluates
self.providereven when the field doesn't exist, violating CEL's requirement to check field existence withhas()before accessing optional fields.Solution
Updated the CEL validation rule in
api/v4/common_types.goto:This change:
providerfield exists with!has(self.provider)has(self.region)before accessing the region fieldTesting
Reproduced the issue by:
providerfield (simulating an upgrade scenario)The Standalone "standalone" is invalid: status.smartstore.volumes[0]: Invalid value: "object": no such key: provider evaluating rule: region is required when provider is awsImpact
Checklist
make manifests🤖 Generated with Claude Code