Skip to content

DNM: test patch for inline review comments#2912

Draft
theobarberbany wants to merge 1 commit into
openshift:masterfrom
theobarberbany:tb/test-inline-review
Draft

DNM: test patch for inline review comments#2912
theobarberbany wants to merge 1 commit into
openshift:masterfrom
theobarberbany:tb/test-inline-review

Conversation

@theobarberbany

Copy link
Copy Markdown
Contributor

Do not merge — throwaway PR for testing CI inline comment posting.

Applies the kms-vault-config eval integration test patch to exercise the /api-review inline commenting flow.

Do not merge — throwaway PR for testing CI inline comment posting.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@openshift-merge-bot

Copy link
Copy Markdown
Contributor

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

@openshift-ci

openshift-ci Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jul 2, 2026
@openshift-ci

openshift-ci Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Hello @theobarberbany! Some important instructions when contributing to openshift/api:
API design plays an important part in the user experience of OpenShift and as such API PRs are subject to a high level of scrutiny to ensure they follow our best practices. If you haven't already done so, please review the OpenShift API Conventions and ensure that your proposed changes are compliant. Following these conventions will help expedite the api review process for your PR.

@openshift-ci openshift-ci Bot added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label Jul 2, 2026
@openshift-ci

openshift-ci Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign everettraven for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@theobarberbany theobarberbany changed the title WIP: test patch for inline review comments DNM: test patch for inline review comments Jul 3, 2026

// ExternalSecretStoreConfig defines the configuration for integration with an
// external secret store.
// +kubebuilder:validation:XValidation:rule="has(self.type) && self.type == 'Vault' ? has(self.vault) : !has(self.vault)",message="vault configuration is required when type is Vault, and forbidden otherwise"

@openshift-api-review-bot openshift-api-review-bot Bot Jul 7, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Issue: Redundant has() guard on required field (CEL simplification)

The has(self.type) guard is unnecessary because type is a +required field — it is always present when XValidation runs. This makes the CEL expression more verbose than needed.

Current:

// +kubebuilder:validation:XValidation:rule="has(self.type) && self.type == 'Vault' ? has(self.vault) : !has(self.vault)",message="vault configuration is required when type is Vault, and forbidden otherwise"

Suggested:

// +kubebuilder:validation:XValidation:rule="self.type == 'Vault' ? has(self.vault) : !has(self.vault)",message="vault configuration is required when type is Vault, and forbidden otherwise"

Since type is +required, has(self.type) is always true. The guard adds no protection and makes the expression harder to read.

// type specifies the type of external secret store to use.
// Currently supported values:
// - Vault
// +required

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Issue: Enum value meaning not explained in field comment

The type field lists "Vault" as a supported value but does not explain what it means. Enum meanings must appear in the field's own comment (not just the type definition) since that is what users see in generated docs.

Current:

// type specifies the type of external secret store to use.
// Currently supported values:
// - Vault
// +required
Type ExternalSecretStoreType `json:"type"`

Suggested:

// type specifies the type of external secret store to use.
// Currently supported values:
// - Vault: HashiCorp Vault is used as the external secret store.
// +required
Type ExternalSecretStoreType `json:"type"`

Each enum value must be listed AND its meaning explained in the field's own comment using a descriptive pattern.

// VaultSecretStoreConfig defines the configuration for HashiCorp Vault integration.
type VaultSecretStoreConfig struct {
// serverAddress specifies the address of the Vault server.
// Must be a valid URL starting with https://.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Issues: Documented constraint not enforced + MinLength/MaxLength not documented

Two problems with this field:

1) Documented constraint not enforced: The comment states "Must be a valid URL starting with https://" but there is no +kubebuilder:validation:Pattern marker to enforce this. The API will silently accept values that are not HTTPS URLs.

2) MinLength/MaxLength not documented: The field has MinLength=1 and MaxLength=512 markers but the comment does not document these length constraints.

Current:

// serverAddress specifies the address of the Vault server.
// Must be a valid URL starting with https://.
// +required
// +kubebuilder:validation:MinLength=1
// +kubebuilder:validation:MaxLength=512
ServerAddress string `json:"serverAddress"`

Suggested:

// serverAddress specifies the address of the Vault server.
// Must be a valid URL starting with https://.
// The address must be between 1 and 512 characters long.
// +required
// +kubebuilder:validation:MinLength=1
// +kubebuilder:validation:MaxLength=512
// +kubebuilder:validation:Pattern=`^https://`
ServerAddress string `json:"serverAddress"`

Either add a Pattern marker to enforce the HTTPS URL constraint, or remove the claim from the comment. All constraint markers must also be documented in the field's comment.

ServerAddress string `json:"serverAddress"`

// transitKeyName specifies the name of the transit encryption key in Vault.
// The name must not exceed 253 characters.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Issues: Documented constraint not enforced + MinLength not documented

Two problems with this field:

1) Documented constraint not enforced: The comment states "The name must not exceed 253 characters" but there is no +kubebuilder:validation:MaxLength=253 marker to enforce this constraint.

2) MinLength not documented: The field has MinLength=1 but the comment does not mention that empty strings are rejected.

Current:

// transitKeyName specifies the name of the transit encryption key in Vault.
// The name must not exceed 253 characters.
// +required
// +kubebuilder:validation:MinLength=1
TransitKeyName string `json:"transitKeyName"`

Suggested:

// transitKeyName specifies the name of the transit encryption key in Vault.
// The name must be at least 1 character and must not exceed 253 characters.
// +required
// +kubebuilder:validation:MinLength=1
// +kubebuilder:validation:MaxLength=253
TransitKeyName string `json:"transitKeyName"`

The claimed 253-character max must be enforced with a MaxLength marker, not just documented.


// transitMountPath specifies the mount path for the transit secrets engine.
// +required
// +kubebuilder:validation:MinLength=1

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Issue: MinLength not documented

The field has MinLength=1 but the comment does not mention that the value must be at least 1 character (i.e., empty strings are rejected).

Current:

// transitMountPath specifies the mount path for the transit secrets engine.
// +required
// +kubebuilder:validation:MinLength=1
TransitMountPath string `json:"transitMountPath"`

Suggested:

// transitMountPath specifies the mount path for the transit secrets engine.
// The path must be at least 1 character long.
// +required
// +kubebuilder:validation:MinLength=1
TransitMountPath string `json:"transitMountPath"`

All constraint markers must be documented in the field's comment so users know the validation rules without reading the markers.

TransitMountPath string `json:"transitMountPath"`

// namespace specifies the Vault namespace to use.
// +optional

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Issues: Optional field missing omitted behavior + MinLength/MaxLength not documented

Two problems with this field:

1) Optional field does not explain omitted behavior: The namespace field is +optional but the comment does not explain what happens when the field is omitted.

2) MinLength/MaxLength not documented: The field has MinLength=1 and MaxLength=256 markers but the comment does not document these length constraints.

Current:

// namespace specifies the Vault namespace to use.
// +optional
// +kubebuilder:validation:MinLength=1
// +kubebuilder:validation:MaxLength=256
Namespace string `json:"namespace,omitempty"`

Suggested:

// namespace specifies the Vault namespace to use.
// When omitted, the root namespace is used.
// The namespace must be between 1 and 256 characters long.
// +optional
// +kubebuilder:validation:MinLength=1
// +kubebuilder:validation:MaxLength=256
Namespace string `json:"namespace,omitempty"`

Every optional field must explain the behavior when it is not provided. All constraint markers must also be documented in the field comment.


// caCertificate contains the PEM-encoded CA certificate for TLS verification
// of the Vault server connection.
// When omitted, the system's trusted CA certificates are used.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Issue: MinLength and MaxLength not documented

The field has MinLength=1 and MaxLength=65536 markers but the comment does not document these length constraints.

Current:

// caCertificate contains the PEM-encoded CA certificate for TLS verification
// of the Vault server connection.
// When omitted, the system's trusted CA certificates are used.
// +optional
// +kubebuilder:validation:MinLength=1
// +kubebuilder:validation:MaxLength=65536
CACertificate string `json:"caCertificate,omitempty"`

Suggested:

// caCertificate contains the PEM-encoded CA certificate for TLS verification
// of the Vault server connection.
// When omitted, the system's trusted CA certificates are used.
// The certificate must be between 1 and 65536 characters long.
// +optional
// +kubebuilder:validation:MinLength=1
// +kubebuilder:validation:MaxLength=65536
CACertificate string `json:"caCertificate,omitempty"`

All constraint markers must be documented in the field comment so users understand validation without reading the markers.

@openshift-api-review-bot

Copy link
Copy Markdown

API Review

Issues were found and posted as inline comments on this PR.


Run locally: claude -p "/api-review" from a clone of this PR.
Iterate locally before pushing — it's faster and doesn't use CI budget.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant