bindata,ovn-k,cudn: Validate excludeSubnet match specified subnets

ormergi · ormergi · commit 197d80675ed6 · 2025-04-23T13:39:06.000+03:00
Add CEL validation on OVN-K CUDN CRD for localnet to topology, to ensure the specified excludeSubnetes match the specified subnets. This change make the CRD diverge from the CRD on U/S due to a bug [1] that its fix is available on D/S [2] [3] but not available on U/S yet. [1] https://issues.redhat.com/browse/OCPBUGS-54426 [2] openshift/kubernetes#2263 [3] openshift/kubernetes#2267 Signed-off-by: Or Mergi <ormergi@redhat.com>
diff --git a/bindata/network/ovn-kubernetes/common/001-crd.yaml b/bindata/network/ovn-kubernetes/common/001-crd.yaml
@@ -4032,6 +4032,11 @@ spec:
                         IPv6 subnet is used
                       rule: '!has(self.subnets) || !has(self.mtu) || !self.subnets.exists_one(i,
                         isCIDR(i) && cidr(i).ip().family() == 6) || self.mtu >= 1280'
+                    - fieldPath: .excludeSubnets
+                      message: excludeSubnets must be subnetworks of the networks
+                        specified in the subnets field
+                      rule: '!has(self.excludeSubnets) || self.excludeSubnets.all(e,
+                        self.subnets.exists(s, cidr(s).containsCIDR(cidr(e))))'
                   topology:
                     description: |-
                       Topology describes network configuration.
