OCPBUGS-60693,OCPBUGS-60958: Synchronize From Upstream Repositories

.bingo/Variables.mk

@@ -35,11 +35,11 @@ $(CONTROLLER_GEN): $(BINGO_DIR)/controller-gen.mod
 	@echo "(re)installing $(GOBIN)/controller-gen-v0.20.1"
 	@cd $(BINGO_DIR) && GOWORK=off $(GO) build -mod=mod -modfile=controller-gen.mod -o=$(GOBIN)/controller-gen-v0.20.1 "sigs.k8s.io/controller-tools/cmd/controller-gen"
 
-CRD_DIFF := $(GOBIN)/crd-diff-v0.5.0
+CRD_DIFF := $(GOBIN)/crd-diff-v0.5.1-0.20260309184313-54162f2e3097
 $(CRD_DIFF): $(BINGO_DIR)/crd-diff.mod
 	@# Install binary/ries using Go 1.14+ build command. This is using bwplotka/bingo-controlled, separate go module with pinned dependencies.
-	@echo "(re)installing $(GOBIN)/crd-diff-v0.5.0"
-	@cd $(BINGO_DIR) && GOWORK=off $(GO) build -mod=mod -modfile=crd-diff.mod -o=$(GOBIN)/crd-diff-v0.5.0 "sigs.k8s.io/crdify"
+	@echo "(re)installing $(GOBIN)/crd-diff-v0.5.1-0.20260309184313-54162f2e3097"
+	@cd $(BINGO_DIR) && GOWORK=off $(GO) build -mod=mod -modfile=crd-diff.mod -o=$(GOBIN)/crd-diff-v0.5.1-0.20260309184313-54162f2e3097 "sigs.k8s.io/crdify"
 
 CRD_REF_DOCS := $(GOBIN)/crd-ref-docs-v0.3.0
 $(CRD_REF_DOCS): $(BINGO_DIR)/crd-ref-docs.mod

.bingo/crd-diff.mod

@@ -2,4 +2,4 @@ module _ // Auto generated by https://github.com/bwplotka/bingo. DO NOT EDIT
 
 go 1.24.6
 
-require sigs.k8s.io/crdify v0.5.0
+require sigs.k8s.io/crdify v0.5.1-0.20260309184313-54162f2e3097

.bingo/crd-diff.sum

@@ -251,6 +251,8 @@ sigs.k8s.io/controller-runtime v0.16.2 h1:mwXAVuEk3EQf478PQwQ48zGOXvW27UJc8NHktQ
 sigs.k8s.io/controller-runtime v0.16.2/go.mod h1:vpMu3LpI5sYWtujJOa2uPK61nB5rbwlN7BAB8aSLvGU=
 sigs.k8s.io/crdify v0.5.0 h1:mrMH9CgXQPTZUpTU6Klqfnlys8bggv/7uvLT2lXSP7A=
 sigs.k8s.io/crdify v0.5.0/go.mod h1:ZIFxaYNgKYmFtZCLPysncXQ8oqwnNlHQbRUfxJHZwzU=
+sigs.k8s.io/crdify v0.5.1-0.20260309184313-54162f2e3097 h1:gwDRFCc64lhEpxY944IJFW+CrmMFXWH+JjpE0JHp42Y=
+sigs.k8s.io/crdify v0.5.1-0.20260309184313-54162f2e3097/go.mod h1:ZIFxaYNgKYmFtZCLPysncXQ8oqwnNlHQbRUfxJHZwzU=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
 sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4=

.bingo/variables.env

@@ -14,7 +14,7 @@ CONFTEST="${GOBIN}/conftest-v0.62.0"
 
 CONTROLLER_GEN="${GOBIN}/controller-gen-v0.20.1"
 
-CRD_DIFF="${GOBIN}/crd-diff-v0.5.0"
+CRD_DIFF="${GOBIN}/crd-diff-v0.5.1-0.20260309184313-54162f2e3097"
 
 CRD_REF_DOCS="${GOBIN}/crd-ref-docs-v0.3.0"
 

commitchecker.yaml

@@ -1,3 +1,4 @@
+expectedMergeBase: ba1e4cb6e9705f0182c60c66889db00b0523b10f
 upstreamBranch: main
 upstreamOrg: operator-framework
 upstreamRepo: operator-controller

docs/concepts/large-bundle-support.md

@@ -139,12 +139,19 @@ follow for consistency and safe lifecycle management.
 
 Recommended conventions:
 
-1. **Immutability**: Secrets should set `immutable: true`. Because COS phases
+1. **Secret type**: Secrets should use the dedicated type
+   `olm.operatorframework.io/object-data` to distinguish them from user-created
+   Secrets and enable easy identification. The system always sets this type on
+   Secrets it creates. The reconciler does not enforce the type when resolving
+   refs — Secrets with any type are accepted — but producers should set it for
+   consistency.
+
+2. **Immutability**: Secrets should set `immutable: true`. Because COS phases
    are immutable, the content backing a ref should not change after creation.
    Mutable referenced Secrets are not rejected, but modifying them after the
    COS is created leads to undefined behavior.
 
-2. **Owner references**: Referenced Secrets should carry an ownerReference to
+3. **Owner references**: Referenced Secrets should carry an ownerReference to
    the COS so that Kubernetes garbage collection removes them when the COS is
    deleted:
    ```yaml
@@ -159,7 +166,7 @@ Recommended conventions:
    Secret when the COS is deleted. The reconciler does not delete referenced
    Secrets itself.
 
-3. **Revision label**: A label identifying the owning revision aids discovery,
+4. **Revision label**: A label identifying the owning revision aids discovery,
    debugging, and bulk cleanup:
    ```
    olm.operatorframework.io/revision-name: <COS-name>
@@ -237,6 +244,7 @@ metadata:
       uid: <revision-uid>
       controller: true
 immutable: true
+type: olm.operatorframework.io/object-data
 data:
   service-account: <base64(JSON ServiceAccount manifest)>
   cluster-role:    <base64(JSON ClusterRole manifest)>
@@ -255,6 +263,7 @@ metadata:
       uid: <revision-uid>
       controller: true
 immutable: true
+type: olm.operatorframework.io/object-data
 data:
   my-crd: <base64(JSON CRD manifest)>
 ---
@@ -272,6 +281,7 @@ metadata:
       uid: <revision-uid>
       controller: true
 immutable: true
+type: olm.operatorframework.io/object-data
 data:
   deployment: <base64(JSON Deployment manifest)>
 ```
@@ -653,7 +663,7 @@ rollout semantics are unchanged.
 | **Crash safety** | 3-step: Secrets → COS → patch ownerRefs; orphan cleanup via revision label                            | 2-step: COS → Secrets with ownerRefs; simpler but reconciler may see missing Secrets temporarily |
 | **Flexibility** | Mixed inline/ref per object within the same phase is possible                                         | All-or-nothing — either all phases inline or all externalized                                    |
 | **Storage efficiency** | Per-object compression misses cross-object redundancy; potentially more Secrets created in edge cases | Better compression from cross-phase redundancy; fewer Secrets                                    |
-| **Resource type** | Secret only                                                                                          | Secret only (with dedicated type)                                                                |
+| **Resource type** | Secret with dedicated type `olm.operatorframework.io/object-data`                                     | Secret with dedicated type `olm.operatorframework.io/revision-phase-data`                        |
 | **Phases structure** | Unchanged — phases array preserved as-is; only individual objects gain a new resolution path          | Replaced at the top level — phases field swapped for phasesRef                                   |
 | **Content addressability** | Content hash as Secret data key — key changes when content changes                                    | Content hash embedded in Secret name — detects changes without fetching contents                 |
 

go.mod

@@ -48,7 +48,7 @@ require (
 	pkg.package-operator.run/boxcutter v0.12.0
 	sigs.k8s.io/controller-runtime v0.23.3
 	sigs.k8s.io/controller-tools v0.20.1
-	sigs.k8s.io/crdify v0.5.0
+	sigs.k8s.io/crdify v0.5.1-0.20260309184313-54162f2e3097
 	sigs.k8s.io/structured-merge-diff/v6 v6.3.2
 	sigs.k8s.io/yaml v1.6.0
 )

go.sum

@@ -804,8 +804,8 @@ sigs.k8s.io/controller-runtime v0.23.3 h1:VjB/vhoPoA9l1kEKZHBMnQF33tdCLQKJtydy4i
 sigs.k8s.io/controller-runtime v0.23.3/go.mod h1:B6COOxKptp+YaUT5q4l6LqUJTRpizbgf9KSRNdQGns0=
 sigs.k8s.io/controller-tools v0.20.1 h1:gkfMt9YodI0K85oT8rVi80NTXO/kDmabKR5Ajn5GYxs=
 sigs.k8s.io/controller-tools v0.20.1/go.mod h1:b4qPmjGU3iZwqn34alUU5tILhNa9+VXK+J3QV0fT/uU=
-sigs.k8s.io/crdify v0.5.0 h1:mrMH9CgXQPTZUpTU6Klqfnlys8bggv/7uvLT2lXSP7A=
-sigs.k8s.io/crdify v0.5.0/go.mod h1:ZIFxaYNgKYmFtZCLPysncXQ8oqwnNlHQbRUfxJHZwzU=
+sigs.k8s.io/crdify v0.5.1-0.20260309184313-54162f2e3097 h1:gwDRFCc64lhEpxY944IJFW+CrmMFXWH+JjpE0JHp42Y=
+sigs.k8s.io/crdify v0.5.1-0.20260309184313-54162f2e3097/go.mod h1:ZIFxaYNgKYmFtZCLPysncXQ8oqwnNlHQbRUfxJHZwzU=
 sigs.k8s.io/gateway-api v1.5.0 h1:duoo14Ky/fJXpjpmyMISE2RTBGnfCg8zICfTYLTnBJA=
 sigs.k8s.io/gateway-api v1.5.0/go.mod h1:GvCETiaMAlLym5CovLxGjS0NysqFk3+Yuq3/rh6QL2o=
 sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 h1:IpInykpT6ceI+QxKBbEflcR5EXP7sU1kvOlxwZh5txg=

internal/operator-controller/applier/secretpacker.go

@@ -143,6 +143,7 @@ func (p *SecretPacker) newSecret(data map[string][]byte) corev1.Secret {
 			},
 		},
 		Immutable: ptr.To(true),
+		Type:      labels.SecretTypeObjectData,
 		Data:      data,
 	}
 }

internal/operator-controller/applier/secretpacker_test.go

@@ -46,6 +46,7 @@ func TestSecretPacker_Pack(t *testing.T) {
 		assert.True(t, strings.HasPrefix(result.Secrets[0].Name, "my-ext-3-"), "Secret name should be content-addressable with revision prefix")
 		assert.Equal(t, "olmv1-system", result.Secrets[0].Namespace)
 		assert.True(t, *result.Secrets[0].Immutable)
+		assert.Equal(t, labels.SecretTypeObjectData, result.Secrets[0].Type)
 		assert.Equal(t, "my-ext-3", result.Secrets[0].Labels[labels.RevisionNameKey])
 		assert.Equal(t, "my-ext", result.Secrets[0].Labels[labels.OwnerNameKey])
 

internal/operator-controller/labels/labels.go

@@ -1,6 +1,13 @@
 package labels
 
+import corev1 "k8s.io/api/core/v1"
+
 const (
+	// SecretTypeObjectData is the custom Secret type used for Secrets that store
+	// externalized object content referenced by ClusterObjectSet ref entries.
+	// It distinguishes OLM-managed ref Secrets from user-created Secrets.
+	SecretTypeObjectData corev1.SecretType = "olm.operatorframework.io/object-data" //nolint:gosec // G101 false positive: this is a Kubernetes Secret type identifier, not a credential
+
 	// OwnerKindKey is the label key used to record the kind of the owner
 	// resource responsible for creating or managing a ClusterObjectSet.
 	OwnerKindKey = "olm.operatorframework.io/owner-kind"

internal/operator-controller/rukpak/preflights/crdupgradesafety/crdupgradesafety.go

@@ -160,15 +160,15 @@ func sameVersionErrors(results *runner.Results) []error {
 	}
 
 	errs := []error{}
-	for version, propertyResults := range results.SameVersionValidation {
-		for property, comparisonResults := range propertyResults {
-			for _, result := range comparisonResults {
+	for _, versionResult := range results.SameVersionValidation {
+		for _, propertyResult := range versionResult.PropertyComparisons {
+			for _, result := range propertyResult.ComparisonResults {
 				for _, err := range result.Errors {
 					msg := err
 					if result.Name == "unhandled" {
 						msg = conciseUnhandledMessage(err)
 					}
-					errs = append(errs, fmt.Errorf("%s: %s: %s: %s", version, property, result.Name, msg))
+					errs = append(errs, fmt.Errorf("%s: %s: %s: %s", versionResult.Version, propertyResult.Property, result.Name, msg))
 				}
 			}
 		}
@@ -183,15 +183,15 @@ func servedVersionErrors(results *runner.Results) []error {
 	}
 
 	errs := []error{}
-	for version, propertyResults := range results.ServedVersionValidation {
-		for property, comparisonResults := range propertyResults {
-			for _, result := range comparisonResults {
+	for _, versionResult := range results.ServedVersionValidation {
+		for _, propertyResult := range versionResult.PropertyComparisons {
+			for _, result := range propertyResult.ComparisonResults {
 				for _, err := range result.Errors {
 					msg := err
 					if result.Name == "unhandled" {
 						msg = conciseUnhandledMessage(err)
 					}
-					errs = append(errs, fmt.Errorf("%s: %s: %s: %s", version, property, result.Name, msg))
+					errs = append(errs, fmt.Errorf("%s: %s: %s: %s", versionResult.Version, propertyResult.Property, result.Name, msg))
 				}
 			}
 		}

internal/operator-controller/rukpak/preflights/crdupgradesafety/crdupgradesafety_test.go

@@ -191,6 +191,14 @@ func TestInstall(t *testing.T) {
 				Manifest: getManifestString(t, "crd-description-changed.json"),
 			},
 		},
+		{
+			name:       "optional field addition should not fail",
+			oldCrdPath: "crd-optional-field-old.json",
+			release: &release.Release{
+				Name:     "test-release",
+				Manifest: getManifestString(t, "crd-optional-field-new.json"),
+			},
+		},
 	}
 
 	for _, tc := range tests {
@@ -370,6 +378,35 @@ func TestUpgrade(t *testing.T) {
 				)
 			},
 		},
+		{
+			name:       "optional field addition should not fail",
+			oldCrdPath: "crd-optional-field-old.json",
+			release: &release.Release{
+				Name:     "test-release",
+				Manifest: getManifestString(t, "crd-optional-field-new.json"),
+			},
+		},
+		{
+			name:       "complex breaking changes should fail",
+			oldCrdPath: "crd-complex-breaking-changes-old.json",
+			release: &release.Release{
+				Name:     "test-release",
+				Manifest: getManifestString(t, "crd-complex-breaking-changes-new.json"),
+			},
+			// This test verifies detection of multiple breaking changes in a single CRD upgrade:
+			// 1. Type changed from "object" to "" - Properly detected by type validator
+			// 2. Nullable changed from false to true - Properly detected by nullable validator
+			// 3. OneOf constraint added - Reported as "unhandled" (needs crdify support)
+			//    See: https://github.com/kubernetes-sigs/crdify/issues/25
+			// The upgrade is correctly blocked, but OneOf changes need better categorization.
+			requireErr: wantErrorMsgs([]string{
+				`validating upgrade for CRD "services.networking.example.com"`,
+				`type: type changed`,
+				`nullable: nullable added`,
+				`unhandled: unhandled changes found`,
+				`OneOf`,
+			}),
+		},
 	}
 
 	for _, tc := range tests {

internal/operator-controller/rukpak/preflights/crdupgradesafety/testdata/manifests/crd-complex-breaking-changes-new.json

@@ -0,0 +1,106 @@
+{
+    "apiVersion": "apiextensions.k8s.io/v1",
+    "kind": "CustomResourceDefinition",
+    "metadata": {
+        "name": "services.networking.example.com"
+    },
+    "spec": {
+        "group": "networking.example.com",
+        "versions": [
+            {
+                "name": "v1beta1",
+                "served": true,
+                "storage": true,
+                "schema": {
+                    "openAPIV3Schema": {
+                        "type": "object",
+                        "properties": {
+                            "spec": {
+                                "type": "object",
+                                "properties": {
+                                    "ingress": {
+                                        "type": "object",
+                                        "properties": {
+                                            "gateway": {
+                                                "type": "object",
+                                                "properties": {
+                                                    "servers": {
+                                                        "type": "array",
+                                                        "items": {
+                                                            "type": "object",
+                                                            "properties": {
+                                                                "hosts": {
+                                                                    "description": "One or more hosts exposed by this gateway",
+                                                                    "type": "array",
+                                                                    "items": {
+                                                                        "type": "string"
+                                                                    }
+                                                                },
+                                                                "port": {
+                                                                    "type": "object",
+                                                                    "properties": {
+                                                                        "name": {
+                                                                            "description": "Label assigned to the port",
+                                                                            "type": "string"
+                                                                        },
+                                                                        "number": {
+                                                                            "description": "Port number",
+                                                                            "type": "integer"
+                                                                        }
+                                                                    }
+                                                                },
+                                                                "tls": {
+                                                                    "nullable": true,
+                                                                    "oneOf": [
+                                                                        {
+                                                                            "required": ["mode", "credentialName"]
+                                                                        },
+                                                                        {
+                                                                            "required": ["httpsRedirect"]
+                                                                        }
+                                                                    ],
+                                                                    "properties": {
+                                                                        "credentialName": {
+                                                                            "description": "TLS certificate name",
+                                                                            "type": "string"
+                                                                        },
+                                                                        "httpsRedirect": {
+                                                                            "description": "If set to true, the load balancer will send a 301 redirect to HTTPS",
+                                                                            "type": "boolean"
+                                                                        },
+                                                                        "mode": {
+                                                                            "description": "TLS mode",
+                                                                            "type": "string"
+                                                                        }
+                                                                    }
+                                                                }
+                                                            }
+                                                        }
+                                                    }
+                                                }
+                                            }
+                                        }
+                                    }
+                                }
+                            }
+                        }
+                    }
+                }
+            }
+        ],
+        "scope": "Namespaced",
+        "names": {
+            "plural": "services",
+            "singular": "service",
+            "kind": "Service",
+            "shortNames": [
+                "svc"
+            ]
+        }
+    },
+    "status": {
+        "storedVersions": [
+            "v1beta1"
+        ]
+    }
+}