datum-cloud
diff --git a/‎.github/workflows/test-environment-validation.yaml‎
Lines changed: 20 additions & 0 deletions b/‎.github/workflows/test-environment-validation.yaml‎
Lines changed: 20 additions & 0 deletions
diff --git a/‎.tmp/local-search-kubeconfig.yaml‎
Lines changed: 19 additions & 0 deletions b/‎.tmp/local-search-kubeconfig.yaml‎
Lines changed: 19 additions & 0 deletions
diff --git a/‎Taskfile.yaml‎
Lines changed: 118 additions & 33 deletions b/‎Taskfile.yaml‎
Lines changed: 118 additions & 33 deletions
diff --git a/‎cmd/search/main.go‎
Lines changed: 32 additions & 9 deletions b/‎cmd/search/main.go‎
Lines changed: 32 additions & 9 deletions
@@ -86,6 +86,26 @@ jobs:
           echo "⏳ Waiting for controller manager to be ready..."
           task test-infra:kubectl -- wait --for=condition=Ready pod -l app.kubernetes.io/name=search-controller-manager -n search-system --timeout=120s
 
+          # Wait for API server to be ready
+          echo "⏳ Waiting for API server to be ready..."
+          task test-infra:kubectl -- wait --for=condition=Ready pod -l app.kubernetes.io/name=search-apiserver -n search-system --timeout=120s
+
+          # Verify Aggregated API Availability (CA Injection)
+          echo "⏳ Verifying Aggregated API Availability..."
+          for i in {1..30}; do
+            CA_LEN=$(task test-infra:kubectl -- get apiservice v1alpha1.policy.search.miloapis.com -o jsonpath='{len(.spec.caBundle)}' 2>/dev/null || echo "0")
+            if [ "$CA_LEN" -gt "0" ]; then
+              echo "✅ CA Bundle injected into APIService."
+              break
+            fi
+            echo "Waiting for CA injection into APIService..."
+            sleep 2
+          done
+          
+          # Verify Discovery works
+          echo "Verifying API Discovery..."
+          task test-infra:kubectl -- get resourceindexpolicies
+          
           echo "✓ Search components verification complete"
 
       - name: Run end-to-end tests
 
@@ -0,0 +1,19 @@
+apiVersion: v1
+clusters:
+- cluster:
+    insecure-skip-tls-verify: true
+    server: https://127.0.0.1:9443
+  name: kind-test-infra
+contexts:
+- context:
+    cluster: kind-test-infra
+    user: kind-test-infra
+  name: kind-test-infra
+current-context: kind-test-infra
+kind: Config
+preferences: {}
+users:
+- name: kind-test-infra
+  user:
+    client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURLVENDQWhHZ0F3SUJBZ0lJVTJwbEZvY1dVN1F3RFFZSktvWklodmNOQVFFTEJRQXdGVEVUTUJFR0ExVUUKQXhNS2EzVmlaWEp1WlhSbGN6QWVGdzB5TmpBeU1EVXlNREV5TlRSYUZ3MHlOekF5TURVeU1ERTNOVFJhTUR3eApIekFkQmdOVkJBb1RGbXQxWW1WaFpHMDZZMngxYzNSbGNpMWhaRzFwYm5NeEdUQVhCZ05WQkFNVEVHdDFZbVZ5CmJtVjBaWE10WVdSdGFXNHdnZ0VpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElCRHdBd2dnRUtBb0lCQVFERktIMFIKcnJEanNXdjMzbHhQWlA5eDZYNnEzWENiZnJjdWhkSUxTbHhuVUQrcEpQZkx3T2pmVW04NDBpZnlDcWRNbDJUQwpnb1pXQXBnM1ZmMHZYeERYdjBaVHlSSWFMWHBkY1ZQcTBCVCs3OFFiRzF6TWRpYUNvZ3dsenRHZ1dlcElXdVUzCjdMOGNaL2pKeWJtZGZXdVMyVnhPYit4cVBIODVwWVMySDVvdDN4cVdqb3Y2Ri9Ya294VGFFT2F4WXkrWTd5QjEKUllDdytiaGFOa3Z5R2pxVWh4UTUzVWg5L3VtVHRUajRtWVplWkRxTWJqTU5ZQ3BDZGlzTFhhOVl3bzM0WC9aSApjS0Zhd3UzN0k5SHRjQnFxOXk3eU1pQlVZV2x1QTRQTWRRTFJqOEZUQlhkd2YvbUx4NnYwcHpEczd0VGt2M2trCjRxRVE4aHpXK09SZ09jZjdBZ01CQUFHalZqQlVNQTRHQTFVZER3RUIvd1FFQXdJRm9EQVRCZ05WSFNVRUREQUsKQmdnckJnRUZCUWNEQWpBTUJnTlZIUk1CQWY4RUFqQUFNQjhHQTFVZEl3UVlNQmFBRkVBVGpXT1pMRnRJMmpDZgo5eUh6ODc4ZEU0cTFNQTBHQ1NxR1NJYjNEUUVCQ3dVQUE0SUJBUUEvUWFNMWJrSTRQRnovdmxoUEg4RkNOQ1FpClBHdnI0VVMxVUJJck53cTg3djBSelQ5SzhLNTJ4dTVkbmtNWVhsTkYzT1Q0ZG9ocGRxQmxFR3ovMXNvTG94WUwKMk5jOE5BN2Ixb0FrUGNGVXZFbW9TWDkweHRFa0NPT1pGUFJRYThsTzM3bElNZkFiNnl4VlJsYXVGdVdpaTBGNwpNd3BaczVCRWI0MFZrcTYxYXQ5Vnk5Nm1NQ1JERDFpenJmcENhNlQ1bEk3SG9OeVk4Z1ZES1pPRmx6RTArY0FaCmdBSUZpQ05sYlF1WWxSSnBZRktoUk1wQk5JOFdKQjM0WXlWVjNBUVlKb053SWdIWE5ueitmUENaTG5KangxNHgKZlhFQ2xjNFVBZEYwNnVvZE0zRlY0aVRnNFl5VzduQjA0UFFUcmsyQm81WEdwSVp4MDMvcmVucGloU3J6Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
+    client-key-data: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb3dJQkFBS0NBUUVBeFNoOUVhNnc0N0ZyOTk1Y1QyVC9jZWwrcXQxd20zNjNMb1hTQzBwY1oxQS9xU1QzCnk4RG8zMUp2T05JbjhncW5USmRrd29LR1ZnS1lOMVg5TDE4UTE3OUdVOGtTR2kxNlhYRlQ2dEFVL3UvRUd4dGMKekhZbWdxSU1KYzdSb0ZucVNGcmxOK3kvSEdmNHljbTVuWDFya3RsY1RtL3NhangvT2FXRXRoK2FMZDhhbG82TAoraGYxNUtNVTJoRG1zV012bU84Z2RVV0FzUG00V2paTDhobzZsSWNVT2QxSWZmN3BrN1U0K0ptR1htUTZqRzR6CkRXQXFRbllyQzEydldNS04rRi8yUjNDaFdzTHQreVBSN1hBYXF2Y3U4aklnVkdGcGJnT0R6SFVDMFkvQlV3VjMKY0gvNWk4ZXI5S2N3N083VTVMOTVKT0toRVBJYzF2amtZRG5IK3dJREFRQUJBb0lCQURXbDI4cDQ5NGN0bXd4NgpoREhTY0xQbGJtTStHRXNuZ3Q3MDZQL0xmek5ab2NqNzF6V3BTM1NoTU1TTVl2UTRzK2RpZHJkNjN1VCtsYjdRCjlqRHl0Rm1Rb2FsZzJEMHBUTmVxWThSTVZMbytNZVdTWDREL1VXRlFpTytzeEZ2V3U2cHVtVnJMWUFGeHhUL2IKVlZlbWJpUXFZelN3dmVyMmhVUUJad2hMdHg5dHo5T05WU2VTakhDaGx5YzRmdFR5MnN2emFWQWloclFZZWRBawpQTXhIL1dvcS9sYmg1d1hYc2xlU2FOaFpBQ2NzUGl0WjBuOVlydFFweEkySjZ0WUxrKzl5Y0FkUlRWbkZYQ3Z6CmRiaFZUeFlNRUl4aS9LWmtYdjhWWDBjeEN2OEdMZEFwNWhSbjRYNWowUGtWdXhqcUFvVk9nVVFvNHlKSGJWS2oKMG5oZmJpRUNnWUVBL2grbkJOUUZVRGtsZGJvbzJ0bGJNRjZhK2lXRjZtZjJveFBidDRQdlNrcGkvRldIS3pTQgo4NzkzaVlZSytseUxJc0xoZURLSVpLTDBicUZvcHBpYkx1L2t4WFVCdVFhSlJEZHZXWUJqUUdVc1pYbmFPYlBoClFHYm1meGZtMmtXVHdIdDJ3a0dPMUhzZDgzZlJkcTNlVlNjd0lMUE1vcTdNQ2hLbjQ5d1gxNHNDZ1lFQXhwMG8KeHdnYVhzUVV3aWVRR3JJQ0hXdUpPMjlSZUJLUE5TS00rNFlBTVUyUTZoWHFuMW5KR1VUS2Vpbm9CRmliUHJKQQpRc1Q2RzRyYTZuWXVaSnlFaWNFazBsM3ZNVFhhZFhwRW1ucmZ3WnJjTVFteTA5ZzZYNEFDWWtlMVB0YjlKM0JVCjg5TjBuUEYyMXdJM0dQOUVlVUw2anN2UFZRZStva3FRN05GV1gxRUNnWUVBeEpDdE8xSFk3azNWeVBOL1NKRWEKTlJib241ZEl0NkZGS0sxaXBkZjZ6eWNzMit3NFN0WXBzdVltUzQwUWpzbm9vYkhHZjVmdTRwRWRxemxVM3BCcQpjT3NFdFN1bGNuNDR6VGhuKy80UVI2NDZvaCtZQ2t3MmJ2OXBTV091b0tWeS9VOUM5RTJMY3BYcysvZHhZWEJwCjZzb09NeTJBbTFIRDZBSzROTXQ0OGJNQ2dZQmtTWThCa1BIZjBCcTdQc2JnOCtsbGVaczl5NlBUZ1d1V1pPL1QKUVlKdllyODlzL3RZb3ptTDdOUmdnekNJb1VVaWoxY3JYOUw2ZlU2MC9SL0g1ZEIyem5RTlZTa21MQTgzS3BuaApkeEhzN0lrcXFiOEdnVFJZYkliSG9YVy9XVWRTMXNIT3JJTkJqQnQ1emNDTWVyalVraUY2WVNjN3hFRmFLVlNzCmY3ZWhRUUtCZ0FOSTB1aTNnbXZDQzIrUDZUekRzMmJNN0JIRFkwd3p2aE1WQzQ5SDY2amdScGNVTkNiODRwamIKM0NKVlhUZHpNMDdVRzJ1aVZ1RFQ0MEVZa2p5NFp3RW5wc3hKSWpHcTcrR1FQZ05DTk03VG1QMzI0ajhXWU1uMQpYaUxUT2d0aWR2VFY3QyszU1BRRzFTbUkyaWxJdGhYWTg3MXk0eGd0NFhyaXZSczdWdkhRCi0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg==
@@ -119,20 +119,42 @@ tasks:
     cmds:
       - echo "Generating deepcopy and object files..."
       - "\"{{.TOOL_DIR}}/controller-gen\" object paths=\"./pkg/apis/...\""
-      - echo "Generating CRD manifests for each package..."
-      - |
-        set -e
-        for package_dir in pkg/apis/*/; do
-          package_name=$(basename "$package_dir")
-          echo "Generating CRDs for package: $package_name"
-          mkdir -p "config/crd/bases/$package_name"
-          "{{.TOOL_DIR}}/controller-gen" crd paths="./$package_dir..." output:dir="./config/crd/bases/$package_name"
-        done
-      - echo "Generating webhook files..."
-      - "\"{{.TOOL_DIR}}/controller-gen\" webhook paths=\"./internal/webhooks/...\" output:dir=\"./config/webhook\""
       # Generate RBAC rules for the controllers.
       - echo "Generating RBAC rules for the controllers..."
       - "\"{{.TOOL_DIR}}/controller-gen\" rbac:roleName=milo-controller-manager paths=\"./internal/controllers/...\" output:dir=\"./config/controller-manager/overlays/core-control-plane/rbac\""
+      - task: generate:openapi
+    silent: true
+
+  generate:openapi:
+    desc: Generate OpenAPI definitions for search API types
+    deps:
+      - task: install-go-tool
+        vars:
+          NAME: openapi-gen
+          PACKAGE: k8s.io/code-generator/cmd/openapi-gen
+          VERSION: v0.23.0
+    cmds:
+      - echo "Generating OpenAPI definitions..."
+      - |
+        set -e
+        # Packages to generate OpenAPI for
+        PACKAGES=(
+          "pkg/apis/policy/v1alpha1"
+          "pkg/apis/search/v1alpha1"
+        )
+        
+        for REL_DIR in "${PACKAGES[@]}"; do
+          PKG="go.miloapis.net/search/$REL_DIR"
+          echo "Generating OpenAPI for $PKG..."
+          
+          "{{.TOOL_DIR}}/openapi-gen" \
+            --input-dirs "$PKG,k8s.io/apimachinery/pkg/apis/meta/v1,k8s.io/apimachinery/pkg/runtime,k8s.io/apimachinery/pkg/version" \
+            --output-package "$REL_DIR" \
+            --output-base "." \
+            --output-file-base "zz_generated.openapi" \
+            --go-header-file "hack/boilerplate.go.txt" \
+            --report-filename "$REL_DIR/api_violations.report"
+        done
     silent: true
 
   # Test tasks
@@ -191,6 +213,26 @@ tasks:
         echo "📦 Installing infrastructure dependencies..."
         echo ""
 
+        # ============================================================
+        # Install Etcd
+        # ============================================================
+        echo "📦 Installing Etcd..."
+
+        echo "Applying Etcd resources..."
+        task test-infra:kubectl -- apply -k config/dependencies/etcd
+
+        echo "Waiting for Etcd namespace to be created..."
+        task test-infra:kubectl -- wait --for=jsonpath='{.status.phase}'=Active namespace/etcd-system --timeout=30s 2>/dev/null || echo "⚠️  Namespace not ready yet"
+
+        echo "Waiting for Etcd HelmRelease to be ready..."
+        task test-infra:kubectl -- wait --for=condition=ready helmrelease/etcd -n etcd-system --timeout=300s 2>/dev/null || echo "⚠️  Etcd HelmRelease not ready yet"
+
+        echo "Waiting for Etcd pods to be ready..."
+        task test-infra:kubectl -- wait --for=condition=ready pod -l app.kubernetes.io/name=etcd -n etcd-system --timeout=120s 2>/dev/null || echo "⚠️  Etcd pods not ready yet"
+
+        echo "✅ Etcd installed"
+        echo ""
+
         # ============================================================
         # Install NATS
         # ============================================================
@@ -269,24 +311,36 @@ tasks:
         task test-infra:kubectl -- apply -k config/components/nats-streams
 
         echo "⏳ Waiting for NATS stream to be ready..."
-        task test-infra:kubectl -- wait --for=condition=ready stream/audit-events -n nats-system --timeout=60s 2>/dev/null || echo "⚠️  Stream not ready yet"
+        task test-infra:kubectl -- wait --for=condition=ready stream/audit-events -n nats-system --timeout=120s 2>/dev/null || echo "⚠️  Stream not ready yet"
 
         echo ""
         echo "📋 Deploying Search server and components..."
         task test-infra:kubectl -- apply -k config/overlays/dev
 
-        echo ""
+        echo "⏳ Waiting for Search API Server to be ready..."
+        task test-infra:kubectl -- wait --for=condition=available deployment/search-apiserver -n search-system --timeout=120s 2>/dev/null || echo "⚠️  Search API Server not ready yet"
+
+        echo "⏳ Waiting for Search Controller Manager to be ready..."
+        task test-infra:kubectl -- wait --for=condition=available deployment/search-controller-manager -n search-system --timeout=120s 2>/dev/null || echo "⚠️  Search Controller Manager not ready yet"
+        
         echo "✅ Search server and all dependencies deployed successfully!"
         echo ""
         echo "📊 Check status:"
         echo "  All resources:     task test-infra:kubectl -- get all -n search-system"
         echo "  Vector pods:       task test-infra:kubectl -- get pods -l app.kubernetes.io/instance=vector-sidecar -n search-system"
         echo "  NATS pods:         task test-infra:kubectl -- get pods -n nats-system"
         echo "  NATS streams:      task test-infra:kubectl -- get streams -n nats-system"
+        echo "  Meilisearch pods:  task test-infra:kubectl -- get pods -n meilisearch-system"
+        echo "  Etcd pods:         task test-infra:kubectl -- get pods -n etcd-system"
+        echo "  Search Server pods: task test-infra:kubectl -- get pods -n search-system"
         echo ""
         echo "📋 View logs:"
         echo "  Vector:            task test-infra:kubectl -- logs -l app.kubernetes.io/instance=vector-sidecar -n search-system -f"
         echo "  NATS:              task test-infra:kubectl -- logs -l app.kubernetes.io/name=nats -n nats-system -f"
+        echo "  Meilisearch:       task test-infra:kubectl -- logs -l app.kubernetes.io/name=meilisearch -n meilisearch-system -f"
+        echo "  Etcd:              task test-infra:kubectl -- logs -l app.kubernetes.io/name=etcd -n etcd-system -f"
+        echo "  Search API Server:     task test-infra:kubectl -- logs -l app.kubernetes.io/name=search-apiserver -n search-system -f"
+        echo "  Search Controller:     task test-infra:kubectl -- logs -l app.kubernetes.io/name=search-controller-manager -n search-system -f"
 
   dev:generate-webhook-certs:
     desc: Generate all certificates for webhook server
@@ -297,34 +351,64 @@ tasks:
         export CA_BUNDLE
         # Dynamically patch the generated manifest to use local host url and injected CA bundle
         perl -0777 -pe 's/(\s*)clientConfig:\n\s+service:\n\s+name: webhook-service\n\s+namespace: system\n\s+path: (.*)/$1clientConfig:\n$1  url: https:\/\/host.docker.internal:9443$2\n$1  caBundle: $ENV{CA_BUNDLE}/' config/webhook/manifests.yaml | task test-infra:kubectl -- apply -f -
-  
+
   dev:run-controller:
-    desc: Run the controller manager locally (requires kubeconfig)
-    deps:
-      - dev:apply-crd
-      - dev:generate-webhook-certs
+    desc: Run the controller manager against the LOCAL Search API server (127.0.0.1:9443)
     cmds:
+      - |
+        # Generate a temporary kubeconfig pointing to localhost:9443
+        mkdir -p .tmp
+        kubectl config view --minify --raw | \
+          sed "s|server:.*|server: https://127.0.0.1:9443|g" | \
+          sed "s|certificate-authority-data:.*|insecure-skip-tls-verify: true|g" \
+          > .tmp/local-search-kubeconfig.yaml
+      - |
+        echo "🚀 Running controller against local Search API server..."
+        KUBECONFIG=.tmp/local-search-kubeconfig.yaml go run ./cmd/search controller-manager \
+          --metrics-bind-address=:8085 \
+          --health-probe-bind-address=:8086 \
+          --leader-elect=false
+    silent: true
+
+  dev:pf-etcd:
+    desc: Port forward Etcd for local development
+    cmds:
+      - echo "Port forwarding Etcd to localhost:2379..."
+      - task test-infra:kubectl -- port-forward -n etcd-system svc/etcd 2379:2379
+
+  dev:run-apiserver:
+    desc: Run the API server locally (requires dev:pf-etcd running)
+    cmds:
+      - |
+        # Ensure kubeconfig is up to date with the current Kind cluster port
+        echo "Syncing kubeconfig for cluster '{{.TEST_INFRA_CLUSTER_NAME}}'..."
+        kind export kubeconfig --name "{{.TEST_INFRA_CLUSTER_NAME}}"
       - |
         current_context=$(kubectl config current-context)
-        if [ "$current_context" != "kind-test-infra" ]; then
-          echo "❌ Error: Wrong context! You are in '$current_context', but must be in 'kind-test-infra'." 
+        if [ "$current_context" != "kind-{{.TEST_INFRA_CLUSTER_NAME}}" ]; then
+          echo "❌ Error: Wrong context! You are in '$current_context', but must be in 'kind-{{.TEST_INFRA_CLUSTER_NAME}}'." 
           echo "Please run context switch command first."
           exit 1
         fi
+      - mkdir -p "{{.CERTS_DIR}}"
       - |
-        go run ./cmd/search controller-manager \
-          --metrics-bind-address=:8082 \
-          --health-probe-bind-address=:8083 \
-          --webhook-cert-path={{.CERTS_DIR}} \
-          --webhook-cert-name=server.crt \
-          --webhook-cert-key=server.key
-    silent: true
-
-  dev:apply-crd:
-    desc: Apply all CRDs from config/crd/bases to the cluster
-    cmds:
-      - task test-infra:kubectl -- apply -R -f config/crd/bases
-    silent: true
+        # Extract Kind CA to allowed local kubectl to authenticate via client certs
+        kubectl config view --minify --raw -o jsonpath='{.clusters[0].cluster.certificate-authority-data}' | base64 -d > "{{.CERTS_DIR}}/kind-ca.crt"
+      - echo "Running Search API Server locally..."
+      - echo "Ensure you are running 'task dev:pf-etcd' in another terminal!"
+      - |
+        # Use KUBECONFIG if set, otherwise fallback to default
+        KCFG=${KUBECONFIG:-$HOME/.kube/config}
+        go run ./cmd/search serve \
+          --etcd-servers http://127.0.0.1:2379 \
+          --secure-port 9443 \
+          --bind-address 127.0.0.1 \
+          --authentication-skip-lookup=true \
+          --authentication-kubeconfig="$KCFG" \
+          --authorization-kubeconfig="$KCFG" \
+          --kubeconfig="$KCFG" \
+          --client-ca-file="{{.CERTS_DIR}}/kind-ca.crt" \
+          --authorization-always-allow-paths=/healthz,/readyz,/livez,/openapi,/openapi/v2,/openapi/v3,/apis,/api
 
   dev:undeploy:
     desc: Undeploy Search server from test-infra cluster
@@ -489,6 +573,7 @@ tasks:
         echo "Redeploying Search controller manager..."
 
         # Restart the deployment to pick up new image
+        task test-infra:kubectl -- rollout restart deployment/search-apiserver -n search-system
         task test-infra:kubectl -- rollout restart deployment/search-controller-manager -n search-system
 
         # Wait for rollout to complete
 
@@ -4,12 +4,14 @@ import (
 	"context"
 	"fmt"
 	"os"
+	"strings"
 
 	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
 	searchapiserver "go.miloapis.net/search/internal/apiserver"
 	"go.miloapis.net/search/internal/version"
-	"go.miloapis.net/search/pkg/generated/openapi"
+	policyv1alpha1 "go.miloapis.net/search/pkg/apis/policy/v1alpha1"
+	searchv1alpha1 "go.miloapis.net/search/pkg/apis/search/v1alpha1"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	apiopenapi "k8s.io/apiserver/pkg/endpoints/openapi"
 	genericapiserver "k8s.io/apiserver/pkg/server"
@@ -20,6 +22,7 @@ import (
 	"k8s.io/component-base/logs"
 	logsapi "k8s.io/component-base/logs/api/v1"
 	"k8s.io/klog/v2"
+	"k8s.io/kube-openapi/pkg/common"
 
 	"go.miloapis.net/search/cmd/search/manager"
 
@@ -33,6 +36,32 @@ func init() {
 	utilfeature.DefaultMutableFeatureGate.Set("RemoteRequestHeaderUID=true")
 }
 
+func GetOpenAPIDefinitions(cb common.ReferenceCallback) map[string]common.OpenAPIDefinition {
+	defs := make(map[string]common.OpenAPIDefinition)
+
+	merge := func(pkgDefs map[string]common.OpenAPIDefinition) {
+		for k, v := range pkgDefs {
+			// For k8s.io types, store both the original key and the transformed key
+			// because the namer behavior is inconsistent across different types
+			if strings.HasPrefix(k, "k8s.io/") {
+				// Store original key (with slashes)
+				defs[k] = v
+				// Also store transformed key (io.k8s with dots)
+				newK := "io.k8s." + k[7:]
+				newK = strings.ReplaceAll(newK, "/", ".")
+				defs[newK] = v
+			} else {
+				// For non-k8s.io types, keep as-is
+				defs[k] = v
+			}
+		}
+	}
+
+	merge(policyv1alpha1.GetOpenAPIDefinitions(cb))
+	merge(searchv1alpha1.GetOpenAPIDefinitions(cb))
+	return defs
+}
+
 func main() {
 	cmd := NewSearchServerCommand()
 	code := cli.Run(cmd)
@@ -125,12 +154,6 @@ func NewSearchServerOptions() *SearchServerOptions {
 		Logs: logsapi.NewLoggingConfiguration(),
 	}
 
-	// Disable etcd since storage implementation is external
-	o.RecommendedOptions.Etcd = nil
-
-	// Disable admission plugins since this server doesn't mutate or validate resources.
-	o.RecommendedOptions.Admission = nil
-
 	return o
 }
 
@@ -161,12 +184,12 @@ func (o *SearchServerOptions) Config() (*searchapiserver.Config, error) {
 	genericConfig.EffectiveVersion = basecompatibility.NewEffectiveVersionFromString("1.34", "", "")
 
 	namer := apiopenapi.NewDefinitionNamer(searchapiserver.Scheme)
-	genericConfig.OpenAPIV3Config = genericapiserver.DefaultOpenAPIV3Config(openapi.GetOpenAPIDefinitions, namer)
+	genericConfig.OpenAPIV3Config = genericapiserver.DefaultOpenAPIV3Config(GetOpenAPIDefinitions, namer)
 	genericConfig.OpenAPIV3Config.Info.Title = "Search"
 	genericConfig.OpenAPIV3Config.Info.Version = version.Version
 
 	// Configure OpenAPI v2
-	genericConfig.OpenAPIConfig = genericapiserver.DefaultOpenAPIConfig(openapi.GetOpenAPIDefinitions, namer)
+	genericConfig.OpenAPIConfig = genericapiserver.DefaultOpenAPIConfig(GetOpenAPIDefinitions, namer)
 	genericConfig.OpenAPIConfig.Info.Title = "Search"
 	genericConfig.OpenAPIConfig.Info.Version = version.Version