markers/OneOf: make order deterministic relative to XValidation

shashankram · shashankram · commit f7be064a9132 · 2025-06-26T10:28:31.000-07:00
Currently, if both XValidation and AtMostOneOf/ExactlyOneOf constraints
are specified, the ordering of CEL rules can change due to both
sets of markers have the same apply priority. This change ensures that
OneOf markers always run **after** XValidation markers.
diff --git a/pkg/crd/markers/validation.go b/pkg/crd/markers/validation.go
@@ -672,6 +672,11 @@ func (fields AtMostOneOf) ApplyToSchema(schema *apiext.JSONSchemaProps) error {
 	return xvalidation.ApplyToSchema(schema)
 }
 
+func (_ AtMostOneOf) ApplyPriority() ApplyPriority {
+	// explicitly go after XValidation markers so that the ordering is deterministic
+	return ApplyPriorityDefault + 1
+}
+
 func (fields ExactlyOneOf) ApplyToSchema(schema *apiext.JSONSchemaProps) error {
 	if len(fields) == 0 {
 		return nil
@@ -684,6 +689,11 @@ func (fields ExactlyOneOf) ApplyToSchema(schema *apiext.JSONSchemaProps) error {
 	return xvalidation.ApplyToSchema(schema)
 }
 
+func (_ ExactlyOneOf) ApplyPriority() ApplyPriority {
+	// explicitly go after XValidation markers so that the ordering is deterministic
+	return ApplyPriorityDefault + 1
+}
+
 // fieldsToOneOfCelRuleStr converts a slice of field names to a string representation
 // [has(self.field1),has(self.field1),...].filter(x, x == true).size()
 func fieldsToOneOfCelRuleStr(fields []string) string {
diff --git a/pkg/crd/testdata/oneof/types.go b/pkg/crd/testdata/oneof/types.go
@@ -34,6 +34,7 @@ type OneofSpec struct {
 	SecondTypeWithExactOneof *TypeWithMultipleExactOneofs `json:"secondTypeWithExactOneof,omitempty"`
 }
 
+// +kubebuilder:validation:XValidation:message="only one of foo|bar may be set",rule="!(has(self.foo) && has(self.bar))"
 // +kubebuilder:validation:AtMostOneOf=foo;bar
 type TypeWithOneofs struct {
 	Foo *string `json:"foo,omitempty"`
diff --git a/pkg/crd/testdata/testdata.kubebuilder.io_oneofs.yaml b/pkg/crd/testdata/testdata.kubebuilder.io_oneofs.yaml
@@ -56,6 +56,8 @@ spec:
                     type: string
                 type: object
                 x-kubernetes-validations:
+                - message: only one of foo|bar may be set
+                  rule: '!(has(self.foo) && has(self.bar))'
                 - message: at most one of the fields in [foo bar] may be set
                   rule: '[has(self.foo),has(self.bar)].filter(x,x==true).size() <=
                     1'

Original file line number	Diff line number	Diff line change
`@@ -34,6 +34,7 @@ type OneofSpec struct {`
`34`	`34`	SecondTypeWithExactOneof *TypeWithMultipleExactOneofs `json:"secondTypeWithExactOneof,omitempty"`
`35`	`35`	`}`
`36`	`36`
	`37`	`+// +kubebuilder:validation:XValidation:message="only one of foo\|bar may be set",rule="!(has(self.foo) && has(self.bar))"`
`37`	`38`	`// +kubebuilder:validation:AtMostOneOf=foo;bar`
`38`	`39`	`type TypeWithOneofs struct {`
`39`	`40`	Foo *string `json:"foo,omitempty"`