fix: move enum validation to items level for v1alpha1 operations field #691

Merged
JaydipGabani merged 2 commits into open-policy-agent:master from JaydipGabani:fix/v1alpha1-operations-enum
Mar 12, 2026

@JaydipGabani

Bug

In the ConstraintTemplate CRD, the v1alpha1 operations field has enum on the array instead of on each item. This means v1alpha1 won't reject invalid operation values (e.g. "INVALID") at the API server level, unlike v1 and v1beta1 which correctly validate each item.

See: https://github.com/open-policy-agent/gatekeeper/blob/master/deploy/gatekeeper.yaml#L3220-L3231

Affected: Gatekeeper v3.21.0+, master, and all release branches. No functional impact for valid values.

Root Cause

Wrong kubebuilder marker in constraint/pkg/apis/templates/v1alpha1/constrainttemplate_types.go:

-// +kubebuilder:validation:Enum="*";CREATE;DELETE;UPDATE;CONNECT
+// +kubebuilder:validation:items:Enum=*;CREATE;DELETE;UPDATE;CONNECT
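
Review bot: The `+` line drops the quotes around `*` that the removed marker carried (`Enum="*";CREATE;...` became `items:Enum=*;CREATE;...`), so this is a quoting change as well as a move to item level. Suggest confirming in the regenerated manifests that `*` still appears as a string entry in the enum list under `items`, and using the same quoting as the v1 and v1beta1 markers so the three versions stay textually identical. A test that submits a v1alpha1 template with an operation such as "INVALID" and expects rejection would guard against this drifting again.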

+kubebuilder:validation:Enum applies the enum to the array field itself (meaningless), while +kubebuilder:validation:items:Enum correctly applies it to each item in the array — matching v1 and v1beta1.

Changes

  • Fixed the kubebuilder marker on v1alpha1 Target.Operations field
  • Regenerated CRD manifests via make manifests

Signed-off-by: Jaydip Gabani <gabanijaydip@gmail.com>
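
One way to catch this class of mistake before a CRD ships, as an added example (not code from this PR or from Gatekeeper): a Go check that walks an OpenAPI schema and reports array-typed fields that declare `enum` on the array itself rather than under `items`. The two JSON fragments are constructed for illustration, and the names `schema`, `misplacedEnums` and `lint` are hypothetical.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// schema is the subset of an OpenAPI v3 schema node that this check needs.
type schema struct {
	Type       string             `json:"type"`
	Enum       []json.RawMessage  `json:"enum"`
	Items      *schema            `json:"items"`
	Properties map[string]*schema `json:"properties"`
}

// misplacedEnums returns paths of array nodes that carry enum on the array.
func misplacedEnums(path string, s *schema) []string {
	if s == nil {
		return nil
	}
	var out []string
	if s.Type == "array" && len(s.Enum) > 0 {
		out = append(out, path)
	}
	out = append(out, misplacedEnums(path+"[]", s.Items)...)
	for k, p := range s.Properties {
		out = append(out, misplacedEnums(path+"."+k, p)...)
	}
	return out
}

// lint parses one schema document and returns the flagged paths, sorted.
func lint(doc string) ([]string, error) {
	var s schema
	err := json.Unmarshal([]byte(doc), &s)
	hits := misplacedEnums("$", &s)
	sort.Strings(hits)
	return hits, err
}

// Constructed samples (not the Gatekeeper CRD): enum on the array vs. under items.
const before = `{"type":"object","properties":{"targets":{"type":"array","items":{"type":"object","properties":{"operations":{"type":"array","enum":["*","CREATE","DELETE","UPDATE","CONNECT"],"items":{"type":"string"}}}}}}}`
const after = `{"type":"object","properties":{"targets":{"type":"array","items":{"type":"object","properties":{"operations":{"type":"array","items":{"type":"string","enum":["*","CREATE","DELETE","UPDATE","CONNECT"]}}}}}}}`

func main() {
	b, _ := lint(before)
	a, _ := lint(after)
	fmt.Println("before:", b, "after:", a)
}
```

Run against generated manifests converted to JSON, a non-empty result points at fields whose marker should be `+kubebuilder:validation:items:Enum`.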
Copilot AI review requested due to automatic review settings March 9, 2026 23:15

Copilot AI left a comment

Pull request overview

Fixes v1alpha1 ConstraintTemplate CRD validation so invalid operations array values are rejected by the API server (aligning behavior with v1/v1beta1).

Changes:

  • Corrected the kubebuilder marker on v1alpha1.Target.Operations to apply the enum to each array item.
  • Regenerated CRD manifests so the enum is emitted under items for operations.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| constraint/pkg/apis/templates/v1alpha1/constrainttemplate_types.go | Moves enum validation from the array field to per-item validation via kubebuilder marker. |
| constraint/deploy/crds.yaml | Regenerated CRD output reflecting per-item enum for v1alpha1 operations. |
| constraint/config/crds/templates.gatekeeper.sh_constrainttemplates.yaml | Regenerated CRD output reflecting per-item enum for v1alpha1 operations. |

@codecov-commenter

codecov-commenter commented Mar 10, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 43.98%. Comparing base (76869f8) to head (d4a829d).
⚠️ Report is 183 commits behind head on master.

Additional details and impacted files
@@             Coverage Diff             @@
##           master     #691       +/-   ##
===========================================
- Coverage   54.68%   43.98%   -10.70%     
===========================================
  Files          71       97       +26     
  Lines        5241     5461      +220     
===========================================
- Hits         2866     2402      -464     
- Misses       2073     2749      +676     
- Partials      302      310        +8     

| Flag | Coverage Δ |
| --- | --- |
| unittests | 43.98% <ø> (-10.70%) ⬇️ |


@JaydipGabani JaydipGabani merged commit 44754e6 into open-policy-agent:master Mar 12, 2026
8 checks passed