CONSOLE-5163: Add labels field to Ingress componentRoutes

[Leo6Leo]

Summary

Add a labels field (map[string]string) to ComponentRouteSpec in the Ingress config API (config/v1). This allows cluster admins to specify labels on component routes that IngressControllers use for route selection and sharding.

Motivation

When running multiple IngressControllers (e.g., for internal vs. external traffic), each controller uses route labels/selectors to determine which routes it manages. Currently, componentRoutes entries have no way to specify labels, so component routes (like the console) always land on the default IngressController. This makes it impossible to route console traffic through a specific shard without manual post-creation patching.

Changes

• Add labels field to ComponentRouteSpec with: - +optional, +mapType=granular for proper strategic merge patch
• maxProperties=8 upper bound
• CEL validation enforcing Kubernetes label key/value format
• Regenerated CRD manifests, OpenAPI, deepcopy, and swagger docs
• Unit tests covering valid labels, empty map, invalid key/value rejection, maxProperties overflow, and update scenarios

Example

spec:
    componentRoutes:
    - name: console-2
      namespace: openshift-console
      hostname: console.internal.corp.example.com
      labels:
        ingress: shard-console2
    - name: console-3
      namespace: openshift-console
      hostname: console.private.corp.example.com
      labels:
        ingress: shard-console3

[openshift-merge-bot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

[openshift-ci-robot]

@Leo6Leo: This pull request references CONSOLE-5163 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Summary

Add a labels field (map[string]string) to ComponentRouteSpec in the Ingress config API (config/v1). This allows cluster admins to specify labels on component routes that IngressControllers use for route selection and sharding.

Motivation

When running multiple IngressControllers (e.g., for internal vs. external traffic), each controller uses route labels/selectors to determine which routes it manages. Currently, componentRoutes entries have no way to specify labels, so component routes (like the console) always land on the default IngressController. This makes it impossible to route console traffic through a specific shard without manual post-creation patching.

Changes

• Add labels field to ComponentRouteSpec with: - +optional, +mapType=granular for proper strategic merge patch
• maxProperties=8 upper bound
• CEL validation enforcing Kubernetes label key/value format
• Regenerated CRD manifests, OpenAPI, deepcopy, and swagger docs
• Unit tests covering valid labels, empty map, invalid key/value rejection, maxProperties overflow, and update scenarios

Example

spec:
   componentRoutes:
   - name: [console-2](https://redhat.atlassian.net/browse/console-2)
     namespace: openshift-console
     hostname: console.internal.corp.example.com
     labels:
       ingress: shard-console2
   - name: [console-3](https://redhat.atlassian.net/browse/console-3)
     namespace: openshift-console
     hostname: console.private.corp.example.com
     labels:
       ingress: shard-console3

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

Hello @Leo6Leo! Some important instructions when contributing to openshift/api:
API design plays an important part in the user experience of OpenShift and as such API PRs are subject to a high level of scrutiny to ensure they follow our best practices. If you haven't already done so, please review the OpenShift API Conventions and ensure that your proposed changes are compliant. Following these conventions will help expedite the api review process for your PR.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

This PR introduces the IngressComponentRouteLabels feature, enabling optional labels on component-managed Ingress routes. It adds a Labels map field to ComponentRouteSpec with kubebuilder constraints (MaxProperties=8, MinProperties=1) and XValidation rules enforcing Kubernetes label format, excluding reserved kubernetes.io/ and k8s.io/ prefixes. The feature is declared as a tech preview and dev preview gate, defined across multiple CRD variants for different feature sets, and configured in platform-specific feature gate manifests for Hypershift and SelfManagedHA environments. Comprehensive tests validate creation, updates, and removal of labels, along with boundary cases and validation failures.

Suggested reviewers

• JoelSpeed
• everettraven
• knobunc

🚥 Pre-merge checks | ✅ 14 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Microshift Test Compatibility	⚠️ Warning	New tests use config.openshift.io/v1 API (unavailable on MicroShift) without [Skipped:MicroShift] or [apigroup:config.openshift.io] protection tags.	Add [apigroup:config.openshift.io] tag to test names in IngressComponentRouteLabels.yaml to enable MicroShift CI auto-skip.

✅ Passed checks (14 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically describes the main change: adding a labels field to Ingress componentRoutes, which aligns with the primary objective of the changeset.
Description check	✅ Passed	The description provides relevant context for the changeset, including summary, motivation, technical changes, and an example—all directly related to the labels field addition to ComponentRouteSpec.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	All 16 Ginkgo test names in IngressComponentRouteLabels.yaml are stable and deterministic, containing no dynamic values, generated suffixes, timestamps, or random identifiers.
Test Structure And Quality	✅ Passed	Tests satisfy requirements: 16 tests with single responsibility, BeforeEach/AfterEach setup/cleanup, 5s timeouts on operations, assertion messages, consistent with repository test patterns.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	PR adds CRD validation tests using a generic framework testing API rules against an embedded envtest server. No multi-node cluster assumptions.
Topology-Aware Scheduling Compatibility	✅ Passed	PR adds labels field to ComponentRouteSpec API; contains only schema definitions and feature gate configs, no deployment manifests or scheduling constraints.
Ote Binary Stdout Contract	✅ Passed	PR adds type definitions and feature gate declarations only. No process-level functions or stdout writes detected in modified Go files.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	No Ginkgo e2e tests added; the test file is YAML-based CRD validation, not a Go e2e test, so the check does not apply.
No-Weak-Crypto	✅ Passed	PR adds labels field to ComponentRouteSpec with Kubernetes label validation; no weak crypto (MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB), custom crypto, or non-constant-time secret comparisons detected.
Container-Privileges	✅ Passed	PR contains no container/pod specs or security context configurations. Changes are API type definitions, CRD schemas, feature gates, tests, and documentation only.
No-Sensitive-Data-In-Logs	✅ Passed	No logging statements that could expose sensitive data. Validation messages are generic. Test data uses safe operational metadata only.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign deads2k for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@config/v1/types_ingress.go`:
- Around line 249-260: The comment for the Labels field is missing the behavior
when omitted and doesn't document the MaxProperties=8 kubebuilder constraint;
update the comment for the Labels (the map with +optional, +mapType=granular and
+kubebuilder:validation:MaxProperties=8) to state that the field is optional,
what happens when it is omitted (e.g., no additional labels will be applied to
the created route), and explicitly document the MaxProperties=8 limit (maximum
of 8 user-supplied labels) along with the existing label key/value validation
rules so all kubebuilder markers are reflected in the field documentation.
- Around line 249-261: Add an OpenShift feature-gate annotation above the new
Labels field so the stable API field is gated; specifically, add a
kubebuilder/openShift annotation like
"+openshift:enable:FeatureGate=MyFeatureGate" immediately before the "Labels
map[string]string `json:\"labels,omitempty\"`" declaration in types_ingress.go
(replace MyFeatureGate with the chosen gate name, e.g., IngressLabels) so the
new Labels field is activated only when that feature gate is enabled.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: b6586099-0cdf-4a7c-bbfb-fe467ed6e955

📥 Commits

Reviewing files that changed from the base of the PR and between 73d7ca9 and 1fde3f0.

⛔ Files ignored due to path filters (5)

• config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_ingresses.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
• config/v1/zz_generated.deepcopy.go is excluded by !**/zz_generated*
• config/v1/zz_generated.featuregated-crd-manifests/ingresses.config.openshift.io/AAA_ungated.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• config/v1/zz_generated.swagger_doc_generated.go is excluded by !**/zz_generated*
• openapi/generated_openapi/zz_generated.openapi.go is excluded by !openapi/**, !**/zz_generated*

📒 Files selected for processing (3)

• config/v1/tests/ingresses.config.openshift.io/AAA_ungated.yaml
• config/v1/types_ingress.go
• payload-manifests/crds/0000_10_config-operator_01_ingresses.crd.yaml

[saschagrunert]

Thanks for working on this, the use case for label-based route sharding makes sense. See inline comments for details.

[saschagrunert]

What is the rationale for limiting to 8 labels? Please document the reasoning.

[Leo6Leo]

The limit of 8 was chosen as a practical upper bound — in typical route sharding scenarios, IngressController selectors only need 1-2 labels, so 8 seemed generous while preventing unbounded growth. That said, there is no strong technical justification for this specific number.

Would you prefer we remove the limit entirely, or do you have a recommended ceiling for map fields like this? Happy to adjust. @saschagrunert

[saschagrunert]

8 is fine. Maps need a bound for CEL cost estimation and to prevent unbounded growth. For route sharding where 1-2 labels is typical, 8 is generous enough. No need to change it.

[saschagrunert]

Consider using CEL Kubernetes library functions (format.qualifiedName() for keys, format.labelValue() for values) instead of hand-rolled regexes. They are more maintainable, cover the full Kubernetes label spec (including the 253-char prefix limit the current regex misses), and provide better error messages.

Also consider whether keys with reserved prefixes (kubernetes.io/, k8s.io/) should be rejected, since those are reserved for system use.

[saschagrunert]

Two issues here:

1. FeatureGate required. New fields on stable (compatibility-level-1) APIs must be behind a FeatureGate. Add a gate in features/features.go and mark this field with +openshift:enable:FeatureGate=<GateName>.

2. make lint fails. Add +kubebuilder:validation:MinProperties=1 to prevent semantically meaningless labels: {}.

[saschagrunert]

Once the FeatureGate is added, these tests should move to a gate-specific file (e.g., ComponentRouteLabels.yaml) instead of AAA_ungated.yaml.

Also, please add the following test cases:

• Label key with DNS prefix (e.g., example.com/my-label: value), since the prefix path is the most complex part of the key regex
• Keys and values at the maximum allowed length (63 characters) to verify boundary behavior
• Update to remove labels (labels present -> no labels)
• Update to change an existing label's value

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

config/v1/tests/ingresses.config.openshift.io/IngressComponentRouteLabels.yaml (1)

7-183: ⚡ Quick win

Add an explicit labels: {} rejection test.

This suite validates most constraints, but it does not lock in the MinProperties=1 behavior for an explicitly empty labels map.

🧪 Suggested test addition

   onCreate:
+    - name: Should reject componentRoutes with empty labels map
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: Ingress
+        spec:
+          domain: apps.example.com
+          componentRoutes:
+            - name: console
+              namespace: openshift-console
+              hostname: console.example.com
+              labels: {}
+      expectedError: "Too few properties"

As per coding guidelines, **/tests/**/*.yaml: “Add validation tests for new stable APIs in <group>/<version>/tests/<crd-name>/ directories.”

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@config/v1/tests/ingresses.config.openshift.io/IngressComponentRouteLabels.yaml`
around lines 7 - 183, Add a new onCreate test case that ensures an explicitly
empty labels map is rejected: add a test named like "Should reject
componentRoutes with empty labels map" under onCreate (alongside the other
componentRoutes label tests) whose initial manifest includes labels: {} for the
componentRoute and which sets expectedError to the validator message for
MinProperties=1 (e.g. "Too few properties" or the project’s standard "Too few
properties" string). Place it near the other negative label tests (e.g. after
the "Should reject componentRoutes with invalid label value") so the suite
asserts that labels: {} is invalid.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@config/v1/types_ingress.go`:
- Around line 253-262: Update the field comment for the labels map to document
the kubebuilder validation markers: state that when the labels field is present
it must be a non-empty map (labels: {} is invalid) due to
+kubebuilder:validation:MinProperties=1, and note the maximum of 8 entries
enforced by +kubebuilder:validation:MaxProperties=8; keep the existing guidance
about Kubernetes-reserved prefixes and the FeatureGate
(+openshift:enable:FeatureGate=IngressComponentRouteLabels) and mark the field
as optional.

---

Nitpick comments:
In
`@config/v1/tests/ingresses.config.openshift.io/IngressComponentRouteLabels.yaml`:
- Around line 7-183: Add a new onCreate test case that ensures an explicitly
empty labels map is rejected: add a test named like "Should reject
componentRoutes with empty labels map" under onCreate (alongside the other
componentRoutes label tests) whose initial manifest includes labels: {} for the
componentRoute and which sets expectedError to the validator message for
MinProperties=1 (e.g. "Too few properties" or the project’s standard "Too few
properties" string). Place it near the other negative label tests (e.g. after
the "Should reject componentRoutes with invalid label value") so the suite
asserts that labels: {} is invalid.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: cafd3e64-cebb-4ddf-81fb-31f009795a25

📥 Commits

Reviewing files that changed from the base of the PR and between b5a6dab and 0935778.

⛔ Files ignored due to path filters (9)

• config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_ingresses-CustomNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
• config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_ingresses-Default.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
• config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_ingresses-DevPreviewNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
• config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_ingresses-OKD.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
• config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_ingresses-TechPreviewNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
• config/v1/zz_generated.featuregated-crd-manifests.yaml is excluded by !**/zz_generated*
• config/v1/zz_generated.featuregated-crd-manifests/ingresses.config.openshift.io/IngressComponentRouteLabels.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• config/v1/zz_generated.swagger_doc_generated.go is excluded by !**/zz_generated*
• openapi/generated_openapi/zz_generated.openapi.go is excluded by !openapi/**, !**/zz_generated*

📒 Files selected for processing (5)

• config/v1/tests/ingresses.config.openshift.io/IngressComponentRouteLabels.yaml
• config/v1/types_ingress.go
• features.md
• features/features.go
• payload-manifests/crds/0000_10_config-operator_01_ingresses.crd.yaml

[saschagrunert]

Thanks for the updates, good progress addressing the earlier feedback. A few remaining items.

[saschagrunert]

Placeholder URL. This needs a real enhancement PR before merge.

[Leo6Leo]

Just got a go ahead from our team's architect, so I will draft a enhancement soon and update the PR link whenever it is available.

[saschagrunert]

This looks manually edited. With the FeatureGate splitting the CRD into feature-set variants under zz_generated.crd-manifests/, running make update (which calls hack/update-payload-crds.sh) should produce separate payload-manifest files per feature set (like authentications does). Run the full make update and let the script handle this.

[saschagrunert]

The tests cover basic CRUD and some negatives but the CEL validations need more coverage. Please add:

• Empty string value (ingress: "") accepted (valid per K8s label spec, non-obvious edge case)
• Key name part over 63 characters rejected (tests format.qualifiedName() enforcement)
• Value with valid characters in invalid position (e.g., -starts-with-dash) rejected
• Non-reserved prefix accepted (e.g., openshift.io/my-label), confirms the reserved check is not overly broad

The MinProperties/MaxProperties boundary tests are basic OpenAPI and do not need separate test cases.

[openshift-ci]

@Leo6Leo: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/integration	a58bd90	link	unknown	/test integration
ci/prow/verify-crd-schema	a58bd90	link	unknown	/test verify-crd-schema

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.