OTA-1966: sync lightspeed agentic CRDs with upstream lightspeed-agentic-operator

[jrangelramos]

Summary

Sync lightspeed agentic CRDs with the upstream definitions from
openshift/lightspeed-agentic-operator
(config/crd/bases). The CRDs in this repository had drifted from the
canonical source.

Key changes

LLMProviders (_47_lightspeed-crd-llmproviders.yaml)

• Move model field from LLMProvider to Agent CR — one provider can now serve multiple agents with different models
• Move url from top-level to per-provider config (anthropic, googleCloudVertex, openAI, azureOpenAI, awsBedrock)
• Remove namespace from credential secret references — secrets must now exist in the operator namespace
• Add modelProvider enum (Anthropic/Google/OpenAI) to Google Cloud Vertex config
• Rename project to projectID in Vertex config with stricter validation (6-30 chars)
• Add DNS subdomain validation on secret names, region format validation, URL validation rules
• Expand type field description with per-value documentation

Agents (_46_lightspeed-crd-agents.yaml)

• Add required model field (moved from LLMProvider) with validation
• Replace providerSettings freeform map with the explicit model field
• Add DNS subdomain validation on llmProvider.name
• Add minProperties: 1 on status, minItems: 1 on status conditions
• Update examples to reflect model-on-agent pattern (vertex-opus → vertex-ai + claude-opus-4-6)

Proposals (_45_lightspeed-crd-proposals.yaml)

• Replace outputSchema with structured analysisOutput (mode: Default/Minimal + schema)
• Add validation: schema required when mode is Minimal; Minimal only for analysis-only proposals
• Make paths required on SkillsSource — entire-image mounting no longer supported
• Update secret namespace semantics: secrets must exist in operator namespace, not proposal namespace
• Rename skills image references from acs-lightspeed-skills to acs-agentic-skills
• Increase status conditions maxItems from 8 to 9

AnalysisResults (_47_lightspeed-crd-analysisresults.yaml)

• Update RemediationOption: diagnosis and proposal no longer unconditionally required
• Add cross-field validation: diagnosis and proposal must be present together
• Update components description to reference analysisOutput.schema instead of outputSchema
• Clarify approval flow: operator trims to approved option (was: user selects)

All CRDs

• Downgrade controller-gen.kubebuilder.io/version annotation from v0.20.1 to v0.19.0

Test plan

• Verify CRDs match upstream openshift/lightspeed-agentic-operator config/crd/bases
• Run make verify-yaml to validate YAML manifests
• Confirm no regressions in CVO build: make build

🤖 Generated with Claude Code

Co-Authored-By: Claude Opus 4.6 noreply@anthropic.com

Summary by CodeRabbit

• New Features

  • Added analysis output modes (Default and Minimal) for enhanced control over result generation.
  • Added model field to Agent specification with enhanced validation.

• Bug Fixes

  • Strengthened validation rules for credential management and provider configurations to improve security and reliability.

• Documentation

  • Updated schema documentation and examples across Proposal, Agent, AnalysisResult, and LLMProvider resources.

[openshift-ci-robot]

@jrangelramos: This pull request references OTA-1966 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Summary

Sync lightspeed agentic CRDs with the upstream definitions from
openshift/lightspeed-agentic-operator
(config/crd/bases). The CRDs in this repository had drifted from the
canonical source.

Key changes

LLMProviders (_47_lightspeed-crd-llmproviders.yaml)

• Move model field from LLMProvider to Agent CR — one provider can now serve multiple agents with different models
• Move url from top-level to per-provider config (anthropic, googleCloudVertex, openAI, azureOpenAI, awsBedrock)
• Remove namespace from credential secret references — secrets must now exist in the operator namespace
• Add modelProvider enum (Anthropic/Google/OpenAI) to Google Cloud Vertex config
• Rename project to projectID in Vertex config with stricter validation (6-30 chars)
• Add DNS subdomain validation on secret names, region format validation, URL validation rules
• Expand type field description with per-value documentation

Agents (_46_lightspeed-crd-agents.yaml)

• Add required model field (moved from LLMProvider) with validation
• Replace providerSettings freeform map with the explicit model field
• Add DNS subdomain validation on llmProvider.name
• Add minProperties: 1 on status, minItems: 1 on status conditions
• Update examples to reflect model-on-agent pattern (vertex-opus → vertex-ai + claude-opus-4-6)

Proposals (_45_lightspeed-crd-proposals.yaml)

• Replace outputSchema with structured analysisOutput (mode: Default/Minimal + schema)
• Add validation: schema required when mode is Minimal; Minimal only for analysis-only proposals
• Make paths required on SkillsSource — entire-image mounting no longer supported
• Update secret namespace semantics: secrets must exist in operator namespace, not proposal namespace
• Rename skills image references from acs-lightspeed-skills to acs-agentic-skills
• Increase status conditions maxItems from 8 to 9

AnalysisResults (_47_lightspeed-crd-analysisresults.yaml)

• Update RemediationOption: diagnosis and proposal no longer unconditionally required
• Add cross-field validation: diagnosis and proposal must be present together
• Update components description to reference analysisOutput.schema instead of outputSchema
• Clarify approval flow: operator trims to approved option (was: user selects)

All CRDs

• Downgrade controller-gen.kubebuilder.io/version annotation from v0.20.1 to v0.19.0

Test plan

• Verify CRDs match upstream openshift/lightspeed-agentic-operator config/crd/bases
• Run make verify-yaml to validate YAML manifests
• Confirm no regressions in CVO build: make build

🤖 Generated with Claude Code

Co-Authored-By: Claude Opus 4.6 noreply@anthropic.com

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Walkthrough

Four CRD YAML files are updated: the Proposal CRD replaces outputSchema with a new analysisOutput field (mode/schema) and adds CEL immutability and analysis-only constraints; the LLMProvider CRD switches all provider credentialsSecret references to operator-namespace-only name fields with new URL/DNS validation; the Agent CRD adds a model field and printer column with validation; and the AnalysisResult CRD enforces mutual diagnosis/proposal presence on RemediationOption.

Changes

Agentic CRD Schema Updates

Layer / File(s)	Summary
LLMProvider CRD: operator-namespace secrets and per-provider validation install/0000_00_cluster-version-operator_47_lightspeed-crd-llmproviders.yaml	Bumps controller-gen annotation, removes the Model printer column, rewrites spec description, and for each provider (anthropic, awsBedrock, azureOpenAI, googleCloudVertex, openAI) switches credentialsSecret to operator-namespace-only name-only references and adds DNS subdomain and URL format x-kubernetes-validations rules.
Agent CRD: model field, llmProvider validation, status constraints install/0000_00_cluster-version-operator_46_lightspeed-crd-agents.yaml	Bumps controller-gen annotation, adds a Model printer column from .spec.model, reworks spec.llmProvider with DNS name validation and a constrained model field, adds model to spec.required, and sets status.minProperties: 1 and status.conditions.minItems: 1.
Proposal CRD: analysisOutput schema and CEL rules install/0000_00_cluster-version-operator_45_lightspeed-crd-proposals.yaml	Introduces the analysisOutput OpenAPI schema (mode=Default|Minimal, optional schema object) with a validation rule requiring schema when mode=Minimal; adds CEL rules making analysisOutput immutable and forbidding mode=Minimal unless the proposal has no execution or verification; raises status.conditions.maxItems from 8 to 9.
Proposal CRD: repeated skills and requiredSecrets doc updates install/0000_00_cluster-version-operator_45_lightspeed-crd-proposals.yaml	Across analysis, execution, and verification tool sections, updates all requiredSecrets/SecretRequirement descriptions to reference the operator namespace, rewrites SkillsSource descriptions and examples to use acs-agentic-skills with explicit paths, and makes paths explicitly required in each repeated schema block.
AnalysisResult CRD: RemediationOption mutual validation install/0000_00_cluster-version-operator_47_lightspeed-crd-analysisresults.yaml	Updates RemediationOption, components, diagnosis, and proposal field descriptions to reference spec.analysisOutput.schema and Minimal mode behavior; adds x-kubernetes-validations rules requiring each of diagnosis and proposal to be present when the other is present.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 15

✅ Passed checks (15 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly references the main objective: syncing upstream Lightspeed agentic CRDs across multiple CRD files (Proposals, Agents, LLMProviders, AnalysisResults), which matches the changeset.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	PR modifies only YAML CRD definition files with no Ginkgo test code, making the stable test names check not applicable.
Test Structure And Quality	✅ Passed	PR contains only YAML CRD manifest files, not Ginkgo test code. Test structure check is not applicable to YAML configurations.
Microshift Test Compatibility	✅ Passed	This PR contains only YAML CRD manifest changes and no new Ginkgo e2e tests, so the MicroShift Test Compatibility check is not applicable.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	This PR modifies only YAML CRD manifest files; no Ginkgo e2e tests are added. The SNO compatibility check is not applicable.
Topology-Aware Scheduling Compatibility	✅ Passed	PR contains only CRD schema definitions, Namespace, and ConfigMap. No deployment manifests, operator code, controllers, pod templates, or scheduling constraints found. Check not applicable.
Ote Binary Stdout Contract	✅ Passed	PR modifies only YAML CRD manifest files with no Go source code changes, making the OTE Binary Stdout Contract check inapplicable.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	No new Ginkgo e2e tests are added in this PR. The PR only modifies YAML CRD definition files, making the IPv6/disconnected network compatibility check inapplicable.
No-Weak-Crypto	✅ Passed	No weak crypto indicators found. PR modifies only Kubernetes CRD YAML schema definitions, not executable code. Check not applicable to declarative manifests.
Container-Privileges	✅ Passed	PR modifies only CRD schema definition files with no container/pod specifications, security contexts, or privilege escalation settings present.
No-Sensitive-Data-In-Logs	✅ Passed	No actual sensitive data, passwords, tokens, API keys, PII, or customer data found in CRD files; only reference secret key names (ANTHROPIC_API_KEY, etc.) and example secret names (acs-api-token, p...

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: jrangelramos
Once this PR has been reviewed and has the lgtm label, please assign fao89 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@install/0000_00_cluster-version-operator_45_lightspeed-crd-proposals.yaml`:
- Around line 239-240: The CRD contains conflicting namespace semantics for the
`requiredSecrets` field. The item descriptions now correctly state that secrets
must be in the operator namespace where sandbox pods run, but the parent
`requiredSecrets` field descriptions at lines 233-236, 650-653, 1066-1069, and
1444-1447 still incorrectly state "same namespace as the Proposal". Update all
four parent-level descriptions of the `requiredSecrets` field to consistently
specify that secrets must exist in the operator namespace, not in the Proposal's
namespace, to align with the item-level descriptions that were already
corrected.
- Around line 38-39: Update all embedded Proposal examples that contain skills
entries to include the now-required SkillsSource.paths field alongside the
existing image field. For each skills block shown in the examples (at the
locations referenced), add the paths configuration to make the examples show
valid manifest definitions. Ensure that every example demonstrating skills
configuration includes both the image and paths fields so users see correct,
complete manifests.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 65f589a5-69c5-4651-bb11-be66ed1948a2

📥 Commits

Reviewing files that changed from the base of the PR and between 810bfc1 and 5dc04a3.

📒 Files selected for processing (4)

• install/0000_00_cluster-version-operator_45_lightspeed-crd-proposals.yaml
• install/0000_00_cluster-version-operator_46_lightspeed-crd-agents.yaml
• install/0000_00_cluster-version-operator_47_lightspeed-crd-analysisresults.yaml
• install/0000_00_cluster-version-operator_47_lightspeed-crd-llmproviders.yaml

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Update top-level Proposal examples to include required skills.paths.

SkillsSource.paths is now required (Line 440, Line 857, Line 1271, Line 1651), but several embedded examples still show skills entries with only image. These examples now describe invalid manifests and will mislead users.

Also applies to: 44-45, 354-355, 770-772, 1181-1187, 1564-1566

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@install/0000_00_cluster-version-operator_45_lightspeed-crd-proposals.yaml`
around lines 38 - 39, Update all embedded Proposal examples that contain skills
entries to include the now-required SkillsSource.paths field alongside the
existing image field. For each skills block shown in the examples (at the
locations referenced), add the paths configuration to make the examples show
valid manifest definitions. Ensure that every example demonstrating skills
configuration includes both the image and paths fields so users see correct,
complete manifests.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Resolve namespace semantics contradiction for requiredSecrets.

The updated item descriptions say secrets must be in the operator namespace, but the parent requiredSecrets descriptions still say “same namespace as the Proposal” (Line 233-236, Line 650-653, Line 1066-1069, Line 1444-1447). This creates conflicting API guidance in the same CRD.

Also applies to: 656-657, 1073-1074, 1450-1451

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@install/0000_00_cluster-version-operator_45_lightspeed-crd-proposals.yaml`
around lines 239 - 240, The CRD contains conflicting namespace semantics for the
`requiredSecrets` field. The item descriptions now correctly state that secrets
must be in the operator namespace where sandbox pods run, but the parent
`requiredSecrets` field descriptions at lines 233-236, 650-653, 1066-1069, and
1444-1447 still incorrectly state "same namespace as the Proposal". Update all
four parent-level descriptions of the `requiredSecrets` field to consistently
specify that secrets must exist in the operator namespace, not in the Proposal's
namespace, to align with the item-level descriptions that were already
corrected.

[openshift-ci]

@jrangelramos: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-aws-ovn-techpreview	5dc04a3	link	true	/test e2e-aws-ovn-techpreview

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.