fix bug preventing the creation of CRD in virtual workspace

Signed-off-by: olalekan odukoya <odukoyaonline@gmail.com>

Author: olamilekan000

pkg/virtual/framework/dynamic/apiserver/crd_helpers.go

@@ -0,0 +1,44 @@
+/*
+Copyright 2026 The KCP Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package apiserver
+
+import (
+	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
+
+	apisv1alpha1 "github.com/kcp-dev/sdk/apis/apis/v1alpha1"
+)
+
+// isCRDResource checks if a CustomResourceDefinition is for the CRD type itself
+// (apiextensions.k8s.io/v1.CustomResourceDefinition).
+//
+// This is used to trigger special handling for CRD's deeply nested, recursive schema structure.
+// Without this, the OpenAPI builder would generate an incomplete schema where nested fields like
+// spec.versions[].schema.openAPIV3Schema.properties are truncated to <Object> instead of showing
+// their actual types.
+//
+// When this returns true, ensureCompleteSchemaGeneration() is called to set
+// XPreserveUnknownFields=false on the CRD's schema, forcing the OpenAPI builder to generate
+// the complete schema tree
+//
+// See: https://github.com/kcp-dev/kcp/issues/3389
+func isCRDResource(crd *apiextensionsv1.CustomResourceDefinition) bool {
+	return crd.Spec.Group == "apiextensions.k8s.io" && crd.Spec.Names.Kind == "CustomResourceDefinition"
+}
+
+func isCRDAPIResourceSchema(apiResourceSchema *apisv1alpha1.APIResourceSchema) bool {
+	return apiResourceSchema.Spec.Group == "apiextensions.k8s.io" && apiResourceSchema.Spec.Names.Kind == "CustomResourceDefinition"
+}

pkg/virtual/framework/dynamic/apiserver/openapi.go

@@ -23,6 +23,7 @@ import (
 	"fmt"
 	"net/http"
 	"sort"
+	"strings"
 	"time"
 
 	"github.com/emicklei/go-restful/v3"
@@ -42,6 +43,7 @@ import (
 	"k8s.io/kube-openapi/pkg/common/restfuladapter"
 	"k8s.io/kube-openapi/pkg/handler3"
 	"k8s.io/kube-openapi/pkg/spec3"
+	validationspec "k8s.io/kube-openapi/pkg/validation/spec"
 	"k8s.io/utils/keymutex"
 	"k8s.io/utils/lru"
 
@@ -305,12 +307,20 @@ func apiResourceSchemaToSpec(apiResourceSchema *apisv1alpha1.APIResourceSchema)
 		},
 	}
 
-	for _, ver := range versions {
+	if isCRDResource(crd) {
+		ensureCompleteSchemaGeneration(crd)
+	}
+
+	for i, ver := range versions {
 		spec, err := builder.BuildOpenAPIV3(crd, ver.Name, builder.Options{V2: false})
 		if err != nil {
 			return nil, err
 		}
 
+		if isCRDResource(crd) {
+			patchCRDSchemaForOpenAPI(spec, &apiResourceSchema.Spec.Versions[i])
+		}
+
 		gv := schema.GroupVersion{Group: crd.Spec.Group, Version: ver.Name}
 		gvPath := groupVersionToOpenAPIV3Path(gv)
 		specs[gvPath] = append(specs[gvPath], spec)
@@ -319,6 +329,112 @@ func apiResourceSchemaToSpec(apiResourceSchema *apisv1alpha1.APIResourceSchema)
 	return specs, nil
 }
 
+// This is used to trigger special handling for CRD's recursive schema structure, ensuring
+// the OpenAPI builder generates a complete schema instead of a shallow one (due to
+// XPreserveUnknownFields behavior) and allowing validation of OpenAPI keywords.
+func ensureCompleteSchemaGeneration(crd *apiextensionsv1.CustomResourceDefinition) {
+	falseVal := false
+	for i := range crd.Spec.Versions {
+		if crd.Spec.Versions[i].Schema != nil && crd.Spec.Versions[i].Schema.OpenAPIV3Schema != nil {
+			crd.Spec.Versions[i].Schema.OpenAPIV3Schema.XPreserveUnknownFields = &falseVal
+		}
+	}
+}
+
+func patchCRDSchemaForOpenAPI(spec *spec3.OpenAPI, ver *apisv1alpha1.APIResourceVersion) {
+	if spec.Components == nil || spec.Components.Schemas == nil {
+		return
+	}
+
+	for name, s := range spec.Components.Schemas {
+		if !strings.HasSuffix(name, "CustomResourceDefinition") {
+			continue
+		}
+		if _, hasSpec := s.Properties["spec"]; hasSpec {
+			continue
+		}
+
+		sourceSchema, err := ver.GetSchema()
+		if err != nil || sourceSchema == nil {
+			continue
+		}
+
+		patchedSchema, err := convertToOpenAPISchema(sourceSchema)
+		if err != nil {
+			continue
+		}
+
+		patchedSchema.VendorExtensible.Extensions = s.VendorExtensible.Extensions
+		enhanceOpenAPIV3SchemaProperty(&patchedSchema)
+		spec.Components.Schemas[name] = &patchedSchema
+	}
+}
+
+func convertToOpenAPISchema(source *apiextensionsv1.JSONSchemaProps) (validationspec.Schema, error) {
+	bs, err := json.Marshal(source)
+	if err != nil {
+		return validationspec.Schema{}, err
+	}
+
+	var result validationspec.Schema
+	if err := json.Unmarshal(bs, &result); err != nil {
+		return validationspec.Schema{}, err
+	}
+
+	return result, nil
+}
+
+func enhanceOpenAPIV3SchemaProperty(schema *validationspec.Schema) {
+	specProp, ok := schema.Properties["spec"]
+	if !ok {
+		return
+	}
+
+	versionsProp, ok := specProp.Properties["versions"]
+	if !ok {
+		return
+	}
+
+	if versionsProp.Items == nil || versionsProp.Items.Schema == nil {
+		return
+	}
+
+	itemSchema := versionsProp.Items.Schema
+	schemaProp, ok := itemSchema.Properties["schema"]
+	if !ok {
+		return
+	}
+
+	oaProp, ok := schemaProp.Properties["openAPIV3Schema"]
+	if !ok {
+		return
+	}
+
+	if len(oaProp.Properties) > 0 {
+		return
+	}
+	if oaProp.Properties == nil {
+		oaProp.Properties = make(map[string]validationspec.Schema)
+	}
+
+	oaProp.Properties["type"] = validationspec.Schema{
+		SchemaProps: validationspec.SchemaProps{Type: []string{"string"}},
+	}
+	oaProp.Properties["properties"] = validationspec.Schema{
+		SchemaProps: validationspec.SchemaProps{
+			Type:                 []string{"object"},
+			AdditionalProperties: &validationspec.SchemaOrBool{Allows: true},
+		},
+	}
+
+	oaProp.AdditionalProperties = &validationspec.SchemaOrBool{Allows: true}
+	schemaProp.Properties["openAPIV3Schema"] = oaProp
+	itemSchema.Properties["schema"] = schemaProp
+	versionsProp.Items.Schema = itemSchema
+	specProp.Properties["versions"] = versionsProp
+	schema.Properties["spec"] = specProp
+}
+
 func groupVersionToOpenAPIV3Path(gv schema.GroupVersion) string {
 	if gv.Group == "" {
 		return "api/" + gv.Version

pkg/virtual/framework/dynamic/apiserver/serving_info.go

@@ -73,6 +73,11 @@ func CreateServingInfoFor(genericConfig genericapiserver.CompletedConfig, apiRes
 	if err := apiextensionsv1.Convert_v1_JSONSchemaProps_To_apiextensions_JSONSchemaProps(openapiSchema, internalSchema, nil); err != nil {
 		return nil, fmt.Errorf("failed converting CRD validation to internal version: %w", err)
 	}
+
+	if isCRDAPIResourceSchema(apiResourceSchema) {
+		patchCRDValidationSchema(internalSchema)
+	}
+
 	structuralSchema, err := structuralschema.NewStructural(internalSchema)
 	if err != nil {
 		// This should never happen. If it does, it is a programming error.
@@ -404,3 +409,36 @@ func (c unstructuredCreator) New(kind schema.GroupVersionKind) (runtime.Object,
 	ret.SetGroupVersionKind(kind)
 	return ret, nil
 }
+
+func patchCRDValidationSchema(schema *apiextensionsinternal.JSONSchemaProps) {
+	trueVal := true
+
+	specProp, ok := schema.Properties["spec"]
+	if !ok {
+		return
+	}
+
+	versionsProp, ok := specProp.Properties["versions"]
+	if !ok {
+		return
+	}
+
+	if versionsProp.Items == nil || versionsProp.Items.Schema == nil {
+		return
+	}
+
+	itemSchema := versionsProp.Items.Schema
+	schemaProp, ok := itemSchema.Properties["schema"]
+	if !ok {
+		return
+	}
+
+	oaProp, ok := schemaProp.Properties["openAPIV3Schema"]
+	if !ok {
+		return
+	}
+
+	oaProp.XPreserveUnknownFields = &trueVal
+	schemaProp.Properties["openAPIV3Schema"] = oaProp
+	itemSchema.Properties["schema"] = schemaProp
+}

staging/src/github.com/kcp-dev/sdk/testing/workspaces.go

@@ -136,7 +136,7 @@ func NewLowLevelWorkspaceFixture[O WorkspaceOption](t TestingT, createClusterCli
 		var err error
 		ws, err = createClusterClient.Cluster(parent).TenancyV1alpha1().Workspaces().Create(ctx, tmpl, metav1.CreateOptions{})
 		return err == nil, fmt.Sprintf("error creating workspace under %s: %v", parent, err)
-	}, wait.ForeverTestTimeout, time.Millisecond*100, "failed to create %s workspace under %s", tmpl.Spec.Type.Name, parent)
+	}, wait.ForeverTestTimeout*2, time.Millisecond*500, "failed to create %s workspace under %s", tmpl.Spec.Type.Name, parent)
 
 	wsName := ws.Name
 	t.Cleanup(func() {