fix CEL validation error message format introduced by Kubernetes v1.35

camilamacedo86 · cursoragent · camilamacedo86 · commit 83cde260089d · 2026-02-05T13:39:54.000Z
Kubernetes v1.35 changed CEL validation error message format to include
the actual validated value instead of just the type ("string" or "object").
This provides more helpful error messages for debugging validation failures.

Changes:
- Update test expectations to include actual values in error messages
- Change from "Invalid value: \"string\"" to "Invalid value: \"actual-value\""
- Change from "Invalid value: \"object\"" to "Invalid value:" for object validations
- Update 20+ test cases in TestImageSourceCELValidationRules and related tests

Co-authored-by: Cursor &lt;cursoragent@cursor.com&gt;
diff --git a/api/v1/clustercatalog_types_test.go b/api/v1/clustercatalog_types_test.go
@@ -32,85 +32,85 @@ func TestImageSourceCELValidationRules(t *testing.T) {
 		spec     ImageSource
 		wantErrs []string
 	}{
-		"valid digest based image ref, poll interval not allowed, poll interval specified": {
-			spec: ImageSource{
-				Ref:                 "docker.io/test-image@sha256:abcdef123456789abcdef123456789abc",
-				PollIntervalMinutes: ptr.To(1),
-			},
-			wantErrs: []string{
-				"openAPIV3Schema.properties.spec.properties.source.properties.image: Invalid value: \"object\": cannot specify pollIntervalMinutes while using digest-based image",
-			},
+	"valid digest based image ref, poll interval not allowed, poll interval specified": {
+		spec: ImageSource{
+			Ref:                 "docker.io/test-image@sha256:abcdef123456789abcdef123456789abc",
+			PollIntervalMinutes: ptr.To(1),
 		},
+		wantErrs: []string{
+			"openAPIV3Schema.properties.spec.properties.source.properties.image: Invalid value: cannot specify pollIntervalMinutes while using digest-based image",
+		},
+	},
 		"valid digest based image ref, poll interval not allowed, poll interval not specified": {
 			spec: ImageSource{
 				Ref: "docker.io/test-image@sha256:abcdef123456789abcdef123456789abc",
 			},
 			wantErrs: []string{},
 		},
-		"invalid digest based image ref, invalid domain": {
-			spec: ImageSource{
-				Ref: "-quay+docker/foo/bar@sha256:abcdef123456789abcdef123456789abc",
-			},
-			wantErrs: []string{
-				"openAPIV3Schema.properties.spec.properties.source.properties.image.ref: Invalid value: \"string\": must start with a valid domain. valid domains must be alphanumeric characters (lowercase and uppercase) separated by the \".\" character.",
-			},
+	"invalid digest based image ref, invalid domain": {
+		spec: ImageSource{
+			Ref: "-quay+docker/foo/bar@sha256:abcdef123456789abcdef123456789abc",
 		},
-		"invalid digest based image ref, invalid name": {
-			spec: ImageSource{
-				Ref: "docker.io/FOO/BAR@sha256:abcdef123456789abcdef123456789abc",
-			},
-			wantErrs: []string{
-				"openAPIV3Schema.properties.spec.properties.source.properties.image.ref: Invalid value: \"string\": a valid name is required. valid names must contain lowercase alphanumeric characters separated only by the \".\", \"_\", \"__\", \"-\" characters.",
-			},
+		wantErrs: []string{
+			"openAPIV3Schema.properties.spec.properties.source.properties.image.ref: Invalid value: \"-quay+docker/foo/bar@sha256:abcdef123456789abcdef123456789abc\": must start with a valid domain. valid domains must be alphanumeric characters (lowercase and uppercase) separated by the \".\" character.",
 		},
-		"invalid digest based image ref, invalid digest algorithm": {
-			spec: ImageSource{
-				Ref: "docker.io/foo/bar@99-problems:abcdef123456789abcdef123456789abc",
-			},
-			wantErrs: []string{
-				"openAPIV3Schema.properties.spec.properties.source.properties.image.ref: Invalid value: \"string\": digest algorithm is not valid. valid algorithms must start with an uppercase or lowercase alpha character followed by alphanumeric characters and may contain the \"-\", \"_\", \"+\", and \".\" characters.",
-			},
+	},
+	"invalid digest based image ref, invalid name": {
+		spec: ImageSource{
+			Ref: "docker.io/FOO/BAR@sha256:abcdef123456789abcdef123456789abc",
 		},
-		"invalid digest based image ref, too short digest encoding": {
-			spec: ImageSource{
-				Ref: "docker.io/foo/bar@sha256:abcdef123456789",
-			},
-			wantErrs: []string{
-				"openAPIV3Schema.properties.spec.properties.source.properties.image.ref: Invalid value: \"string\": digest is not valid. the encoded string must be at least 32 characters",
-			},
+		wantErrs: []string{
+			"openAPIV3Schema.properties.spec.properties.source.properties.image.ref: Invalid value: \"docker.io/FOO/BAR@sha256:abcdef123456789abcdef123456789abc\": a valid name is required. valid names must contain lowercase alphanumeric characters separated only by the \".\", \"_\", \"__\", \"-\" characters.",
 		},
-		"invalid digest based image ref, invalid characters in digest encoding": {
-			spec: ImageSource{
-				Ref: "docker.io/foo/bar@sha256:XYZxy123456789abcdef123456789abc",
-			},
-			wantErrs: []string{
-				"openAPIV3Schema.properties.spec.properties.source.properties.image.ref: Invalid value: \"string\": digest is not valid. the encoded string must only contain hex characters (A-F, a-f, 0-9)",
-			},
+	},
+	"invalid digest based image ref, invalid digest algorithm": {
+		spec: ImageSource{
+			Ref: "docker.io/foo/bar@99-problems:abcdef123456789abcdef123456789abc",
 		},
-		"invalid image ref, no tag or digest": {
-			spec: ImageSource{
-				Ref: "docker.io/foo/bar",
-			},
-			wantErrs: []string{
-				"openAPIV3Schema.properties.spec.properties.source.properties.image.ref: Invalid value: \"string\": must end with a digest or a tag",
-			},
+		wantErrs: []string{
+			"openAPIV3Schema.properties.spec.properties.source.properties.image.ref: Invalid value: \"docker.io/foo/bar@99-problems:abcdef123456789abcdef123456789abc\": digest algorithm is not valid. valid algorithms must start with an uppercase or lowercase alpha character followed by alphanumeric characters and may contain the \"-\", \"_\", \"+\", and \".\" characters.",
 		},
-		"invalid tag based image ref, tag too long": {
-			spec: ImageSource{
-				Ref: fmt.Sprintf("docker.io/foo/bar:%s", strings.Repeat("x", 128)),
-			},
-			wantErrs: []string{
-				"openAPIV3Schema.properties.spec.properties.source.properties.image.ref: Invalid value: \"string\": tag is invalid. the tag must not be more than 127 characters",
-			},
+	},
+	"invalid digest based image ref, too short digest encoding": {
+		spec: ImageSource{
+			Ref: "docker.io/foo/bar@sha256:abcdef123456789",
 		},
-		"invalid tag based image ref, tag contains invalid characters": {
-			spec: ImageSource{
-				Ref: "docker.io/foo/bar:-foo_bar-",
-			},
-			wantErrs: []string{
-				"openAPIV3Schema.properties.spec.properties.source.properties.image.ref: Invalid value: \"string\": tag is invalid. valid tags must begin with a word character (alphanumeric + \"_\") followed by word characters or \".\", and \"-\" characters",
-			},
+		wantErrs: []string{
+			"openAPIV3Schema.properties.spec.properties.source.properties.image.ref: Invalid value: \"docker.io/foo/bar@sha256:abcdef123456789\": digest is not valid. the encoded string must be at least 32 characters",
+		},
+	},
+	"invalid digest based image ref, invalid characters in digest encoding": {
+		spec: ImageSource{
+			Ref: "docker.io/foo/bar@sha256:XYZxy123456789abcdef123456789abc",
+		},
+		wantErrs: []string{
+			"openAPIV3Schema.properties.spec.properties.source.properties.image.ref: Invalid value: \"docker.io/foo/bar@sha256:XYZxy123456789abcdef123456789abc\": digest is not valid. the encoded string must only contain hex characters (A-F, a-f, 0-9)",
+		},
+	},
+	"invalid image ref, no tag or digest": {
+		spec: ImageSource{
+			Ref: "docker.io/foo/bar",
+		},
+		wantErrs: []string{
+			"openAPIV3Schema.properties.spec.properties.source.properties.image.ref: Invalid value: \"docker.io/foo/bar\": must end with a digest or a tag",
+		},
+	},
+	"invalid tag based image ref, tag too long": {
+		spec: ImageSource{
+			Ref: fmt.Sprintf("docker.io/foo/bar:%s", strings.Repeat("x", 128)),
+		},
+		wantErrs: []string{
+			fmt.Sprintf("openAPIV3Schema.properties.spec.properties.source.properties.image.ref: Invalid value: \"docker.io/foo/bar:%s\": tag is invalid. the tag must not be more than 127 characters", strings.Repeat("x", 128)),
 		},
+	},
+	"invalid tag based image ref, tag contains invalid characters": {
+		spec: ImageSource{
+			Ref: "docker.io/foo/bar:-foo_bar-",
+		},
+		wantErrs: []string{
+			"openAPIV3Schema.properties.spec.properties.source.properties.image.ref: Invalid value: \"docker.io/foo/bar:-foo_bar-\": tag is invalid. valid tags must begin with a word character (alphanumeric + \"_\") followed by word characters or \".\", and \"-\" characters",
+		},
+	},
 		"valid tag based image ref": {
 			spec: ImageSource{
 				Ref: "docker.io/foo/bar:v1.0.0",
@@ -124,14 +124,14 @@ func TestImageSourceCELValidationRules(t *testing.T) {
 			},
 			wantErrs: []string{},
 		},
-		"invalid image ref, only domain with port": {
-			spec: ImageSource{
-				Ref: "docker.io:8080",
-			},
-			wantErrs: []string{
-				"openAPIV3Schema.properties.spec.properties.source.properties.image.ref: Invalid value: \"string\": a valid name is required. valid names must contain lowercase alphanumeric characters separated only by the \".\", \"_\", \"__\", \"-\" characters.",
-			},
+	"invalid image ref, only domain with port": {
+		spec: ImageSource{
+			Ref: "docker.io:8080",
+		},
+		wantErrs: []string{
+			"openAPIV3Schema.properties.spec.properties.source.properties.image.ref: Invalid value: \"docker.io:8080\": a valid name is required. valid names must contain lowercase alphanumeric characters separated only by the \".\", \"_\", \"__\", \"-\" characters.",
 		},
+	},
 		"valid image ref, domain with port": {
 			spec: ImageSource{
 				Ref: "my-subdomain.docker.io:8080/foo/bar:latest",
@@ -174,71 +174,71 @@ func TestResolvedImageSourceCELValidation(t *testing.T) {
 			},
 			wantErrs: []string{},
 		},
-		"invalid digest based image ref, invalid domain": {
-			spec: ImageSource{
-				Ref: "-quay+docker/foo/bar@sha256:abcdef123456789abcdef123456789abc",
-			},
-			wantErrs: []string{
-				"openAPIV3Schema.properties.status.properties.resolvedSource.properties.image.properties.ref: Invalid value: \"string\": must start with a valid domain. valid domains must be alphanumeric characters (lowercase and uppercase) separated by the \".\" character.",
-			},
+	"invalid digest based image ref, invalid domain": {
+		spec: ImageSource{
+			Ref: "-quay+docker/foo/bar@sha256:abcdef123456789abcdef123456789abc",
 		},
-		"invalid digest based image ref, invalid name": {
-			spec: ImageSource{
-				Ref: "docker.io/FOO/BAR@sha256:abcdef123456789abcdef123456789abc",
-			},
-			wantErrs: []string{
-				"openAPIV3Schema.properties.status.properties.resolvedSource.properties.image.properties.ref: Invalid value: \"string\": a valid name is required. valid names must contain lowercase alphanumeric characters separated only by the \".\", \"_\", \"__\", \"-\" characters.",
-			},
+		wantErrs: []string{
+			"openAPIV3Schema.properties.status.properties.resolvedSource.properties.image.properties.ref: Invalid value: \"-quay+docker/foo/bar@sha256:abcdef123456789abcdef123456789abc\": must start with a valid domain. valid domains must be alphanumeric characters (lowercase and uppercase) separated by the \".\" character.",
 		},
-		"invalid digest based image ref, invalid digest algorithm": {
-			spec: ImageSource{
-				Ref: "docker.io/foo/bar@99-problems:abcdef123456789abcdef123456789abc",
-			},
-			wantErrs: []string{
-				"openAPIV3Schema.properties.status.properties.resolvedSource.properties.image.properties.ref: Invalid value: \"string\": digest algorithm is not valid. valid algorithms must start with an uppercase or lowercase alpha character followed by alphanumeric characters and may contain the \"-\", \"_\", \"+\", and \".\" characters.",
-			},
+	},
+	"invalid digest based image ref, invalid name": {
+		spec: ImageSource{
+			Ref: "docker.io/FOO/BAR@sha256:abcdef123456789abcdef123456789abc",
 		},
-		"invalid digest based image ref, too short digest encoding": {
-			spec: ImageSource{
-				Ref: "docker.io/foo/bar@sha256:abcdef123456789",
-			},
-			wantErrs: []string{
-				"openAPIV3Schema.properties.status.properties.resolvedSource.properties.image.properties.ref: Invalid value: \"string\": digest is not valid. the encoded string must be at least 32 characters",
-			},
+		wantErrs: []string{
+			"openAPIV3Schema.properties.status.properties.resolvedSource.properties.image.properties.ref: Invalid value: \"docker.io/FOO/BAR@sha256:abcdef123456789abcdef123456789abc\": a valid name is required. valid names must contain lowercase alphanumeric characters separated only by the \".\", \"_\", \"__\", \"-\" characters.",
 		},
-		"invalid digest based image ref, invalid characters in digest encoding": {
-			spec: ImageSource{
-				Ref: "docker.io/foo/bar@sha256:XYZxy123456789abcdef123456789abc",
-			},
-			wantErrs: []string{
-				"openAPIV3Schema.properties.status.properties.resolvedSource.properties.image.properties.ref: Invalid value: \"string\": digest is not valid. the encoded string must only contain hex characters (A-F, a-f, 0-9)",
-			},
+	},
+	"invalid digest based image ref, invalid digest algorithm": {
+		spec: ImageSource{
+			Ref: "docker.io/foo/bar@99-problems:abcdef123456789abcdef123456789abc",
 		},
-		"invalid image ref, no digest": {
-			spec: ImageSource{
-				Ref: "docker.io/foo/bar",
-			},
-			wantErrs: []string{
-				"openAPIV3Schema.properties.status.properties.resolvedSource.properties.image.properties.ref: Invalid value: \"string\": must end with a digest",
-			},
+		wantErrs: []string{
+			"openAPIV3Schema.properties.status.properties.resolvedSource.properties.image.properties.ref: Invalid value: \"docker.io/foo/bar@99-problems:abcdef123456789abcdef123456789abc\": digest algorithm is not valid. valid algorithms must start with an uppercase or lowercase alpha character followed by alphanumeric characters and may contain the \"-\", \"_\", \"+\", and \".\" characters.",
 		},
-		"invalid image ref, only domain with port": {
-			spec: ImageSource{
-				Ref: "docker.io:8080",
-			},
-			wantErrs: []string{
-				"openAPIV3Schema.properties.status.properties.resolvedSource.properties.image.properties.ref: Invalid value: \"string\": a valid name is required. valid names must contain lowercase alphanumeric characters separated only by the \".\", \"_\", \"__\", \"-\" characters.",
-				"openAPIV3Schema.properties.status.properties.resolvedSource.properties.image.properties.ref: Invalid value: \"string\": must end with a digest",
-			},
+	},
+	"invalid digest based image ref, too short digest encoding": {
+		spec: ImageSource{
+			Ref: "docker.io/foo/bar@sha256:abcdef123456789",
 		},
-		"invalid image ref, tag-based ref": {
-			spec: ImageSource{
-				Ref: "docker.io/foo/bar:latest",
-			},
-			wantErrs: []string{
-				"openAPIV3Schema.properties.status.properties.resolvedSource.properties.image.properties.ref: Invalid value: \"string\": must end with a digest",
-			},
+		wantErrs: []string{
+			"openAPIV3Schema.properties.status.properties.resolvedSource.properties.image.properties.ref: Invalid value: \"docker.io/foo/bar@sha256:abcdef123456789\": digest is not valid. the encoded string must be at least 32 characters",
+		},
+	},
+	"invalid digest based image ref, invalid characters in digest encoding": {
+		spec: ImageSource{
+			Ref: "docker.io/foo/bar@sha256:XYZxy123456789abcdef123456789abc",
+		},
+		wantErrs: []string{
+			"openAPIV3Schema.properties.status.properties.resolvedSource.properties.image.properties.ref: Invalid value: \"docker.io/foo/bar@sha256:XYZxy123456789abcdef123456789abc\": digest is not valid. the encoded string must only contain hex characters (A-F, a-f, 0-9)",
+		},
+	},
+	"invalid image ref, no digest": {
+		spec: ImageSource{
+			Ref: "docker.io/foo/bar",
+		},
+		wantErrs: []string{
+			"openAPIV3Schema.properties.status.properties.resolvedSource.properties.image.properties.ref: Invalid value: \"docker.io/foo/bar\": must end with a digest",
 		},
+	},
+	"invalid image ref, only domain with port": {
+		spec: ImageSource{
+			Ref: "docker.io:8080",
+		},
+		wantErrs: []string{
+			"openAPIV3Schema.properties.status.properties.resolvedSource.properties.image.properties.ref: Invalid value: \"docker.io:8080\": a valid name is required. valid names must contain lowercase alphanumeric characters separated only by the \".\", \"_\", \"__\", \"-\" characters.",
+			"openAPIV3Schema.properties.status.properties.resolvedSource.properties.image.properties.ref: Invalid value: \"docker.io:8080\": must end with a digest",
+		},
+	},
+	"invalid image ref, tag-based ref": {
+		spec: ImageSource{
+			Ref: "docker.io/foo/bar:latest",
+		},
+		wantErrs: []string{
+			"openAPIV3Schema.properties.status.properties.resolvedSource.properties.image.properties.ref: Invalid value: \"docker.io/foo/bar:latest\": must end with a digest",
+		},
+	},
 	} {
 		t.Run(name, func(t *testing.T) {
 			errs := validator(tc.spec.Ref, nil)
@@ -266,22 +266,22 @@ func TestClusterCatalogURLsCELValidation(t *testing.T) {
 			},
 			wantErrs: []string{},
 		},
-		"base is invalid, scheme is not one of http or https": {
-			urls: ClusterCatalogURLs{
-				Base: "file://somefilepath",
-			},
-			wantErrs: []string{
-				fmt.Sprintf("%s: Invalid value: \"string\": scheme must be either http or https", pth),
-			},
+	"base is invalid, scheme is not one of http or https": {
+		urls: ClusterCatalogURLs{
+			Base: "file://somefilepath",
 		},
-		"base is invalid": {
-			urls: ClusterCatalogURLs{
-				Base: "notevenarealURL",
-			},
-			wantErrs: []string{
-				fmt.Sprintf("%s: Invalid value: \"string\": must be a valid URL", pth),
-			},
+		wantErrs: []string{
+			fmt.Sprintf("%s: Invalid value: \"file://somefilepath\": scheme must be either http or https", pth),
+		},
+	},
+	"base is invalid": {
+		urls: ClusterCatalogURLs{
+			Base: "notevenarealURL",
 		},
+		wantErrs: []string{
+			fmt.Sprintf("%s: Invalid value: \"notevenarealURL\": must be a valid URL", pth),
+		},
+	},
 	} {
 		t.Run(name, func(t *testing.T) {
 			errs := validator(tc.urls.Base, nil)
@@ -304,14 +304,14 @@ func TestSourceCELValidation(t *testing.T) {
 		source   CatalogSource
 		wantErrs []string
 	}{
-		"image source missing required image field": {
-			source: CatalogSource{
-				Type: SourceTypeImage,
-			},
-			wantErrs: []string{
-				fmt.Sprintf("%s: Invalid value: \"object\": image is required when source type is %s, and forbidden otherwise", pth, SourceTypeImage),
-			},
+	"image source missing required image field": {
+		source: CatalogSource{
+			Type: SourceTypeImage,
+		},
+		wantErrs: []string{
+			fmt.Sprintf("%s: Invalid value: image is required when source type is %s, and forbidden otherwise", pth, SourceTypeImage),
 		},
+	},
 		"image source with required image field": {
 			source: CatalogSource{
 				Type: SourceTypeImage,
@@ -346,14 +346,14 @@ func TestResolvedSourceCELValidation(t *testing.T) {
 		source   ResolvedCatalogSource
 		wantErrs []string
 	}{
-		"image source missing required image field": {
-			source: ResolvedCatalogSource{
-				Type: SourceTypeImage,
-			},
-			wantErrs: []string{
-				fmt.Sprintf("%s: Invalid value: \"object\": image is required when source type is %s, and forbidden otherwise", pth, SourceTypeImage),
-			},
+	"image source missing required image field": {
+		source: ResolvedCatalogSource{
+			Type: SourceTypeImage,
+		},
+		wantErrs: []string{
+			fmt.Sprintf("%s: Invalid value: image is required when source type is %s, and forbidden otherwise", pth, SourceTypeImage),
 		},
+	},
 		"image source with required image field": {
 			source: ResolvedCatalogSource{
 				Type: SourceTypeImage,
