implement opaque declarative validation marker

itzPranshul · itzPranshul · commit b0f283f9291e · 2026-03-08T18:30:51.000+05:30
This commit introduces , a field-level marker that suppresses type-level validation inheritance for a specific field, while still allowing field-level markers
diff --git a/pkg/crd/markers/validation.go b/pkg/crd/markers/validation.go
@@ -35,6 +35,8 @@ const (
 	ValidationExactlyOneOfPrefix = validationPrefix + "ExactlyOneOf"
 	ValidationAtMostOneOfPrefix  = validationPrefix + "AtMostOneOf"
 	ValidationAtLeastOneOfPrefix = validationPrefix + "AtLeastOneOf"
+
+	OpaqueFieldName = "k8s:opaque"
 )
 
 // ValidationMarkers lists all available markers that affect CRD schema generation,
@@ -123,6 +125,9 @@ var FieldOnlyMarkers = []*definitionWithHelp{
 
 	must(markers.MakeDefinition(SchemalessName, markers.DescribesField, Schemaless{})).
 		WithHelp(Schemaless{}.Help()),
+
+	must(markers.MakeDefinition(OpaqueFieldName, markers.DescribesField, Opaque{})).
+		WithHelp(markers.SimpleHelp("CRD validation", "suppresses type-level validation inheritance for this field; field-level markers still apply.")),
 }
 
 // ValidationIshMarkers are field-and-type markers that don't fall under the
@@ -568,6 +573,10 @@ type XIntOrString struct{}
 // +controllertools:marker:generateHelp:category="CRD validation"
 type Schemaless struct{}
 
+// Opaque instructs the CRD generator to suppress inheritance of type-level
+// validation for this field. Field-level markers still apply.
+type Opaque struct{}
+
 func hasNumericType(schema *apiextensionsv1.JSONSchemaProps) bool {
 	return schema.Type == string(Integer) || schema.Type == string(Number)
 }
diff --git a/pkg/crd/schema.go b/pkg/crd/schema.go
@@ -73,6 +73,7 @@ type schemaContext struct {
 
 	allowDangerousTypes    bool
 	ignoreUnexportedFields bool
+	opaque                 bool
 }
 
 // newSchemaContext constructs a new schemaContext for the given package and schema requester.
@@ -99,6 +100,16 @@ func (c *schemaContext) ForInfo(info *markers.TypeInfo) *schemaContext {
 	}
 }
 
+// ForInfoOpaque produces a new schemaContext with containing the same information
+// as this one, except with the given type information and marked as opaque.
+// An opaque context prevents the emission of $ref to the type's schema, suppressing
+// inherited type-level validations.
+func (c *schemaContext) ForInfoOpaque(info *markers.TypeInfo) *schemaContext {
+	ctx := c.ForInfo(info)
+	ctx.opaque = true
+	return ctx
+}
+
 // requestSchema asks for the schema for a type in the package with the
 // given import path.
 func (c *schemaContext) requestSchema(pkgPath, typeName string) {
@@ -282,6 +293,12 @@ func localNamedToSchema(ctx *schemaContext, ident *ast.Ident) *apiextensionsv1.J
 		// > Otherwise, the alias information is only in the type name, which
 		// > points directly to the actual (aliased) type.
 		if basicInfo.Name() != ident.Name {
+			if ctx.opaque {
+				return &apiextensionsv1.JSONSchemaProps{
+					Type:   typ,
+					Format: fmt,
+				}
+			}
 			ctx.requestSchema("", ident.Name)
 			link := TypeRefLink("", ident.Name)
 			return &apiextensionsv1.JSONSchemaProps{
@@ -303,8 +320,9 @@ func localNamedToSchema(ctx *schemaContext, ident *ast.Ident) *apiextensionsv1.J
 	if pkg == ctx.pkg.Types {
 		pkgPath = ""
 	}
-	ctx.requestSchema(pkgPath, typeNameInfo.Name())
-	link := TypeRefLink(pkgPath, typeNameInfo.Name())
+	if !ctx.opaque {
+		ctx.requestSchema(pkgPath, typeNameInfo.Name())
+	}
 
 	// In cases where we have a named type, apply the type and format from the named schema
 	// to allow markers that need this information to apply correctly.
@@ -321,11 +339,17 @@ func localNamedToSchema(ctx *schemaContext, ident *ast.Ident) *apiextensionsv1.J
 		}
 	}
 
-	return &apiextensionsv1.JSONSchemaProps{
+	props := &apiextensionsv1.JSONSchemaProps{
 		Type:   typ,
 		Format: fmt,
-		Ref:    &link,
 	}
+
+	if !ctx.opaque {
+		link := TypeRefLink(pkgPath, typeNameInfo.Name())
+		props.Ref = &link
+	}
+
+	return props
 }
 
 // namedSchema creates a schema (ref) for an explicitly external type reference.
@@ -338,6 +362,11 @@ func namedToSchema(ctx *schemaContext, named *ast.SelectorExpr) *apiextensionsv1
 	typeInfo := typeInfoRaw.(interface{ Obj() *types.TypeName })
 	typeNameInfo := typeInfo.Obj()
 	nonVendorPath := loader.NonVendorPath(typeNameInfo.Pkg().Path())
+
+	if ctx.opaque {
+		return &apiextensionsv1.JSONSchemaProps{}
+	}
+
 	ctx.requestSchema(nonVendorPath, typeNameInfo.Name())
 	link := TypeRefLink(nonVendorPath, typeNameInfo.Name())
 	return &apiextensionsv1.JSONSchemaProps{
@@ -522,6 +551,8 @@ func structToSchema(ctx *schemaContext, structType *ast.StructType) *apiextensio
 		var propSchema *apiextensionsv1.JSONSchemaProps
 		if field.Markers.Get(crdmarkers.SchemalessName) != nil {
 			propSchema = &apiextensionsv1.JSONSchemaProps{}
+		} else if field.Markers.Get(crdmarkers.OpaqueFieldName) != nil {
+			propSchema = typeToSchema(ctx.ForInfoOpaque(&markers.TypeInfo{}), field.RawField.Type)
 		} else {
 			propSchema = typeToSchema(ctx.ForInfo(&markers.TypeInfo{}), field.RawField.Type)
 		}
diff --git a/pkg/crd/testdata/cronjob_types.go b/pkg/crd/testdata/cronjob_types.go
@@ -430,6 +430,15 @@ type CronJobSpec struct {
 	// +kubebuilder:validation:MinLength=10
 	// +kubebuilder:validation:MaxLength=10
 	FieldLevelLocalDeclarationOverride LongerString `json:"fieldLevelLocalDeclarationOverride,omitempty"`
+
+	// This tests that +k8s:opaque suppresses type-level validation from LongerString (MinLength=4).
+	// +k8s:opaque
+	// +kubebuilder:validation:MaxLength=5
+	OpaqueField LongerString `json:"opaqueField,omitempty"`
+
+	// This tests that without +k8s:opaque, type-level validations from LongerString are inherited.
+	// +kubebuilder:validation:MaxLength=5
+	NonOpaqueField LongerString `json:"nonOpaqueField,omitempty"`
 }
 
 type InlineAlias = EmbeddedStruct
diff --git a/pkg/crd/testdata/testdata.kubebuilder.io_cronjobs.yaml b/pkg/crd/testdata/testdata.kubebuilder.io_cronjobs.yaml
@@ -9542,6 +9542,12 @@ spec:
                   This flag is like suspend, but for when you really mean it.
                   It helps test the +kubebuilder:validation:Type marker.
                 type: string
+              nonOpaqueField:
+                description: This tests that without +k8s:opaque, type-level validations
+                  from LongerString are inherited.
+                maxLength: 5
+                minLength: 4
+                type: string
               onlyAllowSettingOnUpdate:
                 description: Test that we can add a field that can only be set to
                   a non-default value on updates using XValidation OptionalOldSelf.
@@ -9552,6 +9558,11 @@ spec:
                     an update.
                   optionalOldSelf: true
                   rule: oldSelf.hasValue() || self == 0
+              opaqueField:
+                description: This tests that +k8s:opaque suppresses type-level validation
+                  from LongerString (MinLength=4).
+                maxLength: 5
+                type: string
               patternObject:
                 description: This tests that pattern validator is properly applied.
                 pattern: ^$|^((https):\/\/?)[^\s()<>]+(?:\([\w\d]+\)|([^[:punct:]\s]|\/?))$
