use a CEL validation for URLs

v47 · v47 · commit 99178e8e7980 · 2025-09-20T02:03:02.000+02:00
diff --git a/config/crd/bases/controlplane.cluster.x-k8s.io_awsmanagedcontrolplanes.yaml b/config/crd/bases/controlplane.cluster.x-k8s.io_awsmanagedcontrolplanes.yaml
@@ -907,8 +907,9 @@ spec:
                       or https://example.com. This URL should point to the level below .well-known/openid-configuration
                       and must be publicly accessible over the internet.
                     minLength: 1
-                    pattern: ^https://.+
                     type: string
+                    x-kubernetes-validations:
+                    - rule: isURL(self) && url(self).getScheme() == 'https'
                   requiredClaims:
                     additionalProperties:
                       type: string
@@ -3083,8 +3084,9 @@ spec:
                       or https://example.com. This URL should point to the level below .well-known/openid-configuration
                       and must be publicly accessible over the internet.
                     minLength: 1
-                    pattern: ^https://.+
                     type: string
+                    x-kubernetes-validations:
+                    - rule: isURL(self) && url(self).getScheme() == 'https'
                   requiredClaims:
                     additionalProperties:
                       type: string
diff --git a/config/crd/bases/controlplane.cluster.x-k8s.io_awsmanagedcontrolplanetemplates.yaml b/config/crd/bases/controlplane.cluster.x-k8s.io_awsmanagedcontrolplanetemplates.yaml
@@ -909,8 +909,9 @@ spec:
                               or https://example.com. This URL should point to the level below .well-known/openid-configuration
                               and must be publicly accessible over the internet.
                             minLength: 1
-                            pattern: ^https://.+
                             type: string
+                            x-kubernetes-validations:
+                            - rule: isURL(self) && url(self).getScheme() == 'https'
                           requiredClaims:
                             additionalProperties:
                               type: string
diff --git a/controlplane/eks/api/v1beta1/types.go b/controlplane/eks/api/v1beta1/types.go
@@ -253,7 +253,7 @@ type OIDCIdentityProviderConfig struct {
 	//
 	// +kubebuilder:validation:Required
 	// +kubebuilder:validation:MinLength=1
-	// +kubebuilder:validation:Pattern=`^https://.+`
+	// +kubebuilder:validation:XValidation:rule="isURL(self) && url(self).getScheme() == 'https'"
 	IssuerURL string `json:"issuerUrl,omitempty"`
 
 	// The key value pairs that describe required claims in the identity token.
diff --git a/controlplane/eks/api/v1beta2/types.go b/controlplane/eks/api/v1beta2/types.go
@@ -257,7 +257,7 @@ type OIDCIdentityProviderConfig struct {
 	//
 	// +kubebuilder:validation:Required
 	// +kubebuilder:validation:MinLength=1
-	// +kubebuilder:validation:Pattern=`^https://.+`
+	// +kubebuilder:validation:XValidation:rule="isURL(self) && url(self).getScheme() == 'https'"
 	IssuerURL string `json:"issuerUrl,omitempty"`
 
 	// The key value pairs that describe required claims in the identity token.
