openshift
diff --git a/‎api/hypershift/v1beta1/hosted_controlplane.go
+1-1 b/‎api/hypershift/v1beta1/hosted_controlplane.go
+1-1
diff --git a/‎api/hypershift/v1beta1/hostedcluster_types.go
+2-3 b/‎api/hypershift/v1beta1/hostedcluster_types.go
+2-3
diff --git a/‎api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/AAA_ungated.yaml
+36-11 b/‎api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/AAA_ungated.yaml
+36-11
diff --git a/‎api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/AROHCPManagedIdentities.yaml
+36-11 b/‎api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/AROHCPManagedIdentities.yaml
+36-11
@@ -34,6 +34,7 @@ type HostedControlPlane struct {
 }
 
 // HostedControlPlaneSpec defines the desired state of HostedControlPlane
+// +kubebuilder:validation:XValidation:rule="self.platform.type == 'IBMCloud' ? size(self.services) >= 3 : size(self.services) >= 4",message="spec.services in body should have at least 4 items or 3 for IBMCloud"
 type HostedControlPlaneSpec struct {
 	// ReleaseImage is the release image applied to the hosted control plane.
 	ReleaseImage string `json:"releaseImage"`
@@ -118,7 +119,6 @@ type HostedControlPlaneSpec struct {
 	// Services defines metadata about how control plane services are published
 	// in the management cluster.
 	// +kubebuilder:validation:MaxItems=6
-	// +kubebuilder:validation:MinItems=4
 	Services []ServicePublishingStrategyMapping `json:"services"`
 
 	// AuditWebhook contains metadata for configuring an audit webhook
 
@@ -351,6 +351,7 @@ const (
 
 // HostedClusterSpec is the desired behavior of a HostedCluster.
 
+// +kubebuilder:validation:XValidation:rule="self.platform.type == 'IBMCloud' ? size(self.services) >= 3 : size(self.services) >= 4",message="spec.services in body should have at least 4 items or 3 for IBMCloud"
 // +kubebuilder:validation:XValidation:rule=`self.platform.type != "IBMCloud" ? self.services == oldSelf.services : true`, message="Services is immutable. Changes might result in unpredictable and disruptive behavior."
 // +kubebuilder:validation:XValidation:rule=`self.platform.type == "Azure" ? self.services.exists(s, s.service == "APIServer" && s.servicePublishingStrategy.type == "Route" && s.servicePublishingStrategy.route.hostname != "") : true`,message="Azure platform requires APIServer Route service with a hostname to be defined"
 // +kubebuilder:validation:XValidation:rule=`self.platform.type == "Azure" ? self.services.exists(s, s.service == "OAuthServer" && s.servicePublishingStrategy.type == "Route" && s.servicePublishingStrategy.route.hostname != "") : true`,message="Azure platform requires OAuthServer Route service with a hostname to be defined"
@@ -471,11 +472,9 @@ type HostedClusterSpec struct {
 	// Max is 6 to account for OIDC;OVNSbDb for backward compability though they are no-op.
 	//
 	// +kubebuilder:validation:MaxItems=6
-	// +kubebuilder:validation:MinItems=4
 	// +kubebuilder:validation:ListType=atomic
 	// -kubebuilder:validation:XValidation:rule="self.all(s, !(s.service == 'APIServer' && s.servicePublishingStrategy.type == 'Route') || has(s.servicePublishingStrategy.route.hostname))",message="If serviceType is 'APIServer' and publishing strategy is 'Route', then hostname must be set"
-	// -kubebuilder:validation:XValidation:rule="['APIServer', 'OAuthServer', 'Konnectivity', 'Ignition'].all(requiredType, self.exists(s, s.service == requiredType))",message="Services list must contain at least 'APIServer', 'OAuthServer', 'Konnectivity', and 'Ignition' service types"
-	// -kubebuilder:validation:XValidation:rule="self.filter(s, s.servicePublishingStrategy.type == 'Route' && has(s.servicePublishingStrategy.route) && has(s.servicePublishingStrategy.route.hostname)).all(x, self.filter(y, y.servicePublishingStrategy.type == 'Route' && (has(y.servicePublishingStrategy.route) && has(y.servicePublishingStrategy.route.hostname) && y.servicePublishingStrategy.route.hostname == x.servicePublishingStrategy.route.hostname)).size() <= 1)",message="Each route publishingStrategy 'hostname' must be unique within the Services list."
+	// -kubebuilder:validation:XValidation:rule="self.platform.type == 'IBMCloud' ? ['APIServer', 'OAuthServer', 'Konnectivity'].all(requiredType, self.exists(s, s.service == requiredType))",message="Services list must contain at least 'APIServer', 'OAuthServer', and 'Konnectivity' service types" : ['APIServer', 'OAuthServer', 'Konnectivity', 'Ignition'].all(requiredType, self.exists(s, s.service == requiredType))",message="Services list must contain at least 'APIServer', 'OAuthServer', 'Konnectivity', and 'Ignition' service types"	// -kubebuilder:validation:XValidation:rule="self.filter(s, s.servicePublishingStrategy.type == 'Route' && has(s.servicePublishingStrategy.route) && has(s.servicePublishingStrategy.route.hostname)).all(x, self.filter(y, y.servicePublishingStrategy.type == 'Route' && (has(y.servicePublishingStrategy.route) && has(y.servicePublishingStrategy.route.hostname) && y.servicePublishingStrategy.route.hostname == x.servicePublishingStrategy.route.hostname)).size() <= 1)",message="Each route publishingStrategy 'hostname' must be unique within the Services list."
 	// -kubebuilder:validation:XValidation:rule="self.filter(s, s.servicePublishingStrategy.type == 'NodePort' && has(s.servicePublishingStrategy.nodePort) && has(s.servicePublishingStrategy.nodePort.address) && has(s.servicePublishingStrategy.nodePort.port)).all(x, self.filter(y, y.servicePublishingStrategy.type == 'NodePort' && (has(y.servicePublishingStrategy.nodePort) && has(y.servicePublishingStrategy.nodePort.address) && y.servicePublishingStrategy.nodePort.address == x.servicePublishingStrategy.nodePort.address && has(y.servicePublishingStrategy.nodePort.port) && y.servicePublishingStrategy.nodePort.port == x.servicePublishingStrategy.nodePort.port )).size() <= 1)",message="Each nodePort publishingStrategy 'nodePort' and 'hostname' must be unique within the Services list."
 	// TODO(alberto): this breaks the cost budget for < 4.17. We should figure why and enable it back. And If not fixable, consider imposing a minimum version on the management cluster.
 	// +required
 
@@ -3826,16 +3826,38 @@ spec:
                 type: object
                 x-kubernetes-map-type: atomic
               services:
-                description: |-
-                  services specifies how individual control plane services endpoints are published for consumption.
-                  This requires APIServer;OAuthServer;Konnectivity;Ignition.
-                  This field is immutable for all platforms but IBMCloud.
-                  Max is 6 to account for OIDC;OVNSbDb for backward compability though they are no-op.
-
-                  -kubebuilder:validation:XValidation:rule="self.all(s, !(s.service == 'APIServer' && s.servicePublishingStrategy.type == 'Route') || has(s.servicePublishingStrategy.route.hostname))",message="If serviceType is 'APIServer' and publishing strategy is 'Route', then hostname must be set"
-                  -kubebuilder:validation:XValidation:rule="['APIServer', 'OAuthServer', 'Konnectivity', 'Ignition'].all(requiredType, self.exists(s, s.service == requiredType))",message="Services list must contain at least 'APIServer', 'OAuthServer', 'Konnectivity', and 'Ignition' service types"
-                  -kubebuilder:validation:XValidation:rule="self.filter(s, s.servicePublishingStrategy.type == 'Route' && has(s.servicePublishingStrategy.route) && has(s.servicePublishingStrategy.route.hostname)).all(x, self.filter(y, y.servicePublishingStrategy.type == 'Route' && (has(y.servicePublishingStrategy.route) && has(y.servicePublishingStrategy.route.hostname) && y.servicePublishingStrategy.route.hostname == x.servicePublishingStrategy.route.hostname)).size() <= 1)",message="Each route publishingStrategy 'hostname' must be unique within the Services list."
-                  -kubebuilder:validation:XValidation:rule="self.filter(s, s.servicePublishingStrategy.type == 'NodePort' && has(s.servicePublishingStrategy.nodePort) && has(s.servicePublishingStrategy.nodePort.address) && has(s.servicePublishingStrategy.nodePort.port)).all(x, self.filter(y, y.servicePublishingStrategy.type == 'NodePort' && (has(y.servicePublishingStrategy.nodePort) && has(y.servicePublishingStrategy.nodePort.address) && y.servicePublishingStrategy.nodePort.address == x.servicePublishingStrategy.nodePort.address && has(y.servicePublishingStrategy.nodePort.port) && y.servicePublishingStrategy.nodePort.port == x.servicePublishingStrategy.nodePort.port )).size() <= 1)",message="Each nodePort publishingStrategy 'nodePort' and 'hostname' must be unique within the Services list."
+                description: "services specifies how individual control plane services
+                  endpoints are published for consumption.\nThis requires APIServer;OAuthServer;Konnectivity;Ignition.\nThis
+                  field is immutable for all platforms but IBMCloud.\nMax is 6 to
+                  account for OIDC;OVNSbDb for backward compability though they are
+                  no-op.\n\n-kubebuilder:validation:XValidation:rule=\"self.all(s,
+                  !(s.service == 'APIServer' && s.servicePublishingStrategy.type ==
+                  'Route') || has(s.servicePublishingStrategy.route.hostname))\",message=\"If
+                  serviceType is 'APIServer' and publishing strategy is 'Route', then
+                  hostname must be set\"\n-kubebuilder:validation:XValidation:rule=\"self.platform.type
+                  == 'IBMCloud' ? ['APIServer', 'OAuthServer', 'Konnectivity'].all(requiredType,
+                  self.exists(s, s.service == requiredType))\",message=\"Services
+                  list must contain at least 'APIServer', 'OAuthServer', and 'Konnectivity'
+                  service types\" : ['APIServer', 'OAuthServer', 'Konnectivity', 'Ignition'].all(requiredType,
+                  self.exists(s, s.service == requiredType))\",message=\"Services
+                  list must contain at least 'APIServer', 'OAuthServer', 'Konnectivity',
+                  and 'Ignition' service types\"\t// -kubebuilder:validation:XValidation:rule=\"self.filter(s,
+                  s.servicePublishingStrategy.type == 'Route' && has(s.servicePublishingStrategy.route)
+                  && has(s.servicePublishingStrategy.route.hostname)).all(x, self.filter(y,
+                  y.servicePublishingStrategy.type == 'Route' && (has(y.servicePublishingStrategy.route)
+                  && has(y.servicePublishingStrategy.route.hostname) && y.servicePublishingStrategy.route.hostname
+                  == x.servicePublishingStrategy.route.hostname)).size() <= 1)\",message=\"Each
+                  route publishingStrategy 'hostname' must be unique within the Services
+                  list.\"\n-kubebuilder:validation:XValidation:rule=\"self.filter(s,
+                  s.servicePublishingStrategy.type == 'NodePort' && has(s.servicePublishingStrategy.nodePort)
+                  && has(s.servicePublishingStrategy.nodePort.address) && has(s.servicePublishingStrategy.nodePort.port)).all(x,
+                  self.filter(y, y.servicePublishingStrategy.type == 'NodePort' &&
+                  (has(y.servicePublishingStrategy.nodePort) && has(y.servicePublishingStrategy.nodePort.address)
+                  && y.servicePublishingStrategy.nodePort.address == x.servicePublishingStrategy.nodePort.address
+                  && has(y.servicePublishingStrategy.nodePort.port) && y.servicePublishingStrategy.nodePort.port
+                  == x.servicePublishingStrategy.nodePort.port )).size() <= 1)\",message=\"Each
+                  nodePort publishingStrategy 'nodePort' and 'hostname' must be unique
+                  within the Services list.\""
                 items:
                   description: |-
                     ServicePublishingStrategyMapping specifies how individual control plane services endpoints are published for consumption.
@@ -3957,7 +3979,6 @@ spec:
                   - servicePublishingStrategy
                   type: object
                 maxItems: 6
-                minItems: 4
                 type: array
               sshKey:
                 description: |-
@@ -4036,6 +4057,10 @@ spec:
             - services
             type: object
             x-kubernetes-validations:
+            - message: spec.services in body should have at least 4 items or 3 for
+                IBMCloud
+              rule: 'self.platform.type == ''IBMCloud'' ? size(self.services) >= 3
+                : size(self.services) >= 4'
             - message: Services is immutable. Changes might result in unpredictable
                 and disruptive behavior.
               rule: 'self.platform.type != "IBMCloud" ? self.services == oldSelf.services
 
@@ -4304,16 +4304,38 @@ spec:
                 type: object
                 x-kubernetes-map-type: atomic
               services:
-                description: |-
-                  services specifies how individual control plane services endpoints are published for consumption.
-                  This requires APIServer;OAuthServer;Konnectivity;Ignition.
-                  This field is immutable for all platforms but IBMCloud.
-                  Max is 6 to account for OIDC;OVNSbDb for backward compability though they are no-op.
-
-                  -kubebuilder:validation:XValidation:rule="self.all(s, !(s.service == 'APIServer' && s.servicePublishingStrategy.type == 'Route') || has(s.servicePublishingStrategy.route.hostname))",message="If serviceType is 'APIServer' and publishing strategy is 'Route', then hostname must be set"
-                  -kubebuilder:validation:XValidation:rule="['APIServer', 'OAuthServer', 'Konnectivity', 'Ignition'].all(requiredType, self.exists(s, s.service == requiredType))",message="Services list must contain at least 'APIServer', 'OAuthServer', 'Konnectivity', and 'Ignition' service types"
-                  -kubebuilder:validation:XValidation:rule="self.filter(s, s.servicePublishingStrategy.type == 'Route' && has(s.servicePublishingStrategy.route) && has(s.servicePublishingStrategy.route.hostname)).all(x, self.filter(y, y.servicePublishingStrategy.type == 'Route' && (has(y.servicePublishingStrategy.route) && has(y.servicePublishingStrategy.route.hostname) && y.servicePublishingStrategy.route.hostname == x.servicePublishingStrategy.route.hostname)).size() <= 1)",message="Each route publishingStrategy 'hostname' must be unique within the Services list."
-                  -kubebuilder:validation:XValidation:rule="self.filter(s, s.servicePublishingStrategy.type == 'NodePort' && has(s.servicePublishingStrategy.nodePort) && has(s.servicePublishingStrategy.nodePort.address) && has(s.servicePublishingStrategy.nodePort.port)).all(x, self.filter(y, y.servicePublishingStrategy.type == 'NodePort' && (has(y.servicePublishingStrategy.nodePort) && has(y.servicePublishingStrategy.nodePort.address) && y.servicePublishingStrategy.nodePort.address == x.servicePublishingStrategy.nodePort.address && has(y.servicePublishingStrategy.nodePort.port) && y.servicePublishingStrategy.nodePort.port == x.servicePublishingStrategy.nodePort.port )).size() <= 1)",message="Each nodePort publishingStrategy 'nodePort' and 'hostname' must be unique within the Services list."
+                description: "services specifies how individual control plane services
+                  endpoints are published for consumption.\nThis requires APIServer;OAuthServer;Konnectivity;Ignition.\nThis
+                  field is immutable for all platforms but IBMCloud.\nMax is 6 to
+                  account for OIDC;OVNSbDb for backward compability though they are
+                  no-op.\n\n-kubebuilder:validation:XValidation:rule=\"self.all(s,
+                  !(s.service == 'APIServer' && s.servicePublishingStrategy.type ==
+                  'Route') || has(s.servicePublishingStrategy.route.hostname))\",message=\"If
+                  serviceType is 'APIServer' and publishing strategy is 'Route', then
+                  hostname must be set\"\n-kubebuilder:validation:XValidation:rule=\"self.platform.type
+                  == 'IBMCloud' ? ['APIServer', 'OAuthServer', 'Konnectivity'].all(requiredType,
+                  self.exists(s, s.service == requiredType))\",message=\"Services
+                  list must contain at least 'APIServer', 'OAuthServer', and 'Konnectivity'
+                  service types\" : ['APIServer', 'OAuthServer', 'Konnectivity', 'Ignition'].all(requiredType,
+                  self.exists(s, s.service == requiredType))\",message=\"Services
+                  list must contain at least 'APIServer', 'OAuthServer', 'Konnectivity',
+                  and 'Ignition' service types\"\t// -kubebuilder:validation:XValidation:rule=\"self.filter(s,
+                  s.servicePublishingStrategy.type == 'Route' && has(s.servicePublishingStrategy.route)
+                  && has(s.servicePublishingStrategy.route.hostname)).all(x, self.filter(y,
+                  y.servicePublishingStrategy.type == 'Route' && (has(y.servicePublishingStrategy.route)
+                  && has(y.servicePublishingStrategy.route.hostname) && y.servicePublishingStrategy.route.hostname
+                  == x.servicePublishingStrategy.route.hostname)).size() <= 1)\",message=\"Each
+                  route publishingStrategy 'hostname' must be unique within the Services
+                  list.\"\n-kubebuilder:validation:XValidation:rule=\"self.filter(s,
+                  s.servicePublishingStrategy.type == 'NodePort' && has(s.servicePublishingStrategy.nodePort)
+                  && has(s.servicePublishingStrategy.nodePort.address) && has(s.servicePublishingStrategy.nodePort.port)).all(x,
+                  self.filter(y, y.servicePublishingStrategy.type == 'NodePort' &&
+                  (has(y.servicePublishingStrategy.nodePort) && has(y.servicePublishingStrategy.nodePort.address)
+                  && y.servicePublishingStrategy.nodePort.address == x.servicePublishingStrategy.nodePort.address
+                  && has(y.servicePublishingStrategy.nodePort.port) && y.servicePublishingStrategy.nodePort.port
+                  == x.servicePublishingStrategy.nodePort.port )).size() <= 1)\",message=\"Each
+                  nodePort publishingStrategy 'nodePort' and 'hostname' must be unique
+                  within the Services list.\""
                 items:
                   description: |-
                     ServicePublishingStrategyMapping specifies how individual control plane services endpoints are published for consumption.
@@ -4435,7 +4457,6 @@ spec:
                   - servicePublishingStrategy
                   type: object
                 maxItems: 6
-                minItems: 4
                 type: array
               sshKey:
                 description: |-
@@ -4514,6 +4535,10 @@ spec:
             - services
             type: object
             x-kubernetes-validations:
+            - message: spec.services in body should have at least 4 items or 3 for
+                IBMCloud
+              rule: 'self.platform.type == ''IBMCloud'' ? size(self.services) >= 3
+                : size(self.services) >= 4'
             - message: Services is immutable. Changes might result in unpredictable
                 and disruptive behavior.
               rule: 'self.platform.type != "IBMCloud" ? self.services == oldSelf.services