chore(tools): bump controller-tools with XValidation ordering fix

Update controller-tools to jaypoulz/controller-tools fork which includes
a fix for deterministic XValidation rule ordering. This ensures CRD
generation produces consistent output regardless of map iteration order.

Changes included:
- tools/go.mod: Point replace directive to jaypoulz/controller-tools
- tools/Makefile: Fix openapi-gen path (moved from code-generator to
  kube-openapi upstream)
- tools/codegen/pkg/crdify/generator.go: Ignore 'type' validation for
  allOf→enum schema simplification
- tools/codegen/pkg/schemacheck/generator.go: Disable NoDataTypeChange
  comparator for the same schema simplification

The new controller-tools generates simpler enum schemas without allOf
wrappers when both type and field have enum markers. This is functionally
equivalent but structurally different, requiring the crdify and
schemacheck adjustments to avoid false positive violations.

Upstream fix: kubernetes-sigs/controller-tools#1324
OpenShift carry: openshift/kubernetes-sigs-controller-tools#33

The OpenShift carry is a temporary backport until we can bump to Go 1.25,
which is required by the upstream controller-tools version with this fix.

Created with support from Claude Opus 4 (Anthropic)

Author: jaypoulz

config/v1/tests/authentications.config.openshift.io/ExternalOIDC.yaml

@@ -123,7 +123,7 @@ tests:
                 prefixPolicy: NoPrefix
     - name: Cannot set OIDC providers with no claim mappings
       initial: |
-        apiVersion: config.openshift.io/v1 
+        apiVersion: config.openshift.io/v1
         kind: Authentication
         spec:
           type: OIDC
@@ -699,7 +699,7 @@ tests:
     - name: Should allow updating other fields if issuerURL has a query
       initialCRDPatches:
         - op: remove
-          path: /spec/versions/0/schema/openAPIV3Schema/properties/spec/properties/oidcProviders/items/properties/issuer/properties/issuerURL/x-kubernetes-validations/2
+          path: /spec/versions/0/schema/openAPIV3Schema/properties/spec/properties/oidcProviders/items/properties/issuer/properties/issuerURL/x-kubernetes-validations/1
       initial: |
         apiVersion: config.openshift.io/v1
         kind: Authentication
@@ -742,7 +742,7 @@ tests:
     - name: Should allow updating issuerURL from a previously invalid value to a valid value (query)
       initialCRDPatches:
         - op: remove
-          path: /spec/versions/0/schema/openAPIV3Schema/properties/spec/properties/oidcProviders/items/properties/issuer/properties/issuerURL/x-kubernetes-validations/2
+          path: /spec/versions/0/schema/openAPIV3Schema/properties/spec/properties/oidcProviders/items/properties/issuer/properties/issuerURL/x-kubernetes-validations/1
       initial: |
         apiVersion: config.openshift.io/v1
         kind: Authentication
@@ -785,7 +785,7 @@ tests:
     - name: Should not allow updating issuerURL from a previously invalid value to a still invalid value (query)
       initialCRDPatches:
         - op: remove
-          path: /spec/versions/0/schema/openAPIV3Schema/properties/spec/properties/oidcProviders/items/properties/issuer/properties/issuerURL/x-kubernetes-validations/2
+          path: /spec/versions/0/schema/openAPIV3Schema/properties/spec/properties/oidcProviders/items/properties/issuer/properties/issuerURL/x-kubernetes-validations/1
       initial: |
         apiVersion: config.openshift.io/v1
         kind: Authentication

config/v1/tests/infrastructures.config.openshift.io/DyanmicServiceEndpointIBMCloud.yaml

@@ -1,7 +1,7 @@
 apiVersion: apiextensions.k8s.io/v1 # Hack because controller-gen complains if we don't have this
 name: "Infrastructure"
 crdName: infrastructures.config.openshift.io
-featureGates: 
+featureGates:
 - DyanmicServiceEndpointIBMCloud
 tests:
   onCreate:
@@ -50,7 +50,7 @@ tests:
             serviceEndpoints:
             - name: VPC
               url: " "
-    expectedError: "spec.platformSpec.ibmcloud.serviceEndpoints[0].url: Invalid value: \"string\": URL parse error during conversion from string: parse \" \": invalid URI for request evaluating rule: url must use https scheme, spec.platformSpec.ibmcloud.serviceEndpoints[0].url: Invalid value: \"string\": URL parse error during conversion from string: parse \" \": invalid URI for request evaluating rule: url path must match /v[0,9]+ or /api/v[0,9]+, spec.platformSpec.ibmcloud.serviceEndpoints[0].url: Invalid value: \"string\": url must be a valid absolute URL]"
+    expectedError: "spec.platformSpec.ibmcloud.serviceEndpoints[0].url: Invalid value: \"string\": url must be a valid absolute URL, spec.platformSpec.ibmcloud.serviceEndpoints[0].url: Invalid value: \"string\": URL parse error during conversion from string: parse \" \": invalid URI for request evaluating rule: url path must match /v[0,9]+ or /api/v[0,9]+, spec.platformSpec.ibmcloud.serviceEndpoints[0].url: Invalid value: \"string\": URL parse error during conversion from string: parse \" \": invalid URI for request evaluating rule: url must use https scheme]"
   - name: Should not be able to add invalid ServiceEndpoint (incorect URL path) to IBMCloud PlatformSpec
     initial: |
       apiVersion: config.openshift.io/v1

config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml

@@ -121,33 +121,33 @@ spec:
                                 minLength: 1
                                 type: string
                                 x-kubernetes-validations:
-                                - message: key must contain the '/' character
-                                  rule: self.contains('/')
-                                - message: the domain of the key must consist of only
-                                    lower case alphanumeric characters, '-' or '.',
-                                    and must start and end with an alphanumeric character
-                                  rule: self.split('/', 2)[0].matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$")
-                                - message: the domain of the key must not exceed 253
-                                    characters in length
-                                  rule: self.split('/', 2)[0].size() <= 253
-                                - message: the domain 'kubernetes.io' is reserved
+                                - message: the subdomains '*.k8s.io' are reserved
                                     for Kubernetes use
-                                  rule: self.split('/', 2)[0] != 'kubernetes.io'
+                                  rule: '!self.split(''/'', 2)[0].endsWith(''.k8s.io'')'
                                 - message: the subdomains '*.kubernetes.io' are reserved
                                     for Kubernetes use
                                   rule: '!self.split(''/'', 2)[0].endsWith(''.kubernetes.io'')'
+                                - message: the subdomains '*.openshift.io' are reserved
+                                    for OpenShift use
+                                  rule: '!self.split(''/'', 2)[0].endsWith(''.openshift.io'')'
+                                - message: key must contain the '/' character
+                                  rule: self.contains('/')
                                 - message: the domain 'k8s.io' is reserved for Kubernetes
                                     use
                                   rule: self.split('/', 2)[0] != 'k8s.io'
-                                - message: the subdomains '*.k8s.io' are reserved
+                                - message: the domain 'kubernetes.io' is reserved
                                     for Kubernetes use
-                                  rule: '!self.split(''/'', 2)[0].endsWith(''.k8s.io'')'
+                                  rule: self.split('/', 2)[0] != 'kubernetes.io'
                                 - message: the domain 'openshift.io' is reserved for
                                     OpenShift use
                                   rule: self.split('/', 2)[0] != 'openshift.io'
-                                - message: the subdomains '*.openshift.io' are reserved
-                                    for OpenShift use
-                                  rule: '!self.split(''/'', 2)[0].endsWith(''.openshift.io'')'
+                                - message: the domain of the key must consist of only
+                                    lower case alphanumeric characters, '-' or '.',
+                                    and must start and end with an alphanumeric character
+                                  rule: self.split('/', 2)[0].matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$")
+                                - message: the domain of the key must not exceed 253
+                                    characters in length
+                                  rule: self.split('/', 2)[0].size() <= 253
                                 - message: the path of the key must not be empty and
                                     must consist of at least one alphanumeric character,
                                     percent-encoded octets, apostrophe, '-', '.',
@@ -470,16 +470,16 @@ spec:
                           minLength: 1
                           type: string
                           x-kubernetes-validations:
+                          - message: discoveryURL must not contain user info
+                            rule: '!self.matches(''^https://.+:.+@.+/.*$'')'
                           - message: discoveryURL must be a valid URL
                             rule: isURL(self)
-                          - message: discoveryURL must be a valid https URL
-                            rule: url(self).getScheme() == 'https'
-                          - message: discoveryURL must not contain query parameters
-                            rule: url(self).getQuery().size() == 0
                           - message: discoveryURL must not contain fragments
                             rule: self.matches('^[^#]*$')
-                          - message: discoveryURL must not contain user info
-                            rule: '!self.matches(''^https://.+:.+@.+/.*$'')'
+                          - message: discoveryURL must not contain query parameters
+                            rule: url(self).getQuery().size() == 0
+                          - message: discoveryURL must be a valid https URL
+                            rule: url(self).getScheme() == 'https'
                         issuerCertificateAuthority:
                           description: |-
                             issuerCertificateAuthority is an optional field that configures the
@@ -514,10 +514,10 @@ spec:
                           x-kubernetes-validations:
                           - message: must be a valid URL
                             rule: isURL(self)
-                          - message: must use the 'https' scheme
-                            rule: isURL(self) && url(self).getScheme() == 'https'
                           - message: must not have a query
                             rule: isURL(self) && url(self).getQuery() == {}
+                          - message: must use the 'https' scheme
+                            rule: isURL(self) && url(self).getScheme() == 'https'
                           - message: must not have a fragment
                             rule: self.find('#(.+)$') == ''
                           - message: must not have user info

config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Default.crd.yaml

@@ -121,33 +121,33 @@ spec:
                                 minLength: 1
                                 type: string
                                 x-kubernetes-validations:
-                                - message: key must contain the '/' character
-                                  rule: self.contains('/')
-                                - message: the domain of the key must consist of only
-                                    lower case alphanumeric characters, '-' or '.',
-                                    and must start and end with an alphanumeric character
-                                  rule: self.split('/', 2)[0].matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$")
-                                - message: the domain of the key must not exceed 253
-                                    characters in length
-                                  rule: self.split('/', 2)[0].size() <= 253
-                                - message: the domain 'kubernetes.io' is reserved
+                                - message: the subdomains '*.k8s.io' are reserved
                                     for Kubernetes use
-                                  rule: self.split('/', 2)[0] != 'kubernetes.io'
+                                  rule: '!self.split(''/'', 2)[0].endsWith(''.k8s.io'')'
                                 - message: the subdomains '*.kubernetes.io' are reserved
                                     for Kubernetes use
                                   rule: '!self.split(''/'', 2)[0].endsWith(''.kubernetes.io'')'
+                                - message: the subdomains '*.openshift.io' are reserved
+                                    for OpenShift use
+                                  rule: '!self.split(''/'', 2)[0].endsWith(''.openshift.io'')'
+                                - message: key must contain the '/' character
+                                  rule: self.contains('/')
                                 - message: the domain 'k8s.io' is reserved for Kubernetes
                                     use
                                   rule: self.split('/', 2)[0] != 'k8s.io'
-                                - message: the subdomains '*.k8s.io' are reserved
+                                - message: the domain 'kubernetes.io' is reserved
                                     for Kubernetes use
-                                  rule: '!self.split(''/'', 2)[0].endsWith(''.k8s.io'')'
+                                  rule: self.split('/', 2)[0] != 'kubernetes.io'
                                 - message: the domain 'openshift.io' is reserved for
                                     OpenShift use
                                   rule: self.split('/', 2)[0] != 'openshift.io'
-                                - message: the subdomains '*.openshift.io' are reserved
-                                    for OpenShift use
-                                  rule: '!self.split(''/'', 2)[0].endsWith(''.openshift.io'')'
+                                - message: the domain of the key must consist of only
+                                    lower case alphanumeric characters, '-' or '.',
+                                    and must start and end with an alphanumeric character
+                                  rule: self.split('/', 2)[0].matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$")
+                                - message: the domain of the key must not exceed 253
+                                    characters in length
+                                  rule: self.split('/', 2)[0].size() <= 253
                                 - message: the path of the key must not be empty and
                                     must consist of at least one alphanumeric character,
                                     percent-encoded octets, apostrophe, '-', '.',
@@ -461,10 +461,10 @@ spec:
                           x-kubernetes-validations:
                           - message: must be a valid URL
                             rule: isURL(self)
-                          - message: must use the 'https' scheme
-                            rule: isURL(self) && url(self).getScheme() == 'https'
                           - message: must not have a query
                             rule: isURL(self) && url(self).getQuery() == {}
+                          - message: must use the 'https' scheme
+                            rule: isURL(self) && url(self).getScheme() == 'https'
                           - message: must not have a fragment
                             rule: self.find('#(.+)$') == ''
                           - message: must not have user info