UPSTREAM: <carry>: fix crdupgradesafety diff when items schema differ (#1863)

* crdupgradesafety: original copies from kapp

Signed-off-by: Joe Lanford <[email protected]>

* crdupgradesafety: drop kapp dependency

Signed-off-by: Joe Lanford <[email protected]>

* crdupgradesafety: remove unused code

Signed-off-by: Joe Lanford <[email protected]>

* crdupgradesafety: fixup apiextensionsv1 import aliases

Signed-off-by: Joe Lanford <[email protected]>

* crdupgradesafety: fix to ignore diffs in child items

Signed-off-by: Joe Lanford <[email protected]>

---------

Signed-off-by: Joe Lanford <[email protected]>

Author: joelanford

go.mod

@@ -3,7 +3,6 @@ module github.com/operator-framework/operator-controller
 go 1.22.5
 
 require (
-	carvel.dev/kapp v0.63.3
 	github.com/BurntSushi/toml v1.4.0
 	github.com/Masterminds/semver/v3 v3.3.0
 	github.com/blang/semver/v4 v4.0.0
@@ -16,6 +15,7 @@ require (
 	github.com/onsi/ginkgo/v2 v2.21.0
 	github.com/onsi/gomega v1.35.1
 	github.com/opencontainers/go-digest v1.0.0
+	github.com/openshift/crd-schema-checker v0.0.0-20240404194209-35a9033b1d11
 	github.com/operator-framework/api v0.27.0
 	github.com/operator-framework/catalogd v1.0.0-rc1
 	github.com/operator-framework/helm-operator-plugins v0.7.0
@@ -38,7 +38,6 @@ require (
 )
 
 require (
-	carvel.dev/vendir v0.40.0 // indirect
 	dario.cat/mergo v1.0.1 // indirect
 	github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 // indirect
 	github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect
@@ -69,9 +68,6 @@ require (
 	github.com/containers/libtrust v0.0.0-20230121012942-c1716e8a8d01 // indirect
 	github.com/containers/ocicrypt v1.2.0 // indirect
 	github.com/containers/storage v1.55.0 // indirect
-	github.com/cppforlife/cobrautil v0.0.0-20221130162803-acdfead391ef // indirect
-	github.com/cppforlife/color v1.9.1-0.20200716202919-6706ac40b835 // indirect
-	github.com/cppforlife/go-cli-ui v0.0.0-20220425131040-94f26b16bc14 // indirect
 	github.com/cyberphone/json-canonicalization v0.0.0-20231217050601-ba74d44ecf5f // indirect
 	github.com/cyphar/filepath-securejoin v0.3.6 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
@@ -128,7 +124,6 @@ require (
 	github.com/h2non/go-is-svg v0.0.0-20160927212452-35e8c4b0612c // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
-	github.com/hashicorp/go-version v1.6.0 // indirect
 	github.com/huandu/xstrings v1.5.0 // indirect
 	github.com/imdario/mergo v0.3.16 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
@@ -137,8 +132,6 @@ require (
 	github.com/joelanford/ignore v0.1.1 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
-	github.com/k14s/starlark-go v0.0.0-20200720175618-3a5c849cc368 // indirect
-	github.com/k14s/ytt v0.36.0 // indirect
 	github.com/klauspost/compress v1.17.11 // indirect
 	github.com/klauspost/pgzip v1.2.6 // indirect
 	github.com/lann/builder v0.0.0-20180802200727-47ae307949d0 // indirect
@@ -172,7 +165,6 @@ require (
 	github.com/oklog/ulid v1.3.1 // indirect
 	github.com/opencontainers/image-spec v1.1.0 // indirect
 	github.com/opencontainers/runtime-spec v1.2.0 // indirect
-	github.com/openshift/crd-schema-checker v0.0.0-20240404194209-35a9033b1d11 // indirect
 	github.com/operator-framework/operator-lib v0.15.0 // indirect
 	github.com/otiai10/copy v1.14.0 // indirect
 	github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
@@ -202,8 +194,6 @@ require (
 	github.com/ulikunitz/xz v0.5.12 // indirect
 	github.com/vbatts/tar-split v0.11.5 // indirect
 	github.com/vbauerster/mpb/v8 v8.7.5 // indirect
-	github.com/vito/go-interact v1.0.1 // indirect
-	github.com/vmware-tanzu/carvel-kapp-controller v0.51.0 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
 	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect

go.sum

@@ -0,0 +1,167 @@
+// Originally copied from https://github.com/carvel-dev/kapp/tree/d7fc2e15439331aa3a379485bb124e91a0829d2e
+// Attribution:
+//   Copyright 2024 The Carvel Authors.
+//   SPDX-License-Identifier: Apache-2.0
+
+package crdupgradesafety
+
+import (
+	"errors"
+	"fmt"
+	"reflect"
+
+	"github.com/openshift/crd-schema-checker/pkg/manifestcomparators"
+	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
+	"k8s.io/apimachinery/pkg/util/validation/field"
+)
+
+// ChangeValidation is a function that accepts a FieldDiff
+// as a parameter and should return:
+// - a boolean representation of whether or not the change
+// - an error if the change would be unsafe
+// has been fully handled (i.e no additional changes exist)
+type ChangeValidation func(diff FieldDiff) (bool, error)
+
+// ChangeValidator is a Validation implementation focused on
+// handling updates to existing fields in a CRD
+type ChangeValidator struct {
+	// Validations is a slice of ChangeValidations
+	// to run against each changed field
+	Validations []ChangeValidation
+}
+
+func (cv *ChangeValidator) Name() string {
+	return "ChangeValidator"
+}
+
+// Validate will compare each version in the provided existing and new CRDs.
+// Since the ChangeValidator is tailored to handling updates to existing fields in
+// each version of a CRD. As such the following is assumed:
+// - Validating the removal of versions during an update is handled outside of this
+// validator. If a version in the existing version of the CRD does not exist in the new
+// version that version of the CRD is skipped in this validator.
+// - Removal of existing fields is unsafe. Regardless of whether or not this is handled
+// by a validator outside this one, if a field is present in a version provided by the existing CRD
+// but not present in the same version provided by the new CRD this validation will fail.
+//
+// Additionally, any changes that are not validated and handled by the known ChangeValidations
+// are deemed as unsafe and returns an error.
+func (cv *ChangeValidator) Validate(old, new apiextensionsv1.CustomResourceDefinition) error {
+	errs := []error{}
+	for _, version := range old.Spec.Versions {
+		newVersion := manifestcomparators.GetVersionByName(&new, version.Name)
+		if newVersion == nil {
+			// if the new version doesn't exist skip this version
+			continue
+		}
+		flatOld := FlattenSchema(version.Schema.OpenAPIV3Schema)
+		flatNew := FlattenSchema(newVersion.Schema.OpenAPIV3Schema)
+
+		diffs, err := CalculateFlatSchemaDiff(flatOld, flatNew)
+		if err != nil {
+			errs = append(errs, fmt.Errorf("calculating schema diff for CRD version %q", version.Name))
+			continue
+		}
+
+		for field, diff := range diffs {
+			handled := false
+			for _, validation := range cv.Validations {
+				ok, err := validation(diff)
+				if err != nil {
+					errs = append(errs, fmt.Errorf("version %q, field %q: %w", version.Name, field, err))
+				}
+				if ok {
+					handled = true
+					break
+				}
+			}
+
+			if !handled {
+				errs = append(errs, fmt.Errorf("version %q, field %q has unknown change, refusing to determine that change is safe", version.Name, field))
+			}
+		}
+	}
+
+	if len(errs) > 0 {
+		return errors.Join(errs...)
+	}
+	return nil
+}
+
+type FieldDiff struct {
+	Old *apiextensionsv1.JSONSchemaProps
+	New *apiextensionsv1.JSONSchemaProps
+}
+
+// FlatSchema is a flat representation of a CRD schema.
+type FlatSchema map[string]*apiextensionsv1.JSONSchemaProps
+
+// FlattenSchema takes in a CRD version OpenAPIV3Schema and returns
+// a flattened representation of it. For example, a CRD with a schema of:
+// ```yaml
+//
+//	...
+//	spec:
+//	  type: object
+//	  properties:
+//	    foo:
+//	      type: string
+//	    bar:
+//	      type: string
+//	...
+//
+// ```
+// would be represented as:
+//
+//	map[string]*apiextensionsv1.JSONSchemaProps{
+//	   "^": {},
+//	   "^.spec": {},
+//	   "^.spec.foo": {},
+//	   "^.spec.bar": {},
+//	}
+//
+// where "^" represents the "root" schema
+func FlattenSchema(schema *apiextensionsv1.JSONSchemaProps) FlatSchema {
+	fieldMap := map[string]*apiextensionsv1.JSONSchemaProps{}
+
+	manifestcomparators.SchemaHas(schema,
+		field.NewPath("^"),
+		field.NewPath("^"),
+		nil,
+		func(s *apiextensionsv1.JSONSchemaProps, _, simpleLocation *field.Path, _ []*apiextensionsv1.JSONSchemaProps) bool {
+			fieldMap[simpleLocation.String()] = s.DeepCopy()
+			return false
+		})
+
+	return fieldMap
+}
+
+// CalculateFlatSchemaDiff finds fields in a FlatSchema that are different
+// and returns a mapping of field --> old and new field schemas. If a field
+// exists in the old FlatSchema but not the new an empty diff mapping and an error is returned.
+func CalculateFlatSchemaDiff(o, n FlatSchema) (map[string]FieldDiff, error) {
+	diffMap := map[string]FieldDiff{}
+	for field, schema := range o {
+		if _, ok := n[field]; !ok {
+			return diffMap, fmt.Errorf("field %q in existing not found in new", field)
+		}
+		newSchema := n[field]
+
+		// Copy the schemas and remove any child properties for comparison.
+		// In theory this will focus in on detecting changes for only the
+		// field we are looking at and ignore changes in the children fields.
+		// Since we are iterating through the map that should have all fields
+		// we should still detect changes in the children fields.
+		oldCopy := schema.DeepCopy()
+		newCopy := newSchema.DeepCopy()
+		oldCopy.Properties, oldCopy.Items = nil, nil
+		newCopy.Properties, newCopy.Items = nil, nil
+		if !reflect.DeepEqual(oldCopy, newCopy) {
+			diffMap[field] = FieldDiff{
+				Old: oldCopy,
+				New: newCopy,
+			}
+		}
+	}
+	return diffMap, nil
+}

internal/rukpak/preflights/crdupgradesafety/change_validator.go

@@ -0,0 +1,327 @@
+// Originally copied from https://github.com/carvel-dev/kapp/tree/d7fc2e15439331aa3a379485bb124e91a0829d2e
+// Attribution:
+//   Copyright 2024 The Carvel Authors.
+//   SPDX-License-Identifier: Apache-2.0
+
+package crdupgradesafety_test
+
+import (
+	"errors"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
+
+	"github.com/operator-framework/operator-controller/internal/rukpak/preflights/crdupgradesafety"
+)
+
+func TestCalculateFlatSchemaDiff(t *testing.T) {
+	for _, tc := range []struct {
+		name         string
+		old          crdupgradesafety.FlatSchema
+		new          crdupgradesafety.FlatSchema
+		expectedDiff map[string]crdupgradesafety.FieldDiff
+		shouldError  bool
+	}{
+		{
+			name: "no diff in schemas, empty diff, no error",
+			old: crdupgradesafety.FlatSchema{
+				"foo": &apiextensionsv1.JSONSchemaProps{},
+			},
+			new: crdupgradesafety.FlatSchema{
+				"foo": &apiextensionsv1.JSONSchemaProps{},
+			},
+			expectedDiff: map[string]crdupgradesafety.FieldDiff{},
+		},
+		{
+			name: "diff in schemas, diff returned, no error",
+			old: crdupgradesafety.FlatSchema{
+				"foo": &apiextensionsv1.JSONSchemaProps{},
+			},
+			new: crdupgradesafety.FlatSchema{
+				"foo": &apiextensionsv1.JSONSchemaProps{
+					ID: "bar",
+				},
+			},
+			expectedDiff: map[string]crdupgradesafety.FieldDiff{
+				"foo": {
+					Old: &apiextensionsv1.JSONSchemaProps{},
+					New: &apiextensionsv1.JSONSchemaProps{ID: "bar"},
+				},
+			},
+		},
+		{
+			name: "diff in child properties only, no diff returned, no error",
+			old: crdupgradesafety.FlatSchema{
+				"foo": &apiextensionsv1.JSONSchemaProps{
+					Properties: map[string]apiextensionsv1.JSONSchemaProps{
+						"bar": {ID: "bar"},
+					},
+				},
+			},
+			new: crdupgradesafety.FlatSchema{
+				"foo": &apiextensionsv1.JSONSchemaProps{
+					Properties: map[string]apiextensionsv1.JSONSchemaProps{
+						"bar": {ID: "baz"},
+					},
+				},
+			},
+			expectedDiff: map[string]crdupgradesafety.FieldDiff{},
+		},
+		{
+			name: "diff in child items only, no diff returned, no error",
+			old: crdupgradesafety.FlatSchema{
+				"foo": &apiextensionsv1.JSONSchemaProps{
+					Items: &apiextensionsv1.JSONSchemaPropsOrArray{Schema: &apiextensionsv1.JSONSchemaProps{ID: "bar"}},
+				},
+			},
+			new: crdupgradesafety.FlatSchema{
+				"foo": &apiextensionsv1.JSONSchemaProps{
+					Items: &apiextensionsv1.JSONSchemaPropsOrArray{Schema: &apiextensionsv1.JSONSchemaProps{ID: "baz"}},
+				},
+			},
+			expectedDiff: map[string]crdupgradesafety.FieldDiff{},
+		},
+		{
+			name: "field exists in old but not new, no diff returned, error",
+			old: crdupgradesafety.FlatSchema{
+				"foo": &apiextensionsv1.JSONSchemaProps{},
+			},
+			new: crdupgradesafety.FlatSchema{
+				"bar": &apiextensionsv1.JSONSchemaProps{},
+			},
+			expectedDiff: map[string]crdupgradesafety.FieldDiff{},
+			shouldError:  true,
+		},
+	} {
+		t.Run(tc.name, func(t *testing.T) {
+			diff, err := crdupgradesafety.CalculateFlatSchemaDiff(tc.old, tc.new)
+			assert.Equal(t, tc.shouldError, err != nil, "should error? - %v", tc.shouldError)
+			assert.Equal(t, tc.expectedDiff, diff)
+		})
+	}
+}
+
+func TestFlattenSchema(t *testing.T) {
+	schema := &apiextensionsv1.JSONSchemaProps{
+		Properties: map[string]apiextensionsv1.JSONSchemaProps{
+			"foo": {
+				Properties: map[string]apiextensionsv1.JSONSchemaProps{
+					"bar": {},
+				},
+			},
+			"baz": {},
+		},
+	}
+
+	foo := schema.Properties["foo"]
+	foobar := schema.Properties["foo"].Properties["bar"]
+	baz := schema.Properties["baz"]
+	expected := crdupgradesafety.FlatSchema{
+		"^":         schema,
+		"^.foo":     &foo,
+		"^.foo.bar": &foobar,
+		"^.baz":     &baz,
+	}
+
+	actual := crdupgradesafety.FlattenSchema(schema)
+
+	assert.Equal(t, expected, actual)
+}
+
+func TestChangeValidator(t *testing.T) {
+	for _, tc := range []struct {
+		name            string
+		changeValidator *crdupgradesafety.ChangeValidator
+		old             apiextensionsv1.CustomResourceDefinition
+		new             apiextensionsv1.CustomResourceDefinition
+		shouldError     bool
+	}{
+		{
+			name: "no changes, no error",
+			changeValidator: &crdupgradesafety.ChangeValidator{
+				Validations: []crdupgradesafety.ChangeValidation{
+					func(_ crdupgradesafety.FieldDiff) (bool, error) {
+						return false, errors.New("should not run")
+					},
+				},
+			},
+			old: apiextensionsv1.CustomResourceDefinition{
+				Spec: apiextensionsv1.CustomResourceDefinitionSpec{
+					Versions: []apiextensionsv1.CustomResourceDefinitionVersion{
+						{
+							Name: "v1alpha1",
+							Schema: &apiextensionsv1.CustomResourceValidation{
+								OpenAPIV3Schema: &apiextensionsv1.JSONSchemaProps{},
+							},
+						},
+					},
+				},
+			},
+			new: apiextensionsv1.CustomResourceDefinition{
+				Spec: apiextensionsv1.CustomResourceDefinitionSpec{
+					Versions: []apiextensionsv1.CustomResourceDefinitionVersion{
+						{
+							Name: "v1alpha1",
+							Schema: &apiextensionsv1.CustomResourceValidation{
+								OpenAPIV3Schema: &apiextensionsv1.JSONSchemaProps{},
+							},
+						},
+					},
+				},
+			},
+		},
+		{
+			name: "changes, validation successful, change is fully handled, no error",
+			changeValidator: &crdupgradesafety.ChangeValidator{
+				Validations: []crdupgradesafety.ChangeValidation{
+					func(_ crdupgradesafety.FieldDiff) (bool, error) {
+						return true, nil
+					},
+				},
+			},
+			old: apiextensionsv1.CustomResourceDefinition{
+				Spec: apiextensionsv1.CustomResourceDefinitionSpec{
+					Versions: []apiextensionsv1.CustomResourceDefinitionVersion{
+						{
+							Name: "v1alpha1",
+							Schema: &apiextensionsv1.CustomResourceValidation{
+								OpenAPIV3Schema: &apiextensionsv1.JSONSchemaProps{},
+							},
+						},
+					},
+				},
+			},
+			new: apiextensionsv1.CustomResourceDefinition{
+				Spec: apiextensionsv1.CustomResourceDefinitionSpec{
+					Versions: []apiextensionsv1.CustomResourceDefinitionVersion{
+						{
+							Name: "v1alpha1",
+							Schema: &apiextensionsv1.CustomResourceValidation{
+								OpenAPIV3Schema: &apiextensionsv1.JSONSchemaProps{
+									ID: "foo",
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+		{
+			name: "changes, validation successful, change not fully handled, error",
+			changeValidator: &crdupgradesafety.ChangeValidator{
+				Validations: []crdupgradesafety.ChangeValidation{
+					func(_ crdupgradesafety.FieldDiff) (bool, error) {
+						return false, nil
+					},
+				},
+			},
+			old: apiextensionsv1.CustomResourceDefinition{
+				Spec: apiextensionsv1.CustomResourceDefinitionSpec{
+					Versions: []apiextensionsv1.CustomResourceDefinitionVersion{
+						{
+							Name: "v1alpha1",
+							Schema: &apiextensionsv1.CustomResourceValidation{
+								OpenAPIV3Schema: &apiextensionsv1.JSONSchemaProps{},
+							},
+						},
+					},
+				},
+			},
+			new: apiextensionsv1.CustomResourceDefinition{
+				Spec: apiextensionsv1.CustomResourceDefinitionSpec{
+					Versions: []apiextensionsv1.CustomResourceDefinitionVersion{
+						{
+							Name: "v1alpha1",
+							Schema: &apiextensionsv1.CustomResourceValidation{
+								OpenAPIV3Schema: &apiextensionsv1.JSONSchemaProps{
+									ID: "foo",
+								},
+							},
+						},
+					},
+				},
+			},
+			shouldError: true,
+		},
+		{
+			name: "changes, validation failed, change fully handled, error",
+			changeValidator: &crdupgradesafety.ChangeValidator{
+				Validations: []crdupgradesafety.ChangeValidation{
+					func(_ crdupgradesafety.FieldDiff) (bool, error) {
+						return true, errors.New("fail")
+					},
+				},
+			},
+			old: apiextensionsv1.CustomResourceDefinition{
+				Spec: apiextensionsv1.CustomResourceDefinitionSpec{
+					Versions: []apiextensionsv1.CustomResourceDefinitionVersion{
+						{
+							Name: "v1alpha1",
+							Schema: &apiextensionsv1.CustomResourceValidation{
+								OpenAPIV3Schema: &apiextensionsv1.JSONSchemaProps{},
+							},
+						},
+					},
+				},
+			},
+			new: apiextensionsv1.CustomResourceDefinition{
+				Spec: apiextensionsv1.CustomResourceDefinitionSpec{
+					Versions: []apiextensionsv1.CustomResourceDefinitionVersion{
+						{
+							Name: "v1alpha1",
+							Schema: &apiextensionsv1.CustomResourceValidation{
+								OpenAPIV3Schema: &apiextensionsv1.JSONSchemaProps{
+									ID: "foo",
+								},
+							},
+						},
+					},
+				},
+			},
+			shouldError: true,
+		},
+		{
+			name: "changes, validation failed, change not fully handled, error",
+			changeValidator: &crdupgradesafety.ChangeValidator{
+				Validations: []crdupgradesafety.ChangeValidation{
+					func(_ crdupgradesafety.FieldDiff) (bool, error) {
+						return false, errors.New("fail")
+					},
+				},
+			},
+			old: apiextensionsv1.CustomResourceDefinition{
+				Spec: apiextensionsv1.CustomResourceDefinitionSpec{
+					Versions: []apiextensionsv1.CustomResourceDefinitionVersion{
+						{
+							Name: "v1alpha1",
+							Schema: &apiextensionsv1.CustomResourceValidation{
+								OpenAPIV3Schema: &apiextensionsv1.JSONSchemaProps{},
+							},
+						},
+					},
+				},
+			},
+			new: apiextensionsv1.CustomResourceDefinition{
+				Spec: apiextensionsv1.CustomResourceDefinitionSpec{
+					Versions: []apiextensionsv1.CustomResourceDefinitionVersion{
+						{
+							Name: "v1alpha1",
+							Schema: &apiextensionsv1.CustomResourceValidation{
+								OpenAPIV3Schema: &apiextensionsv1.JSONSchemaProps{
+									ID: "foo",
+								},
+							},
+						},
+					},
+				},
+			},
+			shouldError: true,
+		},
+	} {
+		t.Run(tc.name, func(t *testing.T) {
+			err := tc.changeValidator.Validate(tc.old, tc.new)
+			assert.Equal(t, tc.shouldError, err != nil, "should error? - %v", tc.shouldError)
+		})
+	}
+}

internal/rukpak/preflights/crdupgradesafety/change_validator_test.go

@@ -8,14 +8,13 @@ import (
 	"reflect"
 	"slices"
 
-	kappcus "carvel.dev/kapp/pkg/kapp/crdupgradesafety"
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	"k8s.io/apimachinery/pkg/util/sets"
 	versionhelper "k8s.io/apimachinery/pkg/version"
 )
 
 type ServedVersionValidator struct {
-	Validations []kappcus.ChangeValidation
+	Validations []ChangeValidation
 }
 
 func (c *ServedVersionValidator) Validate(old, new apiextensionsv1.CustomResourceDefinition) error {
@@ -38,9 +37,9 @@ func (c *ServedVersionValidator) Validate(old, new apiextensionsv1.CustomResourc
 
 	for i, oldVersion := range servedVersions[:len(servedVersions)-1] {
 		for _, newVersion := range servedVersions[i+1:] {
-			flatOld := kappcus.FlattenSchema(oldVersion.Schema.OpenAPIV3Schema)
-			flatNew := kappcus.FlattenSchema(newVersion.Schema.OpenAPIV3Schema)
-			diffs, err := kappcus.CalculateFlatSchemaDiff(flatOld, flatNew)
+			flatOld := FlattenSchema(oldVersion.Schema.OpenAPIV3Schema)
+			flatNew := FlattenSchema(newVersion.Schema.OpenAPIV3Schema)
+			diffs, err := CalculateFlatSchemaDiff(flatOld, flatNew)
 			if err != nil {
 				errs = append(errs, fmt.Errorf("calculating schema diff between CRD versions %q and %q", oldVersion.Name, newVersion.Name))
 				continue
@@ -75,15 +74,15 @@ func (c *ServedVersionValidator) Name() string {
 	return "ServedVersionValidator"
 }
 
-type resetFunc func(diff kappcus.FieldDiff) kappcus.FieldDiff
+type resetFunc func(diff FieldDiff) FieldDiff
 
-func isHandled(diff kappcus.FieldDiff, reset resetFunc) bool {
+func isHandled(diff FieldDiff, reset resetFunc) bool {
 	diff = reset(diff)
 	return reflect.DeepEqual(diff.Old, diff.New)
 }
 
-func Enum(diff kappcus.FieldDiff) (bool, error) {
-	reset := func(diff kappcus.FieldDiff) kappcus.FieldDiff {
+func Enum(diff FieldDiff) (bool, error) {
+	reset := func(diff FieldDiff) FieldDiff {
 		diff.Old.Enum = []apiextensionsv1.JSON{}
 		diff.New.Enum = []apiextensionsv1.JSON{}
 		return diff
@@ -111,8 +110,8 @@ func Enum(diff kappcus.FieldDiff) (bool, error) {
 	return isHandled(diff, reset), err
 }
 
-func Required(diff kappcus.FieldDiff) (bool, error) {
-	reset := func(diff kappcus.FieldDiff) kappcus.FieldDiff {
+func Required(diff FieldDiff) (bool, error) {
+	reset := func(diff FieldDiff) FieldDiff {
 		diff.Old.Required = []string{}
 		diff.New.Required = []string{}
 		return diff
@@ -141,8 +140,8 @@ func maxVerification[T cmp.Ordered](older *T, newer *T) error {
 	return err
 }
 
-func Maximum(diff kappcus.FieldDiff) (bool, error) {
-	reset := func(diff kappcus.FieldDiff) kappcus.FieldDiff {
+func Maximum(diff FieldDiff) (bool, error) {
+	reset := func(diff FieldDiff) FieldDiff {
 		diff.Old.Maximum = nil
 		diff.New.Maximum = nil
 		return diff
@@ -156,8 +155,8 @@ func Maximum(diff kappcus.FieldDiff) (bool, error) {
 	return isHandled(diff, reset), err
 }
 
-func MaxItems(diff kappcus.FieldDiff) (bool, error) {
-	reset := func(diff kappcus.FieldDiff) kappcus.FieldDiff {
+func MaxItems(diff FieldDiff) (bool, error) {
+	reset := func(diff FieldDiff) FieldDiff {
 		diff.Old.MaxItems = nil
 		diff.New.MaxItems = nil
 		return diff
@@ -171,8 +170,8 @@ func MaxItems(diff kappcus.FieldDiff) (bool, error) {
 	return isHandled(diff, reset), err
 }
 
-func MaxLength(diff kappcus.FieldDiff) (bool, error) {
-	reset := func(diff kappcus.FieldDiff) kappcus.FieldDiff {
+func MaxLength(diff FieldDiff) (bool, error) {
+	reset := func(diff FieldDiff) FieldDiff {
 		diff.Old.MaxLength = nil
 		diff.New.MaxLength = nil
 		return diff
@@ -186,8 +185,8 @@ func MaxLength(diff kappcus.FieldDiff) (bool, error) {
 	return isHandled(diff, reset), err
 }
 
-func MaxProperties(diff kappcus.FieldDiff) (bool, error) {
-	reset := func(diff kappcus.FieldDiff) kappcus.FieldDiff {
+func MaxProperties(diff FieldDiff) (bool, error) {
+	reset := func(diff FieldDiff) FieldDiff {
 		diff.Old.MaxProperties = nil
 		diff.New.MaxProperties = nil
 		return diff
@@ -212,8 +211,8 @@ func minVerification[T cmp.Ordered](older *T, newer *T) error {
 	return err
 }
 
-func Minimum(diff kappcus.FieldDiff) (bool, error) {
-	reset := func(diff kappcus.FieldDiff) kappcus.FieldDiff {
+func Minimum(diff FieldDiff) (bool, error) {
+	reset := func(diff FieldDiff) FieldDiff {
 		diff.Old.Minimum = nil
 		diff.New.Minimum = nil
 		return diff
@@ -227,8 +226,8 @@ func Minimum(diff kappcus.FieldDiff) (bool, error) {
 	return isHandled(diff, reset), err
 }
 
-func MinItems(diff kappcus.FieldDiff) (bool, error) {
-	reset := func(diff kappcus.FieldDiff) kappcus.FieldDiff {
+func MinItems(diff FieldDiff) (bool, error) {
+	reset := func(diff FieldDiff) FieldDiff {
 		diff.Old.MinItems = nil
 		diff.New.MinItems = nil
 		return diff
@@ -242,8 +241,8 @@ func MinItems(diff kappcus.FieldDiff) (bool, error) {
 	return isHandled(diff, reset), err
 }
 
-func MinLength(diff kappcus.FieldDiff) (bool, error) {
-	reset := func(diff kappcus.FieldDiff) kappcus.FieldDiff {
+func MinLength(diff FieldDiff) (bool, error) {
+	reset := func(diff FieldDiff) FieldDiff {
 		diff.Old.MinLength = nil
 		diff.New.MinLength = nil
 		return diff
@@ -257,8 +256,8 @@ func MinLength(diff kappcus.FieldDiff) (bool, error) {
 	return isHandled(diff, reset), err
 }
 
-func MinProperties(diff kappcus.FieldDiff) (bool, error) {
-	reset := func(diff kappcus.FieldDiff) kappcus.FieldDiff {
+func MinProperties(diff FieldDiff) (bool, error) {
+	reset := func(diff FieldDiff) FieldDiff {
 		diff.Old.MinProperties = nil
 		diff.New.MinProperties = nil
 		return diff
@@ -272,8 +271,8 @@ func MinProperties(diff kappcus.FieldDiff) (bool, error) {
 	return isHandled(diff, reset), err
 }
 
-func Default(diff kappcus.FieldDiff) (bool, error) {
-	reset := func(diff kappcus.FieldDiff) kappcus.FieldDiff {
+func Default(diff FieldDiff) (bool, error) {
+	reset := func(diff FieldDiff) FieldDiff {
 		diff.Old.Default = nil
 		diff.New.Default = nil
 		return diff
@@ -293,8 +292,8 @@ func Default(diff kappcus.FieldDiff) (bool, error) {
 	return isHandled(diff, reset), err
 }
 
-func Type(diff kappcus.FieldDiff) (bool, error) {
-	reset := func(diff kappcus.FieldDiff) kappcus.FieldDiff {
+func Type(diff FieldDiff) (bool, error) {
+	reset := func(diff FieldDiff) FieldDiff {
 		diff.Old.Type = ""
 		diff.New.Type = ""
 		return diff

internal/rukpak/preflights/crdupgradesafety/checks.go

@@ -6,7 +6,6 @@ import (
 	"fmt"
 	"strings"
 
-	kappcus "carvel.dev/kapp/pkg/kapp/crdupgradesafety"
 	"helm.sh/helm/v3/pkg/release"
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	apiextensionsv1client "k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset/typed/apiextensions/v1"
@@ -19,19 +18,19 @@ import (
 
 type Option func(p *Preflight)
 
-func WithValidator(v *kappcus.Validator) Option {
+func WithValidator(v *Validator) Option {
 	return func(p *Preflight) {
 		p.validator = v
 	}
 }
 
 type Preflight struct {
 	crdClient apiextensionsv1client.CustomResourceDefinitionInterface
-	validator *kappcus.Validator
+	validator *Validator
 }
 
 func NewPreflight(crdCli apiextensionsv1client.CustomResourceDefinitionInterface, opts ...Option) *Preflight {
-	changeValidations := []kappcus.ChangeValidation{
+	changeValidations := []ChangeValidation{
 		Enum,
 		Required,
 		Maximum,
@@ -48,13 +47,13 @@ func NewPreflight(crdCli apiextensionsv1client.CustomResourceDefinitionInterface
 	p := &Preflight{
 		crdClient: crdCli,
 		// create a default validator. Can be overridden via the options
-		validator: &kappcus.Validator{
-			Validations: []kappcus.Validation{
-				kappcus.NewValidationFunc("NoScopeChange", kappcus.NoScopeChange),
-				kappcus.NewValidationFunc("NoStoredVersionRemoved", kappcus.NoStoredVersionRemoved),
-				kappcus.NewValidationFunc("NoExistingFieldRemoved", kappcus.NoExistingFieldRemoved),
+		validator: &Validator{
+			Validations: []Validation{
+				NewValidationFunc("NoScopeChange", NoScopeChange),
+				NewValidationFunc("NoStoredVersionRemoved", NoStoredVersionRemoved),
+				NewValidationFunc("NoExistingFieldRemoved", NoExistingFieldRemoved),
 				&ServedVersionValidator{Validations: changeValidations},
-				&kappcus.ChangeValidator{Validations: changeValidations},
+				&ChangeValidator{Validations: changeValidations},
 			},
 		},
 	}

internal/rukpak/preflights/crdupgradesafety/checks_test.go

@@ -7,7 +7,6 @@ import (
 	"strings"
 	"testing"
 
-	kappcus "carvel.dev/kapp/pkg/kapp/crdupgradesafety"
 	"github.com/stretchr/testify/require"
 	"helm.sh/helm/v3/pkg/release"
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
@@ -31,7 +30,7 @@ func (c *MockCRDGetter) Get(ctx context.Context, name string, options metav1.Get
 	return c.oldCrd, c.getErr
 }
 
-func newMockPreflight(crd *apiextensionsv1.CustomResourceDefinition, err error, customValidator *kappcus.Validator) *crdupgradesafety.Preflight {
+func newMockPreflight(crd *apiextensionsv1.CustomResourceDefinition, err error, customValidator *crdupgradesafety.Validator) *crdupgradesafety.Preflight {
 	var preflightOpts []crdupgradesafety.Option
 	if customValidator != nil {
 		preflightOpts = append(preflightOpts, crdupgradesafety.WithValidator(customValidator))
@@ -76,7 +75,7 @@ func TestInstall(t *testing.T) {
 	tests := []struct {
 		name          string
 		oldCrdPath    string
-		validator     *kappcus.Validator
+		validator     *crdupgradesafety.Validator
 		release       *release.Release
 		wantErrMsgs   []string
 		wantCrdGetErr error
@@ -137,9 +136,9 @@ func TestInstall(t *testing.T) {
 				Name:     "test-release",
 				Manifest: getManifestString(t, "old-crd.json"),
 			},
-			validator: &kappcus.Validator{
-				Validations: []kappcus.Validation{
-					kappcus.NewValidationFunc("test", func(old, new apiextensionsv1.CustomResourceDefinition) error {
+			validator: &crdupgradesafety.Validator{
+				Validations: []crdupgradesafety.Validation{
+					crdupgradesafety.NewValidationFunc("test", func(old, new apiextensionsv1.CustomResourceDefinition) error {
 						return fmt.Errorf("custom validation error!!")
 					}),
 				},
@@ -213,7 +212,7 @@ func TestUpgrade(t *testing.T) {
 	tests := []struct {
 		name          string
 		oldCrdPath    string
-		validator     *kappcus.Validator
+		validator     *crdupgradesafety.Validator
 		release       *release.Release
 		wantErrMsgs   []string
 		wantCrdGetErr error
@@ -274,9 +273,9 @@ func TestUpgrade(t *testing.T) {
 				Name:     "test-release",
 				Manifest: getManifestString(t, "old-crd.json"),
 			},
-			validator: &kappcus.Validator{
-				Validations: []kappcus.Validation{
-					kappcus.NewValidationFunc("test", func(old, new apiextensionsv1.CustomResourceDefinition) error {
+			validator: &crdupgradesafety.Validator{
+				Validations: []crdupgradesafety.Validation{
+					crdupgradesafety.NewValidationFunc("test", func(old, new apiextensionsv1.CustomResourceDefinition) error {
 						return fmt.Errorf("custom validation error!!")
 					}),
 				},

internal/rukpak/preflights/crdupgradesafety/crdupgradesafety.go

@@ -0,0 +1,123 @@
+// Originally copied from https://github.com/carvel-dev/kapp/tree/d7fc2e15439331aa3a379485bb124e91a0829d2e
+// Attribution:
+//   Copyright 2024 The Carvel Authors.
+//   SPDX-License-Identifier: Apache-2.0
+
+package crdupgradesafety
+
+import (
+	"errors"
+	"fmt"
+	"strings"
+
+	"github.com/openshift/crd-schema-checker/pkg/manifestcomparators"
+	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
+	"k8s.io/apimachinery/pkg/util/sets"
+)
+
+// Validation is a representation of a validation to run
+// against a CRD being upgraded
+type Validation interface {
+	// Validate contains the actual validation logic. An error being
+	// returned means validation has failed
+	Validate(old, new apiextensionsv1.CustomResourceDefinition) error
+	// Name returns a human-readable name for the validation
+	Name() string
+}
+
+// ValidateFunc is a function to validate a CustomResourceDefinition
+// for safe upgrades. It accepts the old and new CRDs and returns an
+// error if performing an upgrade from old -> new is unsafe.
+type ValidateFunc func(old, new apiextensionsv1.CustomResourceDefinition) error
+
+// ValidationFunc is a helper to wrap a ValidateFunc
+// as an implementation of the Validation interface
+type ValidationFunc struct {
+	name         string
+	validateFunc ValidateFunc
+}
+
+func NewValidationFunc(name string, vfunc ValidateFunc) Validation {
+	return &ValidationFunc{
+		name:         name,
+		validateFunc: vfunc,
+	}
+}
+
+func (vf *ValidationFunc) Name() string {
+	return vf.name
+}
+
+func (vf *ValidationFunc) Validate(old, new apiextensionsv1.CustomResourceDefinition) error {
+	return vf.validateFunc(old, new)
+}
+
+type Validator struct {
+	Validations []Validation
+}
+
+func (v *Validator) Validate(old, new apiextensionsv1.CustomResourceDefinition) error {
+	validateErrs := []error{}
+	for _, validation := range v.Validations {
+		if err := validation.Validate(old, new); err != nil {
+			formattedErr := fmt.Errorf("CustomResourceDefinition %s failed upgrade safety validation. %q validation failed: %w",
+				new.Name, validation.Name(), err)
+
+			validateErrs = append(validateErrs, formattedErr)
+		}
+	}
+	if len(validateErrs) > 0 {
+		return errors.Join(validateErrs...)
+	}
+	return nil
+}
+
+func NoScopeChange(old, new apiextensionsv1.CustomResourceDefinition) error {
+	if old.Spec.Scope != new.Spec.Scope {
+		return fmt.Errorf("scope changed from %q to %q", old.Spec.Scope, new.Spec.Scope)
+	}
+	return nil
+}
+
+func NoStoredVersionRemoved(old, new apiextensionsv1.CustomResourceDefinition) error {
+	newVersions := sets.New[string]()
+	for _, version := range new.Spec.Versions {
+		if !newVersions.Has(version.Name) {
+			newVersions.Insert(version.Name)
+		}
+	}
+
+	for _, storedVersion := range old.Status.StoredVersions {
+		if !newVersions.Has(storedVersion) {
+			return fmt.Errorf("stored version %q removed", storedVersion)
+		}
+	}
+
+	return nil
+}
+
+func NoExistingFieldRemoved(old, new apiextensionsv1.CustomResourceDefinition) error {
+	reg := manifestcomparators.NewRegistry()
+	err := reg.AddComparator(manifestcomparators.NoFieldRemoval())
+	if err != nil {
+		return err
+	}
+
+	results, errs := reg.Compare(&old, &new)
+	if len(errs) > 0 {
+		return errors.Join(errs...)
+	}
+
+	errSet := []error{}
+
+	for _, result := range results {
+		if len(result.Errors) > 0 {
+			errSet = append(errSet, errors.New(strings.Join(result.Errors, "\n")))
+		}
+	}
+	if len(errSet) > 0 {
+		return errors.Join(errSet...)
+	}
+
+	return nil
+}

internal/rukpak/preflights/crdupgradesafety/crdupgradesafety_test.go

@@ -0,0 +1,340 @@
+// Originally copied from https://github.com/carvel-dev/kapp/tree/d7fc2e15439331aa3a379485bb124e91a0829d2e
+// Attribution:
+//   Copyright 2024 The Carvel Authors.
+//   SPDX-License-Identifier: Apache-2.0
+
+package crdupgradesafety
+
+import (
+	"errors"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
+)
+
+func TestValidator(t *testing.T) {
+	for _, tc := range []struct {
+		name        string
+		validations []Validation
+		shouldErr   bool
+	}{
+		{
+			name:        "no validators, no error",
+			validations: []Validation{},
+		},
+		{
+			name: "passing validator, no error",
+			validations: []Validation{
+				NewValidationFunc("pass", func(_, _ apiextensionsv1.CustomResourceDefinition) error {
+					return nil
+				}),
+			},
+		},
+		{
+			name: "failing validator, error",
+			validations: []Validation{
+				NewValidationFunc("fail", func(_, _ apiextensionsv1.CustomResourceDefinition) error {
+					return errors.New("boom")
+				}),
+			},
+			shouldErr: true,
+		},
+		{
+			name: "passing+failing validator, error",
+			validations: []Validation{
+				NewValidationFunc("pass", func(_, _ apiextensionsv1.CustomResourceDefinition) error {
+					return nil
+				}),
+				NewValidationFunc("fail", func(_, _ apiextensionsv1.CustomResourceDefinition) error {
+					return errors.New("boom")
+				}),
+			},
+			shouldErr: true,
+		},
+	} {
+		t.Run(tc.name, func(t *testing.T) {
+			v := Validator{
+				Validations: tc.validations,
+			}
+			var o, n apiextensionsv1.CustomResourceDefinition
+
+			err := v.Validate(o, n)
+			require.Equal(t, tc.shouldErr, err != nil)
+		})
+	}
+}
+
+func TestNoScopeChange(t *testing.T) {
+	for _, tc := range []struct {
+		name        string
+		old         apiextensionsv1.CustomResourceDefinition
+		new         apiextensionsv1.CustomResourceDefinition
+		shouldError bool
+	}{
+		{
+			name: "no scope change, no error",
+			old: apiextensionsv1.CustomResourceDefinition{
+				Spec: apiextensionsv1.CustomResourceDefinitionSpec{
+					Scope: apiextensionsv1.ClusterScoped,
+				},
+			},
+			new: apiextensionsv1.CustomResourceDefinition{
+				Spec: apiextensionsv1.CustomResourceDefinitionSpec{
+					Scope: apiextensionsv1.ClusterScoped,
+				},
+			},
+		},
+		{
+			name: "scope change, error",
+			old: apiextensionsv1.CustomResourceDefinition{
+				Spec: apiextensionsv1.CustomResourceDefinitionSpec{
+					Scope: apiextensionsv1.ClusterScoped,
+				},
+			},
+			new: apiextensionsv1.CustomResourceDefinition{
+				Spec: apiextensionsv1.CustomResourceDefinitionSpec{
+					Scope: apiextensionsv1.NamespaceScoped,
+				},
+			},
+			shouldError: true,
+		},
+	} {
+		t.Run(tc.name, func(t *testing.T) {
+			err := NoScopeChange(tc.old, tc.new)
+			require.Equal(t, tc.shouldError, err != nil)
+		})
+	}
+}
+
+func TestNoStoredVersionRemoved(t *testing.T) {
+	for _, tc := range []struct {
+		name        string
+		old         apiextensionsv1.CustomResourceDefinition
+		new         apiextensionsv1.CustomResourceDefinition
+		shouldError bool
+	}{
+		{
+			name: "no stored versions, no error",
+			new: apiextensionsv1.CustomResourceDefinition{
+				Spec: apiextensionsv1.CustomResourceDefinitionSpec{
+					Versions: []apiextensionsv1.CustomResourceDefinitionVersion{
+						{
+							Name: "v1alpha1",
+						},
+					},
+				},
+			},
+			old: apiextensionsv1.CustomResourceDefinition{},
+		},
+		{
+			name: "stored versions, no stored version removed, no error",
+			new: apiextensionsv1.CustomResourceDefinition{
+				Spec: apiextensionsv1.CustomResourceDefinitionSpec{
+					Versions: []apiextensionsv1.CustomResourceDefinitionVersion{
+						{
+							Name: "v1alpha1",
+						},
+						{
+							Name: "v1alpha2",
+						},
+					},
+				},
+			},
+			old: apiextensionsv1.CustomResourceDefinition{
+				Status: apiextensionsv1.CustomResourceDefinitionStatus{
+					StoredVersions: []string{
+						"v1alpha1",
+					},
+				},
+			},
+		},
+		{
+			name: "stored versions, stored version removed, error",
+			new: apiextensionsv1.CustomResourceDefinition{
+				Spec: apiextensionsv1.CustomResourceDefinitionSpec{
+					Versions: []apiextensionsv1.CustomResourceDefinitionVersion{
+						{
+							Name: "v1alpha2",
+						},
+					},
+				},
+			},
+			old: apiextensionsv1.CustomResourceDefinition{
+				Status: apiextensionsv1.CustomResourceDefinitionStatus{
+					StoredVersions: []string{
+						"v1alpha1",
+					},
+				},
+			},
+			shouldError: true,
+		},
+	} {
+		t.Run(tc.name, func(t *testing.T) {
+			err := NoStoredVersionRemoved(tc.old, tc.new)
+			require.Equal(t, tc.shouldError, err != nil)
+		})
+	}
+}
+
+func TestNoExistingFieldRemoved(t *testing.T) {
+	for _, tc := range []struct {
+		name        string
+		new         apiextensionsv1.CustomResourceDefinition
+		old         apiextensionsv1.CustomResourceDefinition
+		shouldError bool
+	}{
+		{
+			name: "no existing field removed, no error",
+			old: apiextensionsv1.CustomResourceDefinition{
+				Spec: apiextensionsv1.CustomResourceDefinitionSpec{
+					Versions: []apiextensionsv1.CustomResourceDefinitionVersion{
+						{
+							Name: "v1alpha1",
+							Schema: &apiextensionsv1.CustomResourceValidation{
+								OpenAPIV3Schema: &apiextensionsv1.JSONSchemaProps{
+									Type: "object",
+									Properties: map[string]apiextensionsv1.JSONSchemaProps{
+										"fieldOne": {
+											Type: "string",
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			new: apiextensionsv1.CustomResourceDefinition{
+				Spec: apiextensionsv1.CustomResourceDefinitionSpec{
+					Versions: []apiextensionsv1.CustomResourceDefinitionVersion{
+						{
+							Name: "v1alpha1",
+							Schema: &apiextensionsv1.CustomResourceValidation{
+								OpenAPIV3Schema: &apiextensionsv1.JSONSchemaProps{
+									Type: "object",
+									Properties: map[string]apiextensionsv1.JSONSchemaProps{
+										"fieldOne": {
+											Type: "string",
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+		{
+			name: "existing field removed, error",
+			old: apiextensionsv1.CustomResourceDefinition{
+				Spec: apiextensionsv1.CustomResourceDefinitionSpec{
+					Versions: []apiextensionsv1.CustomResourceDefinitionVersion{
+						{
+							Name: "v1alpha1",
+							Schema: &apiextensionsv1.CustomResourceValidation{
+								OpenAPIV3Schema: &apiextensionsv1.JSONSchemaProps{
+									Type: "object",
+									Properties: map[string]apiextensionsv1.JSONSchemaProps{
+										"fieldOne": {
+											Type: "string",
+										},
+										"fieldTwo": {
+											Type: "string",
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			new: apiextensionsv1.CustomResourceDefinition{
+				Spec: apiextensionsv1.CustomResourceDefinitionSpec{
+					Versions: []apiextensionsv1.CustomResourceDefinitionVersion{
+						{
+							Name: "v1alpha1",
+							Schema: &apiextensionsv1.CustomResourceValidation{
+								OpenAPIV3Schema: &apiextensionsv1.JSONSchemaProps{
+									Type: "object",
+									Properties: map[string]apiextensionsv1.JSONSchemaProps{
+										"fieldOne": {
+											Type: "string",
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			shouldError: true,
+		},
+		{
+			name: "new version is added with the field removed, no error",
+			old: apiextensionsv1.CustomResourceDefinition{
+				Spec: apiextensionsv1.CustomResourceDefinitionSpec{
+					Versions: []apiextensionsv1.CustomResourceDefinitionVersion{
+						{
+							Name: "v1alpha1",
+							Schema: &apiextensionsv1.CustomResourceValidation{
+								OpenAPIV3Schema: &apiextensionsv1.JSONSchemaProps{
+									Type: "object",
+									Properties: map[string]apiextensionsv1.JSONSchemaProps{
+										"fieldOne": {
+											Type: "string",
+										},
+										"fieldTwo": {
+											Type: "string",
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			new: apiextensionsv1.CustomResourceDefinition{
+				Spec: apiextensionsv1.CustomResourceDefinitionSpec{
+					Versions: []apiextensionsv1.CustomResourceDefinitionVersion{
+						{
+							Name: "v1alpha1",
+							Schema: &apiextensionsv1.CustomResourceValidation{
+								OpenAPIV3Schema: &apiextensionsv1.JSONSchemaProps{
+									Type: "object",
+									Properties: map[string]apiextensionsv1.JSONSchemaProps{
+										"fieldOne": {
+											Type: "string",
+										},
+										"fieldTwo": {
+											Type: "string",
+										},
+									},
+								},
+							},
+						},
+						{
+							Name: "v1alpha2",
+							Schema: &apiextensionsv1.CustomResourceValidation{
+								OpenAPIV3Schema: &apiextensionsv1.JSONSchemaProps{
+									Type: "object",
+									Properties: map[string]apiextensionsv1.JSONSchemaProps{
+										"fieldOne": {
+											Type: "string",
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+	} {
+		t.Run(tc.name, func(t *testing.T) {
+			err := NoExistingFieldRemoved(tc.old, tc.new)
+			assert.Equal(t, tc.shouldError, err != nil)
+		})
+	}
+}