SAP · AndresNico · Mar 16, 2026 · Mar 16, 2026 · Mar 16, 2026 · Mar 16, 2026
diff --git a/apis/resources/v1alpha1/domain_types.go b/apis/resources/v1alpha1/domain_types.go
@@ -111,6 +111,7 @@ type DomainStatus struct {
 // +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name"
 // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp"
 // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,cloudfoundry}
+// +kubebuilder:validation:XValidation:rule="self.spec.managementPolicies == ['Observe'] || has(self.spec.forProvider.name) || (has(self.spec.forProvider.subDomain) && has(self.spec.forProvider.domain))",message="either name or domain and subDomain must be set"
 type Domain struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`

diff --git a/apis/resources/v1alpha1/orgmember_types.go b/apis/resources/v1alpha1/orgmember_types.go
@@ -13,7 +13,7 @@ type OrgMembersParameters struct {
 	OrgReference `json:",inline"`
 
 	// (String) Org role type to assign to members; see valid role types https://v3-apidocs.cloudfoundry.org/version/3.127.0/index.html#valid-role-types
-	// +kubebuilder:validation:Required
+	// +kubebuilder:validation:Optional
 	// +kubebuilder:validation:Enum=User;Auditor;Manager;BillingManager;Users;Auditors;Managers;BillingManagers
 	RoleType string `json:"roleType"`
 }
@@ -38,6 +38,9 @@ type OrgMembersStatus struct {
 // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp"
 // +kubebuilder:subresource:status
 // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,cloudfoundry}
+// +kubebuilder:validation:XValidation:rule="self.spec.managementPolicies == ['Observe'] || has(self.spec.forProvider.roleType)",message="roleType is required"
+// +kubebuilder:validation:XValidation:rule="self.spec.managementPolicies == ['Observe'] || (has(self.spec.forProvider.orgName) || has(self.spec.forProvider.orgRef) || has(self.spec.forProvider.orgSelector))",message="OrgReference is required: exactly one of orgName, orgRef, or orgSelector must be set"
+// +kubebuilder:validation:XValidation:rule="self.spec.managementPolicies == ['Observe'] || (has(self.spec.forProvider.members) && self.spec.forProvider.members.size() >= 1)",message="Members validation: at least one member must be set"
 type OrgMembers struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`

diff --git a/apis/resources/v1alpha1/orgrole_types.go b/apis/resources/v1alpha1/orgrole_types.go
diff --git a/apis/resources/v1alpha1/role_types.go b/apis/resources/v1alpha1/role_types.go
@@ -74,6 +74,7 @@ type RoleAssignments struct {
 // MemberList includes a list of members and an enforcement policy for role assignment.
 type MemberList struct {
 	// (List of Attributes) List of members (usernames) to assign as org members with the specified role type. Defaults to empty list.
+	// +kubebuilder:validation:Optional
 	Members []*Member `json:"members"`
 
 	// (String) Set to `Lax` to enforce that the role is assigned to AT LEAST those members as defined in this CR. Set to `Strict` to enforce that the role is assigned to EXACTLY those members as defined in this CR and any other members will be removed. Defaults to `Lax`.

diff --git a/apis/resources/v1alpha1/servicecredentialbinding_types.go b/apis/resources/v1alpha1/servicecredentialbinding_types.go
@@ -21,12 +21,8 @@ type ServiceCredentialBindingObservation struct {
 	RetiredKeys []*SCBResource `json:"retiredKeys,omitempty"`
 }
 
-// +kubebuilder:validation:XValidation:rule="!(has(self.type) && self.type == 'app') || !has(self.rotation)",message="rotation cannot be enabled when type is app"
-// +kubebuilder:validation:XValidation:rule="!(has(self.type) && self.type == 'key') || has(self.name)",message="name is required when type is key"
-// +kubebuilder:validation:XValidation:rule="!(has(self.type) && self.type == 'app') || has(self.app) || has(self.appRef) || has(self.appSelector)",message="app, appRef, or appSelector is required when type is app"
 type ServiceCredentialBindingParameters struct {
 	// (String) The type of the service credential binding in Cloud Foundry. Either "key" or "app".
-	// +kubebuilder:validation:Required
 	// +kubebuilder:validation:Enum=key;app
 	// +kubebuilder:default=key
 	Type string `json:"type,omitempty"`
@@ -122,6 +118,12 @@ type SCBResource struct {
 // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp"
 // +kubebuilder:subresource:status
 // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,cloudfoundry}
+// +kubebuilder:validation:XValidation:rule="self.spec.managementPolicies == ['Observe'] || has(self.spec.forProvider.type)",message="type is required"
+// +kubebuilder:validation:XValidation:rule="self.spec.managementPolicies == ['Observe'] || !(has(self.spec.forProvider.type) && self.spec.forProvider.type == 'key') || has(self.spec.forProvider.name)",message="name is required when type is key"
+// +kubebuilder:validation:XValidation:rule="self.spec.managementPolicies == ['Observe'] || !(has(self.spec.forProvider.type) && self.spec.forProvider.type == 'app') || !has(self.spec.forProvider.rotation)",message="rotation cannot be enabled when type is app"
+// +kubebuilder:validation:XValidation:rule="self.spec.managementPolicies == ['Observe'] || !(has(self.spec.forProvider.type) && self.spec.forProvider.type == 'app') || (has(self.spec.forProvider.app) || has(self.spec.forProvider.appRef) || has(self.spec.forProvider.appSelector))",message="AppReference is required: exactly one of app, appRef, or appSelector must be set if type is app"
+// +kubebuilder:validation:XValidation:rule="self.spec.managementPolicies == ['Observe'] || (has(self.spec.forProvider.serviceInstance) || has(self.spec.forProvider.serviceInstanceRef) || has(self.spec.forProvider.serviceInstanceSelector))",message="ServiceInstanceReference is required: exactly one of serviceInstance, serviceInstanceRef, or serviceInstanceSelector must be set"
+// +kubebuilder:validation:XValidation:rule="[has(self.spec.forProvider.parameters), has(self.spec.forProvider.paramsSecretRef)].filter(x, x).size() <= 1",message="ParametersReference validation:either parameters or paramsSecretRef may be set but not both"
 type ServiceCredentialBinding struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`

diff --git a/apis/resources/v1alpha1/serviceinstance_types.go b/apis/resources/v1alpha1/serviceinstance_types.go
diff --git a/apis/resources/v1alpha1/space_types.go b/apis/resources/v1alpha1/space_types.go
diff --git a/apis/resources/v1alpha1/spacemember_types.go b/apis/resources/v1alpha1/spacemember_types.go
@@ -13,8 +13,8 @@ type SpaceMembersParameters struct {
 	SpaceReference `json:",inline"`
 
 	// (String) Space role type to assign to members; see valid role types https://v3-apidocs.cloudfoundry.space/version/3.127.0/index.html#valid-role-types
+	// +kubebuilder:validation:Optional
 	// +kubebuilder:validation:Enum=Developer;Auditor;Manager;Supporter;Developers;Auditors;Managers;Supporters
-	// +kubebuilder:validation:Required
 	RoleType string `json:"roleType"`
 
 	// (Attributes) List of members and enforcement policy for role assignment.
@@ -43,8 +43,9 @@ type SpaceMembersStatus struct {
 // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp"
 // +kubebuilder:subresource:status
 // +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,cloudfoundry}
+// +kubebuilder:validation:XValidation:rule="self.spec.managementPolicies == ['Observe'] || has(self.spec.forProvider.roleType)",message="roleType is required"
 // +kubebuilder:validation:XValidation:rule="self.spec.managementPolicies == ['Observe'] || (has(self.spec.forProvider.spaceName) || has(self.spec.forProvider.spaceRef) || has(self.spec.forProvider.spaceSelector))",message="SpaceReference is required: exactly one of spaceName, spaceRef, or spaceSelector must be set"
-// +kubebuilder:validation:XValidation:rule="[has(self.spec.forProvider.spaceName), has(self.spec.forProvider.spaceRef), has(self.spec.forProvider.spaceSelector)].filter(x, x).size() <= 1",message="SpaceReference validation: only one of spaceName, spaceRef, or spaceSelector can be set"
+// +kubebuilder:validation:XValidation:rule="self.spec.managementPolicies == ['Observe'] || (has(self.spec.forProvider.members) && self.spec.forProvider.members.size() >= 1)",message="Members validation: at least one member must be set"
 type SpaceMembers struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`

diff --git a/apis/resources/v1alpha1/spacerole_types.go b/apis/resources/v1alpha1/spacerole_types.go
diff --git a/package/crds/cloudfoundry.crossplane.io_domains.yaml b/package/crds/cloudfoundry.crossplane.io_domains.yaml
@@ -494,6 +494,10 @@ spec:
         required:
         - spec
         type: object
+        x-kubernetes-validations:
+        - message: either name or domain and subDomain must be set
+          rule: self.spec.managementPolicies == ['Observe'] || has(self.spec.forProvider.name)
+            || (has(self.spec.forProvider.subDomain) && has(self.spec.forProvider.domain))
     served: true
     storage: true
     subresources:

diff --git a/package/crds/cloudfoundry.crossplane.io_orgmembers.yaml b/package/crds/cloudfoundry.crossplane.io_orgmembers.yaml
@@ -198,9 +198,6 @@ spec:
                     - Managers
                     - BillingManagers
                     type: string
-                required:
-                - members
-                - roleType
                 type: object
               managementPolicies:
                 default:
@@ -439,6 +436,16 @@ spec:
         required:
         - spec
         type: object
+        x-kubernetes-validations:
+        - message: roleType is required
+          rule: self.spec.managementPolicies == ['Observe'] || has(self.spec.forProvider.roleType)
+        - message: 'OrgReference is required: exactly one of orgName, orgRef, or orgSelector
+            must be set'
+          rule: self.spec.managementPolicies == ['Observe'] || (has(self.spec.forProvider.orgName)
+            || has(self.spec.forProvider.orgRef) || has(self.spec.forProvider.orgSelector))
+        - message: 'Members validation: at least one member must be set'
+          rule: self.spec.managementPolicies == ['Observe'] || (has(self.spec.forProvider.members)
+            && self.spec.forProvider.members.size() >= 1)
     served: true
     storage: true
     subresources:

diff --git a/package/crds/cloudfoundry.crossplane.io_orgroles.yaml b/package/crds/cloudfoundry.crossplane.io_orgroles.yaml
@@ -176,9 +176,6 @@ spec:
                     description: (String) The username of the Cloud Foundry user to
                       assign the role to.
                     type: string
-                required:
-                - type
-                - username
                 type: object
               managementPolicies:
                 default:
@@ -435,6 +432,15 @@ spec:
         required:
         - spec
         type: object
+        x-kubernetes-validations:
+        - message: type is required
+          rule: self.spec.managementPolicies == ['Observe'] || has(self.spec.forProvider.type)
+        - message: username is required
+          rule: self.spec.managementPolicies == ['Observe'] || has(self.spec.forProvider.username)
+        - message: 'OrgReference is required: exactly one of orgName, orgRef, or orgSelector
+            must be set'
+          rule: self.spec.managementPolicies == ['Observe'] || (has(self.spec.forProvider.orgName)
+            || has(self.spec.forProvider.orgRef) || has(self.spec.forProvider.orgSelector))
     served: true
     storage: true
     subresources: