[Control Plane API] Manual upload for Serverless private links

[kbatuigas]

Our automated import for the Cloud API is erroring out #52 (see https://github.com/redpanda-data/api-docs/actions/runs/21609773679) Changing to Node.js version in the GitHub workflow appears to resolve this, but we encounter a different error from the OpenAPI validation in the Bump GitHub action.

This branch is to try and consolidate the changes that we want:

• Update Control Plane API docs with the latest spec from the source
• Upgrade the Node.js version in our auto import to v24
• Fix the OpenAPI validation error

I'm sending this PR over to the Bump.sh team for troubleshooting and determining what the right next steps are.

[coderabbitai]

Important

Review skipped

Auto incremental reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

• 🔍 Trigger a full review

📝 Walkthrough

Walkthrough

This pull request updates the CI/CD workflow to use Node.js 24 and significantly extends the cloud-controlplane API schema. The schema changes introduce support for Serverless Private Link lifecycle management with new public schemas (AIGateway, PlainConfig) and comprehensive ServerlessPrivateLink families including creation, deletion, update, and listing operations. The scope system is expanded to track dataplane resources with new ScopeResourceType enum values for MCP servers, AI agents, and AI gateway components. AuthenticationConfiguration is updated to support SASL/PLAIN configuration alongside existing SASL/SCRAM options, and various example payloads are updated to reflect these additions.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

• api-docs#51: Overlapping ServerlessPrivateLink and OperationMetadata schema changes for long-running operations support in Serverless Private Link functionality.
• api-docs#20: Related through ServerlessPrivateLink operation type enum additions that correspond to the create/update/delete operations being added here.
• api-docs#43: Related through authentication configuration modifications, specifically the addition of PlainConfig and AuthenticationConfiguration updates.

Suggested reviewers

• JakeSCahill
• micheleRP

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title directly relates to the main change: adding Serverless private links to the Control Plane API specification with a manual upload.
Description check	✅ Passed	The description accurately relates to the changeset, explaining the motivation for the manual upload and listing the intended changes that align with the actual modifications.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch serverless-private-networking-manual-spec-update

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Fix all issues with AI agents

In `@cloud-controlplane/cloud-controlplane.yaml`:
- Around line 5161-5163: The example YAML contains an undefined field "oxla" in
the Cluster examples; either add a corresponding property to the Cluster schema
(e.g., add an optional "oxla" field with its type and description in the Cluster
schema) or remove "oxla" from all cluster example blocks so examples match the
Cluster schema; search for "oxla" and the "Cluster" schema and update the schema
definition or prune the example entries accordingly.
- Around line 3554-3613: Update the ServerlessPrivateLink-related schemas to use
snake_case: rename the property "cloudprovider" to "cloud_provider" wherever it
appears (e.g., in ServerlessPrivateLink and ServerlessPrivateLinkCreate schema
property lists) and adjust any required arrays that list "cloudprovider" to
instead list "cloud_provider"; ensure all $ref usages or schema property names
referencing CloudProvider remain unchanged except for the property key name swap
so the schema and required validation match the rest of the spec.

🧹 Nitpick comments (1)

cloud-controlplane/cloud-controlplane.yaml (1)

2868-2876: Mark PlainConfig.password as writeOnly (and format: password).
It’s a secret; make the contract explicit that it’s request-only.

🔐 Proposed adjustment

     PlainConfig:
       properties:
         password:
           title: Password
+          format: password
+          writeOnly: true
           type: string

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# First, let's check if the file exists and examine the lines in question
if [ -f "cloud-controlplane/cloud-controlplane.yaml" ]; then
  echo "=== Lines 3554-3613 from cloud-controlplane.yaml ==="
  sed -n '3554,3613p' cloud-controlplane/cloud-controlplane.yaml
else
  echo "File not found at expected path"
  find . -name "cloud-controlplane.yaml" -type f 2>/dev/null | head -5
fi

Repository: redpanda-data/api-docs

Length of output: 1871

---

🏁 Script executed:

# Search for cloudprovider vs cloud_provider occurrences in the YAML
echo "=== Occurrences of 'cloudprovider' in YAML files ==="
rg 'cloudprovider' --type yaml -n

echo ""
echo "=== Occurrences of 'cloud_provider' in YAML files ==="
rg 'cloud_provider' --type yaml -n | head -30

Repository: redpanda-data/api-docs

Length of output: 2828

---

🏁 Script executed:

# Look for proto files that might define the actual contract
echo "=== Proto files in the repository ==="
find . -name "*.proto" -type f 2>/dev/null | head -10

Repository: redpanda-data/api-docs

Length of output: 103

---

🏁 Script executed:

# Look at specific schemas that use cloud_provider to see the pattern
echo "=== Example: Cluster schema (around line 471) ==="
sed -n '465,480p' cloud-controlplane/cloud-controlplane.yaml

echo ""
echo "=== Example: ClusterCreate schema (around line 722) ==="
sed -n '715,735p' cloud-controlplane/cloud-controlplane.yaml

echo ""
echo "=== Example: ClusterUpdate schema (around line 2401) ==="
sed -n '2395,2415p' cloud-controlplane/cloud-controlplane.yaml

Repository: redpanda-data/api-docs

Length of output: 2844

---

🏁 Script executed:

# Check if there's any documentation or comments about field naming
rg 'snake_case|camelCase|naming' cloud-controlplane/cloud-controlplane.yaml -B2 -A2 | head -30

Repository: redpanda-data/api-docs

Length of output: 885

---

Rename cloudprovider to cloud_provider in ServerlessPrivateLink schemas.

The field uses camelCase, while the entire OpenAPI specification consistently uses snake_case (cloud_provider appears 27+ times across Cluster, Network, and other schemas). This inconsistency will confuse clients and likely cause request failures if the backend expects snake_case field names.

Required changes

     ServerlessPrivateLink:
       properties:
         aws_config:
           $ref: '#/components/schemas/ServerlessPrivateLink.AWS'
-        cloudprovider:
+        cloud_provider:
           $ref: '#/components/schemas/CloudProvider'
@@
     ServerlessPrivateLinkCreate:
       properties:
         aws_config:
           $ref: '#/components/schemas/ServerlessPrivateLinkCreate.AWS'
-        cloudprovider:
+        cloud_provider:
           $ref: '#/components/schemas/CloudProvider'
@@
       required:
-        - cloudprovider
+        - cloud_provider

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	properties:
	aws_config:
	$ref: '#/components/schemas/ServerlessPrivateLink.AWS'
	cloudprovider:
	$ref: '#/components/schemas/CloudProvider'
	created_at:
	format: date-time
	type: string
	id:
	type: string
	name:
	type: string
	resource_group_id:
	type: string
	serverless_region:
	type: string
	state:
	$ref: '#/components/schemas/ServerlessPrivateLink.State'
	status:
	$ref: '#/components/schemas/ServerlessPrivateLinkStatus'
	updated_at:
	format: date-time
	type: string
	type: object
	ServerlessPrivateLink.AWS:
	properties:
	allowed_principals:
	items:
	type: string
	type: array
	type: object
	ServerlessPrivateLink.State:
	description: |2-
	- STATE_CREATING: Private link is being created.
	- STATE_READY: Private link is ready to use.
	- STATE_DELETING: Private link is being deleted.
	- STATE_FAILED: Private link is in an error state.
	- STATE_UPDATING: Private link is in an updating state.
	enum:
	- STATE_CREATING
	- STATE_READY
	- STATE_DELETING
	- STATE_FAILED
	- STATE_UPDATING
	type: string
	ServerlessPrivateLinkCreate:
	properties:
	aws_config:
	$ref: '#/components/schemas/ServerlessPrivateLinkCreate.AWS'
	cloudprovider:
	$ref: '#/components/schemas/CloudProvider'
	name:
	type: string
	resource_group_id:
	type: string
	serverless_region:
	type: string
	required:
	- cloudprovider
	type: object
	properties:
	aws_config:
	$ref: '#/components/schemas/ServerlessPrivateLink.AWS'
	cloud_provider:
	$ref: '#/components/schemas/CloudProvider'
	created_at:
	format: date-time
	type: string
	id:
	type: string
	name:
	type: string
	resource_group_id:
	type: string
	serverless_region:
	type: string
	state:
	$ref: '#/components/schemas/ServerlessPrivateLink.State'
	status:
	$ref: '#/components/schemas/ServerlessPrivateLinkStatus'
	updated_at:
	format: date-time
	type: string
	type: object
	ServerlessPrivateLink.AWS:
	properties:
	allowed_principals:
	items:
	type: string
	type: array
	type: object
	ServerlessPrivateLink.State:
	description: |2-
	- STATE_CREATING: Private link is being created.
	- STATE_READY: Private link is ready to use.
	- STATE_DELETING: Private link is being deleted.
	- STATE_FAILED: Private link is in an error state.
	- STATE_UPDATING: Private link is in an updating state.
	enum:
	- STATE_CREATING
	- STATE_READY
	- STATE_DELETING
	- STATE_FAILED
	- STATE_UPDATING
	type: string
	ServerlessPrivateLinkCreate:
	properties:
	aws_config:
	$ref: '#/components/schemas/ServerlessPrivateLinkCreate.AWS'
	cloud_provider:
	$ref: '#/components/schemas/CloudProvider'
	name:
	type: string
	resource_group_id:
	type: string
	serverless_region:
	type: string
	required:
	- cloud_provider
	type: object

🤖 Prompt for AI Agents

In `@cloud-controlplane/cloud-controlplane.yaml` around lines 3554 - 3613, Update
the ServerlessPrivateLink-related schemas to use snake_case: rename the property
"cloudprovider" to "cloud_provider" wherever it appears (e.g., in
ServerlessPrivateLink and ServerlessPrivateLinkCreate schema property lists) and
adjust any required arrays that list "cloudprovider" to instead list
"cloud_provider"; ensure all $ref usages or schema property names referencing
CloudProvider remain unchanged except for the property key name swap so the
schema and required validation match the rest of the spec.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Remove or define oxla in cluster examples.
The example includes oxla, but the Cluster schema doesn’t define it. Either add the schema field or drop it from all examples.

🧹 Example cleanup

                     network_id: cjb69k1c4vs45df9bee0
-                    oxla: null
                     prometheus:

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	network_id: cjb69k1c4vs45df9bee0
	oxla: null
	prometheus:
	network_id: cjb69k1c4vs45df9bee0
	prometheus:

🤖 Prompt for AI Agents

In `@cloud-controlplane/cloud-controlplane.yaml` around lines 5161 - 5163, The
example YAML contains an undefined field "oxla" in the Cluster examples; either
add a corresponding property to the Cluster schema (e.g., add an optional "oxla"
field with its type and description in the Cluster schema) or remove "oxla" from
all cluster example blocks so examples match the Cluster schema; search for
"oxla" and the "Cluster" schema and update the schema definition or prune the
example entries accordingly.

[github-actions]

🤖 Redpanda/cloud-controlplane API structural change detected

Preview documentation

Structural change details

Added (5)

• DELETE /v1/serverless/private-links/{id}
• GET /v1/serverless/private-links
• GET /v1/serverless/private-links/{id}
• PATCH /v1/serverless/private-links/{id}
• POST /v1/serverless/private-links

Modified (25)

• DELETE /v1/clusters/{id}
  • Response modified: 202
    • Content type modified: application/json
      • Property modified: operation
        • Property modified: response
• DELETE /v1/network/{network_id}/network-peerings/{id}
  • Response modified: 202
    • Content type modified: application/json
      • Property modified: operation
        • Property modified: response
• DELETE /v1/networks/{id}
  • Response modified: 202
    • Content type modified: application/json
      • Property modified: operation
        • Property modified: response
• DELETE /v1/serverless/clusters/{id}
  • Response modified: 202
    • Content type modified: application/json
      • Property modified: operation
        • Property modified: response
• DELETE /v1/shadow-links/{id}
  • Response modified: 202
    • Content type modified: application/json
      • Property modified: operation
        • Property modified: response
• GET /v1/clusters
  • Response modified: 200
    • Content type modified: application/json
      • Property modified: clusters
        • Property added: ai_gateway
• GET /v1/clusters/{id}
  • Response modified: 200
    • Content type modified: application/json
      • Property modified: cluster
        • Property added: ai_gateway
• GET /v1/operations
  • Response modified: 200
    • Content type modified: application/json
      • Property modified: operations
        • Property modified: response
• GET /v1/operations/{id}
  • Response modified: 200
    • Content type modified: application/json
      • Property modified: operation
        • Property modified: response
• GET /v1/role-bindings
  • Response modified: 200
    • Content type modified: application/json
      • Property modified: role_bindings
        • Property modified: scope
  • Query parameter added: filter.scope.dataplane_id
• GET /v1/role-bindings/{id}
  • Response modified: 200
    • Content type modified: application/json
      • Property modified: role_binding
        • Property modified: scope
• GET /v1/shadow-links/{id}
  • Response modified: 200
    • Content type modified: application/json
      • Property modified: shadow_link
        • Property modified: client_options
• GET /v1/user-invites
  • Response modified: 200
    • Content type modified: application/json
      • Property modified: user_invites
        • Property modified: role_bindings
• GET /v1/user-invites/{id}
  • Response modified: 200
    • Content type modified: application/json
      • Property modified: user_invite
        • Property modified: role_bindings
• PATCH /v1/serverless/clusters/{id}
  • Content type modified: application/json
    • Properties added: networking_config, private_link_id
  • Response modified: 202
    • Content type modified: application/json
      • Properties added: networking_config, private_link_id
• PATCH /v1/shadow-links/{shadow_link.id}
  • Content type modified: application/json
    • Property modified: client_options
      • Property modified: authentication_configuration
        • Property added: plain_configuration
  • Response modified: 202
    • Content type modified: application/json
      • Property modified: operation
        • Property modified: response
• PATCH /v1/user-invites/{id}
  • Content type modified: application/json
    • Property modified: user_invite
      • Property modified: role_bindings
        • Property modified: scope
  • Response modified: 200
    • Content type modified: application/json
      • Property modified: user_invite
        • Property modified: role_bindings
• POST /v1/clusters
  • Response modified: 202
    • Content type modified: application/json
      • Property modified: operation
        • Property modified: response
• POST /v1/network/{network_peering.network_id}/network-peerings
  • Response modified: 202
    • Content type modified: application/json
      • Property modified: operation
        • Property modified: response
• POST /v1/networks
  • Response modified: 202
    • Content type modified: application/json
      • Property modified: operation
        • Property modified: response
• POST /v1/role-bindings
  • Content type modified: application/json
    • Property modified: role_binding
      • Property modified: scope
        • Property added: dataplane_id
  • Response modified: 201
    • Content type modified: application/json
      • Property modified: role_binding
        • Property modified: scope
• POST /v1/serverless/clusters
  • Content type modified: application/json
    • Property modified: serverless_cluster
      • Properties added: networking_config, private_link_id
  • Response modified: 202
    • Content type modified: application/json
      • Property modified: operation
        • Property modified: response
• POST /v1/service-accounts
  • Content type modified: application/json
    • Property modified: service_account
      • Property modified: role_bindings
        • Property modified: scope
• POST /v1/shadow-links
  • Content type modified: application/json
    • Property modified: shadow_link
      • Property modified: client_options
        • Property modified: authentication_configuration
  • Response modified: 202
    • Content type modified: application/json
      • Property modified: operation
        • Property modified: response
• POST /v1/user-invites
  • Content type modified: application/json
    • Property modified: user_invite
      • Property modified: role_bindings
        • Property modified: scope
  • Response modified: 201
    • Content type modified: application/json
      • Property modified: user_invite
        • Property modified: role_bindings

Powered by Bump.sh

[micheleRP]

lgtm!