azureadapplication: make .spec.tenant immutable

These external resources may become dangling when transitioning between tenants,
so we want to ensure that they are properly clean up.

This is done with a transition rule that disallows changing the value once created.
In other words, the field is only allowed to be set during creation.

See https://kubernetes.io/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/#transition-rules

charts/templates/nais.io_azureadapplications.yaml

@@ -175,10 +175,20 @@ spec:
                 description: |-
                   Tenant is an optional alias for targeting a tenant matching an instance of Azurerator that targets said tenant.
                   Can be omitted if only running a single instance or targeting the default tenant.
+                  Immutable once set.
                 type: string
+                x-kubernetes-validations:
+                - message: tenant is immutable once set; delete and recreate AzureAdApplication
+                    to change tenant
+                  rule: self == oldSelf
             required:
             - secretName
             type: object
+            x-kubernetes-validations:
+            - message: tenant can only be set on creation; delete and recreate AzureAdApplication
+                to set tenant
+              rule: (has(oldSelf.tenant) && has(self.tenant)) || (!has(oldSelf.tenant)
+                && !has(self.tenant))
           status:
             description: AzureAdApplicationStatus defines the observed state of AzureAdApplication
             properties:

config/crd/bases/nais.io_azureadapplications.yaml

@@ -175,10 +175,20 @@ spec:
                 description: |-
                   Tenant is an optional alias for targeting a tenant matching an instance of Azurerator that targets said tenant.
                   Can be omitted if only running a single instance or targeting the default tenant.
+                  Immutable once set.
                 type: string
+                x-kubernetes-validations:
+                - message: tenant is immutable once set; delete and recreate AzureAdApplication
+                    to change tenant
+                  rule: self == oldSelf
             required:
             - secretName
             type: object
+            x-kubernetes-validations:
+            - message: tenant can only be set on creation; delete and recreate AzureAdApplication
+                to set tenant
+              rule: (has(oldSelf.tenant) && has(self.tenant)) || (!has(oldSelf.tenant)
+                && !has(self.tenant))
           status:
             description: AzureAdApplicationStatus defines the observed state of AzureAdApplication
             properties:

pkg/apis/nais.io/v1/azureadapplication_types.go

@@ -47,6 +47,7 @@ type AzureAdApplicationList struct {
 }
 
 // AzureAdApplicationSpec defines the desired state of AzureAdApplication
+// +kubebuilder:validation:XValidation:rule="(has(oldSelf.tenant) && has(self.tenant)) || (!has(oldSelf.tenant) && !has(self.tenant))", message="tenant can only be set on creation; delete and recreate AzureAdApplication to set tenant"
 type AzureAdApplicationSpec struct {
 	// AllowAllUsers denotes whether all users within the tenant should be allowed to access this AzureAdApplication. Defaults to false.
 	AllowAllUsers *bool          `json:"allowAllUsers,omitempty"`
@@ -66,6 +67,9 @@ type AzureAdApplicationSpec struct {
 	SinglePageApplication *bool `json:"singlePageApplication,omitempty"`
 	// Tenant is an optional alias for targeting a tenant matching an instance of Azurerator that targets said tenant.
 	// Can be omitted if only running a single instance or targeting the default tenant.
+	// Immutable once set.
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="tenant is immutable once set; delete and recreate AzureAdApplication to change tenant"
 	Tenant string `json:"tenant,omitempty"`
 }