diff --git a/charts/templates/nais.io_azureadapplications.yaml b/charts/templates/nais.io_azureadapplications.yaml index 00c627cd..e32b76eb 100644 --- a/charts/templates/nais.io_azureadapplications.yaml +++ b/charts/templates/nais.io_azureadapplications.yaml @@ -175,10 +175,20 @@ spec: description: |- Tenant is an optional alias for targeting a tenant matching an instance of Azurerator that targets said tenant. Can be omitted if only running a single instance or targeting the default tenant. + Immutable once set. type: string + x-kubernetes-validations: + - message: tenant is immutable once set; delete and recreate AzureAdApplication + to change tenant + rule: self == oldSelf required: - secretName type: object + x-kubernetes-validations: + - message: tenant can only be set on creation; delete and recreate AzureAdApplication + to set tenant + rule: (has(oldSelf.tenant) && has(self.tenant)) || (!has(oldSelf.tenant) + && !has(self.tenant)) status: description: AzureAdApplicationStatus defines the observed state of AzureAdApplication properties: diff --git a/config/crd/bases/nais.io_azureadapplications.yaml b/config/crd/bases/nais.io_azureadapplications.yaml index 00c627cd..e32b76eb 100644 --- a/config/crd/bases/nais.io_azureadapplications.yaml +++ b/config/crd/bases/nais.io_azureadapplications.yaml 
@@ -175,10 +175,20 @@ spec: description: |- Tenant is an optional alias for targeting a tenant matching an instance of Azurerator that targets said tenant. Can be omitted if only running a single instance or targeting the default tenant. + Immutable once set. type: string + x-kubernetes-validations: + - message: tenant is immutable once set; delete and recreate AzureAdApplication + to change tenant + rule: self == oldSelf required: - secretName type: object + x-kubernetes-validations: + - message: tenant can only be set on creation; delete and recreate AzureAdApplication + to set tenant + rule: (has(oldSelf.tenant) && has(self.tenant)) || (!has(oldSelf.tenant) + && !has(self.tenant)) status: description: AzureAdApplicationStatus defines the observed state of AzureAdApplication properties: diff --git a/pkg/apis/nais.io/v1/azureadapplication_types.go b/pkg/apis/nais.io/v1/azureadapplication_types.go index 6023696a..1ad284fa 100644 --- a/pkg/apis/nais.io/v1/azureadapplication_types.go +++ b/pkg/apis/nais.io/v1/azureadapplication_types.go @@ -47,6 +47,7 @@ type AzureAdApplicationList struct { } // AzureAdApplicationSpec defines the desired state of AzureAdApplication +// +kubebuilder:validation:XValidation:rule="(has(oldSelf.tenant) && has(self.tenant)) || (!has(oldSelf.tenant) && !has(self.tenant))", message="tenant can only be set on creation; delete and recreate AzureAdApplication to set tenant" type AzureAdApplicationSpec struct { // AllowAllUsers denotes whether all users within the tenant should be allowed to access this AzureAdApplication. Defaults to false. AllowAllUsers *bool `json:"allowAllUsers,omitempty"` 
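Review bot: The struct-level rule added above `type AzureAdApplicationSpec struct` tests presence with `has()`, not value, so an explicit `tenant: ""` counts as set, while a typed Go client re-serialising `Tenant string` with `omitempty` drops the field. As far as I can tell, an object created that way would fail a later update with "tenant can only be set on creation", even though nobody changed the tenant. I would close the gap on the field with `// +kubebuilder:validation:MinLength=1`, so an empty alias can never be stored. A short comment above the marker should also explain that the struct-level rule exists because the field-level `self == oldSelf` rule is not evaluated when the field is added or removed. The struct body continues outside this hunk.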
@@ -66,6 +67,9 @@ type AzureAdApplicationSpec struct {
 SinglePageApplication *bool `json:"singlePageApplication,omitempty"`
 // Tenant is an optional alias for targeting a tenant matching an instance of Azurerator that targets said tenant.
 // Can be omitted if only running a single instance or targeting the default tenant.
+ // Immutable once set.
+ // +kubebuilder:validation:Optional
+ // +kubebuilder:validation:XValidation:rule="self == oldSelf",message="tenant is immutable once set; delete and recreate AzureAdApplication to change tenant"
 Tenant string `json:"tenant,omitempty"`
 }
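Review bot: The new doc line `// Immutable once set.` on `Tenant` does not say where the immutability is enforced. The rules are CEL transition rules, so they take effect only on updates and only on API servers that evaluate CRD validation rules. Because the alias decides which Azurerator instance and tenant an application is registered against, I would spell that out, e.g. `// Immutable once set; enforced at admission by the CEL rules below, so controllers should not treat this as the only guard against a tenant change.` Whether Azurerator itself rejects a changed tenant is not visible in this diff. The `+kubebuilder:validation:Optional` marker also looks redundant next to `omitempty`, since the generated CRD's `required` list contains only `secretName`.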