From 8875af382632de9ace13da7e7290b7b8c09543ac Mon Sep 17 00:00:00 2001
From: Trong Huu Nguyen
Date: Thu, 31 Oct 2024 15:13:48 +0100
Subject: [PATCH] azureadapplication: make .spec.tenant immutable

These external resources may become dangling when transitioning between tenants, so we want to ensure that they are properly clean up. This is done with a transition rule that disallows changing the value once created. In other words, the field is only allowed to be set during creation. See https://kubernetes.io/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/#transition-rules
---
 charts/templates/nais.io_azureadapplications.yaml | 10 ++++++++++
 config/crd/bases/nais.io_azureadapplications.yaml | 10 ++++++++++
 pkg/apis/nais.io/v1/azureadapplication_types.go | 4 ++++
 3 files changed, 24 insertions(+)
diff --git a/charts/templates/nais.io_azureadapplications.yaml b/charts/templates/nais.io_azureadapplications.yaml
index 00c627cd..e32b76eb 100644
--- a/charts/templates/nais.io_azureadapplications.yaml
+++ b/charts/templates/nais.io_azureadapplications.yaml
@@ -175,10 +175,20 @@ spec: description: |- Tenant is an optional alias for targeting a tenant matching an instance of Azurerator that targets said tenant. Can be omitted if only running a single instance or targeting the default tenant. + Immutable once set. type: string + x-kubernetes-validations: + - message: tenant is immutable once set; delete and recreate AzureAdApplication to change tenant + rule: self == oldSelf required: - secretName type: object + x-kubernetes-validations: + - message: tenant can only be set on creation; delete and recreate AzureAdApplication to set tenant + rule: (has(oldSelf.tenant) && has(self.tenant)) || (!has(oldSelf.tenant) && !has(self.tenant)) status: description: AzureAdApplicationStatus defines the observed state of AzureAdApplication properties:
diff --git a/config/crd/bases/nais.io_azureadapplications.yaml b/config/crd/bases/nais.io_azureadapplications.yaml
index 00c627cd..e32b76eb 100644
--- a/config/crd/bases/nais.io_azureadapplications.yaml
+++ b/config/crd/bases/nais.io_azureadapplications.yaml
@@ -175,10 +175,20 @@ spec: description: |- Tenant is an optional alias for targeting a tenant matching an instance of Azurerator that targets said tenant. Can be omitted if only running a single instance or targeting the default tenant. + Immutable once set. type: string + x-kubernetes-validations: + - message: tenant is immutable once set; delete and recreate AzureAdApplication to change tenant + rule: self == oldSelf required: - secretName type: object + x-kubernetes-validations: + - message: tenant can only be set on creation; delete and recreate AzureAdApplication to set tenant + rule: (has(oldSelf.tenant) && has(self.tenant)) || (!has(oldSelf.tenant) && !has(self.tenant)) status: description: AzureAdApplicationStatus defines the observed state of AzureAdApplication properties:
diff --git a/pkg/apis/nais.io/v1/azureadapplication_types.go b/pkg/apis/nais.io/v1/azureadapplication_types.go
index 6023696a..1ad284fa 100644
--- a/pkg/apis/nais.io/v1/azureadapplication_types.go
+++ b/pkg/apis/nais.io/v1/azureadapplication_types.go
@@ -47,6 +47,7 @@ type AzureAdApplicationList struct {
 }
 // AzureAdApplicationSpec defines the desired state of AzureAdApplication
+// +kubebuilder:validation:XValidation:rule="(has(oldSelf.tenant) && has(self.tenant)) || (!has(oldSelf.tenant) && !has(self.tenant))", message="tenant can only be set on creation; delete and recreate AzureAdApplication to set tenant"
 type AzureAdApplicationSpec struct {
 // AllowAllUsers denotes whether all users within the tenant should be allowed to access this AzureAdApplication. Defaults to false.
 AllowAllUsers *bool `json:"allowAllUsers,omitempty"`
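Review bot: The struct-level rule `(has(oldSelf.tenant) && has(self.tenant)) || (!has(oldSelf.tenant) && !has(self.tenant))` on AzureAdApplicationSpec is a presence-equality test and would read more directly, and likely cost less under the CEL cost estimator, as `has(oldSelf.tenant) == has(self.tenant)`. The marker also deserves a comment on why it exists next to the field-level `self == oldSelf` added in the second hunk of this file: a field-level transition rule is skipped when the field is absent on either side (with omitempty an empty value is dropped), so only the struct-level rule stops a tenant being added to or removed from an existing object, e.g. `// Presence of tenant is pinned here because the field-level rule on Tenant is not evaluated when the field is absent in the old or new object.` The field doc `// Immutable once set.` in that second hunk understates the combined effect; `// Can only be set on creation; cannot be added, changed or removed afterwards.` matches what the two rules enforce. Both are transition rules that the API server evaluates only on update requests, so objects that existed before the CRD change are not revalidated until something updates them.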
@@ -66,6 +67,9 @@ type AzureAdApplicationSpec struct {
 SinglePageApplication *bool `json:"singlePageApplication,omitempty"`
 // Tenant is an optional alias for targeting a tenant matching an instance of Azurerator that targets said tenant.
 // Can be omitted if only running a single instance or targeting the default tenant.
+ // Immutable once set.
+ // +kubebuilder:validation:Optional
+ // +kubebuilder:validation:XValidation:rule="self == oldSelf",message="tenant is immutable once set; delete and recreate AzureAdApplication to change tenant"
 Tenant string `json:"tenant,omitempty"`
 }