Make spec.namespace fields immutable

Moving a control plane around has consequences beyond just the templates
installed by helm, as the control plane namespace has its own semantics
within Istio: it is often the place where you can put Istio configs that
serve as defaults. By making the field immutable, we avoid strange side-
effects that might occur when moving a control plane to another
namespace.

Signed-off-by: Daniel Grimm <dgrimm@redhat.com>

api/v1alpha1/istio_types.go

@@ -60,6 +60,7 @@ type IstioSpec struct {
 	// Namespace to which the Istio components should be installed.
 	// +operator-sdk:csv:customresourcedefinitions:type=spec,xDescriptors={"urn:alm:descriptor:io.kubernetes:Namespace"}
 	// +kubebuilder:default=istio-system
+	// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="Value is immutable"
 	Namespace string `json:"namespace"`
 
 	// Defines the values to be passed to the Helm charts when installing Istio.

api/v1alpha1/istiorevision_types.go

@@ -42,6 +42,7 @@ type IstioRevisionSpec struct {
 
 	// Namespace to which the Istio components should be installed.
 	// +operator-sdk:csv:customresourcedefinitions:type=spec,xDescriptors={"urn:alm:descriptor:io.kubernetes:Namespace"}
+	// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="Value is immutable"
 	Namespace string `json:"namespace"`
 
 	// Defines the values to be passed to the Helm charts when installing Istio.

bundle/manifests/sailoperator.io_istiorevisions.yaml

@@ -75,6 +75,9 @@ spec:
               namespace:
                 description: Namespace to which the Istio components should be installed.
                 type: string
+                x-kubernetes-validations:
+                - message: Value is immutable
+                  rule: self == oldSelf
               type:
                 default: Local
                 description: Type indicates whether this revision represents a local

bundle/manifests/sailoperator.io_istios.yaml

@@ -87,6 +87,9 @@ spec:
                 default: istio-system
                 description: Namespace to which the Istio components should be installed.
                 type: string
+                x-kubernetes-validations:
+                - message: Value is immutable
+                  rule: self == oldSelf
               profile:
                 description: |-
                   The built-in installation configuration profile to use.

chart/crds/sailoperator.io_istiorevisions.yaml

@@ -75,6 +75,9 @@ spec:
               namespace:
                 description: Namespace to which the Istio components should be installed.
                 type: string
+                x-kubernetes-validations:
+                - message: Value is immutable
+                  rule: self == oldSelf
               type:
                 default: Local
                 description: Type indicates whether this revision represents a local

chart/crds/sailoperator.io_istios.yaml

@@ -87,6 +87,9 @@ spec:
                 default: istio-system
                 description: Namespace to which the Istio components should be installed.
                 type: string
+                x-kubernetes-validations:
+                - message: Value is immutable
+                  rule: self == oldSelf
               profile:
                 description: |-
                   The built-in installation configuration profile to use.

tests/integration/api/istio_test.go

@@ -272,6 +272,14 @@ var _ = Describe("Istio resource", Ordered, func() {
 						deleteAllIstiosAndRevisions(ctx)
 					})
 
+					When("namespace is updated", func() {
+						It("throws a validation error as the field is immutable", func() {
+							Expect(k8sClient.Get(ctx, istioKey, istio)).To(Succeed())
+							istio.Spec.Namespace = workloadNamespace
+							Expect(k8sClient.Update(ctx, istio)).To(MatchError(ContainSubstring("immutable")))
+						})
+					})
+
 					When("version is updated", func() {
 						BeforeAll(func() {
 							Expect(k8sClient.Get(ctx, istioKey, istio)).To(Succeed())