add CEL ratcheting rule for serverless spec

helderjs · helderjs · commit 1f9d02f9143c · 2025-11-27T12:05:03.000+01:00
diff --git a/api/v1/atlasdeployment_types.go b/api/v1/atlasdeployment_types.go
@@ -43,6 +43,7 @@ const (
 // Only one of DeploymentSpec, AdvancedDeploymentSpec and ServerlessSpec should be defined.
 // +kubebuilder:validation:XValidation:rule="(has(self.externalProjectRef) && !has(self.projectRef)) || (!has(self.externalProjectRef) && has(self.projectRef))",message="must define only one project reference through externalProjectRef or projectRef"
 // +kubebuilder:validation:XValidation:rule="(has(self.externalProjectRef) && has(self.connectionSecret)) || !has(self.externalProjectRef)",message="must define a local connection secret when referencing an external project"
+// +kubebuilder:validation:XValidation:rule="!has(self.serverlessSpec) || (oldSelf.hasValue() && oldSelf.value().serverlessSpec != null)",optionalOldSelf=true,message="serverlessSpec cannot be added - serverless instances are deprecated",fieldPath=.serverlessSpec
 type AtlasDeploymentSpec struct {
 	// ProjectReference is the dual external or kubernetes reference with access credentials
 	ProjectDualReference `json:",inline"`
diff --git a/api/v1/atlasdeployment_types_test.go b/api/v1/atlasdeployment_types_test.go
@@ -49,6 +49,57 @@ func TestDeploymentCELChecks(t *testing.T) {
 			},
 			expectedErrors: []string{"spec.deploymentSpec.name: Invalid value: \"string\": Name cannot be modified after deployment creation"},
 		},
+		{
+			title: "Cannot add a serverless deployment",
+			old:   nil,
+			obj: &AtlasDeployment{
+				Spec: AtlasDeploymentSpec{
+					ServerlessSpec: &ServerlessSpec{
+						Name: "my-serverless",
+					},
+				},
+			},
+			expectedErrors: []string{"spec.serverlessSpec: Invalid value: \"object\": serverlessSpec cannot be added - serverless instances are deprecated"},
+		},
+		{
+			title: "Can modify to a serverless deployment",
+			old: &AtlasDeployment{
+				Spec: AtlasDeploymentSpec{
+					ServerlessSpec: &ServerlessSpec{
+						Name:                         "my-serverless",
+						TerminationProtectionEnabled: false,
+					},
+				},
+			},
+			obj: &AtlasDeployment{
+				Spec: AtlasDeploymentSpec{
+					ServerlessSpec: &ServerlessSpec{
+						Name:                         "my-serverless",
+						TerminationProtectionEnabled: true,
+					},
+				},
+			},
+		},
+		{
+			title: "Existing serverless deployment can continue existing when not modified",
+			old: &AtlasDeployment{
+				Spec: AtlasDeploymentSpec{
+					ServerlessSpec: &ServerlessSpec{
+						Name:                         "my-serverless",
+						TerminationProtectionEnabled: false,
+					},
+				},
+			},
+			obj: &AtlasDeployment{
+				Spec: AtlasDeploymentSpec{
+					BackupScheduleRef: common.ResourceRefNamespaced{},
+					ServerlessSpec: &ServerlessSpec{
+						Name:                         "my-serverless",
+						TerminationProtectionEnabled: false,
+					},
+				},
+			},
+		},
 	} {
 		t.Run(tc.title, func(t *testing.T) {
 			// inject a project to avoid other CEL validations being hit
