ESO-49: Updates ExternalSecrets API to make operand namespace config immutable

bharath-b-rh · bharath-b-rh · commit fda98df2a1e5 · 2025-05-31T20:06:04.000+05:30
diff --git a/api/v1alpha1/external_secrets_types.go b/api/v1alpha1/external_secrets_types.go
@@ -120,10 +120,12 @@ type ExternalSecretsConfig struct {
 
 // ControllerConfig is for configuring the operator for setting up
 // defaults to install external-secrets.
+// +kubebuilder:validation:XValidation:rule="!has(oldSelf.namespace) && !has(self.namespace) || has(oldSelf.namespace) && has(self.namespace)",message="namespace may only be configured during creation"
 type ControllerConfig struct {
 	// namespace is for configuring the namespace to install the external-secret operand.
 	// +kubebuilder:validation:Optional
 	// +kubebuilder:default:="external-secrets"
+	// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="namespace is immutable once set"
 	Namespace string `json:"namespace,omitempty"`
 
 	// labels to apply to all resources created for external-secrets deployment.
diff --git a/bundle/manifests/operator.openshift.io_externalsecrets.yaml b/bundle/manifests/operator.openshift.io_externalsecrets.yaml
@@ -63,7 +63,14 @@ spec:
                     description: namespace is for configuring the namespace to install
                       the external-secret operand.
                     type: string
+                    x-kubernetes-validations:
+                    - message: namespace is immutable once set
+                      rule: self == oldSelf
                 type: object
+                x-kubernetes-validations:
+                - message: namespace may only be configured during creation
+                  rule: '!has(oldSelf.namespace) && !has(self.namespace) || has(oldSelf.namespace)
+                    && has(self.namespace)'
               externalSecretsConfig:
                 description: externalSecretsConfig is for configuring the external-secrets
                   behavior.
diff --git a/config/crd/bases/operator.openshift.io_externalsecrets.yaml b/config/crd/bases/operator.openshift.io_externalsecrets.yaml
@@ -63,7 +63,14 @@ spec:
                     description: namespace is for configuring the namespace to install
                       the external-secret operand.
                     type: string
+                    x-kubernetes-validations:
+                    - message: namespace is immutable once set
+                      rule: self == oldSelf
                 type: object
+                x-kubernetes-validations:
+                - message: namespace may only be configured during creation
+                  rule: '!has(oldSelf.namespace) && !has(self.namespace) || has(oldSelf.namespace)
+                    && has(self.namespace)'
               externalSecretsConfig:
                 description: externalSecretsConfig is for configuring the external-secrets
                   behavior.
