Ensure composition for nested postgres is not changed

this ensures that the existing vshnkeycloak instances will not switch
the composition used by the depending postgres instance and thus
breaking the instance.

Author: mikeshootzz

cmd/controller.go

@@ -196,6 +196,10 @@ func setupWebhooks(mgr manager.Manager, withQuota bool, withAppcatWebhooks bool,
 		if err != nil {
 			return err
 		}
+		err = webhooks.SetupXVSHNPostgreSQLWebhookHandlerWithManager(mgr)
+		if err != nil {
+			return err
+		}
 		err = webhooks.SetupRedisWebhookHandlerWithManager(mgr, withQuota)
 		if err != nil {
 			return err

config/controller/webhooks.yaml

@@ -324,3 +324,22 @@ webhooks:
     resources:
     - xobjectbuckets
   sideEffects: None
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: webhook-service
+      namespace: system
+      path: /validate-vshn-appcat-vshn-io-v1-xvshnpostgresql
+  failurePolicy: Fail
+  name: xvshnpostgresql.vshn.appcat.vshn.io
+  rules:
+  - apiGroups:
+    - vshn.appcat.vshn.io
+    apiVersions:
+    - v1
+    operations:
+    - UPDATE
+    resources:
+    - xvshnpostgresqls
+  sideEffects: None

pkg/comp-functions/functions/common/postgresql.go

@@ -162,6 +162,21 @@ func (a *PostgreSQLDependencyBuilder) CreateDependency() (string, error) {
 	// and would therefore override any value we set before the merge.
 	params.Instances = a.comp.GetInstances()
 
+	// Preserve the compositionRef of an already-existing nested PostgreSQL composite.
+	// If we always wrote defaultPGComposition, switching that default (e.g. Stackgres → CNPG)
+	// would silently migrate live instances on the next reconcile, which is destructive.
+	// If the observed composite exists but has no compositionRef we return an error rather than
+	// falling back to the default — an empty ref on an existing instance is unexpected and
+	// silently overwriting it could trigger an unintended backend migration.
+	compositionName := a.svc.Config.Data["defaultPGComposition"]
+	observedPg := &vshnv1.XVSHNPostgreSQL{}
+	if err := a.svc.GetObservedComposedResource(observedPg, a.comp.GetName()+PgInstanceNameSuffix); err == nil {
+		if observedPg.Spec.CompositionRef.Name == "" {
+			return "", fmt.Errorf("observed nested postgresql composite %q has no compositionRef, refusing to overwrite with default to prevent unintended backend migration", observedPg.GetName())
+		}
+		compositionName = observedPg.Spec.CompositionRef.Name
+	}
+
 	// We have to ignore the providerconfig on the composite itself.
 	pg := &vshnv1.XVSHNPostgreSQL{
 		ObjectMeta: metav1.ObjectMeta{
@@ -173,7 +188,7 @@ func (a *PostgreSQLDependencyBuilder) CreateDependency() (string, error) {
 		Spec: vshnv1.XVSHNPostgreSQLSpec{
 			Parameters: *params,
 			CompositionRef: v1.CompositionReference{
-				Name: a.svc.Config.Data["defaultPGComposition"],
+				Name: compositionName,
 			},
 			ResourceSpec: xpv1.ResourceSpec{
 				WriteConnectionSecretToReference: &xpv1.SecretReference{

pkg/controller/webhooks/postgresql.go

@@ -24,6 +24,10 @@ import (
 // See https://book.kubebuilder.io/reference/markers/webhook for docs
 //+kubebuilder:webhook:verbs=create;update;delete,path=/validate-vshn-appcat-vshn-io-v1-vshnpostgresql,mutating=false,failurePolicy=fail,groups=vshn.appcat.vshn.io,resources=vshnpostgresqls,versions=v1,name=postgresql.vshn.appcat.vshn.io,sideEffects=None,admissionReviewVersions=v1
 
+// Protect the nested XVSHNPostgreSQL composite from having its compositionRef changed once set.
+// This prevents accidental backend migrations (e.g. StackGres → CNPG) on live instances.
+//+kubebuilder:webhook:verbs=update,path=/validate-vshn-appcat-vshn-io-v1-xvshnpostgresql,mutating=false,failurePolicy=fail,groups=vshn.appcat.vshn.io,resources=xvshnpostgresqls,versions=v1,name=xvshnpostgresql.vshn.appcat.vshn.io,sideEffects=None,admissionReviewVersions=v1
+
 //RBAC
 //+kubebuilder:rbac:groups=vshn.appcat.vshn.io,resources=xvshnpostgresqls,verbs=get;list;watch;patch;update
 //+kubebuilder:rbac:groups=vshn.appcat.vshn.io,resources=xvshnpostgresqls/status,verbs=get;list;watch;patch;update
@@ -38,10 +42,12 @@ const (
 )
 
 var (
-	pgGK = schema.GroupKind{Group: "vshn.appcat.vshn.io", Kind: "VSHNPostgreSQL"}
-	pgGR = schema.GroupResource{Group: pgGK.Group, Resource: "vshnpostgresqls"}
+	pgGK  = schema.GroupKind{Group: "vshn.appcat.vshn.io", Kind: "VSHNPostgreSQL"}
+	pgGR  = schema.GroupResource{Group: pgGK.Group, Resource: "vshnpostgresqls"}
+	xpgGK = schema.GroupKind{Group: "vshn.appcat.vshn.io", Kind: "XVSHNPostgreSQL"}
 
 	_ webhook.CustomValidator = &PostgreSQLWebhookHandler{}
+	_ webhook.CustomValidator = &XVSHNPostgreSQLWebhookHandler{}
 
 	blocklist = map[string]string{
 		"listen_addresses":      "",
@@ -84,6 +90,46 @@ func SetupPostgreSQLWebhookHandlerWithManager(mgr ctrl.Manager, withQuota bool)
 		Complete()
 }
 
+// XVSHNPostgreSQLWebhookHandler validates the nested XVSHNPostgreSQL composite resource.
+// Its sole purpose is to make compositionRef immutable once set, preventing accidental
+// backend migrations on live nested instances (e.g. those created by VSHNKeycloak).
+type XVSHNPostgreSQLWebhookHandler struct{}
+
+// SetupXVSHNPostgreSQLWebhookHandlerWithManager registers the XVSHNPostgreSQL validation webhook.
+func SetupXVSHNPostgreSQLWebhookHandlerWithManager(mgr ctrl.Manager) error {
+	return ctrl.NewWebhookManagedBy(mgr).
+		For(&vshnv1.XVSHNPostgreSQL{}).
+		WithValidator(&XVSHNPostgreSQLWebhookHandler{}).
+		Complete()
+}
+
+func (x *XVSHNPostgreSQLWebhookHandler) ValidateCreate(_ context.Context, _ runtime.Object) (admission.Warnings, error) {
+	return nil, nil
+}
+
+func (x *XVSHNPostgreSQLWebhookHandler) ValidateUpdate(_ context.Context, oldObj, newObj runtime.Object) (admission.Warnings, error) {
+	oldPg, ok := oldObj.(*vshnv1.XVSHNPostgreSQL)
+	if !ok {
+		return nil, fmt.Errorf("provided manifest is not a valid XVSHNPostgreSQL object")
+	}
+	newPg, ok := newObj.(*vshnv1.XVSHNPostgreSQL)
+	if !ok {
+		return nil, fmt.Errorf("provided manifest is not a valid XVSHNPostgreSQL object")
+	}
+
+	if newPg.DeletionTimestamp != nil {
+		return nil, nil
+	}
+
+	allErrs := newFielErrors(newPg.Name, xpgGK)
+	allErrs.Add(validateCompositionRefImmutability(oldPg.Spec.CompositionRef.Name, newPg.Spec.CompositionRef.Name))
+	return nil, allErrs.Get()
+}
+
+func (x *XVSHNPostgreSQLWebhookHandler) ValidateDelete(_ context.Context, _ runtime.Object) (admission.Warnings, error) {
+	return nil, nil
+}
+
 func (p *PostgreSQLWebhookHandler) ValidateCreate(ctx context.Context, obj runtime.Object) (admission.Warnings, error) {
 	return p.validatePostgreSQL(ctx, obj, nil, true)
 }
@@ -151,9 +197,7 @@ func (p *PostgreSQLWebhookHandler) validatePostgreSQL(ctx context.Context, newOb
 
 		// Do not allow changing compositionRef if it has been set previously.
 		// When creating a new VSHNPostgresQL, crossplane will automatically set this field if unset.
-		if oldPg.Spec.CompositionRef.Name != "" && newPg.Spec.CompositionRef.Name != oldPg.Spec.CompositionRef.Name {
-			allErrs.Add(field.Forbidden(field.NewPath("spec", "compositionRef"), "compositionRef is immutable"))
-		}
+		allErrs.Add(validateCompositionRefImmutability(oldPg.Spec.CompositionRef.Name, newPg.Spec.CompositionRef.Name))
 
 		// Check for disk downsizing
 		if diskErr := p.DefaultWebhookHandler.ValidateDiskDownsizing(ctx, oldPg, newPg, p.gk.Kind); diskErr != nil {
@@ -389,6 +433,14 @@ func validatePostgreSQLEncryptionChanges(newEncryption, oldEncryption *vshnv1.VS
 	return nil
 }
 
+// validateCompositionRefImmutability returns a Forbidden error if the compositionRef name has changed after being set
+func validateCompositionRefImmutability(oldRef, newRef string) *field.Error {
+	if oldRef != "" && newRef != oldRef {
+		return field.Forbidden(field.NewPath("spec", "compositionRef"), "compositionRef is immutable")
+	}
+	return nil
+}
+
 // validatePinImageTag validates that pinImageTag's major version matches the specified majorVersion
 func validatePinImageTag(pinImageTag, majorVersion string) *field.Error {
 	if pinImageTag == "" {