use CEL to enforce immutable featureset

config/v1/tests/featuregates.config.openshift.io/AAA_ungated.yaml

@@ -12,3 +12,83 @@ tests:
         apiVersion: config.openshift.io/v1
         kind: FeatureGate
         spec: {}
+    - name: Can create TechPreview
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: FeatureGate
+        spec:
+          featureSet: TechPreviewNoUpgrade
+      expected: |
+        apiVersion: config.openshift.io/v1
+        kind: FeatureGate
+        spec:
+          featureSet: TechPreviewNoUpgrade
+  onUpdate:
+    - name: Default to TechPreview
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: FeatureGate
+        spec:
+          featureSet: ""
+      updated: |
+        apiVersion: config.openshift.io/v1
+        kind: FeatureGate
+        spec:
+          featureSet: TechPreviewNoUpgrade
+      expected: |
+        apiVersion: config.openshift.io/v1
+        kind: FeatureGate
+        spec:
+          featureSet: TechPreviewNoUpgrade
+    - name: TechPreview to Default
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: FeatureGate
+        spec:
+          featureSet: TechPreviewNoUpgrade
+      updated: |
+        apiVersion: config.openshift.io/v1
+        kind: FeatureGate
+        spec:
+          featureSet: ""
+      expectedError: "TechPreviewNoUpgrade may not be changed"
+    - name: TechPreview to Custom
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: FeatureGate
+        spec:
+          featureSet: TechPreviewNoUpgrade
+      updated: |
+        apiVersion: config.openshift.io/v1
+        kind: FeatureGate
+        spec:
+          featureSet: CustomNoUpgrade
+      expectedError: "TechPreviewNoUpgrade may not be changed"
+    - name: Default to Custom
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: FeatureGate
+        spec:
+          featureSet: ""
+      updated: |
+        apiVersion: config.openshift.io/v1
+        kind: FeatureGate
+        spec:
+          featureSet: CustomNoUpgrade
+      expected: |
+        apiVersion: config.openshift.io/v1
+        kind: FeatureGate
+        spec:
+          featureSet: CustomNoUpgrade
+    - name: Custom to Default
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: FeatureGate
+        spec:
+          featureSet: CustomNoUpgrade
+      updated: |
+        apiVersion: config.openshift.io/v1
+        kind: FeatureGate
+        spec:
+          featureSet: ""
+      expectedError: "CustomNoUpgrade may not be changed"

config/v1/types_feature.go

@@ -65,6 +65,8 @@ type FeatureGateSelection struct {
 	// Turning on or off features may cause irreversible changes in your cluster which cannot be undone.
 	// +unionDiscriminator
 	// +optional
+	// +kubebuilder:validation:XValidation:rule="oldSelf == 'CustomNoUpgrade' ? self == 'CustomNoUpgrade' : true",message="CustomNoUpgrade may not be changed"
+	// +kubebuilder:validation:XValidation:rule="oldSelf == 'TechPreviewNoUpgrade' ? self == 'TechPreviewNoUpgrade' : true",message="TechPreviewNoUpgrade may not be changed"
 	FeatureSet FeatureSet `json:"featureSet,omitempty"`
 
 	// customNoUpgrade allows the enabling or disabling of any feature. Turning this feature set on IS NOT SUPPORTED, CANNOT BE UNDONE, and PREVENTS UPGRADES.

config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_featuregates.crd.yaml

@@ -73,6 +73,13 @@ spec:
                   on or off features may cause irreversible changes in your cluster
                   which cannot be undone.
                 type: string
+                x-kubernetes-validations:
+                - message: CustomNoUpgrade may not be changed
+                  rule: 'oldSelf == ''CustomNoUpgrade'' ? self == ''CustomNoUpgrade''
+                    : true'
+                - message: TechPreviewNoUpgrade may not be changed
+                  rule: 'oldSelf == ''TechPreviewNoUpgrade'' ? self == ''TechPreviewNoUpgrade''
+                    : true'
             type: object
           status:
             description: status holds observed values from the cluster. They may not

config/v1/zz_generated.featuregated-crd-manifests/featuregates.config.openshift.io/AAA_ungated.yaml

@@ -74,6 +74,13 @@ spec:
                   on or off features may cause irreversible changes in your cluster
                   which cannot be undone.
                 type: string
+                x-kubernetes-validations:
+                - message: CustomNoUpgrade may not be changed
+                  rule: 'oldSelf == ''CustomNoUpgrade'' ? self == ''CustomNoUpgrade''
+                    : true'
+                - message: TechPreviewNoUpgrade may not be changed
+                  rule: 'oldSelf == ''TechPreviewNoUpgrade'' ? self == ''TechPreviewNoUpgrade''
+                    : true'
             type: object
           status:
             description: status holds observed values from the cluster. They may not

payload-manifests/crds/0000_10_config-operator_01_featuregates.crd.yaml

@@ -73,6 +73,13 @@ spec:
                   on or off features may cause irreversible changes in your cluster
                   which cannot be undone.
                 type: string
+                x-kubernetes-validations:
+                - message: CustomNoUpgrade may not be changed
+                  rule: 'oldSelf == ''CustomNoUpgrade'' ? self == ''CustomNoUpgrade''
+                    : true'
+                - message: TechPreviewNoUpgrade may not be changed
+                  rule: 'oldSelf == ''TechPreviewNoUpgrade'' ? self == ''TechPreviewNoUpgrade''
+                    : true'
             type: object
           status:
             description: status holds observed values from the cluster. They may not