From 1f72d794c7e8b872c86512701638fa51dbde8a04 Mon Sep 17 00:00:00 2001
From: Gemma Hou
Date: Mon, 18 Nov 2024 23:38:53 +0000
Subject: [PATCH] Use CEL rule to validate field immutability
---
 apis/compute/v1beta1/firewallpolicyrule_types.go | 2 ++
 ...tefirewallpolicyrules.compute.cnrm.cloud.google.com.yaml | 6 ++++++
 2 files changed, 8 insertions(+)
diff --git a/apis/compute/v1beta1/firewallpolicyrule_types.go b/apis/compute/v1beta1/firewallpolicyrule_types.go
index f546f0f18f..d67649936c 100644
--- a/apis/compute/v1beta1/firewallpolicyrule_types.go
+++ b/apis/compute/v1beta1/firewallpolicyrule_types.go
@@ -102,12 +102,14 @@ type ComputeFirewallPolicyRuleSpec struct {
 // +optional
 EnableLogging *bool `json:"enableLogging,omitempty"`
+ // +kubebuilder:validation:XValidation:rule="self == oldSelf",message="the field is immutable"
 /* Immutable. */
 FirewallPolicyRef *refs.ComputeFirewallPolicyRef `json:"firewallPolicyRef"`
 /* A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced. */
 Match *FirewallPolicyRuleMatch `json:"match"`
+ // +kubebuilder:validation:XValidation:rule="self == oldSelf",message="the field is immutable"
 /* Immutable. An integer indicating the priority of a rule in the list. The priority must be a positive value between 0 and 2147483647. Rules are evaluated from highest to lowest priority where 0 is the highest priority and 2147483647 is the lowest prority. */
 Priority int64 `json:"priority"`
diff --git a/config/crds/resources/apiextensions.k8s.io_v1_customresourcedefinition_computefirewallpolicyrules.compute.cnrm.cloud.google.com.yaml b/config/crds/resources/apiextensions.k8s.io_v1_customresourcedefinition_computefirewallpolicyrules.compute.cnrm.cloud.google.com.yaml
index 9a47b7d509..560e48e351 100644
--- a/config/crds/resources/apiextensions.k8s.io_v1_customresourcedefinition_computefirewallpolicyrules.compute.cnrm.cloud.google.com.yaml
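Review bot: The `self == oldSelf` rule added above `FirewallPolicyRef` compares the reference object as it is written, not the policy it resolves to, and the field comment still says only `/* Immutable. */`. If `refs.ComputeFirewallPolicyRef` (defined outside this hunk) accepts more than one way to name the same policy, an update that only rewrites the reference in another form would be rejected, so the comment should say so, for example `/* Immutable. The reference is compared as written; changing its form counts as a change. */`. The same marker on `Priority` is a transition rule too: it runs only on updates, and only where the API server honours `x-kubernetes-validations`, so any existing controller-side immutability check for these two fields should stay as the fallback rather than be removed on the strength of this change. The commit touches only the type and the CRD, so a test that updates `priority` and `firewallPolicyRef` and expects the rejection would pin the behaviour. The struct continues outside the hunk.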
+++ b/config/crds/resources/apiextensions.k8s.io_v1_customresourcedefinition_computefirewallpolicyrules.compute.cnrm.cloud.google.com.yaml @@ -112,6 +112,9 @@ spec: resource. type: string type: object + x-kubernetes-validations: + - message: the field is immutable + rule: self == oldSelf match: description: A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is @@ -217,6 +220,9 @@ spec: where 0 is the highest priority and 2147483647 is the lowest prority. format: int64 type: integer + x-kubernetes-validations: + - message: the field is immutable + rule: self == oldSelf targetResources: items: oneOf: