enhancement(pni-crd): enforce immutable spec and add property for IP constraints

[aranta-rokade]

Reason for Change:

1. Make PNI CRD immutable using Kubernetes validations
2. Add a new optional property for enforcing IPContstraints
3. Fix deprecated messages for properties - PodNetworkConfigs

Issue Fixed:
Making PNI CRD immutable, allows PNIs to retry reconcile after failure, for the cases when IP allocations become available.
The new property is added in preparation to support new feature to enforce an IP constraint on the subnet. Reservations will be added from the IP or cidr provided in the IPConstraint field.

• uses conventional commit messages
• includes documentation
• adds unit tests
• relevant PR labels added

Tested PNI - I will add these test cases on dncrc UT

<style> </style>

Test:	create	update	delete
no IPConstraint with podIPReservationSize: 0 (dynamic)	yes	not allowed	yes
no IPConstraint with podIPReservationSize: 1 (static)	yes	not allowed	yes
no IPConstraint with podIPReservationSize: 2 (static)	yes	not allowed	yes
IPConstraint: with podIPReservationSize: 0 (dynamic)	yes	not allowed	yes
IPConstraint: with podIPReservationSize: 1 (static)	yes	not allowed	yes
IPConstraint: with podIPReservationSize: 2 (static)	yes	not allowed	yes
IPConstraint: 198.176.10.1 with podIPReservationSize: 0 (dynamic ipconstraint - not supported)	not allowed The PodNetworkInstance "pni1" is invalid: spec.podNetworkConfigs[0]: Invalid value: "object": ipConstraint is only allowed when podIPReservationSize is 1	N/A No resources found in default namespace.	N/A
IPConstraint: 198.176.10.1 with podIPReservationSize: 1 (static ipconstraint - supported with 1 reservation)	yes	not allowed The PodNetworkInstance "pni1" is invalid: : Invalid value: "object": Spec is immutable.	not deleting currently due to dncrc not updated
IPConstraint: 198.176.10.1 with podIPReservationSize: 2 (static ipconstraint with > 1 reservation - not supported)	not allowed The PodNetworkInstance "pni1" is invalid: spec.podNetworkConfigs[0]: Invalid value: "object": ipConstraint is only allowed when podIPReservationSize is 1	N/A	N/A
IPConstraint with prefix: 198.176.10.1/31 with podIPReservationSize: 1 (static ipconstraint - supported with 1 reservation)	not allowed - prefix 31 The PodNetworkInstance "pni1" is invalid: spec.podNetworkConfigs[0].ipConstraint: Invalid value: "10.10.10.1/21": spec.podNetworkConfigs[0].ipConstraint in body should match '^$|^((25[0-5]|(2[0-4]|1\d|[1-9]|)\d).){3}(25[0-5]|(2[0-4]|1\d|[1-9]|)\d)(/32)?$'	N/A	N/A
IPConstraint: 198.176.110.1123/32 with podIPReservationSize: 1 (static ipconstraint - supported with 1 reservation) (max length)	yes	not allowed The PodNetworkInstance "pni1" is invalid: : Invalid value: "object": Spec is immutable	not deleting currently due to dncrc not updated
IPConstraint: 2001:db8:1234::/32 with podIPReservationSize: 1 (static ipconstraint - supported with 1 reservation)	The PodNetworkInstance "pni3" is invalid: spec.podNetworkConfigs[0].ipConstraint: Invalid value: "2001:db8:1234::/32": spec.podNetworkConfigs[0].ipConstraint in body should match '^$|^((25[0-5]|(2[0-4]|1\d|[1-9]|)\d).){3}(25[0-5]|(2[0-4]|1\d|[1-9]|)\d)(/32)?$'	N/A	N/A

[Copilot]

Pull request overview

This PR adds immutability validation to the PodNetworkInstance CRD's spec field using Kubernetes CEL validation rules. The goal is to prevent modifications to the PNI spec after creation, which allows PNIs to retry reconciliation after failures when IP allocations become available.

• Adds kubebuilder XValidation annotation to enforce self.spec == oldSelf.spec
• Updates generated CRD manifest with x-kubernetes-validations
• Adds documentation comments explaining the validation rule and its requirements

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File	Description
crd/multitenancy/api/v1alpha1/podnetworkinstance.go	Adds kubebuilder XValidation annotation to PodNetworkInstance type to enforce spec immutability
crd/multitenancy/manifests/multitenancy.acn.azure.com_podnetworkinstances.yaml	Updates generated CRD manifest with x-kubernetes-validations rule to enforce spec immutability

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[github-actions]

This pull request is stale because it has been open for 2 weeks with no activity. Remove stale label or comment or this will be closed in 7 days

[github-actions]

Pull request closed due to inactivity.

[miguelgoms]

lets remove the 'code comments' for the kubebuilder validation rule from the CRD description compiled by kubebuilder? the consumer of the CRD doesn't need to know this is output from the tool, and the rule is already self-descriptive in the yaml.

[miguelgoms]

if we need to document the rule in more detail, that should be part of the message of the rule.

[aranta-rokade]

Removed the comments.

[miguelgoms]

shouldn't this have additional kubebuilder markers? at min. // +kubebuilder:validation:Optional.
check podnetwork for examples, https://book.kubebuilder.io/reference/markers/crd-validation.html?highlight=required#crd-validation for reference

[miguelgoms]

also document example format / usage.

[aranta-rokade]

I had added this validation for cidr check, but the CEL validation cost was too high.
// +kubebuilder:validation:XValidation:rule="self == '' || isIP(self) || isCIDR(self)",message="must be a valid IPv4/IPv6 address or CIDR"

So, I added this MaxLength:
// +kubebuilder:validation:MaxLength=43

But the cost is still too high, copilot is suggesting to add MaxItems on PodNetworkConfig array -> but this is incorrect.

adding just the Optional validation for now, which I had missed earlier

[aranta-rokade]

done, added the optional validation + description with example and format

[kmurudi]

immutable spec changes lgtm

[isaac-dasan]

Since ipConstraint has +kubebuilder:default="", the field is always present post-defaulting. This makes has(self.ipConstraint) redundant in the XValidation rule. Simplified the rule to validate purely on value semantics: empty string is always allowed, and non-empty ipConstraint is only allowed when podIPReservationSize == 1. This keeps the invariant clear and aligns with CRD defaulting behavior.