Skip to content

Fix CEL to actually block deprecated resource create#313

Merged
carlydf merged 2 commits intomainfrom
actually-block-create-with-cel
May 1, 2026
Merged

Fix CEL to actually block deprecated resource create#313
carlydf merged 2 commits intomainfrom
actually-block-create-with-cel

Conversation

@carlydf
Copy link
Copy Markdown
Collaborator

@carlydf carlydf commented May 1, 2026

What was changed

Without optionalOldSelf: true, oldSelf is either present (on update) or rule is skipped (on create).
We want the rule to be enforced on create!
Also, oldSelf != nil doesn't work, must be hasValue()

Why?

To behave as documented and expected after deprecating the old CRDs

Checklist

  1. Closes

  2. How was this tested:
    In local cluster I tested that you could update an existing object, but that you could not create one.
    Also tested with the old rule and saw that it did not actually block creation.

Note: regardless of the CEL rule, all operations (get, delete, describe, etc) print this warning, which is nice:

Warning: TemporalConnection is deprecated. Use Connection instead.
  1. Any docs updates needed?

@carlydf carlydf requested review from a team and jlegrone as code owners May 1, 2026 17:29
@carlydf @claude
Bump envtest to 1.29.0 to support optionalOldSelf CEL validation
8195966 
optionalOldSelf/hasValue() require Kubernetes 1.29+.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@carlydf carlydf merged commit d89cb15 into main May 1, 2026
18 checks passed
@carlydf carlydf deleted the actually-block-create-with-cel branch May 1, 2026 18:32
carlydf added a commit that referenced this pull request May 1, 2026
@carlydf @claude
Fix CEL to actually block deprecated resource create (#313)
f14adb9 
<!--- Note to EXTERNAL Contributors -->
<!-- Thanks for opening a PR! 
If it is a significant code change, please **make sure there is an open
issue** for this.
We work best with you when we have accepted the idea first before you
code. -->

<!--- For ALL Contributors 👇 -->

## What was changed
Without `optionalOldSelf: true`, oldSelf is either present (on update)
or rule is skipped (on create).
We want the rule to be enforced on create!
Also, oldSelf != nil doesn't work, must be hasValue()

## Why?
To behave as documented and expected after deprecating the old CRDs

## Checklist
<!--- add/delete as needed --->

1. Closes <!-- add issue number here -->

2. How was this tested:
In local cluster I tested that you could update an existing object, but
that you could not create one.
Also tested with the old rule and saw that it did not actually block
creation.

Note: regardless of the CEL rule, all operations (get, delete, describe,
etc) print this warning, which is nice:
```
Warning: TemporalConnection is deprecated. Use Connection instead.
```

3. Any docs updates needed?
<!--- update README if applicable
      or point out where to update docs.temporal.io -->

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jaypipes jaypipes jaypipes approved these changes

@jlegrone jlegrone Awaiting requested review from jlegrone jlegrone is a code owner

Assignees

No one assigned

Labels

release/v1.7.0

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@carlydf @jaypipes