feat(CNTRLPLANE-2678): enforce restoreSnapshotURL immutability via CEL

Add CEL validation rule to prevent day-2 modifications of the
restoreSnapshotURL field. This ensures the field can only be set at
creation time, which aligns with the existing API contract and makes
the OADP restoration workflow safe without changing the field semantics.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Juan Manuel Parrilla Madrid <jparrill@redhat.com>

Author: jparrill

api/hypershift/v1beta1/hostedcluster_types.go

@@ -1924,6 +1924,11 @@ const (
 var DefaultPersistentVolumeEtcdStorageSize resource.Quantity = resource.MustParse("8Gi")
 
 // ManagedEtcdStorageSpec describes the storage configuration for etcd data.
+//
+// This struct-level rule complements the field-level "self == oldSelf" on restoreSnapshotURL.
+// The field-level rule catches value changes but does not fire when the field is removed
+// (CEL skips optional fields absent in the updated object). This rule covers that case.
+// +kubebuilder:validation:XValidation:rule="!has(oldSelf.restoreSnapshotURL) || (has(self.restoreSnapshotURL) && self.restoreSnapshotURL == oldSelf.restoreSnapshotURL)", message="restoreSnapshotURL is immutable"
 type ManagedEtcdStorageSpec struct {
 	// type is the kind of persistent storage implementation to use for etcd.
 	// Only PersistentVolume is supported at the moment.
@@ -1952,6 +1957,8 @@ type ManagedEtcdStorageSpec struct {
 	// +kubebuilder:validation:MaxItems=1
 	// +kubebuilder:validation:items:MaxLength=1024
 	// +kubebuilder:validation:XValidation:rule="self.size() <= 1", message="RestoreSnapshotURL shouldn't contain more than 1 entry"
+	// +kubebuilder:validation:XValidation:rule="self == oldSelf", message="restoreSnapshotURL is immutable"
+	// +kubebuilder:validation:XValidation:rule="self.size() == 0 || self[0].matches('^(https|s3)://.*')", message="restoreSnapshotURL must be a valid URL with scheme https or s3"
 	RestoreSnapshotURL []string `json:"restoreSnapshotURL,omitempty"`
 }