From 46199356579d7610fc4555615a1a4916b846e88d Mon Sep 17 00:00:00 2001 From: Tim Rozet Date: Thu, 9 Jan 2025 11:22:39 -0500 Subject: [PATCH 1/2] Disable adding/removing the UDN namespace label UDN namespace label will be required when namespaces are created in order to use a primary UDN in that namespace. Co-authored-by: Patryk Diak Signed-off-by: Tim Rozet (cherry picked from commit 4668f71220e44c1c4a4a2640eb3e3d259df3b398) --- .../common/udn-admission-policy.yaml | 32 +++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 bindata/network/ovn-kubernetes/common/udn-admission-policy.yaml
diff --git a/bindata/network/ovn-kubernetes/common/udn-admission-policy.yaml b/bindata/network/ovn-kubernetes/common/udn-admission-policy.yaml
new file mode 100644
index 0000000000..f6c3a5f443
--- /dev/null
+++ b/bindata/network/ovn-kubernetes/common/udn-admission-policy.yaml
@@ -0,0 +1,32 @@
+{{if .OVN_NETWORK_SEGMENTATION_ENABLE}}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+ name: user-defined-networks-namespace-label
+spec:
+ matchConstraints:
+ resourceRules:
+ - apiGroups: [""]
+ apiVersions: ["v1"]
+ operations: ["UPDATE"]
+ resources: ["namespaces"]
+ failurePolicy: Fail
+ validations:
+ - expression: "('k8s.ovn.org/primary-user-defined-network' in oldObject.metadata.labels) == ('k8s.ovn.org/primary-user-defined-network' in object.metadata.labels)"
+ message: "The 'k8s.ovn.org/primary-user-defined-network' label cannot be added/removed after the namespace was created"
+
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+ name: user-defined-networks-namespace-label-binding
+spec:
+ policyName: disable-udn-label-change
+ validationActions: [Deny]
+ matchResources:
+ resourceRules:
+ - apiGroups: [""]
+ apiVersions: ["v1"]
+ operations: ["UPDATE"]
+ resources: ["namespaces"]
+{{end}}
From ff1666af3c18cdfefc38267fc6c60f3a508352b7 Mon Sep 17 00:00:00 2001
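Review bot: The validation expression dereferences `oldObject.metadata.labels` and `object.metadata.labels` without `has()` guards; in Kubernetes CEL an unset field is, as far as I can tell, an evaluation error rather than an empty map, and with `failurePolicy: Fail` that error rejects the namespace UPDATE outright instead of yielding a true/false verdict. In practice every namespace carries the apiserver-managed `kubernetes.io/metadata.name` label so the labels map is rarely absent, but the policy should not rely on that: `expression: "(has(oldObject.metadata.labels) && 'k8s.ovn.org/primary-user-defined-network' in oldObject.metadata.labels) == (has(object.metadata.labels) && 'k8s.ovn.org/primary-user-defined-network' in object.metadata.labels)"`. The check also only pins the key's presence, so the label's value can still be changed on UPDATE; if the primary network must stay fixed for the namespace's lifetime, compare the values under the same guards as well, and say so in the `message`. A short comment above the policy stating why only UPDATE is matched (the label is expected to be set at CREATE) would help the next reader.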
From: Patryk Diak Date: Mon, 13 Jan 2025 20:32:09 +0100 Subject: [PATCH 2/2] Fix user-defined-networks-namespace-label binding Signed-off-by: Patryk Diak (cherry picked from commit 91b8a784242abd127049ba11ee74a4181c10ca38) --- bindata/network/ovn-kubernetes/common/udn-admission-policy.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/bindata/network/ovn-kubernetes/common/udn-admission-policy.yaml b/bindata/network/ovn-kubernetes/common/udn-admission-policy.yaml
index f6c3a5f443..ee815f7f94 100644
--- a/bindata/network/ovn-kubernetes/common/udn-admission-policy.yaml
+++ b/bindata/network/ovn-kubernetes/common/udn-admission-policy.yaml
@@ -21,7 +21,7 @@ kind: ValidatingAdmissionPolicyBinding
 metadata:
 name: user-defined-networks-namespace-label-binding
 spec:
- policyName: disable-udn-label-change
+ policyName: user-defined-networks-namespace-label
 validationActions: [Deny]
 matchResources:
 resourceRules: