From bea25d90a69d5ccd71ae43a117df525b97af7e37 Mon Sep 17 00:00:00 2001
From: Patryk Diak <pdiak@redhat.com>
Date: Mon, 4 Aug 2025 17:03:54 +0200
Subject: [PATCH] Avoid webhook race with ovn-kubernetes on install

Add CEL expression to ignore default/openshift-ovn-kubernetes NAD to prevent
circular dependency where ovn-k fails to start because multus webhook blocks
NAD creation, while webhook uses cluster-networked pdos which require ovn-k to be running.

Signed-off-by: Patryk Diak <pdiak@redhat.com>
---
 bindata/network/multus-admission-controller/003-webhook.yaml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/bindata/network/multus-admission-controller/003-webhook.yaml b/bindata/network/multus-admission-controller/003-webhook.yaml
index 533001a069..49d9d46b7e 100644
--- a/bindata/network/multus-admission-controller/003-webhook.yaml
+++ b/bindata/network/multus-admission-controller/003-webhook.yaml
@@ -31,6 +31,9 @@ webhooks:
       # On updates, only validate if the Spec changes
       - name: CreateDeleteOrUpdatedSpec
         expression: oldObject == null || object == null || object.spec != oldObject.spec
+      # Ignore default/openshift-ovn-kubernetes NAD to avoid a race between ovn-kubernetes and the multus webhook on install
+      - name: IgnoreDefaultOVNKubernetesNAD
+        expression: object == null || object.metadata.namespace != "openshift-ovn-kubernetes" || object.metadata.name != "default"
     sideEffects: NoneOnDryRun
     admissionReviewVersions:
     - v1