From aa7981f7e386daf8ec79e2dfd54b255feaaaae19 Mon Sep 17 00:00:00 2001
From: Valentin Knabel <dev@vknabel.com>
Date: Fri, 2 Feb 2024 11:35:31 +0100
Subject: [PATCH] fix: always allow to add new isolation rule (#375)

---
 pkg/apis/metal/validation/cloudprofile.go     |  2 +-
 .../metal/validation/cloudprofile_test.go     | 44 +++++++++++++++++++
 2 files changed, 45 insertions(+), 1 deletion(-)

diff --git a/pkg/apis/metal/validation/cloudprofile.go b/pkg/apis/metal/validation/cloudprofile.go
index 11417e3b6..bd183079e 100644
--- a/pkg/apis/metal/validation/cloudprofile.go
+++ b/pkg/apis/metal/validation/cloudprofile.go
@@ -146,7 +146,7 @@ func ValidateImmutableCloudProfileConfig(
 				continue
 			}
 
-			if partition.NetworkIsolation == nil && oldPartition.NetworkIsolation == nil {
+			if oldPartition.NetworkIsolation == nil {
 				continue
 			}
 
diff --git a/pkg/apis/metal/validation/cloudprofile_test.go b/pkg/apis/metal/validation/cloudprofile_test.go
index cf1afb927..efb6ae7fb 100644
--- a/pkg/apis/metal/validation/cloudprofile_test.go
+++ b/pkg/apis/metal/validation/cloudprofile_test.go
@@ -398,6 +398,50 @@ var _ = Describe("CloudProfileConfig validation", func() {
 			Expect(errorList).To(BeEmpty())
 		})
 
+		It("should pass when isolation not existing previously", func() {
+			newCloudProfileConfig.MetalControlPlanes = map[string]apismetal.MetalControlPlane{
+				"prod": {
+					Partitions: map[string]apismetal.Partition{
+						"partition-b": {
+							NetworkIsolation: &apismetal.NetworkIsolation{
+								AllowedNetworks: apismetal.AllowedNetworks{
+									Ingress: []string{"10.0.0.1/24"},
+									Egress:  []string{"100.0.0.1/24"},
+								},
+								DNSServers: []string{"1.1.1.1", "1.0.0.1"},
+								NTPServers: []string{"134.60.1.27", "134.60.111.110"},
+								RegistryMirrors: []apismetal.RegistryMirror{
+									{
+										Name:     "metal-stack registry",
+										Endpoint: "https://some.registry",
+										IP:       "1.2.3.4",
+										Port:     443,
+										MirrorOf: []string{
+											"ghcr.io",
+											"quay.io",
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			}
+			oldCloudProfileConfig.MetalControlPlanes = map[string]apismetal.MetalControlPlane{
+				"prod": {
+					Partitions: map[string]apismetal.Partition{
+						"partition-b": {
+							NetworkIsolation: nil,
+						},
+					},
+				},
+			}
+
+			errorList := ValidateImmutableCloudProfileConfig(newCloudProfileConfig, oldCloudProfileConfig, path)
+
+			Expect(errorList).To(BeEmpty())
+		})
+
 		It("should pass when changing anything except dns", func() {
 			newCloudProfileConfig.MetalControlPlanes = map[string]apismetal.MetalControlPlane{
 				"prod": {