fix: replacing of namespace annotation when kubevirt namespace is

set
When ssp CR contains kubevirt namespace as a target namespace
for pipelines, ssp operator recognized this namespace as user defined
and deployed configmaps and roleBindings to a single namespace, instead
of two namespaces. That broke our default pipeline flow. This
change adds a check if the pipeline namespace in the CR is kubevirt,
then it is not used as a user defined namespace and
kubevirt.io/deploy-namespace annotation is used instead.

Signed-off-by: Karel Simon <[email protected]>

internal/operands/tekton-pipelines/reconcile.go

@@ -27,6 +27,7 @@ const (
 	tektonCrd                  = "tasks.tekton.dev"
 	deployNamespaceAnnotation  = "kubevirt.io/deploy-namespace"
 	pipelineServiceAccountName = "pipeline"
+	kubevirtNamespace          = "kubevirt"
 )
 
 var namespaceRegex = regexp.MustCompile(namespacePattern)
@@ -133,9 +134,14 @@ func (t *tektonPipelines) Cleanup(request *common.Request) ([]common.CleanupResu
 		o := sa.DeepCopy()
 		objects = append(objects, o)
 	}
-	namespace, _ := getTektonPipelinesNamespace(request)
-	for i := range objects {
-		objects[i].SetNamespace(namespace)
+
+	namespace, userDefinedNamespace := getTektonPipelinesNamespace(request)
+	for i, o := range objects {
+		objectNamespace := namespace
+		if value, ok := o.GetAnnotations()[deployNamespaceAnnotation]; ok && !userDefinedNamespace {
+			objectNamespace = value
+		}
+		objects[i].SetNamespace(objectNamespace)
 	}
 
 	for _, cr := range t.clusterRoles {
@@ -281,7 +287,7 @@ func reconcileRoleBindingsFuncs(rolebindings []rbac.RoleBinding) []common.Reconc
 }
 
 func getTektonPipelinesNamespace(request *common.Request) (string, bool) {
-	if request.Instance.Spec.TektonPipelines != nil && request.Instance.Spec.TektonPipelines.Namespace != "" {
+	if request.Instance.Spec.TektonPipelines != nil && request.Instance.Spec.TektonPipelines.Namespace != "" && request.Instance.Spec.TektonPipelines.Namespace != kubevirtNamespace {
 		return request.Instance.Spec.TektonPipelines.Namespace, true
 	}
 	return request.Instance.Namespace, false

internal/operands/tekton-pipelines/reconcile_test.go

@@ -202,6 +202,53 @@ var _ = Describe("environments", func() {
 		})
 	})
 
+	Context("With kubevirt namespace in ssp CR for pipelines", func() {
+		BeforeEach(func() {
+			request.Instance.Spec.FeatureGates.DeployTektonTaskResources = true
+			request.Instance.Spec.TektonPipelines = &ssp.TektonPipelines{
+				Namespace: kubevirtNamespace,
+			}
+		})
+
+		It("kubevirt.io/deploy-namespace annotation in configMaps should not be replaced", func() {
+			_, err := operand.Reconcile(request)
+			Expect(err).ToNot(HaveOccurred())
+
+			for _, configMap := range bundle.ConfigMaps {
+				objNamespace := namespace
+
+				if configMap.Name == "test-cm" {
+					configMap.Namespace = testDifferentNamespace
+					objNamespace = testDifferentNamespace
+				}
+
+				key := client.ObjectKeyFromObject(&configMap)
+				cm := &v1.ConfigMap{}
+				Expect(request.Client.Get(request.Context, key, cm)).ToNot(HaveOccurred())
+				Expect(cm.Namespace).To(Equal(objNamespace), cm.Name+" configMap namespace should equal")
+			}
+		})
+
+		It("kubevirt.io/deploy-namespace annotation in roleBindings should not be replaced", func() {
+			_, err := operand.Reconcile(request)
+			Expect(err).ToNot(HaveOccurred())
+
+			for _, roleBinding := range bundle.RoleBindings {
+				objNamespace := namespace
+
+				if roleBinding.Name == "test-rb" {
+					roleBinding.Namespace = testDifferentNamespace
+					objNamespace = testDifferentNamespace
+				}
+
+				key := client.ObjectKeyFromObject(&roleBinding)
+				rb := &rbac.RoleBinding{}
+				Expect(request.Client.Get(request.Context, key, rb)).ToNot(HaveOccurred())
+				Expect(rb.Namespace).To(Equal(objNamespace), rb.Name+" roleBinding namespace should equal")
+			}
+		})
+	})
+
 	Context("Without user defined namespace in ssp CR for pipelines", func() {
 		BeforeEach(func() {
 			request.Instance.Spec.FeatureGates.DeployTektonTaskResources = true