From ef328cf1c72b50db90f2a8bc253d7bfe64940779 Mon Sep 17 00:00:00 2001
From: Simon Gerber
Date: Wed, 8 Mar 2023 16:35:52 +0100
Subject: [PATCH] Don't take over ownership of OpenShift-managed namespace `openshift-operators`
---
component/main.jsonnet | 52 ++++++++++++-------
.../openshift-operators.yaml | 39 ++++++++------
tests/openshift-operators.yml | 12 ++++-
3 files changed, 66 insertions(+), 37 deletions(-)
diff --git a/component/main.jsonnet b/component/main.jsonnet
index 83ff085..86d1cfc 100644
--- a/component/main.jsonnet
+++ b/component/main.jsonnet
@@ -2,32 +2,44 @@ local kap = import 'lib/kapitan.libjsonnet'; local kube = import 'lib/kube.libjsonnet'; local operatorlib = import 'lib/openshift4-operators.libsonnet'; +local po = import 'lib/patch-operator.libsonnet'; + local inv = kap.inventory(); local params = inv.parameters.openshift4_operators; local namespace = operatorlib.validateInstance(params.namespace); -{ - [namespace]: [ - kube.Namespace(namespace) { - metadata+: { - annotations+: std.prune(params.namespaceAnnotations), - labels+: { - // enable cluster monitoring when instantiating to manage - // namespace openshift-operators-redhat - 'openshift.io/cluster-monitoring': - '%s' % [ namespace == 'openshift-operators-redhat' ], - // ignore namespace by user-workload monitoring - 'openshift.io/user-monitoring': 'false', - }, - }, +local nsmeta = { + metadata+: { + annotations+: std.prune(params.namespaceAnnotations), + labels+: { + // enable cluster monitoring when instantiating to manage + // namespace openshift-operators-redhat + 'openshift.io/cluster-monitoring': + '%s' % [ namespace == 'openshift-operators-redhat' ], + // ignore namespace by user-workload monitoring + 'openshift.io/user-monitoring': 'false', }, - // Create cluster-scoped OperatorGroup - operatorlib.OperatorGroup(namespace) { - metadata+: { - namespace: namespace, - }, + }, +}; +local ns = kube.Namespace(namespace) + nsmeta; + +local operatorgroup = + // Create cluster-scoped OperatorGroup + operatorlib.OperatorGroup(namespace) { + metadata+: { + namespace: namespace, }, - ], + }; + +local nspatch = po.Patch(ns, nsmeta); + +{ + [namespace]: + if namespace != 'openshift-operators' then [ + ns, + operatorgroup, + ] + else nspatch, } diff --git a/tests/golden/openshift-operators/openshift-operators/openshift4-operators/openshift-operators.yaml b/tests/golden/openshift-operators/openshift-operators/openshift4-operators/openshift-operators.yaml index e9d0e39..9ee6fd1 100644 
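Review bot: The final `if namespace != 'openshift-operators'` branch carries the whole ownership decision but has no comment, and the new runtime dependency on patch-operator is only visible from the added import. I would add a comment above the output object such as `// openshift-operators is created and managed by OpenShift: only patch its metadata, never emit the Namespace or an OperatorGroup for it`. In the patch case the labels and annotations are written by the service account the Patch runs as (the golden output shows `patch-sa` in `syn-patch-operator`), so that account's RBAC on Namespace objects becomes part of this component's trust boundary; its scope is not visible here and should be confirmed. On clusters where an earlier version already synced the Namespace and OperatorGroup, dropping them from the output may trigger pruning depending on the Argo CD sync policy, so an upgrade note seems warranted.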
--- a/tests/golden/openshift-operators/openshift-operators/openshift4-operators/openshift-operators.yaml +++ b/tests/golden/openshift-operators/openshift-operators/openshift4-operators/openshift-operators.yaml @@ -1,19 +1,26 @@ -apiVersion: v1 -kind: Namespace +apiVersion: redhatcop.redhat.io/v1alpha1 +kind: Patch metadata: annotations: - openshift.io/node-selector: node-role.kubernetes.io/infra= + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true labels: - name: openshift-operators - openshift.io/cluster-monitoring: 'false' - openshift.io/user-monitoring: 'false' - name: openshift-operators ---- -apiVersion: operators.coreos.com/v1 -kind: OperatorGroup -metadata: - annotations: {} - labels: - name: openshift-operators - name: openshift-operators - namespace: openshift-operators + name: namespace-openshift-operators-29c692296e708c9 + name: namespace-openshift-operators-29c692296e708c9 + namespace: syn-patch-operator +spec: + patches: + namespace-openshift-operators-29c692296e708c9-patch: + patchTemplate: |- + "metadata": + "annotations": + "openshift.io/node-selector": "node-role.kubernetes.io/infra=" + "labels": + "openshift.io/cluster-monitoring": "false" + "openshift.io/user-monitoring": "false" + patchType: application/strategic-merge-patch+json + targetObjectRef: + apiVersion: v1 + kind: Namespace + name: openshift-operators + serviceAccountRef: + name: patch-sa diff --git a/tests/openshift-operators.yml b/tests/openshift-operators.yml index e0c9eb5..d42ebe2 100644 --- a/tests/openshift-operators.yml +++ b/tests/openshift-operators.yml @@ -1 +1,11 @@ -parameters: {} +parameters: + kapitan: + dependencies: + - type: https + source: https://raw.githubusercontent.com/projectsyn/component-patch-operator/v1.1.0/lib/patch-operator.libsonnet + output_path: vendor/lib/patch-operator.libsonnet + + patch_operator: + namespace: syn-patch-operator + patch_serviceaccount: + name: patch-sa
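Review bot: In `tests/openshift-operators.yml` the `source:` URL for `patch-operator.libsonnet` is pinned only to the tag `v1.1.0`, which upstream can move, and nothing in this file verifies the fetched content. The library is evaluated when the component is compiled, so a changed file would silently change the rendered Patch manifest and the golden output. Pinning the path to a full commit instead, e.g. `.../component-patch-operator/<commit-sha>/lib/patch-operator.libsonnet` (placeholder, to be filled with the commit behind v1.1.0), would keep the test input reproducible.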