fix(ci): eliminate race conditions for parallel deployments

Address 3 critical race conditions identified by Qodo code review:

**1. Shared temp files in helm::merge_values (Bug #1)**
- BEFORE: Used fixed paths /tmp/step-without-plugins.yaml and
  /tmp/step-only-plugins.yaml
- AFTER: Generate unique temp files per invocation via mktemp
- WHY: Concurrent helm::merge_values calls would overwrite each other's
  intermediate files, corrupting merged values

**2. Kubeconfig global state mutation (Bug #2)**
- BEFORE: namespace::configure and apply_yaml_files both ran
  `oc config set-context --current --namespace=...`
- AFTER: Removed all oc config set-context calls; added explicit
  --namespace flag to all oc/kubectl apply commands that lacked it
- WHY: Parallel deployments racing on current context would apply
  resources to nondeterministic namespaces

**3. In-place YAML file edits (Bug #3)**
- BEFORE: apply_yaml_files used sed -i to modify shared YAML templates
  directly in the repo
- AFTER: Copy templates to per-deployment tmpdir, patch copies, apply
  from tmpdir
- WHY: Concurrent sed -i edits would clobber each other and apply
  manifests with wrong namespace fields

All three bugs would have caused nondeterministic deployment failures
when base_deployment and rbac_deployment run in parallel.

Changes:
- .ci/pipelines/lib/helm.sh: mktemp + trap cleanup for intermediate files
- .ci/pipelines/lib/namespace.sh: Remove oc config set-context
- .ci/pipelines/utils.sh: Tmpdir for YAML patches, explicit --namespace
  on all oc apply calls

Author: gustavolira

.ci/pipelines/lib/helm.sh

@@ -32,15 +32,19 @@ helm::merge_values() {
   local base_file=$2
   local diff_file=$3
   local final_file=$4
-  local step_1_file="/tmp/step-without-plugins.yaml"
-  local step_2_file="/tmp/step-only-plugins.yaml"
 
   if [[ -z "$plugin_operation" || -z "$base_file" || -z "$diff_file" || -z "$final_file" ]]; then
     log::error "Missing required parameters"
     log::info "Usage: helm::merge_values <operation> <base_file> <diff_file> <output_file>"
     return 1
   fi
 
+  # Use unique temp files per invocation to support parallel deployments
+  local step_1_file step_2_file
+  step_1_file=$(mktemp "${TMPDIR:-/tmp}/helm-merge-step1-XXXXXX.yaml")
+  step_2_file=$(mktemp "${TMPDIR:-/tmp}/helm-merge-step2-XXXXXX.yaml")
+  trap 'rm -f "${step_1_file}" "${step_2_file}"' RETURN
+
   if [[ "$plugin_operation" == "merge" ]]; then
     # Step 1: Merge files, excluding the .global.dynamic.plugins key
     # Values from `diff_file` override those in `base_file`

.ci/pipelines/lib/namespace.sh

@@ -83,12 +83,15 @@ namespace::setup_image_pull_secret() {
 # ==============================================================================
 
 # Function: namespace::configure
-# Description: Deletes and recreates a namespace, then sets it as current context
+# Description: Deletes and recreates a namespace
 # Arguments:
 #   $1 - project: The namespace/project name
 # Returns:
 #   0 - Success
 #   Exits on failure
+# Notes:
+#   Does not set kubeconfig current context to support parallel deployments.
+#   All downstream oc/kubectl commands must use explicit --namespace flag.
 namespace::configure() {
   local project=$1
   log::warn "Deleting and recreating namespace: $project"
@@ -98,10 +101,6 @@ namespace::configure() {
     log::error "Error: Failed to create namespace ${project}" >&2
     exit 1
   fi
-  if ! oc config set-context --current --namespace="${project}"; then
-    log::error "Error: Failed to set context for namespace ${project}" >&2
-    exit 1
-  fi
 
   echo "Namespace ${project} is ready."
   return 0

.ci/pipelines/utils.sh

@@ -300,28 +300,35 @@ apply_yaml_files() {
   local rhdh_base_url=$3
   log::info "Applying YAML files to namespace ${project}"
 
-  oc config set-context --current --namespace="${project}"
+  # Create temporary directory for namespace-patched YAMLs (parallel-deployment safe)
+  local tmpdir
+  tmpdir=$(mktemp -d "${TMPDIR:-/tmp}/apply-yaml-${project}-XXXXXX")
+  trap 'rm -rf "${tmpdir}"' RETURN
 
+  # Copy and patch YAML files that need namespace substitution
   local files=(
     "$dir/resources/service_account/service-account-rhdh.yaml"
     "$dir/resources/cluster_role_binding/cluster-role-binding-k8s.yaml"
     "$dir/resources/cluster_role/cluster-role-k8s.yaml"
   )
 
   for file in "${files[@]}"; do
-    common::sed_inplace "s/namespace:.*/namespace: ${project}/g" "$file"
+    local basename
+    basename=$(basename "$file")
+    sed "s/namespace:.*/namespace: ${project}/g" "$file" > "${tmpdir}/${basename}"
   done
 
   DH_TARGET_URL=$(common::base64_encode "test-backstage-customization-provider-${project}.${K8S_CLUSTER_ROUTER_BASE}")
   RHDH_BASE_URL=$(common::base64_encode "$rhdh_base_url")
   RHDH_BASE_URL_HTTP=$(common::base64_encode "${rhdh_base_url/https/http}")
   export DH_TARGET_URL RHDH_BASE_URL RHDH_BASE_URL_HTTP
 
-  oc apply -f "$dir/resources/service_account/service-account-rhdh.yaml" --namespace="${project}"
+  # Apply YAMLs from tmpdir (patched) or original location (no patch needed)
+  oc apply -f "${tmpdir}/service-account-rhdh.yaml" --namespace="${project}"
   oc apply -f "$dir/auth/service-account-rhdh-secret.yaml" --namespace="${project}"
 
-  oc apply -f "$dir/resources/cluster_role/cluster-role-k8s.yaml" --namespace="${project}"
-  oc apply -f "$dir/resources/cluster_role_binding/cluster-role-binding-k8s.yaml" --namespace="${project}"
+  oc apply -f "${tmpdir}/cluster-role-k8s.yaml" --namespace="${project}"
+  oc apply -f "${tmpdir}/cluster-role-binding-k8s.yaml" --namespace="${project}"
 
   envsubst < "${DIR}/auth/secrets-rhdh-secrets.yaml" | oc apply --namespace="${project}" -f -
 
@@ -349,15 +356,15 @@ apply_yaml_files() {
   # Tekton tests are not executed in showcase-k8s or showcase-rbac-k8s projects
   if [[ "$JOB_NAME" != *"aks"* && "$JOB_NAME" != *"eks"* && "$JOB_NAME" != *"gke"* ]]; then
     # Create Pipeline run for tekton test case.
-    oc apply -f "$dir/resources/pipeline-run/hello-world-pipeline.yaml"
-    oc apply -f "$dir/resources/pipeline-run/hello-world-pipeline-run.yaml"
+    oc apply -f "$dir/resources/pipeline-run/hello-world-pipeline.yaml" --namespace="${project}"
+    oc apply -f "$dir/resources/pipeline-run/hello-world-pipeline-run.yaml" --namespace="${project}"
 
     # Create Deployment and Pipeline for Topology test.
-    oc apply -f "$dir/resources/topology_test/topology-test.yaml"
+    oc apply -f "$dir/resources/topology_test/topology-test.yaml" --namespace="${project}"
     if [[ -z "${IS_OPENSHIFT}" || "${IS_OPENSHIFT}" == "false" ]]; then
-      kubectl apply -f "$dir/resources/topology_test/topology-test-ingress.yaml"
+      kubectl apply -f "$dir/resources/topology_test/topology-test-ingress.yaml" --namespace="${project}"
     else
-      oc apply -f "$dir/resources/topology_test/topology-test-route.yaml"
+      oc apply -f "$dir/resources/topology_test/topology-test-route.yaml" --namespace="${project}"
     fi
   else
     log::info "Skipping Tekton Pipeline and Topology resources for K8s deployment (${JOB_NAME})"