We must create ns and operatorgroup only when the the gitopssubnamespace is not openshift-operators

Author: mbaldessari

templates/policies/ocp-gitops-policy.yaml

@@ -26,22 +26,6 @@ spec:
             include:
               - default
           object-templates:
-            {{- if $.Values.global.gitOpsSubNamespace }}
-            - complianceType: mustonlyhave
-              objectDefinition:
-                apiVersion: v1
-                kind: Namespace
-                metadata:
-                  name: {{ $.Values.global.gitOpsSubNamespace }}
-            - complianceType: mustonlyhave
-              objectDefinition:
-                apiVersion: operators.coreos.com/v1
-                kind: OperatorGroup
-                metadata:
-                  name: {{ $.Values.global.gitOpsSubNamespace }}-operator-group
-                  namespace: {{ $.Values.global.gitOpsSubNamespace }}
-                spec:
-            {{- end }}
             - complianceType: mustonlyhave
               objectDefinition:
                 # This is an auto-generated file. DO NOT EDIT
@@ -69,6 +53,22 @@ spec:
                   namespace: openshift-gitops
                   labels:
                     config.openshift.io/inject-trusted-cabundle: 'true'
+            {{- if ne $.Values.global.gitOpsSubNamespace "openshift-operators" }}
+            - complianceType: mustonlyhave
+              objectDefinition:
+                apiVersion: v1
+                kind: Namespace
+                metadata:
+                  name: {{ $.Values.global.gitOpsSubNamespace }}
+            - complianceType: mustonlyhave
+              objectDefinition:
+                apiVersion: operators.coreos.com/v1
+                kind: OperatorGroup
+                metadata:
+                  name: {{ $.Values.global.gitOpsSubNamespace }}-operator-group
+                  namespace: {{ $.Values.global.gitOpsSubNamespace }}
+                spec:
+            {{- end }}
 ---
 apiVersion: policy.open-cluster-management.io/v1
 kind: PlacementBinding

tests/gitops_sub_namespace_test.yaml

@@ -62,10 +62,10 @@ tests:
           path: spec.policy-templates[0].objectDefinition.spec.object-templates[0].objectDefinition.metadata.namespace
           pattern: ^openshift-operators$
 
-  - it: should create namespace object-template when gitOpsSubNamespace is set
+  - it: should create namespace object-template when gitOpsSubNamespace is set to something other than openshift-operators
     set:
       global:
-        gitOpsSubNamespace: my-gitops-ns
+        gitOpsSubNamespace: yolo
       clusterGroup:
         managedClusterGroups:
           region-one:
@@ -78,16 +78,16 @@ tests:
           path: metadata.name
           value: region-one-gitops-policy
         equal:
-          path: spec.policy-templates[0].objectDefinition.spec.object-templates[0].objectDefinition.kind
+          path: spec.policy-templates[0].objectDefinition.spec.object-templates[2].objectDefinition.kind
           value: Namespace
       - documentSelector:
           path: metadata.name
           value: region-one-gitops-policy
         equal:
-          path: spec.policy-templates[0].objectDefinition.spec.object-templates[0].objectDefinition.metadata.name
-          value: my-gitops-ns
+          path: spec.policy-templates[0].objectDefinition.spec.object-templates[2].objectDefinition.metadata.name
+          value: yolo
 
-  - it: should create operatorgroup object-template when gitOpsSubNamespace is set
+  - it: should create operatorgroup object-template when gitOpsSubNamespace is set to something other than openshift-operators
     set:
       global:
         gitOpsSubNamespace: my-gitops-ns
@@ -103,21 +103,40 @@ tests:
           path: metadata.name
           value: region-one-gitops-policy
         equal:
-          path: spec.policy-templates[0].objectDefinition.spec.object-templates[1].objectDefinition.kind
+          path: spec.policy-templates[0].objectDefinition.spec.object-templates[3].objectDefinition.kind
           value: OperatorGroup
       - documentSelector:
           path: metadata.name
           value: region-one-gitops-policy
         equal:
-          path: spec.policy-templates[0].objectDefinition.spec.object-templates[1].objectDefinition.metadata.name
+          path: spec.policy-templates[0].objectDefinition.spec.object-templates[3].objectDefinition.metadata.name
           value: my-gitops-ns-operator-group
       - documentSelector:
           path: metadata.name
           value: region-one-gitops-policy
         equal:
-          path: spec.policy-templates[0].objectDefinition.spec.object-templates[1].objectDefinition.metadata.namespace
+          path: spec.policy-templates[0].objectDefinition.spec.object-templates[3].objectDefinition.metadata.namespace
           value: my-gitops-ns
 
+  - it: should not create operatorgroup nor namespace object-template when gitOpsSubNamespace is set to openshift-operators
+    set:
+      global:
+        gitOpsSubNamespace: openshift-operators
+      clusterGroup:
+        managedClusterGroups:
+          region-one:
+            name: region-one
+            acmlabels:
+              - name: clusterGroup
+                value: region-one
+    asserts:
+      - documentSelector:
+          path: metadata.name
+          value: region-one-gitops-policy
+        lengthEqual:
+          path: spec.policy-templates[0].objectDefinition.spec.object-templates
+          count: 2 # Just subscription and configmap
+
   - it: should use gitOpsSubNamespace as subscription namespace when set
     set:
       global:
@@ -134,5 +153,5 @@ tests:
           path: metadata.name
           value: region-one-gitops-policy
         matchRegex:
-          path: spec.policy-templates[0].objectDefinition.spec.object-templates[2].objectDefinition.metadata.namespace
+          path: spec.policy-templates[0].objectDefinition.spec.object-templates[3].objectDefinition.metadata.namespace
           pattern: ^my-gitops-ns$