From 6e45afe69aceab029e26a68470f5e1fd781a4220 Mon Sep 17 00:00:00 2001 From: Martin Jackson Date: Fri, 17 Apr 2026 08:33:10 -0500 Subject: [PATCH 1/2] Add some missing elements to JSON schema --- .github/workflows/jsonschema.yaml | 4 +- Chart.yaml | 2 +- README.md.gotmpl | 1 + tests/application_target_cluster_test.yaml | 28 ++++++++ .../fixtures/values-cluster-group-schema.yaml | 31 ++++++++ values.schema.json | 70 +++++++++++++++++-- 6 files changed, 130 insertions(+), 6 deletions(-) create mode 100644 tests/application_target_cluster_test.yaml create mode 100644 tests/fixtures/values-cluster-group-schema.yaml diff --git a/.github/workflows/jsonschema.yaml b/.github/workflows/jsonschema.yaml index 3d57500..b73929e 100644 --- a/.github/workflows/jsonschema.yaml +++ b/.github/workflows/jsonschema.yaml @@ -30,4 +30,6 @@ jobs: - name: Verify ClusterGroup values.schema.json run: | - check-jsonschema --schemafile ./values.schema.json "values.yaml" + check-jsonschema --schemafile ./values.schema.json \ + "values.yaml" \ + "tests/fixtures/values-cluster-group-schema.yaml" diff --git a/Chart.yaml b/Chart.yaml index 35e19e3..582351a 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -3,7 +3,7 @@ description: A Helm chart to create per-clustergroup ArgoCD applications and any keywords: - pattern name: clustergroup -version: 0.9.48 +version: 0.9.49 home: https://github.com/validatedpatterns/clustergroup-chart maintainers: - name: Validated Patterns Team diff --git a/README.md.gotmpl b/README.md.gotmpl index 22983df..627c15a 100644 --- a/README.md.gotmpl +++ b/README.md.gotmpl @@ -9,6 +9,7 @@ This chart is used to set up the basic building blocks in [Validated Patterns](h ### Notable changes +* v0.9.49: Ensure schema matches what we template. Add missing elements and correct some entries. * v0.9.48: Templates in override values now render * v0.9.45: Default value of `resourceTrackingMethod` is now `annotation` * v0.9.44: Default value of `resourceTrackingMethod` is now `annotation` 
diff --git a/tests/application_target_cluster_test.yaml b/tests/application_target_cluster_test.yaml new file mode 100644 index 0000000..623a15e --- /dev/null +++ b/tests/application_target_cluster_test.yaml @@ -0,0 +1,28 @@ +suite: Test clusterGroup.targetCluster on Argo CD Applications +templates: + - templates/plumbing/applications.yaml +release: + name: release-test +tests: + - it: should set spec.destination.name from clusterGroup.targetCluster + set: + global: + repoURL: https://github.com/validatedpatterns/multicloud-gitops + multiSourceRepoUrl: https://charts.validatedpatterns.io + clusterGroup: + name: example + targetCluster: my-remote-cluster + namespaces: [] + applications: + acm: + name: acm + namespace: open-cluster-management + project: hub + chart: acm + chartVersion: 0.1.* + asserts: + - hasDocuments: + count: 1 + - equal: + path: spec.destination.name + value: my-remote-cluster diff --git a/tests/fixtures/values-cluster-group-schema.yaml b/tests/fixtures/values-cluster-group-schema.yaml new file mode 100644 index 0000000..f97964c --- /dev/null +++ b/tests/fixtures/values-cluster-group-schema.yaml @@ -0,0 +1,31 @@ +# Minimal values exercised by check-jsonschema in CI to keep clusterGroup fields +# used by templates aligned with values.schema.json. +global: + options: + syncPolicy: Automatic + installPlanApproval: Automatic + useCSV: true + multiSourceRepoUrl: https://charts.validatedpatterns.io + +clusterGroup: + name: schema-fixture + targetCluster: spoke-cluster-1 + namespaces: [] + sharedValueFiles: + - values-{{ $.Values.clusterGroup.name }}.yaml + applications: + schema-fixture-app: + name: schema-fixture-app + namespace: fixture-ns + project: default + path: charts/fixture + overrides: + - name: plain-override + value: plain + - name: tpl-override + value: "{{ .Values.global.multiSourceRepoUrl }}" + forceString: true + syncPolicy: manual + fileParameters: + - name: some-values + path: secrets://config/values.yaml 
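Review bot: The only assertion on the destination is `spec.destination.name`, so this test would still pass if the template also emitted `spec.destination.server`, a combination Argo CD rejects. Adding `- notExists:` with `path: spec.destination.server` to `asserts` would pin that. A second case with `targetCluster` unset, asserting the default destination, would catch a regression that routes applications to a cluster they were not meant for. The template is not part of this diff, so the expected default has to be taken from `templates/plumbing/applications.yaml`.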
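Review bot: The fixture's header comment says it keeps template-used fields aligned with `values.schema.json`, but `namespaces: []` leaves the `operatorGroup` and `targetNamespaces` properties added in this same commit unvalidated. `syncPolicy: manual` likewise covers only the string branch of the new `anyOf`. A namespace entry carrying both keys and a second application with an object `syncPolicy` would cover them. Every case here is one that must pass, so nothing in CI would notice if `additionalProperties: false` or a `required` list were later dropped; a small must-fail fixture, checked with an inverted exit status, would close that gap.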
diff --git a/values.schema.json b/values.schema.json index 8c20a22..7828ec9 100644 --- a/values.schema.json +++ b/values.schema.json @@ -178,6 +178,10 @@ "readOnly": true, "description": "URL of the pattern's git repository, it is set automatically by the pattern's operator" }, + "multiSourceRepoUrl": { + "type": "string", + "description": "Default Helm repository URL for multisource Argo CD Applications when an application entry does not set repoURL. Passed as a Helm parameter and used by templates under global.multiSourceRepoUrl." + }, "hubClusterDomain": { "type": "string", "readOnly": true, @@ -516,6 +520,17 @@ "disabled": { "type": "boolean", "description": "Whether to disable namespace creation. If set to true, the namespace will be skipped." + }, + "operatorGroup": { + "type": "boolean", + "description": "When false, no OperatorGroup is created for this namespace map entry." + }, + "targetNamespaces": { + "type": "array", + "description": "OperatorGroup spec.targetNamespaces entries; when set and non-empty, overrides the default single-namespace target.", + "items": { + "type": "string" + } } } }, 
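Review bot: `global.multiSourceRepoUrl` is described as the repository charts are pulled from when an application sets no `repoURL`, yet the schema accepts any string, including an empty one or an `http://` URL. If only TLS or OCI repositories are intended (not stated in this hunk), a constraint such as `"pattern": "^(https|oci)://"` plus `"minLength": 1` would reject a plaintext or blank chart source at validation time. The neighbouring `repoURL` carries `"readOnly": true`; the description should say whether this key is operator-set as well or expected to be edited by pattern authors.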
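Review bot: In the `@@ -516,6 +520,17 @@` hunk the `targetNamespaces` items are a bare `"type": "string"`, so an empty entry validates. The description says the list overrides the default single-namespace target of the OperatorGroup, so `"minLength": 1` on the item would keep an accidental `""` out of `spec.targetNamespaces`. The `operatorGroup` description covers only the `false` case; stating what happens when the key is omitted would make the default explicit. The namespace-entry object starts and ends outside the hunk.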
@@ -613,19 +628,66 @@ "description": "List of extra fields that will be passed to ArgoCD." }, "overrides": { - "type": "object" + "type": "array", + "description": "Extra Helm parameters for this application; rendered under spec.source.helm.parameters or spec.sources[1].helm.parameters.", + "items": { + "type": "object", + "additionalProperties": false, + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string", + "description": "Parameter value; may contain Helm tpl expressions evaluated with the chart root context." + }, + "forceString": { + "type": "boolean", + "description": "When true, sets forceString on the Argo CD Application helm parameter." + } + }, + "required": [ + "name", + "value" + ] + } }, "fileParameters": { "type": "array", - "description": "FileParameters are file parameters to the helm template" + "description": "FileParameters are file parameters to the helm template", + "items": { + "type": "object", + "additionalProperties": false, + "properties": { + "name": { + "type": "string" + }, + "path": { + "type": "string" + } + }, + "required": [ + "name", + "path" + ] + } }, "ignoreDifferences": { "type": "array", "description": "IgnoreDifferences is a list of resources and their fields which should be ignored during comparison" }, "syncPolicy": { - "type": "object", - "description": "SyncPolicy controls when and how a sync will be performed" + "anyOf": [ + { + "type": "string", + "description": "When set to Manual (any case), Argo CD syncPolicy is omitted for this application. Automatic uses the chart default. Other strings follow the same lowercasing rules in templates." + }, + { + "type": "object", + "description": "Passed through to the Application spec.syncPolicy field as JSON." + } + ], + "description": "SyncPolicy controls when and how a sync will be performed; may be a string (e.g. Manual) or an object merged into the Application." }, "namespace": { "type": "string", 
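Review bot: `overrides[].value` is declared `"type": "string"` and is required, so a values file that passes an unquoted boolean or number (`value: true`, `value: 3`) will fail Helm's schema validation; the new fixture only exercises string values. Whether existing patterns pass non-string override values is not visible from this diff, but if they do the property should accept them, for example `"type": ["string", "number", "boolean"]`. The description also says the value is rendered through `tpl` with the chart root context, which lets an override string read anything reachable from that context. It should state that override values are expected to come only from trusted values files. The enclosing application-item object starts and ends outside the hunk.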
From 5b237875a565861176beb36484ceecf55dce7f13 Mon Sep 17 00:00:00 2001 From: Martin Jackson Date: Mon, 11 May 2026 15:47:46 -0500 Subject: [PATCH 2/2] Add SS-CSI ssCsiWorkloadAuth to values schema and release 0.9.53 Document optional workload-auth fields (namespace inferred per vp-sscsi-spc), refresh README, and reword imperative ansibleDevMode comments for textlint. Co-authored-by: Cursor --- Chart.yaml | 2 +- README.md | 10 +++++----- README.md.gotmpl | 1 + values.schema.json | 35 +++++++++++++++++++++++++++++++++++ values.yaml | 6 +++--- 5 files changed, 45 insertions(+), 9 deletions(-) diff --git a/Chart.yaml b/Chart.yaml index 99e1ad0..85e12b7 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -3,7 +3,7 @@ description: A Helm chart to create per-clustergroup ArgoCD applications and any keywords: - pattern name: clustergroup -version: 0.9.52 +version: 0.9.53 home: https://github.com/validatedpatterns/clustergroup-chart maintainers: - name: Validated Patterns Team diff --git a/README.md b/README.md index 86cab7a..beadb62 100644 --- a/README.md +++ b/README.md @@ -1,7 +1,6 @@ # clustergroup - -![Version: 0.9.52](https://img.shields.io/badge/Version-0.9.52-informational?style=flat-square) +![Version: 0.9.53](https://img.shields.io/badge/Version-0.9.53-informational?style=flat-square) A Helm chart to create per-clustergroup ArgoCD applications and any required namespaces or subscriptions. 
@@ -9,6 +8,7 @@ This chart is used to set up the basic building blocks in [Validated Patterns](h ### Notable changes +* v0.9.53: Schema documents SS-CSI (Secrets Store CSI with Vault) workload metadata on `clusterGroup.applications`: optional `ssCsiWorkloadAuth` array with required `serviceAccount` and `roleSlug`, optional `namespace` (vp-sscsi-spc infers from the referenced application and chart values when omitted), and optional `cluster`. Aligns with pattern values used by rhvp.cluster_utils and vp-sscsi-spc (see multicloud-gitops and aap-starter-kit). * v0.9.52: Add ansibleDevMode (requirements.yml injection and optional ansibleCfgFile/ansibleCfgContent) to simplify rhvp.cluster_utils development. Add extraPlaybookArgs to imperative as well. * v0.9.50: Add support to custom `rbac` in `ArgoDC.spec` * v0.9.49: Boolean Templates in override values now also render correctly 
@@ -88,10 +88,10 @@ clusterGroup: | clusterGroup.imperative.adminServiceAccountCreate | bool | `true` | | | clusterGroup.imperative.adminServiceAccountName | string | `"imperative-admin-sa"` | | | clusterGroup.imperative.ansibleDevMode.ansibleCfgContent | string | `""` | Inline ansible.cfg; when non-empty, written to ansibleCfgFile before ansible-galaxy (so galaxy and playbooks honor collections_path, etc.). | -| clusterGroup.imperative.ansibleDevMode.ansibleCfgFile | string | `"ansible.cfg"` | Path under the cloned pattern repo for optional injected ansible.cfg (written from ansibleCfgContent when set). | -| clusterGroup.imperative.ansibleDevMode.enabled | bool | `false` | When true, run an init container before imperative playbooks that can install collections and optionally write ansible.cfg into the cloned repo (/git/repo). | +| clusterGroup.imperative.ansibleDevMode.ansibleCfgFile | string | `"ansible.cfg"` | Path under the cloned pattern repository for optional injected ansible.cfg (written from ansibleCfgContent when set). | +| clusterGroup.imperative.ansibleDevMode.enabled | bool | `false` | When true, run an init container before imperative playbooks that can install collections and optionally write ansible.cfg into the cloned pattern checkout in the workload. | | clusterGroup.imperative.ansibleDevMode.requirementsContent | string | `""` | Inline requirements.yml; when non-empty, written to requirementsFile before galaxy install. | -| clusterGroup.imperative.ansibleDevMode.requirementsFile | string | `"requirements.yml"` | Path under the cloned pattern repo for ansible-galaxy -r (written from requirementsContent when set). | +| clusterGroup.imperative.ansibleDevMode.requirementsFile | string | `"requirements.yml"` | Path under the cloned pattern repository for ansible-galaxy -r (written from requirementsContent when set). 
| | clusterGroup.imperative.clusterRoleName | string | `"imperative-cluster-role"` | | | clusterGroup.imperative.clusterRoleYaml | string | `""` | | | clusterGroup.imperative.cronJobName | string | `"imperative-cronjob"` | | diff --git a/README.md.gotmpl b/README.md.gotmpl index e09fd63..2ffd348 100644 --- a/README.md.gotmpl +++ b/README.md.gotmpl @@ -9,6 +9,7 @@ This chart is used to set up the basic building blocks in [Validated Patterns](h ### Notable changes +* v0.9.53: Schema documents SS-CSI (Secrets Store CSI with Vault) workload metadata on `clusterGroup.applications`: optional `ssCsiWorkloadAuth` array with required `serviceAccount` and `roleSlug`, optional `namespace` (vp-sscsi-spc infers from the referenced application and chart values when omitted), and optional `cluster`. Aligns with pattern values used by rhvp.cluster_utils and vp-sscsi-spc (see multicloud-gitops and aap-starter-kit). * v0.9.52: Add ansibleDevMode (requirements.yml injection and optional ansibleCfgFile/ansibleCfgContent) to simplify rhvp.cluster_utils development. Add extraPlaybookArgs to imperative as well. * v0.9.50: Add support to custom `rbac` in `ArgoDC.spec` * v0.9.49: Boolean Templates in override values now also render correctly diff --git a/values.schema.json b/values.schema.json index 1903c50..a4393eb 100644 --- a/values.schema.json +++ b/values.schema.json 
@@ -566,6 +566,34 @@ } } }, + "SsCsiWorkloadAuthEntry": { + "type": "object", + "additionalProperties": false, + "description": "Secrets Store CSI with Vault workload identity metadata. Patterns such as multicloud-gitops and aap-starter-kit pass this under clusterGroup.applications for rhvp.cluster_utils (vault_ss_csi_workload_auth) and for vp-sscsi-spc-style charts. The Vault Kubernetes auth role name follows -sscsi- (hub mount or spoke cluster domain as mount).", + "properties": { + "serviceAccount": { + "type": "string", + "description": "Service account whose token is associated with the Vault role." + }, + "namespace": { + "type": "string", + "description": "Namespace of the service account. Optional: vp-sscsi-spc falls back to ocpSecretsStoreCsiVault.secretProviderClass.namespace, then clusterGroup.applications[applicationKey].namespace for the referenced application, then the Helm release namespace." + }, + "roleSlug": { + "type": "string", + "description": "Stable slug used as the suffix in the Vault role name (-sscsi-)." + }, + "cluster": { + "type": "string", + "description": "Optional cluster label (for example hub on a standalone cluster) when workload auth rows must be disambiguated." + } + }, + "required": [ + "serviceAccount", + "roleSlug" + ], + "title": "SsCsiWorkloadAuthEntry" + }, "Applications": { "type": "object", "description": "Description of the applications that will be created in the ArgoCD instances. The Application CRD is the Kubernetes resource object representing a deployed application instance in an environment. Two ways of defining applications: Using a list or using a dictionary.", 
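Review bot: `serviceAccount`, `namespace` and `roleSlug` are unconstrained strings, so `""` satisfies `required` and a value such as `*` validates. These fields describe a Vault Kubernetes auth role binding, and if the consumer (not visible in this diff) copies them into the role's bound service-account or namespace list, a wildcard or blank entry could widen the role beyond one workload. Adding `"minLength": 1` and a name pattern such as `"pattern": "^[a-z0-9]([-a-z0-9.]*[a-z0-9])?$"` to these properties would reject both cases in the schema. The `namespace` description lists a three-step fallback when the key is omitted; for a credential binding it may be safer to recommend setting it explicitly. The `ssCsiWorkloadAuth` array added in the later `@@ -713,6 +741,13 @@` hunk inherits the same gap through its `$ref`, and has no `uniqueItems` guard against duplicate entries.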
@@ -713,6 +741,13 @@ "disabled": { "type": "boolean", "description": "Whether to disable application creation. If set to true, the application will be skipped." + }, + "ssCsiWorkloadAuth": { + "type": "array", + "description": "List of SS-CSI (Secrets Store CSI with Vault) workload auth bindings for this application, for example on openshift-sscsi-vault or an app chart that consumes the same metadata (see Validated Patterns multicloud-gitops / aap-starter-kit).", + "items": { + "$ref": "#/definitions/SsCsiWorkloadAuthEntry" + } } }, "required": [ diff --git a/values.yaml b/values.yaml index 07295dd..6b25748 100644 --- a/values.yaml +++ b/values.yaml @@ -148,13 +148,13 @@ clusterGroup: jobs: [] image: quay.io/validatedpatterns/imperative-container:v1 ansibleDevMode: - # -- When true, run an init container before imperative playbooks that can install collections and optionally write ansible.cfg into the cloned repo (/git/repo). + # -- When true, run an init container before imperative playbooks that can install collections and optionally write ansible.cfg into the cloned pattern checkout in the workload. enabled: false - # -- Path under the cloned pattern repo for ansible-galaxy -r (written from requirementsContent when set). + # -- Path under the cloned pattern repository for ansible-galaxy -r (written from requirementsContent when set). requirementsFile: "requirements.yml" # -- Inline requirements.yml; when non-empty, written to requirementsFile before galaxy install. requirementsContent: "" - # -- Path under the cloned pattern repo for optional injected ansible.cfg (written from ansibleCfgContent when set). + # -- Path under the cloned pattern repository for optional injected ansible.cfg (written from ansibleCfgContent when set). ansibleCfgFile: "ansible.cfg" # -- Inline ansible.cfg; when non-empty, written to ansibleCfgFile before ansible-galaxy (so galaxy and playbooks honor collections_path, etc.). ansibleCfgContent: ""