validatedpatterns · mbaldessari · Oct 1, 2025 · Sep 29, 2025 · Sep 30, 2025
diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
@@ -57,3 +57,55 @@ Default always defined valueFiles to be included when pushing the cluster wide a
 - name: global.experimentalCapabilities
   value: {{ $.Values.global.experimentalCapabilities }}
 {{- end }} {{- /*acm.app.policies.helmparameters */}}
+
+{{- define "acm.app.clusterSelector" -}}
+{{- $cs := .clusterSelector -}}
+{{- $g  := default (dict) .group -}}
+{{- $rawLabels := get $g "acmlabels" -}}
+{{- $isSlice := kindIs "slice" $rawLabels -}}
+{{- $isMap   := kindIs "map"   $rawLabels -}}
+{{- $hasAny  := and $rawLabels (gt (len $rawLabels) 0) -}}
+{{- if $cs -}}
+clusterSelector: {{ $cs | toPrettyJson }}
+{{- else if not $hasAny -}}
+clusterSelector:
+  matchExpressions:
+    - key: local-cluster
+      operator: NotIn
+      values:
+        - 'true'
+  matchLabels:
+    clusterGroup: {{ $g.name }}
+{{- else if $isSlice -}}
+clusterSelector:
+  matchExpressions:
+    - key: local-cluster
+      operator: NotIn
+      values:
+        - 'true'
+  matchLabels:
+{{- range $rawLabels }}
+    {{ .name }}: {{ .value }}
+{{- end }}
+{{- else if $isMap -}}
+clusterSelector:
+  matchExpressions:
+    - key: local-cluster
+      operator: NotIn
+      values:
+        - 'true'
+  matchLabels:
+{{- range $k, $v := $rawLabels }}
+    {{ $k }}: {{ $v }}
+{{- end }}
+{{- else -}} {{- /* Fallback: unknown acmlabels shape then default to group */}}
+clusterSelector:
+  matchExpressions:
+    - key: local-cluster
+      operator: NotIn
+      values:
+        - 'true'
+  matchLabels:
+    clusterGroup: {{ $g.name }}
+{{- end -}}
+{{- end -}} {{- /*acm.app.clusterSelector */}}
diff --git a/templates/policies/acm-hub-ca-policy.yaml b/templates/policies/acm-hub-ca-policy.yaml
@@ -1,11 +1,12 @@
 # This pushes out the HUB's Certificate Authorities on to the imported clusters
 {{- if .Values.clusterGroup.isHubCluster }}
-{{- if (eq (((.Values.global).secretStore).backend) "vault") }}
+{{- range .Values.clusterGroup.managedClusterGroups }}
+{{- $group := . }}
 ---
 apiVersion: policy.open-cluster-management.io/v1
 kind: Policy
 metadata:
-  name: acm-hub-ca-policy
+  name: hub-argo-ca-{{ .name }}-policy
   annotations:
     argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
     argocd.argoproj.io/compare-options: IgnoreExtraneous
@@ -17,32 +18,21 @@ spec:
         apiVersion: policy.open-cluster-management.io/v1
         kind: ConfigurationPolicy
         metadata:
-          name: acm-hub-ca-config-policy
+          name: hub-argo-ca-{{ .name }}-config
         spec:
           remediationAction: enforce
           severity: medium
           namespaceSelector:
             include:
               - default
           object-templates:
-            - complianceType: mustonlyhave
-              objectDefinition:
-                kind: Secret
-                apiVersion: v1
-                type: Opaque
-                metadata:
-                  name: hub-ca
-                  namespace: golang-external-secrets
-                data:
-                  hub-kube-root-ca.crt: '{{ `{{hub fromConfigMap "" "kube-root-ca.crt" "ca.crt" | base64enc hub}}` }}'
-                  hub-openshift-service-ca.crt: '{{ `{{hub fromConfigMap "" "openshift-service-ca.crt" "service-ca.crt" | base64enc hub}}` }}'
             - complianceType: mustonlyhave
               objectDefinition:
                 kind: ConfigMap
                 apiVersion: v1
                 metadata:
                   name: trusted-hub-bundle
-                  namespace: imperative
+                  namespace: {{ $.Values.global.pattern }}-{{ .name }}
                 data:
                   hub-kube-root-ca.crt: |
                     {{ `{{hub fromConfigMap "" "kube-root-ca.crt" "ca.crt" | autoindent hub}}` }}
@@ -52,39 +42,38 @@ spec:
 apiVersion: policy.open-cluster-management.io/v1
 kind: PlacementBinding
 metadata:
-  name: acm-hub-ca-policy-placement-binding
+  name: hub-argo-ca-{{ .name }}-placement-binding
   annotations:
     argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
 placementRef:
-  name: acm-hub-ca-policy-placement
+  name: hub-argo-ca-{{ .name }}-placement
   kind: PlacementRule
   apiGroup: apps.open-cluster-management.io
 subjects:
-  - name: acm-hub-ca-policy
+  - name: hub-argo-ca-{{ .name }}-policy
     kind: Policy
     apiGroup: policy.open-cluster-management.io
 ---
 apiVersion: apps.open-cluster-management.io/v1
 kind: PlacementRule
 metadata:
-  name: acm-hub-ca-policy-placement
+  name: hub-argo-ca-{{ .name }}-placement
   annotations:
     argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
 spec:
   clusterConditions:
     - status: 'True'
       type: ManagedClusterConditionAvailable
-  clusterSelector:
-    matchExpressions:
-      - key: local-cluster
-        operator: NotIn
-        values:
-          - 'true'
+{{- include "acm.app.clusterSelector" (dict 
+  "clusterSelector" .clusterSelector
+  "group" $group
+  ) | nindent 2 }}
+{{- if (eq ((($.Values.global).secretStore).backend) "vault") }}
 ---
 apiVersion: policy.open-cluster-management.io/v1
 kind: Policy
 metadata:
-  name: hub-argo-ca-openshift-gitops-policy
+  name: {{ .name }}-acm-hub-ca-policy
   annotations:
     argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
     argocd.argoproj.io/compare-options: IgnoreExtraneous
@@ -96,21 +85,32 @@ spec:
         apiVersion: policy.open-cluster-management.io/v1
         kind: ConfigurationPolicy
         metadata:
-          name: hub-argo-ca-openshift-gitops-config
+          name: {{ .name }}-acm-hub-ca-config-policy
         spec:
           remediationAction: enforce
           severity: medium
           namespaceSelector:
             include:
               - default
           object-templates:
+            - complianceType: mustonlyhave
+              objectDefinition:
+                kind: Secret
+                apiVersion: v1
+                type: Opaque
+                metadata:
+                  name: hub-ca
+                  namespace: golang-external-secrets
+                data:
+                  hub-kube-root-ca.crt: '{{ `{{hub fromConfigMap "" "kube-root-ca.crt" "ca.crt" | base64enc hub}}` }}'
+                  hub-openshift-service-ca.crt: '{{ `{{hub fromConfigMap "" "openshift-service-ca.crt" "service-ca.crt" | base64enc hub}}` }}'
             - complianceType: mustonlyhave
               objectDefinition:
                 kind: ConfigMap
                 apiVersion: v1
                 metadata:
                   name: trusted-hub-bundle
-                  namespace: openshift-gitops
+                  namespace: imperative
                 data:
                   hub-kube-root-ca.crt: |
                     {{ `{{hub fromConfigMap "" "kube-root-ca.crt" "ca.crt" | autoindent hub}}` }}
@@ -120,43 +120,37 @@ spec:
 apiVersion: policy.open-cluster-management.io/v1
 kind: PlacementBinding
 metadata:
-  name: hub-argo-ca-openshift-gitops-policy-binding
+  name: {{ .name }}-acm-hub-ca-policy-placement-binding
   annotations:
     argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
 placementRef:
-  name: hub-argo-ca-openshift-gitops-policy-placement
+  name: {{ .name }}-acm-hub-ca-policy-placement
   kind: PlacementRule
   apiGroup: apps.open-cluster-management.io
 subjects:
-  - name: hub-argo-ca-openshift-gitops-policy
+  - name: {{ .name }}-acm-hub-ca-policy
     kind: Policy
     apiGroup: policy.open-cluster-management.io
 ---
 apiVersion: apps.open-cluster-management.io/v1
 kind: PlacementRule
 metadata:
-  name: hub-argo-ca-openshift-gitops-policy-placement
+  name: {{ .name }}-acm-hub-ca-policy-placement
   annotations:
     argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
 spec:
   clusterConditions:
     - status: 'True'
       type: ManagedClusterConditionAvailable
-  clusterSelector:
-    matchExpressions:
-      - key: local-cluster
-        operator: NotIn
-        values:
-          - 'true'
-
-{{- end }}{{/* if (eq (((.Values.global).secretStore).backend) "vault") */}}
-{{- range .Values.clusterGroup.managedClusterGroups }}
-{{- $group := . }}
+{{- include "acm.app.clusterSelector" (dict 
+  "clusterSelector" .clusterSelector
+  "group" $group
+  ) | nindent 2 }}
 ---
 apiVersion: policy.open-cluster-management.io/v1
 kind: Policy
 metadata:
-  name: hub-argo-ca-{{ .name }}-policy
+  name: {{ .name }}-hub-argo-ca-gitops-policy
   annotations:
     argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
     argocd.argoproj.io/compare-options: IgnoreExtraneous
@@ -168,7 +162,7 @@ spec:
         apiVersion: policy.open-cluster-management.io/v1
         kind: ConfigurationPolicy
         metadata:
-          name: hub-argo-ca-{{ .name }}-config
+          name: {{ .name }}-hub-argo-ca-gitops-config
         spec:
           remediationAction: enforce
           severity: medium
@@ -182,7 +176,7 @@ spec:
                 apiVersion: v1
                 metadata:
                   name: trusted-hub-bundle
-                  namespace: {{ $.Values.global.pattern }}-{{ .name }}
+                  namespace: openshift-gitops
                 data:
                   hub-kube-root-ca.crt: |
                     {{ `{{hub fromConfigMap "" "kube-root-ca.crt" "ca.crt" | autoindent hub}}` }}
@@ -192,33 +186,33 @@ spec:
 apiVersion: policy.open-cluster-management.io/v1
 kind: PlacementBinding
 metadata:
-  name: hub-argo-ca-{{ .name }}-placement-binding
+  name: {{ .name }}-hub-argo-ca-gitops-policy-binding
   annotations:
     argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
 placementRef:
-  name: hub-argo-ca-{{ .name }}-placement
+  name: {{ .name }}-hub-argo-ca-gitops-policy-placement
   kind: PlacementRule
   apiGroup: apps.open-cluster-management.io
 subjects:
-  - name: hub-argo-ca-{{ .name }}-policy
+  - name: {{ .name }}-hub-argo-ca-gitops-policy
     kind: Policy
     apiGroup: policy.open-cluster-management.io
 ---
 apiVersion: apps.open-cluster-management.io/v1
 kind: PlacementRule
 metadata:
-  name: hub-argo-ca-{{ .name }}-placement
+  name: {{ .name }}-hub-argo-ca-gitops-policy-placement
   annotations:
     argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
 spec:
   clusterConditions:
     - status: 'True'
       type: ManagedClusterConditionAvailable
-  clusterSelector:
-    matchExpressions:
-      - key: local-cluster
-        operator: NotIn
-        values:
-          - 'true'
+{{- include "acm.app.clusterSelector" (dict 
+  "clusterSelector" .clusterSelector
+  "group" $group
+  ) | nindent 2 }}
+
+{{- end }}{{/* if (eq ((($.Values.global).secretStore).backend) "vault") */}}
 {{- end }}{{/* range .Values.clusterGroup.managedClusterGroups */}}
 {{- end }}{{/* isHubCluster */}}
diff --git a/templates/policies/application-policies.yaml b/templates/policies/application-policies.yaml
@@ -156,22 +156,9 @@ spec:
   clusterConditions:
     - status: 'True'
       type: ManagedClusterConditionAvailable
-  {{- if .clusterSelector }}
-  clusterSelector: {{ .clusterSelector | toPrettyJson }}
-  {{- else if (not $group.acmlabels) }}
-  clusterSelector:
-    matchLabels:
-      clusterGroup: {{ $group.name }}
-  {{- else if eq (len $group.acmlabels) 0 }}
-  clusterSelector:
-    matchLabels:
-      clusterGroup: {{ $group.name }}
-  {{- else }}
-  clusterSelector:
-    matchLabels:
-    {{- range .acmlabels }}
-      {{ .name }}: {{ .value }}
-    {{- end }}
-  {{- end }}
+{{- include "acm.app.clusterSelector" (dict 
+  "clusterSelector" .clusterSelector
+  "group" $group
+  ) | nindent 2 }}
 ---
 {{- end }}