[WIP] Add some missing elements to JSON schema

.github/workflows/jsonschema.yaml

@@ -30,4 +30,6 @@ jobs:
 
       - name: Verify ClusterGroup values.schema.json
         run: |
-          check-jsonschema --schemafile ./values.schema.json "values.yaml"
+          check-jsonschema --schemafile ./values.schema.json \
+            "values.yaml" \
+            "tests/fixtures/values-cluster-group-schema.yaml"

Chart.yaml

@@ -3,7 +3,7 @@ description: A Helm chart to create per-clustergroup ArgoCD applications and any
 keywords:
 - pattern
 name: clustergroup
-version: 0.9.52
+version: 0.9.53
 home: https://github.com/validatedpatterns/clustergroup-chart
 maintainers:
   - name: Validated Patterns Team

README.md

@@ -1,13 +1,14 @@
 # clustergroup
 
-![Version: 0.9.52](https://img.shields.io/badge/Version-0.9.52-informational?style=flat-square)
+![Version: 0.9.53](https://img.shields.io/badge/Version-0.9.53-informational?style=flat-square)
 
 A Helm chart to create per-clustergroup ArgoCD applications and any required namespaces or subscriptions.
 
 This chart is used to set up the basic building blocks in [Validated Patterns](https://validatedpatterns.io)
 
 ### Notable changes
 
+* v0.9.53: Schema documents SS-CSI (Secrets Store CSI with Vault) workload metadata on `clusterGroup.applications`: optional `ssCsiWorkloadAuth` array with required `serviceAccount` and `roleSlug`, optional `namespace` (vp-sscsi-spc infers from the referenced application and chart values when omitted), and optional `cluster`. Aligns with pattern values used by rhvp.cluster_utils and vp-sscsi-spc (see multicloud-gitops and aap-starter-kit).
 * v0.9.52: Add ansibleDevMode (requirements.yml injection and optional ansibleCfgFile/ansibleCfgContent) to simplify rhvp.cluster_utils development. Add extraPlaybookArgs to imperative as well.
 * v0.9.50: Add support to custom `rbac` in `ArgoDC.spec`
 * v0.9.49: Boolean Templates in override values now also render correctly
@@ -87,10 +88,10 @@ clusterGroup:
 | clusterGroup.imperative.adminServiceAccountCreate | bool | `true` |  |
 | clusterGroup.imperative.adminServiceAccountName | string | `"imperative-admin-sa"` |  |
 | clusterGroup.imperative.ansibleDevMode.ansibleCfgContent | string | `""` | Inline ansible.cfg; when non-empty, written to ansibleCfgFile before ansible-galaxy (so galaxy and playbooks honor collections_path, etc.). |
-| clusterGroup.imperative.ansibleDevMode.ansibleCfgFile | string | `"ansible.cfg"` | Path under the cloned pattern repo for optional injected ansible.cfg (written from ansibleCfgContent when set). |
-| clusterGroup.imperative.ansibleDevMode.enabled | bool | `false` | When true, run an init container before imperative playbooks that can install collections and optionally write ansible.cfg into the cloned repo (/git/repo). |
+| clusterGroup.imperative.ansibleDevMode.ansibleCfgFile | string | `"ansible.cfg"` | Path under the cloned pattern repository for optional injected ansible.cfg (written from ansibleCfgContent when set). |
+| clusterGroup.imperative.ansibleDevMode.enabled | bool | `false` | When true, run an init container before imperative playbooks that can install collections and optionally write ansible.cfg into the cloned pattern checkout in the workload. |
 | clusterGroup.imperative.ansibleDevMode.requirementsContent | string | `""` | Inline requirements.yml; when non-empty, written to requirementsFile before galaxy install. |
-| clusterGroup.imperative.ansibleDevMode.requirementsFile | string | `"requirements.yml"` | Path under the cloned pattern repo for ansible-galaxy -r (written from requirementsContent when set). |
+| clusterGroup.imperative.ansibleDevMode.requirementsFile | string | `"requirements.yml"` | Path under the cloned pattern repository for ansible-galaxy -r (written from requirementsContent when set). |
 | clusterGroup.imperative.clusterRoleName | string | `"imperative-cluster-role"` |  |
 | clusterGroup.imperative.clusterRoleYaml | string | `""` |  |
 | clusterGroup.imperative.cronJobName | string | `"imperative-cronjob"` |  |

README.md.gotmpl

@@ -9,6 +9,7 @@ This chart is used to set up the basic building blocks in [Validated Patterns](h
 
 ### Notable changes
 
+* v0.9.53: Schema documents SS-CSI (Secrets Store CSI with Vault) workload metadata on `clusterGroup.applications`: optional `ssCsiWorkloadAuth` array with required `serviceAccount` and `roleSlug`, optional `namespace` (vp-sscsi-spc infers from the referenced application and chart values when omitted), and optional `cluster`. Aligns with pattern values used by rhvp.cluster_utils and vp-sscsi-spc (see multicloud-gitops and aap-starter-kit).
 * v0.9.52: Add ansibleDevMode (requirements.yml injection and optional ansibleCfgFile/ansibleCfgContent) to simplify rhvp.cluster_utils development. Add extraPlaybookArgs to imperative as well.
 * v0.9.50: Add support to custom `rbac` in `ArgoDC.spec`
 * v0.9.49: Boolean Templates in override values now also render correctly

tests/application_target_cluster_test.yaml

@@ -0,0 +1,28 @@
+suite: Test clusterGroup.targetCluster on Argo CD Applications
+templates:
+  - templates/plumbing/applications.yaml
+release:
+  name: release-test
+tests:
+  - it: should set spec.destination.name from clusterGroup.targetCluster
+    set:
+      global:
+        repoURL: https://github.com/validatedpatterns/multicloud-gitops
+        multiSourceRepoUrl: https://charts.validatedpatterns.io
+      clusterGroup:
+        name: example
+        targetCluster: my-remote-cluster
+        namespaces: []
+        applications:
+          acm:
+            name: acm
+            namespace: open-cluster-management
+            project: hub
+            chart: acm
+            chartVersion: 0.1.*
+    asserts:
+      - hasDocuments:
+          count: 1
+      - equal:
+          path: spec.destination.name
+          value: my-remote-cluster

tests/fixtures/values-cluster-group-schema.yaml

@@ -0,0 +1,31 @@
+# Minimal values exercised by check-jsonschema in CI to keep clusterGroup fields
+# used by templates aligned with values.schema.json.
+global:
+  options:
+    syncPolicy: Automatic
+    installPlanApproval: Automatic
+    useCSV: true
+  multiSourceRepoUrl: https://charts.validatedpatterns.io
+
+clusterGroup:
+  name: schema-fixture
+  targetCluster: spoke-cluster-1
+  namespaces: []
+  sharedValueFiles:
+    - values-{{ $.Values.clusterGroup.name }}.yaml
+  applications:
+    schema-fixture-app:
+      name: schema-fixture-app
+      namespace: fixture-ns
+      project: default
+      path: charts/fixture
+      overrides:
+        - name: plain-override
+          value: plain
+        - name: tpl-override
+          value: "{{ .Values.global.multiSourceRepoUrl }}"
+          forceString: true
+      syncPolicy: manual
+      fileParameters:
+        - name: some-values
+          path: secrets://config/values.yaml

values.schema.json

@@ -178,6 +178,10 @@
           "readOnly": true,
           "description": "URL of the pattern's git repository, it is set automatically by the pattern's operator"
         },
+        "multiSourceRepoUrl": {
+          "type": "string",
+          "description": "Default Helm repository URL for multisource Argo CD Applications when an application entry does not set repoURL. Passed as a Helm parameter and used by templates under global.multiSourceRepoUrl."
+        },
         "hubClusterDomain": {
           "type": "string",
           "readOnly": true,
@@ -516,6 +520,17 @@
         "disabled": {
           "type": "boolean",
           "description": "Whether to disable namespace creation. If set to true, the namespace will be skipped."
+        },
+        "operatorGroup": {
+          "type": "boolean",
+          "description": "When false, no OperatorGroup is created for this namespace map entry."
+        },
+        "targetNamespaces": {
+          "type": "array",
+          "description": "OperatorGroup spec.targetNamespaces entries; when set and non-empty, overrides the default single-namespace target.",
+          "items": {
+            "type": "string"
+          }
         }
       }
     },
@@ -551,6 +566,34 @@
         }
       }
     },
+    "SsCsiWorkloadAuthEntry": {
+      "type": "object",
+      "additionalProperties": false,
+      "description": "Secrets Store CSI with Vault workload identity metadata. Patterns such as multicloud-gitops and aap-starter-kit pass this under clusterGroup.applications for rhvp.cluster_utils (vault_ss_csi_workload_auth) and for vp-sscsi-spc-style charts. The Vault Kubernetes auth role name follows <vaultKubernetesMountPath>-sscsi-<roleSlug> (hub mount or spoke cluster domain as mount).",
+      "properties": {
+        "serviceAccount": {
+          "type": "string",
+          "description": "Service account whose token is associated with the Vault role."
+        },
+        "namespace": {
+          "type": "string",
+          "description": "Namespace of the service account. Optional: vp-sscsi-spc falls back to ocpSecretsStoreCsiVault.secretProviderClass.namespace, then clusterGroup.applications[applicationKey].namespace for the referenced application, then the Helm release namespace."
+        },
+        "roleSlug": {
+          "type": "string",
+          "description": "Stable slug used as the suffix in the Vault role name (<mount>-sscsi-<roleSlug>)."
+        },
+        "cluster": {
+          "type": "string",
+          "description": "Optional cluster label (for example hub on a standalone cluster) when workload auth rows must be disambiguated."
+        }
+      },
+      "required": [
+        "serviceAccount",
+        "roleSlug"
+      ],
+      "title": "SsCsiWorkloadAuthEntry"
+    },
     "Applications": {
       "type": "object",
       "description": "Description of the applications that will be created in the ArgoCD instances. The Application CRD is the Kubernetes resource object representing a deployed application instance in an environment. Two ways of defining applications: Using a list or using a dictionary.",
@@ -613,19 +656,66 @@
           "description": "List of extra fields that will be passed to ArgoCD."
         },
         "overrides": {
-          "type": "object"
+          "type": "array",
+          "description": "Extra Helm parameters for this application; rendered under spec.source.helm.parameters or spec.sources[1].helm.parameters.",
+          "items": {
+            "type": "object",
+            "additionalProperties": false,
+            "properties": {
+              "name": {
+                "type": "string"
+              },
+              "value": {
+                "type": "string",
+                "description": "Parameter value; may contain Helm tpl expressions evaluated with the chart root context."
+              },
+              "forceString": {
+                "type": "boolean",
+                "description": "When true, sets forceString on the Argo CD Application helm parameter."
+              }
+            },
+            "required": [
+              "name",
+              "value"
+            ]
+          }
         },
         "fileParameters": {
           "type": "array",
-          "description": "FileParameters are file parameters to the helm template"
+          "description": "FileParameters are file parameters to the helm template",
+          "items": {
+            "type": "object",
+            "additionalProperties": false,
+            "properties": {
+              "name": {
+                "type": "string"
+              },
+              "path": {
+                "type": "string"
+              }
+            },
+            "required": [
+              "name",
+              "path"
+            ]
+          }
         },
         "ignoreDifferences": {
           "type": "array",
           "description": "IgnoreDifferences is a list of resources and their fields which should be ignored during comparison"
         },
         "syncPolicy": {
-          "type": "object",
-          "description": "SyncPolicy controls when and how a sync will be performed"
+          "anyOf": [
+            {
+              "type": "string",
+              "description": "When set to Manual (any case), Argo CD syncPolicy is omitted for this application. Automatic uses the chart default. Other strings follow the same lowercasing rules in templates."
+            },
+            {
+              "type": "object",
+              "description": "Passed through to the Application spec.syncPolicy field as JSON."
+            }
+          ],
+          "description": "SyncPolicy controls when and how a sync will be performed; may be a string (e.g. Manual) or an object merged into the Application."
         },
         "namespace": {
           "type": "string",
@@ -651,6 +741,13 @@
         "disabled": {
           "type": "boolean",
           "description": "Whether to disable application creation. If set to true, the application will be skipped."
+        },
+        "ssCsiWorkloadAuth": {
+          "type": "array",
+          "description": "List of SS-CSI (Secrets Store CSI with Vault) workload auth bindings for this application, for example on openshift-sscsi-vault or an app chart that consumes the same metadata (see Validated Patterns multicloud-gitops / aap-starter-kit).",
+          "items": {
+            "$ref": "#/definitions/SsCsiWorkloadAuthEntry"
+          }
         }
       },
       "required": [

values.yaml

@@ -148,13 +148,13 @@ clusterGroup:
     jobs: []
     image: quay.io/validatedpatterns/imperative-container:v1
     ansibleDevMode:
-      # -- When true, run an init container before imperative playbooks that can install collections and optionally write ansible.cfg into the cloned repo (/git/repo).
+      # -- When true, run an init container before imperative playbooks that can install collections and optionally write ansible.cfg into the cloned pattern checkout in the workload.
       enabled: false
-      # -- Path under the cloned pattern repo for ansible-galaxy -r (written from requirementsContent when set).
+      # -- Path under the cloned pattern repository for ansible-galaxy -r (written from requirementsContent when set).
       requirementsFile: "requirements.yml"
       # -- Inline requirements.yml; when non-empty, written to requirementsFile before galaxy install.
       requirementsContent: ""
-      # -- Path under the cloned pattern repo for optional injected ansible.cfg (written from ansibleCfgContent when set).
+      # -- Path under the cloned pattern repository for optional injected ansible.cfg (written from ansibleCfgContent when set).
       ansibleCfgFile: "ansible.cfg"
       # -- Inline ansible.cfg; when non-empty, written to ansibleCfgFile before ansible-galaxy (so galaxy and playbooks honor collections_path, etc.).
       ansibleCfgContent: ""