Make clusterGroup.isHubCluster optional

templates/_helpers.tpl

@@ -196,3 +196,26 @@ health_status.status = "Progressing"
 health_status.message = "An install plan for a subscription is pending installation"
 return health_status
 {{- end }} {{- /*acm.subscription.healthcheck.lua */}}
+
+{{/*
+Determines if the current cluster is a hub cluster.
+First checks if clusterGroup.isHubCluster is explicitly set and uses that value.
+If not set, falls back to comparing global.localClusterDomain and global.hubClusterDomain.
+If domains are equal or localClusterDomain is not set (defaults to hubClusterDomain), this is a hub cluster.
+Usage: {{ include "acm.ishubcluster" . }}
+Returns: "true" or "false" as a string
+*/}}
+{{- define "acm.ishubcluster" -}}
+{{- if and (hasKey .Values.clusterGroup "isHubCluster") (not (kindIs "invalid" .Values.clusterGroup.isHubCluster)) -}}
+{{- .Values.clusterGroup.isHubCluster | toString -}}
+{{- else if $.Values.global.hubClusterDomain -}}
+{{- $localDomain := coalesce $.Values.global.localClusterDomain $.Values.global.hubClusterDomain -}}
+{{- if eq $localDomain $.Values.global.hubClusterDomain -}}
+true
+{{- else -}}
+false
+{{- end -}}
+{{- else -}}
+false
+{{- end -}}
+{{- end }}

templates/policies/acm-hub-ca-policy.yaml

@@ -1,5 +1,5 @@
 # This pushes out the HUB's Certificate Authorities on to the imported clusters
-{{- if .Values.clusterGroup.isHubCluster }}
+{{- if eq (include "acm.ishubcluster" .) "true" }}
 {{- range .Values.clusterGroup.managedClusterGroups }}
 {{- $group := . }}
 ---
@@ -217,4 +217,4 @@ spec:
 
 {{- end }}{{/* if (eq ((($.Values.global).secretStore).backend) "vault") */}}
 {{- end }}{{/* range .Values.clusterGroup.managedClusterGroups */}}
-{{- end }}{{/* isHubCluster */}}
+{{- end }}{{/* ishubcluster */}}

templates/policies/private-repo-policies.yaml

@@ -84,7 +84,7 @@ spec:
   "group" $group
   ) | nindent 2 }}
 {{- end }}{{- /* range .Values.clusterGroup.managedClusterGroups */}}
-{{ if $.Values.clusterGroup.isHubCluster }}
+{{ if eq (include "acm.ishubcluster" $) "true" }}
 ---
 apiVersion: policy.open-cluster-management.io/v1
 kind: Policy
@@ -153,5 +153,5 @@ spec:
         values:
           - 'true'
 ---
-{{ end }}{{- /* if .Values.clusterGroup.isHubCluster */}}
+{{ end }}{{- /* if ishubcluster */}}
 {{- end }}{{- /* if $.Values.global.privateRepo */}}

tests/hub_cluster_additional_scenarios_test.yaml

@@ -0,0 +1,140 @@
+suite: Test Hub Cluster Detection Additional Scenarios
+templates:
+  - templates/policies/acm-hub-ca-policy.yaml
+release:
+  name: release-test
+tests:
+  # Test subdomain variations (domain-based detection)
+  - it: should differentiate between similar domains
+    set:
+      global:
+        repoURL: https://github.com/test/repo
+        hubClusterDomain: "apps.hub.example.com"
+        localClusterDomain: "apps.hub-spoke.example.com"  # Similar but different
+        secretStore:
+          backend: "vault"
+        pattern: "test-pattern"
+      clusterGroup:
+        isHubCluster: null  # Explicitly unset to enable domain-based detection
+        managedClusterGroups:
+          test:
+            name: test-cluster
+    asserts:
+      - hasDocuments:
+          count: 0
+
+  # Test with special characters (domain-based detection)
+  - it: should handle domains with special characters
+    set:
+      global:
+        repoURL: https://github.com/test/repo
+        hubClusterDomain: "apps.hub-cluster_1.example-domain.com"
+        localClusterDomain: "apps.hub-cluster_1.example-domain.com"
+        secretStore:
+          backend: "vault"
+        pattern: "test-pattern"
+      clusterGroup:
+        isHubCluster: null  # Explicitly unset to enable domain-based detection
+        managedClusterGroups:
+          test:
+            name: test-cluster
+    asserts:
+      - hasDocuments:
+          count: 9
+
+  # Test with missing managedClusterGroups
+  - it: should handle missing managedClusterGroups gracefully
+    set:
+      global:
+        repoURL: https://github.com/test/repo
+        hubClusterDomain: "apps.hub.example.com"
+        localClusterDomain: "apps.hub.example.com"
+        secretStore:
+          backend: "vault"
+        pattern: "test-pattern"
+      clusterGroup:
+        isHubCluster: null  # Explicitly unset to enable domain-based detection
+        managedClusterGroups: null  # Explicitly unset
+    asserts:
+      - hasDocuments:
+          count: 0  # No managed cluster groups means no policies
+
+  # Test with empty managedClusterGroups
+  - it: should handle empty managedClusterGroups
+    set:
+      global:
+        repoURL: https://github.com/test/repo
+        hubClusterDomain: "apps.hub.example.com"
+        localClusterDomain: "apps.hub.example.com"
+        secretStore:
+          backend: "vault"
+        pattern: "test-pattern"
+      clusterGroup:
+        isHubCluster: null  # Explicitly unset to enable domain-based detection
+        managedClusterGroups: {}  # Empty
+    asserts:
+      - hasDocuments:
+          count: 0  # Empty managed cluster groups means no policies
+
+  # Test explicit isHubCluster takes precedence over domain-based detection
+  - it: should respect explicit isHubCluster even when domains match
+    set:
+      global:
+        repoURL: https://github.com/test/migration
+        hubClusterDomain: "apps.migration-hub.example.com"
+        localClusterDomain: "apps.migration-hub.example.com"
+        secretStore:
+          backend: "vault"
+        pattern: "migration-test"
+      clusterGroup:
+        # Explicit isHubCluster takes precedence over domain-based detection
+        isHubCluster: false  # Explicitly set to false, should be respected
+        managedClusterGroups:
+          migrationTarget:
+            name: migration-target
+            labels:
+            - name: migration
+              value: in-progress
+    asserts:
+      # Explicit isHubCluster: false is respected even though domains match
+      - hasDocuments:
+          count: 0
+
+  # Test multiple cluster groups with domain-based logic (no explicit isHubCluster)
+  - it: should handle multiple cluster groups with domain-based hub detection
+    set:
+      global:
+        repoURL: https://github.com/test/multi-cluster
+        hubClusterDomain: "apps.prod-hub.company.com"
+        localClusterDomain: "apps.prod-hub.company.com"
+        secretStore:
+          backend: "vault"
+        pattern: "multi-cluster-test"
+      clusterGroup:
+        isHubCluster: null  # Explicitly unset to enable domain-based detection
+        managedClusterGroups:
+          prodEast:
+            name: prod-east
+            labels:
+            - name: environment
+              value: production
+          stagingWest:
+            name: staging-west
+            labels:
+            - name: environment
+              value: staging
+    asserts:
+      # Should have CA policies for 2 cluster groups (9 docs each)
+      - hasDocuments:
+          count: 18
+      # Verify specific policies exist
+      - documentSelector:
+          path: metadata.name
+          value: hub-argo-ca-prod-east-policy
+        isKind:
+          of: Policy
+      - documentSelector:
+          path: metadata.name
+          value: hub-argo-ca-staging-west-policy
+        isKind:
+          of: Policy

tests/hub_cluster_detection_private_repo_test.yaml

@@ -0,0 +1,130 @@
+suite: Test Hub Cluster Detection Logic - Private Repo Policies
+templates:
+  - templates/policies/private-repo-policies.yaml
+release:
+  name: release-test
+tests:
+  # Test 1: Hub cluster when localClusterDomain equals hubClusterDomain (includes private hub policy)
+  - it: should render private hub policy when localClusterDomain equals hubClusterDomain
+    set:
+      global:
+        repoURL: https://github.com/validatedpatterns/multicloud-gitops
+        hubClusterDomain: "apps.hub.example.com"
+        localClusterDomain: "apps.hub.example.com"
+        privateRepo: true
+        pattern: "test-pattern"
+      clusterGroup:
+        isHubCluster: null  # Explicitly unset to enable domain-based detection
+        managedClusterGroups:
+          testRegion:
+            name: region-one
+            labels:
+            - name: clusterGroup
+              value: region-one
+    asserts:
+      - documentSelector:
+          path: metadata.name
+          value: vp-private-hub-policy
+        isKind:
+          of: Policy
+      - hasDocuments:
+          count: 6
+
+  # Test 2: Not hub cluster when localClusterDomain differs from hubClusterDomain (no private hub policy)
+  - it: should not render private hub policy when localClusterDomain differs from hubClusterDomain
+    set:
+      global:
+        repoURL: https://github.com/validatedpatterns/multicloud-gitops
+        hubClusterDomain: "apps.hub.example.com"
+        localClusterDomain: "apps.spoke.example.com"
+        privateRepo: true
+        pattern: "test-pattern"
+      clusterGroup:
+        isHubCluster: null  # Explicitly unset to enable domain-based detection
+        managedClusterGroups:
+          testRegion:
+            name: region-one
+            labels:
+            - name: clusterGroup
+              value: region-one
+    asserts:
+      # Should have the managed cluster policies but not the hub policy
+      - documentSelector:
+          path: metadata.name
+          value: private-region-one-policy
+        isKind:
+          of: Policy
+      - hasDocuments:
+          count: 3
+
+  # Test 3: Fallback to isHubCluster when domains are not set (true)
+  - it: should render private hub policy when fallback to isHubCluster true
+    set:
+      global:
+        repoURL: https://github.com/validatedpatterns/multicloud-gitops
+        # No domain configuration provided
+        privateRepo: true
+        pattern: "test-pattern"
+      clusterGroup:
+        isHubCluster: true
+        managedClusterGroups:
+          testRegion:
+            name: region-one
+            labels:
+            - name: clusterGroup
+              value: region-one
+    asserts:
+      - documentSelector:
+          path: metadata.name
+          value: vp-private-hub-policy
+        isKind:
+          of: Policy
+      - hasDocuments:
+          count: 6
+
+  # Test 4: Fallback to isHubCluster false when no domain configuration is provided
+  - it: should not render private hub policy when fallback to isHubCluster false
+    set:
+      global:
+        repoURL: https://github.com/validatedpatterns/multicloud-gitops
+        # No domain configuration provided
+        privateRepo: true
+        pattern: "test-pattern"
+      clusterGroup:
+        isHubCluster: false
+        managedClusterGroups:
+          testRegion:
+            name: region-one
+            labels:
+            - name: clusterGroup
+              value: region-one
+    asserts:
+      # Should have the managed cluster policies but not the hub policy
+      - documentSelector:
+          path: metadata.name
+          value: private-region-one-policy
+        isKind:
+          of: Policy
+      - hasDocuments:
+          count: 3
+
+  # Test 5: No policies when privateRepo is false
+  - it: should not render any private repo policies when privateRepo is false
+    set:
+      global:
+        repoURL: https://github.com/validatedpatterns/multicloud-gitops
+        hubClusterDomain: "apps.hub.example.com"
+        localClusterDomain: "apps.hub.example.com"
+        privateRepo: false
+        pattern: "test-pattern"
+      clusterGroup:
+        isHubCluster: true
+        managedClusterGroups:
+          testRegion:
+            name: region-one
+            labels:
+            - name: clusterGroup
+              value: region-one
+    asserts:
+      - hasDocuments:
+          count: 0