From a3b035b326921e31ab68a6901686eefa84aac011 Mon Sep 17 00:00:00 2001
From: Michele Baldessari
Date: Tue, 28 Oct 2025 17:26:17 +0100
Subject: [PATCH] Push the hub CA via lookup() of a namespace
Currently we just push the hub ca in the golang-external-secrets namespace. This is problematic once we move to the downstream ESO because that uses different namespaces. In order to support both ESO versions (upstream - golang-external-secret and downstream - external-secrets) we tried different approaches. Initially, we checked if a specific application existed {{- $eso_ns := "golang-external-secrets" }} {{- range .Values.clusterGroup.applications }} {{- if or (eq .chart "openshift-external-secrets") (and (hasKey . "repoURL") .repoURL (hasSuffix "openshift-external-secrets" .repoURL)) (and (hasKey . "repoURL") .repoURL (hasSuffix "openshift-external-secrets-chart" .repoURL)) {{- $eso_ns = "external-secrets" }} {{- end }} {{- end }} The problem with the above is that is just too fragile. The approach we actually use here is the lookup functionality in ACM: If the "external-secrets-operator" namespace exists on the spoke, we can safely assume that we are using the downstream ESO, in which case the policy with the CA of the hub will be pushed to the external-secrets namespace (where the real ESO pods run). Tested this with both the old upstream golang-external-secrets and with the downstream ESO.
---
 .gitignore | 1 +
 templates/policies/acm-hub-ca-policy.yaml | 6 ++++--
 2 files changed, 5 insertions(+), 2 deletions(-)
 create mode 100644 .gitignore
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..ceb2b98
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+CLAUDE.md
diff --git a/templates/policies/acm-hub-ca-policy.yaml b/templates/policies/acm-hub-ca-policy.yaml
index 4f575a1..143e7d4 100644
--- a/templates/policies/acm-hub-ca-policy.yaml
+++ b/templates/policies/acm-hub-ca-policy.yaml
@@ -89,9 +89,11 @@ spec:
spec:
remediationAction: enforce
severity: medium
+ # Here we need to put any namespace that might be rendered in the template
namespaceSelector:
include:
- - default
+ - external-secrets
+ - golang-external-secrets
object-templates:
- complianceType: mustonlyhave
objectDefinition:
@@ -100,7 +102,7 @@ spec:
type: Opaque
metadata:
name: hub-ca
- namespace: golang-external-secrets
+ namespace: '{{ `{{ if (lookup "v1" "Namespace" "" "external-secrets-operator") }}external-secrets{{ else }}golang-external-secrets{{ end }}` }}'
data:
hub-kube-root-ca.crt: '{{ `{{hub fromConfigMap "" "kube-root-ca.crt" "ca.crt" | base64enc hub}}` }}'
hub-openshift-service-ca.crt: '{{ `{{hub fromConfigMap "" "openshift-service-ca.crt" "service-ca.crt" | base64enc hub}}` }}'
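Review bot: The mere existence of the `external-secrets-operator` namespace is the only signal the second hunk uses to decide where the `hub-ca` Secret lands, so a spoke where that namespace exists but no downstream ESO is running (for example a namespace left behind after an operator uninstall) would get the Secret in `external-secrets` while an upstream ESO in `golang-external-secrets` keeps running without the hub CA; the `lookup` line gives the reader no hint of that assumption. The `# Here we need to put any namespace that might be rendered in the template` comment in the first hunk says the include list must follow the template but not why both namespaces are listed, namely that the rendered namespace is only known on the managed cluster. I would add above the `namespace:` line a comment such as `# Marker for the downstream ESO: its operator creates the external-secrets-operator namespace, and its pods (which need the hub CA) run in external-secrets; without the marker the upstream ESO in golang-external-secrets is assumed`, and state there that a stale marker namespace silently switches the target. As far as these hunks show, nothing removes a `hub-ca` Secret left in `golang-external-secrets` once a spoke moves to the downstream ESO; that is presumably acceptable for CA certificates, but it is worth saying so next to the `mustonlyhave` template so nobody reads that field as pruning the old copy.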