From 86551c3e1725b9c497225670875c3ef19ba6a905 Mon Sep 17 00:00:00 2001
From: Michele Baldessari
Date: Tue, 4 Nov 2025 08:41:00 +0100
Subject: [PATCH 1/4] Switch namespaces to dictionary This makes it easier to override/merge
---
 values-group-one.yaml | 7 ++++---
 values-hub.yaml | 11 ++++++-----
 2 files changed, 10 insertions(+), 8 deletions(-)
diff --git a/values-group-one.yaml b/values-group-one.yaml
index 4be23f17d..cd163243f 100644
--- a/values-group-one.yaml
+++ b/values-group-one.yaml
@@ -1,10 +1,11 @@
 clusterGroup:
 name: group-one
 isHubCluster: false
+ # Namespace is a dictionary for easier overriding (lists are supported as well)
 namespaces:
- - config-demo
- - hello-world
- - golang-external-secrets
+ config-demo:
+ hello-world:
+ golang-external-secrets:
 # The only subscription on spokes is gitops which gets managed by ACM
 # subscriptions:
 argoProjects:
diff --git a/values-hub.yaml b/values-hub.yaml
index 49fe2e94c..5df42e5dc 100644
--- a/values-hub.yaml
+++ b/values-hub.yaml
@@ -1,12 +1,13 @@
 clusterGroup:
 name: hub
 isHubCluster: true
+ # Namespace is a dictionary for easier overriding (lists are supported as well)
 namespaces:
- - open-cluster-management
- - vault
- - golang-external-secrets
- - config-demo
- - hello-world
+ open-cluster-management:
+ vault:
+ golang-external-secrets:
+ config-demo:
+ hello-world:
 subscriptions:
 acm:
 name: advanced-cluster-management
From 8bb7aad7eea962f11067ccb7e78ac49025086b5c Mon Sep 17 00:00:00 2001
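Review bot: The new `namespaces` entries in values-group-one.yaml (`config-demo:`, `hello-world:`, `golang-external-secrets:`) are bare keys, so each one parses as null rather than as an empty mapping; the five entries in values-hub.yaml have the same shape. Helm gives null a special meaning when values are merged (a null in an overriding file removes the key from the defaults), so whether an entry survives can depend on how the values files are layered; the chart that consumes this map is not visible here, so that should be confirmed. Writing `config-demo: {}` states the intent explicitly and still leaves each namespace open to per-key overrides.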
From: Michele Baldessari
Date: Tue, 4 Nov 2025 08:41:33 +0100
Subject: [PATCH 2/4] Add overrides for ocp 4.20 with downstream-eso Note that we cannot use the sharedValueFiles field. This does not work on the clusterwise ardocd instance on the spokes. This is because the helm template resolution happens on the hub and so it won't reflect the values on the spokes.
---
 .../config-demo-external-secret.yaml | 2 +-
 charts/all/config-demo/values.yaml | 1 +
 values-4.20-group-one.yaml | 23 +++++++++++++++++++
 values-4.20-hub.yaml | 22 ++++++++++++++++++
 4 files changed, 47 insertions(+), 1 deletion(-)
 create mode 100644 values-4.20-group-one.yaml
 create mode 100644 values-4.20-hub.yaml
diff --git a/charts/all/config-demo/templates/config-demo-external-secret.yaml b/charts/all/config-demo/templates/config-demo-external-secret.yaml
index 0081dd875..fa9ed0180 100644
--- a/charts/all/config-demo/templates/config-demo-external-secret.yaml
+++ b/charts/all/config-demo/templates/config-demo-external-secret.yaml
@@ -1,5 +1,5 @@
 ---
-apiVersion: "external-secrets.io/v1beta1"
+apiVersion: {{ .Values.esoversion }}
 kind: ExternalSecret
 metadata:
 name: config-demo-secret
diff --git a/charts/all/config-demo/values.yaml b/charts/all/config-demo/values.yaml
index 2dda45229..6d27c371d 100644
--- a/charts/all/config-demo/values.yaml
+++ b/charts/all/config-demo/values.yaml
@@ -3,6 +3,7 @@
 secretStore:
 name: vault-backend
 kind: ClusterSecretStore
+esoversion: "external-secrets.io/v1beta1"
 configdemosecret:
 key: secret/data/global/config-demo
diff --git a/values-4.20-group-one.yaml b/values-4.20-group-one.yaml
new file mode 100644
index 000000000..2e715c014
--- /dev/null
+++ b/values-4.20-group-one.yaml
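Review bot: `apiVersion: {{ .Values.esoversion }}` in config-demo-external-secret.yaml renders the value unquoted and has no guard for a missing value, so an override that sets `esoversion` to null or an empty string produces an ExternalSecret with an empty apiVersion that fails only when it is applied. Requiring and quoting the value moves the failure to template time with a clear message: `apiVersion: {{ required "esoversion must be set" .Values.esoversion | quote }}`. The default added in charts/all/config-demo/values.yaml would also benefit from a one-line comment saying that the per-version values files override it.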
@@ -0,0 +1,23 @@
+esoversion: "external-secrets.io/v1"
+
+clusterGroup:
+ namespaces:
+ golang-external-secrets: null
+ external-secrets-operator:
+ operatorGroup: true
+ targetNamespaces: []
+ external-secrets:
+ subscriptions:
+ eso:
+ name: openshift-external-secrets-operator
+ namespace: external-secrets-operator
+ channel: stable-v1
+ applications:
+ golang-external-secrets: null
+ openshift-external-secrets:
+ name: openshift-external-secrets
+ namespace: external-secrets
+ argoProject: eso
+ chart: openshift-external-secrets
+ chartVersion: 0.0.*
+
diff --git a/values-4.20-hub.yaml b/values-4.20-hub.yaml
new file mode 100644
index 000000000..ce3299251
--- /dev/null
+++ b/values-4.20-hub.yaml
@@ -0,0 +1,22 @@
+esoversion: "external-secrets.io/v1"
+
+clusterGroup:
+ namespaces:
+ golang-external-secrets: null
+ external-secrets-operator:
+ operatorGroup: true
+ targetNamespaces: []
+ external-secrets:
+ subscriptions:
+ eso:
+ name: openshift-external-secrets-operator
+ namespace: external-secrets-operator
+ channel: stable-v1
+ applications:
+ golang-external-secrets: null
+ openshift-external-secrets:
+ name: openshift-external-secrets
+ namespace: external-secrets
+ argoProject: hub
+ chart: openshift-external-secrets
+ chartVersion: 0.0.*
From 9224da1507bd0a9bb47b4e4974ca291eed843fae Mon Sep 17 00:00:00 2001
From: Michele Baldessari
Date: Thu, 6 Nov 2025 08:39:38 +0100
Subject: [PATCH 3/4] Use the disabled field for namespaces Tested the whole set as follows: - hub on 4.20 + spokes on 4.19 and 4.20 -> All green - hub on 4.19 + spoke on 4.19 -> All green
---
 values-4.20-group-one.yaml | 7 ++++---
 values-4.20-hub.yaml | 6 ++++--
 2 files changed, 8 insertions(+), 5 deletions(-)
diff --git a/values-4.20-group-one.yaml b/values-4.20-group-one.yaml
index 2e715c014..8d4c5a8e5 100644
--- a/values-4.20-group-one.yaml
+++ b/values-4.20-group-one.yaml
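Review bot: `chartVersion: 0.0.*` in the new values-4.20-group-one.yaml (and again in values-4.20-hub.yaml) leaves the openshift-external-secrets chart on a floating version, so the chart that deploys the secrets operator configuration can change without any commit in this repository. Pinning an exact version, written as a quoted string such as `chartVersion: "<exact chart version>"` (placeholder), keeps upgrades of a secrets-handling component reviewable; if the wildcard is deliberate, quote it as `chartVersion: "0.0.*"` and say so in a comment. The group-one file also sets `argoProject: eso`, and the `argoProjects` list that would have to contain it is outside these hunks, so that is worth confirming.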
@@ -2,7 +2,8 @@ esoversion: "external-secrets.io/v1"
 clusterGroup:
 namespaces:
- golang-external-secrets: null
+ golang-external-secrets:
+ disabled: true
 external-secrets-operator:
 operatorGroup: true
 targetNamespaces: []
@@ -13,11 +14,11 @@ clusterGroup:
 namespace: external-secrets-operator
 channel: stable-v1
 applications:
- golang-external-secrets: null
+ golang-external-secrets:
+ disabled: true
 openshift-external-secrets:
 name: openshift-external-secrets
 namespace: external-secrets
 argoProject: eso
 chart: openshift-external-secrets
 chartVersion: 0.0.*
-
diff --git a/values-4.20-hub.yaml b/values-4.20-hub.yaml
index ce3299251..fc8d37601 100644
--- a/values-4.20-hub.yaml
+++ b/values-4.20-hub.yaml
@@ -2,7 +2,8 @@ esoversion: "external-secrets.io/v1"
 clusterGroup:
 namespaces:
- golang-external-secrets: null
+ golang-external-secrets:
+ disabled: true
 external-secrets-operator:
 operatorGroup: true
 targetNamespaces: []
@@ -13,7 +14,8 @@ clusterGroup:
 namespace: external-secrets-operator
 channel: stable-v1
 applications:
- golang-external-secrets: null
+ golang-external-secrets:
+ disabled: true
 openshift-external-secrets:
 name: openshift-external-secrets
 namespace: external-secrets
From 9cec6866cadaeb363ba5cb9227f73b839d1e4384 Mon Sep 17 00:00:00 2001
From: Michele Baldessari
Date: Thu, 6 Nov 2025 11:06:57 +0100
Subject: [PATCH 4/4] Fix json schema action
---
 .github/workflows/jsonschema.yaml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/.github/workflows/jsonschema.yaml b/.github/workflows/jsonschema.yaml
index 03e563dbc..79f22d7b0 100644
--- a/.github/workflows/jsonschema.yaml
+++ b/.github/workflows/jsonschema.yaml
@@ -45,6 +45,10 @@ jobs:
 set -e
 find . -maxdepth 1 -type f -name "values-*.yaml" ! -name "values-global.yaml" -print0 | while IFS= read -r -d '' i; do
+ if [[ "$i" =~ 4\.[0-9]+ ]]; then
+ echo "Skipping $i"
+ continue
+ fi
 echo "$i"
 # disable shellcheck of single quotes in yq
 # shellcheck disable=2016
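Review bot: Nothing next to `disabled: true` under `namespaces.golang-external-secrets` in values-4.20-group-one.yaml says why the entry is disabled rather than set to null as in the previous patch; the same applies to the `applications` hunk in that file and to both hunks in values-4.20-hub.yaml. A short comment above the key, for example `# disabled (not null) so this override merges over the base entry on 4.20`, would keep someone from reverting it; that wording is my reading of the commit message and should be corrected by the author. The visible lines also do not show what happens to resources already deployed by golang-external-secrets on a cluster upgraded to 4.20, which deserves a sentence in the description.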
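Review bot: The skip test `[[ "$i" =~ 4\.[0-9]+ ]]` in .github/workflows/jsonschema.yaml is unanchored and hard-codes major version 4, so any values file whose path merely contains `4.` followed by a digit is silently dropped from schema validation. Anchoring the pattern to the file-naming scheme narrows the skip to the intended files: `if [[ "$i" =~ ^\./values-[0-9]+\.[0-9]+- ]]; then`. The skipped files are the ones that now configure the external secrets operator, so they receive no schema check at all; validating each of them after merging it with its base values file would close that gap. The enclosing `while` loop continues outside the hunk.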