validatedpatterns · mbaldessari · Jun 4, 2026 · Sep 22, 2025 · Jun 4, 2026
diff --git a/.github/workflows/helm-lint.yml b/.github/workflows/helm-lint.yml
@@ -17,7 +17,7 @@ jobs:
 
     steps:
       - name: Checkout Code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
 

diff --git a/.github/workflows/helm-unittest.yml b/.github/workflows/helm-unittest.yml
@@ -18,7 +18,7 @@ jobs:
 
     steps:
       - name: Checkout Code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
 

diff --git a/.github/workflows/jsonschema.yaml b/.github/workflows/jsonschema.yaml
@@ -14,7 +14,7 @@ jobs:
 
     steps:
       - name: Checkout Code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
 

diff --git a/.github/workflows/superlinter.yml b/.github/workflows/superlinter.yml
@@ -13,7 +13,7 @@ jobs:
 
     steps:
       - name: Checkout Code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
           # Full git history is needed to get a proper list of changed files within `super-linter`

diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
@@ -121,9 +121,9 @@ Default always defined valueFiles to be included in Applications but with a pref
 {{- end }} {{/* if $.Values.global.extraValueFiles */}}
 {{- end }} {{/* clustergroup.app.globalvalues.prefixedvaluefiles */}}
 
-{{/* 
+{{/*
 Helper function to generate AppProject from a map object
-Called from common/clustergroup/templates/plumbing/projects.yaml 
+Called from common/clustergroup/templates/plumbing/projects.yaml
 */}}
 {{- define "clustergroup.template.plumbing.projects.map" -}}
 {{- $projects := index . 0 }}
@@ -194,18 +194,19 @@ status: {}
 {{- end }}
 {{- end }}
 
-{{/* 
+{{/*
   Helper function to generate Namespaces from a map object.
   Arguments passed as a list object are:
   0 - The namespace hash keys
   1 - Pattern name from .Values.global.pattern
   2 - Cluster group name from .Values.clusterGroup.name
-  Called from common/clustergroup/templates/core/namespaces.yaml 
+  Called from common/clustergroup/templates/core/namespaces.yaml
 */}}
 {{- define "clustergroup.template.core.namespaces.map" -}}
 {{- $ns := index . 0 }}
 {{- $patternName := index . 1 }}
 {{- $clusterGroupName := index . 2 }}
+{{- $root := index . 3 }}
 
 {{- range $k, $v := $ns }}{{- /* We loop here even though the map has always just one key */}}
 {{- if or (eq $v nil) (not $v.disabled) }} {{- /* Process if $v is nil or disabled is false */}}
@@ -216,7 +217,7 @@ metadata:
   name: {{ $k }}
   {{- if ne $v nil }}
   labels:
-    argocd.argoproj.io/managed-by: {{ $patternName }}-{{ $clusterGroupName }}
+    argocd.argoproj.io/managed-by: {{ include "clustergroup.template.argocdnamespace" $root }}
     {{- if $v.labels }}
     {{- range $key, $value := $v.labels }} {{- /* We loop here even though the map has always just one key */}}
     {{ $key }}: {{ $value | default "" | quote }}
@@ -225,14 +226,14 @@ metadata:
   {{- include "clustergroup.annotations" $v.annotations | nindent 2 }}
   {{- else }}
   labels:
-    argocd.argoproj.io/managed-by: {{ $patternName }}-{{ $clusterGroupName }}
+    argocd.argoproj.io/managed-by: {{ include "clustergroup.template.argocdnamespace" $root }}
   {{- end }}
 spec:
 {{- end }}{{- /* if not disabled */}}
 {{- end }}{{- /* range $k, $v := $ns */}}
 {{- end }}
 
-{{- /* 
+{{- /*
   Helper function to generate OperatorGroup from a map object.
   Arguments passed as a list object are:
   0 - The namespace hash keys
@@ -320,3 +321,14 @@ false
 false
 {{- end -}}
 {{- end }}
+
+{{- /*
+  Helper function to generate argocd namespace name
+*/ -}}
+{{- define "clustergroup.template.argocdnamespace" -}}
+{{- if .Values.global.singleArgoCD }}
+{{- .Values.global.vpArgoNamespace -}}
+{{- else }}
+{{- .Values.global.pattern }}-{{ .Values.clusterGroup.name -}}
+{{- end }}{{- /* if .singleArgoCD */}}
+{{- end }} {{- /* End define  "clustergroup.template.argocdnamespace" */}}
diff --git a/templates/core/namespaces.yaml b/templates/core/namespaces.yaml
@@ -1,11 +1,11 @@
 {{- /*
   We first check if namespaces are defined as a map.  If it is we call
   our helper function in _helpers.tpl to process the namespaces
-  described in the values file. This is to support issue 
+  described in the values file. This is to support issue
   https://github.com/validatedpatterns/common/issues/459 created by our customer.
 */ -}}
 {{- if kindIs "map" .Values.clusterGroup.namespaces }}
-{{- template "clustergroup.template.core.namespaces.map" (list .Values.clusterGroup.namespaces $.Values.global.pattern $.Values.clusterGroup.name) }}
+{{- template "clustergroup.template.core.namespaces.map" (list .Values.clusterGroup.namespaces $.Values.global.pattern $.Values.clusterGroup.name $) }}
 {{- else }}
 {{- range $ns := .Values.clusterGroup.namespaces }}
 {{- if $ns }} {{- /* Skip null namespaces */}}
@@ -25,7 +25,7 @@ metadata:
   {{- range $k, $v := $ns }}{{- /* We loop here even though the map has always just one key */}}
   name: {{ $k }}
   labels:
-    argocd.argoproj.io/managed-by: {{ $.Values.global.pattern }}-{{ $.Values.clusterGroup.name }}
+    argocd.argoproj.io/managed-by: {{ include "clustergroup.template.argocdnamespace" $ }}
     {{- if $v.labels }}
     {{- range $key, $value := $v.labels }} {{- /* We loop here even though the map has always just one key */}}
     {{ $key }}: {{ $value | default "" | quote }}
@@ -36,7 +36,7 @@ metadata:
 
   {{- else if kindIs "string" $ns }}
   labels:
-    argocd.argoproj.io/managed-by: {{ $.Values.global.pattern }}-{{ $.Values.clusterGroup.name }}
+    argocd.argoproj.io/managed-by: {{ include "clustergroup.template.argocdnamespace" $ }}
   name: {{ $ns }}
   {{- end }} {{- /* if kindIs "string" $ns */}}
 spec:

diff --git a/templates/core/nodes.yaml b/templates/core/nodes.yaml
@@ -6,7 +6,7 @@ metadata:
   {{- range $k, $v := $node }}
   name: {{ $k }}
   labels:
-    argocd.argoproj.io/managed-by: {{ $.Values.global.pattern }}-{{ $.Values.clusterGroup.name }}
+    argocd.argoproj.io/managed-by: {{ include "clustergroup.template.argocdnamespace" $ | quote }}
     {{- if $v.labels }}
     {{- range $key, $value := $v.labels }}
     {{ $key }}: {{ $value | default "" | quote }}

diff --git a/templates/imperative/namespace.yaml b/templates/imperative/namespace.yaml
@@ -5,6 +5,6 @@ kind: Namespace
 metadata:
   labels:
     name: {{ $.Values.clusterGroup.imperative.namespace }}
-    argocd.argoproj.io/managed-by: {{ $.Values.global.pattern }}-{{ $.Values.clusterGroup.name }}
+    argocd.argoproj.io/managed-by: {{ include "clustergroup.template.argocdnamespace" . }}
   name: {{ $.Values.clusterGroup.imperative.namespace }}
 {{- end }}
diff --git a/templates/plumbing/applications.yaml b/templates/plumbing/applications.yaml
@@ -1,5 +1,5 @@
 {{- if ($.Values.global.deletePattern | ne "DeleteChildApps") }} {{- /* When a pattern is deleting applications should be removed */}}
-{{- $namespace := print $.Values.global.pattern "-" $.Values.clusterGroup.name }}
+{{- $namespace := include "clustergroup.template.argocdnamespace" . | trim }}
 {{- range .Values.clusterGroup.applications }}
 {{- if . }} {{- /* Skip null applications */}}
 {{- $projectName := coalesce .argoProject .project "default" -}} {{- /* Read argoProject if set, otherwise .project and otherwise set it to "default" */}}

diff --git a/templates/plumbing/argoProjects.yaml b/templates/plumbing/argoProjects.yaml
@@ -1,4 +1,4 @@
-{{- $namespace := print $.Values.global.pattern "-" $.Values.clusterGroup.name }}
+{{ $namespace := include "clustergroup.template.argocdnamespace" . | trim }}
 {{- /*
   We first check if projects are defined as a map.  If it is we call
   our helper function in _helpers.tpl to process the projects

diff --git a/templates/plumbing/argocd-super-role.yaml b/templates/plumbing/argocd-super-role.yaml
@@ -20,6 +20,8 @@ subjects:
     name: {{ $.Values.global.vpArgoNamespace }}-argocd-server
     namespace: {{ $.Values.global.vpArgoNamespace }}
 ---
+{{- if $.Values.global.singleArgoCD }}
+{{- else }}
 # WARNING: ONLY USE THIS FOR MANAGING CLUSTERS NOT FOR REGULAR USERS
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
@@ -43,3 +45,4 @@ subjects:
   - kind: ServiceAccount
     name: {{ .Values.clusterGroup.name }}-gitops-argocd-dex-server
     namespace: {{ $.Values.global.pattern }}-{{ .Values.clusterGroup.name }}
+{{- end }}{{- /* if .singleArgoCD */}}
diff --git a/templates/plumbing/argocd.yaml b/templates/plumbing/argocd.yaml
diff --git a/templates/plumbing/gitops-namespace.yaml b/templates/plumbing/gitops-namespace.yaml
@@ -1,3 +1,5 @@
+{{- if $.Values.global.singleArgoCD }}
+{{- else }}
 apiVersion: v1
 kind: Namespace
 metadata:
@@ -9,3 +11,4 @@ metadata:
   # - any references to secrets and route URLs in documentation
   name: {{ $.Values.global.pattern }}-{{ .Values.clusterGroup.name }}
 spec: {}
+{{- end }}{{- /* if .singleArgoCD */}}
diff --git a/templates/plumbing/trusted-bundle-ca-configmap.yaml b/templates/plumbing/trusted-bundle-ca-configmap.yaml
@@ -1,7 +1,8 @@
+{{- $namespace := include "clustergroup.template.argocdnamespace" . | trim }}
 kind: ConfigMap
 apiVersion: v1
 metadata:
   name: trusted-ca-bundle
-  namespace: {{ $.Values.global.pattern }}-{{ .Values.clusterGroup.name }}
+  namespace: {{ $namespace }}
   labels:
     config.openshift.io/inject-trusted-cabundle: 'true'
diff --git a/values.schema.json b/values.schema.json
@@ -207,6 +207,10 @@
           "type": "string",
           "description": "The namespace used for the GitOps subscription. Passed as a helm parameter to all ArgoCD applications.",
           "default": ""
+        },
+        "singleArgoCD": {
+          "type": "boolean",
+          "description": "If set to true there will only be a single argocd instance"
         }
       },
       "required": [
@@ -301,8 +305,8 @@
           "description": "DEPRECATED: If set to true the values is used to identify whether this is the hub cluster or an edge/spoke cluster configuration. Use global.localClusterDomain and global.hubClusterDomain instead."
         },
         "sharedValueFiles": {
-            "type": "array",
-            "description": "Templated value file paths."
+          "type": "array",
+          "description": "Templated value file paths."
         },
         "scheduler": {
           "type": "object",
@@ -893,7 +897,10 @@
           "type": "string"
         },
         "clusterRoleYaml": {
-          "type": ["string", "array"]
+          "type": [
+            "string",
+            "array"
+          ]
         },
         "roleName": {
           "type": "string"
@@ -957,7 +964,10 @@
           "type": "string"
         },
         "timeout": {
-          "type": ["integer", "string"]
+          "type": [
+            "integer",
+            "string"
+          ]
         },
         "image": {
           "type": "string",