rh-mobb · foster-rh · Mar 19, 2026 · Mar 18, 2026 · Mar 19, 2026
diff --git a/charts/external-secrets-operator/Chart.yaml b/charts/external-secrets-operator/Chart.yaml
@@ -0,0 +1,8 @@
+apiVersion: v2
+name: external-secrets-operator
+description: External Secrets Operator with AWS Secrets Manager integration via IRSA
+version: 1.0.0
+type: application
+home: https://rh-mobb.github.io/validated-pattern-helm-charts/
+maintainers:
+  - name: rh-mobb
diff --git a/charts/external-secrets-operator/templates/clustersecretstore.yaml b/charts/external-secrets-operator/templates/clustersecretstore.yaml
@@ -0,0 +1,19 @@
+{{- if .Values.serviceAccount.roleArn }}
+apiVersion: external-secrets.io/v1beta1
+kind: ClusterSecretStore
+metadata:
+  name: {{ .Values.secretStore.name }}
+  annotations:
+    argocd.argoproj.io/sync-wave: "5"
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+spec:
+  provider:
+    aws:
+      service: SecretsManager
+      region: {{ .Values.secretStore.region }}
+      auth:
+        jwt:
+          serviceAccountRef:
+            name: {{ .Values.serviceAccount.name }}
+            namespace: {{ .Values.namespace }}
+{{- end }}
diff --git a/charts/external-secrets-operator/templates/externalsecret.yaml b/charts/external-secrets-operator/templates/externalsecret.yaml
@@ -0,0 +1,36 @@
+{{- if .Values.serviceAccount.roleArn }}
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: kuadrant-aws-credentials
+  namespace: {{ .Values.target.namespace }}
+  annotations:
+    argocd.argoproj.io/sync-wave: "6"
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+spec:
+  refreshInterval: {{ .Values.target.refreshInterval }}
+  secretStoreRef:
+    name: {{ .Values.secretStore.name }}
+    kind: ClusterSecretStore
+  target:
+    name: {{ .Values.target.secretName }}
+    template:
+      type: kuadrant.io/aws
+      data:
+        AWS_ACCESS_KEY_ID: "{{ "{{ .aws_access_key_id }}" }}"
+        AWS_SECRET_ACCESS_KEY: "{{ "{{ .aws_secret_access_key }}" }}"
+        AWS_REGION: "{{ "{{ .aws_region }}" }}"
+  data:
+    - secretKey: aws_access_key_id
+      remoteRef:
+        key: {{ .Values.secretStore.secretName }}
+        property: AWS_ACCESS_KEY_ID
+    - secretKey: aws_secret_access_key
+      remoteRef:
+        key: {{ .Values.secretStore.secretName }}
+        property: AWS_SECRET_ACCESS_KEY
+    - secretKey: aws_region
+      remoteRef:
+        key: {{ .Values.secretStore.secretName }}
+        property: AWS_REGION
+{{- end }}
diff --git a/charts/external-secrets-operator/templates/namespace.yaml b/charts/external-secrets-operator/templates/namespace.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: {{ .Values.namespace }}
+  annotations:
+    argocd.argoproj.io/sync-wave: "-1"
diff --git a/charts/external-secrets-operator/templates/operatorgroup.yaml b/charts/external-secrets-operator/templates/operatorgroup.yaml
@@ -0,0 +1,10 @@
+apiVersion: operators.coreos.com/v1
+kind: OperatorGroup
+metadata:
+  name: external-secrets-operator
+  namespace: {{ .Values.namespace }}
+  annotations:
+    argocd.argoproj.io/sync-wave: "-1"
+spec:
+  targetNamespaces:
+    - {{ .Values.namespace }}
diff --git a/charts/external-secrets-operator/templates/serviceaccount.yaml b/charts/external-secrets-operator/templates/serviceaccount.yaml
@@ -0,0 +1,10 @@
+{{- if .Values.serviceAccount.roleArn }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .Values.serviceAccount.name }}
+  namespace: {{ .Values.namespace }}
+  annotations:
+    argocd.argoproj.io/sync-wave: "1"
+    eks.amazonaws.com/role-arn: {{ .Values.serviceAccount.roleArn }}
+{{- end }}
diff --git a/charts/external-secrets-operator/templates/subscription.yaml b/charts/external-secrets-operator/templates/subscription.yaml
@@ -0,0 +1,16 @@
+apiVersion: operators.coreos.com/v1alpha1
+kind: Subscription
+metadata:
+  name: {{ .Values.subscription.name }}
+  namespace: {{ .Values.namespace }}
+  annotations:
+    argocd.argoproj.io/sync-wave: "0"
+spec:
+  channel: {{ .Values.subscription.channel }}
+  installPlanApproval: {{ .Values.subscription.installPlanApproval }}
+  name: {{ .Values.subscription.name }}
+  source: {{ .Values.subscription.source }}
+  sourceNamespace: {{ .Values.subscription.sourceNamespace }}
+  {{- if .Values.subscription.startingCSV }}
+  startingCSV: {{ .Values.subscription.startingCSV }}
+  {{- end }}
diff --git a/charts/external-secrets-operator/values.yaml b/charts/external-secrets-operator/values.yaml
@@ -0,0 +1,23 @@
+namespace: external-secrets
+
+subscription:
+  name: external-secrets-operator
+  channel: stable-v1
+  installPlanApproval: Manual
+  source: redhat-operators
+  sourceNamespace: openshift-marketplace
+  startingCSV: ""
+
+serviceAccount:
+  name: external-secrets-sa
+  roleArn: ""
+
+secretStore:
+  name: aws-secrets-manager
+  region: ap-southeast-4
+  secretName: connectivity-link-route53-credentials
+
+target:
+  namespace: istio-system
+  secretName: aws-credentials
+  refreshInterval: 1h
diff --git a/charts/letsencrypt-clusterissuer/Chart.yaml b/charts/letsencrypt-clusterissuer/Chart.yaml
@@ -0,0 +1,8 @@
+apiVersion: v2
+name: letsencrypt-clusterissuer
+description: Let's Encrypt ACME ClusterIssuer with DNS-01 Route 53 solver (uses IRSA, no static credentials)
+version: 1.0.0
+type: application
+home: https://rh-mobb.github.io/validated-pattern-helm-charts/
+maintainers:
+  - name: rh-mobb
diff --git a/charts/letsencrypt-clusterissuer/templates/clusterissuer.yaml b/charts/letsencrypt-clusterissuer/templates/clusterissuer.yaml
@@ -0,0 +1,20 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: {{ .Values.name }}
+  annotations:
+    argocd.argoproj.io/sync-wave: "5"
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+spec:
+  acme:
+    server: {{ .Values.acme.server }}
+    email: {{ .Values.acme.email }}
+    privateKeySecretRef:
+      name: {{ .Values.name }}-account-key
+    solvers:
+      - dns01:
+          route53:
+            hostedZoneID: {{ .Values.route53.hostedZoneID }}
+            region: {{ .Values.route53.region }}
+            secretAccessKeySecretRef:
+              name: ""
diff --git a/charts/letsencrypt-clusterissuer/values.yaml b/charts/letsencrypt-clusterissuer/values.yaml
@@ -0,0 +1,9 @@
+name: letsencrypt-production
+
+acme:
+  server: https://acme-v02.api.letsencrypt.org/directory
+  email: ""
+
+route53:
+  hostedZoneID: ""
+  region: ap-southeast-4
diff --git a/charts/rhcl-operator/Chart.yaml b/charts/rhcl-operator/Chart.yaml
@@ -0,0 +1,11 @@
+apiVersion: v2
+name: rhcl-operator
+description: Chart to deploy Red Hat Connectivity Link (RHCL/Kuadrant) operator for DNS-based traffic management
+version: 1.0.0
+home: https://rh-mobb.github.io/validated-pattern-helm-charts/
+maintainers:
+  - name: rh-mobb
+dependencies:
+  - name: helper-status-checker
+    repository: https://rosa-hcp-dedicated-vpc.github.io/helm-repository/
+    version: 4.4.3
diff --git a/charts/rhcl-operator/templates/gatewayclass.yaml b/charts/rhcl-operator/templates/gatewayclass.yaml
@@ -0,0 +1,12 @@
+{{- if .Values.gatewayClass.enabled }}
+apiVersion: gateway.networking.k8s.io/v1
+kind: GatewayClass
+metadata:
+  name: {{ .Values.gatewayClass.name }}
+  annotations:
+    argocd.argoproj.io/sync-wave: "-1"
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+spec:
+  controllerName: {{ .Values.gatewayClass.controllerName | quote }}
+{{- end }}
+
diff --git a/charts/rhcl-operator/templates/kuadrant.yaml b/charts/rhcl-operator/templates/kuadrant.yaml
@@ -0,0 +1,11 @@
+{{- if .Values.kuadrant.enabled }}
+apiVersion: kuadrant.io/v1beta1
+kind: Kuadrant
+metadata:
+  name: {{ .Values.kuadrant.name }}
+  namespace: {{ .Values.namespace }}
+  annotations:
+    argocd.argoproj.io/sync-wave: "5"
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+{{- end }}
+
diff --git a/charts/rhcl-operator/templates/namespace.yaml b/charts/rhcl-operator/templates/namespace.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: {{ .Values.namespace }}
+  annotations:
+    argocd.argoproj.io/sync-wave: "-1"
+
diff --git a/charts/rhcl-operator/templates/operatorgroup.yaml b/charts/rhcl-operator/templates/operatorgroup.yaml
@@ -0,0 +1,8 @@
+apiVersion: operators.coreos.com/v1
+kind: OperatorGroup
+metadata:
+  name: kuadrant-operator-group
+  namespace: {{ .Values.namespace }}
+  annotations:
+    argocd.argoproj.io/sync-wave: "-1"
+
diff --git a/charts/rhcl-operator/templates/subscription.yaml b/charts/rhcl-operator/templates/subscription.yaml
@@ -0,0 +1,15 @@
+apiVersion: operators.coreos.com/v1alpha1
+kind: Subscription
+metadata:
+  name: rhcl-operator
+  namespace: {{ .Values.namespace }}
+  annotations:
+    argocd.argoproj.io/sync-wave: "0"
+spec:
+  channel: stable
+  installPlanApproval: Manual
+  name: rhcl-operator
+  source: redhat-operators
+  sourceNamespace: openshift-marketplace
+  startingCSV: {{ .Values.startingCSV }}
+
diff --git a/charts/rhcl-operator/values.yaml b/charts/rhcl-operator/values.yaml
@@ -0,0 +1,22 @@
+startingCSV: rhcl-operator.v1.2.1
+namespace: kuadrant-system
+
+gatewayClass:
+  enabled: false
+  name: openshift-default
+  controllerName: "openshift.io/gateway-controller/v1"
+
+kuadrant:
+  enabled: true
+  name: kuadrant
+
+helper-status-checker:
+  approver: true
+  enabled: true
+  checks:
+    - operatorName: rhcl-operator
+      subscriptionName: rhcl-operator
+      namespace:
+        name: kuadrant-system
+      serviceAccount:
+        name: "status-checker"
diff --git a/charts/servicemesh-operator-ambient/Chart.yaml b/charts/servicemesh-operator-ambient/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: servicemesh-operator-ambient
 description: Helm chart for deploying Red Hat OpenShift Service Mesh 3 Operator
 type: application
-version: 1.0.4
+version: 1.1.0
 appVersion: "3.0"
 dependencies:
   - name: helper-status-checker

diff --git a/charts/servicemesh-operator-ambient/templates/gateway.yaml b/charts/servicemesh-operator-ambient/templates/gateway.yaml
@@ -8,9 +8,28 @@ metadata:
     networking.istio.io/service-type: {{ .Values.gateway.serviceType }}
     argocd.argoproj.io/sync-wave: "3"
     argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+  {{- if .Values.gateway.connectivityLink.enabled }}
+  labels:
+    kuadrant.io/gateway: "true"
+  {{- end }}
 spec:
   gatewayClassName: istio
   listeners:
+  {{- if .Values.gateway.connectivityLink.enabled }}
+  - name: https
+    hostname: {{ .Values.gateway.connectivityLink.hostname }}
+    port: 443
+    protocol: HTTPS
+    allowedRoutes:
+      namespaces:
+        from: All
+    tls:
+      mode: Terminate
+      certificateRefs:
+        - group: ""
+          kind: Secret
+          name: {{ .Values.gateway.connectivityLink.tls.secretName }}
+  {{- else }}
   {{- range .Values.gateway.listeners }}
   - name: {{ .name }}
     port: {{ .port }}
@@ -19,7 +38,8 @@ spec:
       namespaces:
         from: All
   {{- end }}
-{{- if .Values.gateway.route.enabled }}
+  {{- end }}
+{{- if and .Values.gateway.route.enabled (not .Values.gateway.connectivityLink.enabled) }}
 ---
 apiVersion: route.openshift.io/v1
 kind: Route

diff --git a/charts/servicemesh-operator-ambient/values.yaml b/charts/servicemesh-operator-ambient/values.yaml
@@ -37,6 +37,11 @@ gateway:
       protocol: HTTP
   route:
     enabled: false
+  connectivityLink:
+    enabled: false
+    hostname: ""
+    tls:
+      secretName: shared-app-gw-tls
 
 helper-status-checker:
   enabled: true