Pacify super-linter

Author: Martin Jackson

roles/vault_utils/README.md

@@ -88,7 +88,8 @@ For each `ssCsiWorkloadAuth` entry:
 - required: `serviceAccount`
 - optional: `namespace`, `cluster`, `roleSlug` (or `role_slug`)
 
-For spokes, `cluster` in values can be the **managed cluster group** name (default), the ACM **`ManagedCluster` name**, the spoke **FQDN** (`vault_path`, same as Vault/ESO), or **`metadata.labels.clusterGroup`**. During `vault_spokes_init`, rows are **normalized** so spoke Vault roles always use **`vault_path`** (full cluster DNS name) as the cluster id, matching ESO and the Kubernetes auth mount path on the spoke.
+For spokes, `cluster` in values can be the **managed cluster group** name (default), the ACM **`ManagedCluster` name**, the spoke **FQDN** (`vault_path`, same as Vault/ESO), or **`metadata.labels.clusterGroup`**.
+During `vault_spokes_init`, rows are **normalized** so spoke Vault roles always use **`vault_path`** (full cluster DNS name) as the cluster ID, matching ESO and the Kubernetes auth mount path on the spoke.
 
 **Charts (vp-sscsi-spc):** `SecretProviderClass` workload auth should use the same
 idea: with `roleSlug` set, the chart emits **`roleName: <vaultKubernetesMountPath>-sscsi-<roleSlug>`**

secrets-initialization-and-vault-unseal.md

@@ -105,11 +105,15 @@ Summary:
 `vault_ss_csi_workload_auth.yaml` includes **`vault_ss_csi_load_clustergroup_values.yaml`**, which prefers an in-cluster **`ConfigMap`** so SS CSI sees **merged** values (including GitOps overrides), then optionally falls back to the local **`values-<clustergroup>.yaml`** file under `pattern_dir`.
 
 - **Default `ConfigMap`:** namespace **`openshift-gitops`**, name **`values-<main_clustergroupname>`** (same stem as the usual values file), YAML in a data key tried from **`vault_ss_csi_clustergroup_configmap_key_candidates`** (for example **`values.yaml`**) unless **`vault_ss_csi_clustergroup_configmap_key`** is set.
-- **Requirement:** the decoded YAML must have a top-level **`clusterGroup`** map (same shape as the repo values file). The role then scans **`clusterGroup.applications`** and **`clusterGroup.managedClusterGroups`** for **`ssCsiWorkloadAuth`**.
+- **Requirement:** the decoded YAML must have a top-level **`clusterGroup`** map (same shape as the repository values file). The role then scans **`clusterGroup.applications`** and **`clusterGroup.managedClusterGroups`** for **`ssCsiWorkloadAuth`**.
 - **Fallback:** when **`vault_ss_csi_fallback_local_clustergroup_file`** is true (default), it uses **`vault_ss_csi_cluster_values_file`** if set, else **`{{ pattern_dir }}/values-{{ main_clustergroupname }}.yaml`**.
 - **Disable cluster read:** set **`vault_ss_csi_clustergroup_values_from_configmap`** to false to use only the file path.
 
-**Spoke cluster id and charts:** Before applying SS CSI roles on spokes, **`vault_ss_csi_normalize_spoke_entries_to_vault_path.yaml`** rewrites each spoke row so **`cluster` equals `vault_path`** (spoke FQDN) for every cluster that has External Secrets token data (`esoToken`). That matches Vault Kubernetes auth mounts and ESO. Pattern charts that render **`SecretProviderClass`** via **vp-sscsi-spc** should keep **`global.clusterDomain`** set to that same FQDN on the spoke; the library builds **`spec.parameters.roleName`** as **`<vaultKubernetesMountPath>-sscsi-<roleSlug>`**, using the mount path (not the short `ssCsiWorkloadAuth.cluster` label).
+**Spoke cluster ID and charts:** Before applying SS CSI roles on spokes,
+`**vault_ss_csi_normalize_spoke_entries_to_vault_path.yaml`** rewrites each spoke row so **`cluster` equals `vault_path`**
+(spoke FQDN) for every cluster that has External Secrets token data (`esoToken`).
+That matches Vault Kubernetes auth mounts and ESO.
+Pattern charts that render **`SecretProviderClass`** via **vp-sscsi-spc** should keep **`global.clusterDomain`** set to that same FQDN on the spoke; the library builds **`spec.parameters.roleName`** as **`<vaultKubernetesMountPath>-sscsi-<roleSlug>`**, using the mount path (not the short `ssCsiWorkloadAuth.cluster` label).
 
 ### Vault route CA for SS CSI TLS