From c53e466592208ded055e7bdae6ca5a37db7c37b9 Mon Sep 17 00:00:00 2001 From: Florian Bergmann Date: Tue, 23 Dec 2025 13:19:10 +0100 Subject: [PATCH 1/2] Add a linter check for environment selectors. This should prevent putting an invalid environment selector like 'stage' or 'int' into this repo. --- .../stg/pre-4.15/config.yaml | 1 - ...naged-cluster-config-integration.yaml.tmpl | 1 - ...anaged-cluster-config-production.yaml.tmpl | 1 - ...osd-managed-cluster-config-stage.yaml.tmpl | 1 - scripts/generate_template.py | 19 ++++++++++++++++++- 5 files changed, 18 insertions(+), 5 deletions(-) diff --git a/deploy/osd-fedramp-machineconfig/stg/pre-4.15/config.yaml b/deploy/osd-fedramp-machineconfig/stg/pre-4.15/config.yaml index ae85cd3dc6..5c6d12b7ce 100644 --- a/deploy/osd-fedramp-machineconfig/stg/pre-4.15/config.yaml +++ b/deploy/osd-fedramp-machineconfig/stg/pre-4.15/config.yaml @@ -9,7 +9,6 @@ selectorSyncSet: operator: In values: - "staging" - - "stage" - key: hive.openshift.io/version-major-minor operator: In values: ["4.11", "4.12", "4.13", "4.14", "4.15", "4.16"] diff --git a/hack/00-osd-managed-cluster-config-integration.yaml.tmpl b/hack/00-osd-managed-cluster-config-integration.yaml.tmpl index fa122cb913..ec114ee920 100644 --- a/hack/00-osd-managed-cluster-config-integration.yaml.tmpl +++ b/hack/00-osd-managed-cluster-config-integration.yaml.tmpl @@ -40493,7 +40493,6 @@ objects: operator: In values: - staging - - stage - key: hive.openshift.io/version-major-minor operator: In values: diff --git a/hack/00-osd-managed-cluster-config-production.yaml.tmpl b/hack/00-osd-managed-cluster-config-production.yaml.tmpl index fa122cb913..ec114ee920 100644 --- a/hack/00-osd-managed-cluster-config-production.yaml.tmpl +++ b/hack/00-osd-managed-cluster-config-production.yaml.tmpl @@ -40493,7 +40493,6 @@ objects: operator: In values: - staging - - stage - key: hive.openshift.io/version-major-minor operator: In values: 
diff --git a/hack/00-osd-managed-cluster-config-stage.yaml.tmpl b/hack/00-osd-managed-cluster-config-stage.yaml.tmpl index fa122cb913..ec114ee920 100644 --- a/hack/00-osd-managed-cluster-config-stage.yaml.tmpl +++ b/hack/00-osd-managed-cluster-config-stage.yaml.tmpl @@ -40493,7 +40493,6 @@ objects: operator: In values: - staging - - stage - key: hive.openshift.io/version-major-minor operator: In values: diff --git a/scripts/generate_template.py b/scripts/generate_template.py index 193eb0c453..1e6e047001 100755 --- a/scripts/generate_template.py +++ b/scripts/generate_template.py @@ -10,6 +10,8 @@ cluster_platform_ann = "hive.openshift.io/cluster-platform" config_filename = "config.yaml" +environment_selector = "api.openshift.com/environment" +valid_environments = ["production", "staging", "integration"] data_sss = [] data_resources = { @@ -96,6 +98,7 @@ def add_sss_for(name, directory, config): # collect the new sss for later processing data_sss.append(o) + if __name__ == '__main__': #Argument parser parser = argparse.ArgumentParser(description="template generation tool", usage='%(prog)s [options]') @@ -127,7 +130,7 @@ def add_sss_for(name, directory, config): deploymentMode = "SelectorSyncSet" if "deploymentMode" in config: - deploymentMode = config["deploymentMode"] + deploymentMode: str = config["deploymentMode"] # skip any directory only containing governance policies, as they are only for hypershift if deploymentMode == "Policy": 
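Review bot: The `str` annotation is attached to the second binding of `deploymentMode`, after the unannotated `deploymentMode = "SelectorSyncSet"` two lines above; a checker such as mypy is likely to report this as a redefinition, and the annotation does not verify that the YAML value is actually a string. Folding the default and the lookup into one annotated statement, `deploymentMode: str = config.get("deploymentMode", "SelectorSyncSet")`, removes the `if` and gives the name a single declaration. The enclosing `if __name__ == '__main__':` block starts outside this hunk.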
@@ -159,6 +162,20 @@ def add_sss_for(name, directory, config): print("The selectorsyncset name should be lowercase. Found selectorsyncset with name " + sss_name) sys.exit(1) + # Verify that environment selectors make sense + sss = config["selectorSyncSet"] + expressions = sss.get("matchExpressions", []) if sss else [] + for expression in expressions: + if not expression["key"] == environment_selector: + continue + values = expression["values"] + if type(values) == list: + for value in values: + if value not in valid_environments: + raise RuntimeError(f"The environment value {value} for {dirpath} does not match a known environment: must be one of {valid_environments}") + elif values not in valid_environments: + raise RuntimeError(f"The environment value {values} for {dirpath} does not match a known environment: must be one of {valid_environments}") + # If no matchLabelsApplyMode, process as nornmal if "matchLabelsApplyMode" in config["selectorSyncSet"] and config["selectorSyncSet"]["matchLabelsApplyMode"] == "OR": # generate new SSS per matchLabels line From 7abefbd78b67217b56bb7e9eb0f83c95e0996370 Mon Sep 17 00:00:00 2001 From: Florian Bergmann Date: Tue, 23 Dec 2025 14:58:13 +0100 Subject: [PATCH 2/2] Update to ubi9 & python3.12 --- Makefile | 4 ++-- scripts/generate_template.py | 19 ++++++++++++------- 2 files changed, 14 insertions(+), 9 deletions(-) diff --git a/Makefile b/Makefile index ea3eeb654b..2456426991 100644 --- a/Makefile +++ b/Makefile 
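Review bot: The new check only walks `matchExpressions`, so an environment given under `matchLabels` (which the context lines just below suggest this script also processes) would not be validated; if configs can carry `api.openshift.com/environment` there, the same allow-list test is needed for that map. This matters because the selector decides which clusters receive the resources, and a mistyped value presumably matches no cluster rather than being rejected. Separately, `expression["values"]` raises a bare `KeyError` for an expression that has no `values` (for example one using the `Exists` operator); `values = expression.get("values", [])` keeps such entries on the linter's own message path. The same lookup is still present in patch 2/2, and the enclosing `if __name__ == '__main__':` block starts outside this hunk.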
@@ -77,8 +77,8 @@ generate-rosa-brand-logo: .PHONY: generate-hive-templates generate-hive-templates: generate-oauth-templates if [ -z ${IN_CONTAINER} ]; then \ - $(CONTAINER_ENGINE) run $(CONTAINER_RUN_FLAGS) registry.access.redhat.com/ubi8/python-39 /bin/bash -xc "cd `pwd -P`; pip install --disable-pip-version-check oyaml; curl -sSL https://github.com/open-cluster-management-io/policy-generator-plugin/releases/download/${POLICYGEN_VERSION}/linux-amd64-PolicyGenerator --output /opt/app-root/bin/PolicyGenerator; chmod +x /opt/app-root/bin/PolicyGenerator; ${GEN_POLICY_CONFIG}; ${GEN_POLICY_CONFIG_SP}; ${GEN_POLICY}; ${GEN_CMO_CONFIG}";\ - $(CONTAINER_ENGINE) run $(CONTAINER_RUN_FLAGS) registry.access.redhat.com/ubi8/python-39 /bin/bash -xc "cd `pwd -P`; pip install --disable-pip-version-check oyaml; ${GEN_TEMPLATE}"; \ + $(CONTAINER_ENGINE) run $(CONTAINER_RUN_FLAGS) registry.access.redhat.com/ubi9/python-312 /bin/bash -xc "cd `pwd -P`; pip install --disable-pip-version-check oyaml; curl -sSL https://github.com/open-cluster-management-io/policy-generator-plugin/releases/download/${POLICYGEN_VERSION}/linux-amd64-PolicyGenerator --output /opt/app-root/bin/PolicyGenerator; chmod +x /opt/app-root/bin/PolicyGenerator; ${GEN_POLICY_CONFIG}; ${GEN_POLICY_CONFIG_SP}; ${GEN_POLICY}; ${GEN_CMO_CONFIG}";\ + $(CONTAINER_ENGINE) run $(CONTAINER_RUN_FLAGS) registry.access.redhat.com/ubi9/python-312 /bin/bash -xc "cd `pwd -P`; pip install --disable-pip-version-check oyaml; ${GEN_TEMPLATE}"; \ else \ ${GEN_POLICY_CONFIG};\ ${GEN_POLICY_CONFIG_SP};\ diff --git a/scripts/generate_template.py b/scripts/generate_template.py index 1e6e047001..4ccf8d86b5 100755 --- a/scripts/generate_template.py +++ b/scripts/generate_template.py @@ -7,6 +7,7 @@ import argparse import copy import re +from typing import Any cluster_platform_ann = "hive.openshift.io/cluster-platform" config_filename = "config.yaml" 
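Review bot: Both new `run` lines pull `registry.access.redhat.com/ubi9/python-312` with no tag or digest, so the generator runs in whatever image the registry serves at build time; pinning it, e.g. `registry.access.redhat.com/ubi9/python-312@sha256:<IMAGE_DIGEST>` (placeholder), would make the base-image move in this commit reproducible. The first line also downloads `PolicyGenerator` with `curl -sSL` and marks it executable without verifying it; adding `-f` so an HTTP error fails the step, and checking the file against a SHA-256 recorded in the repo for `${POLICYGEN_VERSION}` before `chmod +x`, would close that gap. `pip install oyaml` is likewise unpinned. The download and pip steps predate this commit but sit on the lines it rewrites.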
@@ -164,17 +165,21 @@ def add_sss_for(name, directory, config): # Verify that environment selectors make sense sss = config["selectorSyncSet"] - expressions = sss.get("matchExpressions", []) if sss else [] + expressions: list[dict[str, Any]] = sss.get("matchExpressions", []) if sss else [] for expression in expressions: if not expression["key"] == environment_selector: continue - values = expression["values"] - if type(values) == list: - for value in values: - if value not in valid_environments: - raise RuntimeError(f"The environment value {value} for {dirpath} does not match a known environment: must be one of {valid_environments}") - elif values not in valid_environments: + values: str|list[str] = expression["values"] + match values: + case list(x): + for value in x: + if value not in valid_environments: + raise RuntimeError(f"The environment value {value} for {dirpath} does not match a known environment: must be one of {valid_environments}") + case str(x): + if x not in valid_environments: raise RuntimeError(f"The environment value {values} for {dirpath} does not match a known environment: must be one of {valid_environments}") + case _: + raise RuntimeError(f"Received invalid values {values} for {dirpath} for key: {environment_selector}") # If no matchLabelsApplyMode, process as nornmal if "matchLabelsApplyMode" in config["selectorSyncSet"] and config["selectorSyncSet"]["matchLabelsApplyMode"] == "OR":
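Review bot: A rejected selector is reported with `raise RuntimeError(...)`, while the neighbouring lowercase-name check (visible in patch 1/2's context) prints a message and calls `sys.exit(1)`; the linter failure therefore arrives as a traceback instead of the one-line message the rest of the script uses. `sys.exit(f"The environment value {value} for {dirpath} does not match a known environment: must be one of {valid_environments}")` keeps a non-zero exit status and matches that convention, and the same applies to the `case str(x)` and `case _` branches. Note also that `match` and the `str|list[str]` annotation need Python 3.10 or later, so the `else` branch of the Makefile target, which presumably runs the generator with the ambient interpreter instead of the ubi9 image, should be checked for an older Python. The enclosing `if __name__ == '__main__':` block starts and ends outside this hunk.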