From 97cd9a92168627d3c808543cd34ff2542b0f2048 Mon Sep 17 00:00:00 2001 
From: jmontesi Date: Wed, 12 Feb 2025 16:07:43 +0100 Subject: [PATCH 01/15] telco-hub: add first set of reference templates for the cluster-compare tool The templates cover the reference CRs for: * LSO * ODF * TALM * ACM (without the observability configuration) * Cluster logging * Quay The ACM MultiClusterHub is also updated to include the SiteConfig Operator. --- .../ReferenceVersionCheck.yaml | 7 ++ .../reference-crs-kube-compare/compare_ignore | 5 + .../reference-crs-kube-compare/metadata.yaml | 111 ++++++++++++++++++ .../optional/logging/clusterLogNS.yaml | 7 ++ .../optional/logging/clusterLogOperGroup.yaml | 12 ++ .../logging/clusterLogSubscription.yaml | 12 ++ .../optional/quay/quayNS.yaml | 7 ++ .../optional/quay/quayOperatorGroup.yaml | 12 ++ .../optional/quay/quaySubscription.yaml | 12 ++ .../required/acm/acmAgentServiceConfig.yaml | 36 ++++++ .../required/acm/acmMCH.yaml | 41 +++++++ .../required/acm/acmMirrorRegistryCM.yaml | 10 ++ .../required/acm/acmNS.yaml | 7 ++ .../required/acm/acmOperGroup.yaml | 12 ++ .../required/acm/acmProvisioning.yaml | 10 ++ .../required/acm/acmSubscription.yaml | 12 ++ .../required/lso/lsoLocalVolume.yaml | 21 ++++ .../required/lso/lsoNS.yaml | 7 ++ .../required/lso/lsoOperatorGroup.yaml | 12 ++ .../required/lso/lsoSubscription.yaml | 12 ++ .../required/odf-internal/odfNS.yaml | 9 ++ .../odf-internal/odfOperatorGroup.yaml | 12 ++ .../odf-internal/odfSubscription.yaml | 12 ++ .../required/odf-internal/storageCluster.yaml | 32 +++++ .../required/talm/talmSubscription.yaml | 12 ++ .../version_match.tmpl | 9 ++ .../reference-crs/required/acm/acmMCH.yaml | 2 + .../reference-crs/required/acm/readme.md | 17 +-- .../required/lso/lsoLocalVolume.yaml | 2 + 29 files changed, 464 insertions(+), 8 deletions(-) create mode 100644 telco-hub/configuration/reference-crs-kube-compare/ReferenceVersionCheck.yaml create mode 100644 telco-hub/configuration/reference-crs-kube-compare/compare_ignore create mode 100644 
telco-hub/configuration/reference-crs-kube-compare/metadata.yaml create mode 100644 telco-hub/configuration/reference-crs-kube-compare/optional/logging/clusterLogNS.yaml create mode 100644 telco-hub/configuration/reference-crs-kube-compare/optional/logging/clusterLogOperGroup.yaml create mode 100644 telco-hub/configuration/reference-crs-kube-compare/optional/logging/clusterLogSubscription.yaml create mode 100644 telco-hub/configuration/reference-crs-kube-compare/optional/quay/quayNS.yaml create mode 100644 telco-hub/configuration/reference-crs-kube-compare/optional/quay/quayOperatorGroup.yaml create mode 100644 telco-hub/configuration/reference-crs-kube-compare/optional/quay/quaySubscription.yaml create mode 100644 telco-hub/configuration/reference-crs-kube-compare/required/acm/acmAgentServiceConfig.yaml create mode 100644 telco-hub/configuration/reference-crs-kube-compare/required/acm/acmMCH.yaml create mode 100644 telco-hub/configuration/reference-crs-kube-compare/required/acm/acmMirrorRegistryCM.yaml create mode 100644 telco-hub/configuration/reference-crs-kube-compare/required/acm/acmNS.yaml create mode 100644 telco-hub/configuration/reference-crs-kube-compare/required/acm/acmOperGroup.yaml create mode 100644 telco-hub/configuration/reference-crs-kube-compare/required/acm/acmProvisioning.yaml create mode 100644 telco-hub/configuration/reference-crs-kube-compare/required/acm/acmSubscription.yaml create mode 100644 telco-hub/configuration/reference-crs-kube-compare/required/lso/lsoLocalVolume.yaml create mode 100644 telco-hub/configuration/reference-crs-kube-compare/required/lso/lsoNS.yaml create mode 100644 telco-hub/configuration/reference-crs-kube-compare/required/lso/lsoOperatorGroup.yaml create mode 100644 telco-hub/configuration/reference-crs-kube-compare/required/lso/lsoSubscription.yaml create mode 100644 telco-hub/configuration/reference-crs-kube-compare/required/odf-internal/odfNS.yaml create mode 100644 
telco-hub/configuration/reference-crs-kube-compare/required/odf-internal/odfOperatorGroup.yaml create mode 100644 telco-hub/configuration/reference-crs-kube-compare/required/odf-internal/odfSubscription.yaml create mode 100644 telco-hub/configuration/reference-crs-kube-compare/required/odf-internal/storageCluster.yaml create mode 100644 telco-hub/configuration/reference-crs-kube-compare/required/talm/talmSubscription.yaml create mode 100644 telco-hub/configuration/reference-crs-kube-compare/version_match.tmpl diff --git a/telco-hub/configuration/reference-crs-kube-compare/ReferenceVersionCheck.yaml b/telco-hub/configuration/reference-crs-kube-compare/ReferenceVersionCheck.yaml new file mode 100644 index 000000000..396227df2 --- /dev/null +++ b/telco-hub/configuration/reference-crs-kube-compare/ReferenceVersionCheck.yaml @@ -0,0 +1,7 @@ +apiVersion: config.openshift.io/v1 +kind: ClusterVersion +metadata: + name: version +status: + desired: + version: {{ template "versionMatch" (list .status.desired.version "4.17") }} diff --git a/telco-hub/configuration/reference-crs-kube-compare/compare_ignore b/telco-hub/configuration/reference-crs-kube-compare/compare_ignore new file mode 100644 index 000000000..41ce989b2 --- /dev/null +++ b/telco-hub/configuration/reference-crs-kube-compare/compare_ignore @@ -0,0 +1,5 @@ +# Internal files for cluster-compare, not real CRs +metadata.yaml + +# Used in the reference only for version compliance checks +ReferenceVersionCheck.yaml diff --git a/telco-hub/configuration/reference-crs-kube-compare/metadata.yaml b/telco-hub/configuration/reference-crs-kube-compare/metadata.yaml new file mode 100644 index 000000000..413fa072f --- /dev/null +++ b/telco-hub/configuration/reference-crs-kube-compare/metadata.yaml 
@@ -0,0 +1,111 @@
+apiVersion: v2
+parts:
+ - name: version-check
+ description: |-
+ A mismatch here means you may be using the wrong reference.
+ This reference was designed for OpenShift 4.17.
+ components:
+ - name: version-check
+ allOf:
+ - path: ReferenceVersionCheck.yaml
+ config:
+ ignore-unspecified-fields: true
+ fieldsToOmitRefs:
+ - allowStatusCheck
+ - name: required-storage
+ description: |-
+ TODO: Link to Hub RDS storage section when published
+ components:
+ - name: local-storage-operator
+ allOf:
+ - path: required/lso/lsoNS.yaml
+ - path: required/lso/lsoOperatorGroup.yaml
+ - path: required/lso/lsoSubscription.yaml
+ - path: required/lso/lsoLocalVolume.yaml
+ - name: odf-internal-operator
+ allOf:
+ - path: required/odf-internal/odfNS.yaml
+ - path: required/odf-internal/odfOperatorGroup.yaml
+ - path: required/odf-internal/odfSubscription.yaml
+ - path: required/odf-internal/storageCluster.yaml
+ config:
+ ignore-unspecified-fields: true
+ - name: required-talm
+ description: |-
+ TODO: Link to Hub RDS TALM section when published
+ components:
+ - name: talm-operator
+ allOf:
+ - path: required/talm/talmSubscription.yaml
+ - name: required-acm
+ description: |-
+ TODO: Link to Hub RDS ACM section when published
+ components:
+ - name: acm-operator
+ allOf:
+ - path: required/acm/acmNS.yaml
+ - path: required/acm/acmOperGroup.yaml
+ - path: required/acm/acmSubscription.yaml
+ - path: required/acm/acmMCH.yaml
+ config:
+ ignore-unspecified-fields: true
+ - path: required/acm/acmProvisioning.yaml
+ config:
+ ignore-unspecified-fields: true
+ - path: required/acm/acmMirrorRegistryCM.yaml
+ - path: required/acm/acmAgentServiceConfig.yaml
+ - name: optional-logging
+ description: |-
+ TODO: Link to Hub RDS logging section when published
+ components:
+ - name: cluster-logging-operator
+ allOf:
+ - path: optional/logging/clusterLogNS.yaml
+ - path: optional/logging/clusterLogOperGroup.yaml
+ - path: optional/logging/clusterLogSubscription.yaml
+ - name: optional-quay
+ description: |-
+ TODO: Link to Hub RDS Quay section when published
+ components:
+ - name: quay-operator
+ allOf:
+ - path: optional/quay/quayNS.yaml
+ - path: optional/quay/quayOperatorGroup.yaml
+ - path: optional/quay/quaySubscription.yaml
+
+templateFunctionFiles:
+ - version_match.tmpl
+
+fieldsToOmit:
+ defaultOmitRef: all
+ items:
+ defaults:
+ - pathToKey: metadata.annotations."kubectl.kubernetes.io/last-applied-configuration"
+ - pathToKey: metadata.annotations."openshift.io/sa.scc.uid-range"
+ - pathToKey: metadata.annotations."openshift.io/sa.scc.mcs"
+ - pathToKey: metadata.annotations."openshift.io/sa.scc.supplemental-groups"
+ - pathToKey: metadata.annotations."olm.providedAPIs"
+ - pathToKey: metadata.labels."kubernetes.io/metadata.name"
+ - pathToKey: metadata.labels."security.openshift.io/scc.podSecurityLabelSync"
+ - pathToKey: metadata.labels."operators.coreos.com/local-storage-operator.openshift-local-storage"
+ - pathToKey: metadata.labels."operators.coreos.com/odf-operator.openshift-storage"
+ - pathToKey: metadata.labels."operators.coreos.com/topology-aware-lifecycle-manager.openshift-operators"
+ - pathToKey: metadata.labels."operators.coreos.com/advanced-cluster-management.open-cluster-management"
+ - pathToKey: metadata.labels."agent-install.openshift.io/watch"
+ - pathToKey: metadata.labels."cluster.open-cluster-management.io/backup"
+ - pathToKey: metadata.labels."pod-security.kubernetes.io"
+ isPrefix: true
+ - pathToKey: metadata.labels."olm.operatorgroup.uid"
+ isPrefix: true
+ - pathToKey: metadata.creationTimestamp
+ - pathToKey: metadata.finalizers
+ - pathToKey: metadata.generation
+ - pathToKey: metadata.resourceVersion
+ - pathToKey: metadata.uid
+ - pathToKey: metadata.ownerReferences
+ - pathToKey: spec.finalizers
+ allowStatusCheck:
+ - include: defatuls
+ all:
+ - include: defaults
+ - pathToKey: status
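Review bot: `allowStatusCheck` includes `defatuls`, a misspelling of the `defaults` list defined just above it under `fieldsToOmit.items`; the line should read `- include: defaults`. The version-check part selects this group through `fieldsToOmitRefs: - allowStatusCheck`, so that comparison either fails to resolve the include or runs without the default omissions. Which of the two happens depends on how cluster-compare treats an unknown include name, which is not visible here. The `all` group directly below spells the name correctly.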
diff --git a/telco-hub/configuration/reference-crs-kube-compare/optional/logging/clusterLogNS.yaml b/telco-hub/configuration/reference-crs-kube-compare/optional/logging/clusterLogNS.yaml new file mode 100644 index 000000000..1fcd5d63d --- /dev/null +++ b/telco-hub/configuration/reference-crs-kube-compare/optional/logging/clusterLogNS.yaml @@ -0,0 +1,7 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: openshift-logging + annotations: + workload.openshift.io/allowed: management diff --git a/telco-hub/configuration/reference-crs-kube-compare/optional/logging/clusterLogOperGroup.yaml b/telco-hub/configuration/reference-crs-kube-compare/optional/logging/clusterLogOperGroup.yaml new file mode 100644 index 000000000..35c1b3991 --- /dev/null +++ b/telco-hub/configuration/reference-crs-kube-compare/optional/logging/clusterLogOperGroup.yaml @@ -0,0 +1,12 @@ +--- +apiVersion: operators.coreos.com/v1 +kind: OperatorGroup +metadata: + name: cluster-logging + namespace: openshift-logging +spec: + targetNamespaces: + - openshift-logging + {{- if .spec.upgradeStrategy }} + upgradeStrategy: Default + {{- end }} diff --git a/telco-hub/configuration/reference-crs-kube-compare/optional/logging/clusterLogSubscription.yaml b/telco-hub/configuration/reference-crs-kube-compare/optional/logging/clusterLogSubscription.yaml new file mode 100644 index 000000000..64976adcf --- /dev/null +++ b/telco-hub/configuration/reference-crs-kube-compare/optional/logging/clusterLogSubscription.yaml @@ -0,0 +1,12 @@ +--- +apiVersion: operators.coreos.com/v1alpha1 +kind: Subscription +metadata: + name: cluster-logging + namespace: openshift-logging +spec: + channel: "stable" + name: cluster-logging + source: {{ .spec.source }} + sourceNamespace: openshift-marketplace + installPlanApproval: Automatic 
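Review bot: In clusterLogSubscription.yaml, `source: {{ .spec.source }}` copies the catalog source from the cluster's own CR, so the comparison accepts whatever catalog the operator was installed from and can never report it as a deviation. That is presumably intentional for disconnected hubs where the mirrored catalog name varies, but it leaves the operator's origin outside the compliance check while `installPlanApproval: Automatic` is pinned. A comment on the line would make the gap explicit, for example `# catalog name is site-specific and is not validated by this reference`. The same pattern recurs in the quay, acm, lso, odf and talm Subscription templates in this patch.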
diff --git a/telco-hub/configuration/reference-crs-kube-compare/optional/quay/quayNS.yaml b/telco-hub/configuration/reference-crs-kube-compare/optional/quay/quayNS.yaml new file mode 100644 index 000000000..1d16fecc4 --- /dev/null +++ b/telco-hub/configuration/reference-crs-kube-compare/optional/quay/quayNS.yaml @@ -0,0 +1,7 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + labels: + openshift.io/cluster-monitoring: "true" + name: quay-enterprise diff --git a/telco-hub/configuration/reference-crs-kube-compare/optional/quay/quayOperatorGroup.yaml b/telco-hub/configuration/reference-crs-kube-compare/optional/quay/quayOperatorGroup.yaml new file mode 100644 index 000000000..eb920a873 --- /dev/null +++ b/telco-hub/configuration/reference-crs-kube-compare/optional/quay/quayOperatorGroup.yaml @@ -0,0 +1,12 @@ +--- +apiVersion: operators.coreos.com/v1 +kind: OperatorGroup +metadata: + name: quay-operator + namespace: quay-enterprise +spec: + targetNamespaces: + - quay-enterprise + {{- if .spec.upgradeStrategy }} + upgradeStrategy: Default + {{- end }} diff --git a/telco-hub/configuration/reference-crs-kube-compare/optional/quay/quaySubscription.yaml b/telco-hub/configuration/reference-crs-kube-compare/optional/quay/quaySubscription.yaml new file mode 100644 index 000000000..e589d7a22 --- /dev/null +++ b/telco-hub/configuration/reference-crs-kube-compare/optional/quay/quaySubscription.yaml @@ -0,0 +1,12 @@ +--- +apiVersion: operators.coreos.com/v1alpha1 +kind: Subscription +metadata: + name: quay-operator + namespace: quay-enterprise +spec: + sourceNamespace: openshift-marketplace + source: {{ .spec.source }} + channel: stable-3.12 # should match latest version + installPlanApproval: Automatic + name: quay-operator diff --git a/telco-hub/configuration/reference-crs-kube-compare/required/acm/acmAgentServiceConfig.yaml b/telco-hub/configuration/reference-crs-kube-compare/required/acm/acmAgentServiceConfig.yaml new file mode 100644 index 000000000..f6cba7ea7 --- /dev/null 
+++ b/telco-hub/configuration/reference-crs-kube-compare/required/acm/acmAgentServiceConfig.yaml @@ -0,0 +1,36 @@ +--- +apiVersion: agent-install.openshift.io/v1beta1 +kind: AgentServiceConfig +metadata: + name: agent +spec: + databaseStorage: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 20Gi + filesystemStorage: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 20Gi + imageStorage: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 100Gi + mirrorRegistryRef: + name: mirror-registry-config + {{- if .spec.osImages }} + osImages: + # Replace with the address of the local web server that stores the RHCOS images. + # The images can be downloaded from "https://mirror.openshift.com/pub/openshift-v4/x86_64/dependencies/rhcos/". + - cpuArchitecture: "x86_64" + openshiftVersion: "4.17" + rootFSUrl: {{ (index .spec.osImages 0).rootFSUrl }} + url: {{ (index .spec.osImages 0).url }} + version: "417.94.202409121747-0" + {{- end }} diff --git a/telco-hub/configuration/reference-crs-kube-compare/required/acm/acmMCH.yaml b/telco-hub/configuration/reference-crs-kube-compare/required/acm/acmMCH.yaml new file mode 100644 index 000000000..16ca527de --- /dev/null +++ b/telco-hub/configuration/reference-crs-kube-compare/required/acm/acmMCH.yaml 
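Review bot: `rootFSUrl` and `url` in the `osImages` entry are echoed from `(index .spec.osImages 0)`, so only the first image entry is rendered and its URLs are accepted verbatim, with no check on scheme or host. Any further `osImages` entries on the cluster will presumably appear as a diff against the single rendered entry, and the pinned `version: "417.94.202409121747-0"` will flag any hub serving a different RHCOS build. Consider ranging over `.spec.osImages`, as lsoLocalVolume.yaml does for `storageClassDevices`. The comment above the entry should also say that the reference does not validate the URLs.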
@@ -0,0 +1,41 @@ +--- +apiVersion: operator.open-cluster-management.io/v1 +kind: MultiClusterHub +metadata: + annotations: + installer.open-cluster-management.io/mce-subscription-spec: '{"installPlanApproval": "Automatic"}' + name: multiclusterhub + namespace: open-cluster-management +spec: + availabilityConfig: High + enableClusterBackup: false + ingress: {} + overrides: + components: + - enabled: true + name: app-lifecycle + - enabled: true + name: cluster-lifecycle + - enabled: true + name: cluster-permission + - enabled: true + name: console + - enabled: true + name: grc + - enabled: true + name: insights + - enabled: true + name: multicluster-engine + - enabled: true + name: multicluster-observability + - enabled: true + name: search + - enabled: true + name: submariner-addon + - enabled: true + name: volsync + - enabled: true + name: cluster-backup + - enabled: true + name: siteconfig + separateCertificateManagement: false diff --git a/telco-hub/configuration/reference-crs-kube-compare/required/acm/acmMirrorRegistryCM.yaml b/telco-hub/configuration/reference-crs-kube-compare/required/acm/acmMirrorRegistryCM.yaml new file mode 100644 index 000000000..271a0b83b --- /dev/null +++ b/telco-hub/configuration/reference-crs-kube-compare/required/acm/acmMirrorRegistryCM.yaml @@ -0,0 +1,10 @@ +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: mirror-registry-config + namespace: multicluster-engine + labels: + app: assisted-service +data: + {{- .data | toYaml | nindent 2 }} diff --git a/telco-hub/configuration/reference-crs-kube-compare/required/acm/acmNS.yaml b/telco-hub/configuration/reference-crs-kube-compare/required/acm/acmNS.yaml new file mode 100644 index 000000000..960802415 --- /dev/null +++ b/telco-hub/configuration/reference-crs-kube-compare/required/acm/acmNS.yaml @@ -0,0 +1,7 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + labels: + openshift.io/cluster-monitoring: "true" + name: open-cluster-management 
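Review bot: `data:` in acmMirrorRegistryCM.yaml is filled entirely from `.data | toYaml`, so the template only asserts that a ConfigMap named `mirror-registry-config` with the `app: assisted-service` label exists; its contents are never compared. That ConfigMap is the target of `mirrorRegistryRef` in acmAgentServiceConfig.yaml and presumably carries the registry mapping and CA bundle. A header comment would make this clear, such as `# contents are site-specific and not validated here; review the registries and CA bundle separately`. If `.data` is absent the pipeline would likely render `null` under `data:`, which an `{{- if .data }}` guard like the one around `nodeSelector` in lsoLocalVolume.yaml would avoid.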
diff --git a/telco-hub/configuration/reference-crs-kube-compare/required/acm/acmOperGroup.yaml b/telco-hub/configuration/reference-crs-kube-compare/required/acm/acmOperGroup.yaml new file mode 100644 index 000000000..7bdbfad66 --- /dev/null +++ b/telco-hub/configuration/reference-crs-kube-compare/required/acm/acmOperGroup.yaml @@ -0,0 +1,12 @@ +--- +apiVersion: operators.coreos.com/v1 +kind: OperatorGroup +metadata: + name: open-cluster-management-group + namespace: open-cluster-management +spec: + targetNamespaces: + - open-cluster-management + {{- if .spec.upgradeStrategy }} + upgradeStrategy: Default + {{- end }} diff --git a/telco-hub/configuration/reference-crs-kube-compare/required/acm/acmProvisioning.yaml b/telco-hub/configuration/reference-crs-kube-compare/required/acm/acmProvisioning.yaml new file mode 100644 index 000000000..807084629 --- /dev/null +++ b/telco-hub/configuration/reference-crs-kube-compare/required/acm/acmProvisioning.yaml @@ -0,0 +1,10 @@ +--- +apiVersion: metal3.io/v1alpha1 +kind: Provisioning +metadata: + name: provisioning-configuration +spec: + watchAllNamespaces: true + # some servers do not support virtual media installations + # when the image is served using the https protocol + # disableVirtualMediaTLS: true diff --git a/telco-hub/configuration/reference-crs-kube-compare/required/acm/acmSubscription.yaml b/telco-hub/configuration/reference-crs-kube-compare/required/acm/acmSubscription.yaml new file mode 100644 index 000000000..d221a2ff6 --- /dev/null +++ b/telco-hub/configuration/reference-crs-kube-compare/required/acm/acmSubscription.yaml @@ -0,0 +1,12 @@ +--- +apiVersion: operators.coreos.com/v1alpha1 +kind: Subscription +metadata: + name: open-cluster-management-subscription + namespace: open-cluster-management +spec: + channel: release-2.12 + installPlanApproval: Automatic + name: advanced-cluster-management + source: {{ .spec.source }} + sourceNamespace: openshift-marketplace 
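Review bot: The commented-out `disableVirtualMediaTLS: true` in acmProvisioning.yaml is not part of the rendered reference, and metadata.yaml registers this file with `ignore-unspecified-fields: true`, so a hub that sets it will apparently pass the comparison silently. Going by its name and the existing comment, the option serves the installation image without TLS, so the comment should say that and say that the reference does not report it. For example: `# disableVirtualMediaTLS is an opt-in downgrade for BMCs that cannot fetch over https; it is not checked by this reference`. If the intent is to have it reported, render the field conditionally instead of leaving it in a comment.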
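Review bot: `installPlanApproval: Automatic` is hard-coded in acmSubscription.yaml, and acmMCH.yaml pins the same value in the `mce-subscription-spec` annotation, while step 4 of the ACM readme touched by this patch describes the `Manual` approval path. A hub that follows the documented Manual path, which is the more controlled choice for operator upgrades, will be reported as drifting from the reference. If both values are acceptable, take the value from the CR with a fallback, `installPlanApproval: {{ .spec.installPlanApproval | default "Automatic" }}`. Otherwise state in the readme that the reference expects Automatic.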
diff --git a/telco-hub/configuration/reference-crs-kube-compare/required/lso/lsoLocalVolume.yaml b/telco-hub/configuration/reference-crs-kube-compare/required/lso/lsoLocalVolume.yaml new file mode 100644 index 000000000..2f3567dfb --- /dev/null +++ b/telco-hub/configuration/reference-crs-kube-compare/required/lso/lsoLocalVolume.yaml @@ -0,0 +1,21 @@ +--- +apiVersion: "local.storage.openshift.io/v1" +kind: "LocalVolume" +metadata: + name: {{ .metadata.name }} + namespace: "openshift-local-storage" +spec: + logLevel: Normal + managementState: Managed + {{- if .spec.nodeSelector }} + nodeSelector: + {{- .spec.nodeSelector | toYaml | nindent 4 }} + {{- end }} + storageClassDevices: + {{- range .spec.storageClassDevices }} + - storageClassName: {{ .storageClassName }} + forceWipeDevicesAndDestroyAllData: true + volumeMode: Block + devicePaths: + {{- .devicePaths | toYaml | nindent 8 }} + {{- end}} diff --git a/telco-hub/configuration/reference-crs-kube-compare/required/lso/lsoNS.yaml b/telco-hub/configuration/reference-crs-kube-compare/required/lso/lsoNS.yaml new file mode 100644 index 000000000..117cf59b3 --- /dev/null +++ b/telco-hub/configuration/reference-crs-kube-compare/required/lso/lsoNS.yaml @@ -0,0 +1,7 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: openshift-local-storage + labels: + openshift.io/cluster-monitoring: "true" diff --git a/telco-hub/configuration/reference-crs-kube-compare/required/lso/lsoOperatorGroup.yaml b/telco-hub/configuration/reference-crs-kube-compare/required/lso/lsoOperatorGroup.yaml new file mode 100644 index 000000000..7572ac178 --- /dev/null +++ b/telco-hub/configuration/reference-crs-kube-compare/required/lso/lsoOperatorGroup.yaml @@ -0,0 +1,12 @@ +--- +apiVersion: operators.coreos.com/v1 +kind: OperatorGroup +metadata: + name: local-operator-group + namespace: openshift-local-storage +spec: + targetNamespaces: + - openshift-local-storage + {{- if .spec.upgradeStrategy }} + upgradeStrategy: Default + {{- end }} 
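Review bot: `forceWipeDevicesAndDestroyAllData: true` is emitted as a fixed value for every entry of `storageClassDevices` in lsoLocalVolume.yaml, so the reference treats the destructive setting as required and reports any LocalVolume that leaves it unset or false. Nothing in the template or the commit message says why wiping is mandatory. Add a comment with the reason, or render the value from the CR if either setting is acceptable. Separately, `{{- end}}` on the last line is missing the space used by every other `{{- end }}` in this patch.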
diff --git a/telco-hub/configuration/reference-crs-kube-compare/required/lso/lsoSubscription.yaml b/telco-hub/configuration/reference-crs-kube-compare/required/lso/lsoSubscription.yaml new file mode 100644 index 000000000..42ebbb56a --- /dev/null +++ b/telco-hub/configuration/reference-crs-kube-compare/required/lso/lsoSubscription.yaml @@ -0,0 +1,12 @@ +--- +apiVersion: operators.coreos.com/v1alpha1 +kind: Subscription +metadata: + name: local-storage-operator + namespace: openshift-local-storage +spec: + channel: stable + installPlanApproval: Automatic + name: local-storage-operator + source: {{ .spec.source }} + sourceNamespace: openshift-marketplace diff --git a/telco-hub/configuration/reference-crs-kube-compare/required/odf-internal/odfNS.yaml b/telco-hub/configuration/reference-crs-kube-compare/required/odf-internal/odfNS.yaml new file mode 100644 index 000000000..582be877d --- /dev/null +++ b/telco-hub/configuration/reference-crs-kube-compare/required/odf-internal/odfNS.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: openshift-storage + annotations: + workload.openshift.io/allowed: management + labels: + openshift.io/cluster-monitoring: "true" diff --git a/telco-hub/configuration/reference-crs-kube-compare/required/odf-internal/odfOperatorGroup.yaml b/telco-hub/configuration/reference-crs-kube-compare/required/odf-internal/odfOperatorGroup.yaml new file mode 100644 index 000000000..e52c24a20 --- /dev/null +++ b/telco-hub/configuration/reference-crs-kube-compare/required/odf-internal/odfOperatorGroup.yaml @@ -0,0 +1,12 @@ +--- +apiVersion: operators.coreos.com/v1 +kind: OperatorGroup +metadata: + name: openshift-storage-operatorgroup + namespace: openshift-storage +spec: + targetNamespaces: + - openshift-storage + {{- if .spec.upgradeStrategy }} + upgradeStrategy: Default + {{- end }} 
diff --git a/telco-hub/configuration/reference-crs-kube-compare/required/odf-internal/odfSubscription.yaml b/telco-hub/configuration/reference-crs-kube-compare/required/odf-internal/odfSubscription.yaml new file mode 100644 index 000000000..05ee99736 --- /dev/null +++ b/telco-hub/configuration/reference-crs-kube-compare/required/odf-internal/odfSubscription.yaml @@ -0,0 +1,12 @@ +--- +apiVersion: operators.coreos.com/v1alpha1 +kind: Subscription +metadata: + name: odf-operator + namespace: openshift-storage +spec: + channel: "stable-4.17" + name: odf-operator + source: {{ .spec.source }} + sourceNamespace: openshift-marketplace + installPlanApproval: Automatic diff --git a/telco-hub/configuration/reference-crs-kube-compare/required/odf-internal/storageCluster.yaml b/telco-hub/configuration/reference-crs-kube-compare/required/odf-internal/storageCluster.yaml new file mode 100644 index 000000000..cca544477 --- /dev/null +++ b/telco-hub/configuration/reference-crs-kube-compare/required/odf-internal/storageCluster.yaml 
@@ -0,0 +1,32 @@ +--- +apiVersion: ocs.openshift.io/v1 +kind: StorageCluster +metadata: + name: ocs-storagecluster + namespace: openshift-storage +spec: + manageNodes: false + {{- if .spec.resources }} + resources: + {{- .spec.resources | toYaml | nindent 4 }} + {{- end }} + monDataDirHostPath: /var/lib/rook + storageDeviceSets: + {{- range .spec.storageDeviceSets }} + - count: {{ .count }} # <-- Modify count to desired value. For each set of 3 disks increment the count by 1. + dataPVCTemplate: + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: {{ .dataPVCTemplate.spec.resources.requests.storage }} # <-- This should be changed as per storage size. Minimum 100 GiB and Maximum 4 TiB + storageClassName: {{ .dataPVCTemplate.spec.storageClassName }} # match this with the storage block created at the LSO step + volumeMode: Block + name: ocs-deviceset + placement: {} + portable: false + replica: 3 + resources: + {{- .resources | toYaml | nindent 6 }} + {{- end }} diff --git a/telco-hub/configuration/reference-crs-kube-compare/required/talm/talmSubscription.yaml b/telco-hub/configuration/reference-crs-kube-compare/required/talm/talmSubscription.yaml new file mode 100644 index 000000000..b49e2c21d --- /dev/null +++ b/telco-hub/configuration/reference-crs-kube-compare/required/talm/talmSubscription.yaml @@ -0,0 +1,12 @@ +--- +apiVersion: operators.coreos.com/v1alpha1 +kind: Subscription +metadata: + name: openshift-topology-aware-lifecycle-manager-subscription + namespace: openshift-operators +spec: + channel: stable + installPlanApproval: Automatic + name: topology-aware-lifecycle-manager + source: {{ .spec.source }} + sourceNamespace: openshift-marketplace diff --git a/telco-hub/configuration/reference-crs-kube-compare/version_match.tmpl b/telco-hub/configuration/reference-crs-kube-compare/version_match.tmpl new file mode 100644 index 000000000..c5af9af76 --- /dev/null +++ b/telco-hub/configuration/reference-crs-kube-compare/version_match.tmpl 
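Review bot: Inside the `storageDeviceSets` range in storageCluster.yaml, `resources:` is rendered unconditionally from `.resources | toYaml | nindent 6`, whereas the top-level `.spec.resources` a few lines up is wrapped in `{{- if .spec.resources }}`. For a device set without a `resources` key the pipeline would likely render `null` and produce a spurious diff; wrap it the same way with `{{- if .resources }}` and `{{- end }}`. The inline comments carried over from the installable CR ("Modify count to desired value", "This should be changed as per storage size") describe editing a manifest and no longer apply to values echoed from the cluster.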
@@ -0,0 +1,9 @@ +{{- define "versionMatch" }} + {{- $version := semver (index . 0 | default "0.0.0") }} + {{- $target := semver (index . 1) }} + {{- $result := print ($target.Original) ".*" }} + {{- if and (eq $version.Major $target.Major) (eq $version.Minor $target.Minor) }} + {{- $result = $version.Original }} + {{- end }} + {{- $result }} +{{- end }} diff --git a/telco-hub/configuration/reference-crs/required/acm/acmMCH.yaml b/telco-hub/configuration/reference-crs/required/acm/acmMCH.yaml index f3a0095b2..b638e30c0 100644 --- a/telco-hub/configuration/reference-crs/required/acm/acmMCH.yaml +++ b/telco-hub/configuration/reference-crs/required/acm/acmMCH.yaml @@ -38,4 +38,6 @@ spec: name: volsync - enabled: true name: cluster-backup + - enabled: true + name: siteconfig separateCertificateManagement: false diff --git a/telco-hub/configuration/reference-crs/required/acm/readme.md b/telco-hub/configuration/reference-crs/required/acm/readme.md index 6e3fdc8d0..ded5bb253 100644 --- a/telco-hub/configuration/reference-crs/required/acm/readme.md +++ b/telco-hub/configuration/reference-crs/required/acm/readme.md 
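Review bot: `versionMatch` has no comment describing its contract. It takes a two-element list (cluster version, target `major.minor`), returns the cluster's own version string when major and minor match, and otherwise returns the target followed by `.*` so the diff shows what was expected. A `{{- /* ... */ -}}` header stating that would help the next maintainer. It should also note that `default "0.0.0"` only covers a missing version; a present but unparsable string will presumably make `semver` fail and abort rendering of ReferenceVersionCheck.yaml.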
@@ -5,15 +5,16 @@ 3. Create the `acmMCH.yaml`. 4. If Subscription was set to Manual installPlanApproval, approve the created InstallPlan on `multicluster-engine` 5. Apply the `acmProvisioning.yaml`. -6. Create the `acmAgentServiceConfig.yaml` (Two PVs are required, so ODF must be configured prior to this step). -7. The `multicluster-engine` enables the `cluster-proxy-addon` feature by default. Apply the following patch to disable it: `oc patch multiclusterengines.multicluster.openshift.io multiclusterengine --type=merge --patch-file ./disable-cluster-proxy-addon.json`. -8. Create the `observabilityNS.yaml`. -9. Generate the pull-secret `observabilitySecret.yaml`. The value for the `.dockerconfigjson` field can be found as follows: +6. Create the `acmMirrorRegistryCM.yaml`. +7. Create the `acmAgentServiceConfig.yaml` (Two PVs are required, so ODF must be configured prior to this step). +8. The `multicluster-engine` enables the `cluster-proxy-addon` feature by default. Apply the following patch to disable it: `oc patch multiclusterengines.multicluster.openshift.io multiclusterengine --type=merge --patch-file ./disable-cluster-proxy-addon.json`. +9. Create the `observabilityNS.yaml`. +10. Generate the pull-secret `observabilitySecret.yaml`. The value for the `.dockerconfigjson` field can be found as follows: - Try `oc extract secret/multiclusterhub-operator-pull-secret -n open-cluster-management --to=-`. - If the previous command returns an empty value use: `oc extract secret/pull-secret -n openshift-config --to=-`. -10. Create the `observabilityOBC.yaml`. -11. Create the Thanos secret `thanosSecret.yaml`. +11. Create the `observabilityOBC.yaml`. +12. Create the Thanos secret `thanosSecret.yaml`. - The `bucket` and the `endpoint` can be obtained from the ConfigMap that the OBC automatically creates in its namespace. Use the fields `BUCKET_NAME` (without any protocol or port specification) and `BUCKET_HOST` respectively. 
- The `access_key` and the `secret_key` can be obtained from the Secret that the OBC creates automatically in its namespace. Use the fields `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` respectively. This two fields are encoded in base64 in the OBC Secret but must be decoded in the Thanos Secret (use `echo -n "" | base64 -d` to decode it). -12. Create the `observabilityMCO.yaml`. -13. When all the installation is done. Apply the `acmPerfSearch.yaml` .This will configure Search CR called `search-v2-operator` considering different performance and scale optimizations. +13. Create the `observabilityMCO.yaml`. +14. When all the installation is done. Apply the `acmPerfSearch.yaml` .This will configure Search CR called `search-v2-operator` considering different performance and scale optimizations. diff --git a/telco-hub/configuration/reference-crs/required/lso/lsoLocalVolume.yaml b/telco-hub/configuration/reference-crs/required/lso/lsoLocalVolume.yaml index 6ef3b7b00..40380a512 100644 --- a/telco-hub/configuration/reference-crs/required/lso/lsoLocalVolume.yaml +++ b/telco-hub/configuration/reference-crs/required/lso/lsoLocalVolume.yaml @@ -8,6 +8,8 @@ metadata: argocd.argoproj.io/sync-wave: "2" argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true spec: + logLevel: Normal + managementState: Managed nodeSelector: nodeSelectorTerms: - matchExpressions: From 05ef4183f81af2066760b16cf4281672584a1604 Mon Sep 17 00:00:00 2001 From: jmontesi Date: Tue, 18 Feb 2025 15:30:58 +0100 Subject: [PATCH 02/15] Skip yaml linting for the template CRs --- .yamllint.yaml | 6 ++++++ Makefile | 9 +-------- .../ReferenceVersionCheck.yaml | 1 + .../reference-crs-kube-compare/metadata.yaml | 1 + 4 files changed, 9 insertions(+), 8 deletions(-) diff --git a/.yamllint.yaml b/.yamllint.yaml index d61260030..5de6cf2ad 100644 --- a/.yamllint.yaml +++ b/.yamllint.yaml 
@@ -24,3 +24,9 @@ rules: # which are quite long. line-length: max: 2000 + +# Skip the yamls augmented with golang templating as they are not +# expected to be legal yaml. +ignore: + - telco-core/configuration/reference-crs-kube-compare/ + - telco-hub/configuration/reference-crs-kube-compare/ diff --git a/Makefile b/Makefile index 0df59dd4d..93aa180c3 100644 --- a/Makefile +++ b/Makefile @@ -5,14 +5,7 @@ CONTAINER_TOOL ?= podman # Basic lint checking lintCheck: - # The configuration is done piece-wise in order to skip the - # kube-compare reference tree. Those yamls are augmented with - # golang templating and are not expected to be legal yaml. - yamllint -c .yamllint.yaml telco-core/configuration/*yaml - yamllint -c .yamllint.yaml telco-core/configuration/reference-crs - yamllint -c .yamllint.yaml telco-core/configuration/template-values - yamllint -c .yamllint.yaml telco-core/install/ - yamllint -c .yamllint.yaml telco-hub/ + yamllint . # markdownlint rules, following: https://github.com/openshift/enhancements/blob/master/Makefile .PHONY: markdownlint-image diff --git a/telco-hub/configuration/reference-crs-kube-compare/ReferenceVersionCheck.yaml b/telco-hub/configuration/reference-crs-kube-compare/ReferenceVersionCheck.yaml index 396227df2..c1c0ae751 100644 --- a/telco-hub/configuration/reference-crs-kube-compare/ReferenceVersionCheck.yaml +++ b/telco-hub/configuration/reference-crs-kube-compare/ReferenceVersionCheck.yaml @@ -1,3 +1,4 @@ +--- apiVersion: config.openshift.io/v1 kind: ClusterVersion metadata: diff --git a/telco-hub/configuration/reference-crs-kube-compare/metadata.yaml b/telco-hub/configuration/reference-crs-kube-compare/metadata.yaml index 413fa072f..16ee1545b 100644 --- a/telco-hub/configuration/reference-crs-kube-compare/metadata.yaml +++ b/telco-hub/configuration/reference-crs-kube-compare/metadata.yaml @@ -1,3 +1,4 @@ +--- apiVersion: v2 parts: - name: version-check From 1fb009a88411873ba416f7516a330a71a2e4e33d Mon Sep 17 00:00:00 2001 
From: jmontesi Date: Mon, 26 May 2025 17:50:33 +0200 Subject: [PATCH 03/15] Update templates to OCP 4.18 and handle ArgoCD metadata --- .../ReferenceVersionCheck.yaml | 2 +- .../reference-crs-kube-compare/metadata.yaml | 31 ++++++------ .../lso/lsoLocalVolume.yaml | 0 .../{required => optional}/lso/lsoNS.yaml | 0 .../lso/lsoOperatorGroup.yaml | 0 .../lso/lsoSubscription.yaml | 0 .../odf-internal/odfNS.yaml | 0 .../odf-internal/odfOperatorGroup.yaml | 0 .../odf-internal/odfSubscription.yaml | 2 +- .../odf-internal/storageCluster.yaml | 0 .../required/acm/acmAgentServiceConfig.yaml | 3 ++ .../required/acm/acmMCH.yaml | 47 +++++++++++++------ .../required/acm/acmSubscription.yaml | 2 +- 13 files changed, 56 insertions(+), 31 deletions(-) rename telco-hub/configuration/reference-crs-kube-compare/{required => optional}/lso/lsoLocalVolume.yaml (100%) rename telco-hub/configuration/reference-crs-kube-compare/{required => optional}/lso/lsoNS.yaml (100%) rename telco-hub/configuration/reference-crs-kube-compare/{required => optional}/lso/lsoOperatorGroup.yaml (100%) rename telco-hub/configuration/reference-crs-kube-compare/{required => optional}/lso/lsoSubscription.yaml (100%) rename telco-hub/configuration/reference-crs-kube-compare/{required => optional}/odf-internal/odfNS.yaml (100%) rename telco-hub/configuration/reference-crs-kube-compare/{required => optional}/odf-internal/odfOperatorGroup.yaml (100%) rename telco-hub/configuration/reference-crs-kube-compare/{required => optional}/odf-internal/odfSubscription.yaml (91%) rename telco-hub/configuration/reference-crs-kube-compare/{required => optional}/odf-internal/storageCluster.yaml (100%) diff --git a/telco-hub/configuration/reference-crs-kube-compare/ReferenceVersionCheck.yaml b/telco-hub/configuration/reference-crs-kube-compare/ReferenceVersionCheck.yaml index c1c0ae751..492fc7e7f 100644 --- a/telco-hub/configuration/reference-crs-kube-compare/ReferenceVersionCheck.yaml 
+++ b/telco-hub/configuration/reference-crs-kube-compare/ReferenceVersionCheck.yaml @@ -5,4 +5,4 @@ metadata: name: version status: desired: - version: {{ template "versionMatch" (list .status.desired.version "4.17") }} + version: {{ template "versionMatch" (list .status.desired.version "4.18") }} diff --git a/telco-hub/configuration/reference-crs-kube-compare/metadata.yaml b/telco-hub/configuration/reference-crs-kube-compare/metadata.yaml index 16ee1545b..8fc72faee 100644 --- a/telco-hub/configuration/reference-crs-kube-compare/metadata.yaml +++ b/telco-hub/configuration/reference-crs-kube-compare/metadata.yaml @@ -4,7 +4,7 @@ parts: - name: version-check description: |- A mismatch here means you may be using the wrong reference. - This reference was designed for OpenShift 4.17. + This reference was designed for OpenShift 4.18. components: - name: version-check allOf: 
@@ -13,22 +13,22 @@ parts: ignore-unspecified-fields: true fieldsToOmitRefs: - allowStatusCheck - - name: required-storage + - name: optional-storage description: |- TODO: Link to Hub RDS storage section when published components: - name: local-storage-operator - allOf: - - path: required/lso/lsoNS.yaml - - path: required/lso/lsoOperatorGroup.yaml - - path: required/lso/lsoSubscription.yaml - - path: required/lso/lsoLocalVolume.yaml + allOrNoneOf: + - path: optional/lso/lsoNS.yaml + - path: optional/lso/lsoOperatorGroup.yaml + - path: optional/lso/lsoSubscription.yaml + - path: optional/lso/lsoLocalVolume.yaml - name: odf-internal-operator - allOf: - - path: required/odf-internal/odfNS.yaml - - path: required/odf-internal/odfOperatorGroup.yaml - - path: required/odf-internal/odfSubscription.yaml - - path: required/odf-internal/storageCluster.yaml + allOrNoneOf: + - path: optional/odf-internal/odfNS.yaml + - path: optional/odf-internal/odfOperatorGroup.yaml + - path: optional/odf-internal/odfSubscription.yaml + - path: optional/odf-internal/storageCluster.yaml config: ignore-unspecified-fields: true - name: required-talm @@ -60,7 +60,7 @@ parts: TODO: Link to Hub RDS logging section when published components: - name: cluster-logging-operator - allOf: + allOrNoneOf: - path: optional/logging/clusterLogNS.yaml - path: optional/logging/clusterLogOperGroup.yaml - path: optional/logging/clusterLogSubscription.yaml @@ -69,7 +69,7 @@ parts: TODO: Link to Hub RDS Quay section when published components: - name: quay-operator - allOf: + allOrNoneOf: - path: optional/quay/quayNS.yaml - path: optional/quay/quayOperatorGroup.yaml - path: optional/quay/quaySubscription.yaml 
@@ -86,6 +86,8 @@ fieldsToOmit: - pathToKey: metadata.annotations."openshift.io/sa.scc.mcs" - pathToKey: metadata.annotations."openshift.io/sa.scc.supplemental-groups" - pathToKey: metadata.annotations."olm.providedAPIs" + - pathToKey: metadata.annotations."argocd.argoproj.io" + isPrefix: true - pathToKey: metadata.labels."kubernetes.io/metadata.name" - pathToKey: metadata.labels."security.openshift.io/scc.podSecurityLabelSync" - pathToKey: metadata.labels."operators.coreos.com/local-storage-operator.openshift-local-storage" @@ -98,6 +100,7 @@ fieldsToOmit: isPrefix: true - pathToKey: metadata.labels."olm.operatorgroup.uid" isPrefix: true + - pathToKey: metadata.labels."app.kubernetes.io/instance" - pathToKey: metadata.creationTimestamp - pathToKey: metadata.finalizers - pathToKey: metadata.generation diff --git a/telco-hub/configuration/reference-crs-kube-compare/required/lso/lsoLocalVolume.yaml b/telco-hub/configuration/reference-crs-kube-compare/optional/lso/lsoLocalVolume.yaml similarity index 100% rename from telco-hub/configuration/reference-crs-kube-compare/required/lso/lsoLocalVolume.yaml rename to telco-hub/configuration/reference-crs-kube-compare/optional/lso/lsoLocalVolume.yaml diff --git a/telco-hub/configuration/reference-crs-kube-compare/required/lso/lsoNS.yaml b/telco-hub/configuration/reference-crs-kube-compare/optional/lso/lsoNS.yaml similarity index 100% rename from telco-hub/configuration/reference-crs-kube-compare/required/lso/lsoNS.yaml rename to telco-hub/configuration/reference-crs-kube-compare/optional/lso/lsoNS.yaml diff --git a/telco-hub/configuration/reference-crs-kube-compare/required/lso/lsoOperatorGroup.yaml b/telco-hub/configuration/reference-crs-kube-compare/optional/lso/lsoOperatorGroup.yaml similarity index 100% rename from telco-hub/configuration/reference-crs-kube-compare/required/lso/lsoOperatorGroup.yaml rename to telco-hub/configuration/reference-crs-kube-compare/optional/lso/lsoOperatorGroup.yaml 
diff --git a/telco-hub/configuration/reference-crs-kube-compare/required/lso/lsoSubscription.yaml b/telco-hub/configuration/reference-crs-kube-compare/optional/lso/lsoSubscription.yaml similarity index 100% rename from telco-hub/configuration/reference-crs-kube-compare/required/lso/lsoSubscription.yaml rename to telco-hub/configuration/reference-crs-kube-compare/optional/lso/lsoSubscription.yaml diff --git a/telco-hub/configuration/reference-crs-kube-compare/required/odf-internal/odfNS.yaml b/telco-hub/configuration/reference-crs-kube-compare/optional/odf-internal/odfNS.yaml similarity index 100% rename from telco-hub/configuration/reference-crs-kube-compare/required/odf-internal/odfNS.yaml rename to telco-hub/configuration/reference-crs-kube-compare/optional/odf-internal/odfNS.yaml diff --git a/telco-hub/configuration/reference-crs-kube-compare/required/odf-internal/odfOperatorGroup.yaml b/telco-hub/configuration/reference-crs-kube-compare/optional/odf-internal/odfOperatorGroup.yaml similarity index 100% rename from telco-hub/configuration/reference-crs-kube-compare/required/odf-internal/odfOperatorGroup.yaml rename to telco-hub/configuration/reference-crs-kube-compare/optional/odf-internal/odfOperatorGroup.yaml diff --git a/telco-hub/configuration/reference-crs-kube-compare/required/odf-internal/odfSubscription.yaml b/telco-hub/configuration/reference-crs-kube-compare/optional/odf-internal/odfSubscription.yaml similarity index 91% rename from telco-hub/configuration/reference-crs-kube-compare/required/odf-internal/odfSubscription.yaml rename to telco-hub/configuration/reference-crs-kube-compare/optional/odf-internal/odfSubscription.yaml index 05ee99736..e571cda8d 100644 --- a/telco-hub/configuration/reference-crs-kube-compare/required/odf-internal/odfSubscription.yaml +++ b/telco-hub/configuration/reference-crs-kube-compare/optional/odf-internal/odfSubscription.yaml 
@@ -5,7 +5,7 @@ metadata: name: odf-operator namespace: openshift-storage spec: - channel: "stable-4.17" + channel: "stable-4.18" name: odf-operator source: {{ .spec.source }} sourceNamespace: openshift-marketplace diff --git a/telco-hub/configuration/reference-crs-kube-compare/required/odf-internal/storageCluster.yaml b/telco-hub/configuration/reference-crs-kube-compare/optional/odf-internal/storageCluster.yaml similarity index 100% rename from telco-hub/configuration/reference-crs-kube-compare/required/odf-internal/storageCluster.yaml rename to telco-hub/configuration/reference-crs-kube-compare/optional/odf-internal/storageCluster.yaml diff --git a/telco-hub/configuration/reference-crs-kube-compare/required/acm/acmAgentServiceConfig.yaml b/telco-hub/configuration/reference-crs-kube-compare/required/acm/acmAgentServiceConfig.yaml index f6cba7ea7..d624ce83b 100644 --- a/telco-hub/configuration/reference-crs-kube-compare/required/acm/acmAgentServiceConfig.yaml +++ b/telco-hub/configuration/reference-crs-kube-compare/required/acm/acmAgentServiceConfig.yaml @@ -5,18 +5,21 @@ metadata: name: agent spec: databaseStorage: + storageClassName: {{ .spec.databaseStorage.storageClassName }} accessModes: - ReadWriteOnce resources: requests: storage: 20Gi filesystemStorage: + storageClassName: {{ .spec.filesystemStorage.storageClassName }} accessModes: - ReadWriteOnce resources: requests: storage: 20Gi imageStorage: + storageClassName: {{ .spec.imageStorage.storageClassName }} accessModes: - ReadWriteOnce resources: diff --git a/telco-hub/configuration/reference-crs-kube-compare/required/acm/acmMCH.yaml b/telco-hub/configuration/reference-crs-kube-compare/required/acm/acmMCH.yaml index 16ca527de..b8f9ecbbd 100644 --- a/telco-hub/configuration/reference-crs-kube-compare/required/acm/acmMCH.yaml +++ b/telco-hub/configuration/reference-crs-kube-compare/required/acm/acmMCH.yaml 
@@ -3,7 +3,10 @@ apiVersion: operator.open-cluster-management.io/v1 kind: MultiClusterHub metadata: annotations: - installer.open-cluster-management.io/mce-subscription-spec: '{"installPlanApproval": "Automatic"}' + argocd.argoproj.io/sync-wave: "4" + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true + installer.open-cluster-management.io/mce-subscription-spec: '{"source": "redhat-operators-disconnected", "installPlanApproval": "Automatic"}' + installer.open-cluster-management.io/oadp-subscription-spec: '{"source": "redhat-operators-disconnected", "installPlanApproval": "Automatic"}' name: multiclusterhub namespace: open-cluster-management spec: @@ -12,30 +15,46 @@ spec: ingress: {} overrides: components: - - enabled: true + - configOverrides: {} + enabled: true name: app-lifecycle - - enabled: true + - configOverrides: {} + enabled: true name: cluster-lifecycle - - enabled: true + - configOverrides: {} + enabled: true name: cluster-permission - - enabled: true + - configOverrides: {} + enabled: true name: console - - enabled: true + - configOverrides: {} + enabled: true name: grc - - enabled: true + - configOverrides: {} + enabled: true name: insights - - enabled: true + - configOverrides: {} + enabled: true name: multicluster-engine - - enabled: true + - configOverrides: {} + enabled: true name: multicluster-observability - - enabled: true + - configOverrides: {} + enabled: true name: search - - enabled: true + - configOverrides: {} + enabled: true name: submariner-addon - - enabled: true + - configOverrides: {} + enabled: true name: volsync - - enabled: true + - configOverrides: {} + enabled: true name: cluster-backup - - enabled: true + - configOverrides: {} + enabled: true name: siteconfig + - configOverrides: {} + enabled: false + name: edge-manager-preview separateCertificateManagement: false 
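Review bot: The `mce-subscription-spec` and `oadp-subscription-spec` annotations added in the first acmMCH.yaml hunk hard-code `"source": "redhat-operators-disconnected"`, whereas the Subscription templates in this series read the catalog from the cluster with `source: {{ .spec.source }}`. A hub that mirrors operators under another CatalogSource name would be reported as deviating here and nowhere else, and both annotations also fix `installPlanApproval` to `Automatic`, so MCE and OADP updates from that catalog are installed without an approval step. If both are intended as part of the reference, a comment above the annotations would make that explicit, for example `# reference expects the disconnected catalog and automatic approval for MCE and OADP`. The MultiClusterHub document starts above the hunk.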
diff --git a/telco-hub/configuration/reference-crs-kube-compare/required/acm/acmSubscription.yaml b/telco-hub/configuration/reference-crs-kube-compare/required/acm/acmSubscription.yaml index d221a2ff6..65bfa0cff 100644 --- a/telco-hub/configuration/reference-crs-kube-compare/required/acm/acmSubscription.yaml +++ b/telco-hub/configuration/reference-crs-kube-compare/required/acm/acmSubscription.yaml @@ -5,7 +5,7 @@ metadata: name: open-cluster-management-subscription namespace: open-cluster-management spec: - channel: release-2.12 + channel: release-2.13 installPlanApproval: Automatic name: advanced-cluster-management source: {{ .spec.source }} From 097ca3b4d962e92bd520849924d373fb15c269ee Mon Sep 17 00:00:00 2001 From: jmontesi Date: Tue, 27 May 2025 15:14:19 +0200 Subject: [PATCH 04/15] Update lint checking --- .yamllint.yaml | 6 ------ Makefile | 12 +++++++++++- 2 files changed, 11 insertions(+), 7 deletions(-) diff --git a/.yamllint.yaml b/.yamllint.yaml index 5de6cf2ad..d61260030 100644 --- a/.yamllint.yaml +++ b/.yamllint.yaml @@ -24,9 +24,3 @@ rules: # which are quite long. line-length: max: 2000 - -# Skip the yamls augmented with golang templating as they are not -# expected to be legal yaml. -ignore: - - telco-core/configuration/reference-crs-kube-compare/ - - telco-hub/configuration/reference-crs-kube-compare/ diff --git a/Makefile b/Makefile index 76c347c9e..61b8b22f1 100644 --- a/Makefile +++ b/Makefile 
@@ -5,7 +5,17 @@ CONTAINER_TOOL ?= podman # Basic lint checking lintCheck: - yamllint . + # The configuration is done piece-wise in order to skip the + # kube-compare reference tree. Those yamls are augmented with + # golang templating and are not expected to be legal yaml. + yamllint -c .yamllint.yaml telco-core/configuration/*yaml + yamllint -c .yamllint.yaml telco-core/configuration/reference-crs + yamllint -c .yamllint.yaml telco-core/configuration/template-values + yamllint -c .yamllint.yaml telco-core/install/ + yamllint -c .yamllint.yaml telco-hub/configuration/*yaml + yamllint -c .yamllint.yaml telco-hub/configuration/reference-crs + yamllint -c .yamllint.yaml telco-hub/configuration/example-overlays-config + yamllint -c .yamllint.yaml telco-hub/install/ # markdownlint rules, following: https://github.com/openshift/enhancements/blob/master/Makefile .PHONY: markdownlint-image From 3eec9ff89c3b90fa66398021e483507c163bf392 Mon Sep 17 00:00:00 2001 From: jmontesi Date: Mon, 2 Jun 2025 11:17:57 +0200 Subject: [PATCH 05/15] Minor changes to address review comments --- .../reference-crs-kube-compare/metadata.yaml | 10 +--------- .../optional/logging/clusterLogNS.yaml | 2 -- .../optional/lso/lsoLocalVolume.yaml | 8 ++++++-- .../required/acm/acmAgentServiceConfig.yaml | 2 +- .../required/acm/acmMirrorRegistryCM.yaml | 2 +- .../required/acm/acmProvisioning.yaml | 4 +++- 6 files changed, 12 insertions(+), 16 deletions(-) diff --git a/telco-hub/configuration/reference-crs-kube-compare/metadata.yaml b/telco-hub/configuration/reference-crs-kube-compare/metadata.yaml index 8fc72faee..49ad41bb9 100644 --- a/telco-hub/configuration/reference-crs-kube-compare/metadata.yaml +++ b/telco-hub/configuration/reference-crs-kube-compare/metadata.yaml 
@@ -64,15 +64,6 @@ parts: - path: optional/logging/clusterLogNS.yaml - path: optional/logging/clusterLogOperGroup.yaml - path: optional/logging/clusterLogSubscription.yaml - - name: optional-quay - description: |- - TODO: Link to Hub RDS Quay section when published - components: - - name: quay-operator - allOrNoneOf: - - path: optional/quay/quayNS.yaml - - path: optional/quay/quayOperatorGroup.yaml - - path: optional/quay/quaySubscription.yaml templateFunctionFiles: - version_match.tmpl @@ -88,6 +79,7 @@ fieldsToOmit: - pathToKey: metadata.annotations."olm.providedAPIs" - pathToKey: metadata.annotations."argocd.argoproj.io" isPrefix: true + - pathToKey: metadata.annotations."workload.openshift.io/allowed" - pathToKey: metadata.labels."kubernetes.io/metadata.name" - pathToKey: metadata.labels."security.openshift.io/scc.podSecurityLabelSync" - pathToKey: metadata.labels."operators.coreos.com/local-storage-operator.openshift-local-storage" diff --git a/telco-hub/configuration/reference-crs-kube-compare/optional/logging/clusterLogNS.yaml b/telco-hub/configuration/reference-crs-kube-compare/optional/logging/clusterLogNS.yaml index 1fcd5d63d..f13ffef9b 100644 --- a/telco-hub/configuration/reference-crs-kube-compare/optional/logging/clusterLogNS.yaml +++ b/telco-hub/configuration/reference-crs-kube-compare/optional/logging/clusterLogNS.yaml @@ -3,5 +3,3 @@ apiVersion: v1 kind: Namespace metadata: name: openshift-logging - annotations: - workload.openshift.io/allowed: management diff --git a/telco-hub/configuration/reference-crs-kube-compare/optional/lso/lsoLocalVolume.yaml b/telco-hub/configuration/reference-crs-kube-compare/optional/lso/lsoLocalVolume.yaml index 2f3567dfb..a367d40a4 100644 --- a/telco-hub/configuration/reference-crs-kube-compare/optional/lso/lsoLocalVolume.yaml +++ b/telco-hub/configuration/reference-crs-kube-compare/optional/lso/lsoLocalVolume.yaml 
@@ -15,7 +15,11 @@ spec: {{- range .spec.storageClassDevices }} - storageClassName: {{ .storageClassName }} forceWipeDevicesAndDestroyAllData: true - volumeMode: Block + {{- if or (eq .volumeMode "Block") (eq .volumeMode "Filesystem") }} + volumeMode: {{ .volumeMode }} + {{- else }} + volumeMode: must be 'Block' or 'Filesystem' + {{- end }} devicePaths: {{- .devicePaths | toYaml | nindent 8 }} - {{- end}} + {{- end }} diff --git a/telco-hub/configuration/reference-crs-kube-compare/required/acm/acmAgentServiceConfig.yaml b/telco-hub/configuration/reference-crs-kube-compare/required/acm/acmAgentServiceConfig.yaml index d624ce83b..b5e6a4e5f 100644 --- a/telco-hub/configuration/reference-crs-kube-compare/required/acm/acmAgentServiceConfig.yaml +++ b/telco-hub/configuration/reference-crs-kube-compare/required/acm/acmAgentServiceConfig.yaml @@ -35,5 +35,5 @@ spec: openshiftVersion: "4.17" rootFSUrl: {{ (index .spec.osImages 0).rootFSUrl }} url: {{ (index .spec.osImages 0).url }} - version: "417.94.202409121747-0" + version: {{ (index .spec.osImages 0).version }} {{- end }} diff --git a/telco-hub/configuration/reference-crs-kube-compare/required/acm/acmMirrorRegistryCM.yaml b/telco-hub/configuration/reference-crs-kube-compare/required/acm/acmMirrorRegistryCM.yaml index 271a0b83b..e61c2b7ed 100644 --- a/telco-hub/configuration/reference-crs-kube-compare/required/acm/acmMirrorRegistryCM.yaml +++ b/telco-hub/configuration/reference-crs-kube-compare/required/acm/acmMirrorRegistryCM.yaml @@ -7,4 +7,4 @@ metadata: labels: app: assisted-service data: - {{- .data | toYaml | nindent 2 }} + {{- .data | toYaml | nindent 2 }} diff --git a/telco-hub/configuration/reference-crs-kube-compare/required/acm/acmProvisioning.yaml b/telco-hub/configuration/reference-crs-kube-compare/required/acm/acmProvisioning.yaml index 807084629..aac6b6601 100644 --- a/telco-hub/configuration/reference-crs-kube-compare/required/acm/acmProvisioning.yaml 
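Review bot: In acmAgentServiceConfig.yaml the context line `openshiftVersion: "4.17"` looks stale, since an earlier patch in this series moved the reference to 4.18 (ReferenceVersionCheck.yaml and the ODF channel); it should probably read `openshiftVersion: "4.18"`. With `version` now taken from the cluster alongside `rootFSUrl` and `url`, that string is the only part of the osImages entry the reference still checks. A short comment above the entry saying that the image URLs and version are accepted as found, and so must be verified against the mirror by other means, would tell the reader what the comparison does not cover. The `{{- end }}` after the changed line closes a block opened outside the hunk.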
+++ b/telco-hub/configuration/reference-crs-kube-compare/required/acm/acmProvisioning.yaml @@ -7,4 +7,6 @@ spec: watchAllNamespaces: true # some servers do not support virtual media installations # when the image is served using the https protocol - # disableVirtualMediaTLS: true + {{- if .spec.disableVirtualMediaTLS }} + disableVirtualMediaTLS: true + {{- end }} From ae211307221b898b660e6390f525587c505358ed Mon Sep 17 00:00:00 2001 
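Review bot: With the `{{- if .spec.disableVirtualMediaTLS }}` guard the reference matches a hub whether or not TLS is disabled for virtual media, so a hub that serves boot images to BMCs without TLS is no longer distinguishable from one that keeps it. The two comment lines kept above the guard say why some servers need the setting, but not that it is a tolerated deviation. I would extend them, for example `# tolerated when set: images are then served to the BMC without TLS, limit it to hardware that requires it`. The Provisioning document starts above the hunk.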
From: jmontesi Date: Tue, 17 Jun 2025 11:13:02 +0200 Subject: [PATCH 06/15] Add observability config templates and links to the published RDS doc --- .../reference-crs-kube-compare/metadata.yaml | 32 ++++++-- .../required/acm/observabilityMCO.yaml | 45 +++++++++++ .../required/acm/observabilityNS.yaml | 7 ++ .../required/acm/observabilityOBC.yaml | 12 +++ .../required/acm/observabilitySecret.yaml | 14 ++++ .../required/acm/pull-secret-copy.yaml | 79 +++++++++++++++++++ .../required/acm/thanosSecretMCSB.yaml | 11 +++ .../required/acm/thanosSecretNS.yaml | 5 ++ .../required/acm/thanosSecretPlacement.yaml | 18 +++++ .../acm/thanosSecretPlacementBinding.yaml | 17 ++++ .../required/acm/thanosSecretPolicy.yaml | 24 ++++++ 11 files changed, 259 insertions(+), 5 deletions(-) create mode 100644 telco-hub/configuration/reference-crs-kube-compare/required/acm/observabilityMCO.yaml create mode 100644 telco-hub/configuration/reference-crs-kube-compare/required/acm/observabilityNS.yaml create mode 100644 telco-hub/configuration/reference-crs-kube-compare/required/acm/observabilityOBC.yaml create mode 100644 telco-hub/configuration/reference-crs-kube-compare/required/acm/observabilitySecret.yaml create mode 100644 telco-hub/configuration/reference-crs-kube-compare/required/acm/pull-secret-copy.yaml create mode 100644 telco-hub/configuration/reference-crs-kube-compare/required/acm/thanosSecretMCSB.yaml create mode 100644 telco-hub/configuration/reference-crs-kube-compare/required/acm/thanosSecretNS.yaml create mode 100644 telco-hub/configuration/reference-crs-kube-compare/required/acm/thanosSecretPlacement.yaml create mode 100644 telco-hub/configuration/reference-crs-kube-compare/required/acm/thanosSecretPlacementBinding.yaml create mode 100644 telco-hub/configuration/reference-crs-kube-compare/required/acm/thanosSecretPolicy.yaml 
diff --git a/telco-hub/configuration/reference-crs-kube-compare/metadata.yaml b/telco-hub/configuration/reference-crs-kube-compare/metadata.yaml index 49ad41bb9..a82d4ae09 100644 --- a/telco-hub/configuration/reference-crs-kube-compare/metadata.yaml +++ b/telco-hub/configuration/reference-crs-kube-compare/metadata.yaml @@ -14,16 +14,18 @@ parts: fieldsToOmitRefs: - allowStatusCheck - name: optional-storage - description: |- - TODO: Link to Hub RDS storage section when published components: - name: local-storage-operator + description: |- + https://docs.redhat.com/en/documentation/openshift_container_platform/4.18/html/scalability_and_performance/telco-hub-ref-design-specs#telco-hub-local-storage-operator_telco-hub allOrNoneOf: - path: optional/lso/lsoNS.yaml - path: optional/lso/lsoOperatorGroup.yaml - path: optional/lso/lsoSubscription.yaml - path: optional/lso/lsoLocalVolume.yaml - name: odf-internal-operator + description: |- + https://docs.redhat.com/en/documentation/openshift_container_platform/4.18/html/scalability_and_performance/telco-hub-ref-design-specs#telco-hub-openshift-data-foundation_telco-hub allOrNoneOf: - path: optional/odf-internal/odfNS.yaml - path: optional/odf-internal/odfOperatorGroup.yaml @@ -33,14 +35,14 @@ parts: ignore-unspecified-fields: true - name: required-talm description: |- - TODO: Link to Hub RDS TALM section when published + https://docs.redhat.com/en/documentation/openshift_container_platform/4.18/html/scalability_and_performance/telco-hub-ref-design-specs#telco-hub-topology-aware-lifecycle-manager-talm_telco-hub components: - name: talm-operator allOf: - path: required/talm/talmSubscription.yaml - name: required-acm description: |- - TODO: Link to Hub RDS ACM section when published + https://docs.redhat.com/en/documentation/openshift_container_platform/4.18/html/scalability_and_performance/telco-hub-ref-design-specs#telco-hub-red-hat-advanced-cluster-management-rhacm_telco-hub components: - name: acm-operator allOf: 
@@ -55,9 +57,27 @@ parts: ignore-unspecified-fields: true - path: required/acm/acmMirrorRegistryCM.yaml - path: required/acm/acmAgentServiceConfig.yaml + - path: required/acm/observabilityMCO.yaml + config: + ignore-unspecified-fields: true + - path: required/acm/observabilityNS.yaml + - path: required/acm/observabilityOBC.yaml + config: + ignore-unspecified-fields: true + - path: required/acm/observabilitySecret.yaml + - path: required/acm/pull-secret-copy.yaml + - path: required/acm/thanosSecretNS.yaml + - path: required/acm/thanosSecretPolicy.yaml + config: + ignore-unspecified-fields: true + fieldsToOmitRefs: + - templates + - path: required/acm/thanosSecretPlacement.yaml + - path: required/acm/thanosSecretPlacementBinding.yaml + - path: required/acm/thanosSecretMCSB.yaml - name: optional-logging description: |- - TODO: Link to Hub RDS logging section when published + https://docs.redhat.com/en/documentation/openshift_container_platform/4.18/html/scalability_and_performance/telco-hub-ref-design-specs#telco-hub-logging_telco-hub components: - name: cluster-logging-operator allOrNoneOf: @@ -102,6 +122,8 @@ fieldsToOmit: - pathToKey: spec.finalizers allowStatusCheck: - include: defatuls + templates: + - pathToKey: spec.policy-templates all: - include: defaults - pathToKey: status diff --git a/telco-hub/configuration/reference-crs-kube-compare/required/acm/observabilityMCO.yaml b/telco-hub/configuration/reference-crs-kube-compare/required/acm/observabilityMCO.yaml new file mode 100644 index 000000000..2efbe9a27 --- /dev/null +++ b/telco-hub/configuration/reference-crs-kube-compare/required/acm/observabilityMCO.yaml 
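Review bot: The new `templates` list in the second metadata.yaml hunk holds only `pathToKey: spec.policy-templates`, and the first hunk gives thanosSecretPolicy.yaml `fieldsToOmitRefs: templates` together with `ignore-unspecified-fields: true`, so the part of that Policy that defines what is distributed is not compared at all. If the tool applies only the referenced list (I believe it does, worth confirming), the default metadata omissions are dropped for that CR too; adding `- include: defaults` under `templates` would keep them. The context line `- include: defatuls` under `allowStatusCheck`, just above the addition, looks like a misspelling of `defaults` and would have the same effect on the version check. The fieldsToOmit map starts outside the hunk.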
@@ -0,0 +1,45 @@
+---
+apiVersion: observability.open-cluster-management.io/v1beta2
+kind: MultiClusterObservability
+metadata:
+ name: observability
+ annotations:
+ argocd.argoproj.io/sync-wave: "10"
+ argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+ # avoids MultiClusterHub Observability to own/manage the
+ # spoke clusters configuration about AlertManager forwards.
+ # ZTP Policies will be in charge of configuring it
+ # https://issues.redhat.com/browse/CNF-13398
+ mco-disable-alerting: "true"
+spec:
+ # based on the data provided by acm-capacity tool
+ # https://github.com/stolostron/capacity-planning/blob/main/calculation/ObsSizingTemplate-Rev1.ipynb
+ # for an scenario with:
+ # 3500SNOs, 125 pods and 4 Namespaces (apart from Openshift NS)
+ # storage retention 15 days
+ # downsampling disabled
+ # default MCO Addon configuration samples_per_hour, pv_retention_hrs.
+ # More on how to stimate: https://access.redhat.com/articles/7103886
+ advanced:
+ retentionConfig:
+ blockDuration: 2h
+ deleteDelay: 48h
+ retentionInLocal: 24h
+ retentionResolutionRaw: 15d
+ enableDownsampling: false
+ observabilityAddonSpec:
+ enableMetrics: true
+ interval: 300
+ storageConfig:
+ storageClass: {{ .spec.storageConfig.storageClass }}
+ alertmanagerStorageSize: 10Gi
+ compactStorageSize: 100Gi
+ metricObjectStorage:
+ key: thanos.yaml
+ name: thanos-object-storage
+ receiveStorageSize: 10Gi
+ ruleStorageSize: 30Gi
+ storeStorageSize: 100Gi
+ # In addition to these storage settings, the `metricObjectStorage`
+ # points to an Object Storage. Under the reference configuration,
+ # scale and retention the estimated object storage is about 101Gi
diff --git a/telco-hub/configuration/reference-crs-kube-compare/required/acm/observabilityNS.yaml b/telco-hub/configuration/reference-crs-kube-compare/required/acm/observabilityNS.yaml
new file mode 100644
index 000000000..6eee63d14
--- /dev/null
+++ b/telco-hub/configuration/reference-crs-kube-compare/required/acm/observabilityNS.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ labels:
+ openshift.io/cluster-monitoring: "true"
+ name: open-cluster-management-observability
diff --git a/telco-hub/configuration/reference-crs-kube-compare/required/acm/observabilityOBC.yaml b/telco-hub/configuration/reference-crs-kube-compare/required/acm/observabilityOBC.yaml
new file mode 100644
index 000000000..1ef1da5a3
--- /dev/null
+++ b/telco-hub/configuration/reference-crs-kube-compare/required/acm/observabilityOBC.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: objectbucket.io/v1alpha1
+kind: ObjectBucketClaim
+metadata:
+ name: observability-obc
+ annotations:
+ argocd.argoproj.io/sync-wave: "8"
+ argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+ namespace: open-cluster-management-observability
+spec:
+ generateBucketName: observability-object-bucket
+ storageClassName: openshift-storage.noobaa.io
diff --git a/telco-hub/configuration/reference-crs-kube-compare/required/acm/observabilitySecret.yaml b/telco-hub/configuration/reference-crs-kube-compare/required/acm/observabilitySecret.yaml
new file mode 100644
index 000000000..d2d503af0
--- /dev/null
+++ b/telco-hub/configuration/reference-crs-kube-compare/required/acm/observabilitySecret.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ annotations:
+ argocd.argoproj.io/sync-wave: "9"
+ argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+ labels:
+ cluster.open-cluster-management.io/backup: ""
+ name: multiclusterhub-operator-pull-secret
+ namespace: open-cluster-management-observability
+type: kubernetes.io/dockerconfigjson
+data:
+ {{- .data | toYaml | nindent 2 }}
diff --git a/telco-hub/configuration/reference-crs-kube-compare/required/acm/pull-secret-copy.yaml b/telco-hub/configuration/reference-crs-kube-compare/required/acm/pull-secret-copy.yaml
new file mode 100644
index 000000000..f5961bfa2
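Review bot: In observabilitySecret.yaml the last line, `{{- .data | toYaml | nindent 2 }}`, copies the live Secret's `data` into the rendered reference, so the pull secret is not validated by the comparison yet its `.dockerconfigjson` still passes through the template output. I have not checked whether the compare tool can print rendered references or surrounding lines in its report, but if it can, that report would carry registry credentials into wherever it is attached. Dropping the `data:` stanza and listing `- pathToKey: data` in a fieldsToOmit entry referenced for this CR in metadata.yaml should give the same match without rendering the secret content.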
--- /dev/null +++ b/telco-hub/configuration/reference-crs-kube-compare/required/acm/pull-secret-copy.yaml 
@@ -0,0 +1,79 @@ +--- +# this policy will create a copy of the pull secret from openshift-config to open-cluster-management-observability namespace +apiVersion: policy.open-cluster-management.io/v1 +kind: Policy +metadata: + name: pull-secret-copy + namespace: open-cluster-management-observability + annotations: + argocd.argoproj.io/sync-wave: "9" + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true + policy.open-cluster-management.io/description: Policy used to copy the pull secret from openshift-config to open-cluster-management-observability namespace +spec: + remediationAction: enforce + disabled: false + policy-templates: + - objectDefinition: + apiVersion: policy.open-cluster-management.io/v1 + kind: ConfigurationPolicy + metadata: + name: pull-secret-openshift-config-copy + spec: + object-templates: + - complianceType: musthave + objectDefinition: + apiVersion: v1 + data: + .dockerconfigjson: {{ `'{{- if eq (lookup "v1" "Secret" "open-cluster-management" "multiclusterhub-operator-pull-secret").kind "Secret" -}} {{- fromSecret "open-cluster-management" "multiclusterhub-operator-pull-secret" ".dockerconfigjson" -}} {{- else -}} {{- fromSecret "openshift-config" "pull-secret" ".dockerconfigjson" -}} {{- end -}}'` }} + kind: Secret + metadata: + labels: + ccluster.open-cluster-management.io/backup: "" + name: multiclusterhub-operator-pull-secret + namespace: open-cluster-management-observability + type: kubernetes.io/dockerconfigjson +--- +apiVersion: cluster.open-cluster-management.io/v1beta1 +metadata: + annotations: + argocd.argoproj.io/sync-wave: "9" + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true + name: pull-secret-copy + namespace: open-cluster-management-observability +spec: + predicates: + - requiredClusterSelector: + labelSelector: + matchExpressions: + - key: name + operator: In + values: + - local-cluster +--- +apiVersion: policy.open-cluster-management.io/v1 +kind: PlacementBinding +metadata: + annotations: + 
argocd.argoproj.io/sync-wave: "9" + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true + name: pull-secret-copy + namespace: open-cluster-management-observability +placementRef: + name: pull-secret-copy + apiGroup: cluster.open-cluster-management.io + kind: Placement +subjects: + - name: pull-secret-copy + apiGroup: policy.open-cluster-management.io + kind: Policy +--- +apiVersion: cluster.open-cluster-management.io/v1beta2 +kind: ManagedClusterSetBinding +metadata: + annotations: + argocd.argoproj.io/sync-wave: "9" + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true + name: global + namespace: open-cluster-management-observability +spec: + clusterSet: global diff --git a/telco-hub/configuration/reference-crs-kube-compare/required/acm/thanosSecretMCSB.yaml b/telco-hub/configuration/reference-crs-kube-compare/required/acm/thanosSecretMCSB.yaml new file mode 100644 index 000000000..ac9c6337f --- /dev/null +++ b/telco-hub/configuration/reference-crs-kube-compare/required/acm/thanosSecretMCSB.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: cluster.open-cluster-management.io/v1beta2 +kind: ManagedClusterSetBinding +metadata: + name: default + namespace: hub-policies + annotations: + argocd.argoproj.io/sync-wave: "8" + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +spec: + clusterSet: default diff --git a/telco-hub/configuration/reference-crs-kube-compare/required/acm/thanosSecretNS.yaml b/telco-hub/configuration/reference-crs-kube-compare/required/acm/thanosSecretNS.yaml new file mode 100644 index 000000000..91117b368 --- /dev/null +++ b/telco-hub/configuration/reference-crs-kube-compare/required/acm/thanosSecretNS.yaml @@ -0,0 +1,5 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: hub-policies 
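Review bot: The leading comment in pull-secret-copy.yaml says the pull secret is copied from openshift-config, but the `.dockerconfigjson` template first reads `multiclusterhub-operator-pull-secret` from `open-cluster-management` and only falls back to `openshift-config/pull-secret` when that secret is absent. Since this decides which registry credential ends up in `open-cluster-management-observability`, I would reword the comment to `# copies open-cluster-management/multiclusterhub-operator-pull-secret into open-cluster-management-observability, falling back to openshift-config/pull-secret`. The same comment is carried unchanged into pullSecretPolicy.yaml in PATCH 08/15. There the copy also carries the `cluster.open-cluster-management.io/backup` label; if that label places the credential in hub backups (not visible in this diff), a one-line comment saying so would help.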
diff --git a/telco-hub/configuration/reference-crs-kube-compare/required/acm/thanosSecretPlacement.yaml b/telco-hub/configuration/reference-crs-kube-compare/required/acm/thanosSecretPlacement.yaml
new file mode 100644
index 000000000..a54b3c0d1
--- /dev/null
+++ b/telco-hub/configuration/reference-crs-kube-compare/required/acm/thanosSecretPlacement.yaml
@@ -0,0 +1,18 @@
+---
+apiVersion: cluster.open-cluster-management.io/v1beta1
+kind: Placement
+metadata:
+ name: obs-thanos-pl
+ namespace: hub-policies
+ annotations:
+ argocd.argoproj.io/sync-wave: "9"
+ argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+spec:
+ predicates:
+ - requiredClusterSelector:
+ labelSelector:
+ matchExpressions:
+ - key: name
+ operator: In
+ values:
+ - local-cluster
diff --git a/telco-hub/configuration/reference-crs-kube-compare/required/acm/thanosSecretPlacementBinding.yaml b/telco-hub/configuration/reference-crs-kube-compare/required/acm/thanosSecretPlacementBinding.yaml
new file mode 100644
index 000000000..50ea1e136
--- /dev/null
+++ b/telco-hub/configuration/reference-crs-kube-compare/required/acm/thanosSecretPlacementBinding.yaml
@@ -0,0 +1,17 @@
+---
+apiVersion: policy.open-cluster-management.io/v1
+kind: PlacementBinding
+metadata:
+ name: obs-thanos-binding
+ namespace: hub-policies
+ annotations:
+ argocd.argoproj.io/sync-wave: "9"
+ argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+placementRef:
+ name: obs-thanos-pl
+ apiGroup: cluster.open-cluster-management.io
+ kind: Placement
+subjects:
+ - name: obs-thanos-secret
+ apiGroup: policy.open-cluster-management.io
+ kind: Policy
diff --git a/telco-hub/configuration/reference-crs-kube-compare/required/acm/thanosSecretPolicy.yaml b/telco-hub/configuration/reference-crs-kube-compare/required/acm/thanosSecretPolicy.yaml
new file mode 100644
index 000000000..b995c4c44
--- /dev/null
+++ b/telco-hub/configuration/reference-crs-kube-compare/required/acm/thanosSecretPolicy.yaml
@@ -0,0 +1,24 @@ +--- +apiVersion: policy.open-cluster-management.io/v1 +kind: Policy +metadata: + annotations: + policy.open-cluster-management.io/categories: CM Configuration Management + policy.open-cluster-management.io/controls: CM-2 Baseline Configuration + policy.open-cluster-management.io/description: "" + policy.open-cluster-management.io/standards: NIST SP 800-53 + argocd.argoproj.io/sync-wave: "9" + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true + name: obs-thanos-secret + namespace: hub-policies +spec: + disabled: false + policy-templates: + - objectDefinition: + apiVersion: policy.open-cluster-management.io/v1 + kind: ConfigurationPolicy + metadata: + name: thanos-secret-cp + spec: + remediationAction: enforce + severity: high From 987381aa8320dc06ea11dfb1cd046b7ad7062de1 Mon Sep 17 00:00:00 2001 From: jmontesi Date: Tue, 24 Jun 2025 12:18:02 +0200 Subject: [PATCH 07/15] Addressed review comments --- .../reference-crs-kube-compare/metadata.yaml | 7 +- .../required/acm/acmAgentServiceConfig.yaml | 6 +- .../required/acm/pull-secret-copy.yaml | 79 ------------------- .../required/acm/pull-secret-copy.yaml | 2 +- 4 files changed, 9 insertions(+), 85 deletions(-) delete mode 100644 telco-hub/configuration/reference-crs-kube-compare/required/acm/pull-secret-copy.yaml diff --git a/telco-hub/configuration/reference-crs-kube-compare/metadata.yaml b/telco-hub/configuration/reference-crs-kube-compare/metadata.yaml index a82d4ae09..d025b19f0 100644 --- a/telco-hub/configuration/reference-crs-kube-compare/metadata.yaml +++ b/telco-hub/configuration/reference-crs-kube-compare/metadata.yaml 
@@ -65,7 +65,10 @@ parts: config: ignore-unspecified-fields: true - path: required/acm/observabilitySecret.yaml - - path: required/acm/pull-secret-copy.yaml + - path: required/acm/pullSecretPolicy.yaml + - path: required/acm/pullSecretPlacement.yaml + - path: required/acm/pullSecretPlacementBinding.yaml + - path: required/acm/pullSecretMCSB.yaml - path: required/acm/thanosSecretNS.yaml - path: required/acm/thanosSecretPolicy.yaml config: @@ -121,7 +124,7 @@ fieldsToOmit: - pathToKey: metadata.ownerReferences - pathToKey: spec.finalizers allowStatusCheck: - - include: defatuls + - include: defaults templates: - pathToKey: spec.policy-templates all: diff --git a/telco-hub/configuration/reference-crs-kube-compare/required/acm/acmAgentServiceConfig.yaml b/telco-hub/configuration/reference-crs-kube-compare/required/acm/acmAgentServiceConfig.yaml index b5e6a4e5f..6427ed414 100644 --- a/telco-hub/configuration/reference-crs-kube-compare/required/acm/acmAgentServiceConfig.yaml +++ b/telco-hub/configuration/reference-crs-kube-compare/required/acm/acmAgentServiceConfig.yaml @@ -10,21 +10,21 @@ spec: - ReadWriteOnce resources: requests: - storage: 20Gi + storage: {{ .spec.databaseStorage.resources.requests.storage }} filesystemStorage: storageClassName: {{ .spec.filesystemStorage.storageClassName }} accessModes: - ReadWriteOnce resources: requests: - storage: 20Gi + storage: {{ .spec.filesystemStorage.resources.requests.storage }} imageStorage: storageClassName: {{ .spec.imageStorage.storageClassName }} accessModes: - ReadWriteOnce resources: requests: - storage: 100Gi + storage: {{ .spec.imageStorage.resources.requests.storage }} mirrorRegistryRef: name: mirror-registry-config {{- if .spec.osImages }} diff --git a/telco-hub/configuration/reference-crs-kube-compare/required/acm/pull-secret-copy.yaml b/telco-hub/configuration/reference-crs-kube-compare/required/acm/pull-secret-copy.yaml deleted file mode 100644 index f5961bfa2..000000000 
--- a/telco-hub/configuration/reference-crs-kube-compare/required/acm/pull-secret-copy.yaml
+++ /dev/null
@@ -1,79 +0,0 @@ ---- -# this policy will create a copy of the pull secret from openshift-config to open-cluster-management-observability namespace -apiVersion: policy.open-cluster-management.io/v1 -kind: Policy -metadata: - name: pull-secret-copy - namespace: open-cluster-management-observability - annotations: - argocd.argoproj.io/sync-wave: "9" - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - policy.open-cluster-management.io/description: Policy used to copy the pull secret from openshift-config to open-cluster-management-observability namespace -spec: - remediationAction: enforce - disabled: false - policy-templates: - - objectDefinition: - apiVersion: policy.open-cluster-management.io/v1 - kind: ConfigurationPolicy - metadata: - name: pull-secret-openshift-config-copy - spec: - object-templates: - - complianceType: musthave - objectDefinition: - apiVersion: v1 - data: - .dockerconfigjson: {{ `'{{- if eq (lookup "v1" "Secret" "open-cluster-management" "multiclusterhub-operator-pull-secret").kind "Secret" -}} {{- fromSecret "open-cluster-management" "multiclusterhub-operator-pull-secret" ".dockerconfigjson" -}} {{- else -}} {{- fromSecret "openshift-config" "pull-secret" ".dockerconfigjson" -}} {{- end -}}'` }} - kind: Secret - metadata: - labels: - ccluster.open-cluster-management.io/backup: "" - name: multiclusterhub-operator-pull-secret - namespace: open-cluster-management-observability - type: kubernetes.io/dockerconfigjson ---- -apiVersion: cluster.open-cluster-management.io/v1beta1 -metadata: - annotations: - argocd.argoproj.io/sync-wave: "9" - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - name: pull-secret-copy - namespace: open-cluster-management-observability -spec: - predicates: - - requiredClusterSelector: - labelSelector: - matchExpressions: - - key: name - operator: In - values: - - local-cluster ---- -apiVersion: policy.open-cluster-management.io/v1 -kind: PlacementBinding -metadata: - annotations: - 
argocd.argoproj.io/sync-wave: "9" - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - name: pull-secret-copy - namespace: open-cluster-management-observability -placementRef: - name: pull-secret-copy - apiGroup: cluster.open-cluster-management.io - kind: Placement -subjects: - - name: pull-secret-copy - apiGroup: policy.open-cluster-management.io - kind: Policy ---- -apiVersion: cluster.open-cluster-management.io/v1beta2 -kind: ManagedClusterSetBinding -metadata: - annotations: - argocd.argoproj.io/sync-wave: "9" - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - name: global - namespace: open-cluster-management-observability -spec: - clusterSet: global diff --git a/telco-hub/configuration/reference-crs/required/acm/pull-secret-copy.yaml b/telco-hub/configuration/reference-crs/required/acm/pull-secret-copy.yaml index 835a83324..0f0b98648 100644 --- a/telco-hub/configuration/reference-crs/required/acm/pull-secret-copy.yaml +++ b/telco-hub/configuration/reference-crs/required/acm/pull-secret-copy.yaml @@ -28,7 +28,7 @@ spec: kind: Secret metadata: labels: - ccluster.open-cluster-management.io/backup: "" + cluster.open-cluster-management.io/backup: "" name: multiclusterhub-operator-pull-secret namespace: open-cluster-management-observability type: kubernetes.io/dockerconfigjson From 1b34ced05ec8ab42f3bf7ff4e94b03f26174f7da Mon Sep 17 00:00:00 2001 
From: jmontesi Date: Thu, 26 Jun 2025 11:24:04 +0200 Subject: [PATCH 08/15] Split the ACM pull secret handling CRs into different files --- .../required/acm/pullSecretMCSB.yaml | 11 ++++++ .../required/acm/pullSecretPlacement.yaml | 18 ++++++++++ .../acm/pullSecretPlacementBinding.yaml | 17 ++++++++++ .../required/acm/pullSecretPolicy.yaml | 34 +++++++++++++++++++ 4 files changed, 80 insertions(+) create mode 100644 telco-hub/configuration/reference-crs-kube-compare/required/acm/pullSecretMCSB.yaml create mode 100644 telco-hub/configuration/reference-crs-kube-compare/required/acm/pullSecretPlacement.yaml create mode 100644 telco-hub/configuration/reference-crs-kube-compare/required/acm/pullSecretPlacementBinding.yaml create mode 100644 telco-hub/configuration/reference-crs-kube-compare/required/acm/pullSecretPolicy.yaml diff --git a/telco-hub/configuration/reference-crs-kube-compare/required/acm/pullSecretMCSB.yaml b/telco-hub/configuration/reference-crs-kube-compare/required/acm/pullSecretMCSB.yaml new file mode 100644 index 000000000..6680ef486 --- /dev/null +++ b/telco-hub/configuration/reference-crs-kube-compare/required/acm/pullSecretMCSB.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: cluster.open-cluster-management.io/v1beta2 +kind: ManagedClusterSetBinding +metadata: + annotations: + argocd.argoproj.io/sync-wave: "9" + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true + name: global + namespace: open-cluster-management-observability +spec: + clusterSet: global diff --git a/telco-hub/configuration/reference-crs-kube-compare/required/acm/pullSecretPlacement.yaml b/telco-hub/configuration/reference-crs-kube-compare/required/acm/pullSecretPlacement.yaml new file mode 100644 index 000000000..aebeca5b5 --- /dev/null +++ b/telco-hub/configuration/reference-crs-kube-compare/required/acm/pullSecretPlacement.yaml 
@@ -0,0 +1,18 @@
+---
+apiVersion: cluster.open-cluster-management.io/v1beta1
+kind: Placement
+metadata:
+ annotations:
+ argocd.argoproj.io/sync-wave: "9"
+ argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+ name: pull-secret-copy
+ namespace: open-cluster-management-observability
+spec:
+ predicates:
+ - requiredClusterSelector:
+ labelSelector:
+ matchExpressions:
+ - key: name
+ operator: In
+ values:
+ - local-cluster
diff --git a/telco-hub/configuration/reference-crs-kube-compare/required/acm/pullSecretPlacementBinding.yaml b/telco-hub/configuration/reference-crs-kube-compare/required/acm/pullSecretPlacementBinding.yaml
new file mode 100644
index 000000000..6b4539fb0
--- /dev/null
+++ b/telco-hub/configuration/reference-crs-kube-compare/required/acm/pullSecretPlacementBinding.yaml
@@ -0,0 +1,17 @@
+---
+apiVersion: policy.open-cluster-management.io/v1
+kind: PlacementBinding
+metadata:
+ annotations:
+ argocd.argoproj.io/sync-wave: "9"
+ argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+ name: pull-secret-copy
+ namespace: open-cluster-management-observability
+placementRef:
+ name: pull-secret-copy
+ apiGroup: cluster.open-cluster-management.io
+ kind: Placement
+subjects:
+ - name: pull-secret-copy
+ apiGroup: policy.open-cluster-management.io
+ kind: Policy
diff --git a/telco-hub/configuration/reference-crs-kube-compare/required/acm/pullSecretPolicy.yaml b/telco-hub/configuration/reference-crs-kube-compare/required/acm/pullSecretPolicy.yaml
new file mode 100644
index 000000000..43bde25fd
--- /dev/null
+++ b/telco-hub/configuration/reference-crs-kube-compare/required/acm/pullSecretPolicy.yaml
@@ -0,0 +1,34 @@ +--- +# this policy will create a copy of the pull secret from openshift-config to open-cluster-management-observability namespace +apiVersion: policy.open-cluster-management.io/v1 +kind: Policy +metadata: + name: pull-secret-copy + namespace: open-cluster-management-observability + annotations: + argocd.argoproj.io/sync-wave: "9" + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true + policy.open-cluster-management.io/description: Policy used to copy the pull secret from openshift-config to open-cluster-management-observability namespace +spec: + remediationAction: enforce + disabled: false + policy-templates: + - objectDefinition: + apiVersion: policy.open-cluster-management.io/v1 + kind: ConfigurationPolicy + metadata: + name: pull-secret-openshift-config-copy + spec: + object-templates: + - complianceType: musthave + objectDefinition: + apiVersion: v1 + data: + .dockerconfigjson: {{ `'{{- if eq (lookup "v1" "Secret" "open-cluster-management" "multiclusterhub-operator-pull-secret").kind "Secret" -}} {{- fromSecret "open-cluster-management" "multiclusterhub-operator-pull-secret" ".dockerconfigjson" -}} {{- else -}} {{- fromSecret "openshift-config" "pull-secret" ".dockerconfigjson" -}} {{- end -}}'` }} + kind: Secret + metadata: + labels: + cluster.open-cluster-management.io/backup: "" + name: multiclusterhub-operator-pull-secret + namespace: open-cluster-management-observability + type: kubernetes.io/dockerconfigjson From 93f16d71aec26e568c66431e13412a70a76edae4 Mon Sep 17 00:00:00 2001 
From: jmontesi Date: Thu, 3 Jul 2025 11:32:40 +0200 Subject: [PATCH 09/15] Add a make recipe to check the aligment of reference CRs and templates --- Makefile | 6 +- .../reference-crs-kube-compare/Makefile | 50 +++ .../reference-crs-kube-compare/compare.sh | 175 +++++++++++ .../reference-crs-kube-compare/compare_ignore | 46 +++ .../default_value.yaml | 284 ++++++++++++++++++ .../reference-crs-kube-compare/metadata.yaml | 2 +- .../logging/clusterLogSubscription.yaml | 2 +- .../optional/lso/lsoLocalVolume.yaml | 3 + .../optional/lso/lsoNS.yaml | 2 + .../optional/lso/lsoOperatorGroup.yaml | 2 + .../optional/lso/lsoSubscription.yaml | 2 + .../optional/odf-internal/odfNS.yaml | 1 + .../odf-internal/odfOperatorGroup.yaml | 2 + .../odf-internal/odfSubscription.yaml | 2 + .../optional/odf-internal/storageCluster.yaml | 3 + .../required/acm/acmAgentServiceConfig.yaml | 5 +- .../required/acm/acmMCSB.yaml | 11 + .../required/acm/acmMirrorRegistryCM.yaml | 5 +- .../required/acm/acmProvisioning.yaml | 4 + .../required/acm/observabilityMCO.yaml | 2 +- .../optional/logging/clusterLogNS.yaml | 2 - .../optional/lso/lsoLocalVolume.yaml | 12 +- .../optional/lso/lsoOperatorGroup.yaml | 2 +- .../optional/odf-internal/storageCluster.yaml | 12 +- .../required/acm/acmAgentServiceConfig.yaml | 18 +- .../reference-crs/required/acm/acmMCH.yaml | 11 - .../reference-crs/required/acm/acmMCSB.yaml | 11 + .../required/acm/acmMirrorRegistryCM.yaml | 3 - .../required/acm/kustomization.yaml | 12 +- .../required/acm/observabilityMCO.yaml | 2 +- .../required/acm/observabilitySecret.yaml | 2 +- .../required/acm/pullSecretMCSB.yaml | 11 + .../required/acm/pullSecretPlacement.yaml | 18 ++ .../acm/pullSecretPlacementBinding.yaml | 17 ++ ...secret-copy.yaml => pullSecretPolicy.yaml} | 46 --- .../reference-crs/required/acm/readme.md | 4 +- .../required/acm/thanosSecretMCSB.yaml | 11 + .../required/acm/thanosSecretNS.yaml | 5 + .../required/acm/thanosSecretPlacement.yaml | 18 ++ 
.../acm/thanosSecretPlacementBinding.yaml | 17 ++ ...nosSecret.yaml => thanosSecretPolicy.yaml} | 73 ----- 41 files changed, 742 insertions(+), 174 deletions(-) create mode 100644 telco-hub/configuration/reference-crs-kube-compare/Makefile create mode 100755 telco-hub/configuration/reference-crs-kube-compare/compare.sh create mode 100644 telco-hub/configuration/reference-crs-kube-compare/default_value.yaml create mode 100644 telco-hub/configuration/reference-crs-kube-compare/required/acm/acmMCSB.yaml create mode 100644 telco-hub/configuration/reference-crs/required/acm/acmMCSB.yaml create mode 100644 telco-hub/configuration/reference-crs/required/acm/pullSecretMCSB.yaml create mode 100644 telco-hub/configuration/reference-crs/required/acm/pullSecretPlacement.yaml create mode 100644 telco-hub/configuration/reference-crs/required/acm/pullSecretPlacementBinding.yaml rename telco-hub/configuration/reference-crs/required/acm/{pull-secret-copy.yaml => pullSecretPolicy.yaml} (56%) create mode 100644 telco-hub/configuration/reference-crs/required/acm/thanosSecretMCSB.yaml create mode 100644 telco-hub/configuration/reference-crs/required/acm/thanosSecretNS.yaml create mode 100644 telco-hub/configuration/reference-crs/required/acm/thanosSecretPlacement.yaml create mode 100644 telco-hub/configuration/reference-crs/required/acm/thanosSecretPlacementBinding.yaml rename telco-hub/configuration/reference-crs/required/acm/{thanosSecret.yaml => thanosSecretPolicy.yaml} (53%) diff --git a/Makefile b/Makefile index 61b8b22f1..b70c4d5d9 100644 --- a/Makefile +++ b/Makefile @@ -35,7 +35,7 @@ markdownlint: markdownlint-image ## run the markdown linter -v $$(pwd):/workdir:Z \ $(IMAGE_NAME)-markdownlint:latest -ci-validate: lintCheck check-reference-core check-reference-ran +ci-validate: lintCheck check-reference-core check-reference-ran check-reference-hub .PHONY: check-reference-core check-reference-core: 
@@ -44,3 +44,7 @@ check-reference-core: .PHONY: check-reference-ran check-reference-ran: $(MAKE) -C ./telco-ran/configuration check + +.PHONY: check-reference-hub +check-reference-hub: + $(MAKE) -C ./telco-hub/configuration/reference-crs-kube-compare check diff --git a/telco-hub/configuration/reference-crs-kube-compare/Makefile b/telco-hub/configuration/reference-crs-kube-compare/Makefile new file mode 100644 index 000000000..1fc3b2d2e --- /dev/null +++ b/telco-hub/configuration/reference-crs-kube-compare/Makefile 
@@ -0,0 +1,50 @@ +.PHONY: check +check: metadata_lint compare + +kubectl-cluster_compare: + @command -v kubectl-cluster_compare > /dev/null 2>&1 || { \ + echo "kubectl-cluster_compare tool isn't installed; please download it from https://github.com/openshift/kube-compare"; \ + } + +helm-convert: + @command -v helm-convert > /dev/null 2>&1 || { \ + echo "helm-convert isn't installed; please download and install it"; \ + } + +.PHONY: metadata_lint +metadata_lint: kubectl-cluster_compare + @echo "Running kube-compare to ensure metadata.yaml is sane" + @COMPARE_OUTPUT=$$(./kubectl-cluster_compare -r ./metadata.yaml -f /dev/null 2>&1); \ + if grep -q 'an error occurred while parsing template' <<<"$${COMPARE_OUTPUT}"; then \ + echo "Template parsing error"; \ + echo "$${COMPARE_OUTPUT}"; \ + exit 1; \ + fi; \ + echo "Okay"; \ + exit 0 + +.PHONY: clean +clean: + rm -rf kubectl-cluster_compare Chartv1 renderedv1 helm + + +.PHONY: convert +convert: helm-convert helm + @echo "Converting reference files to Helm Charts." + @rm -rf Chartv1 renderedv1 + @helm-convert -r ./metadata.yaml -n Chartv1 -v default_value.yaml + @echo "Rendering Helm Charts to CR files." + @helm template renderedv1 ./Chartv1 --output-dir renderedv1 + +helm: + @command -v helm > /dev/null 2>&1 || { \ + echo "helm isn't installed; please download and install it"; \ + } + +.PHONY: compare +compare: convert + @./compare.sh "../reference-crs" renderedv1 + +.PHONY: sync +sync: convert + @./compare.sh --sync "../reference-crs" renderedv1 \ No newline at end of file diff --git a/telco-hub/configuration/reference-crs-kube-compare/compare.sh b/telco-hub/configuration/reference-crs-kube-compare/compare.sh new file mode 100755 index 000000000..75399d95a --- /dev/null +++ b/telco-hub/configuration/reference-crs-kube-compare/compare.sh 
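Review bot: `metadata_lint` in the new reference-crs-kube-compare/Makefile can print "Okay" without having linted anything. The `kubectl-cluster_compare` prerequisite only echoes a hint when the tool is missing and never fails, and it looks the tool up on PATH while the recipe runs `./kubectl-cluster_compare`. The recipe itself fails only when the output contains `an error occurred while parsing template`, so a missing or crashing binary passes `ci-validate`. I would end the failure branch of each tool check (`kubectl-cluster_compare`, `helm-convert`, `helm`) with `exit 1; \`, invoke the tool the same way it is checked for, and treat a non-zero exit status of the compare run as a failure too. The `<<<` here-string also needs bash, and no `SHELL` assignment is visible in this hunk.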
@@ -0,0 +1,175 @@ +#! /bin/bash + +trap cleanup EXIT + +function cleanup() { + rm -rf source_file rendered_file same_file +} + +function read_dir() { + local dir=$1 + local file + + for file in "$dir"/*; do + if [ -d "$file" ]; then + read_dir "$file" + else + echo "$file" + fi + done +} + +function compare_cr { + local rendered_dir=$1 + local source_dir=$2 + local exclusionfile=$3 + local status=0 + + local DIFF=${DIFF:-colordiff} + if ! command -v "$DIFF" >/dev/null; then + echo "Warning: Requested diff tool '$DIFF' is not found; falling back to plain old 'diff'" + DIFF="diff" + fi + + read_dir "$rendered_dir" |grep yaml > rendered_file + read_dir "$source_dir" |grep yaml > source_file + + # Apply ignore filtering before comparison + while IFS= read -r file; do + [[ ${file::1} != "#" ]] || continue # Skip any comment lines in the exclusionfile + [[ -n ${file} ]] || continue # Skip empty lines + sed -i "/${file##*/}/d" source_file + sed -i "/${file##*/}/d" rendered_file + done < "$exclusionfile" + + local source_cr rendered + while IFS= read -r source_cr; do + while IFS= read -r rendered; do + if [ "${source_cr##*/}" = "${rendered##*/}" ]; then + # helm adds a yaml doc header (---) and a leading comment to every source_cr file; so remove those lines + tail -n +3 "$rendered" > "$rendered.fixed" + mv "$rendered.fixed" "$rendered" + + # Check the differences + if ! 
"$DIFF" -u "$source_cr" "$rendered"; then + status=$(( status || 1 )) + printf "\n\n**********************************************************************************\n\n" + fi + # cleanup + echo "$source_cr" >> same_file + fi + done < rendered_file + done < source_file + + # Filter out files with a source-cr/reference match from the full list of potentiol source-crs/reference files + while IFS= read -r file; do + [[ ${file::1} != "#" ]] || continue # Skip any comment lines in the exclusionfile + [[ -n ${file} ]] || continue # Skip empty lines + sed -i "/${file##*/}/d" source_file + sed -i "/${file##*/}/d" rendered_file + done < <(cat same_file "$exclusionfile") + + if [[ -s source_file || -s rendered_file ]]; then + [ -s source_file ] && printf "\n\nThe following files exist in source-crs only, but not found in reference:\n" && cat source_file + [ -s rendered_file ] && printf "\nThe following files exist in reference only, but not found in source-crs:\n" && cat rendered_file + status=1 + fi + + return $status +} + +sync_cr() { + local rendered_dir=$1 + local source_dir=$2 + local exclusionfile=$3 + local status=0 + + local -a renderedFiles + readarray -t renderedFiles < <(read_dir "$rendered_dir" | grep yaml) + + local -a sourceFiles + readarray -t sourceFiles < <(read_dir "$source_dir" | grep yaml) + + local -a excludedFiles + readarray -t excludedFiles < <(grep -v '^#' "$exclusionfile" | grep -v '^$') + + local source rendered excluded found + for rendered in "${renderedFiles[@]}"; do + found=0 + for source in "${sourceFiles[@]}"; do + if [ "${source##*/}" = "${rendered##*/}" ]; then + # Match found! 
+ found=1 + break + fi + done + if [[ $found == 0 ]]; then + source="$source_dir/${rendered##*/}" + fi + + # Replace the CR with the rendered copy (minus the helm-rendered heading) + tail -n +3 "$rendered" >"$source" + git add "$source" + done + + for source in "${sourceFiles[@]}"; do + found=0 + for rendered in "${renderedFiles[@]}"; do + if [ "${source##*/}" = "${rendered##*/}" ]; then + # Match found! + found=1 + break + fi + done + for excluded in "${excludedFiles[@]}"; do + if [ "${source##*/}" = "${excluded##*/}" ]; then + # Match found! + found=1 + break + fi + done + if [[ $found == 0 ]]; then + git rm -f "$source" + fi + done + + git diff --cached --stat --exit-code +} + +usage() { + echo "$(basename "$0") [--sync] sourceDir renderDir" + echo + echo "Compares the rendered reference-based CRs to the CRs in the compare directory" +} + +DOSYNC=0 +for arg in "$@"; do + case "$arg" in + -h | --help) + usage + exit 0 + ;; + --sync) + DOSYNC=1 + shift + ;; + esac +done +SOURCEDIR=$1 +if [[ ! -d $SOURCEDIR ]]; then + echo "No such source directory $SOURCEDIR" + usage + exit 1 +fi +RENDERDIR=$2 +if [[ ! -d $RENDERDIR ]]; then + echo "No such source directory $RENDERDIR" + usage + exit 1 +fi + +if [[ $DOSYNC == 1 ]]; then + sync_cr "$RENDERDIR" "$SOURCEDIR" compare_ignore +else + compare_cr "$RENDERDIR" "$SOURCEDIR" compare_ignore +fi \ No newline at end of file diff --git a/telco-hub/configuration/reference-crs-kube-compare/compare_ignore b/telco-hub/configuration/reference-crs-kube-compare/compare_ignore index 41ce989b2..2105472c3 100644 --- a/telco-hub/configuration/reference-crs-kube-compare/compare_ignore +++ b/telco-hub/configuration/reference-crs-kube-compare/compare_ignore 
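Review bot: In compare.sh the ignore filter `sed -i "/${file##*/}/d"` reduces every compare_ignore entry to its basename and uses it as an unanchored regular expression. An entry such as `required/gitops/app-project.yaml` therefore also drops `policies-app-project.yaml` and any same-named file in another directory, and `.` matches any character. That silently narrows what the alignment check covers; matching the full relative path as a fixed string (for example by filtering the lists with `grep -vF`) would keep an ignore entry scoped to the one file it names. Separately, the scratch lists `source_file`, `rendered_file` and `same_file` are created with fixed names in the current directory and removed with `rm -rf`. A private directory via `workdir=$(mktemp -d)` and `trap 'rm -rf "$workdir"' EXIT` avoids clobbering anything already there. `same_file` is also read with `cat` even when no pair matched and it was never created.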
@@ -3,3 +3,49 @@ metadata.yaml # Used in the reference only for version compliance checks ReferenceVersionCheck.yaml + +# Not yet published in the RDS: +optional/quay/quayNS.yaml +optional/quay/quayOperatorGroup.yaml +optional/quay/quaySubscription.yaml + +# Reference templates not implemented yet: +required/gitops/app-project.yaml +required/gitops/argocd-application.yaml +required/gitops/argocd-ssh-known-hosts-cm.yaml +required/gitops/clusterrolebinding.yaml +required/gitops/clusterrole.yaml +required/gitops/gitopsNS.yaml +required/gitops/gitopsOperatorGroup.yaml +required/gitops/gitopsSubscription.yaml +required/gitops/kustomization.yaml +required/gitops/ztp-installation/app-project.yaml +required/gitops/ztp-installation/clusters-app.yaml +required/gitops/ztp-installation/gitops-cluster-rolebinding.yaml +required/gitops/ztp-installation/gitops-policy-rolebinding.yaml +required/gitops/ztp-installation/kustomization.yaml +required/gitops/ztp-installation/policies-app-project.yaml +required/gitops/ztp-installation/policies-app.yaml +required/gitops/ztp-repo.yaml +optional/cert-manager/certManagerClusterIssuer.yaml +optional/cert-manager/certManagerNS.yaml +optional/cert-manager/certManagerOperatorgroup.yaml +optional/cert-manager/certManagerSubscription.yaml +optional/cert-manager/consoleCertificate.yaml +optional/cert-manager/downloadsCertificate.yaml +optional/cert-manager/oauthServiceCertificate.yaml +optional/backup-recovery/backupSchedule.yaml +optional/backup-recovery/dataProtectionApplication.yaml +optional/backup-recovery/objectBucketClaim.yaml +optional/backup-recovery/policy-backup.yaml +optional/backup-recovery/restore.yaml +optional/odf-internal/odfReady.yaml +required/acm/acmPerfSearch.yaml +required/acm/thanosSecretPolicy.yaml + +# ArgoCD files +kustomization.yaml +optional/lso/kustomization.yaml +optional/odf-internal/kustomization.yaml +required/talm/kustomization.yaml +required/acm/kustomization.yaml 
diff --git a/telco-hub/configuration/reference-crs-kube-compare/default_value.yaml b/telco-hub/configuration/reference-crs-kube-compare/default_value.yaml new file mode 100644 index 000000000..556148f24 --- /dev/null +++ b/telco-hub/configuration/reference-crs-kube-compare/default_value.yaml 
@@ -0,0 +1,284 @@ +optional_odf_internal_storageCluster: +- metadata: + annotations: + argocd.argoproj.io/sync-wave: "-2" + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true + spec: + manageNodes: false + resources: + mds: + limits: + cpu: "3" + memory: "8Gi" + requests: + cpu: "3" + memory: "8Gi" + storageDeviceSets: + - count: 1 + dataPVCTemplate: + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: "600Gi" + storageClassName: "local-sc" + volumeMode: Block + name: ocs-deviceset + placement: {} + portable: false + replica: 3 + resources: + limits: + cpu: "2" + memory: "5Gi" + requests: + cpu: "2" + memory: "5Gi" + monDataDirHostPath: /var/lib/rook + +optional_lso_lsoLocalVolume: +- metadata: + name: "local-disks" + namespace: "openshift-local-storage" + annotations: + argocd.argoproj.io/sync-wave: "-3" + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true + spec: + logLevel: Normal + managementState: Managed + nodeSelector: + nodeSelectorTerms: + - matchExpressions: + - key: cluster.ocs.openshift.io/openshift-storage + operator: In + values: + - "" + storageClassDevices: + - storageClassName: "local-sc" + forceWipeDevicesAndDestroyAllData: true + volumeMode: Block + devicePaths: + - /dev/disk/by-path/pci-xxx + +optional_lso_lsoNS: +- metadata: + annotations: + argocd.argoproj.io/sync-wave: "-5" + labels: + openshift.io/cluster-monitoring: "true" + +optional_lso_lsoOperatorGroup: +- metadata: + annotations: + argocd.argoproj.io/sync-wave: "-5" + spec: + targetNamespaces: + - openshift-local-storage + +optional_lso_lsoSubscription: +- metadata: + annotations: + argocd.argoproj.io/sync-wave: "-5" + spec: + source: redhat-operators-disconnected + +optional_odf_internal_odfNS: +- metadata: + annotations: + argocd.argoproj.io/sync-wave: "-5" + workload.openshift.io/allowed: management + +optional_odf_internal_odfOperatorGroup: +- metadata: + annotations: + argocd.argoproj.io/sync-wave: "-5" + spec: {} + 
+optional_odf_internal_odfSubscription: +- metadata: + annotations: + argocd.argoproj.io/sync-wave: "-5" + spec: + source: redhat-operators-disconnected + +# ACM defaults +required_acm_acmSubscription: +- spec: + source: redhat-operators-disconnected + +required_acm_acmMCH: +- spec: + availabilityConfig: High + +required_acm_acmProvisioning: +- metadata: + annotations: + argocd.argoproj.io/sync-wave: "6" + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true + spec: + watchAllNamespaces: true + provisioningNetwork: Disabled + # disableVirtualMediaTLS: true + +required_acm_observabilityMCO: +- spec: + availabilityConfig: Basic + storageConfig: + storageClass: example-storage-class + +required_acm_observabilityOBC: +- spec: + storageClassName: example-storage-class + +required_acm_acmAgentServiceConfig: +- metadata: + annotations: + argocd.argoproj.io/sync-wave: "7" + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true + spec: + databaseStorage: + storageClassName: example-storage-class + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 20Gi + filesystemStorage: + storageClassName: example-storage-class + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 20Gi + imageStorage: + storageClassName: example-storage-class + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 100Gi + mirrorRegistryRef: + name: mirror-registry-config + osImages: + - cpuArchitecture: "x86_64" + openshiftVersion: "4.18" + rootFSUrl: http:///rhcos-4.18.0-x86_64-live-rootfs.x86_64.img + url: http:///rhcos-4.18.0-x86_64-live.x86_64.iso + version: 418.94.202502100215-0 + osImageVersion: {} + +required_acm_acmMirrorRegistryCM: +- metadata: + annotations: + argocd.argoproj.io/sync-wave: "5" + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true + data: + ca-bundle.crt: | + -----BEGIN CERTIFICATE----- + MIID7jCCAtagAwXXX... + -----END CERTIFICATE----- + -----BEGIN CERTIFICATE----- + MIIDvTCCAqWgAwXXX... 
+ -----END CERTIFICATE----- + registries.conf: | + unqualified-search-registries = ["registry.access.redhat.com", "docker.io"] + [[registry]] + prefix = "" + location = "quay.io/openshift-release-dev" + + [[registry.mirror]] + location = "/openshift-release-dev" + pull-from-mirror = "digest-only" + + [[registry]] + prefix = "" + location = "quay.io/openshift-release-dev/ocp-release" + + [[registry.mirror]] + location = "/openshift-release-dev/ocp-release" + pull-from-mirror = "digest-only" + + [[registry]] + prefix = "" + location = "quay.io/openshift-release-dev/ocp-v4.0-art-dev" + + [[registry.mirror]] + location = "/openshift-release-dev/ocp-v4.0-art-dev" + pull-from-mirror = "digest-only" + + [[registry]] + prefix = "" + location = "registry.redhat.io/multicluster-engine" + + [[registry.mirror]] + location = "/multicluster-engine" + pull-from-mirror = "digest-only" + + [[registry]] + prefix = "" + location = "registry.redhat.io/odf4" + + [[registry.mirror]] + location = "/odf4" + pull-from-mirror = "digest-only" + + [[registry]] + prefix = "" + location = "registry.redhat.io/openshift4" + + [[registry.mirror]] + location = "/openshift4" + pull-from-mirror = "digest-only" + + [[registry]] + prefix = "" + location = "registry.redhat.io/rhacm2" + + [[registry.mirror]] + location = "/rhacm2" + pull-from-mirror = "digest-only" + + [[registry]] + prefix = "" + location = "registry.redhat.io/rhceph" + + [[registry.mirror]] + location = "/rhceph" + pull-from-mirror = "digest-only" + + [[registry]] + prefix = "" + location = "registry.redhat.io/rhel8" + + [[registry.mirror]] + location = "/rhel8" + pull-from-mirror = "digest-only" + + [[registry]] + prefix = "" + location = "registry.redhat.io/rhel9" + + [[registry.mirror]] + location = "/rhel9" + pull-from-mirror = "digest-only" + + [[registry]] + prefix = "" + location = "registry.redhat.io/ubi8" + + [[registry.mirror]] + location = "/ubi8" + pull-from-mirror = "tag-only" + +required_acm_observabilitySecret: +- data: 
+ .dockerconfigjson: '' # Value provided by user or by pull-secret-openshift-config-copy policy + +required_talm_talmSubscription: +- spec: + source: redhat-operators-disconnected + +optional_logging_clusterLogSubscription: +- spec: + source: redhat-operators-disconnected diff --git a/telco-hub/configuration/reference-crs-kube-compare/metadata.yaml b/telco-hub/configuration/reference-crs-kube-compare/metadata.yaml index d025b19f0..1cb47bdb5 100644 --- a/telco-hub/configuration/reference-crs-kube-compare/metadata.yaml +++ b/telco-hub/configuration/reference-crs-kube-compare/metadata.yaml @@ -50,6 +50,7 @@ parts: - path: required/acm/acmOperGroup.yaml - path: required/acm/acmSubscription.yaml - path: required/acm/acmMCH.yaml + - path: required/acm/acmMCSB.yaml config: ignore-unspecified-fields: true - path: required/acm/acmProvisioning.yaml @@ -102,7 +103,6 @@ fieldsToOmit: - pathToKey: metadata.annotations."olm.providedAPIs" - pathToKey: metadata.annotations."argocd.argoproj.io" isPrefix: true - - pathToKey: metadata.annotations."workload.openshift.io/allowed" - pathToKey: metadata.labels."kubernetes.io/metadata.name" - pathToKey: metadata.labels."security.openshift.io/scc.podSecurityLabelSync" - pathToKey: metadata.labels."operators.coreos.com/local-storage-operator.openshift-local-storage" diff --git a/telco-hub/configuration/reference-crs-kube-compare/optional/logging/clusterLogSubscription.yaml b/telco-hub/configuration/reference-crs-kube-compare/optional/logging/clusterLogSubscription.yaml index 64976adcf..01907497a 100644 --- a/telco-hub/configuration/reference-crs-kube-compare/optional/logging/clusterLogSubscription.yaml +++ b/telco-hub/configuration/reference-crs-kube-compare/optional/logging/clusterLogSubscription.yaml @@ -5,7 +5,7 @@ metadata: name: cluster-logging namespace: openshift-logging spec: - channel: "stable" + channel: "stable-6.2" name: cluster-logging source: {{ .spec.source }} sourceNamespace: openshift-marketplace 
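Review bot: The `osImages` default under `required_acm_acmAgentServiceConfig` gives `rootFSUrl` and `url` as plain `http://` URLs with no explanation, so the value the templates are rendered with presents an unauthenticated image download as the reference. The only rationale visible on this page is the `acmProvisioning.yaml` comment that some servers cannot do virtual media over https; repeating it here, e.g. `# http only because some BMCs cannot fetch virtual media over https; use https where supported`, would stop readers copying it as the preferred form. In the `registries.conf` block every mirror is `pull-from-mirror = "digest-only"` except `/ubi8`, which is `"tag-only"`; if that is deliberate it deserves a comment above `registries.conf:`, otherwise it looks like an inconsistency. `forceWipeDevicesAndDestroyAllData: true` in `optional_lso_lsoLocalVolume` likewise merits a one-line note that it is destructive on the listed `devicePaths`.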
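Review bot: In the first `metadata.yaml` hunk the new `- path: required/acm/acmMCSB.yaml` entry is inserted between `- path: required/acm/acmMCH.yaml` and the `config:` / `ignore-unspecified-fields: true` lines that followed it, so the option now appears to attach to the ManagedClusterSetBinding entry instead of the MultiClusterHub one. Indentation is not recoverable in this view, but the line order suggests the MultiClusterHub is now compared strictly while unspecified fields on the binding go unreported. If that is not intended, place the new entry after the config block, i.e. keep `- path: required/acm/acmMCH.yaml` followed directly by `config:` and `ignore-unspecified-fields: true`, then add `- path: required/acm/acmMCSB.yaml`. The `parts:` list starts and continues outside the hunk.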
diff --git a/telco-hub/configuration/reference-crs-kube-compare/optional/lso/lsoLocalVolume.yaml b/telco-hub/configuration/reference-crs-kube-compare/optional/lso/lsoLocalVolume.yaml index a367d40a4..03ef7355a 100644 --- a/telco-hub/configuration/reference-crs-kube-compare/optional/lso/lsoLocalVolume.yaml +++ b/telco-hub/configuration/reference-crs-kube-compare/optional/lso/lsoLocalVolume.yaml @@ -4,6 +4,9 @@ kind: "LocalVolume" metadata: name: {{ .metadata.name }} namespace: "openshift-local-storage" + annotations: + argocd.argoproj.io/sync-wave: "-3" + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true spec: logLevel: Normal managementState: Managed diff --git a/telco-hub/configuration/reference-crs-kube-compare/optional/lso/lsoNS.yaml b/telco-hub/configuration/reference-crs-kube-compare/optional/lso/lsoNS.yaml index 117cf59b3..cfe82946c 100644 --- a/telco-hub/configuration/reference-crs-kube-compare/optional/lso/lsoNS.yaml +++ b/telco-hub/configuration/reference-crs-kube-compare/optional/lso/lsoNS.yaml @@ -3,5 +3,7 @@ apiVersion: v1 kind: Namespace metadata: name: openshift-local-storage + annotations: + argocd.argoproj.io/sync-wave: "-5" labels: openshift.io/cluster-monitoring: "true" diff --git a/telco-hub/configuration/reference-crs-kube-compare/optional/lso/lsoOperatorGroup.yaml b/telco-hub/configuration/reference-crs-kube-compare/optional/lso/lsoOperatorGroup.yaml index 7572ac178..3c2bbc7a8 100644 --- a/telco-hub/configuration/reference-crs-kube-compare/optional/lso/lsoOperatorGroup.yaml +++ b/telco-hub/configuration/reference-crs-kube-compare/optional/lso/lsoOperatorGroup.yaml @@ -2,6 +2,8 @@ apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: + annotations: + argocd.argoproj.io/sync-wave: "-5" name: local-operator-group namespace: openshift-local-storage spec: 
diff --git a/telco-hub/configuration/reference-crs-kube-compare/optional/lso/lsoSubscription.yaml b/telco-hub/configuration/reference-crs-kube-compare/optional/lso/lsoSubscription.yaml index 42ebbb56a..80d4f6119 100644 --- a/telco-hub/configuration/reference-crs-kube-compare/optional/lso/lsoSubscription.yaml +++ b/telco-hub/configuration/reference-crs-kube-compare/optional/lso/lsoSubscription.yaml @@ -2,6 +2,8 @@ apiVersion: operators.coreos.com/v1alpha1 kind: Subscription metadata: + annotations: + argocd.argoproj.io/sync-wave: "-5" name: local-storage-operator namespace: openshift-local-storage spec: diff --git a/telco-hub/configuration/reference-crs-kube-compare/optional/odf-internal/odfNS.yaml b/telco-hub/configuration/reference-crs-kube-compare/optional/odf-internal/odfNS.yaml index 582be877d..cd2316510 100644 --- a/telco-hub/configuration/reference-crs-kube-compare/optional/odf-internal/odfNS.yaml +++ b/telco-hub/configuration/reference-crs-kube-compare/optional/odf-internal/odfNS.yaml @@ -4,6 +4,7 @@ kind: Namespace metadata: name: openshift-storage annotations: + argocd.argoproj.io/sync-wave: "-5" workload.openshift.io/allowed: management labels: openshift.io/cluster-monitoring: "true" diff --git a/telco-hub/configuration/reference-crs-kube-compare/optional/odf-internal/odfOperatorGroup.yaml b/telco-hub/configuration/reference-crs-kube-compare/optional/odf-internal/odfOperatorGroup.yaml index e52c24a20..9272a6b38 100644 --- a/telco-hub/configuration/reference-crs-kube-compare/optional/odf-internal/odfOperatorGroup.yaml +++ b/telco-hub/configuration/reference-crs-kube-compare/optional/odf-internal/odfOperatorGroup.yaml @@ -2,6 +2,8 @@ apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: + annotations: + argocd.argoproj.io/sync-wave: "-5" name: openshift-storage-operatorgroup namespace: openshift-storage spec: 
diff --git a/telco-hub/configuration/reference-crs-kube-compare/optional/odf-internal/odfSubscription.yaml b/telco-hub/configuration/reference-crs-kube-compare/optional/odf-internal/odfSubscription.yaml index e571cda8d..48eed8eb4 100644 --- a/telco-hub/configuration/reference-crs-kube-compare/optional/odf-internal/odfSubscription.yaml +++ b/telco-hub/configuration/reference-crs-kube-compare/optional/odf-internal/odfSubscription.yaml @@ -2,6 +2,8 @@ apiVersion: operators.coreos.com/v1alpha1 kind: Subscription metadata: + annotations: + argocd.argoproj.io/sync-wave: "-5" name: odf-operator namespace: openshift-storage spec: diff --git a/telco-hub/configuration/reference-crs-kube-compare/optional/odf-internal/storageCluster.yaml b/telco-hub/configuration/reference-crs-kube-compare/optional/odf-internal/storageCluster.yaml index cca544477..7312e4489 100644 --- a/telco-hub/configuration/reference-crs-kube-compare/optional/odf-internal/storageCluster.yaml +++ b/telco-hub/configuration/reference-crs-kube-compare/optional/odf-internal/storageCluster.yaml @@ -4,6 +4,9 @@ kind: StorageCluster metadata: name: ocs-storagecluster namespace: openshift-storage + annotations: + argocd.argoproj.io/sync-wave: "-2" + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true spec: manageNodes: false {{- if .spec.resources }} diff --git a/telco-hub/configuration/reference-crs-kube-compare/required/acm/acmAgentServiceConfig.yaml b/telco-hub/configuration/reference-crs-kube-compare/required/acm/acmAgentServiceConfig.yaml index 6427ed414..629b01fef 100644 --- a/telco-hub/configuration/reference-crs-kube-compare/required/acm/acmAgentServiceConfig.yaml +++ b/telco-hub/configuration/reference-crs-kube-compare/required/acm/acmAgentServiceConfig.yaml 
@@ -3,6 +3,9 @@ apiVersion: agent-install.openshift.io/v1beta1 kind: AgentServiceConfig metadata: name: agent + annotations: + argocd.argoproj.io/sync-wave: "7" + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true spec: databaseStorage: storageClassName: {{ .spec.databaseStorage.storageClassName }} @@ -32,7 +35,7 @@ spec: # Replace with the address of the local web server that stores the RHCOS images. # The images can be downloaded from "https://mirror.openshift.com/pub/openshift-v4/x86_64/dependencies/rhcos/". - cpuArchitecture: "x86_64" - openshiftVersion: "4.17" + openshiftVersion: "4.18" rootFSUrl: {{ (index .spec.osImages 0).rootFSUrl }} url: {{ (index .spec.osImages 0).url }} version: {{ (index .spec.osImages 0).version }} diff --git a/telco-hub/configuration/reference-crs-kube-compare/required/acm/acmMCSB.yaml b/telco-hub/configuration/reference-crs-kube-compare/required/acm/acmMCSB.yaml new file mode 100644 index 000000000..35f4f8d86 --- /dev/null +++ b/telco-hub/configuration/reference-crs-kube-compare/required/acm/acmMCSB.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: cluster.open-cluster-management.io/v1beta2 +kind: ManagedClusterSetBinding +metadata: + annotations: + argocd.argoproj.io/sync-wave: "4" + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true + name: global + namespace: openshift-storage +spec: + clusterSet: global diff --git a/telco-hub/configuration/reference-crs-kube-compare/required/acm/acmMirrorRegistryCM.yaml b/telco-hub/configuration/reference-crs-kube-compare/required/acm/acmMirrorRegistryCM.yaml index e61c2b7ed..d72ea3dad 100644 --- a/telco-hub/configuration/reference-crs-kube-compare/required/acm/acmMirrorRegistryCM.yaml +++ b/telco-hub/configuration/reference-crs-kube-compare/required/acm/acmMirrorRegistryCM.yaml 
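Review bot: The new `acmMCSB.yaml` binds the `global` ManagedClusterSet into `openshift-storage` without saying what in that namespace consumes it. In ACM the `global` set normally contains every managed cluster, so any Placement created in the bound namespace can select any of them. The same binding is added as `reference-crs/required/acm/acmMCSB.yaml` and, for `open-cluster-management-observability`, as `pullSecretMCSB.yaml`, while `thanosSecretMCSB.yaml` binds `default` instead. A header comment in each file, for example `# Needed by <consumer>; Placements in this namespace select only name=local-cluster` with the placeholder replaced by the real consumer, would let a reviewer confirm the scope is intended and explain why the sets differ.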
@@ -3,8 +3,11 @@ apiVersion: v1 kind: ConfigMap metadata: name: mirror-registry-config + annotations: + argocd.argoproj.io/sync-wave: "5" + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true namespace: multicluster-engine labels: app: assisted-service data: - {{- .data | toYaml | nindent 2 }} + {{- .data | toYaml | nindent 2 | replace " \n" "\n" }} diff --git a/telco-hub/configuration/reference-crs-kube-compare/required/acm/acmProvisioning.yaml b/telco-hub/configuration/reference-crs-kube-compare/required/acm/acmProvisioning.yaml index aac6b6601..121b6e5a2 100644 --- a/telco-hub/configuration/reference-crs-kube-compare/required/acm/acmProvisioning.yaml +++ b/telco-hub/configuration/reference-crs-kube-compare/required/acm/acmProvisioning.yaml @@ -3,10 +3,14 @@ apiVersion: metal3.io/v1alpha1 kind: Provisioning metadata: name: provisioning-configuration + annotations: + argocd.argoproj.io/sync-wave: "6" + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true spec: watchAllNamespaces: true # some servers do not support virtual media installations # when the image is served using the https protocol + # disableVirtualMediaTLS: true {{- if .spec.disableVirtualMediaTLS }} disableVirtualMediaTLS: true {{- end }} diff --git a/telco-hub/configuration/reference-crs-kube-compare/required/acm/observabilityMCO.yaml b/telco-hub/configuration/reference-crs-kube-compare/required/acm/observabilityMCO.yaml index 2efbe9a27..ad476e551 100644 --- a/telco-hub/configuration/reference-crs-kube-compare/required/acm/observabilityMCO.yaml +++ b/telco-hub/configuration/reference-crs-kube-compare/required/acm/observabilityMCO.yaml @@ -31,7 +31,7 @@ spec: enableMetrics: true interval: 300 storageConfig: - storageClass: {{ .spec.storageConfig.storageClass }} + storageClass: {{ .spec.storageConfig.storageClass }} alertmanagerStorageSize: 10Gi compactStorageSize: 100Gi metricObjectStorage: 
diff --git a/telco-hub/configuration/reference-crs/optional/logging/clusterLogNS.yaml b/telco-hub/configuration/reference-crs/optional/logging/clusterLogNS.yaml index 1fcd5d63d..f13ffef9b 100644 --- a/telco-hub/configuration/reference-crs/optional/logging/clusterLogNS.yaml +++ b/telco-hub/configuration/reference-crs/optional/logging/clusterLogNS.yaml @@ -3,5 +3,3 @@ apiVersion: v1 kind: Namespace metadata: name: openshift-logging - annotations: - workload.openshift.io/allowed: management diff --git a/telco-hub/configuration/reference-crs/optional/lso/lsoLocalVolume.yaml b/telco-hub/configuration/reference-crs/optional/lso/lsoLocalVolume.yaml index 9ffcc90fc..aac023110 100644 --- a/telco-hub/configuration/reference-crs/optional/lso/lsoLocalVolume.yaml +++ b/telco-hub/configuration/reference-crs/optional/lso/lsoLocalVolume.yaml @@ -2,7 +2,7 @@ apiVersion: "local.storage.openshift.io/v1" kind: "LocalVolume" metadata: - name: "local-disks" + name: local-disks namespace: "openshift-local-storage" annotations: argocd.argoproj.io/sync-wave: "-3" @@ -13,12 +13,12 @@ spec: nodeSelector: nodeSelectorTerms: - matchExpressions: - - key: cluster.ocs.openshift.io/openshift-storage - operator: In - values: - - "" + - key: cluster.ocs.openshift.io/openshift-storage + operator: In + values: + - "" storageClassDevices: - - storageClassName: "local-sc" + - storageClassName: local-sc forceWipeDevicesAndDestroyAllData: true volumeMode: Block devicePaths: diff --git a/telco-hub/configuration/reference-crs/optional/lso/lsoOperatorGroup.yaml b/telco-hub/configuration/reference-crs/optional/lso/lsoOperatorGroup.yaml index 18d884503..c6b4a9634 100644 --- a/telco-hub/configuration/reference-crs/optional/lso/lsoOperatorGroup.yaml +++ b/telco-hub/configuration/reference-crs/optional/lso/lsoOperatorGroup.yaml @@ -8,4 +8,4 @@ metadata: namespace: openshift-local-storage spec: targetNamespaces: - - openshift-local-storage + - openshift-local-storage 
diff --git a/telco-hub/configuration/reference-crs/optional/odf-internal/storageCluster.yaml b/telco-hub/configuration/reference-crs/optional/odf-internal/storageCluster.yaml index 88b45b951..7236005e9 100644 --- a/telco-hub/configuration/reference-crs/optional/odf-internal/storageCluster.yaml +++ b/telco-hub/configuration/reference-crs/optional/odf-internal/storageCluster.yaml @@ -13,10 +13,10 @@ spec: mds: limits: cpu: "3" - memory: "8Gi" + memory: 8Gi requests: cpu: "3" - memory: "8Gi" + memory: 8Gi monDataDirHostPath: /var/lib/rook storageDeviceSets: - count: 1 # <-- Modify count to desired value. For each set of 3 disks increment the count by 1. @@ -26,8 +26,8 @@ spec: - ReadWriteOnce resources: requests: - storage: "600Gi" # <-- This should be changed as per storage size. Minimum 100 GiB and Maximum 4 TiB - storageClassName: "local-sc" # match this with the storage block created at the LSO step + storage: 600Gi # <-- This should be changed as per storage size. Minimum 100 GiB and Maximum 4 TiB + storageClassName: local-sc # match this with the storage block created at the LSO step volumeMode: Block name: ocs-deviceset placement: {} @@ -36,7 +36,7 @@ spec: resources: limits: cpu: "2" - memory: "5Gi" + memory: 5Gi requests: cpu: "2" - memory: "5Gi" + memory: 5Gi diff --git a/telco-hub/configuration/reference-crs/required/acm/acmAgentServiceConfig.yaml b/telco-hub/configuration/reference-crs/required/acm/acmAgentServiceConfig.yaml index 91def13d5..3ec0b576b 100644 --- a/telco-hub/configuration/reference-crs/required/acm/acmAgentServiceConfig.yaml +++ b/telco-hub/configuration/reference-crs/required/acm/acmAgentServiceConfig.yaml 
@@ -8,21 +8,21 @@ metadata: argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true spec: databaseStorage: - storageClassName: # your-fs-storageclass-here + storageClassName: example-storage-class accessModes: - ReadWriteOnce resources: requests: storage: 20Gi filesystemStorage: - storageClassName: # your-fs-storageclass-here + storageClassName: example-storage-class accessModes: - ReadWriteOnce resources: requests: storage: 20Gi imageStorage: - storageClassName: # your-fs-storageclass-here + storageClassName: example-storage-class accessModes: - ReadWriteOnce resources: @@ -33,18 +33,8 @@ spec: osImages: # Replace with the address of the local web server that stores the RHCOS images. # The images can be downloaded from "https://mirror.openshift.com/pub/openshift-v4/x86_64/dependencies/rhcos/". - - cpuArchitecture: "x86_64" - openshiftVersion: "4.16" - rootFSUrl: https:///rhcos-4.16.0-x86_64-live-rootfs.x86_64.img - url: https:///rhcos-4.16.0-x86_64-live.x86_64.iso - version: "416.94.202406172220-0" - - cpuArchitecture: "x86_64" - openshiftVersion: "4.17" - rootFSUrl: http:///rhcos-4.17.0-x86_64-live-rootfs.x86_64.img - url: http:///rhcos-4.17.0-x86_64-live.x86_64.iso - version: "417.94.202409121747-0" - cpuArchitecture: "x86_64" openshiftVersion: "4.18" rootFSUrl: http:///rhcos-4.18.0-x86_64-live-rootfs.x86_64.img url: http:///rhcos-4.18.0-x86_64-live.x86_64.iso - version: "418.94.202502100215-0" + version: 418.94.202502100215-0 diff --git a/telco-hub/configuration/reference-crs/required/acm/acmMCH.yaml b/telco-hub/configuration/reference-crs/required/acm/acmMCH.yaml index a1566e270..b8f9ecbbd 100644 --- a/telco-hub/configuration/reference-crs/required/acm/acmMCH.yaml +++ b/telco-hub/configuration/reference-crs/required/acm/acmMCH.yaml 
@@ -58,14 +58,3 @@ spec: enabled: false name: edge-manager-preview separateCertificateManagement: false ---- -apiVersion: cluster.open-cluster-management.io/v1beta2 -kind: ManagedClusterSetBinding -metadata: - annotations: - argocd.argoproj.io/sync-wave: "4" - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - name: global - namespace: openshift-storage -spec: - clusterSet: global diff --git a/telco-hub/configuration/reference-crs/required/acm/acmMCSB.yaml b/telco-hub/configuration/reference-crs/required/acm/acmMCSB.yaml new file mode 100644 index 000000000..35f4f8d86 --- /dev/null +++ b/telco-hub/configuration/reference-crs/required/acm/acmMCSB.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: cluster.open-cluster-management.io/v1beta2 +kind: ManagedClusterSetBinding +metadata: + annotations: + argocd.argoproj.io/sync-wave: "4" + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true + name: global + namespace: openshift-storage +spec: + clusterSet: global diff --git a/telco-hub/configuration/reference-crs/required/acm/acmMirrorRegistryCM.yaml b/telco-hub/configuration/reference-crs/required/acm/acmMirrorRegistryCM.yaml index 8a7954cb1..77817dca6 100644 --- a/telco-hub/configuration/reference-crs/required/acm/acmMirrorRegistryCM.yaml +++ b/telco-hub/configuration/reference-crs/required/acm/acmMirrorRegistryCM.yaml @@ -10,7 +10,6 @@ metadata: labels: app: assisted-service data: - # Add the mirror registry SSL certificate chain up to the CA itself. ca-bundle.crt: | -----BEGIN CERTIFICATE----- MIID7jCCAtagAwXXX... @@ -18,8 +17,6 @@ data: -----BEGIN CERTIFICATE----- MIIDvTCCAqWgAwXXX... -----END CERTIFICATE----- - # The registries.conf field has been populated using the registries.conf file found in "/etc/containers/registries.conf" on each node. - # Replace with the mirror registry's address. registries.conf: | unqualified-search-registries = ["registry.access.redhat.com", "docker.io"] [[registry]] 
diff --git a/telco-hub/configuration/reference-crs/required/acm/kustomization.yaml b/telco-hub/configuration/reference-crs/required/acm/kustomization.yaml index 26e210cb6..26cbe1b72 100644 --- a/telco-hub/configuration/reference-crs/required/acm/kustomization.yaml +++ b/telco-hub/configuration/reference-crs/required/acm/kustomization.yaml @@ -6,13 +6,21 @@ resources: - acmOperGroup.yaml - acmSubscription.yaml - acmMCH.yaml + - acmMCSB.yaml - acmAgentServiceConfig.yaml - acmMirrorRegistryCM.yaml - acmPerfSearch.yaml - acmProvisioning.yaml - observabilityNS.yaml - observabilityOBC.yaml - - thanosSecret.yaml + - thanosSecretPolicy.yaml + - thanosSecretPlacement.yaml + - thanosSecretPlacementBinding.yaml + - thanosSecretMCSB.yaml # - observabilitySecret.yaml - - pull-secret-copy.yaml + - pullSecretPolicy.yaml + - pullSecretPlacement.yaml + - pullSecretPlacementBinding.yaml + - pullSecretMCSB.yaml + - observabilityMCO.yaml diff --git a/telco-hub/configuration/reference-crs/required/acm/observabilityMCO.yaml b/telco-hub/configuration/reference-crs/required/acm/observabilityMCO.yaml index 4727cd524..ac8937468 100644 --- a/telco-hub/configuration/reference-crs/required/acm/observabilityMCO.yaml +++ b/telco-hub/configuration/reference-crs/required/acm/observabilityMCO.yaml @@ -31,7 +31,7 @@ spec: enableMetrics: true interval: 300 storageConfig: - storageClass: # your-fs-storageclass-here + storageClass: example-storage-class alertmanagerStorageSize: 10Gi compactStorageSize: 100Gi metricObjectStorage: diff --git a/telco-hub/configuration/reference-crs/required/acm/observabilitySecret.yaml b/telco-hub/configuration/reference-crs/required/acm/observabilitySecret.yaml index 3a7d1d5c8..dc8f06ea6 100644 --- a/telco-hub/configuration/reference-crs/required/acm/observabilitySecret.yaml +++ b/telco-hub/configuration/reference-crs/required/acm/observabilitySecret.yaml 
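Review bot: The `resources:` list in `kustomization.yaml` gains `thanosSecretPolicy.yaml`, `thanosSecretPlacement.yaml`, `thanosSecretPlacementBinding.yaml` and `thanosSecretMCSB.yaml`, but not `thanosSecretNS.yaml`, the new file that now holds the `hub-policies` Namespace split out of `thanosSecret.yaml`. Unless that namespace is created elsewhere, the four CRs that declare `namespace: hub-policies` have nothing to land in. Add `- thanosSecretNS.yaml` ahead of `- thanosSecretPolicy.yaml`. The list begins above the hunk, but a newly created file cannot already be listed there.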
@@ -11,4 +11,4 @@ metadata: namespace: open-cluster-management-observability type: kubernetes.io/dockerconfigjson data: - .dockerconfigjson: '' # Value provided by user or by pull-secret-openshift-config-copy policy + .dockerconfigjson: "" diff --git a/telco-hub/configuration/reference-crs/required/acm/pullSecretMCSB.yaml b/telco-hub/configuration/reference-crs/required/acm/pullSecretMCSB.yaml new file mode 100644 index 000000000..6680ef486 --- /dev/null +++ b/telco-hub/configuration/reference-crs/required/acm/pullSecretMCSB.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: cluster.open-cluster-management.io/v1beta2 +kind: ManagedClusterSetBinding +metadata: + annotations: + argocd.argoproj.io/sync-wave: "9" + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true + name: global + namespace: open-cluster-management-observability +spec: + clusterSet: global diff --git a/telco-hub/configuration/reference-crs/required/acm/pullSecretPlacement.yaml b/telco-hub/configuration/reference-crs/required/acm/pullSecretPlacement.yaml new file mode 100644 index 000000000..aebeca5b5 --- /dev/null +++ b/telco-hub/configuration/reference-crs/required/acm/pullSecretPlacement.yaml @@ -0,0 +1,18 @@ +--- +apiVersion: cluster.open-cluster-management.io/v1beta1 +kind: Placement +metadata: + annotations: + argocd.argoproj.io/sync-wave: "9" + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true + name: pull-secret-copy + namespace: open-cluster-management-observability +spec: + predicates: + - requiredClusterSelector: + labelSelector: + matchExpressions: + - key: name + operator: In + values: + - local-cluster diff --git a/telco-hub/configuration/reference-crs/required/acm/pullSecretPlacementBinding.yaml b/telco-hub/configuration/reference-crs/required/acm/pullSecretPlacementBinding.yaml new file mode 100644 index 000000000..6b4539fb0 --- /dev/null +++ b/telco-hub/configuration/reference-crs/required/acm/pullSecretPlacementBinding.yaml 
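Review bot: Dropping the trailing comment on `.dockerconfigjson` in `observabilitySecret.yaml` leaves an empty-valued Secret with no hint of where the value comes from. If the comment was removed only to keep the line comparable, restore it as a standalone line above the key, e.g. `# Value provided by the user or by the policy in pullSecretPolicy.yaml; do not commit a real pull secret`. The Secret's metadata begins outside the hunk.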
@@ -0,0 +1,17 @@ +--- +apiVersion: policy.open-cluster-management.io/v1 +kind: PlacementBinding +metadata: + annotations: + argocd.argoproj.io/sync-wave: "9" + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true + name: pull-secret-copy + namespace: open-cluster-management-observability +placementRef: + name: pull-secret-copy + apiGroup: cluster.open-cluster-management.io + kind: Placement +subjects: + - name: pull-secret-copy + apiGroup: policy.open-cluster-management.io + kind: Policy diff --git a/telco-hub/configuration/reference-crs/required/acm/pull-secret-copy.yaml b/telco-hub/configuration/reference-crs/required/acm/pullSecretPolicy.yaml similarity index 56% rename from telco-hub/configuration/reference-crs/required/acm/pull-secret-copy.yaml rename to telco-hub/configuration/reference-crs/required/acm/pullSecretPolicy.yaml index 0f0b98648..70109556d 100644 --- a/telco-hub/configuration/reference-crs/required/acm/pull-secret-copy.yaml +++ b/telco-hub/configuration/reference-crs/required/acm/pullSecretPolicy.yaml 
@@ -32,49 +32,3 @@ spec: name: multiclusterhub-operator-pull-secret namespace: open-cluster-management-observability type: kubernetes.io/dockerconfigjson ---- -apiVersion: cluster.open-cluster-management.io/v1beta1 -kind: Placement -metadata: - annotations: - argocd.argoproj.io/sync-wave: "9" - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - name: pull-secret-copy - namespace: open-cluster-management-observability -spec: - predicates: - - requiredClusterSelector: - labelSelector: - matchExpressions: - - key: name - operator: In - values: - - local-cluster ---- -apiVersion: policy.open-cluster-management.io/v1 -kind: PlacementBinding -metadata: - annotations: - argocd.argoproj.io/sync-wave: "9" - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - name: pull-secret-copy - namespace: open-cluster-management-observability -placementRef: - name: pull-secret-copy - apiGroup: cluster.open-cluster-management.io - kind: Placement -subjects: - - name: pull-secret-copy - apiGroup: policy.open-cluster-management.io - kind: Policy ---- -apiVersion: cluster.open-cluster-management.io/v1beta2 -kind: ManagedClusterSetBinding -metadata: - annotations: - argocd.argoproj.io/sync-wave: "9" - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - name: global - namespace: open-cluster-management-observability -spec: - clusterSet: global diff --git a/telco-hub/configuration/reference-crs/required/acm/readme.md b/telco-hub/configuration/reference-crs/required/acm/readme.md index 8695c384e..66ee242a8 100644 --- a/telco-hub/configuration/reference-crs/required/acm/readme.md +++ b/telco-hub/configuration/reference-crs/required/acm/readme.md 
@@ -10,11 +10,11 @@ 8. The `multicluster-engine` enables the `cluster-proxy-addon` feature by default. Apply the following patch to disable it: `oc patch multiclusterengines.multicluster.openshift.io multiclusterengine --type=merge --patch-file ./disable-cluster-proxy-addon.json`. 9. Create the `observabilityNS.yaml`. 10. Create the pull-secret. There are two methods to create the pull-secret: - - The pull-secret multiclusterhub-operator-pull-secret can be automatically created by the ACM policy in pull-secret-copy.yaml. If secret multiclusterhub-operator-pull-secret exists in open-cluster-management, the policy copy it to ns open-cluster-management-observability. If the previous command returns an empty value, then copy secret pull-secret from ns openshift-config. + - The pull-secret multiclusterhub-operator-pull-secret can be automatically created by the ACM policy in pullSecretPolicy.yaml. If secret multiclusterhub-operator-pull-secret exists in open-cluster-management, the policy copy it to ns open-cluster-management-observability. If the previous command returns an empty value, then copy secret pull-secret from ns openshift-config. - If you want to use your own pull-secret, you may update the value of .dockerconfigjson in observabilitySecret.yaml. 11. Create the `observabilityOBC.yaml`. 12. The Thanos secret will be automatically created by the ACM Policy - in `thanosSecret.yaml`. + in `thanosSecretPolicy.yaml`. - The `bucket` and the `endpoint` are copied from the ConfigMap that the OBC automatically creates in its namespace. The policy pulls the bucket name and host from the fields `BUCKET_NAME` diff --git a/telco-hub/configuration/reference-crs/required/acm/thanosSecretMCSB.yaml b/telco-hub/configuration/reference-crs/required/acm/thanosSecretMCSB.yaml new file mode 100644 index 000000000..ac9c6337f --- /dev/null +++ b/telco-hub/configuration/reference-crs/required/acm/thanosSecretMCSB.yaml 
@@ -0,0 +1,11 @@
+---
+apiVersion: cluster.open-cluster-management.io/v1beta2
+kind: ManagedClusterSetBinding
+metadata:
+ name: default
+ namespace: hub-policies
+ annotations:
+ argocd.argoproj.io/sync-wave: "8"
+ argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+spec:
+ clusterSet: default
diff --git a/telco-hub/configuration/reference-crs/required/acm/thanosSecretNS.yaml b/telco-hub/configuration/reference-crs/required/acm/thanosSecretNS.yaml
new file mode 100644
index 000000000..91117b368
--- /dev/null
+++ b/telco-hub/configuration/reference-crs/required/acm/thanosSecretNS.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: hub-policies
diff --git a/telco-hub/configuration/reference-crs/required/acm/thanosSecretPlacement.yaml b/telco-hub/configuration/reference-crs/required/acm/thanosSecretPlacement.yaml
new file mode 100644
index 000000000..a54b3c0d1
--- /dev/null
+++ b/telco-hub/configuration/reference-crs/required/acm/thanosSecretPlacement.yaml
@@ -0,0 +1,18 @@
+---
+apiVersion: cluster.open-cluster-management.io/v1beta1
+kind: Placement
+metadata:
+ name: obs-thanos-pl
+ namespace: hub-policies
+ annotations:
+ argocd.argoproj.io/sync-wave: "9"
+ argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+spec:
+ predicates:
+ - requiredClusterSelector:
+ labelSelector:
+ matchExpressions:
+ - key: name
+ operator: In
+ values:
+ - local-cluster
diff --git a/telco-hub/configuration/reference-crs/required/acm/thanosSecretPlacementBinding.yaml b/telco-hub/configuration/reference-crs/required/acm/thanosSecretPlacementBinding.yaml
new file mode 100644
index 000000000..50ea1e136
--- /dev/null
+++ b/telco-hub/configuration/reference-crs/required/acm/thanosSecretPlacementBinding.yaml
@@ -0,0 +1,17 @@ +--- +apiVersion: policy.open-cluster-management.io/v1 +kind: PlacementBinding +metadata: + name: obs-thanos-binding + namespace: hub-policies + annotations: + argocd.argoproj.io/sync-wave: "9" + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +placementRef: + name: obs-thanos-pl + apiGroup: cluster.open-cluster-management.io + kind: Placement +subjects: + - name: obs-thanos-secret + apiGroup: policy.open-cluster-management.io + kind: Policy diff --git a/telco-hub/configuration/reference-crs/required/acm/thanosSecret.yaml b/telco-hub/configuration/reference-crs/required/acm/thanosSecretPolicy.yaml similarity index 53% rename from telco-hub/configuration/reference-crs/required/acm/thanosSecret.yaml rename to telco-hub/configuration/reference-crs/required/acm/thanosSecretPolicy.yaml index da1bcfe94..3593aaa98 100644 --- a/telco-hub/configuration/reference-crs/required/acm/thanosSecret.yaml +++ b/telco-hub/configuration/reference-crs/required/acm/thanosSecretPolicy.yaml @@ -1,11 +1,3 @@ -# This content creates a policy which copies the necessary data from -# the generated Object Bucket Claim into the necessary secret for -# observability to connect to thanos. ---- -apiVersion: v1 -kind: Namespace -metadata: - name: hub-policies --- apiVersion: policy.open-cluster-management.io/v1 kind: Policy 
@@ -60,68 +52,3 @@ spec: ($awsAccess.data.AWS_ACCESS_KEY_ID | base64dec) ($awsAccess.data.AWS_SECRET_ACCESS_KEY | base64dec) ) | base64enc }} ---- -apiVersion: cluster.open-cluster-management.io/v1beta1 -kind: Placement -metadata: - name: obs-thanos-pl - namespace: hub-policies - annotations: - argocd.argoproj.io/sync-wave: "9" - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - predicates: - - requiredClusterSelector: - labelSelector: - matchExpressions: - - key: name - operator: In - values: - - local-cluster ---- -apiVersion: policy.open-cluster-management.io/v1 -kind: PlacementBinding -metadata: - name: obs-thanos-binding - namespace: hub-policies - annotations: - argocd.argoproj.io/sync-wave: "9" - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -placementRef: - name: obs-thanos-pl - apiGroup: cluster.open-cluster-management.io - kind: Placement -subjects: - - name: obs-thanos-secret - apiGroup: policy.open-cluster-management.io - kind: Policy ---- -apiVersion: cluster.open-cluster-management.io/v1beta2 -kind: ManagedClusterSetBinding -metadata: - name: default - namespace: hub-policies - annotations: - argocd.argoproj.io/sync-wave: "8" - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - clusterSet: default - -# For reference this is the secret which is being generated (with -# approriate values in the fields): -# --- -# apiVersion: v1 -# kind: Secret -# metadata: -# name: thanos-object-storage -# namespace: open-cluster-management-observability -# type: Opaque -# stringData: -# thanos.yaml: | -# type: s3 -# config: -# bucket: "" -# endpoint: "" -# insecure: true -# access_key: "" -# secret_key: "" From dee2308160cbcb6e30bcfcdb5e93679f15796ae8 Mon Sep 17 00:00:00 2001 
From: jmontesi Date: Mon, 7 Jul 2025 10:59:03 +0200 Subject: [PATCH 10/15] Address review comments --- .../ReferenceVersionCheck.yaml | 2 +- .../reference-crs-kube-compare/default_value.yaml | 5 +++++ .../optional/quay/quayNS.yaml | 7 ------- .../optional/quay/quayOperatorGroup.yaml | 12 ------------ .../optional/quay/quaySubscription.yaml | 12 ------------ .../required/acm/acmAgentServiceConfig.yaml | 12 +++--------- .../required/acm/observabilityMCO.yaml | 10 +++++----- .../required/acm/acmAgentServiceConfig.yaml | 14 +++++++------- 8 files changed, 21 insertions(+), 53 deletions(-) delete mode 100644 telco-hub/configuration/reference-crs-kube-compare/optional/quay/quayNS.yaml delete mode 100644 telco-hub/configuration/reference-crs-kube-compare/optional/quay/quayOperatorGroup.yaml delete mode 100644 telco-hub/configuration/reference-crs-kube-compare/optional/quay/quaySubscription.yaml diff --git a/telco-hub/configuration/reference-crs-kube-compare/ReferenceVersionCheck.yaml b/telco-hub/configuration/reference-crs-kube-compare/ReferenceVersionCheck.yaml index 492fc7e7f..47d938237 100644 --- a/telco-hub/configuration/reference-crs-kube-compare/ReferenceVersionCheck.yaml +++ b/telco-hub/configuration/reference-crs-kube-compare/ReferenceVersionCheck.yaml @@ -5,4 +5,4 @@ metadata: name: version status: desired: - version: {{ template "versionMatch" (list .status.desired.version "4.18") }} + version: {{ template "versionMatch" (list .status.desired.version "4.19") }} diff --git a/telco-hub/configuration/reference-crs-kube-compare/default_value.yaml b/telco-hub/configuration/reference-crs-kube-compare/default_value.yaml index 556148f24..104140615 100644 --- a/telco-hub/configuration/reference-crs-kube-compare/default_value.yaml +++ b/telco-hub/configuration/reference-crs-kube-compare/default_value.yaml 
@@ -126,6 +126,11 @@ required_acm_observabilityMCO: availabilityConfig: Basic storageConfig: storageClass: example-storage-class + alertmanagerStorageSize: 10Gi + compactStorageSize: 100Gi + receiveStorageSize: 10Gi + ruleStorageSize: 30Gi + storeStorageSize: 100Gi required_acm_observabilityOBC: - spec: diff --git a/telco-hub/configuration/reference-crs-kube-compare/optional/quay/quayNS.yaml b/telco-hub/configuration/reference-crs-kube-compare/optional/quay/quayNS.yaml deleted file mode 100644 index 1d16fecc4..000000000 --- a/telco-hub/configuration/reference-crs-kube-compare/optional/quay/quayNS.yaml +++ /dev/null @@ -1,7 +0,0 @@ ---- -apiVersion: v1 -kind: Namespace -metadata: - labels: - openshift.io/cluster-monitoring: "true" - name: quay-enterprise diff --git a/telco-hub/configuration/reference-crs-kube-compare/optional/quay/quayOperatorGroup.yaml b/telco-hub/configuration/reference-crs-kube-compare/optional/quay/quayOperatorGroup.yaml deleted file mode 100644 index eb920a873..000000000 --- a/telco-hub/configuration/reference-crs-kube-compare/optional/quay/quayOperatorGroup.yaml +++ /dev/null @@ -1,12 +0,0 @@ ---- -apiVersion: operators.coreos.com/v1 -kind: OperatorGroup -metadata: - name: quay-operator - namespace: quay-enterprise -spec: - targetNamespaces: - - quay-enterprise - {{- if .spec.upgradeStrategy }} - upgradeStrategy: Default - {{- end }} diff --git a/telco-hub/configuration/reference-crs-kube-compare/optional/quay/quaySubscription.yaml b/telco-hub/configuration/reference-crs-kube-compare/optional/quay/quaySubscription.yaml deleted file mode 100644 index e589d7a22..000000000 --- a/telco-hub/configuration/reference-crs-kube-compare/optional/quay/quaySubscription.yaml +++ /dev/null 
@@ -1,12 +0,0 @@ ---- -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: quay-operator - namespace: quay-enterprise -spec: - sourceNamespace: openshift-marketplace - source: {{ .spec.source }} - channel: stable-3.12 # should match latest version - installPlanApproval: Automatic - name: quay-operator diff --git a/telco-hub/configuration/reference-crs-kube-compare/required/acm/acmAgentServiceConfig.yaml b/telco-hub/configuration/reference-crs-kube-compare/required/acm/acmAgentServiceConfig.yaml index 629b01fef..561e46913 100644 --- a/telco-hub/configuration/reference-crs-kube-compare/required/acm/acmAgentServiceConfig.yaml +++ b/telco-hub/configuration/reference-crs-kube-compare/required/acm/acmAgentServiceConfig.yaml @@ -30,13 +30,7 @@ spec: storage: {{ .spec.imageStorage.resources.requests.storage }} mirrorRegistryRef: name: mirror-registry-config - {{- if .spec.osImages }} osImages: - # Replace with the address of the local web server that stores the RHCOS images. - # The images can be downloaded from "https://mirror.openshift.com/pub/openshift-v4/x86_64/dependencies/rhcos/". - - cpuArchitecture: "x86_64" - openshiftVersion: "4.18" - rootFSUrl: {{ (index .spec.osImages 0).rootFSUrl }} - url: {{ (index .spec.osImages 0).url }} - version: {{ (index .spec.osImages 0).version }} - {{- end }} + # Replace with the address of the local web server that stores the RHCOS images. + # The images can be downloaded from "https://mirror.openshift.com/pub/openshift-v4/x86_64/dependencies/rhcos/". + {{- .spec.osImages | toYaml | nindent 4 }} diff --git a/telco-hub/configuration/reference-crs-kube-compare/required/acm/observabilityMCO.yaml b/telco-hub/configuration/reference-crs-kube-compare/required/acm/observabilityMCO.yaml index ad476e551..c78371751 100644 --- a/telco-hub/configuration/reference-crs-kube-compare/required/acm/observabilityMCO.yaml +++ b/telco-hub/configuration/reference-crs-kube-compare/required/acm/observabilityMCO.yaml 
@@ -32,14 +32,14 @@ spec: interval: 300 storageConfig: storageClass: {{ .spec.storageConfig.storageClass }} - alertmanagerStorageSize: 10Gi - compactStorageSize: 100Gi + alertmanagerStorageSize: {{ .spec.storageConfig.alertmanagerStorageSize }} + compactStorageSize: {{ .spec.storageConfig.compactStorageSize }} metricObjectStorage: key: thanos.yaml name: thanos-object-storage - receiveStorageSize: 10Gi - ruleStorageSize: 30Gi - storeStorageSize: 100Gi + receiveStorageSize: {{ .spec.storageConfig.receiveStorageSize }} + ruleStorageSize: {{ .spec.storageConfig.ruleStorageSize }} + storeStorageSize: {{ .spec.storageConfig.storeStorageSize }} # In addition to these storage settings, the `metricObjectStorage` # points to an Object Storage. Under the reference configuration, # scale and retention the estimated object storage is about 101Gi diff --git a/telco-hub/configuration/reference-crs/required/acm/acmAgentServiceConfig.yaml b/telco-hub/configuration/reference-crs/required/acm/acmAgentServiceConfig.yaml index 3ec0b576b..87194d68e 100644 --- a/telco-hub/configuration/reference-crs/required/acm/acmAgentServiceConfig.yaml +++ b/telco-hub/configuration/reference-crs/required/acm/acmAgentServiceConfig.yaml 
@@ -31,10 +31,10 @@ spec: mirrorRegistryRef: name: mirror-registry-config osImages: - # Replace with the address of the local web server that stores the RHCOS images. - # The images can be downloaded from "https://mirror.openshift.com/pub/openshift-v4/x86_64/dependencies/rhcos/". - - cpuArchitecture: "x86_64" - openshiftVersion: "4.18" - rootFSUrl: http:///rhcos-4.18.0-x86_64-live-rootfs.x86_64.img - url: http:///rhcos-4.18.0-x86_64-live.x86_64.iso - version: 418.94.202502100215-0 + # Replace with the address of the local web server that stores the RHCOS images. + # The images can be downloaded from "https://mirror.openshift.com/pub/openshift-v4/x86_64/dependencies/rhcos/". + - cpuArchitecture: x86_64 + openshiftVersion: "4.18" + rootFSUrl: http:///rhcos-4.18.0-x86_64-live-rootfs.x86_64.img + url: http:///rhcos-4.18.0-x86_64-live.x86_64.iso + version: 418.94.202502100215-0 From 094ec1d159df616eb665b0811fa03f5a2006f62b Mon Sep 17 00:00:00 2001 From: jmontesi Date: Tue, 15 Jul 2025 15:05:33 +0200 Subject: [PATCH 11/15] Changes to align with main branch update to 4.19 --- .../acm/acmMirrorRegistryCM-patch.yaml | 1 + .../default_value.yaml | 12 +++- .../reference-crs-kube-compare/metadata.yaml | 1 + .../required/acm/acmAgentServiceConfig.yaml | 8 ++- .../required/acm/acmMCE.yaml | 62 +++++++++++++++++++ .../required/acm/observabilityMCO.yaml | 2 + .../required/acm/acmAgentServiceConfig.yaml | 34 +++++----- .../reference-crs/required/acm/acmMCE.yaml | 1 + 8 files changed, 102 insertions(+), 19 deletions(-) create mode 100644 telco-hub/configuration/reference-crs-kube-compare/required/acm/acmMCE.yaml diff --git a/telco-hub/configuration/example-overlays-config/acm/acmMirrorRegistryCM-patch.yaml b/telco-hub/configuration/example-overlays-config/acm/acmMirrorRegistryCM-patch.yaml index dce34e277..4aa744dbf 100644 --- a/telco-hub/configuration/example-overlays-config/acm/acmMirrorRegistryCM-patch.yaml 
+++ b/telco-hub/configuration/example-overlays-config/acm/acmMirrorRegistryCM-patch.yaml @@ -1,3 +1,4 @@ +--- - op: replace path: /data/ca-bundle.crt value: | diff --git a/telco-hub/configuration/reference-crs-kube-compare/default_value.yaml b/telco-hub/configuration/reference-crs-kube-compare/default_value.yaml index 104140615..d6234cd4c 100644 --- a/telco-hub/configuration/reference-crs-kube-compare/default_value.yaml +++ b/telco-hub/configuration/reference-crs-kube-compare/default_value.yaml @@ -166,11 +166,21 @@ required_acm_acmAgentServiceConfig: mirrorRegistryRef: name: mirror-registry-config osImages: + - cpuArchitecture: "x86_64" + openshiftVersion: "4.17" + rootFSUrl: http:///rhcos-4.17.0-x86_64-live-rootfs.x86_64.img + url: http:///rhcos-4.17.0-x86_64-live.x86_64.iso + version: "417.94.202409121747-0" - cpuArchitecture: "x86_64" openshiftVersion: "4.18" rootFSUrl: http:///rhcos-4.18.0-x86_64-live-rootfs.x86_64.img url: http:///rhcos-4.18.0-x86_64-live.x86_64.iso - version: 418.94.202502100215-0 + version: "418.94.202502100215-0" + - cpuArchitecture: "x86_64" + openshiftVersion: "4.19" + rootFSUrl: http:///rhcos-4.19.0-x86_64-live-rootfs.x86_64.img + url: http:///rhcos-4.19.0-x86_64-live-iso.x86_64.iso + version: "9.6.20250530-0" osImageVersion: {} required_acm_acmMirrorRegistryCM: diff --git a/telco-hub/configuration/reference-crs-kube-compare/metadata.yaml b/telco-hub/configuration/reference-crs-kube-compare/metadata.yaml index 1cb47bdb5..2243bf73b 100644 --- a/telco-hub/configuration/reference-crs-kube-compare/metadata.yaml +++ b/telco-hub/configuration/reference-crs-kube-compare/metadata.yaml @@ -50,6 +50,7 @@ parts: - path: required/acm/acmOperGroup.yaml - path: required/acm/acmSubscription.yaml - path: required/acm/acmMCH.yaml + - path: required/acm/acmMCE.yaml - path: required/acm/acmMCSB.yaml config: ignore-unspecified-fields: true 
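Review bot: The `osImages` entries added for 4.17 and 4.19 under `required_acm_acmAgentServiceConfig` keep the `http://` scheme for both `rootFSUrl` and `url`, so the defaults steer users toward fetching the RHCOS live ISO and rootfs over a transport with no server authentication or integrity protection. These are the images hosts boot from, and nothing visible in the hunk would detect a substituted file. If the local web server can serve TLS, the samples could use `https://` (for example `url: https://<mirror-host>/rhcos-4.19.0-x86_64-live-iso.x86_64.iso`, host shown as a placeholder), or the entries could at least carry a comment such as `# Prefer https for these URLs; plain http gives no integrity protection for the boot image.` Whether the assisted service trusts the server's CA from `mirror-registry-config` is not shown here and should be confirmed before switching the scheme.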
diff --git a/telco-hub/configuration/reference-crs-kube-compare/required/acm/acmAgentServiceConfig.yaml b/telco-hub/configuration/reference-crs-kube-compare/required/acm/acmAgentServiceConfig.yaml index 561e46913..6175f7333 100644 --- a/telco-hub/configuration/reference-crs-kube-compare/required/acm/acmAgentServiceConfig.yaml +++ b/telco-hub/configuration/reference-crs-kube-compare/required/acm/acmAgentServiceConfig.yaml @@ -33,4 +33,10 @@ spec: osImages: # Replace with the address of the local web server that stores the RHCOS images. # The images can be downloaded from "https://mirror.openshift.com/pub/openshift-v4/x86_64/dependencies/rhcos/". - {{- .spec.osImages | toYaml | nindent 4 }} + {{- range .spec.osImages }} + - cpuArchitecture: {{ .cpuArchitecture | quote }} + openshiftVersion: {{ .openshiftVersion | quote }} + rootFSUrl: {{ .rootFSUrl }} + url: {{ .url }} + version: {{ .version | quote }} + {{- end }} diff --git a/telco-hub/configuration/reference-crs-kube-compare/required/acm/acmMCE.yaml b/telco-hub/configuration/reference-crs-kube-compare/required/acm/acmMCE.yaml new file mode 100644 index 000000000..254f97186 --- /dev/null +++ b/telco-hub/configuration/reference-crs-kube-compare/required/acm/acmMCE.yaml 
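Review bot: `rootFSUrl: {{ .rootFSUrl }}` and `url: {{ .url }}` in the new `range` body are rendered unquoted, while the three sibling fields are piped through `quote`. A URL that contains ` #` or `: ` would be read back as a comment or a nested mapping, so the rendered reference could differ from the live CR for reasons that have nothing to do with drift. I would write `rootFSUrl: {{ .rootFSUrl | quote }}` and `url: {{ .url | quote }}`. The re-indent of this block in PATCH 12/15 leaves the same two lines unquoted.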
@@ -0,0 +1,62 @@
+---
+apiVersion: multicluster.openshift.io/v1
+kind: MultiClusterEngine
+metadata:
+ annotations:
+ argocd.argoproj.io/sync-wave: "5"
+ argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+ name: multiclusterengine
+spec:
+ availabilityConfig: High
+ overrides:
+ components:
+ - configOverrides: {}
+ enabled: true
+ name: local-cluster
+ - configOverrides: {}
+ enabled: true
+ name: assisted-service
+ - configOverrides: {}
+ enabled: true
+ name: cluster-lifecycle
+ - configOverrides: {}
+ enabled: true
+ name: cluster-manager
+ - configOverrides: {}
+ enabled: true
+ name: discovery
+ - configOverrides: {}
+ enabled: true
+ name: hive
+ - configOverrides: {}
+ enabled: true
+ name: server-foundation
+ - configOverrides: {}
+ enabled: true
+ name: cluster-proxy-addon
+ - configOverrides: {}
+ enabled: true
+ name: hypershift-local-hosting
+ - configOverrides: {}
+ enabled: true
+ name: hypershift
+ - configOverrides: {}
+ enabled: true
+ name: managedserviceaccount
+ - configOverrides: {}
+ enabled: false
+ name: cluster-api-preview
+ - configOverrides: {}
+ enabled: false
+ name: cluster-api-provider-aws-preview
+ - configOverrides: {}
+ enabled: true
+ name: image-based-install-operator
+ - configOverrides: {}
+ enabled: true
+ name: console-mce
+ targetNamespace: multicluster-engine
+ tolerations:
+ - effect: NoSchedule
+ key: node-role.kubernetes.io/infra
+ operator: Exists
diff --git a/telco-hub/configuration/reference-crs-kube-compare/required/acm/observabilityMCO.yaml b/telco-hub/configuration/reference-crs-kube-compare/required/acm/observabilityMCO.yaml
index c78371751..12a7b0976 100644
--- a/telco-hub/configuration/reference-crs-kube-compare/required/acm/observabilityMCO.yaml
+++ b/telco-hub/configuration/reference-crs-kube-compare/required/acm/observabilityMCO.yaml
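Review bot: The component entry `name: cluster-proxy-addon` is pinned to `enabled: true`, but step 8 of the ACM readme in this series tells the user to patch the MultiClusterEngine to disable that feature. A hub that followed the readme would then be reported as deviating from the reference, while a hub that left the proxy add-on running would pass, which looks like the opposite of the intended posture. If the readme is authoritative, that entry should read `enabled: false`; otherwise readme step 8 needs updating. The index line shows the same blob as `reference-crs/required/acm/acmMCE.yaml`, so the reference CR presumably carries the same value and would need the matching change.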
@@ -35,6 +35,8 @@ spec: alertmanagerStorageSize: {{ .spec.storageConfig.alertmanagerStorageSize }} compactStorageSize: {{ .spec.storageConfig.compactStorageSize }} metricObjectStorage: + # buckets storage should provide a capacity + # of at least 2.5TB key: thanos.yaml name: thanos-object-storage receiveStorageSize: {{ .spec.storageConfig.receiveStorageSize }} diff --git a/telco-hub/configuration/reference-crs/required/acm/acmAgentServiceConfig.yaml b/telco-hub/configuration/reference-crs/required/acm/acmAgentServiceConfig.yaml index e50c4abc2..c696ad28d 100644 --- a/telco-hub/configuration/reference-crs/required/acm/acmAgentServiceConfig.yaml +++ b/telco-hub/configuration/reference-crs/required/acm/acmAgentServiceConfig.yaml 
@@ -31,20 +31,20 @@ spec: mirrorRegistryRef: name: mirror-registry-config osImages: - # Replace with the address of the local web server that stores the RHCOS images. - # The images can be downloaded from "https://mirror.openshift.com/pub/openshift-v4/x86_64/dependencies/rhcos/". - - cpuArchitecture: "x86_64" - openshiftVersion: "4.17" - rootFSUrl: http:///rhcos-4.17.0-x86_64-live-rootfs.x86_64.img - url: http:///rhcos-4.17.0-x86_64-live.x86_64.iso - version: "417.94.202409121747-0" - - cpuArchitecture: "x86_64" - openshiftVersion: "4.18" - rootFSUrl: http:///rhcos-4.18.0-x86_64-live-rootfs.x86_64.img - url: http:///rhcos-4.18.0-x86_64-live.x86_64.iso - version: "418.94.202502100215-0" - - cpuArchitecture: "x86_64" - openshiftVersion: "4.19" - rootFSUrl: http:///rhcos-4.19.0-x86_64-live-rootfs.x86_64.img - url: http:///rhcos-4.19.0-x86_64-live-iso.x86_64.iso - version: "9.6.20250530-0" + # Replace with the address of the local web server that stores the RHCOS images. + # The images can be downloaded from "https://mirror.openshift.com/pub/openshift-v4/x86_64/dependencies/rhcos/". + - cpuArchitecture: "x86_64" + openshiftVersion: "4.17" + rootFSUrl: http:///rhcos-4.17.0-x86_64-live-rootfs.x86_64.img + url: http:///rhcos-4.17.0-x86_64-live.x86_64.iso + version: "417.94.202409121747-0" + - cpuArchitecture: "x86_64" + openshiftVersion: "4.18" + rootFSUrl: http:///rhcos-4.18.0-x86_64-live-rootfs.x86_64.img + url: http:///rhcos-4.18.0-x86_64-live.x86_64.iso + version: "418.94.202502100215-0" + - cpuArchitecture: "x86_64" + openshiftVersion: "4.19" + rootFSUrl: http:///rhcos-4.19.0-x86_64-live-rootfs.x86_64.img + url: http:///rhcos-4.19.0-x86_64-live-iso.x86_64.iso + version: "9.6.20250530-0" diff --git a/telco-hub/configuration/reference-crs/required/acm/acmMCE.yaml b/telco-hub/configuration/reference-crs/required/acm/acmMCE.yaml index d9bdeafb8..254f97186 100644 --- a/telco-hub/configuration/reference-crs/required/acm/acmMCE.yaml 
+++ b/telco-hub/configuration/reference-crs/required/acm/acmMCE.yaml @@ -1,3 +1,4 @@ +--- apiVersion: multicluster.openshift.io/v1 kind: MultiClusterEngine metadata: From dbf34cd8e2c37f83a3e6b15413f90993c157f112 Mon Sep 17 00:00:00 2001 From: jmontesi Date: Sun, 20 Jul 2025 17:11:01 +0200 Subject: [PATCH 12/15] Avoid modifying the reference CRs as much as possible --- .../default_value.yaml | 45 +++++++------------ .../reference-crs-kube-compare/metadata.yaml | 9 +++- .../optional/logging/clusterLogNS.yaml | 6 +++ .../optional/lso/lsoLocalVolume.yaml | 4 +- .../optional/lso/lsoOperatorGroup.yaml | 2 +- .../optional/odf-internal/storageCluster.yaml | 19 ++++++-- .../required/acm/acmAgentServiceConfig.yaml | 18 ++++---- .../required/acm/acmMirrorRegistryCM.yaml | 10 ++++- .../required/acm/observabilitySecret.yaml | 5 ++- .../optional/logging/clusterLogNS.yaml | 2 + .../optional/lso/lsoLocalVolume.yaml | 4 +- .../optional/lso/lsoOperatorGroup.yaml | 2 +- .../optional/odf-internal/storageCluster.yaml | 12 ++--- .../required/acm/acmAgentServiceConfig.yaml | 40 ++++++++--------- .../required/acm/acmMirrorRegistryCM.yaml | 24 ++-------- .../required/acm/observabilityMCO.yaml | 2 +- .../required/acm/observabilitySecret.yaml | 1 + .../required/acm/thanosSecretPolicy.yaml | 19 ++++++++ 18 files changed, 124 insertions(+), 100 deletions(-) diff --git a/telco-hub/configuration/reference-crs-kube-compare/default_value.yaml b/telco-hub/configuration/reference-crs-kube-compare/default_value.yaml index d6234cd4c..60f7c3b74 100644 --- a/telco-hub/configuration/reference-crs-kube-compare/default_value.yaml +++ b/telco-hub/configuration/reference-crs-kube-compare/default_value.yaml 
@@ -50,10 +50,10 @@ optional_lso_lsoLocalVolume: nodeSelector: nodeSelectorTerms: - matchExpressions: - - key: cluster.ocs.openshift.io/openshift-storage - operator: In - values: - - "" + - key: cluster.ocs.openshift.io/openshift-storage + operator: In + values: + - "" storageClassDevices: - storageClassName: "local-sc" forceWipeDevicesAndDestroyAllData: true @@ -125,7 +125,7 @@ required_acm_observabilityMCO: - spec: availabilityConfig: Basic storageConfig: - storageClass: example-storage-class + storageClass: " # your-fs-storageclass-here" alertmanagerStorageSize: 10Gi compactStorageSize: 100Gi receiveStorageSize: 10Gi @@ -143,21 +143,21 @@ required_acm_acmAgentServiceConfig: argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true spec: databaseStorage: - storageClassName: example-storage-class + storageClassName: " # your-fs-storageclass-here" accessModes: - ReadWriteOnce resources: requests: storage: 20Gi filesystemStorage: - storageClassName: example-storage-class + storageClassName: " # your-fs-storageclass-here" accessModes: - ReadWriteOnce resources: requests: storage: 20Gi imageStorage: - storageClassName: example-storage-class + storageClassName: " # your-fs-storageclass-here" accessModes: - ReadWriteOnce resources: 
@@ -201,99 +201,84 @@ required_acm_acmMirrorRegistryCM: [[registry]] prefix = "" location = "quay.io/openshift-release-dev" - [[registry.mirror]] location = "/openshift-release-dev" pull-from-mirror = "digest-only" - [[registry]] prefix = "" location = "quay.io/openshift-release-dev/ocp-release" - [[registry.mirror]] location = "/openshift-release-dev/ocp-release" pull-from-mirror = "digest-only" - [[registry]] prefix = "" location = "quay.io/openshift-release-dev/ocp-v4.0-art-dev" - [[registry.mirror]] location = "/openshift-release-dev/ocp-v4.0-art-dev" pull-from-mirror = "digest-only" - [[registry]] prefix = "" location = "registry.redhat.io/multicluster-engine" - [[registry.mirror]] location = "/multicluster-engine" pull-from-mirror = "digest-only" - [[registry]] prefix = "" location = "registry.redhat.io/odf4" - [[registry.mirror]] location = "/odf4" pull-from-mirror = "digest-only" - [[registry]] prefix = "" location = "registry.redhat.io/openshift4" - [[registry.mirror]] location = "/openshift4" pull-from-mirror = "digest-only" - [[registry]] prefix = "" location = "registry.redhat.io/rhacm2" - [[registry.mirror]] location = "/rhacm2" pull-from-mirror = "digest-only" - [[registry]] prefix = "" location = "registry.redhat.io/rhceph" - [[registry.mirror]] location = "/rhceph" pull-from-mirror = "digest-only" - [[registry]] prefix = "" location = "registry.redhat.io/rhel8" - [[registry.mirror]] location = "/rhel8" pull-from-mirror = "digest-only" - [[registry]] prefix = "" location = "registry.redhat.io/rhel9" - [[registry.mirror]] location = "/rhel9" pull-from-mirror = "digest-only" - [[registry]] prefix = "" location = "registry.redhat.io/ubi8" - [[registry.mirror]] location = "/ubi8" pull-from-mirror = "tag-only" required_acm_observabilitySecret: - data: - .dockerconfigjson: '' # Value provided by user or by pull-secret-openshift-config-copy policy + # Value provided by user or by pull-secret-openshift-config-copy policy + .dockerconfigjson: '' 
required_talm_talmSubscription: - spec: source: redhat-operators-disconnected +optional_logging_clusterLogNS: +- metadata: + annotations: + workload.openshift.io/allowed: management + optional_logging_clusterLogSubscription: - spec: source: redhat-operators-disconnected diff --git a/telco-hub/configuration/reference-crs-kube-compare/metadata.yaml b/telco-hub/configuration/reference-crs-kube-compare/metadata.yaml index ab3247f73..3d88b26c6 100644 --- a/telco-hub/configuration/reference-crs-kube-compare/metadata.yaml +++ b/telco-hub/configuration/reference-crs-kube-compare/metadata.yaml @@ -4,7 +4,7 @@ parts: - name: version-check description: |- A mismatch here means you may be using the wrong reference. - This reference was designed for OpenShift 4.18. + This reference was designed for OpenShift 4.19. components: - name: version-check allOf: @@ -102,6 +102,10 @@ fieldsToOmit: - pathToKey: metadata.annotations."olm.providedAPIs" - pathToKey: metadata.annotations."argocd.argoproj.io" isPrefix: true + - pathToKey: metadata.annotations."installer.multicluster.openshift.io" + isPrefix: true + - pathToKey: metadata.annotations."installer.open-cluster-management.io" + isPrefix: true - pathToKey: metadata.labels."kubernetes.io/metadata.name" - pathToKey: metadata.labels."security.openshift.io/scc.podSecurityLabelSync" - pathToKey: metadata.labels."operators.coreos.com/local-storage-operator.openshift-local-storage" @@ -115,6 +119,9 @@ fieldsToOmit: - pathToKey: metadata.labels."olm.operatorgroup.uid" isPrefix: true - pathToKey: metadata.labels."app.kubernetes.io/instance" + - pathToKey: metadata.labels."installer.name" + - pathToKey: metadata.labels."installer.namespace" + - pathToKey: metadata.labels."multiclusterhubs.operator.open-cluster-management.io/managed-by" - pathToKey: metadata.creationTimestamp - pathToKey: metadata.finalizers - pathToKey: metadata.generation 
diff --git a/telco-hub/configuration/reference-crs-kube-compare/optional/logging/clusterLogNS.yaml b/telco-hub/configuration/reference-crs-kube-compare/optional/logging/clusterLogNS.yaml index f13ffef9b..bcfc99edf 100644 --- a/telco-hub/configuration/reference-crs-kube-compare/optional/logging/clusterLogNS.yaml +++ b/telco-hub/configuration/reference-crs-kube-compare/optional/logging/clusterLogNS.yaml @@ -3,3 +3,9 @@ apiVersion: v1 kind: Namespace metadata: name: openshift-logging +{{- if .metadata.annotations }} + annotations: +{{- range $key, $value := .metadata.annotations }} + {{ $key }}: {{ $value }} +{{- end }} +{{- end }} diff --git a/telco-hub/configuration/reference-crs-kube-compare/optional/lso/lsoLocalVolume.yaml b/telco-hub/configuration/reference-crs-kube-compare/optional/lso/lsoLocalVolume.yaml index 03ef7355a..b0977e14b 100644 --- a/telco-hub/configuration/reference-crs-kube-compare/optional/lso/lsoLocalVolume.yaml +++ b/telco-hub/configuration/reference-crs-kube-compare/optional/lso/lsoLocalVolume.yaml @@ -2,7 +2,7 @@ apiVersion: "local.storage.openshift.io/v1" kind: "LocalVolume" metadata: - name: {{ .metadata.name }} + name: {{ .metadata.name | quote }} namespace: "openshift-local-storage" annotations: argocd.argoproj.io/sync-wave: "-3" @@ -16,7 +16,7 @@ spec: {{- end }} storageClassDevices: {{- range .spec.storageClassDevices }} - - storageClassName: {{ .storageClassName }} + - storageClassName: {{ .storageClassName | quote }} forceWipeDevicesAndDestroyAllData: true {{- if or (eq .volumeMode "Block") (eq .volumeMode "Filesystem") }} volumeMode: {{ .volumeMode }} diff --git a/telco-hub/configuration/reference-crs-kube-compare/optional/lso/lsoOperatorGroup.yaml b/telco-hub/configuration/reference-crs-kube-compare/optional/lso/lsoOperatorGroup.yaml index 3c2bbc7a8..2fcf19740 100644 --- a/telco-hub/configuration/reference-crs-kube-compare/optional/lso/lsoOperatorGroup.yaml 
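Review bot: The `range` over `.metadata.annotations` added to clusterLogNS.yaml copies back whatever annotations the live Namespace carries, so the template cannot report a missing or changed `workload.openshift.io/allowed: management`, the annotation the reference CR gains in this same patch. Pinning it as a literal line under `annotations:` (`workload.openshift.io/allowed: management`) would make the comparison check something; how the entry added to default_value.yaml interacts with this is not visible in the hunk. If the loop stays, `{{ $key }}: {{ $value }}` should become `{{ $key }}: {{ $value | quote }}`, because an annotation value such as `true` would otherwise render as a YAML boolean rather than a string.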
+++ b/telco-hub/configuration/reference-crs-kube-compare/optional/lso/lsoOperatorGroup.yaml @@ -8,7 +8,7 @@ metadata: namespace: openshift-local-storage spec: targetNamespaces: - - openshift-local-storage + - openshift-local-storage {{- if .spec.upgradeStrategy }} upgradeStrategy: Default {{- end }} diff --git a/telco-hub/configuration/reference-crs-kube-compare/optional/odf-internal/storageCluster.yaml b/telco-hub/configuration/reference-crs-kube-compare/optional/odf-internal/storageCluster.yaml index 7312e4489..8ec1f1228 100644 --- a/telco-hub/configuration/reference-crs-kube-compare/optional/odf-internal/storageCluster.yaml +++ b/telco-hub/configuration/reference-crs-kube-compare/optional/odf-internal/storageCluster.yaml @@ -11,7 +11,13 @@ spec: manageNodes: false {{- if .spec.resources }} resources: - {{- .spec.resources | toYaml | nindent 4 }} + mds: + limits: + cpu: {{ .spec.resources.mds.limits.cpu | quote }} + memory: {{ .spec.resources.mds.limits.memory | quote }} + requests: + cpu: {{ .spec.resources.mds.requests.cpu | quote }} + memory: {{ .spec.resources.mds.requests.memory | quote }} {{- end }} monDataDirHostPath: /var/lib/rook storageDeviceSets: 
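Review bot: In storageCluster.yaml the guard `{{- if .spec.resources }}` no longer covers what the body dereferences: `.spec.resources.mds.limits.cpu` and its three siblings assume an `mds` entry that has both `limits` and `requests`. A StorageCluster that sets resources only for another component would likely fail to render (a field lookup on a missing map entry) instead of producing a diff, and any entry other than `mds` is now left out of the comparison. Nesting `{{- if .spec.resources.mds }}` inside the existing guard, with a comment saying that only `mds` is compared, would cover the first case. The device-set `resources` block in the next hunk of this file dereferences `.resources.limits` and `.resources.requests` the same way.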
@@ -23,13 +29,18 @@ spec: - ReadWriteOnce resources: requests: - storage: {{ .dataPVCTemplate.spec.resources.requests.storage }} # <-- This should be changed as per storage size. Minimum 100 GiB and Maximum 4 TiB - storageClassName: {{ .dataPVCTemplate.spec.storageClassName }} # match this with the storage block created at the LSO step + storage: {{ .dataPVCTemplate.spec.resources.requests.storage | quote }} # <-- This should be changed as per storage size. Minimum 100 GiB and Maximum 4 TiB + storageClassName: {{ .dataPVCTemplate.spec.storageClassName | quote }} # match this with the storage block created at the LSO step volumeMode: Block name: ocs-deviceset placement: {} portable: false replica: 3 resources: - {{- .resources | toYaml | nindent 6 }} + limits: + cpu: {{ .resources.limits.cpu | quote }} + memory: {{ .resources.limits.memory | quote }} + requests: + cpu: {{ .resources.requests.cpu | quote }} + memory: {{ .resources.requests.memory | quote }} {{- end }} diff --git a/telco-hub/configuration/reference-crs-kube-compare/required/acm/acmAgentServiceConfig.yaml b/telco-hub/configuration/reference-crs-kube-compare/required/acm/acmAgentServiceConfig.yaml index 6175f7333..2c640b01c 100644 --- a/telco-hub/configuration/reference-crs-kube-compare/required/acm/acmAgentServiceConfig.yaml +++ b/telco-hub/configuration/reference-crs-kube-compare/required/acm/acmAgentServiceConfig.yaml 
@@ -31,12 +31,12 @@ spec: mirrorRegistryRef: name: mirror-registry-config osImages: - # Replace with the address of the local web server that stores the RHCOS images. - # The images can be downloaded from "https://mirror.openshift.com/pub/openshift-v4/x86_64/dependencies/rhcos/". - {{- range .spec.osImages }} - - cpuArchitecture: {{ .cpuArchitecture | quote }} - openshiftVersion: {{ .openshiftVersion | quote }} - rootFSUrl: {{ .rootFSUrl }} - url: {{ .url }} - version: {{ .version | quote }} - {{- end }} + # Replace with the address of the local web server that stores the RHCOS images. + # The images can be downloaded from "https://mirror.openshift.com/pub/openshift-v4/x86_64/dependencies/rhcos/". + {{- range .spec.osImages }} + - cpuArchitecture: {{ .cpuArchitecture | quote }} + openshiftVersion: {{ .openshiftVersion | quote }} + rootFSUrl: {{ .rootFSUrl }} + url: {{ .url }} + version: {{ .version | quote }} + {{- end }} diff --git a/telco-hub/configuration/reference-crs-kube-compare/required/acm/acmMirrorRegistryCM.yaml b/telco-hub/configuration/reference-crs-kube-compare/required/acm/acmMirrorRegistryCM.yaml index d72ea3dad..012dbe067 100644 --- a/telco-hub/configuration/reference-crs-kube-compare/required/acm/acmMirrorRegistryCM.yaml +++ b/telco-hub/configuration/reference-crs-kube-compare/required/acm/acmMirrorRegistryCM.yaml @@ -10,4 +10,12 @@ metadata: labels: app: assisted-service data: - {{- .data | toYaml | nindent 2 | replace " \n" "\n" }} +{{- if .data }} + # Add the mirror registry SSL certificate chain up to the CA itself. + ca-bundle.crt: | +{{ index .data "ca-bundle.crt" | trimSuffix "\n" | indent 4 }} + # The registries.conf field has been populated using the registries.conf file found in "/etc/containers/registries.conf" on each node. + # Replace with the mirror registry's address. + registries.conf: | +{{ index .data "registries.conf" | trimSuffix "\n" | indent 4 }} +{{- end }} 
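Review bot: In the kube-compare acmMirrorRegistryCM.yaml both values are copied from the object under comparison (`index .data "ca-bundle.crt"`, `index .data "registries.conf"`), so as written the template agrees with whatever CA chain and mirror locations the cluster carries and cannot flag an unexpected trust anchor or registry redirect. If that pass-through is intended, say so next to the keys, e.g. `# content is site-specific and not validated by this template; review CA chain and mirror locations separately`. The `{{- if .data }}` guard also covers only the map: when one of the two keys is absent, `index` likely yields nil and `trimSuffix` fails instead of producing a diff, so a per-key guard such as `{{- if index .data "ca-bundle.crt" }}` would be safer. The observabilitySecret.yaml hunk that follows uses the same pass-through for `.dockerconfigjson`, which presumably lets an empty pull secret compare clean as well.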
diff --git a/telco-hub/configuration/reference-crs-kube-compare/required/acm/observabilitySecret.yaml b/telco-hub/configuration/reference-crs-kube-compare/required/acm/observabilitySecret.yaml index d2d503af0..2d6300005 100644 --- a/telco-hub/configuration/reference-crs-kube-compare/required/acm/observabilitySecret.yaml +++ b/telco-hub/configuration/reference-crs-kube-compare/required/acm/observabilitySecret.yaml @@ -11,4 +11,7 @@ metadata: namespace: open-cluster-management-observability type: kubernetes.io/dockerconfigjson data: - {{- .data | toYaml | nindent 2 }} +{{- if .data }} + # Value provided by user or by pull-secret-openshift-config-copy policy + .dockerconfigjson: {{ index .data ".dockerconfigjson" | quote }} +{{- end }} diff --git a/telco-hub/configuration/reference-crs/optional/logging/clusterLogNS.yaml b/telco-hub/configuration/reference-crs/optional/logging/clusterLogNS.yaml index f13ffef9b..1fcd5d63d 100644 --- a/telco-hub/configuration/reference-crs/optional/logging/clusterLogNS.yaml +++ b/telco-hub/configuration/reference-crs/optional/logging/clusterLogNS.yaml @@ -3,3 +3,5 @@ apiVersion: v1 kind: Namespace metadata: name: openshift-logging + annotations: + workload.openshift.io/allowed: management diff --git a/telco-hub/configuration/reference-crs/optional/lso/lsoLocalVolume.yaml b/telco-hub/configuration/reference-crs/optional/lso/lsoLocalVolume.yaml index aac023110..cb858673e 100644 --- a/telco-hub/configuration/reference-crs/optional/lso/lsoLocalVolume.yaml +++ b/telco-hub/configuration/reference-crs/optional/lso/lsoLocalVolume.yaml @@ -2,7 +2,7 @@ apiVersion: "local.storage.openshift.io/v1" kind: "LocalVolume" metadata: - name: local-disks + name: "local-disks" namespace: "openshift-local-storage" annotations: argocd.argoproj.io/sync-wave: "-3" @@ -18,7 +18,7 @@ spec: values: - "" storageClassDevices: - - storageClassName: local-sc + - storageClassName: "local-sc" forceWipeDevicesAndDestroyAllData: true volumeMode: Block devicePaths: 
diff --git a/telco-hub/configuration/reference-crs/optional/lso/lsoOperatorGroup.yaml b/telco-hub/configuration/reference-crs/optional/lso/lsoOperatorGroup.yaml index c6b4a9634..18d884503 100644 --- a/telco-hub/configuration/reference-crs/optional/lso/lsoOperatorGroup.yaml +++ b/telco-hub/configuration/reference-crs/optional/lso/lsoOperatorGroup.yaml @@ -8,4 +8,4 @@ metadata: namespace: openshift-local-storage spec: targetNamespaces: - - openshift-local-storage + - openshift-local-storage diff --git a/telco-hub/configuration/reference-crs/optional/odf-internal/storageCluster.yaml b/telco-hub/configuration/reference-crs/optional/odf-internal/storageCluster.yaml index 7236005e9..88b45b951 100644 --- a/telco-hub/configuration/reference-crs/optional/odf-internal/storageCluster.yaml +++ b/telco-hub/configuration/reference-crs/optional/odf-internal/storageCluster.yaml @@ -13,10 +13,10 @@ spec: mds: limits: cpu: "3" - memory: 8Gi + memory: "8Gi" requests: cpu: "3" - memory: 8Gi + memory: "8Gi" monDataDirHostPath: /var/lib/rook storageDeviceSets: - count: 1 # <-- Modify count to desired value. For each set of 3 disks increment the count by 1. @@ -26,8 +26,8 @@ spec: - ReadWriteOnce resources: requests: - storage: 600Gi # <-- This should be changed as per storage size. Minimum 100 GiB and Maximum 4 TiB - storageClassName: local-sc # match this with the storage block created at the LSO step + storage: "600Gi" # <-- This should be changed as per storage size. Minimum 100 GiB and Maximum 4 TiB + storageClassName: "local-sc" # match this with the storage block created at the LSO step volumeMode: Block name: ocs-deviceset placement: {} @@ -36,7 +36,7 @@ spec: resources: limits: cpu: "2" - memory: 5Gi + memory: "5Gi" requests: cpu: "2" - memory: 5Gi + memory: "5Gi" diff --git a/telco-hub/configuration/reference-crs/required/acm/acmAgentServiceConfig.yaml b/telco-hub/configuration/reference-crs/required/acm/acmAgentServiceConfig.yaml index c696ad28d..2a0494d9f 100644 
--- a/telco-hub/configuration/reference-crs/required/acm/acmAgentServiceConfig.yaml +++ b/telco-hub/configuration/reference-crs/required/acm/acmAgentServiceConfig.yaml @@ -8,21 +8,21 @@ metadata: argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true spec: databaseStorage: - storageClassName: example-storage-class + storageClassName: # your-fs-storageclass-here accessModes: - ReadWriteOnce resources: requests: storage: 20Gi filesystemStorage: - storageClassName: example-storage-class + storageClassName: # your-fs-storageclass-here accessModes: - ReadWriteOnce resources: requests: storage: 20Gi imageStorage: - storageClassName: example-storage-class + storageClassName: # your-fs-storageclass-here accessModes: - ReadWriteOnce resources: 
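Review bot: `storageClassName: # your-fs-storageclass-here` parses as a key with a null value, so in the three storage stanzas of acmAgentServiceConfig.yaml an unedited file is still valid YAML, and whether it is rejected or quietly falls back to a default StorageClass depends on the API, which the hunk does not show. The previous `example-storage-class` was at least a value that could not be mistaken for a deliberate choice. Consider making the requirement explicit on the line, e.g. `storageClassName: # REQUIRED: set to your filesystem StorageClass before applying`. The same placeholder style is used for `storageClass:` in the observabilityMCO.yaml hunk further down.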
@@ -31,20 +31,20 @@ spec: mirrorRegistryRef: name: mirror-registry-config osImages: - # Replace with the address of the local web server that stores the RHCOS images. - # The images can be downloaded from "https://mirror.openshift.com/pub/openshift-v4/x86_64/dependencies/rhcos/". - - cpuArchitecture: "x86_64" - openshiftVersion: "4.17" - rootFSUrl: http:///rhcos-4.17.0-x86_64-live-rootfs.x86_64.img - url: http:///rhcos-4.17.0-x86_64-live.x86_64.iso - version: "417.94.202409121747-0" - - cpuArchitecture: "x86_64" - openshiftVersion: "4.18" - rootFSUrl: http:///rhcos-4.18.0-x86_64-live-rootfs.x86_64.img - url: http:///rhcos-4.18.0-x86_64-live.x86_64.iso - version: "418.94.202502100215-0" - - cpuArchitecture: "x86_64" - openshiftVersion: "4.19" - rootFSUrl: http:///rhcos-4.19.0-x86_64-live-rootfs.x86_64.img - url: http:///rhcos-4.19.0-x86_64-live-iso.x86_64.iso - version: "9.6.20250530-0" + # Replace with the address of the local web server that stores the RHCOS images. + # The images can be downloaded from "https://mirror.openshift.com/pub/openshift-v4/x86_64/dependencies/rhcos/". + - cpuArchitecture: "x86_64" + openshiftVersion: "4.17" + rootFSUrl: http:///rhcos-4.17.0-x86_64-live-rootfs.x86_64.img + url: http:///rhcos-4.17.0-x86_64-live.x86_64.iso + version: "417.94.202409121747-0" + - cpuArchitecture: "x86_64" + openshiftVersion: "4.18" + rootFSUrl: http:///rhcos-4.18.0-x86_64-live-rootfs.x86_64.img + url: http:///rhcos-4.18.0-x86_64-live.x86_64.iso + version: "418.94.202502100215-0" + - cpuArchitecture: "x86_64" + openshiftVersion: "4.19" + rootFSUrl: http:///rhcos-4.19.0-x86_64-live-rootfs.x86_64.img + url: http:///rhcos-4.19.0-x86_64-live-iso.x86_64.iso + version: "9.6.20250530-0" diff --git a/telco-hub/configuration/reference-crs/required/acm/acmMirrorRegistryCM.yaml b/telco-hub/configuration/reference-crs/required/acm/acmMirrorRegistryCM.yaml index 77817dca6..669b966d1 100644 --- a/telco-hub/configuration/reference-crs/required/acm/acmMirrorRegistryCM.yaml 
+++ b/telco-hub/configuration/reference-crs/required/acm/acmMirrorRegistryCM.yaml @@ -10,6 +10,7 @@ metadata: labels: app: assisted-service data: + # Add the mirror registry SSL certificate chain up to the CA itself. ca-bundle.crt: | -----BEGIN CERTIFICATE----- MIID7jCCAtagAwXXX... 
@@ -17,92 +18,73 @@ data: -----BEGIN CERTIFICATE----- MIIDvTCCAqWgAwXXX... -----END CERTIFICATE----- + # The registries.conf field has been populated using the registries.conf file found in "/etc/containers/registries.conf" on each node. + # Replace with the mirror registry's address. registries.conf: | unqualified-search-registries = ["registry.access.redhat.com", "docker.io"] [[registry]] prefix = "" location = "quay.io/openshift-release-dev" - [[registry.mirror]] location = "/openshift-release-dev" pull-from-mirror = "digest-only" - [[registry]] prefix = "" location = "quay.io/openshift-release-dev/ocp-release" - [[registry.mirror]] location = "/openshift-release-dev/ocp-release" pull-from-mirror = "digest-only" - [[registry]] prefix = "" location = "quay.io/openshift-release-dev/ocp-v4.0-art-dev" - [[registry.mirror]] location = "/openshift-release-dev/ocp-v4.0-art-dev" pull-from-mirror = "digest-only" - [[registry]] prefix = "" location = "registry.redhat.io/multicluster-engine" - [[registry.mirror]] location = "/multicluster-engine" pull-from-mirror = "digest-only" - [[registry]] prefix = "" location = "registry.redhat.io/odf4" - [[registry.mirror]] location = "/odf4" pull-from-mirror = "digest-only" - [[registry]] prefix = "" location = "registry.redhat.io/openshift4" - [[registry.mirror]] location = "/openshift4" pull-from-mirror = "digest-only" - [[registry]] prefix = "" location = "registry.redhat.io/rhacm2" - [[registry.mirror]] location = "/rhacm2" pull-from-mirror = "digest-only" - [[registry]] prefix = "" location = "registry.redhat.io/rhceph" - [[registry.mirror]] location = "/rhceph" pull-from-mirror = "digest-only" - [[registry]] prefix = "" location = "registry.redhat.io/rhel8" - [[registry.mirror]] location = "/rhel8" pull-from-mirror = "digest-only" - [[registry]] prefix = "" location = "registry.redhat.io/rhel9" - [[registry.mirror]] location = "/rhel9" pull-from-mirror = "digest-only" - [[registry]] prefix = "" location = 
"registry.redhat.io/ubi8" - [[registry.mirror]] location = "/ubi8" pull-from-mirror = "tag-only" diff --git a/telco-hub/configuration/reference-crs/required/acm/observabilityMCO.yaml b/telco-hub/configuration/reference-crs/required/acm/observabilityMCO.yaml index 031741b65..3578fe065 100644 --- a/telco-hub/configuration/reference-crs/required/acm/observabilityMCO.yaml +++ b/telco-hub/configuration/reference-crs/required/acm/observabilityMCO.yaml @@ -31,7 +31,7 @@ spec: enableMetrics: true interval: 300 storageConfig: - storageClass: example-storage-class + storageClass: # your-fs-storageclass-here alertmanagerStorageSize: 10Gi compactStorageSize: 100Gi metricObjectStorage: diff --git a/telco-hub/configuration/reference-crs/required/acm/observabilitySecret.yaml b/telco-hub/configuration/reference-crs/required/acm/observabilitySecret.yaml index dc8f06ea6..b2587bc8f 100644 --- a/telco-hub/configuration/reference-crs/required/acm/observabilitySecret.yaml +++ b/telco-hub/configuration/reference-crs/required/acm/observabilitySecret.yaml @@ -11,4 +11,5 @@ metadata: namespace: open-cluster-management-observability type: kubernetes.io/dockerconfigjson data: + # Value provided by user or by pull-secret-openshift-config-copy policy .dockerconfigjson: "" diff --git a/telco-hub/configuration/reference-crs/required/acm/thanosSecretPolicy.yaml b/telco-hub/configuration/reference-crs/required/acm/thanosSecretPolicy.yaml index f938e1d8a..20ebe3b07 100644 --- a/telco-hub/configuration/reference-crs/required/acm/thanosSecretPolicy.yaml +++ b/telco-hub/configuration/reference-crs/required/acm/thanosSecretPolicy.yaml 
@@ -55,3 +55,22 @@ spec: ($awsAccess.data.AWS_ACCESS_KEY_ID | base64dec) ($awsAccess.data.AWS_SECRET_ACCESS_KEY | base64dec) ) | base64enc }} + +# For reference this is the secret which is being generated (with +# approriate values in the fields): +# --- +# apiVersion: v1 +# kind: Secret +# metadata: +# name: thanos-object-storage +# namespace: open-cluster-management-observability +# type: Opaque +# stringData: +# thanos.yaml: | +# type: s3 +# config: +# bucket: "" +# endpoint: "" +# insecure: true +# access_key: "" +# secret_key: "" From c15a291a3842d615835588e3cea3165311786025 Mon Sep 17 00:00:00 2001 From: jmontesi Date: Thu, 24 Jul 2025 17:21:08 +0200 Subject: [PATCH 13/15] Fix newline --- telco-hub/configuration/reference-crs-kube-compare/Makefile | 2 +- telco-hub/configuration/reference-crs-kube-compare/compare.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/telco-hub/configuration/reference-crs-kube-compare/Makefile b/telco-hub/configuration/reference-crs-kube-compare/Makefile index 1fc3b2d2e..213a4c21c 100644 --- a/telco-hub/configuration/reference-crs-kube-compare/Makefile +++ b/telco-hub/configuration/reference-crs-kube-compare/Makefile @@ -47,4 +47,4 @@ compare: convert .PHONY: sync sync: convert - @./compare.sh --sync "../reference-crs" renderedv1 \ No newline at end of file + @./compare.sh --sync "../reference-crs" renderedv1 diff --git a/telco-hub/configuration/reference-crs-kube-compare/compare.sh b/telco-hub/configuration/reference-crs-kube-compare/compare.sh index 75399d95a..20c0310d3 100755 --- a/telco-hub/configuration/reference-crs-kube-compare/compare.sh +++ b/telco-hub/configuration/reference-crs-kube-compare/compare.sh @@ -172,4 +172,4 @@ if [[ $DOSYNC == 1 ]]; then sync_cr "$RENDERDIR" "$SOURCEDIR" compare_ignore else compare_cr "$RENDERDIR" "$SOURCEDIR" compare_ignore -fi \ No newline at end of file +fi From b064ed7f8d6b5e602dad8f5ceb3f1e45060f43c7 Mon Sep 17 00:00:00 2001 
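Review bot: The reference secret added as a comment in thanosSecretPolicy.yaml documents `insecure: true` without explanation; in the Thanos S3 client configuration that setting selects plain HTTP, so the `access_key`/`secret_key` and the metrics data would reach the object store unencrypted. The template that actually produces the secret sits above the hunk and is not visible here, so confirm whether it hard-codes the same value. If plain HTTP is only a lab default, annotate the line, e.g. `#       insecure: true  # plain HTTP; set to false when the endpoint serves TLS`. The added comment also misspells `appropriate` as `approriate`.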
From: jmontesi Date: Tue, 5 Aug 2025 09:37:35 +0200 Subject: [PATCH 14/15] Disable cluster-proxy-addon in the acmMCE cluster-compare template --- .../reference-crs-kube-compare/required/acm/acmMCE.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/telco-hub/configuration/reference-crs-kube-compare/required/acm/acmMCE.yaml b/telco-hub/configuration/reference-crs-kube-compare/required/acm/acmMCE.yaml index 254f97186..574bda309 100644 --- a/telco-hub/configuration/reference-crs-kube-compare/required/acm/acmMCE.yaml +++ b/telco-hub/configuration/reference-crs-kube-compare/required/acm/acmMCE.yaml @@ -32,7 +32,7 @@ spec: enabled: true name: server-foundation - configOverrides: {} - enabled: true + enabled: false name: cluster-proxy-addon - configOverrides: {} enabled: true From 155be99ff1ec9d89d815269ca79ded59ce0278c2 Mon Sep 17 00:00:00 2001 From: jmontesi Date: Tue, 5 Aug 2025 16:27:46 +0200 Subject: [PATCH 15/15] Rebase changes and CI fixes --- .../reference-crs-kube-compare/compare_ignore | 10 ++++++++++ .../reference-crs-kube-compare/default_value.yaml | 4 ---- .../reference-crs-kube-compare/metadata.yaml | 3 --- .../required/acm/acmMCSB.yaml | 11 ----------- .../required/acm/pullSecretMCSB.yaml | 4 ++-- .../reference-crs/required/acm/acmMCE.yaml | 2 +- .../reference-crs/required/acm/acmMCSB.yaml | 11 ----------- 7 files changed, 13 insertions(+), 32 deletions(-) delete mode 100644 telco-hub/configuration/reference-crs-kube-compare/required/acm/acmMCSB.yaml delete mode 100644 telco-hub/configuration/reference-crs/required/acm/acmMCSB.yaml diff --git a/telco-hub/configuration/reference-crs-kube-compare/compare_ignore b/telco-hub/configuration/reference-crs-kube-compare/compare_ignore index 1a6f8ad75..576cbc374 100644 --- a/telco-hub/configuration/reference-crs-kube-compare/compare_ignore +++ b/telco-hub/configuration/reference-crs-kube-compare/compare_ignore 
@@ -10,6 +10,16 @@ optional/quay/quayOperatorGroup.yaml optional/quay/quaySubscription.yaml # Reference templates not implemented yet: +optional/logging/clusterLogForwarder.yaml +optional/logging/clusterLogServiceAccount.yaml +optional/logging/clusterLogServiceAccountAuditBinding.yaml +optional/logging/clusterLogServiceAccountInfrastructureBinding.yaml +required/registry/catalog-source.yaml +required/registry/idms-operator.yaml +required/registry/idms-release.yaml +required/registry/itms-generic.yaml +required/registry/itms-release.yaml +required/registry/operator-hub.yaml required/gitops/addPluginsPolicy.yaml required/gitops/app-project.yaml required/gitops/argocd-application.yaml diff --git a/telco-hub/configuration/reference-crs-kube-compare/default_value.yaml b/telco-hub/configuration/reference-crs-kube-compare/default_value.yaml index 60f7c3b74..190472d0f 100644 --- a/telco-hub/configuration/reference-crs-kube-compare/default_value.yaml +++ b/telco-hub/configuration/reference-crs-kube-compare/default_value.yaml @@ -107,10 +107,6 @@ required_acm_acmSubscription: - spec: source: redhat-operators-disconnected -required_acm_acmMCH: -- spec: - availabilityConfig: High - required_acm_acmProvisioning: - metadata: annotations: diff --git a/telco-hub/configuration/reference-crs-kube-compare/metadata.yaml b/telco-hub/configuration/reference-crs-kube-compare/metadata.yaml index 69b58e35f..a4f4ebfa7 100644 --- a/telco-hub/configuration/reference-crs-kube-compare/metadata.yaml +++ b/telco-hub/configuration/reference-crs-kube-compare/metadata.yaml @@ -51,9 +51,6 @@ parts: - path: required/acm/acmSubscription.yaml - path: required/acm/acmMCH.yaml - path: required/acm/acmMCE.yaml - - path: required/acm/acmMCSB.yaml - config: - ignore-unspecified-fields: true - path: required/acm/acmProvisioning.yaml config: ignore-unspecified-fields: true 
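Review bot: The entries added to compare_ignore under "Reference templates not implemented yet" include `required/registry/catalog-source.yaml`, the `idms-*`/`itms-*` files and `operator-hub.yaml`, which, judging by their names, describe where release images and operator catalogs are pulled from. Until templates exist for them, the kube-compare reference gives no coverage of that configuration, and the list carries no pointer to follow-up work. A short comment such as `# required/registry/*: image-source configuration, templates tracked in <ISSUE-PLACEHOLDER>` would keep the gap visible.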
diff --git a/telco-hub/configuration/reference-crs-kube-compare/required/acm/acmMCSB.yaml b/telco-hub/configuration/reference-crs-kube-compare/required/acm/acmMCSB.yaml deleted file mode 100644 index 35f4f8d86..000000000 --- a/telco-hub/configuration/reference-crs-kube-compare/required/acm/acmMCSB.yaml +++ /dev/null @@ -1,11 +0,0 @@ ---- -apiVersion: cluster.open-cluster-management.io/v1beta2 -kind: ManagedClusterSetBinding -metadata: - annotations: - argocd.argoproj.io/sync-wave: "4" - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - name: global - namespace: openshift-storage -spec: - clusterSet: global diff --git a/telco-hub/configuration/reference-crs-kube-compare/required/acm/pullSecretMCSB.yaml b/telco-hub/configuration/reference-crs-kube-compare/required/acm/pullSecretMCSB.yaml index 6680ef486..e8dace2d1 100644 --- a/telco-hub/configuration/reference-crs-kube-compare/required/acm/pullSecretMCSB.yaml +++ b/telco-hub/configuration/reference-crs-kube-compare/required/acm/pullSecretMCSB.yaml @@ -5,7 +5,7 @@ metadata: annotations: argocd.argoproj.io/sync-wave: "9" argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - name: global + name: default namespace: open-cluster-management-observability spec: - clusterSet: global + clusterSet: default diff --git a/telco-hub/configuration/reference-crs/required/acm/acmMCE.yaml b/telco-hub/configuration/reference-crs/required/acm/acmMCE.yaml index 254f97186..574bda309 100644 --- a/telco-hub/configuration/reference-crs/required/acm/acmMCE.yaml +++ b/telco-hub/configuration/reference-crs/required/acm/acmMCE.yaml @@ -32,7 +32,7 @@ spec: enabled: true name: server-foundation - configOverrides: {} - enabled: true + enabled: false name: cluster-proxy-addon - configOverrides: {} enabled: true diff --git a/telco-hub/configuration/reference-crs/required/acm/acmMCSB.yaml b/telco-hub/configuration/reference-crs/required/acm/acmMCSB.yaml deleted file mode 100644 index 35f4f8d86..000000000 
--- a/telco-hub/configuration/reference-crs/required/acm/acmMCSB.yaml +++ /dev/null @@ -1,11 +0,0 @@ ---- -apiVersion: cluster.open-cluster-management.io/v1beta2 -kind: ManagedClusterSetBinding -metadata: - annotations: - argocd.argoproj.io/sync-wave: "4" - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - name: global - namespace: openshift-storage -spec: - clusterSet: global