Architecture

Recommended GitOps layout

Layer                   | Repository or platform               | Expected artifacts
Application source      | New app repo or workload source tree | Java/JBoss code, Maven or Gradle build, Containerfile, unit tests.
Workload desired state  | lab-workloads/                       | Namespace, Deployment, Service, ConfigMap, runtime Secret reference, health probes, route or mesh resources.
Platform desired state  | lab-gitops-full/                     | Only shared platform prerequisites, policy, operators, or cluster-level resources.
Kafka platform          | RKE2 Kafka                           | App-specific KafkaUser, ACLs, topic policy, cluster CA distribution, runtime SCRAM credentials.

Kafka readiness

Current finding

Working

RKE2 DC Kafka is healthy. Direct TCP/TLS connections with SNI to the RKE2 node IPs and to the HAProxy IP on port 443 succeed from both spokes.

Blocked

bootstrap.kafka.apps.sub.comptech-lab.com and broker-*.kafka.apps.sub.comptech-lab.com do not resolve yet. The external listener on port 9094 is not reachable.

bootstrap.servers=bootstrap.kafka.apps.sub.comptech-lab.com:443
security.protocol=SASL_SSL
sasl.mechanism=SCRAM-SHA-512

Before deployment

Application checklist

  1. Fix DNS: add explicit records or wildcard DNS for *.kafka.apps.sub.comptech-lab.com to the HAProxy IP.
  2. Create app identity: do not reuse platform Kafka users such as mm2 or redis-applier.
  3. Define topics and ACLs: model least privilege for the app producer and consumer behavior.
  4. Handle secrets safely: runtime credentials must not be committed into Git.
  5. Mount trust: provide the Strimzi cluster CA to the Java trust configuration.
  6. Choose placement: start on spoke-dc, then decide whether spoke-dr is active standby.
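The following is an added example, not code from the lab repositories, showing how checklist items 4 and 5 fit the client configuration above: the three settings from the page are the only ones that belong in Git, and the SCRAM credential and cluster CA are joined in at start-up from mounted files. The secret file names (user, password), the CA path, and the PEM trust-store layout are assumptions.

```python
# Added example: the three settings come from the page; mount paths and
# the secret's file names are assumptions.
import os

REQUIRED = {
    "bootstrap.servers": "bootstrap.kafka.apps.sub.comptech-lab.com:443",
    "security.protocol": "SASL_SSL",
    "sasl.mechanism": "SCRAM-SHA-512",
}
# Keys that carry runtime secrets and therefore must never reach Git.
SECRET_KEYS = ("sasl.jaas.config", "ssl.truststore.password", "ssl.keystore.password")

def parse_properties(text):
    """Minimal Java .properties parser: key=value, '#' or '!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def lint_committed_properties(text):
    """Return findings for a client.properties that is tracked in Git."""
    props = parse_properties(text)
    findings = []
    for key, want in REQUIRED.items():
        if props.get(key) != want:
            findings.append(f"{key} must be {want!r}, got {props.get(key)!r}")
    for key in SECRET_KEYS:
        if key in props:
            findings.append(f"{key} is a runtime secret and must not be committed")
    return findings

def build_runtime_properties(secret_dir, ca_file):
    """Complete the committed config at start-up from a mounted Secret
    (assumed files: user, password) and the Strimzi cluster CA PEM file."""
    with open(os.path.join(secret_dir, "user")) as f:
        user = f.read().strip()
    with open(os.path.join(secret_dir, "password")) as f:
        password = f.read().strip()
    props = dict(REQUIRED)
    props["ssl.truststore.type"] = "PEM"  # Kafka clients >= 2.7 accept a PEM CA
    props["ssl.truststore.location"] = ca_file
    props["sasl.jaas.config"] = (
        "org.apache.kafka.common.security.scram.ScramLoginModule required "
        f'username="{user}" password="{password}";'
    )
    return props
```

Running the lint as a pre-commit or pipeline step on lab-workloads/ catches a committed JAAS line before it reaches Git history.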

Runtime shape

Expected OCP resources