Use GitOps as the fleet contract. Live edits should either be deliberate break-glass fixes or short-lived remediation that is reconciled back into desired state.
Repositories
| Path | Role | Notes |
|---|---|---|
| lab-gitops/ | Platform desired state | Operators, storage, ACM, OADP, service mesh, ESO wiring, policies, dashboards, cluster overlays, and platform cleanup commits. |
| lab-workloads/ | Application workload source | Non-platform app bases. Source-only bases are inert until a cluster overlay references them. |
| lab-gitops/ | Bootstrap context | Bootstrap-only reference copied from ocp-bootstrap. Do not treat it as the live desired-state source. |
Argo CD
Root application on hub-dc reconciles the platform repo and ApplicationSets.
Each cluster has a cluster-config Application. Local spoke Argo status is authoritative for managed-pull spoke apps.
hub-dc-workloads points at lab-workloads and deploys only referenced workload overlays. The ApplicationSet matches spoke-dc only — spoke-dr is platform standby (decision 2026-05-07) and opts in deliberately via the activation runbook. Workload Applications use traditional push-based delivery (hub Argo on hub-dc registers spoke-dc as a destination cluster and pushes via RHACM cluster-proxy) per ADR-0006, which supersedes ADR-0003 for the POC. Argo CD Agent is the documented future-migration path.
Current repo facts
demo-orders was removed from lab-workloads; inactive non-core app middleware fixtures were removed from OpenShift desired state.
components/platform/acm-observability; its object-store Secret remains local-only.
open-cluster-management-observability and openshift-image-prepull as trusted platform namespaces.
cluster-monitoring-config are ignored by Argo so the operator can own Alertmanager/external label wiring while GitOps still disables hub user workload monitoring.
components/platform/hub-image-prepull warms selected hub recovery images but does not replace durable image mirroring.
components/platform/external-secrets-vault defines the non-secret OpenShift side of the external Vault integration: service accounts, TokenReview RBAC, SecretStore/rke2-vault, and the smoke ExternalSecret.
lab-gitops/CHANGELOG.md must be updated when desired-state changes occur.
Validation
oc kustomize lab-gitops/clusters/hub-dc
oc kustomize lab-gitops/clusters/hub-dr
oc kustomize lab-gitops/clusters/spoke-dc
oc kustomize lab-gitops/clusters/spoke-dr
oc kustomize lab-workloads/clusters/spoke-dc
oc kustomize lab-workloads/clusters/spoke-dr
For live validation, check Argo CD sync and health on the specific cluster that owns the Application. Avoid assuming the hub-side status artifact is authoritative for managed-pull spokes.
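An added example (not part of the lab repos) that wraps the render checks above in one pre-merge script: it fails on any overlay that does not render and, as an assumption drawn from the local-only Secret note, on any rendered plain `kind: Secret`. The function names, the `RENDER` override and the `--run` switch are hypothetical.

```shell
#!/bin/sh
# Added example: offline render gate for the cluster overlays listed on this page.
# RENDER is the render command; overriding it is a hypothetical hook for testing.
RENDER="${RENDER:-oc kustomize}"

# Overlay paths copied from the Validation list.
OVERLAYS="lab-gitops/clusters/hub-dc
lab-gitops/clusters/hub-dr
lab-gitops/clusters/spoke-dc
lab-gitops/clusters/spoke-dr
lab-workloads/clusters/spoke-dc
lab-workloads/clusters/spoke-dr"

# check_overlay DIR
# Returns 0 if DIR renders cleanly, 1 if rendering fails,
# 2 if the rendered output contains a plain Secret object.
check_overlay() {
    dir=$1
    out=$($RENDER "$dir" 2>/dev/null) || { echo "FAIL render $dir"; return 1; }
    # Anchor the match so ExternalSecret and SecretStore are not counted.
    # Assumption: desired state should carry no plain Secrets (they stay local-only).
    n=$(printf '%s\n' "$out" | grep -c '^kind: Secret$' || true)
    if [ "$n" -gt 0 ]; then
        echo "FAIL $dir renders $n plain Secret object(s)"
        return 2
    fi
    echo "OK   $dir"
}

# validate_all: check every overlay, keep going after a failure, return 1 if any failed.
validate_all() {
    failed=0
    for d in $OVERLAYS; do
        check_overlay "$d" || failed=1
    done
    return "$failed"
}

# Run from the directory that contains both repos: sh validate-overlays.sh --run
if [ "${1:-}" = "--run" ]; then
    validate_all
fi
```

This only proves the overlays render; sync and health still have to be read from the Argo CD instance that owns each Application.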