Status

Recorded current state

Role
Passive management restore hub.
ACM/MCE
MCH recorded Running; MCE recorded Available.
GitOps
Uses local hub-dr-cluster-config Application rather than hub-propagated managed pull GitOps.
Restore posture
No active BackupSchedule or Restore should exist during passive state.
Storage
LVMS retained with pinned devices /dev/vdb, /dev/vdc, and /dev/vdd.
User workload metrics
Disabled by cluster-monitoring-config; no user workload monitoring pods should run on this hub.
ACM Observability
Enabled and Ready=True. The previous Grafana image pull blocker is resolved.
Vault / ESO
SecretStore/rke2-vault is Ready=True and ExternalSecret/eso-vault-smoke is synced through the kubernetes-hub-dr Vault auth mount.

Blockers

Before activation

  1. Fresh active-hub backup: prove all critical ACM backup streams meet the agreed RPO.
  2. Image readiness: finish current pre-pull warm-up, then build a durable mirror/IDMS for recovery images.
  3. Dry-run restore: server-side dry-run restore manifests before real activation.
  4. Ownership check: confirm no managed cluster will be dual-owned after activation.

Image risk

Known slow pull classes

Prior recovery exposed slow startup for large ACM/MCE images. A hub pre-pull DaemonSet now exists in openshift-image-prepull as a short-term bridge. The durable fix is still a DR-reachable mirror with IDMS/ITMS, CatalogSource, registry CA, and pull-secret handling committed to desired state.

Validation

Useful read-only checks

export KUBECONFIG=<hub-dr-kubeconfig>
oc -n open-cluster-management get mch
oc get mce
oc -n open-cluster-management-backup get dpa,bsl,backupschedule,restore
oc -n open-cluster-management-observability get pods
oc -n openshift-image-prepull get ds,pods
oc get imagedigestmirrorset,imagetagmirrorset,imagecontentsourcepolicy
oc get ds -A | egrep -i 'pre.?pull|warm|mirror|acm|mce'