Summary

Service matrix

| Area | Current state | Notes |
| --- | --- | --- |
| Storage | Hubs are storage-light with LVMS. Spokes retain ODF. | Hub ODF/NooBaa and related stacks were removed; RHACS PVCs remain bound on LVMS. |
| Identity | WSO2 IS removed. Google and htpasswd remain by cluster role. | spoke-dc is Google-only; other clusters retain htpasswd plus Google where recorded. |
| AI | No user AI workloads found. | spoke-dr has the RHOAI operator only; hub-dc has stale-looking RHOAI artifacts. |
| User workload metrics | Enabled only on spokes. | hub-dc and hub-dr are explicitly disabled; spoke-dc and spoke-dr run the user workload monitoring stack. |
| ACM Observability | Enabled on hubs for fleet metrics. | Both hubs are Ready. PVC requests were increased, but the lab still uses the non-resilient lvms-vg1. |
| Tracing | spoke-dc OpenTelemetry collector is healthy. | The inactive bridge exporter was removed from the collector pipelines; the active trace path keeps both Tempo exporters. |
| Image pre-pull | Enabled on hubs as a short-term DR bridge. | openshift-image-prepull warms selected ACM, MCE, GitOps, RHACS, ACM Observability, and OADP images. A durable mirror/IDMS remains an open item. |
| Demo apps | No removable demo apps on spokes. | demo-orders was wiped from desired state. |
| OADP | General daily backups completed in the latest recorded run. | OADP backup health ServiceMonitors and alert rules now exist on all clusters. |
| Vault / external secrets | ESO installed and smoke-wired to external Vault. | All four clusters have a namespace-scoped SecretStore/rke2-vault and a synced smoke ExternalSecret. Real app secrets still need namespace-specific Vault policies and roles. |

Hub observability

ACM Observability placement

Secrets

Vault direction

For this fleet, the selected pattern is to run Vault outside the OpenShift clusters as an HA secrets service, then connect each cluster through its own Kubernetes auth mount, policies, and short-lived roles. The current OpenShift-facing Vault endpoint is vault-rke2.apps.sub.comptech-lab.com.

External Secrets Operator is now installed on all four clusters and smoke-wired through components/platform/external-secrets-vault. The smoke path validates SecretStore/rke2-vault, ExternalSecret/eso-vault-smoke, and target Secret key creation on hub-dc, hub-dr, spoke-dc, and spoke-dr. No Vault token, TokenReview JWT, or application secret value is committed to Git.

Use per-cluster Vaults only when clusters must survive long isolation windows, have separate trust boundaries, or cannot depend on a shared secrets control plane. For real application onboarding, create namespace-specific Vault policies and roles before committing non-secret SecretStore or ExternalSecret references.
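The per-namespace wiring described above, as an added example that is not part of this page or of the fleet's components/platform/external-secrets-vault component: a namespace-scoped SecretStore that authenticates to the external Vault through the cluster's own Kubernetes auth mount, and an ExternalSecret that materialises one key into a Kubernetes Secret. The Vault endpoint and the SecretStore name rke2-vault come from the page; the namespace orders, the auth mount path hub-dc, the Vault role orders-reader, the service account eso-vault, the KV mount secret and the key path orders/db are assumptions for illustration. The matching Vault policy and role (read-only on secret/data/orders/*, bound to the eso-vault service account in the orders namespace, with a short token TTL) are created on the Vault side and are deliberately not part of this manifest. Only references are committed; no token, JWT or secret value appears here.

```yaml
# Namespace-scoped SecretStore: one per application namespace, so a
# compromised namespace can only reach the Vault paths its own role allows.
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: rke2-vault
  namespace: orders            # assumed application namespace
spec:
  provider:
    vault:
      server: https://vault-rke2.apps.sub.comptech-lab.com
      path: secret             # assumed KV v2 mount on the external Vault
      version: v2
      # Trust the cluster's CA bundle for the Vault route; avoid caBundle
      # literals in Git if the CA is rotated out-of-band.
      caProvider:
        type: ConfigMap
        name: openshift-service-ca.crt   # assumed CA ConfigMap in this namespace
        key: service-ca.crt
      auth:
        kubernetes:
          mountPath: hub-dc    # assumed per-cluster Kubernetes auth mount
          role: orders-reader  # assumed Vault role; bound to the SA below
          serviceAccountRef:
            name: eso-vault    # assumed SA; ESO requests a TokenReview JWT for it
---
# ExternalSecret: ESO reads the remote key and owns the resulting Secret.
# The rendered Secret never lives in Git; only this reference does.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: orders-db
  namespace: orders
spec:
  refreshInterval: 1h          # re-read Vault hourly so rotations propagate
  secretStoreRef:
    kind: SecretStore
    name: rke2-vault
  target:
    name: orders-db            # Kubernetes Secret that workloads mount
    creationPolicy: Owner      # ESO deletes the Secret if this object goes away
  data:
    - secretKey: password
      remoteRef:
        key: orders/db         # resolves to secret/data/orders/db on a KV v2 mount
        property: password
```

Applying the two manifests and checking `oc get externalsecret orders-db -n orders` should show the resource Ready once the Vault policy and role exist; a SecretSyncedError status usually means the role is not yet bound to the eso-vault service account or the policy does not cover the requested path.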

Open the dedicated Secrets and Vault page.

Retired or absent

What should not reappear accidentally

Operational note

Source-only app bases

Some app bases may remain in source repositories as templates or retained examples. They are not live workloads unless a cluster overlay includes them. Current rendered spoke overlays do not deploy candidate demo apps.