Completed gate

Vault and ESO integration

1. Scoped export token: external Vault export now uses a scoped periodic token, and the export scripts renew it at job start.

2. Kubernetes auth: Vault has one Kubernetes auth mount per OpenShift cluster, so each cluster's ESO login is bounded to its own mount.

3. ESO smoke path: SecretStore/rke2-vault and ExternalSecret/eso-vault-smoke are Ready on all four clusters.
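The three gate items above amount to two checks a job can run before it trusts the smoke path: the export token is periodic, renewable and scoped to the expected policies (renewing it when its TTL is low), and the SecretStore/ExternalSecret pair reports Ready on every cluster. The script below is an added example, not code from the page or the project. It evaluates the JSON shapes that `vault token lookup -format=json` and `kubectl get -o json` return, but every value in it is a constructed sample; the policy name `vault-export-reader` and the renewal threshold are assumptions, since the page does not name them.

```python
"""Gate check for the Vault/ESO smoke path (constructed inputs).

Check 1 inspects the export job's Vault token the way a renew-at-job-start
script would: periodic, renewable, only the expected policies attached, and
renewed when the remaining TTL is below a threshold.
Check 2 confirms that SecretStore/rke2-vault and ExternalSecret/eso-vault-smoke
carry condition Ready=True on every cluster.

The dict shapes mirror `vault token lookup -format=json` and
`kubectl get -o json`; the values are constructed samples, not captured output.
"""
from __future__ import annotations

# Hypothetical policy set for the export token; the page does not name it.
EXPECTED_POLICIES = frozenset({"default", "vault-export-reader"})
RENEW_THRESHOLD_SECONDS = 3600  # assumed: renew when less than an hour remains


def check_export_token(lookup: dict, expected_policies=EXPECTED_POLICIES,
                       threshold: int = RENEW_THRESHOLD_SECONDS) -> tuple[list, bool]:
    """Return (problems, should_renew) for a token-lookup response.

    problems is empty when the token is periodic, renewable and scoped to
    expected_policies; should_renew is True when ttl is below threshold.
    """
    data = lookup.get("data", {})
    problems = []
    if int(data.get("period", 0)) <= 0:      # non-periodic tokens omit "period"
        problems.append("token is not periodic")
    if not data.get("renewable", False):
        problems.append("token is not renewable")
    extra = set(data.get("policies", [])) - set(expected_policies)
    if extra:
        problems.append("unexpected policies attached: " + ", ".join(sorted(extra)))
    should_renew = int(data.get("ttl", 0)) < threshold
    return problems, should_renew


def ready_condition(obj: dict) -> tuple[bool, str]:
    """Return (is_ready, reason) from a Kubernetes object's status.conditions."""
    for cond in obj.get("status", {}).get("conditions", []):
        if cond.get("type") == "Ready":
            return cond.get("status") == "True", cond.get("reason", "")
    return False, "NoReadyCondition"


def eso_smoke_gate(clusters: dict) -> dict:
    """Return {cluster: [failure, ...]} for clusters whose smoke objects are not Ready.

    clusters maps a cluster name to {"SecretStore": obj, "ExternalSecret": obj}.
    An empty result means the gate passes everywhere.
    """
    failures: dict = {}
    for name, objs in clusters.items():
        for kind in ("SecretStore", "ExternalSecret"):
            obj = objs.get(kind)
            if obj is None:
                failures.setdefault(name, []).append(f"{kind} missing")
                continue
            ok, reason = ready_condition(obj)
            if not ok:
                failures.setdefault(name, []).append(f"{kind} not Ready ({reason})")
    return failures


def _obj(kind: str, name: str, status: str, reason: str) -> dict:
    """Build a minimal constructed object with a single Ready condition."""
    return {"kind": kind, "metadata": {"name": name},
            "status": {"conditions": [{"type": "Ready", "status": status, "reason": reason}]}}


# Constructed sample: periodic, correctly scoped token with 30 minutes left.
SAMPLE_TOKEN = {"data": {"period": 86400, "renewable": True, "ttl": 1800,
                         "policies": ["default", "vault-export-reader"]}}
# Constructed sample: non-periodic token carrying a policy it should not have.
SAMPLE_BAD_TOKEN = {"data": {"renewable": True, "ttl": 2764800,
                             "policies": ["default", "vault-export-reader", "root"]}}

# Constructed sample for the four clusters named on the page; spoke-dr's
# ExternalSecret has not synced.
SAMPLE_CLUSTERS = {
    c: {"SecretStore": _obj("SecretStore", "rke2-vault", "True", "Valid"),
        "ExternalSecret": _obj("ExternalSecret", "eso-vault-smoke", "True", "SecretSynced")}
    for c in ("hub-dc", "hub-dr", "spoke-dc")
}
SAMPLE_CLUSTERS["spoke-dr"] = {
    "SecretStore": _obj("SecretStore", "rke2-vault", "True", "Valid"),
    "ExternalSecret": _obj("ExternalSecret", "eso-vault-smoke", "False", "SecretSyncedError"),
}

if __name__ == "__main__":
    problems, renew = check_export_token(SAMPLE_TOKEN)
    print("token problems:", problems or "none", "| renew now:", renew)
    print("bad token problems:", check_export_token(SAMPLE_BAD_TOKEN)[0])
    print("ESO gate failures:", eso_smoke_gate(SAMPLE_CLUSTERS) or "none")
```

In a real job the two sample dicts would be replaced by `json.loads` of the CLI output, and a non-empty `problems` list should stop the export rather than be renewed around: renewing a token that has gained an unexpected policy only extends the problem.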

Readiness framework

Production gate analysis

| Track | Next step | Done signal |
| --- | --- | --- |
| Gate source | Use the production readiness checklist as the local analysis page. | Every gate has an evidence source, owner, remediation path, and accepted risk state. |
| Hub DR | Deferred for the POC per ADR-0005. The POC ships on hub-dc + spoke-dc only. The original gate (backup/image/observability/lifecycle) re-applies when DR work is in scope post-POC. | Resumption signal: explicit decision to re-open DR work; ADR-0005 is revisited. |
| Regional DR | Deferred for the POC per ADR-0005. spoke-dr stays platform standby (ADR-0001) without an active DR drill in POC scope. Drill captures (image pre-pull warmth, Vault role on spoke-dr, runbook activation steps, RTO) re-apply when DR work resumes. | Resumption signal: explicit decision to re-open DR work; ADR-0005 is revisited. |
1. Pre-pull completion: wait for the hub image pre-pull DaemonSet to finish or expose a clear pull failure.

2. Durable mirror: build the DR-reachable image mirror/IDMS path for hub recovery images.

3. Activation preflight: prove backup freshness, hub-dr passive state, dry-run restore manifests, and restate abort criteria.

4. Controlled drill: run hub-dc to hub-dr activation only after gates pass and ownership risk is accepted.
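Step 1 asks the drill to wait for the pre-pull DaemonSet to finish or to surface a clear pull failure, which a plain `kubectl rollout status` wait does not distinguish from a slow pull. The helper below is an added example, not the project's code: it reduces a DaemonSet status and its pods' container states to one of three verdicts so a wait loop can stop early on a pull failure instead of timing out. The field names follow `kubectl get daemonset -o json` and `kubectl get pods -o json`; the DaemonSet counts, pod names and container name `prepull` are constructed samples.

```python
"""Classify an image pre-pull DaemonSet as complete, pull-failed or in-progress.

The dict shapes follow `kubectl get daemonset -o json` and
`kubectl get pods -o json`; all values below are constructed samples.
"""
from __future__ import annotations

# Kubernetes container waiting reasons that mean the image could not be pulled.
PULL_FAILURE_REASONS = frozenset({"ErrImagePull", "ImagePullBackOff", "InvalidImageName"})


def pull_failures(pods: list) -> list:
    """Return 'pod/container: reason' entries for containers stuck on an image pull."""
    out = []
    for pod in pods:
        status = pod.get("status", {})
        statuses = status.get("containerStatuses", []) + status.get("initContainerStatuses", [])
        for cs in statuses:
            reason = cs.get("state", {}).get("waiting", {}).get("reason")
            if reason in PULL_FAILURE_REASONS:
                out.append(f"{pod['metadata']['name']}/{cs.get('name')}: {reason}")
    return out


def prepull_verdict(daemonset: dict, pods: list) -> tuple[str, list]:
    """Return ('complete' | 'pull-failed' | 'in-progress', details).

    complete:    every desired node runs a ready, up-to-date pod.
    pull-failed: at least one pod reports an image pull failure (stop waiting).
    in-progress: anything else; the rollout is still converging.
    """
    st = daemonset.get("status", {})
    desired = st.get("desiredNumberScheduled", 0)
    ready = st.get("numberReady", 0)
    updated = st.get("updatedNumberScheduled", 0)
    failures = pull_failures(pods)
    if failures:
        return "pull-failed", failures
    progress = [f"{ready}/{desired} nodes ready"]
    if desired > 0 and ready == desired and updated == desired:
        return "complete", progress
    return "in-progress", progress


def _pod(name: str, waiting_reason: str | None = None) -> dict:
    """Construct a one-container pod that is either running or waiting."""
    state = {"waiting": {"reason": waiting_reason}} if waiting_reason else {"running": {}}
    return {"metadata": {"name": name},
            "status": {"containerStatuses": [{"name": "prepull", "state": state}]}}


# Constructed samples: a three-node fleet, fully and partially rolled out.
SAMPLE_DS_DONE = {"status": {"desiredNumberScheduled": 3, "numberReady": 3,
                             "updatedNumberScheduled": 3}}
SAMPLE_DS_PARTIAL = {"status": {"desiredNumberScheduled": 3, "numberReady": 2,
                                "updatedNumberScheduled": 3}}
SAMPLE_PODS_OK = [_pod("prepull-a"), _pod("prepull-b"), _pod("prepull-c")]
SAMPLE_PODS_FAILED = [_pod("prepull-a"), _pod("prepull-b"), _pod("prepull-c", "ImagePullBackOff")]

if __name__ == "__main__":
    for ds, pods in ((SAMPLE_DS_DONE, SAMPLE_PODS_OK),
                     (SAMPLE_DS_PARTIAL, SAMPLE_PODS_OK),
                     (SAMPLE_DS_PARTIAL, SAMPLE_PODS_FAILED)):
        verdict, details = prepull_verdict(ds, pods)
        print(verdict, details)
```

A wait loop around this helper polls both objects, exits non-zero on `pull-failed` with the offending pod/container in the log, and only treats `complete` as satisfying the gate; `in-progress` keeps polling until the drill's own timeout.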

Parallel work

Application and platform roadmap

| Track | Next step | Done signal |
| --- | --- | --- |
| ACM Observability | Choose resilient storage for Thanos stateful PVCs. | MultiClusterObservability Ready on both hubs and PVCs no longer depend on lab-local LVMS for production claims. |
| Backup health alerts | Validate the new ACM/OADP alert rules through an alerting cycle. | Failed or stale backups produce visible alert signals before DR drills. |
| Image mirror / pre-pull | Monitor the current pre-pull, then implement the durable mirror/IDMS. | First-start hub-dr pulls no longer depend on public registry latency. |
| Governance PolicySets | Group baseline ACM policies into explicit PolicySets. | Compliance posture is visible by purpose rather than as loose individual policies. |
| Vault / external secrets | Use the completed smoke path as the template for app-specific policies and roles. | Each real app gets a scoped Vault policy and no static app secrets are committed to Git. |
| External dependency policy | Document which external services are allowed in the OCP wiki, and only when they affect OpenShift core operations. | Wiki references stay limited to Vault, backup/object storage, GitOps source, identity, ingress, and approved app onboarding touchpoints. |
| Java/JBoss app | Create workload base, image build, runtime config, and OCP overlay. | App runs on the selected spoke with health checks, secrets through ESO, and a documented OpenShift routing/mesh posture. |
| OSSM 3 onboarding | Select workload namespace and routing model. | Kiali shows app traffic and routes behave as intended. |
| spoke-dr semantics | Decided 2026-05-07: platform standby. Documented in spoke-dr and topology. | Done. Follow-up work is the Regional DR drill row above and the activation runbook in Backup and DR. |
| Wiki maintenance | Update pages after meaningful fleet changes. | Wiki matches CURRENT_STATE.md, ASSESSMENT.md, and TODO.md. |

Work tracking

GitHub issues and project board