Workload base
Create a Java/JBoss app base in lab-workloads with deployment, service, config, health checks, and overlay placement.
spoke-dc is the active workload cluster. It is the likely first target for the Java/JBoss app once workload placement, secrets, routing, and mesh onboarding are ready.
Status
spoke-dc-cluster-config recorded Synced/Healthy from local spoke Argo CD status.localblock topology.lab-dpa reconciled, BSL available, latest daily backup completed in the recorded run.SecretStore/rke2-vault is Ready=True and ExternalSecret/eso-vault-smoke is synced through the kubernetes-spoke-dc Vault auth mount. Existing Argo drift is non-ESO drift in monitoring/Velero resources.Service mesh
servicemeshoperator3.v3.3.2 and kiali-operator.v2.22.2 CSVs recorded Succeeded.Istio/default, IstioCNI/default, and ZTunnel/default recorded healthy.v1.28.5.istio.io/dataplane-mode=ambient for app onboarding.App readiness
Create a Java/JBoss app base in lab-workloads with deployment, service, config, health checks, and overlay placement.
Document external app dependencies only when they affect OpenShift routing, egress, secrets, monitoring, or backup policy.
Use the validated Vault/ESO pattern, but create app-specific Vault policy, role, and ExternalSecret resources before storing app credentials.
Opt the app namespace into ambient only after the workload manifests and routing intent are defined.
Decide whether the app also lands in spoke-dr as hot standby or remains active-only during initial validation.