Installation Manual - 13 Hub GitOps bootstrap

How the hub-dc-v7 operational GitOps repository is seeded and OpenShift GitOps is bootstrapped from the mirrored catalog.

This chapter installs the first in-cluster GitOps control point for hub-dc-v7.

GitHub remains the planning and documentation source. Operational OpenShift desired state lives inside the environment GitLab.

Target State

Item	Value
GitLab project	`platform/openshift/openshift-gitops`
Local operator clone	`/home/ze/greenfield-ops/openshift-gitops`
Cluster path	`clusters/hub-dc-v7`
OpenShift GitOps operator	`openshift-gitops-operator.v1.20.3`
Operator channel	`latest`
Catalog source	`cs-redhat-operator-index-v4-20`
Root Argo CD app	`hub-dc-v7-bootstrap`
Argo CD namespace	`openshift-gitops`

The GitOps repository starts clean. Do not include old cluster names, old app examples, or any previous tenant/demo workload references.

Repository Structure

The first hub path uses this structure:

clusters/
  hub-dc-v7/
    kustomization.yaml
    bootstrap/
    gitops-control/
    operators/
      openshift-gitops-operator/
    platform/
      catalogs/
      image-mirrors/
scripts/
  bootstrap-hub-dc-v7-gitops.sh

The root clusters/hub-dc-v7/kustomization.yaml initially includes:

platform/image-mirrors
platform/catalogs
operators/openshift-gitops-operator
bootstrap
gitops-control

Later platform operators are added through the same root application.

Image Mirrors And Catalogs

Seed the GitOps repo with the mirror and catalog resources generated by the greenfield oc-mirror baseline:

clusters/hub-dc-v7/platform/image-mirrors/
clusters/hub-dc-v7/platform/catalogs/

Required catalog sources:

cs-redhat-operator-index-v4-20
cs-certified-operator-index-v4-20

Both should point to Quay:

quay.v7.comptech-lab.com/openshift-operators/redhat/redhat-operator-index:v4.20
quay.v7.comptech-lab.com/openshift-operators/redhat/certified-operator-index:v4.20

OperatorGroup Rule

Install OpenShift GitOps in all-namespaces mode:

apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
  name: openshift-gitops-operator
  namespace: openshift-gitops-operator
spec: {}

Do not target only openshift-gitops-operator. The operator does not support own-namespace install mode and will fail with:

UnsupportedOperatorGroup: OwnNamespace InstallModeType not supported

If that happens, fix the OperatorGroup source, remove the failed Subscription/CSV/InstallPlan/OperatorGroup attempt, and rerun the bootstrap.

Bootstrap Script

The first-run script is:

scripts/bootstrap-hub-dc-v7-gitops.sh

Run it from a clone of the operational GitLab repo on the bootstrap VM.

Required environment:

export KUBECONFIG=/home/ze/ocp-greenfield-deployment/artifacts/openshift/hub-dc-v7/auth/kubeconfig
export GITLAB_REPO_USERNAME=svc-greenfield-bootstrap
export GITLAB_REPO_PASSWORD=<redacted>

The password comes from Vault custody. Do not print it, commit it, or place it in shell history.

Run:

./scripts/bootstrap-hub-dc-v7-gitops.sh

The script:

applies image mirror resources;
applies custom operator catalogs;
waits for the Red Hat catalog source;
installs OpenShift GitOps;
waits for the GitOps CSV and default Argo CD server deployment;
creates the private GitLab repository credential in openshift-gitops;
grants the application controller the platform bootstrap permissions;
creates the root application hub-dc-v7-bootstrap.

Root Application

The root application points at:

repoURL: http://gitlab.v7.comptech-lab.com/platform/openshift/openshift-gitops.git
targetRevision: main
path: clusters/hub-dc-v7

It uses automated sync with prune and self-heal:

syncPolicy:
  automated:
    prune: true
    selfHeal: true
  syncOptions:
    - CreateNamespace=true
    - ApplyOutOfSyncOnly=true
    - SkipDryRunOnMissingResource=true
    - ServerSideApply=true

Validation

Validate OpenShift GitOps:

oc get sub -n openshift-gitops-operator
oc get csv -n openshift-gitops-operator
oc get pods -n openshift-gitops
oc get route -n openshift-gitops

Expected state:

subscription state is AtLatestKnown;
openshift-gitops-operator.v1.20.3 is Succeeded;
all OpenShift GitOps pods are Running;
an openshift-gitops-server route exists.

Validate root application:

oc -n openshift-gitops get application.argoproj.io hub-dc-v7-bootstrap \
  -o custom-columns=NAME:.metadata.name,SYNC:.status.sync.status,HEALTH:.status.health.status,REV:.status.sync.revision

Expected state:

hub-dc-v7-bootstrap   Synced   Healthy

The first bootstrap may report an orphan warning for pre-existing resources. Review it, but do not treat it as a failure when the app is Synced, Healthy, and the managed resource list is synced.

Completion State

After this chapter, future hub platform components should be added by Git commits to the operational GitLab repo and reconciled by Argo CD.

Do not continue with one-off oc apply installs except for explicitly approved break-glass remediation.