Installation Manual - 49 OADP operator-only install

How the OADP operator was installed on hub-dc-v7 and spoke-dc-v7 without enabling backup configuration yet.

This gate installed only the Red Hat OADP operator on hub-dc-v7 and spoke-dc-v7. It deliberately did not configure backup storage, schedules, or restore behavior.

Governance

Field          Value
Issue          OP-GF-SPOKEDCV7-36 / #387
Phase          OP-GF-SPOKEDCV7-36
GitOps commit  aa3405a8fdd9d7de59e484c6e990803533a1e27c
Scope          OADP operator-only install
Live path      dl385-2 -> gf-ocp-bootstrap-01 -> v7 kubeconfigs

Allowed resources:

  • Namespace/openshift-adp;
  • OperatorGroup/openshift-adp;
  • Subscription/redhat-oadp-operator.

Not allowed in this gate:

  • ExternalSecret;
  • Secret/cloud-credentials;
  • DataProtectionApplication;
  • BackupStorageLocation;
  • VolumeSnapshotLocation;
  • Schedule;
  • Backup;
  • Restore;
  • OADP NetworkPolicy.

No MinIO object, MinIO IAM, Vault secret, cordon, drain, or storage mutation was made.

Pre-Apply State

Both clusters were healthy before the change:

Cluster      OpenShift  State
hub-dc-v7    4.20.18    nodes Ready, MCPs updated/not degraded, no non-steady ClusterOperators
spoke-dc-v7  4.20.18    nodes Ready, MCPs updated/not degraded, no non-steady ClusterOperators

OADP was absent:

openshift-adp namespace: absent
redhat-oadp-operator Subscription: absent
OADP/Velero CSV: absent
OADP/Velero CRDs: absent

The mirrored Red Hat catalog source was Ready and exposed:

redhat-oadp-operator
channel: stable
CSV: oadp-operator.v1.5.5

The hub PackageManifest selected redhat-operators by default, so the Subscription explicitly pins the mirrored source.

GitOps Shape

Added:

clusters/hub-dc-v7/operators/oadp/
clusters/spoke-dc-v7/operators/oadp/

Each directory contains:

kustomization.yaml
namespace.yaml
operatorgroup.yaml
subscription.yaml

The namespace is labelled for cluster monitoring and sets the Pod Security Admission level to privileged for enforce, audit, and warn:

apiVersion: v1
kind: Namespace
metadata:
  name: openshift-adp
  annotations:
    argocd.argoproj.io/sync-wave: "10"
  labels:
    openshift.io/cluster-monitoring: "true"
    pod-security.kubernetes.io/audit: privileged
    pod-security.kubernetes.io/enforce: privileged
    pod-security.kubernetes.io/warn: privileged

The OperatorGroup is namespace-scoped:

apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
  name: openshift-adp
  namespace: openshift-adp
  annotations:
    argocd.argoproj.io/sync-wave: "10"
spec:
  targetNamespaces:
    - openshift-adp

The Subscription pins the mirrored catalog:

apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: redhat-oadp-operator
  namespace: openshift-adp
  annotations:
    argocd.argoproj.io/sync-wave: "10"
    operatorframework.io/bundle-unpack-timeout: 30m
spec:
  channel: stable
  installPlanApproval: Automatic
  name: redhat-oadp-operator
  source: cs-redhat-operator-index-v4-20
  sourceNamespace: openshift-marketplace
  startingCSV: oadp-operator.v1.5.5

Validation

Render checks:

oc kustomize clusters/hub-dc-v7
oc kustomize clusters/spoke-dc-v7
oc kustomize clusters/hub-dc-v7/operators/oadp
oc kustomize clusters/spoke-dc-v7/operators/oadp
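
An added example, not taken from the GitOps repository described here: a shell gate that reads the `oc kustomize` output and fails unless it renders exactly the three allowed resources, with the Subscription pinned to the mirrored catalog. The function and variable names are assumptions, and the parser handles only the plain block-style YAML that kustomize emits.

```shell
#!/bin/sh
# Added example (helper names are hypothetical): gate the rendered OADP
# manifests against this page's allowed-resource list and catalog pin.
# Usage: oc kustomize clusters/hub-dc-v7/operators/oadp | check_oadp_gate
ALLOWED='Namespace/openshift-adp
OperatorGroup/openshift-adp
Subscription/redhat-oadp-operator'   # kept in C-locale sort order
MIRROR_SOURCE='cs-redhat-operator-index-v4-20'

# Print "Kind/name" for each YAML document on stdin. Only metadata.name is
# read; a "name:" key under spec or under labels is ignored.
list_resources() {
  awk '
    function emit() { if (kind != "") print kind "/" name; kind = ""; name = ""; inmeta = 0 }
    /^---/        { emit(); next }
    /^kind:/      { kind = $2; next }
    /^metadata:/  { inmeta = 1; next }
    /^[^ #]/      { inmeta = 0 }
    inmeta && /^  name:/ && name == "" { name = $2 }
    END           { emit() }
  '
}

# Return 0 only if stdin renders exactly the allowed set and the Subscription
# pins the mirrored catalog source; report each violation on stderr.
check_oadp_gate() {
  rendered=$(cat)
  found=$(printf '%s\n' "$rendered" | list_resources | LC_ALL=C sort)
  src=$(printf '%s\n' "$rendered" | awk '/^  source:/ { print $2 }')
  rc=0
  if [ "$found" != "$ALLOWED" ]; then
    echo "gate FAILED: rendered resources differ from the allowed set" >&2
    printf '%s\n' "$found" | grep -vxF "$ALLOWED" | sed 's/^/  not allowed: /' >&2
    printf '%s\n' "$ALLOWED" | grep -vxF "$found" | sed 's/^/  missing: /' >&2
    rc=1
  fi
  if [ "$src" != "$MIRROR_SOURCE" ]; then
    echo "gate FAILED: Subscription source '$src' is not $MIRROR_SOURCE" >&2
    rc=1
  fi
  return $rc
}
```

Because the comparison is an exact match on the allowed set, any resource outside it (for example a rendered `Secret/cloud-credentials` or `DataProtectionApplication`) fails the gate without needing a separate deny list.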

Argo final state:

Application                             Sync    Health   Revision
hub-dc-v7-bootstrap                     Synced  Healthy  aa3405a8fdd9d7de59e484c6e990803533a1e27c
hub parent spoke-dc-v7-cluster-config   Synced  Healthy  aa3405a8fdd9d7de59e484c6e990803533a1e27c
spoke-local spoke-dc-v7-cluster-config  Synced  Healthy  aa3405a8fdd9d7de59e484c6e990803533a1e27c

Hub OADP result:

Subscription: AtLatestKnown
installedCSV: oadp-operator.v1.5.5
InstallPlan: Complete
CSV: Succeeded
controller-manager pod: 1/1 Running

Spoke OADP result:

Subscription: AtLatestKnown
installedCSV: oadp-operator.v1.5.5
InstallPlan: Complete
CSV: Succeeded
controller-manager pod: 1/1 Running

The operator created the OADP and Velero CRDs on both clusters, including:

dataprotectionapplications.oadp.openshift.io
backupstoragelocations.velero.io
volumesnapshotlocations.velero.io
schedules.velero.io
backups.velero.io
restores.velero.io

The following remain absent by design:

DataProtectionApplication
BackupStorageLocation
VolumeSnapshotLocation
Schedule
Backup
Restore

Cluster health stayed steady: no non-steady ClusterOperators were reported, and MCPs remained updated and not degraded.

Next Gate

The next gate should configure credentials and the DPA, still without enabling backup schedules:

OP-GF-SPOKEDCV7-37: OADP credential and DPA preflight/apply

That gate must:

  • decide the v7 cloud-credentials shape without printing MinIO key values;
  • create or template the cloud INI body safely through ESO/Vault;
  • apply one DPA per cluster;
  • validate BSL availability;
  • validate actual Velero pod-to-MinIO reachability;
  • run ad hoc backup validation before any schedule is enabled.