Installation Manual - 92 Operator readiness and batch execution

Read-only operator readiness, parity audit, install/defer decisions, the consolidated v7 operator batch plan, and the spoke Pipelines, observability foundation, and tracing/mesh executions.

This chapter records the OP-GF-OPERATORS-01 read-only operator-readiness gate for the greenfield v7 clusters. It also carries the OP-GF-OPERATORS-18 v6-to-v7 operator parity addendum, the OP-GF-OPERATORS-19 missing-operator decision, and the OP-GF-OPERATORS-20 batch model.

The completed 2026-05-21 batch closeouts are also published as standalone installation-manual chapters so they are visible from the Greenfield manual index without splitting each batch into separate preflight, installation, validation, and rollback pages:

ChapterScope
110 v7 operator batch modelConsolidated batch model and active/deferred queue.
111 Spoke Pipelines operator batchOP-GF-OPERATORS-21, OpenShift Pipelines operator-only install.
112 Spoke observability foundation operatorsOP-GF-OPERATORS-22, Cluster Observability and NetObserv operator-only install.
113 Spoke tracing and mesh operatorsOP-GF-OPERATORS-23, Tempo, OpenTelemetry, Service Mesh, and Kiali operator-only install.
114 App-platform batch deferralOP-GF-OPERATORS-24, Open Liberty and app-facing CloudNativePG deferral.

The initial readiness gate did not change live cluster state. Later batch sections state their live changes explicitly.

Governance

FieldValue
IssueOP-GF-OPERATORS-01 / #413
MilestoneWorkspace Governance
Governing ADRADR 0016
PredecessorOP-GF-COMPLIANCE-20 / #412

Access Path

All live checks used the established path:

local workspace -> dl385-2 -> gf-ocp-bootstrap-01 -> v7 kubeconfigs

Kubeconfigs on gf-ocp-bootstrap-01:

/home/ze/ocp-greenfield-deployment/artifacts/openshift/hub-dc-v7/auth/kubeconfig
/home/ze/ocp-greenfield-deployment/artifacts/openshift/spoke-dc-v7/auth/kubeconfig

Desired State

The bootstrap GitOps clone was clean and matched the live Argo revision:

repo: /home/ze/greenfield-ops/openshift-gitops
HEAD: 12c68aee6d6a77dfcc197926d4f36594ea224625
status: main...origin/main

Cluster Health

Checkhub-dc-v7spoke-dc-v7
OpenShift4.20.184.20.18
ClusterVersionAvailable, not Progressing, not FailingAvailable, not Progressing, not Failing
Nodes3/3 Ready6/6 Ready
MCPsupdated, not updating, not degradedupdated, not updating, not degraded
ClusterOperatorssteadysteady
Non-running podsnonenone
Pending CSRsnonenone
Argo CDSynced/Healthy at 12c68aee6d6a77dfcc197926d4f36594ea224625Synced/Healthy at 12c68aee6d6a77dfcc197926d4f36594ea224625

Installed Operators

All installed Subscriptions reported AtLatestKnown. No non-complete InstallPlans were found.

Hub operator areas:

Advanced Cluster Management
cert-manager
Compliance Operator
External Secrets Operator
LVMS
Loki Operator
MCE
OADP
OpenShift GitOps
OpenShift Logging
RHACS

Spoke operator areas:

cert-manager
Compliance Operator
External Secrets Operator
File Integrity Operator
Local Storage Operator
Loki Operator
OADP
ODF dependency operators
OpenShift Logging
RHACS secured cluster

Platform Dependencies

OADP is installed and reconciled on both clusters.

ClusterDPABSLSchedule
hub-dc-v7Reconciled=TrueAvailableplatform-resource-daily, enabled
spoke-dc-v7Reconciled=TrueAvailableplatform-resource-daily, enabled

External Secrets stores are Ready/Valid, and no non-ready ExternalSecrets were reported.

Spoke ODF/Ceph/NooBaa, Loki, log forwarding, and RHACS secured cluster are steady.

Compliance State

Hub Compliance Operator state:

ocp4-cis: DONE / COMPLIANT
ocp4-cis-node-master: DONE / COMPLIANT
counts: PASS=162, MANUAL=21, FAIL=0

Spoke Compliance Operator state remains partially non-compliant for known unrelated controls:

PASS=1028
FAIL=432
MANUAL=107

Catalog Finding

The platform is healthy enough for more work, but catalog hygiene is not ready for another operator install.

Both clusters still have:

OperatorHub/cluster spec: {}
default classic sources enabled
external classic CatalogSources READY
external OLM v1 ClusterCatalogs Serving=True

Hub has mirrored OLM v1 cc-* ClusterCatalogs:

cc-certified-operator-index-v4-20
cc-redhat-operator-index-v4-20

Spoke does not currently show mirrored cc-* ClusterCatalogs.

Installed Subscriptions are using mirrored classic cs-* sources, but future PackageManifest resolution is mixed while the external defaults remain available.

Decision

Do not install another operator as the immediate next step.

Selected next gate:

OP-GF-OPERATORS-02: disconnected catalog hygiene and package-source pinning

That gate should make catalog resolution mirror-only and deterministic before another operator install.

First Operator Candidate

After catalog hygiene, the first actual operator candidate is:

Gatekeeper preflight and dry-run-only install design

Gatekeeper is a reasonable governance/security next layer, but it affects admission. It should wait until catalog source resolution is clean and the install plan is dry-run reviewed.

2026-05-21 Parity Addendum

OP-GF-OPERATORS-18 audited whether v7 has the operator shape planned from the retired v6 environment. v6 was not queried live because it is gone; the audit used historical local records for v6 and live read-only checks for hub-dc-v7 and spoke-dc-v7.

No live object, GitOps desired state, VM service, DNS record, HAProxy config, or secret was changed.

Live v7 health at the audit point:

Checkhub-dc-v7spoke-dc-v7
OpenShift4.20.184.20.18
ClusterOperatorssteadysteady
Non-running podsnonenone
OLM InstallPlansno non-complete rowsno non-complete rows
OperatorHub defaultsdisableddisabled
Mirrored classic catalogscs-redhat-operator-index-v4-20, cs-certified-operator-index-v4-20 readycs-redhat-operator-index-v4-20, cs-certified-operator-index-v4-20 ready

Core parity is substantially present:

AreaCurrent v7 state
GitOpsHub subscription installed; spoke GitOps service/application present, without a direct spoke OLM Subscription.
ACM/MCEInstalled on hub; local-cluster and spoke-dc-v7 are Available managed clusters.
StorageHub LVMS Ready; spoke Local Storage plus ODF/NooBaa/Ceph Ready and HEALTH_OK.
BackupOADP installed on hub and spoke with available BSLs and enabled daily schedules.
SecretsExternal Secrets installed on both clusters; Vault stores and ExternalSecrets Ready.
SecurityRHACS Central on hub and SecuredCluster on hub/spoke are Available; Compliance Operator installed; Gatekeeper installed and non-enforcing by design.
LoggingLogging/Loki installed on both clusters with LokiStack and ClusterLogForwarder Ready.
File integrityInstalled on spoke only.

The audit also confirmed that not every first-mirror or catalog-visible operator package is installed in v7. Missing or deferred decision items are:

OpenShift Pipelines
Cluster Observability Operator / ACM observability operand
NetObserv
Tempo
OpenTelemetry
Service Mesh / Kiali / Jaeger
Quay Operator
Container Security Operator
Open Liberty Operator
Kube Descheduler
Security Profiles Operator
CloudNativePG package for application database use
NFD / NVIDIA GPU Operator
OpenShift Virtualization
Serverless
OpenShift AI / RHODS

The result is not an automatic install queue. The next operator gate should decide which missing families are required now, which stay mirrored but deferred, which are replaced by external services, and which should be removed from the active expectation.

Recommended next gate:

OP-GF-OPERATORS-19: v7 missing-operator decision and install/defer plan

2026-05-21 Missing-operator Decision

OP-GF-OPERATORS-19 converted the missing/deferred list into a concrete install/defer plan. No operators were installed or removed in that gate.

The only immediate next install candidate is:

OP-GF-OPERATORS-20: spoke OpenShift Pipelines operator-only install

Guardrails for that future gate:

GuardrailDecision
Targetspoke-dc-v7 only
Sourcemirrored cs-redhat-operator-index-v4-20
Scopeoperator readiness only
Excluded workno Tasks, Pipelines, Triggers, app namespaces, build workloads, or CI/CD credentials
RollbackGitOps-first; do not force-delete Tekton CRDs without a separate cleanup issue

Deferred tracks:

TrackPackages
OP-GF-OBS-01Cluster Observability Operator and NetObserv
OP-GF-TRACE-MESH-01Tempo, OpenTelemetry, Service Mesh, and Kiali
OP-GF-APPPLAT-01Open Liberty and app-facing CloudNativePG
OP-GF-HARDENING-01Kube Descheduler and Security Profiles Operator

Removed or replaced active parity expectations:

PackageDecision
Quay OperatorDo not install for parity; v7 uses external Quay.
Container Security OperatorDo not install for parity; RHACS is the active security control plane.

Kept out of active scope until explicitly reintroduced:

NFD / NVIDIA GPU Operator
OpenShift AI / RHODS
OpenShift Virtualization
Serverless

2026-05-21 Operator Batch Execution Model

OP-GF-OPERATORS-20 changed the remaining operator work into consolidated batches. Each batch now carries its own preflight, GitOps install, validation, rollback or promotion decision, and documentation closeout.

The previous narrow next label, OP-GF-OPERATORS-20: spoke OpenShift Pipelines operator-only install, is superseded by the batch model. The Pipelines install remains the next actual operator action, but it moves to Batch 1:

OP-GF-OPERATORS-21: Batch 1 app delivery foundation - spoke OpenShift Pipelines operator-only

Every operator batch must include:

PhaseRequired outcome
PreflightIssue, milestone, phase, ADR coverage, live health, OADP posture, catalog/package/channel/CSV/image availability, and GitOps render/diff are recorded.
InstallOnly batch-owned GitOps manifests are applied. Scope stays limited to the target cluster and operator family.
ValidationSubscription, InstallPlan, CSV, operator pods, operands, Argo health, ClusterOperators, pods, CSRs, and domain smoke checks are recorded.
Rollback or promotionGitOps rollback path and CRD cleanup boundary are explicit. Forced CRD deletion requires a separate issue.
DocumentationThis page is updated as the single operator-batch record; the operator version-lock reference is updated when package status changes.

Planned batches:

BatchPhaseTargetPackagesGate posture
1OP-GF-OPERATORS-21spoke-dc-v7openshift-pipelines-operator-rhCompleted. Operator-only app delivery foundation; no user workload runs, triggers, app namespaces, build workloads, or CI/CD credentials.
2OP-GF-OPERATORS-22spoke-dc-v7Cluster Observability Operator and NetObservCompleted. Operator-only observability foundation; no FlowCollector, MonitoringStack, UIPlugin, Perses, ACM observability, object storage, retention, or tenant workload operands.
3OP-GF-OPERATORS-23spoke-dc-v7Tempo, OpenTelemetry, Service Mesh, and KialiCompleted. Operator-only tracing and mesh foundation; no TempoStack, OpenTelemetryCollector, ServiceMeshControlPlane, Istio/Sail, Kiali, Jaeger, mesh membership, telemetry pipeline, storage, retention, tenant namespace, or sample app operands.
4OP-GF-OPERATORS-24spoke-dc-v7Open Liberty and app-facing CloudNativePGDeferred by user decision in issue #440; do not treat as the active next batch unless app-platform work is explicitly reintroduced.
5OP-GF-OPERATORS-25hub/spoke after evidenceKube Descheduler and Security Profiles OperatorRequires workload evidence, disruption budgets, profile ownership, and exception process.

Do not include these in the active batch queue unless their domain is explicitly reintroduced:

Quay Operator
Container Security Operator
NFD / NVIDIA GPU Operator
OpenShift AI / RHODS
OpenShift Virtualization
Serverless

2026-05-21 Batch 1: spoke OpenShift Pipelines

OP-GF-OPERATORS-21 installed the Red Hat OpenShift Pipelines operator on spoke-dc-v7 as the first consolidated operator batch.

Governance:

FieldValue
Issue#437 / OP-GF-OPERATORS-21
MilestoneWorkspace Governance
Governing ADRsADR 0016, ADR 0024
Predecessor#436 / OP-GF-OPERATORS-20

Scope:

FieldValue
Targetspoke-dc-v7 only
Packageopenshift-pipelines-operator-rh
Channelpipelines-1.22
CSVopenshift-pipelines-operator-rh.v1.22.0
CatalogSourcecs-redhat-operator-index-v4-20
GitOps commit8c41a86 / Install spoke OpenShift Pipelines operator

The batch remained operator-only from a user workload perspective. It did not create application namespaces, CI/CD credentials, build workloads, PipelineRuns, TaskRuns, TriggerBindings, TriggerTemplates, or EventListeners.

Batch preflight

Preflight used the standard path:

local workspace -> dl385-2 -> gf-ocp-bootstrap-01 -> spoke-dc-v7 kubeconfig

Readiness checks passed before install:

CheckResult
OpenShift4.20.18
ClusterVersionAvailable, not Progressing, not Failing
Nodes3 masters and 3 workers Ready
ClusterOperatorsno non-steady rows
Pending CSRsnone
Existing Pipelines stateno namespace, Subscription, CSV, or Tekton API resources
OADP DPAspoke-dc-v7, Reconciled=True
OADP BSLspoke-dc-v7, Available
OADP scheduleplatform-resource-daily, enabled

The PackageManifest resolved from the mirrored Red Hat catalog with default channel pipelines-1.22 and current CSV openshift-pipelines-operator-rh.v1.22.0. The package supports AllNamespaces install mode.

Related image source prefixes identified for mirror policy:

registry.redhat.io/openshift-pipelines
registry.redhat.io/openshift-serverless-1
registry.redhat.io/rhel9
registry.redhat.io/source-to-image
registry.redhat.io/ubi9

GitOps install

Platform GitOps commit 8c41a86 added:

clusters/spoke-dc-v7/operators/openshift-pipelines-operator/kustomization.yaml
clusters/spoke-dc-v7/operators/openshift-pipelines-operator/subscription.yaml
clusters/spoke-dc-v7/platform/image-mirrors/idms-openshift-pipelines.yaml

It also updated the spoke overlay kustomizations and the platform GitOps CHANGELOG.md.

The Subscription lives in openshift-operators, uses source cs-redhat-operator-index-v4-20, channel pipelines-1.22, and starting CSV openshift-pipelines-operator-rh.v1.22.0.

ImageDigestMirrorSet/idms-openshift-pipelines maps the related Red Hat source prefixes to quay.v7.comptech-lab.com/openshift-operators/*.

GitOps render and server-side dry-run passed before push. The bootstrap clone on gf-ocp-bootstrap-01 was then fast-forwarded to 8c41a86.

Validation

Final validation:

CheckResult
Hub Argo viewhub-dc-v7-bootstrap and spoke-dc-v7-cluster-config Healthy/Synced at 8c41a86ebc59390f0be4aae765dfb17276a11602
Spoke Argo viewspoke-dc-v7-cluster-config Healthy/Synced at 8c41a86ebc59390f0be4aae765dfb17276a11602
IDMSidms-openshift-pipelines present
SubscriptionAtLatestKnown
CSVopenshift-pipelines-operator-rh.v1.22.0, Succeeded
InstallPlanapproved, Complete
TektonConfigconfig, version 1.22.0, Ready=True
Operator podsRunning
openshift-pipelines podsRunning
ClusterVersion4.20.18, Available, not Progressing, not Failing
Non-running podsnone
Pending CSRsnone

All TektonInstallerSet objects reported Ready.

Scope caveat

The operator creates default operator-owned Tekton add-ons. At validation time those included default Task and Pipeline resources owned by TektonInstallerSet objects.

The batch still created no workload runs or trigger entry points:

pipelineruns.tekton.dev: 0
taskruns.tekton.dev: 0
triggerbindings.triggers.tekton.dev: 0
triggertemplates.triggers.tekton.dev: 0
eventlisteners.triggers.tekton.dev: 0

Treat the default Tasks/Pipelines as operator-managed add-ons, not tenant application delivery onboarding.

Promotion decision

Keep the install.

The install is promoted because GitOps is synced, OLM is AtLatestKnown, the CSV is Succeeded, TektonConfig is Ready, operator pods are Running, and spoke cluster health stayed steady.

Rollback, if needed, is GitOps-first:

  1. Remove operators/openshift-pipelines-operator from the spoke overlay.
  2. Remove idms-openshift-pipelines only if no other installed workload depends on those mirror mappings.
  3. Sync and validate OLM/operator pruning.
  4. Do not force-delete Tekton CRDs, the operator-created namespace, or cluster-scoped Tekton objects without a separate cleanup issue.

Next operator batch:

OP-GF-OPERATORS-22: Batch 2 observability foundation - Cluster Observability and NetObserv

2026-05-21 Batch 2: spoke observability foundation operators

OP-GF-OPERATORS-22 installed the Cluster Observability Operator and NetObserv Operator on spoke-dc-v7 as the second consolidated operator batch.

Governance:

FieldValue
Issue#438 / OP-GF-OPERATORS-22
MilestoneWorkspace Governance
Governing ADRsADR 0016, ADR 0024
Predecessor#437 / OP-GF-OPERATORS-21

Scope:

FieldCluster Observability OperatorNetObserv Operator
Targetspoke-dc-v7 onlyspoke-dc-v7 only
Packagecluster-observability-operatornetobserv-operator
Channelstablestable
CSVcluster-observability-operator.v1.4.0network-observability-operator.v1.11.1
Version1.4.01.11.1
Namespaceopenshift-cluster-observability-operatoropenshift-netobserv-operator
CatalogSourcecs-redhat-operator-index-v4-20cs-redhat-operator-index-v4-20
GitOps commitdd6d1da / Install spoke observability foundation operatorsdd6d1da / Install spoke observability foundation operators

The batch intentionally stopped at operator readiness. It did not create FlowCollector, FlowMetric, MonitoringStack, UIPlugin, ObservabilityInstaller, Perses, PersesDashboard, or MultiClusterObservability resources. It also did not introduce object storage, retention policy, flow collection, telemetry tenants, sample applications, tracing, service mesh, or workload onboarding.

Batch preflight

Preflight used the standard path:

local workspace -> dl385-2 -> gf-ocp-bootstrap-01 -> spoke-dc-v7 kubeconfig

Readiness checks passed before install:

CheckResult
OpenShift4.20.18
ClusterVersionAvailable, not Progressing, not Failing
Nodes3 masters and 3 workers Ready
MCPsupdated, not updating, not degraded
ClusterOperatorsno non-steady rows
Non-running podsnone
Pending CSRsnone
OADP DPAspoke-dc-v7, Reconciled=True
OADP BSLspoke-dc-v7, Available
OADP scheduleplatform-resource-daily, enabled; last schedule observed at 2026-05-21T02:45:26Z
Existing target namespacesabsent
Existing target Subscriptionsabsent

The PackageManifests resolved from the mirrored Red Hat catalog:

PackageDefault channelCurrent CSVInstall mode
cluster-observability-operatorstablecluster-observability-operator.v1.4.0AllNamespaces
netobserv-operatorstablenetwork-observability-operator.v1.11.1AllNamespaces

Related image source prefixes identified for spoke mirror policy:

registry.redhat.io/cluster-observability-operator
registry.redhat.io/network-observability
registry.redhat.io/openshift-logging

The hub already had broad mirror mappings for the observability source prefixes. The spoke did not, so Batch 2 added spoke-only mirror policy.

GitOps install

Platform GitOps commit dd6d1da added:

clusters/spoke-dc-v7/operators/cluster-observability-operator/
clusters/spoke-dc-v7/operators/netobserv-operator/
clusters/spoke-dc-v7/platform/image-mirrors/idms-observability-foundation.yaml

It also updated the spoke overlay kustomizations and the platform GitOps CHANGELOG.md.

The new namespaces use sync wave 5. The OperatorGroups and Subscriptions use sync wave 10.

ImageDigestMirrorSet/idms-observability-foundation maps the related Red Hat source prefixes to:

quay.v7.comptech-lab.com/openshift-operators/cluster-observability-operator
quay.v7.comptech-lab.com/openshift-operators/network-observability
quay.v7.comptech-lab.com/openshift-operators/openshift-logging

GitOps render passed. Server-side dry-run passed for the new namespaces and IDMS. A full rendered-stream server-side dry-run hit the expected dry-run limitation where namespaced OperatorGroups and Subscriptions cannot be dry-run created into namespaces that only exist in the same dry-run stream; no live object was changed by that failed full-stream dry-run.

The bootstrap clone on gf-ocp-bootstrap-01 was then fast-forwarded to dd6d1da.

Validation

Final validation:

CheckResult
Hub Argo viewhub-dc-v7-bootstrap and spoke-dc-v7-cluster-config Healthy/Synced at dd6d1da61f01ff01be9069bf34d1be66a8c211d4
Spoke Argo viewspoke-dc-v7-cluster-config Healthy/Synced at dd6d1da61f01ff01be9069bf34d1be66a8c211d4
IDMSidms-observability-foundation present with all three mappings
Cluster Observability SubscriptionAtLatestKnown, installed/current cluster-observability-operator.v1.4.0
NetObserv SubscriptionAtLatestKnown, installed/current network-observability-operator.v1.11.1
Cluster Observability CSVSucceeded, version 1.4.0
NetObserv CSVSucceeded, version 1.11.1
InstallPlansapproved, Complete
Operator podsRunning
Operand resourcesno FlowCollector, FlowMetric, MonitoringStack, UIPlugin, ObservabilityInstaller, Perses, PersesDashboard, or MultiClusterObservability rows
ClusterVersion4.20.18, Available, not Progressing, not Failing
MCPsupdated, not updating, not degraded
ClusterOperatorsno non-steady rows
Non-running podsnone
Pending CSRsnone

Operator pods observed Running:

obo-prometheus-operator
obo-prometheus-operator-admission-webhook
observability-operator
perses-operator
netobserv-controller-manager
netobserv-plugin-static

Promotion decision

Keep the install.

The install is promoted because GitOps is synced, OLM is AtLatestKnown, both CSVs are Succeeded, operator pods are Running, no excluded operands were created, and spoke cluster health stayed steady.

Rollback, if needed, is GitOps-first:

  1. Remove the two Batch 2 operator directories from the spoke overlay.
  2. Remove idms-observability-foundation only if no other installed workload depends on those mirror mappings.
  3. Sync and validate OLM/operator pruning.
  4. Do not force-delete the newly introduced CRDs or operator namespaces without a separate cleanup issue.

Next operator batch:

OP-GF-OPERATORS-23: Batch 3 tracing and mesh - Tempo, OpenTelemetry, Service Mesh, and Kiali

2026-05-21 Batch 3: spoke tracing and mesh operators

OP-GF-OPERATORS-23 installed the Tempo, OpenTelemetry, Service Mesh 3, and Kiali operators on spoke-dc-v7 as the third consolidated operator batch.

Governance:

FieldValue
Issue#439 / OP-GF-OPERATORS-23
MilestoneWorkspace Governance
Governing ADRsADR 0016, ADR 0024
Predecessor#438 / OP-GF-OPERATORS-22

Scope:

FieldTempoOpenTelemetryService Mesh 3Kiali
Targetspoke-dc-v7 onlyspoke-dc-v7 onlyspoke-dc-v7 onlyspoke-dc-v7 only
Packagetempo-productopentelemetry-productservicemeshoperator3kiali-ossm
Channelstablestablestable-3.3stable
CSVtempo-operator.v0.20.0-3opentelemetry-operator.v0.144.0-3servicemeshoperator3.v3.3.2kiali-operator.v2.22.2
Version0.20.0-30.144.0-33.3.22.22.2
Namespaceopenshift-tempo-operatoropenshift-opentelemetry-operatoropenshift-operatorsopenshift-operators
CatalogSourcecs-redhat-operator-index-v4-20cs-redhat-operator-index-v4-20cs-redhat-operator-index-v4-20cs-redhat-operator-index-v4-20
GitOps commit0f08a74 / Install spoke tracing and mesh operators0f08a74 / Install spoke tracing and mesh operators0f08a74 / Install spoke tracing and mesh operators0f08a74 / Install spoke tracing and mesh operators

The batch intentionally stopped at operator readiness. It did not create a TempoStack, TempoMonolithic, OpenTelemetryCollector, OpAMPBridge, TargetAllocator, ServiceMeshControlPlane, ServiceMeshMemberRoll, ServiceMeshMember, Sail Istio, IstioRevision, ztunnel, Kiali, OSSMConsole, Jaeger, sample application, mesh tenant namespace, telemetry pipeline, trace storage, or retention policy.

Batch preflight

Preflight used the standard path:

local workspace -> dl385-2 -> gf-ocp-bootstrap-01 -> spoke-dc-v7 kubeconfig

Readiness checks passed before install:

CheckResult
OpenShift4.20.18
ClusterVersionAvailable, not Progressing, not Failing
Nodes3 masters and 3 workers Ready
MCPsupdated, not updating, not degraded
ClusterOperatorsno non-steady rows
Non-running podsnone after a transient ODF status-reporter ContainerCreating recheck cleared
Pending CSRsnone
OADP DPAspoke-dc-v7, Reconciled=True
OADP BSLspoke-dc-v7, Available
OADP scheduleplatform-resource-daily, enabled; last schedule observed at 2026-05-21T02:45:26Z
Existing target namespacesabsent for Tempo and OpenTelemetry
Existing target Subscriptionsabsent
Existing target operandsabsent

The PackageManifests resolved from the mirrored Red Hat catalog:

PackageDefault channelCurrent CSVInstall mode
tempo-productstabletempo-operator.v0.20.0-3AllNamespaces
opentelemetry-productstableopentelemetry-operator.v0.144.0-3AllNamespaces
servicemeshoperator3stable-3.3servicemeshoperator3.v3.3.2AllNamespaces
kiali-ossmstablekiali-operator.v2.22.2AllNamespaces

Related image source prefixes identified for spoke mirror policy:

registry.redhat.io/rhosdt
registry.redhat.io/openshift4
registry.redhat.io/openshift-service-mesh
registry.redhat.io/openshift-service-mesh-tech-preview

The hub already had broad mirror mappings for these source prefixes. The spoke did not, so Batch 3 added spoke-only mirror policy.

GitOps install

Platform GitOps commit 0f08a74 added:

clusters/spoke-dc-v7/operators/tempo-operator/
clusters/spoke-dc-v7/operators/opentelemetry-operator/
clusters/spoke-dc-v7/operators/service-mesh-operator/
clusters/spoke-dc-v7/operators/kiali-operator/
clusters/spoke-dc-v7/platform/image-mirrors/idms-tracing-mesh.yaml

It also updated the spoke overlay kustomizations and the platform GitOps CHANGELOG.md.

Tempo and OpenTelemetry use dedicated namespaces because their PackageManifest records advertise suggested namespaces. Service Mesh 3 and Kiali use the existing openshift-operators namespace because the PackageManifest records did not advertise a dedicated namespace and both packages support AllNamespaces install mode.

ImageDigestMirrorSet/idms-tracing-mesh maps the related Red Hat source prefixes to:

quay.v7.comptech-lab.com/openshift-operators/rhosdt
quay.v7.comptech-lab.com/openshift-operators/openshift4
quay.v7.comptech-lab.com/openshift-operators/openshift-service-mesh
quay.v7.comptech-lab.com/openshift-operators/openshift-service-mesh-tech-preview

GitOps render passed. Server-side dry-run passed for the new IDMS, the new namespaces, and the existing-namespace Service Mesh and Kiali Subscriptions. As in Batch 2, namespaced OperatorGroups and Subscriptions in namespaces created by the same render stream cannot be fully server-dry-run into not-yet-created namespaces; no live object was changed by that dry-run limitation.

The bootstrap clone on gf-ocp-bootstrap-01 was then fast-forwarded to 0f08a74.

Validation

Final validation:

CheckResult
Hub Argo viewhub-dc-v7-bootstrap and spoke-dc-v7-cluster-config Healthy/Synced at 0f08a74502047e21d74fe6f4eea90d0dd81b780d
Spoke Argo viewspoke-dc-v7-cluster-config Healthy/Synced at 0f08a74502047e21d74fe6f4eea90d0dd81b780d
IDMSidms-tracing-mesh present with all four mappings
Tempo SubscriptionAtLatestKnown, installed/current tempo-operator.v0.20.0-3
OpenTelemetry SubscriptionAtLatestKnown, installed/current opentelemetry-operator.v0.144.0-3
Service Mesh 3 SubscriptionAtLatestKnown, installed/current servicemeshoperator3.v3.3.2
Kiali SubscriptionAtLatestKnown, installed/current kiali-operator.v2.22.2
Tempo CSVSucceeded, version 0.20.0-3
OpenTelemetry CSVSucceeded, version 0.144.0-3
Service Mesh 3 CSVSucceeded, version 3.3.2
Kiali CSVSucceeded, version 2.22.2
InstallPlansapproved, Complete
Operator podsRunning
Operand resourcesno Tempo, OpenTelemetry collector, mesh control plane/member, Sail/Istio, Kiali, OSSMConsole, or Jaeger operands
ClusterVersion4.20.18, Available, not Progressing, not Failing
MCPsupdated, not updating, not degraded
ClusterOperatorsno non-steady rows
Non-running podsnone
Pending CSRsnone

Operator pods observed Running:

tempo-operator-controller
opentelemetry-operator-controller-manager
servicemesh-operator3
kiali-operator

Promotion decision

Keep the install.

The install is promoted because GitOps is synced, OLM is AtLatestKnown, all four CSVs are Succeeded, operator pods are Running, no excluded operands were created, and spoke cluster health stayed steady.

Rollback, if needed, is GitOps-first:

  1. Remove the four Batch 3 operator directories from the spoke overlay.
  2. Remove idms-tracing-mesh only if no other installed workload depends on those mirror mappings.
  3. Sync and validate OLM/operator pruning.
  4. Do not force-delete newly introduced CRDs or operator namespaces without a separate cleanup issue.

Operator queue decision:

OP-GF-OPERATORS-24: deferred by user decision; no active next operator batch is selected.

2026-05-21 App-platform batch deferral

Issue #440 records the user decision that the previously listed Batch 4 app platform operator wave is not needed now.

No live clusters, GitOps desired state, Subscriptions, operands, image mirror sets, routes, DNS records, or secrets were changed for this decision. Open Liberty and app-facing CloudNativePG remain catalog-visible and documented as deferred app-platform items, but future sessions must not present them as the next operator batch unless the user explicitly reintroduces application platform onboarding.

Last reviewed: 2026-05-21