Federated Monorepo Architecture

The two-tree GitLab group layout — comptech-platform vs divisions — the eleven ct-* role groups, repository ownership, and the boundaries that keep app teams off platform state.

The lab’s GitLab is organized as a federated monorepo by ownership boundary: two sibling group trees, one for platform-owned operational state, one for application-team state. The split is not stylistic. It exists to make the OpenShift GitOps pull model enforceable, and to keep application teams structurally unable to write to platform state.

This page covers the architecture, the ownership matrix, the role-group model, and the CODEOWNERS baselines. ADR 0023 locks the design in.

Architecture

comptech-platform/ (platform-owned)

openshift-ops/

infra-ops/

platform-services/

tenant-registry/

divisions/ (app-team owned)

sandbox/

openshift-platform-gitops (project ID 12)

openshift-cluster-build

vm-platform-ops (planned)

<division>-apps-monorepo

<division>-gitops

The two trees:

comptech-platform/ contains platform-owned operational state — OpenShift cluster GitOps, VM platform-ops, platform tools, tenant registry.
divisions/ contains application-team state, organized one sub-group per division. The lab’s current bootstrap division is sandbox.

Why two trees, not one

Per ADR 0023 the alternatives considered include:

Alternative	Why rejected
Single super-group with role-groups distinguishing ownership	Easy to grant a role group too broadly; loses the visual boundary between platform-owned and division-owned state.
Flat repo model under `comptech-platform/`	Forces all project shares per-repository; loses the sub-group-level share affordance.
Per-team ownership of everything (give divisions maintainer on platform repos so their CI can do direct cluster changes)	Violates the ADR 0015 ownership boundary; makes the ADR 0018 GitOps pull model unenforceable.
Defer the formal model until more divisions exist	Issue #68 explicitly required documenting the model before more teams onboard.

The two-tree split is cheap to operate and gives the OpenShift/platform team a defensible namespace boundary. It is the lock-in decision.

Group layout (live)

The skeleton already exists in the live GitLab:

comptech-platform/
  openshift-ops/
    openshift-platform-gitops   (project ID 12 — live)
    openshift-cluster-build     (planned)
  infra-ops/
    vm-platform-ops             (planned)
  platform-services/
    platform-tools-iac          (deferred)
    platform-tools-config       (deferred)
  tenant-registry/
    openshift-tenants           (deferred)

divisions/
  sandbox/
    openliberty-readiness-probe (live source repo)
    demo-smoke                  (live source repo)
    sandbox-apps-monorepo       (planned)
    sandbox-gitops              (planned)

The first live repo is openshift-platform-gitops (project ID 12). It was migrated from gitops/platform-gitops to comptech-platform/openshift-ops/openshift-platform-gitops as part of the bootstrap. The local clone on operator workstations is at /home/ze/platform-gitops and points at the LAN endpoint.

Repository ownership matrix

Repo/domain	Purpose	Writers	Readers
`openshift-platform-gitops`	OpenShift cluster desired state, platform operators, policies, tenant boundaries	OpenShift/platform team only	platform, security, auditors
`openshift-cluster-build`	Cluster install inputs, agent install automation, mirror references	OpenShift/platform team only	platform, auditors
`vm-platform-ops`	HAProxy, PowerDNS, GitLab, Jenkins, Nexus, Docker runtime, runners, VM inventory	Infra/platform tools team	OpenShift read, security, auditors
`platform-tools-iac`	Shared infra modules if split later	Infra/platform tools team	platform read
`platform-tools-config`	Tool config through APIs/JCasC/Ansible if split later	Infra/platform tools team	platform read
`openshift-tenants`	Approved tenant metadata if split later	OpenShift/platform team	tenant owners by approval
`<division>-apps-monorepo`	Application source	Division app team	platform/CI/security as needed
`<division>-gitops`	Application deployment intent and overlays	Division app team inside guardrails	OpenShift/platform retains maintainer for guardrails/emergency rollback

Application teams must not write to:

openshift-platform-gitops
openshift-cluster-build
vm-platform-ops
Platform runner or admin configuration repos

Creation order

Not every repository above must exist immediately. The accepted creation order per ADR 0023:

openshift-platform-gitops (live, project ID 12).
vm-platform-ops when ownership and first service adoption are ready.
openshift-cluster-build when cluster-build artifacts are ready to split out of planning docs.
platform-tools-iac, platform-tools-config, openshift-tenants only when their split proves useful.
Division repositories as teams onboard.

Role groups (eleven `ct-*` groups)

Individual users are added to role groups, not directly to projects, except for tightly scoped temporary exceptions recorded against an issue.

Role group	GitLab role	Scope
`ct-gitlab-admins`	Owner	Top-level operational groups; very small admin group
`ct-openshift-platform-maintainers`	Maintainer	`openshift-ops/*`, tenant boundaries
`ct-openshift-platform-reviewers`	Reporter or Developer	OpenShift platform review/read
`ct-infra-platform-maintainers`	Maintainer	`infra-ops/`, selected `platform-services/`
`ct-infra-platform-reviewers`	Reporter or Developer	Infra review/read
`ct-cicd-platform-maintainers`	Maintainer	CI templates, runner config, Jenkins shared libraries
`ct-security-reviewers`	Reporter or Developer	Platform and app GitOps policy/security review
`ct-auditors`	Reporter	Selected operational repos, read-only
`ct-<division>-app-maintainers`	Maintainer	Division source and app GitOps repos only
`ct-<division>-developers`	Developer	Division app source repos
`ct-<division>-release-approvers`	Developer or Maintainer	Division app GitOps promotion paths

The bootstrap sandbox already has ct-sandbox-app-maintainers, ct-sandbox-developers, and ct-sandbox-release-approvers instantiated.

Initial project shares (`openshift-platform-gitops`)

Project ID 12 is shared with:

ct-openshift-platform-maintainers: Maintainer
ct-openshift-platform-reviewers: Reporter
ct-security-reviewers: Reporter
ct-auditors: Reporter

ct-sandbox-* groups have no access to platform GitOps. The same pattern is applied to each new operational repo as it’s created.

CODEOWNERS baseline

The CODEOWNERS files express path-level review ownership and complement project shares. The lab baseline:

`openshift-platform-gitops`

/clusters/       @ct-openshift-platform-maintainers
/components/     @ct-openshift-platform-maintainers
/policies/       @ct-openshift-platform-maintainers @ct-security-reviewers
/tenants/        @ct-openshift-platform-maintainers @ct-security-reviewers
/bootstrap/      @ct-openshift-platform-maintainers

Future `vm-platform-ops`

/services/haproxy/        @ct-infra-platform-maintainers
/services/pdns/           @ct-infra-platform-maintainers
/services/gitlab/         @ct-infra-platform-maintainers
/services/jenkins/        @ct-infra-platform-maintainers @ct-cicd-platform-maintainers
/services/nexus/          @ct-infra-platform-maintainers @ct-cicd-platform-maintainers
/services/docker-runtime/ @ct-infra-platform-maintainers
/services/gitlab-runner/  @ct-infra-platform-maintainers @ct-cicd-platform-maintainers @ct-security-reviewers
/terraform/               @ct-infra-platform-maintainers
/ansible/                 @ct-infra-platform-maintainers
/policies/                @ct-infra-platform-maintainers @ct-security-reviewers

Division app GitOps

/apps/*/dev/      @ct-<division>-app-maintainers
/apps/*/uat/      @ct-<division>-release-approvers
/apps/*/staging/  @ct-<division>-release-approvers
/apps/*/prod/     @ct-<division>-release-approvers @ct-security-reviewers

Review rules

Per ADR 0023, the minimum approval expectations are fixed:

Change type	Required approvers
OpenShift cluster-wide operator/platform change	OpenShift maintainer + second platform reviewer
Tenant onboarding or namespace policy change	OpenShift maintainer + tenant owner acknowledgement
Production AppProject/RBAC/NetworkPolicy change	OpenShift maintainer + security reviewer
VM platform tool change	Infra maintainer + service owner
HAProxy or PowerDNS production-impacting change	Infra maintainer + affected service owner
GitLab/Jenkins/Nexus admin/config change	Infra maintainer + CI/CD maintainer where relevant
GitLab Runner privilege/tag change	Infra maintainer + CI/CD maintainer + security reviewer
App build template change	CI/CD maintainer + app representative
App production promotion	App release approver + required pipeline evidence

Where GitLab CE cannot enforce a rule natively, compensating controls — CODEOWNERS, protected branches, validation pipelines, MR evidence — must be recorded.

OpenShift GitOps boundary

openshift-platform-gitops owns OpenShift operations only:

Cluster bootstrap paths
ACM/MCE and OpenShift GitOps control
Mirrored CatalogSources and ClusterCatalogs
IDMS/ITMS mirror configuration
Platform operators
Storage layer configuration
Tenant namespaces and AppProjects
Quotas, limit ranges, NetworkPolicies, RBAC, and policy guardrails

It does not own:

Application source code
Routine application release manifests
VM-hosted platform tool configuration
Kafka or other middleware (unless explicitly introduced as an OpenShift platform workload through a tracked issue and ADR)
Generic Docker image catalogues

Onboarding a new division

When the time comes:

Create divisions/<division>.
Create role groups: ct-<division>-app-maintainers, ct-<division>-developers, ct-<division>-release-approvers.
Create <division>-apps-monorepo.
Create <division>-gitops.
Add README, CODEOWNERS, MR template, and validation pipeline.
Grant app teams only to division repos.
Register tenant boundaries in platform-owned OpenShift GitOps (namespaces, AppProjects, quotas, limit ranges, NetworkPolicies, RBAC, allowed source repos, allowed destination namespaces).
Run negative access tests.
Run a golden-path app smoke test before production onboarding.

Stop and revisit the design if the division needs write access to openshift-platform-gitops for normal application deployment — that means the tenant/AppProject model is wrong or incomplete.

Residual decisions (still open)

ADR 0023 explicitly leaves these open for separate tracking:

Final naming for the existing ct-* role groups if the eleven-group list proves too coarse or too fine in practice.
Whether openshift-tenants should be a separate repo or a folder inside openshift-platform-gitops.
Whether platform-tools-iac and platform-tools-config should be separate repos immediately or deferred.
Whether application GitOps repositories should be one per division or one per application for high-risk teams.
Whether production branches should require signed commits immediately or in a later hardening phase.
The GitLab CE merge-control and CODEOWNERS-enforcement decision under FG-1.

References

opp-full-plat/adr/0023-federated-gitlab-group-repo-ownership.md — ownership model.
opp-full-plat/adr/0015-federated-gitops-repo-architecture.md — parent architecture.
opp-full-plat/adr/0016-workspace-execution-governance.md — operator workspace rules.
opp-full-plat/connection-details/gitlab-operator-guide.md — operator runbook.
opp-full-plat/plans/federated-gitops-gitlab-access-matrix.md — full access matrix (the source-of-truth design baseline).
opp-full-plat/plans/federated-gitops-gitlab-implementation-checklist.md — execution sequence.