Architecture

Components

• OpenShift GitOps (Argo CD): syncs Git state to clusters.
• ACM (Advanced Cluster Management) (optional): manages multiple clusters and exposes which clusters satisfy each Placement via cluster decision resources.
• ApplicationSet: generates multiple Argo CD Applications from a matrix (environments × clusters).
• Kustomize: overlays in nfl-wallet/ deploy Routes, AuthPolicy, API keys, and namespace-mesh.

Deployment modes

1. With ACM

1. Apply app-nfl-wallet-acm.yaml on the hub. It defines:
   • ManagedClusterSetBinding: binds cluster set global to openshift-gitops.
   • Placement nfl-wallet-gitops-placement: selects clusters with region=east or region=west.
   • GitOpsCluster: registers managed clusters in Argo CD (creates east/west secrets).
2. Apply app-nfl-wallet-acm-cluster-decision.yaml. It defines:
   • ApplicationSet nfl-wallet with matrix generator:
     • clusterDecisionResource: reads ConfigMap acm-placement and gets clusters from Placement.
     • list: three elements (dev, test, prod) with path and namespace.

3. For each (environment, cluster) pair, an Application is created (e.g. nfl-wallet-dev-east, nfl-wallet-prod-west).

4. Each Application points to the path of the corresponding Kustomize overlay (nfl-wallet/overlays/dev-east, nfl-wallet/overlays/prod-west, etc.).

5. Argo CD runs kustomize build and applies resources to the target namespace and cluster.

6. Apply app-kuadrant-resources.yaml. It defines:
   • ApplicationSet kuadrant-resources with list generator (east, west).
   • Deploys resource patches for Authorino, Limitador (kuadrant-system namespace) and Gateway proxy (nfl-wallet-test, nfl-wallet-prod namespaces) using ServerSideApply.
   • selfHeal: true reapplies if operators reset the values.

2. East and West without ACM (separate files)

Use when not using ACM and managing east and west independently.

• app-nfl-wallet-east.yaml: ApplicationSet nfl-wallet-east → list generator; generates 3 Applications (dev, test, prod). Target cluster via server (default: https://kubernetes.default.svc in-cluster).
• app-nfl-wallet-west.yaml: Same for west; edit server for the west cluster API.
• Application names: nfl-wallet-east-nfl-wallet-dev, nfl-wallet-west-nfl-wallet-test, etc.

No Placements, ConfigMap, or cluster labels required.

East / West with ACM (labels)

With ACM, clusters are mapped via labels region=east or region=west.

Placement nfl-wallet-gitops-placement

The current Placement selects clusters with:

predicates:
  - requiredClusterSelector:
      labelSelector:
        matchExpressions:
          - key: region
            operator: In
            values:
              - east
              - west

Result: dev, test, and prod deploy on both clusters (east and west). To restrict (e.g. dev only on east, prod only on west), create separate Placements per environment and adjust the ApplicationSet.

Simplified diagram (ACM)

                    Hub (OpenShift GitOps + ACM)
    ┌─────────────────────────────────────────────────────────┐
    │  app-nfl-wallet-acm.yaml                                 │
    │  ┌─────────────┐  ┌──────────────────────────────────┐  │
    │  │ Placement   │  │ GitOpsCluster                     │  │
    │  │ nfl-wallet- │  │ (creates east/west secrets)        │  │
    │  │ gitops-     │  │                                    │  │
    │  │ placement   │  └──────────────────────────────────┘  │
    │  └──────┬──────┘                                        │
    │         │                                                │
    │  app-nfl-wallet-acm-cluster-decision.yaml                │
    │  ┌──────────────────────────────────────────────────┐   │
    │  │ ApplicationSet nfl-wallet (matrix)                │   │
    │  │ clusterDecisionResource × list (dev, test, prod)   │   │
    │  └──────────────┬───────────────────────────────────┘   │
    │                 │                                        │
    │  app-kuadrant-resources.yaml                             │
    │  ┌──────────────────────────────────────────────────┐   │
    │  │ ApplicationSet kuadrant-resources (list)           │   │
    │  │ east, west → kuadrant-system/ (ServerSideApply)     │   │
    │  └──────────────┬───────────────────────────────────┘   │
    │                 │                                        │
    │                 ▼                                        │
    │  Applications:                                           │
    │    nfl-wallet-<namespace>-<clusterName>                   │
    │    kuadrant-resources-east, kuadrant-resources-west       │
    └──────────────────────┬──────────────────────────────────┘
                            │
         ┌──────────────────┼──────────────────┐
         ▼                  ▼                  ▼
    Cluster east       Cluster west
    nfl-wallet-dev     nfl-wallet-dev
    nfl-wallet-test    nfl-wallet-test
    nfl-wallet-prod    nfl-wallet-prod
    kuadrant-system    kuadrant-system

ConfigMap acm-placement (ACM only)

The ApplicationSet uses clusterDecisionResource with configMapRef: acm-placement. That ConfigMap must exist in openshift-gitops and defines the duck type so ApplicationSet can read status.decisions[].clusterName from PlacementDecisions.

Apply with: kubectl apply -f argocd-placement-configmap.yaml -n openshift-gitops

Helm chart versions per environment

The ApplicationSet uses chartVersion per environment to deploy different chart versions:

Chart 0.1.3 includes rhbk-neuroface as an optional dependency (RHBK + NeuroFace). Prod stays on 0.1.1 to keep the production environment stable without biometric features.

The RHBK Route host follows the pattern: nfl-wallet-rhbk-neuroface-<namespace>.apps.<cluster-domain>

Kustomize overlay structure