refactor(secrets): add kustomize components tree

applications/external-secrets-operator-redhat.yaml

@@ -0,0 +1,23 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  annotations:
+    argocd.argoproj.io/sync-wave: "-10"
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io/foreground
+  name: subscribe-external-secrets-operator-redhat
+  namespace: openshift-gitops
+spec:
+  destination:
+    server: https://kubernetes.default.svc
+  project: default
+  source:
+    kustomize:
+      components:
+        - https://github.com/openstack-k8s-operators/gitops/components/argocd/annotations?ref=feature/rhoso-apps-helm-chart
+    path: resources/external-secrets-operator/redhat
+    repoURL: https://github.com/openstack-k8s-operators/gitops.git
+    targetRevision: feature/rhoso-apps-helm-chart
+  syncPolicy:
+    automated: {}

applications/external-secrets-operator.yaml

@@ -0,0 +1,23 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  annotations:
+    argocd.argoproj.io/sync-wave: "-10"
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io/foreground
+  name: subscribe-external-secrets-operator
+  namespace: openshift-gitops
+spec:
+  destination:
+    server: https://kubernetes.default.svc
+  project: default
+  source:
+    kustomize:
+      components:
+        - https://github.com/openstack-k8s-operators/gitops/components/argocd/annotations?ref=feature/rhoso-apps-helm-chart
+    path: resources/external-secrets-operator
+    repoURL: https://github.com/openstack-k8s-operators/gitops.git
+    targetRevision: feature/rhoso-apps-helm-chart
+  syncPolicy:
+    automated: {}

applications/vault-secrets-operator.yaml

@@ -15,9 +15,9 @@ spec:
   source:
     kustomize:
       components:
-        - https://github.com/openstack-k8s-operators/gitops/components/argocd/annotations
+        - https://github.com/openstack-k8s-operators/gitops/components/argocd/annotations?ref=feature/rhoso-apps-helm-chart
     path: resources/vault-secrets-operator
     repoURL: https://github.com/openstack-k8s-operators/gitops.git
-    targetRevision: HEAD
+    targetRevision: feature/rhoso-apps-helm-chart
   syncPolicy:
     automated: {}

components/secrets/README.md

@@ -0,0 +1,28 @@
+# Secrets operator components
+
+Kustomize `Component` and overlay bases for Vault Secrets Operator (VSO) and External Secrets Operator (ESO). The matching [`resources/`](../../resources/) paths are thin wrappers so you can install from this repo with `oc apply -k resources/...` or compose only the component from another repository.
+
+Pin a Git revision on remote URLs (replace `BRANCH` with your branch or tag):
+
+- VSO: `https://github.com/openstack-k8s-operators/gitops/components/secrets/vault-secrets-operator?ref=BRANCH`
+- ESO (community catalog): `https://github.com/openstack-k8s-operators/gitops/components/secrets/external-secrets-operator/community?ref=BRANCH`
+- ESO (Red Hat overlay): use as a **base** (not `kind: Component`): `https://github.com/openstack-k8s-operators/gitops/components/secrets/external-secrets-operator/redhat?ref=BRANCH`
+
+Example overlay `kustomization.yaml` (VSO):
+
+```yaml
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources: []
+components:
+  - https://github.com/openstack-k8s-operators/gitops/components/secrets/vault-secrets-operator?ref=feature/rhoso-apps-helm-chart
+```
+
+Example including the Red Hat ESO overlay as a resource:
+
+```yaml
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - https://github.com/openstack-k8s-operators/gitops/components/secrets/external-secrets-operator/redhat?ref=feature/rhoso-apps-helm-chart
+```

components/secrets/external-secrets-operator/community/kustomization.yaml

@@ -0,0 +1,5 @@
+---
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+resources:
+  - subscription.yaml

components/secrets/external-secrets-operator/redhat/kustomization.yaml

@@ -0,0 +1,14 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - namespace.yaml
+  - operatorgroup.yaml
+components:
+  - ../community
+patches:
+  - path: patch-subscription-redhat.json
+    target:
+      kind: Subscription
+      name: external-secrets-operator
+      namespace: openshift-operators

components/secrets/vault-secrets-operator/kustomization.yaml

@@ -0,0 +1,5 @@
+---
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+resources:
+  - subscription.yaml

resources/external-secrets-operator/README.md

@@ -4,8 +4,10 @@ Subscribe to External Secrets Operator on OpenShift via Operator Lifecycle Manag
 
 ## Layout
 
-- **`community/`** — default install: a single `Subscription` in `openshift-operators` from the **community-operators** catalog (`spec.channel: stable`). This is split into a `community` kustomization so the **`redhat/`** overlay can include it without tripping kustomize path or cycle restrictions (you cannot reference a parent directory that contains the overlay, or files outside the overlay path, from `redhat/`).
-- **`redhat/`** — overlay that includes `community`, adds Namespace `external-secrets-operator` and an `OperatorGroup`, and applies a **JSON6902** patch to the community `Subscription` so it targets the Red Hat catalog (`openshift-external-secrets-operator`, `redhat-operators`, `stable-v1`), including `metadata.name` / `metadata.namespace` and stripping `metadata.labels`. Strategic merge does not reliably change Subscription identity fields; use RFC6902 for those edits.
+Manifests live under [`components/secrets/external-secrets-operator/`](../../components/secrets/external-secrets-operator/) in this repository. The `resources/` paths here are thin entrypoints for `oc apply -k` and Argo CD.
+
+- **`components/.../community/`** — default install: a single `Subscription` in `openshift-operators` from the **community-operators** catalog (`spec.channel: stable`). Implemented as a `kind: Component` so the **`redhat/`** overlay can compose it without kustomize path cycles.
+- **`components/.../redhat/`** — overlay that includes `community` as a component, adds Namespace `external-secrets-operator` and an `OperatorGroup`, and applies a **JSON6902** patch to the community `Subscription` so it targets the Red Hat catalog (`openshift-external-secrets-operator`, `redhat-operators`, `stable-v1`), including `metadata.name` / `metadata.namespace` and stripping `metadata.labels`. Strategic merge does not reliably change Subscription identity fields; use RFC6902 for those edits.
 
 ## Choose one catalog
 
@@ -32,7 +34,16 @@ Point `spec.source.path` at:
 - `resources/external-secrets-operator` for the default (community) manifest, or
 - `resources/external-secrets-operator/redhat` for the Red Hat operator.
 
-You can mirror [applications/vault-secrets-operator.yaml](https://github.com/openstack-k8s-operators/gitops/blob/main/applications/vault-secrets-operator.yaml) (sync-wave, repo URL, kustomize components) and set `path` accordingly.
+Use pinned revisions and mirror the pattern in [`applications/external-secrets-operator.yaml`](https://github.com/openstack-k8s-operators/gitops/blob/feature/rhoso-apps-helm-chart/applications/external-secrets-operator.yaml) or [`applications/external-secrets-operator-redhat.yaml`](https://github.com/openstack-k8s-operators/gitops/blob/feature/rhoso-apps-helm-chart/applications/external-secrets-operator-redhat.yaml) (sync-wave, repo URL, `targetRevision`, `kustomize.components` with `?ref=` on remote component URLs).
+
+## Consuming as a component (remote)
+
+From another repo, reference the same content as `components` or `resources` with a **pinned** `ref` (use your branch or tag instead of `feature/rhoso-apps-helm-chart` after merge):
+
+- Community (Component): `https://github.com/openstack-k8s-operators/gitops/components/secrets/external-secrets-operator/community?ref=feature/rhoso-apps-helm-chart`
+- Red Hat (Kustomization base; include under `resources:`): `https://github.com/openstack-k8s-operators/gitops/components/secrets/external-secrets-operator/redhat?ref=feature/rhoso-apps-helm-chart`
+
+See also [`components/secrets/README.md`](../../components/secrets/README.md).
 
 ## Links
 

resources/external-secrets-operator/kustomization.yaml

@@ -1,5 +1,5 @@
 ---
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-resources:
-  - community
+components:
+  - ../../components/secrets/external-secrets-operator/community

resources/external-secrets-operator/redhat/kustomization.yaml

@@ -2,12 +2,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - ../community
-  - namespace.yaml
-  - operatorgroup.yaml
-patches:
-  - path: patch-subscription-redhat.json
-    target:
-      kind: Subscription
-      name: external-secrets-operator
-      namespace: openshift-operators
+  - ../../../components/secrets/external-secrets-operator/redhat

resources/vault-secrets-operator/README.md

@@ -1,3 +1,13 @@
 # Vault Secrets Operator
 
 Subscribe to the Vault Secrets Operator on OpenShift.
+
+The subscription manifest lives under [`components/secrets/vault-secrets-operator/`](../../components/secrets/vault-secrets-operator/) in this repository. This `resources/` directory is a thin wrapper for `oc apply -k` and Argo CD (`applications/vault-secrets-operator.yaml`).
+
+## Consuming as a component (remote)
+
+Pin a Git revision (replace `BRANCH` with your branch or tag):
+
+`https://github.com/openstack-k8s-operators/gitops/components/secrets/vault-secrets-operator?ref=BRANCH`
+
+See [`components/secrets/README.md`](../../components/secrets/README.md).

resources/vault-secrets-operator/kustomization.yaml

@@ -1,5 +1,5 @@
 ---
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-resources:
-  - subscription.yaml
+components:
+  - ../../components/secrets/vault-secrets-operator