feat!: migrate to argocd-operator on k3s; drop OpenShift-isms (Phase A) (#5)

## Summary

Phase A of the k3s migration: re-targets `kustomize-cluster` from
OpenShift Local (CRC) onto vanilla k3s, consumed by `argocd-operator`
(community, upstream of OpenShift GitOps — same `argoproj.io/v1beta1
ArgoCD` CRD, so the existing `repo:` block with KSOPS/Dex/RBAC works
unchanged).

This is the *minimum* set of changes for ArgoCD to bootstrap
successfully on k3s. Phase B (replace OLM Subscriptions for
cert-manager/awx/grafana with upstream Helm) and Phase C (clean up
`openshift-monitoring` Prometheus scrape refs, `system:openshift:scc`
references in workloads) follow as separate PRs.

Bundles the previously-staged repo-local opencode config (the prior
commit on this branch).

### Renames

- namespace `openshift-gitops` → `argocd` (~22 files)
- ArgoCD CR `name: openshift-gitops` → `name: argocd`
- SA `openshift-gitops-argocd-application-controller` →
`argocd-argocd-application-controller`
- directory `workloads/openshift-gitops/` → `workloads/argocd/`
- service ref `argocd-server.openshift-gitops.svc.cluster.local` →
`argocd-server.argocd.svc.cluster.local`
- TunnelBinding subject `openshift-gitops-server` → `argocd-server`
- PostSync hooks: `oc` → `kubectl`, OpenShift CLI ImageStream →
`bitnami/kubectl:latest`
- ci-token-sync image:
`image-registry.openshift-image-registry.svc:5000/public-registry/gh-cli`
→ `ghcr.io/makeitworkcloud/gh-cli`

### Deletions (OpenShift-only constructs)

- `bootstrap/console-branding/` — OpenShift web console branding
- `bootstrap/secrets/openshift-oauth/` — cluster-wide OpenShift OAuth
provider config; ArgoCD's own Dex GitHub SSO remains the SSO path
- `bootstrap/public-registry.yaml` — OpenShift internal-registry-backed
namespace
- `operators/cert-manager/{ingress-patch,openshift-ingress-config}.yaml`
— patched OpenShift's IngressController + componentRoutes
- `operators/cert-manager/wildcard-certificate.yaml` — the wildcard
`*.apps.makeitwork.cloud` LE cert was a CRC ingress workaround. With
public traffic flowing through Cloudflare Tunnels (already in this repo
via `cloudflare-operator` + `TunnelBinding`), TLS terminates at
Cloudflare's edge and an in-cluster wildcard cert is dead code.
- `workloads/arc/imagestream.yaml` — OpenShift ImageStream

### Bootstrap chain

```
tfroot-libvirt k3s cloud-init runcmd:
  1. Install k3s
  2. Create ns argocd + sops-age-keys Secret (in argocd ns)
  3. kubectl apply -k argocd-operator (community)
  4. kubectl apply -k kustomize-cluster//bootstrap?ref=main
       → applies argocd-config.yaml (operator reconciles → argocd-server with KSOPS init)
       → applies bootstrap-secrets-app, gitops-operators, gitops-workloads (sit dormant until argocd-server is up)
  5. argocd-server starts → picks up Applications → self-manages from here
```

The argocd-operator install + sops-age-keys Secret + bootstrap apply is
in the **companion tfroot-libvirt PR #2**. The `sops_age_key` value
needs to be added to `tfroot-libvirt/secrets/secrets.yaml`
(sops-encrypted; same age recipient as the rest).

## Test plan

- [x] `kustomize build bootstrap/` passes locally
- [x] `kustomize build workloads/apps/` passes locally
- [x] All pre-commit hooks (yaml lint, KubeLinter, EOF/whitespace) pass
- [x] CI `Pre-commit Tests` job passes (now `ubuntu-latest`)
- [x] Apply locally (after tfroot-libvirt is also applied) — verify
ArgoCD comes up, repo-server has KSOPS init-container, root sync starts
- [x] Expected red items in ArgoCD UI after sync: cert-manager / awx /
grafana OLM Subscriptions (Phase B will replace), grafana scrape refs to
`openshift-monitoring` (Phase C)

## Migration notes for operators

- The OLM-installed operators (cert-manager, awx, grafana) **will fail
to sync** on k3s because there's no OLM. Their `operator.yaml`
Subscription resources land in etcd but go nowhere. Expected; see Phase
B.
- The wildcard cert is gone. Anything that previously consumed
`wildcard-apps-makeitwork-cloud-tls` Secret (none currently in repo)
will need re-plumbing through Cloudflare.

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: xnoto

.github/workflows/ci.yml

@@ -15,7 +15,9 @@ permissions:
 jobs:
   test:
     name: Pre-commit Tests
-    runs-on: arc
+    # ubuntu-latest while arc-dind runners are unavailable during the libvirt
+    # migration. Revert to `arc` once the new k3s cluster has ARC runners up.
+    runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
@@ -30,23 +32,18 @@ jobs:
 
   sync:
     name: Sync ArgoCD
+    # In-cluster `arc` runner uses its SA token to talk to the API directly;
+    # this job stays on `arc` because it needs cluster access. It will not run
+    # until ARC dind runners are deployed by kustomize-cluster post-bootstrap.
     runs-on: arc
     needs: [test]
     if: github.event_name == 'push' && github.ref == 'refs/heads/main'
 
     steps:
-      - name: Install OpenShift CLI
-        uses: redhat-actions/oc-installer@v1
-
-      - name: Login to OpenShift
-        uses: redhat-actions/oc-login@v1
-        with:
-          openshift_server_url: ${{ secrets.OPENSHIFT_SERVER_URL }}
-          openshift_token: ${{ secrets.OPENSHIFT_TOKEN }}
-          insecure_skip_tls_verify: true
-
-      - name: Sync ArgoCD application
+      - name: Sync ArgoCD bootstrap Applications
         run: |
-          oc -n openshift-gitops patch application kustomize-cluster \
-            --type=merge \
-            -p '{"operation":{"initiatedBy":{"username":"github-actions"},"sync":{"revision":"${{ github.sha }}"}}}'
+          for app in bootstrap-secrets gitops-operators gitops-workloads; do
+            kubectl -n argocd patch application "$app" \
+              --type=merge \
+              -p '{"operation":{"initiatedBy":{"username":"github-actions"},"sync":{"revision":"${{ github.sha }}"}}}'
+          done

bootstrap/argocd-config.yaml

@@ -1,13 +1,13 @@
 ---
-# OpenShift GitOps ArgoCD configuration
+# ArgoCD instance managed by argocd-operator (community).
 # - KSOPS for SOPS-encrypted secrets using AGE keys
 # - GitHub OAuth authentication via Dex
 # - RBAC with GitHub org/team mapping
 apiVersion: argoproj.io/v1beta1
 kind: ArgoCD
 metadata:
-  name: openshift-gitops
-  namespace: openshift-gitops
+  name: argocd
+  namespace: argocd
   annotations:
     argocd.argoproj.io/sync-wave: "0"
 spec:

bootstrap/bootstrap-secrets-app.yaml

@@ -5,7 +5,7 @@ apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
   name: bootstrap-secrets
-  namespace: openshift-gitops
+  namespace: argocd
   annotations:
     argocd.argoproj.io/sync-wave: "1"
 spec:

bootstrap/ci-service-account.yaml

@@ -5,17 +5,17 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: ci-deployer
-  namespace: openshift-gitops
+  namespace: argocd
   annotations:
     argocd.argoproj.io/sync-wave: "0"
 ---
 # Long-lived API token for CI/CD
-# Extract with: oc get secret ci-deployer-token -n openshift-gitops -o jsonpath='{.data.token}' | base64 -d
+# Extract with: kubectl get secret ci-deployer-token -n argocd -o jsonpath='{.data.token}' | base64 -d
 apiVersion: v1
 kind: Secret
 metadata:
   name: ci-deployer-token
-  namespace: openshift-gitops
+  namespace: argocd
   annotations:
     argocd.argoproj.io/sync-wave: "0"
     kubernetes.io/service-account.name: ci-deployer
@@ -35,4 +35,4 @@ roleRef:
 subjects:
   - kind: ServiceAccount
     name: ci-deployer
-    namespace: openshift-gitops
+    namespace: argocd

bootstrap/ci-token-sync-job.yaml

@@ -5,7 +5,7 @@ apiVersion: batch/v1
 kind: Job
 metadata:
   name: ci-token-sync
-  namespace: openshift-gitops
+  namespace: argocd
   annotations:
     argocd.argoproj.io/hook: PostSync
     argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
@@ -25,7 +25,7 @@ spec:
           type: RuntimeDefault
       containers:
         - name: sync
-          image: image-registry.openshift-image-registry.svc:5000/public-registry/gh-cli:latest
+          image: ghcr.io/makeitworkcloud/gh-cli:latest
           securityContext:
             allowPrivilegeEscalation: false
             readOnlyRootFilesystem: true