Document ACM and ACS with dedicated sections and screenshots.

maximilianoPizarro · cursoragent · maximilianoPizarro · commit 4f36ef8b385c · 2026-06-10T14:15:19.000-03:00
Add architecture narrative for fleet management and Central/SecuredCluster
topology, ACS-2 console image, and expanded getting-started operator guidance.

Co-authored-by: Cursor &lt;cursoragent@cursor.com&gt;
diff --git a/content/patterns/hybrid-mesh-platform/_index.md b/content/patterns/hybrid-mesh-platform/_index.md
@@ -61,7 +61,7 @@ This repository models a **GitOps-first platform** where:
 
 _Hub cluster aggregates observability and Developer Hub; east and west spokes run Industrial Edge workloads connected via Service Interconnect (Skupper). Click the image to open the full diagram._
 
-Architecture diagrams in this documentation illustrate Git, ACM, Skupper VAN, and Industrial Edge placement on east/west — use them as the visual companion to the install chapters.
+Architecture diagrams illustrate Git, **ACM fleet management**, **ACS Central**, Skupper VAN, Connectivity Link, and Industrial Edge on east/west — use them as the visual companion to the install chapters (see [Architecture](architecture) for ACM and ACS console views).
 
 ## Quick links
 
diff --git a/content/patterns/hybrid-mesh-platform/architecture.md b/content/patterns/hybrid-mesh-platform/architecture.md
@@ -81,6 +81,59 @@ In parallel:
 
 Industrial Edge components exist **only** in spoke charts. The hub chart never includes factory workloads.
 
+## Advanced Cluster Management (ACM)
+
+Red Hat Advanced Cluster Management for Kubernetes (ACM) provides fleet-wide visibility and lifecycle for OpenShift clusters. In Hybrid Mesh Platform it anchors hub-spoke registration, policy placement, and integration with OpenShift GitOps via `GitOpsCluster` and related APIs.
+
+[![ACM fleet management — east and west managed clusters on the hub](/images/hybrid-mesh-platform/ACM.png)](/images/hybrid-mesh-platform/ACM.png)
+
+### Role in this solution
+
+- Inventory managed clusters (`hub`, `east`, `west`) and apply governance policies consistently.
+- Drive which spokes receive Industrial Edge and platform components through **Placement** rules (`region=east`, `region=west`).
+- Coordinate klusterlet agents, `ManagedClusterSet` membership, and secrets required for spoke import.
+- Publish **PlacementDecision** objects consumed by the Argo CD ApplicationSet (`clusterDecisionResource` generator).
+
+### Notable APIs / CRDs
+
+| Resource | Purpose |
+| --- | --- |
+| `MultiClusterHub` | Hub installation health |
+| `ManagedCluster`, `ManagedClusterSet` | Fleet membership and RBAC grouping |
+| `Placement`, `PlacementDecision` | Dynamic cluster selection for GitOps |
+| `GitOpsCluster` | Binds placement results to Argo CD cluster secrets |
+
+Charts: `components/acm-operator`, `components/acm-hub-spoke`. Verify with `oc get managedcluster` and PlacementDecision in `openshift-gitops`.
+
+## Advanced Cluster Security (ACS)
+
+Red Hat Advanced Cluster Security for Kubernetes (ACS) centralizes build-time image scanning, deployment-time policy, and runtime detection across the fleet.
+
+[![ACS Central — hub, east, and west registered](/images/hybrid-mesh-platform/ACS.png)](/images/hybrid-mesh-platform/ACS.png)
+
+[![ACS Central — policies, vulnerabilities, and runtime visibility](/images/hybrid-mesh-platform/ACS-2.png)](/images/hybrid-mesh-platform/ACS-2.png)
+
+### Hub-spoke topology
+
+| Component | Location | Role |
+| --- | --- | --- |
+| **Central** | Hub | Policy console, vulnerability database, admission coordination |
+| **SecuredCluster** | Hub + spokes | Sensor, collector, and admission control per cluster |
+
+Cluster names in Central: **`hub`**, **`east`**, **`west`**. Init bundles (TLS secrets in namespace `stackrox`) register each SecuredCluster with Central.
+
+### Service mesh exception
+
+Namespace `stackrox` is listed in `$noMeshNamespaces` (`components/namespaces`) — **do not** label it `istio.io/dataplane-mode: ambient`. Ambient ztunnel breaks Central ↔ PostgreSQL TLS and Central becomes unreachable.
+
+### Capabilities used
+
+- CVE scanning for Industrial Edge and platform images (Quay/internal registry).
+- Risk prioritization across namespaces and clusters.
+- Optional network and process baselines for regulated factory environments.
+
+Charts: `components/acs-operator` (hub Central), `components/acs-secured-cluster` (hub + spokes). See [Getting Started](getting-started#advanced-cluster-security-acs) for init bundle generation.
+
 ## GitOps application delivery flow
 
 1. Hub Argo CD syncs the root Application (operators, ACM, gateway, observability).
diff --git a/content/patterns/hybrid-mesh-platform/getting-started.md b/content/patterns/hybrid-mesh-platform/getting-started.md
@@ -27,13 +27,43 @@ Then continue with [Scaffolding](scaffolding) to deploy a new edge instance on e
 
 ## Platform operators (reference)
 
-The hub chart deploys ACM, GitOps, ACS, and related operators before application workloads. Console views after sync:
+The hub chart deploys **ACM**, **OpenShift GitOps**, **ACS**, Service Mesh, Skupper, and related operators before application workloads.
 
-[![Advanced Cluster Management — fleet view](/images/hybrid-mesh-platform/ACM.png)](/images/hybrid-mesh-platform/ACM.png)
+[![OpenShift GitOps — Argo CD Applications on the hub](/images/hybrid-mesh-platform/product-argocd-openshift-gitops.png)](/images/hybrid-mesh-platform/product-argocd-openshift-gitops.png)
 
-[![OpenShift GitOps — Argo CD Applications](/images/hybrid-mesh-platform/product-argocd-openshift-gitops.png)](/images/hybrid-mesh-platform/product-argocd-openshift-gitops.png)
+### Advanced Cluster Management (ACM)
 
-[![Advanced Cluster Security — central console](/images/hybrid-mesh-platform/ACS.png)](/images/hybrid-mesh-platform/ACS.png)
+ACM must show **`east`** and **`west`** as **Available** managed clusters before the ApplicationSet can push spoke charts.
+
+[![ACM fleet management — east and west registered on the hub](/images/hybrid-mesh-platform/ACM.png)](/images/hybrid-mesh-platform/ACM.png)
+
+Verify:
+
+```bash
+oc get managedcluster
+oc get multiclusterhub -n open-cluster-management
+```
+
+Spoke names must match repository folders (`east`, `west`). Placement labels drive ApplicationSet targeting — see [Step 4](#step-4-import-managed-clusters-in-acm) and [Deploy with ACM and GitOps](#deploy-with-acm-and-gitops).
+
+### Advanced Cluster Security (ACS)
+
+ACS Central runs on the hub; **SecuredCluster** agents install on hub and both spokes. All three clusters appear in the Central UI when init bundles are applied.
+
+[![ACS Central — hub, east, and west clusters](/images/hybrid-mesh-platform/ACS.png)](/images/hybrid-mesh-platform/ACS.png)
+
+[![ACS Central — policies and vulnerability views](/images/hybrid-mesh-platform/ACS-2.png)](/images/hybrid-mesh-platform/ACS-2.png)
+
+#### Generating SecuredCluster init bundles
+
+Generate one init bundle per cluster from Central (do not commit secrets to Git):
+
+```bash
+roxctl -e central.stackrox:443 --password "$ROX_ADMIN_PASSWORD" --insecure-skip-tls-verify \
+  central init-bundles generate <cluster-name> --output-secrets - | oc apply -n stackrox -f -
+```
+
+Use cluster names **`hub`**, **`east`**, and **`west`**. Namespace **`stackrox`** must stay **off** Service Mesh ambient — see [Architecture — ACS](architecture#advanced-cluster-security-acs).
 
 ## Prerequisites
 
diff --git a/static/images/hybrid-mesh-platform/ACS-2.png b/static/images/hybrid-mesh-platform/ACS-2.png
