Fix namespace sync waves (#32)

* Fix namespace sync-wave ordering for openstack namespace

Ensure the 'openstack' namespace is created after the 'openstack-operators'
namespace by setting its sync-wave to -29 (vs -30 for all other namespaces).

This provides more fine-grained ordering in ArgoCD synchronization, ensuring
proper namespace dependencies are respected during deployment.

* Add sync-wave ordering for MetalLB after NMState

Set MetalLB sync-wave to '1' to ensure it is deployed after NMState
(which uses the default sync-wave '0'). This provides proper ordering
for the network infrastructure components during ArgoCD synchronization.

Deployment order:
- Wave 0: NMState, OpenStack operator
- Wave 1: MetalLB, NodeNetworkConfigurationPolicy, VaultConnection

* Add OpenShift Project deletion permissions to ArgoCD ClusterRole

Add permissions for the project.openshift.io API group to allow ArgoCD
to manage OpenShift Projects. This fixes DeletionError when removing
applications that manage namespaces/projects.

This allows the ArgoCD application controller service account to
create, update, and delete OpenShift Projects, which is necessary
for full lifecycle management of applications via GitOps.

* Align sync-wave ordering with RHOSO removal process

This commit reorganizes the ArgoCD sync-wave annotations to ensure
proper resource ordering that aligns with the official RHOSO deployment
removal process documented at:
https://docs.redhat.com/en/documentation/red_hat_openstack_services_on_openshift/18.0/html/maintaining_the_red_hat_openstack_services_on_openshift_deployment/assembly_removing-rhoso-deployment-from-rhocp-environment

Key changes:
- Isolate openstack-operators namespace at wave -31 (created first, deleted last)
- Add sync-wave annotations for DataPlane resources:
  * OpenStackDataPlaneNodeSet: wave 15
  * OpenStackDataPlaneDeployment: wave 20 (deleted first)
- Set NMState to wave 0 (before MetalLB at wave 1) to respect dependencies
- Reorganize patches in sync-wave order for better readability

The ordering now ensures:
1. DataPlane resources are removed first (highest waves)
2. ControlPlane follows (wave 10)
3. Vault/secrets cleanup (waves 1-3)
4. openstack namespace removal (wave -29)
5. Infrastructure operators (MetalLB, NMState) removal (waves 0-1)
6. Operator subscriptions removal (wave -10)
7. OperatorGroups removal (wave -20)
8. General namespaces removal (wave -30)
9. openstack-operators namespace removal last (wave -31)

This guarantees a clean removal process following RHOSO documentation,
preventing resource conflicts and ensuring proper cleanup order when
using ArgoCD's automated sync-wave deletion.

* Add RBAC permissions for ArgoCD-based cleanup operations

Extend the gitops-openstack ClusterRole to support ArgoCD-driven
cleanup operations that align with the RHOSO removal process.

Added permissions for:
- PersistentVolumeClaims: Required for cleaning up storage resources
- Pods: Required for listing and monitoring pod cleanup in namespaces
- VaultConnection and VaultAuth: Required for managing Vault resources
  (in addition to existing VaultStaticSecret permissions)

These permissions enable ArgoCD to properly handle cascade deletion
of applications with sync-wave ordering, ensuring resources are
removed in the correct sequence as defined by the sync-wave annotations.

Note: OpenStackDataPlaneServices permissions were already present.

* Fix OpenStack operator initialization sync-wave ordering

Set the OpenStack operator initialization (kind: OpenStack) to sync-wave -5
to ensure proper deletion order.

Current issue:
- OpenStack operator init was at wave 0 (default)
- Infrastructure (MetalLB, etc.) at wave 1
- This caused operator init to be deleted AFTER infrastructure

Correct deletion order (highest to lowest):
- DataPlane/ControlPlane resources (waves 20-10)
- Infrastructure components (waves 5-1)
- NMState (wave 0)
- OpenStack operator init (wave -5) ← Fixed position
- Subscriptions (wave -10)
- OperatorGroups/Namespaces (waves -20 to -31)

This aligns with the RHOSO removal documentation where the operator
is deleted after infrastructure but before operator subscriptions.

Author: cjeanner

base/initialize/gitops/components/annotations/kustomization.yaml

@@ -4,8 +4,7 @@ kind: Component
 # These patches will define the overlay for sync-waves within
 # GitOps-orchestrated RHOSO deployment.
 patches:
-  # --- pre-install --
-  # create Namespaces first
+  # --- Wave -30: Create general Namespaces (default for all namespaces) ---
   - target:
       kind: Namespace
     patch: |-
@@ -14,7 +13,27 @@ patches:
         value:
           argocd.argoproj.io/managed-by: openshift-gitops
           argocd.argoproj.io/sync-wave: "-30"
-  # set up the OperatorGroup for Operator deployments
+  # --- Wave -29: Create openstack namespace after openstack-operators namespace ---
+  - target:
+      kind: Namespace
+      name: openstack
+    patch: |-
+      - op: add
+        path: /metadata/annotations
+        value:
+          argocd.argoproj.io/managed-by: openshift-gitops
+          argocd.argoproj.io/sync-wave: "-29"
+  # --- Wave -31: Create openstack-operators namespace first (deleted last) ---
+  - target:
+      kind: Namespace
+      name: openstack-operators
+    patch: |-
+      - op: add
+        path: /metadata/annotations
+        value:
+          argocd.argoproj.io/managed-by: openshift-gitops
+          argocd.argoproj.io/sync-wave: "-31"
+  # --- Wave -20: Set up OperatorGroup and CatalogSource for Operator deployments ---
   - target:
       kind: OperatorGroup
     patch: |-
@@ -29,46 +48,47 @@ patches:
         path: /metadata/annotations
         value:
           argocd.argoproj.io/sync-wave: "-20"
-  # Subscribe to the Operators required in our deployment
+  # --- Wave -10: Subscribe to Operators and Advanced Cluster Manager setup ---
   - target:
       kind: Subscription
     patch: |-
       - op: add
         path: /metadata/annotations
         value:
           argocd.argoproj.io/sync-wave: "-10"
-    # --- base install ---
   - target:
-      kind: LVMCluster
+      group: operator.open-cluster-management.io
+      version: v1
+      kind: MultiClusterHub
     patch: |-
       - op: add
         path: /metadata/annotations
         value:
           argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+          argocd.argoproj.io/sync-wave: "-10"
+  # --- Wave 0 (default): Base infrastructure and OpenStack operator initialization ---
   - target:
-      kind: ArgoCD
+      kind: LVMCluster
     patch: |-
       - op: add
         path: /metadata/annotations
         value:
           argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
   - target:
-      kind: NMState
+      kind: ArgoCD
     patch: |-
       - op: add
         path: /metadata/annotations
         value:
           argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
   - target:
-      kind: MetalLB
+      kind: NMState
     patch: |-
       - op: add
         path: /metadata/annotations
         value:
           argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-    # --- RHOSO staged deployment ---
-  # Initialize OpenStackOperator
-  # Do it at wave 0 (default)
+          argocd.argoproj.io/sync-wave: "0"
   - target:
       group: operator.openstack.org
       version: v1beta1
@@ -78,7 +98,16 @@ patches:
         path: /metadata/annotations
         value:
           argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-  # Deploy NodeNetworkConfigurationPolicy early
+          argocd.argoproj.io/sync-wave: "-5"
+  # --- Wave 1: MetalLB, network policies, and Vault connection ---
+  - target:
+      kind: MetalLB
+    patch: |-
+      - op: add
+        path: /metadata/annotations
+        value:
+          argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+          argocd.argoproj.io/sync-wave: "1"
   - target:
       group: nmstate.io
       version: v1
@@ -89,6 +118,17 @@ patches:
         value:
           argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
           argocd.argoproj.io/sync-wave: "1"
+  - target:
+      group: secrets.hashicorp.com
+      version: v1beta1
+      kind: VaultConnection
+    patch: |-
+      - op: add
+        path: /metadata/annotations
+        value:
+          argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+          argocd.argoproj.io/sync-wave: "1"
+  # --- Wave 2: Network attachment definitions and Vault authentication ---
   - target:
       group: k8s.cni.cncf.io
       version: v1
@@ -100,82 +140,86 @@ patches:
           argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
           argocd.argoproj.io/sync-wave: "2"
   - target:
-      group: metallb.io
-      kind: IPAddressPool
+      group: secrets.hashicorp.com
+      version: v1beta1
+      kind: VaultAuth
     patch: |-
       - op: add
         path: /metadata/annotations
         value:
           argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-          argocd.argoproj.io/sync-wave: "3"
+          argocd.argoproj.io/sync-wave: "2"
+  # --- Wave 3: MetalLB IP pools and Vault secrets ---
   - target:
       group: metallb.io
-      kind: L2Advertisement
+      kind: IPAddressPool
     patch: |-
       - op: add
         path: /metadata/annotations
         value:
           argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-          argocd.argoproj.io/sync-wave: "4"
+          argocd.argoproj.io/sync-wave: "3"
   - target:
-      group: network.openstack.org
+      group: secrets.hashicorp.com
       version: v1beta1
-      kind: NetConfig
+      kind: VaultStaticSecret
     patch: |-
       - op: add
         path: /metadata/annotations
         value:
           argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-          argocd.argoproj.io/sync-wave: "5"
+          argocd.argoproj.io/sync-wave: "3"
+  # --- Wave 4: MetalLB L2 advertisement ---
   - target:
-      group: core.openstack.org
-      version: v1beta1
-      kind: OpenStackControlPlane
+      group: metallb.io
+      kind: L2Advertisement
     patch: |-
       - op: add
         path: /metadata/annotations
         value:
           argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-          argocd.argoproj.io/sync-wave: "10"
-    # --- Vault Connection Setup
+          argocd.argoproj.io/sync-wave: "4"
+  # --- Wave 5: OpenStack network configuration ---
   - target:
-      group: secrets.hashicorp.com
+      group: network.openstack.org
       version: v1beta1
-      kind: VaultConnection
+      kind: NetConfig
     patch: |-
       - op: add
         path: /metadata/annotations
         value:
           argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-          argocd.argoproj.io/sync-wave: "1"
+          argocd.argoproj.io/sync-wave: "5"
+  # --- Wave 10: OpenStack ControlPlane deployment ---
   - target:
-      group: secrets.hashicorp.com
+      group: core.openstack.org
       version: v1beta1
-      kind: VaultAuth
+      kind: OpenStackControlPlane
     patch: |-
       - op: add
         path: /metadata/annotations
         value:
           argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-          argocd.argoproj.io/sync-wave: "2"
+          argocd.argoproj.io/sync-wave: "10"
+  # --- Wave 15: OpenStack DataPlane NodeSet ---
   - target:
-      group: secrets.hashicorp.com
+      group: dataplane.openstack.org
       version: v1beta1
-      kind: VaultStaticSecret
+      kind: OpenStackDataPlaneNodeSet
     patch: |-
       - op: add
         path: /metadata/annotations
         value:
           argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-          argocd.argoproj.io/sync-wave: "3"
-    # --- Advanced Cluster Manager setup
+          argocd.argoproj.io/sync-wave: "15"
+  # --- Wave 20: OpenStack DataPlane Deployment (deployed last, deleted first) ---
   - target:
-      group: operator.open-cluster-management.io
-      version: v1
-      kind: MultiClusterHub
+      group: dataplane.openstack.org
+      version: v1beta1
+      kind: OpenStackDataPlaneDeployment
     patch: |-
       - op: add
         path: /metadata/annotations
         value:
           argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-          argocd.argoproj.io/sync-wave: "-10"
+          argocd.argoproj.io/sync-wave: "20"

base/initialize/gitops/enable/clusterrole.yaml

@@ -41,6 +41,14 @@ rules:
       - ""
     resources:
       - secrets
+      - persistentvolumeclaims
+      - pods
+    verbs:
+      - '*'
+  - apiGroups:
+      - project.openshift.io
+    resources:
+      - projects
     verbs:
       - '*'
   - apiGroups:
@@ -78,6 +86,8 @@ rules:
       - secrets.hashicorp.com
     resources:
       - 'vaultstaticsecrets'
+      - 'vaultconnections'
+      - 'vaultauths'
     verbs:
       - '*'
   - apiGroups: