feat!: migrate to argocd-operator on k3s; drop OpenShift-isms (Phase A)

[xnoto]

Summary

Phase A of the k3s migration: re-targets kustomize-cluster from OpenShift Local (CRC) onto vanilla k3s, consumed by argocd-operator (community, upstream of OpenShift GitOps — same argoproj.io/v1beta1 ArgoCD CRD, so the existing repo: block with KSOPS/Dex/RBAC works unchanged).

This is the minimum set of changes for ArgoCD to bootstrap successfully on k3s. Phase B (replace OLM Subscriptions for cert-manager/awx/grafana with upstream Helm) and Phase C (clean up openshift-monitoring Prometheus scrape refs, system:openshift:scc references in workloads) follow as separate PRs.

Bundles the previously-staged repo-local opencode config (the prior commit on this branch).

Renames

• namespace openshift-gitops → argocd (~22 files)
• ArgoCD CR name: openshift-gitops → name: argocd
• SA openshift-gitops-argocd-application-controller → argocd-argocd-application-controller
• directory workloads/openshift-gitops/ → workloads/argocd/
• service ref argocd-server.openshift-gitops.svc.cluster.local → argocd-server.argocd.svc.cluster.local
• TunnelBinding subject openshift-gitops-server → argocd-server
• PostSync hooks: oc → kubectl, OpenShift CLI ImageStream → bitnami/kubectl:latest
• ci-token-sync image: image-registry.openshift-image-registry.svc:5000/public-registry/gh-cli → ghcr.io/makeitworkcloud/gh-cli

Deletions (OpenShift-only constructs)

• bootstrap/console-branding/ — OpenShift web console branding
• bootstrap/secrets/openshift-oauth/ — cluster-wide OpenShift OAuth provider config; ArgoCD's own Dex GitHub SSO remains the SSO path
• bootstrap/public-registry.yaml — OpenShift internal-registry-backed namespace
• operators/cert-manager/{ingress-patch,openshift-ingress-config}.yaml — patched OpenShift's IngressController + componentRoutes
• operators/cert-manager/wildcard-certificate.yaml — the wildcard *.apps.makeitwork.cloud LE cert was a CRC ingress workaround. With public traffic flowing through Cloudflare Tunnels (already in this repo via cloudflare-operator + TunnelBinding), TLS terminates at Cloudflare's edge and an in-cluster wildcard cert is dead code.
• workloads/arc/imagestream.yaml — OpenShift ImageStream

Bootstrap chain

tfroot-libvirt k3s cloud-init runcmd:
  1. Install k3s
  2. Create ns argocd + sops-age-keys Secret (in argocd ns)
  3. kubectl apply -k argocd-operator (community)
  4. kubectl apply -k kustomize-cluster//bootstrap?ref=main
       → applies argocd-config.yaml (operator reconciles → argocd-server with KSOPS init)
       → applies bootstrap-secrets-app, gitops-operators, gitops-workloads (sit dormant until argocd-server is up)
  5. argocd-server starts → picks up Applications → self-manages from here

The argocd-operator install + sops-age-keys Secret + bootstrap apply is in the companion tfroot-libvirt PR #2. The sops_age_key value needs to be added to tfroot-libvirt/secrets/secrets.yaml (sops-encrypted; same age recipient as the rest).

Test plan

• kustomize build bootstrap/ passes locally
• kustomize build workloads/apps/ passes locally
• All pre-commit hooks (yaml lint, KubeLinter, EOF/whitespace) pass
• CI Pre-commit Tests job passes (now ubuntu-latest)
• Apply locally (after tfroot-libvirt is also applied) — verify ArgoCD comes up, repo-server has KSOPS init-container, root sync starts
• Expected red items in ArgoCD UI after sync: cert-manager / awx / grafana OLM Subscriptions (Phase B will replace), grafana scrape refs to openshift-monitoring (Phase C)

Migration notes for operators

• The OLM-installed operators (cert-manager, awx, grafana) will fail to sync on k3s because there's no OLM. Their operator.yaml Subscription resources land in etcd but go nowhere. Expected; see Phase B.
• The wildcard cert is gone. Anything that previously consumed wildcard-apps-makeitwork-cloud-tls Secret (none currently in repo) will need re-plumbing through Cloudflare.