Default Label Values

These defaults come from the demo profile (config.toml) and can be overridden per environment. Keep the keys; adjust the values as needed for your org.

Business Labels

  • owner: defaults to platform-team
  • business-unit: defaults to infrastructure
  • environment: defaults to demo

Application Labels

  • app.kubernetes.io/part-of: defaults to idp

Label Requirements by Resource Type

Namespaces

All namespaces MUST include:

labels:
  app.kubernetes.io/part-of: idp
  owner: platform-team
  business-unit: infrastructure
  environment: demo

Workloads

Deployments, StatefulSets, and DaemonSets SHOULD include:

labels:
  app.kubernetes.io/name: <component-name>
  app.kubernetes.io/instance: <instance-name>
  app.kubernetes.io/version: <version>
  app.kubernetes.io/component: <component-type>

Other Resources

All other Kubernetes resources SHOULD include at minimum:

labels:
  app.kubernetes.io/part-of: idp
  app.kubernetes.io/component: <component-type>

Comment Style for Values Files

Standard: # @section -- Section Name

Example:

# @section -- Global Configuration
# @description Global settings for the component
ha:
  # -- Enable high availability mode
  enabled: false

The `# --` comment goes directly above the key it documents: placed above ha: it would describe the ha object as a whole, not the ha.enabled boolean.

Rationale: This style is compatible with helm-docs and provides consistent documentation generation.

Priority Classes Assignment

PriorityClasses are defined as code in IT/priorityclasses/priorityclasses.yaml and are part of the scheduling model described in Scheduling, Priority, and Node Pools.

Use them to express relative importance rather than absolute guarantees: a PriorityClass changes where a pod sits in the scheduling queue and whether it may preempt lower-priority pods when the cluster is full; it does not reserve CPU or memory. The main classes are:

  • platform-infrastructure – Vault, ArgoCD, cert-manager, External Secrets Operator and other core control planes
  • platform-events – Argo Events controller, webhook, EventBus
  • platform-policy – Kyverno admission/background controllers
  • platform-security – Trivy security scanners
  • platform-observability – Prometheus, Loki, Fluent Bit, Policy Reporter and related telemetry
  • platform-cicd – long‑lived CI/CD services (Argo Workflows, SonarQube, backing databases)
  • platform-dashboards – Grafana, Alertmanager and other dashboards
  • user-workloads – user applications deployed via GitOps
  • cicd-execution – short‑lived CI/CD execution pods (e.g. workflow pods, ephemeral builds)
  • unclassified-workload – default for any workload without an explicit PriorityClass

Guidelines:

  • Platform components SHOULD set one of the platform-* PriorityClasses.
  • Eventing components SHOULD use platform-events.
  • CI/CD execution pods SHOULD use cicd-execution.
  • User workloads MAY use user-workloads or rely on the global default unclassified-workload, depending on environment guarantees.
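A small checker for the label requirements above and the PriorityClass guidelines in this section, as an added example (not code from the idp-blueprint repository). It treats Namespace labels as MUST (errors, with values compared against the demo-profile defaults) and the workload and other-resource labels as SHOULD (warnings), and checks that a workload's priorityClassName is one of the classes listed on this page. Manifests are passed as dicts; the Finding type, the function names and the sample manifests are the example's own, and reading real files (for instance with PyYAML's safe_load_all) is left to the caller.

```python
"""Label and PriorityClass convention checker (added example, not repository code).

Checks the MUST/SHOULD label sets per resource kind and the PriorityClass
guideline for workloads. Manifests are dicts; YAML loading is left to the caller.
"""
from dataclasses import dataclass

# Default label values from the demo profile (config.toml); override per environment.
DEFAULT_LABELS = {
    "app.kubernetes.io/part-of": "idp",
    "owner": "platform-team",
    "business-unit": "infrastructure",
    "environment": "demo",
}
WORKLOAD_KINDS = {"Deployment", "StatefulSet", "DaemonSet"}
WORKLOAD_LABELS = ("app.kubernetes.io/name", "app.kubernetes.io/instance",
                   "app.kubernetes.io/version", "app.kubernetes.io/component")
OTHER_LABELS = ("app.kubernetes.io/part-of", "app.kubernetes.io/component")
# Names defined in IT/priorityclasses/priorityclasses.yaml, as listed on this page.
PRIORITY_CLASSES = {
    "platform-infrastructure", "platform-events", "platform-policy",
    "platform-security", "platform-observability", "platform-cicd",
    "platform-dashboards", "user-workloads", "cicd-execution", "unclassified-workload",
}


@dataclass(frozen=True)
class Finding:
    severity: str   # "error" for a MUST violation, "warning" for a SHOULD
    resource: str   # "<kind>/<name>"
    message: str


def check_manifest(manifest, defaults=DEFAULT_LABELS):
    """Return the Findings for one manifest; an empty list means compliant."""
    kind = manifest.get("kind", "?")
    meta = manifest.get("metadata") or {}
    labels = meta.get("labels") or {}
    ref = f"{kind}/{meta.get('name', '?')}"
    findings = []
    if kind == "Namespace":
        # MUST: all four labels present, values matching the environment defaults.
        for key, expected in defaults.items():
            actual = labels.get(key)
            if actual is None:
                findings.append(Finding("error", ref, f"missing MUST label {key}"))
            elif actual != expected:
                findings.append(Finding("error", ref, f"{key}={actual!r}, expected {expected!r}"))
    elif kind in WORKLOAD_KINDS:
        for key in WORKLOAD_LABELS:
            if not labels.get(key):
                findings.append(Finding("warning", ref, f"missing SHOULD label {key}"))
        # Guideline: declare one of the defined PriorityClasses; otherwise the pod
        # silently lands in the global default unclassified-workload. A name that
        # does not exist in the cluster makes pod creation fail, so that is an error.
        pod_spec = ((manifest.get("spec") or {}).get("template") or {}).get("spec") or {}
        pc = pod_spec.get("priorityClassName")
        if pc is None:
            findings.append(Finding("warning", ref, "no priorityClassName (global default applies)"))
        elif pc not in PRIORITY_CLASSES:
            findings.append(Finding("error", ref, f"unknown PriorityClass {pc!r}"))
    else:
        for key in OTHER_LABELS:
            if not labels.get(key):
                findings.append(Finding("warning", ref, f"missing SHOULD label {key}"))
    return findings


def check_all(manifests, defaults=DEFAULT_LABELS):
    """Validate many manifests; returns (errors, warnings) as two lists."""
    findings = [f for m in manifests for f in check_manifest(m, defaults)]
    return ([f for f in findings if f.severity == "error"],
            [f for f in findings if f.severity == "warning"])


# Constructed sample manifests: one MUST violation, one clean workload, one SHOULD gap.
SAMPLE_MANIFESTS = [
    {"apiVersion": "v1", "kind": "Namespace",
     "metadata": {"name": "vault", "labels": {
         "app.kubernetes.io/part-of": "idp", "owner": "platform-team",
         "business-unit": "infrastructure", "environment": "prod"}}},
    {"apiVersion": "apps/v1", "kind": "Deployment",
     "metadata": {"name": "grafana", "labels": {
         "app.kubernetes.io/name": "grafana", "app.kubernetes.io/instance": "grafana",
         "app.kubernetes.io/version": "11.1.0", "app.kubernetes.io/component": "dashboard"}},
     "spec": {"template": {"spec": {"priorityClassName": "platform-dashboards"}}}},
    {"apiVersion": "v1", "kind": "ConfigMap",
     "metadata": {"name": "grafana-datasources",
                  "labels": {"app.kubernetes.io/part-of": "idp"}}},
]

if __name__ == "__main__":
    errors, warnings = check_all(SAMPLE_MANIFESTS)
    for f in errors + warnings:
        print(f"{f.severity.upper():7} {f.resource}: {f.message}")
    raise SystemExit(1 if errors else 0)
```

Run against a kustomize build output and fail the pipeline on errors only; warnings are SHOULDs and can be reported without blocking.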

External Secrets RefreshInterval Strategy

Interval  Use case                Examples                               Rationale
1h        Rarely-changed secrets  ArgoCD admin password                  Minimize API calls to Vault
5m        Infrastructure secrets  Certificate credentials                Balance between freshness and load
3m        Application secrets     SonarQube tokens, Grafana credentials  Higher change frequency

Guidelines:

  • Use 1h for bootstrap/admin secrets that are manually rotated
  • Use 5m for infrastructure components (default for most cases)
  • Use 3m for application-level secrets that may rotate programmatically
  • Never use an interval below 1m: every ExternalSecret polls the backend on its own schedule, so Vault read load is the sum across all ExternalSecrets in the cluster and sub-minute values overwhelm the Vault API quickly
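An added example (not repository or External Secrets Operator code) that applies the interval rules above: it parses the Go-style duration string used by spec.refreshInterval, rejects anything under 1m, warns on intervals outside the documented tiers, and sums the resulting Vault read rate across a set of ExternalSecrets. The 1h default for an unset refreshInterval and the meaning of 0 (fetch once, never refresh) follow the External Secrets Operator CRD; the function names and the sample intervals are the example's own.

```python
"""refreshInterval policy check for ExternalSecret resources.

Added example, not code from the idp-blueprint repository or from the External
Secrets Operator. spec.refreshInterval is a Go-style duration string ("1h",
"5m", "90s"); this parser accepts the h/m/s/ms units (a subset of Go's
time.ParseDuration) plus the bare "0" that disables refresh, then enforces the
1m floor and the documented 1h/5m/3m tiers.
"""
import re

MIN_SECONDS = 60                              # "Never use <1m"
TIERS = {"1h": 3600, "5m": 300, "3m": 180}    # documented intervals
ESO_DEFAULT = "1h"                            # CRD default when refreshInterval is unset

_UNIT_SECONDS = {"h": 3600, "m": 60, "s": 1, "ms": 0.001}
_PART = re.compile(r"(\d+(?:\.\d+)?)(ms|h|m|s)")   # "ms" before "m" so 500ms is not 500m


def parse_duration(text):
    """Return the duration in seconds; raise ValueError for anything malformed."""
    if text == "0":
        return 0.0
    if not text or text.strip() != text:
        raise ValueError(f"malformed duration {text!r}")
    pos, total = 0, 0.0
    while pos < len(text):
        match = _PART.match(text, pos)
        if match is None:
            raise ValueError(f"malformed duration {text!r}")
        value, unit = match.groups()
        total += float(value) * _UNIT_SECONDS[unit]
        pos = match.end()
    return total


def classify(interval):
    """Map one refreshInterval to ("ok" | "warn" | "reject", reason)."""
    try:
        seconds = parse_duration(interval)
    except ValueError as exc:
        return "reject", str(exc)
    if seconds == 0:
        return "warn", "refresh disabled: the secret is fetched once at creation and never updated"
    if seconds < MIN_SECONDS:
        return "reject", f"{interval} is below the 1m floor and would hammer the Vault API"
    if interval not in TIERS:
        return "warn", f"{interval} is not one of the documented tiers {sorted(TIERS)}"
    return "ok", f"{interval} matches a documented tier"


def check_external_secret(manifest):
    """Classify one ExternalSecret manifest (dict); an unset interval means the CRD default."""
    interval = (manifest.get("spec") or {}).get("refreshInterval")
    return classify(ESO_DEFAULT if interval is None else str(interval))


def vault_reads_per_hour(intervals):
    """Aggregate backend load: every ExternalSecret polls on its own schedule, so load adds up."""
    return sum(3600 / parse_duration(i) for i in intervals if parse_duration(i) > 0)


if __name__ == "__main__":
    # Constructed sample: one admin secret, many infrastructure and app-level secrets, one bad value.
    intervals = ["1h"] + ["5m"] * 20 + ["3m"] * 10 + ["30s"]
    for i in sorted(set(intervals)):
        print(i, *classify(i))
    accepted = [i for i in intervals if classify(i)[0] != "reject"]
    print("Vault reads/hour:", vault_reads_per_hour(accepted))
```

The aggregate number is the one to watch: thirty ExternalSecrets at 3m already cost 600 Vault reads per hour, which is why the floor is enforced per resource rather than left to judgement.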

ArgoCD Sync Wave Annotations

Sync waves control the order in which ArgoCD applies resources during a sync: lower waves are applied first, and ArgoCD waits for every resource in a wave to become healthy before starting the next one.

For the full wave model used in this repository, see GitOps, Policy, and Eventing.

Wave  Resources                  Purpose
-3    IT namespaces              Bootstrap namespaces for infrastructure
-2    K8s governance namespaces  Application namespaces with resource quotas
-1    Priority classes, RBAC     Platform-wide configurations
 0    Standard applications      Default deployment order
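An added example (not repository or ArgoCD code) showing what the wave annotations do to apply order: it parses argocd.argoproj.io/sync-wave (missing means 0), rejects unquoted or non-integer values instead of guessing, sorts resources the way ArgoCD orders them by wave, and flags resources whose wave disagrees with the table above. Within a wave ArgoCD orders by a fixed kind precedence and then by name; the alphabetical kind order here is an approximation. The EXPECTED_WAVES mapping, the _res helper and the sample resources are the example's own.

```python
"""Apply-order and wave-placement check from ArgoCD sync-wave annotations.

Added example, not code from the idp-blueprint repository or from ArgoCD.
Reproduces the wave ordering (kind order within a wave is alphabetical here,
an approximation of ArgoCD's fixed precedence list), treats a missing
annotation as wave 0, and rejects values that are not quoted integers.
"""
import re

SYNC_WAVE = "argocd.argoproj.io/sync-wave"
_INT = re.compile(r"^-?\d+$")
# Wave placement from the table on this page; kinds not listed are not checked.
EXPECTED_WAVES = {
    "Namespace": {-3, -2},
    "PriorityClass": {-1}, "Role": {-1}, "RoleBinding": {-1},
    "ClusterRole": {-1}, "ClusterRoleBinding": {-1},
}


def _ref(manifest):
    meta = manifest.get("metadata") or {}
    return f"{manifest.get('kind', '?')}/{meta.get('name', '?')}"


def wave_of(manifest):
    """Parse the sync-wave annotation: missing -> 0, anything but a quoted integer -> ValueError."""
    annotations = (manifest.get("metadata") or {}).get("annotations") or {}
    raw = annotations.get(SYNC_WAVE)
    if raw is None:
        return 0
    # Annotation values must be strings: an unquoted `sync-wave: -1` in YAML loads
    # as an int and the API server rejects the object, hence the type check.
    if not isinstance(raw, str) or not _INT.match(raw.strip()):
        raise ValueError(f"{_ref(manifest)}: sync-wave must be a quoted integer, got {raw!r}")
    return int(raw)


def apply_order(manifests):
    """Return resource refs in apply order: wave ascending, then kind, then name."""
    keyed = [(wave_of(m), m.get("kind", ""), (m.get("metadata") or {}).get("name", ""), m)
             for m in manifests]
    return [_ref(m) for _, _, _, m in sorted(keyed, key=lambda k: k[:3])]


def check_wave_placement(manifests):
    """Flag resources whose wave disagrees with the repository's wave table."""
    findings = []
    for m in manifests:
        allowed = EXPECTED_WAVES.get(m.get("kind"))
        wave = wave_of(m)
        if allowed is not None and wave not in allowed:
            findings.append(f"{_ref(m)}: wave {wave}, expected one of {sorted(allowed)}")
    return findings


def _res(kind, name, wave=None):
    """Build a constructed sample manifest with an optional sync-wave annotation."""
    meta = {"name": name}
    if wave is not None:
        meta["annotations"] = {SYNC_WAVE: wave}
    return {"kind": kind, "metadata": meta}


# Constructed sample: a ClusterRole left in wave 0 instead of -1.
SAMPLE = [
    _res("Deployment", "grafana"),
    _res("ClusterRole", "grafana-reader", "0"),
    _res("Namespace", "observability", "-2"),
    _res("PriorityClass", "platform-dashboards", "-1"),
    _res("Namespace", "vault", "-3"),
]

if __name__ == "__main__":
    print("\n".join(apply_order(SAMPLE)))
    print(check_wave_placement(SAMPLE))
```

The misplaced ClusterRole is the typical mistake: it still applies, but in wave 0 alongside the workloads that depend on it, so a sync can report a transient failure on the first attempt.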

Annotations

Common Annotations

annotations:
  contact: platform-team
  documentation: https://github.com/rou-cru/idp-blueprint
  description: '<Brief description of the resource>'

ArgoCD-specific Annotations

annotations:
  argocd.argoproj.io/sync-wave: '<wave-number>'
  argocd.argoproj.io/sync-options: 'SkipDryRunOnMissingResource=true'

Quote the wave number: annotation values must be strings, and an unquoted -1 is parsed as an integer and rejected by the API server. SkipDryRunOnMissingResource=true lets a custom resource be synced before its CRD exists in the cluster (the dry run would otherwise fail on the unknown kind); set it only on resources that need it.

Validation

All changes should be validated against:

  1. Kyverno policies in Policies/rules/
  2. Kustomize build: kustomize build <directory>
  3. Helm lint: helm lint <chart-directory> --values <values-file>
  4. The validation script: Scripts/validate-consistency.sh

References