rackerlabs · cardoe · Mar 31, 2026 · Mar 30, 2026 · Mar 30, 2026 · Mar 31, 2026
diff --git a/charts/argocd-understack/templates/_helpers.tpl b/charts/argocd-understack/templates/_helpers.tpl
@@ -155,3 +155,56 @@ Defaults to false if any path segment is missing.
 {{- $result = and $result $componentEnabled -}}
 {{- ternary "true" "false" $result -}}
 {{- end }}
+
+{{/*
+Resolve whether a component sub-option (e.g. installApp, installConfigs) is active
+within a single scope.
+
+Arguments:
+  - scope (.Values.global or .Values.site)
+  - component name (e.g., "external_secrets", "cert_manager")
+  - sub-option key (e.g., "installApp", "installConfigs")
+  - default value (true or false) used when the key is absent
+
+Returns "true" if the scope+component are enabled and the sub-option is active,
+empty string otherwise.
+
+Usage:
+  {{ include "understack.componentOption" (list $.Values.global "external_secrets" "installApp" true) }}
+*/}}
+{{- define "understack.componentOption" -}}
+{{- $scope := index . 0 -}}
+{{- $componentName := index . 1 -}}
+{{- $optionKey := index . 2 -}}
+{{- $default := index . 3 -}}
+{{- $scopeEnabled := get $scope "enabled" -}}
+{{- $component := get $scope $componentName | default dict -}}
+{{- $result := and $scopeEnabled (dig $optionKey $default $component) -}}
+{{- ternary "true" "false" $result -}}
+{{- end }}
+
+{{/*
+Resolve whether a component sub-option is active across both global and site scopes.
+Convenience wrapper around understack.componentOption for components that exist in
+both scopes.
+
+Arguments:
+  - root ($) — the root context
+  - component name (e.g., "external_secrets", "cert_manager")
+  - sub-option key (e.g., "installApp", "installConfigs")
+  - default value (true or false) used when the key is absent
+
+Returns "true" if the sub-option is active in any enabled scope, empty string otherwise.
+
+Usage:
+  {{ include "understack.componentOptionAny" (list $ "external_secrets" "installApp" true) }}
+*/}}
+{{- define "understack.componentOptionAny" -}}
+{{- $root := index . 0 -}}
+{{- $componentName := index . 1 -}}
+{{- $optionKey := index . 2 -}}
+{{- $default := index . 3 -}}
+{{- $globalActive := eq (include "understack.componentOption" (list $root.Values.global $componentName $optionKey $default)) "true" -}}
+{{- $siteActive := eq (include "understack.componentOption" (list $root.Values.site $componentName $optionKey $default)) "true" -}}
+{{- ternary "true" "false" (or $globalActive $siteActive) -}}
+{{- end }}
diff --git a/charts/argocd-understack/templates/application-cert-manager.yaml b/charts/argocd-understack/templates/application-cert-manager.yaml
@@ -1,4 +1,6 @@
-{{- if or (eq (include "understack.isEnabled" (list $.Values.global "cert_manager")) "true") (eq (include "understack.isEnabled" (list $.Values.site "cert_manager")) "true") }}
+{{- $installApp := eq (include "understack.componentOptionAny" (list $ "cert_manager" "installApp" true)) "true" }}
+{{- $installConfigs := eq (include "understack.componentOptionAny" (list $ "cert_manager" "installConfigs" false)) "true" }}
+{{- if or $installApp $installConfigs }}
 ---
 apiVersion: argoproj.io/v1alpha1
 kind: Application
@@ -17,6 +19,7 @@ spec:
     server: {{ $.Values.cluster_server }}
   project: understack-infra
   sources:
+  {{- if $installApp }}
   - chart: cert-manager
     helm:
       releaseName: cert-manager
@@ -29,6 +32,12 @@ spec:
           enabled: true
     repoURL: https://charts.jetstack.io
     targetRevision: v1.20.0
+  {{- end }}
+  {{- if $installConfigs }}
+  - path: {{ include "understack.deploy_path" $ }}/cert-manager
+    repoURL: {{ include "understack.deploy_url" $ }}
+    targetRevision: {{ include "understack.deploy_ref" $ }}
+  {{- end }}
   syncPolicy:
     automated:
       prune: true

diff --git a/charts/argocd-understack/templates/application-external-secrets.yaml b/charts/argocd-understack/templates/application-external-secrets.yaml
@@ -1,4 +1,6 @@
-{{- if or (eq (include "understack.isEnabled" (list $.Values.global "external_secrets")) "true") (eq (include "understack.isEnabled" (list $.Values.site "external_secrets")) "true") }}
+{{- $installApp := eq (include "understack.componentOptionAny" (list $ "external_secrets" "installApp" true)) "true" }}
+{{- $installConfigs := eq (include "understack.componentOptionAny" (list $ "external_secrets" "installConfigs" false)) "true" }}
+{{- if or $installApp $installConfigs }}
 ---
 apiVersion: argoproj.io/v1alpha1
 kind: Application
@@ -14,10 +16,17 @@ spec:
     server: {{ $.Values.cluster_server }}
   project: understack-operators
   sources:
+  {{- if $installApp }}
   - path: operators/external-secrets
     ref: understack
     repoURL: {{ include "understack.understack_url" $ }}
     targetRevision: {{ include "understack.understack_ref" $ }}
+  {{- end }}
+  {{- if $installConfigs }}
+  - path: {{ include "understack.deploy_path" $ }}/external-secrets
+    repoURL: {{ include "understack.deploy_url" $ }}
+    targetRevision: {{ include "understack.deploy_ref" $ }}
+  {{- end }}
   syncPolicy:
     automated:
       prune: true

diff --git a/charts/argocd-understack/values.yaml b/charts/argocd-understack/values.yaml
@@ -47,9 +47,12 @@ global:
 
   # -- Cert-Manager
   cert_manager:
-    # -- Enable/disable deploying Cert-Manager
+    # -- Enable/disable deploying the cert-manager Helm chart (operator)
     # @default -- false
-    enabled: false
+    installApp: false
+    # -- Enable/disable deploying site-specific cert-manager configs from the deploy repo
+    # @default -- false
+    installConfigs: false
 
   # Cilium configurations
   cilium:
@@ -101,9 +104,12 @@ global:
 
   # -- External Secrets operator
   external_secrets:
-    # -- Enable/disable deploying External Secrets
+    # -- Enable/disable deploying the External Secrets Operator Helm chart
     # @default -- false
-    enabled: false
+    installApp: false
+    # -- Enable/disable deploying site-specific ESO configs from the deploy repo
+    # @default -- false
+    installConfigs: false
 
   # -- Global workflows for Argo Events and Workflows
   global_workflows:
@@ -196,23 +202,32 @@ site:
   # @default -- false
   enabled: false
 
-  # -- Argo Events configuration for event-driven workflows
+  # -- Argo Events operator
   argo_events:
     # -- Enable/disable deploying Argo Events
     # @default -- false
     enabled: false
 
-  # -- Argo Workflows configuration
+  # -- Event-driven workflows that live in argo-events namespace (need to move)
+  argo_events_workflows:
+    # -- Enable/disable deploying Workflows
+    # @default -- false
+    enabled: false
+
+  # -- Argo Workflows operator
   argo_workflows:
     # -- Enable/disable deploying Argo Workflows
     # @default -- false
     enabled: false
 
   # -- Cert-Manager
   cert_manager:
-    # -- Enable/disable deploying Cert-Manager
+    # -- Enable/disable deploying the cert-manager Helm chart (operator)
     # @default -- false
-    enabled: false
+    installApp: false
+    # -- Enable/disable deploying site-specific cert-manager configs from the deploy repo
+    # @default -- false
+    installConfigs: false
 
   # Cilium configurations
   cilium:
@@ -434,9 +449,12 @@ site:
 
   # -- External Secrets operator
   external_secrets:
-    # -- Enable/disable deploying External Secrets
+    # -- Enable/disable deploying the External Secrets Operator Helm chart
     # @default -- false
-    enabled: false
+    installApp: false
+    # -- Enable/disable deploying site-specific ESO configs from the deploy repo
+    # @default -- false
+    installConfigs: false
 
   # -- Alerts management (karma)
   karma:

diff --git a/docs/deploy-guide/components/cert-manager.md b/docs/deploy-guide/components/cert-manager.md
@@ -10,7 +10,7 @@ deploy_overrides:
 
 # cert-manager
 
-Certificate management operator installation.
+Certificate management operator installation and site-specific cert-manager configuration.
 
 ## Deployment Scope
 
@@ -24,25 +24,48 @@ Certificate management operator installation.
 
 ## How to Enable
 
-Enable this component under the scope that matches your deployment model:
+Enable this component by setting one or both options under the scope that matches your deployment model:
 
 ```yaml title="$CLUSTER_NAME/deploy.yaml"
 global:
   cert_manager:
-    enabled: true
+    installApp: true
 site:
   cert_manager:
-    enabled: true
+    installApp: true
+```
+
+### Options
+
+| Key | Default | Description |
+|-----|---------|-------------|
+| `installApp` | `false` | Deploy the cert-manager Helm chart |
+| `installConfigs` | `false` | Deploy site-specific cert-manager configs from the deploy repo |
+
+To use an externally-managed cert-manager installation while still deploying your site's cert-manager resources:
+
+```yaml title="$CLUSTER_NAME/deploy.yaml"
+global:
+  cert_manager:
+    installApp: false
+    installConfigs: true
 ```
 
 ## Deployment Repo Content
 
 {{ secrets_disclaimer }}
 
+When `installConfigs: true`, the Application reads from:
+
+```text
+$DEPLOY_REPO/<cluster-name>/cert-manager/
+```
+
 Required or commonly required items:
 
-- None for this Application today. It installs the upstream chart with inline values and does not consume deploy-repo `values.yaml` or overlay content.
+- None required. With `installApp: true` the chart is installed with inline values and does not consume deploy-repo content.
 
 Optional additions:
 
-- Document issuer manifests and challenge-credential Secrets in the `cluster-issuer` component page rather than here.
+- For `ClusterIssuer` and `Issuer` resources, prefer the dedicated [`cluster-issuer`](cluster-issuer.md) component.
+- Other cert-manager configuration resources can be placed in the `cert-manager/` deploy-repo path when `installConfigs: true`.
diff --git a/docs/deploy-guide/components/external-secrets.md b/docs/deploy-guide/components/external-secrets.md
@@ -10,7 +10,7 @@ deploy_overrides:
 
 # external-secrets
 
-External Secrets operator installation.
+External Secrets operator installation and site-specific ESO configuration.
 
 ## Deployment Scope
 
@@ -24,25 +24,52 @@ External Secrets operator installation.
 
 ## How to Enable
 
-Enable this component under the scope that matches your deployment model:
+Enable this component by setting one or both options under the scope that matches your deployment model:
 
 ```yaml title="$CLUSTER_NAME/deploy.yaml"
 global:
   external_secrets:
-    enabled: true
+    installApp: true
 site:
   external_secrets:
-    enabled: true
+    installApp: true
+```
+
+### Options
+
+| Key | Default | Description |
+|-----|---------|-------------|
+| `installApp` | `false` | Deploy the External Secrets Operator from the understack repo |
+| `installConfigs` | `false` | Deploy site-specific ESO configs from the deploy repo |
+
+To use an externally-managed ESO installation (e.g. the operator is already installed by another team) while still deploying your site's ESO resources:
+
+```yaml title="$CLUSTER_NAME/deploy.yaml"
+global:
+  external_secrets:
+    installApp: false
+    installConfigs: true
 ```
 
 ## Deployment Repo Content
 
 {{ secrets_disclaimer }}
 
+When `installConfigs: true`, the Application reads from:
+
+```text
+$DEPLOY_REPO/<cluster-name>/external-secrets/
+```
+
+Place any site-specific ESO resources here, for example:
+
+- `ClusterSecretStore` manifests connecting to your secrets backend
+- `ExternalSecret` objects for secrets that don't belong to a specific component
+
 Required or commonly required items:
 
-- None for this Application today. It deploys the shared operator manifests directly and does not read deploy-repo values or overlay manifests for this component.
+- None required. With `installApp: true` the operator manifests are deployed directly from the understack repo with no deploy-repo content needed.
 
 Optional additions:
 
-- Document provider-specific SecretStores and authentication material only where a consuming component needs the resulting Secret shape.
+- Provider-specific `ClusterSecretStore` and authentication `Secret` objects in the `external-secrets/` deploy-repo path when `installConfigs: true`.
diff --git a/go/understackctl/cmd/deploy/check.go b/go/understackctl/cmd/deploy/check.go
@@ -39,16 +39,20 @@ func runDeployCheck(clusterName string) error {
 	missing := []string{}
 
 	for _, comp := range components {
-		compDir := filepath.Join(clusterName, comp)
-		kustomPath := filepath.Join(compDir, "kustomization.yaml")
-		valuesPath := filepath.Join(compDir, "values.yaml")
+		compDir := filepath.Join(clusterName, comp.Name)
 
-		if _, err := os.Stat(kustomPath); os.IsNotExist(err) {
-			missing = append(missing, kustomPath)
+		if comp.InstallApp {
+			valuesPath := filepath.Join(compDir, "values.yaml")
+			if _, err := os.Stat(valuesPath); os.IsNotExist(err) {
+				missing = append(missing, valuesPath)
+			}
 		}
 
-		if _, err := os.Stat(valuesPath); os.IsNotExist(err) {
-			missing = append(missing, valuesPath)
+		if comp.InstallConfigs {
+			kustomPath := filepath.Join(compDir, "kustomization.yaml")
+			if _, err := os.Stat(kustomPath); os.IsNotExist(err) {
+				missing = append(missing, kustomPath)
+			}
 		}
 	}