From df751cb0e3abe01aba7013eacc4356d540b1ee78 Mon Sep 17 00:00:00 2001 
From: Robert Grimm Date: Mon, 19 Aug 2024 20:52:52 -0500 Subject: [PATCH] Initial AMQ Broker Operator commit Co-authored-by: Robert Grimm Co-authored-by: Joe Strickland --- amq-broker-operator/.editorconfig | 8 + .../amq-cluster-basic/kustomization.yaml | 33 ++++ .../examples/amq-cluster-basic/namespace.yaml | 4 + .../amq-cluster-basic/operator-group.yaml | 8 + .../kustomization.yaml | 52 +++++++ .../namespace.yaml | 4 + .../operator-group.yaml | 8 + .../kustomization.yaml | 76 +++++++++ .../namespace.yaml | 4 + .../operator-group.yaml | 8 + .../instance/base/activemq-artemis-cr.yaml | 77 +++++++++ .../instance/base/kustomization.yaml | 5 + .../acceptors/mutual-tls/kustomization.yaml | 25 +++ .../acceptors/one-way-tls/kustomization.yaml | 25 +++ .../addresses/broker-address-security-bp.yaml | 15 ++ .../addresses/broker-address-settings-bp.yaml | 12 ++ .../addresses/broker-addresses-bp.yaml | 18 +++ .../components/addresses/kustomization.yaml | 35 +++++ .../authentication/_base/kustomization.yaml | 29 ++++ .../certificate/broker-jaas-config.yaml | 58 +++++++ .../certificate/kustomization.yaml | 8 + .../guest/broker-jaas-config.yaml | 45 ++++++ .../authentication/guest/kustomization.yaml | 8 + .../ldap/broker-jaas-config.yaml | 47 ++++++ .../authentication/ldap/kustomization.yaml | 8 + .../properties/broker-jaas-config.yaml | 56 +++++++ .../properties/kustomization.yaml | 8 + .../acceptor-ssl-truststore.yaml | 8 + .../kustomization.yaml | 24 +++ .../acceptor-ssl-certificate.yaml | 39 +++++ .../acceptor-ssl-keystore.yaml | 8 + .../acceptor-ssl-keystore/kustomization.yaml | 17 ++ .../cluster-ssl-truststore.yaml | 8 + .../kustomization.yaml | 24 +++ .../cluster-ssl-certificate.yaml | 39 +++++ .../cluster-ssl-keystore.yaml | 8 + .../cluster-ssl-keystore/kustomization.yaml | 17 ++ .../console-ssl-certificate.yaml | 29 ++++ .../console-ssl-keystore.yaml | 10 ++ .../console-ssl-keystore/kustomization.yaml | 23 +++ .../acceptor-ssl-keystore.yaml | 8 + 
.../acceptor-ssl-truststore.yaml | 8 + .../kustomization.yaml | 6 + .../cluster-ssl-keystore.yaml | 8 + .../cluster-ssl-truststore.yaml | 8 + .../kustomization.yaml | 6 + .../console-ssl-keystore.yaml | 10 ++ .../console-ssl-keystore/kustomization.yaml | 19 +++ .../init-container/kustomization.yaml | 10 ++ .../init-container/patch-broker.yaml | 88 +++++++++++ .../acceptor-ssl-truststore.yaml | 8 + .../kustomization.yaml | 35 +++++ .../cluster-ssl-truststore.yaml | 8 + .../cluster-ssl-truststore/kustomization.yaml | 35 +++++ .../console-ssl-keystore/kustomization.yaml | 32 ++++ .../letsencrypt-prod/kustomization.yaml | 23 +++ .../letsencrypt-prod/regenerate-truststore.sh | 22 +++ .../letsencrypt-prod/truststore.jks | Bin 0 -> 6411 bytes .../acceptor-ssl-truststore.yaml | 8 + .../kustomization.yaml | 35 +++++ .../cluster-ssl-truststore.yaml | 8 + .../cluster-ssl-truststore/kustomization.yaml | 35 +++++ .../console-ssl-keystore/kustomization.yaml | 32 ++++ .../letsencrypt-staging/kustomization.yaml | 23 +++ .../regenerate-truststore.sh | 17 ++ .../letsencrypt-staging/truststore.jks | Bin 0 -> 3330 bytes .../components/clustering/README.adoc | 147 ++++++++++++++++++ .../broker-cluster-configs-bp.yaml | 32 ++++ .../broker-connector-configs-bp.yaml | 30 ++++ .../cross-ocp-cluster/kustomization.yaml | 73 +++++++++ .../intra-namespace/kustomization.yaml | 24 +++ .../clustering/none/kustomization.yaml | 13 ++ .../components/high-availability/README.adoc | 12 ++ .../_base/broker-ha-configs-bp.yaml | 10 ++ .../ha-cluster/_base/kustomization.yaml | 5 + .../ha-cluster/backup/kustomization.yaml | 16 ++ .../ha-cluster/primary/kustomization.yaml | 16 ++ .../_base/broker-ha-configs-bp.yaml | 9 ++ .../_base/kustomization.yaml | 22 +++ .../follower/kustomization.yaml | 19 +++ .../leader/kustomization.yaml | 19 +++ .../claim-template/broker-logging-config.yaml | 108 +++++++++++++ .../logging/claim-template/kustomization.yaml | 30 ++++ .../console-only/broker-logging-config.yaml | 77 
+++++++++ .../logging/console-only/kustomization.yaml | 16 ++ .../instance/components/metrics/README.adoc | 71 +++++++++ .../address-metrics/kustomization.yaml | 20 +++ .../external-hawtio/kustomization.yaml | 23 +++ .../jolokia/kustomization.yaml | 13 ++ .../prometheus/kustomization.yaml | 16 ++ .../prometheus/service-monitor.yaml | 12 ++ .../jvm/broker-jvm-metrics-bp.yaml | 10 ++ .../broker-internal/jvm/kustomization.yaml | 16 ++ .../web-console/kustomization.yaml | 16 ++ .../broker-other-configs-bp.yaml | 8 + .../kustomization.yaml | 16 ++ .../components/persistence/README.adoc | 50 ++++++ .../persistence/file/kustomization.yaml | 39 +++++ .../jdbc/_base/broker-jdbc-configs-bp.yaml | 35 +++++ .../persistence/jdbc/_base/kustomization.yaml | 13 ++ .../persistence/jdbc/_base/patch-broker.yaml | 52 +++++++ .../jdbc/_copy-driver/kustomization.yaml | 54 +++++++ .../_download-driver/broker-jdbc-jars.yaml | 10 ++ .../jdbc/_download-driver/kustomization.yaml | 59 +++++++ .../jdbc/oracle/broker-jdbc-driver.yaml | 7 + .../jdbc/oracle/kustomization.yaml | 20 +++ .../jdbc/postgresql/broker-jdbc-driver.yaml | 7 + .../jdbc/postgresql/kustomization.yaml | 21 +++ .../persistence/none/kustomization.yaml | 18 +++ .../keystore-inputs.yaml | 8 + .../kustomization.yaml | 56 +++++++ .../kustomization.yaml | 26 ++++ .../clustered-ephemeral/kustomization.yaml | 9 ++ .../backup/kustomization.yaml | 26 ++++ .../primary/kustomization.yaml | 26 ++++ amq-broker-operator/operator/README.adoc | 34 ++++ .../operator/base/kustomization.yaml | 5 + .../operator/base/subscription.yaml | 10 ++ .../components/metrics/kustomization.yaml | 5 + .../components/metrics/pod-monitor.yaml | 10 ++ .../overlays/v7.12/kustomization.yaml | 13 ++ .../overlays/v7.12/patch-channel.yaml | 3 + 122 files changed, 2945 insertions(+) create mode 100644 amq-broker-operator/.editorconfig create mode 100644 amq-broker-operator/examples/amq-cluster-basic/kustomization.yaml create mode 100644 
amq-broker-operator/examples/amq-cluster-basic/namespace.yaml create mode 100644 amq-broker-operator/examples/amq-cluster-basic/operator-group.yaml create mode 100644 amq-broker-operator/examples/amq-cluster-ssl-init-self-signed/kustomization.yaml create mode 100644 amq-broker-operator/examples/amq-cluster-ssl-init-self-signed/namespace.yaml create mode 100644 amq-broker-operator/examples/amq-cluster-ssl-init-self-signed/operator-group.yaml create mode 100644 amq-broker-operator/examples/amq-cluster-ssl-letsencrypt/kustomization.yaml create mode 100644 amq-broker-operator/examples/amq-cluster-ssl-letsencrypt/namespace.yaml create mode 100644 amq-broker-operator/examples/amq-cluster-ssl-letsencrypt/operator-group.yaml create mode 100644 amq-broker-operator/instance/base/activemq-artemis-cr.yaml create mode 100644 amq-broker-operator/instance/base/kustomization.yaml create mode 100644 amq-broker-operator/instance/components/acceptors/mutual-tls/kustomization.yaml create mode 100644 amq-broker-operator/instance/components/acceptors/one-way-tls/kustomization.yaml create mode 100644 amq-broker-operator/instance/components/addresses/broker-address-security-bp.yaml create mode 100644 amq-broker-operator/instance/components/addresses/broker-address-settings-bp.yaml create mode 100644 amq-broker-operator/instance/components/addresses/broker-addresses-bp.yaml create mode 100644 amq-broker-operator/instance/components/addresses/kustomization.yaml create mode 100644 amq-broker-operator/instance/components/authentication/_base/kustomization.yaml create mode 100644 amq-broker-operator/instance/components/authentication/certificate/broker-jaas-config.yaml create mode 100644 amq-broker-operator/instance/components/authentication/certificate/kustomization.yaml create mode 100644 amq-broker-operator/instance/components/authentication/guest/broker-jaas-config.yaml create mode 100644 amq-broker-operator/instance/components/authentication/guest/kustomization.yaml create mode 100644 
amq-broker-operator/instance/components/authentication/ldap/broker-jaas-config.yaml create mode 100644 amq-broker-operator/instance/components/authentication/ldap/kustomization.yaml create mode 100644 amq-broker-operator/instance/components/authentication/properties/broker-jaas-config.yaml create mode 100644 amq-broker-operator/instance/components/authentication/properties/kustomization.yaml create mode 100644 amq-broker-operator/instance/components/certificates/cert-manager/acceptor-ssl-keystore-and-truststore/acceptor-ssl-truststore.yaml create mode 100644 amq-broker-operator/instance/components/certificates/cert-manager/acceptor-ssl-keystore-and-truststore/kustomization.yaml create mode 100644 amq-broker-operator/instance/components/certificates/cert-manager/acceptor-ssl-keystore/acceptor-ssl-certificate.yaml create mode 100644 amq-broker-operator/instance/components/certificates/cert-manager/acceptor-ssl-keystore/acceptor-ssl-keystore.yaml create mode 100644 amq-broker-operator/instance/components/certificates/cert-manager/acceptor-ssl-keystore/kustomization.yaml create mode 100644 amq-broker-operator/instance/components/certificates/cert-manager/cluster-ssl-keystore-and-truststore/cluster-ssl-truststore.yaml create mode 100644 amq-broker-operator/instance/components/certificates/cert-manager/cluster-ssl-keystore-and-truststore/kustomization.yaml create mode 100644 amq-broker-operator/instance/components/certificates/cert-manager/cluster-ssl-keystore/cluster-ssl-certificate.yaml create mode 100644 amq-broker-operator/instance/components/certificates/cert-manager/cluster-ssl-keystore/cluster-ssl-keystore.yaml create mode 100644 amq-broker-operator/instance/components/certificates/cert-manager/cluster-ssl-keystore/kustomization.yaml create mode 100644 amq-broker-operator/instance/components/certificates/cert-manager/console-ssl-keystore/console-ssl-certificate.yaml create mode 100644 
amq-broker-operator/instance/components/certificates/cert-manager/console-ssl-keystore/console-ssl-keystore.yaml create mode 100644 amq-broker-operator/instance/components/certificates/cert-manager/console-ssl-keystore/kustomization.yaml create mode 100644 amq-broker-operator/instance/components/certificates/init-build-keystore/acceptor-ssl-keystore-and-truststore/acceptor-ssl-keystore.yaml create mode 100644 amq-broker-operator/instance/components/certificates/init-build-keystore/acceptor-ssl-keystore-and-truststore/acceptor-ssl-truststore.yaml create mode 100644 amq-broker-operator/instance/components/certificates/init-build-keystore/acceptor-ssl-keystore-and-truststore/kustomization.yaml create mode 100644 amq-broker-operator/instance/components/certificates/init-build-keystore/cluster-ssl-keystore-and-truststore/cluster-ssl-keystore.yaml create mode 100644 amq-broker-operator/instance/components/certificates/init-build-keystore/cluster-ssl-keystore-and-truststore/cluster-ssl-truststore.yaml create mode 100644 amq-broker-operator/instance/components/certificates/init-build-keystore/cluster-ssl-keystore-and-truststore/kustomization.yaml create mode 100644 amq-broker-operator/instance/components/certificates/init-build-keystore/console-ssl-keystore/console-ssl-keystore.yaml create mode 100644 amq-broker-operator/instance/components/certificates/init-build-keystore/console-ssl-keystore/kustomization.yaml create mode 100644 amq-broker-operator/instance/components/certificates/init-build-keystore/init-container/kustomization.yaml create mode 100644 amq-broker-operator/instance/components/certificates/init-build-keystore/init-container/patch-broker.yaml create mode 100644 amq-broker-operator/instance/components/certificates/public-ca-truststores/letsencrypt-prod/acceptor-ssl-truststore/acceptor-ssl-truststore.yaml create mode 100644 amq-broker-operator/instance/components/certificates/public-ca-truststores/letsencrypt-prod/acceptor-ssl-truststore/kustomization.yaml 
create mode 100644 amq-broker-operator/instance/components/certificates/public-ca-truststores/letsencrypt-prod/cluster-ssl-truststore/cluster-ssl-truststore.yaml create mode 100644 amq-broker-operator/instance/components/certificates/public-ca-truststores/letsencrypt-prod/cluster-ssl-truststore/kustomization.yaml create mode 100644 amq-broker-operator/instance/components/certificates/public-ca-truststores/letsencrypt-prod/console-ssl-keystore/kustomization.yaml create mode 100644 amq-broker-operator/instance/components/certificates/public-ca-truststores/letsencrypt-prod/kustomization.yaml create mode 100755 amq-broker-operator/instance/components/certificates/public-ca-truststores/letsencrypt-prod/regenerate-truststore.sh create mode 100644 amq-broker-operator/instance/components/certificates/public-ca-truststores/letsencrypt-prod/truststore.jks create mode 100644 amq-broker-operator/instance/components/certificates/public-ca-truststores/letsencrypt-staging/acceptor-ssl-truststore/acceptor-ssl-truststore.yaml create mode 100644 amq-broker-operator/instance/components/certificates/public-ca-truststores/letsencrypt-staging/acceptor-ssl-truststore/kustomization.yaml create mode 100644 amq-broker-operator/instance/components/certificates/public-ca-truststores/letsencrypt-staging/cluster-ssl-truststore/cluster-ssl-truststore.yaml create mode 100644 amq-broker-operator/instance/components/certificates/public-ca-truststores/letsencrypt-staging/cluster-ssl-truststore/kustomization.yaml create mode 100644 amq-broker-operator/instance/components/certificates/public-ca-truststores/letsencrypt-staging/console-ssl-keystore/kustomization.yaml create mode 100644 amq-broker-operator/instance/components/certificates/public-ca-truststores/letsencrypt-staging/kustomization.yaml create mode 100755 amq-broker-operator/instance/components/certificates/public-ca-truststores/letsencrypt-staging/regenerate-truststore.sh create mode 100644 
amq-broker-operator/instance/components/certificates/public-ca-truststores/letsencrypt-staging/truststore.jks create mode 100644 amq-broker-operator/instance/components/clustering/README.adoc create mode 100644 amq-broker-operator/instance/components/clustering/cross-ocp-cluster/broker-cluster-configs-bp.yaml create mode 100644 amq-broker-operator/instance/components/clustering/cross-ocp-cluster/broker-connector-configs-bp.yaml create mode 100644 amq-broker-operator/instance/components/clustering/cross-ocp-cluster/kustomization.yaml create mode 100644 amq-broker-operator/instance/components/clustering/intra-namespace/kustomization.yaml create mode 100644 amq-broker-operator/instance/components/clustering/none/kustomization.yaml create mode 100644 amq-broker-operator/instance/components/high-availability/README.adoc create mode 100644 amq-broker-operator/instance/components/high-availability/ha-cluster/_base/broker-ha-configs-bp.yaml create mode 100644 amq-broker-operator/instance/components/high-availability/ha-cluster/_base/kustomization.yaml create mode 100644 amq-broker-operator/instance/components/high-availability/ha-cluster/backup/kustomization.yaml create mode 100644 amq-broker-operator/instance/components/high-availability/ha-cluster/primary/kustomization.yaml create mode 100644 amq-broker-operator/instance/components/high-availability/ha-leader-follower/_base/broker-ha-configs-bp.yaml create mode 100644 amq-broker-operator/instance/components/high-availability/ha-leader-follower/_base/kustomization.yaml create mode 100644 amq-broker-operator/instance/components/high-availability/ha-leader-follower/follower/kustomization.yaml create mode 100644 amq-broker-operator/instance/components/high-availability/ha-leader-follower/leader/kustomization.yaml create mode 100644 amq-broker-operator/instance/components/logging/claim-template/broker-logging-config.yaml create mode 100644 amq-broker-operator/instance/components/logging/claim-template/kustomization.yaml 
create mode 100644 amq-broker-operator/instance/components/logging/console-only/broker-logging-config.yaml create mode 100644 amq-broker-operator/instance/components/logging/console-only/kustomization.yaml create mode 100644 amq-broker-operator/instance/components/metrics/README.adoc create mode 100644 amq-broker-operator/instance/components/metrics/address-metrics/kustomization.yaml create mode 100644 amq-broker-operator/instance/components/metrics/broker-external/external-hawtio/kustomization.yaml create mode 100644 amq-broker-operator/instance/components/metrics/broker-external/jolokia/kustomization.yaml create mode 100644 amq-broker-operator/instance/components/metrics/broker-external/prometheus/kustomization.yaml create mode 100644 amq-broker-operator/instance/components/metrics/broker-external/prometheus/service-monitor.yaml create mode 100644 amq-broker-operator/instance/components/metrics/broker-internal/jvm/broker-jvm-metrics-bp.yaml create mode 100644 amq-broker-operator/instance/components/metrics/broker-internal/jvm/kustomization.yaml create mode 100644 amq-broker-operator/instance/components/metrics/broker-internal/web-console/kustomization.yaml create mode 100644 amq-broker-operator/instance/components/other-broker-properties/broker-other-configs-bp.yaml create mode 100644 amq-broker-operator/instance/components/other-broker-properties/kustomization.yaml create mode 100644 amq-broker-operator/instance/components/persistence/README.adoc create mode 100644 amq-broker-operator/instance/components/persistence/file/kustomization.yaml create mode 100644 amq-broker-operator/instance/components/persistence/jdbc/_base/broker-jdbc-configs-bp.yaml create mode 100644 amq-broker-operator/instance/components/persistence/jdbc/_base/kustomization.yaml create mode 100644 amq-broker-operator/instance/components/persistence/jdbc/_base/patch-broker.yaml create mode 100644 amq-broker-operator/instance/components/persistence/jdbc/_copy-driver/kustomization.yaml create mode 
100644 amq-broker-operator/instance/components/persistence/jdbc/_download-driver/broker-jdbc-jars.yaml create mode 100644 amq-broker-operator/instance/components/persistence/jdbc/_download-driver/kustomization.yaml create mode 100644 amq-broker-operator/instance/components/persistence/jdbc/oracle/broker-jdbc-driver.yaml create mode 100644 amq-broker-operator/instance/components/persistence/jdbc/oracle/kustomization.yaml create mode 100644 amq-broker-operator/instance/components/persistence/jdbc/postgresql/broker-jdbc-driver.yaml create mode 100644 amq-broker-operator/instance/components/persistence/jdbc/postgresql/kustomization.yaml create mode 100644 amq-broker-operator/instance/components/persistence/none/kustomization.yaml create mode 100644 amq-broker-operator/instance/overlays/clustered-ephemeral-tls-init-container/keystore-inputs.yaml create mode 100644 amq-broker-operator/instance/overlays/clustered-ephemeral-tls-init-container/kustomization.yaml create mode 100644 amq-broker-operator/instance/overlays/clustered-ephemeral-tls-letsencrypt/kustomization.yaml create mode 100644 amq-broker-operator/instance/overlays/clustered-ephemeral/kustomization.yaml create mode 100644 amq-broker-operator/instance/overlays/cross-ocp-postgres-primary-backup-letsencrypt/backup/kustomization.yaml create mode 100644 amq-broker-operator/instance/overlays/cross-ocp-postgres-primary-backup-letsencrypt/primary/kustomization.yaml create mode 100644 amq-broker-operator/operator/README.adoc create mode 100644 amq-broker-operator/operator/base/kustomization.yaml create mode 100644 amq-broker-operator/operator/base/subscription.yaml create mode 100644 amq-broker-operator/operator/components/metrics/kustomization.yaml create mode 100644 amq-broker-operator/operator/components/metrics/pod-monitor.yaml create mode 100644 amq-broker-operator/operator/overlays/v7.12/kustomization.yaml create mode 100644 amq-broker-operator/operator/overlays/v7.12/patch-channel.yaml 
diff --git a/amq-broker-operator/.editorconfig b/amq-broker-operator/.editorconfig new file mode 100644 index 00000000..100d7752 --- /dev/null +++ b/amq-broker-operator/.editorconfig @@ -0,0 +1,8 @@ +# AMQ Broker Operator EditorConfig File + +[*] +end_of_line = lf +indent_style = space +indent_size = 2 +insert_final_newline = true +trim_trailing_whitespace = true diff --git a/amq-broker-operator/examples/amq-cluster-basic/kustomization.yaml b/amq-broker-operator/examples/amq-cluster-basic/kustomization.yaml new file mode 100644 index 00000000..8f3d67f7 --- /dev/null +++ b/amq-broker-operator/examples/amq-cluster-basic/kustomization.yaml @@ -0,0 +1,33 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +namespace: amq-cluster-basic + +resources: + - namespace.yaml + - operator-group.yaml + - ../../operator/overlays/v7.12 + - ../../instance/overlays/clustered-ephemeral + +components: + - ../../instance/components/addresses + - ../../instance/components/authentication/guest + +patches: + - target: + group: broker.amq.io + version: v1beta1 + kind: ActiveMQArtemis + name: default + patch: |- + - op: replace + path: /spec/console/expose + value: true + + - op: add + path: /spec/adminUser + value: admin + - op: add + path: /spec/adminPassword + value: example + diff --git a/amq-broker-operator/examples/amq-cluster-basic/namespace.yaml b/amq-broker-operator/examples/amq-cluster-basic/namespace.yaml new file mode 100644 index 00000000..b82cbb9a --- /dev/null +++ b/amq-broker-operator/examples/amq-cluster-basic/namespace.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: amq-cluster-basic diff --git a/amq-broker-operator/examples/amq-cluster-basic/operator-group.yaml b/amq-broker-operator/examples/amq-cluster-basic/operator-group.yaml new file mode 100644 index 00000000..39df6229 --- /dev/null +++ b/amq-broker-operator/examples/amq-cluster-basic/operator-group.yaml 
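Review bot: The `adminUser: admin` / `adminPassword: example` JSON-patch ops at the end of this kustomization commit a well-known admin credential to git, and the same patch flips `/spec/console/expose` to `true` while the base CR in this commit leaves `console.sslEnabled: false`, so the console Route would accept that password over plain HTTP unless the `clustered-ephemeral` overlay (not visible in this chunk) changes it. Drop the two `adminUser`/`adminPassword` ops and let the operator manage credentials (it generates them into a Secret when they are unset, as far as I recall — verify for the 7.12 channel), or at minimum put `# DEMO ONLY: replace before exposing the console` above them. `authentication/guest` is also pulled in here; its JAAS config is outside this chunk, so what the guest role may do cannot be judged from this hunk.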
@@ -0,0 +1,8 @@ +apiVersion: operators.coreos.com/v1 +kind: OperatorGroup +metadata: + name: default + namespace: amq-cluster-basic +spec: + targetNamespaces: + - amq-cluster-basic diff --git a/amq-broker-operator/examples/amq-cluster-ssl-init-self-signed/kustomization.yaml b/amq-broker-operator/examples/amq-cluster-ssl-init-self-signed/kustomization.yaml new file mode 100644 index 00000000..1b699a90 --- /dev/null +++ b/amq-broker-operator/examples/amq-cluster-ssl-init-self-signed/kustomization.yaml @@ -0,0 +1,52 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +namespace: amq-cluster-ssl + +resources: + - namespace.yaml + - operator-group.yaml + - ../../operator/overlays/v7.12 + - ../../instance/overlays/clustered-ephemeral-tls-init-container + +components: + - ../../instance/components/addresses + - ../../instance/components/authentication/guest + - ../../instance/components/logging/claim-template + - ../../instance/components/metrics/address-metrics + - ../../instance/components/metrics/broker-internal/jvm + - ../../instance/components/metrics/broker-external/prometheus + +patches: + - target: + group: broker.amq.io + version: v1beta1 + kind: ActiveMQArtemis + name: default + patch: |- + - op: replace + path: /metadata/name + value: amq-cluster-ssl + + - op: replace + path: /spec/console/expose + value: true + + - op: add + path: /spec/adminUser + value: admin + - op: add + path: /spec/adminPassword + value: example + - target: + group: monitoring.coreos.com + version: v1 + kind: ServiceMonitor + name: default + patch: |- + - op: replace + path: /metadata/name + value: amq-cluster-ssl-prometheus-sm + - op: replace + path: /spec/selector/matchLabels/application + value: amq-cluster-ssl diff --git a/amq-broker-operator/examples/amq-cluster-ssl-init-self-signed/namespace.yaml b/amq-broker-operator/examples/amq-cluster-ssl-init-self-signed/namespace.yaml new file mode 100644 index 00000000..b1baa648 --- /dev/null 
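Review bot: The self-signed TLS example repeats the plaintext `adminUser: admin` / `adminPassword: example` ops from the basic example; TLS on the acceptor and console does not help when the password is public in the repository. Same suggestion: remove the two ops and take credentials from a Secret that lives outside git, or mark them as demo-only in a comment. The `ServiceMonitor` patch only renames the monitor and its selector — whether the scraped metrics endpoint requires authentication is decided in the `broker-external/prometheus` component, which is outside this chunk.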
+++ b/amq-broker-operator/examples/amq-cluster-ssl-init-self-signed/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: amq-cluster-ssl
diff --git a/amq-broker-operator/examples/amq-cluster-ssl-init-self-signed/operator-group.yaml b/amq-broker-operator/examples/amq-cluster-ssl-init-self-signed/operator-group.yaml
new file mode 100644
index 00000000..6c75f55c
--- /dev/null
+++ b/amq-broker-operator/examples/amq-cluster-ssl-init-self-signed/operator-group.yaml
@@ -0,0 +1,8 @@
+apiVersion: operators.coreos.com/v1
+kind: OperatorGroup
+metadata:
+ name: default
+ namespace: amq-cluster-ssl
+spec:
+ targetNamespaces:
+ - amq-cluster-ssl
diff --git a/amq-broker-operator/examples/amq-cluster-ssl-letsencrypt/kustomization.yaml b/amq-broker-operator/examples/amq-cluster-ssl-letsencrypt/kustomization.yaml
new file mode 100644
index 00000000..362f09e6
--- /dev/null
+++ b/amq-broker-operator/examples/amq-cluster-ssl-letsencrypt/kustomization.yaml
@@ -0,0 +1,76 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +namespace: amq-cluster-ssl + +resources: + - namespace.yaml + - operator-group.yaml + - ../../operator/overlays/v7.12 + - ../../instance/overlays/clustered-ephemeral-tls-letsencrypt + +components: + - ../../instance/components/addresses + - ../../instance/components/authentication/guest + - ../../instance/components/logging/claim-template + - ../../instance/components/metrics/address-metrics + - ../../instance/components/metrics/broker-internal/jvm + - ../../instance/components/metrics/broker-external/prometheus + +patches: + - target: + group: broker.amq.io + version: v1beta1 + kind: ActiveMQArtemis + name: default + patch: |- + - op: replace + path: /metadata/name + value: amq-cluster-ssl + + - op: replace + path: /spec/console/expose + value: true + + - op: add + path: /spec/adminUser + value: admin + - op: add + path: /spec/adminPassword + value: example + - target: + group: cert-manager.io + version: v1 + kind: Certificate + name: console-ssl-certificate + patch: |- + - op: replace + path: /spec/dnsNames + value: + - amq-cluster-ssl-wconsj-0-svc-rte-amq-cluster-ssl.apps.cluster.example.com + - amq-cluster-ssl-wconsj-1-svc-rte-amq-cluster-ssl.apps.cluster.example.com + - amq-cluster-ssl-wconsj-2-svc-rte-amq-cluster-ssl.apps.cluster.example.com + - target: + group: cert-manager.io + version: v1 + kind: Certificate + name: acceptor-ssl-certificate + patch: |- + - op: replace + path: /spec/dnsNames + value: + - amq-cluster-ssl-ssl-0-svc-rte-amq-cluster-ssl.apps.cluster.example.com + - amq-cluster-ssl-ssl-1-svc-rte-amq-cluster-ssl.apps.cluster.example.com + - amq-cluster-ssl-ssl-2-svc-rte-amq-cluster-ssl.apps.cluster.example.com + - target: + group: monitoring.coreos.com + version: v1 + kind: ServiceMonitor + name: default + patch: |- + - op: replace + path: /metadata/name + value: amq-cluster-ssl-prometheus-sm + - op: replace + path: /spec/selector/matchLabels/application + 
value: amq-cluster-ssl
diff --git a/amq-broker-operator/examples/amq-cluster-ssl-letsencrypt/namespace.yaml b/amq-broker-operator/examples/amq-cluster-ssl-letsencrypt/namespace.yaml
new file mode 100644
index 00000000..b1baa648
--- /dev/null
+++ b/amq-broker-operator/examples/amq-cluster-ssl-letsencrypt/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: amq-cluster-ssl
diff --git a/amq-broker-operator/examples/amq-cluster-ssl-letsencrypt/operator-group.yaml b/amq-broker-operator/examples/amq-cluster-ssl-letsencrypt/operator-group.yaml
new file mode 100644
index 00000000..6c75f55c
--- /dev/null
+++ b/amq-broker-operator/examples/amq-cluster-ssl-letsencrypt/operator-group.yaml
@@ -0,0 +1,8 @@
+apiVersion: operators.coreos.com/v1
+kind: OperatorGroup
+metadata:
+ name: default
+ namespace: amq-cluster-ssl
+spec:
+ targetNamespaces:
+ - amq-cluster-ssl
diff --git a/amq-broker-operator/instance/base/activemq-artemis-cr.yaml b/amq-broker-operator/instance/base/activemq-artemis-cr.yaml
new file mode 100644
index 00000000..95482796
--- /dev/null
+++ b/amq-broker-operator/instance/base/activemq-artemis-cr.yaml
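Review bot: This example also hard-codes `adminPassword: example` in the ActiveMQArtemis patch while exposing the console on a publicly trusted (Let's Encrypt) hostname, which is the variant most likely to be copied into a real cluster unchanged. Replace the `adminUser`/`adminPassword` ops with a reference to an externally managed Secret, or remove them so the operator generates credentials (verify that behaviour for 7.12). The `dnsNames` lists for both `Certificate` patches encode the `<cr>-<acceptor>-<n>-svc-rte-<namespace>.apps...` route naming; a comment such as `# Route hostnames must match the CR name, acceptor name and namespace` would stop a renamed CR from silently getting a certificate whose SANs match no route.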
@@ -0,0 +1,77 @@ +apiVersion: broker.amq.io/v1beta1 +kind: ActiveMQArtemis +metadata: + name: default +spec: + console: + expose: false + sslEnabled: false + deploymentPlan: + size: 1 + resources: + requests: {} + limits: {} + clustered: false + persistenceEnabled: false + journalType: nio + requireLogin: false + managementRBACEnabled: true + enableMetricsPlugin: false + jolokiaAgentEnabled: false + messageMigration: false + extraMounts: + configMaps: [] + secrets: [] + extraVolumeClaimTemplates: [] + extraVolumes: [] + extraVolumeMounts: [] + readinessProbe: + initialDelaySeconds: 5 + periodSeconds: 5 + livenessProbe: + failureThreshold: 30 + initialDelaySeconds: 5 + periodSeconds: 5 + startupProbe: + exec: + command: + - /bin/bash + - '-c' + - >- + /opt/amq/bin/artemis check node + --up + --url=tcp://"$HOSTNAME":61610 + failureThreshold: 30 + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 10 + acceptors: + - # Acceptor for use with startup probe, possibly liveness probe, etc + name: probes + expose: false + port: 61610 + protocols: all + sslEnabled: false + connectors: [] + addressSettings: + applyRule: replace_all + addressSetting: + # Default catch-all, to be replaced or modified by overlays + - match: '#' + + enableMetrics: false + + addressFullPolicy: BLOCK + + autoCreateAddresses: true + autoCreateQueues: true + autoCreateDeadLetterResources: true + + env: [] + brokerProperties: + # Set value that can be used to remove values from arrays in broker.properties files + - remove.value=- + + # Even with persistenceEnabled set to false above, the broker.xml shows peristence-enabled true... override that + - persistenceEnabled=false + resourceTemplates: [] diff --git a/amq-broker-operator/instance/base/kustomization.yaml b/amq-broker-operator/instance/base/kustomization.yaml new file mode 100644 index 00000000..5d3818be --- /dev/null +++ b/amq-broker-operator/instance/base/kustomization.yaml 
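Review bot: The `probes` acceptor (`port: 61610`, `protocols: all`, `sslEnabled: false`) is a plaintext, all-protocol listener, and with `deploymentPlan.requireLogin: false` in the same CR it accepts unauthenticated connections; `expose: false` only suppresses a Route, the pod port itself is still reachable by anything that can route to the pod IP. The startup probe only needs the core protocol for `artemis check node` (as far as I know), so narrow it to `protocols: CORE` and state the intent above it: `# internal-only, plaintext, core protocol only — pair with a NetworkPolicy`. `resources.requests`/`limits` are both `{}`, so an overlay that forgets them ships a broker with no memory bound. The `requireLogin: false` / `console.sslEnabled: false` defaults are acceptable for a base that components override, but a header comment saying every overlay is expected to pull in an `authentication/*` component would make that contract explicit.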
@@ -0,0 +1,5 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: + - activemq-artemis-cr.yaml diff --git a/amq-broker-operator/instance/components/acceptors/mutual-tls/kustomization.yaml b/amq-broker-operator/instance/components/acceptors/mutual-tls/kustomization.yaml new file mode 100644 index 00000000..5647bacc --- /dev/null +++ b/amq-broker-operator/instance/components/acceptors/mutual-tls/kustomization.yaml @@ -0,0 +1,25 @@ +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component + +patches: + - target: + group: broker.amq.io + version: v1beta1 + kind: ActiveMQArtemis + name: default + patch: |- + - op: add + path: /spec/acceptors/- + value: + name: ssl + expose: true + port: 61617 + protocols: all + + multicastPrefix: jms.topic. + anycastPrefix: jms.queue. + + sslEnabled: true + needClientAuth: true + sslSecret: acceptor-ssl-keystore + trustSecret: acceptor-ssl-truststore diff --git a/amq-broker-operator/instance/components/acceptors/one-way-tls/kustomization.yaml b/amq-broker-operator/instance/components/acceptors/one-way-tls/kustomization.yaml new file mode 100644 index 00000000..7ac6b82d --- /dev/null +++ b/amq-broker-operator/instance/components/acceptors/one-way-tls/kustomization.yaml @@ -0,0 +1,25 @@ +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component + +patches: + - target: + group: broker.amq.io + version: v1beta1 + kind: ActiveMQArtemis + name: default + patch: |- + - op: add + path: /spec/acceptors/- + value: + name: ssl + expose: true + port: 61617 + protocols: all + + multicastPrefix: jms.topic. + anycastPrefix: jms.queue. + + sslEnabled: true + needClientAuth: false + sslSecret: acceptor-ssl-keystore + trustSecret: acceptor-ssl-truststore diff --git a/amq-broker-operator/instance/components/addresses/broker-address-security-bp.yaml b/amq-broker-operator/instance/components/addresses/broker-address-security-bp.yaml new file mode 100644 index 00000000..b32fd84e --- /dev/null 
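Review bot: The `ssl` acceptor added by the mutual-tls component sets `sslEnabled`/`needClientAuth` but leaves TLS version and cipher selection at the broker/JVM default even though it is published through a Route (`expose: true`); pin it with `enabledProtocols: TLSv1.2,TLSv1.3` (or `TLSv1.3` alone if every client supports it) and, where the operator version accepts it, `enabledCipherSuites`. Also worth a comment that `needClientAuth: true` only checks that the client certificate chains to `acceptor-ssl-truststore`; mapping the certificate identity to a broker user and role is done by the `authentication/certificate` component, which this hunk does not pull in: `# mTLS validates the chain only; combine with authentication/certificate for identity`.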
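Review bot: In the one-way-tls component `trustSecret: acceptor-ssl-truststore` is set on an acceptor with `needClientAuth: false`, so the truststore is mounted but no client certificate is ever requested; if that is deliberate say so in a comment, otherwise drop the line or use `wantClientAuth: true` (if the CR field is available in this operator version) so presented certificates are at least validated. The `enabledProtocols` pin suggested for the mutual-TLS acceptor applies equally here.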
+++ b/amq-broker-operator/instance/components/addresses/broker-address-security-bp.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Secret +metadata: + name: broker-address-security-bp +type: Opaque +stringData: + brokerProperties: | + securityRoles.#.group2.send=true + securityRoles.#.group1.consume=true + securityRoles.#.group1.createAddress=true + securityRoles.#.group1.createNonDurableQueue=true + securityRoles.#.group1.browse=true + + # FQQN example. Colon (:) is a reserved character and must be escaped + 'securityRoles."my-address\:\:my-queue".group2.send=true' diff --git a/amq-broker-operator/instance/components/addresses/broker-address-settings-bp.yaml b/amq-broker-operator/instance/components/addresses/broker-address-settings-bp.yaml new file mode 100644 index 00000000..2f5db0f0 --- /dev/null +++ b/amq-broker-operator/instance/components/addresses/broker-address-settings-bp.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Secret +metadata: + name: broker-address-settings-bp +type: Opaque +stringData: + address-settings.broker.properties: | + addressSettings."EXAMPLE.ADDRESS.#".name=EXAMPLE.ADDRESS.# + addressSettings."EXAMPLE.ADDRESS.#".autoCreateAddresses=false + + addressSettings."EXAMPLE.ADDRESS.2".name=EXAMPLE.ADDRESS.2 + addressSettings."EXAMPLE.ADDRESS.2".autoCreateQueues=false diff --git a/amq-broker-operator/instance/components/addresses/broker-addresses-bp.yaml b/amq-broker-operator/instance/components/addresses/broker-addresses-bp.yaml new file mode 100644 index 00000000..96db261b --- /dev/null +++ b/amq-broker-operator/instance/components/addresses/broker-addresses-bp.yaml 
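Review bot: The last line of `brokerProperties`, `'securityRoles."my-address\:\:my-queue".group2.send=true'`, sits inside a YAML literal block (`|`), so the surrounding single quotes are written verbatim into the properties file; the broker then sees a key beginning with `'` and a value of `true'`, and the FQQN rule is silently never applied. Drop the quotes: `securityRoles."my-address\:\:my-queue".group2.send=true`. Two points to confirm rather than defects I can prove from this hunk: the other two `-bp` Secrets in this commit use `*.broker.properties` keys while this one uses `brokerProperties`, so check that the operator loads this key at all; and the `#` catch-all grants group1 `createAddress`/`createNonDurableQueue`/`consume`/`browse` and group2 `send` on every address, which is a broad default for a component every example pulls in.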
@@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Secret +metadata: + name: broker-addresses-bp +type: Opaque +stringData: + addresses.broker.properties: | + addressConfigurations."EXAMPLE.ADDRESS.1".name=EXAMPLE.ADDRESS.1 + addressConfigurations."EXAMPLE.ADDRESS.1".routingTypes=MULTICAST + addressConfigurations."EXAMPLE.ADDRESS.1".queueConfigs."MULTICAST.QUEUE".name=MULTICAST.QUEUE + addressConfigurations."EXAMPLE.ADDRESS.1".queueConfigs."MULTICAST.QUEUE".address=EXAMPLE.ADDRESS.1 + addressConfigurations."EXAMPLE.ADDRESS.1".queueConfigs."MULTICAST.QUEUE".routingType=MULTICAST + + addressConfigurations."EXAMPLE.ADDRESS.2".name=EXAMPLE.ADDRESS.2 + addressConfigurations."EXAMPLE.ADDRESS.2".routingTypes=ANYCAST + addressConfigurations."EXAMPLE.ADDRESS.2".queueConfigs."EXAMPLE.QUEUE".name=EXAMPLE.QUEUE + addressConfigurations."EXAMPLE.ADDRESS.2".queueConfigs."EXAMPLE.QUEUE".address=EXAMPLE.ADDRESS.2 + addressConfigurations."EXAMPLE.ADDRESS.2".queueConfigs."EXAMPLE.QUEUE".routingType=ANYCAST diff --git a/amq-broker-operator/instance/components/addresses/kustomization.yaml b/amq-broker-operator/instance/components/addresses/kustomization.yaml new file mode 100644 index 00000000..2a1c692d --- /dev/null +++ b/amq-broker-operator/instance/components/addresses/kustomization.yaml 
@@ -0,0 +1,35 @@ +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component + +resources: + - broker-addresses-bp.yaml + - broker-address-settings-bp.yaml + - broker-address-security-bp.yaml + +patches: + - target: + group: broker.amq.io + version: v1beta1 + kind: ActiveMQArtemis + name: default + patch: |- + # Add broperProperties secrets + - op: add + path: /spec/deploymentPlan/extraMounts/secrets/- + value: broker-addresses-bp + - op: add + path: /spec/deploymentPlan/extraMounts/secrets/- + value: broker-address-settings-bp + - op: add + path: /spec/deploymentPlan/extraMounts/secrets/- + value: broker-address-security-bp + + # Add example address settings (this may be removed in an overlay if unneeded) + - op: add + path: /spec/addressSettings/addressSetting/- + value: + match: 'EXAMPLE.SETTINGS.#' + + autoCreateAddresses: true + autoCreateQueues: true + autoCreateDeadLetterResources: true diff --git a/amq-broker-operator/instance/components/authentication/_base/kustomization.yaml b/amq-broker-operator/instance/components/authentication/_base/kustomization.yaml new file mode 100644 index 00000000..83c4fec3 --- /dev/null +++ b/amq-broker-operator/instance/components/authentication/_base/kustomization.yaml @@ -0,0 +1,29 @@ +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component + +patches: + - target: + group: broker.amq.io + version: v1beta1 + kind: ActiveMQArtemis + name: default + patch: |- + - op: replace + path: /spec/deploymentPlan/requireLogin + value: true + - op: add + path: /spec/deploymentPlan/extraMounts/secrets/- + value: broker-jaas-config + + - op: test + path: /spec/deploymentPlan/startupProbe/exec/command/2 + value: |- + /opt/amq/bin/artemis check node --up --url=tcp://"$HOSTNAME":61610 + - op: replace + path: /spec/deploymentPlan/startupProbe/exec/command/2 + value: >- + /opt/amq/bin/artemis check node + --up + --url=tcp://"$HOSTNAME":61610 + --user="$AMQ_USER" + --password="$AMQ_PASSWORD" 
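Review bot: The comment `# Add broperProperties secrets` in the patch should read `# Add brokerProperties secrets`. The example address setting also turns on `autoCreateAddresses`, `autoCreateQueues` and `autoCreateDeadLetterResources` for `EXAMPLE.SETTINGS.#`; since the comment already says it may be removed in an overlay, it would help to add that auto-creation lets any authenticated sender create addresses and queues under that prefix, so the `match` should be narrowed rather than widened when the setting is adapted.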
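Review bot: The replaced startup probe passes `--password="$AMQ_PASSWORD"` on the command line, so the broker credentials are readable by any process in the container through the process table (`/proc/<pid>/cmdline`) for the duration of every probe run; that is the Artemis CLI's supported interface, but the trade-off deserves a comment next to the `replace` op so it is not mistaken for an oversight. The `op: test` guard above it pins the operator's default probe command and will fail the kustomize build if the operator changes it, rather than silently producing a probe without credentials; a one-line comment like `# test fails the build if the operator default changes; update both ops together` would explain why it exists. Since `requireLogin` is forced to `true` here, it is also worth noting in a comment that the guest authentication component (L25) still admits credential-less clients despite that setting.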
diff --git a/amq-broker-operator/instance/components/authentication/certificate/broker-jaas-config.yaml b/amq-broker-operator/instance/components/authentication/certificate/broker-jaas-config.yaml new file mode 100644 index 00000000..99bfae17 --- /dev/null +++ b/amq-broker-operator/instance/components/authentication/certificate/broker-jaas-config.yaml 
@@ -0,0 +1,58 @@ +apiVersion: v1 +kind: Secret +metadata: + name: broker-jaas-config +type: Opaque +stringData: + login.config: | + /* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + + activemq { + /* + * Allow users to authenticate using certificate that matches DN from secret key users-dn.properties + */ + org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoginModule sufficient + debug=true + reload=true + org.apache.activemq.jaas.textfiledn.user="users-dn.properties" + org.apache.activemq.jaas.textfiledn.role="roles.properties" + ; + + /* + * Include operator-defined users and roles so that the operator may manage the broker and drain messages + */ + org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoginModule sufficient + reload=false + org.apache.activemq.jaas.properties.user="artemis-users.properties" + org.apache.activemq.jaas.properties.role="artemis-roles.properties" + baseDir="/home/jboss/amq-broker/etc" + ; + }; + users-dn.properties: | + ## This should be replaced in a kustomize overlay with actual user DNs + ruben=CN=ruben,O=Example,C=US + anne=CN=anne,O=Example,C=US + rick=CN=rick,O=Example,C=US + + ## User DNs can be made case insensitive using regexp, but there may be performance 
implications + bob=/(?i)CN=Bob,O=example,C=us/ + roles.properties: | + ## This secret key should be replaced in a kustomize overlay with intended user groups + admin=ruben, rick + group1=bob + group2=anne diff --git a/amq-broker-operator/instance/components/authentication/certificate/kustomization.yaml b/amq-broker-operator/instance/components/authentication/certificate/kustomization.yaml new file mode 100644 index 00000000..e93c6382 --- /dev/null +++ b/amq-broker-operator/instance/components/authentication/certificate/kustomization.yaml @@ -0,0 +1,8 @@ +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component + +resources: + - broker-jaas-config.yaml + +components: + - ../_base diff --git a/amq-broker-operator/instance/components/authentication/guest/broker-jaas-config.yaml b/amq-broker-operator/instance/components/authentication/guest/broker-jaas-config.yaml new file mode 100644 index 00000000..6a3ce1ed --- /dev/null +++ b/amq-broker-operator/instance/components/authentication/guest/broker-jaas-config.yaml 
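Review bot: The first login module in `login.config` is declared as `org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoginModule` but configured with `org.apache.activemq.jaas.textfiledn.user`/`.role`, which are the option names of the certificate-based `org.apache.activemq.artemis.spi.core.security.jaas.TextFileCertificateLoginModule`; as written, PropertiesLoginModule would look for `org.apache.activemq.jaas.properties.user` and the DN mapping in `users-dn.properties` would never be consulted (worth verifying against the Artemis version shipped in the image). If the class is corrected, a comment should also state that certificate login only works when the acceptor requests a client certificate, i.e. with the `mutual-tls` acceptor component (L18) rather than `one-way-tls`. `debug=true` enables the module's debug logging for every authentication attempt, which can include the presented DNs, so the base should default it to `false` or comment that overlays enable it temporarily. The sample DNs (`ruben=CN=ruben,O=Example,C=US` and the regex for `bob`) remain valid principals if an overlay forgets to override `users-dn.properties`, which the comment should call out more strongly.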
@@ -0,0 +1,45 @@ +apiVersion: v1 +kind: Secret +metadata: + name: broker-jaas-config +type: Opaque +stringData: + login.config: | + /* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + + activemq { + /* + * Allow users without credentials to be "authenticated" as guest + */ + org.apache.activemq.artemis.spi.core.security.jaas.GuestLoginModule sufficient + debug=true + credentialsInvalidate=true + org.apache.activemq.jaas.guest.user="guest" + org.apache.activemq.jaas.guest.role="guests" + ; + + /* + * Include operator-defined users and roles so that the operator may manage the broker and drain messages + */ + org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoginModule requisite + reload=false + org.apache.activemq.jaas.properties.user="artemis-users.properties" + org.apache.activemq.jaas.properties.role="artemis-roles.properties" + baseDir="/home/jboss/amq-broker/etc" + ; + }; diff --git a/amq-broker-operator/instance/components/authentication/guest/kustomization.yaml b/amq-broker-operator/instance/components/authentication/guest/kustomization.yaml new file mode 100644 index 00000000..e93c6382 --- /dev/null +++ b/amq-broker-operator/instance/components/authentication/guest/kustomization.yaml 
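Review bot: With `GuestLoginModule sufficient` listed first, any connection that presents no credentials is authenticated as `guest` in role `guests`, so the `requireLogin: true` set by the `_base` component (L21) no longer means a client must hold credentials; a comment above the module should say so explicitly, e.g. `# NOTE: credential-less clients succeed here; requireLogin only forces the JAAS chain to run`. `credentialsInvalidate=true` appears to make the guest module reject logins that do supply credentials so they fall through to the `requisite` PropertiesLoginModule, which is the right shape, but it should be documented because removing it would let a wrong password still become guest (confirm against the Artemis docs for the shipped version). Whatever overlay enables this component must also make sure `guests` receives no `securityRoles` grants beyond what is intended; the address security example on L19 only names `group1`/`group2`, which is worth stating here.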
@@ -0,0 +1,8 @@ +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component + +resources: + - broker-jaas-config.yaml + +components: + - ../_base diff --git a/amq-broker-operator/instance/components/authentication/ldap/broker-jaas-config.yaml b/amq-broker-operator/instance/components/authentication/ldap/broker-jaas-config.yaml new file mode 100644 index 00000000..10c42c95 --- /dev/null +++ b/amq-broker-operator/instance/components/authentication/ldap/broker-jaas-config.yaml 
@@ -0,0 +1,47 @@ +apiVersion: v1 +kind: Secret +metadata: + name: broker-jaas-config +type: Opaque +stringData: + login.config: | + /* + * Note: This value should be replaced in an overlay with proper LDAP settings. The secret provided is for + * reference. For additional information, see the following documentation: + * https://docs.redhat.com/en/documentation/red_hat_amq_broker/7.12/html/configuring_amq_broker/assembly-br-securing-brokers_configuring#assembly-br-using-ldap-for-authentication-and-authorization_configuring + */ + + activemq { + /* + * Use LDAP for authentication + */ + org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule sufficient + debug=true + initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory + connectionURL="ldap://ldap.example.com:10389" + connectionUsername="uid=admin,ou=system" + connectionPassword=secret + connectionProtocol=s + connectionTimeout=5000 + authentication=simple + userBase="dc=example,dc=com" + userSearchMatching="(uid={0})" + userSearchSubtree=true + userRoleName= + readTimeout=5000 + roleBase="dc=example,dc=com" + roleName=cn + roleSearchMatching="(member={0})" + roleSearchSubtree=true + ; + + /* + * Include operator-defined users and roles so that the operator may manage the broker and drain messages + */ + org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoginModule sufficient + reload=false + org.apache.activemq.jaas.properties.user="artemis-users.properties" + org.apache.activemq.jaas.properties.role="artemis-roles.properties" + baseDir="/home/jboss/amq-broker/etc" + ; + }; diff --git a/amq-broker-operator/instance/components/authentication/ldap/kustomization.yaml b/amq-broker-operator/instance/components/authentication/ldap/kustomization.yaml new file mode 100644 index 00000000..e93c6382 --- /dev/null +++ b/amq-broker-operator/instance/components/authentication/ldap/kustomization.yaml 
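Review bot: The reference `connectionURL="ldap://ldap.example.com:10389"` combined with `authentication=simple` performs a simple bind over a cleartext LDAP connection, so both the service-account password (`connectionPassword=secret`) and every user password the broker verifies travel unencrypted; the placeholder should use `ldaps://` (or document the TLS/truststore settings the header comment's link describes) so overlays start from a safe default. The header comment should also mention `debug=true`, which logs LDAP search details for each login, and `userRoleName=`, which is left empty without explanation. If the shipped Artemis version supports masked values for `connectionPassword`, that would avoid keeping the bind password in plain text inside `login.config`; worth a comment either way.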
@@ -0,0 +1,8 @@ +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component + +resources: + - broker-jaas-config.yaml + +components: + - ../_base diff --git a/amq-broker-operator/instance/components/authentication/properties/broker-jaas-config.yaml b/amq-broker-operator/instance/components/authentication/properties/broker-jaas-config.yaml new file mode 100644 index 00000000..78af7d13 --- /dev/null +++ b/amq-broker-operator/instance/components/authentication/properties/broker-jaas-config.yaml 
@@ -0,0 +1,56 @@ +apiVersion: v1 +kind: Secret +metadata: + name: broker-jaas-config +type: Opaque +stringData: + login.config: | + /* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + + activemq { + /* + * Allow users to authenticate using lists provided in the secret keys users.properties and roles.properties + */ + org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoginModule sufficient + debug=true + reload=true + org.apache.activemq.jaas.properties.user="users.properties" + org.apache.activemq.jaas.properties.role="roles.properties" + ; + + /* + * Include operator-defined users and roles so that the operator may manage the broker and drain messages + */ + org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoginModule sufficient + reload=false + org.apache.activemq.jaas.properties.user="artemis-users.properties" + org.apache.activemq.jaas.properties.role="artemis-roles.properties" + baseDir="/home/jboss/amq-broker/etc" + ; + }; + users.properties: | + ## This secret key should be replaced in a kustomize overlay with users and hashed passwords + ruben=ruben01! + anne=anne01! + rick=rick01! + bob=bob01! 
+ roles.properties: | + ## This secret key should be replaced in a kustomize overlay with intended user groups + admin=ruben, rick + group1=bob + group2=anne diff --git a/amq-broker-operator/instance/components/authentication/properties/kustomization.yaml b/amq-broker-operator/instance/components/authentication/properties/kustomization.yaml new file mode 100644 index 00000000..e93c6382 --- /dev/null +++ b/amq-broker-operator/instance/components/authentication/properties/kustomization.yaml @@ -0,0 +1,8 @@ +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component + +resources: + - broker-jaas-config.yaml + +components: + - ../_base diff --git a/amq-broker-operator/instance/components/certificates/cert-manager/acceptor-ssl-keystore-and-truststore/acceptor-ssl-truststore.yaml b/amq-broker-operator/instance/components/certificates/cert-manager/acceptor-ssl-keystore-and-truststore/acceptor-ssl-truststore.yaml new file mode 100644 index 00000000..7f4dbe5c --- /dev/null +++ b/amq-broker-operator/instance/components/certificates/cert-manager/acceptor-ssl-keystore-and-truststore/acceptor-ssl-truststore.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +kind: Secret +metadata: + name: acceptor-ssl-truststore +type: Opaque +stringData: + trustStorePath: '/amq/extra/secrets/acceptor-ssl-certificate/truststore.jks' + trustStorePassword: '__REPLACE_ME__' diff --git a/amq-broker-operator/instance/components/certificates/cert-manager/acceptor-ssl-keystore-and-truststore/kustomization.yaml b/amq-broker-operator/instance/components/certificates/cert-manager/acceptor-ssl-keystore-and-truststore/kustomization.yaml new file mode 100644 index 00000000..9cf5c419 --- /dev/null +++ b/amq-broker-operator/instance/components/certificates/cert-manager/acceptor-ssl-keystore-and-truststore/kustomization.yaml 
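Review bot: `users.properties` ships four working plaintext credentials (`ruben=ruben01!` and the others) and the module that reads them is `sufficient`, so an overlay that forgets to override this key deploys a broker with publicly known logins; a safer default is an empty user list with the sample entries shown commented out. The instruction to use hashed passwords would be more actionable if it named the mechanism, e.g. `## Replace in an overlay with users and hashed passwords (Artemis CLI: artemis mask --hash), never plaintext`, assuming the shipped CLI provides that option. As in the certificate variant (L24), `debug=true` on the user-facing module should default to `false` in the base.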
@@ -0,0 +1,24 @@ +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component + +resources: + - acceptor-ssl-truststore.yaml + +components: + - ../acceptor-ssl-keystore + +replacements: + - source: + group: '' + version: v1 + kind: Secret + name: acceptor-ssl-keystore + fieldPath: stringData.keyStorePassword + targets: + - select: + group: '' + version: v1 + kind: Secret + name: acceptor-ssl-truststore + fieldPaths: + - stringData.trustStorePassword diff --git a/amq-broker-operator/instance/components/certificates/cert-manager/acceptor-ssl-keystore/acceptor-ssl-certificate.yaml b/amq-broker-operator/instance/components/certificates/cert-manager/acceptor-ssl-keystore/acceptor-ssl-certificate.yaml new file mode 100644 index 00000000..c936c308 --- /dev/null +++ b/amq-broker-operator/instance/components/certificates/cert-manager/acceptor-ssl-keystore/acceptor-ssl-certificate.yaml @@ -0,0 +1,39 @@ +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: acceptor-ssl-certificate +spec: + issuerRef: + group: cert-manager.io + kind: Issuer + name: namespaced-issuer + secretName: acceptor-ssl-certificate + dnsNames: + # These should be replaced in a kustomize overlay, according to intended hostnames + + # Route hostname + - default-ssl-0-svc-rte-target-namespace.apps.cluster.example.com + + # Service hostnames + - default-ssl-0-svc.target-namespace.svc.cluster.local + - default-ssl-0-svc.target-namespace.svc.cluster + - default-ssl-0-svc.target-namespace.svc + - default-ssl-0-svc.target-namespace + - default-ssl-0-svc + + # Pod hostname + - default-ss-0 + usages: + - digital signature + - key encipherment + secretTemplate: + annotations: + kubernetes.io/description: >- + Secret issued via cert-manager which will be referenced by an ActiveMQArtemis CR for securing AMQ acceptor + communications + keystores: + jks: + create: true + passwordSecretRef: + name: acceptor-ssl-keystore + key: keyStorePassword 
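Review bot: The Certificate sets no `privateKey.rotationPolicy`, so cert-manager's default (`Never`) reuses the same private key on every renewal; adding `privateKey:` / `rotationPolicy: Always` under `spec` is the usual hardening for server certificates, and the same applies to the cluster and console certificates on L34 and L35. The SAN list only covers the `-0` replica (`default-ssl-0-svc…`, `default-ss-0`), so the overlay comment should say that `dnsNames` must be extended per pod when `deploymentPlan.size` is greater than 1, since every pod presents this one certificate. `usages` omits any extended key usage, which most TLS clients accept, but if an overlay adds one it must include `server auth` for an acceptor certificate; a comment to that effect would prevent a hard-to-diagnose handshake failure.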
diff --git a/amq-broker-operator/instance/components/certificates/cert-manager/acceptor-ssl-keystore/acceptor-ssl-keystore.yaml b/amq-broker-operator/instance/components/certificates/cert-manager/acceptor-ssl-keystore/acceptor-ssl-keystore.yaml new file mode 100644 index 00000000..53839819 --- /dev/null +++ b/amq-broker-operator/instance/components/certificates/cert-manager/acceptor-ssl-keystore/acceptor-ssl-keystore.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +kind: Secret +metadata: + name: acceptor-ssl-keystore +type: Opaque +stringData: + keyStorePath: '/amq/extra/secrets/acceptor-ssl-certificate/keystore.jks' + keyStorePassword: 'super-secret-acceptor-keystore-password' diff --git a/amq-broker-operator/instance/components/certificates/cert-manager/acceptor-ssl-keystore/kustomization.yaml b/amq-broker-operator/instance/components/certificates/cert-manager/acceptor-ssl-keystore/kustomization.yaml new file mode 100644 index 00000000..09303b2c --- /dev/null +++ b/amq-broker-operator/instance/components/certificates/cert-manager/acceptor-ssl-keystore/kustomization.yaml @@ -0,0 +1,17 @@ +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component + +resources: + - acceptor-ssl-keystore.yaml + - acceptor-ssl-certificate.yaml + +patches: + - target: + group: broker.amq.io + version: v1beta1 + kind: ActiveMQArtemis + name: default + patch: |- + - op: add + path: /spec/deploymentPlan/extraMounts/secrets/- + value: acceptor-ssl-certificate diff --git a/amq-broker-operator/instance/components/certificates/cert-manager/cluster-ssl-keystore-and-truststore/cluster-ssl-truststore.yaml b/amq-broker-operator/instance/components/certificates/cert-manager/cluster-ssl-keystore-and-truststore/cluster-ssl-truststore.yaml new file mode 100644 index 00000000..f3ddd454 --- /dev/null +++ b/amq-broker-operator/instance/components/certificates/cert-manager/cluster-ssl-keystore-and-truststore/cluster-ssl-truststore.yaml 
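Review bot: `keyStorePassword: 'super-secret-acceptor-keystore-password'` is a real, committed password that also becomes the password cert-manager uses to build the JKS (`passwordSecretRef` on L31) and, through the `replacements` on L31, the truststore password; the same pattern appears in `cluster-ssl-keystore.yaml` on L34 and in `console-ssl-keystore.yaml` on L36 (`changeit`). The init-build-keystore variants on L37-L39 use `__REPLACE_ME__` for the same fields, so these secrets should follow that convention, or carry a comment like `# overlays MUST override; the value is also the cert-manager JKS password`, so a default deployment never runs with a password that is visible in git history.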
@@ -0,0 +1,8 @@ +apiVersion: v1 +kind: Secret +metadata: + name: cluster-ssl-truststore +type: Opaque +stringData: + trustStorePath: '/amq/extra/secrets/cluster-ssl-certificate/truststore.jks' + trustStorePassword: '__REPLACE_ME__' diff --git a/amq-broker-operator/instance/components/certificates/cert-manager/cluster-ssl-keystore-and-truststore/kustomization.yaml b/amq-broker-operator/instance/components/certificates/cert-manager/cluster-ssl-keystore-and-truststore/kustomization.yaml new file mode 100644 index 00000000..3b4baae6 --- /dev/null +++ b/amq-broker-operator/instance/components/certificates/cert-manager/cluster-ssl-keystore-and-truststore/kustomization.yaml @@ -0,0 +1,24 @@ +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component + +resources: + - cluster-ssl-truststore.yaml + +components: + - ../cluster-ssl-keystore + +replacements: + - source: + group: '' + version: v1 + kind: Secret + name: cluster-ssl-keystore + fieldPath: stringData.keyStorePassword + targets: + - select: + group: '' + version: v1 + kind: Secret + name: cluster-ssl-truststore + fieldPaths: + - stringData.trustStorePassword diff --git a/amq-broker-operator/instance/components/certificates/cert-manager/cluster-ssl-keystore/cluster-ssl-certificate.yaml b/amq-broker-operator/instance/components/certificates/cert-manager/cluster-ssl-keystore/cluster-ssl-certificate.yaml new file mode 100644 index 00000000..f68a1bfa --- /dev/null +++ b/amq-broker-operator/instance/components/certificates/cert-manager/cluster-ssl-keystore/cluster-ssl-certificate.yaml 
@@ -0,0 +1,39 @@ +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: cluster-ssl-certificate +spec: + issuerRef: + group: cert-manager.io + kind: Issuer + name: namespaced-issuer + secretName: cluster-ssl-certificate + dnsNames: + # These should be replaced in a kustomize overlay, according to intended hostnames + + # Route hostname + - default-cluster-ssl-0-svc-rte-target-namespace.apps.cluster.example.com + + # Service hostnames + - default-cluster-ssl-0-svc.target-namespace.svc.cluster.local + - default-cluster-ssl-0-svc.target-namespace.svc.cluster + - default-cluster-ssl-0-svc.target-namespace.svc + - default-cluster-ssl-0-svc.target-namespace + - default-cluster-ssl-0-svc + + # Pod hostname + - default-ss-0 + usages: + - digital signature + - key encipherment + secretTemplate: + annotations: + kubernetes.io/description: >- + Secret issued via cert-manager which will be referenced by an ActiveMQArtemis CR for securing AMQ cluster + communications + keystores: + jks: + create: true + passwordSecretRef: + name: cluster-ssl-keystore + key: keyStorePassword diff --git a/amq-broker-operator/instance/components/certificates/cert-manager/cluster-ssl-keystore/cluster-ssl-keystore.yaml b/amq-broker-operator/instance/components/certificates/cert-manager/cluster-ssl-keystore/cluster-ssl-keystore.yaml new file mode 100644 index 00000000..b1243a2d --- /dev/null +++ b/amq-broker-operator/instance/components/certificates/cert-manager/cluster-ssl-keystore/cluster-ssl-keystore.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +kind: Secret +metadata: + name: cluster-ssl-keystore +type: Opaque +stringData: + keyStorePath: '/amq/extra/secrets/cluster-ssl-certificate/keystore.jks' + keyStorePassword: 'super-secret-cluster-keystore-password' 
diff --git a/amq-broker-operator/instance/components/certificates/cert-manager/cluster-ssl-keystore/kustomization.yaml b/amq-broker-operator/instance/components/certificates/cert-manager/cluster-ssl-keystore/kustomization.yaml new file mode 100644 index 00000000..95750579 --- /dev/null +++ b/amq-broker-operator/instance/components/certificates/cert-manager/cluster-ssl-keystore/kustomization.yaml @@ -0,0 +1,17 @@ +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component + +resources: + - cluster-ssl-keystore.yaml + - cluster-ssl-certificate.yaml + +patches: + - target: + group: broker.amq.io + version: v1beta1 + kind: ActiveMQArtemis + name: default + patch: |- + - op: add + path: /spec/deploymentPlan/extraMounts/secrets/- + value: cluster-ssl-certificate diff --git a/amq-broker-operator/instance/components/certificates/cert-manager/console-ssl-keystore/console-ssl-certificate.yaml b/amq-broker-operator/instance/components/certificates/cert-manager/console-ssl-keystore/console-ssl-certificate.yaml new file mode 100644 index 00000000..9e2c1cd1 --- /dev/null +++ b/amq-broker-operator/instance/components/certificates/cert-manager/console-ssl-keystore/console-ssl-certificate.yaml @@ -0,0 +1,29 @@ +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: console-ssl-certificate +spec: + issuerRef: + group: cert-manager.io + kind: Issuer + name: namespaced-issuer + secretName: console-ssl-certificate + dnsNames: + # These should be replaced in a kustomize overlay, according to intended hostnames + + # Route hostname + - default-wconsj-0-svc-rte-target-namespace.apps.cluster.example.com + usages: + - digital signature + - key encipherment + secretTemplate: + annotations: + kubernetes.io/description: >- + Secret issued via cert-manager which will be referenced by an ActiveMQArtemis CR for securing the AMQ web + console + keystores: + jks: + create: true + passwordSecretRef: + name: console-ssl-keystore + key: keyStorePassword 
diff --git a/amq-broker-operator/instance/components/certificates/cert-manager/console-ssl-keystore/console-ssl-keystore.yaml b/amq-broker-operator/instance/components/certificates/cert-manager/console-ssl-keystore/console-ssl-keystore.yaml new file mode 100644 index 00000000..c18e9764 --- /dev/null +++ b/amq-broker-operator/instance/components/certificates/cert-manager/console-ssl-keystore/console-ssl-keystore.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: Secret +metadata: + name: console-ssl-keystore +type: Opaque +stringData: + keyStorePath: '/amq/extra/secrets/console-ssl-certificate/keystore.jks' + keyStorePassword: 'changeit' + trustStorePath: '/amq/extra/secrets/console-ssl-certificate/truststore.jks' + trustStorePassword: 'changeit' diff --git a/amq-broker-operator/instance/components/certificates/cert-manager/console-ssl-keystore/kustomization.yaml b/amq-broker-operator/instance/components/certificates/cert-manager/console-ssl-keystore/kustomization.yaml new file mode 100644 index 00000000..a4c80e42 --- /dev/null +++ b/amq-broker-operator/instance/components/certificates/cert-manager/console-ssl-keystore/kustomization.yaml @@ -0,0 +1,23 @@ +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component + +resources: + - console-ssl-keystore.yaml + - console-ssl-certificate.yaml + +patches: + - target: + group: broker.amq.io + version: v1beta1 + kind: ActiveMQArtemis + name: default + patch: |- + - op: replace + path: /spec/console/sslEnabled + value: true + - op: replace + path: /spec/console/sslSecret + value: console-ssl-keystore + - op: add + path: /spec/deploymentPlan/extraMounts/secrets/- + value: console-ssl-certificate diff --git a/amq-broker-operator/instance/components/certificates/init-build-keystore/acceptor-ssl-keystore-and-truststore/acceptor-ssl-keystore.yaml b/amq-broker-operator/instance/components/certificates/init-build-keystore/acceptor-ssl-keystore-and-truststore/acceptor-ssl-keystore.yaml new file mode 100644 index 00000000..b3956687 
--- /dev/null +++ b/amq-broker-operator/instance/components/certificates/init-build-keystore/acceptor-ssl-keystore-and-truststore/acceptor-ssl-keystore.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +kind: Secret +metadata: + name: acceptor-ssl-keystore +type: Opaque +stringData: + keyStorePath: '/amq/extra/volumes/built-keystore/keystore.jks' + keyStorePassword: '__REPLACE_ME__' diff --git a/amq-broker-operator/instance/components/certificates/init-build-keystore/acceptor-ssl-keystore-and-truststore/acceptor-ssl-truststore.yaml b/amq-broker-operator/instance/components/certificates/init-build-keystore/acceptor-ssl-keystore-and-truststore/acceptor-ssl-truststore.yaml new file mode 100644 index 00000000..68a5b187 --- /dev/null +++ b/amq-broker-operator/instance/components/certificates/init-build-keystore/acceptor-ssl-keystore-and-truststore/acceptor-ssl-truststore.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +kind: Secret +metadata: + name: acceptor-ssl-truststore +type: Opaque +stringData: + trustStorePath: '/amq/extra/volumes/built-keystore/truststore.jks' + trustStorePassword: '__REPLACE_ME__' diff --git a/amq-broker-operator/instance/components/certificates/init-build-keystore/acceptor-ssl-keystore-and-truststore/kustomization.yaml b/amq-broker-operator/instance/components/certificates/init-build-keystore/acceptor-ssl-keystore-and-truststore/kustomization.yaml new file mode 100644 index 00000000..2dc8ef9f --- /dev/null +++ b/amq-broker-operator/instance/components/certificates/init-build-keystore/acceptor-ssl-keystore-and-truststore/kustomization.yaml @@ -0,0 +1,6 @@ +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component + +resources: + - acceptor-ssl-keystore.yaml + - acceptor-ssl-truststore.yaml 
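Review bot: The `acceptor-ssl-keystore` secret's `keyStorePassword: '__REPLACE_ME__'` has to equal the `keyStorePassword` key of the `keystore-inputs` secret the init container reads (L41), and `trustStorePassword` likewise; unlike the cert-manager variant on L31 there is no `replacements` transformer or comment tying them together, so a mismatch only surfaces when the broker fails to open the keystore at startup. A comment on both secrets, e.g. `# must match keystore-inputs/keyStorePassword used by the init-container component`, or a replacement sourced from `keystore-inputs`, would close that gap; the cluster and console variants on L38 and L39 have the same issue. The `keystore-inputs` secret itself does not appear in the files visible here, so it should be documented as an overlay-provided prerequisite.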
diff --git a/amq-broker-operator/instance/components/certificates/init-build-keystore/cluster-ssl-keystore-and-truststore/cluster-ssl-keystore.yaml b/amq-broker-operator/instance/components/certificates/init-build-keystore/cluster-ssl-keystore-and-truststore/cluster-ssl-keystore.yaml new file mode 100644 index 00000000..da4a621d --- /dev/null +++ b/amq-broker-operator/instance/components/certificates/init-build-keystore/cluster-ssl-keystore-and-truststore/cluster-ssl-keystore.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +kind: Secret +metadata: + name: cluster-ssl-keystore +type: Opaque +stringData: + keyStorePath: '/amq/extra/volumes/built-keystore/keystore.jks' + keyStorePassword: '__REPLACE_ME__' diff --git a/amq-broker-operator/instance/components/certificates/init-build-keystore/cluster-ssl-keystore-and-truststore/cluster-ssl-truststore.yaml b/amq-broker-operator/instance/components/certificates/init-build-keystore/cluster-ssl-keystore-and-truststore/cluster-ssl-truststore.yaml new file mode 100644 index 00000000..181161af --- /dev/null +++ b/amq-broker-operator/instance/components/certificates/init-build-keystore/cluster-ssl-keystore-and-truststore/cluster-ssl-truststore.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +kind: Secret +metadata: + name: cluster-ssl-truststore +type: Opaque +stringData: + trustStorePath: '/amq/extra/volumes/built-keystore/truststore.jks' + trustStorePassword: '__REPLACE_ME__' diff --git a/amq-broker-operator/instance/components/certificates/init-build-keystore/cluster-ssl-keystore-and-truststore/kustomization.yaml b/amq-broker-operator/instance/components/certificates/init-build-keystore/cluster-ssl-keystore-and-truststore/kustomization.yaml new file mode 100644 index 00000000..170ca767 --- /dev/null +++ b/amq-broker-operator/instance/components/certificates/init-build-keystore/cluster-ssl-keystore-and-truststore/kustomization.yaml 
@@ -0,0 +1,6 @@ +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component + +resources: + - cluster-ssl-keystore.yaml + - cluster-ssl-truststore.yaml diff --git a/amq-broker-operator/instance/components/certificates/init-build-keystore/console-ssl-keystore/console-ssl-keystore.yaml b/amq-broker-operator/instance/components/certificates/init-build-keystore/console-ssl-keystore/console-ssl-keystore.yaml new file mode 100644 index 00000000..2274d0ec --- /dev/null +++ b/amq-broker-operator/instance/components/certificates/init-build-keystore/console-ssl-keystore/console-ssl-keystore.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: Secret +metadata: + name: console-ssl-keystore +type: Opaque +stringData: + keyStorePath: '/amq/extra/volumes/built-keystore/keystore.jks' + keyStorePassword: '__REPLACE_ME__' + trustStorePath: '/amq/extra/volumes/built-keystore/truststore.jks' + trustStorePassword: '__REPLACE_ME__' diff --git a/amq-broker-operator/instance/components/certificates/init-build-keystore/console-ssl-keystore/kustomization.yaml b/amq-broker-operator/instance/components/certificates/init-build-keystore/console-ssl-keystore/kustomization.yaml new file mode 100644 index 00000000..4adcb1eb --- /dev/null +++ b/amq-broker-operator/instance/components/certificates/init-build-keystore/console-ssl-keystore/kustomization.yaml @@ -0,0 +1,19 @@ +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component + +resources: + - console-ssl-keystore.yaml + +patches: + - target: + group: broker.amq.io + version: v1beta1 + kind: ActiveMQArtemis + name: default + patch: |- + - op: replace + path: /spec/console/sslEnabled + value: true + - op: replace + path: /spec/console/sslSecret + value: console-ssl-keystore diff --git a/amq-broker-operator/instance/components/certificates/init-build-keystore/init-container/kustomization.yaml b/amq-broker-operator/instance/components/certificates/init-build-keystore/init-container/kustomization.yaml new file mode 100644 index 00000000..71149a8b 
--- /dev/null +++ b/amq-broker-operator/instance/components/certificates/init-build-keystore/init-container/kustomization.yaml @@ -0,0 +1,10 @@ +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component + +patches: + - target: + group: broker.amq.io + version: v1beta1 + kind: ActiveMQArtemis + name: default + path: patch-broker.yaml diff --git a/amq-broker-operator/instance/components/certificates/init-build-keystore/init-container/patch-broker.yaml b/amq-broker-operator/instance/components/certificates/init-build-keystore/init-container/patch-broker.yaml new file mode 100644 index 00000000..9558a228 --- /dev/null +++ b/amq-broker-operator/instance/components/certificates/init-build-keystore/init-container/patch-broker.yaml 
@@ -0,0 +1,88 @@ +- op: add + path: /spec/deploymentPlan/extraVolumes/- + value: + name: built-keystore + emptyDir: {} + +# The extraVolumeMounts here is optional, but is included to explicitly set readOnly to true +- op: add + path: /spec/deploymentPlan/extraVolumeMounts/- + value: + name: built-keystore + mountPath: /amq/extra/volumes/built-keystore + readOnly: true + +- op: add + path: /spec/resourceTemplates/- + value: + selector: + apiGroup: apps/v1 + kind: StatefulSet + patch: + apiVersion: apps/v1 + kind: StatefulSet + spec: + template: + spec: + volumes: + - name: keystore-build-input + secret: + secretName: keystore-inputs + defaultMode: 0400 + initContainers: + - name: build-keystore + image: 'image-registry.openshift-image-registry.svc:5000/openshift/java-runtime:latest' + imagePullPolicy: Always + resources: + requests: + cpu: 250m + memory: 250Mi + limits: + memory: 250Mi + volumeMounts: + - name: keystore-build-input + mountPath: /amq/extra/volumes/keystore-build-input + readOnly: true + - name: built-keystore + mountPath: /amq/extra/volumes/built-keystore + env: + - name: SUBJECT_ALTERNATE_NAME + value: default-ssl-0-svc-rte-target-namespace.apps.cluster.example.com + + - name: KEYSTORE_OUTPUT_FILE + value: /amq/extra/volumes/built-keystore/keystore.jks + - name: KEYSTORE_PASSWORD + valueFrom: + secretKeyRef: + name: keystore-inputs + key: keyStorePassword + + - name: TRUSTSTORE_OUTPUT_FILE + value: /amq/extra/volumes/built-keystore/truststore.jks + - name: TRUSTSTORE_PASSWORD + valueFrom: + secretKeyRef: + name: keystore-inputs + key: trustStorePassword + command: + - /bin/bash + - '-e' + - '-c' + args: + - |- + + keytool -genkey -keyalg "RSA" -keysize 2048 \ + -storetype jks -keystore "$KEYSTORE_OUTPUT_FILE" -storepass "$KEYSTORE_PASSWORD" \ + -keypass "$KEYSTORE_PASSWORD" \ + -alias server -dname "CN=AMQ Server, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" \ + -validity 365 -ext bc=ca:false -ext eku=sA \ + -ext san=dns:"$SUBJECT_ALTERNATE_NAME" + 
+ keytool -exportcert \ + -storetype jks -keystore "$KEYSTORE_OUTPUT_FILE" -storepass "$KEYSTORE_PASSWORD" \ + -keypass "$KEYSTORE_PASSWORD" \ + -alias server -rfc > server.crt + + keytool -importcert \ + -storetype jks -keystore "$TRUSTSTORE_OUTPUT_FILE" -storepass "$TRUSTSTORE_PASSWORD" \ + -alias server -file server.crt -noprompt diff --git a/amq-broker-operator/instance/components/certificates/public-ca-truststores/letsencrypt-prod/acceptor-ssl-truststore/acceptor-ssl-truststore.yaml b/amq-broker-operator/instance/components/certificates/public-ca-truststores/letsencrypt-prod/acceptor-ssl-truststore/acceptor-ssl-truststore.yaml new file mode 100644 index 00000000..7766e867 --- /dev/null +++ b/amq-broker-operator/instance/components/certificates/public-ca-truststores/letsencrypt-prod/acceptor-ssl-truststore/acceptor-ssl-truststore.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +kind: Secret +metadata: + name: acceptor-ssl-truststore +type: Opaque +stringData: + trustStorePath: '__REPLACE_ME__' + trustStorePassword: '__REPLACE_ME__' diff --git a/amq-broker-operator/instance/components/certificates/public-ca-truststores/letsencrypt-prod/acceptor-ssl-truststore/kustomization.yaml b/amq-broker-operator/instance/components/certificates/public-ca-truststores/letsencrypt-prod/acceptor-ssl-truststore/kustomization.yaml new file mode 100644 index 00000000..b1737ef5 --- /dev/null +++ b/amq-broker-operator/instance/components/certificates/public-ca-truststores/letsencrypt-prod/acceptor-ssl-truststore/kustomization.yaml 
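Review bot: The build-keystore init container in patch-broker.yaml pulls `image-registry.openshift-image-registry.svc:5000/openshift/java-runtime:latest` with `imagePullPolicy: Always`, so the toolchain that generates the broker's private key changes whenever that tag moves and the deployment is not reproducible; pin it by digest, e.g. `image: 'image-registry.openshift-image-registry.svc:5000/openshift/java-runtime@sha256:<DIGEST_PLACEHOLDER>'`. Because `built-keystore` is an `emptyDir`, `keytool -genkey` produces a fresh self-signed key pair every time the pod is created, so a client that imported the exported `server.crt` stops validating after the next pod replacement; that consequence belongs in the comment block at the top of the patch. `SUBJECT_ALTERNATE_NAME` is hard-coded to an example hostname, and hostname verification against the real route fails until an overlay patches it, so the env entry should carry a comment such as `# must be patched to the route hostname of this broker; the example value is a placeholder`. The hunk is complete in this view; the `keystore-inputs` Secret it references is defined elsewhere.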
@@ -0,0 +1,35 @@ +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component + +resources: + - acceptor-ssl-truststore.yaml + +replacements: + - source: + group: '' + version: v1 + kind: ConfigMap + name: letsencrypt-prod-truststore + fieldPath: data.trustStorePassword + targets: + - select: + group: '' + version: v1 + kind: Secret + name: acceptor-ssl-truststore + fieldPaths: + - stringData.trustStorePassword + - source: + group: '' + version: v1 + kind: ConfigMap + name: letsencrypt-prod-truststore + fieldPath: data.trustStorePath + targets: + - select: + group: '' + version: v1 + kind: Secret + name: acceptor-ssl-truststore + fieldPaths: + - stringData.trustStorePath diff --git a/amq-broker-operator/instance/components/certificates/public-ca-truststores/letsencrypt-prod/cluster-ssl-truststore/cluster-ssl-truststore.yaml b/amq-broker-operator/instance/components/certificates/public-ca-truststores/letsencrypt-prod/cluster-ssl-truststore/cluster-ssl-truststore.yaml new file mode 100644 index 00000000..1bc309e7 --- /dev/null +++ b/amq-broker-operator/instance/components/certificates/public-ca-truststores/letsencrypt-prod/cluster-ssl-truststore/cluster-ssl-truststore.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +kind: Secret +metadata: + name: cluster-ssl-truststore +type: Opaque +stringData: + trustStorePath: '__REPLACE_ME__' + trustStorePassword: '__REPLACE_ME__' diff --git a/amq-broker-operator/instance/components/certificates/public-ca-truststores/letsencrypt-prod/cluster-ssl-truststore/kustomization.yaml b/amq-broker-operator/instance/components/certificates/public-ca-truststores/letsencrypt-prod/cluster-ssl-truststore/kustomization.yaml new file mode 100644 index 00000000..7086c804 --- /dev/null +++ b/amq-broker-operator/instance/components/certificates/public-ca-truststores/letsencrypt-prod/cluster-ssl-truststore/kustomization.yaml 
@@ -0,0 +1,35 @@ +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component + +resources: + - cluster-ssl-truststore.yaml + +replacements: + - source: + group: '' + version: v1 + kind: ConfigMap + name: letsencrypt-prod-truststore + fieldPath: data.trustStorePassword + targets: + - select: + group: '' + version: v1 + kind: Secret + name: cluster-ssl-truststore + fieldPaths: + - stringData.trustStorePassword + - source: + group: '' + version: v1 + kind: ConfigMap + name: letsencrypt-prod-truststore + fieldPath: data.trustStorePath + targets: + - select: + group: '' + version: v1 + kind: Secret + name: cluster-ssl-truststore + fieldPaths: + - stringData.trustStorePath diff --git a/amq-broker-operator/instance/components/certificates/public-ca-truststores/letsencrypt-prod/console-ssl-keystore/kustomization.yaml b/amq-broker-operator/instance/components/certificates/public-ca-truststores/letsencrypt-prod/console-ssl-keystore/kustomization.yaml new file mode 100644 index 00000000..0e409257 --- /dev/null +++ b/amq-broker-operator/instance/components/certificates/public-ca-truststores/letsencrypt-prod/console-ssl-keystore/kustomization.yaml @@ -0,0 +1,32 @@ +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component + +replacements: + - source: + group: '' + version: v1 + kind: ConfigMap + name: letsencrypt-prod-truststore + fieldPath: data.trustStorePassword + targets: + - select: + group: '' + version: v1 + kind: Secret + name: console-ssl-keystore + fieldPaths: + - stringData.trustStorePassword + - source: + group: '' + version: v1 + kind: ConfigMap + name: letsencrypt-prod-truststore + fieldPath: data.trustStorePath + targets: + - select: + group: '' + version: v1 + kind: Secret + name: console-ssl-keystore + fieldPaths: + - stringData.trustStorePath 
diff --git a/amq-broker-operator/instance/components/certificates/public-ca-truststores/letsencrypt-prod/kustomization.yaml b/amq-broker-operator/instance/components/certificates/public-ca-truststores/letsencrypt-prod/kustomization.yaml new file mode 100644 index 00000000..260e0883 --- /dev/null +++ b/amq-broker-operator/instance/components/certificates/public-ca-truststores/letsencrypt-prod/kustomization.yaml @@ -0,0 +1,23 @@ +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component + +configMapGenerator: + - name: letsencrypt-prod-truststore + options: + disableNameSuffixHash: true + files: + - truststore.jks + literals: + - trustStorePassword=changeit + - trustStorePath=/amq/extra/configmaps/letsencrypt-prod-truststore/truststore.jks + +patches: + - target: + group: broker.amq.io + version: v1beta1 + kind: ActiveMQArtemis + name: default + patch: |- + - op: add + path: /spec/deploymentPlan/extraMounts/configMaps/- + value: letsencrypt-prod-truststore diff --git a/amq-broker-operator/instance/components/certificates/public-ca-truststores/letsencrypt-prod/regenerate-truststore.sh b/amq-broker-operator/instance/components/certificates/public-ca-truststores/letsencrypt-prod/regenerate-truststore.sh new file mode 100755 index 00000000..1a595ee5 --- /dev/null +++ b/amq-broker-operator/instance/components/certificates/public-ca-truststores/letsencrypt-prod/regenerate-truststore.sh 
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+import_der_from_url() {
+ curl --silent --output "$1".der "$2"
+ keytool -importcert -alias "$1" -noprompt -storetype jks -keystore truststore.jks -storepass changeit -file "$1".der
+ rm "$1".der
+}
+
+rm -f truststore.jks
+
+# List from:
+# https://letsencrypt.org/certificates/
+
+import_der_from_url e5 https://letsencrypt.org/certs/2024/e5.der
+import_der_from_url e5-cross https://letsencrypt.org/certs/2024/e5-cross.der
+
+import_der_from_url e6 https://letsencrypt.org/certs/2024/e6.der
+import_der_from_url e6-cross https://letsencrypt.org/certs/2024/e6-cross.der
+
+import_der_from_url r10 https://letsencrypt.org/certs/2024/r10.der
+
+import_der_from_url r11 https://letsencrypt.org/certs/2024/r11.der
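Review bot: `curl --silent --output "$1".der "$2"` in import_der_from_url has no `--fail`, and the script never sets `set -e`, so an HTTP error body is written to the .der file, `keytool -importcert` rejects it, and the loop continues and commits a truststore that silently lacks that root. Add `set -euo pipefail` after the shebang and change the fetch to `curl --silent --show-error --fail --output "$1".der "$2"`. Since the resulting truststore.jks is committed as a binary nobody can diff, ending the script with `keytool -list -keystore truststore.jks -storepass changeit` lets a reviewer compare the printed fingerprints against the ones published on the linked page. The staging variant in the letsencrypt-staging/regenerate-truststore.sh hunk has the same two gaps.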
diff --git a/amq-broker-operator/instance/components/certificates/public-ca-truststores/letsencrypt-prod/truststore.jks b/amq-broker-operator/instance/components/certificates/public-ca-truststores/letsencrypt-prod/truststore.jks new file mode 100644 index 0000000000000000000000000000000000000000..92c4d5c11ef094fdd159f0cf6da8e078c665a918 GIT binary patch literal 6411 zcmd^@2T&B-p2jDWv%-*^5tISZp$8-*QHC6a2bUZq=V1T=eKLTEatV?VBqLEoGDvnr zK!PF}1OX)pqDYkVP_K8rwe@PZcK6oXTd%85b^p81=|0{4^{>9K4^|FVKp+t0s3E?s zDeXkh*%Cawy+I)G9fJx5dJxR7zdnSqZ2+4h~Pwk zZ;Q!MDSlK63yX+Kib|RQ!hgIVD{$=l1?e>Hh!}6Qvb!z8-;?;G6O;v_EDHDnj0lRO zS@&LmfDv#(5)8xxwE@BCXryktSVvW_PFNbxw<{_e6x(jvTdPuIfAOg#LBw@y}d$5`n!L#Ic&xrnEIso-`2rmo?um&CTul!{$ zu=?Fwuy+t;cn62^=3=TlApGO}U@(jiI0f+hr~ybAt0R%=x!TAW4n|>@8LfU zcGpkUw?g>6w(1Yux;ZcRmS_rdFxTGMTYI}uUb4s zzcKO6oSFn;(OVfk>2Wp6s$xe|?hG&EGu7^grU{+Cho)WRRaPX1w}~v8meJQXMWYa7 zDPfjic8GPQzV5v8+M7ge?4c>0Hu20PZfn-)qJyC+)5ByYJ#fK9__JX^>z7)m+^J7d zu|c#eDZKVh7G1X(1|C(UteNRexvtEY4j*0*pf^hJyFP#Cfek>rjfHY1KlaaYCb-?$ zJ!_2K4e+X7vA(26>F~@Xi>yR4Rv#2*4csf2DZ12MNJ@;v3?+D74yUXLXR&cXoJ+?^Js(fn`=bo{SOseNmLdOP6+CnIi_cvPUUky zZ^dxe@9rnm+?K9L1%!Fye5LR5GaJcdug*-6ibq=l0$zAv#K!KJ=rmhSQK_>%|D<}m zTB^P9>6L^JpA9Q&x)UpHZH*TMiteXkFo=(5hJ#@46A_P$dNoQ(pNcMDG29f5Vw1ri zpNe5xW_GR@WP92dSK>3cje@307kLBo7JYpJD z9|r)zV4j~R4u*rE!C(f^(SB-3Fc=K#GkP~iHeg<4WEMF8>~VK zG`_AfY5ua=o740VbW+2{#6$)x^wb!-dFwEWN$GuS)th4!iP0XY;rV)!B$ba{P1{4H zsW>11e9k(Bpc}_wv2jB}sr=#Mb0cz<>GdmgNb3f+d4u-HYIl0vkuQU8e7J8X)<9fp z(A8YpJNa3HH7>rs?3IfIqKB0^piAGUDVk<+sv~TocZlrS>CnkVkJK`T{!Ek28)j{=nvOwj zVRAFfyg^`dixf?3E_107n{~b^~O1-qWaQj+8immu0RU zoP1fgFlZ{nV!krAI41Z`B;A`63H857V>K+>YVe}^l8BbZq7wa9p3I9$DOY0l_xbE#S1U?8=i?3AJW^%23U{zi(HtLr-!v^Fhjd0x@A@(=G|!!6SXk(; zs?Hy*-O5ntv*y7&hg3TzVXrP}CyevH$94$vhvr%>s;ytdO7C>p7=dTZV_0`O_X2oT zqwWuq2%q@BnD_3kXnRM;WBV22lT*g?A9`ADH0?sr&Gs1A$_HP3m}vxMd!gyS88oq< z4VqHr@1*?C2Cd9U_KtTF#&f*#=5r}!L5ZJ<^A|B_V*kvbjebhU-`qawWmUlUKIco_ z(inFgbN&F|sNS(h)>nNJn|Wv?QG-n{sqsbUWYnobu}$&`hKua-;`Tl(!rFc?wQbM9 
zC&>BUEicA{65i1_RnBX90s2ZE!1<2N**FBs*dwE8^`zm zMc8vKB2XPIS`H7RyzQQ@E%h)6Mh-O-VW%dkY9-dM4sch6&LxQ-*oW&xNQ%8D*vW}Z zJfz7vZriwyeCa6Eb`sOE*HjUa+b%XT`^7D{DsG6j^u?$W-ZN|Eo@!==>Ia;sEhPb;l6sqs^;jP*kqgKu3WXdm% z5p@|T|H5|amjY*1a+la&bHjHHGeqg=SGfc3oD6Na%&l7z5on z)`q(H(wkv%Jl0;Zfi+tQ5;@d}CA_O$mrtRW@z=jO7VF7Tt&Dfp>3d`kBhgM}o2!8tYhPLSGft!!uqax)}Rf?%9PE zOrLU=(U4ng;bD7=nwJpM$0t@wStsdt3BT>ZMtD5BevRv((a2#;9Fv(fa9-$C%l+n6 z9W7%SZK;NFC>GK*-S$Php>4mEm0<0!#(Zt6`+f74`zgY({4MOW80iDjCVgMh;vb4NMX77w972#)39H3qqhXOu@4uG;F;a-N`)kQq7|`k~!B<+TYj% zu@n35&lDYgrw*k4$eUFkHJKl=FsRU5brs`SIJ@~+sb!~K;K=t-ehXMIDD?k26AJ$c zneg8WIad`EOD8o{rN6{(r~lgL7EwqLPx$X;LgD{aCKSg0Artc=rs;pL{~Z4hHSGWbE<*rLH>|P(m$K}r z<#{C0fyKYRSfHw!Q9A^q9-*xLEU<4~9^kglo8xlJjiHKl$7?_UyZ|!vd_cqQOA`QPW=LPy7(bvn4z8)=-{3#7f~h!#lysn?rCfd^RVM96-}w2Rq=5phcB#Tp3UN|zd^PaU zxUryyWpffYxJKwCIMaj>6VmXY%g0haKN{s3?J0;Y;^GUCJ6JV_2T~@G#=RJ#c4u)^ zkExn;wJf9W_+Bu%mmadVNVcz-M%XKNkAv=E!gptE*%Dn- zF%BB!aefP@Hvf-mW^YdEPLmt5;3a|bZlKCG1-X3VTA`3X$f#mAfGFO4fs2wk}?I+RY;^6@vWv5XqO*JE7h^R%X&>liF>GNJ!-zC+R z#!V;1fjlNz(GHgKSZ=uG5_Vu@TkXk%jg-W+Rlbqw%2PC|Xsx|h29<^FCp)IaI1l|U z3$WFF)L1oN>hXWk9MjyyTOKo}UZ{#A7G9*8p4mJX;+5+Y*dN~tXUB8ZMSms}RZpLx zd$%#JG&3HTTE||A5}ISWq2$w@!I~ZTp6c>-nN3wTdlg1+T1jI+l}HIyxiTF zs*Al!C!T`6#>75QBhLu$Q{k>gZ+g$CrB$gPclHZ5=^KkwK0uwh3#d|SBgSqP119%UhV!N};8ajZp!a9y!i~uC8okcf$^6Jgdg+Jq80xPp zsDQGPBsDS&OZ%PQRx~f=4Q6QMbPh=qKC5pU6w~fWY*__Oxr=uBWEs2_YH(-kt3(UAnAzvFwS?gO8OH(5{qJs^ElR zI@{a!JM4t*!MazR}j{pDw literal 0 HcmV?d00001 diff --git a/amq-broker-operator/instance/components/certificates/public-ca-truststores/letsencrypt-staging/acceptor-ssl-truststore/acceptor-ssl-truststore.yaml b/amq-broker-operator/instance/components/certificates/public-ca-truststores/letsencrypt-staging/acceptor-ssl-truststore/acceptor-ssl-truststore.yaml new file mode 100644 index 00000000..7766e867 --- /dev/null +++ b/amq-broker-operator/instance/components/certificates/public-ca-truststores/letsencrypt-staging/acceptor-ssl-truststore/acceptor-ssl-truststore.yaml 
@@ -0,0 +1,8 @@ +apiVersion: v1 +kind: Secret +metadata: + name: acceptor-ssl-truststore +type: Opaque +stringData: + trustStorePath: '__REPLACE_ME__' + trustStorePassword: '__REPLACE_ME__' diff --git a/amq-broker-operator/instance/components/certificates/public-ca-truststores/letsencrypt-staging/acceptor-ssl-truststore/kustomization.yaml b/amq-broker-operator/instance/components/certificates/public-ca-truststores/letsencrypt-staging/acceptor-ssl-truststore/kustomization.yaml new file mode 100644 index 00000000..592ca045 --- /dev/null +++ b/amq-broker-operator/instance/components/certificates/public-ca-truststores/letsencrypt-staging/acceptor-ssl-truststore/kustomization.yaml @@ -0,0 +1,35 @@ +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component + +resources: + - acceptor-ssl-truststore.yaml + +replacements: + - source: + group: '' + version: v1 + kind: ConfigMap + name: letsencrypt-staging-truststore + fieldPath: data.trustStorePassword + targets: + - select: + group: '' + version: v1 + kind: Secret + name: acceptor-ssl-truststore + fieldPaths: + - stringData.trustStorePassword + - source: + group: '' + version: v1 + kind: ConfigMap + name: letsencrypt-staging-truststore + fieldPath: data.trustStorePath + targets: + - select: + group: '' + version: v1 + kind: Secret + name: acceptor-ssl-truststore + fieldPaths: + - stringData.trustStorePath diff --git a/amq-broker-operator/instance/components/certificates/public-ca-truststores/letsencrypt-staging/cluster-ssl-truststore/cluster-ssl-truststore.yaml b/amq-broker-operator/instance/components/certificates/public-ca-truststores/letsencrypt-staging/cluster-ssl-truststore/cluster-ssl-truststore.yaml new file mode 100644 index 00000000..1bc309e7 --- /dev/null +++ b/amq-broker-operator/instance/components/certificates/public-ca-truststores/letsencrypt-staging/cluster-ssl-truststore/cluster-ssl-truststore.yaml 
@@ -0,0 +1,8 @@ +apiVersion: v1 +kind: Secret +metadata: + name: cluster-ssl-truststore +type: Opaque +stringData: + trustStorePath: '__REPLACE_ME__' + trustStorePassword: '__REPLACE_ME__' diff --git a/amq-broker-operator/instance/components/certificates/public-ca-truststores/letsencrypt-staging/cluster-ssl-truststore/kustomization.yaml b/amq-broker-operator/instance/components/certificates/public-ca-truststores/letsencrypt-staging/cluster-ssl-truststore/kustomization.yaml new file mode 100644 index 00000000..ce78c83c --- /dev/null +++ b/amq-broker-operator/instance/components/certificates/public-ca-truststores/letsencrypt-staging/cluster-ssl-truststore/kustomization.yaml @@ -0,0 +1,35 @@ +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component + +resources: + - cluster-ssl-truststore.yaml + +replacements: + - source: + group: '' + version: v1 + kind: ConfigMap + name: letsencrypt-staging-truststore + fieldPath: data.trustStorePassword + targets: + - select: + group: '' + version: v1 + kind: Secret + name: cluster-ssl-truststore + fieldPaths: + - stringData.trustStorePassword + - source: + group: '' + version: v1 + kind: ConfigMap + name: letsencrypt-staging-truststore + fieldPath: data.trustStorePath + targets: + - select: + group: '' + version: v1 + kind: Secret + name: cluster-ssl-truststore + fieldPaths: + - stringData.trustStorePath diff --git a/amq-broker-operator/instance/components/certificates/public-ca-truststores/letsencrypt-staging/console-ssl-keystore/kustomization.yaml b/amq-broker-operator/instance/components/certificates/public-ca-truststores/letsencrypt-staging/console-ssl-keystore/kustomization.yaml new file mode 100644 index 00000000..eb8c2c2a --- /dev/null +++ b/amq-broker-operator/instance/components/certificates/public-ca-truststores/letsencrypt-staging/console-ssl-keystore/kustomization.yaml 
@@ -0,0 +1,32 @@ +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component + +replacements: + - source: + group: '' + version: v1 + kind: ConfigMap + name: letsencrypt-staging-truststore + fieldPath: data.trustStorePassword + targets: + - select: + group: '' + version: v1 + kind: Secret + name: console-ssl-keystore + fieldPaths: + - stringData.trustStorePassword + - source: + group: '' + version: v1 + kind: ConfigMap + name: letsencrypt-staging-truststore + fieldPath: data.trustStorePath + targets: + - select: + group: '' + version: v1 + kind: Secret + name: console-ssl-keystore + fieldPaths: + - stringData.trustStorePath diff --git a/amq-broker-operator/instance/components/certificates/public-ca-truststores/letsencrypt-staging/kustomization.yaml b/amq-broker-operator/instance/components/certificates/public-ca-truststores/letsencrypt-staging/kustomization.yaml new file mode 100644 index 00000000..bb0bb331 --- /dev/null +++ b/amq-broker-operator/instance/components/certificates/public-ca-truststores/letsencrypt-staging/kustomization.yaml @@ -0,0 +1,23 @@ +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component + +configMapGenerator: + - name: letsencrypt-staging-truststore + options: + disableNameSuffixHash: true + files: + - truststore.jks + literals: + - trustStorePassword=changeit + - trustStorePath=/amq/extra/configmaps/letsencrypt-prod-truststore/truststore.jks + +patches: + - target: + group: broker.amq.io + version: v1beta1 + kind: ActiveMQArtemis + name: default + patch: |- + - op: add + path: /spec/deploymentPlan/extraMounts/configMaps/- + value: letsencrypt-staging-truststore diff --git a/amq-broker-operator/instance/components/certificates/public-ca-truststores/letsencrypt-staging/regenerate-truststore.sh b/amq-broker-operator/instance/components/certificates/public-ca-truststores/letsencrypt-staging/regenerate-truststore.sh new file mode 100755 index 00000000..2a87165f --- /dev/null 
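Review bot: In the letsencrypt-staging/kustomization.yaml hunk the generated ConfigMap is `letsencrypt-staging-truststore` and the extraMounts patch mounts that name, but the `trustStorePath` literal still points at the prod mount directory, `/amq/extra/configmaps/letsencrypt-prod-truststore/truststore.jks`, so unless the prod component happens to be applied too the file presumably does not exist and the broker cannot load its truststore. The line should read `- trustStorePath=/amq/extra/configmaps/letsencrypt-staging-truststore/truststore.jks`, matching the `/amq/extra/configmaps/<name>/` convention the prod component relies on. Because this value is copied into `acceptor-ssl-truststore`, `cluster-ssl-truststore` and `console-ssl-keystore` by the replacements in the sibling components, the wrong path propagates to every TLS endpoint of the staging variant.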
+++ b/amq-broker-operator/instance/components/certificates/public-ca-truststores/letsencrypt-staging/regenerate-truststore.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+import_der_from_url() {
+ curl --silent --output "$1".der "$2"
+ keytool -importcert -alias "$1" -noprompt -storetype jks -keystore truststore.jks -storepass changeit -file "$1".der
+ rm "$1".der
+}
+
+rm -f truststore.jks
+
+# List from:
+# https://letsencrypt.org/docs/staging-environment/
+
+import_der_from_url x1 https://letsencrypt.org/certs/staging/letsencrypt-stg-root-x1.der
+
+import_der_from_url x2 https://letsencrypt.org/certs/staging/letsencrypt-stg-root-x2.der
+import_der_from_url x2-cross https://letsencrypt.org/certs/staging/letsencrypt-stg-root-x2-signed-by-x1.der
diff --git a/amq-broker-operator/instance/components/certificates/public-ca-truststores/letsencrypt-staging/truststore.jks b/amq-broker-operator/instance/components/certificates/public-ca-truststores/letsencrypt-staging/truststore.jks new file mode 100644 index 0000000000000000000000000000000000000000..736672a25da69fc53bf7b792cc7fed634026d38a GIT binary patch literal 3330 zcmd^>c~Dc=9>JB?rj5>|!uI$dqrZc96gvz-o> z5+2QDhclzGG^T$H`(QK&>&A>??q~Z4VeQzgmT&WH>|v#(=<0 z7jNG20=i^9N#D2im4S~VU50ya>sS1;UOHzHrk}enP={M1b*mhI}V8%U?gI_ z*Fd44;BfKwAi*`Odfloh&RR7 zp5Frm$g}Bh_`Yh^o8$OAe)+HPc{Nhiu4RU=0O{uC@~E}7*-j{#*FDbNX1oUbET_gN z>tC=DzQCq$|0isS5|E210J*TFFR;ne9=FUy>5!7`8TqrMNIOLkg_IIkI_*6Q3Y9@X zz<~b&ZW{;1p z8FY~shM9~$?Et`_5a@qu3=Ip+c~QM|uKKds;RTzrTK_F~{(jKJltCe-ZBMuAS%)|E zAG)IGQo|mg-yK#vRUDj9muYgMXTW>YJN+xlB|q?cG2Mp)zb`VO`YEa_bZPbklqpO8^JCD9>?#MV@!na5X z{WzR+K%;%hRZ&KZ{8Hxr4dWnTwddEI z;U71qi}YF-!Y~`G_(zHV>JS5L0kM`@#{k&9$1KQqz2DvwYN!JN3MWt&VRYJ-}8Xb?#ICMY^O!qmVZDmoAs zN5CJ%hcd(c*?1N^&;Zn1{jfS*9Q;6RnOfO~zYq5RdhlvERK>zEpb997L2uVcbz_cFBS#P{~J_n3#2>-q)-K*z2UZB9zci3sVRJX)mA6e=C+ znvt36z@;efe8JxHXd%w);?%jlGlQJ1z2+9r_4aF}hD*>O_luAw-;%4++q*47ZYG8E zK2RH{=i;2#CH69)-b@2eGXaVJORZGo>$(sgbAVDz?66FXACdRbLN8WuZ&%~E&vmM^ z-Th^nKGguL?_hpgN+S*u@MtH#vM1-;GdXyx;UI<^%V*W zXfvJJl=5d7jQx`>0h)6sgC$IN(nB_Qj22vf>ydx##juV|LX}mmz+*%maBJC3j-{l% zI_Da?C9h7^OCtF`ev|85pI~>D`_3%dBf3zkAixI`T8!VLILwbp1jj^@1} z8Ei=@^W6_j=tsP@aHJQa%E;+hBZ$vd~r;5&fq(1m={8G%OK{=s$ zK7xQ9OZRtOXM4|2yItRu_%3DIYG@Zhj=ubHs8Y8uQV`eD9)EUt3;yh)Zctm#d2@W( zyTttt*L$xp9X;mC0Y}CL*+{NgwjdueFzR#16=k-^-1fWq)Fb&j686n3G@OPM^E}k8 zKD/data -- in this case: /opt/broker-logs/data + - op: add + path: /spec/deploymentPlan/extraVolumeClaimTemplates/- + value: + metadata: + name: broker-logs + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 10Gi 
diff --git a/amq-broker-operator/instance/components/logging/console-only/broker-logging-config.yaml b/amq-broker-operator/instance/components/logging/console-only/broker-logging-config.yaml new file mode 100644 index 00000000..9d948131 --- /dev/null +++ b/amq-broker-operator/instance/components/logging/console-only/broker-logging-config.yaml 
@@ -0,0 +1,77 @@ +apiVersion: v1 +kind: Secret +metadata: + name: broker-logging-config +type: Opaque +stringData: + logging.properties: | + # Licensed to the Apache Software Foundation (ASF) under one or more + # contributor license agreements. See the NOTICE file distributed with + # this work for additional information regarding copyright ownership. + # The ASF licenses this file to You under the Apache License, Version 2.0 + # (the "License"); you may not use this file except in compliance with + # the License. You may obtain a copy of the License at + # + # http://www.apache.org/licenses/LICENSE-2.0 + # + # Unless required by applicable law or agreed to in writing, software + # distributed under the License is distributed on an "AS IS" BASIS, + # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + # See the License for the specific language governing permissions and + # limitations under the License. + + # Log4J 2 configuration + + # Monitor config file every X seconds for updates + monitorInterval = 5 + + rootLogger.level = INFO + rootLogger.appenderRef.console.ref = console + + logger.activemq.name=org.apache.activemq + logger.activemq.level=INFO + + logger.artemis_server.name=org.apache.activemq.artemis.core.server + logger.artemis_server.level=INFO + + logger.artemis_journal.name=org.apache.activemq.artemis.journal + logger.artemis_journal.level=INFO + + logger.artemis_utils.name=org.apache.activemq.artemis.utils + logger.artemis_utils.level=INFO + + # CriticalAnalyzer: If you have issues with the CriticalAnalyzer, setting this to TRACE would give + # you extra troubleshooting info, but do not use TRACE regularly as it would incur extra CPU usage. 
+ logger.critical_analyzer.name=org.apache.activemq.artemis.utils.critical + logger.critical_analyzer.level=INFO + + # Audit loggers: to enable change levels from OFF to INFO + logger.audit_base.name = org.apache.activemq.audit.base + logger.audit_base.level = OFF + + logger.audit_resource.name = org.apache.activemq.audit.resource + logger.audit_resource.level = OFF + + logger.audit_message.name = org.apache.activemq.audit.message + logger.audit_message.level = OFF + + # Jetty logger levels + logger.jetty.name=org.eclipse.jetty + logger.jetty.level=WARN + + # web console authenticator too verbose for impatient client + logger.authentication_filter.name=io.hawt.web.auth.AuthenticationFilter + logger.authentication_filter.level=ERROR + + # Quorum related logger levels + logger.curator.name=org.apache.curator + logger.curator.level=WARN + logger.zookeeper.name=org.apache.zookeeper + logger.zookeeper.level=ERROR + + + # Console appender + appender.console.type=Console + appender.console.name=console + appender.console.layout.type=PatternLayout + appender.console.layout.pattern=%d %-5level [%logger] %msg%n diff --git a/amq-broker-operator/instance/components/logging/console-only/kustomization.yaml b/amq-broker-operator/instance/components/logging/console-only/kustomization.yaml new file mode 100644 index 00000000..84f7eb62 --- /dev/null +++ b/amq-broker-operator/instance/components/logging/console-only/kustomization.yaml @@ -0,0 +1,16 @@ +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component + +resources: + - broker-logging-config.yaml + +patches: + - target: + group: broker.amq.io + version: v1beta1 + kind: ActiveMQArtemis + name: default + patch: |- + - op: add + path: /spec/deploymentPlan/extraMounts/secrets/- + value: broker-logging-config diff --git a/amq-broker-operator/instance/components/metrics/README.adoc b/amq-broker-operator/instance/components/metrics/README.adoc new file mode 100644 index 00000000..20ef05a4 --- /dev/null 
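Review bot: In broker-logging-config.yaml the three audit loggers (`org.apache.activemq.audit.base`, `.resource`, `.message`) stay at `OFF`, and because the console appender is the only appender in this component, authentication and management-operation audit events are never written to stdout where the cluster log pipeline could collect them. For the component that is effectively the default logging configuration, consider `logger.audit_base.level = INFO` and `logger.audit_resource.level = INFO` (message-level audit is high volume and can stay off), or document the patch an overlay must apply to turn them on. The embedded file appears to be the upstream Artemis logging.properties, and its own comment "to enable change levels from OFF to INFO" already points at this; a comment above `stringData:` saying which levels this component deliberately keeps and why would make the choice reviewable.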
+++ b/amq-broker-operator/instance/components/metrics/README.adoc @@ -0,0 +1,71 @@ += ActiveMQ Artemis Metrics Options + +For metrics the following configs are available: + +== Web Console +Configure the Web Console: + +Requirements : + +* Artemis Console must be exposed +* managementRBACEnabled = true +** jolokia commands are secured + +* jolokiaAgentEnabled = true + +== JMX - Jolokia External Monitoring +Configure the JMX - Jolokia External: + +Requirements : + +* managementRBACEnabled = true +** jolokia commands are secured + +== JMX - External HawtIO Console +Configure the JMX - External HawtIO: + +JMX via separately deployed HawtIO console + +* managementRBACEnabled = false +** jolokia commands are not secured +** console should not be exposed +* console expose = false + +== Broker Plugin - External Prometheus + +Configure the built in Broker Prometheus Plugin : + +Creates a Service Montior object for wconsj endpoint + +Metrics can be scraped via two different methods: + +* Directly from the configured ports +* From the endpoint URL + +Requirements: + +* Update the spec/matchLabel/application: +* Prometheus +** External Prometheus or +** Openshift Prometheus Plugin + +== Broker JVM + +Configure the jvm settings for: + +* memory metrics +* garbage collection metrics +* thread metrics + +Patches the ActiveMQArtemis object to inject secret + +Requirements : + +* Created as a secret +* File name must be suffixed with -bp + +== Address Metrics + +Configure address specific metrics : + +Patches the ActiveMQArtemis object to activate address metrics on catch-all address settings. diff --git a/amq-broker-operator/instance/components/metrics/address-metrics/kustomization.yaml b/amq-broker-operator/instance/components/metrics/address-metrics/kustomization.yaml new file mode 100644 index 00000000..fec77216 --- /dev/null +++ b/amq-broker-operator/instance/components/metrics/address-metrics/kustomization.yaml 
@@ -0,0 +1,20 @@ +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component + +resources: + - address-metrics-bp.yaml + +patches: + - target: + group: broker.amq.io + version: v1beta1 + kind: ActiveMQArtemis + name: default + patch: |- + - op: test + path: /spec/addressSettings/addressSetting/0/match + value: '#' + + - op: replace + path: /spec/addressSettings/addressSetting/0/enableMetrics + value: true diff --git a/amq-broker-operator/instance/components/metrics/broker-external/external-hawtio/kustomization.yaml b/amq-broker-operator/instance/components/metrics/broker-external/external-hawtio/kustomization.yaml new file mode 100644 index 00000000..97f719a2 --- /dev/null +++ b/amq-broker-operator/instance/components/metrics/broker-external/external-hawtio/kustomization.yaml @@ -0,0 +1,23 @@ +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component + +patches: + - target: + group: broker.amq.io + version: v1beta1 + kind: ActiveMQArtemis + name: default + patch: |- + - op: replace + path: /spec/deploymentPlan/managementRBACEnabled + value: false + - target: + group: broker.amq.io + version: v1beta1 + kind: ActiveMQArtemis + name: default + patch: |- + - op: replace + path: /spec/console/expose + value: false + diff --git a/amq-broker-operator/instance/components/metrics/broker-external/jolokia/kustomization.yaml b/amq-broker-operator/instance/components/metrics/broker-external/jolokia/kustomization.yaml new file mode 100644 index 00000000..df4fbd01 --- /dev/null +++ b/amq-broker-operator/instance/components/metrics/broker-external/jolokia/kustomization.yaml @@ -0,0 +1,13 @@ +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component + +patches: + - target: + group: broker.amq.io + version: v1beta1 + kind: ActiveMQArtemis + name: default + patch: |- + - op: replace + path: /spec/deploymentPlan/managementRBACEnabled + value: true 
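Review bot: The external-hawtio kustomization sets `/spec/deploymentPlan/managementRBACEnabled` to `false` and only un-exposes the console with `/spec/console/expose: false`; the Jolokia endpoint remains reachable in-cluster through the broker Service, now without RBAC on management operations, so the reachability of that port is the only remaining control. If this component is kept, pair it with a NetworkPolicy that limits the console port to the namespace or pods of the separately deployed HawtIO console, and say so above the first patch, e.g. `# managementRBACEnabled=false removes RBAC on Jolokia management calls; restrict the console port with a NetworkPolicy`. As a point of style, the two patches target the same CR and could be one patch with two operations, which is how the web-console component in the next hunks is written.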
diff --git a/amq-broker-operator/instance/components/metrics/broker-external/prometheus/kustomization.yaml b/amq-broker-operator/instance/components/metrics/broker-external/prometheus/kustomization.yaml new file mode 100644 index 00000000..15f99880 --- /dev/null +++ b/amq-broker-operator/instance/components/metrics/broker-external/prometheus/kustomization.yaml @@ -0,0 +1,16 @@ +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component + +resources: + - service-monitor.yaml + +patches: + - target: + group: broker.amq.io + version: v1beta1 + kind: ActiveMQArtemis + name: default + patch: |- + - op: replace + path: /spec/deploymentPlan/enableMetricsPlugin + value: true diff --git a/amq-broker-operator/instance/components/metrics/broker-external/prometheus/service-monitor.yaml b/amq-broker-operator/instance/components/metrics/broker-external/prometheus/service-monitor.yaml new file mode 100644 index 00000000..b51a3e18 --- /dev/null +++ b/amq-broker-operator/instance/components/metrics/broker-external/prometheus/service-monitor.yaml @@ -0,0 +1,12 @@ +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: default + labels: + team: prometheus +spec: + selector: + matchLabels: + application: default + endpoints: + - port: wconsj diff --git a/amq-broker-operator/instance/components/metrics/broker-internal/jvm/broker-jvm-metrics-bp.yaml b/amq-broker-operator/instance/components/metrics/broker-internal/jvm/broker-jvm-metrics-bp.yaml new file mode 100644 index 00000000..51e3bfa2 --- /dev/null +++ b/amq-broker-operator/instance/components/metrics/broker-internal/jvm/broker-jvm-metrics-bp.yaml @@ -0,0 +1,10 @@ +kind: Secret +apiVersion: v1 +metadata: + name: broker-jvm-metrics-bp +type: Opaque +stringData: + broker-jvm.broker.properties: | + metricsConfiguration.jvmGc=true + metricsConfiguration.jvmMemory=true + metricsConfiguration.jvmThread=true 
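Review bot: The ServiceMonitor in service-monitor.yaml scrapes `wconsj` with no `scheme` or `tlsConfig`, so it defaults to plain HTTP; combined with any console-ssl-keystore component, which sets `/spec/console/sslEnabled` to `true`, the scrape presumably fails until the endpoint gets `scheme: https` and a `tlsConfig` carrying the CA that signed the console certificate. The selector `application: default` is hard-coded and the metrics README asks users to edit it by hand; a kustomize `replacements` from the ActiveMQArtemis `metadata.name` into `spec.selector.matchLabels.application` would remove that step, assuming the operator labels the Service with the CR name as the `default` value suggests.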
diff --git a/amq-broker-operator/instance/components/metrics/broker-internal/jvm/kustomization.yaml b/amq-broker-operator/instance/components/metrics/broker-internal/jvm/kustomization.yaml new file mode 100644 index 00000000..92e17d5b --- /dev/null +++ b/amq-broker-operator/instance/components/metrics/broker-internal/jvm/kustomization.yaml @@ -0,0 +1,16 @@ +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component + +resources: + - broker-jvm-metrics-bp.yaml + +patches: + - target: + group: broker.amq.io + version: v1beta1 + kind: ActiveMQArtemis + name: default + patch: |- + - op: add + path: /spec/deploymentPlan/extraMounts/secrets/- + value: broker-jvm-metrics-bp diff --git a/amq-broker-operator/instance/components/metrics/broker-internal/web-console/kustomization.yaml b/amq-broker-operator/instance/components/metrics/broker-internal/web-console/kustomization.yaml new file mode 100644 index 00000000..0f37f771 --- /dev/null +++ b/amq-broker-operator/instance/components/metrics/broker-internal/web-console/kustomization.yaml @@ -0,0 +1,16 @@ +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component + +patches: + - target: + group: broker.amq.io + version: v1beta1 + kind: ActiveMQArtemis + name: default + patch: |- + - op: replace + path: /spec/deploymentPlan/managementRBACEnabled + value: true + - op: add + path: /spec/deploymentPlan/jolokiaAgentEnabled + value: true diff --git a/amq-broker-operator/instance/components/other-broker-properties/broker-other-configs-bp.yaml b/amq-broker-operator/instance/components/other-broker-properties/broker-other-configs-bp.yaml new file mode 100644 index 00000000..9a87ebbd --- /dev/null +++ b/amq-broker-operator/instance/components/other-broker-properties/broker-other-configs-bp.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +kind: Secret +metadata: + name: broker-other-configs-bp +type: Opaque +stringData: + broker.properties: | + # This may be replaced by any other broker properties in an overlay 
diff --git a/amq-broker-operator/instance/components/other-broker-properties/kustomization.yaml b/amq-broker-operator/instance/components/other-broker-properties/kustomization.yaml new file mode 100644 index 00000000..0036eb2c --- /dev/null +++ b/amq-broker-operator/instance/components/other-broker-properties/kustomization.yaml @@ -0,0 +1,16 @@ +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component + +resources: + - broker-other-configs-bp.yaml + +patches: + - target: + group: broker.amq.io + version: v1beta1 + kind: ActiveMQArtemis + name: default + patch: |- + - op: add + path: /spec/deploymentPlan/extraMounts/secrets/- + value: broker-other-configs-bp diff --git a/amq-broker-operator/instance/components/persistence/README.adoc b/amq-broker-operator/instance/components/persistence/README.adoc new file mode 100644 index 00000000..6101c29d --- /dev/null +++ b/amq-broker-operator/instance/components/persistence/README.adoc 
@@ -0,0 +1,50 @@ += ActiveMQ Artemis Persistence Components + +For persistence, the following options are available: + +== No persistence + +No components are necessary, because the base defaults to persistence disabled. +For explicit disabling, the component `persistence/none` is available. + +== File-based persistence + +Use the `persistence/file` component to use filesystem based storage + +== JDBC-based persistence + +The following component options are available to select JDBC persistence + +=== Oracle database + +#TODO# + +=== PostgreSQL database + +Use the `persistence/jdbc/postgresql` component, along with customizations for driver JAR download location and database connection URL + +.Example Patches for PostgreSQL +[source,yaml] +---- +- target: + group: '' + version: v1 + kind: ConfigMap + name: broker-jdbc-driver + patch: |- + - op: replace + path: /data/driver-url + value: 'https://jdbc.postgresql.org/download/postgresql-42.7.3.jar' +- target: + group: '' + version: v1 + kind: Secret + name: broker-jdbc-configs-bp + patch: |- + - op: replace + path: /stringData/jdbc-connection-url.broker.properties + value: storeConfiguration.jdbcConnectionUrl=jdbc:postgresql://postgresql.broker-database-dev.svc.cluster.local:5432/sampledb?user=user60C&password=test +---- + +=== #TODO: Add other database drivers# + diff --git a/amq-broker-operator/instance/components/persistence/file/kustomization.yaml b/amq-broker-operator/instance/components/persistence/file/kustomization.yaml new file mode 100644 index 00000000..c13f3161 --- /dev/null +++ b/amq-broker-operator/instance/components/persistence/file/kustomization.yaml 
@@ -0,0 +1,39 @@ +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component + +patches: + - target: + group: broker.amq.io + version: v1beta1 + kind: ActiveMQArtemis + name: default + patch: |- + # Ask operator to create PVCs for pod persistence + - op: replace + path: /spec/deploymentPlan/persistenceEnabled + value: true + + # Tell broker to enable persistence + - op: test + path: /spec/brokerProperties/1 + value: |- + persistenceEnabled=false + - op: replace + path: /spec/brokerProperties/1 + value: |- + persistenceEnabled=true + + # Set storage size (which can be overridden in overlay) + - op: add + path: /spec/deploymentPlan/storage + value: + size: 4Gi + # storageClassName: gp3 + + # Set default catch-all address setting to PAGE instead of BLOCK + - op: test + path: /spec/addressSettings/addressSetting/0/match + value: '#' + - op: replace + path: /spec/addressSettings/addressSetting/0/addressFullPolicy + value: PAGE diff --git a/amq-broker-operator/instance/components/persistence/jdbc/_base/broker-jdbc-configs-bp.yaml b/amq-broker-operator/instance/components/persistence/jdbc/_base/broker-jdbc-configs-bp.yaml new file mode 100644 index 00000000..eca40678 --- /dev/null +++ b/amq-broker-operator/instance/components/persistence/jdbc/_base/broker-jdbc-configs-bp.yaml 
@@ -0,0 +1,35 @@ +apiVersion: v1 +kind: Secret +metadata: + name: broker-jdbc-configs-bp +type: Opaque +stringData: + base-jdbc.broker.properties: | + storeConfiguration=DATABASE + jdbc-connection-url.broker.properties: | + # This property should be replaced in a kustomize overlay to point to real database + storeConfiguration.jdbcConnectionUrl=jdbc:postgresql://postgresql.broker-database-dev.svc.cluster.local:5432/sampledb + storeConfiguration.jdbcUser=__REPLACE_ME__ + storeConfiguration.jdbcPassword=__REPLACE_ME__ + jdbc-driver.broker.properties: | + # This property will be replaced in a kustomize component, depending upon driver used + storeConfiguration.jdbcDriverClassName=__COMPONENT_SPECIFIC__ + jdbc-lock-timing.broker.properties: | + storeConfiguration.jdbcLockAcquisitionTimeoutMillis=-1 + storeConfiguration.jdbcLockExpirationMillis=20000 + storeConfiguration.jdbcLockRenewPeriodMillis=4000 + jdbc-other.broker.properties: | + # This property may be replaced in a kustomize overlay with any other JDBC-specific configurations + storeConfiguration.maxPageSizeBytes=102400 + + storeConfiguration.jdbcNetworkTimeout=20000 + jdbc-sync-timing.broker.properties: | + storeConfiguration.jdbcJournalSyncPeriodMillis=5 + storeConfiguration.jdbcAllowedTimeDiff=250 + jdbc-tables.broker.properties: | + # This property may be replaced in a kustomize overlay with tables + storeConfiguration.messageTableName=MESSAGES + storeConfiguration.bindingsTableName=BINDINGS + storeConfiguration.largeMessageTableName=LARGE_MESSAGES + storeConfiguration.pageStoreTableName=PAGE_STORE + storeConfiguration.nodeManagerTableName=NODE_MANAGER_STORE diff --git a/amq-broker-operator/instance/components/persistence/jdbc/_base/kustomization.yaml b/amq-broker-operator/instance/components/persistence/jdbc/_base/kustomization.yaml new file mode 100644 index 00000000..1bef5e9a --- /dev/null +++ b/amq-broker-operator/instance/components/persistence/jdbc/_base/kustomization.yaml 
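Review bot: `storeConfiguration.jdbcUser` and `storeConfiguration.jdbcPassword` in the `jdbc-connection-url.broker.properties` key are `__REPLACE_ME__` placeholders inside a Secret's `stringData`, and the only replacement path this layout offers is a plaintext patch in a git-tracked overlay, so real database credentials end up committed. Nothing fails the build if the placeholders survive either; the broker starts and only fails to authenticate to the database at runtime. I would add above that key: `# Do NOT patch real credentials into this file or an overlay: supply jdbcUser/jdbcPassword from a secretGenerator or an externally managed Secret, and keep the URL free of user=/password= query parameters`. Moving the user/password lines into their own `stringData` key would also let overlays patch the non-secret URL without touching credentials.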
@@ -0,0 +1,13 @@ +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component + +resources: + - broker-jdbc-configs-bp.yaml + +patches: + - target: + group: broker.amq.io + version: v1beta1 + kind: ActiveMQArtemis + name: default + path: patch-broker.yaml diff --git a/amq-broker-operator/instance/components/persistence/jdbc/_base/patch-broker.yaml b/amq-broker-operator/instance/components/persistence/jdbc/_base/patch-broker.yaml new file mode 100644 index 00000000..59a9e3ea --- /dev/null +++ b/amq-broker-operator/instance/components/persistence/jdbc/_base/patch-broker.yaml @@ -0,0 +1,52 @@ +#file: noinspection YAMLIncompatibleTypes + +# Ensure persistence is disabled for the operator so it doesn't create any PVCs +- op: replace + path: /spec/deploymentPlan/persistenceEnabled + value: false + +# But enable persistence at the broker level +- op: test + path: /spec/brokerProperties/1 + value: |- + persistenceEnabled=false +- op: replace + path: /spec/brokerProperties/1 + value: |- + persistenceEnabled=true + +# Set default catch-all address setting to PAGE instead of BLOCK +- op: test + path: /spec/addressSettings/addressSetting/0/match + value: '#' +- op: replace + path: /spec/addressSettings/addressSetting/0/addressFullPolicy + value: PAGE + +# Add brokerProperties secrets +- op: add + path: /spec/deploymentPlan/extraMounts/secrets/- + value: broker-jdbc-configs-bp + +# Add volume mount... volume to be created by other dependent components +- op: add + path: /spec/deploymentPlan/extraVolumeMounts/- + value: + name: jdbc-jars + mountPath: /opt/jdbc-jars + +# Add environment variables to tell AMQ Artemis about the JDBC driver jar location +- op: add + path: /spec/env/- + value: + name: ARTEMIS_EXTRA_LIBS + value: /opt/jdbc-jars + +- op: add + path: /spec/env/- + value: + name: DB_DRIVER_JAR_FILENAME + valueFrom: + configMapKeyRef: + name: broker-jdbc-driver + key: driver-jar-filename 
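Review bot: The `extraVolumeMounts` entry for `jdbc-jars` mounts the driver directory into the broker container read-write, although the broker only needs to read the JAR that `ARTEMIS_EXTRA_LIBS` points it to; writing is done by the init containers of the sibling `_copy-driver` and `_download-driver` components. A read-only mount keeps a compromised broker process from swapping in a JAR that the JVM loads on the next restart: `name: jdbc-jars` / `mountPath: /opt/jdbc-jars` / `readOnly: true`. This assumes the CRD's `extraVolumeMounts` accepts the standard VolumeMount fields, which is worth confirming against the operator's schema.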
diff --git a/amq-broker-operator/instance/components/persistence/jdbc/_copy-driver/kustomization.yaml b/amq-broker-operator/instance/components/persistence/jdbc/_copy-driver/kustomization.yaml new file mode 100644 index 00000000..0f225e90 --- /dev/null +++ b/amq-broker-operator/instance/components/persistence/jdbc/_copy-driver/kustomization.yaml @@ -0,0 +1,54 @@ +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component + +patches: + - target: + group: broker.amq.io + version: v1beta1 + kind: ActiveMQArtemis + name: default + patch: |- + # Keep emptyDir across containers within the pod, for copying driver JAR out of an image + - op: add + path: /spec/deploymentPlan/extraVolumes/- + value: + name: jdbc-jars + emptyDir: + sizeLimit: 1Gi + + # Add environment variable for where to find the driver JAR within the container image + - op: add + path: /spec/env/- + value: + name: DB_DRIVER_SOURCE_PATH + valueFrom: + configMapKeyRef: + name: broker-jdbc-driver + key: driver-jar-source-path + + # Add the script to copy JDBC driver JAR during init + - op: add + path: /spec/resourceTemplates/- + value: + selector: + apiGroup: apps/v1 + kind: StatefulSet + patch: + apiVersion: apps/v1 + kind: StatefulSet + spec: + template: + spec: + initContainers: + - name: jdbc-driver-init + image: __REPLACE_IMAGE_VALUE__ + volumeMounts: + - name: jdbc-jars + mountPath: /opt/jdbc-jars + command: + - /bin/sh + args: + - '-c' + - | + cp "$DB_DRIVER_SOURCE_PATH"/"$DB_DRIVER_JAR_FILENAME" /opt/jdbc-jars/"$DB_DRIVER_JAR_FILENAME" + diff --git a/amq-broker-operator/instance/components/persistence/jdbc/_download-driver/broker-jdbc-jars.yaml b/amq-broker-operator/instance/components/persistence/jdbc/_download-driver/broker-jdbc-jars.yaml new file mode 100644 index 00000000..1b6dc878 --- /dev/null +++ b/amq-broker-operator/instance/components/persistence/jdbc/_download-driver/broker-jdbc-jars.yaml 
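Review bot: The init container's `image` is the literal `__REPLACE_IMAGE_VALUE__` and nothing in the component fails if an overlay forgets to patch it; the StatefulSet just fails to pull. Because the value sits inside `resourceTemplates/-/patch`, a consumer has to know the exact JSON-pointer path to override it, so I would document that next to the line: `# Overlays must replace this with the image that ships the driver JAR at DB_DRIVER_SOURCE_PATH (pin it by digest)`. The `cp` line itself is fine: both variables are quoted and a missing source file makes the init container fail, which is what you want.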
@@ -0,0 +1,10 @@ +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: broker-jdbc-jars +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi diff --git a/amq-broker-operator/instance/components/persistence/jdbc/_download-driver/kustomization.yaml b/amq-broker-operator/instance/components/persistence/jdbc/_download-driver/kustomization.yaml new file mode 100644 index 00000000..29a4199e --- /dev/null +++ b/amq-broker-operator/instance/components/persistence/jdbc/_download-driver/kustomization.yaml @@ -0,0 +1,59 @@ +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component + +resources: + # Create PVC for holding downloaded JARs + - broker-jdbc-jars.yaml + +patches: + - target: + group: broker.amq.io + version: v1beta1 + kind: ActiveMQArtemis + name: default + patch: |- + # Add volume for PVC that holds downloaded JARs + - op: add + path: /spec/deploymentPlan/extraVolumes/- + value: + name: jdbc-jars + persistentVolumeClaim: + claimName: broker-jdbc-jars + + # Add environment variable for driver URL + - op: add + path: /spec/env/- + value: + name: DB_DRIVER_URL + valueFrom: + configMapKeyRef: + name: broker-jdbc-driver + key: driver-url + + # Add initContainer to automatically download JDBC driver if necessary + - op: add + path: /spec/resourceTemplates/- + value: + selector: + apiGroup: apps/v1 + kind: StatefulSet + patch: + apiVersion: apps/v1 + kind: StatefulSet + spec: + template: + spec: + initContainers: + - name: jdbc-driver-init + image: 'curlimages/curl:8.6.0' + volumeMounts: + - name: jdbc-jars + mountPath: /opt/jdbc-jars + command: + - /bin/sh + args: + - '-c' + - | + if ! [ -f /opt/jdbc-jars/"$DB_DRIVER_JAR_FILENAME" ]; then + curl "$DB_DRIVER_URL" --output /opt/jdbc-jars/"$DB_DRIVER_JAR_FILENAME" + fi 
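Review bot: The download in the init container's `args` runs `curl` without `--fail` or any integrity check, and the `-f` guard then treats whatever landed in the PVC as the driver on every later restart, so an HTTP error body or a substituted file is loaded into the broker JVM through `ARTEMIS_EXTRA_LIBS` and never re-fetched. Download to a temporary name, fail on non-2xx, verify a pinned SHA-256 and only then move the file into place; the digest would come from a new key in the `broker-jdbc-driver` ConfigMap alongside `driver-url` (the variable name below is a placeholder). Pinning `curlimages/curl:8.6.0` by digest rather than tag closes the same gap on the tool side. Separately, `broker-jdbc-jars` is a single `ReadWriteOnce` claim referenced from `extraVolumes`; if the deployment plan runs more than one broker pod, a second pod can only mount it when scheduled on the same node, so the intended replica count should be confirmed.
```yaml
# … unchanged: extraVolumes, DB_DRIVER_URL env, initContainer name/image/volumeMounts …
                  command:
                    - /bin/sh
                  args:
                    - '-c'
                    - |
                      set -eu
                      jar=/opt/jdbc-jars/"$DB_DRIVER_JAR_FILENAME"
                      if ! [ -f "$jar" ]; then
                        curl --fail --location --silent --show-error "$DB_DRIVER_URL" --output "$jar.tmp"
                        # DB_DRIVER_SHA256: proposed new env var, fed from a new key in the broker-jdbc-driver ConfigMap
                        echo "$DB_DRIVER_SHA256  $jar.tmp" | sha256sum -c -
                        mv "$jar.tmp" "$jar"
                      fi
```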
diff --git a/amq-broker-operator/instance/components/persistence/jdbc/oracle/broker-jdbc-driver.yaml b/amq-broker-operator/instance/components/persistence/jdbc/oracle/broker-jdbc-driver.yaml new file mode 100644 index 00000000..00eab024 --- /dev/null +++ b/amq-broker-operator/instance/components/persistence/jdbc/oracle/broker-jdbc-driver.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: broker-jdbc-driver +data: + driver-jar-source-path: "/opt/oracle-driver" + driver-jar-filename: "ojdbc8.jar" diff --git a/amq-broker-operator/instance/components/persistence/jdbc/oracle/kustomization.yaml b/amq-broker-operator/instance/components/persistence/jdbc/oracle/kustomization.yaml new file mode 100644 index 00000000..b272c28b --- /dev/null +++ b/amq-broker-operator/instance/components/persistence/jdbc/oracle/kustomization.yaml @@ -0,0 +1,20 @@ +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component + +resources: + - broker-jdbc-driver.yaml + +components: + - ../_base + - ../_copy-driver + +patches: + - target: + group: '' + version: v1 + kind: Secret + name: broker-jdbc-configs-bp + patch: |- + - op: replace + path: /stringData/jdbc-driver.broker.properties + value: storeConfiguration.jdbcDriverClassName=oracle.jdbc.driver.OracleDriver diff --git a/amq-broker-operator/instance/components/persistence/jdbc/postgresql/broker-jdbc-driver.yaml b/amq-broker-operator/instance/components/persistence/jdbc/postgresql/broker-jdbc-driver.yaml new file mode 100644 index 00000000..066a8271 --- /dev/null +++ b/amq-broker-operator/instance/components/persistence/jdbc/postgresql/broker-jdbc-driver.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: broker-jdbc-driver +data: + driver-url: "https://jdbc.postgresql.org/download/postgresql-42.7.3.jar" + driver-jar-filename: "postgres-connector.jar" 
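Review bot: The Oracle component patches `jdbcDriverClassName` to `oracle.jdbc.driver.OracleDriver`, which as far as I recall is the legacy class that Oracle's driver documentation marks deprecated in favour of `oracle.jdbc.OracleDriver`; the old name still resolves in current ojdbc8 builds, but the supported one is the safer choice: `value: storeConfiguration.jdbcDriverClassName=oracle.jdbc.OracleDriver`. The PostgreSQL ConfigMap pins `driver-url` to a specific release but carries nothing the download step could verify against; a digest key next to `driver-url` and `driver-jar-filename` is where the integrity check for the `_download-driver` init container would be sourced from. A short comment on that ConfigMap, `# driver-url is fetched at pod start; keep it pinned to a release and pair it with a digest`, would make the expectation visible to overlay authors.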
diff --git a/amq-broker-operator/instance/components/persistence/jdbc/postgresql/kustomization.yaml b/amq-broker-operator/instance/components/persistence/jdbc/postgresql/kustomization.yaml new file mode 100644 index 00000000..ca4fd4bd --- /dev/null +++ b/amq-broker-operator/instance/components/persistence/jdbc/postgresql/kustomization.yaml @@ -0,0 +1,21 @@ +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component + +components: + - ../_base + - ../_download-driver + +resources: + # ConfigMap for DB driver JAR download info + - broker-jdbc-driver.yaml + +patches: + - target: + group: '' + version: v1 + kind: Secret + name: broker-jdbc-configs-bp + patch: |- + - op: replace + path: /stringData/jdbc-driver.broker.properties + value: storeConfiguration.jdbcDriverClassName=org.postgresql.Driver diff --git a/amq-broker-operator/instance/components/persistence/none/kustomization.yaml b/amq-broker-operator/instance/components/persistence/none/kustomization.yaml new file mode 100644 index 00000000..4b1c4566 --- /dev/null +++ b/amq-broker-operator/instance/components/persistence/none/kustomization.yaml @@ -0,0 +1,18 @@ +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component + +patches: + - target: + group: broker.amq.io + version: v1beta1 + kind: ActiveMQArtemis + name: default + patch: |- + - op: replace + path: /spec/deploymentPlan/persistenceEnabled + value: false + + - op: test + path: /spec/brokerProperties/1 + value: |- + persistenceEnabled=false diff --git a/amq-broker-operator/instance/overlays/clustered-ephemeral-tls-init-container/keystore-inputs.yaml b/amq-broker-operator/instance/overlays/clustered-ephemeral-tls-init-container/keystore-inputs.yaml new file mode 100644 index 00000000..6d944c69 --- /dev/null +++ b/amq-broker-operator/instance/overlays/clustered-ephemeral-tls-init-container/keystore-inputs.yaml 
@@ -0,0 +1,8 @@ +apiVersion: v1 +kind: Secret +metadata: + name: keystore-inputs +type: Opaque +stringData: + keyStorePassword: 'super-secret-password' + trustStorePassword: 'changeit' diff --git a/amq-broker-operator/instance/overlays/clustered-ephemeral-tls-init-container/kustomization.yaml b/amq-broker-operator/instance/overlays/clustered-ephemeral-tls-init-container/kustomization.yaml new file mode 100644 index 00000000..08579a46 --- /dev/null +++ b/amq-broker-operator/instance/overlays/clustered-ephemeral-tls-init-container/kustomization.yaml @@ -0,0 +1,56 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: + - ../clustered-ephemeral + - keystore-inputs.yaml + +components: + - ../../components/acceptors/one-way-tls + - ../../components/certificates/init-build-keystore/init-container + - ../../components/certificates/init-build-keystore/console-ssl-keystore + - ../../components/certificates/init-build-keystore/acceptor-ssl-keystore-and-truststore + +replacements: + - source: + group: '' + version: v1 + kind: Secret + name: keystore-inputs + fieldPath: stringData.keyStorePassword + targets: + - select: + group: '' + version: v1 + kind: Secret + name: console-ssl-keystore + fieldPaths: + - stringData.keyStorePassword + - select: + group: '' + version: v1 + kind: Secret + name: acceptor-ssl-keystore + fieldPaths: + - stringData.keyStorePassword + - source: + group: '' + version: v1 + kind: Secret + name: keystore-inputs + fieldPath: stringData.trustStorePassword + targets: + - select: + group: '' + version: v1 + kind: Secret + name: console-ssl-keystore + fieldPaths: + - stringData.trustStorePassword + - select: + group: '' + version: v1 + kind: Secret + name: acceptor-ssl-truststore + fieldPaths: + - stringData.trustStorePassword 
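Review bot: `keystore-inputs.yaml` commits literal keystore passwords (`'super-secret-password'`, `'changeit'`) in a Secret's `stringData`, and the overlay's `replacements` fan those values out into `console-ssl-keystore`, `acceptor-ssl-keystore` and `acceptor-ssl-truststore`, so anyone with read access to the repository holds the private-key passwords of every listener this overlay configures. If the overlay is meant as an example, say so at the top of the Secret: `# Example values only — never deploy these passwords; generate this Secret from an untracked env file for real environments`. If it is meant to be deployed, build the Secret with `secretGenerator` from an untracked file (with `generatorOptions.disableNameSuffixHash: true` so the `replacements` source name still resolves) or pull it from an external secret store.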
diff --git a/amq-broker-operator/instance/overlays/clustered-ephemeral-tls-letsencrypt/kustomization.yaml b/amq-broker-operator/instance/overlays/clustered-ephemeral-tls-letsencrypt/kustomization.yaml new file mode 100644 index 00000000..f337534d --- /dev/null +++ b/amq-broker-operator/instance/overlays/clustered-ephemeral-tls-letsencrypt/kustomization.yaml @@ -0,0 +1,26 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: + - ../clustered-ephemeral + +components: + - ../../components/acceptors/one-way-tls + - ../../components/certificates/cert-manager/console-ssl-keystore + - ../../components/certificates/cert-manager/acceptor-ssl-keystore + - ../../components/certificates/public-ca-truststores/letsencrypt-prod + - ../../components/certificates/public-ca-truststores/letsencrypt-prod/console-ssl-keystore + - ../../components/certificates/public-ca-truststores/letsencrypt-prod/acceptor-ssl-truststore + +patches: + - target: + group: cert-manager.io + version: v1 + kind: Certificate + patch: |- + - op: replace + path: /spec/issuerRef + value: + group: cert-manager.io + kind: ClusterIssuer + name: letsencrypt-prod diff --git a/amq-broker-operator/instance/overlays/clustered-ephemeral/kustomization.yaml b/amq-broker-operator/instance/overlays/clustered-ephemeral/kustomization.yaml new file mode 100644 index 00000000..227f8a2e --- /dev/null +++ b/amq-broker-operator/instance/overlays/clustered-ephemeral/kustomization.yaml @@ -0,0 +1,9 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: + - ../../base + +components: + - ../../components/persistence/none + - ../../components/clustering/intra-namespace diff --git a/amq-broker-operator/instance/overlays/cross-ocp-postgres-primary-backup-letsencrypt/backup/kustomization.yaml b/amq-broker-operator/instance/overlays/cross-ocp-postgres-primary-backup-letsencrypt/backup/kustomization.yaml new file mode 100644 index 00000000..fbf69e42 --- /dev/null 
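Review bot: The `patches` target in the letsencrypt overlay selects every `cert-manager.io/v1` `Certificate` in the build by kind alone, with no `name` or `labelSelector`, so the `issuerRef` of any Certificate pulled in by other components is silently rewritten to the `letsencrypt-prod` ClusterIssuer. That is probably intended here, but it also means a later component that adds an internal cluster certificate would be sent to a public CA. A comment makes the choice visible, `# Intentionally unscoped: every Certificate in this overlay is issued by letsencrypt-prod`, or narrow the target with `labelSelector`/`name` if only the console and acceptor certificates should switch. The same unscoped target appears in the `backup` and `primary` overlays under `cross-ocp-postgres-primary-backup-letsencrypt`.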
+++ b/amq-broker-operator/instance/overlays/cross-ocp-postgres-primary-backup-letsencrypt/backup/kustomization.yaml @@ -0,0 +1,26 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: + - ../../../base + +components: + - ../../../components/persistence/jdbc/postgresql + - ../../../components/clustering/cross-ocp-cluster + - ../../../components/high-availability/ha-cluster/backup + - ../../../components/certificates/cert-manager/cluster-ssl-keystore + - ../../../components/certificates/public-ca-truststores/letsencrypt-prod + - ../../../components/certificates/public-ca-truststores/letsencrypt-prod/cluster-ssl-truststore + +patches: + - target: + group: cert-manager.io + version: v1 + kind: Certificate + patch: |- + - op: replace + path: /spec/issuerRef + value: + group: cert-manager.io + kind: ClusterIssuer + name: letsencrypt-prod diff --git a/amq-broker-operator/instance/overlays/cross-ocp-postgres-primary-backup-letsencrypt/primary/kustomization.yaml b/amq-broker-operator/instance/overlays/cross-ocp-postgres-primary-backup-letsencrypt/primary/kustomization.yaml new file mode 100644 index 00000000..dce1834c --- /dev/null +++ b/amq-broker-operator/instance/overlays/cross-ocp-postgres-primary-backup-letsencrypt/primary/kustomization.yaml 
@@ -0,0 +1,26 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: + - ../../../base + +components: + - ../../../components/persistence/jdbc/postgresql + - ../../../components/clustering/cross-ocp-cluster + - ../../../components/high-availability/ha-cluster/primary + - ../../../components/certificates/cert-manager/cluster-ssl-keystore + - ../../../components/certificates/public-ca-truststores/letsencrypt-prod + - ../../../components/certificates/public-ca-truststores/letsencrypt-prod/cluster-ssl-truststore + +patches: + - target: + group: cert-manager.io + version: v1 + kind: Certificate + patch: |- + - op: replace + path: /spec/issuerRef + value: + group: cert-manager.io + kind: ClusterIssuer + name: letsencrypt-prod diff --git a/amq-broker-operator/operator/README.adoc b/amq-broker-operator/operator/README.adoc new file mode 100644 index 00000000..5d2afa07 --- /dev/null +++ b/amq-broker-operator/operator/README.adoc @@ -0,0 +1,34 @@ +== AMQ Broker Operator + +Installs the AMQ Broker operator into the current namespace + +The current *overlays* available are for the following channels: + +* link:overlays/v7.12[amq-broker-operator-v7.12] + +=== Usage + +If you have cloned the `gitops-catalog` repository, you may install the AMQ Broker operator based on the overlay of your choice by running from the root `gitops-catalog` directory + +[source,shell] +---- +oc apply -k amq-broker-operator/operator/overlays/ +---- + +Or, without cloning: + +[source,shell] +---- +oc apply -k https://github.com/redhat-cop/gitops-catalog/amq-broker-operator/operator/overlays/ +---- + +As part of a different overlay in your own GitOps repository: + +[source,yaml] +---- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: + - github.com/redhat-cop/gitops-catalog/amq-streams-operator/operator/overlays/?ref=main +---- 
diff --git a/amq-broker-operator/operator/base/kustomization.yaml b/amq-broker-operator/operator/base/kustomization.yaml new file mode 100644 index 00000000..00078e0a --- /dev/null +++ b/amq-broker-operator/operator/base/kustomization.yaml @@ -0,0 +1,5 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: + - subscription.yaml diff --git a/amq-broker-operator/operator/base/subscription.yaml b/amq-broker-operator/operator/base/subscription.yaml new file mode 100644 index 00000000..cca10121 --- /dev/null +++ b/amq-broker-operator/operator/base/subscription.yaml @@ -0,0 +1,10 @@ +apiVersion: operators.coreos.com/v1alpha1 +kind: Subscription +metadata: + name: amq-broker-rhel8 +spec: + channel: default + installPlanApproval: Automatic + name: amq-broker-rhel8 + source: redhat-operators + sourceNamespace: openshift-marketplace diff --git a/amq-broker-operator/operator/components/metrics/kustomization.yaml b/amq-broker-operator/operator/components/metrics/kustomization.yaml new file mode 100644 index 00000000..0335fc4b --- /dev/null +++ b/amq-broker-operator/operator/components/metrics/kustomization.yaml @@ -0,0 +1,5 @@ +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component + +resources: + - pod-monitor.yaml diff --git a/amq-broker-operator/operator/components/metrics/pod-monitor.yaml b/amq-broker-operator/operator/components/metrics/pod-monitor.yaml new file mode 100644 index 00000000..4534414f --- /dev/null +++ b/amq-broker-operator/operator/components/metrics/pod-monitor.yaml @@ -0,0 +1,10 @@ +apiVersion: monitoring.coreos.com/v1 +kind: PodMonitor +metadata: + name: activemq-artemis-controller-manager +spec: + selector: + matchLabels: + control-plane: controller-manager + podMetricsEndpoints: + - port: http-metrics diff --git a/amq-broker-operator/operator/overlays/v7.12/kustomization.yaml b/amq-broker-operator/operator/overlays/v7.12/kustomization.yaml new file mode 100644 index 00000000..f53dc191 --- /dev/null 
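Review bot: `subscription.yaml` sets `installPlanApproval: Automatic`, so every CSV that OLM publishes to the selected channel is installed without review; the `7.12.x` channel patch in the overlay narrows the stream but still lets any 7.12 update roll out unattended. For a GitOps catalog that is often the intended behaviour, but the trade-off should be stated on the line: `# Automatic: new operator versions in the channel are applied without review; use Manual (and approve InstallPlans) for change-controlled clusters`. `channel: default` in the base is only a placeholder the overlay replaces; a base applied on its own would subscribe to whatever channel the catalog calls `default`, if any, so a comment there is worth it too.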
+++ b/amq-broker-operator/operator/overlays/v7.12/kustomization.yaml @@ -0,0 +1,13 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: + - ../../base + +patches: + - target: + group: operators.coreos.com + version: v1alpha1 + kind: Subscription + name: amq-broker-rhel8 + path: patch-channel.yaml diff --git a/amq-broker-operator/operator/overlays/v7.12/patch-channel.yaml b/amq-broker-operator/operator/overlays/v7.12/patch-channel.yaml new file mode 100644 index 00000000..2adbd77c --- /dev/null +++ b/amq-broker-operator/operator/overlays/v7.12/patch-channel.yaml @@ -0,0 +1,3 @@ +- op: replace + path: /spec/channel + value: '7.12.x'