OpenShift Bugs / OCPBUGS-33004

IPSec ZTP config does not work by following the recommended usage in ztp example dir


    • Bug
    • Resolution: Unresolved
    • Major
    • 4.16.0
    • GitOps ZTP
    • Important

      Description of problem:

      The following files referenced in the group PGT example do not exist in the ZTP source-cr dir.
      
      https://github.com/openshift-kni/cnf-features-deploy/blob/master/ztp/gitops-subscriptions/argocd/example/policygentemplates/group-du-sno-ranGen.yaml#L197-L200 
      
      
      And what was added in the source-crs dir is not directly consumable by the ZTP generator, so it should be moved elsewhere.
      Example:
      - build.sh is meant to be executed prior to ZTP,
      - enable-ipsec.yaml will not work in ZTP as we already have an existing DisableSnoNetworkDiag.yaml against the exact same CR on spoke.  
         

      Version-Release number of selected component (if applicable):

         4.16 

      How reproducible:

          100%

      Steps to Reproduce:

       Follow the example in ZTP to configure ipsec: https://github.com/openshift-kni/cnf-features-deploy/blob/master/ztp/gitops-subscriptions/argocd/example/policygentemplates/group-du-sno-ranGen.yaml#L197-L200 
         
          

      Actual results:

         Files in the example do not exist in the ZTP source-crs dir and there is no instruction on how these files can be incorporated into ZTP.

      Expected results:

      - files directly under source-crs dir are for day2 configs, and customer can decide which yamls they want to reference/include
      - examples dir is a place to guide customer how they can reference these yamls with or without custom configs.
      - extra-manifests under source-crs are for day0 configs during ocp install time, all of those are meant to be automatically applied by default.
      
      ---------------
      For this feature specifically, I think these are the things that could be done:
      - A readme under https://github.com/openshift-kni/cnf-features-deploy/tree/master/ztp/gitops-subscriptions/argocd. The build.sh can be embedded in the readme instead of a separate file, as it is meant to be executed prior to ZTP instead of consumed by ZTP. The readme should also explain how the MC (output of build.sh) can be added to customer git repo under source-crs to consume it in ZTP. 
      - Update the group PGT example to apply the network operator config under DisableSnoNetworkDiag.yaml and, in the comment, refer to the readme for other configs.

      Additional info:

          

            saledort Sabina Aledort
            rhn-support-yliu1 Yang Liu
            Ofer Bochan Ofer Bochan