Add BareMetalSwitch CRD and controller for switch config generation

Introduces the BareMetalSwitch (BMS) CRD for defining Top-of-Rack
switches managed by the Ironic Networking Service. The controller
watches BMS resources and credential secrets, then generates two
output secrets:

1. Switch configs secret (IRONIC_SWITCH_CONFIGS_SECRET): a single
   INI-format file with per-switch sections including address,
   credentials, driver/device type, and optional fields.

2. Switch credentials secret (IRONIC_SWITCH_CREDENTIALS_SECRET): SSH
   private key files (keyed by <mac-address>.key) for switches using
   publickey authentication. Password-authenticated switches store
   credentials inline in the INI config instead.

The controller is only registered when IRONIC_NETWORKING_ENABLED=true
and requires IRONIC_SWITCH_CONFIGS_SECRET, IRONIC_SWITCH_CREDENTIALS_SECRET,
and IRONIC_SWITCH_CREDENTIALS_PATH to be set at startup.

Credential secret changes (e.g. password rotation, key replacement)
trigger config regeneration via a secret watch with a mapper that
filters to only secrets referenced by BMS resources.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Allain Legacy <alegacy@redhat.com>

Author: alegacy

apis/metal3.io/v1alpha1/baremetalswitch_types.go

@@ -0,0 +1,120 @@
+/*
+Copyright 2025 The Metal3 Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// SwitchCredentialType defines the type of credential used for switch authentication.
+type SwitchCredentialType string
+
+const (
+	// SwitchCredentialTypePassword indicates password-based authentication.
+	SwitchCredentialTypePassword SwitchCredentialType = "password"
+	// SwitchCredentialTypePublicKey indicates SSH public key-based authentication.
+	SwitchCredentialTypePublicKey SwitchCredentialType = "publickey"
+)
+
+// SwitchCredentials defines the credentials used to access the switch.
+type SwitchCredentials struct {
+	// Type is the type of switch credentials.
+	// This is currently limited to "password", but will be expanded to others.
+	// +kubebuilder:validation:Enum=password;publickey
+	// +kubebuilder:default=password
+	Type SwitchCredentialType `json:"type"`
+
+	// The name of the secret containing the switch credentials.
+	// For password authentication, requires keys "username" and "password"
+	// For SSH key authentication, requires keys "username" and "ssh-privatekey".
+	// In both cases, an optional "enable-secret" key can be provided if needed
+	// to enable privileged mode.
+	// +kubebuilder:validation:MinLength=1
+	SecretName string `json:"secretName"`
+}
+
+// BareMetalSwitchSpec defines the desired state of BareMetalSwitch.
+type BareMetalSwitchSpec struct {
+	// Address is the network address of the switch (IP address or hostname).
+	// +kubebuilder:validation:Required
+	Address string `json:"address"`
+
+	// MACAddress is the MAC address of the switch management interface.
+	// Used to correlate LLDP information from nodes to identify which switch they're connected to.
+	// +kubebuilder:validation:Pattern=`^[0-9a-fA-F]{2}(:[0-9a-fA-F]{2}){5}$`
+	// +kubebuilder:validation:Required
+	MACAddress string `json:"macAddress"`
+
+	// Driver specifies the driver to use. Currently only "generic-switch" is supported.
+	// +kubebuilder:validation:Enum=generic-switch
+	// +kubebuilder:default=generic-switch
+	// +optional
+	Driver string `json:"driver,omitempty"`
+
+	// DeviceType specifies the device type for the generic-switch driver.
+	// Must be one of the device types supported by networking-generic-switch.
+	// Examples: netmiko_cisco_ios, netmiko_dell_force10, netmiko_dell_os10,
+	//   netmiko_juniper_junos, netmiko_arista_eos
+	// See https://github.com/openstack/networking-generic-switch/blob/master/setup.cfg
+	// +kubebuilder:validation:Required
+	DeviceType string `json:"deviceType"`
+
+	// Credentials references the secret containing switch authentication credentials.
+	// +kubebuilder:validation:Required
+	Credentials SwitchCredentials `json:"credentials"`
+
+	// Port specifies the management port to connect to (e.g., SSH port 22, HTTPS port 443).
+	// If not specified, the driver will use its default port based on the device type.
+	// +kubebuilder:validation:Minimum=1
+	// +kubebuilder:validation:Maximum=65535
+	// +optional
+	Port *int32 `json:"port,omitempty"`
+
+	// DisableCertificateVerification disables TLS certificate verification when using
+	// HTTPS to connect to the switch. This is required for self-signed certificates,
+	// but is insecure as it allows man-in-the-middle attacks.
+	// +optional
+	DisableCertificateVerification *bool `json:"disableCertificateVerification,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+// +kubebuilder:resource:scope=Namespaced,shortName=bms
+// +kubebuilder:printcolumn:name="Driver",type="string",JSONPath=".spec.driver",description="Switch driver type"
+// +kubebuilder:printcolumn:name="Device Type",type="string",JSONPath=".spec.deviceType",description="Switch device type"
+// +kubebuilder:printcolumn:name="Address",type="string",JSONPath=".spec.address",description="Switch address"
+// +kubebuilder:printcolumn:name="Credential Type",type="string",JSONPath=".spec.credentials.type",description="Credential Type"
+
+// BareMetalSwitch represents a Top-of-Rack switch managed by Ironic Networking.
+type BareMetalSwitch struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec BareMetalSwitchSpec `json:"spec,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+
+// BareMetalSwitchList contains a list of BareMetalSwitch.
+type BareMetalSwitchList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []BareMetalSwitch `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&BareMetalSwitch{}, &BareMetalSwitchList{})
+}

apis/metal3.io/v1alpha1/zz_generated.deepcopy.go

@@ -0,0 +1,136 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.16.5
+  name: baremetalswitches.metal3.io
+spec:
+  group: metal3.io
+  names:
+    kind: BareMetalSwitch
+    listKind: BareMetalSwitchList
+    plural: baremetalswitches
+    shortNames:
+    - bms
+    singular: baremetalswitch
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - description: Switch driver type
+      jsonPath: .spec.driver
+      name: Driver
+      type: string
+    - description: Switch device type
+      jsonPath: .spec.deviceType
+      name: Device Type
+      type: string
+    - description: Switch address
+      jsonPath: .spec.address
+      name: Address
+      type: string
+    - description: Credential Type
+      jsonPath: .spec.credentials.type
+      name: Credential Type
+      type: string
+    name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: BareMetalSwitch represents a Top-of-Rack switch managed by Ironic
+          Networking.
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: BareMetalSwitchSpec defines the desired state of BareMetalSwitch.
+            properties:
+              address:
+                description: Address is the network address of the switch (IP address
+                  or hostname).
+                type: string
+              credentials:
+                description: Credentials references the secret containing switch authentication
+                  credentials.
+                properties:
+                  secretName:
+                    description: |-
+                      The name of the secret containing the switch credentials.
+                      For password authentication, requires keys "username" and "password"
+                      For SSH key authentication, requires keys "username" and "ssh-privatekey".
+                      In both cases, an optional "enable-secret" key can be provided if needed
+                      to enable privileged mode.
+                    minLength: 1
+                    type: string
+                  type:
+                    default: password
+                    description: |-
+                      Type is the type of switch credentials.
+                      This is currently limited to "password", but will be expanded to others.
+                    enum:
+                    - password
+                    - publickey
+                    type: string
+                required:
+                - secretName
+                - type
+                type: object
+              deviceType:
+                description: |-
+                  DeviceType specifies the device type for the generic-switch driver.
+                  Must be one of the device types supported by networking-generic-switch.
+                  Examples: netmiko_cisco_ios, netmiko_dell_force10, netmiko_dell_os10,
+                    netmiko_juniper_junos, netmiko_arista_eos
+                  See https://github.com/openstack/networking-generic-switch/blob/master/setup.cfg
+                type: string
+              disableCertificateVerification:
+                description: |-
+                  DisableCertificateVerification disables TLS certificate verification when using
+                  HTTPS to connect to the switch. This is required for self-signed certificates,
+                  but is insecure as it allows man-in-the-middle attacks.
+                type: boolean
+              driver:
+                default: generic-switch
+                description: Driver specifies the driver to use. Currently only "generic-switch"
+                  is supported.
+                enum:
+                - generic-switch
+                type: string
+              macAddress:
+                description: |-
+                  MACAddress is the MAC address of the switch management interface.
+                  Used to correlate LLDP information from nodes to identify which switch they're connected to.
+                pattern: ^[0-9a-fA-F]{2}(:[0-9a-fA-F]{2}){5}$
+                type: string
+              port:
+                description: |-
+                  Port specifies the management port to connect to (e.g., SSH port 22, HTTPS port 443).
+                  If not specified, the driver will use its default port based on the device type.
+                format: int32
+                maximum: 65535
+                minimum: 1
+                type: integer
+            required:
+            - address
+            - credentials
+            - deviceType
+            - macAddress
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources: {}

config/base/crds/bases/metal3.io_baremetalswitches.yaml

@@ -15,6 +15,7 @@ resources:
 - bases/metal3.io_hostupdatepolicies.yaml
 - bases/metal3.io_hostclaims.yaml
 - bases/metal3.io_hostdeploypolicies.yaml
+- bases/metal3.io_baremetalswitches.yaml
 #+kubebuilder:scaffold:crdkustomizeresource
 
 patches:

config/base/crds/kustomization.yaml

@@ -89,6 +89,7 @@ rules:
 - apiGroups:
   - metal3.io
   resources:
+  - baremetalswitches
   - hostdeploypolicies
   verbs:
   - get

config/base/rbac/role.yaml

@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../roles-rolebindings
+- namespace.yaml
+
+namespace: baremetalswitch