nscaledev
diff --git a/‎Makefile‎
Lines changed: 2 additions & 1 deletion b/‎Makefile‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎charts/region/Chart.yaml‎
Lines changed: 2 additions & 2 deletions b/‎charts/region/Chart.yaml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎charts/region/crds/region.unikorn-cloud.org_identities.yaml‎
Lines changed: 52 additions & 34 deletions b/‎charts/region/crds/region.unikorn-cloud.org_identities.yaml‎
Lines changed: 52 additions & 34 deletions
diff --git a/‎charts/region/crds/region.unikorn-cloud.org_openstackidentities.yaml‎
Lines changed: 87 additions & 0 deletions b/‎charts/region/crds/region.unikorn-cloud.org_openstackidentities.yaml‎
Lines changed: 87 additions & 0 deletions
diff --git a/‎charts/region/crds/region.unikorn-cloud.org_physicalnetworks.yaml‎
Lines changed: 0 additions & 1 deletion b/‎charts/region/crds/region.unikorn-cloud.org_physicalnetworks.yaml‎
Lines changed: 0 additions & 1 deletion
diff --git a/‎charts/region/templates/_helpers.tpl‎
Lines changed: 4 additions & 0 deletions b/‎charts/region/templates/_helpers.tpl‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎charts/region/templates/identity-controller/clusterrole.yaml‎
Lines changed: 47 additions & 0 deletions b/‎charts/region/templates/identity-controller/clusterrole.yaml‎
Lines changed: 47 additions & 0 deletions
diff --git a/‎charts/region/templates/identity-controller/clusterrolebinding.yaml‎
Lines changed: 14 additions & 0 deletions b/‎charts/region/templates/identity-controller/clusterrolebinding.yaml‎
Lines changed: 14 additions & 0 deletions
diff --git a/‎charts/region/templates/identity-controller/deployment.yaml‎
Lines changed: 40 additions & 0 deletions b/‎charts/region/templates/identity-controller/deployment.yaml‎
Lines changed: 40 additions & 0 deletions
diff --git a/‎charts/region/templates/identity-controller/role.yaml‎
Lines changed: 23 additions & 0 deletions b/‎charts/region/templates/identity-controller/role.yaml‎
Lines changed: 23 additions & 0 deletions
@@ -11,7 +11,8 @@ REVISION := $(shell git rev-parse HEAD)
 # for your host's architecture.  The latter are going to run in Kubernetes, so
 # want to be amd64.
 CONTROLLERS = \
-  unikorn-region-controller
+  unikorn-region-controller \
+  unikorn-identity-controller
 
 # Release will do cross compliation of all images for the 'all' target.
 # Note we aren't fucking about with docker here because that opens up a
 
@@ -4,8 +4,8 @@ description: A Helm chart for deploying Unikorn's Region Controller
 
 type: application
 
-version: v0.1.32
-appVersion: v0.1.32
+version: v0.1.33
+appVersion: v0.1.33
 
 icon: https://raw.githubusercontent.com/unikorn-cloud/assets/main/images/logos/dark-on-light/icon.png
 
 
@@ -57,38 +57,9 @@ spec:
           spec:
             description: IdentitySpec stores any state necessary to manage identity.
             properties:
-              openstack:
-                description: OpenStack is populated when the provider type is set
-                  to "openstack".
-                properties:
-                  cloud:
-                    description: Cloud is the cloud name in the cloud config to use.
-                    type: string
-                  cloudConfig:
-                    description: CloudConfig is a client compatible cloud configuration.
-                    format: byte
-                    type: string
-                  password:
-                    description: Password is the login for the user.
-                    type: string
-                  projectID:
-                    description: ProjectID is the ID of the project created for the
-                      identity.
-                    type: string
-                  serverGroupID:
-                    description: ServerGroupID is the ID of the server group created
-                      for the identity.
-                    type: string
-                  userID:
-                    description: UserID is the ID of the user created for the identity.
-                    type: string
-                required:
-                - cloud
-                - cloudConfig
-                - password
-                - projectID
-                - userID
-                type: object
+              pause:
+                description: Pause, if true, will inhibit reconciliation.
+                type: boolean
               provider:
                 description: Provider defines the provider type.
                 enum:
@@ -116,11 +87,58 @@ spec:
             - provider
             type: object
           status:
+            properties:
+              conditions:
+                description: Current service state of a cluster manager.
+                items:
+                  description: |-
+                    Condition is a generic condition type for use across all resource types.
+                    It's generic so that the underlying controller-manager functionality can
+                    be shared across all resources.
+                  properties:
+                    lastTransitionTime:
+                      description: Last time the condition transitioned from one status
+                        to another.
+                      format: date-time
+                      type: string
+                    message:
+                      description: Human-readable message indicating details about
+                        last transition.
+                      type: string
+                    reason:
+                      description: Unique, one-word, CamelCase reason for the condition's
+                        last transition.
+                      enum:
+                      - Provisioning
+                      - Provisioned
+                      - Cancelled
+                      - Errored
+                      - Deprovisioning
+                      - Deprovisioned
+                      type: string
+                    status:
+                      description: |-
+                        Status is the status of the condition.
+                        Can be True, False, Unknown.
+                      type: string
+                    type:
+                      description: Type is the type of the condition.
+                      enum:
+                      - Available
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - message
+                  - reason
+                  - status
+                  - type
+                  type: object
+                type: array
             type: object
         required:
         - spec
-        - status
         type: object
     served: true
     storage: true
-    subresources: {}
+    subresources:
+      status: {}
@@ -0,0 +1,87 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.14.0
+  name: openstackidentities.region.unikorn-cloud.org
+spec:
+  group: region.unikorn-cloud.org
+  names:
+    categories:
+    - unikorn
+    kind: OpenstackIdentity
+    listKind: OpenstackIdentityList
+    plural: openstackidentities
+    singular: openstackidentity
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .spec.provider
+      name: provider
+      type: string
+    - jsonPath: .metadata.creationTimestamp
+      name: age
+      type: date
+    name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: OpenstackIdentity has no controller, its a database record of
+          state.
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            properties:
+              applicationCredentialID:
+                description: ApplicationCredentialID is the ID of the user's application
+                  credential.
+                type: string
+              applicationCredentialSecret:
+                description: ApplicationCredentialSecret is the one-time secret for
+                  the application credential.
+                type: string
+              cloud:
+                description: Cloud is the cloud name in the cloud config to use.
+                type: string
+              cloudConfig:
+                description: CloudConfig is a client compatible cloud configuration.
+                format: byte
+                type: string
+              password:
+                description: Password is the login for the user.
+                type: string
+              projectID:
+                description: ProjectID is the ID of the project created for the identity.
+                type: string
+              serverGroupID:
+                description: ServerGroupID is the ID of the server group created for
+                  the identity.
+                type: string
+              userID:
+                description: UserID is the ID of the user created for the identity.
+                type: string
+            type: object
+          status:
+            type: object
+        required:
+        - spec
+        type: object
+    served: true
+    storage: true
+    subresources: {}
@@ -85,7 +85,6 @@ spec:
             type: object
         required:
         - spec
-        - status
         type: object
     served: true
     storage: true
 
@@ -5,6 +5,10 @@ Create the container images
 {{- .Values.image | default (printf "%s/unikorn-region-controller:%s" (include "unikorn.defaultRepositoryPath" .) (.Values.tag | default .Chart.Version)) }}
 {{- end }}
 
+{{- define "unikorn.identityControllerImage" -}}
+{{- .Values.identityController.image | default (printf "%s/unikorn-identity-controller:%s" (include "unikorn.defaultRepositoryPath" .) (.Values.tag | default .Chart.Version)) }}
+{{- end }}
+
 {{/*
 Create image pull secrets
 */}}
 
@@ -0,0 +1,47 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: unikorn-identity-controller
+  labels:
+    {{- include "unikorn.labels" . | nindent 4 }}
+rules:
+# Orchestrate Unikorn resources (my job).
+- apiGroups:
+  - region.unikorn-cloud.org
+  resources:
+  - identities
+  verbs:
+  - list
+  - watch
+  - patch
+  - update
+- apiGroups:
+  - region.unikorn-cloud.org
+  resources:
+  - identities/status
+  verbs:
+  - update
+- apiGroups:
+  - region.unikorn-cloud.org
+  resources:
+  - openstackidentities
+  verbs:
+  - list
+  - watch
+  - create
+  - update
+  - delete
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - list
+  - watch
+- apiGroups:
+  - region.unikorn-cloud.org
+  resources:
+  - regions
+  verbs:
+  - list
+  - watch
@@ -0,0 +1,14 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: unikorn-identity-controller
+  labels:
+    {{- include "unikorn.labels" . | nindent 4 }}
+subjects:
+- kind: ServiceAccount
+  namespace: {{ .Release.Namespace }}
+  name: unikorn-identity-controller
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: unikorn-identity-controller
@@ -0,0 +1,40 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: unikorn-identity-controller
+  labels:
+    {{- include "unikorn.labels" . | nindent 4 }}
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: unikorn-identity-controller
+  template:
+    metadata:
+      labels:
+        app: unikorn-identity-controller
+    spec:
+      containers:
+      - name: unikorn-identity-controller
+        image: {{ include "unikorn.identityControllerImage" . }}
+        args:
+        {{- include "unikorn.otlp.flags" . | nindent 8 }}
+        ports:
+        - name: http
+          containerPort: 6080
+        - name: prometheus
+          containerPort: 8080
+        - name: pprof
+          containerPort: 6060
+        resources:
+          requests:
+            cpu: "50m"
+            memory: 50Mi
+          limits:
+            cpu: "100m"
+            memory: 100Mi
+        securityContext:
+          readOnlyRootFilesystem: true
+      serviceAccountName: unikorn-identity-controller
+      securityContext:
+        runAsNonRoot: true
@@ -0,0 +1,23 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: unikorn-identity-controller
+  labels:
+    {{- include "unikorn.labels" . | nindent 4 }}
+rules:
+# Controller prerequisites.
+- apiGroups:
+  - coordination.k8s.io
+  resources:
+  - leases
+  verbs:
+  - create
+  - get
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - update