From 6576b23c2cb333d9adcb1f8d35cbbbdd3492f57a Mon Sep 17 00:00:00 2001
From: Georgios
Date: Tue, 21 Oct 2025 16:23:11 +0200
Subject: [PATCH 1/9] Add multi-cluster utilities & Readme
---
multi-cluster-utilities/README.md | 36 ++
.../create-kubeconfig-secret.sh | 313 ++++++++++++++++++
multi-cluster-utilities/rules.yaml | 51 +++
3 files changed, 400 insertions(+)
create mode 100644 multi-cluster-utilities/README.md
create mode 100755 multi-cluster-utilities/create-kubeconfig-secret.sh
create mode 100644 multi-cluster-utilities/rules.yaml
diff --git a/multi-cluster-utilities/README.md b/multi-cluster-utilities/README.md
new file mode 100644
index 00000000..51768c5a
--- /dev/null
+++ b/multi-cluster-utilities/README.md
@@ -0,0 +1,36 @@
+# Multicluster Configuration
+The create-kubeconfig-secret.sh is copied from [multicluster-runtime project](https://github.com/kubernetes-sigs/multicluster-runtime/tree/main), especially, from the `Kubeconfig Provider Example`.
+
+This Readme cover only what is relevant for setting up a `Management cluster` which runs the controller, and `Resource Clusters` which host the Netbox Operator Resources. For more information over the scripts, and how a multicluster setup could be setup with Kubeconfig provider please read [this](https://github.com/kubernetes-sigs/multicluster-runtime/blob/main/examples/kubeconfig/README.md)
+
+## 1. Create Management Cluster
+
+Follow the guide in project's root folder.
+If all the prerequisites are in place, then `make create-kind` creates the cluster which is going to be used for the all the controller's depedencies (netbox backend, databases etc).
+This cluster also contains RBAC for handling the netbox relates CRs, but those RBACs should not be necessary for our example.
+
+## 2. Create Resource Clusters
+
+Create your Resouce Clusters & Provision Netbox-Operator Custom Resource Definitions. For each resource cluster you want to create, execute:
+
+- `kind create cluster --name `
+- `make install`
+
+Sidenote: kind create command changes the default context in which the kubectl commands point to. When you are done from this step, the kubectl context will be set at the last cluster you created.
+
+## 3. Establish cross-cluster access
+
+Set kubectl context back to `management cluster`
+`kubectl config use-context kind-kind`
+
+Execute RBAC scripts for kubeconfig provider, towards each cluster you created in the previous step.
+- `./create-kubeconfig-secret.sh -c `
+
+For each cluster that gets configures as a 'Resource' cluster, a secret is populated in the 'Management' cluster.
+Make sure that the appropriate secrets are populated in the kind-kind cluster, with names `kind-`.
+
+## Limitations
+Currently the controller could be executed locally, not from the managment cluster.
+In order to make it executable from the management cluster:
+- ClusterRole `manager-role` needs to allow reading, listing and watching secrets.
+- The secrets generated from the `create-kubeconfig-secret` needs to point to the correct ip. currently it's pointing a localhost ip.
diff --git a/multi-cluster-utilities/create-kubeconfig-secret.sh b/multi-cluster-utilities/create-kubeconfig-secret.sh
new file mode 100755
index 00000000..dccae2f8
--- /dev/null
+++ b/multi-cluster-utilities/create-kubeconfig-secret.sh
@@ -0,0 +1,313 @@ +#!/bin/bash + +# Script to create a kubeconfig secret for the pod lister controller + +set -e + +# Default values +NAMESPACE="default" +SERVICE_ACCOUNT="multicluster-kubeconfig-provider" +KUBECONFIG_CONTEXT="" +SECRET_NAME="" +ROLE_TYPE="clusterrole" +RULES_FILE="" +CREATE_RBAC="true" + +# Check for yq +if ! command -v yq &>/dev/null; then + echo "ERROR: 'yq' is required but not installed. Please install yq (https://mikefarah.gitbook.io/yq/) and try again." + exit 1 +fi + +# Function to display usage information +function show_help { + echo "Usage: $0 [options]" + echo " -c, --context CONTEXT Kubeconfig context to use (required)" + echo " --name NAME Name for the secret (defaults to context name)" + echo " -n, --namespace NS Namespace to create the secret in (default: ${NAMESPACE})" + echo " -a, --service-account SA Service account name to use (default: ${SERVICE_ACCOUNT})" + echo " -t, --role-type TYPE Create Role or ClusterRole (role|clusterrole) (default: clusterrole)" + echo " -r, --rules-file FILE Path to rules file (default: rules.yaml in script directory)" + echo " --skip-create-rbac Skip creating RBAC resources (Role/ClusterRole and bindings)" + echo " -h, --help Show this help message" + echo "" + echo "Examples:" + echo " $0 -c prod-cluster" + echo " $0 -c prod-cluster -t role -r ./custom-rules.yaml" + echo " $0 -c prod-cluster -t clusterrole" + echo " $0 -c prod-cluster --skip-create-rbac" +} + +# Function to create Role or ClusterRole +function create_rbac { + local role_type="$1" + local rules_file="$2" + local role_name="$3" + local namespace="$4" + + if [ ! -f "$rules_file" ]; then + echo "ERROR: Rules file not found: $rules_file" + exit 1 + fi + + echo "Creating ${role_type} '${role_name}'..." + + if [ "$role_type" = "role" ]; then + # Create Role + ROLE_YAML=$(cat </dev/null; then + echo "Service account '${service_account}' not found in namespace '${namespace}'. Creating..." 
+ + # Create the service account + SERVICE_ACCOUNT_YAML=$(cat < "$TEMP_KUBECONFIG" + +# Verify the kubeconfig works +echo "Verifying kubeconfig..." +if ! kubectl --kubeconfig="$TEMP_KUBECONFIG" version &>/dev/null; then + rm "$TEMP_KUBECONFIG" + echo "ERROR: Failed to verify kubeconfig - unable to connect to cluster." + echo "- Ensure that the service account '${NAMESPACE}/${SERVICE_ACCOUNT}' on cluster '${KUBECONFIG_CONTEXT}' exists and is properly configured." + echo "- You may specify a namespace using the -n flag." + echo "- You may specify a service account using the -a flag." + exit 1 +fi +echo "Kubeconfig verified successfully!" + +# Encode the verified kubeconfig +KUBECONFIG_B64=$(cat "$TEMP_KUBECONFIG" | base64 -w0) +rm "$TEMP_KUBECONFIG" + +# Generate and apply the secret +SECRET_YAML=$(cat < Date: Tue, 21 Oct 2025 16:39:49 +0200 Subject: [PATCH 2/9] Add copy info on script --- .../create-kubeconfig-secret.sh | 33 ++++++++++--------- 1 file changed, 17 insertions(+), 16 deletions(-) diff --git a/multi-cluster-utilities/create-kubeconfig-secret.sh b/multi-cluster-utilities/create-kubeconfig-secret.sh index dccae2f8..9f35a04a 100755 --- a/multi-cluster-utilities/create-kubeconfig-secret.sh +++ b/multi-cluster-utilities/create-kubeconfig-secret.sh @@ -1,3 +1,4 @@ +# File copied from https://github.com/kubernetes-sigs/multicluster-runtime/blob/main/examples/kubeconfig/README.md #!/bin/bash # Script to create a kubeconfig secret for the pod lister controller 
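Review bot: The temporary kubeconfig that carries the service-account credentials is deleted only on two explicit paths (`rm "$TEMP_KUBECONFIG"` after a failed verify and after the `base64` call), so under `set -e` any other failure in between leaves the file on disk. One such failure is `base64 -w0` itself, which is a GNU coreutils option and is not accepted by every `base64` implementation. Register `trap 'rm -f -- "$TEMP_KUBECONFIG"' EXIT` immediately after the file is created, and encode with `base64 < "$TEMP_KUBECONFIG" | tr -d '\n'` so the step does not depend on `-w0`. The line that creates the temp file is not visible in this extract, so confirm it uses `mktemp` rather than a fixed path. The same two lines appear in `create-kubeconfig-secret-cluster.sh` in patch 4/9.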
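Review bot: The added `# File copied from …` line sits above `#!/bin/bash`, so the shebang is no longer the first line and has no effect; when the file is run as `./create-kubeconfig-secret.sh`, as the README instructs, the interpreter is whatever the calling shell falls back to, not necessarily bash. Keep `#!/bin/bash` as line 1 and put the attribution comment directly below it. `create-kubeconfig-secret-cluster.sh` is created with the same ordering in patch 4/9 and keeps it in patch 6/9. The URL in the comment points at the example's README.md rather than at the copied script, which looks unintended and is worth confirming.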
@@ -44,14 +45,14 @@ function create_rbac { local rules_file="$2" local role_name="$3" local namespace="$4" - + if [ ! -f "$rules_file" ]; then echo "ERROR: Rules file not found: $rules_file" exit 1 fi - + echo "Creating ${role_type} '${role_name}'..." - + if [ "$role_type" = "role" ]; then # Create Role ROLE_YAML=$(cat </dev/null; then echo "Service account '${service_account}' not found in namespace '${namespace}'. Creating..." - + # Create the service account SERVICE_ACCOUNT_YAML=$(cat < Date: Wed, 22 Oct 2025 12:37:43 +0200 Subject: [PATCH 3/9] Apply suggestions from code review Apply Lea's suggestions for better README readability Co-authored-by: bruelea <166021996+bruelea@users.noreply.github.com> --- multi-cluster-utilities/README.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/multi-cluster-utilities/README.md b/multi-cluster-utilities/README.md index 51768c5a..cef12d9e 100644 --- a/multi-cluster-utilities/README.md +++ b/multi-cluster-utilities/README.md 
@@ -1,7 +1,7 @@ # Multicluster Configuration The create-kubeconfig-secret.sh is copied from [multicluster-runtime project](https://github.com/kubernetes-sigs/multicluster-runtime/tree/main), especially, from the `Kubeconfig Provider Example`. -This Readme cover only what is relevant for setting up a `Management cluster` which runs the controller, and `Resource Clusters` which host the Netbox Operator Resources. For more information over the scripts, and how a multicluster setup could be setup with Kubeconfig provider please read [this](https://github.com/kubernetes-sigs/multicluster-runtime/blob/main/examples/kubeconfig/README.md) +This Readme cover only what is relevant for setting up a `Management cluster` which hosts the kubernetes operator, and `Resource Clusters` which host the Netbox Operator Resources. For more information over the scripts, and how a multicluster setup could be setup with Kubeconfig provider please read [this](https://github.com/kubernetes-sigs/multicluster-runtime/blob/main/examples/kubeconfig/README.md) ## 1. Create Management Cluster 
@@ -24,13 +24,13 @@ Set kubectl context back to `management cluster` `kubectl config use-context kind-kind` Execute RBAC scripts for kubeconfig provider, towards each cluster you created in the previous step. -- `./create-kubeconfig-secret.sh -c ` +- `./create-kubeconfig-secret.sh -c kind-` -For each cluster that gets configures as a 'Resource' cluster, a secret is populated in the 'Management' cluster. -Make sure that the appropriate secrets are populated in the kind-kind cluster, with names `kind-`. +For each cluster that gets configured as a 'Resource' cluster, a secret is populated in the 'Management' cluster. +Make sure that the appropriate secrets are populated in the kind-kind cluster, with names `kind-`. ## Limitations -Currently the controller could be executed locally, not from the managment cluster. +With the setup described in this README the kubernetes operator can be executed locally, but not in a pod on the managment cluster. In order to make it executable from the management cluster: - ClusterRole `manager-role` needs to allow reading, listing and watching secrets. - The secrets generated from the `create-kubeconfig-secret` needs to point to the correct ip. currently it's pointing a localhost ip. From 763d8205dbd9a5db53fb5970c2bcdced0f72f1fd Mon Sep 17 00:00:00 2001 From: Georgios Date: Wed, 22 Oct 2025 15:06:45 +0200 Subject: [PATCH 4/9] Add support for cluster deployment --- multi-cluster-utilities/README.md | 30 +- .../create-kubeconfig-secret-cluster.sh | 323 ++++++++++++++++++ .../patch-netbox-clusterrole.sh | 21 ++ 3 files changed, 368 insertions(+), 6 deletions(-) create mode 100755 multi-cluster-utilities/create-kubeconfig-secret-cluster.sh create mode 100755 multi-cluster-utilities/patch-netbox-clusterrole.sh diff --git a/multi-cluster-utilities/README.md b/multi-cluster-utilities/README.md index cef12d9e..3c7e074b 100644 --- a/multi-cluster-utilities/README.md +++ b/multi-cluster-utilities/README.md 
@@ -7,7 +7,7 @@ This Readme cover only what is relevant for setting up a `Management cluster` wh Follow the guide in project's root folder. If all the prerequisites are in place, then `make create-kind` creates the cluster which is going to be used for the all the controller's depedencies (netbox backend, databases etc). -This cluster also contains RBAC for handling the netbox relates CRs, but those RBACs should not be necessary for our example. +This cluster is also configured with the netbox-operator CRDs but the CRs are hosted and reconciled only in Resource Clusters. ## 2. Create Resource Clusters 
@@ -29,8 +29,26 @@ Execute RBAC scripts for kubeconfig provider, towards each cluster you created i For each cluster that gets configured as a 'Resource' cluster, a secret is populated in the 'Management' cluster. Make sure that the appropriate secrets are populated in the kind-kind cluster, with names `kind-`. -## Limitations -With the setup described in this README the kubernetes operator can be executed locally, but not in a pod on the managment cluster. -In order to make it executable from the management cluster: -- ClusterRole `manager-role` needs to allow reading, listing and watching secrets. -- The secrets generated from the `create-kubeconfig-secret` needs to point to the correct ip. currently it's pointing a localhost ip. +## 4-1. Execute manager process locally +At this point, you should be able to sucesfully start netbox operator process locally after: +- Establishing a port forward from Management cluster to your host for the Netbox service: `kubectl port-forward deploy/netbox 8080:8080 -n default` +- Setting environment variable `export NETBOX_HOST=localhost:8080` + +## 4-2. Execute manager process on managment cluster +Deploying the manager in the management cluster involves additional manual steps. + +From the project's parent directory, execute `make deploy-kind` + +### Patch cluster role of netbox operator manager +ClusterRole `manager-role` needs to allow reading, listing and watching secrets. + - Execute `patch-netbox-clusterrole.sh` + +### Update secret in controller cluster +The secrets generated from the `create-kubeconfig-secret` needs to reffer to the correct ip:port for each resource cluster. Currently it's pointing a localhost ip, which is only reachable from the host machine. 
+- Execute script `create-kubeconfig-secret-cluster.sh -c kind- --skip-create-rbac` + - This script updates the secret on management cluster, to use the IP of control-plane node of the resource cluster, retrieved from ``docker inspect -control-plane | jq '.[0].NetworkSettings.Networks.kind.IPAddress'`` + - The port of the K8s API server is assumed to be `6443`. You can check it with `docker inspect -control-plane | jq '.[0].NetworkSettings.Ports'` + +## 5. Test Reconciliation +Apply an example CR in resource cluster and check if it's getting reconciled. +`kubectl --context apply -f config/samples/netbox_v1_ipaddress.yaml` \ No newline at end of file diff --git a/multi-cluster-utilities/create-kubeconfig-secret-cluster.sh b/multi-cluster-utilities/create-kubeconfig-secret-cluster.sh new file mode 100755 index 00000000..17cdcfb6 --- /dev/null +++ b/multi-cluster-utilities/create-kubeconfig-secret-cluster.sh 
@@ -0,0 +1,323 @@ +# File copied from https://github.com/kubernetes-sigs/multicluster-runtime/blob/main/examples/kubeconfig/README.md +#!/bin/bash + +# Script to create a kubeconfig secret for the pod lister controller + +set -e + +# Default values +NAMESPACE="default" +SERVICE_ACCOUNT="multicluster-kubeconfig-provider" +KUBECONFIG_CONTEXT="" +SECRET_NAME="" +ROLE_TYPE="clusterrole" +RULES_FILE="" +CREATE_RBAC="true" + +# Check for yq +if ! command -v yq &>/dev/null; then + echo "ERROR: 'yq' is required but not installed. Please install yq (https://mikefarah.gitbook.io/yq/) and try again." + exit 1 +fi + +# Function to display usage information +function show_help { + echo "Usage: $0 [options]" + echo " -c, --context CONTEXT Kubeconfig context to use (required)" + echo " --name NAME Name for the secret (defaults to context name)" + echo " -n, --namespace NS Namespace to create the secret in (default: ${NAMESPACE})" + echo " -a, --service-account SA Service account name to use (default: ${SERVICE_ACCOUNT})" + echo " -t, --role-type TYPE Create Role or ClusterRole (role|clusterrole) (default: clusterrole)" + echo " -r, --rules-file FILE Path to rules file (default: rules.yaml in script directory)" + echo " --skip-create-rbac Skip creating RBAC resources (Role/ClusterRole and bindings)" + echo " -h, --help Show this help message" + echo "" + echo "Examples:" + echo " $0 -c prod-cluster" + echo " $0 -c prod-cluster -t role -r ./custom-rules.yaml" + echo " $0 -c prod-cluster -t clusterrole" + echo " $0 -c prod-cluster --skip-create-rbac" +} + +# Function to create Role or ClusterRole +function create_rbac { + local role_type="$1" + local rules_file="$2" + local role_name="$3" + local namespace="$4" + + if [ ! -f "$rules_file" ]; then + echo "ERROR: Rules file not found: $rules_file" + exit 1 + fi + + echo "Creating ${role_type} '${role_name}'..." 
+ + if [ "$role_type" = "role" ]; then + # Create Role + ROLE_YAML=$(cat </dev/null; then + echo "Service account '${service_account}' not found in namespace '${namespace}'. Creating..." + + # Create the service account + SERVICE_ACCOUNT_YAML=$(cat < "$TEMP_KUBECONFIG" + +# echo "$NEW_KUBECONFIG" +# # Verify the kubeconfig works +# echo "Verifying kubeconfig..." +# if kubectl --kubeconfig="$TEMP_KUBECONFIG" version &>/dev/null; then +# rm "$TEMP_KUBECONFIG" +# echo "ERROR: Failed to verify kubeconfig - unable to connect to cluster." +# echo "- Ensure that the service account '${NAMESPACE}/${SERVICE_ACCOUNT}' on cluster '${KUBECONFIG_CONTEXT}' exists and is properly configured." +# echo "- You may specify a namespace using the -n flag." +# echo "- You may specify a service account using the -a flag." +# exit 1 +# fi +# echo "Kubeconfig verified successfully!" + +# Encode the verified kubeconfig +KUBECONFIG_B64=$(cat "$TEMP_KUBECONFIG" | base64 -w0) +rm "$TEMP_KUBECONFIG" + +# Generate and apply the secret +SECRET_YAML=$(cat < Date: Tue, 4 Nov 2025 12:48:04 +0100 Subject: [PATCH 5/9] fix cluster names in readme --- multi-cluster-utilities/README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/multi-cluster-utilities/README.md b/multi-cluster-utilities/README.md index 3c7e074b..2fe82eaf 100644 --- a/multi-cluster-utilities/README.md +++ b/multi-cluster-utilities/README.md 
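Review bot: The connectivity check is commented out in this copy, yet the step that follows is still labelled `# Encode the verified kubeconfig`, so the Secret is applied to the management cluster with credentials and a server address that were never tested. If the check is disabled on purpose (presumably because the rewritten control-plane address is not reachable from the host), delete the dead block and say so, e.g. `# Encode the kubeconfig (not verified here: the in-cluster API address is not reachable from the host)`. As it stands the block is unsafe to re-enable: the condition lost its `!` (`if kubectl … version` now reports an error on success), and `# echo "$NEW_KUBECONFIG"` would print the service-account credentials to the terminal. Part of this hunk's heredoc content is missing from the extract, so the lines that rewrite the server address could not be reviewed.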
@@ -46,9 +46,9 @@ ClusterRole `manager-role` needs to allow reading, listing and watching secrets. ### Update secret in controller cluster The secrets generated from the `create-kubeconfig-secret` needs to reffer to the correct ip:port for each resource cluster. Currently it's pointing a localhost ip, which is only reachable from the host machine. - Execute script `create-kubeconfig-secret-cluster.sh -c kind- --skip-create-rbac` - - This script updates the secret on management cluster, to use the IP of control-plane node of the resource cluster, retrieved from ``docker inspect -control-plane | jq '.[0].NetworkSettings.Networks.kind.IPAddress'`` - - The port of the K8s API server is assumed to be `6443`. You can check it with `docker inspect -control-plane | jq '.[0].NetworkSettings.Ports'` + - This script updates the secret on management cluster, to use the IP of control-plane node of the resource cluster, retrieved from ``docker inspect -control-plane | jq '.[0].NetworkSettings.Networks.kind.IPAddress'`` + - The port of the K8s API server is assumed to be `6443`. You can check it with `docker inspect -control-plane | jq '.[0].NetworkSettings.Ports'` ## 5. Test Reconciliation Apply an example CR in resource cluster and check if it's getting reconciled. -`kubectl --context apply -f config/samples/netbox_v1_ipaddress.yaml` \ No newline at end of file +`kubectl --context kind- apply -f config/samples/netbox_v1_ipaddress.yaml` \ No newline at end of file From a1d01d8a6efc8a67828866a35d7a7873b31a507f Mon Sep 17 00:00:00 2001 From: Georgios Daskalopoulos Date: Tue, 4 Nov 2025 12:49:32 +0100 Subject: [PATCH 6/9] Add comment on copied file from multicluster runtime project Co-authored-by: bruelea <166021996+bruelea@users.noreply.github.com> --- multi-cluster-utilities/create-kubeconfig-secret-cluster.sh | 1 + 1 file changed, 1 insertion(+) 
diff --git a/multi-cluster-utilities/create-kubeconfig-secret-cluster.sh b/multi-cluster-utilities/create-kubeconfig-secret-cluster.sh index 17cdcfb6..78b6d1e7 100755 --- a/multi-cluster-utilities/create-kubeconfig-secret-cluster.sh +++ b/multi-cluster-utilities/create-kubeconfig-secret-cluster.sh @@ -1,4 +1,5 @@ # File copied from https://github.com/kubernetes-sigs/multicluster-runtime/blob/main/examples/kubeconfig/README.md +// Modified by Swisscom (Schweiz) AG. #!/bin/bash # Script to create a kubeconfig secret for the pod lister controller From 568fade0e6001d8033c66d135313b778d0c96dab Mon Sep 17 00:00:00 2001 From: Georgios Date: Tue, 4 Nov 2025 13:04:17 +0100 Subject: [PATCH 7/9] adding new lines at the end of files --- multi-cluster-utilities/README.md | 2 +- multi-cluster-utilities/create-kubeconfig-secret-cluster.sh | 2 +- multi-cluster-utilities/create-kubeconfig-secret.sh | 2 +- multi-cluster-utilities/patch-netbox-clusterrole.sh | 2 +- multi-cluster-utilities/rules.yaml | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/multi-cluster-utilities/README.md b/multi-cluster-utilities/README.md index 2fe82eaf..b17c2150 100644 --- a/multi-cluster-utilities/README.md +++ b/multi-cluster-utilities/README.md @@ -51,4 +51,4 @@ The secrets generated from the `create-kubeconfig-secret` needs to reffer to the ## 5. Test Reconciliation Apply an example CR in resource cluster and check if it's getting reconciled. -`kubectl --context kind- apply -f config/samples/netbox_v1_ipaddress.yaml` \ No newline at end of file +`kubectl --context kind- apply -f config/samples/netbox_v1_ipaddress.yaml` diff --git a/multi-cluster-utilities/create-kubeconfig-secret-cluster.sh b/multi-cluster-utilities/create-kubeconfig-secret-cluster.sh index 78b6d1e7..62bf5f49 100755 --- a/multi-cluster-utilities/create-kubeconfig-secret-cluster.sh +++ b/multi-cluster-utilities/create-kubeconfig-secret-cluster.sh 
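Review bot: `// Modified by Swisscom (Schweiz) AG.` is not a comment in a shell script: bash reads it as a command line, and the unquoted `(` is a syntax error, so `create-kubeconfig-secret-cluster.sh` would abort on its second line before doing any work. Write it as `# Modified by Swisscom (Schweiz) AG.` and place it below `#!/bin/bash`, which should be the first line of the file.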
@@ -321,4 +321,4 @@ echo "Creating kubeconfig secret..." echo "$SECRET_YAML" | kubectl apply -f - echo "Secret '${SECRET_NAME}' created in namespace '${NAMESPACE}'" -echo "The operator should now be able to discover and connect to this cluster" \ No newline at end of file +echo "The operator should now be able to discover and connect to this cluster" diff --git a/multi-cluster-utilities/create-kubeconfig-secret.sh b/multi-cluster-utilities/create-kubeconfig-secret.sh index 9f35a04a..c1264a45 100755 --- a/multi-cluster-utilities/create-kubeconfig-secret.sh +++ b/multi-cluster-utilities/create-kubeconfig-secret.sh @@ -311,4 +311,4 @@ echo "Creating kubeconfig secret..." echo "$SECRET_YAML" | kubectl apply -f - echo "Secret '${SECRET_NAME}' created in namespace '${NAMESPACE}'" -echo "The operator should now be able to discover and connect to this cluster" \ No newline at end of file +echo "The operator should now be able to discover and connect to this cluster" diff --git a/multi-cluster-utilities/patch-netbox-clusterrole.sh b/multi-cluster-utilities/patch-netbox-clusterrole.sh index 7cd08219..3ca28fdd 100755 --- a/multi-cluster-utilities/patch-netbox-clusterrole.sh +++ b/multi-cluster-utilities/patch-netbox-clusterrole.sh @@ -18,4 +18,4 @@ patch_payload=' ' # Apply the patch using kubectl -kubectl --context kind-kind patch clusterrole netbox-operator-manager-role --type json -p "${patch_payload}" \ No newline at end of file +kubectl --context kind-kind patch clusterrole netbox-operator-manager-role --type json -p "${patch_payload}" diff --git a/multi-cluster-utilities/rules.yaml b/multi-cluster-utilities/rules.yaml index 35524338..0eb9558b 100644 --- a/multi-cluster-utilities/rules.yaml +++ b/multi-cluster-utilities/rules.yaml @@ -48,4 +48,4 @@ rules: verbs: - get - patch - - update \ No newline at end of file + - update From 163cfbb17e52d0019f3d650d061632da523c543f Mon Sep 17 00:00:00 2001 
From: Georgios Date: Tue, 4 Nov 2025 14:37:53 +0100 Subject: [PATCH 8/9] fix spelling mistakes --- multi-cluster-utilities/README.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/multi-cluster-utilities/README.md b/multi-cluster-utilities/README.md index b17c2150..34674cba 100644 --- a/multi-cluster-utilities/README.md +++ b/multi-cluster-utilities/README.md @@ -6,12 +6,12 @@ This Readme cover only what is relevant for setting up a `Management cluster` wh ## 1. Create Management Cluster Follow the guide in project's root folder. -If all the prerequisites are in place, then `make create-kind` creates the cluster which is going to be used for the all the controller's depedencies (netbox backend, databases etc). +If all the prerequisites are in place, then `make create-kind` creates the cluster which is going to be used for the all the controller's dependencies (netbox backend, databases etc). This cluster is also configured with the netbox-operator CRDs but the CRs are hosted and reconciled only in Resource Clusters. ## 2. Create Resource Clusters -Create your Resouce Clusters & Provision Netbox-Operator Custom Resource Definitions. For each resource cluster you want to create, execute: +Create your Resource Clusters & Provision Netbox-Operator Custom Resource Definitions. For each resource cluster you want to create, execute: - `kind create cluster --name ` - `make install` 
@@ -30,11 +30,11 @@ For each cluster that gets configured as a 'Resource' cluster, a secret is popul Make sure that the appropriate secrets are populated in the kind-kind cluster, with names `kind-`. ## 4-1. Execute manager process locally -At this point, you should be able to sucesfully start netbox operator process locally after: +At this point, you should be able to successfully start netbox operator process locally after: - Establishing a port forward from Management cluster to your host for the Netbox service: `kubectl port-forward deploy/netbox 8080:8080 -n default` - Setting environment variable `export NETBOX_HOST=localhost:8080` -## 4-2. Execute manager process on managment cluster +## 4-2. Execute manager process on management cluster Deploying the manager in the management cluster involves additional manual steps. From the project's parent directory, execute `make deploy-kind` @@ -44,7 +44,7 @@ ClusterRole `manager-role` needs to allow reading, listing and watching secrets. - Execute `patch-netbox-clusterrole.sh` ### Update secret in controller cluster -The secrets generated from the `create-kubeconfig-secret` needs to reffer to the correct ip:port for each resource cluster. Currently it's pointing a localhost ip, which is only reachable from the host machine. +The secrets generated from the `create-kubeconfig-secret` needs to refer to the correct ip:port for each resource cluster. Currently it's pointing a localhost ip, which is only reachable from the host machine. - Execute script `create-kubeconfig-secret-cluster.sh -c kind- --skip-create-rbac` - This script updates the secret on management cluster, to use the IP of control-plane node of the resource cluster, retrieved from ``docker inspect -control-plane | jq '.[0].NetworkSettings.Networks.kind.IPAddress'`` - The port of the K8s API server is assumed to be `6443`. You can check it with `docker inspect -control-plane | jq '.[0].NetworkSettings.Ports'` 
From d3f7f9bc804808d461f30706a3417f49caba9d1b Mon Sep 17 00:00:00 2001 From: Georgios Date: Tue, 4 Nov 2025 14:38:25 +0100 Subject: [PATCH 9/9] fix yaml lint error --- multi-cluster-utilities/rules.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/multi-cluster-utilities/rules.yaml b/multi-cluster-utilities/rules.yaml index 0eb9558b..5278e246 100644 --- a/multi-cluster-utilities/rules.yaml +++ b/multi-cluster-utilities/rules.yaml @@ -1,3 +1,4 @@ +--- # Rules required for controlled service account to manage NetBox Operator resources # Copied from config/rbac/role.yaml rules: