feat: HardeningProfile bootstrap support -- CAPI template merge + ONT-native NodeMaintenance #25
Merged
Governor directive (session/21): CODEBASE.md eliminated from all repos. The graphify knowledge graph at ~/ontai/graphify-out/graph.json is the sole authoritative source for codebase understanding. See root CONTEXT.md and CLAUDE.md for the Graphify Source of Truth Protocol.
PlatformTenant was a planned CRD for tenant coordination that was never implemented. Tenant coordination is handled by InfrastructureTalosCluster (mode=import or mode=bootstrap) plus the conductor role=tenant Deployment managed by the compiler enable bundle. Remove the forward-looking reference from Step 4b to prevent agents from attempting to implement a non-existent CRD category.
Replace /tmp/envtest-bins/1.35.0 (ephemeral, stale version) with the canonical ontai root Makefile target: make envtest-setup && export KUBEBUILDER_ASSETS=$(make -s envtest-path). Pinned to K8s 1.32.x.
- Remove ont-system talosconfig copy (PLATFORM-BL-TALOSCONFIG-ONTYSYSTEM-REMOVE):
ensureExecutorTalosconfig now copies only to seam-tenant-{cluster}; day-2
executor Jobs mount from Job namespace, never from ont-system.
- Canonical kubeconfig rename (PLATFORM-BL-KUBECONFIG-CANONICAL): removed
tenantKubeconfigSecretName constant and ensureTenantKubeconfigCopy; both import
and CAPI paths now read seam-mc-{cluster}-kubeconfig exclusively.
platform_security.go no longer writes target-cluster-kubeconfig.
PKI rotation e2e test updated to assert seam-mc-{cluster}-kubeconfig.
- CAPI tenant onboarding (PLATFORM-BL-CAPI-TENANT-ONBOARDING): step 8.5 added
to reconcileCAPIPath after CAPI Running: ensureCAPITalosconfig, ensureCAPIKubeconfig,
ensureTenantOnboarding called before ensureConductorReadyAndTransition.
- machineconfig-backup CRD and reconciler (PLATFORM-BL-MACHINECONFIG-BACKUP):
TalosMachineConfigBackup CRD, MachineConfigBackupReconciler, generic
ensureS3EnvSecretFor/resolveS3BackupSecretRef helpers. Registered in main.go.
…-native NodeMaintenance
CAPI path: ensureTalosConfigTemplate reads HardeningProfile when hardeningProfileRef is set,
merges SysctlParams into the CP-INV-009 base sysctl map, and appends MachineConfigPatches as
JSON patch objects. reconcileCAPIPath sets HardeningApplied=True after the template step.
ONT-native path: ensureBootstrapHardening creates a NodeMaintenance (operation=hardening-apply,
label ontai.dev/hardening-trigger=bootstrap) in seam-tenant-{cluster} after Ready. Validates
HardeningProfile.Valid=True before creation. Sets HardeningApplied=True when NodeMaintenance
reaches Ready=True. Returns RequeueAfter: 30s while pending. Idempotent via label check.
ConditionTypeHardeningApplied + reason aliases added to platform taloscluster_types.go.
4 unit tests: NilRef, CreatesNodeMaintenance, NoDuplicate, SetsAppliedWhenReady. All pass.
platform-schema.md §11, Decision 11.
Summary
- `ensureTalosConfigTemplate` now reads `HardeningProfile` when `hardeningProfileRef` is set; merges `SysctlParams` into the CP-INV-009 base sysctl map, parses and appends `MachineConfigPatches` as JSON patch objects.
- `reconcileCAPIPath` sets `HardeningApplied=True` after template step when profile is referenced.
- `ensureBootstrapHardening` in `taloscluster_bootstrap_hardening.go`. Called from main reconcile loop (Step G) after route result, for non-CAPI Ready clusters with `hardeningProfileRef` set. Creates `NodeMaintenance` (operation=hardening-apply, label `ontai.dev/hardening-trigger=bootstrap`) in `seam-tenant-{cluster}`. Sets `HardeningApplied=False/HardeningPending` while pending; `HardeningApplied=True` when `NodeMaintenance.Ready=True`. Returns `RequeueAfter: 30s` while pending.
- `ConditionTypeHardeningApplied`, `ReasonHardeningApplied`, `ReasonHardeningPending`, `ReasonHardeningProfileNotValid` aliased from seam-core conditions package in `platform/api/v1alpha1/taloscluster_types.go`

PLATFORM-BL-HARDENINGPROFILE-MERGE

Test plan

- `TestEnsureBootstrapHardening_NilRef`: no action when ref absent
- `TestEnsureBootstrapHardening_CreatesNodeMaintenance`: NodeMaintenance created with correct label/operation; HardeningApplied=False/Pending returned
- `TestEnsureBootstrapHardening_NoDuplicate`: no second NodeMaintenance when one already exists
- `TestEnsureBootstrapHardening_SetsAppliedWhenReady`: HardeningApplied=True when NodeMaintenance.Ready=True
- `go build ./...` clean

🤖 Generated with Claude Code
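The sysctl merge and JSON-patch step that the Summary describes for the CAPI path, as an added illustration rather than the project's own code: the base map stands in for CP-INV-009, profile values win on conflict, and a patch that is not a well-formed add/replace/remove on an absolute path is rejected so the template step fails closed instead of producing a machine config with hardening silently dropped. The `map[string]string` type for `SysctlParams`, the assumption that each `MachineConfigPatches` entry is one JSON patch document, and the function names are assumptions made for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// JSONPatchOp is one RFC 6902 operation. Each MachineConfigPatches entry is
// assumed here to be one JSON patch document (an array of these) as a string.
type JSONPatchOp struct {
	Op    string          `json:"op"`
	Path  string          `json:"path"`
	Value json.RawMessage `json:"value,omitempty"`
}

// MergeSysctl writes the profile's SysctlParams over a copy of the base map
// (standing in for CP-INV-009): a profile key wins, the base is never mutated.
func MergeSysctl(base, profile map[string]string) map[string]string {
	out := make(map[string]string, len(base)+len(profile))
	for k, v := range base {
		out[k] = v
	}
	for k, v := range profile {
		out[k] = v
	}
	return out
}

// ParsePatches decodes every MachineConfigPatches entry and rejects anything
// that is not a well-formed add/replace/remove on an absolute path, so a bad
// profile fails the template step instead of silently dropping hardening.
func ParsePatches(patches []string) ([]JSONPatchOp, error) {
	var ops []JSONPatchOp
	for i, raw := range patches {
		var doc []JSONPatchOp
		if err := json.Unmarshal([]byte(raw), &doc); err != nil {
			return nil, fmt.Errorf("patch %d: not a JSON patch array: %w", i, err)
		}
		for _, op := range doc {
			if op.Op != "add" && op.Op != "replace" && op.Op != "remove" {
				return nil, fmt.Errorf("patch %d: unsupported op %q", i, op.Op)
			}
			if op.Path == "" || op.Path[0] != '/' {
				return nil, fmt.Errorf("patch %d: path %q is not absolute", i, op.Path)
			}
		}
		ops = append(ops, doc...)
	}
	return ops, nil
}
```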