Skip to content

Add BMCUserSet type and controller implementation #662

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
stefanhipfel wants to merge 10 commits into
base: main
Choose a base branch
from
Open

Add BMCUserSet type and controller implementation #662

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
10 commits
Select commit Hold shift + click to select a range
157f2d5
adds new bmcuserset
Feb 7, 2026
cfa5612
add tests
stefanhipfel Feb 10, 2026
ee6f5f3
make check
stefanhipfel Feb 10, 2026
6e0ea42
make generate && make docs && make helm
stefanhipfel Feb 10, 2026
887644c
fixes tests
stefanhipfel Feb 10, 2026
067ff87
propagate annotations
stefanhipfel Feb 12, 2026
82d412b
fixes coderabbit issues
stefanhipfel Feb 24, 2026
26779f3
Fix CodeRabbit issues in BMCUserSet controller
stefanhipfel Apr 2, 2026
389f8b8
Resolve merge conflicts with main
stefanhipfel Apr 10, 2026
c41e0da
Update API reference documentation for BMCUserTemplate validation
stefanhipfel Apr 24, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 8 additions & 0 deletions PROJECT
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -155,6 +155,14 @@ resources:
kind: BMCUser
path: github.com/ironcore-dev/metal-operator/api/v1alpha1
version: v1alpha1
- api:
crdVersion: v1
controller: true
domain: ironcore.dev
group: metal
kind: BMCUserSet
path: github.com/ironcore-dev/metal-operator/api/v1alpha1
version: v1alpha1
- api:
crdVersion: v1
controller: true
Expand Down
17 changes: 1 addition & 16 deletions api/v1alpha1/bmcuser_types.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,22 +10,7 @@ import (

// BMCUserSpec defines the desired state of BMCUser.
type BMCUserSpec struct {
// UserName is the username of the BMC user.
UserName string `json:"userName"`

// RoleID is the ID of the role to assign to the user.
RoleID string `json:"roleID"`

// Description is a description for the BMC user.
Description string `json:"description,omitempty"`

// RotationPeriod defines how often the password should be rotated.
// If not set, the password will not be rotated.
RotationPeriod *metav1.Duration `json:"rotationPeriod,omitempty"`

// BMCSecretRef references the BMCSecret containing the credentials for this user.
// If not set, the operator will generate a secure password based on BMC manufacturer requirements.
BMCSecretRef *v1.LocalObjectReference `json:"bmcSecretRef,omitempty"`
BMCUserTemplate `json:",inline"`

// BMCRef references the BMC this user should be created on.
BMCRef *v1.LocalObjectReference `json:"bmcRef,omitempty"`
Expand Down
81 changes: 81 additions & 0 deletions api/v1alpha1/bmcuserset_types.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,81 @@
// SPDX-FileCopyrightText: 2025 SAP SE or an SAP affiliate company and IronCore contributors
// SPDX-License-Identifier: Apache-2.0

package v1alpha1

import (
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)

// BMCUserTemplate defines the template for the BMCUser Resource to be applied to the BMCs.
type BMCUserTemplate struct {
// Username of the BMC user.
// +required
// +kubebuilder:validation:MinLength=1
UserName string `json:"userName"`
// RoleID is the ID of the role to assign to the user.
// The available roles depend on the BMC implementation.
// For Redfish, common role IDs are "Administrator", "Operator", "ReadOnly".
// +required
// +kubebuilder:validation:MinLength=1
RoleID string `json:"roleID"`
Comment thread
coderabbitai[bot] marked this conversation as resolved.
// Description is an optional description for the BMC user.
Description string `json:"description,omitempty"`
// RotationPeriod defines how often the password should be rotated.
// if not set, the password will not be rotated.
RotationPeriod *metav1.Duration `json:"rotationPeriod,omitempty"`
// BMCSecretRef references the BMCSecret containing the credentials for this user.
// If not set, the operator will generate a secure password based on BMC manufacturer requirements.
BMCSecretRef *corev1.LocalObjectReference `json:"bmcSecretRef,omitempty"`
}

// BMCUserSetSpec defines the desired state of BMCUserSet.
type BMCUserSetSpec struct {
// BMCSelector specifies a label selector to identify the BMCs that are to be selected.
// +required
BMCSelector metav1.LabelSelector `json:"bmcSelector"`

// BMCUserTemplate defines the template for the BMCUser Resource to be applied to the BMCs.
// +required
BMCUserTemplate BMCUserTemplate `json:"bmcUserTemplate"`
}

// BMCUserSetStatus defines the observed state of BMCUserSet.
type BMCUserSetStatus struct {
// FullyLabeledBMCs is the number of BMC in the set.
FullyLabeledBMCs int32 `json:"fullyLabeledBMCs,omitempty"`
// AvailableBMCUsers is the number of BMCUsers currently created by the set.
AvailableBMCUsers int32 `json:"availableBMCUsers,omitempty"`
}

// +kubebuilder:object:root=true
// +kubebuilder:subresource:status
// +kubebuilder:resource:scope=Cluster
// +kubebuilder:printcolumn:name="UserName",type=string,JSONPath=`.spec.bmcUserTemplate.userName`
// +kubebuilder:printcolumn:name="RoleID",type=string,JSONPath=`.spec.bmcUserTemplate.roleID`
// +kubebuilder:printcolumn:name="TotalBMCs",type="integer",JSONPath=`.status.fullyLabeledBMCs`
// +kubebuilder:printcolumn:name="AvailableBMCUsers",type="integer",JSONPath=`.status.availableBMCUsers`
// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp"

// BMCUserSet is the Schema for the bmcusersets API.
type BMCUserSet struct {
metav1.TypeMeta `json:",inline"`
metav1.ObjectMeta `json:"metadata,omitempty"`

Spec BMCUserSetSpec `json:"spec,omitempty"`
Status BMCUserSetStatus `json:"status,omitempty"`
Comment on lines +62 to +67
Copy link
Copy Markdown
Contributor

@coderabbitai coderabbitai Bot Apr 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

Make the root spec field required.

json:"spec,omitempty" lets a BMCUserSet through with no spec at all, which bypasses the nested required fields. This controller does not have a safe zero-value behavior for that case, so admission should reject it instead.

Suggested fix 
-	Spec   BMCUserSetSpec   `json:"spec,omitempty"`
+	// +required
+	Spec   BMCUserSetSpec   `json:"spec"`
 	Status BMCUserSetStatus `json:"status,omitempty"`

Based on learnings: "When a Kubernetes controller (reconciler) errors out and does not proceed if a CRD spec field is nil/empty, that field should not be treated as optional in the API schema."

🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@api/v1alpha1/bmcuserset_types.go` around lines 60 - 65, The BMCUserSet root
Spec must be required: update the BMCUserSet type by removing the omitempty from
the Spec json tag (change `json:"spec,omitempty"` to `json:"spec"`) and add the
kubebuilder required marker above the Spec field (use
`+kubebuilder:validation:Required`) so the CRD schema will reject objects
missing Spec; reference the BMCUserSet struct and the Spec field and ensure the
BMCUserSetSpec type remains unchanged.

}

// +kubebuilder:object:root=true

// BMCUserSetList contains a list of BMCUserSet.
type BMCUserSetList struct {
metav1.TypeMeta `json:",inline"`
metav1.ListMeta `json:"metadata,omitempty"`
Items []BMCUserSet `json:"items"`
}

func init() {
SchemeBuilder.Register(&BMCUserSet{}, &BMCUserSetList{})
}
125 changes: 116 additions & 9 deletions api/v1alpha1/zz_generated.deepcopy.go
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

7 changes: 7 additions & 0 deletions cmd/main.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -597,6 +597,13 @@ func main() { // nolint: gocyclo
setupLog.Error(err, "Failed to create controller", "controller", "BMCSettingsSet")
os.Exit(1)
}
if err := (&controller.BMCUserSetReconciler{
Client: mgr.GetClient(),
Scheme: mgr.GetScheme(),
}).SetupWithManager(mgr); err != nil {
setupLog.Error(err, "unable to create controller", "controller", "BMCUserSet")
os.Exit(1)
}
if err = (&controller.BMCUserReconciler{
Client: mgr.GetClient(),
Scheme: mgr.GetScheme(),
Expand Down
13 changes: 9 additions & 4 deletions config/crd/bases/metal.ironcore.dev_bmcusers.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -92,18 +92,23 @@ spec:
type: object
x-kubernetes-map-type: atomic
description:
description: Description is a description for the BMC user.
description: Description is an optional description for the BMC user.
type: string
roleID:
description: RoleID is the ID of the role to assign to the user.
description: |-
RoleID is the ID of the role to assign to the user.
The available roles depend on the BMC implementation.
For Redfish, common role IDs are "Administrator", "Operator", "ReadOnly".
minLength: 1
type: string
rotationPeriod:
description: |-
RotationPeriod defines how often the password should be rotated.
If not set, the password will not be rotated.
if not set, the password will not be rotated.
type: string
userName:
description: UserName is the username of the BMC user.
description: Username of the BMC user.
minLength: 1
type: string
required:
- roleID
Expand Down
Loading
Loading