From 58b62689899f4fd450bbae9f41499a0c6ffaa9b6 Mon Sep 17 00:00:00 2001
From: Willem <wrolleman@nationtech.io>
Date: Mon, 29 Sep 2025 10:46:29 -0400
Subject: [PATCH 01/51] wip: moving the install steps for grafana and
 prometheus into the trait installable<T>

---
 harmony/src/domain/topology/k8s_anywhere.rs   | 116 ++++++++++++++++--
 .../application/features/monitoring.rs        |   5 +-
 .../application/features/rhob_monitoring.rs   |   4 +-
 .../application_monitoring_score.rs           |   8 +-
 .../rhobs_application_monitoring_score.rs     |   6 +-
 .../src/modules/monitoring/grafana/grafana.rs |  15 +++
 .../monitoring/grafana/helm/helm_grafana.rs   |  25 ++--
 harmony/src/modules/monitoring/grafana/mod.rs |   1 +
 .../crd/crd_alertmanager_config.rs            |  41 ++++++-
 .../monitoring/prometheus/prometheus.rs       |   2 +-
 .../k8s_prometheus_alerting_score.rs          |   6 +-
 harmony/src/modules/prometheus/prometheus.rs  |   8 +-
 .../modules/prometheus/rhob_alerting_score.rs |  10 +-
 13 files changed, 195 insertions(+), 52 deletions(-)
 create mode 100644 harmony/src/modules/monitoring/grafana/grafana.rs

diff --git a/harmony/src/domain/topology/k8s_anywhere.rs b/harmony/src/domain/topology/k8s_anywhere.rs
index e6c37ea..6dfb1a8 100644
--- a/harmony/src/domain/topology/k8s_anywhere.rs
+++ b/harmony/src/domain/topology/k8s_anywhere.rs
@@ -12,14 +12,17 @@ use crate::{
     inventory::Inventory,
     modules::{
         k3d::K3DInstallationScore,
-        monitoring::kube_prometheus::crd::{
-            crd_alertmanager_config::CRDPrometheus,
-            prometheus_operator::prometheus_operator_helm_chart_score,
-            rhob_alertmanager_config::RHOBObservability,
+        monitoring::{
+            grafana::{grafana::Grafana, helm::helm_grafana::grafana_helm_chart_score},
+            kube_prometheus::crd::{
+                crd_alertmanager_config::CRDPrometheus,
+                prometheus_operator::prometheus_operator_helm_chart_score,
+                rhob_alertmanager_config::RHOBObservability, service_monitor::ServiceMonitor,
+            },
         },
         prometheus::{
             k8s_prometheus_alerting_score::K8sPrometheusCRDAlertingScore,
-            prometheus::PrometheusApplicationMonitoring, rhob_alerting_score::RHOBAlertingScore,
+            prometheus::PrometheusMonitoring, rhob_alerting_score::RHOBAlertingScore,
         },
     },
     score::Score,
@@ -86,7 +89,43 @@ impl K8sclient for K8sAnywhereTopology {
 }
 
 #[async_trait]
-impl PrometheusApplicationMonitoring<CRDPrometheus> for K8sAnywhereTopology {
+impl Grafana for K8sAnywhereTopology {
+    async fn ensure_grafana_operator_ready(
+        &self,
+        inventory: &Inventory,
+    ) -> Result<PreparationOutcome, PreparationError> {
+        let client = self.k8s_client().await.unwrap();
+        let grafana_gvk = GroupVersionKind {
+            group: "grafana.integreatly.org".to_string(),
+            version: "v1beta1".to_string(),
+            kind: "Grafana".to_string(),
+        };
+        let name = "grafanas.grafana.integreatly.org";
+        let ns = "grafana";
+
+        let grafana_crd = client
+            .get_resource_json_value(name, Some(ns), &grafana_gvk)
+            .await;
+        match grafana_crd {
+            Ok(_) => {
+                return Ok(PreparationOutcome::Success {
+                    details: "Found grafana CRDs in cluster".to_string(),
+                });
+            }
+            Err(_) => {
+                return self
+                    .install_grafana_operator(inventory, Some("grafana"))
+                    .await;
+            }
+        };
+    }
+    async fn install_grafana(&self) -> Result<PreparationOutcome, PreparationError> {
+        todo!()
+    }
+}
+
+#[async_trait]
+impl PrometheusMonitoring<CRDPrometheus> for K8sAnywhereTopology {
     async fn install_prometheus(
         &self,
         sender: &CRDPrometheus,
@@ -101,7 +140,11 @@ impl PrometheusApplicationMonitoring<CRDPrometheus> for K8sAnywhereTopology {
         }
 
         let result = self
-            .get_k8s_prometheus_application_score(sender.clone(), receivers)
+            .get_k8s_prometheus_application_score(
+                sender.clone(),
+                receivers,
+                Some(sender.service_monitor.clone()),
+            )
             .await
             .interpret(inventory, self)
             .await;
@@ -117,10 +160,24 @@ impl PrometheusApplicationMonitoring<CRDPrometheus> for K8sAnywhereTopology {
             Err(err) => Err(PreparationError::new(err.to_string())),
         }
     }
+    async fn ensure_prometheus_operator(
+        &self,
+        sender: &CRDPrometheus,
+        inventory: &Inventory,
+    ) -> Result<PreparationOutcome, PreparationError> {
+        let po_result = self.ensure_prometheus_operator(sender).await?;
+
+        if po_result == PreparationOutcome::Noop {
+            debug!("Skipping Prometheus CR installation due to missing operator.");
+            return Ok(po_result);
+        } else {
+            todo!()
+        }
+    }
 }
 
 #[async_trait]
-impl PrometheusApplicationMonitoring<RHOBObservability> for K8sAnywhereTopology {
+impl PrometheusMonitoring<RHOBObservability> for K8sAnywhereTopology {
     async fn install_prometheus(
         &self,
         sender: &RHOBObservability,
@@ -154,6 +211,13 @@ impl PrometheusApplicationMonitoring<RHOBObservability> for K8sAnywhereTopology
             Err(err) => Err(PreparationError::new(err.to_string())),
         }
     }
+    async fn ensure_prometheus_operator(
+        &self,
+        sender: &RHOBObservability,
+        inventory: &Inventory,
+    ) -> Result<PreparationOutcome, PreparationError> {
+        todo!()
+    }
 }
 
 impl Serialize for K8sAnywhereTopology {
@@ -253,12 +317,22 @@ impl K8sAnywhereTopology {
         &self,
         sender: CRDPrometheus,
         receivers: Option<Vec<Box<dyn AlertReceiver<CRDPrometheus>>>>,
+        service_monitors: Option<Vec<ServiceMonitor>>,
     ) -> K8sPrometheusCRDAlertingScore {
-        K8sPrometheusCRDAlertingScore {
-            sender,
-            receivers: receivers.unwrap_or_default(),
-            service_monitors: vec![],
-            prometheus_rules: vec![],
+        if let Some(sm) = service_monitors {
+            return K8sPrometheusCRDAlertingScore {
+                sender,
+                receivers: receivers.unwrap_or_default(),
+                service_monitors: sm,
+                prometheus_rules: vec![],
+            };
+        } else {
+            return K8sPrometheusCRDAlertingScore {
+                sender,
+                receivers: receivers.unwrap_or_default(),
+                service_monitors: vec![],
+                prometheus_rules: vec![],
+            };
         }
     }
 
@@ -527,6 +601,22 @@ impl K8sAnywhereTopology {
             details: "prometheus operator present in cluster".into(),
         })
     }
+
+    async fn install_grafana_operator(
+        &self,
+        inventory: &Inventory,
+        ns: Option<&str>,
+    ) -> Result<PreparationOutcome, PreparationError> {
+        let _grafana_operator_score = grafana_helm_chart_score(ns.unwrap(), true)
+            .interpret(inventory, self)
+            .await;
+        Ok(PreparationOutcome::Success {
+            details: format!(
+                "Successfully installed grafana operator in ns {}",
+                ns.unwrap()
+            ),
+        })
+    }
 }
 
 #[derive(Clone, Debug)]
diff --git a/harmony/src/modules/application/features/monitoring.rs b/harmony/src/modules/application/features/monitoring.rs
index 1a60d00..0fd155d 100644
--- a/harmony/src/modules/application/features/monitoring.rs
+++ b/harmony/src/modules/application/features/monitoring.rs
@@ -14,7 +14,7 @@ use crate::{
     topology::{HelmCommand, K8sclient, Topology, tenant::TenantManager},
 };
 use crate::{
-    modules::prometheus::prometheus::PrometheusApplicationMonitoring,
+    modules::prometheus::prometheus::PrometheusMonitoring,
     topology::oberservability::monitoring::AlertReceiver,
 };
 use async_trait::async_trait;
@@ -40,7 +40,7 @@ impl<
         + TenantManager
         + K8sclient
         + MultiTargetTopology
-        + PrometheusApplicationMonitoring<CRDPrometheus>
+        + PrometheusMonitoring<CRDPrometheus>
         + Ingress
         + std::fmt::Debug,
 > ApplicationFeature<T> for Monitoring
@@ -61,6 +61,7 @@ impl<
             sender: CRDPrometheus {
                 namespace: namespace.clone(),
                 client: topology.k8s_client().await.unwrap(),
+                service_monitor: vec![],
             },
             application: self.application.clone(),
             receivers: self.alert_receiver.clone(),
diff --git a/harmony/src/modules/application/features/rhob_monitoring.rs b/harmony/src/modules/application/features/rhob_monitoring.rs
index d87ef61..876dba9 100644
--- a/harmony/src/modules/application/features/rhob_monitoring.rs
+++ b/harmony/src/modules/application/features/rhob_monitoring.rs
@@ -18,7 +18,7 @@ use crate::{
     topology::{HelmCommand, K8sclient, Topology, tenant::TenantManager},
 };
 use crate::{
-    modules::prometheus::prometheus::PrometheusApplicationMonitoring,
+    modules::prometheus::prometheus::PrometheusMonitoring,
     topology::oberservability::monitoring::AlertReceiver,
 };
 use async_trait::async_trait;
@@ -42,7 +42,7 @@ impl<
         + MultiTargetTopology
         + Ingress
         + std::fmt::Debug
-        + PrometheusApplicationMonitoring<RHOBObservability>,
+        + PrometheusMonitoring<RHOBObservability>,
 > ApplicationFeature<T> for Monitoring
 {
     async fn ensure_installed(
diff --git a/harmony/src/modules/monitoring/application_monitoring/application_monitoring_score.rs b/harmony/src/modules/monitoring/application_monitoring/application_monitoring_score.rs
index 8246d15..2780edd 100644
--- a/harmony/src/modules/monitoring/application_monitoring/application_monitoring_score.rs
+++ b/harmony/src/modules/monitoring/application_monitoring/application_monitoring_score.rs
@@ -10,7 +10,7 @@ use crate::{
     modules::{
         application::Application,
         monitoring::kube_prometheus::crd::crd_alertmanager_config::CRDPrometheus,
-        prometheus::prometheus::PrometheusApplicationMonitoring,
+        prometheus::prometheus::PrometheusMonitoring,
     },
     score::Score,
     topology::{PreparationOutcome, Topology, oberservability::monitoring::AlertReceiver},
@@ -24,9 +24,7 @@ pub struct ApplicationMonitoringScore {
     pub receivers: Vec<Box<dyn AlertReceiver<CRDPrometheus>>>,
 }
 
-impl<T: Topology + PrometheusApplicationMonitoring<CRDPrometheus>> Score<T>
-    for ApplicationMonitoringScore
-{
+impl<T: Topology + PrometheusMonitoring<CRDPrometheus>> Score<T> for ApplicationMonitoringScore {
     fn create_interpret(&self) -> Box<dyn Interpret<T>> {
         Box::new(ApplicationMonitoringInterpret {
             score: self.clone(),
@@ -47,7 +45,7 @@ pub struct ApplicationMonitoringInterpret {
 }
 
 #[async_trait]
-impl<T: Topology + PrometheusApplicationMonitoring<CRDPrometheus>> Interpret<T>
+impl<T: Topology + PrometheusMonitoring<CRDPrometheus>> Interpret<T>
     for ApplicationMonitoringInterpret
 {
     async fn execute(
diff --git a/harmony/src/modules/monitoring/application_monitoring/rhobs_application_monitoring_score.rs b/harmony/src/modules/monitoring/application_monitoring/rhobs_application_monitoring_score.rs
index 5f5127f..6f45c88 100644
--- a/harmony/src/modules/monitoring/application_monitoring/rhobs_application_monitoring_score.rs
+++ b/harmony/src/modules/monitoring/application_monitoring/rhobs_application_monitoring_score.rs
@@ -12,7 +12,7 @@ use crate::{
         monitoring::kube_prometheus::crd::{
             crd_alertmanager_config::CRDPrometheus, rhob_alertmanager_config::RHOBObservability,
         },
-        prometheus::prometheus::PrometheusApplicationMonitoring,
+        prometheus::prometheus::PrometheusMonitoring,
     },
     score::Score,
     topology::{PreparationOutcome, Topology, oberservability::monitoring::AlertReceiver},
@@ -26,7 +26,7 @@ pub struct ApplicationRHOBMonitoringScore {
     pub receivers: Vec<Box<dyn AlertReceiver<RHOBObservability>>>,
 }
 
-impl<T: Topology + PrometheusApplicationMonitoring<RHOBObservability>> Score<T>
+impl<T: Topology + PrometheusMonitoring<RHOBObservability>> Score<T>
     for ApplicationRHOBMonitoringScore
 {
     fn create_interpret(&self) -> Box<dyn Interpret<T>> {
@@ -49,7 +49,7 @@ pub struct ApplicationRHOBMonitoringInterpret {
 }
 
 #[async_trait]
-impl<T: Topology + PrometheusApplicationMonitoring<RHOBObservability>> Interpret<T>
+impl<T: Topology + PrometheusMonitoring<RHOBObservability>> Interpret<T>
     for ApplicationRHOBMonitoringInterpret
 {
     async fn execute(
diff --git a/harmony/src/modules/monitoring/grafana/grafana.rs b/harmony/src/modules/monitoring/grafana/grafana.rs
new file mode 100644
index 0000000..411d7a6
--- /dev/null
+++ b/harmony/src/modules/monitoring/grafana/grafana.rs
@@ -0,0 +1,15 @@
+use async_trait::async_trait;
+
+use crate::{
+    inventory::Inventory,
+    topology::{PreparationError, PreparationOutcome},
+};
+
+#[async_trait]
+pub trait Grafana {
+    async fn ensure_grafana_operator_ready(
+        &self,
+        inventory: &Inventory,
+    ) -> Result<PreparationOutcome, PreparationError>;
+    async fn install_grafana(&self) -> Result<PreparationOutcome, PreparationError>;
+}
diff --git a/harmony/src/modules/monitoring/grafana/helm/helm_grafana.rs b/harmony/src/modules/monitoring/grafana/helm/helm_grafana.rs
index 3af6550..094beca 100644
--- a/harmony/src/modules/monitoring/grafana/helm/helm_grafana.rs
+++ b/harmony/src/modules/monitoring/grafana/helm/helm_grafana.rs
@@ -1,25 +1,22 @@
 use non_blank_string_rs::NonBlankString;
-use std::str::FromStr;
+use std::{collections::HashMap, str::FromStr};
 
 use crate::modules::helm::chart::HelmChartScore;
 
-pub fn grafana_helm_chart_score(ns: &str) -> HelmChartScore {
-    let values = r#"
-rbac:
-  namespaced: true
-sidecar:
-  dashboards:
-    enabled: true
-        "#
-    .to_string();
-
+pub fn grafana_helm_chart_score(ns: &str, scope: bool) -> HelmChartScore {
+    let mut values_overrides = HashMap::new();
+    values_overrides.insert(
+        NonBlankString::from_str("namespaceScope").unwrap(),
+        scope.to_string(),
+    );
     HelmChartScore {
         namespace: Some(NonBlankString::from_str(ns).unwrap()),
         release_name: NonBlankString::from_str("grafana").unwrap(),
-        chart_name: NonBlankString::from_str("oci://ghcr.io/grafana/helm-charts/grafana").unwrap(),
+        chart_name: NonBlankString::from_str("oci://ghcr.io/grafana/helm-charts/grafana-operator")
+            .unwrap(),
         chart_version: None,
-        values_overrides: None,
-        values_yaml: Some(values.to_string()),
+        values_overrides: Some(values_overrides),
+        values_yaml: None,
         create_namespace: true,
         install_only: true,
         repository: None,
diff --git a/harmony/src/modules/monitoring/grafana/mod.rs b/harmony/src/modules/monitoring/grafana/mod.rs
index c821bcb..8dccab1 100644
--- a/harmony/src/modules/monitoring/grafana/mod.rs
+++ b/harmony/src/modules/monitoring/grafana/mod.rs
@@ -1 +1,2 @@
+pub mod grafana;
 pub mod helm;
diff --git a/harmony/src/modules/monitoring/kube_prometheus/crd/crd_alertmanager_config.rs b/harmony/src/modules/monitoring/kube_prometheus/crd/crd_alertmanager_config.rs
index 2165a4a..0ac8fc7 100644
--- a/harmony/src/modules/monitoring/kube_prometheus/crd/crd_alertmanager_config.rs
+++ b/harmony/src/modules/monitoring/kube_prometheus/crd/crd_alertmanager_config.rs
@@ -1,12 +1,25 @@
 use std::sync::Arc;
 
+use async_trait::async_trait;
 use kube::CustomResource;
 use schemars::JsonSchema;
 use serde::{Deserialize, Serialize};
 
-use crate::topology::{
-    k8s::K8sClient,
-    oberservability::monitoring::{AlertReceiver, AlertSender},
+use crate::{
+    interpret::{InterpretError, Outcome},
+    inventory::Inventory,
+    modules::{
+        monitoring::{
+            grafana::grafana::Grafana, kube_prometheus::crd::service_monitor::ServiceMonitor,
+        },
+        prometheus::prometheus::PrometheusMonitoring,
+    },
+    topology::{
+        K8sclient, Topology,
+        installable::Installable,
+        k8s::K8sClient,
+        oberservability::monitoring::{AlertReceiver, AlertSender},
+    },
 };
 
 #[derive(CustomResource, Serialize, Deserialize, Debug, Clone, JsonSchema)]
@@ -26,6 +39,7 @@ pub struct AlertmanagerConfigSpec {
 pub struct CRDPrometheus {
     pub namespace: String,
     pub client: Arc<K8sClient>,
+    pub service_monitor: Vec<ServiceMonitor>,
 }
 
 impl AlertSender for CRDPrometheus {
@@ -48,3 +62,24 @@ impl Serialize for Box<dyn AlertReceiver<CRDPrometheus>> {
         todo!()
     }
 }
+
+#[async_trait]
+impl<T: Topology + K8sclient + PrometheusMonitoring<CRDPrometheus> + Grafana> Installable<T>
+    for CRDPrometheus
+{
+    async fn configure(&self, inventory: &Inventory, topology: &T) -> Result<(), InterpretError> {
+        topology.ensure_grafana_operator_ready(inventory).await?;
+        topology.ensure_prometheus_operator(self, inventory).await?;
+        Ok(())
+    }
+
+    async fn ensure_installed(
+        &self,
+        inventory: &Inventory,
+        topology: &T,
+    ) -> Result<(), InterpretError> {
+        topology.install_grafana().await?;
+        topology.install_prometheus(&self, inventory, None).await?;
+        Ok(())
+    }
+}
diff --git a/harmony/src/modules/monitoring/prometheus/prometheus.rs b/harmony/src/modules/monitoring/prometheus/prometheus.rs
index a207d5a..2fe0d06 100644
--- a/harmony/src/modules/monitoring/prometheus/prometheus.rs
+++ b/harmony/src/modules/monitoring/prometheus/prometheus.rs
@@ -114,7 +114,7 @@ impl Prometheus {
         };
 
         if let Some(ns) = namespace.as_deref() {
-            grafana_helm_chart_score(ns)
+            grafana_helm_chart_score(ns, false)
                 .interpret(inventory, topology)
                 .await
         } else {
diff --git a/harmony/src/modules/prometheus/k8s_prometheus_alerting_score.rs b/harmony/src/modules/prometheus/k8s_prometheus_alerting_score.rs
index 24ca918..2cb4ffb 100644
--- a/harmony/src/modules/prometheus/k8s_prometheus_alerting_score.rs
+++ b/harmony/src/modules/prometheus/k8s_prometheus_alerting_score.rs
@@ -39,7 +39,7 @@ use crate::{
 };
 use harmony_types::id::Id;
 
-use super::prometheus::PrometheusApplicationMonitoring;
+use super::prometheus::PrometheusMonitoring;
 
 #[derive(Clone, Debug, Serialize)]
 pub struct K8sPrometheusCRDAlertingScore {
@@ -49,7 +49,7 @@ pub struct K8sPrometheusCRDAlertingScore {
     pub prometheus_rules: Vec<RuleGroup>,
 }
 
-impl<T: Topology + K8sclient + PrometheusApplicationMonitoring<CRDPrometheus>> Score<T>
+impl<T: Topology + K8sclient + PrometheusMonitoring<CRDPrometheus>> Score<T>
     for K8sPrometheusCRDAlertingScore
 {
     fn create_interpret(&self) -> Box<dyn crate::interpret::Interpret<T>> {
@@ -75,7 +75,7 @@ pub struct K8sPrometheusCRDAlertingInterpret {
 }
 
 #[async_trait]
-impl<T: Topology + K8sclient + PrometheusApplicationMonitoring<CRDPrometheus>> Interpret<T>
+impl<T: Topology + K8sclient + PrometheusMonitoring<CRDPrometheus>> Interpret<T>
     for K8sPrometheusCRDAlertingInterpret
 {
     async fn execute(
diff --git a/harmony/src/modules/prometheus/prometheus.rs b/harmony/src/modules/prometheus/prometheus.rs
index d3940c7..efb89da 100644
--- a/harmony/src/modules/prometheus/prometheus.rs
+++ b/harmony/src/modules/prometheus/prometheus.rs
@@ -9,11 +9,17 @@ use crate::{
 };
 
 #[async_trait]
-pub trait PrometheusApplicationMonitoring<S: AlertSender> {
+pub trait PrometheusMonitoring<S: AlertSender> {
     async fn install_prometheus(
         &self,
         sender: &S,
         inventory: &Inventory,
         receivers: Option<Vec<Box<dyn AlertReceiver<S>>>>,
     ) -> Result<PreparationOutcome, PreparationError>;
+
+    async fn ensure_prometheus_operator(
+        &self,
+        sender: &S,
+        inventory: &Inventory,
+    ) -> Result<PreparationOutcome, PreparationError>;
 }
diff --git a/harmony/src/modules/prometheus/rhob_alerting_score.rs b/harmony/src/modules/prometheus/rhob_alerting_score.rs
index 95908d5..644e6f9 100644
--- a/harmony/src/modules/prometheus/rhob_alerting_score.rs
+++ b/harmony/src/modules/prometheus/rhob_alerting_score.rs
@@ -38,7 +38,7 @@ use crate::{
 };
 use harmony_types::id::Id;
 
-use super::prometheus::PrometheusApplicationMonitoring;
+use super::prometheus::PrometheusMonitoring;
 
 #[derive(Clone, Debug, Serialize)]
 pub struct RHOBAlertingScore {
@@ -48,8 +48,8 @@ pub struct RHOBAlertingScore {
     pub prometheus_rules: Vec<RuleGroup>,
 }
 
-impl<T: Topology + K8sclient + Ingress + PrometheusApplicationMonitoring<RHOBObservability>>
-    Score<T> for RHOBAlertingScore
+impl<T: Topology + K8sclient + Ingress + PrometheusMonitoring<RHOBObservability>> Score<T>
+    for RHOBAlertingScore
 {
     fn create_interpret(&self) -> Box<dyn crate::interpret::Interpret<T>> {
         Box::new(RHOBAlertingInterpret {
@@ -74,8 +74,8 @@ pub struct RHOBAlertingInterpret {
 }
 
 #[async_trait]
-impl<T: Topology + K8sclient + Ingress + PrometheusApplicationMonitoring<RHOBObservability>>
-    Interpret<T> for RHOBAlertingInterpret
+impl<T: Topology + K8sclient + Ingress + PrometheusMonitoring<RHOBObservability>> Interpret<T>
+    for RHOBAlertingInterpret
 {
     async fn execute(
         &self,

From 1f3796f50301b38746366c4d5e4909332db203dd Mon Sep 17 00:00:00 2001
From: Willem <wrolleman@nationtech.io>
Date: Thu, 9 Oct 2025 12:26:05 -0400
Subject: [PATCH 02/51] refactor(prometheus): modified crd prometheus to impl
 the installable trait

---
 examples/try_rust_webapp/src/main.rs          |   2 +-
 harmony/src/domain/topology/k8s_anywhere.rs   | 208 ++++++++++++++----
 .../topology/oberservability/monitoring.rs    |   2 +
 .../application/features/monitoring.rs        |  17 +-
 .../application_monitoring_score.rs           |  79 ++-----
 .../src/modules/monitoring/grafana/grafana.rs |   4 +-
 .../monitoring/grafana/helm/helm_grafana.rs   |  17 +-
 .../crd/crd_alertmanager_config.rs            |   2 +-
 8 files changed, 219 insertions(+), 112 deletions(-)

diff --git a/examples/try_rust_webapp/src/main.rs b/examples/try_rust_webapp/src/main.rs
index 56a058d..7bfdf57 100644
--- a/examples/try_rust_webapp/src/main.rs
+++ b/examples/try_rust_webapp/src/main.rs
@@ -3,7 +3,7 @@ use harmony::{
     modules::{
         application::{
             ApplicationScore, RustWebFramework, RustWebapp,
-            features::{PackagingDeployment, rhob_monitoring::Monitoring},
+            features::{Monitoring, PackagingDeployment},
         },
         monitoring::alert_channel::discord_alert_channel::DiscordWebhook,
     },
diff --git a/harmony/src/domain/topology/k8s_anywhere.rs b/harmony/src/domain/topology/k8s_anywhere.rs
index 6dfb1a8..895f7da 100644
--- a/harmony/src/domain/topology/k8s_anywhere.rs
+++ b/harmony/src/domain/topology/k8s_anywhere.rs
@@ -1,7 +1,7 @@
-use std::{process::Command, sync::Arc};
+use std::{collections::BTreeMap, process::Command, sync::Arc};
 
 use async_trait::async_trait;
-use kube::api::GroupVersionKind;
+use kube::api::{GroupVersionKind, ObjectMeta};
 use log::{debug, info, warn};
 use serde::Serialize;
 use tokio::sync::OnceCell;
@@ -12,12 +12,20 @@ use crate::{
     inventory::Inventory,
     modules::{
         k3d::K3DInstallationScore,
+        k8s::ingress::{K8sIngressScore, PathType},
         monitoring::{
             grafana::{grafana::Grafana, helm::helm_grafana::grafana_helm_chart_score},
             kube_prometheus::crd::{
                 crd_alertmanager_config::CRDPrometheus,
+                crd_grafana::{
+                    Grafana as GrafanaCRD, GrafanaDashboard, GrafanaDashboardSpec,
+                    GrafanaDatasource, GrafanaDatasourceConfig, GrafanaDatasourceSpec, GrafanaSpec,
+                },
+                crd_prometheuses::LabelSelector,
+                grafana_default_dashboard::build_default_dashboard,
                 prometheus_operator::prometheus_operator_helm_chart_score,
-                rhob_alertmanager_config::RHOBObservability, service_monitor::ServiceMonitor,
+                rhob_alertmanager_config::RHOBObservability,
+                service_monitor::ServiceMonitor,
             },
         },
         prometheus::{
@@ -90,10 +98,11 @@ impl K8sclient for K8sAnywhereTopology {
 
 #[async_trait]
 impl Grafana for K8sAnywhereTopology {
-    async fn ensure_grafana_operator_ready(
+    async fn ensure_grafana_operator(
         &self,
         inventory: &Inventory,
     ) -> Result<PreparationOutcome, PreparationError> {
+        debug!("ensure grafana operator");
         let client = self.k8s_client().await.unwrap();
         let grafana_gvk = GroupVersionKind {
             group: "grafana.integreatly.org".to_string(),
@@ -112,6 +121,7 @@ impl Grafana for K8sAnywhereTopology {
                     details: "Found grafana CRDs in cluster".to_string(),
                 });
             }
+
             Err(_) => {
                 return self
                     .install_grafana_operator(inventory, Some("grafana"))
@@ -120,7 +130,41 @@ impl Grafana for K8sAnywhereTopology {
         };
     }
     async fn install_grafana(&self) -> Result<PreparationOutcome, PreparationError> {
-        todo!()
+        debug!("install grafana");
+        let ns = "grafana";
+
+        let mut label = BTreeMap::new();
+
+        label.insert("dashboards".to_string(), "grafana".to_string());
+        let label_selector = LabelSelector {
+            match_labels: label.clone(),
+            match_expressions: vec![],
+        };
+
+        let client = self.k8s_client().await?;
+
+        let datasource = self.build_grafana_datasource(ns, &label_selector);
+
+        client.apply(&datasource, Some(ns)).await?;
+
+        let dashboard = self.build_grafana_dashboard(ns, &label_selector);
+
+        client.apply(&dashboard, Some(ns)).await?;
+
+        let grafana = self.build_grafana(ns, &label);
+
+        client.apply(&grafana, Some(ns)).await?;
+
+        let grafana_ingress = self.build_grafana_ingress(ns).await;
+
+        grafana_ingress
+            .interpret(&Inventory::empty(), self)
+            .await
+            .map_err(|e| PreparationError::new(e.to_string()))?;
+
+        Ok(PreparationOutcome::Success {
+            details: "Installed grafana composants".to_string(),
+        })
     }
 }
 
@@ -129,49 +173,38 @@ impl PrometheusMonitoring<CRDPrometheus> for K8sAnywhereTopology {
     async fn install_prometheus(
         &self,
         sender: &CRDPrometheus,
-        inventory: &Inventory,
-        receivers: Option<Vec<Box<dyn AlertReceiver<CRDPrometheus>>>>,
+        _inventory: &Inventory,
+        _receivers: Option<Vec<Box<dyn AlertReceiver<CRDPrometheus>>>>,
     ) -> Result<PreparationOutcome, PreparationError> {
-        let po_result = self.ensure_prometheus_operator(sender).await?;
+        let client = self.k8s_client().await?;
 
-        if po_result == PreparationOutcome::Noop {
-            debug!("Skipping Prometheus CR installation due to missing operator.");
-            return Ok(po_result);
-        }
-
-        let result = self
-            .get_k8s_prometheus_application_score(
-                sender.clone(),
-                receivers,
-                Some(sender.service_monitor.clone()),
-            )
-            .await
-            .interpret(inventory, self)
-            .await;
-
-        match result {
-            Ok(outcome) => match outcome.status {
-                InterpretStatus::SUCCESS => Ok(PreparationOutcome::Success {
-                    details: outcome.message,
-                }),
-                InterpretStatus::NOOP => Ok(PreparationOutcome::Noop),
-                _ => Err(PreparationError::new(outcome.message)),
-            },
-            Err(err) => Err(PreparationError::new(err.to_string())),
+        for monitor in sender.service_monitor.iter() {
+            client
+                .apply(monitor, Some(&sender.namespace))
+                .await
+                .map_err(|e| PreparationError::new(e.to_string()))?;
         }
+        Ok(PreparationOutcome::Success {
+            details: "successfuly installed prometheus components".to_string(),
+        })
     }
+
     async fn ensure_prometheus_operator(
         &self,
         sender: &CRDPrometheus,
-        inventory: &Inventory,
+        _inventory: &Inventory,
     ) -> Result<PreparationOutcome, PreparationError> {
         let po_result = self.ensure_prometheus_operator(sender).await?;
 
-        if po_result == PreparationOutcome::Noop {
-            debug!("Skipping Prometheus CR installation due to missing operator.");
-            return Ok(po_result);
-        } else {
-            todo!()
+        match po_result {
+            PreparationOutcome::Success { details: _ } => {
+                debug!("Detected prometheus crds operator present in cluster.");
+                return Ok(po_result);
+            }
+            PreparationOutcome::Noop => {
+                debug!("Skipping Prometheus CR installation due to missing operator.");
+                return Ok(po_result);
+            }
         }
     }
 }
@@ -211,6 +244,7 @@ impl PrometheusMonitoring<RHOBObservability> for K8sAnywhereTopology {
             Err(err) => Err(PreparationError::new(err.to_string())),
         }
     }
+
     async fn ensure_prometheus_operator(
         &self,
         sender: &RHOBObservability,
@@ -300,6 +334,95 @@ impl K8sAnywhereTopology {
             .clone()
     }
 
+    fn build_grafana_datasource(
+        &self,
+        ns: &str,
+        label_selector: &LabelSelector,
+    ) -> GrafanaDatasource {
+        let mut json_data = BTreeMap::new();
+        json_data.insert("timeInterval".to_string(), "5s".to_string());
+
+        let graf_data_source = GrafanaDatasource {
+            metadata: ObjectMeta {
+                name: Some(format!("grafana-datasource-{}", ns)),
+                namespace: Some(ns.to_string()),
+                ..Default::default()
+            },
+            spec: GrafanaDatasourceSpec {
+                instance_selector: label_selector.clone(),
+                allow_cross_namespace_import: Some(false),
+                datasource: GrafanaDatasourceConfig {
+                    access: "proxy".to_string(),
+                    database: Some("prometheus".to_string()),
+                    json_data: Some(json_data),
+                    //this is fragile
+                    name: format!("prometheus-{}-0", ns),
+                    r#type: "prometheus".to_string(),
+                    url: format!("http://prometheus-operated.{}.svc.cluster.local:9090", ns),
+                },
+            },
+        };
+        graf_data_source
+    }
+
+    fn build_grafana_dashboard(
+        &self,
+        ns: &str,
+        label_selector: &LabelSelector,
+    ) -> GrafanaDashboard {
+        let json = build_default_dashboard(ns);
+        let graf_dashboard = GrafanaDashboard {
+            metadata: ObjectMeta {
+                name: Some(format!("grafana-dashboard-{}", ns)),
+                namespace: Some(ns.to_string()),
+                ..Default::default()
+            },
+            spec: GrafanaDashboardSpec {
+                resync_period: Some("30s".to_string()),
+                instance_selector: label_selector.clone(),
+                json,
+            },
+        };
+        graf_dashboard
+    }
+
+    fn build_grafana(&self, ns: &str, labels: &BTreeMap<String, String>) -> GrafanaCRD {
+        let grafana = GrafanaCRD {
+            metadata: ObjectMeta {
+                name: Some(format!("grafana-{}", ns)),
+                namespace: Some(ns.to_string()),
+                labels: Some(labels.clone()),
+                ..Default::default()
+            },
+            spec: GrafanaSpec {
+                config: None,
+                admin_user: None,
+                admin_password: None,
+                ingress: None,
+                persistence: None,
+                resources: None,
+            },
+        };
+        grafana
+    }
+
+    async fn build_grafana_ingress(&self, ns: &str) -> K8sIngressScore {
+        let domain = self.get_domain(&format!("grafana-{}", ns)).await.unwrap();
+        let name = format!("{}-grafana", ns);
+        let backend_service = format!("grafana-{}-service", ns);
+
+        K8sIngressScore {
+            name: fqdn::fqdn!(&name),
+            host: fqdn::fqdn!(&domain),
+            backend_service: fqdn::fqdn!(&backend_service),
+            port: 3000,
+            path: Some("/".to_string()),
+            path_type: Some(PathType::Prefix),
+            namespace: Some(fqdn::fqdn!(&ns)),
+            ingress_class_name: Some("openshift-default".to_string()),
+        }
+    }
+
     async fn get_cluster_observability_operator_prometheus_application_score(
         &self,
         sender: RHOBObservability,
@@ -607,7 +730,14 @@ impl K8sAnywhereTopology {
         inventory: &Inventory,
         ns: Option<&str>,
     ) -> Result<PreparationOutcome, PreparationError> {
-        let _grafana_operator_score = grafana_helm_chart_score(ns.unwrap(), true)
+        let namespace = ns.unwrap_or("grafana");
+        info!("installing grafana operator in ns {namespace}");
+        let tenant = self.get_k8s_tenant_manager()?.get_tenant_config().await;
+        let mut namespace_scope = false;
+        if tenant.is_some() {
+            namespace_scope = true;
+        }
+        let _grafana_operator_score = grafana_helm_chart_score(namespace, namespace_scope)
             .interpret(inventory, self)
             .await;
         Ok(PreparationOutcome::Success {
diff --git a/harmony/src/domain/topology/oberservability/monitoring.rs b/harmony/src/domain/topology/oberservability/monitoring.rs
index 1489e83..0c57ea4 100644
--- a/harmony/src/domain/topology/oberservability/monitoring.rs
+++ b/harmony/src/domain/topology/oberservability/monitoring.rs
@@ -30,6 +30,7 @@ impl<S: AlertSender + Installable<T>, T: Topology> Interpret<T> for AlertingInte
         inventory: &Inventory,
         topology: &T,
     ) -> Result<Outcome, InterpretError> {
+        debug!("hit sender configure for AlertingInterpret");
         self.sender.configure(inventory, topology).await?;
         for receiver in self.receivers.iter() {
             receiver.install(&self.sender).await?;
@@ -38,6 +39,7 @@ impl<S: AlertSender + Installable<T>, T: Topology> Interpret<T> for AlertingInte
             debug!("installing rule: {:#?}", rule);
             rule.install(&self.sender).await?;
         }
+        debug!("hit sender ensure installed for AlertingInterpret");
         self.sender.ensure_installed(inventory, topology).await?;
         Ok(Outcome::success(format!(
             "successfully installed alert sender {}",
diff --git a/harmony/src/modules/application/features/monitoring.rs b/harmony/src/modules/application/features/monitoring.rs
index 0fd155d..fd6ae2a 100644
--- a/harmony/src/modules/application/features/monitoring.rs
+++ b/harmony/src/modules/application/features/monitoring.rs
@@ -2,7 +2,11 @@ use crate::modules::application::{
     Application, ApplicationFeature, InstallationError, InstallationOutcome,
 };
 use crate::modules::monitoring::application_monitoring::application_monitoring_score::ApplicationMonitoringScore;
+use crate::modules::monitoring::grafana::grafana::Grafana;
 use crate::modules::monitoring::kube_prometheus::crd::crd_alertmanager_config::CRDPrometheus;
+use crate::modules::monitoring::kube_prometheus::crd::service_monitor::{
+    ServiceMonitor, ServiceMonitorSpec,
+};
 use crate::topology::MultiTargetTopology;
 use crate::topology::ingress::Ingress;
 use crate::{
@@ -22,6 +26,7 @@ use base64::{Engine as _, engine::general_purpose};
 use harmony_secret::SecretManager;
 use harmony_secret_derive::Secret;
 use harmony_types::net::Url;
+use kube::api::ObjectMeta;
 use log::{debug, info};
 use serde::{Deserialize, Serialize};
 use std::sync::Arc;
@@ -41,6 +46,7 @@ impl<
         + K8sclient
         + MultiTargetTopology
         + PrometheusMonitoring<CRDPrometheus>
+        + Grafana
         + Ingress
         + std::fmt::Debug,
 > ApplicationFeature<T> for Monitoring
@@ -57,11 +63,20 @@ impl<
             .unwrap_or_else(|| self.application.name());
         let domain = topology.get_domain("ntfy").await.unwrap();
 
+        let app_service_monitor = ServiceMonitor {
+            metadata: ObjectMeta {
+                name: Some(self.application.name()),
+                namespace: Some(namespace.clone()),
+                ..Default::default()
+            },
+            spec: ServiceMonitorSpec::default(),
+        };
+
         let mut alerting_score = ApplicationMonitoringScore {
             sender: CRDPrometheus {
                 namespace: namespace.clone(),
                 client: topology.k8s_client().await.unwrap(),
-                service_monitor: vec![],
+                service_monitor: vec![app_service_monitor],
             },
             application: self.application.clone(),
             receivers: self.alert_receiver.clone(),
diff --git a/harmony/src/modules/monitoring/application_monitoring/application_monitoring_score.rs b/harmony/src/modules/monitoring/application_monitoring/application_monitoring_score.rs
index 2780edd..0f6e0ec 100644
--- a/harmony/src/modules/monitoring/application_monitoring/application_monitoring_score.rs
+++ b/harmony/src/modules/monitoring/application_monitoring/application_monitoring_score.rs
@@ -1,21 +1,23 @@
 use std::sync::Arc;
 
-use async_trait::async_trait;
+use log::debug;
 use serde::Serialize;
 
 use crate::{
-    data::Version,
-    interpret::{Interpret, InterpretError, InterpretName, InterpretStatus, Outcome},
-    inventory::Inventory,
+    interpret::Interpret,
     modules::{
         application::Application,
-        monitoring::kube_prometheus::crd::crd_alertmanager_config::CRDPrometheus,
+        monitoring::{
+            grafana::grafana::Grafana, kube_prometheus::crd::crd_alertmanager_config::CRDPrometheus,
+        },
         prometheus::prometheus::PrometheusMonitoring,
     },
     score::Score,
-    topology::{PreparationOutcome, Topology, oberservability::monitoring::AlertReceiver},
+    topology::{
+        K8sclient, Topology,
+        oberservability::monitoring::{AlertReceiver, AlertingInterpret},
+    },
 };
-use harmony_types::id::Id;
 
 #[derive(Debug, Clone, Serialize)]
 pub struct ApplicationMonitoringScore {
@@ -24,10 +26,15 @@ pub struct ApplicationMonitoringScore {
     pub receivers: Vec<Box<dyn AlertReceiver<CRDPrometheus>>>,
 }
 
-impl<T: Topology + PrometheusMonitoring<CRDPrometheus>> Score<T> for ApplicationMonitoringScore {
+impl<T: Topology + PrometheusMonitoring<CRDPrometheus> + K8sclient + Grafana> Score<T>
+    for ApplicationMonitoringScore
+{
     fn create_interpret(&self) -> Box<dyn Interpret<T>> {
-        Box::new(ApplicationMonitoringInterpret {
-            score: self.clone(),
+        debug!("creating alerting interpret");
+        Box::new(AlertingInterpret {
+            sender: self.sender.clone(),
+            receivers: self.receivers.clone(),
+            rules: vec![],
         })
     }
 
@@ -38,55 +45,3 @@ impl<T: Topology + PrometheusMonitoring<CRDPrometheus>> Score<T> for Application
         )
     }
 }
-
-#[derive(Debug)]
-pub struct ApplicationMonitoringInterpret {
-    score: ApplicationMonitoringScore,
-}
-
-#[async_trait]
-impl<T: Topology + PrometheusMonitoring<CRDPrometheus>> Interpret<T>
-    for ApplicationMonitoringInterpret
-{
-    async fn execute(
-        &self,
-        inventory: &Inventory,
-        topology: &T,
-    ) -> Result<Outcome, InterpretError> {
-        let result = topology
-            .install_prometheus(
-                &self.score.sender,
-                inventory,
-                Some(self.score.receivers.clone()),
-            )
-            .await;
-
-        match result {
-            Ok(outcome) => match outcome {
-                PreparationOutcome::Success { details: _ } => {
-                    Ok(Outcome::success("Prometheus installed".into()))
-                }
-                PreparationOutcome::Noop => {
-                    Ok(Outcome::noop("Prometheus installation skipped".into()))
-                }
-            },
-            Err(err) => Err(InterpretError::from(err)),
-        }
-    }
-
-    fn get_name(&self) -> InterpretName {
-        InterpretName::ApplicationMonitoring
-    }
-
-    fn get_version(&self) -> Version {
-        todo!()
-    }
-
-    fn get_status(&self) -> InterpretStatus {
-        todo!()
-    }
-
-    fn get_children(&self) -> Vec<Id> {
-        todo!()
-    }
-}
diff --git a/harmony/src/modules/monitoring/grafana/grafana.rs b/harmony/src/modules/monitoring/grafana/grafana.rs
index 411d7a6..5ab57c2 100644
--- a/harmony/src/modules/monitoring/grafana/grafana.rs
+++ b/harmony/src/modules/monitoring/grafana/grafana.rs
@@ -1,4 +1,5 @@
 use async_trait::async_trait;
+use k8s_openapi::Resource;
 
 use crate::{
     inventory::Inventory,
@@ -7,9 +8,10 @@ use crate::{
 
 #[async_trait]
 pub trait Grafana {
-    async fn ensure_grafana_operator_ready(
+    async fn ensure_grafana_operator(
         &self,
         inventory: &Inventory,
     ) -> Result<PreparationOutcome, PreparationError>;
+
     async fn install_grafana(&self) -> Result<PreparationOutcome, PreparationError>;
 }
diff --git a/harmony/src/modules/monitoring/grafana/helm/helm_grafana.rs b/harmony/src/modules/monitoring/grafana/helm/helm_grafana.rs
index 094beca..2965ada 100644
--- a/harmony/src/modules/monitoring/grafana/helm/helm_grafana.rs
+++ b/harmony/src/modules/monitoring/grafana/helm/helm_grafana.rs
@@ -1,24 +1,27 @@
 use non_blank_string_rs::NonBlankString;
 use std::{collections::HashMap, str::FromStr};
 
-use crate::modules::helm::chart::HelmChartScore;
+use crate::modules::helm::chart::{HelmChartScore, HelmRepository};
 
-pub fn grafana_helm_chart_score(ns: &str, scope: bool) -> HelmChartScore {
+pub fn grafana_helm_chart_score(ns: &str, namespace_scope: bool) -> HelmChartScore {
     let mut values_overrides = HashMap::new();
     values_overrides.insert(
         NonBlankString::from_str("namespaceScope").unwrap(),
-        scope.to_string(),
+        namespace_scope.to_string(),
     );
     HelmChartScore {
         namespace: Some(NonBlankString::from_str(ns).unwrap()),
-        release_name: NonBlankString::from_str("grafana").unwrap(),
-        chart_name: NonBlankString::from_str("oci://ghcr.io/grafana/helm-charts/grafana-operator")
-            .unwrap(),
+        release_name: NonBlankString::from_str("grafana-operator").unwrap(),
+        chart_name: NonBlankString::from_str("grafana/grafana-operator").unwrap(),
         chart_version: None,
         values_overrides: Some(values_overrides),
         values_yaml: None,
         create_namespace: true,
         install_only: true,
-        repository: None,
+        repository: Some(HelmRepository::new(
+            "grafana".to_string(),
+            url::Url::parse("https://grafana.github.io/helm-charts").unwrap(),
+            true,
+        )),
     }
 }
diff --git a/harmony/src/modules/monitoring/kube_prometheus/crd/crd_alertmanager_config.rs b/harmony/src/modules/monitoring/kube_prometheus/crd/crd_alertmanager_config.rs
index 0ac8fc7..ceeca41 100644
--- a/harmony/src/modules/monitoring/kube_prometheus/crd/crd_alertmanager_config.rs
+++ b/harmony/src/modules/monitoring/kube_prometheus/crd/crd_alertmanager_config.rs
@@ -68,7 +68,7 @@ impl<T: Topology + K8sclient + PrometheusMonitoring<CRDPrometheus> + Grafana> In
     for CRDPrometheus
 {
     async fn configure(&self, inventory: &Inventory, topology: &T) -> Result<(), InterpretError> {
-        topology.ensure_grafana_operator_ready(inventory).await?;
+        topology.ensure_grafana_operator(inventory).await?;
         topology.ensure_prometheus_operator(self, inventory).await?;
         Ok(())
     }

From dd3f07e5b73ab51be1b01543086b22acd6d35795 Mon Sep 17 00:00:00 2001
From: Willem <wrolleman@nationtech.io>
Date: Thu, 9 Oct 2025 15:28:42 -0400
Subject: [PATCH 03/51] doc for removing worker flag from cp on UPI

---
 docs/doc-remove-worker-flag.md | 58 ++++++++++++++++++++++++++++++++++
 1 file changed, 58 insertions(+)
 create mode 100644 docs/doc-remove-worker-flag.md

diff --git a/docs/doc-remove-worker-flag.md b/docs/doc-remove-worker-flag.md
new file mode 100644
index 0000000..bdb45a7
--- /dev/null
+++ b/docs/doc-remove-worker-flag.md
@@ -0,0 +1,58 @@
+1. ### **Titre : Retrait du flag *worker* sur les control planes (UPI)**
+
+1. ### **Contexte**
+   Dans certaines installations OpenShift UPI, les nodes de control plane (masters) héritent par erreur du label worker (node-role.kubernetes.io/worker).\
+   Cela provoque la planification de workloads non critiques (par ex. routers, Ceph pods, etc.) sur les control planes, ce qui compromet la stabilité et la séparation des rôles.
+
+1. ### **Symptômes observés**
+- Apres avoir ajouté des serveur dans HAProxy, tous les serveurs backend (wk0, wk1, wk2) apparaissent en état DOWN.\
+  Le trafic HTTP/HTTPS est redirigé vers les control planes au lieu des workers.
+- Les pods router-default sont déployés sur cp1 et cp2 plutôt que sur les workers.
+- Sur les masters, la commande suivante montre une écoute sur le port 80 :
+
+  ss -tlnp | grep 80
+
+  -> processus haproxy en écoute sur 0.0.0.0:80
+
+  -> meme chose pour port 443
+
+- Dans le namespace rook-ceph, certains pods (mon, mgr, operator) ne se planifient pas, sont aussi deployé sur les cp au lieu des worker nodes :
+
+1. ### **Cause**
+   En installation UPI, les rôles (master, worker) ne sont pas gérés par le Machine Config Operator (MCO).\
+   Les controls planes sont schedulable par default. Qui amene les trois roles, worker, master et control-plane.
+
+1. ### **Diagnostic**
+1. Vérifier les labels du node :
+
+   oc get nodes --show-labels | grep control-plane
+
+1. Inspecter la configuration du kubelet :
+
+   cat /etc/systemd/system/kubelet.service
+
+   Rechercher la ligne :
+
+   --node-labels=node-role.kubernetes.io/control-plane,node-role.kubernetes.io/master,node-role.kubernetes.io/worker
+
+   → présence du label worker confirme le problème.
+
+1. Vérifier que ce flag ne provient pas du MCO :
+
+   oc get machineconfig | grep rendered-master
+
+**Solution:**\
+Pour rendre les **control planes non planifiables** (c’est-à-dire empêcher tout déploiement de workloads dessus), il faut appliquer le patch suivant sur la ressource scheduler du cluster :\
+\```	
+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
+oc patch scheduler cluster --type merge -p '{"spec":{"mastersSchedulable":false}}'\
+\```\
+Cette commande **désactive la planification sur les masters** et **supprime efficacement le rôle worker** de leurs fonctions.
+
+Une fois le patch appliqué, il faut **déplacer les workloads** encore présents sur les control planes vers les **workers** à l’aide des commandes :
+
+\```\
+oc adm cordon <cp-node>\
+oc adm drain <cp-node> --ignore-daemonsets –delete-emptydir-data\
+\```
+

From e5eb7fde9fb938d2b32e1af6a6675857909b232d Mon Sep 17 00:00:00 2001
From: Willem <wrolleman@nationtech.io>
Date: Thu, 9 Oct 2025 15:29:09 -0400
Subject: [PATCH 04/51] doc to clone and transfer a coreos disk

---
 docs/doc-clone-et-restaure-disque-coreos.md | 117 ++++++++++++++++++++
 1 file changed, 117 insertions(+)
 create mode 100644 docs/doc-clone-et-restaure-disque-coreos.md

diff --git a/docs/doc-clone-et-restaure-disque-coreos.md b/docs/doc-clone-et-restaure-disque-coreos.md
new file mode 100644
index 0000000..b1e9108
--- /dev/null
+++ b/docs/doc-clone-et-restaure-disque-coreos.md
@@ -0,0 +1,117 @@
+1. ### **Procédure de clonage et de restauration d’un disque CoreOS / Fedora OKD**
+   Ce processus décrit les étapes pour copier un disque système défectueux sur un nouveau disque d’entreprise, en conservant les **GUID**, **labels**, et **UUID** d’origine pour assurer la compatibilité avec le système CoreOS/OKD.
+
+1. ### **Étape 1 — Sauvegarde initiale**
+   Avant toute manipulation, **sauvegardez vos données**.\
+   Ensuite, clonez le disque d’origine vers le nouveau :
+
+   sudo dd if=/dev/old of=/dev/new bs=64K status=progress count=1000Mib
+
+1. ### **Étape 2 — Vérification et modification des partitions**
+   Afficher la table des partitions du nouveau disque :
+
+   sgdisk -p /dev/new
+
+   Modifier les partitions (si nécessaire) :
+
+   gdisk /dev/new
+
+   Dans gdisk, utiliser :
+
+- v → vérifier la table
+- p → afficher la table
+- d → supprimer une partition
+- n → recréer la partition (même numéro et type)
+  - Pour le **secteur de fin**, appuyer sur **Entrée** pour utiliser l’espace maximal.
+- w → écrire les changements
+
+Créer le système de fichiers XFS sur la nouvelle partition (ex. partition 4) :
+
+sudo mkfs.xfs -f /dev/new4
+
+1. ### **Étape 3 — Récupération des identifiants de l’ancien disque**
+   Obtenir le **GUID de partition** d’origine :
+
+   sgdisk -i <numéro\_partition> /dev/old\_disk
+
+   Lister les labels et les PARTUUIDs :
+
+   sgdisk -p /dev/old\_disk
+
+   blkid /dev/old\_disk\*
+
+1. ### **Étape 4 — Appliquer les anciens identifiants sur le nouveau disque**
+   Définir le même **PARTUUID** :
+
+   sgdisk -u <numéro\_partition>:<old\_partuuid> /dev/new
+
+   Définir le même **nom de partition** :
+
+   sgdisk -c <numéro\_partition>:"<old\_label>" /dev/new
+
+   Vérifier :
+
+   lsblk -o NAME,SIZE,PARTUUID,PARTLABEL /dev/old\_disk
+
+   lsblk -o NAME,SIZE,PARTUUID,PARTLABEL /dev/new
+
+1. ### **Étape 5 — Copier les données**
+   Monter les partitions avant la copie :
+
+   mkdir -p /mnt/old /mnt/new
+
+   mount /dev/old4 /mnt/old
+
+   mount /dev/new4 /mnt/new
+
+   Copier les données :
+
+   rsync -aAXHv --numeric-ids /mnt/old/ /mnt/new/
+
+1. ### **Étape 6 — Restaurer UUID et labels**
+   Obtenir l’ancien UUID :
+
+   blkid /dev/old4
+
+   Le définir sur la nouvelle partition :
+
+   sudo xfs\_admin -U <old\_uuid> /dev/new4
+
+   Vérifier et copier le **label** :
+
+   sgdisk -i 4 /dev/old\_disk | grep "Partition name"
+
+   sudo xfs\_admin -L <label\_name> /dev/new4
+
+1. ### **Étape 7 — Validation**
+   Comparer les deux disques :
+
+   sgdisk -p /dev/old\_disk
+
+   sgdisk -p /dev/new
+
+   lsblk -o NAME,SIZE,PARTUUID,PARTLABEL /dev/old\_disk
+
+   lsblk -o NAME,SIZE,PARTUUID,PARTLABEL /dev/new
+
+   blkid /dev/old\_disk\* | grep UUID=
+
+   blkid /dev/new\* | grep UUID=
+
+1. ### **Étape 8 — Finalisation**
+   Démonter les partitions :
+
+   umount /mnt/new
+
+   umount /mnt/old
+
+   Éteindre, **échanger les disques**, et vérifier le démarrage :
+
+1. Éteindre la machine.
+1. Retirer le disque défectueux.
+1. Définir le nouveau disque comme disque de démarrage principal dans le BIOS.
+1. Redémarrer et confirmer que le système démarre correctement.
+
+**Résultat attendu :**\
+Le nouveau disque est une copie fonctionnelle de l’ancien, avec partitions, labels, et UUID identiques. Aucun réajustement GRUB ni réinstallation n’est nécessaire pour Fedora CoreOS/OKD.
+

From 85bec66e5878f0eb9b496b37be614ab7d2f904e3 Mon Sep 17 00:00:00 2001
From: Willem <wrolleman@nationtech.io>
Date: Fri, 10 Oct 2025 12:09:26 -0400
Subject: [PATCH 05/51] wip: fixing grafana datasource for openshift which
 requires creating a token, sa, secret and inserting them into the
 grafanadatasource

---
 harmony/src/domain/topology/k8s_anywhere.rs   | 140 ++++++++++++++++--
 .../kube_prometheus/crd/crd_grafana.rs        |  34 ++++-
 2 files changed, 159 insertions(+), 15 deletions(-)

diff --git a/harmony/src/domain/topology/k8s_anywhere.rs b/harmony/src/domain/topology/k8s_anywhere.rs
index 895f7da..efbe33f 100644
--- a/harmony/src/domain/topology/k8s_anywhere.rs
+++ b/harmony/src/domain/topology/k8s_anywhere.rs
@@ -1,7 +1,15 @@
 use std::{collections::BTreeMap, process::Command, sync::Arc};
 
 use async_trait::async_trait;
-use kube::api::{GroupVersionKind, ObjectMeta};
+use k8s_openapi::api::{
+    authentication::v1::{TokenRequest, TokenRequestSpec},
+    core::v1::{Secret, ServiceAccount},
+    rbac::v1::{ClusterRoleBinding, RoleRef, Subject},
+};
+use kube::{
+    Api,
+    api::{GroupVersionKind, ObjectMeta, PostParams},
+};
 use log::{debug, info, warn};
 use serde::Serialize;
 use tokio::sync::OnceCell;
@@ -19,12 +27,14 @@ use crate::{
                 crd_alertmanager_config::CRDPrometheus,
                 crd_grafana::{
                     Grafana as GrafanaCRD, GrafanaDashboard, GrafanaDashboardSpec,
-                    GrafanaDatasource, GrafanaDatasourceConfig, GrafanaDatasourceSpec, GrafanaSpec,
+                    GrafanaDatasource, GrafanaDatasourceConfig, GrafanaDatasourceJsonData,
+                    GrafanaDatasourceSecureJsonData, GrafanaDatasourceSpec, GrafanaSpec,
                 },
                 crd_prometheuses::LabelSelector,
                 grafana_default_dashboard::build_default_dashboard,
                 prometheus_operator::prometheus_operator_helm_chart_score,
                 rhob_alertmanager_config::RHOBObservability,
+                role::build_prom_service_account,
                 service_monitor::ServiceMonitor,
             },
         },
@@ -142,8 +152,26 @@ impl Grafana for K8sAnywhereTopology {
         };
 
         let client = self.k8s_client().await?;
+        let url = format!("{}:9091", self.get_domain("thanos-querier").await.unwrap());
+    
+        let sa = self.build_service_account();
+        //TODO finish this section 
+        //needs apply Api<Secret> or something
+        client.apply(&sa, Some(ns)).await?;
 
-        let datasource = self.build_grafana_datasource(ns, &label_selector);
+        let token_request =self.get_token_request();
+        //this wont work needs a new function for apply secret
+        client.apply(&token_request, Some(ns)).await?;
+
+        let clusterrolebinding = self.build_cluster_rolebinding();
+
+        client.apply(&clusterrolebinding, Some(ns)).await?;
+
+        let secret = self.build_token_secret();
+        
+        client.apply(&secret, Some(ns)).await?;
+
+        let datasource = self.build_grafana_datasource(ns, &label_selector, &url);
 
         client.apply(&datasource, Some(ns)).await?;
 
@@ -334,35 +362,121 @@ impl K8sAnywhereTopology {
             .clone()
     }
 
+    pub fn build_service_account(&self, name: &str, namespace: &str) -> ServiceAccount {
+        build_prom_service_account(name.to_string(), namespace.to_string())
+    }
+
+    pub fn build_cluster_rolebinding(
+        &self,
+        ns: &str,
+        account_name: &str,
+        role: &str,
+    ) -> ClusterRoleBinding {
+        ClusterRoleBinding {
+            metadata: ObjectMeta {
+                name: Some(format!("{}-view-binding", account_name)),
+                ..Default::default()
+            },
+            role_ref: RoleRef {
+                api_group: "rbac.authorization.k8s.io".into(),
+                kind: "ClusterRole".into(),
+                name: role.into(),
+            },
+            subjects: Some(vec![Subject {
+                kind: "ServiceAccount".into(),
+                name: account_name.into(),
+                namespace: Some(ns.into()),
+                ..Default::default()
+            }]),
+        }
+    }
+
+    pub fn get_token_request(&self) -> TokenRequest {
+        TokenRequest {
+            spec: TokenRequestSpec {
+                audiences: vec!["https://kubernetes.default.svc".to_string()],
+                expiration_seconds: Some(3600),
+                ..Default::default()
+            },
+            ..Default::default()
+        }
+    }
+
+    pub fn build_token_secret(&self, token: &str, ns: &str) -> Secret {
+        Secret {
+            metadata: ObjectMeta {
+                name: Some("grafana-credentials".into()),
+                namespace: Some(ns.into()),
+                ..Default::default()
+            },
+            string_data: Some(std::collections::BTreeMap::from([(
+                "PROMETHEUS_TOKEN".into(),
+                format!("Bearer {}", token),
+            )])),
+            ..Default::default()
+        }
+    }
+
     fn build_grafana_datasource(
         &self,
         ns: &str,
         label_selector: &LabelSelector,
+        url: &str,
     ) -> GrafanaDatasource {
         let mut json_data = BTreeMap::new();
         json_data.insert("timeInterval".to_string(), "5s".to_string());
+        //
+        // let graf_data_source = GrafanaDatasource {
+        //     metadata: ObjectMeta {
+        //         name: Some(format!("grafana-datasource-{}", ns)),
+        //         namespace: Some(ns.to_string()),
+        //         ..Default::default()
+        //     },
+        //     spec: GrafanaDatasourceSpec {
+        //         instance_selector: label_selector.clone(),
+        //         allow_cross_namespace_import: Some(false),
+        //         datasource: GrafanaDatasourceConfig {
+        //             access: "proxy".to_string(),
+        //             database: Some("prometheus".to_string()),
+        //             json_data: Some(json_data),
+        //             //this is fragile
+        //             name: format!("prometheus-{}-0", ns),
+        //             r#type: "prometheus".to_string(),
+        //             url: url.to_string(),
+        //             //url: format!("http://prometheus-operated.{}.svc.cluster.local:9090", ns),
+        //         },
+        //     },
+        // };
+        // graf_data_source
 
-        let graf_data_source = GrafanaDatasource {
+        GrafanaDatasource {
             metadata: ObjectMeta {
-                name: Some(format!("grafana-datasource-{}", ns)),
+                name: Some("thanos-prometheus".to_string()),
                 namespace: Some(ns.to_string()),
                 ..Default::default()
             },
             spec: GrafanaDatasourceSpec {
                 instance_selector: label_selector.clone(),
-                allow_cross_namespace_import: Some(false),
+                allow_cross_namespace_import: Some(true),
                 datasource: GrafanaDatasourceConfig {
                     access: "proxy".to_string(),
-                    database: Some("prometheus".to_string()),
-                    json_data: Some(json_data),
-                    //this is fragile
-                    name: format!("prometheus-{}-0", ns),
+                    name: "OpenShift-Thanos".to_string(),
                     r#type: "prometheus".to_string(),
-                    url: format!("http://prometheus-operated.{}.svc.cluster.local:9090", ns),
+                    url: url.to_string(),
+                    database: None,
+                    json_data: Some(GrafanaDatasourceJsonData {
+                        time_interval: Some("60s".to_string()),
+                        http_header_name1: Some("Authorization".to_string()),
+                    }),
+                    secure_json_data: Some(GrafanaDatasourceSecureJsonData {
+                        http_header_value1: Some("Bearer eyJhbGc...".to_string()),
+                    }),
+                    is_default: Some(false),
+                    editable: Some(true),
+                    version: Some(1),
                 },
             },
-        };
-        graf_data_source
+        }
     }
 
     fn build_grafana_dashboard(
diff --git a/harmony/src/modules/monitoring/kube_prometheus/crd/crd_grafana.rs b/harmony/src/modules/monitoring/kube_prometheus/crd/crd_grafana.rs
index 793f639..4134670 100644
--- a/harmony/src/modules/monitoring/kube_prometheus/crd/crd_grafana.rs
+++ b/harmony/src/modules/monitoring/kube_prometheus/crd/crd_grafana.rs
@@ -133,13 +133,43 @@ pub struct GrafanaDatasourceSpec {
 pub struct GrafanaDatasourceConfig {
     pub access: String,
     pub database: Option<String>,
-    #[serde(default, skip_serializing_if = "Option::is_none")]
-    pub json_data: Option<BTreeMap<String, String>>,
     pub name: String,
     pub r#type: String,
     pub url: String,
+    /// Represents jsonData in the GrafanaDatasource spec
+    #[serde(default, skip_serializing_if = "Option::is_none")]
+    pub json_data: Option<GrafanaDatasourceJsonData>,
+
+    /// Represents secureJsonData (secrets)
+    #[serde(default, skip_serializing_if = "Option::is_none")]
+    pub secure_json_data: Option<GrafanaDatasourceSecureJsonData>,
+
+    #[serde(default, skip_serializing_if = "Option::is_none")]
+    pub is_default: Option<bool>,
+
+    #[serde(default, skip_serializing_if = "Option::is_none")]
+    pub editable: Option<bool>,
+
+    #[serde(default, skip_serializing_if = "Option::is_none")]
+    pub version: Option<i32>,
 }
 
+#[derive(Serialize, Deserialize, Debug, Clone, JsonSchema)]
+#[serde(rename_all = "camelCase")]
+pub struct GrafanaDatasourceJsonData {
+    #[serde(default, skip_serializing_if = "Option::is_none")]
+    pub time_interval: Option<String>,
+
+    #[serde(default, skip_serializing_if = "Option::is_none")]
+    pub http_header_name1: Option<String>,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, JsonSchema)]
+#[serde(rename_all = "camelCase")]
+pub struct GrafanaDatasourceSecureJsonData {
+    #[serde(default, skip_serializing_if = "Option::is_none")]
+    pub http_header_value1: Option<String>,
+}
 // ------------------------------------------------------------------------------------------------
 
 #[derive(Serialize, Deserialize, Debug, Clone, JsonSchema, Default)]

From 06a0c44c3cfa982f0ce585ad815caec4270208f7 Mon Sep 17 00:00:00 2001
From: Willem <wrolleman@nationtech.io>
Date: Tue, 14 Oct 2025 15:53:42 -0400
Subject: [PATCH 06/51] wip: connected the thanos-datasource to grafana, need
 to complete connecting the openshift-userworkload-monitoring as well

---
 harmony/src/domain/topology/k8s.rs            |  17 +-
 harmony/src/domain/topology/k8s_anywhere.rs   | 194 ++++++++++++------
 .../kube_prometheus/crd/crd_grafana.rs        |  12 +-
 .../k8s_prometheus_alerting_score.rs          |  16 +-
 4 files changed, 165 insertions(+), 74 deletions(-)

diff --git a/harmony/src/domain/topology/k8s.rs b/harmony/src/domain/topology/k8s.rs
index 144533c..f1a783f 100644
--- a/harmony/src/domain/topology/k8s.rs
+++ b/harmony/src/domain/topology/k8s.rs
@@ -1,12 +1,20 @@
 use derive_new::new;
+use http::StatusCode;
 use k8s_openapi::{
     ClusterResourceScope, NamespaceResourceScope,
-    api::{apps::v1::Deployment, core::v1::Pod},
+    api::{
+        apps::v1::Deployment,
+        authentication::v1::{TokenRequest, TokenRequestSpec, TokenRequestStatus},
+        core::v1::{Pod, ServiceAccount},
+    },
     apimachinery::pkg::version::Info,
 };
 use kube::{
     Client, Config, Discovery, Error, Resource,
-    api::{Api, AttachParams, DeleteParams, ListParams, Patch, PatchParams, ResourceExt},
+    api::{
+        Api, AttachParams, DeleteParams, ListParams, ObjectMeta, Patch, PatchParams, PostParams,
+        ResourceExt,
+    },
     config::{KubeConfigOptions, Kubeconfig},
     core::ErrorResponse,
     runtime::reflector::Lookup,
@@ -54,6 +62,11 @@ impl K8sClient {
         })
     }
 
+    pub async fn service_account_api(&self, namespace: &str) -> Api<ServiceAccount> {
+        let api: Api<ServiceAccount> = Api::namespaced(self.client.clone(), namespace);
+        api
+    }
+
     pub async fn get_apiserver_version(&self) -> Result<Info, Error> {
         let client: Client = self.client.clone();
         let version_info: Info = client.apiserver_version().await?;
diff --git a/harmony/src/domain/topology/k8s_anywhere.rs b/harmony/src/domain/topology/k8s_anywhere.rs
index efbe33f..cb37ece 100644
--- a/harmony/src/domain/topology/k8s_anywhere.rs
+++ b/harmony/src/domain/topology/k8s_anywhere.rs
@@ -1,8 +1,12 @@
-use std::{collections::BTreeMap, process::Command, sync::Arc};
+use std::{
+    collections::{BTreeMap, HashMap},
+    process::Command,
+    sync::Arc,
+};
 
 use async_trait::async_trait;
 use k8s_openapi::api::{
-    authentication::v1::{TokenRequest, TokenRequestSpec},
+    authentication::v1::{TokenRequest, TokenRequestSpec, TokenRequestStatus},
     core::v1::{Secret, ServiceAccount},
     rbac::v1::{ClusterRoleBinding, RoleRef, Subject},
 };
@@ -150,39 +154,90 @@ impl Grafana for K8sAnywhereTopology {
             match_labels: label.clone(),
             match_expressions: vec![],
         };
-
+        debug!("getting client");
         let client = self.k8s_client().await?;
-        let url = format!("{}:9091", self.get_domain("thanos-querier").await.unwrap());
-    
-        let sa = self.build_service_account();
-        //TODO finish this section 
-        //needs apply Api<Secret> or something
-        client.apply(&sa, Some(ns)).await?;
-
-        let token_request =self.get_token_request();
-        //this wont work needs a new function for apply secret
-        client.apply(&token_request, Some(ns)).await?;
-
-        let clusterrolebinding = self.build_cluster_rolebinding();
-
-        client.apply(&clusterrolebinding, Some(ns)).await?;
-
-        let secret = self.build_token_secret();
-        
-        client.apply(&secret, Some(ns)).await?;
-
-        let datasource = self.build_grafana_datasource(ns, &label_selector, &url);
-
-        client.apply(&datasource, Some(ns)).await?;
-
-        let dashboard = self.build_grafana_dashboard(ns, &label_selector);
-
-        client.apply(&dashboard, Some(ns)).await?;
 
+        info!("creating grafanas crd");
         let grafana = self.build_grafana(ns, &label);
 
         client.apply(&grafana, Some(ns)).await?;
 
+        client
+            .wait_until_deployment_ready(
+                "grafana-grafana-deployment".to_string(),
+                Some("grafana"),
+                Some(15),
+            )
+            .await?;
+
+        let sa_name = "grafana-grafana-sa";
+
+        debug!("creating token for sevice account {sa_name}");
+        let token = self.create_service_account_token(sa_name, ns).await?;
+
+        debug!("creating secret");
+        let secret_name = "grafana-sa-secret";
+        let secret = self.build_token_secret(secret_name, &token.token, ns).await;
+
+        client.apply(&secret, Some(ns)).await?;
+
+        debug!("creating grafana clusterrole binding");
+        let clusterrolebinding =
+            self.build_cluster_rolebinding(sa_name, "cluster-monitoring-view", ns);
+
+        client.apply(&clusterrolebinding, Some(ns)).await?;
+
+        debug!("creating grafana datasource crd");
+
+        let token_str = format!("Bearer {}", token.token);
+
+        let thanos_url = format!(
+            "https://{}",
+            self.get_domain("thanos-querier-openshift-monitoring")
+                .await
+                .unwrap()
+        );
+
+        let thanos_openshift_datasource = self.build_grafana_datasource(
+            "thanos-openshift-monitoring",
+            ns,
+            &label_selector,
+            &thanos_url,
+            token_str.clone(),
+        );
+
+        client.apply(&thanos_openshift_datasource, Some(ns)).await?;
+
+        //TODO user workload datasource returns 503 -> need to figure out how to correctly add the
+        //userworkload thanos-ruler or prometheus-federate to the grafana datasource
+        //it may alrady be included in the overall monitoring stack
+
+        let user_thanos_url = format!(
+            "https://{}",
+            self.get_domain(
+                "thanos-ruler-openshift-user-workload-monitoring.apps.ncd0.harmony.mcd"
+            )
+            .await
+            .unwrap()
+        );
+
+        let thanos_openshift_userworkload_datasource = self.build_grafana_datasource(
+            "thanos-openshift-userworkload-monitoring",
+            ns,
+            &label_selector,
+            &user_thanos_url,
+            token_str.clone(),
+        );
+
+        client
+            .apply(&thanos_openshift_userworkload_datasource, Some(ns))
+            .await?;
+
+        debug!("creating grafana dashboard crd");
+        let dashboard = self.build_grafana_dashboard(ns, &label_selector);
+
+        client.apply(&dashboard, Some(ns)).await?;
+        debug!("creating grafana ingress");
         let grafana_ingress = self.build_grafana_ingress(ns).await;
 
         grafana_ingress
@@ -368,31 +423,36 @@ impl K8sAnywhereTopology {
 
     pub fn build_cluster_rolebinding(
         &self,
+        service_account_name: &str,
+        clusterrole_name: &str,
         ns: &str,
-        account_name: &str,
-        role: &str,
     ) -> ClusterRoleBinding {
         ClusterRoleBinding {
             metadata: ObjectMeta {
-                name: Some(format!("{}-view-binding", account_name)),
+                name: Some(format!("{}-view-binding", service_account_name)),
                 ..Default::default()
             },
             role_ref: RoleRef {
                 api_group: "rbac.authorization.k8s.io".into(),
                 kind: "ClusterRole".into(),
-                name: role.into(),
+                name: clusterrole_name.into(),
             },
             subjects: Some(vec![Subject {
                 kind: "ServiceAccount".into(),
-                name: account_name.into(),
+                name: service_account_name.into(),
                 namespace: Some(ns.into()),
                 ..Default::default()
             }]),
         }
     }
 
-    pub fn get_token_request(&self) -> TokenRequest {
+    pub fn get_token_request(&self, ns: &str) -> TokenRequest {
+        debug!("building token request");
         TokenRequest {
+            metadata: ObjectMeta {
+                namespace: Some(ns.to_string()),
+                ..Default::default()
+            },
             spec: TokenRequestSpec {
                 audiences: vec!["https://kubernetes.default.svc".to_string()],
                 expiration_seconds: Some(3600),
@@ -402,15 +462,39 @@ impl K8sAnywhereTopology {
         }
     }
 
-    pub fn build_token_secret(&self, token: &str, ns: &str) -> Secret {
+    pub async fn create_service_account_token(
+        &self,
+        service_account_name: &str,
+        ns: &str,
+    ) -> Result<TokenRequestStatus, PreparationError> {
+        debug!("creating service account token");
+        let token_request = self.get_token_request(ns);
+        let client = self.k8s_client().await?;
+        let pp = PostParams::default();
+        let token_requests_api = client.service_account_api(ns).await;
+
+        let data = serde_json::to_vec(&token_request).unwrap();
+
+        let created_token_request = token_requests_api
+            .create_subresource::<TokenRequest>("token", service_account_name, &pp, data)
+            .await?;
+
+        let status = created_token_request
+            .status
+            .ok_or_else(|| PreparationError::new("missing token request status".to_string()))?;
+
+        Ok(status)
+    }
+
+    pub async fn build_token_secret(&self, secret_name: &str, token: &str, ns: &str) -> Secret {
         Secret {
             metadata: ObjectMeta {
-                name: Some("grafana-credentials".into()),
+                name: Some(secret_name.into()),
                 namespace: Some(ns.into()),
                 ..Default::default()
             },
             string_data: Some(std::collections::BTreeMap::from([(
-                "PROMETHEUS_TOKEN".into(),
+                secret_name.into(),
                 format!("Bearer {}", token),
             )])),
             ..Default::default()
@@ -419,39 +503,18 @@ impl K8sAnywhereTopology {
 
     fn build_grafana_datasource(
         &self,
+        name: &str,
         ns: &str,
         label_selector: &LabelSelector,
         url: &str,
+        token: String,
     ) -> GrafanaDatasource {
         let mut json_data = BTreeMap::new();
         json_data.insert("timeInterval".to_string(), "5s".to_string());
-        //
-        // let graf_data_source = GrafanaDatasource {
-        //     metadata: ObjectMeta {
-        //         name: Some(format!("grafana-datasource-{}", ns)),
-        //         namespace: Some(ns.to_string()),
-        //         ..Default::default()
-        //     },
-        //     spec: GrafanaDatasourceSpec {
-        //         instance_selector: label_selector.clone(),
-        //         allow_cross_namespace_import: Some(false),
-        //         datasource: GrafanaDatasourceConfig {
-        //             access: "proxy".to_string(),
-        //             database: Some("prometheus".to_string()),
-        //             json_data: Some(json_data),
-        //             //this is fragile
-        //             name: format!("prometheus-{}-0", ns),
-        //             r#type: "prometheus".to_string(),
-        //             url: url.to_string(),
-        //             //url: format!("http://prometheus-operated.{}.svc.cluster.local:9090", ns),
-        //         },
-        //     },
-        // };
-        // graf_data_source
 
         GrafanaDatasource {
             metadata: ObjectMeta {
-                name: Some("thanos-prometheus".to_string()),
+                name: Some(name.to_string()),
                 namespace: Some(ns.to_string()),
                 ..Default::default()
             },
@@ -460,20 +523,21 @@ impl K8sAnywhereTopology {
                 allow_cross_namespace_import: Some(true),
                 datasource: GrafanaDatasourceConfig {
                     access: "proxy".to_string(),
-                    name: "OpenShift-Thanos".to_string(),
+                    name: name.to_string(),
                     r#type: "prometheus".to_string(),
                     url: url.to_string(),
                     database: None,
                     json_data: Some(GrafanaDatasourceJsonData {
                         time_interval: Some("60s".to_string()),
                         http_header_name1: Some("Authorization".to_string()),
+                        tls_skip_verify: Some(true),
+                        oauth_pass_thru: Some(true),
                     }),
                     secure_json_data: Some(GrafanaDatasourceSecureJsonData {
-                        http_header_value1: Some("Bearer eyJhbGc...".to_string()),
+                        http_header_value1: Some(token),
                     }),
                     is_default: Some(false),
                     editable: Some(true),
-                    version: Some(1),
                 },
             },
         }
diff --git a/harmony/src/modules/monitoring/kube_prometheus/crd/crd_grafana.rs b/harmony/src/modules/monitoring/kube_prometheus/crd/crd_grafana.rs
index 4134670..e58f4ca 100644
--- a/harmony/src/modules/monitoring/kube_prometheus/crd/crd_grafana.rs
+++ b/harmony/src/modules/monitoring/kube_prometheus/crd/crd_grafana.rs
@@ -132,6 +132,7 @@ pub struct GrafanaDatasourceSpec {
 #[serde(rename_all = "camelCase")]
 pub struct GrafanaDatasourceConfig {
     pub access: String,
+    #[serde(default, skip_serializing_if = "Option::is_none")]
     pub database: Option<String>,
     pub name: String,
     pub r#type: String,
@@ -149,9 +150,6 @@ pub struct GrafanaDatasourceConfig {
 
     #[serde(default, skip_serializing_if = "Option::is_none")]
     pub editable: Option<bool>,
-
-    #[serde(default, skip_serializing_if = "Option::is_none")]
-    pub version: Option<i32>,
 }
 
 #[derive(Serialize, Deserialize, Debug, Clone, JsonSchema)]
@@ -162,6 +160,14 @@ pub struct GrafanaDatasourceJsonData {
 
     #[serde(default, skip_serializing_if = "Option::is_none")]
     pub http_header_name1: Option<String>,
+
+    /// Disable TLS skip verification (false = verify)
+    #[serde(default, skip_serializing_if = "Option::is_none")]
+    pub tls_skip_verify: Option<bool>,
+
+    /// Auth type - set to "forward" for OpenShift OAuth identity
+    #[serde(default, skip_serializing_if = "Option::is_none")]
+    pub oauth_pass_thru: Option<bool>,
 }
 
 #[derive(Serialize, Deserialize, Debug, Clone, JsonSchema)]
diff --git a/harmony/src/modules/prometheus/k8s_prometheus_alerting_score.rs b/harmony/src/modules/prometheus/k8s_prometheus_alerting_score.rs
index 2cb4ffb..f9e8531 100644
--- a/harmony/src/modules/prometheus/k8s_prometheus_alerting_score.rs
+++ b/harmony/src/modules/prometheus/k8s_prometheus_alerting_score.rs
@@ -12,7 +12,7 @@ use crate::modules::monitoring::kube_prometheus::crd::crd_alertmanager_config::C
 use crate::modules::monitoring::kube_prometheus::crd::crd_default_rules::build_default_application_rules;
 use crate::modules::monitoring::kube_prometheus::crd::crd_grafana::{
     Grafana, GrafanaDashboard, GrafanaDashboardSpec, GrafanaDatasource, GrafanaDatasourceConfig,
-    GrafanaDatasourceSpec, GrafanaSpec,
+    GrafanaDatasourceJsonData, GrafanaDatasourceSpec, GrafanaSpec,
 };
 use crate::modules::monitoring::kube_prometheus::crd::crd_prometheus_rules::{
     PrometheusRule, PrometheusRuleSpec, RuleGroup,
@@ -466,10 +466,15 @@ impl K8sPrometheusCRDAlertingInterpret {
             match_labels: label.clone(),
             match_expressions: vec![],
         };
-        let mut json_data = BTreeMap::new();
-        json_data.insert("timeInterval".to_string(), "5s".to_string());
+        // let mut json_data = BTreeMap::new();
+        // json_data.insert("timeInterval".to_string(), "5s".to_string());
         let namespace = self.sender.namespace.clone();
-
+        let json_data = GrafanaDatasourceJsonData {
+            time_interval: Some("5s".to_string()),
+            http_header_name1: None,
+            tls_skip_verify: Some(true),
+            oauth_pass_thru: Some(true),
+        };
         let json = build_default_dashboard(&namespace);
 
         let graf_data_source = GrafanaDatasource {
@@ -495,6 +500,9 @@ impl K8sPrometheusCRDAlertingInterpret {
                         "http://prometheus-operated.{}.svc.cluster.local:9090",
                         self.sender.namespace.clone()
                     ),
+                    secure_json_data: None,
+                    is_default: None,
+                    editable: None,
                 },
             },
         };

From 7dff70edcf459751b9656184bccc157ebc88ce2a Mon Sep 17 00:00:00 2001
From: Willem <wrolleman@nationtech.io>
Date: Wed, 15 Oct 2025 15:26:36 -0400
Subject: [PATCH 07/51] wip: fixed token expiration and configured grafana
 dashboard

---
 harmony/src/domain/topology/k8s_anywhere.rs   | 108 ++++++++++--------
 .../kube_prometheus/crd/crd_grafana.rs        |  51 ++++++++-
 .../k8s_prometheus_alerting_score.rs          |   8 +-
 3 files changed, 116 insertions(+), 51 deletions(-)

diff --git a/harmony/src/domain/topology/k8s_anywhere.rs b/harmony/src/domain/topology/k8s_anywhere.rs
index cb37ece..cb4ab2d 100644
--- a/harmony/src/domain/topology/k8s_anywhere.rs
+++ b/harmony/src/domain/topology/k8s_anywhere.rs
@@ -6,7 +6,9 @@ use std::{
 
 use async_trait::async_trait;
 use k8s_openapi::api::{
-    authentication::v1::{TokenRequest, TokenRequestSpec, TokenRequestStatus},
+    authentication::v1::{
+        BoundObjectReference, TokenRequest, TokenRequestSpec, TokenRequestStatus,
+    },
     core::v1::{Secret, ServiceAccount},
     rbac::v1::{ClusterRoleBinding, RoleRef, Subject},
 };
@@ -30,9 +32,11 @@ use crate::{
             kube_prometheus::crd::{
                 crd_alertmanager_config::CRDPrometheus,
                 crd_grafana::{
-                    Grafana as GrafanaCRD, GrafanaDashboard, GrafanaDashboardSpec,
-                    GrafanaDatasource, GrafanaDatasourceConfig, GrafanaDatasourceJsonData,
-                    GrafanaDatasourceSecureJsonData, GrafanaDatasourceSpec, GrafanaSpec,
+                    Grafana as GrafanaCRD, GrafanaCom, GrafanaDashboard,
+                    GrafanaDashboardDatasource, GrafanaDashboardSpec, GrafanaDatasource,
+                    GrafanaDatasourceConfig, GrafanaDatasourceJsonData,
+                    GrafanaDatasourceSecureJsonData, GrafanaDatasourceSpec, GrafanaSecretKeyRef,
+                    GrafanaSpec, GrafanaValueFrom, GrafanaValueSource,
                 },
                 crd_prometheuses::LabelSelector,
                 grafana_default_dashboard::build_default_dashboard,
@@ -166,22 +170,24 @@ impl Grafana for K8sAnywhereTopology {
             .wait_until_deployment_ready(
                 "grafana-grafana-deployment".to_string(),
                 Some("grafana"),
-                Some(15),
+                Some(30),
             )
             .await?;
 
         let sa_name = "grafana-grafana-sa";
 
-        debug!("creating token for sevice account {sa_name}");
-        let token = self.create_service_account_token(sa_name, ns).await?;
+        let token_secret_name = "grafana-sa-token-secret";
 
-        debug!("creating secret");
-        let secret_name = "grafana-sa-secret";
-        let secret = self.build_token_secret(secret_name, &token.token, ns).await;
+        // let sa_token_secret = self.build_sa_token_secret(token_secret_name, sa_name, ns);
+        //
+        // client.apply(&sa_token_secret, Some(ns)).await?;
 
+        let secret = self.build_token_secret(token_secret_name, ns).await;
         client.apply(&secret, Some(ns)).await?;
+        let token_request_status = self.create_service_account_token(sa_name, ns).await?;
 
         debug!("creating grafana clusterrole binding");
+
         let clusterrolebinding =
             self.build_cluster_rolebinding(sa_name, "cluster-monitoring-view", ns);
 
@@ -189,7 +195,7 @@ impl Grafana for K8sAnywhereTopology {
 
         debug!("creating grafana datasource crd");
 
-        let token_str = format!("Bearer {}", token.token);
+        // let token_str = format!("Bearer {}", token.token);
 
         let thanos_url = format!(
             "https://{}",
@@ -203,36 +209,11 @@ impl Grafana for K8sAnywhereTopology {
             ns,
             &label_selector,
             &thanos_url,
-            token_str.clone(),
+            &token_request_status.token, // Pass the secret name here
         );
 
         client.apply(&thanos_openshift_datasource, Some(ns)).await?;
 
-        //TODO user workload datasource returns 503 -> need to figure out how to correctly add the
-        //userworkload thanos-ruler or prometheus-federate to the grafana datasource
-        //it may alrady be included in the overall monitoring stack
-
-        let user_thanos_url = format!(
-            "https://{}",
-            self.get_domain(
-                "thanos-ruler-openshift-user-workload-monitoring.apps.ncd0.harmony.mcd"
-            )
-            .await
-            .unwrap()
-        );
-
-        let thanos_openshift_userworkload_datasource = self.build_grafana_datasource(
-            "thanos-openshift-userworkload-monitoring",
-            ns,
-            &label_selector,
-            &user_thanos_url,
-            token_str.clone(),
-        );
-
-        client
-            .apply(&thanos_openshift_userworkload_datasource, Some(ns))
-            .await?;
-
         debug!("creating grafana dashboard crd");
         let dashboard = self.build_grafana_dashboard(ns, &label_selector);
 
@@ -446,6 +427,30 @@ impl K8sAnywhereTopology {
         }
     }
 
+    pub fn build_sa_token_secret(
+        &self,
+        secret_name: &str,
+        service_account_name: &str,
+        ns: &str,
+    ) -> Secret {
+        let mut annotations = BTreeMap::new();
+        annotations.insert(
+            "kubernetes.io/service-account.name".to_string(),
+            service_account_name.to_string(),
+        );
+
+        Secret {
+            metadata: ObjectMeta {
+                name: Some(secret_name.into()),
+                namespace: Some(ns.into()),
+                annotations: Some(annotations),
+                ..Default::default()
+            },
+            type_: Some("kubernetes.io/service-account-token".to_string()),
+            ..Default::default()
+        }
+    }
+
     pub fn get_token_request(&self, ns: &str) -> TokenRequest {
         debug!("building token request");
         TokenRequest {
@@ -456,7 +461,11 @@ impl K8sAnywhereTopology {
             spec: TokenRequestSpec {
                 audiences: vec!["https://kubernetes.default.svc".to_string()],
                 expiration_seconds: Some(3600),
-                ..Default::default()
+                bound_object_ref: Some(BoundObjectReference {
+                    kind: Some("Secret".to_string()),
+                    name: Some("grafana-sa-token-secret".to_string()),
+                    ..Default::default()
+                }),
             },
             ..Default::default()
         }
@@ -486,17 +495,14 @@ impl K8sAnywhereTopology {
         Ok(status)
     }
 
-    pub async fn build_token_secret(&self, secret_name: &str, token: &str, ns: &str) -> Secret {
+    pub async fn build_token_secret(&self, secret_name: &str, ns: &str) -> Secret {
         Secret {
             metadata: ObjectMeta {
                 name: Some(secret_name.into()),
                 namespace: Some(ns.into()),
                 ..Default::default()
             },
-            string_data: Some(std::collections::BTreeMap::from([(
-                secret_name.into(),
-                format!("Bearer {}", token),
-            )])),
+            string_data: None,
             ..Default::default()
         }
     }
@@ -507,7 +513,7 @@ impl K8sAnywhereTopology {
         ns: &str,
         label_selector: &LabelSelector,
         url: &str,
-        token: String,
+        token: &str, // Pass in the secret name
     ) -> GrafanaDatasource {
         let mut json_data = BTreeMap::new();
         json_data.insert("timeInterval".to_string(), "5s".to_string());
@@ -521,6 +527,7 @@ impl K8sAnywhereTopology {
             spec: GrafanaDatasourceSpec {
                 instance_selector: label_selector.clone(),
                 allow_cross_namespace_import: Some(true),
+                values_from: None,
                 datasource: GrafanaDatasourceConfig {
                     access: "proxy".to_string(),
                     name: name.to_string(),
@@ -534,7 +541,7 @@ impl K8sAnywhereTopology {
                         oauth_pass_thru: Some(true),
                     }),
                     secure_json_data: Some(GrafanaDatasourceSecureJsonData {
-                        http_header_value1: Some(token),
+                        http_header_value1: Some(format!("Bearer {token}")),
                     }),
                     is_default: Some(false),
                     editable: Some(true),
@@ -548,7 +555,6 @@ impl K8sAnywhereTopology {
         ns: &str,
         label_selector: &LabelSelector,
     ) -> GrafanaDashboard {
-        let json = build_default_dashboard(ns);
         let graf_dashboard = GrafanaDashboard {
             metadata: ObjectMeta {
                 name: Some(format!("grafana-dashboard-{}", ns)),
@@ -558,7 +564,15 @@ impl K8sAnywhereTopology {
             spec: GrafanaDashboardSpec {
                 resync_period: Some("30s".to_string()),
                 instance_selector: label_selector.clone(),
-                json,
+                datasources: Some(vec![GrafanaDashboardDatasource {
+                    input_name: "DS_PROMETHEUS".to_string(),
+                    datasource_name: "thanos-openshift-monitoring".to_string(),
+                }]),
+                json: None,
+                grafana_com: Some(GrafanaCom {
+                    id: 17406,
+                    revision: None,
+                }),
             },
         };
         graf_dashboard
diff --git a/harmony/src/modules/monitoring/kube_prometheus/crd/crd_grafana.rs b/harmony/src/modules/monitoring/kube_prometheus/crd/crd_grafana.rs
index e58f4ca..c99adc1 100644
--- a/harmony/src/modules/monitoring/kube_prometheus/crd/crd_grafana.rs
+++ b/harmony/src/modules/monitoring/kube_prometheus/crd/crd_grafana.rs
@@ -103,9 +103,34 @@ pub struct GrafanaDashboardSpec {
     #[serde(default, skip_serializing_if = "Option::is_none")]
     pub resync_period: Option<String>,
 
+    #[serde(default, skip_serializing_if = "Option::is_none")]
+    pub datasources: Option<Vec<GrafanaDashboardDatasource>>,
+    
     pub instance_selector: LabelSelector,
 
-    pub json: String,
+    #[serde(default, skip_serializing_if = "Option::is_none")]
+    pub json: Option<String>,
+
+    #[serde(default, skip_serializing_if = "Option::is_none")]
+    pub grafana_com: Option<GrafanaCom>,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, JsonSchema)]
+#[serde(rename_all = "camelCase")]
+pub struct GrafanaDashboardDatasource {
+    pub input_name: String,
+    pub datasource_name: String,
+}
+
+// ------------------------------------------------------------------------------------------------
+
+#[derive(Serialize, Deserialize, Debug, Clone, JsonSchema)]
+#[serde(rename_all = "camelCase")]
+pub struct GrafanaCom {
+    pub id: u32,
+
+    #[serde(default, skip_serializing_if = "Option::is_none")]
+    pub revision: Option<u32>,
 }
 
 // ------------------------------------------------------------------------------------------------
@@ -126,6 +151,30 @@ pub struct GrafanaDatasourceSpec {
     pub allow_cross_namespace_import: Option<bool>,
 
     pub datasource: GrafanaDatasourceConfig,
+
+    #[serde(default, skip_serializing_if = "Option::is_none")]
+    pub values_from: Option<Vec<GrafanaValueFrom>>,
+}
+
+
+#[derive(Serialize, Deserialize, Debug, Clone, JsonSchema)]
+#[serde(rename_all = "camelCase")]
+pub struct GrafanaValueFrom {
+    pub target_path: String,
+    pub value_from: GrafanaValueSource,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, JsonSchema)]
+#[serde(rename_all = "camelCase")]
+pub struct GrafanaValueSource {
+    pub secret_key_ref: GrafanaSecretKeyRef,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, JsonSchema)]
+#[serde(rename_all = "camelCase")]
+pub struct GrafanaSecretKeyRef {
+    pub name: String,
+    pub key: String,
 }
 
 #[derive(Serialize, Deserialize, Debug, Clone, JsonSchema)]
diff --git a/harmony/src/modules/prometheus/k8s_prometheus_alerting_score.rs b/harmony/src/modules/prometheus/k8s_prometheus_alerting_score.rs
index f9e8531..7873235 100644
--- a/harmony/src/modules/prometheus/k8s_prometheus_alerting_score.rs
+++ b/harmony/src/modules/prometheus/k8s_prometheus_alerting_score.rs
@@ -11,8 +11,7 @@ use std::process::Command;
 use crate::modules::monitoring::kube_prometheus::crd::crd_alertmanager_config::CRDPrometheus;
 use crate::modules::monitoring::kube_prometheus::crd::crd_default_rules::build_default_application_rules;
 use crate::modules::monitoring::kube_prometheus::crd::crd_grafana::{
-    Grafana, GrafanaDashboard, GrafanaDashboardSpec, GrafanaDatasource, GrafanaDatasourceConfig,
-    GrafanaDatasourceJsonData, GrafanaDatasourceSpec, GrafanaSpec,
+    Grafana, GrafanaDashboard, GrafanaDashboardSpec, GrafanaDatasource, GrafanaDatasourceConfig, GrafanaDatasourceJsonData, GrafanaDatasourceSpec, GrafanaSecretKeyRef, GrafanaSpec, GrafanaValueFrom, GrafanaValueSource
 };
 use crate::modules::monitoring::kube_prometheus::crd::crd_prometheus_rules::{
     PrometheusRule, PrometheusRuleSpec, RuleGroup,
@@ -504,6 +503,7 @@ impl K8sPrometheusCRDAlertingInterpret {
                     is_default: None,
                     editable: None,
                 },
+                values_from: None,
             },
         };
 
@@ -524,7 +524,9 @@ impl K8sPrometheusCRDAlertingInterpret {
             spec: GrafanaDashboardSpec {
                 resync_period: Some("30s".to_string()),
                 instance_selector: labels.clone(),
-                json,
+                json: Some(json),
+                grafana_com: None,
+                datasources: None,
             },
         };
 

From fc384599a1a31d2678cc11c1f9b067b146afae46 Mon Sep 17 00:00:00 2001
From: Willem <wrolleman@nationtech.io>
Date: Thu, 16 Oct 2025 14:07:23 -0400
Subject: [PATCH 08/51] feat: implementation of Installable for
 CRDPrometheusIntroduction of Grafana trait and its impl for k8sanywhereallows
 for CRDPrometheus to be installed via AlertingInterpret which standardizes
 the installation of alert receivers, alerting rules, and alert senders

---
 harmony/src/domain/topology/k8s_anywhere.rs   | 131 ++++++------------
 .../kube_prometheus/crd/crd_grafana.rs        |   3 +-
 .../k8s_prometheus_alerting_score.rs          |   4 +-
 3 files changed, 45 insertions(+), 93 deletions(-)

diff --git a/harmony/src/domain/topology/k8s_anywhere.rs b/harmony/src/domain/topology/k8s_anywhere.rs
index cb4ab2d..e45b65f 100644
--- a/harmony/src/domain/topology/k8s_anywhere.rs
+++ b/harmony/src/domain/topology/k8s_anywhere.rs
@@ -1,21 +1,12 @@
-use std::{
-    collections::{BTreeMap, HashMap},
-    process::Command,
-    sync::Arc,
-};
+use std::{collections::BTreeMap, process::Command, sync::Arc};
 
 use async_trait::async_trait;
+use base64::{Engine, engine::general_purpose};
 use k8s_openapi::api::{
-    authentication::v1::{
-        BoundObjectReference, TokenRequest, TokenRequestSpec, TokenRequestStatus,
-    },
-    core::v1::{Secret, ServiceAccount},
+    core::v1::Secret,
     rbac::v1::{ClusterRoleBinding, RoleRef, Subject},
 };
-use kube::{
-    Api,
-    api::{GroupVersionKind, ObjectMeta, PostParams},
-};
+use kube::api::{DynamicObject, GroupVersionKind, ObjectMeta};
 use log::{debug, info, warn};
 use serde::Serialize;
 use tokio::sync::OnceCell;
@@ -35,14 +26,11 @@ use crate::{
                     Grafana as GrafanaCRD, GrafanaCom, GrafanaDashboard,
                     GrafanaDashboardDatasource, GrafanaDashboardSpec, GrafanaDatasource,
                     GrafanaDatasourceConfig, GrafanaDatasourceJsonData,
-                    GrafanaDatasourceSecureJsonData, GrafanaDatasourceSpec, GrafanaSecretKeyRef,
-                    GrafanaSpec, GrafanaValueFrom, GrafanaValueSource,
+                    GrafanaDatasourceSecureJsonData, GrafanaDatasourceSpec, GrafanaSpec,
                 },
                 crd_prometheuses::LabelSelector,
-                grafana_default_dashboard::build_default_dashboard,
                 prometheus_operator::prometheus_operator_helm_chart_score,
                 rhob_alertmanager_config::RHOBObservability,
-                role::build_prom_service_account,
                 service_monitor::ServiceMonitor,
             },
         },
@@ -148,24 +136,23 @@ impl Grafana for K8sAnywhereTopology {
         };
     }
     async fn install_grafana(&self) -> Result<PreparationOutcome, PreparationError> {
-        debug!("install grafana");
         let ns = "grafana";
 
         let mut label = BTreeMap::new();
 
         label.insert("dashboards".to_string(), "grafana".to_string());
+
         let label_selector = LabelSelector {
             match_labels: label.clone(),
             match_expressions: vec![],
         };
-        debug!("getting client");
+
         let client = self.k8s_client().await?;
 
-        info!("creating grafanas crd");
         let grafana = self.build_grafana(ns, &label);
 
         client.apply(&grafana, Some(ns)).await?;
-
+        //TODO change this to a ensure ready or something better than just a timeout
         client
             .wait_until_deployment_ready(
                 "grafana-grafana-deployment".to_string(),
@@ -175,16 +162,25 @@ impl Grafana for K8sAnywhereTopology {
             .await?;
 
         let sa_name = "grafana-grafana-sa";
-
         let token_secret_name = "grafana-sa-token-secret";
 
-        // let sa_token_secret = self.build_sa_token_secret(token_secret_name, sa_name, ns);
-        //
-        // client.apply(&sa_token_secret, Some(ns)).await?;
+        let sa_token_secret = self.build_sa_token_secret(token_secret_name, sa_name, ns);
 
-        let secret = self.build_token_secret(token_secret_name, ns).await;
-        client.apply(&secret, Some(ns)).await?;
-        let token_request_status = self.create_service_account_token(sa_name, ns).await?;
+        client.apply(&sa_token_secret, Some(ns)).await?;
+        let secret_gvk = GroupVersionKind {
+            group: "".to_string(),
+            version: "v1".to_string(),
+            kind: "Secret".to_string(),
+        };
+
+        let secret = client
+            .get_resource_json_value(token_secret_name, Some(ns), &secret_gvk)
+            .await?;
+
+        let token = format!(
+            "Bearer {}",
+            self.extract_and_normalize_token(&secret).unwrap()
+        );
 
         debug!("creating grafana clusterrole binding");
 
@@ -195,8 +191,6 @@ impl Grafana for K8sAnywhereTopology {
 
         debug!("creating grafana datasource crd");
 
-        // let token_str = format!("Bearer {}", token.token);
-
         let thanos_url = format!(
             "https://{}",
             self.get_domain("thanos-querier-openshift-monitoring")
@@ -209,7 +203,7 @@ impl Grafana for K8sAnywhereTopology {
             ns,
             &label_selector,
             &thanos_url,
-            &token_request_status.token, // Pass the secret name here
+            &token,
         );
 
         client.apply(&thanos_openshift_datasource, Some(ns)).await?;
@@ -398,8 +392,21 @@ impl K8sAnywhereTopology {
             .clone()
     }
 
-    pub fn build_service_account(&self, name: &str, namespace: &str) -> ServiceAccount {
-        build_prom_service_account(name.to_string(), namespace.to_string())
+    fn extract_and_normalize_token(&self, secret: &DynamicObject) -> Option<String> {
+        let token_b64 = secret
+            .data
+            .get("token")
+            .or_else(|| secret.data.get("data").and_then(|d| d.get("token")))
+            .and_then(|v| v.as_str())?;
+
+        let bytes = general_purpose::STANDARD.decode(token_b64).ok()?;
+
+        let s = String::from_utf8(bytes).ok()?;
+
+        let cleaned = s
+            .trim_matches(|c: char| c.is_whitespace() || c == '\0')
+            .to_string();
+        Some(cleaned)
     }
 
     pub fn build_cluster_rolebinding(
@@ -451,69 +458,13 @@ impl K8sAnywhereTopology {
         }
     }
 
-    pub fn get_token_request(&self, ns: &str) -> TokenRequest {
-        debug!("building token request");
-        TokenRequest {
-            metadata: ObjectMeta {
-                namespace: Some(ns.to_string()),
-                ..Default::default()
-            },
-            spec: TokenRequestSpec {
-                audiences: vec!["https://kubernetes.default.svc".to_string()],
-                expiration_seconds: Some(3600),
-                bound_object_ref: Some(BoundObjectReference {
-                    kind: Some("Secret".to_string()),
-                    name: Some("grafana-sa-token-secret".to_string()),
-                    ..Default::default()
-                }),
-            },
-            ..Default::default()
-        }
-    }
-
-    pub async fn create_service_account_token(
-        &self,
-        service_account_name: &str,
-        ns: &str,
-    ) -> Result<TokenRequestStatus, PreparationError> {
-        debug!("creating service account token");
-        let token_request = self.get_token_request(ns);
-        let client = self.k8s_client().await?;
-        let pp = PostParams::default();
-        let token_requests_api = client.service_account_api(ns).await;
-
-        let data = serde_json::to_vec(&token_request).unwrap();
-
-        let created_token_request = token_requests_api
-            .create_subresource::<TokenRequest>("token", service_account_name, &pp, data)
-            .await?;
-
-        let status = created_token_request
-            .status
-            .ok_or_else(|| PreparationError::new("missing token request status".to_string()))?;
-
-        Ok(status)
-    }
-
-    pub async fn build_token_secret(&self, secret_name: &str, ns: &str) -> Secret {
-        Secret {
-            metadata: ObjectMeta {
-                name: Some(secret_name.into()),
-                namespace: Some(ns.into()),
-                ..Default::default()
-            },
-            string_data: None,
-            ..Default::default()
-        }
-    }
-
     fn build_grafana_datasource(
         &self,
         name: &str,
         ns: &str,
         label_selector: &LabelSelector,
         url: &str,
-        token: &str, // Pass in the secret name
+        token: &str,
     ) -> GrafanaDatasource {
         let mut json_data = BTreeMap::new();
         json_data.insert("timeInterval".to_string(), "5s".to_string());
diff --git a/harmony/src/modules/monitoring/kube_prometheus/crd/crd_grafana.rs b/harmony/src/modules/monitoring/kube_prometheus/crd/crd_grafana.rs
index c99adc1..386890e 100644
--- a/harmony/src/modules/monitoring/kube_prometheus/crd/crd_grafana.rs
+++ b/harmony/src/modules/monitoring/kube_prometheus/crd/crd_grafana.rs
@@ -105,7 +105,7 @@ pub struct GrafanaDashboardSpec {
 
     #[serde(default, skip_serializing_if = "Option::is_none")]
     pub datasources: Option<Vec<GrafanaDashboardDatasource>>,
-    
+
     pub instance_selector: LabelSelector,
 
     #[serde(default, skip_serializing_if = "Option::is_none")]
@@ -156,7 +156,6 @@ pub struct GrafanaDatasourceSpec {
     pub values_from: Option<Vec<GrafanaValueFrom>>,
 }
 
-
 #[derive(Serialize, Deserialize, Debug, Clone, JsonSchema)]
 #[serde(rename_all = "camelCase")]
 pub struct GrafanaValueFrom {
diff --git a/harmony/src/modules/prometheus/k8s_prometheus_alerting_score.rs b/harmony/src/modules/prometheus/k8s_prometheus_alerting_score.rs
index 7873235..d7dca5e 100644
--- a/harmony/src/modules/prometheus/k8s_prometheus_alerting_score.rs
+++ b/harmony/src/modules/prometheus/k8s_prometheus_alerting_score.rs
@@ -11,7 +11,9 @@ use std::process::Command;
 use crate::modules::monitoring::kube_prometheus::crd::crd_alertmanager_config::CRDPrometheus;
 use crate::modules::monitoring::kube_prometheus::crd::crd_default_rules::build_default_application_rules;
 use crate::modules::monitoring::kube_prometheus::crd::crd_grafana::{
-    Grafana, GrafanaDashboard, GrafanaDashboardSpec, GrafanaDatasource, GrafanaDatasourceConfig, GrafanaDatasourceJsonData, GrafanaDatasourceSpec, GrafanaSecretKeyRef, GrafanaSpec, GrafanaValueFrom, GrafanaValueSource
+    Grafana, GrafanaDashboard, GrafanaDashboardSpec, GrafanaDatasource, GrafanaDatasourceConfig,
+    GrafanaDatasourceJsonData, GrafanaDatasourceSpec, GrafanaSecretKeyRef, GrafanaSpec,
+    GrafanaValueFrom, GrafanaValueSource,
 };
 use crate::modules::monitoring::kube_prometheus::crd::crd_prometheus_rules::{
     PrometheusRule, PrometheusRuleSpec, RuleGroup,

From ce91ee01685c48b81e46440e171440c92723577b Mon Sep 17 00:00:00 2001
From: Willem <wrolleman@nationtech.io>
Date: Mon, 20 Oct 2025 15:31:06 -0400
Subject: [PATCH 09/51] fix: removed dead code, mapped error from grafana
 operator to preparation error rather than ignoring it, modified k8sprometheus
 score to unwrap_or_default() service monitors

---
 harmony/src/domain/topology/k8s_anywhere.rs   | 24 +++++++------------
 .../monitoring/grafana/helm/helm_grafana.rs   |  3 ++-
 .../k8s_prometheus_alerting_score.rs          |  2 --
 3 files changed, 10 insertions(+), 19 deletions(-)

diff --git a/harmony/src/domain/topology/k8s_anywhere.rs b/harmony/src/domain/topology/k8s_anywhere.rs
index e45b65f..cf56333 100644
--- a/harmony/src/domain/topology/k8s_anywhere.rs
+++ b/harmony/src/domain/topology/k8s_anywhere.rs
@@ -585,21 +585,12 @@ impl K8sAnywhereTopology {
         receivers: Option<Vec<Box<dyn AlertReceiver<CRDPrometheus>>>>,
         service_monitors: Option<Vec<ServiceMonitor>>,
     ) -> K8sPrometheusCRDAlertingScore {
-        if let Some(sm) = service_monitors {
-            return K8sPrometheusCRDAlertingScore {
-                sender,
-                receivers: receivers.unwrap_or_default(),
-                service_monitors: sm,
-                prometheus_rules: vec![],
-            };
-        } else {
-            return K8sPrometheusCRDAlertingScore {
-                sender,
-                receivers: receivers.unwrap_or_default(),
-                service_monitors: vec![],
-                prometheus_rules: vec![],
-            };
-        }
+        return K8sPrometheusCRDAlertingScore {
+            sender,
+            receivers: receivers.unwrap_or_default(),
+            service_monitors: service_monitors.unwrap_or_default(),
+            prometheus_rules: vec![],
+        };
     }
 
     async fn openshift_ingress_operator_available(&self) -> Result<(), PreparationError> {
@@ -882,7 +873,8 @@ impl K8sAnywhereTopology {
         }
         let _grafana_operator_score = grafana_helm_chart_score(namespace, namespace_scope)
             .interpret(inventory, self)
-            .await;
+            .await
+            .map_err(|e| PreparationError::new(e.to_string()));
         Ok(PreparationOutcome::Success {
             details: format!(
                 "Successfully installed grafana operator in ns {}",
diff --git a/harmony/src/modules/monitoring/grafana/helm/helm_grafana.rs b/harmony/src/modules/monitoring/grafana/helm/helm_grafana.rs
index 2965ada..c9ccacb 100644
--- a/harmony/src/modules/monitoring/grafana/helm/helm_grafana.rs
+++ b/harmony/src/modules/monitoring/grafana/helm/helm_grafana.rs
@@ -1,3 +1,4 @@
+use harmony_macros::hurl;
 use non_blank_string_rs::NonBlankString;
 use std::{collections::HashMap, str::FromStr};
 
@@ -20,7 +21,7 @@ pub fn grafana_helm_chart_score(ns: &str, namespace_scope: bool) -> HelmChartSco
         install_only: true,
         repository: Some(HelmRepository::new(
             "grafana".to_string(),
-            url::Url::parse("https://grafana.github.io/helm-charts").unwrap(),
+            hurl!("https://grafana.github.io/helm-charts"),
             true,
         )),
     }
diff --git a/harmony/src/modules/prometheus/k8s_prometheus_alerting_score.rs b/harmony/src/modules/prometheus/k8s_prometheus_alerting_score.rs
index d7dca5e..7093ee8 100644
--- a/harmony/src/modules/prometheus/k8s_prometheus_alerting_score.rs
+++ b/harmony/src/modules/prometheus/k8s_prometheus_alerting_score.rs
@@ -467,8 +467,6 @@ impl K8sPrometheusCRDAlertingInterpret {
             match_labels: label.clone(),
             match_expressions: vec![],
         };
-        // let mut json_data = BTreeMap::new();
-        // json_data.insert("timeInterval".to_string(), "5s".to_string());
         let namespace = self.sender.namespace.clone();
         let json_data = GrafanaDatasourceJsonData {
             time_interval: Some("5s".to_string()),

From 8126b233d8eed3fb6260c4d463585e9308de9422 Mon Sep 17 00:00:00 2001
From: Willem <wrolleman@nationtech.io>
Date: Wed, 22 Oct 2025 11:27:28 -0400
Subject: [PATCH 10/51] feat: implementation for opnsense os-node_exporter

---
 harmony/src/domain/topology/mod.rs            |  1 +
 harmony/src/infra/opnsense/mod.rs             |  1 +
 harmony/src/infra/opnsense/node_exporter.rs   | 44 ++++++++++++
 harmony/src/modules/opnsense/mod.rs           |  1 +
 harmony/src/modules/opnsense/node_exporter.rs | 70 +++++++++++++++++++
 opnsense-config-xml/src/data/opnsense.rs      | 20 +++++-
 opnsense-config/src/config/config.rs          |  7 +-
 opnsense-config/src/modules/mod.rs            |  1 +
 opnsense-config/src/modules/node_exporter.rs  | 55 +++++++++++++++
 9 files changed, 198 insertions(+), 2 deletions(-)
 create mode 100644 harmony/src/infra/opnsense/node_exporter.rs
 create mode 100644 harmony/src/modules/opnsense/node_exporter.rs
 create mode 100644 opnsense-config/src/modules/node_exporter.rs

diff --git a/harmony/src/domain/topology/mod.rs b/harmony/src/domain/topology/mod.rs
index 85e57d7..08c1c15 100644
--- a/harmony/src/domain/topology/mod.rs
+++ b/harmony/src/domain/topology/mod.rs
@@ -1,5 +1,6 @@
 mod ha_cluster;
 pub mod ingress;
+pub mod node_exporter;
 use harmony_types::net::IpAddress;
 mod host_binding;
 mod http;
diff --git a/harmony/src/infra/opnsense/mod.rs b/harmony/src/infra/opnsense/mod.rs
index 3878cfc..102d2b6 100644
--- a/harmony/src/infra/opnsense/mod.rs
+++ b/harmony/src/infra/opnsense/mod.rs
@@ -4,6 +4,7 @@ mod firewall;
 mod http;
 mod load_balancer;
 mod management;
+pub mod node_exporter;
 mod tftp;
 use std::sync::Arc;
 
diff --git a/harmony/src/infra/opnsense/node_exporter.rs b/harmony/src/infra/opnsense/node_exporter.rs
new file mode 100644
index 0000000..2c27b26
--- /dev/null
+++ b/harmony/src/infra/opnsense/node_exporter.rs
@@ -0,0 +1,44 @@
+use async_trait::async_trait;
+use log::debug;
+
+use crate::{
+    executors::ExecutorError, infra::opnsense::OPNSenseFirewall,
+    topology::node_exporter::NodeExporter,
+};
+
+#[async_trait]
+impl NodeExporter for OPNSenseFirewall {
+    async fn ensure_initialized(&self) -> Result<(), ExecutorError> {
+        let mut config = self.opnsense_config.write().await;
+        let node_exporter = config.node_exporter();
+        if let Some(config) = node_exporter.get_full_config() {
+            debug!(
+                "Node exporter available in opnsense config, assuming it is already installed. {config:?}"
+            );
+        } else {
+            config
+                .install_package("os-node_exporter")
+                .await
+                .map_err(|e| {
+                        ExecutorError::UnexpectedError(format!("Executor failed when trying to install os-node_exporter package with error {e:?}"
+                                ))
+                    })?;
+        }
+
+        config.node_exporter().enable(true);
+        Ok(())
+    }
+    async fn commit_config(&self) -> Result<(), ExecutorError> {
+        OPNSenseFirewall::commit_config(self).await
+    }
+
+    async fn reload_restart(&self) -> Result<(), ExecutorError> {
+        self.opnsense_config
+            .write()
+            .await
+            .node_exporter()
+            .reload_restart()
+            .await
+            .map_err(|e| ExecutorError::UnexpectedError(e.to_string()))
+    }
+}
diff --git a/harmony/src/modules/opnsense/mod.rs b/harmony/src/modules/opnsense/mod.rs
index 28b52cf..8988205 100644
--- a/harmony/src/modules/opnsense/mod.rs
+++ b/harmony/src/modules/opnsense/mod.rs
@@ -1,3 +1,4 @@
+pub mod node_exporter;
 mod shell;
 mod upgrade;
 pub use shell::*;
diff --git a/harmony/src/modules/opnsense/node_exporter.rs b/harmony/src/modules/opnsense/node_exporter.rs
new file mode 100644
index 0000000..d17f67a
--- /dev/null
+++ b/harmony/src/modules/opnsense/node_exporter.rs
@@ -0,0 +1,70 @@
+use async_trait::async_trait;
+use harmony_types::id::Id;
+use log::info;
+use serde::Serialize;
+
+use crate::{
+    data::Version,
+    interpret::{Interpret, InterpretError, InterpretName, InterpretStatus, Outcome},
+    inventory::Inventory,
+    score::Score,
+    topology::{Topology, node_exporter::NodeExporter},
+};
+
+#[derive(Debug, Clone, Serialize)]
+pub struct NodeExporterScore {}
+
+impl<T: Topology + NodeExporter> Score<T> for NodeExporterScore {
+    fn name(&self) -> String {
+        "NodeExporterScore".to_string()
+    }
+
+    fn create_interpret(&self) -> Box<dyn Interpret<T>> {
+        Box::new(NodeExporterInterpret {})
+    }
+}
+
+#[derive(Debug)]
+pub struct NodeExporterInterpret {}
+
+#[async_trait]
+impl<T: Topology + NodeExporter> Interpret<T> for NodeExporterInterpret {
+    async fn execute(
+        &self,
+        _inventory: &Inventory,
+        node_exporter: &T,
+    ) -> Result<Outcome, InterpretError> {
+        info!(
+            "Making sure node exporter is initiailized: {:?}",
+            node_exporter.ensure_initialized().await?
+        );
+
+        info!("Applying Node Exporter configuration");
+
+        node_exporter.commit_config().await?;
+
+        info!("Reloading and restarting Node Exporter");
+
+        node_exporter.reload_restart().await?;
+
+        Ok(Outcome::success(format!(
+            "NodeExporter successfully configured"
+        )))
+    }
+
+    fn get_name(&self) -> InterpretName {
+        InterpretName::Custom("NodeExporter")
+    }
+
+    fn get_version(&self) -> Version {
+        todo!()
+    }
+
+    fn get_status(&self) -> InterpretStatus {
+        todo!()
+    }
+
+    fn get_children(&self) -> Vec<Id> {
+        todo!()
+    }
+}
diff --git a/opnsense-config-xml/src/data/opnsense.rs b/opnsense-config-xml/src/data/opnsense.rs
index fa5f985..4b384d4 100644
--- a/opnsense-config-xml/src/data/opnsense.rs
+++ b/opnsense-config-xml/src/data/opnsense.rs
@@ -433,7 +433,7 @@ pub struct OPNsenseXmlSection {
     #[yaserde(rename = "Interfaces")]
     pub interfaces: Option<ConfigInterfaces>,
     #[yaserde(rename = "NodeExporter")]
-    pub node_exporter: Option<RawXml>,
+    pub node_exporter: Option<NodeExporter>,
     #[yaserde(rename = "Kea")]
     pub kea: Option<RawXml>,
     pub monit: Option<Monit>,
@@ -1595,3 +1595,21 @@ pub struct Ifgroups {
     #[yaserde(attribute = true)]
     pub version: String,
 }
+
+#[derive(Default, PartialEq, Debug, YaSerialize, YaDeserialize)]
+pub struct NodeExporter {
+    pub enabled: u8,
+    pub listenaddress: Option<MaybeString>,
+    pub listenport: u16,
+    pub cpu: u8,
+    pub exec: u8,
+    pub filesystem: u8,
+    pub loadavg: u8,
+    pub meminfo: u8,
+    pub netdev: u8,
+    pub time: u8,
+    pub devstat: u8,
+    pub interrupts: u8,
+    pub ntp: u8,
+    pub zfs: u8,
+}
diff --git a/opnsense-config/src/config/config.rs b/opnsense-config/src/config/config.rs
index c2d0f60..30240e4 100644
--- a/opnsense-config/src/config/config.rs
+++ b/opnsense-config/src/config/config.rs
@@ -5,7 +5,8 @@ use crate::{
     error::Error,
     modules::{
         caddy::CaddyConfig, dhcp_legacy::DhcpConfigLegacyISC, dns::UnboundDnsConfig,
-        dnsmasq::DhcpConfigDnsMasq, load_balancer::LoadBalancerConfig, tftp::TftpConfig,
+        dnsmasq::DhcpConfigDnsMasq, load_balancer::LoadBalancerConfig,
+        node_exporter::NodeExporterConfig, tftp::TftpConfig,
     },
 };
 use log::{debug, info, trace, warn};
@@ -71,6 +72,10 @@ impl Config {
         LoadBalancerConfig::new(&mut self.opnsense, self.shell.clone())
     }
 
+    pub fn node_exporter(&mut self) -> NodeExporterConfig<'_> {
+        NodeExporterConfig::new(&mut self.opnsense, self.shell.clone())
+    }
+
     pub async fn upload_files(&self, source: &str, destination: &str) -> Result<String, Error> {
         self.shell.upload_folder(source, destination).await
     }
diff --git a/opnsense-config/src/modules/mod.rs b/opnsense-config/src/modules/mod.rs
index 3448075..eec16a2 100644
--- a/opnsense-config/src/modules/mod.rs
+++ b/opnsense-config/src/modules/mod.rs
@@ -4,4 +4,5 @@ pub mod dhcp_legacy;
 pub mod dns;
 pub mod dnsmasq;
 pub mod load_balancer;
+pub mod node_exporter;
 pub mod tftp;
diff --git a/opnsense-config/src/modules/node_exporter.rs b/opnsense-config/src/modules/node_exporter.rs
new file mode 100644
index 0000000..9a44876
--- /dev/null
+++ b/opnsense-config/src/modules/node_exporter.rs
@@ -0,0 +1,55 @@
+use std::sync::Arc;
+
+use opnsense_config_xml::{NodeExporter, OPNsense};
+
+use crate::{config::OPNsenseShell, Error};
+
+pub struct NodeExporterConfig<'a> {
+    opnsense: &'a mut OPNsense,
+    opnsense_shell: Arc<dyn OPNsenseShell>,
+}
+
+impl<'a> NodeExporterConfig<'a> {
+    pub fn new(opnsense: &'a mut OPNsense, opnsense_shell: Arc<dyn OPNsenseShell>) -> Self {
+        Self {
+            opnsense,
+            opnsense_shell,
+        }
+    }
+
+    pub fn get_full_config(&self) -> &Option<NodeExporter> {
+        &self.opnsense.opnsense.node_exporter
+    }
+    fn with_node_exporter<F, R>(&mut self, f: F) -> R
+    where
+        F: FnOnce(&mut NodeExporter) -> R,
+    {
+        match &mut self.opnsense.opnsense.node_exporter.as_mut() {
+            Some(node_exporter) => f(node_exporter),
+            None => unimplemented!(
+                "
+                node exporter is not yet installed"
+            ),
+        }
+    }
+
+    pub fn enable(&mut self, enabled: bool) {
+        self.with_node_exporter(|node_exporter| node_exporter.enabled = enabled as u8)
+    }
+
+    pub async fn reload_restart(&self) -> Result<(), Error> {
+        self.opnsense_shell
+            .exec("configctl node_exporter stop")
+            .await?;
+        self.opnsense_shell
+            .exec("configctl template reload OPNsense/NodeExporter")
+            .await?;
+        self.opnsense_shell
+            .exec("configctl node_exporter configtest")
+            .await?;
+        self.opnsense_shell
+            .exec("configctl node_exporter start")
+            .await?;
+        Ok(())
+    }
+}

From 5af13800b7774311fd73efd9682371dcb4373aa1 Mon Sep 17 00:00:00 2001
From: Willem <wrolleman@nationtech.io>
Date: Wed, 22 Oct 2025 11:51:22 -0400
Subject: [PATCH 11/51] fix: removed unimplemnted marco and returned Err
 instead some formatting error

---
 opnsense-config/src/modules/node_exporter.rs | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)

diff --git a/opnsense-config/src/modules/node_exporter.rs b/opnsense-config/src/modules/node_exporter.rs
index 9a44876..fd7ee5c 100644
--- a/opnsense-config/src/modules/node_exporter.rs
+++ b/opnsense-config/src/modules/node_exporter.rs
@@ -20,21 +20,20 @@ impl<'a> NodeExporterConfig<'a> {
     pub fn get_full_config(&self) -> &Option<NodeExporter> {
         &self.opnsense.opnsense.node_exporter
     }
-    fn with_node_exporter<F, R>(&mut self, f: F) -> R
+
+    fn with_node_exporter<F, R>(&mut self, f: F) -> Result<R, &'static str>
     where
         F: FnOnce(&mut NodeExporter) -> R,
     {
         match &mut self.opnsense.opnsense.node_exporter.as_mut() {
-            Some(node_exporter) => f(node_exporter),
-            None => unimplemented!(
-                "
-                node exporter is not yet installed"
-            ),
+            Some(node_exporter) => Ok(f(node_exporter)),
+            None => Err("node exporter is not yet installed"),
         }
     }
 
-    pub fn enable(&mut self, enabled: bool) {
+    pub fn enable(&mut self, enabled: bool) -> Result<(), &'static str> {
         self.with_node_exporter(|node_exporter| node_exporter.enabled = enabled as u8)
+            .map(|_| ())
     }
 
     pub async fn reload_restart(&self) -> Result<(), Error> {

From 5ab58f025330488e60f89d4a40976815059ce24a Mon Sep 17 00:00:00 2001
From: Willem <wrolleman@nationtech.io>
Date: Wed, 22 Oct 2025 14:39:12 -0400
Subject: [PATCH 12/51] fix: added impl node exporter for hacluster topology
 and dummy infra

---
 examples/nanodc/src/main.rs                  |   4 +-
 examples/okd_installation/src/topology.rs    |   1 +
 examples/okd_pxe/src/topology.rs             |   1 +
 examples/opnsense/src/main.rs                |   1 +
 examples/opnsense_node_exporter/Cargo.toml   |  20 ++++
 examples/opnsense_node_exporter/src/main.rs  | 110 +++++++++++++++++++
 harmony/src/domain/topology/ha_cluster.rs    |  36 +++++-
 harmony/src/domain/topology/node_exporter.rs |  17 +++
 8 files changed, 187 insertions(+), 3 deletions(-)
 create mode 100644 examples/opnsense_node_exporter/Cargo.toml
 create mode 100644 examples/opnsense_node_exporter/src/main.rs
 create mode 100644 harmony/src/domain/topology/node_exporter.rs

diff --git a/examples/nanodc/src/main.rs b/examples/nanodc/src/main.rs
index 57574d2..95b16a6 100644
--- a/examples/nanodc/src/main.rs
+++ b/examples/nanodc/src/main.rs
@@ -39,8 +39,7 @@ async fn main() {
     let gateway_ipv4 = Ipv4Addr::new(192, 168, 33, 1);
     let gateway_ip = IpAddr::V4(gateway_ipv4);
     let topology = harmony::topology::HAClusterTopology {
-        domain_name: "ncd0.harmony.mcd".to_string(), // TODO this must be set manually correctly
-        // when setting up the opnsense firewall
+        domain_name: "ncd0.harmony.mcd".to_string(),
         router: Arc::new(UnmanagedRouter::new(
             gateway_ip,
             Ipv4Cidr::new(lan_subnet, 24).unwrap(),
@@ -84,6 +83,7 @@ async fn main() {
             },
         ],
         switch: vec![],
+        node_exporter: opnsense.clone(),
     };
 
     let inventory = Inventory {
diff --git a/examples/okd_installation/src/topology.rs b/examples/okd_installation/src/topology.rs
index 31062f5..4df6ab5 100644
--- a/examples/okd_installation/src/topology.rs
+++ b/examples/okd_installation/src/topology.rs
@@ -59,6 +59,7 @@ pub async fn get_topology() -> HAClusterTopology {
         },
         workers: vec![],
         switch: vec![],
+        node_exporter: opnsense.clone(),
     }
 }
 
diff --git a/examples/okd_pxe/src/topology.rs b/examples/okd_pxe/src/topology.rs
index 707969a..63e3613 100644
--- a/examples/okd_pxe/src/topology.rs
+++ b/examples/okd_pxe/src/topology.rs
@@ -53,6 +53,7 @@ pub async fn get_topology() -> HAClusterTopology {
         },
         workers: vec![],
         switch: vec![],
+        node_exporter: opnsense.clone(),
     }
 }
 
diff --git a/examples/opnsense/src/main.rs b/examples/opnsense/src/main.rs
index fcfaf09..8f4039d 100644
--- a/examples/opnsense/src/main.rs
+++ b/examples/opnsense/src/main.rs
@@ -55,6 +55,7 @@ async fn main() {
         },
         workers: vec![],
         switch: vec![],
+        node_exporter: opnsense.clone(),
     };
 
     let inventory = Inventory {
diff --git a/examples/opnsense_node_exporter/Cargo.toml b/examples/opnsense_node_exporter/Cargo.toml
new file mode 100644
index 0000000..957bdd9
--- /dev/null
+++ b/examples/opnsense_node_exporter/Cargo.toml
@@ -0,0 +1,20 @@
+[package]
+name = "example-opnsense-node-exporter"
+edition = "2024"
+version.workspace = true
+readme.workspace = true
+license.workspace = true
+
+[dependencies]
+harmony = { path = "../../harmony" }
+harmony_cli = { path = "../../harmony_cli" }
+harmony_types = { path = "../../harmony_types" }
+harmony_secret = { path = "../../harmony_secret" }
+harmony_secret_derive = { path = "../../harmony_secret_derive" }
+cidr = { workspace = true }
+tokio = { workspace = true }
+harmony_macros = { path = "../../harmony_macros" }
+log = { workspace = true }
+env_logger = { workspace = true }
+url = { workspace = true }
+serde.workspace = true
diff --git a/examples/opnsense_node_exporter/src/main.rs b/examples/opnsense_node_exporter/src/main.rs
new file mode 100644
index 0000000..4f1219d
--- /dev/null
+++ b/examples/opnsense_node_exporter/src/main.rs
@@ -0,0 +1,110 @@
+use std::{
+    net::{IpAddr, Ipv4Addr},
+    sync::Arc,
+};
+
+use cidr::Ipv4Cidr;
+use harmony::{
+    hardware::{HostCategory, Location, PhysicalHost, SwitchGroup},
+    infra::opnsense::OPNSenseManagementInterface,
+    inventory::Inventory,
+    modules::opnsense::node_exporter::NodeExporterScore,
+    topology::{HAClusterTopology, LogicalHost, UnmanagedRouter},
+};
+use harmony_macros::{ip, ipv4, mac_address};
+
+#[tokio::main]
+async fn main() {
+    let firewall = harmony::topology::LogicalHost {
+        ip: ip!("192.168.33.1"),
+        name: String::from("fw0"),
+    };
+
+    let opnsense = Arc::new(
+        harmony::infra::opnsense::OPNSenseFirewall::new(firewall, None, "root", "opnsense").await,
+    );
+    let lan_subnet = Ipv4Addr::new(192, 168, 33, 0);
+    let gateway_ipv4 = Ipv4Addr::new(192, 168, 33, 1);
+    let gateway_ip = IpAddr::V4(gateway_ipv4);
+    let topology = harmony::topology::HAClusterTopology {
+        domain_name: "ncd0.harmony.mcd".to_string(),
+        router: Arc::new(UnmanagedRouter::new(
+            gateway_ip,
+            Ipv4Cidr::new(lan_subnet, 24).unwrap(),
+        )),
+        load_balancer: opnsense.clone(),
+        firewall: opnsense.clone(),
+        tftp_server: opnsense.clone(),
+        http_server: opnsense.clone(),
+        dhcp_server: opnsense.clone(),
+        dns_server: opnsense.clone(),
+        control_plane: vec![
+            LogicalHost {
+                ip: ip!("192.168.33.20"),
+                name: "cp0".to_string(),
+            },
+            LogicalHost {
+                ip: ip!("192.168.33.21"),
+                name: "cp1".to_string(),
+            },
+            LogicalHost {
+                ip: ip!("192.168.33.22"),
+                name: "cp2".to_string(),
+            },
+        ],
+        bootstrap_host: LogicalHost {
+            ip: ip!("192.168.33.66"),
+            name: "bootstrap".to_string(),
+        },
+        workers: vec![
+            LogicalHost {
+                ip: ip!("192.168.33.30"),
+                name: "wk0".to_string(),
+            },
+            LogicalHost {
+                ip: ip!("192.168.33.31"),
+                name: "wk1".to_string(),
+            },
+            LogicalHost {
+                ip: ip!("192.168.33.32"),
+                name: "wk2".to_string(),
+            },
+        ],
+        switch: vec![],
+        node_exporter: opnsense.clone(),
+    };
+
+    let inventory = Inventory {
+        location: Location::new("I am mobile".to_string(), "earth".to_string()),
+        switch: SwitchGroup::from([]),
+        firewall_mgmt: Box::new(OPNSenseManagementInterface::new()),
+        storage_host: vec![],
+        worker_host: vec![
+            PhysicalHost::empty(HostCategory::Server)
+                .mac_address(mac_address!("C4:62:37:02:61:0F")),
+            PhysicalHost::empty(HostCategory::Server)
+                .mac_address(mac_address!("C4:62:37:02:61:26")),
+            PhysicalHost::empty(HostCategory::Server)
+                .mac_address(mac_address!("C4:62:37:02:61:70")),
+        ],
+        control_plane_host: vec![
+            PhysicalHost::empty(HostCategory::Server)
+                .mac_address(mac_address!("C4:62:37:02:60:FA")),
+            PhysicalHost::empty(HostCategory::Server)
+                .mac_address(mac_address!("C4:62:37:02:61:1A")),
+            PhysicalHost::empty(HostCategory::Server)
+                .mac_address(mac_address!("C4:62:37:01:BC:68")),
+        ],
+    };
+
+    let node_exporter_score = NodeExporterScore {};
+
+    harmony_cli::run(
+        inventory,
+        topology,
+        vec![Box::new(node_exporter_score)],
+        None,
+    )
+    .await
+    .unwrap();
+}
diff --git a/harmony/src/domain/topology/ha_cluster.rs b/harmony/src/domain/topology/ha_cluster.rs
index 7be2725..a3e650d 100644
--- a/harmony/src/domain/topology/ha_cluster.rs
+++ b/harmony/src/domain/topology/ha_cluster.rs
@@ -11,7 +11,6 @@ use kube::api::ObjectMeta;
 use log::debug;
 use log::info;
 
-use crate::data::FileContent;
 use crate::executors::ExecutorError;
 use crate::hardware::PhysicalHost;
 use crate::infra::brocade::BrocadeSwitchAuth;
@@ -21,6 +20,7 @@ use crate::modules::okd::crd::{
     nmstate::{self, NMState, NodeNetworkConfigurationPolicy, NodeNetworkConfigurationPolicySpec},
 };
 use crate::topology::PxeOptions;
+use crate::{data::FileContent, topology::node_exporter::NodeExporter};
 
 use super::{
     DHCPStaticEntry, DhcpServer, DnsRecord, DnsRecordType, DnsServer, Firewall, HostNetworkConfig,
@@ -43,6 +43,7 @@ pub struct HAClusterTopology {
     pub tftp_server: Arc<dyn TftpServer>,
     pub http_server: Arc<dyn HttpServer>,
     pub dns_server: Arc<dyn DnsServer>,
+    pub node_exporter: Arc<dyn NodeExporter>,
     pub bootstrap_host: LogicalHost,
     pub control_plane: Vec<LogicalHost>,
     pub workers: Vec<LogicalHost>,
@@ -333,6 +334,7 @@ impl HAClusterTopology {
             tftp_server: dummy_infra.clone(),
             http_server: dummy_infra.clone(),
             dns_server: dummy_infra.clone(),
+            node_exporter: dummy_infra.clone(),
             bootstrap_host: dummy_host,
             control_plane: vec![],
             workers: vec![],
@@ -516,6 +518,23 @@ impl Switch for HAClusterTopology {
         self.configure_bond(host, &config).await?;
         self.configure_port_channel(host, &config).await
     }
+
+    //TODO add snmp here
+}
+
+#[async_trait]
+impl NodeExporter for HAClusterTopology {
+    async fn ensure_initialized(&self) -> Result<(), ExecutorError> {
+        self.node_exporter.ensure_initialized().await
+    }
+
+    async fn commit_config(&self) -> Result<(), ExecutorError> {
+        self.node_exporter.commit_config().await
+    }
+
+    async fn reload_restart(&self) -> Result<(), ExecutorError> {
+        self.node_exporter.reload_restart().await
+    }
 }
 
 #[derive(Debug)]
@@ -704,3 +723,18 @@ impl DnsServer for DummyInfra {
         unimplemented!("{}", UNIMPLEMENTED_DUMMY_INFRA)
     }
 }
+
+#[async_trait]
+impl NodeExporter for DummyInfra {
+    async fn ensure_initialized(&self) -> Result<(), ExecutorError> {
+        unimplemented!("{}", UNIMPLEMENTED_DUMMY_INFRA)
+    }
+
+    async fn commit_config(&self) -> Result<(), ExecutorError> {
+        unimplemented!("{}", UNIMPLEMENTED_DUMMY_INFRA)
+    }
+
+    async fn reload_restart(&self) -> Result<(), ExecutorError> {
+        unimplemented!("{}", UNIMPLEMENTED_DUMMY_INFRA)
+    }
+}
diff --git a/harmony/src/domain/topology/node_exporter.rs b/harmony/src/domain/topology/node_exporter.rs
new file mode 100644
index 0000000..88e3cc9
--- /dev/null
+++ b/harmony/src/domain/topology/node_exporter.rs
@@ -0,0 +1,17 @@
+use async_trait::async_trait;
+
+use crate::executors::ExecutorError;
+
+#[async_trait]
+pub trait NodeExporter: Send + Sync {
+    async fn ensure_initialized(&self) -> Result<(), ExecutorError>;
+    async fn commit_config(&self) -> Result<(), ExecutorError>;
+    async fn reload_restart(&self) -> Result<(), ExecutorError>;
+}
+
+//TODO complete this impl
+impl std::fmt::Debug for dyn NodeExporter {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        f.write_fmt(format_args!("NodeExporter ",))
+    }
+}

From 008b03f979561da8652ac32154aea89e9d642852 Mon Sep 17 00:00:00 2001
From: Willem <wrolleman@nationtech.io>
Date: Thu, 23 Oct 2025 14:56:07 -0400
Subject: [PATCH 13/51] fix: changed documentation language to english

---
 docs/doc-clone-and-restore-coreos.md        | 127 ++++++++++++++++++++
 docs/doc-clone-et-restaure-disque-coreos.md | 117 ------------------
 2 files changed, 127 insertions(+), 117 deletions(-)
 create mode 100644 docs/doc-clone-and-restore-coreos.md
 delete mode 100644 docs/doc-clone-et-restaure-disque-coreos.md

diff --git a/docs/doc-clone-and-restore-coreos.md b/docs/doc-clone-and-restore-coreos.md
new file mode 100644
index 0000000..9b392ed
--- /dev/null
+++ b/docs/doc-clone-and-restore-coreos.md
@@ -0,0 +1,127 @@
+## Working procedure to clone and restore CoreOS disk from OKD Cluster
+
+### **Step 1 - take a backup**
+```
+sudo dd if=/dev/old of=/dev/backup status=progress 
+```
+
+### **Step 2 - clone beginning of old disk to new**
+```
+sudo dd if=/dev/old of=/dev/backup status=progress count=1000Mib
+```
+
+### **Step 3 - verify and modify disk partitions**
+list disk partitions
+```
+sgdisk -p /dev/new
+```
+if new disk is smaller than old disk and there is space on the xfs partition of the old disk, modify partitions of new disk
+```
+gdisk /dev/new
+```
+inside of gdisk commands
+```
+-v -> verify table
+-p -> print table
+-d -> select partition to delete partition
+-n -> recreate partition with same partition number as deleted partition
+```
+For end sector, either specify the new end or just press Enter for maximum available 
+When asked about partition type, enter the same type code (it will show the old one) 
+```
+p - >to verify 
+w -> to write
+```
+make xfs file system for new partition <new4>
+```
+sudo mkfs.xfs -f /dev/new4
+```
+
+### **Step 4 - copy old PARTUUID **
+
+**careful here**
+get old patuuid:
+```
+sgdisk -i <partition_number> /dev/old_disk  # Note the "Partition unique GUID"
+```
+get labels
+```
+sgdisk -p /dev/old_disk  # Shows partition names in the table
+
+blkid /dev/old_disk*  # Shows PARTUUIDs and labels for all partitions
+```
+set it on new disk
+```
+sgdisk -u <partition_number>:<old_partuuid> /dev/sdc
+```
+partition name:
+```
+sgdisk -c <partition_number>:"<old_name>" /dev/sdc
+```
+verify all:
+```
+lsblk -o NAME,SIZE,PARTUUID,PARTLABEL /dev/old_disk
+```
+
+### **Step 5 - Mount disks and copy files from old to new disk**
+
+mount files before copy:
+
+```
+mkdir -p /mnt/new
+mkdir -p /mnt/old
+mount /dev/old4 /mnt/old
+mount /dev/new4 /mnt/new
+```
+copy:
+```
+rsync -aAXHv --numeric-ids /source/ /destination/
+```
+
+### **Step 6 - Set correct UUID for new partition 4**
+to set correct uuid for partition 4
+```
+blkid /dev/old4
+```
+```
+xfs_admin -U <old_uuid> /dev/new_partition
+```
+to set labels
+get it 
+```
+sgdisk -i 4 /dev/sda | grep "Partition name"
+```
+set it
+```
+sgdisk -c 4:"<label_name>" /dev/sdc
+
+or
+
+(check existing with xfs_admin -l /dev/old_partition)
+Use xfs_admin -L <label> /dev/new_partition 
+```
+
+### **Step 7 - Verify**
+
+verify everything:
+```
+sgdisk -p /dev/sda  # Old disk
+sgdisk -p /dev/sdc  # New disk
+```
+```
+lsblk -o NAME,SIZE,PARTUUID,PARTLABEL /dev/sda
+lsblk -o NAME,SIZE,PARTUUID,PARTLABEL /dev/sdc
+```
+```
+blkid /dev/sda* | grep UUID=
+blkid /dev/sdc* | grep UUID=
+```
+
+## **Step 8 - Unmount devices and Finalize job**
+unmount old devices
+```
+umount /mnt/new
+umount /mnt/old
+```
+
+shutdown swap disk and verify it worked
diff --git a/docs/doc-clone-et-restaure-disque-coreos.md b/docs/doc-clone-et-restaure-disque-coreos.md
deleted file mode 100644
index b1e9108..0000000
--- a/docs/doc-clone-et-restaure-disque-coreos.md
+++ /dev/null
@@ -1,117 +0,0 @@
-1. ### **Procédure de clonage et de restauration d’un disque CoreOS / Fedora OKD**
-   Ce processus décrit les étapes pour copier un disque système défectueux sur un nouveau disque d’entreprise, en conservant les **GUID**, **labels**, et **UUID** d’origine pour assurer la compatibilité avec le système CoreOS/OKD.
-
-1. ### **Étape 1 — Sauvegarde initiale**
-   Avant toute manipulation, **sauvegardez vos données**.\
-   Ensuite, clonez le disque d’origine vers le nouveau :
-
-   sudo dd if=/dev/old of=/dev/new bs=64K status=progress count=1000Mib
-
-1. ### **Étape 2 — Vérification et modification des partitions**
-   Afficher la table des partitions du nouveau disque :
-
-   sgdisk -p /dev/new
-
-   Modifier les partitions (si nécessaire) :
-
-   gdisk /dev/new
-
-   Dans gdisk, utiliser :
-
-- v → vérifier la table
-- p → afficher la table
-- d → supprimer une partition
-- n → recréer la partition (même numéro et type)
-  - Pour le **secteur de fin**, appuyer sur **Entrée** pour utiliser l’espace maximal.
-- w → écrire les changements
-
-Créer le système de fichiers XFS sur la nouvelle partition (ex. partition 4) :
-
-sudo mkfs.xfs -f /dev/new4
-
-1. ### **Étape 3 — Récupération des identifiants de l’ancien disque**
-   Obtenir le **GUID de partition** d’origine :
-
-   sgdisk -i <numéro\_partition> /dev/old\_disk
-
-   Lister les labels et les PARTUUIDs :
-
-   sgdisk -p /dev/old\_disk
-
-   blkid /dev/old\_disk\*
-
-1. ### **Étape 4 — Appliquer les anciens identifiants sur le nouveau disque**
-   Définir le même **PARTUUID** :
-
-   sgdisk -u <numéro\_partition>:<old\_partuuid> /dev/new
-
-   Définir le même **nom de partition** :
-
-   sgdisk -c <numéro\_partition>:"<old\_label>" /dev/new
-
-   Vérifier :
-
-   lsblk -o NAME,SIZE,PARTUUID,PARTLABEL /dev/old\_disk
-
-   lsblk -o NAME,SIZE,PARTUUID,PARTLABEL /dev/new
-
-1. ### **Étape 5 — Copier les données**
-   Monter les partitions avant la copie :
-
-   mkdir -p /mnt/old /mnt/new
-
-   mount /dev/old4 /mnt/old
-
-   mount /dev/new4 /mnt/new
-
-   Copier les données :
-
-   rsync -aAXHv --numeric-ids /mnt/old/ /mnt/new/
-
-1. ### **Étape 6 — Restaurer UUID et labels**
-   Obtenir l’ancien UUID :
-
-   blkid /dev/old4
-
-   Le définir sur la nouvelle partition :
-
-   sudo xfs\_admin -U <old\_uuid> /dev/new4
-
-   Vérifier et copier le **label** :
-
-   sgdisk -i 4 /dev/old\_disk | grep "Partition name"
-
-   sudo xfs\_admin -L <label\_name> /dev/new4
-
-1. ### **Étape 7 — Validation**
-   Comparer les deux disques :
-
-   sgdisk -p /dev/old\_disk
-
-   sgdisk -p /dev/new
-
-   lsblk -o NAME,SIZE,PARTUUID,PARTLABEL /dev/old\_disk
-
-   lsblk -o NAME,SIZE,PARTUUID,PARTLABEL /dev/new
-
-   blkid /dev/old\_disk\* | grep UUID=
-
-   blkid /dev/new\* | grep UUID=
-
-1. ### **Étape 8 — Finalisation**
-   Démonter les partitions :
-
-   umount /mnt/new
-
-   umount /mnt/old
-
-   Éteindre, **échanger les disques**, et vérifier le démarrage :
-
-1. Éteindre la machine.
-1. Retirer le disque défectueux.
-1. Définir le nouveau disque comme disque de démarrage principal dans le BIOS.
-1. Redémarrer et confirmer que le système démarre correctement.
-
-**Résultat attendu :**\
-Le nouveau disque est une copie fonctionnelle de l’ancien, avec partitions, labels, et UUID identiques. Aucun réajustement GRUB ni réinstallation n’est nécessaire pour Fedora CoreOS/OKD.
-

From 1802b10ddf5f7b1ed0766ac0a05c5a009ca88c47 Mon Sep 17 00:00:00 2001
From: Willem <wrolleman@nationtech.io>
Date: Thu, 23 Oct 2025 15:31:45 -0400
Subject: [PATCH 14/51] fix:translated documentaion notes into English

---
 docs/doc-remove-worker-flag.md | 82 +++++++++++++++++-----------------
 1 file changed, 40 insertions(+), 42 deletions(-)

diff --git a/docs/doc-remove-worker-flag.md b/docs/doc-remove-worker-flag.md
index bdb45a7..5f88812 100644
--- a/docs/doc-remove-worker-flag.md
+++ b/docs/doc-remove-worker-flag.md
@@ -1,58 +1,56 @@
-1. ### **Titre : Retrait du flag *worker* sur les control planes (UPI)**
+## **Remove Worker flag from OKD Control Planes** 
 
-1. ### **Contexte**
-   Dans certaines installations OpenShift UPI, les nodes de control plane (masters) héritent par erreur du label worker (node-role.kubernetes.io/worker).\
-   Cela provoque la planification de workloads non critiques (par ex. routers, Ceph pods, etc.) sur les control planes, ce qui compromet la stabilité et la séparation des rôles.
+### **Context**
+On OKD user provisioned infrastructure the control plane nodes can have the flag node-role.kubernetes.io/worker which allows non critical workloads to be scheduled on the control-planes
 
-1. ### **Symptômes observés**
-- Apres avoir ajouté des serveur dans HAProxy, tous les serveurs backend (wk0, wk1, wk2) apparaissent en état DOWN.\
-  Le trafic HTTP/HTTPS est redirigé vers les control planes au lieu des workers.
-- Les pods router-default sont déployés sur cp1 et cp2 plutôt que sur les workers.
-- Sur les masters, la commande suivante montre une écoute sur le port 80 :
+### **Observed Symptoms**
+- After adding HAProxy servers to the backend each back end appears down 
+- Traffic is redirected to the control planes instead of workers
+- The pods router-default are incorrectly applied on the control planes rather than on the workers
+- Pods are being scheduled on the control planes causing cluster instability
 
+```
   ss -tlnp | grep 80
+```
+- shows process haproxy  is listening at 0.0.0.0:80 on cps
+- same problem for port 443
+- In namespace rook-ceph certain pods are deploted on cps rather than on worker nodes
 
-  -> processus haproxy en écoute sur 0.0.0.0:80
-
-  -> meme chose pour port 443
-
-- Dans le namespace rook-ceph, certains pods (mon, mgr, operator) ne se planifient pas, sont aussi deployé sur les cp au lieu des worker nodes :
-
-1. ### **Cause**
-   En installation UPI, les rôles (master, worker) ne sont pas gérés par le Machine Config Operator (MCO).\
-   Les controls planes sont schedulable par default. Qui amene les trois roles, worker, master et control-plane.
-
-1. ### **Diagnostic**
-1. Vérifier les labels du node :
+ ### **Cause**
+ - when intalling UPI, the roles (master, worker) are not managed by the Machine Config operator and the cps are made schedulable by default.
 
+ ### **Diagnostic**
+check node labels:
+```
    oc get nodes --show-labels | grep control-plane
+```
+Inspecter kubelet configuration:
 
-1. Inspecter la configuration du kubelet :
-
-   cat /etc/systemd/system/kubelet.service
-
-   Rechercher la ligne :
+```
+cat /etc/systemd/system/kubelet.service
+```
 
+find the line:
+```
    --node-labels=node-role.kubernetes.io/control-plane,node-role.kubernetes.io/master,node-role.kubernetes.io/worker
+```
+   → presence of label worker confirms the problem.
 
-   → présence du label worker confirme le problème.
-
-1. Vérifier que ce flag ne provient pas du MCO :
-
+Verify the flag doesnt come from MCO
+```
    oc get machineconfig | grep rendered-master
+```
 
-**Solution:**\
-Pour rendre les **control planes non planifiables** (c’est-à-dire empêcher tout déploiement de workloads dessus), il faut appliquer le patch suivant sur la ressource scheduler du cluster :\
-\```	
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-oc patch scheduler cluster --type merge -p '{"spec":{"mastersSchedulable":false}}'\
-\```\
-Cette commande **désactive la planification sur les masters** et **supprime efficacement le rôle worker** de leurs fonctions.
+**Solution:**
+To make the control planes non schedulable you must patch the cluster scheduler resource
 
-Une fois le patch appliqué, il faut **déplacer les workloads** encore présents sur les control planes vers les **workers** à l’aide des commandes :
+```	
+oc patch scheduler cluster --type merge -p '{"spec":{"mastersSchedulable":false}}'
+```
+after the patch is applied the workloads can be deplaced by draining the nodes
 
-\```\
-oc adm cordon <cp-node>\
-oc adm drain <cp-node> --ignore-daemonsets –delete-emptydir-data\
-\```
+```
+oc adm cordon <cp-node>
+oc adm drain <cp-node> --ignore-daemonsets –delete-emptydir-data
+```
 

From 609d7acb5d888a3c949159fd94d889eb94f9a0eb Mon Sep 17 00:00:00 2001
From: Jean-Gabriel Gill-Couture <jg@nationtech.io>
Date: Fri, 24 Oct 2025 11:39:27 -0400
Subject: [PATCH 15/51] feat: impl clone_box for ScrapeTarget<CRDPrometheus>

---
 harmony/src/domain/topology/oberservability/monitoring.rs | 1 +
 .../application_monitoring_score.rs                       | 3 ++-
 .../kube_prometheus/crd/crd_alertmanager_config.rs        | 8 +++++++-
 harmony/src/modules/monitoring/scrape_target/server.rs    | 4 ++++
 4 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/harmony/src/domain/topology/oberservability/monitoring.rs b/harmony/src/domain/topology/oberservability/monitoring.rs
index 951d061..6d7411c 100644
--- a/harmony/src/domain/topology/oberservability/monitoring.rs
+++ b/harmony/src/domain/topology/oberservability/monitoring.rs
@@ -87,4 +87,5 @@ pub trait AlertRule<S: AlertSender>: std::fmt::Debug + Send + Sync {
 #[async_trait]
 pub trait ScrapeTarget<S: AlertSender>: std::fmt::Debug + Send + Sync {
     async fn install(&self, sender: &S) -> Result<Outcome, InterpretError>;
+    fn clone_box(&self) -> Box<dyn ScrapeTarget<S>>;
 }
diff --git a/harmony/src/modules/monitoring/application_monitoring/application_monitoring_score.rs b/harmony/src/modules/monitoring/application_monitoring/application_monitoring_score.rs
index 0f6e0ec..8f6b624 100644
--- a/harmony/src/modules/monitoring/application_monitoring/application_monitoring_score.rs
+++ b/harmony/src/modules/monitoring/application_monitoring/application_monitoring_score.rs
@@ -15,7 +15,7 @@ use crate::{
     score::Score,
     topology::{
         K8sclient, Topology,
-        oberservability::monitoring::{AlertReceiver, AlertingInterpret},
+        oberservability::monitoring::{AlertReceiver, AlertingInterpret, ScrapeTarget},
     },
 };
 
@@ -35,6 +35,7 @@ impl<T: Topology + PrometheusMonitoring<CRDPrometheus> + K8sclient + Grafana> Sc
             sender: self.sender.clone(),
             receivers: self.receivers.clone(),
             rules: vec![],
+            scrape_targets: None,
         })
     }
 
diff --git a/harmony/src/modules/monitoring/kube_prometheus/crd/crd_alertmanager_config.rs b/harmony/src/modules/monitoring/kube_prometheus/crd/crd_alertmanager_config.rs
index ceeca41..88ec745 100644
--- a/harmony/src/modules/monitoring/kube_prometheus/crd/crd_alertmanager_config.rs
+++ b/harmony/src/modules/monitoring/kube_prometheus/crd/crd_alertmanager_config.rs
@@ -18,7 +18,7 @@ use crate::{
         K8sclient, Topology,
         installable::Installable,
         k8s::K8sClient,
-        oberservability::monitoring::{AlertReceiver, AlertSender},
+        oberservability::monitoring::{AlertReceiver, AlertSender, ScrapeTarget},
     },
 };
 
@@ -54,6 +54,12 @@ impl Clone for Box<dyn AlertReceiver<CRDPrometheus>> {
     }
 }
 
+impl Clone for Box<dyn ScrapeTarget<CRDPrometheus>> {
+    fn clone(&self) -> Self {
+        self.clone_box()
+    }
+}
+
 impl Serialize for Box<dyn AlertReceiver<CRDPrometheus>> {
     fn serialize<S>(&self, _serializer: S) -> Result<S::Ok, S::Error>
     where
diff --git a/harmony/src/modules/monitoring/scrape_target/server.rs b/harmony/src/modules/monitoring/scrape_target/server.rs
index ba41f49..178e914 100644
--- a/harmony/src/modules/monitoring/scrape_target/server.rs
+++ b/harmony/src/modules/monitoring/scrape_target/server.rs
@@ -73,4 +73,8 @@ impl ScrapeTarget<CRDPrometheus> for Server {
             self.name.clone()
         )))
     }
+
+    fn clone_box(&self) -> Box<dyn ScrapeTarget<CRDPrometheus>> {
+        Box::new(self.clone())
+    }
 }

From 44bf21718c3223f68c1d60f8dc75019102be2322 Mon Sep 17 00:00:00 2001
From: Willem <wrolleman@nationtech.io>
Date: Tue, 28 Oct 2025 14:41:15 -0400
Subject: [PATCH 16/51] wip: example score with impl topolgy for opnsense
 topology

---
 examples/opnsense_node_exporter/Cargo.toml  |   1 +
 examples/opnsense_node_exporter/src/main.rs | 111 +++++++-------------
 harmony/src/infra/opnsense/node_exporter.rs |   2 +-
 opnsense-config-xml/src/data/opnsense.rs    |  34 +++---
 4 files changed, 58 insertions(+), 90 deletions(-)

diff --git a/examples/opnsense_node_exporter/Cargo.toml b/examples/opnsense_node_exporter/Cargo.toml
index 957bdd9..5cc5c10 100644
--- a/examples/opnsense_node_exporter/Cargo.toml
+++ b/examples/opnsense_node_exporter/Cargo.toml
@@ -18,3 +18,4 @@ log = { workspace = true }
 env_logger = { workspace = true }
 url = { workspace = true }
 serde.workspace = true
+async-trait.workspace = true
diff --git a/examples/opnsense_node_exporter/src/main.rs b/examples/opnsense_node_exporter/src/main.rs
index 4f1219d..15664ab 100644
--- a/examples/opnsense_node_exporter/src/main.rs
+++ b/examples/opnsense_node_exporter/src/main.rs
@@ -3,99 +3,66 @@ use std::{
     sync::Arc,
 };
 
+use async_trait::async_trait;
 use cidr::Ipv4Cidr;
 use harmony::{
+    executors::ExecutorError,
     hardware::{HostCategory, Location, PhysicalHost, SwitchGroup},
     infra::opnsense::OPNSenseManagementInterface,
     inventory::Inventory,
     modules::opnsense::node_exporter::NodeExporterScore,
-    topology::{HAClusterTopology, LogicalHost, UnmanagedRouter},
+    topology::{
+        HAClusterTopology, LogicalHost, PreparationError, PreparationOutcome, Topology,
+        UnmanagedRouter, node_exporter::NodeExporter,
+    },
 };
 use harmony_macros::{ip, ipv4, mac_address};
 
+struct OpnSenseTopology {
+    node_exporter: Arc<dyn NodeExporter>,
+}
+
+#[async_trait]
+impl Topology for OpnSenseTopology {
+    async fn ensure_ready(&self) -> Result<PreparationOutcome, PreparationError> {
+        Ok(PreparationOutcome::Success{ details: "Success".to_string() })
+    }
+    fn name(&self) -> &str {
+        "OpnsenseTopology"
+    }
+}
+
+#[async_trait]
+impl NodeExporter for OpnSenseTopology {
+    async fn ensure_initialized(&self) -> Result<(), ExecutorError> {
+        self.node_exporter.ensure_initialized().await
+    }
+
+    async fn commit_config(&self) -> Result<(), ExecutorError> {
+        self.node_exporter.commit_config().await
+    }
+
+    async fn reload_restart(&self) -> Result<(), ExecutorError> {
+        self.node_exporter.reload_restart().await
+    }
+}
+
 #[tokio::main]
 async fn main() {
     let firewall = harmony::topology::LogicalHost {
-        ip: ip!("192.168.33.1"),
+        ip: ip!("192.168.1.1"),
         name: String::from("fw0"),
     };
 
     let opnsense = Arc::new(
         harmony::infra::opnsense::OPNSenseFirewall::new(firewall, None, "root", "opnsense").await,
     );
-    let lan_subnet = Ipv4Addr::new(192, 168, 33, 0);
-    let gateway_ipv4 = Ipv4Addr::new(192, 168, 33, 1);
-    let gateway_ip = IpAddr::V4(gateway_ipv4);
-    let topology = harmony::topology::HAClusterTopology {
-        domain_name: "ncd0.harmony.mcd".to_string(),
-        router: Arc::new(UnmanagedRouter::new(
-            gateway_ip,
-            Ipv4Cidr::new(lan_subnet, 24).unwrap(),
-        )),
-        load_balancer: opnsense.clone(),
-        firewall: opnsense.clone(),
-        tftp_server: opnsense.clone(),
-        http_server: opnsense.clone(),
-        dhcp_server: opnsense.clone(),
-        dns_server: opnsense.clone(),
-        control_plane: vec![
-            LogicalHost {
-                ip: ip!("192.168.33.20"),
-                name: "cp0".to_string(),
-            },
-            LogicalHost {
-                ip: ip!("192.168.33.21"),
-                name: "cp1".to_string(),
-            },
-            LogicalHost {
-                ip: ip!("192.168.33.22"),
-                name: "cp2".to_string(),
-            },
-        ],
-        bootstrap_host: LogicalHost {
-            ip: ip!("192.168.33.66"),
-            name: "bootstrap".to_string(),
-        },
-        workers: vec![
-            LogicalHost {
-                ip: ip!("192.168.33.30"),
-                name: "wk0".to_string(),
-            },
-            LogicalHost {
-                ip: ip!("192.168.33.31"),
-                name: "wk1".to_string(),
-            },
-            LogicalHost {
-                ip: ip!("192.168.33.32"),
-                name: "wk2".to_string(),
-            },
-        ],
-        switch: vec![],
+
+    let topology = OpnSenseTopology {
         node_exporter: opnsense.clone(),
     };
 
-    let inventory = Inventory {
-        location: Location::new("I am mobile".to_string(), "earth".to_string()),
-        switch: SwitchGroup::from([]),
-        firewall_mgmt: Box::new(OPNSenseManagementInterface::new()),
-        storage_host: vec![],
-        worker_host: vec![
-            PhysicalHost::empty(HostCategory::Server)
-                .mac_address(mac_address!("C4:62:37:02:61:0F")),
-            PhysicalHost::empty(HostCategory::Server)
-                .mac_address(mac_address!("C4:62:37:02:61:26")),
-            PhysicalHost::empty(HostCategory::Server)
-                .mac_address(mac_address!("C4:62:37:02:61:70")),
-        ],
-        control_plane_host: vec![
-            PhysicalHost::empty(HostCategory::Server)
-                .mac_address(mac_address!("C4:62:37:02:60:FA")),
-            PhysicalHost::empty(HostCategory::Server)
-                .mac_address(mac_address!("C4:62:37:02:61:1A")),
-            PhysicalHost::empty(HostCategory::Server)
-                .mac_address(mac_address!("C4:62:37:01:BC:68")),
-        ],
-    };
+    let inventory = Inventory::empty();
 
     let node_exporter_score = NodeExporterScore {};
 
diff --git a/harmony/src/infra/opnsense/node_exporter.rs b/harmony/src/infra/opnsense/node_exporter.rs
index 2c27b26..3a16ffc 100644
--- a/harmony/src/infra/opnsense/node_exporter.rs
+++ b/harmony/src/infra/opnsense/node_exporter.rs
@@ -25,7 +25,7 @@ impl NodeExporter for OPNSenseFirewall {
                     })?;
         }
 
-        config.node_exporter().enable(true);
+        config.node_exporter().enable(true).map_err(|e|ExecutorError::UnexpectedError(e.to_string()))?;
         Ok(())
     }
     async fn commit_config(&self) -> Result<(), ExecutorError> {
diff --git a/opnsense-config-xml/src/data/opnsense.rs b/opnsense-config-xml/src/data/opnsense.rs
index 4b384d4..a4bba5e 100644
--- a/opnsense-config-xml/src/data/opnsense.rs
+++ b/opnsense-config-xml/src/data/opnsense.rs
@@ -17,7 +17,7 @@ pub struct OPNsense {
     pub interfaces: NamedList<Interface>,
     pub dhcpd: NamedList<DhcpInterface>,
     pub snmpd: Snmpd,
-    pub syslog: Syslog,
+    pub syslog: Option<Syslog>,
     pub nat: Nat,
     pub filter: Filters,
     pub load_balancer: Option<LoadBalancer>,
@@ -190,7 +190,7 @@ pub struct System {
     pub webgui: WebGui,
     pub usevirtualterminal: u8,
     pub disablenatreflection: Option<String>,
-    pub disableconsolemenu: u8,
+    pub disableconsolemenu: Option<u8>,
     pub disablevlanhwfilter: u8,
     pub disablechecksumoffloading: u8,
     pub disablesegmentationoffloading: u8,
@@ -216,7 +216,7 @@ pub struct System {
     pub maximumfrags: Option<MaybeString>,
     pub aliasesresolveinterval: Option<MaybeString>,
     pub maximumtableentries: Option<MaybeString>,
-    pub language: String,
+    pub language: Option<String>,
     pub dnsserver: Option<MaybeString>,
     pub dns1gw: Option<String>,
     pub dns2gw: Option<String>,
@@ -233,16 +233,16 @@ pub struct System {
 #[derive(Default, PartialEq, Debug, YaSerialize, YaDeserialize)]
 pub struct Ssh {
     pub group: String,
-    pub noauto: u8,
-    pub interfaces: MaybeString,
-    pub kex: MaybeString,
-    pub ciphers: MaybeString,
-    pub macs: MaybeString,
-    pub keys: MaybeString,
-    pub enabled: String,
-    pub passwordauth: u8,
-    pub keysig: MaybeString,
-    pub permitrootlogin: u8,
+    pub noauto: Option<u8>,
+    pub interfaces: Option<MaybeString>,
+    pub kex: Option<MaybeString>,
+    pub ciphers: Option<MaybeString>,
+    pub macs: Option<MaybeString>,
+    pub keys: Option<MaybeString>,
+    pub enabled: Option<String>,
+    pub passwordauth: Option<u8>,
+    pub keysig: Option<MaybeString>,
+    pub permitrootlogin: Option<u8>,
     pub rekeylimit: Option<MaybeString>,
 }
 
@@ -306,11 +306,11 @@ pub struct WebGui {
     pub protocol: String,
     #[yaserde(rename = "ssl-certref")]
     pub ssl_certref: String,
-    pub port: MaybeString,
+    pub port: Option<MaybeString>,
     #[yaserde(rename = "ssl-ciphers")]
-    pub ssl_ciphers: MaybeString,
-    pub interfaces: MaybeString,
-    pub compression: MaybeString,
+    pub ssl_ciphers: Option<MaybeString>,
+    pub interfaces: Option<MaybeString>,
+    pub compression: Option<MaybeString>,
     pub nohttpreferercheck: Option<u8>,
 }
 

From 9ba939bde1db671e7caf6e78be500cb4f847f510 Mon Sep 17 00:00:00 2001
From: Willem <wrolleman@nationtech.io>
Date: Tue, 28 Oct 2025 15:45:02 -0400
Subject: [PATCH 17/51] wip: cargo fmt

---
 examples/opnsense_node_exporter/src/main.rs | 4 +++-
 harmony/src/infra/opnsense/node_exporter.rs | 5 ++++-
 opnsense-config/src/config/config.rs        | 1 +
 3 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/examples/opnsense_node_exporter/src/main.rs b/examples/opnsense_node_exporter/src/main.rs
index 15664ab..4b16841 100644
--- a/examples/opnsense_node_exporter/src/main.rs
+++ b/examples/opnsense_node_exporter/src/main.rs
@@ -25,7 +25,9 @@ struct OpnSenseTopology {
 #[async_trait]
 impl Topology for OpnSenseTopology {
     async fn ensure_ready(&self) -> Result<PreparationOutcome, PreparationError> {
-        Ok(PreparationOutcome::Success{ details: "Success".to_string() })
+        Ok(PreparationOutcome::Success {
+            details: "Success".to_string(),
+        })
     }
     fn name(&self) -> &str {
         "OpnsenseTopology"
diff --git a/harmony/src/infra/opnsense/node_exporter.rs b/harmony/src/infra/opnsense/node_exporter.rs
index 3a16ffc..97d2a09 100644
--- a/harmony/src/infra/opnsense/node_exporter.rs
+++ b/harmony/src/infra/opnsense/node_exporter.rs
@@ -25,7 +25,10 @@ impl NodeExporter for OPNSenseFirewall {
                     })?;
         }
 
-        config.node_exporter().enable(true).map_err(|e|ExecutorError::UnexpectedError(e.to_string()))?;
+        config
+            .node_exporter()
+            .enable(true)
+            .map_err(|e| ExecutorError::UnexpectedError(e.to_string()))?;
         Ok(())
     }
     async fn commit_config(&self) -> Result<(), ExecutorError> {
diff --git a/opnsense-config/src/config/config.rs b/opnsense-config/src/config/config.rs
index 30240e4..236a89e 100644
--- a/opnsense-config/src/config/config.rs
+++ b/opnsense-config/src/config/config.rs
@@ -14,6 +14,7 @@ use opnsense_config_xml::OPNsense;
 use russh::client;
 use serde::Serialize;
 use sha2::Digest;
+use tokio::time::{sleep, Duration};
 
 use super::{ConfigManager, OPNsenseShell};
 

From c80ede706b4a71d23898dfe8e1411ebfc76db10a Mon Sep 17 00:00:00 2001
From: Ian Letourneau <ian@noma.to>
Date: Wed, 29 Oct 2025 17:09:16 +0000
Subject: [PATCH 18/51] fix(host_network): adjust bond & port-channel
 configuration (partial) (#175)

## Description
* Replace the CatalogSource approach to install the OperatorHub.io catalog by a more simple & straightforward way to install NMState
* Improve logging
* Add report summarizing the host network configuration that was applied (which host, bonds, port-channels)
* Fix command to find next available port channel id

## Extra info
Using the `apply_url` approach to install the NMState operator isn't the best approach: it's harder to maintain and upgrade. But it helps us achieve waht we wanted for now: install the NMState Operator to configure bonds on a host.

The preferred approach, installing an operator from the OperatorHub.io catalog, didn't work for now. We had a timeout error with DeadlineExceeded probably caused by an insufficient CPU/Memory allocation to query such a big catalog, even though we tweaked the RAM allocation (we couldn't find a way to do it for CPU).

Spent too much time on this so we stopped these efforts for now. It would be good to get back to it when we need to install something else from a custom catalog.

Reviewed-on: https://git.nationtech.io/NationTech/harmony/pulls/175
---
 brocade/src/lib.rs                            |   2 +
 brocade/src/network_operating_system.rs       |  44 ++++-
 brocade/src/shell.rs                          |   8 +-
 examples/nanodc/src/main.rs                   |   1 +
 examples/okd_installation/src/topology.rs     |   1 +
 examples/okd_pxe/src/topology.rs              |   1 +
 examples/opnsense/src/main.rs                 |   1 +
 harmony/src/domain/topology/ha_cluster.rs     | 156 ++++++++----------
 harmony/src/domain/topology/k8s.rs            | 114 ++++++++++---
 harmony/src/domain/topology/k8s_anywhere.rs   |   6 +-
 harmony/src/domain/topology/network.rs        |   8 +-
 harmony/src/infra/inventory/mod.rs            |   2 +-
 harmony/src/modules/k8s/resource.rs           |   6 +-
 harmony/src/modules/monitoring/ntfy/ntfy.rs   |   6 +-
 .../modules/okd/bootstrap_03_control_plane.rs |  32 +---
 .../okd/bootstrap_persist_network_bond.rs     | 130 +++++++++++++++
 harmony/src/modules/okd/crd/mod.rs            |  40 -----
 harmony/src/modules/okd/crd/nmstate.rs        |  73 +++++++-
 harmony/src/modules/okd/host_network.rs       | 145 +++++++++++++---
 harmony/src/modules/okd/installation.rs       |   3 +-
 harmony/src/modules/okd/mod.rs                |   2 +
 harmony_cli/src/cli_reporter.rs               |   2 +-
 22 files changed, 551 insertions(+), 232 deletions(-)
 create mode 100644 harmony/src/modules/okd/bootstrap_persist_network_bond.rs

diff --git a/brocade/src/lib.rs b/brocade/src/lib.rs
index 57b464a..c0b5b70 100644
--- a/brocade/src/lib.rs
+++ b/brocade/src/lib.rs
@@ -31,6 +31,7 @@ pub struct BrocadeOptions {
 pub struct TimeoutConfig {
     pub shell_ready: Duration,
     pub command_execution: Duration,
+    pub command_output: Duration,
     pub cleanup: Duration,
     pub message_wait: Duration,
 }
@@ -40,6 +41,7 @@ impl Default for TimeoutConfig {
         Self {
             shell_ready: Duration::from_secs(10),
             command_execution: Duration::from_secs(60), // Commands like `deploy` (for a LAG) can take a while
+            command_output: Duration::from_secs(5), // Delay to start logging "waiting for command output"
             cleanup: Duration::from_secs(10),
             message_wait: Duration::from_millis(500),
         }
diff --git a/brocade/src/network_operating_system.rs b/brocade/src/network_operating_system.rs
index 0ee4a88..f4db713 100644
--- a/brocade/src/network_operating_system.rs
+++ b/brocade/src/network_operating_system.rs
@@ -3,6 +3,7 @@ use std::str::FromStr;
 use async_trait::async_trait;
 use harmony_types::switch::{PortDeclaration, PortLocation};
 use log::{debug, info};
+use regex::Regex;
 
 use crate::{
     BrocadeClient, BrocadeInfo, Error, ExecutionMode, InterSwitchLink, InterfaceInfo,
@@ -103,13 +104,37 @@ impl NetworkOperatingSystemClient {
         };
 
         Some(Ok(InterfaceInfo {
-            name: format!("{} {}", interface_type, port_location),
+            name: format!("{interface_type} {port_location}"),
             port_location,
             interface_type,
             operating_mode,
             status,
         }))
     }
+
+    fn map_configure_interfaces_error(&self, err: Error) -> Error {
+        debug!("[Brocade] {err}");
+
+        if let Error::CommandError(message) = &err {
+            if message.contains("switchport")
+                && message.contains("Cannot configure aggregator member")
+            {
+                let re = Regex::new(r"\(conf-if-([a-zA-Z]+)-([\d/]+)\)#").unwrap();
+
+                if let Some(caps) = re.captures(message) {
+                    let interface_type = &caps[1];
+                    let port_location = &caps[2];
+                    let interface = format!("{interface_type} {port_location}");
+
+                    return Error::CommandError(format!(
+                        "Cannot configure interface '{interface}', it is a member of a port-channel (LAG)"
+                    ));
+                }
+            }
+        }
+
+        err
+    }
 }
 
 #[async_trait]
@@ -197,11 +222,10 @@ impl BrocadeClient for NetworkOperatingSystemClient {
             commands.push("exit".into());
         }
 
-        commands.push("write memory".into());
-
         self.shell
             .run_commands(commands, ExecutionMode::Regular)
-            .await?;
+            .await
+            .map_err(|err| self.map_configure_interfaces_error(err))?;
 
         info!("[Brocade] Interfaces configured.");
 
@@ -213,7 +237,7 @@ impl BrocadeClient for NetworkOperatingSystemClient {
 
         let output = self
             .shell
-            .run_command("show port-channel", ExecutionMode::Regular)
+            .run_command("show port-channel summary", ExecutionMode::Regular)
             .await?;
 
         let used_ids: Vec<u8> = output
@@ -248,7 +272,12 @@ impl BrocadeClient for NetworkOperatingSystemClient {
         ports: &[PortLocation],
     ) -> Result<(), Error> {
         info!(
-            "[Brocade] Configuring port-channel '{channel_name} {channel_id}' with ports: {ports:?}"
+            "[Brocade] Configuring port-channel '{channel_id} {channel_name}' with ports: {}",
+            ports
+                .iter()
+                .map(|p| format!("{p}"))
+                .collect::<Vec<String>>()
+                .join(", ")
         );
 
         let interfaces = self.get_interfaces().await?;
@@ -276,8 +305,6 @@ impl BrocadeClient for NetworkOperatingSystemClient {
             commands.push("exit".into());
         }
 
-        commands.push("write memory".into());
-
         self.shell
             .run_commands(commands, ExecutionMode::Regular)
             .await?;
@@ -294,7 +321,6 @@ impl BrocadeClient for NetworkOperatingSystemClient {
             "configure terminal".into(),
             format!("no interface port-channel {}", channel_name),
             "exit".into(),
-            "write memory".into(),
         ];
 
         self.shell
diff --git a/brocade/src/shell.rs b/brocade/src/shell.rs
index 28eceb8..9cd94a9 100644
--- a/brocade/src/shell.rs
+++ b/brocade/src/shell.rs
@@ -211,7 +211,7 @@ impl BrocadeSession {
         let mut output = Vec::new();
         let start = Instant::now();
         let read_timeout = Duration::from_millis(500);
-        let log_interval = Duration::from_secs(3);
+        let log_interval = Duration::from_secs(5);
         let mut last_log = Instant::now();
 
         loop {
@@ -221,7 +221,9 @@ impl BrocadeSession {
                 ));
             }
 
-            if start.elapsed() > Duration::from_secs(5) && last_log.elapsed() > log_interval {
+            if start.elapsed() > self.options.timeouts.command_output
+                && last_log.elapsed() > log_interval
+            {
                 info!("[Brocade] Waiting for command output...");
                 last_log = Instant::now();
             }
@@ -276,7 +278,7 @@ impl BrocadeSession {
         let output_lower = output.to_lowercase();
         if ERROR_PATTERNS.iter().any(|&p| output_lower.contains(p)) {
             return Err(Error::CommandError(format!(
-                "Command '{command}' failed: {}",
+                "Command error: {}",
                 output.trim()
             )));
         }
diff --git a/examples/nanodc/src/main.rs b/examples/nanodc/src/main.rs
index d00503f..629a8dc 100644
--- a/examples/nanodc/src/main.rs
+++ b/examples/nanodc/src/main.rs
@@ -61,6 +61,7 @@ async fn main() {
     let gateway_ipv4 = Ipv4Addr::new(192, 168, 33, 1);
     let gateway_ip = IpAddr::V4(gateway_ipv4);
     let topology = harmony::topology::HAClusterTopology {
+        kubeconfig: None,
         domain_name: "ncd0.harmony.mcd".to_string(), // TODO this must be set manually correctly
         // when setting up the opnsense firewall
         router: Arc::new(UnmanagedRouter::new(
diff --git a/examples/okd_installation/src/topology.rs b/examples/okd_installation/src/topology.rs
index 617a3a8..ce89402 100644
--- a/examples/okd_installation/src/topology.rs
+++ b/examples/okd_installation/src/topology.rs
@@ -59,6 +59,7 @@ pub async fn get_topology() -> HAClusterTopology {
     let gateway_ipv4 = ipv4!("192.168.1.1");
     let gateway_ip = IpAddr::V4(gateway_ipv4);
     harmony::topology::HAClusterTopology {
+        kubeconfig: None,
         domain_name: "demo.harmony.mcd".to_string(),
         router: Arc::new(UnmanagedRouter::new(
             gateway_ip,
diff --git a/examples/okd_pxe/src/topology.rs b/examples/okd_pxe/src/topology.rs
index 0cf4b72..7c1244c 100644
--- a/examples/okd_pxe/src/topology.rs
+++ b/examples/okd_pxe/src/topology.rs
@@ -54,6 +54,7 @@ pub async fn get_topology() -> HAClusterTopology {
     let gateway_ipv4 = ipv4!("192.168.1.1");
     let gateway_ip = IpAddr::V4(gateway_ipv4);
     harmony::topology::HAClusterTopology {
+        kubeconfig: None,
         domain_name: "demo.harmony.mcd".to_string(),
         router: Arc::new(UnmanagedRouter::new(
             gateway_ip,
diff --git a/examples/opnsense/src/main.rs b/examples/opnsense/src/main.rs
index d03643b..4422f65 100644
--- a/examples/opnsense/src/main.rs
+++ b/examples/opnsense/src/main.rs
@@ -57,6 +57,7 @@ async fn main() {
     let gateway_ipv4 = Ipv4Addr::new(10, 100, 8, 1);
     let gateway_ip = IpAddr::V4(gateway_ipv4);
     let topology = harmony::topology::HAClusterTopology {
+        kubeconfig: None,
         domain_name: "demo.harmony.mcd".to_string(),
         router: Arc::new(UnmanagedRouter::new(
             gateway_ip,
diff --git a/harmony/src/domain/topology/ha_cluster.rs b/harmony/src/domain/topology/ha_cluster.rs
index 59787a1..d65d9aa 100644
--- a/harmony/src/domain/topology/ha_cluster.rs
+++ b/harmony/src/domain/topology/ha_cluster.rs
@@ -4,19 +4,16 @@ use harmony_types::{
     net::{MacAddress, Url},
     switch::PortLocation,
 };
-use k8s_openapi::api::core::v1::Namespace;
 use kube::api::ObjectMeta;
 use log::debug;
 use log::info;
 
-use crate::data::FileContent;
-use crate::executors::ExecutorError;
-use crate::hardware::PhysicalHost;
-use crate::modules::okd::crd::{
-    InstallPlanApproval, OperatorGroup, OperatorGroupSpec, Subscription, SubscriptionSpec,
-    nmstate::{self, NMState, NodeNetworkConfigurationPolicy, NodeNetworkConfigurationPolicySpec},
-};
+use crate::modules::okd::crd::nmstate::{self, NodeNetworkConfigurationPolicy};
 use crate::topology::PxeOptions;
+use crate::{data::FileContent, modules::okd::crd::nmstate::NMState};
+use crate::{
+    executors::ExecutorError, modules::okd::crd::nmstate::NodeNetworkConfigurationPolicySpec,
+};
 
 use super::{
     DHCPStaticEntry, DhcpServer, DnsRecord, DnsRecordType, DnsServer, Firewall, HostNetworkConfig,
@@ -42,6 +39,7 @@ pub struct HAClusterTopology {
     pub bootstrap_host: LogicalHost,
     pub control_plane: Vec<LogicalHost>,
     pub workers: Vec<LogicalHost>,
+    pub kubeconfig: Option<String>,
 }
 
 #[async_trait]
@@ -60,9 +58,17 @@ impl Topology for HAClusterTopology {
 #[async_trait]
 impl K8sclient for HAClusterTopology {
     async fn k8s_client(&self) -> Result<Arc<K8sClient>, String> {
-        Ok(Arc::new(
-            K8sClient::try_default().await.map_err(|e| e.to_string())?,
-        ))
+        match &self.kubeconfig {
+            None => Ok(Arc::new(
+                K8sClient::try_default().await.map_err(|e| e.to_string())?,
+            )),
+            Some(kubeconfig) => {
+                let Some(client) = K8sClient::from_kubeconfig(&kubeconfig).await else {
+                    return Err("Failed to create k8s client".to_string());
+                };
+                Ok(Arc::new(client))
+            }
+        }
     }
 }
 
@@ -88,60 +94,48 @@ impl HAClusterTopology {
     }
 
     async fn ensure_nmstate_operator_installed(&self) -> Result<(), String> {
-        // FIXME: Find a way to check nmstate is already available (get pod -n openshift-nmstate)
-        debug!("Installing NMState operator...");
         let k8s_client = self.k8s_client().await?;
 
-        let nmstate_namespace = Namespace {
-            metadata: ObjectMeta {
-                name: Some("openshift-nmstate".to_string()),
-                finalizers: Some(vec!["kubernetes".to_string()]),
-                ..Default::default()
-            },
-            ..Default::default()
-        };
-        debug!("Creating NMState namespace: {nmstate_namespace:#?}");
-        k8s_client
-            .apply(&nmstate_namespace, None)
+        debug!("Installing NMState controller...");
+        k8s_client.apply_url(url::Url::parse("https://github.com/nmstate/kubernetes-nmstate/releases/download/v0.84.0/nmstate.io_nmstates.yaml
+").unwrap(), Some("nmstate"))
             .await
             .map_err(|e| e.to_string())?;
 
-        let nmstate_operator_group = OperatorGroup {
-            metadata: ObjectMeta {
-                name: Some("openshift-nmstate".to_string()),
-                namespace: Some("openshift-nmstate".to_string()),
-                ..Default::default()
-            },
-            spec: OperatorGroupSpec {
-                target_namespaces: vec!["openshift-nmstate".to_string()],
-            },
-        };
-        debug!("Creating NMState operator group: {nmstate_operator_group:#?}");
-        k8s_client
-            .apply(&nmstate_operator_group, None)
+        debug!("Creating NMState namespace...");
+        k8s_client.apply_url(url::Url::parse("https://github.com/nmstate/kubernetes-nmstate/releases/download/v0.84.0/namespace.yaml
+").unwrap(), Some("nmstate"))
             .await
             .map_err(|e| e.to_string())?;
 
-        let nmstate_subscription = Subscription {
-            metadata: ObjectMeta {
-                name: Some("kubernetes-nmstate-operator".to_string()),
-                namespace: Some("openshift-nmstate".to_string()),
-                ..Default::default()
-            },
-            spec: SubscriptionSpec {
-                channel: Some("stable".to_string()),
-                install_plan_approval: Some(InstallPlanApproval::Automatic),
-                name: "kubernetes-nmstate-operator".to_string(),
-                source: "redhat-operators".to_string(),
-                source_namespace: "openshift-marketplace".to_string(),
-            },
-        };
-        debug!("Subscribing to NMState Operator: {nmstate_subscription:#?}");
-        k8s_client
-            .apply(&nmstate_subscription, None)
+        debug!("Creating NMState service account...");
+        k8s_client.apply_url(url::Url::parse("https://github.com/nmstate/kubernetes-nmstate/releases/download/v0.84.0/service_account.yaml
+").unwrap(), Some("nmstate"))
             .await
             .map_err(|e| e.to_string())?;
 
+        debug!("Creating NMState role...");
+        k8s_client.apply_url(url::Url::parse("https://github.com/nmstate/kubernetes-nmstate/releases/download/v0.84.0/role.yaml
+").unwrap(), Some("nmstate"))
+            .await
+            .map_err(|e| e.to_string())?;
+
+        debug!("Creating NMState role binding...");
+        k8s_client.apply_url(url::Url::parse("https://github.com/nmstate/kubernetes-nmstate/releases/download/v0.84.0/role_binding.yaml
+").unwrap(), Some("nmstate"))
+            .await
+            .map_err(|e| e.to_string())?;
+
+        debug!("Creating NMState operator...");
+        k8s_client.apply_url(url::Url::parse("https://github.com/nmstate/kubernetes-nmstate/releases/download/v0.84.0/operator.yaml
+").unwrap(), Some("nmstate"))
+            .await
+            .map_err(|e| e.to_string())?;
+
+        k8s_client
+            .wait_until_deployment_ready("nmstate-operator", Some("nmstate"), None)
+            .await?;
+
         let nmstate = NMState {
             metadata: ObjectMeta {
                 name: Some("nmstate".to_string()),
@@ -162,11 +156,7 @@ impl HAClusterTopology {
         42 // FIXME: Find a better way to declare the bond id
     }
 
-    async fn configure_bond(
-        &self,
-        host: &PhysicalHost,
-        config: &HostNetworkConfig,
-    ) -> Result<(), SwitchError> {
+    async fn configure_bond(&self, config: &HostNetworkConfig) -> Result<(), SwitchError> {
         self.ensure_nmstate_operator_installed()
             .await
             .map_err(|e| {
@@ -175,29 +165,33 @@ impl HAClusterTopology {
                 ))
             })?;
 
-        let bond_config = self.create_bond_configuration(host, config);
-        debug!("Configuring bond for host {host:?}: {bond_config:#?}");
+        let bond_config = self.create_bond_configuration(config);
+        debug!(
+            "Applying NMState bond config for host {}: {bond_config:#?}",
+            config.host_id
+        );
         self.k8s_client()
             .await
             .unwrap()
             .apply(&bond_config, None)
             .await
-            .unwrap();
+            .map_err(|e| SwitchError::new(format!("Failed to configure bond: {e}")))?;
 
-        todo!()
+        Ok(())
     }
 
     fn create_bond_configuration(
         &self,
-        host: &PhysicalHost,
         config: &HostNetworkConfig,
     ) -> NodeNetworkConfigurationPolicy {
-        let host_name = host.id.clone();
-
+        let host_name = &config.host_id;
         let bond_id = self.get_next_bond_id();
         let bond_name = format!("bond{bond_id}");
+
+        info!("Configuring bond '{bond_name}' for host '{host_name}'...");
+
         let mut bond_mtu: Option<u32> = None;
-        let mut bond_mac_address: Option<String> = None;
+        let mut copy_mac_from: Option<String> = None;
         let mut bond_ports = Vec::new();
         let mut interfaces: Vec<nmstate::InterfaceSpec> = Vec::new();
 
@@ -223,14 +217,14 @@ impl HAClusterTopology {
                 ..Default::default()
             });
 
-            bond_ports.push(interface_name);
+            bond_ports.push(interface_name.clone());
 
             // Use the first port's details for the bond mtu and mac address
             if bond_mtu.is_none() {
                 bond_mtu = Some(switch_port.interface.mtu);
             }
-            if bond_mac_address.is_none() {
-                bond_mac_address = Some(switch_port.interface.mac_address.to_string());
+            if copy_mac_from.is_none() {
+                copy_mac_from = Some(interface_name);
             }
         }
 
@@ -239,8 +233,7 @@ impl HAClusterTopology {
             description: Some(format!("Network bond for host {host_name}")),
             r#type: "bond".to_string(),
             state: "up".to_string(),
-            mtu: bond_mtu,
-            mac_address: bond_mac_address,
+            copy_mac_from,
             ipv4: Some(nmstate::IpStackSpec {
                 dhcp: Some(true),
                 enabled: Some(true),
@@ -275,16 +268,12 @@ impl HAClusterTopology {
         }
     }
 
-    async fn configure_port_channel(
-        &self,
-        host: &PhysicalHost,
-        config: &HostNetworkConfig,
-    ) -> Result<(), SwitchError> {
+    async fn configure_port_channel(&self, config: &HostNetworkConfig) -> Result<(), SwitchError> {
         debug!("Configuring port channel: {config:#?}");
         let switch_ports = config.switch_ports.iter().map(|s| s.port.clone()).collect();
 
         self.switch_client
-            .configure_port_channel(&format!("Harmony_{}", host.id), switch_ports)
+            .configure_port_channel(&format!("Harmony_{}", config.host_id), switch_ports)
             .await
             .map_err(|e| SwitchError::new(format!("Failed to configure switch: {e}")))?;
 
@@ -299,6 +288,7 @@ impl HAClusterTopology {
         };
 
         Self {
+            kubeconfig: None,
             domain_name: "DummyTopology".to_string(),
             router: dummy_infra.clone(),
             load_balancer: dummy_infra.clone(),
@@ -480,13 +470,9 @@ impl Switch for HAClusterTopology {
         Ok(port)
     }
 
-    async fn configure_host_network(
-        &self,
-        host: &PhysicalHost,
-        config: HostNetworkConfig,
-    ) -> Result<(), SwitchError> {
-        self.configure_bond(host, &config).await?;
-        self.configure_port_channel(host, &config).await
+    async fn configure_host_network(&self, config: &HostNetworkConfig) -> Result<(), SwitchError> {
+        self.configure_bond(config).await?;
+        self.configure_port_channel(config).await
     }
 }
 
diff --git a/harmony/src/domain/topology/k8s.rs b/harmony/src/domain/topology/k8s.rs
index 4a91559..71129e1 100644
--- a/harmony/src/domain/topology/k8s.rs
+++ b/harmony/src/domain/topology/k8s.rs
@@ -14,6 +14,7 @@ use kube::{
     api::{Api, AttachParams, DeleteParams, ListParams, Patch, PatchParams, ResourceExt},
     config::{KubeConfigOptions, Kubeconfig},
     core::ErrorResponse,
+    discovery::{ApiCapabilities, Scope},
     error::DiscoveryError,
     runtime::reflector::Lookup,
 };
@@ -22,11 +23,12 @@ use kube::{
     api::{ApiResource, GroupVersionKind},
     runtime::wait::await_condition,
 };
-use log::{debug, error, info, trace};
+use log::{debug, error, info, trace, warn};
 use serde::{Serialize, de::DeserializeOwned};
 use serde_json::json;
 use similar::TextDiff;
 use tokio::{io::AsyncReadExt, time::sleep};
+use url::Url;
 
 #[derive(new, Clone)]
 pub struct K8sClient {
@@ -88,7 +90,8 @@ impl K8sClient {
         } else {
             Api::default_namespaced_with(self.client.clone(), &gvk)
         };
-        Ok(resource.get(name).await?)
+
+        resource.get(name).await
     }
 
     pub async fn get_deployment(
@@ -103,8 +106,9 @@ impl K8sClient {
             debug!("getting default namespace deployment");
             Api::default_namespaced(self.client.clone())
         };
+
         debug!("getting deployment {} in ns {}", name, namespace.unwrap());
-        Ok(deps.get_opt(name).await?)
+        deps.get_opt(name).await
     }
 
     pub async fn get_pod(&self, name: &str, namespace: Option<&str>) -> Result<Option<Pod>, Error> {
@@ -113,7 +117,8 @@ impl K8sClient {
         } else {
             Api::default_namespaced(self.client.clone())
         };
-        Ok(pods.get_opt(name).await?)
+
+        pods.get_opt(name).await
     }
 
     pub async fn scale_deployment(
@@ -156,9 +161,9 @@ impl K8sClient {
 
     pub async fn wait_until_deployment_ready(
         &self,
-        name: String,
+        name: &str,
         namespace: Option<&str>,
-        timeout: Option<u64>,
+        timeout: Option<Duration>,
     ) -> Result<(), String> {
         let api: Api<Deployment>;
 
@@ -168,9 +173,9 @@ impl K8sClient {
             api = Api::default_namespaced(self.client.clone());
         }
 
-        let establish = await_condition(api, name.as_str(), conditions::is_deployment_completed());
-        let t = timeout.unwrap_or(300);
-        let res = tokio::time::timeout(std::time::Duration::from_secs(t), establish).await;
+        let establish = await_condition(api, name, conditions::is_deployment_completed());
+        let timeout = timeout.unwrap_or(Duration::from_secs(120));
+        let res = tokio::time::timeout(timeout, establish).await;
 
         if res.is_ok() {
             Ok(())
@@ -260,7 +265,7 @@ impl K8sClient {
 
                 if let Some(s) = status.status {
                     let mut stdout_buf = String::new();
-                    if let Some(mut stdout) = process.stdout().take() {
+                    if let Some(mut stdout) = process.stdout() {
                         stdout
                             .read_to_string(&mut stdout_buf)
                             .await
@@ -366,14 +371,14 @@ impl K8sClient {
                 Ok(current) => {
                     trace!("Received current value {current:#?}");
                     // The resource exists, so we calculate and display a diff.
-                    println!("\nPerforming dry-run for resource: '{}'", name);
+                    println!("\nPerforming dry-run for resource: '{name}'");
                     let mut current_yaml = serde_yaml::to_value(&current).unwrap_or_else(|_| {
                         panic!("Could not serialize current value : {current:#?}")
                     });
                     if current_yaml.is_mapping() && current_yaml.get("status").is_some() {
                         let map = current_yaml.as_mapping_mut().unwrap();
                         let removed = map.remove_entry("status");
-                        trace!("Removed status {:?}", removed);
+                        trace!("Removed status {removed:?}");
                     } else {
                         trace!(
                             "Did not find status entry for current object {}/{}",
@@ -402,14 +407,14 @@ impl K8sClient {
                             similar::ChangeTag::Insert => "+",
                             similar::ChangeTag::Equal => " ",
                         };
-                        print!("{}{}", sign, change);
+                        print!("{sign}{change}");
                     }
                     // In a dry run, we return the new resource state that would have been applied.
                     Ok(resource.clone())
                 }
                 Err(Error::Api(ErrorResponse { code: 404, .. })) => {
                     // The resource does not exist, so the "diff" is the entire new resource.
-                    println!("\nPerforming dry-run for new resource: '{}'", name);
+                    println!("\nPerforming dry-run for new resource: '{name}'");
                     println!(
                         "Resource does not exist. It would be created with the following content:"
                     );
@@ -418,14 +423,14 @@ impl K8sClient {
 
                     // Print each line of the new resource with a '+' prefix.
                     for line in new_yaml.lines() {
-                        println!("+{}", line);
+                        println!("+{line}");
                     }
                     // In a dry run, we return the new resource state that would have been created.
                     Ok(resource.clone())
                 }
                 Err(e) => {
                     // Another API error occurred.
-                    error!("Failed to get resource '{}': {}", name, e);
+                    error!("Failed to get resource '{name}': {e}");
                     Err(e)
                 }
             }
@@ -440,7 +445,7 @@ impl K8sClient {
     where
         K: Resource + Clone + std::fmt::Debug + DeserializeOwned + serde::Serialize,
         <K as Resource>::Scope: ApplyStrategy<K>,
-        <K as kube::Resource>::DynamicType: Default,
+        <K as Resource>::DynamicType: Default,
     {
         let mut result = Vec::new();
         for r in resource.iter() {
@@ -505,10 +510,7 @@ impl K8sClient {
 
         // 6. Apply the object to the cluster using Server-Side Apply.
         //    This will create the resource if it doesn't exist, or update it if it does.
-        println!(
-            "Applying Argo Application '{}' in namespace '{}'...",
-            name, namespace
-        );
+        println!("Applying '{name}' in namespace '{namespace}'...",);
         let patch_params = PatchParams::apply("harmony"); // Use a unique field manager name
         let result = api.patch(name, &patch_params, &Patch::Apply(&obj)).await?;
 
@@ -517,6 +519,51 @@ impl K8sClient {
         Ok(())
     }
 
+    /// Apply a resource from a URL
+    ///
+    /// It is the equivalent of `kubectl apply -f <url>`
+    pub async fn apply_url(&self, url: Url, ns: Option<&str>) -> Result<(), Error> {
+        let patch_params = PatchParams::apply("harmony");
+        let discovery = kube::Discovery::new(self.client.clone()).run().await?;
+
+        let yaml = reqwest::get(url)
+            .await
+            .expect("Could not get URL")
+            .text()
+            .await
+            .expect("Could not get content from URL");
+
+        for doc in multidoc_deserialize(&yaml).expect("failed to parse YAML from file") {
+            let obj: DynamicObject =
+                serde_yaml::from_value(doc).expect("cannot apply without valid YAML");
+            let namespace = obj.metadata.namespace.as_deref().or(ns);
+            let type_meta = obj
+                .types
+                .as_ref()
+                .expect("cannot apply object without valid TypeMeta");
+            let gvk = GroupVersionKind::try_from(type_meta)
+                .expect("cannot apply object without valid GroupVersionKind");
+            let name = obj.name_any();
+
+            if let Some((ar, caps)) = discovery.resolve_gvk(&gvk) {
+                let api = get_dynamic_api(ar, caps, self.client.clone(), namespace, false);
+                trace!(
+                    "Applying {}: \n{}",
+                    gvk.kind,
+                    serde_yaml::to_string(&obj).expect("Failed to serialize YAML")
+                );
+                let data: serde_json::Value =
+                    serde_json::to_value(&obj).expect("Failed to serialize JSON");
+                let _r = api.patch(&name, &patch_params, &Patch::Apply(data)).await?;
+                debug!("applied {} {}", gvk.kind, name);
+            } else {
+                warn!("Cannot apply document for unknown {gvk:?}");
+            }
+        }
+
+        Ok(())
+    }
+
     pub(crate) async fn from_kubeconfig(path: &str) -> Option<K8sClient> {
         let k = match Kubeconfig::read_from(path) {
             Ok(k) => k,
@@ -536,6 +583,31 @@ impl K8sClient {
     }
 }
 
+fn get_dynamic_api(
+    resource: ApiResource,
+    capabilities: ApiCapabilities,
+    client: Client,
+    ns: Option<&str>,
+    all: bool,
+) -> Api<DynamicObject> {
+    if capabilities.scope == Scope::Cluster || all {
+        Api::all_with(client, &resource)
+    } else if let Some(namespace) = ns {
+        Api::namespaced_with(client, namespace, &resource)
+    } else {
+        Api::default_namespaced_with(client, &resource)
+    }
+}
+
+fn multidoc_deserialize(data: &str) -> Result<Vec<serde_yaml::Value>, serde_yaml::Error> {
+    use serde::Deserialize;
+    let mut docs = vec![];
+    for de in serde_yaml::Deserializer::from_str(data) {
+        docs.push(serde_yaml::Value::deserialize(de)?);
+    }
+    Ok(docs)
+}
+
 pub trait ApplyStrategy<K: Resource> {
     fn get_api(client: &Client, ns: Option<&str>) -> Api<K>;
 }
diff --git a/harmony/src/domain/topology/k8s_anywhere.rs b/harmony/src/domain/topology/k8s_anywhere.rs
index 3ef1aa4..226860b 100644
--- a/harmony/src/domain/topology/k8s_anywhere.rs
+++ b/harmony/src/domain/topology/k8s_anywhere.rs
@@ -1,4 +1,4 @@
-use std::{collections::BTreeMap, process::Command, sync::Arc};
+use std::{collections::BTreeMap, process::Command, sync::Arc, time::Duration};
 
 use async_trait::async_trait;
 use base64::{Engine, engine::general_purpose};
@@ -155,9 +155,9 @@ impl Grafana for K8sAnywhereTopology {
         //TODO change this to a ensure ready or something better than just a timeout
         client
             .wait_until_deployment_ready(
-                "grafana-grafana-deployment".to_string(),
+                "grafana-grafana-deployment",
                 Some("grafana"),
-                Some(30),
+                Some(Duration::from_secs(30)),
             )
             .await?;
 
diff --git a/harmony/src/domain/topology/network.rs b/harmony/src/domain/topology/network.rs
index b78f1a0..cf172ee 100644
--- a/harmony/src/domain/topology/network.rs
+++ b/harmony/src/domain/topology/network.rs
@@ -9,6 +9,7 @@ use std::{
 use async_trait::async_trait;
 use derive_new::new;
 use harmony_types::{
+    id::Id,
     net::{IpAddress, MacAddress},
     switch::PortLocation,
 };
@@ -191,15 +192,12 @@ pub trait Switch: Send + Sync {
         mac_address: &MacAddress,
     ) -> Result<Option<PortLocation>, SwitchError>;
 
-    async fn configure_host_network(
-        &self,
-        host: &PhysicalHost,
-        config: HostNetworkConfig,
-    ) -> Result<(), SwitchError>;
+    async fn configure_host_network(&self, config: &HostNetworkConfig) -> Result<(), SwitchError>;
 }
 
 #[derive(Clone, Debug, PartialEq)]
 pub struct HostNetworkConfig {
+    pub host_id: Id,
     pub switch_ports: Vec<SwitchPort>,
 }
 
diff --git a/harmony/src/infra/inventory/mod.rs b/harmony/src/infra/inventory/mod.rs
index 90d78ea..e0d80fe 100644
--- a/harmony/src/infra/inventory/mod.rs
+++ b/harmony/src/infra/inventory/mod.rs
@@ -11,7 +11,7 @@ pub struct InventoryRepositoryFactory;
 impl InventoryRepositoryFactory {
     pub async fn build() -> Result<Box<dyn InventoryRepository>, RepoError> {
         Ok(Box::new(
-            SqliteInventoryRepository::new(&(*DATABASE_URL)).await?,
+            SqliteInventoryRepository::new(&DATABASE_URL).await?,
         ))
     }
 }
diff --git a/harmony/src/modules/k8s/resource.rs b/harmony/src/modules/k8s/resource.rs
index d679326..57f9731 100644
--- a/harmony/src/modules/k8s/resource.rs
+++ b/harmony/src/modules/k8s/resource.rs
@@ -38,13 +38,15 @@ impl<
         + 'static
         + Send
         + Clone,
-    T: Topology,
+    T: Topology + K8sclient,
 > Score<T> for K8sResourceScore<K>
 where
     <K as kube::Resource>::DynamicType: Default,
 {
     fn create_interpret(&self) -> Box<dyn Interpret<T>> {
-        todo!()
+        Box::new(K8sResourceInterpret {
+            score: self.clone(),
+        })
     }
 
     fn name(&self) -> String {
diff --git a/harmony/src/modules/monitoring/ntfy/ntfy.rs b/harmony/src/modules/monitoring/ntfy/ntfy.rs
index 4ed342b..f82aaf7 100644
--- a/harmony/src/modules/monitoring/ntfy/ntfy.rs
+++ b/harmony/src/modules/monitoring/ntfy/ntfy.rs
@@ -100,11 +100,7 @@ impl<T: Topology + HelmCommand + K8sclient + MultiTargetTopology> Interpret<T> f
 
         info!("deploying ntfy...");
         client
-            .wait_until_deployment_ready(
-                "ntfy".to_string(),
-                Some(self.score.namespace.as_str()),
-                None,
-            )
+            .wait_until_deployment_ready("ntfy", Some(self.score.namespace.as_str()), None)
             .await?;
         info!("ntfy deployed");
 
diff --git a/harmony/src/modules/okd/bootstrap_03_control_plane.rs b/harmony/src/modules/okd/bootstrap_03_control_plane.rs
index af8e71f..5abe848 100644
--- a/harmony/src/modules/okd/bootstrap_03_control_plane.rs
+++ b/harmony/src/modules/okd/bootstrap_03_control_plane.rs
@@ -5,10 +5,8 @@ use crate::{
     interpret::{Interpret, InterpretError, InterpretName, InterpretStatus, Outcome},
     inventory::{HostRole, Inventory},
     modules::{
-        dhcp::DhcpHostBindingScore,
-        http::IPxeMacBootFileScore,
-        inventory::DiscoverHostForRoleScore,
-        okd::{host_network::HostNetworkConfigurationScore, templates::BootstrapIpxeTpl},
+        dhcp::DhcpHostBindingScore, http::IPxeMacBootFileScore,
+        inventory::DiscoverHostForRoleScore, okd::templates::BootstrapIpxeTpl,
     },
     score::Score,
     topology::{HAClusterTopology, HostBinding},
@@ -205,28 +203,6 @@ impl OKDSetup03ControlPlaneInterpret {
 
         Ok(())
     }
-
-    /// Placeholder for automating network bonding configuration.
-    async fn persist_network_bond(
-        &self,
-        inventory: &Inventory,
-        topology: &HAClusterTopology,
-        hosts: &Vec<PhysicalHost>,
-    ) -> Result<(), InterpretError> {
-        info!("[ControlPlane] Ensuring persistent bonding");
-        let score = HostNetworkConfigurationScore {
-            hosts: hosts.clone(),
-        };
-        score.interpret(inventory, topology).await?;
-
-        inquire::Confirm::new(
-            "Network configuration for control plane nodes is not automated yet. Configure it manually if needed.",
-        )
-        .prompt()
-        .map_err(|e| InterpretError::new(format!("User prompt failed: {e}")))?;
-
-        Ok(())
-    }
 }
 
 #[async_trait]
@@ -265,10 +241,6 @@ impl Interpret<HAClusterTopology> for OKDSetup03ControlPlaneInterpret {
         // 4. Reboot the nodes to start the OS installation.
         self.reboot_targets(&nodes).await?;
 
-        // 5. Placeholder for post-boot network configuration (e.g., bonding).
-        self.persist_network_bond(inventory, topology, &nodes)
-            .await?;
-
         // TODO: Implement a step to wait for the control plane nodes to join the cluster
         // and for the cluster operators to become available. This would be similar to
         // the `wait-for bootstrap-complete` command.
diff --git a/harmony/src/modules/okd/bootstrap_persist_network_bond.rs b/harmony/src/modules/okd/bootstrap_persist_network_bond.rs
new file mode 100644
index 0000000..4aa47b6
--- /dev/null
+++ b/harmony/src/modules/okd/bootstrap_persist_network_bond.rs
@@ -0,0 +1,130 @@
+use crate::{
+    data::Version,
+    hardware::PhysicalHost,
+    infra::inventory::InventoryRepositoryFactory,
+    interpret::{Interpret, InterpretError, InterpretName, InterpretStatus, Outcome},
+    inventory::{HostRole, Inventory},
+    modules::okd::host_network::HostNetworkConfigurationScore,
+    score::Score,
+    topology::HAClusterTopology,
+};
+use async_trait::async_trait;
+use derive_new::new;
+use harmony_types::id::Id;
+use log::info;
+use serde::Serialize;
+
+// -------------------------------------------------------------------------------------------------
+// Persist Network Bond
+// - Persist bonding via NMState
+// - Persist port channels on the Switch
+// -------------------------------------------------------------------------------------------------
+
+#[derive(Debug, Clone, Serialize, new)]
+pub struct OKDSetupPersistNetworkBondScore {}
+
+impl Score<HAClusterTopology> for OKDSetupPersistNetworkBondScore {
+    fn create_interpret(&self) -> Box<dyn Interpret<HAClusterTopology>> {
+        Box::new(OKDSetupPersistNetworkBondInterpet::new())
+    }
+
+    fn name(&self) -> String {
+        "OKDSetupPersistNetworkBondScore".to_string()
+    }
+}
+
+#[derive(Debug, Clone)]
+pub struct OKDSetupPersistNetworkBondInterpet {
+    version: Version,
+    status: InterpretStatus,
+}
+
+impl OKDSetupPersistNetworkBondInterpet {
+    pub fn new() -> Self {
+        let version = Version::from("1.0.0").unwrap();
+        Self {
+            version,
+            status: InterpretStatus::QUEUED,
+        }
+    }
+
+    /// Ensures that three physical hosts are discovered and available for the ControlPlane role.
+    /// It will trigger discovery if not enough hosts are found.
+    async fn get_nodes(
+        &self,
+        _inventory: &Inventory,
+        _topology: &HAClusterTopology,
+    ) -> Result<Vec<PhysicalHost>, InterpretError> {
+        const REQUIRED_HOSTS: usize = 3;
+        let repo = InventoryRepositoryFactory::build().await?;
+        let control_plane_hosts = repo.get_host_for_role(&HostRole::ControlPlane).await?;
+
+        if control_plane_hosts.len() < REQUIRED_HOSTS {
+            Err(InterpretError::new(format!(
+                "OKD Requires at least {} control plane hosts, but only found {}. Cannot proceed.",
+                REQUIRED_HOSTS,
+                control_plane_hosts.len()
+            )))
+        } else {
+            // Take exactly the number of required hosts to ensure consistency.
+            Ok(control_plane_hosts
+                .into_iter()
+                .take(REQUIRED_HOSTS)
+                .collect())
+        }
+    }
+
+    async fn persist_network_bond(
+        &self,
+        inventory: &Inventory,
+        topology: &HAClusterTopology,
+        hosts: &Vec<PhysicalHost>,
+    ) -> Result<(), InterpretError> {
+        info!("Ensuring persistent bonding");
+
+        let score = HostNetworkConfigurationScore {
+            hosts: hosts.clone(),
+        };
+        score.interpret(inventory, topology).await?;
+
+        Ok(())
+    }
+}
+
+#[async_trait]
+impl Interpret<HAClusterTopology> for OKDSetupPersistNetworkBondInterpet {
+    fn get_name(&self) -> InterpretName {
+        InterpretName::Custom("OKDSetupPersistNetworkBondInterpet")
+    }
+
+    fn get_version(&self) -> Version {
+        self.version.clone()
+    }
+
+    fn get_status(&self) -> InterpretStatus {
+        self.status.clone()
+    }
+
+    fn get_children(&self) -> Vec<Id> {
+        vec![]
+    }
+
+    async fn execute(
+        &self,
+        inventory: &Inventory,
+        topology: &HAClusterTopology,
+    ) -> Result<Outcome, InterpretError> {
+        let nodes = self.get_nodes(inventory, topology).await?;
+
+        let res = self.persist_network_bond(inventory, topology, &nodes).await;
+
+        match res {
+            Ok(_) => Ok(Outcome::success(
+                "Network bond successfully persisted".into(),
+            )),
+            Err(_) => Err(InterpretError::new(
+                "Failed to persist network bond".to_string(),
+            )),
+        }
+    }
+}
diff --git a/harmony/src/modules/okd/crd/mod.rs b/harmony/src/modules/okd/crd/mod.rs
index c1a68ce..568db3f 100644
--- a/harmony/src/modules/okd/crd/mod.rs
+++ b/harmony/src/modules/okd/crd/mod.rs
@@ -1,41 +1 @@
-use kube::CustomResource;
-use schemars::JsonSchema;
-use serde::{Deserialize, Serialize};
-
 pub mod nmstate;
-
-#[derive(CustomResource, Deserialize, Serialize, Clone, Debug, JsonSchema)]
-#[kube(
-    group = "operators.coreos.com",
-    version = "v1",
-    kind = "OperatorGroup",
-    namespaced
-)]
-#[serde(rename_all = "camelCase")]
-pub struct OperatorGroupSpec {
-    pub target_namespaces: Vec<String>,
-}
-
-#[derive(CustomResource, Deserialize, Serialize, Clone, Debug, JsonSchema)]
-#[kube(
-    group = "operators.coreos.com",
-    version = "v1alpha1",
-    kind = "Subscription",
-    namespaced
-)]
-#[serde(rename_all = "camelCase")]
-pub struct SubscriptionSpec {
-    pub name: String,
-    pub source: String,
-    pub source_namespace: String,
-    pub channel: Option<String>,
-    pub install_plan_approval: Option<InstallPlanApproval>,
-}
-
-#[derive(Deserialize, Serialize, Clone, Debug, JsonSchema)]
-pub enum InstallPlanApproval {
-    #[serde(rename = "Automatic")]
-    Automatic,
-    #[serde(rename = "Manual")]
-    Manual,
-}
diff --git a/harmony/src/modules/okd/crd/nmstate.rs b/harmony/src/modules/okd/crd/nmstate.rs
index 5f71e4e..9f986e5 100644
--- a/harmony/src/modules/okd/crd/nmstate.rs
+++ b/harmony/src/modules/okd/crd/nmstate.rs
@@ -6,9 +6,16 @@ use serde::{Deserialize, Serialize};
 use serde_json::Value;
 
 #[derive(CustomResource, Deserialize, Serialize, Clone, Debug, JsonSchema)]
-#[kube(group = "nmstate.io", version = "v1", kind = "NMState", namespaced)]
+#[kube(
+    group = "nmstate.io",
+    version = "v1",
+    kind = "NMState",
+    plural = "nmstates",
+    namespaced = false
+)]
 #[serde(rename_all = "camelCase")]
 pub struct NMStateSpec {
+    #[serde(skip_serializing_if = "Option::is_none")]
     pub probe_configuration: Option<ProbeConfig>,
 }
 
@@ -44,6 +51,7 @@ pub struct ProbeDns {
 )]
 #[serde(rename_all = "camelCase")]
 pub struct NodeNetworkConfigurationPolicySpec {
+    #[serde(skip_serializing_if = "Option::is_none")]
     pub node_selector: Option<BTreeMap<String, String>>,
     pub desired_state: DesiredStateSpec,
 }
@@ -58,37 +66,64 @@ pub struct DesiredStateSpec {
 #[serde(rename_all = "kebab-case")]
 pub struct InterfaceSpec {
     pub name: String,
+    #[serde(skip_serializing_if = "Option::is_none")]
     pub description: Option<String>,
     pub r#type: String,
     pub state: String,
+    #[serde(skip_serializing_if = "Option::is_none")]
     pub mac_address: Option<String>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub copy_mac_from: Option<String>,
+    #[serde(skip_serializing_if = "Option::is_none")]
     pub mtu: Option<u32>,
+    #[serde(skip_serializing_if = "Option::is_none")]
     pub controller: Option<String>,
+    #[serde(skip_serializing_if = "Option::is_none")]
     pub ipv4: Option<IpStackSpec>,
+    #[serde(skip_serializing_if = "Option::is_none")]
     pub ipv6: Option<IpStackSpec>,
+    #[serde(skip_serializing_if = "Option::is_none")]
     pub ethernet: Option<EthernetSpec>,
+    #[serde(skip_serializing_if = "Option::is_none")]
     pub link_aggregation: Option<BondSpec>,
+    #[serde(skip_serializing_if = "Option::is_none")]
     pub vlan: Option<VlanSpec>,
+    #[serde(skip_serializing_if = "Option::is_none")]
     pub vxlan: Option<VxlanSpec>,
+    #[serde(skip_serializing_if = "Option::is_none")]
     pub mac_vtap: Option<MacVtapSpec>,
+    #[serde(skip_serializing_if = "Option::is_none")]
     pub mac_vlan: Option<MacVlanSpec>,
+    #[serde(skip_serializing_if = "Option::is_none")]
     pub infiniband: Option<InfinibandSpec>,
+    #[serde(skip_serializing_if = "Option::is_none")]
     pub linux_bridge: Option<LinuxBridgeSpec>,
+    #[serde(skip_serializing_if = "Option::is_none")]
     pub ovs_bridge: Option<OvsBridgeSpec>,
+    #[serde(skip_serializing_if = "Option::is_none")]
     pub ethtool: Option<EthtoolSpec>,
 }
 
 #[derive(Deserialize, Serialize, Clone, Debug, Default, JsonSchema)]
 #[serde(rename_all = "kebab-case")]
 pub struct IpStackSpec {
+    #[serde(skip_serializing_if = "Option::is_none")]
     pub enabled: Option<bool>,
+    #[serde(skip_serializing_if = "Option::is_none")]
     pub dhcp: Option<bool>,
+    #[serde(skip_serializing_if = "Option::is_none")]
     pub autoconf: Option<bool>,
+    #[serde(skip_serializing_if = "Option::is_none")]
     pub address: Option<Vec<IpAddressSpec>>,
+    #[serde(skip_serializing_if = "Option::is_none")]
     pub auto_dns: Option<bool>,
+    #[serde(skip_serializing_if = "Option::is_none")]
     pub auto_gateway: Option<bool>,
+    #[serde(skip_serializing_if = "Option::is_none")]
     pub auto_routes: Option<bool>,
+    #[serde(skip_serializing_if = "Option::is_none")]
     pub dhcp_client_id: Option<String>,
+    #[serde(skip_serializing_if = "Option::is_none")]
     pub dhcp_duid: Option<String>,
 }
 
@@ -102,8 +137,11 @@ pub struct IpAddressSpec {
 #[derive(Deserialize, Serialize, Clone, Debug, Default, JsonSchema)]
 #[serde(rename_all = "kebab-case")]
 pub struct EthernetSpec {
+    #[serde(skip_serializing_if = "Option::is_none")]
     pub speed: Option<u32>,
+    #[serde(skip_serializing_if = "Option::is_none")]
     pub duplex: Option<String>,
+    #[serde(skip_serializing_if = "Option::is_none")]
     pub auto_negotiation: Option<bool>,
 }
 
@@ -112,6 +150,7 @@ pub struct EthernetSpec {
 pub struct BondSpec {
     pub mode: String,
     pub ports: Vec<String>,
+    #[serde(skip_serializing_if = "Option::is_none")]
     pub options: Option<BTreeMap<String, Value>>,
 }
 
@@ -120,6 +159,7 @@ pub struct BondSpec {
 pub struct VlanSpec {
     pub base_iface: String,
     pub id: u16,
+    #[serde(skip_serializing_if = "Option::is_none")]
     pub protocol: Option<String>,
 }
 
@@ -129,8 +169,11 @@ pub struct VxlanSpec {
     pub base_iface: String,
     pub id: u32,
     pub remote: String,
+    #[serde(skip_serializing_if = "Option::is_none")]
     pub local: Option<String>,
+    #[serde(skip_serializing_if = "Option::is_none")]
     pub learning: Option<bool>,
+    #[serde(skip_serializing_if = "Option::is_none")]
     pub destination_port: Option<u16>,
 }
 
@@ -139,6 +182,7 @@ pub struct VxlanSpec {
 pub struct MacVtapSpec {
     pub base_iface: String,
     pub mode: String,
+    #[serde(skip_serializing_if = "Option::is_none")]
     pub promiscuous: Option<bool>,
 }
 
@@ -147,6 +191,7 @@ pub struct MacVtapSpec {
 pub struct MacVlanSpec {
     pub base_iface: String,
     pub mode: String,
+    #[serde(skip_serializing_if = "Option::is_none")]
     pub promiscuous: Option<bool>,
 }
 
@@ -161,25 +206,35 @@ pub struct InfinibandSpec {
 #[derive(Deserialize, Serialize, Clone, Debug, Default, JsonSchema)]
 #[serde(rename_all = "kebab-case")]
 pub struct LinuxBridgeSpec {
+    #[serde(skip_serializing_if = "Option::is_none")]
     pub options: Option<LinuxBridgeOptions>,
+    #[serde(skip_serializing_if = "Option::is_none")]
     pub ports: Option<Vec<LinuxBridgePort>>,
 }
 
 #[derive(Deserialize, Serialize, Clone, Debug, Default, JsonSchema)]
 #[serde(rename_all = "kebab-case")]
 pub struct LinuxBridgeOptions {
+    #[serde(skip_serializing_if = "Option::is_none")]
     pub mac_ageing_time: Option<u32>,
+    #[serde(skip_serializing_if = "Option::is_none")]
     pub multicast_snooping: Option<bool>,
+    #[serde(skip_serializing_if = "Option::is_none")]
     pub stp: Option<StpOptions>,
 }
 
 #[derive(Deserialize, Serialize, Clone, Debug, Default, JsonSchema)]
 #[serde(rename_all = "kebab-case")]
 pub struct StpOptions {
+    #[serde(skip_serializing_if = "Option::is_none")]
     pub enabled: Option<bool>,
+    #[serde(skip_serializing_if = "Option::is_none")]
     pub forward_delay: Option<u16>,
+    #[serde(skip_serializing_if = "Option::is_none")]
     pub hello_time: Option<u16>,
+    #[serde(skip_serializing_if = "Option::is_none")]
     pub max_age: Option<u16>,
+    #[serde(skip_serializing_if = "Option::is_none")]
     pub priority: Option<u16>,
 }
 
@@ -187,15 +242,20 @@ pub struct StpOptions {
 #[serde(rename_all = "kebab-case")]
 pub struct LinuxBridgePort {
     pub name: String,
+    #[serde(skip_serializing_if = "Option::is_none")]
     pub vlan: Option<LinuxBridgePortVlan>,
 }
 
 #[derive(Deserialize, Serialize, Clone, Debug, Default, JsonSchema)]
 #[serde(rename_all = "kebab-case")]
 pub struct LinuxBridgePortVlan {
+    #[serde(skip_serializing_if = "Option::is_none")]
     pub mode: Option<String>,
+    #[serde(skip_serializing_if = "Option::is_none")]
     pub trunk_tags: Option<Vec<VlanTag>>,
+    #[serde(skip_serializing_if = "Option::is_none")]
     pub tag: Option<u16>,
+    #[serde(skip_serializing_if = "Option::is_none")]
     pub enable_native: Option<bool>,
 }
 
@@ -203,6 +263,7 @@ pub struct LinuxBridgePortVlan {
 #[serde(rename_all = "kebab-case")]
 pub struct VlanTag {
     pub id: u16,
+    #[serde(skip_serializing_if = "Option::is_none")]
     pub id_range: Option<VlanIdRange>,
 }
 
@@ -216,15 +277,20 @@ pub struct VlanIdRange {
 #[derive(Deserialize, Serialize, Clone, Debug, Default, JsonSchema)]
 #[serde(rename_all = "kebab-case")]
 pub struct OvsBridgeSpec {
+    #[serde(skip_serializing_if = "Option::is_none")]
     pub options: Option<OvsBridgeOptions>,
+    #[serde(skip_serializing_if = "Option::is_none")]
     pub ports: Option<Vec<OvsPortSpec>>,
 }
 
 #[derive(Deserialize, Serialize, Clone, Debug, Default, JsonSchema)]
 #[serde(rename_all = "kebab-case")]
 pub struct OvsBridgeOptions {
+    #[serde(skip_serializing_if = "Option::is_none")]
     pub stp: Option<bool>,
+    #[serde(skip_serializing_if = "Option::is_none")]
     pub rstp: Option<bool>,
+    #[serde(skip_serializing_if = "Option::is_none")]
     pub mcast_snooping_enable: Option<bool>,
 }
 
@@ -232,8 +298,11 @@ pub struct OvsBridgeOptions {
 #[serde(rename_all = "kebab-case")]
 pub struct OvsPortSpec {
     pub name: String,
+    #[serde(skip_serializing_if = "Option::is_none")]
     pub link_aggregation: Option<BondSpec>,
+    #[serde(skip_serializing_if = "Option::is_none")]
     pub vlan: Option<LinuxBridgePortVlan>,
+    #[serde(skip_serializing_if = "Option::is_none")]
     pub r#type: Option<String>,
 }
 
@@ -246,6 +315,8 @@ pub struct EthtoolSpec {
 #[derive(Deserialize, Serialize, Clone, Debug, Default, JsonSchema)]
 #[serde(rename_all = "kebab-case")]
 pub struct EthtoolFecSpec {
+    #[serde(skip_serializing_if = "Option::is_none")]
     pub auto: Option<bool>,
+    #[serde(skip_serializing_if = "Option::is_none")]
     pub mode: Option<String>,
 }
diff --git a/harmony/src/modules/okd/host_network.rs b/harmony/src/modules/okd/host_network.rs
index 3bc8c3c..39fb027 100644
--- a/harmony/src/modules/okd/host_network.rs
+++ b/harmony/src/modules/okd/host_network.rs
@@ -39,30 +39,70 @@ impl HostNetworkConfigurationInterpret {
         &self,
         topology: &T,
         host: &PhysicalHost,
-    ) -> Result<(), InterpretError> {
-        let switch_ports = self.collect_switch_ports_for_host(topology, host).await?;
-        if !switch_ports.is_empty() {
-            topology
-                .configure_host_network(host, HostNetworkConfig { switch_ports })
-                .await
-                .map_err(|e| InterpretError::new(format!("Failed to configure host: {e}")))?;
+        current_host: &usize,
+        total_hosts: &usize,
+    ) -> Result<HostNetworkConfig, InterpretError> {
+        if host.network.is_empty() {
+            info!("[Host {current_host}/{total_hosts}] No interfaces to configure, skipping");
+            return Ok(HostNetworkConfig {
+                host_id: host.id.clone(),
+                switch_ports: vec![],
+            });
         }
 
-        Ok(())
+        let switch_ports = self
+            .collect_switch_ports_for_host(topology, host, current_host, total_hosts)
+            .await?;
+
+        let config = HostNetworkConfig {
+            host_id: host.id.clone(),
+            switch_ports,
+        };
+
+        if !config.switch_ports.is_empty() {
+            info!(
+                "[Host {current_host}/{total_hosts}] Found {} ports for {} interfaces",
+                config.switch_ports.len(),
+                host.network.len()
+            );
+
+            info!("[Host {current_host}/{total_hosts}] Configuring host network...");
+            topology
+                .configure_host_network(&config)
+                .await
+                .map_err(|e| InterpretError::new(format!("Failed to configure host: {e}")))?;
+        } else {
+            info!(
+                "[Host {current_host}/{total_hosts}] No ports found for {} interfaces, skipping",
+                host.network.len()
+            );
+        }
+
+        Ok(config)
     }
 
     async fn collect_switch_ports_for_host<T: Topology + Switch>(
         &self,
         topology: &T,
         host: &PhysicalHost,
+        current_host: &usize,
+        total_hosts: &usize,
     ) -> Result<Vec<SwitchPort>, InterpretError> {
         let mut switch_ports = vec![];
 
+        if host.network.is_empty() {
+            return Ok(switch_ports);
+        }
+
+        info!("[Host {current_host}/{total_hosts}] Collecting ports on switch...");
         for network_interface in &host.network {
             let mac_address = network_interface.mac_address;
 
             match topology.get_port_for_mac_address(&mac_address).await {
                 Ok(Some(port)) => {
+                    info!(
+                        "[Host {current_host}/{total_hosts}] Found port '{port}' for '{mac_address}'"
+                    );
                     switch_ports.push(SwitchPort {
                         interface: NetworkInterface {
                             name: network_interface.name.clone(),
@@ -73,7 +113,7 @@ impl HostNetworkConfigurationInterpret {
                         port,
                     });
                 }
-                Ok(None) => debug!("No port found for host '{}', skipping", host.id),
+                Ok(None) => debug!("No port found for '{mac_address}', skipping"),
                 Err(e) => {
                     return Err(InterpretError::new(format!(
                         "Failed to get port for host '{}': {}",
@@ -85,6 +125,47 @@ impl HostNetworkConfigurationInterpret {
 
         Ok(switch_ports)
     }
+
+    fn format_host_configuration(&self, configs: Vec<HostNetworkConfig>) -> Vec<String> {
+        let mut report = vec![
+            "Network Configuration Report".to_string(),
+            "------------------------------------------------------------------".to_string(),
+        ];
+
+        for config in configs {
+            let host = self
+                .score
+                .hosts
+                .iter()
+                .find(|h| h.id == config.host_id)
+                .unwrap();
+
+            println!("[Host] {host}");
+
+            if config.switch_ports.is_empty() {
+                report.push(format!(
+                    "⏭️ Host {}: SKIPPED (No matching switch ports found)",
+                    config.host_id
+                ));
+            } else {
+                let mappings: Vec<String> = config
+                    .switch_ports
+                    .iter()
+                    .map(|p| format!("[{} -> {}]", p.interface.name, p.port))
+                    .collect();
+
+                report.push(format!(
+                    "✅ Host {}: Bonded {} port(s) {}",
+                    config.host_id,
+                    config.switch_ports.len(),
+                    mappings.join(", ")
+                ));
+            }
+        }
+        report
+            .push("------------------------------------------------------------------".to_string());
+        report
+    }
 }
 
 #[async_trait]
@@ -114,27 +195,38 @@ impl<T: Topology + Switch> Interpret<T> for HostNetworkConfigurationInterpret {
             return Ok(Outcome::noop("No hosts to configure".into()));
         }
 
-        info!(
-            "Started network configuration for {} host(s)...",
-            self.score.hosts.len()
-        );
+        let host_count = self.score.hosts.len();
+        info!("Started network configuration for {host_count} host(s)...",);
 
+        info!("Setting up switch with sane defaults...");
         topology
             .setup_switch()
             .await
             .map_err(|e| InterpretError::new(format!("Switch setup failed: {e}")))?;
+        info!("Switch ready");
+
+        let mut current_host = 1;
+        let mut host_configurations = vec![];
 
-        let mut configured_host_count = 0;
         for host in &self.score.hosts {
-            self.configure_network_for_host(topology, host).await?;
-            configured_host_count += 1;
-        }
+            let host_configuration = self
+                .configure_network_for_host(topology, host, &current_host, &host_count)
+                .await?;
 
-        if configured_host_count > 0 {
-            Ok(Outcome::success(format!(
-                "Configured {configured_host_count}/{} host(s)",
-                self.score.hosts.len()
-            )))
+            host_configurations.push(host_configuration);
+            current_host += 1;
+        }
+        if current_host > 1 {
+            let details = self.format_host_configuration(host_configurations);
+
+            Ok(Outcome::success_with_details(
+                format!(
+                    "Configured {}/{} host(s)",
+                    current_host - 1,
+                    self.score.hosts.len()
+                ),
+                details,
+            ))
         } else {
             Ok(Outcome::noop("No hosts configured".into()))
         }
@@ -209,6 +301,7 @@ mod tests {
         assert_that!(*configured_host_networks).contains_exactly(vec![(
             HOST_ID.clone(),
             HostNetworkConfig {
+                host_id: HOST_ID.clone(),
                 switch_ports: vec![SwitchPort {
                     interface: EXISTING_INTERFACE.clone(),
                     port: PORT.clone(),
@@ -234,6 +327,7 @@ mod tests {
         assert_that!(*configured_host_networks).contains_exactly(vec![(
             HOST_ID.clone(),
             HostNetworkConfig {
+                host_id: HOST_ID.clone(),
                 switch_ports: vec![
                     SwitchPort {
                         interface: EXISTING_INTERFACE.clone(),
@@ -263,6 +357,7 @@ mod tests {
             (
                 HOST_ID.clone(),
                 HostNetworkConfig {
+                    host_id: HOST_ID.clone(),
                     switch_ports: vec![SwitchPort {
                         interface: EXISTING_INTERFACE.clone(),
                         port: PORT.clone(),
@@ -272,6 +367,7 @@ mod tests {
             (
                 ANOTHER_HOST_ID.clone(),
                 HostNetworkConfig {
+                    host_id: ANOTHER_HOST_ID.clone(),
                     switch_ports: vec![SwitchPort {
                         interface: ANOTHER_EXISTING_INTERFACE.clone(),
                         port: ANOTHER_PORT.clone(),
@@ -382,11 +478,10 @@ mod tests {
 
         async fn configure_host_network(
             &self,
-            host: &PhysicalHost,
-            config: HostNetworkConfig,
+            config: &HostNetworkConfig,
         ) -> Result<(), SwitchError> {
             let mut configured_host_networks = self.configured_host_networks.lock().unwrap();
-            configured_host_networks.push((host.id.clone(), config.clone()));
+            configured_host_networks.push((config.host_id.clone(), config.clone()));
 
             Ok(())
         }
diff --git a/harmony/src/modules/okd/installation.rs b/harmony/src/modules/okd/installation.rs
index 72603c8..3deb59a 100644
--- a/harmony/src/modules/okd/installation.rs
+++ b/harmony/src/modules/okd/installation.rs
@@ -50,7 +50,7 @@
 use crate::{
     modules::okd::{
         OKDSetup01InventoryScore, OKDSetup02BootstrapScore, OKDSetup03ControlPlaneScore,
-        OKDSetup04WorkersScore, OKDSetup05SanityCheckScore,
+        OKDSetup04WorkersScore, OKDSetup05SanityCheckScore, OKDSetupPersistNetworkBondScore,
         bootstrap_06_installation_report::OKDSetup06InstallationReportScore,
     },
     score::Score,
@@ -65,6 +65,7 @@ impl OKDInstallationPipeline {
             Box::new(OKDSetup01InventoryScore::new()),
             Box::new(OKDSetup02BootstrapScore::new()),
             Box::new(OKDSetup03ControlPlaneScore::new()),
+            Box::new(OKDSetupPersistNetworkBondScore::new()),
             Box::new(OKDSetup04WorkersScore::new()),
             Box::new(OKDSetup05SanityCheckScore::new()),
             Box::new(OKDSetup06InstallationReportScore::new()),
diff --git a/harmony/src/modules/okd/mod.rs b/harmony/src/modules/okd/mod.rs
index a12f132..8bb85ef 100644
--- a/harmony/src/modules/okd/mod.rs
+++ b/harmony/src/modules/okd/mod.rs
@@ -6,6 +6,7 @@ mod bootstrap_05_sanity_check;
 mod bootstrap_06_installation_report;
 pub mod bootstrap_dhcp;
 pub mod bootstrap_load_balancer;
+mod bootstrap_persist_network_bond;
 pub mod dhcp;
 pub mod dns;
 pub mod installation;
@@ -19,5 +20,6 @@ pub use bootstrap_03_control_plane::*;
 pub use bootstrap_04_workers::*;
 pub use bootstrap_05_sanity_check::*;
 pub use bootstrap_06_installation_report::*;
+pub use bootstrap_persist_network_bond::*;
 pub mod crd;
 pub mod host_network;
diff --git a/harmony_cli/src/cli_reporter.rs b/harmony_cli/src/cli_reporter.rs
index f6095cc..6c9823b 100644
--- a/harmony_cli/src/cli_reporter.rs
+++ b/harmony_cli/src/cli_reporter.rs
@@ -40,7 +40,7 @@ pub fn init() {
                 HarmonyEvent::HarmonyFinished => {
                     if !details.is_empty() {
                         println!(
-                            "\n{} All done! Here's what's next for you:",
+                            "\n{} All done! Here's a few info for you:",
                             theme::EMOJI_SUMMARY
                         );
                         for detail in details.iter() {

From 5f147fa67206e1e6d497fb9a4ab765de1cf7e912 Mon Sep 17 00:00:00 2001
From: Willem <wrolleman@nationtech.io>
Date: Wed, 29 Oct 2025 13:24:56 -0400
Subject: [PATCH 19/51] fix: opnsense-config reload_config() returns live
 config.xml rather than dropping it, allows function is_package_installed() to
 read live state after package installation rather than old config before
 installation

---
 opnsense-config/src/config/config.rs | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/opnsense-config/src/config/config.rs b/opnsense-config/src/config/config.rs
index 236a89e..7c292c8 100644
--- a/opnsense-config/src/config/config.rs
+++ b/opnsense-config/src/config/config.rs
@@ -156,7 +156,8 @@ impl Config {
 
     async fn reload_config(&mut self) -> Result<(), Error> {
         info!("Reloading opnsense live config");
-        let (opnsense, sha2) = Self::get_opnsense_instance(self.repository.clone()).await?;
+        let (opnsense, _sha2) = Self::get_opnsense_instance(self.repository.clone()).await?;
+        self.opnsense = opnsense;
         Ok(())
     }
 

From c2fa4f1869c9d6cef0f50930c0fd98a603f3bf55 Mon Sep 17 00:00:00 2001
From: Willem <wrolleman@nationtech.io>
Date: Wed, 29 Oct 2025 13:53:58 -0400
Subject: [PATCH 20/51] fix:cargo fmt

---
 harmony/src/domain/topology/ha_cluster.rs | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/harmony/src/domain/topology/ha_cluster.rs b/harmony/src/domain/topology/ha_cluster.rs
index 3411a90..f6c3a02 100644
--- a/harmony/src/domain/topology/ha_cluster.rs
+++ b/harmony/src/domain/topology/ha_cluster.rs
@@ -8,12 +8,15 @@ use kube::api::ObjectMeta;
 use log::debug;
 use log::info;
 
-use crate::{modules::okd::crd::nmstate::{self, NodeNetworkConfigurationPolicy}, topology::node_exporter::NodeExporter};
 use crate::topology::PxeOptions;
 use crate::{data::FileContent, modules::okd::crd::nmstate::NMState};
 use crate::{
     executors::ExecutorError, modules::okd::crd::nmstate::NodeNetworkConfigurationPolicySpec,
 };
+use crate::{
+    modules::okd::crd::nmstate::{self, NodeNetworkConfigurationPolicy},
+    topology::node_exporter::NodeExporter,
+};
 
 use super::{
     DHCPStaticEntry, DhcpServer, DnsRecord, DnsRecordType, DnsServer, Firewall, HostNetworkConfig,

From 95cfc03518e90095bbc3ae594bb1f07136554a7b Mon Sep 17 00:00:00 2001
From: Jean-Gabriel Gill-Couture <jg@nationtech.io>
Date: Wed, 29 Oct 2025 17:24:35 -0400
Subject: [PATCH 21/51] feat(kube): Utility function to convert kube_openapi
 Resource to DynamicObject. This will allow initializing resources strongly
 typed and then bundle various types into a list of DynamicObject

---
 harmony/src/infra/kube.rs | 182 ++++++++++++++++++++++++++++++++++++++
 harmony/src/infra/mod.rs  |   1 +
 2 files changed, 183 insertions(+)
 create mode 100644 harmony/src/infra/kube.rs

diff --git a/harmony/src/infra/kube.rs b/harmony/src/infra/kube.rs
new file mode 100644
index 0000000..9fb1247
--- /dev/null
+++ b/harmony/src/infra/kube.rs
@@ -0,0 +1,182 @@
+use k8s_openapi::Resource as K8sResource;
+use kube::api::{ApiResource, DynamicObject, GroupVersionKind};
+use kube::core::TypeMeta;
+use serde::Serialize;
+use serde::de::DeserializeOwned;
+use serde_json::Value;
+
+/// Convert a typed Kubernetes resource `K` into a `DynamicObject`.
+///
+/// Requirements:
+/// - `K` must be a k8s_openapi resource (provides static GVK via `Resource`).
+/// - `K` must have standard Kubernetes shape (metadata + payload fields).
+///
+/// Notes:
+/// - We set `types` (apiVersion/kind) and copy `metadata`.
+/// - We place the remaining top-level fields into `obj.data` as JSON.
+/// - Scope is not encoded on the object itself; you still need the corresponding
+///   `DynamicResource` (derived from K::group/version/kind) when constructing an Api.
+///
+/// Example usage:
+///   let dyn_obj = kube_resource_to_dynamic(secret)?;
+///   let api: Api<DynamicObject> = Api::namespaced_with(client, "ns", &dr);
+///   api.patch(&dyn_obj.name_any(), &PatchParams::apply("mgr"), &Patch::Apply(dyn_obj)).await?;
+pub fn kube_resource_to_dynamic<K>(res: &K) -> Result<DynamicObject, String>
+where
+    K: K8sResource + Serialize + DeserializeOwned,
+{
+    // Serialize the typed resource to JSON so we can split metadata and payload
+    let mut v = serde_json::to_value(res).map_err(|e| format!("Failed to serialize : {e}"))?;
+    let obj = v
+        .as_object_mut()
+        .ok_or_else(|| "expected object JSON".to_string())?;
+
+    // Extract and parse metadata into kube::core::ObjectMeta
+    let metadata_value = obj
+        .remove("metadata")
+        .ok_or_else(|| "missing metadata".to_string())?;
+    let metadata: kube::core::ObjectMeta = serde_json::from_value(metadata_value)
+        .map_err(|e| format!("Failed to deserialize : {e}"))?;
+
+    // Name is required for DynamicObject::new; prefer metadata.name
+    let name = metadata
+        .name
+        .clone()
+        .ok_or_else(|| "metadata.name is required".to_string())?;
+
+    // Remaining fields (spec/status/data/etc.) become the dynamic payload
+    let payload = Value::Object(obj.clone());
+
+    // Construct the DynamicObject
+    let mut dyn_obj = DynamicObject::new(
+        &name,
+        &ApiResource::from_gvk(&GroupVersionKind::gvk(K::GROUP, K::VERSION, K::KIND)),
+    );
+    dyn_obj.types = Some(TypeMeta {
+        api_version: api_version_for::<K>(),
+        kind: K::KIND.into(),
+    });
+
+    // Preserve namespace/labels/annotations/etc.
+    dyn_obj.metadata = metadata;
+
+    // Attach payload
+    dyn_obj.data = payload;
+
+    Ok(dyn_obj)
+}
+
+/// Helper: compute apiVersion string ("group/version" or "v1" for core).
+fn api_version_for<K>() -> String
+where
+    K: K8sResource,
+{
+    let group = K::GROUP;
+    let version = K::VERSION;
+    if group.is_empty() {
+        version.to_string() // core/v1 => "v1"
+    } else {
+        format!("{}/{}", group, version)
+    }
+}
+#[cfg(test)]
+mod test {
+    use super::*;
+    use k8s_openapi::api::{
+        apps::v1::{Deployment, DeploymentSpec},
+        core::v1::{PodTemplateSpec, Secret},
+    };
+    use kube::api::ObjectMeta;
+    use pretty_assertions::assert_eq;
+
+    #[test]
+    fn secret_to_dynamic_roundtrip() {
+        // Create a sample Secret resource
+        let mut secret = Secret {
+            metadata: ObjectMeta {
+                name: Some("my-secret".to_string()),
+                ..Default::default()
+            },
+            type_: Some("kubernetes.io/service-account-token".to_string()),
+            ..Default::default()
+        };
+
+        // Convert to DynamicResource
+        let dynamic: DynamicObject =
+            kube_resource_to_dynamic(&secret).expect("Failed to convert Secret to DynamicResource");
+
+        // Serialize both the original and dynamic resources to Value
+        let original_value = serde_json::to_value(&secret).expect("Failed to serialize Secret");
+        let dynamic_value =
+            serde_json::to_value(&dynamic).expect("Failed to serialize DynamicResource");
+
+        // Assert that they are identical
+        assert_eq!(original_value, dynamic_value);
+
+        secret.metadata.namespace = Some("false".to_string());
+        let modified_value = serde_json::to_value(&secret).expect("Failed to serialize Secret");
+        assert_ne!(modified_value, dynamic_value);
+    }
+
+    #[test]
+    fn deployment_to_dynamic_roundtrip() {
+        // Create a sample Deployment with nested structures
+        let mut deployment = Deployment {
+            metadata: ObjectMeta {
+                name: Some("my-deployment".to_string()),
+                labels: Some({
+                    let mut map = std::collections::BTreeMap::new();
+                    map.insert("app".to_string(), "nginx".to_string());
+                    map
+                }),
+                ..Default::default()
+            },
+            spec: Some(DeploymentSpec {
+                replicas: Some(3),
+                selector: Default::default(),
+                template: PodTemplateSpec {
+                    metadata: Some(ObjectMeta {
+                        labels: Some({
+                            let mut map = std::collections::BTreeMap::new();
+                            map.insert("app".to_string(), "nginx".to_string());
+                            map
+                        }),
+                        ..Default::default()
+                    }),
+                    spec: Some(Default::default()), // PodSpec with empty containers for simplicity
+                },
+                ..Default::default()
+            }),
+            ..Default::default()
+        };
+
+        let dynamic = kube_resource_to_dynamic(&deployment).expect("Failed to convert Deployment");
+
+        let original_value = serde_json::to_value(&deployment).unwrap();
+        let dynamic_value = serde_json::to_value(&dynamic).unwrap();
+
+        assert_eq!(original_value, dynamic_value);
+
+        assert_eq!(
+            dynamic.data.get("spec").unwrap().get("replicas").unwrap(),
+            3
+        );
+        assert_eq!(
+            dynamic
+                .data
+                .get("spec")
+                .unwrap()
+                .get("template")
+                .unwrap()
+                .get("metadata")
+                .unwrap()
+                .get("labels")
+                .unwrap()
+                .get("app")
+                .unwrap()
+                .as_str()
+                .unwrap(),
+            "nginx".to_string()
+        );
+    }
+}
diff --git a/harmony/src/infra/mod.rs b/harmony/src/infra/mod.rs
index 203cf90..253176c 100644
--- a/harmony/src/infra/mod.rs
+++ b/harmony/src/infra/mod.rs
@@ -3,5 +3,6 @@ pub mod executors;
 pub mod hp_ilo;
 pub mod intel_amt;
 pub mod inventory;
+pub mod kube;
 pub mod opnsense;
 mod sqlx;

From 827a49e56b6f238337a0fc6397dd39a0411da6dd Mon Sep 17 00:00:00 2001
From: Ian Letourneau <letourneau.ian@gmail.com>
Date: Tue, 4 Nov 2025 17:25:30 -0500
Subject: [PATCH 22/51] fix(opnsense-config): mark Interface::enable as
 optional

---
 opnsense-config-xml/src/data/interfaces.rs | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/opnsense-config-xml/src/data/interfaces.rs b/opnsense-config-xml/src/data/interfaces.rs
index b06f392..5ceee7e 100644
--- a/opnsense-config-xml/src/data/interfaces.rs
+++ b/opnsense-config-xml/src/data/interfaces.rs
@@ -9,7 +9,7 @@ pub struct Interface {
     pub physical_interface_name: String,
     pub descr: Option<MaybeString>,
     pub mtu: Option<MaybeString>,
-    pub enable: MaybeString,
+    pub enable: Option<MaybeString>,
     pub lock: Option<MaybeString>,
     #[yaserde(rename = "spoofmac")]
     pub spoof_mac: Option<MaybeString>,
@@ -134,19 +134,15 @@ mod test {
   <interfaces>
     <paul>
       <if></if>
-      <enable/>
     </paul>
     <anotherpaul>
       <if></if>
-      <enable/>
     </anotherpaul>
     <thirdone>
       <if></if>
-      <enable/>
     </thirdone>
     <andgofor4>
       <if></if>
-      <enable/>
     </andgofor4>
   </interfaces>
   <bar>foo</bar>

From 9d4e6acac0eb1027b39ba522c680e6bbc5f23668 Mon Sep 17 00:00:00 2001
From: Ian Letourneau <ian@noma.to>
Date: Wed, 5 Nov 2025 23:38:24 +0000
Subject: [PATCH 23/51] fix(host_network): retrieve proper hostname and next
 available bond id (#182)

In order to query the current network state `NodeNetworkState` and to apply a `NodeNetworkConfigurationPolicy` for a given node, we first needed to find its hostname. As all we had was the UUID of a node.

We had different options available (e.g. updating the Harmony Inventory Agent to retrieve it, store it in the OKD installation pipeline on assignation, etc.). But for the sake of simplicity and for better flexibility (e.g. being able to run this score on a cluster that wasn't setup with Harmony), the `hostname` was retrieved directly in the cluster by running the equivalent of `kubectl get nodes -o yaml` and matching the nodes with the system UUID.

### Other changes
* Find the next available bond id for a node
* Apply a network config policy for a node (configuring a bond in our case)
* Adjust the CRDs for NMState

Note: to see a quick demo, watch the recording in https://git.nationtech.io/NationTech/harmony/pulls/183
Reviewed-on: https://git.nationtech.io/NationTech/harmony/pulls/182
Reviewed-by: johnride <jg@nationtech.io>
---
 harmony/src/domain/topology/ha_cluster.rs  | 133 +++++++--
 harmony/src/domain/topology/k8s.rs         |  59 +++-
 harmony/src/modules/inventory/discovery.rs |  11 +-
 harmony/src/modules/okd/crd/nmstate.rs     | 305 +++++++++++++++++++--
 4 files changed, 447 insertions(+), 61 deletions(-)

diff --git a/harmony/src/domain/topology/ha_cluster.rs b/harmony/src/domain/topology/ha_cluster.rs
index d65d9aa..8f65e53 100644
--- a/harmony/src/domain/topology/ha_cluster.rs
+++ b/harmony/src/domain/topology/ha_cluster.rs
@@ -1,10 +1,15 @@
 use async_trait::async_trait;
 use harmony_macros::ip;
 use harmony_types::{
+    id::Id,
     net::{MacAddress, Url},
     switch::PortLocation,
 };
-use kube::api::ObjectMeta;
+use k8s_openapi::api::core::v1::Node;
+use kube::{
+    ResourceExt,
+    api::{ObjectList, ObjectMeta},
+};
 use log::debug;
 use log::info;
 
@@ -22,7 +27,7 @@ use super::{
     Topology, k8s::K8sClient,
 };
 
-use std::collections::BTreeMap;
+use std::collections::{BTreeMap, HashSet};
 use std::sync::Arc;
 
 #[derive(Debug, Clone)]
@@ -63,7 +68,7 @@ impl K8sclient for HAClusterTopology {
                 K8sClient::try_default().await.map_err(|e| e.to_string())?,
             )),
             Some(kubeconfig) => {
-                let Some(client) = K8sClient::from_kubeconfig(&kubeconfig).await else {
+                let Some(client) = K8sClient::from_kubeconfig(kubeconfig).await else {
                     return Err("Failed to create k8s client".to_string());
                 };
                 Ok(Arc::new(client))
@@ -143,7 +148,10 @@ impl HAClusterTopology {
             },
             ..Default::default()
         };
-        debug!("Creating NMState: {nmstate:#?}");
+        debug!(
+            "Creating NMState:\n{}",
+            serde_yaml::to_string(&nmstate).unwrap()
+        );
         k8s_client
             .apply(&nmstate, None)
             .await
@@ -152,10 +160,6 @@ impl HAClusterTopology {
         Ok(())
     }
 
-    fn get_next_bond_id(&self) -> u8 {
-        42 // FIXME: Find a better way to declare the bond id
-    }
-
     async fn configure_bond(&self, config: &HostNetworkConfig) -> Result<(), SwitchError> {
         self.ensure_nmstate_operator_installed()
             .await
@@ -165,9 +169,23 @@ impl HAClusterTopology {
                 ))
             })?;
 
-        let bond_config = self.create_bond_configuration(config);
+        let hostname = self.get_hostname(&config.host_id).await.map_err(|e| {
+            SwitchError::new(format!(
+                "Can't configure bond, can't get hostname for host '{}': {e}",
+                config.host_id
+            ))
+        })?;
+        let bond_id = self.get_next_bond_id(&hostname).await.map_err(|e| {
+            SwitchError::new(format!(
+                "Can't configure bond, can't get an available bond id for host '{}': {e}",
+                config.host_id
+            ))
+        })?;
+        let bond_config = self.create_bond_configuration(&hostname, &bond_id, config);
+
         debug!(
-            "Applying NMState bond config for host {}: {bond_config:#?}",
+            "Applying NMState bond config for host {}:\n{}",
+            serde_yaml::to_string(&bond_config).unwrap(),
             config.host_id
         );
         self.k8s_client()
@@ -182,26 +200,24 @@ impl HAClusterTopology {
 
     fn create_bond_configuration(
         &self,
+        host: &str,
+        bond_name: &str,
         config: &HostNetworkConfig,
     ) -> NodeNetworkConfigurationPolicy {
-        let host_name = &config.host_id;
-        let bond_id = self.get_next_bond_id();
-        let bond_name = format!("bond{bond_id}");
-
-        info!("Configuring bond '{bond_name}' for host '{host_name}'...");
+        info!("Configuring bond '{bond_name}' for host '{host}'...");
 
         let mut bond_mtu: Option<u32> = None;
         let mut copy_mac_from: Option<String> = None;
         let mut bond_ports = Vec::new();
-        let mut interfaces: Vec<nmstate::InterfaceSpec> = Vec::new();
+        let mut interfaces: Vec<nmstate::Interface> = Vec::new();
 
         for switch_port in &config.switch_ports {
             let interface_name = switch_port.interface.name.clone();
 
-            interfaces.push(nmstate::InterfaceSpec {
+            interfaces.push(nmstate::Interface {
                 name: interface_name.clone(),
                 description: Some(format!("Member of bond {bond_name}")),
-                r#type: "ethernet".to_string(),
+                r#type: nmstate::InterfaceType::Ethernet,
                 state: "up".to_string(),
                 mtu: Some(switch_port.interface.mtu),
                 mac_address: Some(switch_port.interface.mac_address.to_string()),
@@ -228,10 +244,10 @@ impl HAClusterTopology {
             }
         }
 
-        interfaces.push(nmstate::InterfaceSpec {
-            name: bond_name.clone(),
-            description: Some(format!("Network bond for host {host_name}")),
-            r#type: "bond".to_string(),
+        interfaces.push(nmstate::Interface {
+            name: bond_name.to_string(),
+            description: Some(format!("Network bond for host {host}")),
+            r#type: nmstate::InterfaceType::Bond,
             state: "up".to_string(),
             copy_mac_from,
             ipv4: Some(nmstate::IpStackSpec {
@@ -255,19 +271,80 @@ impl HAClusterTopology {
 
         NodeNetworkConfigurationPolicy {
             metadata: ObjectMeta {
-                name: Some(format!("{host_name}-bond-config")),
+                name: Some(format!("{host}-bond-config")),
                 ..Default::default()
             },
             spec: NodeNetworkConfigurationPolicySpec {
                 node_selector: Some(BTreeMap::from([(
                     "kubernetes.io/hostname".to_string(),
-                    host_name.to_string(),
+                    host.to_string(),
                 )])),
-                desired_state: nmstate::DesiredStateSpec { interfaces },
+                desired_state: nmstate::NetworkState {
+                    interfaces,
+                    ..Default::default()
+                },
             },
         }
     }
 
+    async fn get_hostname(&self, host_id: &Id) -> Result<String, String> {
+        let nodes: ObjectList<Node> = self
+            .k8s_client()
+            .await
+            .unwrap()
+            .list_resources(None, None)
+            .await
+            .map_err(|e| format!("Failed to list nodes: {e}"))?;
+
+        let Some(node) = nodes.iter().find(|n| {
+            n.status
+                .as_ref()
+                .and_then(|s| s.node_info.as_ref())
+                .map(|i| i.system_uuid == host_id.to_string())
+                .unwrap_or(false)
+        }) else {
+            return Err(format!("No node found for host '{host_id}'"));
+        };
+
+        node.labels()
+            .get("kubernetes.io/hostname")
+            .ok_or(format!(
+                "Node '{host_id}' has no kubernetes.io/hostname label"
+            ))
+            .cloned()
+    }
+
+    async fn get_next_bond_id(&self, hostname: &str) -> Result<String, String> {
+        let network_state: Option<nmstate::NodeNetworkState> = self
+            .k8s_client()
+            .await
+            .unwrap()
+            .get_resource(hostname, None)
+            .await
+            .map_err(|e| format!("Failed to list nodes: {e}"))?;
+
+        let interfaces = vec![];
+        let existing_bonds: Vec<&nmstate::Interface> = network_state
+            .as_ref()
+            .and_then(|network_state| network_state.status.current_state.as_ref())
+            .map_or(&interfaces, |current_state| &current_state.interfaces)
+            .iter()
+            .filter(|i| i.r#type == nmstate::InterfaceType::Bond)
+            .collect();
+
+        let used_ids: HashSet<u32> = existing_bonds
+            .iter()
+            .filter_map(|i| {
+                i.name
+                    .strip_prefix("bond")
+                    .and_then(|id| id.parse::<u32>().ok())
+            })
+            .collect();
+
+        let next_id = (0..).find(|id| !used_ids.contains(id)).unwrap();
+        Ok(format!("bond{next_id}"))
+    }
+
     async fn configure_port_channel(&self, config: &HostNetworkConfig) -> Result<(), SwitchError> {
         debug!("Configuring port channel: {config:#?}");
         let switch_ports = config.switch_ports.iter().map(|s| s.port.clone()).collect();
@@ -458,16 +535,14 @@ impl HttpServer for HAClusterTopology {
 #[async_trait]
 impl Switch for HAClusterTopology {
     async fn setup_switch(&self) -> Result<(), SwitchError> {
-        self.switch_client.setup().await?;
-        Ok(())
+        self.switch_client.setup().await.map(|_| ())
     }
 
     async fn get_port_for_mac_address(
         &self,
         mac_address: &MacAddress,
     ) -> Result<Option<PortLocation>, SwitchError> {
-        let port = self.switch_client.find_port(mac_address).await?;
-        Ok(port)
+        self.switch_client.find_port(mac_address).await
     }
 
     async fn configure_host_network(&self, config: &HostNetworkConfig) -> Result<(), SwitchError> {
diff --git a/harmony/src/domain/topology/k8s.rs b/harmony/src/domain/topology/k8s.rs
index 71129e1..03c59e1 100644
--- a/harmony/src/domain/topology/k8s.rs
+++ b/harmony/src/domain/topology/k8s.rs
@@ -5,13 +5,15 @@ use k8s_openapi::{
     ClusterResourceScope, NamespaceResourceScope,
     api::{
         apps::v1::Deployment,
-        core::v1::{Pod, ServiceAccount},
+        core::v1::{Node, Pod, ServiceAccount},
     },
     apimachinery::pkg::version::Info,
 };
 use kube::{
     Client, Config, Discovery, Error, Resource,
-    api::{Api, AttachParams, DeleteParams, ListParams, Patch, PatchParams, ResourceExt},
+    api::{
+        Api, AttachParams, DeleteParams, ListParams, ObjectList, Patch, PatchParams, ResourceExt,
+    },
     config::{KubeConfigOptions, Kubeconfig},
     core::ErrorResponse,
     discovery::{ApiCapabilities, Scope},
@@ -564,7 +566,58 @@ impl K8sClient {
         Ok(())
     }
 
-    pub(crate) async fn from_kubeconfig(path: &str) -> Option<K8sClient> {
+    /// Gets a single named resource of a specific type `K`.
+    ///
+    /// This function uses the `ApplyStrategy` trait to correctly determine
+    /// whether to look in a specific namespace or in the entire cluster.
+    ///
+    /// Returns `Ok(None)` if the resource is not found (404).
+    pub async fn get_resource<K>(
+        &self,
+        name: &str,
+        namespace: Option<&str>,
+    ) -> Result<Option<K>, Error>
+    where
+        K: Resource + Clone + std::fmt::Debug + DeserializeOwned,
+        <K as Resource>::Scope: ApplyStrategy<K>,
+        <K as kube::Resource>::DynamicType: Default,
+    {
+        let api: Api<K> =
+            <<K as Resource>::Scope as ApplyStrategy<K>>::get_api(&self.client, namespace);
+
+        api.get_opt(name).await
+    }
+
+    /// Lists all resources of a specific type `K`.
+    ///
+    /// This function uses the `ApplyStrategy` trait to correctly determine
+    /// whether to list from a specific namespace or from the entire cluster.
+    pub async fn list_resources<K>(
+        &self,
+        namespace: Option<&str>,
+        list_params: Option<ListParams>,
+    ) -> Result<ObjectList<K>, Error>
+    where
+        K: Resource + Clone + std::fmt::Debug + DeserializeOwned,
+        <K as Resource>::Scope: ApplyStrategy<K>,
+        <K as kube::Resource>::DynamicType: Default,
+    {
+        let api: Api<K> =
+            <<K as Resource>::Scope as ApplyStrategy<K>>::get_api(&self.client, namespace);
+
+        let list_params = list_params.unwrap_or_default();
+        api.list(&list_params).await
+    }
+
+    /// Fetches a list of all Nodes in the cluster.
+    pub async fn get_nodes(
+        &self,
+        list_params: Option<ListParams>,
+    ) -> Result<ObjectList<Node>, Error> {
+        self.list_resources(None, list_params).await
+    }
+
+    pub async fn from_kubeconfig(path: &str) -> Option<K8sClient> {
         let k = match Kubeconfig::read_from(path) {
             Ok(k) => k,
             Err(e) => {
diff --git a/harmony/src/modules/inventory/discovery.rs b/harmony/src/modules/inventory/discovery.rs
index 143c56a..b02078b 100644
--- a/harmony/src/modules/inventory/discovery.rs
+++ b/harmony/src/modules/inventory/discovery.rs
@@ -74,7 +74,11 @@ impl<T: Topology> Interpret<T> for DiscoverHostForRoleInterpret {
 
             match ans {
                 Ok(choice) => {
-                    info!("Selected {} as the bootstrap node.", choice.summary());
+                    info!(
+                        "Selected {} as the {:?} node.",
+                        choice.summary(),
+                        self.score.role
+                    );
                     host_repo
                         .save_role_mapping(&self.score.role, &choice)
                         .await?;
@@ -90,10 +94,7 @@ impl<T: Topology> Interpret<T> for DiscoverHostForRoleInterpret {
                         "Failed to select node for role {:?} : {}",
                         self.score.role, e
                     );
-                    return Err(InterpretError::new(format!(
-                        "Could not select host : {}",
-                        e.to_string()
-                    )));
+                    return Err(InterpretError::new(format!("Could not select host : {e}")));
                 }
             }
         }
diff --git a/harmony/src/modules/okd/crd/nmstate.rs b/harmony/src/modules/okd/crd/nmstate.rs
index 9f986e5..f0eb4ae 100644
--- a/harmony/src/modules/okd/crd/nmstate.rs
+++ b/harmony/src/modules/okd/crd/nmstate.rs
@@ -1,6 +1,7 @@
 use std::collections::BTreeMap;
 
-use kube::CustomResource;
+use k8s_openapi::{ClusterResourceScope, Resource};
+use kube::{CustomResource, api::ObjectMeta};
 use schemars::JsonSchema;
 use serde::{Deserialize, Serialize};
 use serde_json::Value;
@@ -47,28 +48,223 @@ pub struct ProbeDns {
     group = "nmstate.io",
     version = "v1",
     kind = "NodeNetworkConfigurationPolicy",
-    namespaced
+    namespaced = false
 )]
 #[serde(rename_all = "camelCase")]
 pub struct NodeNetworkConfigurationPolicySpec {
     #[serde(skip_serializing_if = "Option::is_none")]
     pub node_selector: Option<BTreeMap<String, String>>,
-    pub desired_state: DesiredStateSpec,
+    pub desired_state: NetworkState,
+}
+
+// Currently, kube-rs derive doesn't support resources without a `spec` field, so we have
+// to implement it ourselves.
+//
+// Ref:
+// - https://github.com/kube-rs/kube/issues/1763
+// - https://github.com/kube-rs/kube/discussions/1762
+#[derive(Deserialize, Serialize, Clone, Debug)]
+#[serde(rename_all = "camelCase")]
+pub struct NodeNetworkState {
+    metadata: ObjectMeta,
+    pub status: NodeNetworkStateStatus,
+}
+
+impl Resource for NodeNetworkState {
+    const API_VERSION: &'static str = "nmstate.io/v1beta1";
+    const GROUP: &'static str = "nmstate.io";
+    const VERSION: &'static str = "v1beta1";
+    const KIND: &'static str = "NodeNetworkState";
+    const URL_PATH_SEGMENT: &'static str = "nodenetworkstates";
+    type Scope = ClusterResourceScope;
+}
+
+impl k8s_openapi::Metadata for NodeNetworkState {
+    type Ty = ObjectMeta;
+
+    fn metadata(&self) -> &Self::Ty {
+        &self.metadata
+    }
+
+    fn metadata_mut(&mut self) -> &mut Self::Ty {
+        &mut self.metadata
+    }
 }
 
 #[derive(Deserialize, Serialize, Clone, Debug, JsonSchema)]
+#[serde(rename_all = "camelCase")]
+pub struct NodeNetworkStateStatus {
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub current_state: Option<NetworkState>,
+
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub handler_nmstate_version: Option<String>,
+
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub host_network_manager_version: Option<String>,
+
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub last_successful_update_time: Option<String>,
+}
+
+/// The NetworkState is the top-level struct, representing the entire
+/// desired or current network state.
+#[derive(Deserialize, Serialize, Clone, Debug, Default, JsonSchema)]
 #[serde(rename_all = "kebab-case")]
-pub struct DesiredStateSpec {
-    pub interfaces: Vec<InterfaceSpec>,
+#[serde(deny_unknown_fields)]
+pub struct NetworkState {
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub hostname: Option<HostNameState>,
+    #[serde(rename = "dns-resolver", skip_serializing_if = "Option::is_none")]
+    pub dns: Option<DnsState>,
+    #[serde(rename = "route-rules", skip_serializing_if = "Option::is_none")]
+    pub rules: Option<RouteRuleState>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub routes: Option<RouteState>,
+    #[serde(default, skip_serializing_if = "Vec::is_empty")]
+    pub interfaces: Vec<Interface>,
+    #[serde(rename = "ovs-db", skip_serializing_if = "Option::is_none")]
+    pub ovsdb: Option<OvsDbGlobalConfig>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub ovn: Option<OvnConfiguration>,
 }
 
 #[derive(Deserialize, Serialize, Clone, Debug, Default, JsonSchema)]
 #[serde(rename_all = "kebab-case")]
-pub struct InterfaceSpec {
+pub struct HostNameState {
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub running: Option<String>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub config: Option<String>,
+}
+
+#[derive(Deserialize, Serialize, Clone, Debug, Default, JsonSchema)]
+#[serde(rename_all = "kebab-case")]
+pub struct DnsState {
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub running: Option<DnsResolverConfig>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub config: Option<DnsResolverConfig>,
+}
+
+#[derive(Deserialize, Serialize, Clone, Debug, Default, JsonSchema)]
+#[serde(rename_all = "kebab-case")]
+pub struct DnsResolverConfig {
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub search: Option<Vec<String>>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub server: Option<Vec<String>>,
+}
+
+#[derive(Deserialize, Serialize, Clone, Debug, Default, JsonSchema)]
+#[serde(rename_all = "kebab-case")]
+pub struct RouteRuleState {
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub config: Option<Vec<RouteRule>>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub running: Option<Vec<RouteRule>>,
+}
+
+#[derive(Deserialize, Serialize, Clone, Debug, Default, JsonSchema)]
+#[serde(rename_all = "kebab-case")]
+pub struct RouteState {
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub config: Option<Vec<Route>>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub running: Option<Vec<Route>>,
+}
+
+#[derive(Deserialize, Serialize, Clone, Debug, Default, JsonSchema)]
+#[serde(rename_all = "kebab-case")]
+pub struct RouteRule {
+    #[serde(rename = "ip-from", skip_serializing_if = "Option::is_none")]
+    pub ip_from: Option<String>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub priority: Option<u32>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub route_table: Option<u32>,
+}
+
+#[derive(Deserialize, Serialize, Clone, Debug, Default, JsonSchema)]
+#[serde(rename_all = "kebab-case")]
+pub struct Route {
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub destination: Option<String>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub metric: Option<u32>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub next_hop_address: Option<String>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub next_hop_interface: Option<String>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub table_id: Option<u32>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub mtu: Option<u32>,
+}
+
+#[derive(Deserialize, Serialize, Clone, Debug, Default, JsonSchema)]
+#[serde(rename_all = "kebab-case")]
+pub struct OvsDbGlobalConfig {
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub external_ids: Option<BTreeMap<String, String>>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub other_config: Option<BTreeMap<String, String>>,
+}
+
+#[derive(Deserialize, Serialize, Clone, Debug, Default, JsonSchema)]
+#[serde(rename_all = "kebab-case")]
+pub struct OvnConfiguration {
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub bridge_mappings: Option<Vec<OvnBridgeMapping>>,
+}
+
+#[derive(Deserialize, Serialize, Clone, Debug, Default, JsonSchema)]
+#[serde(rename_all = "kebab-case")]
+pub struct OvnBridgeMapping {
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub localnet: Option<String>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub bridge: Option<String>,
+}
+
+#[derive(Deserialize, Serialize, Clone, Debug, JsonSchema)]
+#[serde(untagged)]
+#[serde(rename_all = "kebab-case")]
+pub enum StpSpec {
+    Bool(bool),
+    Options(StpOptions),
+}
+
+#[derive(Deserialize, Serialize, Clone, Debug, JsonSchema)]
+#[serde(rename_all = "kebab-case")]
+pub struct LldpState {
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub enabled: Option<bool>,
+}
+
+#[derive(Deserialize, Serialize, Clone, Debug, JsonSchema)]
+#[serde(rename_all = "kebab-case")]
+pub struct OvsDb {
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub external_ids: Option<BTreeMap<String, String>>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub other_config: Option<BTreeMap<String, String>>,
+}
+
+#[derive(Deserialize, Serialize, Clone, Debug, JsonSchema)]
+#[serde(rename_all = "kebab-case")]
+pub struct PatchState {
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub peer: Option<String>,
+}
+
+#[derive(Deserialize, Serialize, Clone, Debug, Default, JsonSchema)]
+#[serde(rename_all = "kebab-case")]
+pub struct Interface {
     pub name: String,
     #[serde(skip_serializing_if = "Option::is_none")]
     pub description: Option<String>,
-    pub r#type: String,
+    pub r#type: InterfaceType,
     pub state: String,
     #[serde(skip_serializing_if = "Option::is_none")]
     pub mac_address: Option<String>,
@@ -99,9 +295,81 @@ pub struct InterfaceSpec {
     #[serde(skip_serializing_if = "Option::is_none")]
     pub linux_bridge: Option<LinuxBridgeSpec>,
     #[serde(skip_serializing_if = "Option::is_none")]
+    #[serde(alias = "bridge")]
     pub ovs_bridge: Option<OvsBridgeSpec>,
     #[serde(skip_serializing_if = "Option::is_none")]
-    pub ethtool: Option<EthtoolSpec>,
+    pub ethtool: Option<Value>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub accept_all_mac_addresses: Option<bool>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub identifier: Option<String>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub lldp: Option<LldpState>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub permanent_mac_address: Option<String>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub max_mtu: Option<u32>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub min_mtu: Option<u32>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub mptcp: Option<Value>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub profile_name: Option<String>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub wait_ip: Option<String>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub ovs_db: Option<OvsDb>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub driver: Option<String>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub patch: Option<PatchState>,
+}
+
+#[derive(Deserialize, Serialize, Clone, PartialEq, Eq, PartialOrd, Ord, Debug, JsonSchema)]
+#[serde(rename_all = "kebab-case")]
+pub enum InterfaceType {
+    #[serde(rename = "unknown")]
+    Unknown,
+    #[serde(rename = "dummy")]
+    Dummy,
+    #[serde(rename = "loopback")]
+    Loopback,
+    #[serde(rename = "linux-bridge")]
+    LinuxBridge,
+    #[serde(rename = "ovs-bridge")]
+    OvsBridge,
+    #[serde(rename = "ovs-interface")]
+    OvsInterface,
+    #[serde(rename = "bond")]
+    Bond,
+    #[serde(rename = "ipvlan")]
+    IpVlan,
+    #[serde(rename = "vlan")]
+    Vlan,
+    #[serde(rename = "vxlan")]
+    Vxlan,
+    #[serde(rename = "mac-vlan")]
+    Macvlan,
+    #[serde(rename = "mac-vtap")]
+    Macvtap,
+    #[serde(rename = "ethernet")]
+    Ethernet,
+    #[serde(rename = "infiniband")]
+    Infiniband,
+    #[serde(rename = "vrf")]
+    Vrf,
+    #[serde(rename = "veth")]
+    Veth,
+    #[serde(rename = "ipsec")]
+    Ipsec,
+    #[serde(rename = "hsr")]
+    Hrs,
+}
+
+impl Default for InterfaceType {
+    fn default() -> Self {
+        Self::Loopback
+    }
 }
 
 #[derive(Deserialize, Serialize, Clone, Debug, Default, JsonSchema)]
@@ -287,11 +555,15 @@ pub struct OvsBridgeSpec {
 #[serde(rename_all = "kebab-case")]
 pub struct OvsBridgeOptions {
     #[serde(skip_serializing_if = "Option::is_none")]
-    pub stp: Option<bool>,
+    pub stp: Option<StpSpec>,
     #[serde(skip_serializing_if = "Option::is_none")]
     pub rstp: Option<bool>,
     #[serde(skip_serializing_if = "Option::is_none")]
     pub mcast_snooping_enable: Option<bool>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub datapath: Option<String>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub fail_mode: Option<String>,
 }
 
 #[derive(Deserialize, Serialize, Clone, Debug, Default, JsonSchema)]
@@ -305,18 +577,3 @@ pub struct OvsPortSpec {
     #[serde(skip_serializing_if = "Option::is_none")]
     pub r#type: Option<String>,
 }
-
-#[derive(Deserialize, Serialize, Clone, Debug, Default, JsonSchema)]
-#[serde(rename_all = "kebab-case")]
-pub struct EthtoolSpec {
-    // TODO: Properly describe this spec (https://nmstate.io/devel/yaml_api.html#ethtool)
-}
-
-#[derive(Deserialize, Serialize, Clone, Debug, Default, JsonSchema)]
-#[serde(rename_all = "kebab-case")]
-pub struct EthtoolFecSpec {
-    #[serde(skip_serializing_if = "Option::is_none")]
-    pub auto: Option<bool>,
-    #[serde(skip_serializing_if = "Option::is_none")]
-    pub mode: Option<String>,
-}

From 06a004a65d7b0115e5c7c7fc4455d0252aa3244e Mon Sep 17 00:00:00 2001
From: Ian Letourneau <ian@noma.to>
Date: Thu, 6 Nov 2025 00:02:52 +0000
Subject: [PATCH 24/51] refactor(host_network): extract NetworkManager as a
 reusable component (#183)

The NetworkManager logic was implemented directly into the `HaClusterTopology`, which wasn't directly its concern and prevented us from being able to reuse that NetworkManaager implementations in the future for a different Topology.

* Extract a `NetworkManager` trait
* Implement a `OpenShiftNmStateNetworkManager` for `NetworkManager`
* Dynamically instantiate the NetworkManager in the Topology to delegate calls to it

Reviewed-on: https://git.nationtech.io/NationTech/harmony/pulls/183
Reviewed-by: johnride <jg@nationtech.io>
---
 examples/nanodc/src/main.rs               |   3 +-
 examples/okd_installation/src/topology.rs |   6 +-
 examples/okd_pxe/src/topology.rs          |   6 +-
 examples/opnsense/src/main.rs             |   3 +-
 harmony/src/domain/topology/ha_cluster.rs | 309 +++-------------------
 harmony/src/domain/topology/k8s.rs        |   2 +-
 harmony/src/domain/topology/network.rs    |  35 ++-
 harmony/src/infra/mod.rs                  |   1 +
 harmony/src/infra/network_manager.rs      | 259 ++++++++++++++++++
 harmony/src/modules/okd/host_network.rs   | 190 +++++++++++--
 10 files changed, 508 insertions(+), 306 deletions(-)
 create mode 100644 harmony/src/infra/network_manager.rs

diff --git a/examples/nanodc/src/main.rs b/examples/nanodc/src/main.rs
index 629a8dc..e487fab 100644
--- a/examples/nanodc/src/main.rs
+++ b/examples/nanodc/src/main.rs
@@ -1,6 +1,6 @@
 use std::{
     net::{IpAddr, Ipv4Addr},
-    sync::Arc,
+    sync::{Arc, OnceLock},
 };
 
 use brocade::BrocadeOptions;
@@ -107,6 +107,7 @@ async fn main() {
             },
         ],
         switch_client: switch_client.clone(),
+        network_manager: OnceLock::new(),
     };
 
     let inventory = Inventory {
diff --git a/examples/okd_installation/src/topology.rs b/examples/okd_installation/src/topology.rs
index ce89402..2bc9fd2 100644
--- a/examples/okd_installation/src/topology.rs
+++ b/examples/okd_installation/src/topology.rs
@@ -9,7 +9,10 @@ use harmony::{
 use harmony_macros::{ip, ipv4};
 use harmony_secret::{Secret, SecretManager};
 use serde::{Deserialize, Serialize};
-use std::{net::IpAddr, sync::Arc};
+use std::{
+    net::IpAddr,
+    sync::{Arc, OnceLock},
+};
 
 #[derive(Secret, Serialize, Deserialize, Debug, PartialEq)]
 struct OPNSenseFirewallConfig {
@@ -81,6 +84,7 @@ pub async fn get_topology() -> HAClusterTopology {
         },
         workers: vec![],
         switch_client: switch_client.clone(),
+        network_manager: OnceLock::new(),
     }
 }
 
diff --git a/examples/okd_pxe/src/topology.rs b/examples/okd_pxe/src/topology.rs
index 7c1244c..72695fa 100644
--- a/examples/okd_pxe/src/topology.rs
+++ b/examples/okd_pxe/src/topology.rs
@@ -10,7 +10,10 @@ use harmony::{
 use harmony_macros::{ip, ipv4};
 use harmony_secret::{Secret, SecretManager};
 use serde::{Deserialize, Serialize};
-use std::{net::IpAddr, sync::Arc};
+use std::{
+    net::IpAddr,
+    sync::{Arc, OnceLock},
+};
 
 pub async fn get_topology() -> HAClusterTopology {
     let firewall = harmony::topology::LogicalHost {
@@ -76,6 +79,7 @@ pub async fn get_topology() -> HAClusterTopology {
         },
         workers: vec![],
         switch_client: switch_client.clone(),
+        network_manager: OnceLock::new(),
     }
 }
 
diff --git a/examples/opnsense/src/main.rs b/examples/opnsense/src/main.rs
index 4422f65..e74f5da 100644
--- a/examples/opnsense/src/main.rs
+++ b/examples/opnsense/src/main.rs
@@ -1,6 +1,6 @@
 use std::{
     net::{IpAddr, Ipv4Addr},
-    sync::Arc,
+    sync::{Arc, OnceLock},
 };
 
 use brocade::BrocadeOptions;
@@ -79,6 +79,7 @@ async fn main() {
         },
         workers: vec![],
         switch_client: switch_client.clone(),
+        network_manager: OnceLock::new(),
     };
 
     let inventory = Inventory {
diff --git a/harmony/src/domain/topology/ha_cluster.rs b/harmony/src/domain/topology/ha_cluster.rs
index 8f65e53..558f97c 100644
--- a/harmony/src/domain/topology/ha_cluster.rs
+++ b/harmony/src/domain/topology/ha_cluster.rs
@@ -5,30 +5,21 @@ use harmony_types::{
     net::{MacAddress, Url},
     switch::PortLocation,
 };
-use k8s_openapi::api::core::v1::Node;
-use kube::{
-    ResourceExt,
-    api::{ObjectList, ObjectMeta},
-};
 use log::debug;
 use log::info;
 
-use crate::modules::okd::crd::nmstate::{self, NodeNetworkConfigurationPolicy};
+use crate::infra::network_manager::OpenShiftNmStateNetworkManager;
 use crate::topology::PxeOptions;
-use crate::{data::FileContent, modules::okd::crd::nmstate::NMState};
-use crate::{
-    executors::ExecutorError, modules::okd::crd::nmstate::NodeNetworkConfigurationPolicySpec,
-};
+use crate::{data::FileContent, executors::ExecutorError};
 
 use super::{
     DHCPStaticEntry, DhcpServer, DnsRecord, DnsRecordType, DnsServer, Firewall, HostNetworkConfig,
-    HttpServer, IpAddress, K8sclient, LoadBalancer, LoadBalancerService, LogicalHost,
-    PreparationError, PreparationOutcome, Router, Switch, SwitchClient, SwitchError, TftpServer,
-    Topology, k8s::K8sClient,
+    HttpServer, IpAddress, K8sclient, LoadBalancer, LoadBalancerService, LogicalHost, NetworkError,
+    NetworkManager, PreparationError, PreparationOutcome, Router, Switch, SwitchClient,
+    SwitchError, TftpServer, Topology, k8s::K8sClient,
 };
 
-use std::collections::{BTreeMap, HashSet};
-use std::sync::Arc;
+use std::sync::{Arc, OnceLock};
 
 #[derive(Debug, Clone)]
 pub struct HAClusterTopology {
@@ -45,6 +36,7 @@ pub struct HAClusterTopology {
     pub control_plane: Vec<LogicalHost>,
     pub workers: Vec<LogicalHost>,
     pub kubeconfig: Option<String>,
+    pub network_manager: OnceLock<Arc<dyn NetworkManager>>,
 }
 
 #[async_trait]
@@ -98,263 +90,12 @@ impl HAClusterTopology {
             .to_string()
     }
 
-    async fn ensure_nmstate_operator_installed(&self) -> Result<(), String> {
-        let k8s_client = self.k8s_client().await?;
+    pub async fn network_manager(&self) -> &dyn NetworkManager {
+        let k8s_client = self.k8s_client().await.unwrap();
 
-        debug!("Installing NMState controller...");
-        k8s_client.apply_url(url::Url::parse("https://github.com/nmstate/kubernetes-nmstate/releases/download/v0.84.0/nmstate.io_nmstates.yaml
-").unwrap(), Some("nmstate"))
-            .await
-            .map_err(|e| e.to_string())?;
-
-        debug!("Creating NMState namespace...");
-        k8s_client.apply_url(url::Url::parse("https://github.com/nmstate/kubernetes-nmstate/releases/download/v0.84.0/namespace.yaml
-").unwrap(), Some("nmstate"))
-            .await
-            .map_err(|e| e.to_string())?;
-
-        debug!("Creating NMState service account...");
-        k8s_client.apply_url(url::Url::parse("https://github.com/nmstate/kubernetes-nmstate/releases/download/v0.84.0/service_account.yaml
-").unwrap(), Some("nmstate"))
-            .await
-            .map_err(|e| e.to_string())?;
-
-        debug!("Creating NMState role...");
-        k8s_client.apply_url(url::Url::parse("https://github.com/nmstate/kubernetes-nmstate/releases/download/v0.84.0/role.yaml
-").unwrap(), Some("nmstate"))
-            .await
-            .map_err(|e| e.to_string())?;
-
-        debug!("Creating NMState role binding...");
-        k8s_client.apply_url(url::Url::parse("https://github.com/nmstate/kubernetes-nmstate/releases/download/v0.84.0/role_binding.yaml
-").unwrap(), Some("nmstate"))
-            .await
-            .map_err(|e| e.to_string())?;
-
-        debug!("Creating NMState operator...");
-        k8s_client.apply_url(url::Url::parse("https://github.com/nmstate/kubernetes-nmstate/releases/download/v0.84.0/operator.yaml
-").unwrap(), Some("nmstate"))
-            .await
-            .map_err(|e| e.to_string())?;
-
-        k8s_client
-            .wait_until_deployment_ready("nmstate-operator", Some("nmstate"), None)
-            .await?;
-
-        let nmstate = NMState {
-            metadata: ObjectMeta {
-                name: Some("nmstate".to_string()),
-                ..Default::default()
-            },
-            ..Default::default()
-        };
-        debug!(
-            "Creating NMState:\n{}",
-            serde_yaml::to_string(&nmstate).unwrap()
-        );
-        k8s_client
-            .apply(&nmstate, None)
-            .await
-            .map_err(|e| e.to_string())?;
-
-        Ok(())
-    }
-
-    async fn configure_bond(&self, config: &HostNetworkConfig) -> Result<(), SwitchError> {
-        self.ensure_nmstate_operator_installed()
-            .await
-            .map_err(|e| {
-                SwitchError::new(format!(
-                    "Can't configure bond, NMState operator not available: {e}"
-                ))
-            })?;
-
-        let hostname = self.get_hostname(&config.host_id).await.map_err(|e| {
-            SwitchError::new(format!(
-                "Can't configure bond, can't get hostname for host '{}': {e}",
-                config.host_id
-            ))
-        })?;
-        let bond_id = self.get_next_bond_id(&hostname).await.map_err(|e| {
-            SwitchError::new(format!(
-                "Can't configure bond, can't get an available bond id for host '{}': {e}",
-                config.host_id
-            ))
-        })?;
-        let bond_config = self.create_bond_configuration(&hostname, &bond_id, config);
-
-        debug!(
-            "Applying NMState bond config for host {}:\n{}",
-            serde_yaml::to_string(&bond_config).unwrap(),
-            config.host_id
-        );
-        self.k8s_client()
-            .await
-            .unwrap()
-            .apply(&bond_config, None)
-            .await
-            .map_err(|e| SwitchError::new(format!("Failed to configure bond: {e}")))?;
-
-        Ok(())
-    }
-
-    fn create_bond_configuration(
-        &self,
-        host: &str,
-        bond_name: &str,
-        config: &HostNetworkConfig,
-    ) -> NodeNetworkConfigurationPolicy {
-        info!("Configuring bond '{bond_name}' for host '{host}'...");
-
-        let mut bond_mtu: Option<u32> = None;
-        let mut copy_mac_from: Option<String> = None;
-        let mut bond_ports = Vec::new();
-        let mut interfaces: Vec<nmstate::Interface> = Vec::new();
-
-        for switch_port in &config.switch_ports {
-            let interface_name = switch_port.interface.name.clone();
-
-            interfaces.push(nmstate::Interface {
-                name: interface_name.clone(),
-                description: Some(format!("Member of bond {bond_name}")),
-                r#type: nmstate::InterfaceType::Ethernet,
-                state: "up".to_string(),
-                mtu: Some(switch_port.interface.mtu),
-                mac_address: Some(switch_port.interface.mac_address.to_string()),
-                ipv4: Some(nmstate::IpStackSpec {
-                    enabled: Some(false),
-                    ..Default::default()
-                }),
-                ipv6: Some(nmstate::IpStackSpec {
-                    enabled: Some(false),
-                    ..Default::default()
-                }),
-                link_aggregation: None,
-                ..Default::default()
-            });
-
-            bond_ports.push(interface_name.clone());
-
-            // Use the first port's details for the bond mtu and mac address
-            if bond_mtu.is_none() {
-                bond_mtu = Some(switch_port.interface.mtu);
-            }
-            if copy_mac_from.is_none() {
-                copy_mac_from = Some(interface_name);
-            }
-        }
-
-        interfaces.push(nmstate::Interface {
-            name: bond_name.to_string(),
-            description: Some(format!("Network bond for host {host}")),
-            r#type: nmstate::InterfaceType::Bond,
-            state: "up".to_string(),
-            copy_mac_from,
-            ipv4: Some(nmstate::IpStackSpec {
-                dhcp: Some(true),
-                enabled: Some(true),
-                ..Default::default()
-            }),
-            ipv6: Some(nmstate::IpStackSpec {
-                dhcp: Some(true),
-                autoconf: Some(true),
-                enabled: Some(true),
-                ..Default::default()
-            }),
-            link_aggregation: Some(nmstate::BondSpec {
-                mode: "802.3ad".to_string(),
-                ports: bond_ports,
-                ..Default::default()
-            }),
-            ..Default::default()
-        });
-
-        NodeNetworkConfigurationPolicy {
-            metadata: ObjectMeta {
-                name: Some(format!("{host}-bond-config")),
-                ..Default::default()
-            },
-            spec: NodeNetworkConfigurationPolicySpec {
-                node_selector: Some(BTreeMap::from([(
-                    "kubernetes.io/hostname".to_string(),
-                    host.to_string(),
-                )])),
-                desired_state: nmstate::NetworkState {
-                    interfaces,
-                    ..Default::default()
-                },
-            },
-        }
-    }
-
-    async fn get_hostname(&self, host_id: &Id) -> Result<String, String> {
-        let nodes: ObjectList<Node> = self
-            .k8s_client()
-            .await
-            .unwrap()
-            .list_resources(None, None)
-            .await
-            .map_err(|e| format!("Failed to list nodes: {e}"))?;
-
-        let Some(node) = nodes.iter().find(|n| {
-            n.status
-                .as_ref()
-                .and_then(|s| s.node_info.as_ref())
-                .map(|i| i.system_uuid == host_id.to_string())
-                .unwrap_or(false)
-        }) else {
-            return Err(format!("No node found for host '{host_id}'"));
-        };
-
-        node.labels()
-            .get("kubernetes.io/hostname")
-            .ok_or(format!(
-                "Node '{host_id}' has no kubernetes.io/hostname label"
-            ))
-            .cloned()
-    }
-
-    async fn get_next_bond_id(&self, hostname: &str) -> Result<String, String> {
-        let network_state: Option<nmstate::NodeNetworkState> = self
-            .k8s_client()
-            .await
-            .unwrap()
-            .get_resource(hostname, None)
-            .await
-            .map_err(|e| format!("Failed to list nodes: {e}"))?;
-
-        let interfaces = vec![];
-        let existing_bonds: Vec<&nmstate::Interface> = network_state
+        self.network_manager
+            .get_or_init(|| Arc::new(OpenShiftNmStateNetworkManager::new(k8s_client.clone())))
             .as_ref()
-            .and_then(|network_state| network_state.status.current_state.as_ref())
-            .map_or(&interfaces, |current_state| &current_state.interfaces)
-            .iter()
-            .filter(|i| i.r#type == nmstate::InterfaceType::Bond)
-            .collect();
-
-        let used_ids: HashSet<u32> = existing_bonds
-            .iter()
-            .filter_map(|i| {
-                i.name
-                    .strip_prefix("bond")
-                    .and_then(|id| id.parse::<u32>().ok())
-            })
-            .collect();
-
-        let next_id = (0..).find(|id| !used_ids.contains(id)).unwrap();
-        Ok(format!("bond{next_id}"))
-    }
-
-    async fn configure_port_channel(&self, config: &HostNetworkConfig) -> Result<(), SwitchError> {
-        debug!("Configuring port channel: {config:#?}");
-        let switch_ports = config.switch_ports.iter().map(|s| s.port.clone()).collect();
-
-        self.switch_client
-            .configure_port_channel(&format!("Harmony_{}", config.host_id), switch_ports)
-            .await
-            .map_err(|e| SwitchError::new(format!("Failed to configure switch: {e}")))?;
-
-        Ok(())
     }
 
     pub fn autoload() -> Self {
@@ -378,6 +119,7 @@ impl HAClusterTopology {
             bootstrap_host: dummy_host,
             control_plane: vec![],
             workers: vec![],
+            network_manager: OnceLock::new(),
         }
     }
 }
@@ -545,9 +287,30 @@ impl Switch for HAClusterTopology {
         self.switch_client.find_port(mac_address).await
     }
 
-    async fn configure_host_network(&self, config: &HostNetworkConfig) -> Result<(), SwitchError> {
-        self.configure_bond(config).await?;
-        self.configure_port_channel(config).await
+    async fn configure_port_channel(&self, config: &HostNetworkConfig) -> Result<(), SwitchError> {
+        debug!("Configuring port channel: {config:#?}");
+        let switch_ports = config.switch_ports.iter().map(|s| s.port.clone()).collect();
+
+        self.switch_client
+            .configure_port_channel(&format!("Harmony_{}", config.host_id), switch_ports)
+            .await
+            .map_err(|e| SwitchError::new(format!("Failed to configure port-channel: {e}")))?;
+
+        Ok(())
+    }
+}
+
+#[async_trait]
+impl NetworkManager for HAClusterTopology {
+    async fn ensure_network_manager_installed(&self) -> Result<(), NetworkError> {
+        self.network_manager()
+            .await
+            .ensure_network_manager_installed()
+            .await
+    }
+
+    async fn configure_bond(&self, config: &HostNetworkConfig) -> Result<(), NetworkError> {
+        self.network_manager().await.configure_bond(config).await
     }
 }
 
diff --git a/harmony/src/domain/topology/k8s.rs b/harmony/src/domain/topology/k8s.rs
index 03c59e1..fccf0d1 100644
--- a/harmony/src/domain/topology/k8s.rs
+++ b/harmony/src/domain/topology/k8s.rs
@@ -25,7 +25,7 @@ use kube::{
     api::{ApiResource, GroupVersionKind},
     runtime::wait::await_condition,
 };
-use log::{debug, error, info, trace, warn};
+use log::{debug, error, trace, warn};
 use serde::{Serialize, de::DeserializeOwned};
 use serde_json::json;
 use similar::TextDiff;
diff --git a/harmony/src/domain/topology/network.rs b/harmony/src/domain/topology/network.rs
index cf172ee..d9e4f72 100644
--- a/harmony/src/domain/topology/network.rs
+++ b/harmony/src/domain/topology/network.rs
@@ -15,7 +15,7 @@ use harmony_types::{
 };
 use serde::Serialize;
 
-use crate::{executors::ExecutorError, hardware::PhysicalHost};
+use crate::executors::ExecutorError;
 
 use super::{LogicalHost, k8s::K8sClient};
 
@@ -183,6 +183,37 @@ impl FromStr for DnsRecordType {
     }
 }
 
+#[async_trait]
+pub trait NetworkManager: Debug + Send + Sync {
+    async fn ensure_network_manager_installed(&self) -> Result<(), NetworkError>;
+    async fn configure_bond(&self, config: &HostNetworkConfig) -> Result<(), NetworkError>;
+}
+
+#[derive(Debug, Clone, new)]
+pub struct NetworkError {
+    msg: String,
+}
+
+impl fmt::Display for NetworkError {
+    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        f.write_str(&self.msg)
+    }
+}
+
+impl Error for NetworkError {}
+
+impl From<kube::Error> for NetworkError {
+    fn from(value: kube::Error) -> Self {
+        NetworkError::new(value.to_string())
+    }
+}
+
+impl From<String> for NetworkError {
+    fn from(value: String) -> Self {
+        NetworkError::new(value)
+    }
+}
+
 #[async_trait]
 pub trait Switch: Send + Sync {
     async fn setup_switch(&self) -> Result<(), SwitchError>;
@@ -192,7 +223,7 @@ pub trait Switch: Send + Sync {
         mac_address: &MacAddress,
     ) -> Result<Option<PortLocation>, SwitchError>;
 
-    async fn configure_host_network(&self, config: &HostNetworkConfig) -> Result<(), SwitchError>;
+    async fn configure_port_channel(&self, config: &HostNetworkConfig) -> Result<(), SwitchError>;
 }
 
 #[derive(Clone, Debug, PartialEq)]
diff --git a/harmony/src/infra/mod.rs b/harmony/src/infra/mod.rs
index 253176c..b996afb 100644
--- a/harmony/src/infra/mod.rs
+++ b/harmony/src/infra/mod.rs
@@ -4,5 +4,6 @@ pub mod hp_ilo;
 pub mod intel_amt;
 pub mod inventory;
 pub mod kube;
+pub mod network_manager;
 pub mod opnsense;
 mod sqlx;
diff --git a/harmony/src/infra/network_manager.rs b/harmony/src/infra/network_manager.rs
new file mode 100644
index 0000000..89321fe
--- /dev/null
+++ b/harmony/src/infra/network_manager.rs
@@ -0,0 +1,259 @@
+use std::{
+    collections::{BTreeMap, HashSet},
+    sync::Arc,
+};
+
+use async_trait::async_trait;
+use harmony_types::id::Id;
+use k8s_openapi::api::core::v1::Node;
+use kube::{
+    ResourceExt,
+    api::{ObjectList, ObjectMeta},
+};
+use log::{debug, info};
+
+use crate::{
+    modules::okd::crd::nmstate,
+    topology::{HostNetworkConfig, NetworkError, NetworkManager, k8s::K8sClient},
+};
+
+pub struct OpenShiftNmStateNetworkManager {
+    k8s_client: Arc<K8sClient>,
+}
+
+impl std::fmt::Debug for OpenShiftNmStateNetworkManager {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        f.debug_struct("OpenShiftNmStateNetworkManager").finish()
+    }
+}
+
+#[async_trait]
+impl NetworkManager for OpenShiftNmStateNetworkManager {
+    async fn ensure_network_manager_installed(&self) -> Result<(), NetworkError> {
+        debug!("Installing NMState controller...");
+        self.k8s_client.apply_url(url::Url::parse("https://github.com/nmstate/kubernetes-nmstate/releases/download/v0.84.0/nmstate.io_nmstates.yaml
+").unwrap(), Some("nmstate"))
+            .await?;
+
+        debug!("Creating NMState namespace...");
+        self.k8s_client.apply_url(url::Url::parse("https://github.com/nmstate/kubernetes-nmstate/releases/download/v0.84.0/namespace.yaml
+").unwrap(), Some("nmstate"))
+            .await?;
+
+        debug!("Creating NMState service account...");
+        self.k8s_client.apply_url(url::Url::parse("https://github.com/nmstate/kubernetes-nmstate/releases/download/v0.84.0/service_account.yaml
+").unwrap(), Some("nmstate"))
+            .await?;
+
+        debug!("Creating NMState role...");
+        self.k8s_client.apply_url(url::Url::parse("https://github.com/nmstate/kubernetes-nmstate/releases/download/v0.84.0/role.yaml
+").unwrap(), Some("nmstate"))
+            .await?;
+
+        debug!("Creating NMState role binding...");
+        self.k8s_client.apply_url(url::Url::parse("https://github.com/nmstate/kubernetes-nmstate/releases/download/v0.84.0/role_binding.yaml
+").unwrap(), Some("nmstate"))
+            .await?;
+
+        debug!("Creating NMState operator...");
+        self.k8s_client.apply_url(url::Url::parse("https://github.com/nmstate/kubernetes-nmstate/releases/download/v0.84.0/operator.yaml
+").unwrap(), Some("nmstate"))
+            .await?;
+
+        self.k8s_client
+            .wait_until_deployment_ready("nmstate-operator", Some("nmstate"), None)
+            .await?;
+
+        let nmstate = nmstate::NMState {
+            metadata: ObjectMeta {
+                name: Some("nmstate".to_string()),
+                ..Default::default()
+            },
+            ..Default::default()
+        };
+        debug!(
+            "Creating NMState:\n{}",
+            serde_yaml::to_string(&nmstate).unwrap()
+        );
+        self.k8s_client.apply(&nmstate, None).await?;
+
+        Ok(())
+    }
+
+    async fn configure_bond(&self, config: &HostNetworkConfig) -> Result<(), NetworkError> {
+        let hostname = self.get_hostname(&config.host_id).await.map_err(|e| {
+            NetworkError::new(format!(
+                "Can't configure bond, can't get hostname for host '{}': {e}",
+                config.host_id
+            ))
+        })?;
+        let bond_id = self.get_next_bond_id(&hostname).await.map_err(|e| {
+            NetworkError::new(format!(
+                "Can't configure bond, can't get an available bond id for host '{}': {e}",
+                config.host_id
+            ))
+        })?;
+        let bond_config = self.create_bond_configuration(&hostname, &bond_id, config);
+
+        debug!(
+            "Applying NMState bond config for host {}:\n{}",
+            config.host_id,
+            serde_yaml::to_string(&bond_config).unwrap(),
+        );
+        self.k8s_client
+            .apply(&bond_config, None)
+            .await
+            .map_err(|e| NetworkError::new(format!("Failed to configure bond: {e}")))?;
+
+        Ok(())
+    }
+}
+
+impl OpenShiftNmStateNetworkManager {
+    pub fn new(k8s_client: Arc<K8sClient>) -> Self {
+        Self { k8s_client }
+    }
+
+    fn create_bond_configuration(
+        &self,
+        host: &str,
+        bond_name: &str,
+        config: &HostNetworkConfig,
+    ) -> nmstate::NodeNetworkConfigurationPolicy {
+        info!("Configuring bond '{bond_name}' for host '{host}'...");
+
+        let mut bond_mtu: Option<u32> = None;
+        let mut copy_mac_from: Option<String> = None;
+        let mut bond_ports = Vec::new();
+        let mut interfaces: Vec<nmstate::Interface> = Vec::new();
+
+        for switch_port in &config.switch_ports {
+            let interface_name = switch_port.interface.name.clone();
+
+            interfaces.push(nmstate::Interface {
+                name: interface_name.clone(),
+                description: Some(format!("Member of bond {bond_name}")),
+                r#type: nmstate::InterfaceType::Ethernet,
+                state: "up".to_string(),
+                mtu: Some(switch_port.interface.mtu),
+                mac_address: Some(switch_port.interface.mac_address.to_string()),
+                ipv4: Some(nmstate::IpStackSpec {
+                    enabled: Some(false),
+                    ..Default::default()
+                }),
+                ipv6: Some(nmstate::IpStackSpec {
+                    enabled: Some(false),
+                    ..Default::default()
+                }),
+                link_aggregation: None,
+                ..Default::default()
+            });
+
+            bond_ports.push(interface_name.clone());
+
+            // Use the first port's details for the bond mtu and mac address
+            if bond_mtu.is_none() {
+                bond_mtu = Some(switch_port.interface.mtu);
+            }
+            if copy_mac_from.is_none() {
+                copy_mac_from = Some(interface_name);
+            }
+        }
+
+        interfaces.push(nmstate::Interface {
+            name: bond_name.to_string(),
+            description: Some(format!("Network bond for host {host}")),
+            r#type: nmstate::InterfaceType::Bond,
+            state: "up".to_string(),
+            copy_mac_from,
+            ipv4: Some(nmstate::IpStackSpec {
+                dhcp: Some(true),
+                enabled: Some(true),
+                ..Default::default()
+            }),
+            ipv6: Some(nmstate::IpStackSpec {
+                dhcp: Some(true),
+                autoconf: Some(true),
+                enabled: Some(true),
+                ..Default::default()
+            }),
+            link_aggregation: Some(nmstate::BondSpec {
+                mode: "802.3ad".to_string(),
+                ports: bond_ports,
+                ..Default::default()
+            }),
+            ..Default::default()
+        });
+
+        nmstate::NodeNetworkConfigurationPolicy {
+            metadata: ObjectMeta {
+                name: Some(format!("{host}-bond-config")),
+                ..Default::default()
+            },
+            spec: nmstate::NodeNetworkConfigurationPolicySpec {
+                node_selector: Some(BTreeMap::from([(
+                    "kubernetes.io/hostname".to_string(),
+                    host.to_string(),
+                )])),
+                desired_state: nmstate::NetworkState {
+                    interfaces,
+                    ..Default::default()
+                },
+            },
+        }
+    }
+
+    async fn get_hostname(&self, host_id: &Id) -> Result<String, String> {
+        let nodes: ObjectList<Node> = self
+            .k8s_client
+            .list_resources(None, None)
+            .await
+            .map_err(|e| format!("Failed to list nodes: {e}"))?;
+
+        let Some(node) = nodes.iter().find(|n| {
+            n.status
+                .as_ref()
+                .and_then(|s| s.node_info.as_ref())
+                .map(|i| i.system_uuid == host_id.to_string())
+                .unwrap_or(false)
+        }) else {
+            return Err(format!("No node found for host '{host_id}'"));
+        };
+
+        node.labels()
+            .get("kubernetes.io/hostname")
+            .ok_or(format!(
+                "Node '{host_id}' has no kubernetes.io/hostname label"
+            ))
+            .cloned()
+    }
+
+    async fn get_next_bond_id(&self, hostname: &str) -> Result<String, String> {
+        let network_state: Option<nmstate::NodeNetworkState> = self
+            .k8s_client
+            .get_resource(hostname, None)
+            .await
+            .map_err(|e| format!("Failed to list nodes: {e}"))?;
+
+        let interfaces = vec![];
+        let existing_bonds: Vec<&nmstate::Interface> = network_state
+            .as_ref()
+            .and_then(|network_state| network_state.status.current_state.as_ref())
+            .map_or(&interfaces, |current_state| &current_state.interfaces)
+            .iter()
+            .filter(|i| i.r#type == nmstate::InterfaceType::Bond)
+            .collect();
+
+        let used_ids: HashSet<u32> = existing_bonds
+            .iter()
+            .filter_map(|i| {
+                i.name
+                    .strip_prefix("bond")
+                    .and_then(|id| id.parse::<u32>().ok())
+            })
+            .collect();
+
+        let next_id = (0..).find(|id| !used_ids.contains(id)).unwrap();
+        Ok(format!("bond{next_id}"))
+    }
+}
diff --git a/harmony/src/modules/okd/host_network.rs b/harmony/src/modules/okd/host_network.rs
index 39fb027..e68c6df 100644
--- a/harmony/src/modules/okd/host_network.rs
+++ b/harmony/src/modules/okd/host_network.rs
@@ -1,6 +1,6 @@
 use async_trait::async_trait;
 use harmony_types::id::Id;
-use log::{debug, info};
+use log::info;
 use serde::Serialize;
 
 use crate::{
@@ -9,7 +9,7 @@ use crate::{
     interpret::{Interpret, InterpretError, InterpretName, InterpretStatus, Outcome},
     inventory::Inventory,
     score::Score,
-    topology::{HostNetworkConfig, NetworkInterface, Switch, SwitchPort, Topology},
+    topology::{HostNetworkConfig, NetworkInterface, NetworkManager, Switch, SwitchPort, Topology},
 };
 
 #[derive(Debug, Clone, Serialize)]
@@ -17,7 +17,7 @@ pub struct HostNetworkConfigurationScore {
     pub hosts: Vec<PhysicalHost>,
 }
 
-impl<T: Topology + Switch> Score<T> for HostNetworkConfigurationScore {
+impl<T: Topology + NetworkManager + Switch> Score<T> for HostNetworkConfigurationScore {
     fn name(&self) -> String {
         "HostNetworkConfigurationScore".into()
     }
@@ -35,7 +35,7 @@ pub struct HostNetworkConfigurationInterpret {
 }
 
 impl HostNetworkConfigurationInterpret {
-    async fn configure_network_for_host<T: Topology + Switch>(
+    async fn configure_network_for_host<T: Topology + NetworkManager + Switch>(
         &self,
         topology: &T,
         host: &PhysicalHost,
@@ -67,10 +67,15 @@ impl HostNetworkConfigurationInterpret {
             );
 
             info!("[Host {current_host}/{total_hosts}] Configuring host network...");
+            topology.configure_bond(&config).await.map_err(|e| {
+                InterpretError::new(format!("Failed to configure host network: {e}"))
+            })?;
             topology
-                .configure_host_network(&config)
+                .configure_port_channel(&config)
                 .await
-                .map_err(|e| InterpretError::new(format!("Failed to configure host: {e}")))?;
+                .map_err(|e| {
+                    InterpretError::new(format!("Failed to configure host network: {e}"))
+                })?;
         } else {
             info!(
                 "[Host {current_host}/{total_hosts}] No ports found for {} interfaces, skipping",
@@ -113,7 +118,7 @@ impl HostNetworkConfigurationInterpret {
                         port,
                     });
                 }
-                Ok(None) => debug!("No port found for '{mac_address}', skipping"),
+                Ok(None) => {}
                 Err(e) => {
                     return Err(InterpretError::new(format!(
                         "Failed to get port for host '{}': {}",
@@ -169,7 +174,7 @@ impl HostNetworkConfigurationInterpret {
 }
 
 #[async_trait]
-impl<T: Topology + Switch> Interpret<T> for HostNetworkConfigurationInterpret {
+impl<T: Topology + NetworkManager + Switch> Interpret<T> for HostNetworkConfigurationInterpret {
     fn get_name(&self) -> InterpretName {
         InterpretName::Custom("HostNetworkConfigurationInterpret")
     }
@@ -198,6 +203,12 @@ impl<T: Topology + Switch> Interpret<T> for HostNetworkConfigurationInterpret {
         let host_count = self.score.hosts.len();
         info!("Started network configuration for {host_count} host(s)...",);
 
+        info!("Setting up NetworkManager...",);
+        topology
+            .ensure_network_manager_installed()
+            .await
+            .map_err(|e| InterpretError::new(format!("NetworkManager setup failed: {e}")))?;
+
         info!("Setting up switch with sane defaults...");
         topology
             .setup_switch()
@@ -242,7 +253,8 @@ mod tests {
     use crate::{
         hardware::HostCategory,
         topology::{
-            HostNetworkConfig, PreparationError, PreparationOutcome, SwitchError, SwitchPort,
+            HostNetworkConfig, NetworkError, PreparationError, PreparationOutcome, SwitchError,
+            SwitchPort,
         },
     };
     use std::{
@@ -290,15 +302,27 @@ mod tests {
     }
 
     #[tokio::test]
-    async fn host_with_one_mac_address_should_create_bond_with_one_interface() {
+    async fn should_setup_network_manager() {
         let host = given_host(&HOST_ID, vec![EXISTING_INTERFACE.clone()]);
         let score = given_score(vec![host]);
         let topology = TopologyWithSwitch::new();
 
         let _ = score.interpret(&Inventory::empty(), &topology).await;
 
-        let configured_host_networks = topology.configured_host_networks.lock().unwrap();
-        assert_that!(*configured_host_networks).contains_exactly(vec![(
+        let network_manager_setup = topology.network_manager_setup.lock().unwrap();
+        assert_that!(*network_manager_setup).is_true();
+    }
+
+    #[tokio::test]
+    async fn host_with_one_mac_address_should_configure_bond_with_one_interface() {
+        let host = given_host(&HOST_ID, vec![EXISTING_INTERFACE.clone()]);
+        let score = given_score(vec![host]);
+        let topology = TopologyWithSwitch::new();
+
+        let _ = score.interpret(&Inventory::empty(), &topology).await;
+
+        let config = topology.configured_bonds.lock().unwrap();
+        assert_that!(*config).contains_exactly(vec![(
             HOST_ID.clone(),
             HostNetworkConfig {
                 host_id: HOST_ID.clone(),
@@ -311,7 +335,28 @@ mod tests {
     }
 
     #[tokio::test]
-    async fn host_with_multiple_mac_addresses_should_create_one_bond_with_all_interfaces() {
+    async fn host_with_one_mac_address_should_configure_port_channel_with_one_interface() {
+        let host = given_host(&HOST_ID, vec![EXISTING_INTERFACE.clone()]);
+        let score = given_score(vec![host]);
+        let topology = TopologyWithSwitch::new();
+
+        let _ = score.interpret(&Inventory::empty(), &topology).await;
+
+        let config = topology.configured_port_channels.lock().unwrap();
+        assert_that!(*config).contains_exactly(vec![(
+            HOST_ID.clone(),
+            HostNetworkConfig {
+                host_id: HOST_ID.clone(),
+                switch_ports: vec![SwitchPort {
+                    interface: EXISTING_INTERFACE.clone(),
+                    port: PORT.clone(),
+                }],
+            },
+        )]);
+    }
+
+    #[tokio::test]
+    async fn host_with_multiple_mac_addresses_should_configure_one_bond_with_all_interfaces() {
         let score = given_score(vec![given_host(
             &HOST_ID,
             vec![
@@ -323,8 +368,8 @@ mod tests {
 
         let _ = score.interpret(&Inventory::empty(), &topology).await;
 
-        let configured_host_networks = topology.configured_host_networks.lock().unwrap();
-        assert_that!(*configured_host_networks).contains_exactly(vec![(
+        let config = topology.configured_bonds.lock().unwrap();
+        assert_that!(*config).contains_exactly(vec![(
             HOST_ID.clone(),
             HostNetworkConfig {
                 host_id: HOST_ID.clone(),
@@ -343,7 +388,40 @@ mod tests {
     }
 
     #[tokio::test]
-    async fn multiple_hosts_should_create_one_bond_per_host() {
+    async fn host_with_multiple_mac_addresses_should_configure_one_port_channel_with_all_interfaces()
+     {
+        let score = given_score(vec![given_host(
+            &HOST_ID,
+            vec![
+                EXISTING_INTERFACE.clone(),
+                ANOTHER_EXISTING_INTERFACE.clone(),
+            ],
+        )]);
+        let topology = TopologyWithSwitch::new();
+
+        let _ = score.interpret(&Inventory::empty(), &topology).await;
+
+        let config = topology.configured_port_channels.lock().unwrap();
+        assert_that!(*config).contains_exactly(vec![(
+            HOST_ID.clone(),
+            HostNetworkConfig {
+                host_id: HOST_ID.clone(),
+                switch_ports: vec![
+                    SwitchPort {
+                        interface: EXISTING_INTERFACE.clone(),
+                        port: PORT.clone(),
+                    },
+                    SwitchPort {
+                        interface: ANOTHER_EXISTING_INTERFACE.clone(),
+                        port: ANOTHER_PORT.clone(),
+                    },
+                ],
+            },
+        )]);
+    }
+
+    #[tokio::test]
+    async fn multiple_hosts_should_configure_one_bond_per_host() {
         let score = given_score(vec![
             given_host(&HOST_ID, vec![EXISTING_INTERFACE.clone()]),
             given_host(&ANOTHER_HOST_ID, vec![ANOTHER_EXISTING_INTERFACE.clone()]),
@@ -352,8 +430,43 @@ mod tests {
 
         let _ = score.interpret(&Inventory::empty(), &topology).await;
 
-        let configured_host_networks = topology.configured_host_networks.lock().unwrap();
-        assert_that!(*configured_host_networks).contains_exactly(vec![
+        let config = topology.configured_bonds.lock().unwrap();
+        assert_that!(*config).contains_exactly(vec![
+            (
+                HOST_ID.clone(),
+                HostNetworkConfig {
+                    host_id: HOST_ID.clone(),
+                    switch_ports: vec![SwitchPort {
+                        interface: EXISTING_INTERFACE.clone(),
+                        port: PORT.clone(),
+                    }],
+                },
+            ),
+            (
+                ANOTHER_HOST_ID.clone(),
+                HostNetworkConfig {
+                    host_id: ANOTHER_HOST_ID.clone(),
+                    switch_ports: vec![SwitchPort {
+                        interface: ANOTHER_EXISTING_INTERFACE.clone(),
+                        port: ANOTHER_PORT.clone(),
+                    }],
+                },
+            ),
+        ]);
+    }
+
+    #[tokio::test]
+    async fn multiple_hosts_should_configure_one_port_channel_per_host() {
+        let score = given_score(vec![
+            given_host(&HOST_ID, vec![EXISTING_INTERFACE.clone()]),
+            given_host(&ANOTHER_HOST_ID, vec![ANOTHER_EXISTING_INTERFACE.clone()]),
+        ]);
+        let topology = TopologyWithSwitch::new();
+
+        let _ = score.interpret(&Inventory::empty(), &topology).await;
+
+        let config = topology.configured_port_channels.lock().unwrap();
+        assert_that!(*config).contains_exactly(vec![
             (
                 HOST_ID.clone(),
                 HostNetworkConfig {
@@ -384,8 +497,10 @@ mod tests {
 
         let _ = score.interpret(&Inventory::empty(), &topology).await;
 
-        let configured_host_networks = topology.configured_host_networks.lock().unwrap();
-        assert_that!(*configured_host_networks).is_empty();
+        let config = topology.configured_port_channels.lock().unwrap();
+        assert_that!(*config).is_empty();
+        let config = topology.configured_bonds.lock().unwrap();
+        assert_that!(*config).is_empty();
     }
 
     fn given_score(hosts: Vec<PhysicalHost>) -> HostNetworkConfigurationScore {
@@ -422,26 +537,33 @@ mod tests {
         }
     }
 
+    #[derive(Debug)]
     struct TopologyWithSwitch {
         available_ports: Arc<Mutex<Vec<PortLocation>>>,
-        configured_host_networks: Arc<Mutex<Vec<(Id, HostNetworkConfig)>>>,
+        configured_port_channels: Arc<Mutex<Vec<(Id, HostNetworkConfig)>>>,
         switch_setup: Arc<Mutex<bool>>,
+        network_manager_setup: Arc<Mutex<bool>>,
+        configured_bonds: Arc<Mutex<Vec<(Id, HostNetworkConfig)>>>,
     }
 
     impl TopologyWithSwitch {
         fn new() -> Self {
             Self {
                 available_ports: Arc::new(Mutex::new(vec![PORT.clone(), ANOTHER_PORT.clone()])),
-                configured_host_networks: Arc::new(Mutex::new(vec![])),
+                configured_port_channels: Arc::new(Mutex::new(vec![])),
                 switch_setup: Arc::new(Mutex::new(false)),
+                network_manager_setup: Arc::new(Mutex::new(false)),
+                configured_bonds: Arc::new(Mutex::new(vec![])),
             }
         }
 
         fn new_port_not_found() -> Self {
             Self {
                 available_ports: Arc::new(Mutex::new(vec![])),
-                configured_host_networks: Arc::new(Mutex::new(vec![])),
+                configured_port_channels: Arc::new(Mutex::new(vec![])),
                 switch_setup: Arc::new(Mutex::new(false)),
+                network_manager_setup: Arc::new(Mutex::new(false)),
+                configured_bonds: Arc::new(Mutex::new(vec![])),
             }
         }
     }
@@ -457,6 +579,22 @@ mod tests {
         }
     }
 
+    #[async_trait]
+    impl NetworkManager for TopologyWithSwitch {
+        async fn ensure_network_manager_installed(&self) -> Result<(), NetworkError> {
+            let mut network_manager_installed = self.network_manager_setup.lock().unwrap();
+            *network_manager_installed = true;
+            Ok(())
+        }
+
+        async fn configure_bond(&self, config: &HostNetworkConfig) -> Result<(), NetworkError> {
+            let mut configured_bonds = self.configured_bonds.lock().unwrap();
+            configured_bonds.push((config.host_id.clone(), config.clone()));
+
+            Ok(())
+        }
+    }
+
     #[async_trait]
     impl Switch for TopologyWithSwitch {
         async fn setup_switch(&self) -> Result<(), SwitchError> {
@@ -476,12 +614,12 @@ mod tests {
             Ok(Some(ports.remove(0)))
         }
 
-        async fn configure_host_network(
+        async fn configure_port_channel(
             &self,
             config: &HostNetworkConfig,
         ) -> Result<(), SwitchError> {
-            let mut configured_host_networks = self.configured_host_networks.lock().unwrap();
-            configured_host_networks.push((config.host_id.clone(), config.clone()));
+            let mut configured_port_channels = self.configured_port_channels.lock().unwrap();
+            configured_port_channels.push((config.host_id.clone(), config.clone()));
 
             Ok(())
         }

From 66d346a10c01c8966927a1259c68e2f0e61f20a2 Mon Sep 17 00:00:00 2001
From: Ian Letourneau <ian@noma.to>
Date: Thu, 6 Nov 2025 00:07:20 +0000
Subject: [PATCH 25/51] fix(host_network): skip configuration for host with
 only 1 interface/port (#185)

Reviewed-on: https://git.nationtech.io/NationTech/harmony/pulls/185
Reviewed-by: johnride <jg@nationtech.io>
---
 harmony/src/modules/okd/host_network.rs | 199 ++++++++++++++++--------
 1 file changed, 134 insertions(+), 65 deletions(-)

diff --git a/harmony/src/modules/okd/host_network.rs b/harmony/src/modules/okd/host_network.rs
index e68c6df..ee68942 100644
--- a/harmony/src/modules/okd/host_network.rs
+++ b/harmony/src/modules/okd/host_network.rs
@@ -1,6 +1,6 @@
 use async_trait::async_trait;
 use harmony_types::id::Id;
-use log::info;
+use log::{info, warn};
 use serde::Serialize;
 
 use crate::{
@@ -49,6 +49,13 @@ impl HostNetworkConfigurationInterpret {
                 switch_ports: vec![],
             });
         }
+        if host.network.len() == 1 {
+            info!("[Host {current_host}/{total_hosts}] Only one interface to configure, skipping");
+            return Ok(HostNetworkConfig {
+                host_id: host.id.clone(),
+                switch_ports: vec![],
+            });
+        }
 
         let switch_ports = self
             .collect_switch_ports_for_host(topology, host, current_host, total_hosts)
@@ -59,7 +66,7 @@ impl HostNetworkConfigurationInterpret {
             switch_ports,
         };
 
-        if !config.switch_ports.is_empty() {
+        if config.switch_ports.len() > 1 {
             info!(
                 "[Host {current_host}/{total_hosts}] Found {} ports for {} interfaces",
                 config.switch_ports.len(),
@@ -76,11 +83,16 @@ impl HostNetworkConfigurationInterpret {
                 .map_err(|e| {
                     InterpretError::new(format!("Failed to configure host network: {e}"))
                 })?;
-        } else {
+        } else if config.switch_ports.is_empty() {
             info!(
                 "[Host {current_host}/{total_hosts}] No ports found for {} interfaces, skipping",
                 host.network.len()
             );
+        } else {
+            warn!(
+                "[Host {current_host}/{total_hosts}] Found a single port for {} interfaces, skipping",
+                host.network.len()
+            );
         }
 
         Ok(config)
@@ -138,15 +150,6 @@ impl HostNetworkConfigurationInterpret {
         ];
 
         for config in configs {
-            let host = self
-                .score
-                .hosts
-                .iter()
-                .find(|h| h.id == config.host_id)
-                .unwrap();
-
-            println!("[Host] {host}");
-
             if config.switch_ports.is_empty() {
                 report.push(format!(
                     "⏭️ Host {}: SKIPPED (No matching switch ports found)",
@@ -227,6 +230,7 @@ impl<T: Topology + NetworkManager + Switch> Interpret<T> for HostNetworkConfigur
             host_configurations.push(host_configuration);
             current_host += 1;
         }
+
         if current_host > 1 {
             let details = self.format_host_configuration(host_configurations);
 
@@ -279,6 +283,18 @@ mod tests {
             speed_mbps: None,
             mtu: 1,
         };
+        pub static ref YET_ANOTHER_EXISTING_INTERFACE: NetworkInterface = NetworkInterface {
+            mac_address: MacAddress::try_from("AA:BB:CC:DD:EE:F3".to_string()).unwrap(),
+            name: "interface-3".into(),
+            speed_mbps: None,
+            mtu: 1,
+        };
+        pub static ref LAST_EXISTING_INTERFACE: NetworkInterface = NetworkInterface {
+            mac_address: MacAddress::try_from("AA:BB:CC:DD:EE:F4".to_string()).unwrap(),
+            name: "interface-4".into(),
+            speed_mbps: None,
+            mtu: 1,
+        };
         pub static ref UNKNOWN_INTERFACE: NetworkInterface = NetworkInterface {
             mac_address: MacAddress::try_from("11:22:33:44:55:61".to_string()).unwrap(),
             name: "unknown-interface".into(),
@@ -287,6 +303,8 @@ mod tests {
         };
         pub static ref PORT: PortLocation = PortLocation(1, 0, 42);
         pub static ref ANOTHER_PORT: PortLocation = PortLocation(2, 0, 42);
+        pub static ref YET_ANOTHER_PORT: PortLocation = PortLocation(1, 0, 45);
+        pub static ref LAST_PORT: PortLocation = PortLocation(2, 0, 45);
     }
 
     #[tokio::test]
@@ -314,7 +332,7 @@ mod tests {
     }
 
     #[tokio::test]
-    async fn host_with_one_mac_address_should_configure_bond_with_one_interface() {
+    async fn host_with_one_mac_address_should_skip_host_configuration() {
         let host = given_host(&HOST_ID, vec![EXISTING_INTERFACE.clone()]);
         let score = given_score(vec![host]);
         let topology = TopologyWithSwitch::new();
@@ -322,37 +340,9 @@ mod tests {
         let _ = score.interpret(&Inventory::empty(), &topology).await;
 
         let config = topology.configured_bonds.lock().unwrap();
-        assert_that!(*config).contains_exactly(vec![(
-            HOST_ID.clone(),
-            HostNetworkConfig {
-                host_id: HOST_ID.clone(),
-                switch_ports: vec![SwitchPort {
-                    interface: EXISTING_INTERFACE.clone(),
-                    port: PORT.clone(),
-                }],
-            },
-        )]);
-    }
-
-    #[tokio::test]
-    async fn host_with_one_mac_address_should_configure_port_channel_with_one_interface() {
-        let host = given_host(&HOST_ID, vec![EXISTING_INTERFACE.clone()]);
-        let score = given_score(vec![host]);
-        let topology = TopologyWithSwitch::new();
-
-        let _ = score.interpret(&Inventory::empty(), &topology).await;
-
+        assert_that!(*config).is_empty();
         let config = topology.configured_port_channels.lock().unwrap();
-        assert_that!(*config).contains_exactly(vec![(
-            HOST_ID.clone(),
-            HostNetworkConfig {
-                host_id: HOST_ID.clone(),
-                switch_ports: vec![SwitchPort {
-                    interface: EXISTING_INTERFACE.clone(),
-                    port: PORT.clone(),
-                }],
-            },
-        )]);
+        assert_that!(*config).is_empty();
     }
 
     #[tokio::test]
@@ -423,8 +413,20 @@ mod tests {
     #[tokio::test]
     async fn multiple_hosts_should_configure_one_bond_per_host() {
         let score = given_score(vec![
-            given_host(&HOST_ID, vec![EXISTING_INTERFACE.clone()]),
-            given_host(&ANOTHER_HOST_ID, vec![ANOTHER_EXISTING_INTERFACE.clone()]),
+            given_host(
+                &HOST_ID,
+                vec![
+                    EXISTING_INTERFACE.clone(),
+                    ANOTHER_EXISTING_INTERFACE.clone(),
+                ],
+            ),
+            given_host(
+                &ANOTHER_HOST_ID,
+                vec![
+                    YET_ANOTHER_EXISTING_INTERFACE.clone(),
+                    LAST_EXISTING_INTERFACE.clone(),
+                ],
+            ),
         ]);
         let topology = TopologyWithSwitch::new();
 
@@ -436,20 +438,32 @@ mod tests {
                 HOST_ID.clone(),
                 HostNetworkConfig {
                     host_id: HOST_ID.clone(),
-                    switch_ports: vec![SwitchPort {
-                        interface: EXISTING_INTERFACE.clone(),
-                        port: PORT.clone(),
-                    }],
+                    switch_ports: vec![
+                        SwitchPort {
+                            interface: EXISTING_INTERFACE.clone(),
+                            port: PORT.clone(),
+                        },
+                        SwitchPort {
+                            interface: ANOTHER_EXISTING_INTERFACE.clone(),
+                            port: ANOTHER_PORT.clone(),
+                        },
+                    ],
                 },
             ),
             (
                 ANOTHER_HOST_ID.clone(),
                 HostNetworkConfig {
                     host_id: ANOTHER_HOST_ID.clone(),
-                    switch_ports: vec![SwitchPort {
-                        interface: ANOTHER_EXISTING_INTERFACE.clone(),
-                        port: ANOTHER_PORT.clone(),
-                    }],
+                    switch_ports: vec![
+                        SwitchPort {
+                            interface: YET_ANOTHER_EXISTING_INTERFACE.clone(),
+                            port: YET_ANOTHER_PORT.clone(),
+                        },
+                        SwitchPort {
+                            interface: LAST_EXISTING_INTERFACE.clone(),
+                            port: LAST_PORT.clone(),
+                        },
+                    ],
                 },
             ),
         ]);
@@ -458,8 +472,20 @@ mod tests {
     #[tokio::test]
     async fn multiple_hosts_should_configure_one_port_channel_per_host() {
         let score = given_score(vec![
-            given_host(&HOST_ID, vec![EXISTING_INTERFACE.clone()]),
-            given_host(&ANOTHER_HOST_ID, vec![ANOTHER_EXISTING_INTERFACE.clone()]),
+            given_host(
+                &HOST_ID,
+                vec![
+                    EXISTING_INTERFACE.clone(),
+                    ANOTHER_EXISTING_INTERFACE.clone(),
+                ],
+            ),
+            given_host(
+                &ANOTHER_HOST_ID,
+                vec![
+                    YET_ANOTHER_EXISTING_INTERFACE.clone(),
+                    LAST_EXISTING_INTERFACE.clone(),
+                ],
+            ),
         ]);
         let topology = TopologyWithSwitch::new();
 
@@ -471,27 +497,39 @@ mod tests {
                 HOST_ID.clone(),
                 HostNetworkConfig {
                     host_id: HOST_ID.clone(),
-                    switch_ports: vec![SwitchPort {
-                        interface: EXISTING_INTERFACE.clone(),
-                        port: PORT.clone(),
-                    }],
+                    switch_ports: vec![
+                        SwitchPort {
+                            interface: EXISTING_INTERFACE.clone(),
+                            port: PORT.clone(),
+                        },
+                        SwitchPort {
+                            interface: ANOTHER_EXISTING_INTERFACE.clone(),
+                            port: ANOTHER_PORT.clone(),
+                        },
+                    ],
                 },
             ),
             (
                 ANOTHER_HOST_ID.clone(),
                 HostNetworkConfig {
                     host_id: ANOTHER_HOST_ID.clone(),
-                    switch_ports: vec![SwitchPort {
-                        interface: ANOTHER_EXISTING_INTERFACE.clone(),
-                        port: ANOTHER_PORT.clone(),
-                    }],
+                    switch_ports: vec![
+                        SwitchPort {
+                            interface: YET_ANOTHER_EXISTING_INTERFACE.clone(),
+                            port: YET_ANOTHER_PORT.clone(),
+                        },
+                        SwitchPort {
+                            interface: LAST_EXISTING_INTERFACE.clone(),
+                            port: LAST_PORT.clone(),
+                        },
+                    ],
                 },
             ),
         ]);
     }
 
     #[tokio::test]
-    async fn port_not_found_for_mac_address_should_not_configure_interface() {
+    async fn port_not_found_for_mac_address_should_not_configure_host() {
         let score = given_score(vec![given_host(&HOST_ID, vec![UNKNOWN_INTERFACE.clone()])]);
         let topology = TopologyWithSwitch::new_port_not_found();
 
@@ -503,6 +541,22 @@ mod tests {
         assert_that!(*config).is_empty();
     }
 
+    #[tokio::test]
+    async fn only_one_port_found_for_multiple_mac_addresses_should_not_configure_host() {
+        let score = given_score(vec![given_host(
+            &HOST_ID,
+            vec![EXISTING_INTERFACE.clone(), UNKNOWN_INTERFACE.clone()],
+        )]);
+        let topology = TopologyWithSwitch::new_single_port_found();
+
+        let _ = score.interpret(&Inventory::empty(), &topology).await;
+
+        let config = topology.configured_port_channels.lock().unwrap();
+        assert_that!(*config).is_empty();
+        let config = topology.configured_bonds.lock().unwrap();
+        assert_that!(*config).is_empty();
+    }
+
     fn given_score(hosts: Vec<PhysicalHost>) -> HostNetworkConfigurationScore {
         HostNetworkConfigurationScore { hosts }
     }
@@ -549,7 +603,12 @@ mod tests {
     impl TopologyWithSwitch {
         fn new() -> Self {
             Self {
-                available_ports: Arc::new(Mutex::new(vec![PORT.clone(), ANOTHER_PORT.clone()])),
+                available_ports: Arc::new(Mutex::new(vec![
+                    PORT.clone(),
+                    ANOTHER_PORT.clone(),
+                    YET_ANOTHER_PORT.clone(),
+                    LAST_PORT.clone(),
+                ])),
                 configured_port_channels: Arc::new(Mutex::new(vec![])),
                 switch_setup: Arc::new(Mutex::new(false)),
                 network_manager_setup: Arc::new(Mutex::new(false)),
@@ -566,6 +625,16 @@ mod tests {
                 configured_bonds: Arc::new(Mutex::new(vec![])),
             }
         }
+
+        fn new_single_port_found() -> Self {
+            Self {
+                available_ports: Arc::new(Mutex::new(vec![PORT.clone()])),
+                configured_port_channels: Arc::new(Mutex::new(vec![])),
+                switch_setup: Arc::new(Mutex::new(false)),
+                network_manager_setup: Arc::new(Mutex::new(false)),
+                configured_bonds: Arc::new(Mutex::new(vec![])),
+            }
+        }
     }
 
     #[async_trait]

From 51a5afbb6d01d327c180913737c613dc9bcfead7 Mon Sep 17 00:00:00 2001
From: Willem <wrolleman@nationtech.io>
Date: Fri, 7 Nov 2025 09:04:27 -0500
Subject: [PATCH 26/51] fix: added some extra details

---
 docs/doc-clone-and-restore-coreos.md | 24 +++++++++++++++---------
 1 file changed, 15 insertions(+), 9 deletions(-)

diff --git a/docs/doc-clone-and-restore-coreos.md b/docs/doc-clone-and-restore-coreos.md
index 9b392ed..5d7ad3e 100644
--- a/docs/doc-clone-and-restore-coreos.md
+++ b/docs/doc-clone-and-restore-coreos.md
@@ -7,7 +7,7 @@ sudo dd if=/dev/old of=/dev/backup status=progress
 
 ### **Step 2 - clone beginning of old disk to new**
 ```
-sudo dd if=/dev/old of=/dev/backup status=progress count=1000Mib
+sudo dd if=/dev/old of=/dev/backup status=progress count=1000 bs=1M
 ```
 
 ### **Step 3 - verify and modify disk partitions**
@@ -74,11 +74,25 @@ mount /dev/old4 /mnt/old
 mount /dev/new4 /mnt/new
 ```
 copy:
+
+with -n flag can run as dry-run
+```
+rsync -aAXHvn --numeric-ids /source/ /destination/
+```
+
 ```
 rsync -aAXHv --numeric-ids /source/ /destination/
 ```
 
 ### **Step 6 - Set correct UUID for new partition 4**
+to set uuid with xfs_admin you must unmount first
+
+unmount old devices
+```
+umount /mnt/new
+umount /mnt/old
+```
+
 to set correct uuid for partition 4
 ```
 blkid /dev/old4
@@ -117,11 +131,3 @@ blkid /dev/sda* | grep UUID=
 blkid /dev/sdc* | grep UUID=
 ```
 
-## **Step 8 - Unmount devices and Finalize job**
-unmount old devices
-```
-umount /mnt/new
-umount /mnt/old
-```
-
-shutdown swap disk and verify it worked

From 5953bc58f44fe38c87471905916c43e3eedf72e7 Mon Sep 17 00:00:00 2001
From: Willem <wrolleman@nationtech.io>
Date: Mon, 10 Nov 2025 14:57:22 -0500
Subject: [PATCH 27/51] feat: added function to enable snmp-server for brocade
 switches

---
 brocade/src/fast_iron.rs                | 17 ++++++++++++++++-
 brocade/src/lib.rs                      | 14 ++++++++++++++
 brocade/src/network_operating_system.rs | 16 +++++++++++++++-
 harmony/src/infra/brocade.rs            |  6 +++++-
 4 files changed, 50 insertions(+), 3 deletions(-)

diff --git a/brocade/src/fast_iron.rs b/brocade/src/fast_iron.rs
index 5a3474e..c3eb374 100644
--- a/brocade/src/fast_iron.rs
+++ b/brocade/src/fast_iron.rs
@@ -1,7 +1,8 @@
 use super::BrocadeClient;
 use crate::{
     BrocadeInfo, Error, ExecutionMode, InterSwitchLink, InterfaceInfo, MacAddressEntry,
-    PortChannelId, PortOperatingMode, parse_brocade_mac_address, shell::BrocadeShell,
+    PortChannelId, PortOperatingMode, SecurityLevel, parse_brocade_mac_address,
+    shell::BrocadeShell,
 };
 
 use async_trait::async_trait;
@@ -209,4 +210,18 @@ impl BrocadeClient for FastIronClient {
         info!("[Brocade] Port-channel '{channel_name}' cleared.");
         Ok(())
     }
+
+    async fn enable_snmp(&self, user_name: &str, auth: &str, des: &str) -> Result<(), Error> {
+        let commands = vec![
+            "configure terminal".into(),
+            "snmp-server view ALL 1 included".into(),
+            "snmp-server group public v3 priv read ALL".into(),
+            format!("snmp-server user {user_name} groupname public auth md5 {auth} priv des {des}"),
+            "exit".into(),
+        ];
+        self.shell
+            .run_commands(commands, ExecutionMode::Regular)
+            .await?;
+        Ok(())
+    }
 }
diff --git a/brocade/src/lib.rs b/brocade/src/lib.rs
index c0b5b70..32ca31f 100644
--- a/brocade/src/lib.rs
+++ b/brocade/src/lib.rs
@@ -237,6 +237,15 @@ pub trait BrocadeClient: std::fmt::Debug {
         ports: &[PortLocation],
     ) -> Result<(), Error>;
 
+    /// Enables Simple Network Management Protocol (SNMP) server for switch
+    ///
+    /// # Parameters
+    ///
+    ///  * `user_name`: The user name for the snmp server
+    ///  * `auth`: The password for authentication process for verifying the identity of a device
+    ///  * `des`: The Data Encryption Standard algorithm key
+    async fn enable_snmp(&self, user_name: &str, auth: &str, des: &str) -> Result<(), Error>;
+
     /// Removes all configuration associated with the specified Port-Channel name.
     ///
     /// This operation should be idempotent; attempting to clear a non-existent
@@ -300,6 +309,11 @@ fn parse_brocade_mac_address(value: &str) -> Result<MacAddress, String> {
     Ok(MacAddress(bytes))
 }
 
+#[derive(Debug)]
+pub enum SecurityLevel {
+    AuthPriv(String),
+}
+
 #[derive(Debug)]
 pub enum Error {
     NetworkError(String),
diff --git a/brocade/src/network_operating_system.rs b/brocade/src/network_operating_system.rs
index f4db713..bfb45ed 100644
--- a/brocade/src/network_operating_system.rs
+++ b/brocade/src/network_operating_system.rs
@@ -8,7 +8,7 @@ use regex::Regex;
 use crate::{
     BrocadeClient, BrocadeInfo, Error, ExecutionMode, InterSwitchLink, InterfaceInfo,
     InterfaceStatus, InterfaceType, MacAddressEntry, PortChannelId, PortOperatingMode,
-    parse_brocade_mac_address, shell::BrocadeShell,
+    SecurityLevel, parse_brocade_mac_address, shell::BrocadeShell,
 };
 
 #[derive(Debug)]
@@ -330,4 +330,18 @@ impl BrocadeClient for NetworkOperatingSystemClient {
         info!("[Brocade] Port-channel '{channel_name}' cleared.");
         Ok(())
     }
+
+    async fn enable_snmp(&self, user_name: &str, auth: &str, des: &str) -> Result<(), Error> {
+        let commands = vec![
+            "configure terminal".into(),
+            "snmp-server view ALL 1 included".into(),
+            "snmp-server group public v3 priv read ALL".into(),
+            format!("snmp-server user {user_name} groupname public auth md5 {auth} priv des {des}"),
+            "exit".into(),
+        ];
+        self.shell
+            .run_commands(commands, ExecutionMode::Regular)
+            .await?;
+        Ok(())
+    }
 }
diff --git a/harmony/src/infra/brocade.rs b/harmony/src/infra/brocade.rs
index 774c8f8..0cac5ed 100644
--- a/harmony/src/infra/brocade.rs
+++ b/harmony/src/infra/brocade.rs
@@ -121,7 +121,7 @@ mod tests {
     use async_trait::async_trait;
     use brocade::{
         BrocadeClient, BrocadeInfo, Error, InterSwitchLink, InterfaceInfo, InterfaceStatus,
-        InterfaceType, MacAddressEntry, PortChannelId, PortOperatingMode,
+        InterfaceType, MacAddressEntry, PortChannelId, PortOperatingMode, SecurityLevel,
     };
     use harmony_types::switch::PortLocation;
 
@@ -279,6 +279,10 @@ mod tests {
         async fn clear_port_channel(&self, _channel_name: &str) -> Result<(), Error> {
             todo!()
         }
+
+        async fn enable_snmp(&self, user_name: &str, auth: &str, des: &str) -> Result<(), Error> {
+            todo!()
+        }
     }
 
     impl FakeBrocadeClient {

From 755a4b7749de39c441ce0e4bba97e460ce61370b Mon Sep 17 00:00:00 2001
From: Jean-Gabriel Gill-Couture <jg@nationtech.io>
Date: Mon, 10 Nov 2025 22:14:39 -0500
Subject: [PATCH 28/51] feat(inventory-agent): Discover algorithm by scanning a
 subnet of ips, slower than mdns but more reliable and versatile

---
 Cargo.lock                                    |  25 +++
 empty_database.sqlite                         | Bin 0 -> 32768 bytes
 examples/cli/src/main.rs                      |   3 +-
 examples/harmony_inventory_builder/Cargo.toml |  15 ++
 .../harmony_inventory_builder/build_docker.sh |  11 ++
 .../docker/Dockerfile                         |  10 +
 .../harmony_inventory_builder/src/main.rs     |  36 ++++
 harmony/src/domain/interpret/mod.rs           |   2 +
 harmony/src/domain/topology/tenant/k8s.rs     |   2 +-
 harmony/src/modules/inventory/discovery.rs    |  39 ++--
 harmony/src/modules/inventory/mod.rs          | 160 +++++++++++++--
 .../src/modules/okd/bootstrap_01_prepare.rs   |   4 +-
 .../modules/okd/bootstrap_03_control_plane.rs |  51 ++---
 harmony_inventory_agent/build_docker.sh       |  11 ++
 harmony_inventory_agent/docker/.gitignore     |   1 +
 harmony_inventory_agent/docker/Dockerfile     |  17 ++
 .../harmony-inventory-agent-daemonset.yaml    | 117 +++++++++++
 harmony_inventory_agent/src/hwinfo.rs         | 183 +++++++++++++++---
 .../src/local_presence/advertise.rs           |   7 +-
 harmony_inventory_agent/src/main.rs           |   2 +-
 20 files changed, 610 insertions(+), 86 deletions(-)
 create mode 100644 empty_database.sqlite
 create mode 100644 examples/harmony_inventory_builder/Cargo.toml
 create mode 100755 examples/harmony_inventory_builder/build_docker.sh
 create mode 100644 examples/harmony_inventory_builder/docker/Dockerfile
 create mode 100644 examples/harmony_inventory_builder/src/main.rs
 create mode 100755 harmony_inventory_agent/build_docker.sh
 create mode 100644 harmony_inventory_agent/docker/.gitignore
 create mode 100644 harmony_inventory_agent/docker/Dockerfile
 create mode 100644 harmony_inventory_agent/harmony-inventory-agent-daemonset.yaml

diff --git a/Cargo.lock b/Cargo.lock
index 7d9cdcf..f0504aa 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1853,6 +1853,18 @@ dependencies = [
  "url",
 ]
 
+[[package]]
+name = "example-penpot"
+version = "0.1.0"
+dependencies = [
+ "harmony",
+ "harmony_cli",
+ "harmony_macros",
+ "harmony_types",
+ "tokio",
+ "url",
+]
+
 [[package]]
 name = "example-pxe"
 version = "0.1.0"
@@ -2479,6 +2491,19 @@ dependencies = [
  "tokio",
 ]
 
+[[package]]
+name = "harmony_inventory_builder"
+version = "0.1.0"
+dependencies = [
+ "cidr",
+ "harmony",
+ "harmony_cli",
+ "harmony_macros",
+ "harmony_types",
+ "tokio",
+ "url",
+]
+
 [[package]]
 name = "harmony_macros"
 version = "0.1.0"
diff --git a/empty_database.sqlite b/empty_database.sqlite
new file mode 100644
index 0000000000000000000000000000000000000000..a59fb387613059b9a265cc4acac6045b5fd7bd9d
GIT binary patch
literal 32768
zcmeI&PiWIn90%~ET^d(6D?3>9vUixU(ABLSI-TfjXPnipoozZcJ%rds7uSC_sZ1y0
zh9c@g@XtZfvnZZCs8>agdYF^p(TRExkBT6OFKIiMI=x%I57Or4y}Z2N=e-u*Ym*0}
znxT>-g;Gv2NH4RNVOeGuAq>NC^jJlYT56&v=21&*?c^Wt9JA?EvDNdP;aj#cYc6{p
zw?0@CYwd5jM6*Z`fB*y_009U<00Izzz<(kz!n?daA3JU+hqJ1FJWCf5vaTL4tNC<&
zcGX})3`ru9LgA=L>gsmpm7Ll|?-XYIF5cVS&CWJkZB7()LoOAvs+?1bMJ<2yj|;r5
z-9L&+r<>5EWk@6@i9=$7j3gq%p~N`ZFOHK?N{UBfw1r_YCUsdgtrlo?NgR_%EKZM9
zG+HS#`(eNC7K$A2^$YBbSIcMADJ?T4R~wKGEvFVIPU>1($yyh6SGB8=*lux*cFA7X
z9gh)vebT9Ay2uH&q-%w|O#8H3Ob!Y&?M~h+&_|xMgzUH2b4@lIds!7`S?gBB%XRG0
zuWXW042A4V(!SSfyM^sdE^l058H=Pk(n{GVSb5pr4LM-XbF%_VMg8nK&I(Va_fN?=
z?Py6csDfUfci2L#FSQ3r!jU053zpA-%D`q+Jzdg@<^$~GTPfD^x}jvVYDPB8Bg0}+
z3Js4e1x$x!Pbd|Y$Y3gwpz}yxs#3XKFQ@6JK_}sOJSv8MLsd%C6KZ-=FXu=&8V@hE
zSt(Pe)O6YGl{J}a-Tw_e;Ba}9{=Y%jW5|K}D^B_~W3BC5>50SB$9V407bFNk00Izz
z00bZa0SG_<0uX=z1eObA96Z<E+njZ_P4aWoclOfFDq?LCRX3}GJ;BZXK)~PAM}oor
zU|)almVr+TfyGU)&fL5pJni`5dq00;wxfOh-kl*&<i4<O;o!FOPZr-YGmm{kPtV7E
zqZ@VvZYeC!36-ZfFTT7zQr%M`=0=mg!Xxg^o!)i*<A>teuan2xULT%*(S9uWZT{-Q
zp^dNKjXvA_CZXNydOmyQ(Yn=N<{n-%Mh8+q-83qP=QHE^MqiL1009U<00Izz00bZa
z0SG_<0ucD$1>8=Kt!!5~nw?y8+oZXtVE+D3|MZUp0SG_<0uX=z1Rwwb2tWV=5P(1f
z3z)zEWBuR21B}oh009U<00Izz00bZa0SG_<0#pF&e@p`iKmY;|fB*y_009U<00Izz
zK;sMG|No6Y#)uFC5P$##AOHafKmY;|fB*y_fb~D-00bZa0SG_<0uX=z1Rwwb2tc6m
G1%3g_wwIIu

literal 0
HcmV?d00001

diff --git a/examples/cli/src/main.rs b/examples/cli/src/main.rs
index a8bc901..6edd536 100644
--- a/examples/cli/src/main.rs
+++ b/examples/cli/src/main.rs
@@ -2,7 +2,7 @@ use harmony::{
     inventory::Inventory,
     modules::{
         dummy::{ErrorScore, PanicScore, SuccessScore},
-        inventory::LaunchDiscoverInventoryAgentScore,
+        inventory::{HarmonyDiscoveryStrategy, LaunchDiscoverInventoryAgentScore},
     },
     topology::LocalhostTopology,
 };
@@ -18,6 +18,7 @@ async fn main() {
             Box::new(PanicScore {}),
             Box::new(LaunchDiscoverInventoryAgentScore {
                 discovery_timeout: Some(10),
+                discovery_strategy: HarmonyDiscoveryStrategy::MDNS,
             }),
         ],
         None,
diff --git a/examples/harmony_inventory_builder/Cargo.toml b/examples/harmony_inventory_builder/Cargo.toml
new file mode 100644
index 0000000..19002e1
--- /dev/null
+++ b/examples/harmony_inventory_builder/Cargo.toml
@@ -0,0 +1,15 @@
+[package]
+name = "harmony_inventory_builder"
+edition = "2024"
+version.workspace = true
+readme.workspace = true
+license.workspace = true
+
+[dependencies]
+harmony = { path = "../../harmony" }
+harmony_cli = { path = "../../harmony_cli" }
+harmony_macros = { path = "../../harmony_macros" }
+harmony_types = { path = "../../harmony_types" }
+tokio.workspace = true
+url.workspace = true
+cidr.workspace = true
diff --git a/examples/harmony_inventory_builder/build_docker.sh b/examples/harmony_inventory_builder/build_docker.sh
new file mode 100755
index 0000000..f952175
--- /dev/null
+++ b/examples/harmony_inventory_builder/build_docker.sh
@@ -0,0 +1,11 @@
+cargo build -p harmony_inventory_builder --release --target x86_64-unknown-linux-musl
+
+SCRIPT_DIR="$(dirname ${0})"
+
+cd "${SCRIPT_DIR}/docker/"
+
+cp ../../../target/x86_64-unknown-linux-musl/release/harmony_inventory_builder .
+
+docker build . -t hub.nationtech.io/harmony/harmony_inventory_builder
+
+docker push hub.nationtech.io/harmony/harmony_inventory_builder
diff --git a/examples/harmony_inventory_builder/docker/Dockerfile b/examples/harmony_inventory_builder/docker/Dockerfile
new file mode 100644
index 0000000..ea06187
--- /dev/null
+++ b/examples/harmony_inventory_builder/docker/Dockerfile
@@ -0,0 +1,10 @@
+FROM debian:12-slim
+
+RUN mkdir  /app
+WORKDIR /app/
+
+COPY harmony_inventory_builder /app/
+
+ENV RUST_LOG=info
+
+CMD ["sleep", "infinity"]
diff --git a/examples/harmony_inventory_builder/src/main.rs b/examples/harmony_inventory_builder/src/main.rs
new file mode 100644
index 0000000..cfd017f
--- /dev/null
+++ b/examples/harmony_inventory_builder/src/main.rs
@@ -0,0 +1,36 @@
+use harmony::{
+    inventory::{HostRole, Inventory},
+    modules::inventory::{DiscoverHostForRoleScore, HarmonyDiscoveryStrategy},
+    topology::LocalhostTopology,
+};
+use harmony_macros::cidrv4;
+
+#[tokio::main]
+async fn main() {
+    let discover_worker = DiscoverHostForRoleScore {
+        role: HostRole::Worker,
+        number_desired_hosts: 3,
+        discovery_strategy: HarmonyDiscoveryStrategy::SUBNET {
+            cidr: cidrv4!("192.168.0.1/25"),
+            port: 25000,
+        },
+    };
+
+    let discover_control_plane = DiscoverHostForRoleScore {
+        role: HostRole::ControlPlane,
+        number_desired_hosts: 3,
+        discovery_strategy: HarmonyDiscoveryStrategy::SUBNET {
+            cidr: cidrv4!("192.168.0.1/25"),
+            port: 25000,
+        },
+    };
+
+    harmony_cli::run(
+        Inventory::autoload(),
+        LocalhostTopology::new(),
+        vec![Box::new(discover_worker), Box::new(discover_control_plane)],
+        None,
+    )
+    .await
+    .unwrap();
+}
diff --git a/harmony/src/domain/interpret/mod.rs b/harmony/src/domain/interpret/mod.rs
index f9a509d..0c9b326 100644
--- a/harmony/src/domain/interpret/mod.rs
+++ b/harmony/src/domain/interpret/mod.rs
@@ -4,6 +4,8 @@ use std::error::Error;
 use async_trait::async_trait;
 use derive_new::new;
 
+use crate::inventory::HostRole;
+
 use super::{
     data::Version, executors::ExecutorError, inventory::Inventory, topology::PreparationError,
 };
diff --git a/harmony/src/domain/topology/tenant/k8s.rs b/harmony/src/domain/topology/tenant/k8s.rs
index 8085127..d7d99c0 100644
--- a/harmony/src/domain/topology/tenant/k8s.rs
+++ b/harmony/src/domain/topology/tenant/k8s.rs
@@ -14,7 +14,7 @@ use k8s_openapi::{
     },
     apimachinery::pkg::util::intstr::IntOrString,
 };
-use kube::Resource;
+use kube::{Resource, api::DynamicObject};
 use log::debug;
 use serde::de::DeserializeOwned;
 use serde_json::json;
diff --git a/harmony/src/modules/inventory/discovery.rs b/harmony/src/modules/inventory/discovery.rs
index b02078b..3890a1a 100644
--- a/harmony/src/modules/inventory/discovery.rs
+++ b/harmony/src/modules/inventory/discovery.rs
@@ -5,11 +5,10 @@ use serde::{Deserialize, Serialize};
 
 use crate::{
     data::Version,
-    hardware::PhysicalHost,
     infra::inventory::InventoryRepositoryFactory,
     interpret::{Interpret, InterpretError, InterpretName, InterpretStatus, Outcome},
     inventory::{HostRole, Inventory},
-    modules::inventory::LaunchDiscoverInventoryAgentScore,
+    modules::inventory::{HarmonyDiscoveryStrategy, LaunchDiscoverInventoryAgentScore},
     score::Score,
     topology::Topology,
 };
@@ -17,11 +16,13 @@ use crate::{
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct DiscoverHostForRoleScore {
     pub role: HostRole,
+    pub number_desired_hosts: i16,
+    pub discovery_strategy : HarmonyDiscoveryStrategy,
 }
 
 impl<T: Topology> Score<T> for DiscoverHostForRoleScore {
     fn name(&self) -> String {
-        "DiscoverInventoryAgentScore".to_string()
+        format!("DiscoverHostForRoleScore({:?})", self.role)
     }
 
     fn create_interpret(&self) -> Box<dyn Interpret<T>> {
@@ -48,13 +49,15 @@ impl<T: Topology> Interpret<T> for DiscoverHostForRoleInterpret {
         );
         LaunchDiscoverInventoryAgentScore {
             discovery_timeout: None,
+            discovery_strategy: self.score.discovery_strategy.clone(),
         }
         .interpret(inventory, topology)
         .await?;
 
-        let host: PhysicalHost;
+        let mut chosen_hosts = vec![];
         let host_repo = InventoryRepositoryFactory::build().await?;
 
+        let mut assigned_hosts = 0;
         loop {
             let all_hosts = host_repo.get_all_hosts().await?;
 
@@ -75,15 +78,24 @@ impl<T: Topology> Interpret<T> for DiscoverHostForRoleInterpret {
             match ans {
                 Ok(choice) => {
                     info!(
-                        "Selected {} as the {:?} node.",
-                        choice.summary(),
-                        self.score.role
+                        "Assigned role {:?} for node {}",
+                        self.score.role,
+                        choice.summary()
                     );
                     host_repo
                         .save_role_mapping(&self.score.role, &choice)
                         .await?;
-                    host = choice;
-                    break;
+                    chosen_hosts.push(choice);
+                    assigned_hosts += 1;
+
+                    info!(
+                        "Found {assigned_hosts} hosts for role {:?}",
+                        self.score.role
+                    );
+
+                    if assigned_hosts == self.score.number_desired_hosts {
+                        break;
+                    }
                 }
                 Err(inquire::InquireError::OperationCanceled) => {
                     info!("Refresh requested. Fetching list of discovered hosts again...");
@@ -100,8 +112,13 @@ impl<T: Topology> Interpret<T> for DiscoverHostForRoleInterpret {
         }
 
         Ok(Outcome::success(format!(
-            "Successfully discovered host {} for role {:?}",
-            host.summary(),
+            "Successfully discovered {} hosts {} for role {:?}",
+            self.score.number_desired_hosts,
+            chosen_hosts
+                .iter()
+                .map(|h| h.summary())
+                .collect::<Vec<String>>()
+                .join(", "),
             self.score.role
         )))
     }
diff --git a/harmony/src/modules/inventory/mod.rs b/harmony/src/modules/inventory/mod.rs
index 174231b..8cf92f1 100644
--- a/harmony/src/modules/inventory/mod.rs
+++ b/harmony/src/modules/inventory/mod.rs
@@ -1,6 +1,10 @@
 mod discovery;
 pub mod inspect;
+use std::net::Ipv4Addr;
+
+use cidr::{Ipv4Cidr, Ipv4Inet};
 pub use discovery::*;
+use tokio::time::{Duration, timeout};
 
 use async_trait::async_trait;
 use harmony_inventory_agent::local_presence::DiscoveryEvent;
@@ -24,6 +28,7 @@ use harmony_types::id::Id;
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct LaunchDiscoverInventoryAgentScore {
     pub discovery_timeout: Option<u64>,
+    pub discovery_strategy: HarmonyDiscoveryStrategy,
 }
 
 impl<T: Topology> Score<T> for LaunchDiscoverInventoryAgentScore {
@@ -43,6 +48,12 @@ struct DiscoverInventoryAgentInterpret {
     score: LaunchDiscoverInventoryAgentScore,
 }
 
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub enum HarmonyDiscoveryStrategy {
+    MDNS,
+    SUBNET { cidr: cidr::Ipv4Cidr, port: u16 },
+}
+
 #[async_trait]
 impl<T: Topology> Interpret<T> for DiscoverInventoryAgentInterpret {
     async fn execute(
@@ -57,6 +68,37 @@ impl<T: Topology> Interpret<T> for DiscoverInventoryAgentInterpret {
             ),
         };
 
+        match self.score.discovery_strategy {
+            HarmonyDiscoveryStrategy::MDNS => self.launch_mdns_discovery().await,
+            HarmonyDiscoveryStrategy::SUBNET { cidr, port } => {
+                self.launch_cidr_discovery(&cidr, port).await
+            }
+        };
+
+        Ok(Outcome::success(
+            "Discovery process completed successfully".to_string(),
+        ))
+    }
+
+    fn get_name(&self) -> InterpretName {
+        InterpretName::DiscoverInventoryAgent
+    }
+
+    fn get_version(&self) -> Version {
+        todo!()
+    }
+
+    fn get_status(&self) -> InterpretStatus {
+        todo!()
+    }
+
+    fn get_children(&self) -> Vec<Id> {
+        todo!()
+    }
+}
+
+impl DiscoverInventoryAgentInterpret {
+    async fn launch_mdns_discovery(&self) {
         harmony_inventory_agent::local_presence::discover_agents(
             self.score.discovery_timeout,
             |event: DiscoveryEvent| -> Result<(), String> {
@@ -112,6 +154,8 @@ impl<T: Topology> Interpret<T> for DiscoverInventoryAgentInterpret {
                                 cpus,
                             };
 
+                            // FIXME only save the host when it is new or something changed in it.
+                            // we currently are saving the host every time it is discovered.
                             let repo = InventoryRepositoryFactory::build()
                                 .await
                                 .map_err(|e| format!("Could not build repository : {e}"))
@@ -132,25 +176,111 @@ impl<T: Topology> Interpret<T> for DiscoverInventoryAgentInterpret {
                 Ok(())
             },
         )
-        .await;
-        Ok(Outcome::success(
-            "Discovery process completed successfully".to_string(),
-        ))
+        .await
     }
 
-    fn get_name(&self) -> InterpretName {
-        InterpretName::DiscoverInventoryAgent
-    }
+    // async fn launch_cidr_discovery(&self, cidr : &Ipv4Cidr, port: u16) {
+    //     todo!("launnch cidr discovery for {cidr} : {port}
+    //         - Iterate over all possible addresses in cidr
+    //         - make calls in batches of 20 attempting to reach harmony inventory agent on <addr, port> using same as above harmony_inventory_agent::client::get_host_inventory(&address, port)
+    //         - Log warn when response is 404, it means the port was used by something else unexpected
+    //         - Log error when response is 5xx
+    //         - Log debug when no response (timeout 15 seconds)
+    //         - Log info when found and response is 2xx
+    //         ");
+    // }
+    async fn launch_cidr_discovery(&self, cidr: &Ipv4Cidr, port: u16) {
+        let addrs: Vec<Ipv4Inet> = cidr.iter().collect();
+        let total = addrs.len();
+        info!(
+            "Starting CIDR discovery for {} hosts on {}/{} (port {})",
+            total,
+            cidr.network_length(),
+            cidr,
+            port
+        );
 
-    fn get_version(&self) -> Version {
-        todo!()
-    }
+        let batch_size: usize = 20;
+        let timeout_secs = 5;
+        let request_timeout = Duration::from_secs(timeout_secs);
 
-    fn get_status(&self) -> InterpretStatus {
-        todo!()
-    }
+        let mut current_batch = 0;
+        let num_batches = addrs.len() / batch_size;
 
-    fn get_children(&self) -> Vec<Id> {
-        todo!()
+        for batch in addrs.chunks(batch_size) {
+            current_batch += 1;
+            info!("Starting query batch {current_batch} of {num_batches}, timeout {timeout_secs}");
+            let mut tasks = Vec::with_capacity(batch.len());
+
+            for addr in batch {
+                let addr = addr.address().to_string();
+                let port = port;
+
+                let task = tokio::spawn(async move {
+                    match timeout(
+                        request_timeout,
+                        harmony_inventory_agent::client::get_host_inventory(&addr, port),
+                    )
+                    .await
+                    {
+                        Ok(Ok(host)) => {
+                            info!("Found and response is 2xx for {addr}:{port}");
+
+                            // Reuse the same conversion to PhysicalHost as MDNS flow
+                            let harmony_inventory_agent::hwinfo::PhysicalHost {
+                                storage_drives,
+                                storage_controller,
+                                memory_modules,
+                                cpus,
+                                chipset,
+                                network_interfaces,
+                                management_interface,
+                                host_uuid,
+                            } = host;
+
+                            let host = PhysicalHost {
+                                id: Id::from(host_uuid),
+                                category: HostCategory::Server,
+                                network: network_interfaces,
+                                storage: storage_drives,
+                                labels: vec![Label {
+                                    name: "discovered-by".to_string(),
+                                    value: "harmony-inventory-agent".to_string(),
+                                }],
+                                memory_modules,
+                                cpus,
+                            };
+
+                            // Save host to inventory
+                            let repo = InventoryRepositoryFactory::build()
+                                .await
+                                .map_err(|e| format!("Could not build repository : {e}"))
+                                .unwrap();
+                            if let Err(e) = repo.save(&host).await {
+                                log::debug!("Failed to save host {}: {e}", host.id);
+                            } else {
+                                info!("Saved host id {}, summary : {}", host.id, host.summary());
+                            }
+                        }
+                        Ok(Err(e)) => {
+                            log::info!("Error querying inventory agent on {addr}:{port} : {e}");
+                        }
+                        Err(_) => {
+                            // Timeout for this host
+                            log::debug!("No response (timeout) for {addr}:{port}");
+                        }
+                    }
+                });
+
+                tasks.push(task);
+            }
+
+            // Wait for this batch to complete
+            for t in tasks {
+                let _ = t.await;
+            }
+        }
+
+        info!("CIDR discovery completed");
     }
 }
diff --git a/harmony/src/modules/okd/bootstrap_01_prepare.rs b/harmony/src/modules/okd/bootstrap_01_prepare.rs
index 57b71d9..1bf1b40 100644
--- a/harmony/src/modules/okd/bootstrap_01_prepare.rs
+++ b/harmony/src/modules/okd/bootstrap_01_prepare.rs
@@ -4,7 +4,7 @@ use crate::{
     infra::inventory::InventoryRepositoryFactory,
     interpret::{Interpret, InterpretError, InterpretName, InterpretStatus, Outcome},
     inventory::{HostRole, Inventory},
-    modules::inventory::DiscoverHostForRoleScore,
+    modules::inventory::{DiscoverHostForRoleScore, HarmonyDiscoveryStrategy},
     score::Score,
     topology::HAClusterTopology,
 };
@@ -104,6 +104,8 @@ When you can dig them, confirm to continue.
             bootstrap_host = hosts.into_iter().next().to_owned();
             DiscoverHostForRoleScore {
                 role: HostRole::Bootstrap,
+                number_desired_hosts: 1,
+                discovery_strategy: HarmonyDiscoveryStrategy::MDNS,
             }
             .interpret(inventory, topology)
             .await?;
diff --git a/harmony/src/modules/okd/bootstrap_03_control_plane.rs b/harmony/src/modules/okd/bootstrap_03_control_plane.rs
index 5abe848..2ad3bf5 100644
--- a/harmony/src/modules/okd/bootstrap_03_control_plane.rs
+++ b/harmony/src/modules/okd/bootstrap_03_control_plane.rs
@@ -6,7 +6,7 @@ use crate::{
     inventory::{HostRole, Inventory},
     modules::{
         dhcp::DhcpHostBindingScore, http::IPxeMacBootFileScore,
-        inventory::DiscoverHostForRoleScore, okd::templates::BootstrapIpxeTpl,
+        inventory::{DiscoverHostForRoleScore, HarmonyDiscoveryStrategy}, okd::templates::BootstrapIpxeTpl,
     },
     score::Score,
     topology::{HAClusterTopology, HostBinding},
@@ -58,38 +58,39 @@ impl OKDSetup03ControlPlaneInterpret {
         inventory: &Inventory,
         topology: &HAClusterTopology,
     ) -> Result<Vec<PhysicalHost>, InterpretError> {
-        const REQUIRED_HOSTS: usize = 3;
+        const REQUIRED_HOSTS: i16 = 3;
         let repo = InventoryRepositoryFactory::build().await?;
-        let mut control_plane_hosts = repo.get_host_for_role(&HostRole::ControlPlane).await?;
+        let control_plane_hosts = repo.get_host_for_role(&HostRole::ControlPlane).await?;
 
-        while control_plane_hosts.len() < REQUIRED_HOSTS {
-            info!(
-                "Discovery of {} control plane hosts in progress, current number {}",
-                REQUIRED_HOSTS,
-                control_plane_hosts.len()
-            );
-            // This score triggers the discovery agent for a specific role.
-            DiscoverHostForRoleScore {
-                role: HostRole::ControlPlane,
-            }
-            .interpret(inventory, topology)
-            .await?;
-            control_plane_hosts = repo.get_host_for_role(&HostRole::ControlPlane).await?;
+        info!(
+            "Discovery of {} control plane hosts in progress, current number {}",
+            REQUIRED_HOSTS,
+            control_plane_hosts.len()
+        );
+        // This score triggers the discovery agent for a specific role.
+        DiscoverHostForRoleScore {
+            role: HostRole::ControlPlane,
+            number_desired_hosts: REQUIRED_HOSTS,
+            discovery_strategy: HarmonyDiscoveryStrategy::MDNS,
         }
+        .interpret(inventory, topology)
+        .await?;
 
-        if control_plane_hosts.len() < REQUIRED_HOSTS {
-            Err(InterpretError::new(format!(
+        let control_plane_hosts = repo.get_host_for_role(&HostRole::ControlPlane).await?;
+
+        if control_plane_hosts.len() < REQUIRED_HOSTS as usize {
+            return Err(InterpretError::new(format!(
                 "OKD Requires at least {} control plane hosts, but only found {}. Cannot proceed.",
                 REQUIRED_HOSTS,
                 control_plane_hosts.len()
-            )))
-        } else {
-            // Take exactly the number of required hosts to ensure consistency.
-            Ok(control_plane_hosts
-                .into_iter()
-                .take(REQUIRED_HOSTS)
-                .collect())
+            )));
         }
+
+        // Take exactly the number of required hosts to ensure consistency.
+        Ok(control_plane_hosts
+            .into_iter()
+            .take(REQUIRED_HOSTS as usize)
+            .collect())
     }
 
     /// Configures DHCP host bindings for all control plane nodes.
diff --git a/harmony_inventory_agent/build_docker.sh b/harmony_inventory_agent/build_docker.sh
new file mode 100755
index 0000000..521ea9b
--- /dev/null
+++ b/harmony_inventory_agent/build_docker.sh
@@ -0,0 +1,11 @@
+cargo build -p harmony_inventory_agent --release --target x86_64-unknown-linux-musl
+
+SCRIPT_DIR="$(dirname ${0})"
+
+cd "${SCRIPT_DIR}/docker/"
+
+cp ../../target/x86_64-unknown-linux-musl/release/harmony_inventory_agent .
+
+docker build . -t hub.nationtech.io/harmony/harmony_inventory_agent
+
+docker push hub.nationtech.io/harmony/harmony_inventory_agent
diff --git a/harmony_inventory_agent/docker/.gitignore b/harmony_inventory_agent/docker/.gitignore
new file mode 100644
index 0000000..052a676
--- /dev/null
+++ b/harmony_inventory_agent/docker/.gitignore
@@ -0,0 +1 @@
+harmony_inventory_agent
diff --git a/harmony_inventory_agent/docker/Dockerfile b/harmony_inventory_agent/docker/Dockerfile
new file mode 100644
index 0000000..0c4e066
--- /dev/null
+++ b/harmony_inventory_agent/docker/Dockerfile
@@ -0,0 +1,17 @@
+FROM debian:12-slim
+
+# install packages required to make these commands available : lspci, lsmod, dmidecode, smartctl, ip
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends pciutils kmod dmidecode smartmontools iproute2 && \
+    rm -rf /var/lib/apt/lists/*
+
+
+RUN mkdir  /app
+WORKDIR /app/
+
+COPY harmony_inventory_agent /app/
+
+ENV RUST_LOG=info
+
+CMD [ "/app/harmony_inventory_agent" ]
+
diff --git a/harmony_inventory_agent/harmony-inventory-agent-daemonset.yaml b/harmony_inventory_agent/harmony-inventory-agent-daemonset.yaml
new file mode 100644
index 0000000..e9fa401
--- /dev/null
+++ b/harmony_inventory_agent/harmony-inventory-agent-daemonset.yaml
@@ -0,0 +1,117 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: harmony-inventory-agent
+  labels:
+    pod-security.kubernetes.io/enforce: privileged
+    pod-security.kubernetes.io/audit: privileged
+    pod-security.kubernetes.io/warn: privileged
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: harmony-inventory-agent
+  namespace: harmony-inventory-agent
+---
+# Grant the built-in "privileged" SCC to the SA
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: use-privileged-scc
+  namespace: harmony-inventory-agent
+rules:
+- apiGroups: ["security.openshift.io"]
+  resources: ["securitycontextconstraints"]
+  resourceNames: ["privileged"]
+  verbs: ["use"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: use-privileged-scc
+  namespace: harmony-inventory-agent
+subjects:
+- kind: ServiceAccount
+  name: harmony-inventory-agent
+  namespace: harmony-inventory-agent
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: use-privileged-scc
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: harmony-inventory-agent
+  namespace: harmony-inventory-agent
+spec:
+  selector:
+    matchLabels:
+      app: harmony-inventory-agent
+  template:
+    metadata:
+      labels:
+        app: harmony-inventory-agent
+    spec:
+      serviceAccountName: harmony-inventory-agent
+      hostNetwork: true
+      dnsPolicy: ClusterFirstWithHostNet
+      tolerations:
+      - key: "node-role.kubernetes.io/master"
+        operator: "Exists"
+        effect: "NoSchedule"
+      containers:
+      - name: inventory-agent
+        image: hub.nationtech.io/harmony/harmony_inventory_agent
+        imagePullPolicy: Always
+        env:
+          - name: RUST_LOG
+            value: "harmony_inventory_agent=trace,info"
+        resources:
+          limits:
+            cpu: 200m
+            memory: 256Mi
+          requests:
+            cpu: 100m
+            memory: 128Mi
+        securityContext:
+          privileged: true
+          # optional: leave the rest unset since privileged SCC allows it
+          #
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: harmony-inventory-builder
+  namespace: harmony-inventory-agent
+spec:
+  replicas: 1
+  strategy: {}
+  selector:
+    matchLabels:
+      app: harmony-inventory-builder
+  template:
+    metadata:
+      labels:
+        app: harmony-inventory-builder
+    spec:
+      serviceAccountName: harmony-inventory-agent
+      hostNetwork: true
+      dnsPolicy: ClusterFirstWithHostNet
+      containers:
+      - name: inventory-agent
+        image: hub.nationtech.io/harmony/harmony_inventory_builder
+        imagePullPolicy: Always
+        env:
+          - name: RUST_LOG
+            value: "harmony_inventory_builder=trace,info"
+        resources:
+          limits:
+            cpu: 200m
+            memory: 256Mi
+          requests:
+            cpu: 100m
+            memory: 128Mi
+        securityContext:
+          privileged: true
+          # optional: leave the rest unset since privileged SCC allows it
diff --git a/harmony_inventory_agent/src/hwinfo.rs b/harmony_inventory_agent/src/hwinfo.rs
index 5fffb61..960c1f0 100644
--- a/harmony_inventory_agent/src/hwinfo.rs
+++ b/harmony_inventory_agent/src/hwinfo.rs
@@ -1,5 +1,5 @@
 use harmony_types::net::MacAddress;
-use log::{debug, warn};
+use log::{debug, trace, warn};
 use serde::{Deserialize, Serialize};
 use serde_json::Value;
 use std::fs;
@@ -121,20 +121,48 @@ pub struct ManagementInterface {
 
 impl PhysicalHost {
     pub fn gather() -> Result<Self, String> {
+        trace!("Start gathering physical host information");
         let mut sys = System::new_all();
+        trace!("System new_all called");
         sys.refresh_all();
+        trace!("System refresh_all called");
 
         Self::all_tools_available()?;
 
+        trace!("All tools_available success");
+
+        let storage_drives = Self::gather_storage_drives()?;
+        trace!("got storage drives");
+
+        let storage_controller = Self::gather_storage_controller()?;
+        trace!("got storage controller");
+
+        let memory_modules = Self::gather_memory_modules()?;
+        trace!("got memory_modules");
+
+        let cpus = Self::gather_cpus(&sys)?;
+        trace!("got cpus");
+
+        let chipset = Self::gather_chipset()?;
+        trace!("got chipsets");
+
+        let network_interfaces = Self::gather_network_interfaces()?;
+        trace!("got network_interfaces");
+
+        let management_interface = Self::gather_management_interface()?;
+        trace!("got management_interface");
+
+        let host_uuid = Self::get_host_uuid()?;
+
         Ok(Self {
-            storage_drives: Self::gather_storage_drives()?,
-            storage_controller: Self::gather_storage_controller()?,
-            memory_modules: Self::gather_memory_modules()?,
-            cpus: Self::gather_cpus(&sys)?,
-            chipset: Self::gather_chipset()?,
-            network_interfaces: Self::gather_network_interfaces()?,
-            management_interface: Self::gather_management_interface()?,
-            host_uuid: Self::get_host_uuid()?,
+            storage_drives,
+            storage_controller,
+            memory_modules,
+            cpus,
+            chipset,
+            network_interfaces,
+            management_interface,
+            host_uuid,
         })
     }
 
@@ -208,6 +236,8 @@ impl PhysicalHost {
             ));
         }
 
+        debug!("All tools found!");
+
         Ok(())
     }
 
@@ -231,7 +261,10 @@ impl PhysicalHost {
     fn gather_storage_drives() -> Result<Vec<StorageDrive>, String> {
         let mut drives = Vec::new();
 
+        trace!("Starting storage drive discovery using lsblk");
+
         // Use lsblk with JSON output for robust parsing
+        trace!("Executing 'lsblk -d -o NAME,MODEL,SERIAL,SIZE,ROTA,WWN -n -e 7 --json'");
         let output = Command::new("lsblk")
             .args([
                 "-d",
@@ -245,13 +278,18 @@ impl PhysicalHost {
             .output()
             .map_err(|e| format!("Failed to execute lsblk: {}", e))?;
 
+        trace!(
+            "lsblk command executed successfully (status: {:?})",
+            output.status
+        );
+
         if !output.status.success() {
-            return Err(format!(
-                "lsblk command failed: {}",
-                String::from_utf8_lossy(&output.stderr)
-            ));
+            let stderr_str = String::from_utf8_lossy(&output.stderr);
+            debug!("lsblk command failed: {stderr_str}");
+            return Err(format!("lsblk command failed: {stderr_str}"));
         }
 
+        trace!("Parsing lsblk JSON output");
         let json: Value = serde_json::from_slice(&output.stdout)
             .map_err(|e| format!("Failed to parse lsblk JSON output: {}", e))?;
 
@@ -260,6 +298,8 @@ impl PhysicalHost {
             .and_then(|v| v.as_array())
             .ok_or("Invalid lsblk JSON: missing 'blockdevices' array")?;
 
+        trace!("Found {} blockdevices in lsblk output", blockdevices.len());
+
         for device in blockdevices {
             let name = device
                 .get("name")
@@ -268,52 +308,72 @@ impl PhysicalHost {
                 .to_string();
 
             if name.is_empty() {
+                trace!("Skipping unnamed device entry: {:?}", device);
                 continue;
             }
 
+            trace!("Inspecting block device: {name}");
+
+            // Extract metadata fields
             let model = device
                 .get("model")
                 .and_then(|v| v.as_str())
                 .map(|s| s.trim().to_string())
                 .unwrap_or_default();
+            trace!("Model for {name}: '{}'", model);
 
             let serial = device
                 .get("serial")
                 .and_then(|v| v.as_str())
                 .map(|s| s.trim().to_string())
                 .unwrap_or_default();
+            trace!("Serial for {name}: '{}'", serial);
 
             let size_str = device
                 .get("size")
                 .and_then(|v| v.as_str())
                 .ok_or("Missing 'size' in lsblk device")?;
+            trace!("Reported size for {name}: {}", size_str);
             let size_bytes = Self::parse_size(size_str)?;
+            trace!("Parsed size for {name}: {} bytes", size_bytes);
 
             let rotational = device
                 .get("rota")
                 .and_then(|v| v.as_bool())
                 .ok_or("Missing 'rota' in lsblk device")?;
+            trace!("Rotational flag for {name}: {}", rotational);
 
             let wwn = device
                 .get("wwn")
                 .and_then(|v| v.as_str())
                 .map(|s| s.trim().to_string())
                 .filter(|s| !s.is_empty() && s != "null");
+            trace!("WWN for {name}: {:?}", wwn);
 
             let device_path = Path::new("/sys/block").join(&name);
+            trace!("Sysfs path for {name}: {:?}", device_path);
 
+            trace!("Reading logical block size for {name}");
             let logical_block_size = Self::read_sysfs_u32(
                 &device_path.join("queue/logical_block_size"),
             )
             .map_err(|e| format!("Failed to read logical block size for {}: {}", name, e))?;
+            trace!("Logical block size for {name}: {}", logical_block_size);
 
+            trace!("Reading physical block size for {name}");
             let physical_block_size = Self::read_sysfs_u32(
                 &device_path.join("queue/physical_block_size"),
             )
             .map_err(|e| format!("Failed to read physical block size for {}: {}", name, e))?;
+            trace!("Physical block size for {name}: {}", physical_block_size);
 
+            trace!("Determining interface type for {name}");
             let interface_type = Self::get_interface_type(&name, &device_path)?;
+            trace!("Interface type for {name}: {}", interface_type);
+
+            trace!("Getting SMART status for {name}");
             let smart_status = Self::get_smart_status(&name)?;
+            trace!("SMART status for {name}: {:?}", smart_status);
 
             let mut drive = StorageDrive {
                 name: name.clone(),
@@ -330,19 +390,31 @@ impl PhysicalHost {
 
             // Enhance with additional sysfs info if available
             if device_path.exists() {
+                trace!("Enhancing drive {name} with extra sysfs metadata");
                 if drive.model.is_empty() {
+                    trace!("Reading model from sysfs for {name}");
                     drive.model = Self::read_sysfs_string(&device_path.join("device/model"))
-                        .unwrap_or(format!("Failed to read model for {}", name));
+                        .unwrap_or_else(|_| format!("Failed to read model for {}", name));
                 }
                 if drive.serial.is_empty() {
+                    trace!("Reading serial from sysfs for {name}");
                     drive.serial = Self::read_sysfs_string(&device_path.join("device/serial"))
-                        .unwrap_or(format!("Failed to read serial for {}", name));
+                        .unwrap_or_else(|_| format!("Failed to read serial for {}", name));
                 }
+            } else {
+                trace!(
+                    "Sysfs path {:?} not found for drive {name}, skipping extra metadata",
+                    device_path
+                );
             }
 
+            debug!("Discovered storage drive: {drive:?}");
             drives.push(drive);
         }
 
+        debug!("Discovered total {} storage drives", drives.len());
+        trace!("All discovered dives: {drives:?}");
+
         Ok(drives)
     }
 
@@ -418,6 +490,8 @@ impl PhysicalHost {
             }
         }
 
+        debug!("Found storage controller {controller:?}");
+
         Ok(controller)
     }
 
@@ -486,6 +560,7 @@ impl PhysicalHost {
             }
         }
 
+        debug!("Found memory modules {modules:?}");
         Ok(modules)
     }
 
@@ -501,22 +576,30 @@ impl PhysicalHost {
             frequency_mhz: global_cpu.frequency(),
         });
 
+        debug!("Found cpus {cpus:?}");
+
         Ok(cpus)
     }
 
     fn gather_chipset() -> Result<Chipset, String> {
-        Ok(Chipset {
+        let chipset = Chipset {
             name: Self::read_dmi("baseboard-product-name")?,
             vendor: Self::read_dmi("baseboard-manufacturer")?,
-        })
+        };
+
+        debug!("Found chipset {chipset:?}");
+
+        Ok(chipset)
     }
 
     fn gather_network_interfaces() -> Result<Vec<NetworkInterface>, String> {
         let mut interfaces = Vec::new();
         let sys_net_path = Path::new("/sys/class/net");
+        trace!("Reading /sys/class/net");
 
         let entries = fs::read_dir(sys_net_path)
             .map_err(|e| format!("Failed to read /sys/class/net: {}", e))?;
+        trace!("Got entries {entries:?}");
 
         for entry in entries {
             let entry = entry.map_err(|e| format!("Failed to read directory entry: {}", e))?;
@@ -525,6 +608,7 @@ impl PhysicalHost {
                 .into_string()
                 .map_err(|_| "Invalid UTF-8 in interface name")?;
             let iface_path = entry.path();
+            trace!("Inspecting interface {iface_name} path {iface_path:?}");
 
             // Skip virtual interfaces
             if iface_name.starts_with("lo")
@@ -535,70 +619,101 @@ impl PhysicalHost {
                 || iface_name.starts_with("tun")
                 || iface_name.starts_with("wg")
             {
+                trace!(
+                    "Skipping interface {iface_name} because it appears to be virtual/unsupported"
+                );
                 continue;
             }
 
             // Check if it's a physical interface by looking for device directory
             if !iface_path.join("device").exists() {
+                trace!(
+                    "Skipping interface {iface_name} since {iface_path:?}/device does not exist"
+                );
                 continue;
             }
 
+            trace!("Reading MAC address for {iface_name}");
             let mac_address = Self::read_sysfs_string(&iface_path.join("address"))
                 .map_err(|e| format!("Failed to read MAC address for {}: {}", iface_name, e))?;
             let mac_address = MacAddress::try_from(mac_address).map_err(|e| e.to_string())?;
+            trace!("MAC address for {iface_name}: {mac_address}");
 
-            let speed_mbps = if iface_path.join("speed").exists() {
-                match Self::read_sysfs_u32(&iface_path.join("speed")) {
-                    Ok(speed) => Some(speed),
+            let speed_path = iface_path.join("speed");
+            let speed_mbps = if speed_path.exists() {
+                trace!("Reading speed for {iface_name} from {:?}", speed_path);
+                match Self::read_sysfs_u32(&speed_path) {
+                    Ok(speed) => {
+                        trace!("Speed for {iface_name}: {speed} Mbps");
+                        Some(speed)
+                    }
                     Err(e) => {
                         debug!(
-                            "Failed to read speed for {}: {} . This is expected to fail on wifi interfaces.",
+                            "Failed to read speed for {}: {} (this may be expected on Wi‑Fi interfaces)",
                             iface_name, e
                         );
                         None
                     }
                 }
             } else {
+                trace!("Speed file not found for {iface_name}, skipping");
                 None
             };
 
+            trace!("Reading operstate for {iface_name}");
             let operstate = Self::read_sysfs_string(&iface_path.join("operstate"))
                 .map_err(|e| format!("Failed to read operstate for {}: {}", iface_name, e))?;
+            trace!("Operstate for {iface_name}: {operstate}");
 
+            trace!("Reading MTU for {iface_name}");
             let mtu = Self::read_sysfs_u32(&iface_path.join("mtu"))
                 .map_err(|e| format!("Failed to read MTU for {}: {}", iface_name, e))?;
+            trace!("MTU for {iface_name}: {mtu}");
 
+            trace!("Reading driver for {iface_name}");
             let driver =
                 Self::read_sysfs_symlink_basename(&iface_path.join("device/driver/module"))
                     .map_err(|e| format!("Failed to read driver for {}: {}", iface_name, e))?;
+            trace!("Driver for {iface_name}: {driver}");
 
+            trace!("Reading firmware version for {iface_name}");
             let firmware_version = Self::read_sysfs_opt_string(
                 &iface_path.join("device/firmware_version"),
             )
             .map_err(|e| format!("Failed to read firmware version for {}: {}", iface_name, e))?;
+            trace!("Firmware version for {iface_name}: {firmware_version:?}");
 
-            // Get IP addresses using ip command with JSON output
+            trace!("Fetching IP addresses for {iface_name}");
             let (ipv4_addresses, ipv6_addresses) = Self::get_interface_ips_json(&iface_name)
                 .map_err(|e| format!("Failed to get IP addresses for {}: {}", iface_name, e))?;
+            trace!("Interface {iface_name} has IPv4: {ipv4_addresses:?}, IPv6: {ipv6_addresses:?}");
 
-            interfaces.push(NetworkInterface {
-                name: iface_name,
+            let is_up = operstate == "up";
+            trace!("Constructing NetworkInterface for {iface_name} (is_up={is_up})");
+
+            let iface = NetworkInterface {
+                name: iface_name.clone(),
                 mac_address,
                 speed_mbps,
-                is_up: operstate == "up",
+                is_up,
                 mtu,
                 ipv4_addresses,
                 ipv6_addresses,
                 driver,
                 firmware_version,
-            });
+            };
+
+            debug!("Discovered interface: {iface:?}");
+            interfaces.push(iface);
         }
 
+        debug!("Discovered total {} network interfaces", interfaces.len());
+        trace!("Interfaces collected: {interfaces:?}");
         Ok(interfaces)
     }
 
     fn gather_management_interface() -> Result<Option<ManagementInterface>, String> {
-        if Path::new("/dev/ipmi0").exists() {
+        let mgmt = if Path::new("/dev/ipmi0").exists() {
             Ok(Some(ManagementInterface {
                 kind: "IPMI".to_string(),
                 address: None,
@@ -612,11 +727,16 @@ impl PhysicalHost {
             }))
         } else {
             Ok(None)
-        }
+        };
+
+        debug!("Found management interface {mgmt:?}");
+        mgmt
     }
 
     fn get_host_uuid() -> Result<String, String> {
-        Self::read_dmi("system-uuid")
+        let uuid = Self::read_dmi("system-uuid");
+        debug!("Found uuid {uuid:?}");
+        uuid
     }
 
     // Helper methods
@@ -709,7 +829,8 @@ impl PhysicalHost {
             Ok("Ramdisk".to_string())
         } else {
             // Try to determine from device path
-            let subsystem = Self::read_sysfs_string(&device_path.join("device/subsystem"))?;
+            let subsystem = Self::read_sysfs_string(&device_path.join("device/subsystem"))
+                .unwrap_or(String::new());
             Ok(subsystem
                 .split('/')
                 .next_back()
@@ -779,6 +900,8 @@ impl PhysicalHost {
         size.map(|s| s as u64)
     }
 
+    // FIXME when scanning an interface that is part of a bond/bridge we won't get an address on the
+    // interface, we should be looking at the bond/bridge device. For example, br-ex on k8s nodes.
     fn get_interface_ips_json(iface_name: &str) -> Result<(Vec<String>, Vec<String>), String> {
         let mut ipv4 = Vec::new();
         let mut ipv6 = Vec::new();
diff --git a/harmony_inventory_agent/src/local_presence/advertise.rs b/harmony_inventory_agent/src/local_presence/advertise.rs
index 3ccb4f6..d26b619 100644
--- a/harmony_inventory_agent/src/local_presence/advertise.rs
+++ b/harmony_inventory_agent/src/local_presence/advertise.rs
@@ -1,4 +1,4 @@
-use log::{debug, error, info, warn};
+use log::{debug, error, info, trace, warn};
 use mdns_sd::{ServiceDaemon, ServiceInfo};
 use std::collections::HashMap;
 
@@ -12,6 +12,7 @@ use crate::{
 /// This function is synchronous and non-blocking. It spawns a background Tokio task
 /// to handle the mDNS advertisement for the lifetime of the application.
 pub fn advertise(service_port: u16) -> Result<(), PresenceError> {
+    trace!("starting advertisement process for port {service_port}");
     let host_id = match PhysicalHost::gather() {
         Ok(host) => Some(host.host_uuid),
         Err(e) => {
@@ -20,11 +21,15 @@ pub fn advertise(service_port: u16) -> Result<(), PresenceError> {
         }
     };
 
+    trace!("Found host id {host_id:?}");
+
     let instance_name = format!(
         "inventory-agent-{}",
         host_id.clone().unwrap_or("unknown".to_string())
     );
 
+    trace!("Found host id {host_id:?}, name : {instance_name}");
+
     let spawned_msg = format!("Spawned local presence advertisement task for '{instance_name}'.");
 
     tokio::spawn(async move {
diff --git a/harmony_inventory_agent/src/main.rs b/harmony_inventory_agent/src/main.rs
index d93ea4f..f66de78 100644
--- a/harmony_inventory_agent/src/main.rs
+++ b/harmony_inventory_agent/src/main.rs
@@ -28,7 +28,7 @@ async fn inventory() -> impl Responder {
 async fn main() -> std::io::Result<()> {
     env_logger::init();
 
-    let port = env::var("HARMONY_INVENTORY_AGENT_PORT").unwrap_or_else(|_| "8080".to_string());
+    let port = env::var("HARMONY_INVENTORY_AGENT_PORT").unwrap_or_else(|_| "25000".to_string());
     let port = port
         .parse::<u16>()
         .expect(&format!("Invalid port number, cannot parse to u16 {port}"));

From 43b04edbaeada2e31465204f8fa8fb5f0c98d78d Mon Sep 17 00:00:00 2001
From: Jean-Gabriel Gill-Couture <jg@nationtech.io>
Date: Mon, 10 Nov 2025 22:59:37 -0500
Subject: [PATCH 29/51] feat(brocade): Add feature and example to remove port
 channel and configure switchport

---
 brocade/examples/main.rs                  |   5 +-
 brocade/src/fast_iron.rs                  |   2 +-
 brocade/src/lib.rs                        |  10 +-
 brocade/src/network_operating_system.rs   |   7 +-
 brocade/src/shell.rs                      |  13 +-
 brocade/src/ssh.rs                        |  34 +++--
 examples/brocade_switch/Cargo.toml        |  19 +++
 examples/brocade_switch/src/main.rs       | 157 ++++++++++++++++++++++
 harmony/src/domain/topology/ha_cluster.rs |  15 ++-
 harmony/src/domain/topology/network.rs    |   8 ++
 harmony/src/infra/brocade.rs              |  35 +++--
 harmony/src/modules/dhcp.rs               |   3 +
 harmony/src/modules/okd/host_network.rs   |  13 +-
 harmony_types/src/switch.rs               |   4 +-
 14 files changed, 286 insertions(+), 39 deletions(-)
 create mode 100644 examples/brocade_switch/Cargo.toml
 create mode 100644 examples/brocade_switch/src/main.rs

diff --git a/brocade/examples/main.rs b/brocade/examples/main.rs
index 34dec21..de8623d 100644
--- a/brocade/examples/main.rs
+++ b/brocade/examples/main.rs
@@ -26,13 +26,12 @@ async fn main() {
 
     let brocade = brocade::init(
         &switch_addresses,
-        22,
         &config.username,
         &config.password,
-        Some(BrocadeOptions {
+        BrocadeOptions {
             dry_run: true,
             ..Default::default()
-        }),
+        },
     )
     .await
     .expect("Brocade client failed to connect");
diff --git a/brocade/src/fast_iron.rs b/brocade/src/fast_iron.rs
index 5a3474e..9c260d1 100644
--- a/brocade/src/fast_iron.rs
+++ b/brocade/src/fast_iron.rs
@@ -140,7 +140,7 @@ impl BrocadeClient for FastIronClient {
 
     async fn configure_interfaces(
         &self,
-        _interfaces: Vec<(String, PortOperatingMode)>,
+        _interfaces: &Vec<(String, PortOperatingMode)>,
     ) -> Result<(), Error> {
         todo!()
     }
diff --git a/brocade/src/lib.rs b/brocade/src/lib.rs
index c0b5b70..6a6afa4 100644
--- a/brocade/src/lib.rs
+++ b/brocade/src/lib.rs
@@ -14,6 +14,7 @@ use async_trait::async_trait;
 use harmony_types::net::MacAddress;
 use harmony_types::switch::{PortDeclaration, PortLocation};
 use regex::Regex;
+use serde::Serialize;
 
 mod fast_iron;
 mod network_operating_system;
@@ -118,7 +119,7 @@ impl fmt::Display for InterfaceType {
 }
 
 /// Defines the primary configuration mode of a switch interface, representing mutually exclusive roles.
-#[derive(Debug, PartialEq, Eq, Clone)]
+#[derive(Debug, PartialEq, Eq, Clone, Serialize)]
 pub enum PortOperatingMode {
     /// The interface is explicitly configured for Brocade fabric roles (ISL or Trunk enabled).
     Fabric,
@@ -141,12 +142,11 @@ pub enum InterfaceStatus {
 
 pub async fn init(
     ip_addresses: &[IpAddr],
-    port: u16,
     username: &str,
     password: &str,
-    options: Option<BrocadeOptions>,
+    options: BrocadeOptions,
 ) -> Result<Box<dyn BrocadeClient + Send + Sync>, Error> {
-    let shell = BrocadeShell::init(ip_addresses, port, username, password, options).await?;
+    let shell = BrocadeShell::init(ip_addresses, username, password, options).await?;
 
     let version_info = shell
         .with_session(ExecutionMode::Regular, |session| {
@@ -208,7 +208,7 @@ pub trait BrocadeClient: std::fmt::Debug {
     /// Configures a set of interfaces to be operated with a specified mode (access ports, ISL, etc.).
     async fn configure_interfaces(
         &self,
-        interfaces: Vec<(String, PortOperatingMode)>,
+        interfaces: &Vec<(String, PortOperatingMode)>,
     ) -> Result<(), Error>;
 
     /// Scans the existing configuration to find the next available (unused)
diff --git a/brocade/src/network_operating_system.rs b/brocade/src/network_operating_system.rs
index f4db713..ccd9544 100644
--- a/brocade/src/network_operating_system.rs
+++ b/brocade/src/network_operating_system.rs
@@ -187,7 +187,7 @@ impl BrocadeClient for NetworkOperatingSystemClient {
 
     async fn configure_interfaces(
         &self,
-        interfaces: Vec<(String, PortOperatingMode)>,
+        interfaces: &Vec<(String, PortOperatingMode)>,
     ) -> Result<(), Error> {
         info!("[Brocade] Configuring {} interface(s)...", interfaces.len());
 
@@ -204,9 +204,12 @@ impl BrocadeClient for NetworkOperatingSystemClient {
                 PortOperatingMode::Trunk => {
                     commands.push("switchport".into());
                     commands.push("switchport mode trunk".into());
-                    commands.push("no spanning-tree shutdown".into());
+                    commands.push("switchport trunk allowed vlan all".into());
+                    commands.push("no switchport trunk tag native-vlan".into());
+                    commands.push("spanning-tree shutdown".into());
                     commands.push("no fabric isl enable".into());
                     commands.push("no fabric trunk enable".into());
+                    commands.push("no shutdown".into());
                 }
                 PortOperatingMode::Access => {
                     commands.push("switchport".into());
diff --git a/brocade/src/shell.rs b/brocade/src/shell.rs
index 9cd94a9..f72c31b 100644
--- a/brocade/src/shell.rs
+++ b/brocade/src/shell.rs
@@ -16,7 +16,6 @@ use tokio::time::timeout;
 #[derive(Debug)]
 pub struct BrocadeShell {
     ip: IpAddr,
-    port: u16,
     username: String,
     password: String,
     options: BrocadeOptions,
@@ -27,33 +26,31 @@ pub struct BrocadeShell {
 impl BrocadeShell {
     pub async fn init(
         ip_addresses: &[IpAddr],
-        port: u16,
         username: &str,
         password: &str,
-        options: Option<BrocadeOptions>,
+        options: BrocadeOptions,
     ) -> Result<Self, Error> {
         let ip = ip_addresses
             .first()
             .ok_or_else(|| Error::ConfigurationError("No IP addresses provided".to_string()))?;
 
-        let base_options = options.unwrap_or_default();
-        let options = ssh::try_init_client(username, password, ip, base_options).await?;
+        let brocade_ssh_client_options =
+            ssh::try_init_client(username, password, ip, options).await?;
 
         Ok(Self {
             ip: *ip,
-            port,
             username: username.to_string(),
             password: password.to_string(),
             before_all_commands: vec![],
             after_all_commands: vec![],
-            options,
+            options: brocade_ssh_client_options,
         })
     }
 
     pub async fn open_session(&self, mode: ExecutionMode) -> Result<BrocadeSession, Error> {
         BrocadeSession::open(
             self.ip,
-            self.port,
+            self.options.ssh.port,
             &self.username,
             &self.password,
             self.options.clone(),
diff --git a/brocade/src/ssh.rs b/brocade/src/ssh.rs
index 08ff96f..cb804c7 100644
--- a/brocade/src/ssh.rs
+++ b/brocade/src/ssh.rs
@@ -2,6 +2,7 @@ use std::borrow::Cow;
 use std::sync::Arc;
 
 use async_trait::async_trait;
+use log::debug;
 use russh::client::Handler;
 use russh::kex::DH_G1_SHA1;
 use russh::kex::ECDH_SHA2_NISTP256;
@@ -10,29 +11,43 @@ use russh_keys::key::SSH_RSA;
 use super::BrocadeOptions;
 use super::Error;
 
-#[derive(Default, Clone, Debug)]
+#[derive(Clone, Debug)]
 pub struct SshOptions {
     pub preferred_algorithms: russh::Preferred,
+    pub port: u16,
+}
+
+impl Default for SshOptions {
+    fn default() -> Self {
+        Self {
+            preferred_algorithms: Default::default(),
+            port: 22,
+        }
+    }
 }
 
 impl SshOptions {
-    fn ecdhsa_sha2_nistp256() -> Self {
+    fn ecdhsa_sha2_nistp256(port: u16) -> Self {
         Self {
             preferred_algorithms: russh::Preferred {
                 kex: Cow::Borrowed(&[ECDH_SHA2_NISTP256]),
                 key: Cow::Borrowed(&[SSH_RSA]),
                 ..Default::default()
             },
+            port,
+            ..Default::default()
         }
     }
 
-    fn legacy() -> Self {
+    fn legacy(port: u16) -> Self {
         Self {
             preferred_algorithms: russh::Preferred {
                 kex: Cow::Borrowed(&[DH_G1_SHA1]),
                 key: Cow::Borrowed(&[SSH_RSA]),
                 ..Default::default()
             },
+            port,
+            ..Default::default()
         }
     }
 }
@@ -57,18 +72,21 @@ pub async fn try_init_client(
     ip: &std::net::IpAddr,
     base_options: BrocadeOptions,
 ) -> Result<BrocadeOptions, Error> {
+    let mut default = SshOptions::default();
+    default.port = base_options.ssh.port;
     let ssh_options = vec![
-        SshOptions::default(),
-        SshOptions::ecdhsa_sha2_nistp256(),
-        SshOptions::legacy(),
+        default,
+        SshOptions::ecdhsa_sha2_nistp256(base_options.ssh.port),
+        SshOptions::legacy(base_options.ssh.port),
     ];
 
     for ssh in ssh_options {
         let opts = BrocadeOptions {
-            ssh,
+            ssh: ssh.clone(),
             ..base_options.clone()
         };
-        let client = create_client(*ip, 22, username, password, &opts).await;
+        debug!("Creating client {ip}:{} {username}", ssh.port);
+        let client = create_client(*ip, ssh.port, username, password, &opts).await;
 
         match client {
             Ok(_) => {
diff --git a/examples/brocade_switch/Cargo.toml b/examples/brocade_switch/Cargo.toml
new file mode 100644
index 0000000..6ac6a6c
--- /dev/null
+++ b/examples/brocade_switch/Cargo.toml
@@ -0,0 +1,19 @@
+[package]
+name = "brocade-switch"
+edition = "2024"
+version.workspace = true
+readme.workspace = true
+license.workspace = true
+
+[dependencies]
+harmony = { path = "../../harmony" }
+harmony_cli = { path = "../../harmony_cli" }
+harmony_macros = { path = "../../harmony_macros" }
+harmony_types = { path = "../../harmony_types" }
+tokio.workspace = true
+url.workspace = true
+async-trait.workspace = true
+serde.workspace = true
+log.workspace = true
+env_logger.workspace = true
+brocade = { path = "../../brocade" }
diff --git a/examples/brocade_switch/src/main.rs b/examples/brocade_switch/src/main.rs
new file mode 100644
index 0000000..a99263d
--- /dev/null
+++ b/examples/brocade_switch/src/main.rs
@@ -0,0 +1,157 @@
+use std::str::FromStr;
+
+use async_trait::async_trait;
+use brocade::{BrocadeOptions, PortOperatingMode};
+use harmony::{
+    data::Version,
+    infra::brocade::BrocadeSwitchClient,
+    interpret::{Interpret, InterpretError, InterpretName, InterpretStatus, Outcome},
+    inventory::Inventory,
+    score::Score,
+    topology::{
+        HostNetworkConfig, PortConfig, PreparationError, PreparationOutcome, Switch, SwitchClient,
+        SwitchError, Topology,
+    },
+};
+use harmony_macros::ip;
+use harmony_types::{id::Id, net::MacAddress, switch::PortLocation};
+use log::{debug, info};
+use serde::Serialize;
+
+#[tokio::main]
+async fn main() {
+    let switch_score = BrocadeSwitchScore {
+        port_channels_to_clear: vec![
+            Id::from_str("17").unwrap(),
+            Id::from_str("19").unwrap(),
+            Id::from_str("18").unwrap(),
+        ],
+        ports_to_configure: vec![
+            (PortLocation(2, 0, 17), PortOperatingMode::Trunk),
+            (PortLocation(2, 0, 19), PortOperatingMode::Trunk),
+            (PortLocation(1, 0, 18), PortOperatingMode::Trunk),
+        ],
+    };
+    harmony_cli::run(
+        Inventory::autoload(),
+        SwitchTopology::new().await,
+        vec![Box::new(switch_score)],
+        None,
+    )
+    .await
+    .unwrap();
+}
+
+#[derive(Clone, Debug, Serialize)]
+struct BrocadeSwitchScore {
+    port_channels_to_clear: Vec<Id>,
+    ports_to_configure: Vec<PortConfig>,
+}
+
+impl<T: Topology + Switch> Score<T> for BrocadeSwitchScore {
+    fn name(&self) -> String {
+        "BrocadeSwitchScore".to_string()
+    }
+
+    #[doc(hidden)]
+    fn create_interpret(&self) -> Box<dyn Interpret<T>> {
+        Box::new(BrocadeSwitchInterpret {
+            score: self.clone(),
+        })
+    }
+}
+
+#[derive(Debug)]
+struct BrocadeSwitchInterpret {
+    score: BrocadeSwitchScore,
+}
+
+#[async_trait]
+impl<T: Topology + Switch> Interpret<T> for BrocadeSwitchInterpret {
+    async fn execute(
+        &self,
+        _inventory: &Inventory,
+        topology: &T,
+    ) -> Result<Outcome, InterpretError> {
+        info!("Applying switch configuration {:?}", self.score);
+        debug!(
+            "Clearing port channel {:?}",
+            self.score.port_channels_to_clear
+        );
+        topology
+            .clear_port_channel(&self.score.port_channels_to_clear)
+            .await
+            .map_err(|e| InterpretError::new(e.to_string()))?;
+        debug!("Configuring interfaces {:?}", self.score.ports_to_configure);
+        topology
+            .configure_interface(&self.score.ports_to_configure)
+            .await
+            .map_err(|e| InterpretError::new(e.to_string()))?;
+        Ok(Outcome::success("switch configured".to_string()))
+    }
+    fn get_name(&self) -> InterpretName {
+        InterpretName::Custom("BrocadeSwitchInterpret")
+    }
+    fn get_version(&self) -> Version {
+        todo!()
+    }
+    fn get_status(&self) -> InterpretStatus {
+        todo!()
+    }
+    fn get_children(&self) -> Vec<Id> {
+        todo!()
+    }
+}
+
+struct SwitchTopology {
+    client: Box<dyn SwitchClient>,
+}
+
+#[async_trait]
+impl Topology for SwitchTopology {
+    fn name(&self) -> &str {
+        "SwitchTopology"
+    }
+
+    async fn ensure_ready(&self) -> Result<PreparationOutcome, PreparationError> {
+        Ok(PreparationOutcome::Noop)
+    }
+}
+
+impl SwitchTopology {
+    async fn new() -> Self {
+        let mut options = BrocadeOptions::default();
+        options.ssh.port = 2222;
+        let client =
+            BrocadeSwitchClient::init(&vec![ip!("127.0.0.1")], &"admin", &"password", options)
+                .await
+                .expect("Failed to connect to switch");
+
+        let client = Box::new(client);
+        Self { client }
+    }
+}
+
+#[async_trait]
+impl Switch for SwitchTopology {
+    async fn setup_switch(&self) -> Result<(), SwitchError> {
+        todo!()
+    }
+
+    async fn get_port_for_mac_address(
+        &self,
+        _mac_address: &MacAddress,
+    ) -> Result<Option<PortLocation>, SwitchError> {
+        todo!()
+    }
+
+    async fn configure_port_channel(&self, _config: &HostNetworkConfig) -> Result<(), SwitchError> {
+        todo!()
+    }
+    async fn clear_port_channel(&self, ids: &Vec<Id>) -> Result<(), SwitchError> {
+        self.client.clear_port_channel(ids).await
+    }
+    async fn configure_interface(&self, ports: &Vec<PortConfig>) -> Result<(), SwitchError> {
+        self.client.configure_interface(ports).await
+    }
+}
diff --git a/harmony/src/domain/topology/ha_cluster.rs b/harmony/src/domain/topology/ha_cluster.rs
index 558f97c..dc6d4ac 100644
--- a/harmony/src/domain/topology/ha_cluster.rs
+++ b/harmony/src/domain/topology/ha_cluster.rs
@@ -1,4 +1,5 @@
 use async_trait::async_trait;
+use brocade::PortOperatingMode;
 use harmony_macros::ip;
 use harmony_types::{
     id::Id,
@@ -8,7 +9,7 @@ use harmony_types::{
 use log::debug;
 use log::info;
 
-use crate::infra::network_manager::OpenShiftNmStateNetworkManager;
+use crate::{infra::network_manager::OpenShiftNmStateNetworkManager, topology::PortConfig};
 use crate::topology::PxeOptions;
 use crate::{data::FileContent, executors::ExecutorError};
 
@@ -298,6 +299,16 @@ impl Switch for HAClusterTopology {
 
         Ok(())
     }
+
+    async fn clear_port_channel(&self, ids: &Vec<Id>) -> Result<(), SwitchError> {
+        todo!()
+    }
+    async fn configure_interface(
+        &self,
+        ports: &Vec<PortConfig>,
+    ) -> Result<(), SwitchError> {
+        todo!()
+    }
 }
 
 #[async_trait]
@@ -521,4 +532,6 @@ impl SwitchClient for DummyInfra {
     ) -> Result<u8, SwitchError> {
         unimplemented!("{}", UNIMPLEMENTED_DUMMY_INFRA)
     }
+    async fn clear_port_channel(&self, ids: &Vec<Id>) -> Result<(), SwitchError> {todo!()}
+    async fn configure_interface(&self, ports: &Vec<PortConfig>) -> Result<(), SwitchError> {todo!()}
 }
diff --git a/harmony/src/domain/topology/network.rs b/harmony/src/domain/topology/network.rs
index d9e4f72..ad2efe0 100644
--- a/harmony/src/domain/topology/network.rs
+++ b/harmony/src/domain/topology/network.rs
@@ -7,6 +7,7 @@ use std::{
 };
 
 use async_trait::async_trait;
+use brocade::PortOperatingMode;
 use derive_new::new;
 use harmony_types::{
     id::Id,
@@ -214,6 +215,8 @@ impl From<String> for NetworkError {
     }
 }
 
+pub type PortConfig = (PortLocation, PortOperatingMode);
+
 #[async_trait]
 pub trait Switch: Send + Sync {
     async fn setup_switch(&self) -> Result<(), SwitchError>;
@@ -224,6 +227,8 @@ pub trait Switch: Send + Sync {
     ) -> Result<Option<PortLocation>, SwitchError>;
 
     async fn configure_port_channel(&self, config: &HostNetworkConfig) -> Result<(), SwitchError>;
+    async fn clear_port_channel(&self, ids: &Vec<Id>) -> Result<(), SwitchError>;
+    async fn configure_interface(&self, ports: &Vec<PortConfig>) -> Result<(), SwitchError>;
 }
 
 #[derive(Clone, Debug, PartialEq)]
@@ -283,6 +288,9 @@ pub trait SwitchClient: Debug + Send + Sync {
         channel_name: &str,
         switch_ports: Vec<PortLocation>,
     ) -> Result<u8, SwitchError>;
+
+    async fn clear_port_channel(&self, ids: &Vec<Id>) -> Result<(), SwitchError>;
+    async fn configure_interface(&self, ports: &Vec<PortConfig>) -> Result<(), SwitchError>;
 }
 
 #[cfg(test)]
diff --git a/harmony/src/infra/brocade.rs b/harmony/src/infra/brocade.rs
index 774c8f8..6e45ce7 100644
--- a/harmony/src/infra/brocade.rs
+++ b/harmony/src/infra/brocade.rs
@@ -1,12 +1,13 @@
 use async_trait::async_trait;
 use brocade::{BrocadeClient, BrocadeOptions, InterSwitchLink, InterfaceStatus, PortOperatingMode};
 use harmony_types::{
+    id::Id,
     net::{IpAddress, MacAddress},
     switch::{PortDeclaration, PortLocation},
 };
 use option_ext::OptionExt;
 
-use crate::topology::{SwitchClient, SwitchError};
+use crate::topology::{PortConfig, SwitchClient, SwitchError};
 
 #[derive(Debug)]
 pub struct BrocadeSwitchClient {
@@ -18,9 +19,9 @@ impl BrocadeSwitchClient {
         ip_addresses: &[IpAddress],
         username: &str,
         password: &str,
-        options: Option<BrocadeOptions>,
+        options: BrocadeOptions,
     ) -> Result<Self, brocade::Error> {
-        let brocade = brocade::init(ip_addresses, 22, username, password, options).await?;
+        let brocade = brocade::init(ip_addresses, username, password, options).await?;
         Ok(Self { brocade })
     }
 }
@@ -59,7 +60,7 @@ impl SwitchClient for BrocadeSwitchClient {
         }
 
         self.brocade
-            .configure_interfaces(interfaces)
+            .configure_interfaces(&interfaces)
             .await
             .map_err(|e| SwitchError::new(e.to_string()))?;
 
@@ -111,6 +112,24 @@ impl SwitchClient for BrocadeSwitchClient {
 
         Ok(channel_id)
     }
+    async fn clear_port_channel(&self, ids: &Vec<Id>) -> Result<(), SwitchError> {
+        for i in ids {
+            self.brocade
+                .clear_port_channel(&i.to_string())
+                .await
+                .map_err(|e| SwitchError::new(e.to_string()))?;
+        }
+        Ok(())
+    }
+    async fn configure_interface(&self, ports: &Vec<PortConfig>) -> Result<(), SwitchError> {
+        // FIXME hardcoded TenGigabitEthernet = bad
+        let ports = ports.iter().map(|p| (format!("TenGigabitEthernet {}", p.0), p.1.clone())).collect();
+        self.brocade
+            .configure_interfaces(&ports)
+            .await
+            .map_err(|e| SwitchError::new(e.to_string()))?;
+        Ok(())
+    }
 }
 
 #[cfg(test)]
@@ -147,8 +166,8 @@ mod tests {
 
         let configured_interfaces = brocade.configured_interfaces.lock().unwrap();
         assert_that!(*configured_interfaces).contains_exactly(vec![
-            (first_interface.name.clone(), PortOperatingMode::Access),
-            (second_interface.name.clone(), PortOperatingMode::Access),
+            (first_interface.port_location, PortOperatingMode::Access),
+            (second_interface.port_location, PortOperatingMode::Access),
         ]);
     }
 
@@ -255,10 +274,10 @@ mod tests {
 
         async fn configure_interfaces(
             &self,
-            interfaces: Vec<(String, PortOperatingMode)>,
+            interfaces: &Vec<(String, PortOperatingMode)>,
         ) -> Result<(), Error> {
             let mut configured_interfaces = self.configured_interfaces.lock().unwrap();
-            *configured_interfaces = interfaces;
+            *configured_interfaces = interfaces.clone();
 
             Ok(())
         }
diff --git a/harmony/src/modules/dhcp.rs b/harmony/src/modules/dhcp.rs
index e261220..149b1c0 100644
--- a/harmony/src/modules/dhcp.rs
+++ b/harmony/src/modules/dhcp.rs
@@ -19,8 +19,11 @@ pub struct DhcpScore {
     pub host_binding: Vec<HostBinding>,
     pub next_server: Option<IpAddress>,
     pub boot_filename: Option<String>,
+    /// Boot filename to be provided to PXE clients identifying as BIOS
     pub filename: Option<String>,
+    /// Boot filename to be provided to PXE clients identifying as uefi but NOT iPXE
     pub filename64: Option<String>,
+    /// Boot filename to be provided to PXE clients identifying as iPXE
     pub filenameipxe: Option<String>,
     pub dhcp_range: (IpAddress, IpAddress),
     pub domain: Option<String>,
diff --git a/harmony/src/modules/okd/host_network.rs b/harmony/src/modules/okd/host_network.rs
index ee68942..a84cf19 100644
--- a/harmony/src/modules/okd/host_network.rs
+++ b/harmony/src/modules/okd/host_network.rs
@@ -251,14 +251,14 @@ impl<T: Topology + NetworkManager + Switch> Interpret<T> for HostNetworkConfigur
 #[cfg(test)]
 mod tests {
     use assertor::*;
+    use brocade::PortOperatingMode;
     use harmony_types::{net::MacAddress, switch::PortLocation};
     use lazy_static::lazy_static;
 
     use crate::{
         hardware::HostCategory,
         topology::{
-            HostNetworkConfig, NetworkError, PreparationError, PreparationOutcome, SwitchError,
-            SwitchPort,
+            HostNetworkConfig, NetworkError, PortConfig, PreparationError, PreparationOutcome, SwitchError, SwitchPort
         },
     };
     use std::{
@@ -692,5 +692,14 @@ mod tests {
 
             Ok(())
         }
+        async fn clear_port_channel(&self, ids: &Vec<Id>) -> Result<(), SwitchError> {
+            todo!()
+        }
+        async fn configure_interface(
+            &self,
+            port_config: &Vec<PortConfig>,
+        ) -> Result<(), SwitchError> {
+            todo!()
+        }
     }
 }
diff --git a/harmony_types/src/switch.rs b/harmony_types/src/switch.rs
index 2d32754..359e776 100644
--- a/harmony_types/src/switch.rs
+++ b/harmony_types/src/switch.rs
@@ -1,5 +1,7 @@
 use std::{fmt, str::FromStr};
 
+use serde::Serialize;
+
 /// Simple error type for port parsing failures.
 #[derive(Debug)]
 pub enum PortParseError {
@@ -21,7 +23,7 @@ impl fmt::Display for PortParseError {
 /// Represents the atomic, physical location of a switch port: `<Stack>/<Module>/<Port>`.
 ///
 /// Example: `1/1/1`
-#[derive(Debug, PartialEq, Eq, PartialOrd, Ord, Clone)]
+#[derive(Debug, PartialEq, Eq, PartialOrd, Ord, Clone, Serialize)]
 pub struct PortLocation(pub u8, pub u8, pub u8);
 
 impl fmt::Display for PortLocation {

From a0a8d5277c3adbab92df6571d6050b0532a437e1 Mon Sep 17 00:00:00 2001
From: Jean-Gabriel Gill-Couture <jg@nationtech.io>
Date: Tue, 11 Nov 2025 09:06:36 -0500
Subject: [PATCH 30/51] fix: opnsense definitions more accurate for various
 resources such as ProxyGeneral, System, StaticMap, Job, etc. Also fixed
 brocade crate export and some warnings

---
 brocade/src/lib.rs                         |  2 +-
 harmony/src/domain/hardware/mod.rs         |  8 +--
 harmony/src/infra/kube.rs                  |  2 +-
 harmony/src/infra/opnsense/mod.rs          |  1 -
 opnsense-config-xml/src/data/opnsense.rs   | 64 +++++++++++++---------
 opnsense-config/src/modules/dhcp_legacy.rs |  9 +--
 6 files changed, 47 insertions(+), 39 deletions(-)

diff --git a/brocade/src/lib.rs b/brocade/src/lib.rs
index 6a6afa4..3dfb4d4 100644
--- a/brocade/src/lib.rs
+++ b/brocade/src/lib.rs
@@ -19,7 +19,7 @@ use serde::Serialize;
 mod fast_iron;
 mod network_operating_system;
 mod shell;
-mod ssh;
+pub mod ssh;
 
 #[derive(Default, Clone, Debug)]
 pub struct BrocadeOptions {
diff --git a/harmony/src/domain/hardware/mod.rs b/harmony/src/domain/hardware/mod.rs
index 1b1a72c..5b590e7 100644
--- a/harmony/src/domain/hardware/mod.rs
+++ b/harmony/src/domain/hardware/mod.rs
@@ -152,10 +152,10 @@ impl PhysicalHost {
     pub fn parts_list(&self) -> String {
         let PhysicalHost {
             id,
-            category,
+            category: _,
             network,
             storage,
-            labels,
+            labels: _,
             memory_modules,
             cpus,
         } = self;
@@ -226,8 +226,8 @@ impl PhysicalHost {
                 speed_mhz,
                 manufacturer,
                 part_number,
-                serial_number,
-                rank,
+                serial_number: _,
+                rank: _,
             } = mem;
             parts_list.push_str(&format!(
                 "\n{}Gb, {}Mhz, Manufacturer ({}), Part Number ({})",
diff --git a/harmony/src/infra/kube.rs b/harmony/src/infra/kube.rs
index 9fb1247..de4d4ea 100644
--- a/harmony/src/infra/kube.rs
+++ b/harmony/src/infra/kube.rs
@@ -121,7 +121,7 @@ mod test {
     #[test]
     fn deployment_to_dynamic_roundtrip() {
         // Create a sample Deployment with nested structures
-        let mut deployment = Deployment {
+        let deployment = Deployment {
             metadata: ObjectMeta {
                 name: Some("my-deployment".to_string()),
                 labels: Some({
diff --git a/harmony/src/infra/opnsense/mod.rs b/harmony/src/infra/opnsense/mod.rs
index 3878cfc..b5223e4 100644
--- a/harmony/src/infra/opnsense/mod.rs
+++ b/harmony/src/infra/opnsense/mod.rs
@@ -8,7 +8,6 @@ mod tftp;
 use std::sync::Arc;
 
 pub use management::*;
-use opnsense_config_xml::Host;
 use tokio::sync::RwLock;
 
 use crate::{executors::ExecutorError, topology::LogicalHost};
diff --git a/opnsense-config-xml/src/data/opnsense.rs b/opnsense-config-xml/src/data/opnsense.rs
index fa5f985..8a2f64f 100644
--- a/opnsense-config-xml/src/data/opnsense.rs
+++ b/opnsense-config-xml/src/data/opnsense.rs
@@ -195,7 +195,7 @@ pub struct System {
     pub disablechecksumoffloading: u8,
     pub disablesegmentationoffloading: u8,
     pub disablelargereceiveoffloading: u8,
-    pub ipv6allow: u8,
+    pub ipv6allow: Option<u8>,
     pub powerd_ac_mode: String,
     pub powerd_battery_mode: String,
     pub powerd_normal_mode: String,
@@ -226,6 +226,7 @@ pub struct System {
     pub dns6gw: Option<String>,
     pub dns7gw: Option<String>,
     pub dns8gw: Option<String>,
+    pub prefer_ipv4: Option<String>,
     pub dnsallowoverride: u8,
     pub dnsallowoverride_exclude: Option<MaybeString>,
 }
@@ -329,6 +330,7 @@ pub struct Range {
 pub struct StaticMap {
     pub mac: String,
     pub ipaddr: String,
+    pub cid: Option<MaybeString>,
     pub hostname: String,
     pub descr: Option<MaybeString>,
     pub winsserver: MaybeString,
@@ -764,9 +766,19 @@ pub struct Jobs {
 pub struct Job {
     #[yaserde(attribute = true)]
     pub uuid: MaybeString,
-    #[yaserde(rename = "name")]
-    pub name: MaybeString,
+    pub name: Option<MaybeString>,
     // Add other fields as needed
+    pub origin: Option<MaybeString>,
+    pub enabled: Option<MaybeString>,
+    pub minutes: Option<MaybeString>,
+    pub hours: Option<MaybeString>,
+    pub days: Option<MaybeString>,
+    pub months: Option<MaybeString>,
+    pub weekdays: Option<MaybeString>,
+    pub who: Option<MaybeString>,
+    pub command: Option<MaybeString>,
+    pub parameters: Option<MaybeString>,
+    pub description: Option<MaybeString>,
 }
 
 #[derive(Default, PartialEq, Debug, YaSerialize, YaDeserialize)]
@@ -895,28 +907,28 @@ pub struct Proxy {
 #[derive(Default, PartialEq, Debug, YaSerialize, YaDeserialize)]
 pub struct ProxyGeneral {
     pub enabled: i8,
-    pub error_pages: String,
+    pub error_pages: Option<MaybeString>,
     #[yaserde(rename = "icpPort")]
     pub icp_port: MaybeString,
     pub logging: Logging,
     #[yaserde(rename = "alternateDNSservers")]
     pub alternate_dns_servers: MaybeString,
     #[yaserde(rename = "dnsV4First")]
-    pub dns_v4_first: i8,
+    pub dns_v4_first: Option<MaybeString>,
     #[yaserde(rename = "forwardedForHandling")]
-    pub forwarded_for_handling: String,
+    pub forwarded_for_handling: Option<MaybeString>,
     #[yaserde(rename = "uriWhitespaceHandling")]
-    pub uri_whitespace_handling: String,
+    pub uri_whitespace_handling: Option<MaybeString>,
     #[yaserde(rename = "enablePinger")]
     pub enable_pinger: i8,
     #[yaserde(rename = "useViaHeader")]
-    pub use_via_header: i8,
+    pub use_via_header: Option<MaybeString>,
     #[yaserde(rename = "suppressVersion")]
-    pub suppress_version: i32,
+    pub suppress_version: Option<MaybeString>,
     #[yaserde(rename = "connecttimeout")]
-    pub connect_timeout: MaybeString,
+    pub connect_timeout: Option<MaybeString>,
     #[yaserde(rename = "VisibleEmail")]
-    pub visible_email: String,
+    pub visible_email: Option<MaybeString>,
     #[yaserde(rename = "VisibleHostname")]
     pub visible_hostname: MaybeString,
     pub cache: Cache,
@@ -953,7 +965,7 @@ pub struct LocalCache {
     pub cache_mem: i32,
     pub maximum_object_size: MaybeString,
     pub maximum_object_size_in_memory: MaybeString,
-    pub memory_cache_mode: String,
+    pub memory_cache_mode: MaybeString,
     pub size: i32,
     pub l1: i32,
     pub l2: i32,
@@ -965,13 +977,13 @@ pub struct LocalCache {
 pub struct Traffic {
     pub enabled: i32,
     #[yaserde(rename = "maxDownloadSize")]
-    pub max_download_size: i32,
+    pub max_download_size: MaybeString,
     #[yaserde(rename = "maxUploadSize")]
-    pub max_upload_size: i32,
+    pub max_upload_size: MaybeString,
     #[yaserde(rename = "OverallBandwidthTrotteling")]
-    pub overall_bandwidth_trotteling: i32,
+    pub overall_bandwidth_trotteling: MaybeString,
     #[yaserde(rename = "perHostTrotteling")]
-    pub per_host_trotteling: i32,
+    pub per_host_trotteling: MaybeString,
 }
 
 #[derive(Default, PartialEq, Debug, YaSerialize, YaDeserialize)]
@@ -988,7 +1000,7 @@ pub struct ParentProxy {
 
 #[derive(Default, PartialEq, Debug, YaSerialize, YaDeserialize)]
 pub struct Forward {
-    pub interfaces: String,
+    pub interfaces: MaybeString,
     pub port: i32,
     pub sslbumpport: i32,
     pub sslbump: i32,
@@ -1033,9 +1045,9 @@ pub struct Acl {
     pub google_apps: MaybeString,
     pub youtube: MaybeString,
     #[yaserde(rename = "safePorts")]
-    pub safe_ports: String,
+    pub safe_ports: MaybeString,
     #[yaserde(rename = "sslPorts")]
-    pub ssl_ports: String,
+    pub ssl_ports: MaybeString,
     #[yaserde(rename = "remoteACLs")]
     pub remote_acls: RemoteAcls,
 }
@@ -1051,9 +1063,9 @@ pub struct RemoteAcls {
 pub struct Icap {
     pub enable: i32,
     #[yaserde(rename = "RequestURL")]
-    pub request_url: String,
+    pub request_url: MaybeString,
     #[yaserde(rename = "ResponseURL")]
-    pub response_url: String,
+    pub response_url: MaybeString,
     #[yaserde(rename = "SendClientIP")]
     pub send_client_ip: i32,
     #[yaserde(rename = "SendUsername")]
@@ -1061,7 +1073,7 @@ pub struct Icap {
     #[yaserde(rename = "EncodeUsername")]
     pub encode_username: i32,
     #[yaserde(rename = "UsernameHeader")]
-    pub username_header: String,
+    pub username_header: MaybeString,
     #[yaserde(rename = "EnablePreview")]
     pub enable_preview: i32,
     #[yaserde(rename = "PreviewSize")]
@@ -1076,9 +1088,9 @@ pub struct Authentication {
     pub method: MaybeString,
     #[yaserde(rename = "authEnforceGroup")]
     pub auth_enforce_group: MaybeString,
-    pub realm: String,
-    pub credentialsttl: i32, // This field is already in snake_case
-    pub children: i32,
+    pub realm: MaybeString,
+    pub credentialsttl: MaybeString, // This field is already in snake_case
+    pub children: MaybeString,
 }
 
 #[derive(Default, PartialEq, Debug, YaSerialize, YaDeserialize)]
@@ -1293,6 +1305,7 @@ pub struct WireguardServerItem {
     pub peers: String,
     pub endpoint: MaybeString,
     pub peer_dns: MaybeString,
+    pub debug: Option<MaybeString>,
 }
 
 #[derive(Default, PartialEq, Debug, YaSerialize, YaDeserialize)]
@@ -1477,6 +1490,7 @@ pub struct Ppp {
     pub ports: Option<MaybeString>,
     pub username: Option<MaybeString>,
     pub password: Option<MaybeString>,
+    pub provider: Option<MaybeString>,
 }
 
 #[derive(Default, PartialEq, Debug, YaSerialize, YaDeserialize)]
diff --git a/opnsense-config/src/modules/dhcp_legacy.rs b/opnsense-config/src/modules/dhcp_legacy.rs
index 1d36ac6..b644073 100644
--- a/opnsense-config/src/modules/dhcp_legacy.rs
+++ b/opnsense-config/src/modules/dhcp_legacy.rs
@@ -86,10 +86,7 @@ impl<'a> DhcpConfigLegacyISC<'a> {
             mac,
             ipaddr: ipaddr.to_string(),
             hostname,
-            descr: Default::default(),
-            winsserver: Default::default(),
-            dnsserver: Default::default(),
-            ntpserver: Default::default(),
+            ..Default::default()
         };
 
         existing_mappings.push(static_map);
@@ -126,9 +123,7 @@ impl<'a> DhcpConfigLegacyISC<'a> {
                 ipaddr: entry["ipaddr"].as_str().unwrap_or_default().to_string(),
                 hostname: entry["hostname"].as_str().unwrap_or_default().to_string(),
                 descr: entry["descr"].as_str().map(MaybeString::from),
-                winsserver: MaybeString::default(),
-                dnsserver: MaybeString::default(),
-                ntpserver: MaybeString::default(),
+                ..Default::default()
             })
             .collect();
 

From 83c1cc82b64c2839c9734b29dd28432141be4570 Mon Sep 17 00:00:00 2001
From: Ian Letourneau <ian@noma.to>
Date: Tue, 11 Nov 2025 14:12:56 +0000
Subject: [PATCH 31/51] fix(host_network): remove extra fields from bond config
 to prevent clashes (#186)

Also alias `port` to support both `port` and `ports` as per the nmstate spec.

Reviewed-on: https://git.nationtech.io/NationTech/harmony/pulls/186
---
 harmony/src/infra/network_manager.rs   |  4 +---
 harmony/src/modules/okd/crd/nmstate.rs |  1 +
 harmony_types/src/net.rs               | 10 +++++++++-
 3 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/harmony/src/infra/network_manager.rs b/harmony/src/infra/network_manager.rs
index 89321fe..e5dbd24 100644
--- a/harmony/src/infra/network_manager.rs
+++ b/harmony/src/infra/network_manager.rs
@@ -135,8 +135,6 @@ impl OpenShiftNmStateNetworkManager {
                 description: Some(format!("Member of bond {bond_name}")),
                 r#type: nmstate::InterfaceType::Ethernet,
                 state: "up".to_string(),
-                mtu: Some(switch_port.interface.mtu),
-                mac_address: Some(switch_port.interface.mac_address.to_string()),
                 ipv4: Some(nmstate::IpStackSpec {
                     enabled: Some(false),
                     ..Default::default()
@@ -162,7 +160,7 @@ impl OpenShiftNmStateNetworkManager {
 
         interfaces.push(nmstate::Interface {
             name: bond_name.to_string(),
-            description: Some(format!("Network bond for host {host}")),
+            description: Some(format!("HARMONY - Network bond for host {host}")),
             r#type: nmstate::InterfaceType::Bond,
             state: "up".to_string(),
             copy_mac_from,
diff --git a/harmony/src/modules/okd/crd/nmstate.rs b/harmony/src/modules/okd/crd/nmstate.rs
index f0eb4ae..3055766 100644
--- a/harmony/src/modules/okd/crd/nmstate.rs
+++ b/harmony/src/modules/okd/crd/nmstate.rs
@@ -417,6 +417,7 @@ pub struct EthernetSpec {
 #[serde(rename_all = "kebab-case")]
 pub struct BondSpec {
     pub mode: String,
+    #[serde(alias = "port")]
     pub ports: Vec<String>,
     #[serde(skip_serializing_if = "Option::is_none")]
     pub options: Option<BTreeMap<String, Value>>,
diff --git a/harmony_types/src/net.rs b/harmony_types/src/net.rs
index 51de86e..6086e54 100644
--- a/harmony_types/src/net.rs
+++ b/harmony_types/src/net.rs
@@ -1,6 +1,6 @@
 use serde::{Deserialize, Serialize};
 
-#[derive(Copy, Clone, Debug, PartialEq, Eq, Hash, Serialize, Deserialize, PartialOrd, Ord)]
+#[derive(Copy, Clone, PartialEq, Eq, Hash, Serialize, Deserialize, PartialOrd, Ord)]
 pub struct MacAddress(pub [u8; 6]);
 
 impl MacAddress {
@@ -19,6 +19,14 @@ impl From<&MacAddress> for String {
     }
 }
 
+impl std::fmt::Debug for MacAddress {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        f.debug_tuple("MacAddress")
+            .field(&String::from(self))
+            .finish()
+    }
+}
+
 impl std::fmt::Display for MacAddress {
     fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
         f.write_str(&String::from(self))

From d3634a631397bc7a799a4c188107f747ef42474a Mon Sep 17 00:00:00 2001
From: Jean-Gabriel Gill-Couture <jg@nationtech.io>
Date: Tue, 11 Nov 2025 09:53:59 -0500
Subject: [PATCH 32/51] fix(types): Switch port location failed on port channel
 interfaces

---
 Cargo.lock                                | 30 ++++++++++++++---------
 brocade/examples/main.rs                  | 21 ++++++++++------
 examples/nanodc/src/main.rs               |  4 +--
 examples/okd_installation/src/topology.rs |  4 +--
 examples/okd_pxe/src/topology.rs          |  4 +--
 examples/opnsense/src/main.rs             |  4 +--
 harmony_types/Cargo.toml                  |  1 +
 harmony_types/src/switch.rs               | 18 +++++++++++---
 8 files changed, 56 insertions(+), 30 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index f0504aa..321b2b1 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -690,6 +690,23 @@ dependencies = [
  "tokio",
 ]
 
+[[package]]
+name = "brocade-switch"
+version = "0.1.0"
+dependencies = [
+ "async-trait",
+ "brocade",
+ "env_logger",
+ "harmony",
+ "harmony_cli",
+ "harmony_macros",
+ "harmony_types",
+ "log",
+ "serde",
+ "tokio",
+ "url",
+]
+
 [[package]]
 name = "brotli"
 version = "8.0.2"
@@ -1853,18 +1870,6 @@ dependencies = [
  "url",
 ]
 
-[[package]]
-name = "example-penpot"
-version = "0.1.0"
-dependencies = [
- "harmony",
- "harmony_cli",
- "harmony_macros",
- "harmony_types",
- "tokio",
- "url",
-]
-
 [[package]]
 name = "example-pxe"
 version = "0.1.0"
@@ -2569,6 +2574,7 @@ dependencies = [
 name = "harmony_types"
 version = "0.1.0"
 dependencies = [
+ "log",
  "rand 0.9.2",
  "serde",
  "url",
diff --git a/brocade/examples/main.rs b/brocade/examples/main.rs
index de8623d..47d4a63 100644
--- a/brocade/examples/main.rs
+++ b/brocade/examples/main.rs
@@ -1,6 +1,6 @@
 use std::net::{IpAddr, Ipv4Addr};
 
-use brocade::BrocadeOptions;
+use brocade::{BrocadeOptions, ssh};
 use harmony_secret::{Secret, SecretManager};
 use harmony_types::switch::PortLocation;
 use serde::{Deserialize, Serialize};
@@ -16,20 +16,26 @@ async fn main() {
     env_logger::Builder::from_env(env_logger::Env::default().default_filter_or("info")).init();
 
     // let ip = IpAddr::V4(Ipv4Addr::new(10, 0, 0, 250)); // old brocade @ ianlet
-    let ip = IpAddr::V4(Ipv4Addr::new(192, 168, 55, 101)); // brocade @ sto1
+    let ip = IpAddr::V4(Ipv4Addr::new(127, 0, 0, 1)); // brocade @ sto1
     // let ip = IpAddr::V4(Ipv4Addr::new(192, 168, 4, 11)); // brocade @ st
     let switch_addresses = vec![ip];
 
-    let config = SecretManager::get_or_prompt::<BrocadeSwitchAuth>()
-        .await
-        .unwrap();
+    // let config = SecretManager::get_or_prompt::<BrocadeSwitchAuth>()
+    //     .await
+    //     .unwrap();
 
     let brocade = brocade::init(
         &switch_addresses,
-        &config.username,
-        &config.password,
+        // &config.username,
+        // &config.password,
+        "admin",
+        "password",
         BrocadeOptions {
             dry_run: true,
+            ssh: ssh::SshOptions {
+                port: 2222,
+                ..Default::default()
+            },
             ..Default::default()
         },
     )
@@ -53,6 +59,7 @@ async fn main() {
     }
 
     println!("--------------");
+    todo!();
     let channel_name = "1";
     brocade.clear_port_channel(channel_name).await.unwrap();
 
diff --git a/examples/nanodc/src/main.rs b/examples/nanodc/src/main.rs
index e487fab..ee19074 100644
--- a/examples/nanodc/src/main.rs
+++ b/examples/nanodc/src/main.rs
@@ -39,10 +39,10 @@ async fn main() {
         .expect("Failed to get credentials");
 
     let switches: Vec<IpAddr> = vec![ip!("192.168.33.101")];
-    let brocade_options = Some(BrocadeOptions {
+    let brocade_options = BrocadeOptions {
         dry_run: *harmony::config::DRY_RUN,
         ..Default::default()
-    });
+    };
     let switch_client = BrocadeSwitchClient::init(
         &switches,
         &switch_auth.username,
diff --git a/examples/okd_installation/src/topology.rs b/examples/okd_installation/src/topology.rs
index 2bc9fd2..6af30fd 100644
--- a/examples/okd_installation/src/topology.rs
+++ b/examples/okd_installation/src/topology.rs
@@ -31,10 +31,10 @@ pub async fn get_topology() -> HAClusterTopology {
         .expect("Failed to get credentials");
 
     let switches: Vec<IpAddr> = vec![ip!("192.168.1.101")]; // TODO: Adjust me
-    let brocade_options = Some(BrocadeOptions {
+    let brocade_options = BrocadeOptions {
         dry_run: *harmony::config::DRY_RUN,
         ..Default::default()
-    });
+    };
     let switch_client = BrocadeSwitchClient::init(
         &switches,
         &switch_auth.username,
diff --git a/examples/okd_pxe/src/topology.rs b/examples/okd_pxe/src/topology.rs
index 72695fa..c32bf16 100644
--- a/examples/okd_pxe/src/topology.rs
+++ b/examples/okd_pxe/src/topology.rs
@@ -26,10 +26,10 @@ pub async fn get_topology() -> HAClusterTopology {
         .expect("Failed to get credentials");
 
     let switches: Vec<IpAddr> = vec![ip!("192.168.1.101")]; // TODO: Adjust me
-    let brocade_options = Some(BrocadeOptions {
+    let brocade_options = BrocadeOptions {
         dry_run: *harmony::config::DRY_RUN,
         ..Default::default()
-    });
+    };
     let switch_client = BrocadeSwitchClient::init(
         &switches,
         &switch_auth.username,
diff --git a/examples/opnsense/src/main.rs b/examples/opnsense/src/main.rs
index e74f5da..9cfd4cf 100644
--- a/examples/opnsense/src/main.rs
+++ b/examples/opnsense/src/main.rs
@@ -35,10 +35,10 @@ async fn main() {
         .expect("Failed to get credentials");
 
     let switches: Vec<IpAddr> = vec![ip!("192.168.5.101")]; // TODO: Adjust me
-    let brocade_options = Some(BrocadeOptions {
+    let brocade_options = BrocadeOptions {
         dry_run: *harmony::config::DRY_RUN,
         ..Default::default()
-    });
+    };
     let switch_client = BrocadeSwitchClient::init(
         &switches,
         &switch_auth.username,
diff --git a/harmony_types/Cargo.toml b/harmony_types/Cargo.toml
index f02874e..d1ac556 100644
--- a/harmony_types/Cargo.toml
+++ b/harmony_types/Cargo.toml
@@ -9,3 +9,4 @@ license.workspace = true
 serde.workspace = true
 url.workspace = true
 rand.workspace = true
+log.workspace = true
diff --git a/harmony_types/src/switch.rs b/harmony_types/src/switch.rs
index 359e776..611207d 100644
--- a/harmony_types/src/switch.rs
+++ b/harmony_types/src/switch.rs
@@ -1,5 +1,5 @@
 use std::{fmt, str::FromStr};
-
+use log::trace;
 use serde::Serialize;
 
 /// Simple error type for port parsing failures.
@@ -72,6 +72,11 @@ impl FromStr for PortLocation {
 pub enum PortDeclaration {
     /// A single switch port defined by its location. Example: `PortDeclaration::Single(1/1/1)`
     Single(PortLocation),
+    /// A Named port, often used for virtual ports such as PortChannels. Example
+    /// ```rust
+    /// PortDeclaration::Named("1".to_string())
+    /// ```
+    Named(String),
     /// A strictly sequential range defined by two endpoints using the hyphen separator (`-`).
     /// All ports between the endpoints (inclusive) are implicitly included.
     /// Example: `PortDeclaration::Range(1/1/1, 1/1/4)`
@@ -132,8 +137,14 @@ impl PortDeclaration {
             return Ok(PortDeclaration::Set(start_port, end_port));
         }
 
-        let location = PortLocation::from_str(port_str)?;
-        Ok(PortDeclaration::Single(location))
+        match PortLocation::from_str(port_str) {
+            Ok(loc) => Ok(PortDeclaration::Single(loc)),
+            Err(e) => {
+                trace!("Failed to parse PortLocation {port_str} : {e}");
+                trace!("Falling back on named port");
+                Ok(PortDeclaration::Named(port_str.to_string()))
+            }
+        }
     }
 }
 
@@ -143,6 +154,7 @@ impl fmt::Display for PortDeclaration {
             PortDeclaration::Single(port) => write!(f, "{port}"),
             PortDeclaration::Range(start, end) => write!(f, "{start}-{end}"),
             PortDeclaration::Set(start, end) => write!(f, "{start}*{end}"),
+            PortDeclaration::Named(name) => write!(f, "{name}"),
         }
     }
 }

From 8ee3f8a4adbbc762dded2f1287ea9db0507749ea Mon Sep 17 00:00:00 2001
From: Jean-Gabriel Gill-Couture <jg@nationtech.io>
Date: Tue, 11 Nov 2025 11:32:42 -0500
Subject: [PATCH 33/51] chore: Update harmony-inventory-agent binary as some
 fixes were introduced : port is 25000 now and nbd devices wont make the
 inventory crash

---
 data/pxe/okd/http_files/harmony_inventory_agent | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/data/pxe/okd/http_files/harmony_inventory_agent b/data/pxe/okd/http_files/harmony_inventory_agent
index 1d802f7..47c7aaa 100755
--- a/data/pxe/okd/http_files/harmony_inventory_agent
+++ b/data/pxe/okd/http_files/harmony_inventory_agent
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:5244fa8968fe15c2415de6cc487e6112f8aedd9989951e018f9bdb536b1016d2
-size 8139216
+oid sha256:78b2cf5b2faa1a6b637c0d6ba3d37f427ee9f1b087e8605b95acce83dc417aa1
+size 8187248

From 29c82db70d11f18c158151c139b8dcaf163bfe82 Mon Sep 17 00:00:00 2001
From: Willem <wrolleman@nationtech.io>
Date: Wed, 12 Nov 2025 13:21:55 -0500
Subject: [PATCH 34/51] fix: added fields missing for haproxy after most recent
 update

---
 opnsense-config-xml/src/data/haproxy.rs  | 29 +++++++++++++++++++++++-
 opnsense-config-xml/src/data/opnsense.rs |  5 +++-
 2 files changed, 32 insertions(+), 2 deletions(-)

diff --git a/opnsense-config-xml/src/data/haproxy.rs b/opnsense-config-xml/src/data/haproxy.rs
index b0aedc2..a7622db 100644
--- a/opnsense-config-xml/src/data/haproxy.rs
+++ b/opnsense-config-xml/src/data/haproxy.rs
@@ -106,11 +106,38 @@ pub struct HAProxy {
     pub groups: MaybeString,
     pub users: MaybeString,
     pub cpus: MaybeString,
-    pub resolvers: MaybeString,
+    pub resolvers: HAProxyResolvers,
     pub mailers: MaybeString,
     pub maintenance: Maintenance,
 }
 
+#[derive(Default, PartialEq, Debug, YaSerialize, YaDeserialize)]
+pub struct HAProxyResolvers {
+    #[yaserde(rename = "resolver")]
+    pub resolver: Resolver,
+
+}
+
+#[derive(Default, PartialEq, Debug, YaSerialize, YaDeserialize)]
+pub struct Resolver {
+    pub id: String,
+    pub enabled: i32,
+    pub name: String,
+    pub description: MaybeString,
+    pub nameservers: String,
+    pub parse_resolv_conf: String,
+    pub resolve_retries: i32,
+    pub timeout_resolve: String,
+    pub timeout_retry: String,
+    pub accepted_payload_size: MaybeString,
+    pub hold_valid: MaybeString,
+    pub hold_obsolete: MaybeString,
+    pub hold_refused: MaybeString,
+    pub hold_nx: MaybeString,
+    pub hold_timeout: MaybeString,
+    pub hold_other: MaybeString,
+}
+
 #[derive(Default, PartialEq, Debug, YaSerialize, YaDeserialize)]
 pub struct Maintenance {
     #[yaserde(rename = "cronjobs")]
diff --git a/opnsense-config-xml/src/data/opnsense.rs b/opnsense-config-xml/src/data/opnsense.rs
index fa5f985..9880423 100644
--- a/opnsense-config-xml/src/data/opnsense.rs
+++ b/opnsense-config-xml/src/data/opnsense.rs
@@ -8,6 +8,8 @@ use yaserde_derive::{YaDeserialize, YaSerialize};
 
 use super::{Interface, Pischem};
 
+
+
 #[derive(Default, PartialEq, Debug, YaSerialize, YaDeserialize)]
 #[yaserde(rename = "opnsense")]
 pub struct OPNsense {
@@ -216,7 +218,7 @@ pub struct System {
     pub maximumfrags: Option<MaybeString>,
     pub aliasesresolveinterval: Option<MaybeString>,
     pub maximumtableentries: Option<MaybeString>,
-    pub language: String,
+    pub language: Option<String>,
     pub dnsserver: Option<MaybeString>,
     pub dns1gw: Option<String>,
     pub dns2gw: Option<String>,
@@ -1291,6 +1293,7 @@ pub struct WireguardServerItem {
     pub gateway: MaybeString,
     pub carp_depend_on: MaybeString,
     pub peers: String,
+    pub debug: MaybeString,
     pub endpoint: MaybeString,
     pub peer_dns: MaybeString,
 }

From 93ac89157a33e2606f53e9aa56897aa6822f8062 Mon Sep 17 00:00:00 2001
From: Willem <wrolleman@nationtech.io>
Date: Fri, 14 Nov 2025 12:49:00 -0500
Subject: [PATCH 35/51] feat: added score to enable snmp_server on brocade
 switch and a working example

---
 brocade/src/fast_iron.rs                 |   4 +-
 brocade/src/network_operating_system.rs  |   4 +-
 examples/brocade_snmp_server/Cargo.toml  |  20 ++++
 examples/brocade_snmp_server/src/main.rs |  22 +++++
 harmony/src/modules/brocade.rs           | 117 +++++++++++++++++++++++
 harmony/src/modules/mod.rs               |   1 +
 6 files changed, 166 insertions(+), 2 deletions(-)
 create mode 100644 examples/brocade_snmp_server/Cargo.toml
 create mode 100644 examples/brocade_snmp_server/src/main.rs
 create mode 100644 harmony/src/modules/brocade.rs

diff --git a/brocade/src/fast_iron.rs b/brocade/src/fast_iron.rs
index c3eb374..6e256a8 100644
--- a/brocade/src/fast_iron.rs
+++ b/brocade/src/fast_iron.rs
@@ -216,7 +216,9 @@ impl BrocadeClient for FastIronClient {
             "configure terminal".into(),
             "snmp-server view ALL 1 included".into(),
             "snmp-server group public v3 priv read ALL".into(),
-            format!("snmp-server user {user_name} groupname public auth md5 {auth} priv des {des}"),
+            format!(
+                "snmp-server user {user_name} groupname public auth md5 auth-password {auth} priv des priv-password {des}"
+            ),
             "exit".into(),
         ];
         self.shell
diff --git a/brocade/src/network_operating_system.rs b/brocade/src/network_operating_system.rs
index bfb45ed..1985aba 100644
--- a/brocade/src/network_operating_system.rs
+++ b/brocade/src/network_operating_system.rs
@@ -336,7 +336,9 @@ impl BrocadeClient for NetworkOperatingSystemClient {
             "configure terminal".into(),
             "snmp-server view ALL 1 included".into(),
             "snmp-server group public v3 priv read ALL".into(),
-            format!("snmp-server user {user_name} groupname public auth md5 {auth} priv des {des}"),
+            format!(
+                "snmp-server user {user_name} groupname public auth md5 auth-password {auth} priv des priv-password {des}"
+            ),
             "exit".into(),
         ];
         self.shell
diff --git a/examples/brocade_snmp_server/Cargo.toml b/examples/brocade_snmp_server/Cargo.toml
new file mode 100644
index 0000000..0f476a8
--- /dev/null
+++ b/examples/brocade_snmp_server/Cargo.toml
@@ -0,0 +1,20 @@
+[package]
+name = "brocade-snmp-server"
+edition = "2024"
+version.workspace = true
+readme.workspace = true
+license.workspace = true
+
+[dependencies]
+harmony = { path = "../../harmony" }
+brocade = { path = "../../brocade" }
+harmony_secret = { path = "../../harmony_secret" }
+harmony_cli = { path = "../../harmony_cli" }
+harmony_types = { path = "../../harmony_types" }
+harmony_macros = { path = "../../harmony_macros" }
+tokio = { workspace = true }
+log = { workspace = true }
+env_logger = { workspace = true }
+url = { workspace = true }
+base64.workspace = true
+serde.workspace = true
diff --git a/examples/brocade_snmp_server/src/main.rs b/examples/brocade_snmp_server/src/main.rs
new file mode 100644
index 0000000..ff9b671
--- /dev/null
+++ b/examples/brocade_snmp_server/src/main.rs
@@ -0,0 +1,22 @@
+use std::net::{IpAddr, Ipv4Addr};
+
+use harmony::{
+    inventory::Inventory, modules::brocade::BrocadeEnableSnmpScore, topology::K8sAnywhereTopology,
+};
+
+#[tokio::main]
+async fn main() {
+    let brocade_snmp_server = BrocadeEnableSnmpScore {
+        server_ips: vec![IpAddr::V4(Ipv4Addr::new(192, 168, 1, 111))],
+        dry_run: true,
+    };
+
+    harmony_cli::run(
+        Inventory::autoload(),
+        K8sAnywhereTopology::from_env(),
+        vec![Box::new(brocade_snmp_server)],
+        None,
+    )
+    .await
+    .unwrap();
+}
diff --git a/harmony/src/modules/brocade.rs b/harmony/src/modules/brocade.rs
new file mode 100644
index 0000000..7264609
--- /dev/null
+++ b/harmony/src/modules/brocade.rs
@@ -0,0 +1,117 @@
+use std::net::{IpAddr, Ipv4Addr};
+
+use async_trait::async_trait;
+use brocade::BrocadeOptions;
+use harmony_secret::{Secret, SecretManager};
+use harmony_types::id::Id;
+use serde::{Deserialize, Serialize};
+
+use crate::{
+    data::Version,
+    interpret::{Interpret, InterpretError, InterpretName, InterpretStatus, Outcome},
+    inventory::Inventory,
+    score::Score,
+    topology::Topology,
+};
+
+#[derive(Debug, Clone, Serialize)]
+pub struct BrocadeEnableSnmpScore {
+    pub server_ips: Vec<IpAddr>,
+    pub dry_run: bool,
+}
+
+impl<T: Topology> Score<T> for BrocadeEnableSnmpScore {
+    fn name(&self) -> String {
+        "BrocadeEnableSnmpScore".to_string()
+    }
+
+    fn create_interpret(&self) -> Box<dyn Interpret<T>> {
+        Box::new(BrocadeEnableSnmpInterpret {
+            score: self.clone(),
+        })
+    }
+}
+
+#[derive(Debug, Clone, Serialize)]
+pub struct BrocadeEnableSnmpInterpret {
+    score: BrocadeEnableSnmpScore,
+}
+
+#[derive(Secret, Clone, Debug, Serialize, Deserialize)]
+struct BrocadeSwitchAuth {
+    username: String,
+    password: String,
+}
+
+#[derive(Secret, Clone, Debug, Serialize, Deserialize)]
+struct BrocadeSnmpAuth {
+    username: String,
+    auth_password: String,
+    des_password: String,
+}
+
+#[async_trait]
+impl<T: Topology> Interpret<T> for BrocadeEnableSnmpInterpret {
+    async fn execute(
+        &self,
+        _inventory: &Inventory,
+        _topology: &T,
+    ) -> Result<Outcome, InterpretError> {
+        let switch_addresses = &self.score.server_ips;
+
+        let snmp_auth = SecretManager::get_or_prompt::<BrocadeSnmpAuth>()
+            .await
+            .unwrap();
+
+        let config = SecretManager::get_or_prompt::<BrocadeSwitchAuth>()
+            .await
+            .unwrap();
+
+        let brocade = brocade::init(
+            &switch_addresses,
+            22,
+            &config.username,
+            &config.password,
+            Some(BrocadeOptions {
+                dry_run: self.score.dry_run,
+                ..Default::default()
+            }),
+        )
+        .await
+        .expect("Brocade client failed to connect");
+
+        brocade
+            .enable_snmp(
+                &snmp_auth.username,
+                &snmp_auth.auth_password,
+                &snmp_auth.des_password,
+            )
+            .await
+            .map_err(|e| InterpretError::new(e.to_string()))?;
+
+        Ok(Outcome::success(format!(
+            "Activated snmp server for Brocade at {}",
+            switch_addresses
+                .iter()
+                .map(|s| s.to_string())
+                .collect::<Vec<_>>()
+                .join(", ")
+        )))
+    }
+
+    fn get_name(&self) -> InterpretName {
+        InterpretName::Custom("BrocadeEnableSnmpInterpret")
+    }
+
+    fn get_version(&self) -> Version {
+        todo!()
+    }
+
+    fn get_status(&self) -> InterpretStatus {
+        todo!()
+    }
+
+    fn get_children(&self) -> Vec<Id> {
+        todo!()
+    }
+}
diff --git a/harmony/src/modules/mod.rs b/harmony/src/modules/mod.rs
index 682e16b..a5a2ad1 100644
--- a/harmony/src/modules/mod.rs
+++ b/harmony/src/modules/mod.rs
@@ -1,4 +1,5 @@
 pub mod application;
+pub mod brocade;
 pub mod cert_manager;
 pub mod dhcp;
 pub mod dns;

From 43a17811ccbb0688f8a34588a5e3f5f4a598e6ed Mon Sep 17 00:00:00 2001
From: Willem <wrolleman@nationtech.io>
Date: Fri, 14 Nov 2025 12:53:43 -0500
Subject: [PATCH 36/51] fix formatting

---
 opnsense-config-xml/src/data/haproxy.rs  | 1 -
 opnsense-config-xml/src/data/opnsense.rs | 2 --
 2 files changed, 3 deletions(-)

diff --git a/opnsense-config-xml/src/data/haproxy.rs b/opnsense-config-xml/src/data/haproxy.rs
index a7622db..e82cb33 100644
--- a/opnsense-config-xml/src/data/haproxy.rs
+++ b/opnsense-config-xml/src/data/haproxy.rs
@@ -115,7 +115,6 @@ pub struct HAProxy {
 pub struct HAProxyResolvers {
     #[yaserde(rename = "resolver")]
     pub resolver: Resolver,
-
 }
 
 #[derive(Default, PartialEq, Debug, YaSerialize, YaDeserialize)]
diff --git a/opnsense-config-xml/src/data/opnsense.rs b/opnsense-config-xml/src/data/opnsense.rs
index 9880423..debbfbf 100644
--- a/opnsense-config-xml/src/data/opnsense.rs
+++ b/opnsense-config-xml/src/data/opnsense.rs
@@ -8,8 +8,6 @@ use yaserde_derive::{YaDeserialize, YaSerialize};
 
 use super::{Interface, Pischem};
 
-
-
 #[derive(Default, PartialEq, Debug, YaSerialize, YaDeserialize)]
 #[yaserde(rename = "opnsense")]
 pub struct OPNsense {

From bfde5f58ed77b954ff240bd997ca71b36389a517 Mon Sep 17 00:00:00 2001
From: Jean-Gabriel Gill-Couture <jg@nationtech.io>
Date: Tue, 9 Dec 2025 11:23:30 -0500
Subject: [PATCH 37/51] adr: Higher order topologies

These types of Topologies will orchestrate behavior in regular Topologies.

For example, a FailoverTopology is a Higher Order, it will orchestrate its capabilities between a primary and a replica topology. A great use case for this is a database deployment. The FailoverTopology will deploy both instances, connect them, and the able to execute the appropriate actions to promote de replica to primary and revert back to original state.

Other use cases are ShardedTopology, DecentralizedTopology, etc.
---
 adr/015-higher-order-topologies.md         | 114 +++++++++++++++
 adr/015-higher-order-topologies/example.rs | 153 +++++++++++++++++++++
 2 files changed, 267 insertions(+)
 create mode 100644 adr/015-higher-order-topologies.md
 create mode 100644 adr/015-higher-order-topologies/example.rs

diff --git a/adr/015-higher-order-topologies.md b/adr/015-higher-order-topologies.md
new file mode 100644
index 0000000..41c3172
--- /dev/null
+++ b/adr/015-higher-order-topologies.md
@@ -0,0 +1,114 @@
+# Architecture Decision Record: Higher-Order Topologies
+
+**Initial Author:** Jean-Gabriel Gill-Couture  
+**Initial Date:** 2025-12-08  
+**Last Updated Date:** 2025-12-08  
+
+## Status
+
+Implemented
+
+## Context
+
+Harmony models infrastructure as **Topologies** (deployment targets like `K8sAnywhereTopology`, `LinuxHostTopology`) implementing **Capabilities** (tech traits like `PostgreSQL`, `Docker`).
+
+**Higher-Order Topologies** (e.g., `FailoverTopology<T>`) compose/orchestrate capabilities *across* multiple underlying topologies (e.g., primary+replica `T`).
+
+Naive design requires manual `impl Capability for HigherOrderTopology<T>` *per T per capability*, causing:
+- **Impl explosion**: N topologies × M capabilities = N×M boilerplate.
+- **ISP violation**: Topologies forced to impl unrelated capabilities.
+- **Maintenance hell**: New topology needs impls for *all* orchestrated capabilities; new capability needs impls for *all* topologies/higher-order.
+- **Barrier to extension**: Users can't easily add topologies without todos/panics.
+
+This makes scaling Harmony impractical as ecosystem grows.
+
+## Decision
+
+Use **blanket trait impls** on higher-order topologies to *automatically* derive orchestration:
+
+````rust
+/// Higher-Order Topology: Orchestrates capabilities across sub-topologies.
+pub struct FailoverTopology<T> {
+    /// Primary sub-topology.
+    primary: T,
+    /// Replica sub-topology.
+    replica: T,
+}
+
+/// Automatically provides PostgreSQL failover for *any* `T: PostgreSQL`.
+/// Delegates to primary for queries; orchestrates deploy across both.
+#[async_trait]
+impl<T: PostgreSQL> PostgreSQL for FailoverTopology<T> {
+    async fn deploy(&self, config: &PostgreSQLConfig) -> Result<String, String> {
+        // Deploy primary; extract certs/endpoint;
+        // deploy replica with pg_basebackup + TLS passthrough.
+        // (Full impl logged/elaborated.)
+    }
+
+    // Delegate queries to primary.
+    async fn get_replication_certs(&self, cluster_name: &str) -> Result<ReplicationCerts, String> {
+        self.primary.get_replication_certs(cluster_name).await
+    }
+    // ...
+}
+
+/// Similarly for other capabilities.
+#[async_trait]
+impl<T: Docker> Docker for FailoverTopology<T> {
+    // Failover Docker orchestration.
+}
+````
+
+**Key properties:**
+- **Auto-derivation**: `Failover<K8sAnywhere>` gets `PostgreSQL` iff `K8sAnywhere: PostgreSQL`.
+- **No boilerplate**: One blanket impl per capability *per higher-order type*.
+
+## Rationale
+
+- **Composition via generics**: Rust trait solver auto-selects impls; zero runtime cost.
+- **Compile-time safety**: Missing `T: Capability` → compile error (no panics).
+- **Scalable**: O(capabilities) impls per higher-order; new `T` auto-works.
+- **ISP-respecting**: Capabilities only surface if sub-topology provides.
+- **Centralized logic**: Orchestration (e.g., cert propagation) in one place.
+
+**Example usage:**
+````rust
+// ✅ Works: K8sAnywhere: PostgreSQL → Failover provides failover PG
+let pg_failover: FailoverTopology<K8sAnywhereTopology> = ...;
+pg_failover.deploy_pg(config).await;
+
+// ✅ Works: LinuxHost: Docker → Failover provides failover Docker
+let docker_failover: FailoverTopology<LinuxHostTopology> = ...;
+docker_failover.deploy_docker(...).await;
+
+// ❌ Compile fail: K8sAnywhere !: Docker
+let invalid: FailoverTopology<K8sAnywhereTopology>;
+invalid.deploy_docker(...); // `T: Docker` bound unsatisfied
+````
+
+## Consequences
+
+**Pros:**
+- **Extensible**: New topology `AWSTopology: PostgreSQL` → instant `Failover<AWSTopology>: PostgreSQL`.
+- **Lean**: No useless impls (e.g., no `K8sAnywhere: Docker`).
+- **Observable**: Logs trace every step.
+
+**Cons:**
+- **Monomorphization**: Generics generate code per T (mitigated: few Ts).
+- **Delegation opacity**: Relies on rustdoc/logs for internals.
+
+## Alternatives considered
+
+| Approach | Pros | Cons |
+|----------|------|------|
+| **Manual per-T impls**<br>`impl PG for Failover<K8s> {..}`<br>`impl PG for Failover<Linux> {..}` | Explicit control | N×M explosion; violates ISP; hard to extend. |
+| **Dynamic trait objects**<br>`Box<dyn AnyCapability>` | Runtime flex | Perf hit; type erasure; error-prone dispatch. |
+| **Mega-topology trait**<br>All-in-one `OrchestratedTopology` | Simple wiring | Monolithic; poor composition. |
+| **Registry dispatch**<br>Runtime capability lookup | Decoupled | Complex; no compile safety; perf/debug overhead. |
+
+**Selected**: Blanket impls leverage Rust generics for safe, zero-cost composition.
+
+## Additional Notes
+
+- Applies to `MultisiteTopology<T>`, `ShardedTopology<T>`, etc.
+- `FailoverTopology` in `failover.rs` is first implementation.
diff --git a/adr/015-higher-order-topologies/example.rs b/adr/015-higher-order-topologies/example.rs
new file mode 100644
index 0000000..8c8911d
--- /dev/null
+++ b/adr/015-higher-order-topologies/example.rs
@@ -0,0 +1,153 @@
+//! Example of Higher-Order Topologies in Harmony.
+//! Demonstrates how `FailoverTopology<T>` automatically provides failover for *any* capability
+//! supported by a sub-topology `T` via blanket trait impls.
+//! 
+//! Key insight: No manual impls per T or capability -- scales effortlessly.
+//! Users can:
+//! - Write new `Topology` (impl capabilities on a struct).
+//! - Compose with `FailoverTopology` (gets capabilities if T has them).
+//! - Compile fails if capability missing (safety).
+
+use async_trait::async_trait;
+use tokio;
+
+/// Capability trait: Deploy and manage PostgreSQL.
+#[async_trait]
+pub trait PostgreSQL {
+    async fn deploy(&self, config: &PostgreSQLConfig) -> Result<String, String>;
+    async fn get_replication_certs(&self, cluster_name: &str) -> Result<ReplicationCerts, String>;
+}
+
+/// Capability trait: Deploy Docker.
+#[async_trait]
+pub trait Docker {
+    async fn deploy_docker(&self) -> Result<String, String>;
+}
+
+/// Configuration for PostgreSQL deployments.
+#[derive(Clone)]
+pub struct PostgreSQLConfig;
+
+/// Replication certificates.
+#[derive(Clone)]
+pub struct ReplicationCerts;
+
+/// Concrete topology: Kubernetes Anywhere (supports PostgreSQL).
+#[derive(Clone)]
+pub struct K8sAnywhereTopology;
+
+#[async_trait]
+impl PostgreSQL for K8sAnywhereTopology {
+    async fn deploy(&self, _config: &PostgreSQLConfig) -> Result<String, String> {
+        // Real impl: Use k8s helm chart, operator, etc.
+        Ok("K8sAnywhere PostgreSQL deployed".to_string())
+    }
+
+    async fn get_replication_certs(&self, _cluster_name: &str) -> Result<ReplicationCerts, String> {
+        Ok(ReplicationCerts)
+    }
+}
+
+/// Concrete topology: Linux Host (supports Docker).
+#[derive(Clone)]
+pub struct LinuxHostTopology;
+
+#[async_trait]
+impl Docker for LinuxHostTopology {
+    async fn deploy_docker(&self) -> Result<String, String> {
+        // Real impl: Install/configure Docker on host.
+        Ok("LinuxHost Docker deployed".to_string())
+    }
+}
+
+/// Higher-Order Topology: Composes multiple sub-topologies (primary + replica).
+/// Automatically derives *all* capabilities of `T` with failover orchestration.
+/// 
+/// - If `T: PostgreSQL`, then `FailoverTopology<T>: PostgreSQL` (blanket impl).
+/// - Same for `Docker`, etc. No boilerplate!
+/// - Compile-time safe: Missing `T: Capability` → error.
+#[derive(Clone)]
+pub struct FailoverTopology<T> {
+    /// Primary sub-topology.
+    pub primary: T,
+    /// Replica sub-topology.
+    pub replica: T,
+}
+
+/// Blanket impl: Failover PostgreSQL if T provides PostgreSQL.
+/// Delegates reads to primary; deploys to both.
+#[async_trait]
+impl<T: PostgreSQL + Send + Sync + Clone> PostgreSQL for FailoverTopology<T> {
+    async fn deploy(&self, config: &PostgreSQLConfig) -> Result<String, String> {
+        // Orchestrate: Deploy primary first, then replica (e.g., via pg_basebackup).
+        let primary_result = self.primary.deploy(config).await?;
+        let replica_result = self.replica.deploy(config).await?;
+        Ok(format!("Failover PG deployed: {} | {}", primary_result, replica_result))
+    }
+
+    async fn get_replication_certs(&self, cluster_name: &str) -> Result<ReplicationCerts, String> {
+        // Delegate to primary (replica follows).
+        self.primary.get_replication_certs(cluster_name).await
+    }
+}
+
+/// Blanket impl: Failover Docker if T provides Docker.
+#[async_trait]
+impl<T: Docker + Send + Sync + Clone> Docker for FailoverTopology<T> {
+    async fn deploy_docker(&self) -> Result<String, String> {
+        // Orchestrate across primary + replica.
+        let primary_result = self.primary.deploy_docker().await?;
+        let replica_result = self.replica.deploy_docker().await?;
+        Ok(format!("Failover Docker deployed: {} | {}", primary_result, replica_result))
+    }
+}
+
+#[tokio::main]
+async fn main() {
+    let config = PostgreSQLConfig;
+
+    println!("=== ✅ PostgreSQL Failover (K8sAnywhere supports PG) ===");
+    let pg_failover = FailoverTopology {
+        primary: K8sAnywhereTopology,
+        replica: K8sAnywhereTopology,
+    };
+    let result = pg_failover.deploy(&config).await.unwrap();
+    println!("Result: {}", result);
+
+    println!("\n=== ✅ Docker Failover (LinuxHost supports Docker) ===");
+    let docker_failover = FailoverTopology {
+        primary: LinuxHostTopology,
+        replica: LinuxHostTopology,
+    };
+    let result = docker_failover.deploy_docker().await.unwrap();
+    println!("Result: {}", result);
+
+    println!("\n=== ❌ Would fail to compile (K8sAnywhere !: Docker) ===");
+    // let invalid = FailoverTopology {
+    //     primary: K8sAnywhereTopology,
+    //     replica: K8sAnywhereTopology,
+    // };
+    // invalid.deploy_docker().await.unwrap(); // Error: `K8sAnywhereTopology: Docker` not satisfied!
+    // Very clear error message :
+    // error[E0599]: the method `deploy_docker` exists for struct `FailoverTopology<K8sAnywhereTopology>`, but its trait bounds were not satisfied
+    //   --> src/main.rs:90:9
+    //    |
+    //  4 | pub struct FailoverTopology<T> {
+    //    | ------------------------------ method `deploy_docker` not found for this struct because it doesn't satisfy `FailoverTopology<K8sAnywhereTopology>: Docker`
+    // ...
+    // 37 | struct K8sAnywhereTopology;
+    //    | -------------------------- doesn't satisfy `K8sAnywhereTopology: Docker`
+    // ...
+    // 90 | invalid.deploy_docker(); // `T: Docker` bound unsatisfied
+    //    |         ^^^^^^^^^^^^^ method cannot be called on `FailoverTopology<K8sAnywhereTopology>` due to unsatisfied trait bounds
+    //    |
+    // note: trait bound `K8sAnywhereTopology: Docker` was not satisfied
+    //   --> src/main.rs:61:9
+    //    |
+    // 61 | impl<T: Docker + Send + Sync> Docker for FailoverTopology<T> {
+    //    |         ^^^^^^                ------     -------------------
+    //    |         |
+    //    |         unsatisfied trait bound introduced here
+    // note: the trait `Docker` must be implemented
+}
+

From a953284386e7416617a0038c0ede55db57741d48 Mon Sep 17 00:00:00 2001
From: Jean-Gabriel Gill-Couture <jg@nationtech.io>
Date: Tue, 9 Dec 2025 23:04:15 -0500
Subject: [PATCH 38/51] doc: Add note about counter-intuitive behavior of
 nmstate

---
 harmony/src/infra/network_manager.rs | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/harmony/src/infra/network_manager.rs b/harmony/src/infra/network_manager.rs
index e5dbd24..a5a2f77 100644
--- a/harmony/src/infra/network_manager.rs
+++ b/harmony/src/infra/network_manager.rs
@@ -17,6 +17,12 @@ use crate::{
     topology::{HostNetworkConfig, NetworkError, NetworkManager, k8s::K8sClient},
 };
 
+/// TODO document properly the non-intuitive behavior or "roll forward only" of nmstate in general
+/// It is documented in nmstate official doc, but worth mentionning here :
+///
+/// - You create a bond, nmstate will apply it
+/// - You delete de bond from nmstate, it will NOT delete it
+/// - To delete it you have to update it with configuration set to null
 pub struct OpenShiftNmStateNetworkManager {
     k8s_client: Arc<K8sClient>,
 }
@@ -31,6 +37,7 @@ impl std::fmt::Debug for OpenShiftNmStateNetworkManager {
 impl NetworkManager for OpenShiftNmStateNetworkManager {
     async fn ensure_network_manager_installed(&self) -> Result<(), NetworkError> {
         debug!("Installing NMState controller...");
+        // TODO use operatorhub maybe?
         self.k8s_client.apply_url(url::Url::parse("https://github.com/nmstate/kubernetes-nmstate/releases/download/v0.84.0/nmstate.io_nmstates.yaml
 ").unwrap(), Some("nmstate"))
             .await?;

From 50bd5c5bbaa9daeb677ffec5023722e87fa92930 Mon Sep 17 00:00:00 2001
From: Willem <wrolleman@nationtech.io>
Date: Wed, 10 Dec 2025 12:15:07 -0500
Subject: [PATCH 39/51] feat(OKDInstallation): Implemented bootstrap of okd
 worker node, added features to allow both control plane and worker node to
 use the same bootstrap_okd_node score

---
 Cargo.lock                                    |  15 +
 harmony/src/domain/inventory/mod.rs           |  13 +
 .../modules/okd/bootstrap_03_control_plane.rs | 172 +---------
 .../src/modules/okd/bootstrap_04_workers.rs   |  23 +-
 harmony/src/modules/okd/bootstrap_okd_node.rs | 296 ++++++++++++++++++
 harmony/src/modules/okd/mod.rs                |   2 +
 harmony/src/modules/okd/okd_node.rs           |  69 ++++
 7 files changed, 410 insertions(+), 180 deletions(-)
 create mode 100644 harmony/src/modules/okd/bootstrap_okd_node.rs
 create mode 100644 harmony/src/modules/okd/okd_node.rs

diff --git a/Cargo.lock b/Cargo.lock
index 7d9cdcf..ab3b102 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -6049,6 +6049,21 @@ version = "0.5.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "8f50febec83f5ee1df3015341d8bd429f2d1cc62bcba7ea2076759d315084683"
 
+[[package]]
+name = "test-score"
+version = "0.1.0"
+dependencies = [
+ "base64 0.22.1",
+ "env_logger",
+ "harmony",
+ "harmony_cli",
+ "harmony_macros",
+ "harmony_types",
+ "log",
+ "tokio",
+ "url",
+]
+
 [[package]]
 name = "thiserror"
 version = "1.0.69"
diff --git a/harmony/src/domain/inventory/mod.rs b/harmony/src/domain/inventory/mod.rs
index 7d160d7..f7cc1ef 100644
--- a/harmony/src/domain/inventory/mod.rs
+++ b/harmony/src/domain/inventory/mod.rs
@@ -1,4 +1,6 @@
 mod repository;
+use std::fmt;
+
 pub use repository::*;
 
 #[derive(Debug, new, Clone)]
@@ -71,3 +73,14 @@ pub enum HostRole {
     Worker,
     Storage,
 }
+
+impl fmt::Display for HostRole {
+    fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
+        match self {
+            HostRole::Bootstrap => write!(f, "Bootstrap"),
+            HostRole::ControlPlane => write!(f, "ControlPlane"),
+            HostRole::Worker => write!(f, "Worker"),
+            HostRole::Storage => write!(f, "Storage"),
+        }
+    }
+}
diff --git a/harmony/src/modules/okd/bootstrap_03_control_plane.rs b/harmony/src/modules/okd/bootstrap_03_control_plane.rs
index 5abe848..7e882ab 100644
--- a/harmony/src/modules/okd/bootstrap_03_control_plane.rs
+++ b/harmony/src/modules/okd/bootstrap_03_control_plane.rs
@@ -5,8 +5,10 @@ use crate::{
     interpret::{Interpret, InterpretError, InterpretName, InterpretStatus, Outcome},
     inventory::{HostRole, Inventory},
     modules::{
-        dhcp::DhcpHostBindingScore, http::IPxeMacBootFileScore,
-        inventory::DiscoverHostForRoleScore, okd::templates::BootstrapIpxeTpl,
+        dhcp::DhcpHostBindingScore,
+        http::IPxeMacBootFileScore,
+        inventory::DiscoverHostForRoleScore,
+        okd::{bootstrap_okd_node::OKDNodeInterpret, templates::BootstrapIpxeTpl},
     },
     score::Score,
     topology::{HAClusterTopology, HostBinding},
@@ -50,159 +52,6 @@ impl OKDSetup03ControlPlaneInterpret {
             status: InterpretStatus::QUEUED,
         }
     }
-
-    /// Ensures that three physical hosts are discovered and available for the ControlPlane role.
-    /// It will trigger discovery if not enough hosts are found.
-    async fn get_nodes(
-        &self,
-        inventory: &Inventory,
-        topology: &HAClusterTopology,
-    ) -> Result<Vec<PhysicalHost>, InterpretError> {
-        const REQUIRED_HOSTS: usize = 3;
-        let repo = InventoryRepositoryFactory::build().await?;
-        let mut control_plane_hosts = repo.get_host_for_role(&HostRole::ControlPlane).await?;
-
-        while control_plane_hosts.len() < REQUIRED_HOSTS {
-            info!(
-                "Discovery of {} control plane hosts in progress, current number {}",
-                REQUIRED_HOSTS,
-                control_plane_hosts.len()
-            );
-            // This score triggers the discovery agent for a specific role.
-            DiscoverHostForRoleScore {
-                role: HostRole::ControlPlane,
-            }
-            .interpret(inventory, topology)
-            .await?;
-            control_plane_hosts = repo.get_host_for_role(&HostRole::ControlPlane).await?;
-        }
-
-        if control_plane_hosts.len() < REQUIRED_HOSTS {
-            Err(InterpretError::new(format!(
-                "OKD Requires at least {} control plane hosts, but only found {}. Cannot proceed.",
-                REQUIRED_HOSTS,
-                control_plane_hosts.len()
-            )))
-        } else {
-            // Take exactly the number of required hosts to ensure consistency.
-            Ok(control_plane_hosts
-                .into_iter()
-                .take(REQUIRED_HOSTS)
-                .collect())
-        }
-    }
-
-    /// Configures DHCP host bindings for all control plane nodes.
-    async fn configure_host_binding(
-        &self,
-        inventory: &Inventory,
-        topology: &HAClusterTopology,
-        nodes: &Vec<PhysicalHost>,
-    ) -> Result<(), InterpretError> {
-        info!("[ControlPlane] Configuring host bindings for control plane nodes.");
-
-        // Ensure the topology definition matches the number of physical nodes found.
-        if topology.control_plane.len() != nodes.len() {
-            return Err(InterpretError::new(format!(
-                "Mismatch between logical control plane hosts defined in topology ({}) and physical nodes found ({}).",
-                topology.control_plane.len(),
-                nodes.len()
-            )));
-        }
-
-        // Create a binding for each physical host to its corresponding logical host.
-        let bindings: Vec<HostBinding> = topology
-            .control_plane
-            .iter()
-            .zip(nodes.iter())
-            .map(|(logical_host, physical_host)| {
-                info!(
-                    "Creating binding: Logical Host '{}' -> Physical Host ID '{}'",
-                    logical_host.name, physical_host.id
-                );
-                HostBinding {
-                    logical_host: logical_host.clone(),
-                    physical_host: physical_host.clone(),
-                }
-            })
-            .collect();
-
-        DhcpHostBindingScore {
-            host_binding: bindings,
-            domain: Some(topology.domain_name.clone()),
-        }
-        .interpret(inventory, topology)
-        .await?;
-
-        Ok(())
-    }
-
-    /// Renders and deploys a per-MAC iPXE boot file for each control plane node.
-    async fn configure_ipxe(
-        &self,
-        inventory: &Inventory,
-        topology: &HAClusterTopology,
-        nodes: &Vec<PhysicalHost>,
-    ) -> Result<(), InterpretError> {
-        info!("[ControlPlane] Rendering per-MAC iPXE configurations.");
-
-        // The iPXE script content is the same for all control plane nodes,
-        // pointing to the 'master.ign' ignition file.
-        let content = BootstrapIpxeTpl {
-            http_ip: &topology.http_server.get_ip().to_string(),
-            scos_path: "scos",
-            ignition_http_path: "okd_ignition_files",
-            installation_device: "/dev/sda", // This might need to be configurable per-host in the future
-            ignition_file_name: "master.ign", // Control plane nodes use the master ignition file
-        }
-        .to_string();
-
-        debug!("[ControlPlane] iPXE content template:\n{content}");
-
-        // Create and apply an iPXE boot file for each node.
-        for node in nodes {
-            let mac_address = node.get_mac_address();
-            if mac_address.is_empty() {
-                return Err(InterpretError::new(format!(
-                    "Physical host with ID '{}' has no MAC addresses defined.",
-                    node.id
-                )));
-            }
-            info!(
-                "[ControlPlane] Applying iPXE config for node ID '{}' with MACs: {:?}",
-                node.id, mac_address
-            );
-
-            IPxeMacBootFileScore {
-                mac_address,
-                content: content.clone(),
-            }
-            .interpret(inventory, topology)
-            .await?;
-        }
-
-        Ok(())
-    }
-
-    /// Prompts the user to reboot the target control plane nodes.
-    async fn reboot_targets(&self, nodes: &Vec<PhysicalHost>) -> Result<(), InterpretError> {
-        let node_ids: Vec<String> = nodes.iter().map(|n| n.id.to_string()).collect();
-        info!("[ControlPlane] Requesting reboot for control plane nodes: {node_ids:?}",);
-
-        let confirmation = inquire::Confirm::new(
-                &format!("Please reboot the {} control plane nodes ({}) to apply their PXE configuration. Press enter when ready.", nodes.len(), node_ids.join(", ")),
-        )
-        .prompt()
-        .map_err(|e| InterpretError::new(format!("User prompt failed: {e}")))?;
-
-        if !confirmation {
-            return Err(InterpretError::new(
-                "User aborted the operation.".to_string(),
-            ));
-        }
-
-        Ok(())
-    }
 }
 
 #[async_trait]
@@ -228,19 +77,10 @@ impl Interpret<HAClusterTopology> for OKDSetup03ControlPlaneInterpret {
         inventory: &Inventory,
         topology: &HAClusterTopology,
     ) -> Result<Outcome, InterpretError> {
-        // 1. Ensure we have 3 physical hosts for the control plane.
-        let nodes = self.get_nodes(inventory, topology).await?;
-
-        // 2. Create DHCP reservations for the control plane nodes.
-        self.configure_host_binding(inventory, topology, &nodes)
+        OKDNodeInterpret::new(HostRole::ControlPlane)
+            .execute(inventory, topology)
             .await?;
 
-        // 3. Create iPXE files for each control plane node to boot from the master ignition.
-        self.configure_ipxe(inventory, topology, &nodes).await?;
-
-        // 4. Reboot the nodes to start the OS installation.
-        self.reboot_targets(&nodes).await?;
-
         // TODO: Implement a step to wait for the control plane nodes to join the cluster
         // and for the cluster operators to become available. This would be similar to
         // the `wait-for bootstrap-complete` command.
diff --git a/harmony/src/modules/okd/bootstrap_04_workers.rs b/harmony/src/modules/okd/bootstrap_04_workers.rs
index 461cab9..62bf2ad 100644
--- a/harmony/src/modules/okd/bootstrap_04_workers.rs
+++ b/harmony/src/modules/okd/bootstrap_04_workers.rs
@@ -1,13 +1,13 @@
 use async_trait::async_trait;
 use derive_new::new;
 use harmony_types::id::Id;
-use log::info;
 use serde::Serialize;
 
 use crate::{
     data::Version,
     interpret::{Interpret, InterpretError, InterpretName, InterpretStatus, Outcome},
-    inventory::Inventory,
+    inventory::{HostRole, Inventory},
+    modules::okd::bootstrap_okd_node::OKDNodeInterpret,
     score::Score,
     topology::HAClusterTopology,
 };
@@ -23,7 +23,7 @@ pub struct OKDSetup04WorkersScore {}
 
 impl Score<HAClusterTopology> for OKDSetup04WorkersScore {
     fn create_interpret(&self) -> Box<dyn Interpret<HAClusterTopology>> {
-        Box::new(OKDSetup04WorkersInterpret::new(self.clone()))
+        Box::new(OKDSetup04WorkersInterpret::new())
     }
 
     fn name(&self) -> String {
@@ -33,25 +33,18 @@ impl Score<HAClusterTopology> for OKDSetup04WorkersScore {
 
 #[derive(Debug, Clone)]
 pub struct OKDSetup04WorkersInterpret {
-    score: OKDSetup04WorkersScore,
     version: Version,
     status: InterpretStatus,
 }
 
 impl OKDSetup04WorkersInterpret {
-    pub fn new(score: OKDSetup04WorkersScore) -> Self {
+    pub fn new() -> Self {
         let version = Version::from("1.0.0").unwrap();
         Self {
             version,
-            score,
             status: InterpretStatus::QUEUED,
         }
     }
-
-    async fn render_and_reboot(&self) -> Result<(), InterpretError> {
-        info!("[Workers] Rendering per-MAC PXE for workers and rebooting");
-        Ok(())
-    }
 }
 
 #[async_trait]
@@ -74,10 +67,12 @@ impl Interpret<HAClusterTopology> for OKDSetup04WorkersInterpret {
 
     async fn execute(
         &self,
-        _inventory: &Inventory,
-        _topology: &HAClusterTopology,
+        inventory: &Inventory,
+        topology: &HAClusterTopology,
     ) -> Result<Outcome, InterpretError> {
-        self.render_and_reboot().await?;
+        OKDNodeInterpret::new(HostRole::Worker)
+            .execute(inventory, topology)
+            .await?;
         Ok(Outcome::success("Workers provisioned".into()))
     }
 }
diff --git a/harmony/src/modules/okd/bootstrap_okd_node.rs b/harmony/src/modules/okd/bootstrap_okd_node.rs
new file mode 100644
index 0000000..a5eb7c2
--- /dev/null
+++ b/harmony/src/modules/okd/bootstrap_okd_node.rs
@@ -0,0 +1,296 @@
+use async_trait::async_trait;
+use derive_new::new;
+use harmony_types::id::Id;
+use log::{debug, info};
+use serde::Serialize;
+
+use crate::{
+    data::Version,
+    hardware::PhysicalHost,
+    infra::inventory::InventoryRepositoryFactory,
+    interpret::{Interpret, InterpretError, InterpretName, InterpretStatus, Outcome},
+    inventory::{HostRole, Inventory},
+    modules::{
+        dhcp::DhcpHostBindingScore,
+        http::IPxeMacBootFileScore,
+        inventory::DiscoverHostForRoleScore,
+        okd::{
+            okd_node::{
+                BootstrapRole, ControlPlaneRole, OKDRoleProperties, StorageRole, WorkerRole,
+            },
+            templates::BootstrapIpxeTpl,
+        },
+    },
+    score::Score,
+    topology::{HAClusterTopology, HostBinding, LogicalHost},
+};
+
+#[derive(Debug, Clone, Serialize, new)]
+pub struct OKDNodeScore {
+    host_role: HostRole,
+}
+
+impl Score<HAClusterTopology> for OKDNodeScore {
+    fn name(&self) -> String {
+        "OKDNodeScore".to_string()
+    }
+
+    fn create_interpret(&self) -> Box<dyn Interpret<HAClusterTopology>> {
+        Box::new(OKDNodeInterpret::new(self.host_role.clone()))
+    }
+}
+
+#[derive(Debug, Clone)]
+pub struct OKDNodeInterpret {
+    host_role: HostRole,
+}
+
+impl OKDNodeInterpret {
+    pub fn new(host_role: HostRole) -> Self {
+        Self { host_role }
+    }
+
+    fn okd_role_properties(&self, role: &HostRole) -> &'static dyn OKDRoleProperties {
+        match role {
+            HostRole::Bootstrap => &BootstrapRole,
+            HostRole::ControlPlane => &ControlPlaneRole,
+            HostRole::Worker => &WorkerRole,
+            HostRole::Storage => &StorageRole,
+        }
+    }
+
+    async fn get_nodes(
+        &self,
+        inventory: &Inventory,
+        topology: &HAClusterTopology,
+    ) -> Result<Vec<PhysicalHost>, InterpretError> {
+        let repo = InventoryRepositoryFactory::build().await?;
+
+        let mut hosts = repo.get_host_for_role(&self.host_role).await?;
+
+        let okd_host_properties = self.okd_role_properties(&self.host_role);
+
+        let required_hosts: usize = okd_host_properties.required_hosts();
+
+        while hosts.len() < required_hosts {
+            info!(
+                "Discovery of {} {} hosts in progress, current number {}",
+                required_hosts,
+                self.host_role,
+                hosts.len()
+            );
+            // This score triggers the discovery agent for a specific role.
+            DiscoverHostForRoleScore {
+                role: self.host_role.clone(),
+            }
+            .interpret(inventory, topology)
+            .await?;
+            hosts = repo.get_host_for_role(&self.host_role).await?;
+        }
+
+        if hosts.len() < required_hosts {
+            Err(InterpretError::new(format!(
+                "OKD Requires at least {} {} hosts, but only found {}. Cannot proceed.",
+                required_hosts,
+                self.host_role,
+                hosts.len()
+            )))
+        } else {
+            // Take exactly the number of required hosts to ensure consistency.
+            Ok(hosts.into_iter().take(required_hosts).collect())
+        }
+    }
+
+    /// Configures DHCP host bindings for all nodes.
+    async fn configure_host_binding(
+        &self,
+        inventory: &Inventory,
+        topology: &HAClusterTopology,
+        nodes: &Vec<PhysicalHost>,
+    ) -> Result<(), InterpretError> {
+        info!(
+            "[{}] Configuring host bindings for {} plane nodes.",
+            self.host_role, self.host_role,
+        );
+
+        let host_properties = self.okd_role_properties(&self.host_role);
+
+        self.validate_host_node_match(nodes, host_properties.logical_hosts(topology))?;
+
+        let bindings: Vec<HostBinding> =
+            self.host_bindings(nodes, host_properties.logical_hosts(topology));
+
+        DhcpHostBindingScore {
+            host_binding: bindings,
+            domain: Some(topology.domain_name.clone()),
+        }
+        .interpret(inventory, topology)
+        .await?;
+
+        Ok(())
+    }
+
+    // Ensure the topology definition matches the number of physical nodes found.
+    fn validate_host_node_match(
+        &self,
+        nodes: &Vec<PhysicalHost>,
+        hosts: &Vec<LogicalHost>,
+    ) -> Result<(), InterpretError> {
+        if hosts.len() != nodes.len() {
+            return Err(InterpretError::new(format!(
+                "Mismatch between logical hosts defined in topology ({}) and physical nodes found ({}).",
+                hosts.len(),
+                nodes.len()
+            )));
+        }
+        Ok(())
+    }
+
+    // Create a binding for each physical host to its corresponding logical host.
+    fn host_bindings(
+        &self,
+        nodes: &Vec<PhysicalHost>,
+        hosts: &Vec<LogicalHost>,
+    ) -> Vec<HostBinding> {
+        hosts
+            .iter()
+            .zip(nodes.iter())
+            .map(|(logical_host, physical_host)| {
+                info!(
+                    "Creating binding: Logical Host '{}' -> Physical Host ID '{}'",
+                    logical_host.name, physical_host.id
+                );
+                HostBinding {
+                    logical_host: logical_host.clone(),
+                    physical_host: physical_host.clone(),
+                }
+            })
+            .collect()
+    }
+
+    /// Renders and deploys a per-MAC iPXE boot file for each node.
+    async fn configure_ipxe(
+        &self,
+        inventory: &Inventory,
+        topology: &HAClusterTopology,
+        nodes: &Vec<PhysicalHost>,
+    ) -> Result<(), InterpretError> {
+        info!(
+            "[{}] Rendering per-MAC iPXE configurations.",
+            self.host_role
+        );
+
+        let okd_role_properties = self.okd_role_properties(&self.host_role);
+        // The iPXE script content is the same for all control plane nodes,
+        // pointing to the 'master.ign' ignition file.
+        let content = BootstrapIpxeTpl {
+            http_ip: &topology.http_server.get_ip().to_string(),
+            scos_path: "scos",
+            ignition_http_path: "okd_ignition_files",
+            //TODO must be refactored to not only use /dev/sda
+            installation_device: "/dev/sda", // This might need to be configurable per-host in the future
+            ignition_file_name: okd_role_properties.ignition_file(),
+        }
+        .to_string();
+
+        debug!("[{}] iPXE content template:\n{content}", self.host_role);
+
+        // Create and apply an iPXE boot file for each node.
+        for node in nodes {
+            let mac_address = node.get_mac_address();
+            if mac_address.is_empty() {
+                return Err(InterpretError::new(format!(
+                    "Physical host with ID '{}' has no MAC addresses defined.",
+                    node.id
+                )));
+            }
+            info!(
+                "[{}] Applying iPXE config for node ID '{}' with MACs: {:?}",
+                self.host_role, node.id, mac_address
+            );
+
+            IPxeMacBootFileScore {
+                mac_address,
+                content: content.clone(),
+            }
+            .interpret(inventory, topology)
+            .await?;
+        }
+
+        Ok(())
+    }
+
+    /// Prompts the user to reboot the target control plane nodes.
+    async fn reboot_targets(&self, nodes: &Vec<PhysicalHost>) -> Result<(), InterpretError> {
+        let node_ids: Vec<String> = nodes.iter().map(|n| n.id.to_string()).collect();
+        info!(
+            "[{}] Requesting reboot for control plane nodes: {node_ids:?}",
+            self.host_role
+        );
+
+        let confirmation = inquire::Confirm::new(
+                &format!("Please reboot the {} {} nodes ({}) to apply their PXE configuration. Press enter when ready.", nodes.len(), self.host_role, node_ids.join(", ")),
+        )
+        .prompt()
+        .map_err(|e| InterpretError::new(format!("User prompt failed: {e}")))?;
+
+        if !confirmation {
+            return Err(InterpretError::new(
+                "User aborted the operation.".to_string(),
+            ));
+        }
+
+        Ok(())
+    }
+}
+
+#[async_trait]
+impl Interpret<HAClusterTopology> for OKDNodeInterpret {
+    async fn execute(
+        &self,
+        inventory: &Inventory,
+        topology: &HAClusterTopology,
+    ) -> Result<Outcome, InterpretError> {
+        // 1. Ensure we have the specfied number of physical hosts.
+        let nodes = self.get_nodes(inventory, topology).await?;
+
+        // 2. Create DHCP reservations for the nodes.
+        self.configure_host_binding(inventory, topology, &nodes)
+            .await?;
+
+        // 3. Create iPXE files for each node to boot from the ignition.
+        self.configure_ipxe(inventory, topology, &nodes).await?;
+
+        // 4. Reboot the nodes to start the OS installation.
+        self.reboot_targets(&nodes).await?;
+
+        // TODO: Implement a step to wait for the control plane nodes to join the cluster
+        // and for the cluster operators to become available. This would be similar to
+        // the `wait-for bootstrap-complete` command.
+        info!(
+            "[{}] Provisioning initiated. Monitor the cluster convergence manually.",
+            self.host_role
+        );
+
+        Ok(Outcome::success(format!(
+            "{} provisioning has been successfully initiated.",
+            self.host_role
+        )))
+    }
+
+    fn get_name(&self) -> InterpretName {
+        InterpretName::Custom("OKDNodeSetup".into())
+    }
+
+    fn get_version(&self) -> Version {
+        todo!()
+    }
+
+    fn get_status(&self) -> InterpretStatus {
+        todo!()
+    }
+
+    fn get_children(&self) -> Vec<Id> {
+        todo!()
+    }
+}
diff --git a/harmony/src/modules/okd/mod.rs b/harmony/src/modules/okd/mod.rs
index 8bb85ef..1cf66bc 100644
--- a/harmony/src/modules/okd/mod.rs
+++ b/harmony/src/modules/okd/mod.rs
@@ -6,12 +6,14 @@ mod bootstrap_05_sanity_check;
 mod bootstrap_06_installation_report;
 pub mod bootstrap_dhcp;
 pub mod bootstrap_load_balancer;
+pub mod bootstrap_okd_node;
 mod bootstrap_persist_network_bond;
 pub mod dhcp;
 pub mod dns;
 pub mod installation;
 pub mod ipxe;
 pub mod load_balancer;
+pub mod okd_node;
 pub mod templates;
 pub mod upgrade;
 pub use bootstrap_01_prepare::*;
diff --git a/harmony/src/modules/okd/okd_node.rs b/harmony/src/modules/okd/okd_node.rs
new file mode 100644
index 0000000..687ae5a
--- /dev/null
+++ b/harmony/src/modules/okd/okd_node.rs
@@ -0,0 +1,69 @@
+use crate::topology::{HAClusterTopology, LogicalHost};
+
+pub trait OKDRoleProperties {
+    fn ignition_file(&self) -> &'static str;
+    fn required_hosts(&self) -> usize;
+    fn logical_hosts<'a>(&self, t: &'a HAClusterTopology) -> &'a Vec<LogicalHost>;
+}
+
+pub struct BootstrapRole;
+pub struct ControlPlaneRole;
+pub struct WorkerRole;
+pub struct StorageRole;
+
+impl OKDRoleProperties for BootstrapRole {
+    fn ignition_file(&self) -> &'static str {
+        "bootstrap.ign"
+    }
+
+    fn required_hosts(&self) -> usize {
+        1
+    }
+
+    fn logical_hosts<'a>(&self, t: &'a HAClusterTopology) -> &'a Vec<LogicalHost> {
+        todo!()
+    }
+}
+
+impl OKDRoleProperties for ControlPlaneRole {
+    fn ignition_file(&self) -> &'static str {
+        "master.ign"
+    }
+
+    fn required_hosts(&self) -> usize {
+        3
+    }
+
+    fn logical_hosts<'a>(&self, t: &'a HAClusterTopology) -> &'a Vec<LogicalHost> {
+        &t.control_plane
+    }
+}
+
+impl OKDRoleProperties for WorkerRole {
+    fn ignition_file(&self) -> &'static str {
+        "worker.ign"
+    }
+
+    fn required_hosts(&self) -> usize {
+        2
+    }
+
+    fn logical_hosts<'a>(&self, t: &'a HAClusterTopology) -> &'a Vec<LogicalHost> {
+        &t.workers
+    }
+}
+
+//TODO unsure if this is to be implemented here or not
+impl OKDRoleProperties for StorageRole {
+    fn ignition_file(&self) -> &'static str {
+        todo!()
+    }
+
+    fn required_hosts(&self) -> usize {
+        todo!()
+    }
+
+    fn logical_hosts<'a>(&self, t: &'a HAClusterTopology) -> &'a Vec<LogicalHost> {
+        todo!()
+    }
+}

From 8103932f23b93a9c16c1d36bac1c894ff90c2089 Mon Sep 17 00:00:00 2001
From: Jean-Gabriel Gill-Couture <jg@nationtech.io>
Date: Tue, 2 Dec 2025 11:44:24 -0500
Subject: [PATCH 40/51] doc: Initial documentation for the MultisitePostgreSQL
 module

---
 docs/modules/Multisite_PostgreSQL.md | 105 +++++++++++++++++++++++++++
 1 file changed, 105 insertions(+)
 create mode 100644 docs/modules/Multisite_PostgreSQL.md

diff --git a/docs/modules/Multisite_PostgreSQL.md b/docs/modules/Multisite_PostgreSQL.md
new file mode 100644
index 0000000..c139290
--- /dev/null
+++ b/docs/modules/Multisite_PostgreSQL.md
@@ -0,0 +1,105 @@
+# Design Document: Harmony PostgreSQL Module
+
+**Status:** Draft
+**Last Updated:** 2025-12-01
+**Context:** Multi-site Data Replication & Orchestration
+
+## 1. Overview
+
+The Harmony PostgreSQL Module provides a high-level abstraction for deploying and managing high-availability PostgreSQL clusters across geographically distributed Kubernetes/OKD sites.
+
+Instead of manually configuring complex replication slots, firewalls, and operator settings on each cluster, users define a single intent (a **Score**), and Harmony orchestrates the underlying infrastructure (the **Arrangement**) to establish a Primary-Replica architecture.
+
+Currently, the implementation relies on the **CloudNativePG (CNPG)** operator as the backing engine.
+
+## 2. Architecture
+
+### 2.1 The Abstraction Model
+Following **ADR 003 (Infrastructure Abstraction)**, Harmony separates the *intent* from the *implementation*.
+
+1.  **The Score (Intent):** The user defines a `MultisitePostgreSQL` resource. This describes *what* is needed (e.g., "A Postgres 15 cluster with 10GB storage, Primary on Site A, Replica on Site B").
+2.  **The Interpret (Action):** Harmony MultisitePostgreSQLInterpret processes this Score and orchestrates the deployment on both sites to reach the state defined in the Score.
+3.  **The Capability (Implementation):** The PostgreSQL Capability is implemented by the K8sTopology and the interpret can deploy it, configure it and fetch information about it. The concrete implementation will rely on the mature CloudnativePG operator to manage all the Kubernetes resources required.
+
+### 2.2 Network Connectivity (TLS Passthrough)
+
+One of the critical challenges in multi-site orchestration is secure connectivity between clusters that may have dynamic IPs or strict firewalls.
+
+To solve this, we utilize **OKD/OpenShift Routes with TLS Passthrough**.
+
+*   **Mechanism:** The Primary site exposes a `Route` configured for `termination: passthrough`.
+*   **Routing:** The OpenShift HAProxy router inspects the **SNI (Server Name Indication)** header of the incoming TCP connection to route traffic to the correct PostgreSQL Pod.
+*   **Security:** SSL is **not** terminated at the ingress router. The encrypted stream is passed directly to the PostgreSQL instance. Mutual TLS (mTLS) authentication is handled natively by CNPG between the Primary and Replica instances.
+*   **Dynamic IPs:** Because connections are established via DNS hostnames (the Route URL), this architecture is resilient to dynamic IP changes at the Primary site.
+
+#### Traffic Flow Diagram
+
+```text
+[ Site B: Replica ]                 [ Site A: Primary ]
+      |                                     |
+(CNPG Instance) --[Encrypted TCP]--> (OKD HAProxy Router)
+      |           (Port 443)                |
+      |                                     |
+      |                            [SNI Inspection]
+      |                                     |
+      |                                     v
+      |                            (PostgreSQL Primary Pod)
+      |                                   (Port 5432)
+```
+
+## 3. Design Decisions
+
+### Why CloudNativePG?
+We selected CloudNativePG because it relies exclusively on standard Kubernetes primitives and uses the native PostgreSQL replication protocol (WAL shipping/Streaming). This aligns with Harmony's goal of being "K8s Native."
+
+### Why TLS Passthrough instead of VPN/NodePort?
+*   **NodePort:** Requires static IPs and opening non-standard ports on the firewall, which violates our security constraints.
+*   **VPN (e.g., Wireguard/Tailscale):** While secure, it introduces significant complexity (sidecars, key management) and external dependencies.
+*   **TLS Passthrough:** Leverages the existing Ingress/Router infrastructure already present in OKD. It requires zero additional software and respects multi-tenancy (Routes are namespaced).
+
+### Configuration Philosophy (YAGNI)
+The current design exposes a **generic configuration surface**. Users can configure standard parameters (Storage size, CPU/Memory requests, Postgres version).
+
+**We explicitly do not expose advanced CNPG or PostgreSQL configurations at this stage.**
+
+*   **Reasoning:** We aim to keep the API surface small and manageable.
+*   **Future Path:** We plan to implement a "pass-through" mechanism to allow sending raw config maps or custom parameters to the underlying engine (CNPG) *only when a concrete use case arises*. Until then, we adhere to the **YAGNI (You Ain't Gonna Need It)** principle to avoid premature optimization and API bloat.
+
+## 4. Usage Guide
+
+To deploy a multi-site cluster, apply the `MultisitePostgreSQL` resource to the Harmony Control Plane.
+
+### Example Manifest
+
+```yaml
+apiVersion: harmony.io/v1alpha1
+kind: MultisitePostgreSQL
+metadata:
+  name: finance-db
+  namespace: tenant-a
+spec:
+  version: "15"
+  storage: "10Gi"
+  resources:
+    requests:
+      cpu: "500m"
+      memory: "1Gi"
+  
+  # Topology Definition
+  topology:
+    primary:
+      site: "site-paris" # The name of the cluster in Harmony
+    replicas:
+      - site: "site-newyork"
+```
+
+### What happens next?
+1.  Harmony detects the CR.
+2.  **On Site Paris:** It deploys a CNPG Cluster (Primary) and creates a Passthrough Route `postgres-finance-db.apps.site-paris.example.com`.
+3.  **On Site New York:** It deploys a CNPG Cluster (Replica) configured with `externalClusters` pointing to the Paris Route.
+4.  Data begins replicating immediately over the encrypted channel.
+
+## 5. Troubleshooting
+
+*   **Connection Refused:** Ensure the Primary site's Route is successfully admitted by the Ingress Controller.
+*   **Certificate Errors:** CNPG manages mTLS automatically. If errors persist, ensure the CA secrets were correctly propagated by Harmony from Primary to Replica namespaces.

From 357ca93d9049483f8c6f31de9611a5f44fc8e350 Mon Sep 17 00:00:00 2001
From: Jean-Gabriel Gill-Couture <jg@nationtech.io>
Date: Mon, 8 Dec 2025 23:11:43 -0500
Subject: [PATCH 41/51] wip: FailoverTopology implementation for PostgreSQL on
 the way!

---
 harmony/src/domain/topology/failover.rs      | 141 +++++++++++
 harmony/src/domain/topology/mod.rs           |   2 +
 harmony/src/modules/mod.rs                   |   1 +
 harmony/src/modules/postgresql/capability.rs |  81 +++++++
 harmony/src/modules/postgresql/mod.rs        |   7 +
 harmony/src/modules/postgresql/score.rs      | 236 +++++++++++++++++++
 harmony_types/src/lib.rs                     |   1 +
 harmony_types/src/storage.rs                 |   6 +
 8 files changed, 475 insertions(+)
 create mode 100644 harmony/src/domain/topology/failover.rs
 create mode 100644 harmony/src/modules/postgresql/capability.rs
 create mode 100644 harmony/src/modules/postgresql/mod.rs
 create mode 100644 harmony/src/modules/postgresql/score.rs
 create mode 100644 harmony_types/src/storage.rs

diff --git a/harmony/src/domain/topology/failover.rs b/harmony/src/domain/topology/failover.rs
new file mode 100644
index 0000000..dfeb557
--- /dev/null
+++ b/harmony/src/domain/topology/failover.rs
@@ -0,0 +1,141 @@
+use async_trait::async_trait;
+
+use log::{debug, info};
+use std::collections::HashMap;
+
+use crate::{
+    modules::postgresql::capability::{
+        BootstrapConfig, BootstrapStrategy, ExternalClusterConfig, PostgreSQL,
+        PostgreSQLClusterRole, PostgreSQLConfig, PostgreSQLEndpoint, ReplicaConfig,
+        ReplicationCerts,
+    },
+    topology::{PreparationError, PreparationOutcome, Topology},
+};
+
+pub struct FailoverTopology<T> {
+    primary: T,
+    replica: T,
+}
+
+#[async_trait]
+impl<T: Send + Sync> Topology for FailoverTopology<T> {
+    fn name(&self) -> &str {
+        "FailoverTopology"
+    }
+
+    async fn ensure_ready(&self) -> Result<PreparationOutcome, PreparationError> {
+        todo!()
+    }
+}
+
+#[async_trait]
+impl<T: PostgreSQL> PostgreSQL for FailoverTopology<T> {
+    async fn deploy(&self, config: &PostgreSQLConfig) -> Result<String, String> {
+        info!(
+            "Starting deployment of failover topology '{}'",
+            config.cluster_name
+        );
+
+        let primary_config = PostgreSQLConfig {
+            cluster_name: config.cluster_name.clone(),
+            instances: config.instances,
+            storage_size: config.storage_size.clone(),
+            role: PostgreSQLClusterRole::Primary,
+        };
+
+        info!(
+            "Deploying primary cluster '{{}}' ({} instances, {:?} storage)",
+            primary_config.cluster_name, primary_config.storage_size
+        );
+
+        let primary_cluster_name = self.primary.deploy(&primary_config).await?;
+
+        info!("Primary cluster '{primary_cluster_name}' deployed successfully");
+
+        info!("Retrieving replication certificates for primary '{primary_cluster_name}'");
+
+        let certs = self
+            .primary
+            .get_replication_certs(&primary_cluster_name)
+            .await?;
+
+        info!("Replication certificates retrieved successfully");
+
+        info!("Retrieving public endpoint for primary '{primary_cluster_name}");
+
+        let endpoint = self
+            .primary
+            .get_public_endpoint(&primary_cluster_name)
+            .await?
+            .ok_or_else(|| "No public endpoint configured on primary cluster".to_string())?;
+
+        info!(
+            "Public endpoint '{}:{}' retrieved for primary",
+            endpoint.host, endpoint.port
+        );
+
+        info!("Configuring replica connection parameters and bootstrap");
+
+        let mut connection_parameters = HashMap::new();
+        connection_parameters.insert("host".to_string(), endpoint.host);
+        connection_parameters.insert("port".to_string(), endpoint.port.to_string());
+        connection_parameters.insert("dbname".to_string(), "postgres".to_string());
+        connection_parameters.insert("user".to_string(), "streaming_replica".to_string());
+        connection_parameters.insert("sslmode".to_string(), "verify-ca".to_string());
+        connection_parameters.insert("sslnegotiation".to_string(), "direct".to_string());
+
+        debug!("Replica connection parameters: {:?}", connection_parameters);
+
+        let external_cluster = ExternalClusterConfig {
+            name: primary_cluster_name.clone(),
+            connection_parameters,
+        };
+
+        let bootstrap_config = BootstrapConfig {
+            strategy: BootstrapStrategy::PgBasebackup,
+        };
+
+        let replica_cluster_config = ReplicaConfig {
+            primary_cluster_name: primary_cluster_name.clone(),
+            replication_certs: certs,
+            bootstrap: bootstrap_config,
+            external_cluster,
+        };
+
+        let replica_config = PostgreSQLConfig {
+            cluster_name: format!("{}-replica", primary_cluster_name),
+            instances: config.instances,
+            storage_size: config.storage_size.clone(),
+            role: PostgreSQLClusterRole::Replica(replica_cluster_config),
+        };
+
+        info!(
+            "Deploying replica cluster '{}' ({} instances, {:?} storage) on replica topology",
+            replica_config.cluster_name, replica_config.instances, replica_config.storage_size
+        );
+
+        self.replica.deploy(&replica_config).await?;
+
+        info!(
+            "Replica cluster '{}' deployed successfully; failover topology '{}' ready",
+            replica_config.cluster_name, config.cluster_name
+        );
+
+        Ok(primary_cluster_name)
+    }
+
+    async fn get_replication_certs(&self, cluster_name: &str) -> Result<ReplicationCerts, String> {
+        self.primary.get_replication_certs(cluster_name).await
+    }
+
+    async fn get_endpoint(&self, cluster_name: &str) -> Result<PostgreSQLEndpoint, String> {
+        self.primary.get_endpoint(cluster_name).await
+    }
+
+    async fn get_public_endpoint(
+        &self,
+        cluster_name: &str,
+    ) -> Result<Option<PostgreSQLEndpoint>, String> {
+        self.primary.get_public_endpoint(cluster_name).await
+    }
+}
diff --git a/harmony/src/domain/topology/mod.rs b/harmony/src/domain/topology/mod.rs
index 85e57d7..62efa00 100644
--- a/harmony/src/domain/topology/mod.rs
+++ b/harmony/src/domain/topology/mod.rs
@@ -1,5 +1,7 @@
 mod ha_cluster;
 pub mod ingress;
+mod failover;
+pub use failover::*;
 use harmony_types::net::IpAddress;
 mod host_binding;
 mod http;
diff --git a/harmony/src/modules/mod.rs b/harmony/src/modules/mod.rs
index 682e16b..1ae4d4a 100644
--- a/harmony/src/modules/mod.rs
+++ b/harmony/src/modules/mod.rs
@@ -17,3 +17,4 @@ pub mod prometheus;
 pub mod storage;
 pub mod tenant;
 pub mod tftp;
+pub mod postgresql;
diff --git a/harmony/src/modules/postgresql/capability.rs b/harmony/src/modules/postgresql/capability.rs
new file mode 100644
index 0000000..2779956
--- /dev/null
+++ b/harmony/src/modules/postgresql/capability.rs
@@ -0,0 +1,81 @@
+use async_trait::async_trait;
+use harmony_types::storage::StorageSize;
+use std::collections::HashMap;
+
+#[async_trait]
+pub trait PostgreSQL {
+    async fn deploy(&self, config: &PostgreSQLConfig) -> Result<String, String>;
+
+    /// Extracts PostgreSQL-specific replication certs (PEM format) from a deployed primary cluster.
+    /// Abstracts away storage/retrieval details (e.g., secrets, files).
+    async fn get_replication_certs(&self, cluster_name: &str) -> Result<ReplicationCerts, String>;
+
+    /// Gets the internal/private endpoint (e.g., k8s service FQDN:5432) for the cluster.
+    async fn get_endpoint(&self, cluster_name: &str) -> Result<PostgreSQLEndpoint, String>;
+
+    /// Gets the public/externally routable endpoint if configured (e.g., OKD Route:443 for TLS passthrough).
+    /// Returns None if no public endpoint (internal-only cluster).
+    /// UNSTABLE: This is opinionated for initial multisite use cases. Networking abstraction is complex
+    /// (cf. k8s Ingress -> Gateway API evolution); may move to higher-order Networking/PostgreSQLNetworking trait.
+    async fn get_public_endpoint(&self, cluster_name: &str) -> Result<Option<PostgreSQLEndpoint>, String>;
+}
+
+#[derive(Clone, Debug)]
+pub struct PostgreSQLConfig {
+    pub cluster_name: String,
+    pub instances: u32,
+    pub storage_size: StorageSize,
+    pub role: PostgreSQLClusterRole,
+}
+
+#[derive(Clone, Debug)]
+pub enum PostgreSQLClusterRole {
+    Primary,
+    Replica(ReplicaClusterConfig),
+}
+
+#[derive(Clone, Debug)]
+pub struct ReplicaConfig {
+    /// Name of the primary cluster this replica will sync from
+    pub primary_cluster_name: String,
+    /// Certs extracted from primary via Topology::get_replication_certs()
+    pub replication_certs: ReplicationCerts,
+    /// Bootstrap method (e.g., pg_basebackup from primary)
+    pub bootstrap: BootstrapConfig,
+    /// External cluster connection details for CNPG spec.externalClusters
+    pub external_cluster: ExternalClusterConfig,
+}
+
+#[derive(Clone, Debug)]
+pub struct BootstrapConfig {
+    pub strategy: BootstrapStrategy,
+}
+
+#[derive(Clone, Debug)]
+pub enum BootstrapStrategy {
+    PgBasebackup,
+}
+
+#[derive(Clone, Debug)]
+pub struct ExternalClusterConfig {
+    /// Name used in CNPG externalClusters list
+    pub name: String,
+    /// Connection params (host/port set by multisite logic, sslmode='verify-ca', etc.)
+    pub connection_parameters: HashMap<String, String>,
+}
+
+#[derive(Clone, Debug)]
+pub struct ReplicationCerts {
+    /// PEM-encoded CA cert from primary
+    pub ca_cert_pem: String,
+    /// PEM-encoded streaming_replica client cert (tls.crt)
+    pub streaming_replica_cert_pem: String,
+    /// PEM-encoded streaming_replica client key (tls.key)
+    pub streaming_replica_key_pem: String,
+}
+
+#[derive(Clone, Debug)]
+pub struct PostgreSQLEndpoint {
+    pub host: String,
+    pub port: u16,
+}
diff --git a/harmony/src/modules/postgresql/mod.rs b/harmony/src/modules/postgresql/mod.rs
new file mode 100644
index 0000000..482f013
--- /dev/null
+++ b/harmony/src/modules/postgresql/mod.rs
@@ -0,0 +1,7 @@
+
+pub mod capability;
+mod score;
+
+
+pub mod failover;
+
diff --git a/harmony/src/modules/postgresql/score.rs b/harmony/src/modules/postgresql/score.rs
new file mode 100644
index 0000000..419c06b
--- /dev/null
+++ b/harmony/src/modules/postgresql/score.rs
@@ -0,0 +1,236 @@
+use crate::{
+    domain::{data::Version, interpret::InterpretStatus},
+    interpret::{Interpret, InterpretError, InterpretName, Outcome},
+    inventory::Inventory,
+    modules::postgresql::capability::PostgreSQL,
+    score::Score,
+    topology::Topology,
+};
+
+use super::capability::*;
+
+use derive_new::new;
+use harmony_types::{id::Id, storage::StorageSize};
+
+use async_trait::async_trait;
+use log::info;
+use serde::Serialize;
+
+pub struct PostgreSQLScore {
+    config: PostgreSQLConfig,
+}
+
+#[derive(Debug, Clone)]
+pub struct PostgreSQLInterpret {
+    config: PostgreSQLConfig,
+    version: Version,
+    status: InterpretStatus,
+}
+
+impl PostgreSQLInterpret {
+    pub fn new(config: PostgreSQLConfig) -> Self {
+        let version = Version::from("1.0.0").expect("Version should be valid");
+        Self {
+            config,
+            version,
+            status: InterpretStatus::QUEUED,
+        }
+    }
+}
+
+impl<T: Topology + PostgreSQL> Score<T> for PostgreSQLScore {
+    fn name(&self) -> String {
+        "PostgreSQLScore".to_string()
+    }
+
+    fn create_interpret(&self) -> Box<dyn Interpret<T>> {
+        Box::new(PostgreSQLInterpret::new(self.config.clone()))
+    }
+}
+
+#[async_trait]
+impl<T: Topology + PostgreSQL> Interpret<T> for PostgreSQLInterpret {
+    fn get_name(&self) -> InterpretName {
+        InterpretName::Custom("PostgreSQLInterpret")
+    }
+
+    fn get_version(&self) -> crate::domain::data::Version {
+        self.version.clone()
+    }
+
+    fn get_status(&self) -> InterpretStatus {
+        self.status.clone()
+    }
+
+    fn get_children(&self) -> Vec<Id> {
+        todo!()
+    }
+
+    async fn execute(
+        &self,
+        _inventory: &Inventory,
+        topology: &T,
+    ) -> Result<Outcome, InterpretError> {
+        info!(
+            "Executing PostgreSQLInterpret with config {:?}",
+            self.config
+        );
+
+        let cluster_name = topology
+            .deploy(&self.config)
+            .await
+            .map_err(|e| InterpretError::from(e))?;
+
+        Ok(Outcome::success(format!(
+            "Deployed PostgreSQL cluster `{cluster_name}`"
+        )))
+    }
+}
+
+#[derive(Debug, new, Clone, Serialize)]
+pub struct MultisitePostgreSQLScore {
+    pub cluster_name: String,
+    pub primary_site: Id,
+    pub replica_sites: Vec<Id>,
+    pub instances: u32,
+    pub storage_size: StorageSize,
+}
+
+impl<T: FailoverTopology + crate::modules::postgresql::capability::PostgreSQL> Score<T> for MultisitePostgreSQLScore {
+
+    fn create_interpret(&self) -> Box<dyn Interpret<T>> {
+        Box::new(MultisitePostgreSQLInterpret::new(self.clone()))
+    }
+
+    fn name(&self) -> String {
+        "MultisitePostgreSQLScore".to_string()
+    }
+}
+
+#[derive(Debug, Clone)]
+pub struct MultisitePostgreSQLInterpret {
+    score: MultisitePostgreSQLScore,
+    version: Version,
+    status: InterpretStatus,
+}
+
+impl MultisitePostgreSQLInterpret {
+    pub fn new(score: MultisitePostgreSQLScore) -> Self {
+        let version = Version::from("1.0.0").expect("Version should be valid");
+        Self {
+            score,
+            version,
+            status: InterpretStatus::QUEUED,
+        }
+    }
+}
+
+#[async_trait]
+impl<T: MultisiteTopology + PostgreSQL> Interpret<T> for MultisitePostgreSQLInterpret {
+    fn get_name(&self) -> InterpretName {
+        InterpretName::Custom("MultisitePostgreSQLInterpret")
+    }
+
+    fn get_version(&self) -> Version {
+        self.version.clone()
+    }
+
+    fn get_status(&self) -> InterpretStatus {
+        self.status.clone()
+    }
+
+    fn get_children(&self) -> Vec<Id> {
+        todo!("Track child interprets per site")
+    }
+
+async fn execute(
+    &self,
+    inventory: &Inventory,
+    topology: &T,
+) -> Result<Outcome, InterpretError> {
+
+        info!(
+            "Orchestrating multisite PostgreSQL: primary {:?}, replicas {:?}",
+            self.score.primary_site, self.score.replica_sites
+        );
+
+        // 1. Deploy primary
+        let primary_topo = topology.primary();
+
+        let primary_config = PostgreSQLConfig {
+            cluster_name: self.score.cluster_name.clone(),
+            instances: self.score.instances,
+            storage_size: self.score.storage_size.clone(),
+            role: ClusterRole::Primary,
+        };
+        let primary_cluster_name = primary_topo
+            .deploy(&primary_config)
+            .await
+            .map_err(|e| InterpretError::from(format!("Primary deploy failed: {e}")))?;
+
+        // 2. Extract certs & public endpoint from primary
+        let certs = primary_topo
+            .get_replication_certs(&primary_cluster_name)
+            .await
+            .map_err(|e| InterpretError::from(format!("Certs extract failed: {e}")))?;
+        let public_endpoint = primary_topo
+            .get_public_endpoint(&primary_cluster_name)
+            .await??
+            .ok_or_else(|| InterpretError::from("No public endpoint on primary"))?;
+
+        // 3. Deploy replicas
+        for replica_site in &self.score.replica_sites {
+let replica_topo = topology.replica();
+
+                .map_err(|e| {
+                    InterpretError::from(format!(
+                        "Replica site {:?} lookup failed: {e}",
+                        replica_site
+                    ))
+                })?;
+
+            let connection_params: HashMap<String, String> = [
+                ("host".to_string(), public_endpoint.host.clone()),
+                ("port".to_string(), public_endpoint.port.to_string()),
+                ("dbname".to_string(), "postgres".to_string()),
+                ("user".to_string(), "streaming_replica".to_string()),
+                ("sslmode".to_string(), "verify-ca".to_string()),
+                ("sslnegotiation".to_string(), "direct".to_string()),
+            ]
+            .into_iter()
+            .collect();
+
+            let external_cluster = ExternalClusterConfig {
+                name: "primary-cluster".to_string(),
+                connection_parameters: connection_params,
+            };
+
+            let replica_config_struct = ReplicaConfig {
+                primary_cluster_name: primary_cluster_name.clone(),
+                replication_certs: certs.clone(),
+                bootstrap: BootstrapConfig {
+                    strategy: BootstrapStrategy::PgBasebackup,
+                },
+                external_cluster,
+            };
+
+            let replica_config = PostgreSQLConfig {
+                cluster_name: format!("{}-replica-{}", self.score.cluster_name, replica_site),
+                instances: self.score.instances,
+                storage_size: self.score.storage_size.clone(),
+                role: ClusterRole::Replica(replica_config_struct),
+            };
+
+            let _replica_cluster = replica_topo.deploy(&replica_config).await.map_err(|e| {
+                InterpretError::from(format!("Replica {:?} deploy failed: {e}", replica_site))
+            })?;
+        }
+
+        Ok(Outcome::success(format!(
+            "Multisite PostgreSQL `{}` deployed: primary `{}`, {} replicas",
+            self.score.cluster_name,
+            primary_cluster_name,
+            self.score.replica_sites.len()
+        )))
+    }
+}
diff --git a/harmony_types/src/lib.rs b/harmony_types/src/lib.rs
index 098379a..38a296f 100644
--- a/harmony_types/src/lib.rs
+++ b/harmony_types/src/lib.rs
@@ -1,3 +1,4 @@
 pub mod id;
 pub mod net;
 pub mod switch;
+pub mod storage;
diff --git a/harmony_types/src/storage.rs b/harmony_types/src/storage.rs
new file mode 100644
index 0000000..bd5fd95
--- /dev/null
+++ b/harmony_types/src/storage.rs
@@ -0,0 +1,6 @@
+use serde::{Deserialize, Serialize};
+
+#[derive(Copy, Clone, PartialEq, Eq, Hash, Serialize, Deserialize, PartialOrd, Ord, Debug)]
+pub struct StorageSize {
+    size_bytes: u64,
+}

From d5fadf4f4454a2b32e11ee3bf5486cfd2551e22a Mon Sep 17 00:00:00 2001
From: Willem <wrolleman@nationtech.io>
Date: Wed, 10 Dec 2025 14:20:24 -0500
Subject: [PATCH 42/51] fix: deleted storage node role, fixed erroneous
 comment, modified score name to be in line with clean code naming
 conventions, fixed how the OKDNodeInstallationScore is called via
 OKDSetup03ControlPlaneScore and OKDSetup04WorkersScore

---
 harmony/src/domain/inventory/mod.rs           |  2 -
 .../modules/okd/bootstrap_03_control_plane.rs | 77 ++-----------------
 .../src/modules/okd/bootstrap_04_workers.rs   | 58 +-------------
 harmony/src/modules/okd/bootstrap_okd_node.rs | 21 +++--
 harmony/src/modules/okd/okd_node.rs           | 15 ----
 5 files changed, 23 insertions(+), 150 deletions(-)

diff --git a/harmony/src/domain/inventory/mod.rs b/harmony/src/domain/inventory/mod.rs
index f7cc1ef..10fabda 100644
--- a/harmony/src/domain/inventory/mod.rs
+++ b/harmony/src/domain/inventory/mod.rs
@@ -71,7 +71,6 @@ pub enum HostRole {
     Bootstrap,
     ControlPlane,
     Worker,
-    Storage,
 }
 
 impl fmt::Display for HostRole {
@@ -80,7 +79,6 @@ impl fmt::Display for HostRole {
             HostRole::Bootstrap => write!(f, "Bootstrap"),
             HostRole::ControlPlane => write!(f, "ControlPlane"),
             HostRole::Worker => write!(f, "Worker"),
-            HostRole::Storage => write!(f, "Storage"),
         }
     }
 }
diff --git a/harmony/src/modules/okd/bootstrap_03_control_plane.rs b/harmony/src/modules/okd/bootstrap_03_control_plane.rs
index 7e882ab..87b90f6 100644
--- a/harmony/src/modules/okd/bootstrap_03_control_plane.rs
+++ b/harmony/src/modules/okd/bootstrap_03_control_plane.rs
@@ -1,22 +1,8 @@
 use crate::{
-    data::Version,
-    hardware::PhysicalHost,
-    infra::inventory::InventoryRepositoryFactory,
-    interpret::{Interpret, InterpretError, InterpretName, InterpretStatus, Outcome},
-    inventory::{HostRole, Inventory},
-    modules::{
-        dhcp::DhcpHostBindingScore,
-        http::IPxeMacBootFileScore,
-        inventory::DiscoverHostForRoleScore,
-        okd::{bootstrap_okd_node::OKDNodeInterpret, templates::BootstrapIpxeTpl},
-    },
-    score::Score,
-    topology::{HAClusterTopology, HostBinding},
+    interpret::Interpret, inventory::HostRole, modules::okd::bootstrap_okd_node::OKDNodeInterpret,
+    score::Score, topology::HAClusterTopology,
 };
-use async_trait::async_trait;
 use derive_new::new;
-use harmony_types::id::Id;
-use log::{debug, info};
 use serde::Serialize;
 
 // -------------------------------------------------------------------------------------------------
@@ -30,64 +16,13 @@ pub struct OKDSetup03ControlPlaneScore {}
 
 impl Score<HAClusterTopology> for OKDSetup03ControlPlaneScore {
     fn create_interpret(&self) -> Box<dyn Interpret<HAClusterTopology>> {
-        Box::new(OKDSetup03ControlPlaneInterpret::new())
+        // TODO: Implement a step to wait for the control plane nodes to join the cluster
+        // and for the cluster operators to become available. This would be similar to
+        // the `wait-for bootstrap-complete` command.
+        Box::new(OKDNodeInterpret::new(HostRole::ControlPlane))
     }
 
     fn name(&self) -> String {
         "OKDSetup03ControlPlaneScore".to_string()
     }
 }
-
-#[derive(Debug, Clone)]
-pub struct OKDSetup03ControlPlaneInterpret {
-    version: Version,
-    status: InterpretStatus,
-}
-
-impl OKDSetup03ControlPlaneInterpret {
-    pub fn new() -> Self {
-        let version = Version::from("1.0.0").unwrap();
-        Self {
-            version,
-            status: InterpretStatus::QUEUED,
-        }
-    }
-}
-
-#[async_trait]
-impl Interpret<HAClusterTopology> for OKDSetup03ControlPlaneInterpret {
-    fn get_name(&self) -> InterpretName {
-        InterpretName::Custom("OKDSetup03ControlPlane")
-    }
-
-    fn get_version(&self) -> Version {
-        self.version.clone()
-    }
-
-    fn get_status(&self) -> InterpretStatus {
-        self.status.clone()
-    }
-
-    fn get_children(&self) -> Vec<Id> {
-        vec![]
-    }
-
-    async fn execute(
-        &self,
-        inventory: &Inventory,
-        topology: &HAClusterTopology,
-    ) -> Result<Outcome, InterpretError> {
-        OKDNodeInterpret::new(HostRole::ControlPlane)
-            .execute(inventory, topology)
-            .await?;
-
-        // TODO: Implement a step to wait for the control plane nodes to join the cluster
-        // and for the cluster operators to become available. This would be similar to
-        // the `wait-for bootstrap-complete` command.
-        info!("[ControlPlane] Provisioning initiated. Monitor the cluster convergence manually.");
-
-        Ok(Outcome::success(
-            "Control plane provisioning has been successfully initiated.".into(),
-        ))
-    }
-}
diff --git a/harmony/src/modules/okd/bootstrap_04_workers.rs b/harmony/src/modules/okd/bootstrap_04_workers.rs
index 62bf2ad..c73dce1 100644
--- a/harmony/src/modules/okd/bootstrap_04_workers.rs
+++ b/harmony/src/modules/okd/bootstrap_04_workers.rs
@@ -1,15 +1,9 @@
-use async_trait::async_trait;
 use derive_new::new;
-use harmony_types::id::Id;
 use serde::Serialize;
 
 use crate::{
-    data::Version,
-    interpret::{Interpret, InterpretError, InterpretName, InterpretStatus, Outcome},
-    inventory::{HostRole, Inventory},
-    modules::okd::bootstrap_okd_node::OKDNodeInterpret,
-    score::Score,
-    topology::HAClusterTopology,
+    interpret::Interpret, inventory::HostRole, modules::okd::bootstrap_okd_node::OKDNodeInterpret,
+    score::Score, topology::HAClusterTopology,
 };
 
 // -------------------------------------------------------------------------------------------------
@@ -23,56 +17,10 @@ pub struct OKDSetup04WorkersScore {}
 
 impl Score<HAClusterTopology> for OKDSetup04WorkersScore {
     fn create_interpret(&self) -> Box<dyn Interpret<HAClusterTopology>> {
-        Box::new(OKDSetup04WorkersInterpret::new())
+        Box::new(OKDNodeInterpret::new(HostRole::Worker))
     }
 
     fn name(&self) -> String {
         "OKDSetup04WorkersScore".to_string()
     }
 }
-
-#[derive(Debug, Clone)]
-pub struct OKDSetup04WorkersInterpret {
-    version: Version,
-    status: InterpretStatus,
-}
-
-impl OKDSetup04WorkersInterpret {
-    pub fn new() -> Self {
-        let version = Version::from("1.0.0").unwrap();
-        Self {
-            version,
-            status: InterpretStatus::QUEUED,
-        }
-    }
-}
-
-#[async_trait]
-impl Interpret<HAClusterTopology> for OKDSetup04WorkersInterpret {
-    fn get_name(&self) -> InterpretName {
-        InterpretName::Custom("OKDSetup04Workers")
-    }
-
-    fn get_version(&self) -> Version {
-        self.version.clone()
-    }
-
-    fn get_status(&self) -> InterpretStatus {
-        self.status.clone()
-    }
-
-    fn get_children(&self) -> Vec<Id> {
-        vec![]
-    }
-
-    async fn execute(
-        &self,
-        inventory: &Inventory,
-        topology: &HAClusterTopology,
-    ) -> Result<Outcome, InterpretError> {
-        OKDNodeInterpret::new(HostRole::Worker)
-            .execute(inventory, topology)
-            .await?;
-        Ok(Outcome::success("Workers provisioned".into()))
-    }
-}
diff --git a/harmony/src/modules/okd/bootstrap_okd_node.rs b/harmony/src/modules/okd/bootstrap_okd_node.rs
index a5eb7c2..d5b1d94 100644
--- a/harmony/src/modules/okd/bootstrap_okd_node.rs
+++ b/harmony/src/modules/okd/bootstrap_okd_node.rs
@@ -26,11 +26,11 @@ use crate::{
 };
 
 #[derive(Debug, Clone, Serialize, new)]
-pub struct OKDNodeScore {
+pub struct OKDNodeInstallationScore {
     host_role: HostRole,
 }
 
-impl Score<HAClusterTopology> for OKDNodeScore {
+impl Score<HAClusterTopology> for OKDNodeInstallationScore {
     fn name(&self) -> String {
         "OKDNodeScore".to_string()
     }
@@ -55,7 +55,6 @@ impl OKDNodeInterpret {
             HostRole::Bootstrap => &BootstrapRole,
             HostRole::ControlPlane => &ControlPlaneRole,
             HostRole::Worker => &WorkerRole,
-            HostRole::Storage => &StorageRole,
         }
     }
 
@@ -263,10 +262,18 @@ impl Interpret<HAClusterTopology> for OKDNodeInterpret {
 
         // 4. Reboot the nodes to start the OS installation.
         self.reboot_targets(&nodes).await?;
-
-        // TODO: Implement a step to wait for the control plane nodes to join the cluster
-        // and for the cluster operators to become available. This would be similar to
-        // the `wait-for bootstrap-complete` command.
+        // TODO: Implement a step to validate that the installation of the nodes is
+        // complete and for the cluster operators to become available.
+        //
+        // The OpenShift installer only provides two wait commands which currently need to be
+        // run manually:
+        //   - `openshift-install wait-for bootstrap-complete`
+        //   - `openshift-install wait-for install-complete`
+        //
+        // There is no installer command that waits specifically for worker node
+        // provisioning. Worker nodes join asynchronously (via ignition + CSR approval),
+        // and the cluster becomes fully functional only once all nodes are Ready and the
+        // cluster operators report Available=True.
         info!(
             "[{}] Provisioning initiated. Monitor the cluster convergence manually.",
             self.host_role
diff --git a/harmony/src/modules/okd/okd_node.rs b/harmony/src/modules/okd/okd_node.rs
index 687ae5a..39ca53b 100644
--- a/harmony/src/modules/okd/okd_node.rs
+++ b/harmony/src/modules/okd/okd_node.rs
@@ -52,18 +52,3 @@ impl OKDRoleProperties for WorkerRole {
         &t.workers
     }
 }
-
-//TODO unsure if this is to be implemented here or not
-impl OKDRoleProperties for StorageRole {
-    fn ignition_file(&self) -> &'static str {
-        todo!()
-    }
-
-    fn required_hosts(&self) -> usize {
-        todo!()
-    }
-
-    fn logical_hosts<'a>(&self, t: &'a HAClusterTopology) -> &'a Vec<LogicalHost> {
-        todo!()
-    }
-}

From d39b1957cd78a4a7ffd00f2f39ff9516e9927e69 Mon Sep 17 00:00:00 2001
From: Jean-Gabriel Gill-Couture <jg@nationtech.io>
Date: Wed, 10 Dec 2025 16:58:58 -0500
Subject: [PATCH 43/51] feat(k8s_app): OperatorhubCatalogSourceScore can now
 install the operatorhub catalogsource on a cluster that already has operator
 lifecycle manager installed

---
 examples/operatorhub_catalog/Cargo.toml       |  18 ++
 examples/operatorhub_catalog/src/main.rs      |  23 +++
 .../catalogsources_operators_coreos_com.rs    | 157 ++++++++++++++++++
 harmony/src/modules/k8s/apps/crd/mod.rs       |   4 +
 harmony/src/modules/k8s/apps/mod.rs           |   4 +
 harmony/src/modules/k8s/apps/operatorhub.rs   | 107 ++++++++++++
 harmony/src/modules/k8s/mod.rs                |   1 +
 7 files changed, 314 insertions(+)
 create mode 100644 examples/operatorhub_catalog/Cargo.toml
 create mode 100644 examples/operatorhub_catalog/src/main.rs
 create mode 100644 harmony/src/modules/k8s/apps/crd/catalogsources_operators_coreos_com.rs
 create mode 100644 harmony/src/modules/k8s/apps/crd/mod.rs
 create mode 100644 harmony/src/modules/k8s/apps/mod.rs
 create mode 100644 harmony/src/modules/k8s/apps/operatorhub.rs

diff --git a/examples/operatorhub_catalog/Cargo.toml b/examples/operatorhub_catalog/Cargo.toml
new file mode 100644
index 0000000..df76819
--- /dev/null
+++ b/examples/operatorhub_catalog/Cargo.toml
@@ -0,0 +1,18 @@
+[package]
+name = "example-operatorhub-catalogsource"
+edition = "2024"
+version.workspace = true
+readme.workspace = true
+license.workspace = true
+publish = false
+
+[dependencies]
+harmony = { path = "../../harmony" }
+harmony_cli = { path = "../../harmony_cli" }
+harmony_types = { path = "../../harmony_types" }
+cidr = { workspace = true }
+tokio = { workspace = true }
+harmony_macros = { path = "../../harmony_macros" }
+log = { workspace = true }
+env_logger = { workspace = true }
+url = { workspace = true }
diff --git a/examples/operatorhub_catalog/src/main.rs b/examples/operatorhub_catalog/src/main.rs
new file mode 100644
index 0000000..fae94b7
--- /dev/null
+++ b/examples/operatorhub_catalog/src/main.rs
@@ -0,0 +1,23 @@
+use std::str::FromStr;
+
+use harmony::{
+    inventory::Inventory,
+    modules::{k8s::apps::OperatorHubCatalogSourceScore, tenant::TenantScore},
+    topology::{tenant::TenantConfig, K8sAnywhereTopology},
+};
+use harmony_types::id::Id;
+
+#[tokio::main]
+async fn main() {
+
+    let operatorhub_catalog = OperatorHubCatalogSourceScore::default();
+
+    harmony_cli::run(
+        Inventory::autoload(),
+        K8sAnywhereTopology::from_env(),
+        vec![Box::new(operatorhub_catalog)],
+        None,
+    )
+    .await
+    .unwrap();
+}
diff --git a/harmony/src/modules/k8s/apps/crd/catalogsources_operators_coreos_com.rs b/harmony/src/modules/k8s/apps/crd/catalogsources_operators_coreos_com.rs
new file mode 100644
index 0000000..2f45b88
--- /dev/null
+++ b/harmony/src/modules/k8s/apps/crd/catalogsources_operators_coreos_com.rs
@@ -0,0 +1,157 @@
+use std::collections::BTreeMap;
+
+use k8s_openapi::{
+    api::core::v1::{Affinity, Toleration},
+    apimachinery::pkg::apis::meta::v1::ObjectMeta,
+};
+use kube::CustomResource;
+use schemars::JsonSchema;
+use serde::{Deserialize, Serialize};
+use serde_json::Value;
+
+#[derive(CustomResource, Deserialize, Serialize, Clone, Debug)]
+#[kube(
+    group = "operators.coreos.com",
+    version = "v1alpha1",
+    kind = "CatalogSource",
+    plural = "catalogsources",
+    namespaced = true,
+    schema = "disabled"
+)]
+#[serde(rename_all = "camelCase")]
+pub struct CatalogSourceSpec {
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub address: Option<String>,
+
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub config_map: Option<String>,
+
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub description: Option<String>,
+
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub display_name: Option<String>,
+
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub grpc_pod_config: Option<GrpcPodConfig>,
+
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub icon: Option<Icon>,
+
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub image: Option<String>,
+
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub priority: Option<i64>,
+
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub publisher: Option<String>,
+
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub run_as_root: Option<bool>,
+
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub secrets: Option<Vec<String>>,
+
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub source_type: Option<String>,
+
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub update_strategy: Option<UpdateStrategy>,
+}
+
+#[derive(Deserialize, Serialize, Clone, Debug)]
+#[serde(rename_all = "camelCase")]
+pub struct GrpcPodConfig {
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub affinity: Option<Affinity>,
+
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub extract_content: Option<ExtractContent>,
+
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub memory_target: Option<Value>,
+
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub node_selector: Option<BTreeMap<String, String>>,
+
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub priority_class_name: Option<String>,
+
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub security_context_config: Option<String>,
+
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub tolerations: Option<Vec<Toleration>>,
+}
+
+#[derive(Deserialize, Serialize, Clone, Debug, JsonSchema)]
+#[serde(rename_all = "camelCase")]
+pub struct ExtractContent {
+    pub cache_dir: String,
+    pub catalog_dir: String,
+}
+
+#[derive(Deserialize, Serialize, Clone, Debug, JsonSchema)]
+#[serde(rename_all = "camelCase")]
+pub struct Icon {
+    pub base64data: String,
+    pub mediatype: String,
+}
+
+#[derive(Deserialize, Serialize, Clone, Debug, JsonSchema)]
+#[serde(rename_all = "camelCase")]
+pub struct UpdateStrategy {
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub registry_poll: Option<RegistryPoll>,
+}
+
+#[derive(Deserialize, Serialize, Clone, Debug, JsonSchema)]
+#[serde(rename_all = "camelCase")]
+pub struct RegistryPoll {
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub interval: Option<String>,
+}
+
+impl Default for CatalogSource {
+    fn default() -> Self {
+        Self {
+            metadata: ObjectMeta::default(),
+            spec: CatalogSourceSpec {
+                address: None,
+                config_map: None,
+                description: None,
+                display_name: None,
+                grpc_pod_config: None,
+                icon: None,
+                image: None,
+                priority: None,
+                publisher: None,
+                run_as_root: None,
+                secrets: None,
+                source_type: None,
+                update_strategy: None,
+            },
+        }
+    }
+}
+
+impl Default for CatalogSourceSpec {
+    fn default() -> Self {
+        Self {
+            address: None,
+            config_map: None,
+            description: None,
+            display_name: None,
+            grpc_pod_config: None,
+            icon: None,
+            image: None,
+            priority: None,
+            publisher: None,
+            run_as_root: None,
+            secrets: None,
+            source_type: None,
+            update_strategy: None,
+        }
+    }
+}
diff --git a/harmony/src/modules/k8s/apps/crd/mod.rs b/harmony/src/modules/k8s/apps/crd/mod.rs
new file mode 100644
index 0000000..01bcf06
--- /dev/null
+++ b/harmony/src/modules/k8s/apps/crd/mod.rs
@@ -0,0 +1,4 @@
+
+mod catalogsources_operators_coreos_com;
+pub use catalogsources_operators_coreos_com::*;
+
diff --git a/harmony/src/modules/k8s/apps/mod.rs b/harmony/src/modules/k8s/apps/mod.rs
new file mode 100644
index 0000000..59f34b9
--- /dev/null
+++ b/harmony/src/modules/k8s/apps/mod.rs
@@ -0,0 +1,4 @@
+mod operatorhub;
+pub use operatorhub::*;
+pub mod crd;
+
diff --git a/harmony/src/modules/k8s/apps/operatorhub.rs b/harmony/src/modules/k8s/apps/operatorhub.rs
new file mode 100644
index 0000000..344aa61
--- /dev/null
+++ b/harmony/src/modules/k8s/apps/operatorhub.rs
@@ -0,0 +1,107 @@
+// Write operatorhub catalog score
+// for now this will only support on OKD with the default catalog and operatorhub setup and does not verify OLM state or anything else. Very opinionated and bare-bones to start
+
+use k8s_openapi::apimachinery::pkg::apis::meta::v1::ObjectMeta;
+use serde::Serialize;
+
+use crate::interpret::Interpret;
+use crate::modules::k8s::apps::crd::{
+    CatalogSource, CatalogSourceSpec, RegistryPoll, UpdateStrategy,
+};
+use crate::modules::k8s::resource::K8sResourceScore;
+use crate::score::Score;
+use crate::topology::{K8sclient, Topology};
+
+/// Installs the CatalogSource in a cluster which already has the required services and CRDs installed.
+///
+/// ```rust
+/// use harmony::modules::k8s::apps::OperatorHubCatalogSourceScore;
+///
+/// let score = OperatorHubCatalogSourceScore::default();
+/// ```
+///
+/// Required services:
+/// - catalog-operator
+/// - olm-operator
+///
+/// They are installed by default with OKD/Openshift
+///
+/// **Warning** : this initial implementation does not manage the dependencies. They must already
+/// exist in the cluster.
+#[derive(Debug, Clone, Serialize)]
+pub struct OperatorHubCatalogSourceScore {
+    pub name: String,
+    pub namespace: String,
+    pub image: String,
+}
+
+impl OperatorHubCatalogSourceScore {
+    pub fn new(name: &str, namespace: &str, image: &str) -> Self {
+        Self {
+            name: name.to_string(),
+            namespace: namespace.to_string(),
+            image: image.to_string(),
+        }
+    }
+}
+
+impl Default for OperatorHubCatalogSourceScore {
+    /// This default implementation will create this k8s resource :
+    ///
+    /// ```yaml
+    /// apiVersion: operators.coreos.com/v1alpha1
+    /// kind: CatalogSource
+    /// metadata:
+    ///   name: operatorhubio-catalog
+    ///   namespace: openshift-marketplace
+    /// spec:
+    ///   sourceType: grpc
+    ///   image: quay.io/operatorhubio/catalog:latest
+    ///   displayName: Operatorhub Operators
+    ///   publisher: OperatorHub.io
+    ///   updateStrategy:
+    ///     registryPoll:
+    ///       interval: 60m
+    /// ```
+    fn default() -> Self {
+        OperatorHubCatalogSourceScore {
+            name: "operatorhubio-catalog".to_string(),
+            namespace: "openshift-marketplace".to_string(),
+            image: "quay.io/operatorhubio/catalog:latest".to_string(),
+        }
+    }
+}
+
+impl<T: Topology + K8sclient> Score<T> for OperatorHubCatalogSourceScore {
+    fn create_interpret(&self) -> Box<dyn Interpret<T>> {
+        let metadata = ObjectMeta {
+            name: Some(self.name.clone()),
+            namespace: Some(self.namespace.clone()),
+            ..ObjectMeta::default()
+        };
+
+        let spec = CatalogSourceSpec {
+            source_type: Some("grpc".to_string()),
+            image: Some(self.image.clone()),
+            display_name: Some("Operatorhub Operators".to_string()),
+            publisher: Some("OperatorHub.io".to_string()),
+            update_strategy: Some(UpdateStrategy {
+                registry_poll: Some(RegistryPoll {
+                    interval: Some("60m".to_string()),
+                }),
+            }),
+            ..CatalogSourceSpec::default()
+        };
+
+        let catalog_source = CatalogSource {
+            metadata,
+            spec: spec,
+        };
+
+        K8sResourceScore::single(catalog_source, Some(self.namespace.clone())).create_interpret()
+    }
+
+    fn name(&self) -> String {
+        format!("OperatorHubCatalogSourceScore({})", self.name)
+    }
+}
diff --git a/harmony/src/modules/k8s/mod.rs b/harmony/src/modules/k8s/mod.rs
index 90781f9..7002d14 100644
--- a/harmony/src/modules/k8s/mod.rs
+++ b/harmony/src/modules/k8s/mod.rs
@@ -2,3 +2,4 @@ pub mod deployment;
 pub mod ingress;
 pub mod namespace;
 pub mod resource;
+pub mod apps;

From 1b19638df4cb8f578ebc7332abd67ee7185f027f Mon Sep 17 00:00:00 2001
From: Jean-Gabriel Gill-Couture <jg@nationtech.io>
Date: Wed, 10 Dec 2025 17:00:28 -0500
Subject: [PATCH 44/51] wip(failover): Started implementation of the
 FailoverTopology with PostgreSQL capability

This is our first Higher Order Topology (see ADR-015)
---
 Cargo.lock                                   |  15 ++
 examples/operatorhub_catalog/src/main.rs     |   3 +-
 harmony/src/domain/topology/failover.rs      | 128 +---------------
 harmony/src/domain/topology/mod.rs           |   2 +-
 harmony/src/modules/k8s/apps/crd/mod.rs      |   2 -
 harmony/src/modules/k8s/apps/mod.rs          |   1 -
 harmony/src/modules/k8s/mod.rs               |   2 +-
 harmony/src/modules/mod.rs                   |   2 +-
 harmony/src/modules/postgresql/capability.rs |  24 +--
 harmony/src/modules/postgresql/failover.rs   | 125 +++++++++++++++
 harmony/src/modules/postgresql/mod.rs        |   3 -
 harmony/src/modules/postgresql/score.rs      | 152 +------------------
 harmony_types/src/lib.rs                     |   2 +-
 13 files changed, 164 insertions(+), 297 deletions(-)
 create mode 100644 harmony/src/modules/postgresql/failover.rs

diff --git a/Cargo.lock b/Cargo.lock
index 7d9cdcf..e8bee18 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1835,6 +1835,21 @@ dependencies = [
  "url",
 ]
 
+[[package]]
+name = "example-operatorhub-catalogsource"
+version = "0.1.0"
+dependencies = [
+ "cidr",
+ "env_logger",
+ "harmony",
+ "harmony_cli",
+ "harmony_macros",
+ "harmony_types",
+ "log",
+ "tokio",
+ "url",
+]
+
 [[package]]
 name = "example-opnsense"
 version = "0.1.0"
diff --git a/examples/operatorhub_catalog/src/main.rs b/examples/operatorhub_catalog/src/main.rs
index fae94b7..66ba72a 100644
--- a/examples/operatorhub_catalog/src/main.rs
+++ b/examples/operatorhub_catalog/src/main.rs
@@ -3,13 +3,12 @@ use std::str::FromStr;
 use harmony::{
     inventory::Inventory,
     modules::{k8s::apps::OperatorHubCatalogSourceScore, tenant::TenantScore},
-    topology::{tenant::TenantConfig, K8sAnywhereTopology},
+    topology::{K8sAnywhereTopology, tenant::TenantConfig},
 };
 use harmony_types::id::Id;
 
 #[tokio::main]
 async fn main() {
-
     let operatorhub_catalog = OperatorHubCatalogSourceScore::default();
 
     harmony_cli::run(
diff --git a/harmony/src/domain/topology/failover.rs b/harmony/src/domain/topology/failover.rs
index dfeb557..6df9cea 100644
--- a/harmony/src/domain/topology/failover.rs
+++ b/harmony/src/domain/topology/failover.rs
@@ -1,20 +1,10 @@
 use async_trait::async_trait;
 
-use log::{debug, info};
-use std::collections::HashMap;
-
-use crate::{
-    modules::postgresql::capability::{
-        BootstrapConfig, BootstrapStrategy, ExternalClusterConfig, PostgreSQL,
-        PostgreSQLClusterRole, PostgreSQLConfig, PostgreSQLEndpoint, ReplicaConfig,
-        ReplicationCerts,
-    },
-    topology::{PreparationError, PreparationOutcome, Topology},
-};
+use crate::topology::{PreparationError, PreparationOutcome, Topology};
 
 pub struct FailoverTopology<T> {
-    primary: T,
-    replica: T,
+    pub primary: T,
+    pub replica: T,
 }
 
 #[async_trait]
@@ -27,115 +17,3 @@ impl<T: Send + Sync> Topology for FailoverTopology<T> {
         todo!()
     }
 }
-
-#[async_trait]
-impl<T: PostgreSQL> PostgreSQL for FailoverTopology<T> {
-    async fn deploy(&self, config: &PostgreSQLConfig) -> Result<String, String> {
-        info!(
-            "Starting deployment of failover topology '{}'",
-            config.cluster_name
-        );
-
-        let primary_config = PostgreSQLConfig {
-            cluster_name: config.cluster_name.clone(),
-            instances: config.instances,
-            storage_size: config.storage_size.clone(),
-            role: PostgreSQLClusterRole::Primary,
-        };
-
-        info!(
-            "Deploying primary cluster '{{}}' ({} instances, {:?} storage)",
-            primary_config.cluster_name, primary_config.storage_size
-        );
-
-        let primary_cluster_name = self.primary.deploy(&primary_config).await?;
-
-        info!("Primary cluster '{primary_cluster_name}' deployed successfully");
-
-        info!("Retrieving replication certificates for primary '{primary_cluster_name}'");
-
-        let certs = self
-            .primary
-            .get_replication_certs(&primary_cluster_name)
-            .await?;
-
-        info!("Replication certificates retrieved successfully");
-
-        info!("Retrieving public endpoint for primary '{primary_cluster_name}");
-
-        let endpoint = self
-            .primary
-            .get_public_endpoint(&primary_cluster_name)
-            .await?
-            .ok_or_else(|| "No public endpoint configured on primary cluster".to_string())?;
-
-        info!(
-            "Public endpoint '{}:{}' retrieved for primary",
-            endpoint.host, endpoint.port
-        );
-
-        info!("Configuring replica connection parameters and bootstrap");
-
-        let mut connection_parameters = HashMap::new();
-        connection_parameters.insert("host".to_string(), endpoint.host);
-        connection_parameters.insert("port".to_string(), endpoint.port.to_string());
-        connection_parameters.insert("dbname".to_string(), "postgres".to_string());
-        connection_parameters.insert("user".to_string(), "streaming_replica".to_string());
-        connection_parameters.insert("sslmode".to_string(), "verify-ca".to_string());
-        connection_parameters.insert("sslnegotiation".to_string(), "direct".to_string());
-
-        debug!("Replica connection parameters: {:?}", connection_parameters);
-
-        let external_cluster = ExternalClusterConfig {
-            name: primary_cluster_name.clone(),
-            connection_parameters,
-        };
-
-        let bootstrap_config = BootstrapConfig {
-            strategy: BootstrapStrategy::PgBasebackup,
-        };
-
-        let replica_cluster_config = ReplicaConfig {
-            primary_cluster_name: primary_cluster_name.clone(),
-            replication_certs: certs,
-            bootstrap: bootstrap_config,
-            external_cluster,
-        };
-
-        let replica_config = PostgreSQLConfig {
-            cluster_name: format!("{}-replica", primary_cluster_name),
-            instances: config.instances,
-            storage_size: config.storage_size.clone(),
-            role: PostgreSQLClusterRole::Replica(replica_cluster_config),
-        };
-
-        info!(
-            "Deploying replica cluster '{}' ({} instances, {:?} storage) on replica topology",
-            replica_config.cluster_name, replica_config.instances, replica_config.storage_size
-        );
-
-        self.replica.deploy(&replica_config).await?;
-
-        info!(
-            "Replica cluster '{}' deployed successfully; failover topology '{}' ready",
-            replica_config.cluster_name, config.cluster_name
-        );
-
-        Ok(primary_cluster_name)
-    }
-
-    async fn get_replication_certs(&self, cluster_name: &str) -> Result<ReplicationCerts, String> {
-        self.primary.get_replication_certs(cluster_name).await
-    }
-
-    async fn get_endpoint(&self, cluster_name: &str) -> Result<PostgreSQLEndpoint, String> {
-        self.primary.get_endpoint(cluster_name).await
-    }
-
-    async fn get_public_endpoint(
-        &self,
-        cluster_name: &str,
-    ) -> Result<Option<PostgreSQLEndpoint>, String> {
-        self.primary.get_public_endpoint(cluster_name).await
-    }
-}
diff --git a/harmony/src/domain/topology/mod.rs b/harmony/src/domain/topology/mod.rs
index 62efa00..64e12d0 100644
--- a/harmony/src/domain/topology/mod.rs
+++ b/harmony/src/domain/topology/mod.rs
@@ -1,6 +1,6 @@
+mod failover;
 mod ha_cluster;
 pub mod ingress;
-mod failover;
 pub use failover::*;
 use harmony_types::net::IpAddress;
 mod host_binding;
diff --git a/harmony/src/modules/k8s/apps/crd/mod.rs b/harmony/src/modules/k8s/apps/crd/mod.rs
index 01bcf06..e83b27b 100644
--- a/harmony/src/modules/k8s/apps/crd/mod.rs
+++ b/harmony/src/modules/k8s/apps/crd/mod.rs
@@ -1,4 +1,2 @@
-
 mod catalogsources_operators_coreos_com;
 pub use catalogsources_operators_coreos_com::*;
-
diff --git a/harmony/src/modules/k8s/apps/mod.rs b/harmony/src/modules/k8s/apps/mod.rs
index 59f34b9..9a505c8 100644
--- a/harmony/src/modules/k8s/apps/mod.rs
+++ b/harmony/src/modules/k8s/apps/mod.rs
@@ -1,4 +1,3 @@
 mod operatorhub;
 pub use operatorhub::*;
 pub mod crd;
-
diff --git a/harmony/src/modules/k8s/mod.rs b/harmony/src/modules/k8s/mod.rs
index 7002d14..56c9201 100644
--- a/harmony/src/modules/k8s/mod.rs
+++ b/harmony/src/modules/k8s/mod.rs
@@ -1,5 +1,5 @@
+pub mod apps;
 pub mod deployment;
 pub mod ingress;
 pub mod namespace;
 pub mod resource;
-pub mod apps;
diff --git a/harmony/src/modules/mod.rs b/harmony/src/modules/mod.rs
index 1ae4d4a..910b535 100644
--- a/harmony/src/modules/mod.rs
+++ b/harmony/src/modules/mod.rs
@@ -13,8 +13,8 @@ pub mod load_balancer;
 pub mod monitoring;
 pub mod okd;
 pub mod opnsense;
+pub mod postgresql;
 pub mod prometheus;
 pub mod storage;
 pub mod tenant;
 pub mod tftp;
-pub mod postgresql;
diff --git a/harmony/src/modules/postgresql/capability.rs b/harmony/src/modules/postgresql/capability.rs
index 2779956..9bb2148 100644
--- a/harmony/src/modules/postgresql/capability.rs
+++ b/harmony/src/modules/postgresql/capability.rs
@@ -1,9 +1,10 @@
 use async_trait::async_trait;
 use harmony_types::storage::StorageSize;
+use serde::Serialize;
 use std::collections::HashMap;
 
 #[async_trait]
-pub trait PostgreSQL {
+pub trait PostgreSQL: Send + Sync {
     async fn deploy(&self, config: &PostgreSQLConfig) -> Result<String, String>;
 
     /// Extracts PostgreSQL-specific replication certs (PEM format) from a deployed primary cluster.
@@ -17,10 +18,13 @@ pub trait PostgreSQL {
     /// Returns None if no public endpoint (internal-only cluster).
     /// UNSTABLE: This is opinionated for initial multisite use cases. Networking abstraction is complex
     /// (cf. k8s Ingress -> Gateway API evolution); may move to higher-order Networking/PostgreSQLNetworking trait.
-    async fn get_public_endpoint(&self, cluster_name: &str) -> Result<Option<PostgreSQLEndpoint>, String>;
+    async fn get_public_endpoint(
+        &self,
+        cluster_name: &str,
+    ) -> Result<Option<PostgreSQLEndpoint>, String>;
 }
 
-#[derive(Clone, Debug)]
+#[derive(Clone, Debug, Serialize)]
 pub struct PostgreSQLConfig {
     pub cluster_name: String,
     pub instances: u32,
@@ -28,13 +32,13 @@ pub struct PostgreSQLConfig {
     pub role: PostgreSQLClusterRole,
 }
 
-#[derive(Clone, Debug)]
+#[derive(Clone, Debug, Serialize)]
 pub enum PostgreSQLClusterRole {
     Primary,
-    Replica(ReplicaClusterConfig),
+    Replica(ReplicaConfig),
 }
 
-#[derive(Clone, Debug)]
+#[derive(Clone, Debug, Serialize)]
 pub struct ReplicaConfig {
     /// Name of the primary cluster this replica will sync from
     pub primary_cluster_name: String,
@@ -46,17 +50,17 @@ pub struct ReplicaConfig {
     pub external_cluster: ExternalClusterConfig,
 }
 
-#[derive(Clone, Debug)]
+#[derive(Clone, Debug, Serialize)]
 pub struct BootstrapConfig {
     pub strategy: BootstrapStrategy,
 }
 
-#[derive(Clone, Debug)]
+#[derive(Clone, Debug, Serialize)]
 pub enum BootstrapStrategy {
     PgBasebackup,
 }
 
-#[derive(Clone, Debug)]
+#[derive(Clone, Debug, Serialize)]
 pub struct ExternalClusterConfig {
     /// Name used in CNPG externalClusters list
     pub name: String,
@@ -64,7 +68,7 @@ pub struct ExternalClusterConfig {
     pub connection_parameters: HashMap<String, String>,
 }
 
-#[derive(Clone, Debug)]
+#[derive(Clone, Debug, Serialize)]
 pub struct ReplicationCerts {
     /// PEM-encoded CA cert from primary
     pub ca_cert_pem: String,
diff --git a/harmony/src/modules/postgresql/failover.rs b/harmony/src/modules/postgresql/failover.rs
new file mode 100644
index 0000000..9e54b2f
--- /dev/null
+++ b/harmony/src/modules/postgresql/failover.rs
@@ -0,0 +1,125 @@
+use async_trait::async_trait;
+use log::debug;
+use log::info;
+use std::collections::HashMap;
+
+use crate::{
+    modules::postgresql::capability::{
+        BootstrapConfig, BootstrapStrategy, ExternalClusterConfig, PostgreSQL,
+        PostgreSQLClusterRole, PostgreSQLConfig, PostgreSQLEndpoint, ReplicaConfig,
+        ReplicationCerts,
+    },
+    topology::FailoverTopology,
+};
+
+#[async_trait]
+impl<T: PostgreSQL> PostgreSQL for FailoverTopology<T> {
+    async fn deploy(&self, config: &PostgreSQLConfig) -> Result<String, String> {
+        info!(
+            "Starting deployment of failover topology '{}'",
+            config.cluster_name
+        );
+
+        let primary_config = PostgreSQLConfig {
+            cluster_name: config.cluster_name.clone(),
+            instances: config.instances,
+            storage_size: config.storage_size.clone(),
+            role: PostgreSQLClusterRole::Primary,
+        };
+
+        info!(
+            "Deploying primary cluster '{{}}' ({} instances, {:?} storage)",
+            primary_config.cluster_name, primary_config.storage_size
+        );
+
+        let primary_cluster_name = self.primary.deploy(&primary_config).await?;
+
+        info!("Primary cluster '{primary_cluster_name}' deployed successfully");
+
+        info!("Retrieving replication certificates for primary '{primary_cluster_name}'");
+
+        let certs = self
+            .primary
+            .get_replication_certs(&primary_cluster_name)
+            .await?;
+
+        info!("Replication certificates retrieved successfully");
+
+        info!("Retrieving public endpoint for primary '{primary_cluster_name}");
+
+        let endpoint = self
+            .primary
+            .get_public_endpoint(&primary_cluster_name)
+            .await?
+            .ok_or_else(|| "No public endpoint configured on primary cluster".to_string())?;
+
+        info!(
+            "Public endpoint '{}:{}' retrieved for primary",
+            endpoint.host, endpoint.port
+        );
+
+        info!("Configuring replica connection parameters and bootstrap");
+
+        let mut connection_parameters = HashMap::new();
+        connection_parameters.insert("host".to_string(), endpoint.host);
+        connection_parameters.insert("port".to_string(), endpoint.port.to_string());
+        connection_parameters.insert("dbname".to_string(), "postgres".to_string());
+        connection_parameters.insert("user".to_string(), "streaming_replica".to_string());
+        connection_parameters.insert("sslmode".to_string(), "verify-ca".to_string());
+        connection_parameters.insert("sslnegotiation".to_string(), "direct".to_string());
+
+        debug!("Replica connection parameters: {:?}", connection_parameters);
+
+        let external_cluster = ExternalClusterConfig {
+            name: primary_cluster_name.clone(),
+            connection_parameters,
+        };
+
+        let bootstrap_config = BootstrapConfig {
+            strategy: BootstrapStrategy::PgBasebackup,
+        };
+
+        let replica_cluster_config = ReplicaConfig {
+            primary_cluster_name: primary_cluster_name.clone(),
+            replication_certs: certs,
+            bootstrap: bootstrap_config,
+            external_cluster,
+        };
+
+        let replica_config = PostgreSQLConfig {
+            cluster_name: format!("{}-replica", primary_cluster_name),
+            instances: config.instances,
+            storage_size: config.storage_size.clone(),
+            role: PostgreSQLClusterRole::Replica(replica_cluster_config),
+        };
+
+        info!(
+            "Deploying replica cluster '{}' ({} instances, {:?} storage) on replica topology",
+            replica_config.cluster_name, replica_config.instances, replica_config.storage_size
+        );
+
+        self.replica.deploy(&replica_config).await?;
+
+        info!(
+            "Replica cluster '{}' deployed successfully; failover topology '{}' ready",
+            replica_config.cluster_name, config.cluster_name
+        );
+
+        Ok(primary_cluster_name)
+    }
+
+    async fn get_replication_certs(&self, cluster_name: &str) -> Result<ReplicationCerts, String> {
+        self.primary.get_replication_certs(cluster_name).await
+    }
+
+    async fn get_endpoint(&self, cluster_name: &str) -> Result<PostgreSQLEndpoint, String> {
+        self.primary.get_endpoint(cluster_name).await
+    }
+
+    async fn get_public_endpoint(
+        &self,
+        cluster_name: &str,
+    ) -> Result<Option<PostgreSQLEndpoint>, String> {
+        self.primary.get_public_endpoint(cluster_name).await
+    }
+}
diff --git a/harmony/src/modules/postgresql/mod.rs b/harmony/src/modules/postgresql/mod.rs
index 482f013..fd47d6f 100644
--- a/harmony/src/modules/postgresql/mod.rs
+++ b/harmony/src/modules/postgresql/mod.rs
@@ -1,7 +1,4 @@
-
 pub mod capability;
 mod score;
 
-
 pub mod failover;
-
diff --git a/harmony/src/modules/postgresql/score.rs b/harmony/src/modules/postgresql/score.rs
index 419c06b..5c6f428 100644
--- a/harmony/src/modules/postgresql/score.rs
+++ b/harmony/src/modules/postgresql/score.rs
@@ -9,13 +9,13 @@ use crate::{
 
 use super::capability::*;
 
-use derive_new::new;
-use harmony_types::{id::Id, storage::StorageSize};
+use harmony_types::id::Id;
 
 use async_trait::async_trait;
 use log::info;
 use serde::Serialize;
 
+#[derive(Clone, Debug, Serialize)]
 pub struct PostgreSQLScore {
     config: PostgreSQLConfig,
 }
@@ -86,151 +86,3 @@ impl<T: Topology + PostgreSQL> Interpret<T> for PostgreSQLInterpret {
         )))
     }
 }
-
-#[derive(Debug, new, Clone, Serialize)]
-pub struct MultisitePostgreSQLScore {
-    pub cluster_name: String,
-    pub primary_site: Id,
-    pub replica_sites: Vec<Id>,
-    pub instances: u32,
-    pub storage_size: StorageSize,
-}
-
-impl<T: FailoverTopology + crate::modules::postgresql::capability::PostgreSQL> Score<T> for MultisitePostgreSQLScore {
-
-    fn create_interpret(&self) -> Box<dyn Interpret<T>> {
-        Box::new(MultisitePostgreSQLInterpret::new(self.clone()))
-    }
-
-    fn name(&self) -> String {
-        "MultisitePostgreSQLScore".to_string()
-    }
-}
-
-#[derive(Debug, Clone)]
-pub struct MultisitePostgreSQLInterpret {
-    score: MultisitePostgreSQLScore,
-    version: Version,
-    status: InterpretStatus,
-}
-
-impl MultisitePostgreSQLInterpret {
-    pub fn new(score: MultisitePostgreSQLScore) -> Self {
-        let version = Version::from("1.0.0").expect("Version should be valid");
-        Self {
-            score,
-            version,
-            status: InterpretStatus::QUEUED,
-        }
-    }
-}
-
-#[async_trait]
-impl<T: MultisiteTopology + PostgreSQL> Interpret<T> for MultisitePostgreSQLInterpret {
-    fn get_name(&self) -> InterpretName {
-        InterpretName::Custom("MultisitePostgreSQLInterpret")
-    }
-
-    fn get_version(&self) -> Version {
-        self.version.clone()
-    }
-
-    fn get_status(&self) -> InterpretStatus {
-        self.status.clone()
-    }
-
-    fn get_children(&self) -> Vec<Id> {
-        todo!("Track child interprets per site")
-    }
-
-async fn execute(
-    &self,
-    inventory: &Inventory,
-    topology: &T,
-) -> Result<Outcome, InterpretError> {
-
-        info!(
-            "Orchestrating multisite PostgreSQL: primary {:?}, replicas {:?}",
-            self.score.primary_site, self.score.replica_sites
-        );
-
-        // 1. Deploy primary
-        let primary_topo = topology.primary();
-
-        let primary_config = PostgreSQLConfig {
-            cluster_name: self.score.cluster_name.clone(),
-            instances: self.score.instances,
-            storage_size: self.score.storage_size.clone(),
-            role: ClusterRole::Primary,
-        };
-        let primary_cluster_name = primary_topo
-            .deploy(&primary_config)
-            .await
-            .map_err(|e| InterpretError::from(format!("Primary deploy failed: {e}")))?;
-
-        // 2. Extract certs & public endpoint from primary
-        let certs = primary_topo
-            .get_replication_certs(&primary_cluster_name)
-            .await
-            .map_err(|e| InterpretError::from(format!("Certs extract failed: {e}")))?;
-        let public_endpoint = primary_topo
-            .get_public_endpoint(&primary_cluster_name)
-            .await??
-            .ok_or_else(|| InterpretError::from("No public endpoint on primary"))?;
-
-        // 3. Deploy replicas
-        for replica_site in &self.score.replica_sites {
-let replica_topo = topology.replica();
-
-                .map_err(|e| {
-                    InterpretError::from(format!(
-                        "Replica site {:?} lookup failed: {e}",
-                        replica_site
-                    ))
-                })?;
-
-            let connection_params: HashMap<String, String> = [
-                ("host".to_string(), public_endpoint.host.clone()),
-                ("port".to_string(), public_endpoint.port.to_string()),
-                ("dbname".to_string(), "postgres".to_string()),
-                ("user".to_string(), "streaming_replica".to_string()),
-                ("sslmode".to_string(), "verify-ca".to_string()),
-                ("sslnegotiation".to_string(), "direct".to_string()),
-            ]
-            .into_iter()
-            .collect();
-
-            let external_cluster = ExternalClusterConfig {
-                name: "primary-cluster".to_string(),
-                connection_parameters: connection_params,
-            };
-
-            let replica_config_struct = ReplicaConfig {
-                primary_cluster_name: primary_cluster_name.clone(),
-                replication_certs: certs.clone(),
-                bootstrap: BootstrapConfig {
-                    strategy: BootstrapStrategy::PgBasebackup,
-                },
-                external_cluster,
-            };
-
-            let replica_config = PostgreSQLConfig {
-                cluster_name: format!("{}-replica-{}", self.score.cluster_name, replica_site),
-                instances: self.score.instances,
-                storage_size: self.score.storage_size.clone(),
-                role: ClusterRole::Replica(replica_config_struct),
-            };
-
-            let _replica_cluster = replica_topo.deploy(&replica_config).await.map_err(|e| {
-                InterpretError::from(format!("Replica {:?} deploy failed: {e}", replica_site))
-            })?;
-        }
-
-        Ok(Outcome::success(format!(
-            "Multisite PostgreSQL `{}` deployed: primary `{}`, {} replicas",
-            self.score.cluster_name,
-            primary_cluster_name,
-            self.score.replica_sites.len()
-        )))
-    }
-}
diff --git a/harmony_types/src/lib.rs b/harmony_types/src/lib.rs
index 38a296f..1ebdb97 100644
--- a/harmony_types/src/lib.rs
+++ b/harmony_types/src/lib.rs
@@ -1,4 +1,4 @@
 pub mod id;
 pub mod net;
-pub mod switch;
 pub mod storage;
+pub mod switch;

From 3e14ebd62c6ffd6a30567fad6b488ce3b63ff459 Mon Sep 17 00:00:00 2001
From: Jean-Gabriel Gill-Couture <jg@nationtech.io>
Date: Wed, 10 Dec 2025 22:55:08 -0500
Subject: [PATCH 45/51] feat: cnpg operator score

---
 harmony/src/modules/k8s/apps/crd/mod.rs       |  2 +
 .../crd/subscriptions_operators_coreos_com.rs | 68 +++++++++++++++++++
 harmony/src/modules/postgresql/mod.rs         |  2 +
 harmony/src/modules/postgresql/operator.rs    | 66 ++++++++++++++++++
 4 files changed, 138 insertions(+)
 create mode 100644 harmony/src/modules/k8s/apps/crd/subscriptions_operators_coreos_com.rs
 create mode 100644 harmony/src/modules/postgresql/operator.rs

diff --git a/harmony/src/modules/k8s/apps/crd/mod.rs b/harmony/src/modules/k8s/apps/crd/mod.rs
index e83b27b..e45f172 100644
--- a/harmony/src/modules/k8s/apps/crd/mod.rs
+++ b/harmony/src/modules/k8s/apps/crd/mod.rs
@@ -1,2 +1,4 @@
 mod catalogsources_operators_coreos_com;
 pub use catalogsources_operators_coreos_com::*;
+mod subscriptions_operators_coreos_com;
+pub use subscriptions_operators_coreos_com::*;
diff --git a/harmony/src/modules/k8s/apps/crd/subscriptions_operators_coreos_com.rs b/harmony/src/modules/k8s/apps/crd/subscriptions_operators_coreos_com.rs
new file mode 100644
index 0000000..981cd09
--- /dev/null
+++ b/harmony/src/modules/k8s/apps/crd/subscriptions_operators_coreos_com.rs
@@ -0,0 +1,68 @@
+use k8s_openapi::apimachinery::pkg::apis::meta::v1::ObjectMeta;
+use kube::CustomResource;
+use serde::{Deserialize, Serialize};
+
+#[derive(CustomResource, Deserialize, Serialize, Clone, Debug)]
+#[kube(
+    group = "operators.coreos.com",
+    version = "v1alpha1",
+    kind = "Subscription",
+    plural = "subscriptions",
+    namespaced = true,
+    schema = "disabled"
+)]
+#[serde(rename_all = "camelCase")]
+pub struct SubscriptionSpec {
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub channel: Option<String>,
+
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub config: Option<SubscriptionConfig>,
+
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub install_plan_approval: Option<String>,
+
+    pub name: String,
+
+    pub source: String,
+
+    pub source_namespace: String,
+
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub starting_csv: Option<String>,
+}
+#[derive(Deserialize, Serialize, Clone, Debug)]
+#[serde(rename_all = "camelCase")]
+pub struct SubscriptionConfig {
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub env: Option<Vec<k8s_openapi::api::core::v1::EnvVar>>,
+
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub node_selector: Option<std::collections::BTreeMap<String, String>>,
+
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub tolerations: Option<Vec<k8s_openapi::api::core::v1::Toleration>>,
+}
+
+impl Default for Subscription {
+    fn default() -> Self {
+        Subscription {
+            metadata: ObjectMeta::default(),
+            spec: SubscriptionSpec::default(),
+        }
+    }
+}
+
+impl Default for SubscriptionSpec {
+    fn default() -> SubscriptionSpec {
+        SubscriptionSpec {
+            name: String::new(),
+            source: String::new(),
+            source_namespace: String::new(),
+            channel: None,
+            config: None,
+            install_plan_approval: None,
+            starting_csv: None,
+        }
+    }
+}
diff --git a/harmony/src/modules/postgresql/mod.rs b/harmony/src/modules/postgresql/mod.rs
index fd47d6f..539a298 100644
--- a/harmony/src/modules/postgresql/mod.rs
+++ b/harmony/src/modules/postgresql/mod.rs
@@ -2,3 +2,5 @@ pub mod capability;
 mod score;
 
 pub mod failover;
+mod operator;
+pub use operator::*;
diff --git a/harmony/src/modules/postgresql/operator.rs b/harmony/src/modules/postgresql/operator.rs
new file mode 100644
index 0000000..4f442e6
--- /dev/null
+++ b/harmony/src/modules/postgresql/operator.rs
@@ -0,0 +1,66 @@
+use k8s_openapi::apimachinery::pkg::apis::meta::v1::ObjectMeta;
+use serde::Serialize;
+
+use crate::interpret::Interpret;
+use crate::modules::k8s::apps::crd::{Subscription, SubscriptionSpec};
+use crate::modules::k8s::resource::K8sResourceScore;
+use crate::score::Score;
+use crate::topology::{K8sclient, Topology};
+
+#[derive(Debug, Clone, Serialize)]
+pub struct CloudNativePgOperatorScore {
+    pub namespace: String,
+    pub channel: String,
+    pub install_plan_approval: String,
+    pub source: String,
+    pub source_namespace: String,
+}
+
+impl Default for CloudNativePgOperatorScore {
+    fn default() -> Self {
+        Self {
+            namespace: "cnpg-system".to_string(),
+            channel: "stable".to_string(),
+            install_plan_approval: "Automatic".to_string(),
+            source: "operatorhubio-catalog".to_string(),
+            source_namespace: "openshift-marketplace".to_string(),
+        }
+    }
+}
+
+impl CloudNativePgOperatorScore {
+    pub fn new(namespace: &str) -> Self {
+        Self {
+            namespace: namespace.to_string(),
+            ..Default::default()
+        }
+    }
+}
+
+impl<T: Topology + K8sclient> Score<T> for CloudNativePgOperatorScore {
+    fn create_interpret(&self) -> Box<dyn Interpret<T>> {
+        let metadata = ObjectMeta {
+            name: Some("cloudnative-pg".to_string()),
+            namespace: Some(self.namespace.clone()),
+            ..ObjectMeta::default()
+        };
+
+        let spec = SubscriptionSpec {
+            channel: Some(self.channel.clone()),
+            config: None,
+            install_plan_approval: Some(self.install_plan_approval.clone()),
+            name: "cloudnative-pg".to_string(),
+            source: self.source.clone(),
+            source_namespace: self.source_namespace.clone(),
+            starting_csv: None,
+        };
+
+        let subscription = Subscription { metadata, spec };
+
+        K8sResourceScore::single(subscription, Some(self.namespace.clone())).create_interpret()
+    }
+
+    fn name(&self) -> String {
+        format!("CloudNativePgOperatorScore({})", self.namespace)
+    }
+}

From f242aafebb799b2807434a503f79aac385d97cc7 Mon Sep 17 00:00:00 2001
From: Jean-Gabriel Gill-Couture <jg@nationtech.io>
Date: Thu, 11 Dec 2025 12:18:28 -0500
Subject: [PATCH 46/51] feat: Subscription for cnpg-operator fixed default
 values, tested and added to operatorhub example.

---
 examples/operatorhub_catalog/src/main.rs   |  8 ++---
 harmony/src/modules/postgresql/operator.rs | 40 ++++++++++++++++++++--
 2 files changed, 42 insertions(+), 6 deletions(-)

diff --git a/examples/operatorhub_catalog/src/main.rs b/examples/operatorhub_catalog/src/main.rs
index 66ba72a..8e35024 100644
--- a/examples/operatorhub_catalog/src/main.rs
+++ b/examples/operatorhub_catalog/src/main.rs
@@ -2,19 +2,19 @@ use std::str::FromStr;
 
 use harmony::{
     inventory::Inventory,
-    modules::{k8s::apps::OperatorHubCatalogSourceScore, tenant::TenantScore},
-    topology::{K8sAnywhereTopology, tenant::TenantConfig},
+    modules::{k8s::apps::OperatorHubCatalogSourceScore, postgresql::CloudNativePgOperatorScore},
+    topology::K8sAnywhereTopology,
 };
-use harmony_types::id::Id;
 
 #[tokio::main]
 async fn main() {
     let operatorhub_catalog = OperatorHubCatalogSourceScore::default();
+    let cnpg_operator = CloudNativePgOperatorScore::default();
 
     harmony_cli::run(
         Inventory::autoload(),
         K8sAnywhereTopology::from_env(),
-        vec![Box::new(operatorhub_catalog)],
+        vec![Box::new(operatorhub_catalog), Box::new(cnpg_operator)],
         None,
     )
     .await
diff --git a/harmony/src/modules/postgresql/operator.rs b/harmony/src/modules/postgresql/operator.rs
index 4f442e6..d908361 100644
--- a/harmony/src/modules/postgresql/operator.rs
+++ b/harmony/src/modules/postgresql/operator.rs
@@ -7,6 +7,42 @@ use crate::modules::k8s::resource::K8sResourceScore;
 use crate::score::Score;
 use crate::topology::{K8sclient, Topology};
 
+/// Install the CloudNativePg (CNPG) Operator via an OperatorHub `Subscription`.
+///
+/// This Score creates a a `Subscription` Custom Resource in the specified namespace.
+///
+/// The default implementation pulls the `cloudnative-pg` operator from the
+/// `operatorhubio-catalog` source.
+///
+/// # Goals
+/// - Deploy the CNPG Operator to manage PostgreSQL clusters in OpenShift/OKD environments.
+///
+/// # Usage
+/// ```
+/// use harmony::modules::postgresql::CloudNativePgOperatorScore;
+/// let score = CloudNativePgOperatorScore::default();
+/// ```
+///
+/// Or, you can take control of most relevant fiedls this way :
+///
+/// ```
+/// use harmony::modules::postgresql::CloudNativePgOperatorScore;
+///
+/// let score = CloudNativePgOperatorScore {
+///     namespace: "custom-cnpg-namespace".to_string(),
+///     channel: "unstable-i-want-bleedingedge-v498437".to_string(),
+///     install_plan_approval: "Manual".to_string(),
+///     source: "operatorhubio-catalog-but-different".to_string(),
+///     source_namespace: "i-customize-everything-marketplace".to_string(),
+/// };
+/// ```
+///
+/// # Limitations
+/// - **OperatorHub dependency**: Requires OperatorHub catalog sources (e.g., `operatorhubio-catalog` in `openshift-marketplace`).
+/// - **OKD/OpenShift assumption**: Catalog/source names and namespaces are hardcoded for OKD-like setups; adjust for upstream OpenShift.
+/// - **Hardcoded values in Default implementation**: Operator name (`cloudnative-pg`), channel (`stable-v1`), automatic install plan approval.
+/// - **No config options**: Does not support custom `SubscriptionConfig` (env vars, node selectors, tolerations).
+/// - **Single namespace**: Targets one namespace per score instance.
 #[derive(Debug, Clone, Serialize)]
 pub struct CloudNativePgOperatorScore {
     pub namespace: String,
@@ -19,8 +55,8 @@ pub struct CloudNativePgOperatorScore {
 impl Default for CloudNativePgOperatorScore {
     fn default() -> Self {
         Self {
-            namespace: "cnpg-system".to_string(),
-            channel: "stable".to_string(),
+            namespace: "openshift-operators".to_string(),
+            channel: "stable-v1".to_string(),
             install_plan_approval: "Automatic".to_string(),
             source: "operatorhubio-catalog".to_string(),
             source_namespace: "openshift-marketplace".to_string(),

From c6f859f97332edd5bcff64110ceaafeefcab86ad Mon Sep 17 00:00:00 2001
From: Willem <wrolleman@nationtech.io>
Date: Tue, 16 Dec 2025 15:30:49 -0500
Subject: [PATCH 47/51] fix(OPNSense): update fields for haproxyy and opnsense
 following most recent update and upgrade to opnsense

---
 opnsense-config-xml/src/data/haproxy.rs  |  2 +-
 opnsense-config-xml/src/data/opnsense.rs | 20 ++++++++++++--------
 2 files changed, 13 insertions(+), 9 deletions(-)

diff --git a/opnsense-config-xml/src/data/haproxy.rs b/opnsense-config-xml/src/data/haproxy.rs
index e82cb33..1114038 100644
--- a/opnsense-config-xml/src/data/haproxy.rs
+++ b/opnsense-config-xml/src/data/haproxy.rs
@@ -114,7 +114,7 @@ pub struct HAProxy {
 #[derive(Default, PartialEq, Debug, YaSerialize, YaDeserialize)]
 pub struct HAProxyResolvers {
     #[yaserde(rename = "resolver")]
-    pub resolver: Resolver,
+    pub resolver: Option<Resolver>,
 }
 
 #[derive(Default, PartialEq, Debug, YaSerialize, YaDeserialize)]
diff --git a/opnsense-config-xml/src/data/opnsense.rs b/opnsense-config-xml/src/data/opnsense.rs
index debbfbf..ad743cd 100644
--- a/opnsense-config-xml/src/data/opnsense.rs
+++ b/opnsense-config-xml/src/data/opnsense.rs
@@ -136,6 +136,7 @@ pub struct Rule {
     pub updated: Option<Updated>,
     pub created: Option<Created>,
     pub disabled: Option<MaybeString>,
+    pub log: Option<u32>,
 }
 
 #[derive(Default, PartialEq, Debug, YaSerialize, YaDeserialize)]
@@ -1140,6 +1141,7 @@ pub struct UnboundGeneral {
     pub local_zone_type: String,
     pub outgoing_interface: MaybeString,
     pub enable_wpad: MaybeString,
+    pub safesearch: MaybeString,
 }
 
 #[derive(Default, PartialEq, Debug, YaSerialize, YaDeserialize)]
@@ -1193,15 +1195,15 @@ pub struct Acls {
 
 #[derive(Default, PartialEq, Debug, YaSerialize, YaDeserialize)]
 pub struct Dnsbl {
-    pub enabled: i32,
-    pub safesearch: MaybeString,
+    pub enabled: Option<i32>,
+    pub safesearch: Option<MaybeString>,
     #[yaserde(rename = "type")]
-    pub r#type: MaybeString,
-    pub lists: MaybeString,
-    pub whitelists: MaybeString,
-    pub blocklists: MaybeString,
-    pub wildcards: MaybeString,
-    pub address: MaybeString,
+    pub r#type: Option<MaybeString>,
+    pub lists: Option<MaybeString>,
+    pub whitelists: Option<MaybeString>,
+    pub blocklists: Option<MaybeString>,
+    pub wildcards: Option<MaybeString>,
+    pub address: Option<MaybeString>,
     pub nxdomain: Option<i32>,
 }
 
@@ -1229,6 +1231,7 @@ pub struct Host {
     pub ttl: Option<MaybeString>,
     pub server: String,
     pub description: Option<String>,
+    pub txtdata: MaybeString,
 }
 
 impl Host {
@@ -1244,6 +1247,7 @@ impl Host {
             ttl: Some(MaybeString::default()),
             mx: MaybeString::default(),
             description: None,
+            txtdata: MaybeString::default(),
         }
     }
 }

From 22875fe8f310f894e977ecbd710481c8be01dba5 Mon Sep 17 00:00:00 2001
From: Willem <wrolleman@nationtech.io>
Date: Wed, 17 Dec 2025 15:00:48 -0500
Subject: [PATCH 48/51] fix: updated test xml structures to match with new
 fields added to opnsense

---
 .../src/tests/data/config-25.7-dnsmasq-static-host.xml       | 1 +
 opnsense-config/src/tests/data/config-full-1.xml             | 5 +++++
 .../src/tests/data/config-full-25.7-dnsmasq-options.xml      | 1 +
 .../tests/data/config-full-25.7-dummy-dnsmasq-options.xml    | 1 +
 opnsense-config/src/tests/data/config-full-25.7.xml          | 1 +
 opnsense-config/src/tests/data/config-full-ncd0.xml          | 1 +
 opnsense-config/src/tests/data/config-opnsense-25.1.xml      | 1 +
 .../data/config-structure-with-dhcp-staticmap-entry.xml      | 5 +++++
 opnsense-config/src/tests/data/config-structure.xml          | 5 +++++
 opnsense-config/src/tests/data/config-vm-test.xml            | 1 +
 .../src/tests/data/config-vm-test_cheat_descr.xml            | 1 +
 opnsense-config/src/tests/data/config-vm-test_linted.xml     | 1 +
 12 files changed, 24 insertions(+)

diff --git a/opnsense-config/src/tests/data/config-25.7-dnsmasq-static-host.xml b/opnsense-config/src/tests/data/config-25.7-dnsmasq-static-host.xml
index f36e4f7..737766c 100644
--- a/opnsense-config/src/tests/data/config-25.7-dnsmasq-static-host.xml
+++ b/opnsense-config/src/tests/data/config-25.7-dnsmasq-static-host.xml
@@ -612,6 +612,7 @@
         <local_zone_type>transparent</local_zone_type>
         <outgoing_interface/>
         <enable_wpad>0</enable_wpad>
+        <safesearch/>
       </general>
       <advanced>
         <hideidentity>0</hideidentity>
diff --git a/opnsense-config/src/tests/data/config-full-1.xml b/opnsense-config/src/tests/data/config-full-1.xml
index 378d577..9b417f2 100644
--- a/opnsense-config/src/tests/data/config-full-1.xml
+++ b/opnsense-config/src/tests/data/config-full-1.xml
@@ -2003,6 +2003,7 @@
         <cacheflush/>
         <local_zone_type>transparent</local_zone_type>
         <outgoing_interface/>
+        <safesearch/>
         <enable_wpad/>
       </general>
       <advanced>
@@ -2071,6 +2072,7 @@
           <mx/>
           <server>192.168.20.161</server>
           <description>Some app local</description>
+          <txtdata/>
         </host>
         <host uuid="dd593e95-02bc-476f-8610-fa1ee454e950">
           <enabled>1</enabled>
@@ -2081,6 +2083,7 @@
           <mx/>
           <server>192.168.20.161</server>
           <description>Some app local</description>
+          <txtdata/>
         </host>
         <host uuid="e1606f96-dd38-471f-a3d7-ad25e41e810d">
           <enabled>1</enabled>
@@ -2091,6 +2094,7 @@
           <mx/>
           <server>192.168.20.161</server>
           <description>Some app local</description>
+          <txtdata/>
         </host>
       </hosts>
       <aliases/>
@@ -2117,6 +2121,7 @@
             <endpoint/>
             <peer_dns/>
             <carp_depend_on/>
+            <debug/>
             <peers>03031aec-2e84-462e-9eab-57762dde667a,98e6ca3d-1de9-449b-be80-77022221b509,67c0ace5-e802-4d2b-a536-f8b7a2db6f99,74b60fff-7844-4097-9966-f1c2b1ad29ff,3de82ad5-bc1b-4b91-9598-f906e58ac937,a95e6b5e-24a4-40b5-bb41-b79e784f6f1c,6c9a12c6-c1ca-4c14-866b-975406a30590,c33b308b-7125-4688-9561-989ace8787b5,e43f004a-23bf-4027-8fb0-953fbb40479f</peers>
           </server>
         </servers>
diff --git a/opnsense-config/src/tests/data/config-full-25.7-dnsmasq-options.xml b/opnsense-config/src/tests/data/config-full-25.7-dnsmasq-options.xml
index 879d8d6..d2303a9 100644
--- a/opnsense-config/src/tests/data/config-full-25.7-dnsmasq-options.xml
+++ b/opnsense-config/src/tests/data/config-full-25.7-dnsmasq-options.xml
@@ -614,6 +614,7 @@
         <local_zone_type>transparent</local_zone_type>
         <outgoing_interface/>
         <enable_wpad>0</enable_wpad>
+        <safesearch/>
       </general>
       <advanced>
         <hideidentity>0</hideidentity>
diff --git a/opnsense-config/src/tests/data/config-full-25.7-dummy-dnsmasq-options.xml b/opnsense-config/src/tests/data/config-full-25.7-dummy-dnsmasq-options.xml
index 5e22137..f7d7739 100644
--- a/opnsense-config/src/tests/data/config-full-25.7-dummy-dnsmasq-options.xml
+++ b/opnsense-config/src/tests/data/config-full-25.7-dummy-dnsmasq-options.xml
@@ -750,6 +750,7 @@
         <local_zone_type>transparent</local_zone_type>
         <outgoing_interface/>
         <enable_wpad>0</enable_wpad>
+        <safesearch/>
       </general>
       <advanced>
         <hideidentity>0</hideidentity>
diff --git a/opnsense-config/src/tests/data/config-full-25.7.xml b/opnsense-config/src/tests/data/config-full-25.7.xml
index 1cd4909..eccdee3 100644
--- a/opnsense-config/src/tests/data/config-full-25.7.xml
+++ b/opnsense-config/src/tests/data/config-full-25.7.xml
@@ -709,6 +709,7 @@
         <local_zone_type>transparent</local_zone_type>
         <outgoing_interface/>
         <enable_wpad>0</enable_wpad>
+        <safesearch/>
       </general>
       <advanced>
         <hideidentity>0</hideidentity>
diff --git a/opnsense-config/src/tests/data/config-full-ncd0.xml b/opnsense-config/src/tests/data/config-full-ncd0.xml
index 9243cf2..6cb6186 100644
--- a/opnsense-config/src/tests/data/config-full-ncd0.xml
+++ b/opnsense-config/src/tests/data/config-full-ncd0.xml
@@ -951,6 +951,7 @@
         <local_zone_type>transparent</local_zone_type>
         <outgoing_interface/>
         <enable_wpad/>
+        <safesearch/>
       </general>
       <advanced>
         <hideidentity>0</hideidentity>
diff --git a/opnsense-config/src/tests/data/config-opnsense-25.1.xml b/opnsense-config/src/tests/data/config-opnsense-25.1.xml
index c6bc1a8..0c9a6f1 100644
--- a/opnsense-config/src/tests/data/config-opnsense-25.1.xml
+++ b/opnsense-config/src/tests/data/config-opnsense-25.1.xml
@@ -808,6 +808,7 @@
         <local_zone_type>transparent</local_zone_type>
         <outgoing_interface/>
         <enable_wpad/>
+        <safesearch/>
       </general>
       <advanced>
         <hideidentity/>
diff --git a/opnsense-config/src/tests/data/config-structure-with-dhcp-staticmap-entry.xml b/opnsense-config/src/tests/data/config-structure-with-dhcp-staticmap-entry.xml
index f41b055..2266fb0 100644
--- a/opnsense-config/src/tests/data/config-structure-with-dhcp-staticmap-entry.xml
+++ b/opnsense-config/src/tests/data/config-structure-with-dhcp-staticmap-entry.xml
@@ -726,6 +726,7 @@
         <local_zone_type>transparent</local_zone_type>
         <outgoing_interface/>
         <enable_wpad/>
+        <safesearch/>
       </general>
       <advanced>
         <hideidentity>0</hideidentity>
@@ -793,6 +794,7 @@
           <mx/>
           <server>192.168.20.161</server>
           <description>Some app local</description>
+          <txtdata/>
         </host>
         <host uuid="dd593e95-02bc-476f-8610-fa1ee454e950">
           <enabled>1</enabled>
@@ -803,6 +805,7 @@
           <mx/>
           <server>192.168.20.161</server>
           <description>Some app local</description>
+          <txtdata/>
         </host>
         <host uuid="e1606f96-dd38-471f-a3d7-ad25e41e810d">
           <enabled>1</enabled>
@@ -813,6 +816,7 @@
           <mx/>
           <server>192.168.20.161</server>
           <description>Some app local</description>
+          <txtdata/>
         </host>
       </hosts>
       <aliases/>
@@ -838,6 +842,7 @@
             <gateway/>
             <carp_depend_on/>
             <peers>03031aec-2e84-462e-9eab-57762dde667a,98e6ca3d-1de9-449b-be80-77022221b509,67c0ace5-e802-4d2b-a536-f8b7a2db6f99,74b60fff-7844-4097-9966-f1c2b1ad29ff,3de82ad5-bc1b-4b91-9598-f906e58ac937,a95e6b5e-24a4-40b5-bb41-b79e784f6f1c,6c9a12c6-c1ca-4c14-866b-975406a30590,c33b308b-7125-4688-9561-989ace8787b5,e43f004a-23bf-4027-8fb0-953fbb40479f</peers>
+            <debug/>
             <endpoint/>
             <peer_dns/>
           </server>
diff --git a/opnsense-config/src/tests/data/config-structure.xml b/opnsense-config/src/tests/data/config-structure.xml
index 32c9317..ae26f76 100644
--- a/opnsense-config/src/tests/data/config-structure.xml
+++ b/opnsense-config/src/tests/data/config-structure.xml
@@ -718,6 +718,7 @@
         <local_zone_type>transparent</local_zone_type>
         <outgoing_interface/>
         <enable_wpad/>
+        <safesearch/>
       </general>
       <advanced>
         <hideidentity>0</hideidentity>
@@ -785,6 +786,7 @@
           <mx/>
           <server>192.168.20.161</server>
           <description>Some app local</description>
+          <txtdata/>
         </host>
         <host uuid="dd593e95-02bc-476f-8610-fa1ee454e950">
           <enabled>1</enabled>
@@ -795,6 +797,7 @@
           <mx/>
           <server>192.168.20.161</server>
           <description>Some app local</description>
+          <txtdata/>
         </host>
         <host uuid="e1606f96-dd38-471f-a3d7-ad25e41e810d">
           <enabled>1</enabled>
@@ -805,6 +808,7 @@
           <mx/>
           <server>192.168.20.161</server>
           <description>Some app local</description>
+          <txtdata/>
         </host>
       </hosts>
       <aliases/>
@@ -832,6 +836,7 @@
             <gateway/>
             <carp_depend_on/>
             <peers>03031aec-2e84-462e-9eab-57762dde667a,98e6ca3d-1de9-449b-be80-77022221b509,67c0ace5-e802-4d2b-a536-f8b7a2db6f99,74b60fff-7844-4097-9966-f1c2b1ad29ff,3de82ad5-bc1b-4b91-9598-f906e58ac937,a95e6b5e-24a4-40b5-bb41-b79e784f6f1c,6c9a12c6-c1ca-4c14-866b-975406a30590,c33b308b-7125-4688-9561-989ace8787b5,e43f004a-23bf-4027-8fb0-953fbb40479f</peers>
+            <debug/>
           </server>
         </servers>
       </server>
diff --git a/opnsense-config/src/tests/data/config-vm-test.xml b/opnsense-config/src/tests/data/config-vm-test.xml
index 1d176b4..06429df 100644
--- a/opnsense-config/src/tests/data/config-vm-test.xml
+++ b/opnsense-config/src/tests/data/config-vm-test.xml
@@ -869,6 +869,7 @@
         <local_zone_type>transparent</local_zone_type>
         <outgoing_interface/>
         <enable_wpad/>
+        <safesearch/>
       </general>
       <advanced>
         <hideidentity/>
diff --git a/opnsense-config/src/tests/data/config-vm-test_cheat_descr.xml b/opnsense-config/src/tests/data/config-vm-test_cheat_descr.xml
index 4f1442a..a38a712 100644
--- a/opnsense-config/src/tests/data/config-vm-test_cheat_descr.xml
+++ b/opnsense-config/src/tests/data/config-vm-test_cheat_descr.xml
@@ -862,6 +862,7 @@
         <local_zone_type>transparent</local_zone_type>
         <outgoing_interface/>
         <enable_wpad/>
+        <safesearch/>
       </general>
       <advanced>
         <hideidentity/>
diff --git a/opnsense-config/src/tests/data/config-vm-test_linted.xml b/opnsense-config/src/tests/data/config-vm-test_linted.xml
index 1d176b4..06429df 100644
--- a/opnsense-config/src/tests/data/config-vm-test_linted.xml
+++ b/opnsense-config/src/tests/data/config-vm-test_linted.xml
@@ -869,6 +869,7 @@
         <local_zone_type>transparent</local_zone_type>
         <outgoing_interface/>
         <enable_wpad/>
+        <safesearch/>
       </general>
       <advanced>
         <hideidentity/>

From 5cce9f8e7467bd19d6d45f9f00c2c222468ea434 Mon Sep 17 00:00:00 2001
From: Jean-Gabriel Gill-Couture <jg@nationtech.io>
Date: Fri, 19 Dec 2025 10:12:44 -0500
Subject: [PATCH 49/51] adr: draft ADR proposing harmony agent and
 nats-jetstram for decentralized workload management

---
 ...h-For-Decentralized-Workload-Management.md | 90 +++++++++++++++++++
 1 file changed, 90 insertions(+)
 create mode 100644 adr/016-Harmony-Agent-And-Global-Mesh-For-Decentralized-Workload-Management.md

diff --git a/adr/016-Harmony-Agent-And-Global-Mesh-For-Decentralized-Workload-Management.md b/adr/016-Harmony-Agent-And-Global-Mesh-For-Decentralized-Workload-Management.md
new file mode 100644
index 0000000..5c99aec
--- /dev/null
+++ b/adr/016-Harmony-Agent-And-Global-Mesh-For-Decentralized-Workload-Management.md
@@ -0,0 +1,90 @@
+# Architecture Decision Record: Global Orchestration Mesh & The Harmony Agent
+
+**Status:** Proposed
+**Date:** 2025-12-19
+
+## Context
+
+Harmony is designed to enable a truly decentralized infrastructure where independent clusters—owned by different organizations or running on diverse hardware—can collaborate reliably. This vision combines the decentralization of Web3 with the performance and capabilities of Web2.
+
+Currently, Harmony operates as a stateless CLI tool, invoked manually or via CI runners. While effective for deployment, this model presents a critical limitation: **a CLI cannot react to real-time events.**
+
+To achieve automated failover and dynamic workload management, we need a system that is "always on." Relying on manual intervention or scheduled CI jobs to recover from a cluster failure creates unacceptable latency and prevents us from scaling to thousands of nodes.
+
+Furthermore, we face a challenge in serving diverse workloads:
+*   **Financial workloads** require absolute consistency (CP - Consistency/Partition Tolerance).
+*   **AI/Inference workloads** require maximum availability (AP - Availability/Partition Tolerance).
+
+There are many more use cases, but those are the two extremes.
+
+We need a unified architecture that automates cluster coordination and supports both consistency models without requiring a complete re-architecture in the future.
+
+## Decision
+
+We propose a fundamental architectural evolution. It has been clear since the start of Harmony that it would be necessary to transition Harmony from a purely ephemeral CLI tool to a system that includes a persistent **Harmony Agent**. This Agent will connect to a **Global Orchestration Mesh** based on a strongly consistent protocol.
+
+The proposal consists of four key pillars:
+
+### 1. The Harmony Agent (New Component)
+We will develop a long-running process (Daemon/Agent) to be deployed alongside workloads.
+*   **Shift from CLI:** Unlike the CLI, which applies configuration and exits, the Agent maintains a persistent connection to the mesh.
+*   **Responsibility:** It actively monitors cluster health, participates in consensus, and executes lifecycle commands (start/stop/fence) instantly when the mesh dictates a state change.
+
+### 2. The Technology: NATS JetStream
+We will utilize **NATS JetStream** as the underlying transport and consensus layer for the Agent and the Mesh.
+*   **Why not raw Raft?** Implementing a raw Raft library requires building and maintaining the transport layer, log compaction, snapshotting, and peer discovery manually. NATS JetStream provides a battle-tested, distributed log and Key-Value store (based on Raft) out of the box, along with a high-performance pub/sub system for event propagation.
+*   **Role:** It will act as the "source of truth" for the cluster state.
+
+### 3. Strong Consistency at the Mesh Layer
+The mesh will operate with **Strong Consistency** by default.
+*   All critical cluster state changes (topology updates, lease acquisitions, leadership elections) will require consensus among the Agents.
+*   This ensures that in the event of a network partition, we have a mathematical guarantee of which side holds the valid state, preventing data corruption.
+
+### 4. Public UX: The `FailoverStrategy` Abstraction
+To keep the user experience stable and simple, we will expose the complexity of the mesh through a high-level configuration API, tentatively called `FailoverStrategy`.
+
+The user defines the *intent* in their config, and the Harmony Agent automates the *execution*:
+
+*   **`FailoverStrategy::AbsoluteConsistency`**:
+    *   *Use Case:* Banking, Transactional DBs.
+    *   *Behavior:* If the mesh detects a partition, the Agent on the minority side immediately halts workloads. No split-brain is ever allowed.
+*   **`FailoverStrategy::SplitBrainAllowed`**:
+    *   *Use Case:* LLM Inference, Stateless Web Servers.
+    *   *Behavior:* If a partition occurs, the Agent keeps workloads running to maximize uptime. State is reconciled when connectivity returns.
+
+## Rationale
+
+**The Necessity of an Agent**
+You cannot automate what you do not monitor. Moving to an Agent-based model is the only way to achieve sub-second reaction times to infrastructure failures. It transforms Harmony from a deployment tool into a self-healing platform.
+
+**Scaling & Decentralization**
+To allow independent clusters to collaborate, they need a shared language. A strongly consistent mesh allows Cluster A (Organization X) and Cluster B (Organization Y) to agree on workload placement without a central authority.
+
+**Why Strong Consistency First?**
+It is technically feasible to relax a strongly consistent system to allow for "Split Brain" behavior (AP) when the user requests it. However, it is nearly impossible to take an eventually consistent system and force it to be strongly consistent (CP) later. By starting with strict constraints, we cover the hardest use cases (Finance) immediately.
+
+**Future Topologies**
+While our immediate need is `FailoverTopology` (Multi-site), this architecture supports any future topology logic:
+*   **`CostTopology`**: Agents negotiate to route workloads to the cluster with the cheapest spot instances.
+*   **`HorizontalTopology`**: Spreading a single workload across 100 clusters for massive scale.
+*   **`GeoTopology`**: Ensuring data stays within specific legal jurisdictions.
+
+The mesh provides the *capability* (consensus and messaging); the topology provides the *logic*.
+
+## Consequences
+
+**Positive**
+*   **Automation:** Eliminates manual failover, enabling massive scale.
+*   **Reliability:** Guarantees data safety for critical workloads by default.
+*   **Flexibility:** A single codebase serves both high-frequency trading and AI inference.
+*   **Stability:** The public API remains abstract, allowing us to optimize the mesh internals without breaking user code.
+
+**Negative**
+*   **Deployment Complexity:** Users must now deploy and maintain a running service (the Agent) rather than just downloading a binary.
+*   **Engineering Complexity:** Integrating NATS JetStream and handling distributed state machines is significantly more complex than the current CLI logic.
+
+## Implementation Plan (Short Term)
+1.  **Agent Bootstrap:** Create the initial scaffold for the Harmony Agent (daemon).
+2.  **Mesh Integration:** Prototype NATS JetStream embedding within the Agent.
+3.  **Strategy Implementation:** Add `FailoverStrategy` to the configuration schema and implement the logic in the Agent to read and act on it.
+4.  **Migration:** Transition the current manual failover scripts into event-driven logic handled by the Agent.

From 2b19d8c3e81d39cd6620f67998ad96c9e1bcbc99 Mon Sep 17 00:00:00 2001
From: wjro <wrolleman@nationtech.io>
Date: Tue, 6 Jan 2026 10:51:53 -0500
Subject: [PATCH 50/51] fix: changed name to switch_ips for more clarity

---
 examples/brocade_snmp_server/src/main.rs | 2 +-
 harmony/src/modules/brocade.rs           | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/examples/brocade_snmp_server/src/main.rs b/examples/brocade_snmp_server/src/main.rs
index ff9b671..4624489 100644
--- a/examples/brocade_snmp_server/src/main.rs
+++ b/examples/brocade_snmp_server/src/main.rs
@@ -7,7 +7,7 @@ use harmony::{
 #[tokio::main]
 async fn main() {
     let brocade_snmp_server = BrocadeEnableSnmpScore {
-        server_ips: vec![IpAddr::V4(Ipv4Addr::new(192, 168, 1, 111))],
+        switch_ips: vec![IpAddr::V4(Ipv4Addr::new(192, 168, 1, 111))],
         dry_run: true,
     };
 
diff --git a/harmony/src/modules/brocade.rs b/harmony/src/modules/brocade.rs
index 7264609..de6b957 100644
--- a/harmony/src/modules/brocade.rs
+++ b/harmony/src/modules/brocade.rs
@@ -16,7 +16,7 @@ use crate::{
 
 #[derive(Debug, Clone, Serialize)]
 pub struct BrocadeEnableSnmpScore {
-    pub server_ips: Vec<IpAddr>,
+    pub switch_ips: Vec<IpAddr>,
     pub dry_run: bool,
 }
 
@@ -57,7 +57,7 @@ impl<T: Topology> Interpret<T> for BrocadeEnableSnmpInterpret {
         _inventory: &Inventory,
         _topology: &T,
     ) -> Result<Outcome, InterpretError> {
-        let switch_addresses = &self.score.server_ips;
+        let switch_addresses = &self.score.switch_ips;
 
         let snmp_auth = SecretManager::get_or_prompt::<BrocadeSnmpAuth>()
             .await

From fdf1dfaa30803d2031628e0335e6d9c9ae6717a8 Mon Sep 17 00:00:00 2001
From: wjro <wrolleman@nationtech.io>
Date: Tue, 6 Jan 2026 14:17:04 -0500
Subject: [PATCH 51/51] fix: leave implementers to define their Debug, so
 removed impl Debug for dyn NodeExporter

---
 Cargo.lock                                   | 52 ++++++++++++++------
 examples/opnsense_node_exporter/src/main.rs  |  1 +
 harmony/src/domain/topology/node_exporter.rs | 14 +++---
 3 files changed, 45 insertions(+), 22 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index 65f2d8b..5c45111 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -690,6 +690,24 @@ dependencies = [
  "tokio",
 ]
 
+[[package]]
+name = "brocade-snmp-server"
+version = "0.1.0"
+dependencies = [
+ "base64 0.22.1",
+ "brocade",
+ "env_logger",
+ "harmony",
+ "harmony_cli",
+ "harmony_macros",
+ "harmony_secret",
+ "harmony_types",
+ "log",
+ "serde",
+ "tokio",
+ "url",
+]
+
 [[package]]
 name = "brocade-switch"
 version = "0.1.0"
@@ -1885,6 +1903,25 @@ dependencies = [
  "url",
 ]
 
+[[package]]
+name = "example-opnsense-node-exporter"
+version = "0.1.0"
+dependencies = [
+ "async-trait",
+ "cidr",
+ "env_logger",
+ "harmony",
+ "harmony_cli",
+ "harmony_macros",
+ "harmony_secret",
+ "harmony_secret_derive",
+ "harmony_types",
+ "log",
+ "serde",
+ "tokio",
+ "url",
+]
+
 [[package]]
 name = "example-pxe"
 version = "0.1.0"
@@ -6095,21 +6132,6 @@ version = "0.5.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "8f50febec83f5ee1df3015341d8bd429f2d1cc62bcba7ea2076759d315084683"
 
-[[package]]
-name = "test-score"
-version = "0.1.0"
-dependencies = [
- "base64 0.22.1",
- "env_logger",
- "harmony",
- "harmony_cli",
- "harmony_macros",
- "harmony_types",
- "log",
- "tokio",
- "url",
-]
-
 [[package]]
 name = "thiserror"
 version = "1.0.69"
diff --git a/examples/opnsense_node_exporter/src/main.rs b/examples/opnsense_node_exporter/src/main.rs
index 4b16841..d71d2ed 100644
--- a/examples/opnsense_node_exporter/src/main.rs
+++ b/examples/opnsense_node_exporter/src/main.rs
@@ -18,6 +18,7 @@ use harmony::{
 };
 use harmony_macros::{ip, ipv4, mac_address};
 
+#[derive(Debug)]
 struct OpnSenseTopology {
     node_exporter: Arc<dyn NodeExporter>,
 }
diff --git a/harmony/src/domain/topology/node_exporter.rs b/harmony/src/domain/topology/node_exporter.rs
index 88e3cc9..1e6ef67 100644
--- a/harmony/src/domain/topology/node_exporter.rs
+++ b/harmony/src/domain/topology/node_exporter.rs
@@ -3,15 +3,15 @@ use async_trait::async_trait;
 use crate::executors::ExecutorError;
 
 #[async_trait]
-pub trait NodeExporter: Send + Sync {
+pub trait NodeExporter: Send + Sync + std::fmt::Debug {
     async fn ensure_initialized(&self) -> Result<(), ExecutorError>;
     async fn commit_config(&self) -> Result<(), ExecutorError>;
     async fn reload_restart(&self) -> Result<(), ExecutorError>;
 }
 
-//TODO complete this impl
-impl std::fmt::Debug for dyn NodeExporter {
-    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
-        f.write_fmt(format_args!("NodeExporter ",))
-    }
-}
+// //TODO complete this impl
+// impl std::fmt::Debug for dyn NodeExporter {
+//     fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+//         f.write_fmt(format_args!("NodeExporter ",))
+//     }
+// }