fix: modified discordwebhookreceiver to use a generic initialize_alert_receiver function from k8sanywhere topology

Updates  to use  for managing
Discord webhook adapter deployments. This prevents redundant installations
by ensuring that the deployment interpret for a given adapter
configuration is executed only once.

The internal state now uses a  keyed by the alertreceiver ID to
track and initialize each receiver's .

.cargo/config.toml

@@ -0,0 +1,5 @@
+[target.x86_64-pc-windows-msvc]
+rustflags = ["-C", "link-arg=/STACK:8000000"]
+
+[target.x86_64-pc-windows-gnu]
+rustflags = ["-C", "link-arg=-Wl,--stack,8000000"]

.gitea/workflows/check.yml

@@ -0,0 +1,14 @@
+name: Run Check Script
+on:
+  push:
+  pull_request:
+
+jobs:
+  check:
+    runs-on: rust-cargo
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      
+      - name: Run check script
+        run: bash check.sh

CONTRIBUTING.md

@@ -0,0 +1,36 @@
+# Contributing to the Harmony project
+
+## Write small P-R
+
+Aim for the smallest piece of work that is mergeable.
+
+Mergeable means that :
+
+- it does not break the build
+- it moves the codebase one step forward
+
+P-Rs can be many things, they do not have to be complete features.
+
+### What a P-R **should** be
+
+- Introduce a new trait : This will be the place to discuss the new trait addition, its design and implementation
+- A new implementation of a trait : a new concrete implementation of the LoadBalancer trait
+- A new CI check : something that improves quality, robustness, ci performance
+- Documentation improvements
+- Refactoring
+- Bugfix
+
+### What a P-R **should not** be
+
+- Large. Anything over 200 lines (excluding generated lines) should have a very good reason to be this large.
+- A mix of refactoring, bug fixes and new features.
+- Introducing multiple new features or ideas at once.
+- Multiple new implementations of a trait/functionnality at once
+
+The general idea is to keep P-Rs small and single purpose.
+
+## Commit message formatting
+
+We follow conventional commits guidelines.
+
+https://www.conventionalcommits.org/en/v1.0.0/

Cargo.toml

@@ -9,6 +9,8 @@ members = [
   "harmony_tui",
   "opnsense-config",
   "opnsense-config-xml",
+  "harmony_cli",
+  "k3d",
 ]
 
 [workspace.package]
@@ -21,22 +23,24 @@ log = "0.4.22"
 env_logger = "0.11.5"
 derive-new = "0.7.0"
 async-trait = "0.1.82"
-tokio = { version = "1.40.0", features = ["io-std", "fs"] }
+tokio = { version = "1.40.0", features = ["io-std", "fs", "macros", "rt-multi-thread"] }
 cidr = "0.2.3"
 russh = "0.45.0"
 russh-keys = "0.45.0"
 rand = "0.8.5"
 url = "2.5.4"
 kube = "0.98.0"
-k8s-openapi = { version = "0.24.0", features = [ "v1_30" ] }
+k8s-openapi = { version = "0.24.0", features = ["v1_30"] }
 serde_yaml = "0.9.34"
 serde-value = "0.7.0"
 http = "1.2.0"
+inquire = "0.7.5"
+convert_case =  "0.8.0"
 
 [workspace.dependencies.uuid]
 version = "1.11.0"
 features = [
-    "v4",                # Lets you generate random UUIDs
-    "fast-rng",          # Use a faster (but still sufficiently random) RNG
-    "macro-diagnostics", # Enable better diagnostics for compile-time UUIDs
+  "v4",                # Lets you generate random UUIDs
+  "fast-rng",          # Use a faster (but still sufficiently random) RNG
+  "macro-diagnostics", # Enable better diagnostics for compile-time UUIDs
 ]

README.md

@@ -8,6 +8,164 @@ This will launch Harmony's minimalist terminal ui which embeds a few demo scores
 
 Usage instructions will be displayed at the bottom of the TUI.
 
+`cargo run --bin example-cli -- --help`
+
+This is the harmony CLI, a minimal implementation
+
+The current help text:
+
+````
+Usage: example-cli [OPTIONS]
+
+Options:
+  -y, --yes              Run score(s) or not
+  -f, --filter <FILTER>  Filter query
+  -i, --interactive      Run interactive TUI or not
+  -a, --all              Run all or nth, defaults to all
+  -n, --number <NUMBER>  Run nth matching, zero indexed [default: 0]
+  -l, --list             list scores, will also be affected by run filter
+  -h, --help             Print help
+  -V, --version          Print version```
+
 ## Core architecture
 
 ![Harmony Core Architecture](docs/diagrams/Harmony_Core_Architecture.drawio.svg)
+````
+## Supporting a new field in OPNSense `config.xml`
+
+Two steps:
+- Supporting the field in `opnsense-config-xml`
+- Enabling Harmony to control the field
+
+We'll use the `filename` field in the `dhcpcd` section of the file as an example.
+
+### Supporting the field
+
+As type checking if enforced, every field from `config.xml` must be known by the code. Each subsection of `config.xml` has its `.rs` file. For the `dhcpcd` section, we'll modify `opnsense-config-xml/src/data/dhcpd.rs`.
+
+When a new field appears in the xml file, an error like this will be thrown and Harmony will panic :
+```
+     Running `/home/stremblay/nt/dir/harmony/target/debug/example-nanodc`
+Found unauthorized element filename
+thread 'main' panicked at opnsense-config-xml/src/data/opnsense.rs:54:14:
+OPNSense received invalid string, should be full XML: ()
+
+```
+
+Define the missing field (`filename`) in the `DhcpInterface` struct of `opnsense-config-xml/src/data/dhcpd.rs`:
+```
+pub struct DhcpInterface {
+    ...
+    pub filename: Option<String>,
+```
+
+Harmony should now be fixed, build and run.
+
+### Controlling the field
+
+Define the `xml field setter` in `opnsense-config/src/modules/dhcpd.rs`.
+```
+impl<'a> DhcpConfig<'a> {
+    ...
+    pub fn set_filename(&mut self, filename: &str) {
+        self.enable_netboot();
+        self.get_lan_dhcpd().filename = Some(filename.to_string());
+    }
+    ...
+```
+
+Define the `value setter` in the `DhcpServer trait`  in `domain/topology/network.rs`
+```
+#[async_trait]
+pub trait DhcpServer: Send + Sync {
+    ...
+    async fn set_filename(&self, filename: &str) -> Result<(), ExecutorError>;
+    ...
+```
+
+Implement the `value setter` in each `DhcpServer` implementation.
+`infra/opnsense/dhcp.rs`:
+```
+#[async_trait]
+impl DhcpServer for OPNSenseFirewall {
+    ...
+    async fn set_filename(&self, filename: &str) -> Result<(), ExecutorError> {
+        {
+            let mut writable_opnsense = self.opnsense_config.write().await;
+            writable_opnsense.dhcp().set_filename(filename);
+            debug!("OPNsense dhcp server set filename {filename}");
+        }
+
+        Ok(())
+    }
+    ...
+```
+
+`domain/topology/ha_cluster.rs`
+```
+#[async_trait]
+impl DhcpServer for DummyInfra {
+    ...
+    async fn set_filename(&self, _filename: &str) -> Result<(), ExecutorError> {
+        unimplemented!("{}", UNIMPLEMENTED_DUMMY_INFRA)
+    }
+    ...
+```
+
+Add the new field to the DhcpScore in `modules/dhcp.rs`
+```
+pub struct DhcpScore {
+    ...
+    pub filename: Option<String>,
+```
+
+Define it in its implementation in `modules/okd/dhcp.rs`
+```
+impl OKDDhcpScore {
+        ...
+        Self {
+            dhcp_score: DhcpScore {
+                ...
+                filename: Some("undionly.kpxe".to_string()),
+```
+
+Define it in its implementation in `modules/okd/bootstrap_dhcp.rs`
+```
+impl OKDDhcpScore {
+        ...
+        Self {
+            dhcp_score: DhcpScore::new(
+                ...
+                Some("undionly.kpxe".to_string()),
+```
+
+Update the interpret (function called by the `execute` fn of the interpret) so it now updates the `filename` field value in `modules/dhcp.rs`
+```
+impl DhcpInterpret {
+        ...
+        let filename_outcome = match &self.score.filename {
+            Some(filename) => {
+                let dhcp_server = Arc::new(topology.dhcp_server.clone());
+                dhcp_server.set_filename(&filename).await?;
+                Outcome::new(
+                    InterpretStatus::SUCCESS,
+                    format!("Dhcp Interpret Set filename to {filename}"),
+                )
+            }
+            None => Outcome::noop(),
+        };
+
+        if next_server_outcome.status == InterpretStatus::NOOP
+            && boot_filename_outcome.status == InterpretStatus::NOOP
+            && filename_outcome.status == InterpretStatus::NOOP
+
+            ...
+
+            Ok(Outcome::new(
+            InterpretStatus::SUCCESS,
+            format!(
+                "Dhcp Interpret Set next boot to [{:?}], boot_filename to [{:?}], filename to [{:?}]",
+                self.score.boot_filename, self.score.boot_filename, self.score.filename
+            )
+            ...
+```

adr/000-ADR-Template.md

@@ -1,6 +1,6 @@
 # Architecture Decision Record: \<Title\>
 
-Name: \<Name\>
+Initial Author: \<Name\>
 
 Initial Date: \<Date\>
 

adr/009-helm-and-kustomize-handling.md

@@ -1,6 +1,6 @@
 # Architecture Decision Record: Helm and Kustomize Handling
 
-Name: Taha Hawa
+Initial Author: Taha Hawa
 
 Initial Date: 2025-04-15
 

adr/010-monitoring-and-alerting.md

@@ -0,0 +1,68 @@
+# Architecture Decision Record: Monitoring and Alerting
+
+Initial Author : Willem Rolleman
+Date : April 28 2025
+
+## Status
+
+Proposed
+
+## Context
+
+A harmony user should be able to initialize a monitoring stack easily, either at the first run of Harmony, or that integrates with existing proects and infra without creating multiple instances of the monitoring stack or overwriting existing alerts/configurations.The user also needs a simple way to configure the stack so that it watches the projects. There should be reasonable defaults configured that are easily customizable for each project    
+
+## Decision
+
+Create MonitoringStack score that creates a maestro to launch the monitoring stack or not if it is already present. 
+The MonitoringStack score can be passed to the maestro in the vec! scores list
+
+## Rationale
+
+Having the score launch a maestro will allow the user to easily create a new monitoring stack and keeps composants grouped together. The MonitoringScore can handle all the logic for adding alerts, ensuring that the stack is running etc. 
+
+## Alerternatives considered
+
+- ### Implement alerting and monitoring stack using existing HelmScore for each project
+    - **Pros**:
+        - Each project can choose to use the monitoring and alerting stack that they choose
+        - Less overhead in terms of care harmony code
+        - can add Box::new(grafana::grafanascore(namespace)) 
+    - **Cons**:
+        - No default solution implemented
+        - Dev needs to chose what they use
+        - Increases complexity of score projects
+        - Each project will create a new monitoring and alerting instance rather than joining the existing one
+
+
+- ### Use OKD grafana and prometheus
+    - **Pros**:
+        - Minimal config to do in Harmony
+    - **Cons**:
+        - relies on OKD so will not working for local testing via k3d
+
+- ### Create a monitoring and alerting crate similar to harmony tui
+    - **Pros**:
+        - Creates a default solution that can be implemented once by harmony
+        - can create a join function that will allow a project to connect to the existing solution
+        - eliminates risk of creating multiple instances of grafana or prometheus
+    - **Cons**:
+        - more complex than using a helm score
+        - management of values files for individual functions becomes more complicated, ie how do you create alerts for one project via helm install that doesnt overwrite the other alerts 
+
+- ### Add monitoring to Maestro struct so whether the monitoring stack is used must be defined 
+    - **Pros**:
+        - less for the user to define
+        - may be easier to set defaults 
+    - **Cons**:
+        - feels counterintuitive 
+        - would need to modify the structure of the maestro and how it operates which seems like a bad idea
+        - unclear how to allow user to pass custom values/configs to the monitoring stack for subsequent projects
+
+- ### Create MonitoringStack score to add to scores vec! which loads a maestro to install stack if not ready or add custom endpoints/alerts to existing stack
+    - **Pros**:
+        - Maestro already accepts a list of scores to initialize
+        - leaving out the monitoring score simply means the user does not want monitoring
+        - if the monitoring stack is already created, the MonitoringStack score doesn't necessarily need to be added to each project
+        - composants of the monitoring stack are bundled together and can be expaned or modified from the same place
+    - **Cons**:
+        - maybe need to create  

adr/011-multi-tenant-cluster.md

@@ -0,0 +1,160 @@
+# Architecture Decision Record: Multi-Tenancy Strategy for Harmony Managed Clusters
+
+Initial Author: Jean-Gabriel Gill-Couture
+
+Initial Date: 2025-05-26
+
+## Status
+
+Proposed
+
+## Context
+
+Harmony manages production OKD/Kubernetes clusters that serve multiple clients with varying trust levels and operational requirements. We need a multi-tenancy strategy that provides:
+
+1. **Strong isolation** between client workloads while maintaining operational simplicity
+2. **Controlled API access** allowing clients self-service capabilities within defined boundaries
+3. **Security-first approach** protecting both the cluster infrastructure and tenant data
+4. **Harmony-native implementation** using our Score/Interpret pattern for automated tenant provisioning
+5. **Scalable management** supporting both small trusted clients and larger enterprise customers
+
+The official Kubernetes multi-tenancy documentation identifies two primary models: namespace-based isolation and virtual control planes per tenant. Given Harmony's focus on operational simplicity, provider-agnostic abstractions (ADR-003), and hexagonal architecture (ADR-002), we must choose an approach that balances security, usability, and maintainability.
+
+Our clients represent a hybrid tenancy model:
+- **Customer multi-tenancy**: Each client operates independently with no cross-tenant trust
+- **Team multi-tenancy**: Individual clients may have multiple team members requiring coordinated access
+- **API access requirement**: Unlike pure SaaS scenarios, clients need controlled Kubernetes API access for self-service operations
+
+The official kubernetes documentation on multi tenancy heavily inspired this ADR : https://kubernetes.io/docs/concepts/security/multi-tenancy/
+
+## Decision
+
+Implement **namespace-based multi-tenancy** with the following architecture:
+
+### 1. Network Security Model
+- **Private cluster access**: Kubernetes API and OpenShift console accessible only via WireGuard VPN
+- **No public exposure**: Control plane endpoints remain internal to prevent unauthorized access attempts
+- **VPN-based authentication**: Initial access control through WireGuard client certificates
+
+### 2. Tenant Isolation Strategy
+- **Dedicated namespace per tenant**: Each client receives an isolated namespace with access limited only to the required resources and operations
+- **Complete network isolation**: NetworkPolicies prevent cross-namespace communication while allowing full egress to public internet
+- **Resource governance**: ResourceQuotas and LimitRanges enforce CPU, memory, and storage consumption limits
+- **Storage access control**: Clients can create PersistentVolumeClaims but cannot directly manipulate PersistentVolumes or access other tenants' storage
+
+### 3. Access Control Framework
+- **Principle of Least Privilege**: RBAC grants only necessary permissions within tenant namespace scope
+- **Namespace-scoped**: Clients can create/modify/delete resources within their namespace
+- **Cluster-level restrictions**: No access to cluster-wide resources, other namespaces, or sensitive cluster operations
+- **Whitelisted operations**: Controlled self-service capabilities for ingress, secrets, configmaps, and workload management
+
+### 4. Identity Management Evolution
+- **Phase 1**: Manual provisioning of VPN access and Kubernetes ServiceAccounts/Users
+- **Phase 2**: Migration to Keycloak-based identity management (aligning with ADR-006) for centralized authentication and lifecycle management
+
+### 5. Harmony Integration
+- **TenantScore implementation**: Declarative tenant provisioning using Harmony's Score/Interpret pattern
+- **Topology abstraction**: Tenant configuration abstracted from underlying Kubernetes implementation details
+- **Automated deployment**: Complete tenant setup automated through Harmony's orchestration capabilities
+
+## Rationale
+
+### Network Security Through VPN Access
+- **Defense in depth**: VPN requirement adds critical security layer preventing unauthorized cluster access
+- **Simplified firewall rules**: No need for complex public endpoint protections or rate limiting
+- **Audit capability**: VPN access provides clear audit trail of cluster connections
+- **Aligns with enterprise practices**: Most enterprise customers already use VPN infrastructure
+
+### Namespace Isolation vs Virtual Control Planes
+Following Kubernetes official guidance, namespace isolation provides:
+- **Lower resource overhead**: Virtual control planes require dedicated etcd, API server, and controller manager per tenant
+- **Operational simplicity**: Single control plane to maintain, upgrade, and monitor
+- **Cross-tenant service integration**: Enables future controlled cross-tenant communication if required
+- **Proven stability**: Namespace-based isolation is well-tested and widely deployed
+- **Cost efficiency**: Significantly lower infrastructure costs compared to dedicated control planes
+
+### Hybrid Tenancy Model Suitability
+Our approach addresses both customer and team multi-tenancy requirements:
+- **Customer isolation**: Strong network and RBAC boundaries prevent cross-tenant interference
+- **Team collaboration**: Multiple team members can share namespace access through group-based RBAC
+- **Self-service balance**: Controlled API access enables client autonomy without compromising security
+
+### Harmony Architecture Alignment
+- **Provider agnostic**: TenantScore abstracts multi-tenancy concepts, enabling future support for other Kubernetes distributions
+- **Hexagonal architecture**: Tenant management becomes an infrastructure capability accessed through well-defined ports
+- **Declarative automation**: Tenant lifecycle fully managed through Harmony's Score execution model
+
+## Consequences
+
+### Positive Consequences
+- **Strong security posture**: VPN + namespace isolation provides robust tenant separation
+- **Operational efficiency**: Single cluster management with automated tenant provisioning
+- **Client autonomy**: Self-service capabilities reduce operational support burden
+- **Scalable architecture**: Can support hundreds of tenants per cluster without architectural changes
+- **Future flexibility**: Foundation supports evolution to more sophisticated multi-tenancy models
+- **Cost optimization**: Shared infrastructure maximizes resource utilization
+
+### Negative Consequences
+- **VPN operational overhead**: Requires VPN infrastructure management
+- **Manual provisioning complexity**: Phase 1 manual user management creates administrative burden
+- **Network policy dependency**: Requires CNI with NetworkPolicy support (OVN-Kubernetes provides this and is the OKD/Openshift default)
+- **Cluster-wide resource limitations**: Some advanced Kubernetes features require cluster-wide access
+- **Single point of failure**: Cluster outage affects all tenants simultaneously
+
+### Migration Challenges
+- **Legacy client integration**: Existing clients may need VPN client setup and credential migration
+- **Monitoring complexity**: Per-tenant observability requires careful metric and log segmentation
+- **Backup considerations**: Tenant data backup must respect isolation boundaries
+
+## Alternatives Considered
+
+### Alternative 1: Virtual Control Plane Per Tenant
+**Pros**: Complete control plane isolation, full Kubernetes API access per tenant
+**Cons**: 3-5x higher resource usage, complex cross-tenant networking, operational complexity scales linearly with tenants
+
+**Rejected**: Resource overhead incompatible with cost-effective multi-tenancy goals
+
+### Alternative 2: Dedicated Clusters Per Tenant
+**Pros**: Maximum isolation, independent upgrade cycles, simplified security model
+**Cons**: Exponential operational complexity, prohibitive costs, resource waste
+
+**Rejected**: Operational overhead makes this approach unsustainable for multiple clients
+
+### Alternative 3: Public API with Advanced Authentication
+**Pros**: No VPN requirement, potentially simpler client access
+**Cons**: Larger attack surface, complex rate limiting and DDoS protection, increased security monitoring requirements
+
+**Rejected**: Risk/benefit analysis favors VPN-based access control
+
+### Alternative 4: Service Mesh Based Isolation
+**Pros**: Fine-grained traffic control, encryption, advanced observability
+**Cons**: Significant operational complexity, performance overhead, steep learning curve
+
+**Rejected**: Complexity overhead outweighs benefits for current requirements; remains option for future enhancement
+
+## Additional Notes
+
+### Implementation Roadmap
+1. **Phase 1**: Implement VPN access and manual tenant provisioning
+2. **Phase 2**: Deploy TenantScore automation for namespace, RBAC, and NetworkPolicy management
+3. **Phase 3**: Integrate Keycloak for centralized identity management
+4. **Phase 4**: Add advanced monitoring and per-tenant observability
+
+### TenantScore Structure Preview
+```rust
+pub struct TenantScore {
+    pub tenant_config: TenantConfig,
+    pub resource_quotas: ResourceQuotaConfig,
+    pub network_isolation: NetworkIsolationPolicy,
+    pub storage_access: StorageAccessConfig,
+    pub rbac_config: RBACConfig,
+}
+```
+
+### Future Enhancements
+- **Cross-tenant service mesh**: For approved inter-tenant communication
+- **Advanced monitoring**: Per-tenant Prometheus/Grafana instances
+- **Backup automation**: Tenant-scoped backup policies
+- **Cost allocation**: Detailed per-tenant resource usage tracking
+
+This ADR establishes the foundation for secure, scalable multi-tenancy in Harmony-managed clusters while maintaining operational simplicity and cost effectiveness. A follow-up ADR will detail the Tenant abstraction and user management mechanisms within the Harmony framework.

check.sh

@@ -0,0 +1,5 @@
+#!/bin/sh
+set -e
+cargo check --all-targets --all-features --keep-going
+cargo fmt --check
+cargo test

data/watchguard/pxe-http-files/.gitattributes

@@ -0,0 +1 @@
+slitaz/* filter=lfs diff=lfs merge=lfs -text

data/watchguard/pxe-http-files/boot.ipxe

@@ -0,0 +1,6 @@
+#!ipxe
+
+set base-url http://192.168.33.1:8080
+set hostfile ${base-url}/byMAC/01-${mac:hexhyp}.ipxe
+
+chain ${hostfile} || chain ${base-url}/default.ipxe

data/watchguard/pxe-http-files/byMAC/01-c4-62-37-01-bc-68.ipxe

@@ -0,0 +1,35 @@
+#!ipxe
+menu PXE Boot Menu - [${mac}]
+item okdinstallation  Install OKD
+item slitaz  Boot to Slitaz - old linux for debugging
+choose selected
+
+goto ${selected}
+
+:local
+exit
+
+#################################
+# okdinstallation
+#################################
+:okdinstallation
+set base-url http://192.168.33.1:8080
+set kernel-image fcos/fedora-coreos-39.20231101.3.0-live-kernel-x86_64
+set live-rootfs fcos/fedora-coreos-39.20231101.3.0-live-rootfs.x86_64.img
+set live-initramfs fcos/fedora-coreos-39.20231101.3.0-live-initramfs.x86_64.img
+set install-disk /dev/nvme0n1
+set ignition-file ncd0/master.ign
+
+kernel ${base-url}/${kernel-image} initrd=main coreos.live.rootfs_url=${base-url}/${live-rootfs} coreos.inst.install_dev=${install-disk} coreos.inst.ignition_url=${base-url}/${ignition-file}  ip=enp1s0:dhcp
+initrd --name main ${base-url}/${live-initramfs}
+boot
+
+#################################
+# slitaz
+#################################
+:slitaz
+set server_ip 192.168.33.1:8080
+set base_url http://${server_ip}/slitaz
+kernel ${base_url}/vmlinuz-2.6.37-slitaz rw root=/dev/null vga=788 initrd=rootfs.gz
+initrd ${base_url}/rootfs.gz
+boot

data/watchguard/pxe-http-files/byMAC/01-c4-62-37-02-60-fa.ipxe

@@ -0,0 +1,35 @@
+#!ipxe
+menu PXE Boot Menu - [${mac}]
+item okdinstallation  Install OKD
+item slitaz  Boot to Slitaz - old linux for debugging
+choose selected
+
+goto ${selected}
+
+:local
+exit
+
+#################################
+# okdinstallation
+#################################
+:okdinstallation
+set base-url http://192.168.33.1:8080
+set kernel-image fcos/fedora-coreos-39.20231101.3.0-live-kernel-x86_64
+set live-rootfs fcos/fedora-coreos-39.20231101.3.0-live-rootfs.x86_64.img
+set live-initramfs fcos/fedora-coreos-39.20231101.3.0-live-initramfs.x86_64.img
+set install-disk /dev/nvme0n1
+set ignition-file ncd0/master.ign
+
+kernel ${base-url}/${kernel-image} initrd=main coreos.live.rootfs_url=${base-url}/${live-rootfs} coreos.inst.install_dev=${install-disk} coreos.inst.ignition_url=${base-url}/${ignition-file}  ip=enp1s0:dhcp
+initrd --name main ${base-url}/${live-initramfs}
+boot
+
+#################################
+# slitaz
+#################################
+:slitaz
+set server_ip 192.168.33.1:8080
+set base_url http://${server_ip}/slitaz
+kernel ${base_url}/vmlinuz-2.6.37-slitaz rw root=/dev/null vga=788 initrd=rootfs.gz
+initrd ${base_url}/rootfs.gz
+boot

data/watchguard/pxe-http-files/byMAC/01-c4-62-37-02-61-0f.ipxe

@@ -0,0 +1,35 @@
+#!ipxe
+menu PXE Boot Menu - [${mac}]
+item okdinstallation  Install OKD
+item slitaz  Slitaz - an old linux image for debugging
+choose selected
+
+goto ${selected}
+
+:local
+exit
+
+#################################
+# okdinstallation
+#################################
+:okdinstallation
+set base-url http://192.168.33.1:8080
+set kernel-image fcos/fedora-coreos-39.20231101.3.0-live-kernel-x86_64
+set live-rootfs fcos/fedora-coreos-39.20231101.3.0-live-rootfs.x86_64.img
+set live-initramfs fcos/fedora-coreos-39.20231101.3.0-live-initramfs.x86_64.img
+set install-disk /dev/sda
+set ignition-file ncd0/worker.ign
+
+kernel ${base-url}/${kernel-image} initrd=main coreos.live.rootfs_url=${base-url}/${live-rootfs} coreos.inst.install_dev=${install-disk} coreos.inst.ignition_url=${base-url}/${ignition-file}  ip=enp1s0:dhcp
+initrd --name main ${base-url}/${live-initramfs}
+boot
+
+#################################
+# slitaz
+#################################
+:slitaz
+set server_ip 192.168.33.1:8080
+set base_url http://${server_ip}/slitaz
+kernel ${base_url}/vmlinuz-2.6.37-slitaz rw root=/dev/null vga=788 initrd=rootfs.gz
+initrd ${base_url}/rootfs.gz
+boot

data/watchguard/pxe-http-files/byMAC/01-c4-62-37-02-61-1a.ipxe

@@ -0,0 +1,35 @@
+#!ipxe
+menu PXE Boot Menu - [${mac}]
+item okdinstallation  Install OKD
+item slitaz  Boot to Slitaz - old linux for debugging
+choose selected
+
+goto ${selected}
+
+:local
+exit
+
+#################################
+# okdinstallation
+#################################
+:okdinstallation
+set base-url http://192.168.33.1:8080
+set kernel-image fcos/fedora-coreos-39.20231101.3.0-live-kernel-x86_64
+set live-rootfs fcos/fedora-coreos-39.20231101.3.0-live-rootfs.x86_64.img
+set live-initramfs fcos/fedora-coreos-39.20231101.3.0-live-initramfs.x86_64.img
+set install-disk /dev/nvme0n1
+set ignition-file ncd0/master.ign
+
+kernel ${base-url}/${kernel-image} initrd=main coreos.live.rootfs_url=${base-url}/${live-rootfs} coreos.inst.install_dev=${install-disk} coreos.inst.ignition_url=${base-url}/${ignition-file}  ip=enp1s0:dhcp
+initrd --name main ${base-url}/${live-initramfs}
+boot
+
+#################################
+# slitaz
+#################################
+:slitaz
+set server_ip 192.168.33.1:8080
+set base_url http://${server_ip}/slitaz
+kernel ${base_url}/vmlinuz-2.6.37-slitaz rw root=/dev/null vga=788 initrd=rootfs.gz
+initrd ${base_url}/rootfs.gz
+boot

data/watchguard/pxe-http-files/byMAC/01-c4-62-37-02-61-26.ipxe

@@ -0,0 +1,35 @@
+#!ipxe
+menu PXE Boot Menu - [${mac}]
+item okdinstallation  Install OKD
+item slitaz  Slitaz - an old linux image for debugging
+choose selected
+
+goto ${selected}
+
+:local
+exit
+
+#################################
+# okdinstallation
+#################################
+:okdinstallation
+set base-url http://192.168.33.1:8080
+set kernel-image fcos/fedora-coreos-39.20231101.3.0-live-kernel-x86_64
+set live-rootfs fcos/fedora-coreos-39.20231101.3.0-live-rootfs.x86_64.img
+set live-initramfs fcos/fedora-coreos-39.20231101.3.0-live-initramfs.x86_64.img
+set install-disk /dev/sda
+set ignition-file ncd0/worker.ign
+
+kernel ${base-url}/${kernel-image} initrd=main coreos.live.rootfs_url=${base-url}/${live-rootfs} coreos.inst.install_dev=${install-disk} coreos.inst.ignition_url=${base-url}/${ignition-file}  ip=enp1s0:dhcp
+initrd --name main ${base-url}/${live-initramfs}
+boot
+
+#################################
+# slitaz
+#################################
+:slitaz
+set server_ip 192.168.33.1:8080
+set base_url http://${server_ip}/slitaz
+kernel ${base_url}/vmlinuz-2.6.37-slitaz rw root=/dev/null vga=788 initrd=rootfs.gz
+initrd ${base_url}/rootfs.gz
+boot

data/watchguard/pxe-http-files/byMAC/01-c4-62-37-02-61-70.ipxe

@@ -0,0 +1,37 @@
+#!ipxe
+menu PXE Boot Menu - [${mac}]
+item okdinstallation  Install OKD
+item slitaz  Slitaz - an old linux image for debugging
+choose selected
+
+goto ${selected}
+
+:local
+exit
+# This is the bootstrap node
+# it will become wk2
+
+#################################
+# okdinstallation
+#################################
+:okdinstallation
+set base-url http://192.168.33.1:8080
+set kernel-image fcos/fedora-coreos-39.20231101.3.0-live-kernel-x86_64
+set live-rootfs fcos/fedora-coreos-39.20231101.3.0-live-rootfs.x86_64.img
+set live-initramfs fcos/fedora-coreos-39.20231101.3.0-live-initramfs.x86_64.img
+set install-disk /dev/sda
+set ignition-file ncd0/worker.ign
+
+kernel ${base-url}/${kernel-image} initrd=main coreos.live.rootfs_url=${base-url}/${live-rootfs} coreos.inst.install_dev=${install-disk} coreos.inst.ignition_url=${base-url}/${ignition-file}  ip=enp1s0:dhcp
+initrd --name main ${base-url}/${live-initramfs}
+boot
+
+#################################
+# slitaz
+#################################
+:slitaz
+set server_ip 192.168.33.1:8080
+set base_url http://${server_ip}/slitaz
+kernel ${base_url}/vmlinuz-2.6.37-slitaz rw root=/dev/null vga=788 initrd=rootfs.gz
+initrd ${base_url}/rootfs.gz
+boot

data/watchguard/pxe-http-files/default.ipxe

@@ -0,0 +1,71 @@
+#!ipxe
+menu PXE Boot Menu - [${mac}]
+item local  Boot from Hard Disk
+item slitaz Boot slitaz live environment [tux|root:root]
+#item ubuntu-server Ubuntu 24.04.1 live server
+#item ubuntu-desktop Ubuntu 24.04.1 desktop
+#item systemrescue System Rescue 11.03
+item memtest memtest
+#choose --default local --timeout 5000 selected
+choose selected
+
+goto ${selected}
+
+:local
+exit
+
+#################################
+# slitaz
+#################################
+:slitaz
+set server_ip 192.168.33.1:8080
+set base_url http://${server_ip}/slitaz
+kernel ${base_url}/vmlinuz-2.6.37-slitaz rw root=/dev/null vga=788 initrd=rootfs.gz
+initrd ${base_url}/rootfs.gz
+boot
+
+#################################
+# Ubuntu Server
+#################################
+:ubuntu-server
+set server_ip 192.168.33.1:8080
+set base_url http://${server_ip}/ubuntu/live-server-24.04.1
+
+kernel ${base_url}/vmlinuz ip=dhcp url=${base_url}/ubuntu-24.04.1-live-server-amd64.iso autoinstall ds=nocloud
+initrd ${base_url}/initrd
+boot
+
+#################################
+# Ubuntu Desktop
+#################################
+:ubuntu-desktop
+set server_ip 192.168.33.1:8080
+set base_url http://${server_ip}/ubuntu/desktop-24.04.1
+
+kernel ${base_url}/vmlinuz ip=dhcp url=${base_url}/ubuntu-24.04.1-desktop-amd64.iso autoinstall ds=nocloud
+initrd ${base_url}/initrd
+boot
+
+#################################
+# System Rescue
+#################################
+:systemrescue
+set base-url http://192.168.33.1:8080/systemrescue
+
+kernel ${base-url}/vmlinuz initrd=sysresccd.img boot=systemrescue docache
+initrd ${base-url}/sysresccd.img
+boot
+
+#################################
+# MemTest86 (BIOS/UEFI)
+#################################
+:memtest
+iseq ${platform} efi && goto memtest_efi || goto memtest_bios
+
+:memtest_efi
+kernel http://192.168.33.1:8080/memtest/memtest64.efi
+boot
+
+:memtest_bios
+kernel http://192.168.33.1:8080/memtest/memtest64.bin
+boot

data/watchguard/pxe-http-files/paul

@@ -1 +0,0 @@
-hey i am paul

examples/cli/Cargo.toml

@@ -0,0 +1,19 @@
+[package]
+name = "example-cli"
+edition = "2024"
+version.workspace = true
+readme.workspace = true
+license.workspace = true
+publish = false
+
+[dependencies]
+harmony = { path = "../../harmony" }
+harmony_cli = { path = "../../harmony_cli" }
+harmony_types = { path = "../../harmony_types" }
+cidr = { workspace = true }
+tokio = { workspace = true }
+harmony_macros = { path = "../../harmony_macros" }
+log = { workspace = true }
+env_logger = { workspace = true }
+url = { workspace = true }
+assert_cmd = "2.0.16"

examples/cli/src/main.rs

@@ -0,0 +1,20 @@
+use harmony::{
+    inventory::Inventory,
+    maestro::Maestro,
+    modules::dummy::{ErrorScore, PanicScore, SuccessScore},
+    topology::LocalhostTopology,
+};
+
+#[tokio::main]
+async fn main() {
+    let inventory = Inventory::autoload();
+    let topology = LocalhostTopology::new();
+    let mut maestro = Maestro::initialize(inventory, topology).await.unwrap();
+
+    maestro.register_all(vec![
+        Box::new(SuccessScore {}),
+        Box::new(ErrorScore {}),
+        Box::new(PanicScore {}),
+    ]);
+    harmony_cli::init(maestro, None).await.unwrap();
+}

examples/kube-rs/Cargo.toml

@@ -18,3 +18,4 @@ kube = "0.98.0"
 k8s-openapi = { version = "0.24.0", features = [ "v1_30" ] }
 http = "1.2.0"
 serde_yaml = "0.9.34"
+inquire.workspace = true

examples/kube-rs/src/main.rs

@@ -1,20 +1,32 @@
 use std::collections::BTreeMap;
 
 use harmony_macros::yaml;
+use inquire::Confirm;
 use k8s_openapi::{
     api::{
         apps::v1::{Deployment, DeploymentSpec},
-        core::v1::{Container, Node, Pod, PodSpec, PodTemplateSpec},
+        core::v1::{Container, PodSpec, PodTemplateSpec},
     },
     apimachinery::pkg::apis::meta::v1::LabelSelector,
 };
 use kube::{
-    Api, Client, Config, ResourceExt,
-    api::{ListParams, ObjectMeta, PostParams},
+    Api, Client, ResourceExt,
+    api::{ObjectMeta, PostParams},
 };
 
 #[tokio::main]
 async fn main() {
+    let confirmation = Confirm::new(
+        "This will install various ressources to your default kubernetes cluster. Are you sure?",
+    )
+    .with_default(false)
+    .prompt()
+    .expect("Unexpected prompt error");
+
+    if !confirmation {
+        return;
+    }
+
     let client = Client::try_default()
         .await
         .expect("Should instanciate client from defaults");
@@ -42,8 +54,7 @@ async fn main() {
     //     println!("found node {} status {:?}", n.name_any(), n.status.unwrap())
     // }
 
-    let nginxdeployment = nginx_deployment_2();
-    let nginxdeployment = nginx_deployment_serde();
+    assert_eq!(nginx_deployment(), nginx_macro());
     assert_eq!(nginx_deployment_2(), nginx_macro());
     assert_eq!(nginx_deployment_serde(), nginx_macro());
     let nginxdeployment = nginx_macro();
@@ -149,6 +160,7 @@ fn nginx_deployment_2() -> Deployment {
 
     deployment
 }
+
 fn nginx_deployment() -> Deployment {
     let deployment = Deployment {
         metadata: ObjectMeta {

examples/lamp/Cargo.toml

@@ -8,7 +8,7 @@ publish = false
 
 [dependencies]
 harmony = { path = "../../harmony" }
-#harmony_tui = { path = "../../harmony_tui" }
+harmony_cli = { path = "../../harmony_cli" }
 harmony_types = { path = "../../harmony_types" }
 cidr = { workspace = true }
 tokio = { workspace = true }

examples/lamp/php/index.php

@@ -1,3 +1,85 @@
 <?php
-print_r("Hello this is from PHP")
+
+ini_set('display_errors', 1);
+error_reporting(E_ALL);
+
+$host = getenv('MYSQL_HOST') ?: '';
+$user = getenv('MYSQL_USER') ?: 'root';
+$pass = getenv('MYSQL_PASSWORD') ?: '';
+$db   = 'testfill';
+$charset = 'utf8mb4';
+
+$dsn = "mysql:host=$host;charset=$charset";
+$options = [
+    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
+    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
+];
+
+try {
+    $pdo = new PDO($dsn, $user, $pass, $options);
+    $pdo->exec("CREATE DATABASE IF NOT EXISTS `$db`");
+    $pdo->exec("USE `$db`");
+    $pdo->exec("
+        CREATE TABLE IF NOT EXISTS filler (
+            id INT AUTO_INCREMENT PRIMARY KEY,
+            data LONGBLOB
+        )
+    ");
+} catch (\PDOException $e) {
+    die("❌ DB connection failed: " . $e->getMessage());
+}
+
+function getDbStats($pdo, $db) {
+    $stmt = $pdo->query("
+        SELECT 
+            ROUND(SUM(data_length + index_length) / 1024 / 1024 / 1024, 2) AS total_size_gb,
+            SUM(table_rows) AS total_rows
+        FROM information_schema.tables
+        WHERE table_schema = '$db'
+    ");
+    $result = $stmt->fetch();
+    $sizeGb = $result['total_size_gb'] ?? '0';
+    $rows = $result['total_rows'] ?? '0';
+    $avgMb = ($rows > 0) ? round(($sizeGb * 1024) / $rows, 2) : 0;
+    return [$sizeGb, $rows, $avgMb];
+}
+
+list($dbSize, $rowCount, $avgRowMb) = getDbStats($pdo, $db);
+
+$message = '';
+
+if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['fill'])) {
+    $iterations = 1024;
+    $data = str_repeat(random_bytes(1024), 1024); // 1MB
+    $stmt = $pdo->prepare("INSERT INTO filler (data) VALUES (:data)");
+
+    for ($i = 0; $i < $iterations; $i++) {
+        $stmt->execute([':data' => $data]);
+    }
+
+    list($dbSize, $rowCount, $avgRowMb) = getDbStats($pdo, $db);
+
+    $message = "<p style='color: green;'>✅ 1GB inserted into MariaDB successfully.</p>";
+}
 ?>
+
+<!DOCTYPE html>
+<html>
+<head>
+    <title>MariaDB Filler</title>
+</head>
+<body>
+    <h1>MariaDB Storage Filler</h1>
+    <?= $message ?>
+    <ul>
+        <li><strong>📦 MariaDB Used Size:</strong> <?= $dbSize ?> GB</li>
+        <li><strong>📊 Total Rows:</strong> <?= $rowCount ?></li>
+        <li><strong>📐 Average Row Size:</strong> <?= $avgRowMb ?> MB</li>
+    </ul>
+
+    <form method="post">
+        <button name="fill" value="1" type="submit">Insert 1GB into DB</button>
+    </form>
+</body>
+</html>
+

examples/lamp/src/main.rs

@@ -1,24 +1,56 @@
 use harmony::{
     data::Version,
+    inventory::Inventory,
     maestro::Maestro,
-    modules::lamp::{LAMPConfig, LAMPScore},
-    topology::{HAClusterTopology, Url},
+    modules::{
+        lamp::{LAMPConfig, LAMPScore},
+        monitoring::monitoring_alerting::{AlertChannel, MonitoringAlertingStackScore},
+    },
+    topology::{K8sAnywhereTopology, Url},
 };
 
 #[tokio::main]
 async fn main() {
+    // This here is the whole configuration to
+    // - setup a local K3D cluster
+    // - Build a docker image with the PHP project builtin and production grade settings
+    // - Deploy a mariadb database using a production grade helm chart
+    // - Deploy the new container using a kubernetes deployment
+    // - Configure networking between the PHP container and the database
+    // - Provision a public route and an SSL certificate automatically on production environments
+    //
+    // Enjoy :)
     let lamp_stack = LAMPScore {
         name: "harmony-lamp-demo".to_string(),
         domain: Url::Url(url::Url::parse("https://lampdemo.harmony.nationtech.io").unwrap()),
         php_version: Version::from("8.4.4").unwrap(),
+        // This config can be extended as needed for more complicated configurations
         config: LAMPConfig {
             project_root: "./php".into(),
+            database_size: format!("4Gi").into(),
             ..Default::default()
         },
     };
 
-    Maestro::<HAClusterTopology>::load_from_env()
-        .interpret(Box::new(lamp_stack))
-        .await
-        .unwrap();
+    // You can choose the type of Topology you want, we suggest starting with the
+    // K8sAnywhereTopology as it is the most automatic one that enables you to easily deploy
+    // locally, to development environment from a CI, to staging, and to production with settings
+    // that automatically adapt to each environment grade.
+    let mut maestro = Maestro::<K8sAnywhereTopology>::initialize(
+        Inventory::autoload(),
+        K8sAnywhereTopology::new(),
+    )
+    .await
+    .unwrap();
+
+    let url = url::Url::parse("https://discord.com/api/webhooks/dummy_channel/dummy_token")
+        .expect("invalid URL");
+
+    let mut monitoring_stack_score = MonitoringAlertingStackScore::new();
+    monitoring_stack_score.namespace = Some(lamp_stack.config.namespace.clone());
+
+    maestro.register_all(vec![Box::new(lamp_stack), Box::new(monitoring_stack_score)]);
+    // Here we bootstrap the CLI, this gives some nice features if you need them
+    harmony_cli::init(maestro, None).await.unwrap();
 }
+// That's it, end of the infra as code.

examples/nanodc/rook-cephcluster/install-rook-cephcluster.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+
+helm install --create-namespace --namespace rook-ceph rook-ceph-cluster \
+   --set operatorNamespace=rook-ceph rook-release/rook-ceph-cluster -f values.yaml

examples/nanodc/rook-cephcluster/values.yaml

@@ -0,0 +1,721 @@
+# Default values for a single rook-ceph cluster
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+# -- Namespace of the main rook operator
+operatorNamespace: rook-ceph
+
+# -- The metadata.name of the CephCluster CR
+# @default -- The same as the namespace
+clusterName:
+
+# -- Optional override of the target kubernetes version
+kubeVersion:
+
+# -- Cluster ceph.conf override
+configOverride:
+# configOverride: |
+#   [global]
+#   mon_allow_pool_delete = true
+#   osd_pool_default_size = 3
+#   osd_pool_default_min_size = 2
+
+# Installs a debugging toolbox deployment
+toolbox:
+  # -- Enable Ceph debugging pod deployment. See [toolbox](../Troubleshooting/ceph-toolbox.md)
+  enabled: true
+  # -- Toolbox image, defaults to the image used by the Ceph cluster
+  image: #quay.io/ceph/ceph:v19.2.2
+  # -- Toolbox tolerations
+  tolerations: []
+  # -- Toolbox affinity
+  affinity: {}
+  # -- Toolbox container security context
+  containerSecurityContext:
+    runAsNonRoot: true
+    runAsUser: 2016
+    runAsGroup: 2016
+    capabilities:
+      drop: ["ALL"]
+  # -- Toolbox resources
+  resources:
+    limits:
+      memory: "1Gi"
+    requests:
+      cpu: "100m"
+      memory: "128Mi"
+  # -- Set the priority class for the toolbox if desired
+  priorityClassName:
+
+monitoring:
+  # -- Enable Prometheus integration, will also create necessary RBAC rules to allow Operator to create ServiceMonitors.
+  # Monitoring requires Prometheus to be pre-installed
+  enabled: false
+  # -- Whether to disable the metrics reported by Ceph. If false, the prometheus mgr module and Ceph exporter are enabled
+  metricsDisabled: false
+  # -- Whether to create the Prometheus rules for Ceph alerts
+  createPrometheusRules: false
+  # -- The namespace in which to create the prometheus rules, if different from the rook cluster namespace.
+  # If you have multiple rook-ceph clusters in the same k8s cluster, choose the same namespace (ideally, namespace with prometheus
+  # deployed) to set rulesNamespaceOverride for all the clusters. Otherwise, you will get duplicate alerts with multiple alert definitions.
+  rulesNamespaceOverride:
+  # Monitoring settings for external clusters:
+  # externalMgrEndpoints: <list of endpoints>
+  # externalMgrPrometheusPort: <port>
+  # Scrape interval for prometheus
+  # interval: 10s
+  # allow adding custom labels and annotations to the prometheus rule
+  prometheusRule:
+    # -- Labels applied to PrometheusRule
+    labels: {}
+    # -- Annotations applied to PrometheusRule
+    annotations: {}
+
+# -- Create & use PSP resources. Set this to the same value as the rook-ceph chart.
+pspEnable: false
+
+# imagePullSecrets option allow to pull docker images from private docker registry. Option will be passed to all service accounts.
+# imagePullSecrets:
+# - name: my-registry-secret
+
+# All values below are taken from the CephCluster CRD
+# -- Cluster configuration.
+# @default -- See [below](#ceph-cluster-spec)
+cephClusterSpec:
+  # This cluster spec example is for a converged cluster where all the Ceph daemons are running locally,
+  # as in the host-based example (cluster.yaml). For a different configuration such as a
+  # PVC-based cluster (cluster-on-pvc.yaml), external cluster (cluster-external.yaml),
+  # or stretch cluster (cluster-stretched.yaml), replace this entire `cephClusterSpec`
+  # with the specs from those examples.
+
+  # For more details, check https://rook.io/docs/rook/v1.10/CRDs/Cluster/ceph-cluster-crd/
+  cephVersion:
+    # The container image used to launch the Ceph daemon pods (mon, mgr, osd, mds, rgw).
+    # v18 is Reef, v19 is Squid
+    # RECOMMENDATION: In production, use a specific version tag instead of the general v18 flag, which pulls the latest release and could result in different
+    # versions running within the cluster. See tags available at https://hub.docker.com/r/ceph/ceph/tags/.
+    # If you want to be more precise, you can always use a timestamp tag such as quay.io/ceph/ceph:v19.2.2-20250409
+    # This tag might not contain a new Ceph version, just security fixes from the underlying operating system, which will reduce vulnerabilities
+    image: quay.io/ceph/ceph:v19.2.2
+    # Whether to allow unsupported versions of Ceph. Currently Reef and Squid are supported.
+    # Future versions such as Tentacle (v20) would require this to be set to `true`.
+    # Do not set to true in production.
+    allowUnsupported: false
+
+  # The path on the host where configuration files will be persisted. Must be specified. If there are multiple clusters, the directory must be unique for each cluster.
+  # Important: if you reinstall the cluster, make sure you delete this directory from each host or else the mons will fail to start on the new cluster.
+  # In Minikube, the '/data' directory is configured to persist across reboots. Use "/data/rook" in Minikube environment.
+  dataDirHostPath: /var/lib/rook
+
+  # Whether or not upgrade should continue even if a check fails
+  # This means Ceph's status could be degraded and we don't recommend upgrading but you might decide otherwise
+  # Use at your OWN risk
+  # To understand Rook's upgrade process of Ceph, read https://rook.io/docs/rook/v1.10/Upgrade/ceph-upgrade/
+  skipUpgradeChecks: false
+
+  # Whether or not continue if PGs are not clean during an upgrade
+  continueUpgradeAfterChecksEvenIfNotHealthy: false
+
+  # WaitTimeoutForHealthyOSDInMinutes defines the time (in minutes) the operator would wait before an OSD can be stopped for upgrade or restart.
+  # If the timeout exceeds and OSD is not ok to stop, then the operator would skip upgrade for the current OSD and proceed with the next one
+  # if `continueUpgradeAfterChecksEvenIfNotHealthy` is `false`. If `continueUpgradeAfterChecksEvenIfNotHealthy` is `true`, then operator would
+  # continue with the upgrade of an OSD even if its not ok to stop after the timeout. This timeout won't be applied if `skipUpgradeChecks` is `true`.
+  # The default wait timeout is 10 minutes.
+  waitTimeoutForHealthyOSDInMinutes: 10
+
+  # Whether or not requires PGs are clean before an OSD upgrade. If set to `true` OSD upgrade process won't start until PGs are healthy.
+  # This configuration will be ignored if `skipUpgradeChecks` is `true`.
+  # Default is false.
+  upgradeOSDRequiresHealthyPGs: false
+
+  mon:
+    # Set the number of mons to be started. Generally recommended to be 3.
+    # For highest availability, an odd number of mons should be specified.
+    count: 3
+    # The mons should be on unique nodes. For production, at least 3 nodes are recommended for this reason.
+    # Mons should only be allowed on the same node for test environments where data loss is acceptable.
+    allowMultiplePerNode: false
+
+  mgr:
+    # When higher availability of the mgr is needed, increase the count to 2.
+    # In that case, one mgr will be active and one in standby. When Ceph updates which
+    # mgr is active, Rook will update the mgr services to match the active mgr.
+    count: 2
+    allowMultiplePerNode: false
+    modules:
+      # List of modules to optionally enable or disable.
+      # Note the "dashboard" and "monitoring" modules are already configured by other settings in the cluster CR.
+      # - name: rook
+      #   enabled: true
+
+  # enable the ceph dashboard for viewing cluster status
+  dashboard:
+    enabled: true
+    # serve the dashboard under a subpath (useful when you are accessing the dashboard via a reverse proxy)
+    # urlPrefix: /ceph-dashboard
+    # serve the dashboard at the given port.
+    # port: 8443
+    # Serve the dashboard using SSL (if using ingress to expose the dashboard and `ssl: true` you need to set
+    # the corresponding "backend protocol" annotation(s) for your ingress controller of choice)
+    ssl: true
+
+  # Network configuration, see: https://github.com/rook/rook/blob/master/Documentation/CRDs/Cluster/ceph-cluster-crd.md#network-configuration-settings
+  network:
+    connections:
+      # Whether to encrypt the data in transit across the wire to prevent eavesdropping the data on the network.
+      # The default is false. When encryption is enabled, all communication between clients and Ceph daemons, or between Ceph daemons will be encrypted.
+      # When encryption is not enabled, clients still establish a strong initial authentication and data integrity is still validated with a crc check.
+      # IMPORTANT: Encryption requires the 5.11 kernel for the latest nbd and cephfs drivers. Alternatively for testing only,
+      # you can set the "mounter: rbd-nbd" in the rbd storage class, or "mounter: fuse" in the cephfs storage class.
+      # The nbd and fuse drivers are *not* recommended in production since restarting the csi driver pod will disconnect the volumes.
+      encryption:
+        enabled: false
+      # Whether to compress the data in transit across the wire. The default is false.
+      # The kernel requirements above for encryption also apply to compression.
+      compression:
+        enabled: false
+      # Whether to require communication over msgr2. If true, the msgr v1 port (6789) will be disabled
+      # and clients will be required to connect to the Ceph cluster with the v2 port (3300).
+      # Requires a kernel that supports msgr v2 (kernel 5.11 or CentOS 8.4 or newer).
+      requireMsgr2: false
+  #   # enable host networking
+  #   provider: host
+  #   # EXPERIMENTAL: enable the Multus network provider
+  #   provider: multus
+  #   selectors:
+  #     # The selector keys are required to be `public` and `cluster`.
+  #     # Based on the configuration, the operator will do the following:
+  #     #   1. if only the `public` selector key is specified both public_network and cluster_network Ceph settings will listen on that interface
+  #     #   2. if both `public` and `cluster` selector keys are specified the first one will point to 'public_network' flag and the second one to 'cluster_network'
+  #     #
+  #     # In order to work, each selector value must match a NetworkAttachmentDefinition object in Multus
+  #     #
+  #     # public: public-conf --> NetworkAttachmentDefinition object name in Multus
+  #     # cluster: cluster-conf --> NetworkAttachmentDefinition object name in Multus
+  #   # Provide internet protocol version. IPv6, IPv4 or empty string are valid options. Empty string would mean IPv4
+  #   ipFamily: "IPv6"
+  #   # Ceph daemons to listen on both IPv4 and Ipv6 networks
+  #   dualStack: false
+
+  # enable the crash collector for ceph daemon crash collection
+  crashCollector:
+    disable: false
+    # Uncomment daysToRetain to prune ceph crash entries older than the
+    # specified number of days.
+    # daysToRetain: 30
+
+  # enable log collector, daemons will log on files and rotate
+  logCollector:
+    enabled: true
+    periodicity: daily # one of: hourly, daily, weekly, monthly
+    maxLogSize: 500M # SUFFIX may be 'M' or 'G'. Must be at least 1M.
+
+  # automate [data cleanup process](https://github.com/rook/rook/blob/master/Documentation/Storage-Configuration/ceph-teardown.md#delete-the-data-on-hosts) in cluster destruction.
+  cleanupPolicy:
+    # Since cluster cleanup is destructive to data, confirmation is required.
+    # To destroy all Rook data on hosts during uninstall, confirmation must be set to "yes-really-destroy-data".
+    # This value should only be set when the cluster is about to be deleted. After the confirmation is set,
+    # Rook will immediately stop configuring the cluster and only wait for the delete command.
+    # If the empty string is set, Rook will not destroy any data on hosts during uninstall.
+    confirmation: ""
+    # sanitizeDisks represents settings for sanitizing OSD disks on cluster deletion
+    sanitizeDisks:
+      # method indicates if the entire disk should be sanitized or simply ceph's metadata
+      # in both case, re-install is possible
+      # possible choices are 'complete' or 'quick' (default)
+      method: quick
+      # dataSource indicate where to get random bytes from to write on the disk
+      # possible choices are 'zero' (default) or 'random'
+      # using random sources will consume entropy from the system and will take much more time then the zero source
+      dataSource: zero
+      # iteration overwrite N times instead of the default (1)
+      # takes an integer value
+      iteration: 1
+    # allowUninstallWithVolumes defines how the uninstall should be performed
+    # If set to true, cephCluster deletion does not wait for the PVs to be deleted.
+    allowUninstallWithVolumes: false
+
+  # To control where various services will be scheduled by kubernetes, use the placement configuration sections below.
+  # The example under 'all' would have all services scheduled on kubernetes nodes labeled with 'role=storage-node' and
+  # tolerate taints with a key of 'storage-node'.
+  # placement:
+  #   all:
+  #     nodeAffinity:
+  #       requiredDuringSchedulingIgnoredDuringExecution:
+  #         nodeSelectorTerms:
+  #           - matchExpressions:
+  #             - key: role
+  #               operator: In
+  #               values:
+  #               - storage-node
+  #     podAffinity:
+  #     podAntiAffinity:
+  #     topologySpreadConstraints:
+  #     tolerations:
+  #     - key: storage-node
+  #       operator: Exists
+  #   # The above placement information can also be specified for mon, osd, and mgr components
+  #   mon:
+  #   # Monitor deployments may contain an anti-affinity rule for avoiding monitor
+  #   # collocation on the same node. This is a required rule when host network is used
+  #   # or when AllowMultiplePerNode is false. Otherwise this anti-affinity rule is a
+  #   # preferred rule with weight: 50.
+  #   osd:
+  #   mgr:
+  #   cleanup:
+
+  # annotations:
+  #   all:
+  #   mon:
+  #   osd:
+  #   cleanup:
+  #   prepareosd:
+  #   # If no mgr annotations are set, prometheus scrape annotations will be set by default.
+  #   mgr:
+  #   dashboard:
+
+  # labels:
+  #   all:
+  #   mon:
+  #   osd:
+  #   cleanup:
+  #   mgr:
+  #   prepareosd:
+  #   # monitoring is a list of key-value pairs. It is injected into all the monitoring resources created by operator.
+  #   # These labels can be passed as LabelSelector to Prometheus
+  #   monitoring:
+  #   dashboard:
+
+  resources:
+    mgr:
+      limits:
+        memory: "1Gi"
+      requests:
+        cpu: "500m"
+        memory: "512Mi"
+    mon:
+      limits:
+        memory: "2Gi"
+      requests:
+        cpu: "1000m"
+        memory: "1Gi"
+    osd:
+      limits:
+        memory: "4Gi"
+      requests:
+        cpu: "1000m"
+        memory: "4Gi"
+    prepareosd:
+      # limits: It is not recommended to set limits on the OSD prepare job
+      #         since it's a one-time burst for memory that must be allowed to
+      #         complete without an OOM kill.  Note however that if a k8s
+      #         limitRange guardrail is defined external to Rook, the lack of
+      #         a limit here may result in a sync failure, in which case a
+      #         limit should be added.  1200Mi may suffice for up to 15Ti
+      #         OSDs ; for larger devices 2Gi may be required.
+      #         cf. https://github.com/rook/rook/pull/11103
+      requests:
+        cpu: "500m"
+        memory: "50Mi"
+    mgr-sidecar:
+      limits:
+        memory: "100Mi"
+      requests:
+        cpu: "100m"
+        memory: "40Mi"
+    crashcollector:
+      limits:
+        memory: "60Mi"
+      requests:
+        cpu: "100m"
+        memory: "60Mi"
+    logcollector:
+      limits:
+        memory: "1Gi"
+      requests:
+        cpu: "100m"
+        memory: "100Mi"
+    cleanup:
+      limits:
+        memory: "1Gi"
+      requests:
+        cpu: "500m"
+        memory: "100Mi"
+    exporter:
+      limits:
+        memory: "128Mi"
+      requests:
+        cpu: "50m"
+        memory: "50Mi"
+
+  # The option to automatically remove OSDs that are out and are safe to destroy.
+  removeOSDsIfOutAndSafeToRemove: false
+
+  # priority classes to apply to ceph resources
+  priorityClassNames:
+    mon: system-node-critical
+    osd: system-node-critical
+    mgr: system-cluster-critical
+
+  storage: # cluster level storage configuration and selection
+    useAllNodes: true
+    useAllDevices: true
+    # deviceFilter:
+    # config:
+    #   crushRoot: "custom-root" # specify a non-default root label for the CRUSH map
+    #   metadataDevice: "md0" # specify a non-rotational storage so ceph-volume will use it as block db device of bluestore.
+    #   databaseSizeMB: "1024" # uncomment if the disks are smaller than 100 GB
+    #   osdsPerDevice: "1" # this value can be overridden at the node or device level
+    #   encryptedDevice: "true" # the default value for this option is "false"
+    # # Individual nodes and their config can be specified as well, but 'useAllNodes' above must be set to false. Then, only the named
+    # # nodes below will be used as storage resources. Each node's 'name' field should match their 'kubernetes.io/hostname' label.
+    # nodes:
+    #   - name: "172.17.4.201"
+    #     devices: # specific devices to use for storage can be specified for each node
+    #       - name: "sdb"
+    #       - name: "nvme01" # multiple osds can be created on high performance devices
+    #         config:
+    #           osdsPerDevice: "5"
+    #       - name: "/dev/disk/by-id/ata-ST4000DM004-XXXX" # devices can be specified using full udev paths
+    #     config: # configuration can be specified at the node level which overrides the cluster level config
+    #   - name: "172.17.4.301"
+    #     deviceFilter: "^sd."
+
+  # The section for configuring management of daemon disruptions during upgrade or fencing.
+  disruptionManagement:
+    # If true, the operator will create and manage PodDisruptionBudgets for OSD, Mon, RGW, and MDS daemons. OSD PDBs are managed dynamically
+    # via the strategy outlined in the [design](https://github.com/rook/rook/blob/master/design/ceph/ceph-managed-disruptionbudgets.md). The operator will
+    # block eviction of OSDs by default and unblock them safely when drains are detected.
+    managePodBudgets: true
+    # A duration in minutes that determines how long an entire failureDomain like `region/zone/host` will be held in `noout` (in addition to the
+    # default DOWN/OUT interval) when it is draining. This is only relevant when  `managePodBudgets` is `true`. The default value is `30` minutes.
+    osdMaintenanceTimeout: 30
+
+  # Configure the healthcheck and liveness probes for ceph pods.
+  # Valid values for daemons are 'mon', 'osd', 'status'
+  healthCheck:
+    daemonHealth:
+      mon:
+        disabled: false
+        interval: 45s
+      osd:
+        disabled: false
+        interval: 60s
+      status:
+        disabled: false
+        interval: 60s
+    # Change pod liveness probe, it works for all mon, mgr, and osd pods.
+    livenessProbe:
+      mon:
+        disabled: false
+      mgr:
+        disabled: false
+      osd:
+        disabled: false
+
+ingress:
+  # -- Enable an ingress for the ceph-dashboard
+  dashboard:
+    # {}
+    # labels:
+       # external-dns/private: "true"
+     annotations:
+       "route.openshift.io/termination": "passthrough"
+       # external-dns.alpha.kubernetes.io/hostname: dashboard.example.com
+       # nginx.ingress.kubernetes.io/rewrite-target: /ceph-dashboard/$2
+       # If the dashboard has ssl: true the following will make sure the NGINX Ingress controller can expose the dashboard correctly
+       # nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
+       # nginx.ingress.kubernetes.io/server-snippet: |
+       #   proxy_ssl_verify off;
+     host:
+       name: ceph.apps.ncd0.harmony.mcd
+       path: null # TODO the chart does not allow removing the path, and it causes openshift to fail creating a route, because path is not supported with termination mode passthrough
+       pathType: ImplementationSpecific
+     tls:
+     - {}
+    #   secretName: testsecret-tls
+    # Note: Only one of ingress class annotation or the `ingressClassName:` can be used at a time
+    # to set the ingress class
+    # ingressClassName: openshift-default
+    # labels:
+    #   external-dns/private: "true"
+    # annotations:
+    #   external-dns.alpha.kubernetes.io/hostname: dashboard.example.com
+    #   nginx.ingress.kubernetes.io/rewrite-target: /ceph-dashboard/$2
+    # If the dashboard has ssl: true the following will make sure the NGINX Ingress controller can expose the dashboard correctly
+    #   nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
+    #   nginx.ingress.kubernetes.io/server-snippet: |
+    #     proxy_ssl_verify off;
+    # host:
+    #   name: dashboard.example.com
+    #   path: "/ceph-dashboard(/|$)(.*)"
+    #   pathType: Prefix
+    # tls:
+    # - hosts:
+    #     - dashboard.example.com
+    #   secretName: testsecret-tls
+    ## Note: Only one of ingress class annotation or the `ingressClassName:` can be used at a time
+    ## to set the ingress class
+    # ingressClassName: nginx
+
+# -- A list of CephBlockPool configurations to deploy
+# @default -- See [below](#ceph-block-pools)
+cephBlockPools:
+  - name: ceph-blockpool
+    # see https://github.com/rook/rook/blob/master/Documentation/CRDs/Block-Storage/ceph-block-pool-crd.md#spec for available configuration
+    spec:
+      failureDomain: host
+      replicated:
+        size: 3
+      # Enables collecting RBD per-image IO statistics by enabling dynamic OSD performance counters. Defaults to false.
+      # For reference: https://docs.ceph.com/docs/latest/mgr/prometheus/#rbd-io-statistics
+      # enableRBDStats: true
+    storageClass:
+      enabled: true
+      name: ceph-block
+      annotations: {}
+      labels: {}
+      isDefault: true
+      reclaimPolicy: Delete
+      allowVolumeExpansion: true
+      volumeBindingMode: "Immediate"
+      mountOptions: []
+      # see https://kubernetes.io/docs/concepts/storage/storage-classes/#allowed-topologies
+      allowedTopologies: []
+      #        - matchLabelExpressions:
+      #            - key: rook-ceph-role
+      #              values:
+      #                - storage-node
+      # see https://github.com/rook/rook/blob/master/Documentation/Storage-Configuration/Block-Storage-RBD/block-storage.md#provision-storage for available configuration
+      parameters:
+        # (optional) mapOptions is a comma-separated list of map options.
+        # For krbd options refer
+        # https://docs.ceph.com/docs/latest/man/8/rbd/#kernel-rbd-krbd-options
+        # For nbd options refer
+        # https://docs.ceph.com/docs/latest/man/8/rbd-nbd/#options
+        # mapOptions: lock_on_read,queue_depth=1024
+
+        # (optional) unmapOptions is a comma-separated list of unmap options.
+        # For krbd options refer
+        # https://docs.ceph.com/docs/latest/man/8/rbd/#kernel-rbd-krbd-options
+        # For nbd options refer
+        # https://docs.ceph.com/docs/latest/man/8/rbd-nbd/#options
+        # unmapOptions: force
+
+        # RBD image format. Defaults to "2".
+        imageFormat: "2"
+
+        # RBD image features, equivalent to OR'd bitfield value: 63
+        # Available for imageFormat: "2". Older releases of CSI RBD
+        # support only the `layering` feature. The Linux kernel (KRBD) supports the
+        # full feature complement as of 5.4
+        imageFeatures: layering
+
+        # These secrets contain Ceph admin credentials.
+        csi.storage.k8s.io/provisioner-secret-name: rook-csi-rbd-provisioner
+        csi.storage.k8s.io/provisioner-secret-namespace: "{{ .Release.Namespace }}"
+        csi.storage.k8s.io/controller-expand-secret-name: rook-csi-rbd-provisioner
+        csi.storage.k8s.io/controller-expand-secret-namespace: "{{ .Release.Namespace }}"
+        csi.storage.k8s.io/node-stage-secret-name: rook-csi-rbd-node
+        csi.storage.k8s.io/node-stage-secret-namespace: "{{ .Release.Namespace }}"
+        # Specify the filesystem type of the volume. If not specified, csi-provisioner
+        # will set default as `ext4`. Note that `xfs` is not recommended due to potential deadlock
+        # in hyperconverged settings where the volume is mounted on the same node as the osds.
+        csi.storage.k8s.io/fstype: ext4
+
+# -- A list of CephFileSystem configurations to deploy
+# @default -- See [below](#ceph-file-systems)
+cephFileSystems:
+  - name: ceph-filesystem
+    # see https://github.com/rook/rook/blob/master/Documentation/CRDs/Shared-Filesystem/ceph-filesystem-crd.md#filesystem-settings for available configuration
+    spec:
+      metadataPool:
+        replicated:
+          size: 3
+      dataPools:
+        - failureDomain: host
+          replicated:
+            size: 3
+          # Optional and highly recommended, 'data0' by default, see https://github.com/rook/rook/blob/master/Documentation/CRDs/Shared-Filesystem/ceph-filesystem-crd.md#pools
+          name: data0
+      metadataServer:
+        activeCount: 1
+        activeStandby: true
+        resources:
+          limits:
+            memory: "4Gi"
+          requests:
+            cpu: "1000m"
+            memory: "4Gi"
+        priorityClassName: system-cluster-critical
+    storageClass:
+      enabled: true
+      isDefault: false
+      name: ceph-filesystem
+      # (Optional) specify a data pool to use, must be the name of one of the data pools above, 'data0' by default
+      pool: data0
+      reclaimPolicy: Delete
+      allowVolumeExpansion: true
+      volumeBindingMode: "Immediate"
+      annotations: {}
+      labels: {}
+      mountOptions: []
+      # see https://github.com/rook/rook/blob/master/Documentation/Storage-Configuration/Shared-Filesystem-CephFS/filesystem-storage.md#provision-storage for available configuration
+      parameters:
+        # The secrets contain Ceph admin credentials.
+        csi.storage.k8s.io/provisioner-secret-name: rook-csi-cephfs-provisioner
+        csi.storage.k8s.io/provisioner-secret-namespace: "{{ .Release.Namespace }}"
+        csi.storage.k8s.io/controller-expand-secret-name: rook-csi-cephfs-provisioner
+        csi.storage.k8s.io/controller-expand-secret-namespace: "{{ .Release.Namespace }}"
+        csi.storage.k8s.io/node-stage-secret-name: rook-csi-cephfs-node
+        csi.storage.k8s.io/node-stage-secret-namespace: "{{ .Release.Namespace }}"
+        # Specify the filesystem type of the volume. If not specified, csi-provisioner
+        # will set default as `ext4`. Note that `xfs` is not recommended due to potential deadlock
+        # in hyperconverged settings where the volume is mounted on the same node as the osds.
+        csi.storage.k8s.io/fstype: ext4
+
+# -- Settings for the filesystem snapshot class
+# @default -- See [CephFS Snapshots](../Storage-Configuration/Ceph-CSI/ceph-csi-snapshot.md#cephfs-snapshots)
+cephFileSystemVolumeSnapshotClass:
+  enabled: false
+  name: ceph-filesystem
+  isDefault: true
+  deletionPolicy: Delete
+  annotations: {}
+  labels: {}
+  # see https://rook.io/docs/rook/v1.10/Storage-Configuration/Ceph-CSI/ceph-csi-snapshot/#cephfs-snapshots for available configuration
+  parameters: {}
+
+# -- Settings for the block pool snapshot class
+# @default -- See [RBD Snapshots](../Storage-Configuration/Ceph-CSI/ceph-csi-snapshot.md#rbd-snapshots)
+cephBlockPoolsVolumeSnapshotClass:
+  enabled: false
+  name: ceph-block
+  isDefault: false
+  deletionPolicy: Delete
+  annotations: {}
+  labels: {}
+  # see https://rook.io/docs/rook/v1.10/Storage-Configuration/Ceph-CSI/ceph-csi-snapshot/#rbd-snapshots for available configuration
+  parameters: {}
+
+# -- A list of CephObjectStore configurations to deploy
+# @default -- See [below](#ceph-object-stores)
+cephObjectStores:
+  - name: ceph-objectstore
+    # see https://github.com/rook/rook/blob/master/Documentation/CRDs/Object-Storage/ceph-object-store-crd.md#object-store-settings for available configuration
+    spec:
+      metadataPool:
+        failureDomain: host
+        replicated:
+          size: 3
+      dataPool:
+        failureDomain: host
+        erasureCoded:
+          dataChunks: 2
+          codingChunks: 1
+        parameters:
+          bulk: "true"
+      preservePoolsOnDelete: true
+      gateway:
+        port: 80
+        resources:
+          limits:
+            memory: "2Gi"
+          requests:
+            cpu: "1000m"
+            memory: "1Gi"
+        # securePort: 443
+        # sslCertificateRef:
+        instances: 1
+        priorityClassName: system-cluster-critical
+        # opsLogSidecar:
+        #   resources:
+        #     limits:
+        #       memory: "100Mi"
+        #     requests:
+        #       cpu: "100m"
+        #       memory: "40Mi"
+    storageClass:
+      enabled: true
+      name: ceph-bucket
+      reclaimPolicy: Delete
+      volumeBindingMode: "Immediate"
+      annotations: {}
+      labels: {}
+      # see https://github.com/rook/rook/blob/master/Documentation/Storage-Configuration/Object-Storage-RGW/ceph-object-bucket-claim.md#storageclass for available configuration
+      parameters:
+        # note: objectStoreNamespace and objectStoreName are configured by the chart
+        region: us-east-1
+    ingress:
+      # Enable an ingress for the ceph-objectstore
+      enabled: true
+      # The ingress port by default will be the object store's "securePort" (if set), or the gateway "port".
+      # To override those defaults, set this ingress port to the desired port.
+      # port: 80
+      # annotations: {}
+      host:
+        name: objectstore.apps.ncd0.harmony.mcd
+        path: /
+        pathType: Prefix
+      # tls:
+      # - hosts:
+      #     - objectstore.example.com
+      #   secretName: ceph-objectstore-tls
+      # ingressClassName: nginx
+## cephECBlockPools are disabled by default, please remove the comments and set desired values to enable it
+## For erasure coded a replicated metadata pool is required.
+## https://rook.io/docs/rook/latest/CRDs/Shared-Filesystem/ceph-filesystem-crd/#erasure-coded
+#cephECBlockPools:
+#  - name: ec-pool
+#    spec:
+#      metadataPool:
+#        replicated:
+#          size: 2
+#      dataPool:
+#        failureDomain: osd
+#        erasureCoded:
+#          dataChunks: 2
+#          codingChunks: 1
+#        deviceClass: hdd
+#
+#    parameters:
+#      # clusterID is the namespace where the rook cluster is running
+#      # If you change this namespace, also change the namespace below where the secret namespaces are defined
+#      clusterID: rook-ceph # namespace:cluster
+#      # (optional) mapOptions is a comma-separated list of map options.
+#      # For krbd options refer
+#      # https://docs.ceph.com/docs/latest/man/8/rbd/#kernel-rbd-krbd-options
+#      # For nbd options refer
+#      # https://docs.ceph.com/docs/latest/man/8/rbd-nbd/#options
+#      # mapOptions: lock_on_read,queue_depth=1024
+#
+#      # (optional) unmapOptions is a comma-separated list of unmap options.
+#      # For krbd options refer
+#      # https://docs.ceph.com/docs/latest/man/8/rbd/#kernel-rbd-krbd-options
+#      # For nbd options refer
+#      # https://docs.ceph.com/docs/latest/man/8/rbd-nbd/#options
+#      # unmapOptions: force
+#
+#      # RBD image format. Defaults to "2".
+#      imageFormat: "2"
+#
+#      # RBD image features, equivalent to OR'd bitfield value: 63
+#      # Available for imageFormat: "2". Older releases of CSI RBD
+#      # support only the `layering` feature. The Linux kernel (KRBD) supports the
+#      # full feature complement as of 5.4
+#      # imageFeatures: layering,fast-diff,object-map,deep-flatten,exclusive-lock
+#      imageFeatures: layering
+#
+#    storageClass:
+#      provisioner: rook-ceph.rbd.csi.ceph.com # csi-provisioner-name
+#      enabled: true
+#      name: rook-ceph-block
+#      isDefault: false
+#      annotations: { }
+#      labels: { }
+#      allowVolumeExpansion: true
+#      reclaimPolicy: Delete
+
+# -- CSI driver name prefix for cephfs, rbd and nfs.
+# @default -- `namespace name where rook-ceph operator is deployed`
+csiDriverNamePrefix:

examples/nanodc/rook-operator/install-rook-operator.sh

@@ -0,0 +1,3 @@
+#!/bin/bash
+helm repo add rook-release https://charts.rook.io/release
+helm install --create-namespace --namespace rook-ceph rook-ceph rook-release/rook-ceph -f values.yaml

examples/nanodc/rook-operator/values.yaml

@@ -0,0 +1,674 @@
+# Default values for rook-ceph-operator
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+image:
+  # -- Image
+  repository: docker.io/rook/ceph
+  # -- Image tag
+  # @default -- `master`
+  tag: v1.17.1
+  # -- Image pull policy
+  pullPolicy: IfNotPresent
+
+crds:
+  # -- Whether the helm chart should create and update the CRDs. If false, the CRDs must be
+  # managed independently with deploy/examples/crds.yaml.
+  # **WARNING** Only set during first deployment. If later disabled the cluster may be DESTROYED.
+  # If the CRDs are deleted in this case, see
+  # [the disaster recovery guide](https://rook.io/docs/rook/latest/Troubleshooting/disaster-recovery/#restoring-crds-after-deletion)
+  # to restore them.
+  enabled: true
+
+# -- Pod resource requests & limits
+resources:
+  limits:
+    memory: 512Mi
+  requests:
+    cpu: 200m
+    memory: 128Mi
+
+# -- Kubernetes [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) to add to the Deployment.
+nodeSelector: {}
+# Constraint rook-ceph-operator Deployment to nodes with label `disktype: ssd`.
+# For more info, see https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
+#  disktype: ssd
+
+# -- List of Kubernetes [`tolerations`](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) to add to the Deployment.
+tolerations: []
+
+# -- Delay to use for the `node.kubernetes.io/unreachable` pod failure toleration to override
+# the Kubernetes default of 5 minutes
+unreachableNodeTolerationSeconds: 5
+
+# -- Whether the operator should watch cluster CRD in its own namespace or not
+currentNamespaceOnly: false
+
+# -- Custom pod labels for the operator
+operatorPodLabels: {}
+
+# -- Pod annotations
+annotations: {}
+
+# -- Global log level for the operator.
+# Options: `ERROR`, `WARNING`, `INFO`, `DEBUG`
+logLevel: INFO
+
+# -- If true, create & use RBAC resources
+rbacEnable: true
+
+rbacAggregate:
+  # -- If true, create a ClusterRole aggregated to [user facing roles](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles) for objectbucketclaims
+  enableOBCs: false
+
+# -- If true, create & use PSP resources
+pspEnable: false
+
+# -- Set the priority class for the rook operator deployment if desired
+priorityClassName:
+
+# -- Set the container security context for the operator
+containerSecurityContext:
+  runAsNonRoot: true
+  runAsUser: 2016
+  runAsGroup: 2016
+  capabilities:
+    drop: ["ALL"]
+# -- If true, loop devices are allowed to be used for osds in test clusters
+allowLoopDevices: false
+
+# Settings for whether to disable the drivers or other daemons if they are not
+# needed
+csi:
+  # -- Enable Ceph CSI RBD driver
+  enableRbdDriver: true
+  # -- Enable Ceph CSI CephFS driver
+  enableCephfsDriver: true
+  # -- Disable the CSI driver.
+  disableCsiDriver: "false"
+
+  # -- Enable host networking for CSI CephFS and RBD nodeplugins. This may be necessary
+  # in some network configurations where the SDN does not provide access to an external cluster or
+  # there is significant drop in read/write performance
+  enableCSIHostNetwork: true
+  # -- Enable Snapshotter in CephFS provisioner pod
+  enableCephfsSnapshotter: true
+  # -- Enable Snapshotter in NFS provisioner pod
+  enableNFSSnapshotter: true
+  # -- Enable Snapshotter in RBD provisioner pod
+  enableRBDSnapshotter: true
+  # -- Enable Host mount for `/etc/selinux` directory for Ceph CSI nodeplugins
+  enablePluginSelinuxHostMount: false
+  # -- Enable Ceph CSI PVC encryption support
+  enableCSIEncryption: false
+
+  # -- Enable volume group snapshot feature. This feature is
+  # enabled by default as long as the necessary CRDs are available in the cluster.
+  enableVolumeGroupSnapshot: true
+  # -- PriorityClassName to be set on csi driver plugin pods
+  pluginPriorityClassName: system-node-critical
+
+  # -- PriorityClassName to be set on csi driver provisioner pods
+  provisionerPriorityClassName: system-cluster-critical
+
+  # -- Policy for modifying a volume's ownership or permissions when the RBD PVC is being mounted.
+  # supported values are documented at https://kubernetes-csi.github.io/docs/support-fsgroup.html
+  rbdFSGroupPolicy: "File"
+
+  # -- Policy for modifying a volume's ownership or permissions when the CephFS PVC is being mounted.
+  # supported values are documented at https://kubernetes-csi.github.io/docs/support-fsgroup.html
+  cephFSFSGroupPolicy: "File"
+
+  # -- Policy for modifying a volume's ownership or permissions when the NFS PVC is being mounted.
+  # supported values are documented at https://kubernetes-csi.github.io/docs/support-fsgroup.html
+  nfsFSGroupPolicy: "File"
+
+  # -- OMAP generator generates the omap mapping between the PV name and the RBD image
+  # which helps CSI to identify the rbd images for CSI operations.
+  # `CSI_ENABLE_OMAP_GENERATOR` needs to be enabled when we are using rbd mirroring feature.
+  # By default OMAP generator is disabled and when enabled, it will be deployed as a
+  # sidecar with CSI provisioner pod, to enable set it to true.
+  enableOMAPGenerator: false
+
+  # -- Set CephFS Kernel mount options to use https://docs.ceph.com/en/latest/man/8/mount.ceph/#options.
+  # Set to "ms_mode=secure" when connections.encrypted is enabled in CephCluster CR
+  cephFSKernelMountOptions:
+
+  # -- Enable adding volume metadata on the CephFS subvolumes and RBD images.
+  # Not all users might be interested in getting volume/snapshot details as metadata on CephFS subvolume and RBD images.
+  # Hence enable metadata is false by default
+  enableMetadata: false
+
+  # -- Set replicas for csi provisioner deployment
+  provisionerReplicas: 2
+
+  # -- Cluster name identifier to set as metadata on the CephFS subvolume and RBD images. This will be useful
+  # in cases like for example, when two container orchestrator clusters (Kubernetes/OCP) are using a single ceph cluster
+  clusterName:
+
+  # -- Set logging level for cephCSI containers maintained by the cephCSI.
+  # Supported values from 0 to 5. 0 for general useful logs, 5 for trace level verbosity.
+  logLevel: 0
+
+  # -- Set logging level for Kubernetes-csi sidecar containers.
+  # Supported values from 0 to 5. 0 for general useful logs (the default), 5 for trace level verbosity.
+  # @default -- `0`
+  sidecarLogLevel:
+
+  # -- CSI driver name prefix for cephfs, rbd and nfs.
+  # @default -- `namespace name where rook-ceph operator is deployed`
+  csiDriverNamePrefix:
+
+  # -- CSI RBD plugin daemonset update strategy, supported values are OnDelete and RollingUpdate
+  # @default -- `RollingUpdate`
+  rbdPluginUpdateStrategy:
+
+  # -- A maxUnavailable parameter of CSI RBD plugin daemonset update strategy.
+  # @default -- `1`
+  rbdPluginUpdateStrategyMaxUnavailable:
+
+  # -- CSI CephFS plugin daemonset update strategy, supported values are OnDelete and RollingUpdate
+  # @default -- `RollingUpdate`
+  cephFSPluginUpdateStrategy:
+
+  # -- A maxUnavailable parameter of CSI cephFS plugin daemonset update strategy.
+  # @default -- `1`
+  cephFSPluginUpdateStrategyMaxUnavailable:
+
+  # -- CSI NFS plugin daemonset update strategy, supported values are OnDelete and RollingUpdate
+  # @default -- `RollingUpdate`
+  nfsPluginUpdateStrategy:
+
+  # -- Set GRPC timeout for csi containers (in seconds). It should be >= 120. If this value is not set or is invalid, it defaults to 150
+  grpcTimeoutInSeconds: 150
+
+  # -- Burst to use while communicating with the kubernetes apiserver.
+  kubeApiBurst:
+
+  # -- QPS to use while communicating with the kubernetes apiserver.
+  kubeApiQPS:
+
+  # -- The volume of the CephCSI RBD plugin DaemonSet
+  csiRBDPluginVolume:
+  #  - name: lib-modules
+  #    hostPath:
+  #      path: /run/booted-system/kernel-modules/lib/modules/
+  #  - name: host-nix
+  #    hostPath:
+  #      path: /nix
+
+  # -- The volume mounts of the CephCSI RBD plugin DaemonSet
+  csiRBDPluginVolumeMount:
+  #  - name: host-nix
+  #    mountPath: /nix
+  #    readOnly: true
+
+  # -- The volume of the CephCSI CephFS plugin DaemonSet
+  csiCephFSPluginVolume:
+  #  - name: lib-modules
+  #    hostPath:
+  #      path: /run/booted-system/kernel-modules/lib/modules/
+  #  - name: host-nix
+  #    hostPath:
+  #      path: /nix
+
+  # -- The volume mounts of the CephCSI CephFS plugin DaemonSet
+  csiCephFSPluginVolumeMount:
+  #  - name: host-nix
+  #    mountPath: /nix
+  #    readOnly: true
+
+  # -- CEPH CSI RBD provisioner resource requirement list
+  # csi-omap-generator resources will be applied only if `enableOMAPGenerator` is set to `true`
+  # @default -- see values.yaml
+  csiRBDProvisionerResource: |
+    - name : csi-provisioner
+      resource:
+        requests:
+          memory: 128Mi
+          cpu: 100m
+        limits:
+          memory: 256Mi
+    - name : csi-resizer
+      resource:
+        requests:
+          memory: 128Mi
+          cpu: 100m
+        limits:
+          memory: 256Mi
+    - name : csi-attacher
+      resource:
+        requests:
+          memory: 128Mi
+          cpu: 100m
+        limits:
+          memory: 256Mi
+    - name : csi-snapshotter
+      resource:
+        requests:
+          memory: 128Mi
+          cpu: 100m
+        limits:
+          memory: 256Mi
+    - name : csi-rbdplugin
+      resource:
+        requests:
+          memory: 512Mi
+        limits:
+          memory: 1Gi
+    - name : csi-omap-generator
+      resource:
+        requests:
+          memory: 512Mi
+          cpu: 250m
+        limits:
+          memory: 1Gi
+    - name : liveness-prometheus
+      resource:
+        requests:
+          memory: 128Mi
+          cpu: 50m
+        limits:
+          memory: 256Mi
+
+  # -- CEPH CSI RBD plugin resource requirement list
+  # @default -- see values.yaml
+  csiRBDPluginResource: |
+    - name : driver-registrar
+      resource:
+        requests:
+          memory: 128Mi
+          cpu: 50m
+        limits:
+          memory: 256Mi
+    - name : csi-rbdplugin
+      resource:
+        requests:
+          memory: 512Mi
+          cpu: 250m
+        limits:
+          memory: 1Gi
+    - name : liveness-prometheus
+      resource:
+        requests:
+          memory: 128Mi
+          cpu: 50m
+        limits:
+          memory: 256Mi
+
+  # -- CEPH CSI CephFS provisioner resource requirement list
+  # @default -- see values.yaml
+  csiCephFSProvisionerResource: |
+    - name : csi-provisioner
+      resource:
+        requests:
+          memory: 128Mi
+          cpu: 100m
+        limits:
+          memory: 256Mi
+    - name : csi-resizer
+      resource:
+        requests:
+          memory: 128Mi
+          cpu: 100m
+        limits:
+          memory: 256Mi
+    - name : csi-attacher
+      resource:
+        requests:
+          memory: 128Mi
+          cpu: 100m
+        limits:
+          memory: 256Mi
+    - name : csi-snapshotter
+      resource:
+        requests:
+          memory: 128Mi
+          cpu: 100m
+        limits:
+          memory: 256Mi
+    - name : csi-cephfsplugin
+      resource:
+        requests:
+          memory: 512Mi
+          cpu: 250m
+        limits:
+          memory: 1Gi
+    - name : liveness-prometheus
+      resource:
+        requests:
+          memory: 128Mi
+          cpu: 50m
+        limits:
+          memory: 256Mi
+
+  # -- CEPH CSI CephFS plugin resource requirement list
+  # @default -- see values.yaml
+  csiCephFSPluginResource: |
+    - name : driver-registrar
+      resource:
+        requests:
+          memory: 128Mi
+          cpu: 50m
+        limits:
+          memory: 256Mi
+    - name : csi-cephfsplugin
+      resource:
+        requests:
+          memory: 512Mi
+          cpu: 250m
+        limits:
+          memory: 1Gi
+    - name : liveness-prometheus
+      resource:
+        requests:
+          memory: 128Mi
+          cpu: 50m
+        limits:
+          memory: 256Mi
+
+  # -- CEPH CSI NFS provisioner resource requirement list
+  # @default -- see values.yaml
+  csiNFSProvisionerResource: |
+    - name : csi-provisioner
+      resource:
+        requests:
+          memory: 128Mi
+          cpu: 100m
+        limits:
+          memory: 256Mi
+    - name : csi-nfsplugin
+      resource:
+        requests:
+          memory: 512Mi
+          cpu: 250m
+        limits:
+          memory: 1Gi
+    - name : csi-attacher
+      resource:
+        requests:
+          memory: 512Mi
+          cpu: 250m
+        limits:
+          memory: 1Gi
+
+  # -- CEPH CSI NFS plugin resource requirement list
+  # @default -- see values.yaml
+  csiNFSPluginResource: |
+    - name : driver-registrar
+      resource:
+        requests:
+          memory: 128Mi
+          cpu: 50m
+        limits:
+          memory: 256Mi
+    - name : csi-nfsplugin
+      resource:
+        requests:
+          memory: 512Mi
+          cpu: 250m
+        limits:
+          memory: 1Gi
+
+  # Set provisionerTolerations and provisionerNodeAffinity for provisioner pod.
+  # The CSI provisioner would be best to start on the same nodes as other ceph daemons.
+
+  # -- Array of tolerations in YAML format which will be added to CSI provisioner deployment
+  provisionerTolerations:
+  #    - key: key
+  #      operator: Exists
+  #      effect: NoSchedule
+
+  # -- The node labels for affinity of the CSI provisioner deployment [^1]
+  provisionerNodeAffinity: #key1=value1,value2; key2=value3
+  # Set pluginTolerations and pluginNodeAffinity for plugin daemonset pods.
+  # The CSI plugins need to be started on all the nodes where the clients need to mount the storage.
+
+  # -- Array of tolerations in YAML format which will be added to CephCSI plugin DaemonSet
+  pluginTolerations:
+  #    - key: key
+  #      operator: Exists
+  #      effect: NoSchedule
+
+  # -- The node labels for affinity of the CephCSI RBD plugin DaemonSet [^1]
+  pluginNodeAffinity: # key1=value1,value2; key2=value3
+
+  # -- Enable Ceph CSI Liveness sidecar deployment
+  enableLiveness: false
+
+  # -- CSI CephFS driver metrics port
+  # @default -- `9081`
+  cephfsLivenessMetricsPort:
+
+  # -- CSI Addons server port
+  # @default -- `9070`
+  csiAddonsPort:
+  # -- CSI Addons server port for the RBD provisioner
+  # @default -- `9070`
+  csiAddonsRBDProvisionerPort:
+  # -- CSI Addons server port for the Ceph FS provisioner
+  # @default -- `9070`
+  csiAddonsCephFSProvisionerPort:
+
+  # -- Enable Ceph Kernel clients on kernel < 4.17. If your kernel does not support quotas for CephFS
+  # you may want to disable this setting. However, this will cause an issue during upgrades
+  # with the FUSE client. See the [upgrade guide](https://rook.io/docs/rook/v1.2/ceph-upgrade.html)
+  forceCephFSKernelClient: true
+
+  # -- Ceph CSI RBD driver metrics port
+  # @default -- `8080`
+  rbdLivenessMetricsPort:
+
+  serviceMonitor:
+    # -- Enable ServiceMonitor for Ceph CSI drivers
+    enabled: false
+    # -- Service monitor scrape interval
+    interval: 10s
+    # -- ServiceMonitor additional labels
+    labels: {}
+    # -- Use a different namespace for the ServiceMonitor
+    namespace:
+
+  # -- Kubelet root directory path (if the Kubelet uses a different path for the `--root-dir` flag)
+  # @default -- `/var/lib/kubelet`
+  kubeletDirPath:
+
+  # -- Duration in seconds that non-leader candidates will wait to force acquire leadership.
+  # @default -- `137s`
+  csiLeaderElectionLeaseDuration:
+
+  # -- Deadline in seconds that the acting leader will retry refreshing leadership before giving up.
+  # @default -- `107s`
+  csiLeaderElectionRenewDeadline:
+
+  # -- Retry period in seconds the LeaderElector clients should wait between tries of actions.
+  # @default -- `26s`
+  csiLeaderElectionRetryPeriod:
+
+  cephcsi:
+    # -- Ceph CSI image repository
+    repository: quay.io/cephcsi/cephcsi
+    # -- Ceph CSI image tag
+    tag: v3.14.0
+
+  registrar:
+    # -- Kubernetes CSI registrar image repository
+    repository: registry.k8s.io/sig-storage/csi-node-driver-registrar
+    # -- Registrar image tag
+    tag: v2.13.0
+
+  provisioner:
+    # -- Kubernetes CSI provisioner image repository
+    repository: registry.k8s.io/sig-storage/csi-provisioner
+    # -- Provisioner image tag
+    tag: v5.1.0
+
+  snapshotter:
+    # -- Kubernetes CSI snapshotter image repository
+    repository: registry.k8s.io/sig-storage/csi-snapshotter
+    # -- Snapshotter image tag
+    tag: v8.2.0
+
+  attacher:
+    # -- Kubernetes CSI Attacher image repository
+    repository: registry.k8s.io/sig-storage/csi-attacher
+    # -- Attacher image tag
+    tag: v4.8.0
+
+  resizer:
+    # -- Kubernetes CSI resizer image repository
+    repository: registry.k8s.io/sig-storage/csi-resizer
+    # -- Resizer image tag
+    tag: v1.13.1
+
+  # -- Image pull policy
+  imagePullPolicy: IfNotPresent
+
+  # -- Labels to add to the CSI CephFS Deployments and DaemonSets Pods
+  cephfsPodLabels: #"key1=value1,key2=value2"
+
+  # -- Labels to add to the CSI NFS Deployments and DaemonSets Pods
+  nfsPodLabels: #"key1=value1,key2=value2"
+
+  # -- Labels to add to the CSI RBD Deployments and DaemonSets Pods
+  rbdPodLabels: #"key1=value1,key2=value2"
+
+  csiAddons:
+    # -- Enable CSIAddons
+    enabled: false
+    # -- CSIAddons sidecar image repository
+    repository: quay.io/csiaddons/k8s-sidecar
+    # -- CSIAddons sidecar image tag
+    tag: v0.12.0
+
+  nfs:
+    # -- Enable the nfs csi driver
+    enabled: false
+
+  topology:
+    # -- Enable topology based provisioning
+    enabled: false
+    # NOTE: the value here serves as an example and needs to be
+    # updated with node labels that define domains of interest
+    # -- domainLabels define which node labels to use as domains
+    # for CSI nodeplugins to advertise their domains
+    domainLabels:
+    # - kubernetes.io/hostname
+    # - topology.kubernetes.io/zone
+    # - topology.rook.io/rack
+
+  # -- Whether to skip any attach operation altogether for CephFS PVCs. See more details
+  # [here](https://kubernetes-csi.github.io/docs/skip-attach.html#skip-attach-with-csi-driver-object).
+  # If cephFSAttachRequired is set to false it skips the volume attachments and makes the creation
+  # of pods using the CephFS PVC fast. **WARNING** It's highly discouraged to use this for
+  # CephFS RWO volumes. Refer to this [issue](https://github.com/kubernetes/kubernetes/issues/103305) for more details.
+  cephFSAttachRequired: true
+  # -- Whether to skip any attach operation altogether for RBD PVCs. See more details
+  # [here](https://kubernetes-csi.github.io/docs/skip-attach.html#skip-attach-with-csi-driver-object).
+  # If set to false it skips the volume attachments and makes the creation of pods using the RBD PVC fast.
+  # **WARNING** It's highly discouraged to use this for RWO volumes as it can cause data corruption.
+  # csi-addons operations like Reclaimspace and PVC Keyrotation will also not be supported if set
+  # to false since we'll have no VolumeAttachments to determine which node the PVC is mounted on.
+  # Refer to this [issue](https://github.com/kubernetes/kubernetes/issues/103305) for more details.
+  rbdAttachRequired: true
+  # -- Whether to skip any attach operation altogether for NFS PVCs. See more details
+  # [here](https://kubernetes-csi.github.io/docs/skip-attach.html#skip-attach-with-csi-driver-object).
+  # If cephFSAttachRequired is set to false it skips the volume attachments and makes the creation
+  # of pods using the NFS PVC fast. **WARNING** It's highly discouraged to use this for
+  # NFS RWO volumes. Refer to this [issue](https://github.com/kubernetes/kubernetes/issues/103305) for more details.
+  nfsAttachRequired: true
+
+# -- Enable discovery daemon
+enableDiscoveryDaemon: false
+# -- Set the discovery daemon device discovery interval (default to 60m)
+discoveryDaemonInterval: 60m
+
+# -- The timeout for ceph commands in seconds
+cephCommandsTimeoutSeconds: "15"
+
+# -- If true, run rook operator on the host network
+useOperatorHostNetwork:
+
+# -- If true, scale down the rook operator.
+# This is useful for administrative actions where the rook operator must be scaled down, while using gitops style tooling
+# to deploy your helm charts.
+scaleDownOperator: false
+
+## Rook Discover configuration
+## toleration: NoSchedule, PreferNoSchedule or NoExecute
+## tolerationKey: Set this to the specific key of the taint to tolerate
+## tolerations: Array of tolerations in YAML format which will be added to agent deployment
+## nodeAffinity: Set to labels of the node to match
+
+discover:
+  # -- Toleration for the discover pods.
+  # Options: `NoSchedule`, `PreferNoSchedule` or `NoExecute`
+  toleration:
+  # -- The specific key of the taint to tolerate
+  tolerationKey:
+  # -- Array of tolerations in YAML format which will be added to discover deployment
+  tolerations:
+  #   - key: key
+  #     operator: Exists
+  #     effect: NoSchedule
+  # -- The node labels for affinity of `discover-agent` [^1]
+  nodeAffinity:
+  #   key1=value1,value2; key2=value3
+  #
+  #   or
+  #
+  #   requiredDuringSchedulingIgnoredDuringExecution:
+  #     nodeSelectorTerms:
+  #       - matchExpressions:
+  #           - key: storage-node
+  #             operator: Exists
+  # -- Labels to add to the discover pods
+  podLabels: # "key1=value1,key2=value2"
+  # -- Add resources to discover daemon pods
+  resources:
+  #   - limits:
+  #       memory: 512Mi
+  #   - requests:
+  #       cpu: 100m
+  #       memory: 128Mi
+
+# -- Custom label to identify node hostname. If not set `kubernetes.io/hostname` will be used
+customHostnameLabel:
+
+# -- Runs Ceph Pods as privileged to be able to write to `hostPaths` in OpenShift with SELinux restrictions.
+hostpathRequiresPrivileged: false
+
+# -- Whether to create all Rook pods to run on the host network, for example in environments where a CNI is not enabled
+enforceHostNetwork: false
+
+# -- Disable automatic orchestration when new devices are discovered.
+disableDeviceHotplug: false
+
+# -- The revision history limit for all pods created by Rook. If blank, the K8s default is 10.
+revisionHistoryLimit:
+
+# -- Blacklist certain disks according to the regex provided.
+discoverDaemonUdev:
+
+# -- imagePullSecrets option allow to pull docker images from private docker registry. Option will be passed to all service accounts.
+imagePullSecrets:
+# - name: my-registry-secret
+
+# -- Whether the OBC provisioner should watch on the operator namespace or not, if not the namespace of the cluster will be used
+enableOBCWatchOperatorNamespace: true
+
+# -- Specify the prefix for the OBC provisioner in place of the cluster namespace
+# @default -- `ceph cluster namespace`
+obcProvisionerNamePrefix:
+
+# -- Many OBC additional config fields may be risky for administrators to allow users control over.
+# The safe and default-allowed fields are 'maxObjects' and 'maxSize'.
+# Other fields should be considered risky. To allow all additional configs, use this value:
+#   "maxObjects,maxSize,bucketMaxObjects,bucketMaxSize,bucketPolicy,bucketLifecycle,bucketOwner"
+# @default -- "maxObjects,maxSize"
+obcAllowAdditionalConfigFields: "maxObjects,maxSize"
+
+monitoring:
+  # -- Enable monitoring. Requires Prometheus to be pre-installed.
+  # Enabling will also create RBAC rules to allow Operator to create ServiceMonitors
+  enabled: false

examples/nanodc/src/main.rs

@@ -1,29 +1,145 @@
+use std::{
+    net::{IpAddr, Ipv4Addr},
+    sync::Arc,
+};
+
+use cidr::Ipv4Cidr;
 use harmony::{
+    hardware::{FirewallGroup, HostCategory, Location, PhysicalHost, SwitchGroup},
+    infra::opnsense::OPNSenseManagementInterface,
     inventory::Inventory,
     maestro::Maestro,
     modules::{
-        dummy::{ErrorScore, PanicScore, SuccessScore},
-        k8s::deployment::K8sDeploymentScore,
+        http::HttpScore,
+        ipxe::IpxeScore,
+        okd::{
+            bootstrap_dhcp::OKDBootstrapDhcpScore,
+            bootstrap_load_balancer::OKDBootstrapLoadBalancerScore, dhcp::OKDDhcpScore,
+            dns::OKDDnsScore,
+        },
+        tftp::TftpScore,
     },
-    topology::HAClusterTopology,
+    topology::{LogicalHost, UnmanagedRouter, Url},
 };
+use harmony_macros::{ip, mac_address};
 
 #[tokio::main]
 async fn main() {
-    let inventory = Inventory::autoload();
-    let topology = HAClusterTopology::autoload();
-    let mut maestro = Maestro::new(inventory, topology);
+    let firewall = harmony::topology::LogicalHost {
+        ip: ip!("192.168.33.1"),
+        name: String::from("fw0"),
+    };
 
+    let opnsense = Arc::new(
+        harmony::infra::opnsense::OPNSenseFirewall::new(firewall, None, "root", "opnsense").await,
+    );
+    let lan_subnet = Ipv4Addr::new(192, 168, 33, 0);
+    let gateway_ipv4 = Ipv4Addr::new(192, 168, 33, 1);
+    let gateway_ip = IpAddr::V4(gateway_ipv4);
+    let topology = harmony::topology::HAClusterTopology {
+        domain_name: "ncd0.harmony.mcd".to_string(), // TODO this must be set manually correctly
+        // when setting up the opnsense firewall
+        router: Arc::new(UnmanagedRouter::new(
+            gateway_ip,
+            Ipv4Cidr::new(lan_subnet, 24).unwrap(),
+        )),
+        load_balancer: opnsense.clone(),
+        firewall: opnsense.clone(),
+        tftp_server: opnsense.clone(),
+        http_server: opnsense.clone(),
+        dhcp_server: opnsense.clone(),
+        dns_server: opnsense.clone(),
+        control_plane: vec![
+            LogicalHost {
+                ip: ip!("192.168.33.20"),
+                name: "cp0".to_string(),
+            },
+            LogicalHost {
+                ip: ip!("192.168.33.21"),
+                name: "cp1".to_string(),
+            },
+            LogicalHost {
+                ip: ip!("192.168.33.22"),
+                name: "cp2".to_string(),
+            },
+        ],
+        bootstrap_host: LogicalHost {
+            ip: ip!("192.168.33.66"),
+            name: "bootstrap".to_string(),
+        },
+        workers: vec![
+            LogicalHost {
+                ip: ip!("192.168.33.30"),
+                name: "wk0".to_string(),
+            },
+            LogicalHost {
+                ip: ip!("192.168.33.31"),
+                name: "wk1".to_string(),
+            },
+            LogicalHost {
+                ip: ip!("192.168.33.32"),
+                name: "wk2".to_string(),
+            },
+        ],
+        switch: vec![],
+    };
+
+    let inventory = Inventory {
+        location: Location::new("I am mobile".to_string(), "earth".to_string()),
+        switch: SwitchGroup::from([]),
+        firewall: FirewallGroup::from([PhysicalHost::empty(HostCategory::Firewall)
+            .management(Arc::new(OPNSenseManagementInterface::new()))]),
+        storage_host: vec![],
+        worker_host: vec![
+            PhysicalHost::empty(HostCategory::Server)
+                .mac_address(mac_address!("C4:62:37:02:61:0F")),
+            PhysicalHost::empty(HostCategory::Server)
+                .mac_address(mac_address!("C4:62:37:02:61:26")),
+            // thisone
+            // Then create the ipxe file
+            // set the dns static leases
+            // bootstrap nodes
+            // start ceph cluster
+            // try installation of lampscore
+            // bingo?
+            PhysicalHost::empty(HostCategory::Server)
+                .mac_address(mac_address!("C4:62:37:02:61:70")),
+        ],
+        control_plane_host: vec![
+            PhysicalHost::empty(HostCategory::Server)
+                .mac_address(mac_address!("C4:62:37:02:60:FA")),
+            PhysicalHost::empty(HostCategory::Server)
+                .mac_address(mac_address!("C4:62:37:02:61:1A")),
+            PhysicalHost::empty(HostCategory::Server)
+                .mac_address(mac_address!("C4:62:37:01:BC:68")),
+        ],
+    };
+
+    // TODO regroup smaller scores in a larger one such as this
+    // let okd_boostrap_preparation();
+
+    let bootstrap_dhcp_score = OKDBootstrapDhcpScore::new(&topology, &inventory);
+    let bootstrap_load_balancer_score = OKDBootstrapLoadBalancerScore::new(&topology);
+    let dhcp_score = OKDDhcpScore::new(&topology, &inventory);
+    let dns_score = OKDDnsScore::new(&topology);
+    let load_balancer_score =
+        harmony::modules::okd::load_balancer::OKDLoadBalancerScore::new(&topology);
+
+    let tftp_score = TftpScore::new(Url::LocalFolder("./data/watchguard/tftpboot".to_string()));
+    let http_score = HttpScore::new(Url::LocalFolder(
+        "./data/watchguard/pxe-http-files".to_string(),
+    ));
+    let ipxe_score = IpxeScore::new();
+    let mut maestro = Maestro::initialize(inventory, topology).await.unwrap();
     maestro.register_all(vec![
-        // ADD scores :
-        // 1. OPNSense setup scores
-        // 2. Bootstrap node setup
-        // 3. Control plane setup
-        // 4. Workers setup
-        // 5. Various tools and apps setup
-        Box::new(SuccessScore {}),
-        Box::new(ErrorScore {}),
-        Box::new(PanicScore {}),
+        Box::new(dns_score),
+        Box::new(bootstrap_dhcp_score),
+        Box::new(bootstrap_load_balancer_score),
+        Box::new(load_balancer_score),
+        Box::new(tftp_score),
+        Box::new(http_score),
+        Box::new(ipxe_score),
+        Box::new(dhcp_score),
     ]);
     harmony_tui::init(maestro).await.unwrap();
 }

examples/opnsense/src/main.rs

@@ -84,7 +84,7 @@ async fn main() {
     let http_score = HttpScore::new(Url::LocalFolder(
         "./data/watchguard/pxe-http-files".to_string(),
     ));
-    let mut maestro = Maestro::new(inventory, topology);
+    let mut maestro = Maestro::initialize(inventory, topology).await.unwrap();
     maestro.register_all(vec![
         Box::new(dns_score),
         Box::new(dhcp_score),

examples/tui/src/main.rs

@@ -1,20 +1,70 @@
+use std::net::{SocketAddr, SocketAddrV4};
+
 use harmony::{
     inventory::Inventory,
     maestro::Maestro,
-    modules::dummy::{ErrorScore, PanicScore, SuccessScore},
-    topology::HAClusterTopology,
+    modules::{
+        dns::DnsScore,
+        dummy::{ErrorScore, PanicScore, SuccessScore},
+        load_balancer::LoadBalancerScore,
+    },
+    topology::{
+        BackendServer, DummyInfra, HealthCheck, HttpMethod, HttpStatusCode, LoadBalancerService,
+    },
 };
+use harmony_macros::ipv4;
 
 #[tokio::main]
 async fn main() {
     let inventory = Inventory::autoload();
-    let topology = HAClusterTopology::autoload();
-    let mut maestro = Maestro::new(inventory, topology);
+    let topology = DummyInfra {};
+    let mut maestro = Maestro::initialize(inventory, topology).await.unwrap();
 
     maestro.register_all(vec![
         Box::new(SuccessScore {}),
         Box::new(ErrorScore {}),
         Box::new(PanicScore {}),
+        Box::new(DnsScore::new(vec![], None)),
+        Box::new(build_large_score()),
     ]);
     harmony_tui::init(maestro).await.unwrap();
 }
+
+fn build_large_score() -> LoadBalancerScore {
+    let backend_server = BackendServer {
+        address: "192.168.0.0".to_string(),
+        port: 342,
+    };
+    let lb_service = LoadBalancerService {
+        backend_servers: vec![
+            backend_server.clone(),
+            backend_server.clone(),
+            backend_server.clone(),
+        ],
+        listening_port: SocketAddr::V4(SocketAddrV4::new(ipv4!("192.168.0.0"), 49387)),
+        health_check: Some(HealthCheck::HTTP(
+            "/some_long_ass_path_to_see_how_it_is_displayed_but_it_has_to_be_even_longer"
+                .to_string(),
+            HttpMethod::GET,
+            HttpStatusCode::Success2xx,
+        )),
+    };
+    LoadBalancerScore {
+        public_services: vec![
+            lb_service.clone(),
+            lb_service.clone(),
+            lb_service.clone(),
+            lb_service.clone(),
+            lb_service.clone(),
+            lb_service.clone(),
+        ],
+        private_services: vec![
+            lb_service.clone(),
+            lb_service.clone(),
+            lb_service.clone(),
+            lb_service.clone(),
+            lb_service.clone(),
+            lb_service.clone(),
+        ],
+    }
+}

harmony/Cargo.toml

@@ -7,26 +7,46 @@ license.workspace = true
 
 [dependencies]
 libredfish = "0.1.1"
-reqwest = {version = "0.11", features = ["blocking", "json"] }
+reqwest = { version = "0.11", features = ["blocking", "json"] }
 russh = "0.45.0"
 rust-ipmi = "0.1.1"
 semver = "1.0.23"
 serde = { version = "1.0.209", features = ["derive"] }
 serde_json = "1.0.127"
-tokio = { workspace = true }
-derive-new = { workspace = true }
-log = { workspace = true }
-env_logger = { workspace = true }
-async-trait = { workspace = true }
-cidr = { workspace = true }
+tokio.workspace = true
+derive-new.workspace = true
+log.workspace = true
+env_logger.workspace = true
+async-trait.workspace = true
+cidr.workspace = true
 opnsense-config = { path = "../opnsense-config" }
 opnsense-config-xml = { path = "../opnsense-config-xml" }
 harmony_macros = { path = "../harmony_macros" }
 harmony_types = { path = "../harmony_types" }
-uuid = { workspace = true }
-url = { workspace = true }
-kube = { workspace = true }
-k8s-openapi = { workspace = true }
-serde_yaml = { workspace = true }
-http = { workspace = true }
-serde-value = { workspace = true }
+uuid.workspace = true
+url.workspace = true
+kube.workspace = true
+k8s-openapi.workspace = true
+serde_yaml.workspace = true
+http.workspace = true
+serde-value.workspace = true
+inquire.workspace = true
+helm-wrapper-rs = "0.4.0"
+non-blank-string-rs = "1.0.4"
+k3d-rs = { path = "../k3d" }
+directories = "6.0.0"
+lazy_static = "1.5.0"
+dockerfile_builder = "0.1.5"
+temp-file = "0.1.9"
+convert_case.workspace = true
+email_address = "0.2.9"
+fqdn = { version = "0.4.6", features = [
+    "domain-label-cannot-start-or-end-with-hyphen",
+    "domain-label-length-limited-to-63",
+    "domain-name-without-special-chars",
+    "domain-name-length-limited-to-255",
+    "punycode",
+    "serde",
+] }
+temp-dir = "0.1.14"
+dyn-clone = "1.0.19"

harmony/src/domain/config.rs

@@ -0,0 +1,13 @@
+use lazy_static::lazy_static;
+use std::path::PathBuf;
+
+lazy_static! {
+    pub static ref HARMONY_CONFIG_DIR: PathBuf = directories::BaseDirs::new()
+        .unwrap()
+        .data_dir()
+        .join("harmony");
+    pub static ref REGISTRY_URL: String =
+        std::env::var("HARMONY_REGISTRY_URL").unwrap_or_else(|_| "hub.nationtech.io".to_string());
+    pub static ref REGISTRY_PROJECT: String =
+        std::env::var("HARMONY_REGISTRY_PROJECT").unwrap_or_else(|_| "harmony".to_string());
+}

harmony/src/domain/data/id.rs

@@ -1,6 +1,6 @@
 use serde::{Deserialize, Serialize};
 
-#[derive(Debug, Clone, Serialize, Deserialize)]
+#[derive(Debug, Clone, PartialEq, Serialize, Deserialize)]
 pub struct Id {
     value: String,
 }

harmony/src/domain/hardware/mod.rs

@@ -138,7 +138,8 @@ impl ManagementInterface for ManualManagementInterface {
     }
 
     fn get_supported_protocol_names(&self) -> String {
-        todo!()
+        // todo!()
+        "none".to_string()
     }
 }
 

harmony/src/domain/interpret/mod.rs

@@ -7,7 +7,6 @@ use super::{
     data::{Id, Version},
     executors::ExecutorError,
     inventory::Inventory,
-    topology::Topology,
 };
 
 pub enum InterpretName {
@@ -16,9 +15,11 @@ pub enum InterpretName {
     LoadBalancer,
     Tftp,
     Http,
+    Ipxe,
     Dummy,
     Panic,
     OPNSense,
+    K3dInstallation,
 }
 
 impl std::fmt::Display for InterpretName {
@@ -29,9 +30,11 @@ impl std::fmt::Display for InterpretName {
             InterpretName::LoadBalancer => f.write_str("LoadBalancer"),
             InterpretName::Tftp => f.write_str("Tftp"),
             InterpretName::Http => f.write_str("Http"),
+            InterpretName::Ipxe => f.write_str("iPXE"),
             InterpretName::Dummy => f.write_str("Dummy"),
             InterpretName::Panic => f.write_str("Panic"),
             InterpretName::OPNSense => f.write_str("OPNSense"),
+            InterpretName::K3dInstallation => f.write_str("K3dInstallation"),
         }
     }
 }

harmony/src/domain/maestro/mod.rs

@@ -1,9 +1,9 @@
-use std::sync::{Arc, RwLock};
+use std::sync::{Arc, Mutex, RwLock};
 
-use log::info;
+use log::{info, warn};
 
 use super::{
-    interpret::{InterpretError, Outcome},
+    interpret::{InterpretError, InterpretStatus, Outcome},
     inventory::Inventory,
     score::Score,
     topology::Topology,
@@ -15,6 +15,7 @@ pub struct Maestro<T: Topology> {
     inventory: Inventory,
     topology: T,
     scores: Arc<RwLock<ScoreVec<T>>>,
+    topology_preparation_result: Mutex<Option<Outcome>>,
 }
 
 impl<T: Topology> Maestro<T> {
@@ -23,32 +24,32 @@ impl<T: Topology> Maestro<T> {
             inventory,
             topology,
             scores: Arc::new(RwLock::new(Vec::new())),
+            topology_preparation_result: None.into(),
         }
     }
 
-    // Load the inventory and inventory from environment.
-    // This function is able to discover the context that it is running in, such as k8s clusters, aws cloud, linux host, etc.
-    // When the HARMONY_TOPOLOGY environment variable is not set, it will default to install k3s
-    // locally (lazily, if not installed yet, when the first execution occurs) and use that as a topology
-    // So, by default, the inventory is a single host that the binary is running on, and the
-    // topology is a single node k3s
-    //
-    // By default :
-    // - Linux => k3s
-    // - macos, windows => docker compose
-    //
-    // To run more complex cases like OKDHACluster, either provide the default target in the
-    // harmony infrastructure as code or as an environment variable
-    pub fn load_from_env() -> Self {
-        // Load env var HARMONY_TOPOLOGY
-        match std::env::var("HARMONY_TOPOLOGY") {
-            Ok(_) => todo!(),
-            Err(_) => todo!(),
-        }
+    pub async fn initialize(inventory: Inventory, topology: T) -> Result<Self, InterpretError> {
+        let instance = Self::new(inventory, topology);
+        instance.prepare_topology().await?;
+        Ok(instance)
     }
 
-    pub fn start(&mut self) {
-        info!("Starting Maestro");
+    /// Ensures the associated Topology is ready for operations.
+    /// Delegates the readiness check and potential setup actions to the Topology.
+    pub async fn prepare_topology(&self) -> Result<Outcome, InterpretError> {
+        info!("Ensuring topology '{}' is ready...", self.topology.name());
+        let outcome = self.topology.ensure_ready().await?;
+        info!(
+            "Topology '{}' readiness check complete: {}",
+            self.topology.name(),
+            outcome.status
+        );
+
+        self.topology_preparation_result
+            .lock()
+            .unwrap()
+            .replace(outcome.clone());
+        Ok(outcome)
     }
 
     pub fn register_all(&mut self, mut scores: ScoreVec<T>) {
@@ -56,7 +57,26 @@ impl<T: Topology> Maestro<T> {
         score_mut.append(&mut scores);
     }
 
+    fn is_topology_initialized(&self) -> bool {
+        let result = self.topology_preparation_result.lock().unwrap();
+        if let Some(outcome) = result.as_ref() {
+            match outcome.status {
+                InterpretStatus::SUCCESS => return true,
+                _ => return false,
+            }
+        } else {
+            false
+        }
+    }
+
     pub async fn interpret(&self, score: Box<dyn Score<T>>) -> Result<Outcome, InterpretError> {
+        if !self.is_topology_initialized() {
+            warn!(
+                "Launching interpret for score {} but Topology {} is not fully initialized!",
+                score.name(),
+                self.topology.name(),
+            );
+        }
         info!("Running score {score:?}");
         let interpret = score.create_interpret();
         info!("Launching interpret {interpret:?}");

harmony/src/domain/mod.rs

@@ -1,3 +1,4 @@
+pub mod config;
 pub mod data;
 pub mod executors;
 pub mod filter;

harmony/src/domain/score.rs

@@ -1,10 +1,12 @@
+use std::collections::BTreeMap;
+
 use serde::Serialize;
 use serde_value::Value;
 
 use super::{interpret::Interpret, topology::Topology};
 
 pub trait Score<T: Topology>:
-    std::fmt::Debug + Send + Sync + CloneBoxScore<T> + SerializeScore<T>
+    std::fmt::Debug + ScoreToString<T> + Send + Sync + CloneBoxScore<T> + SerializeScore<T>
 {
     fn create_interpret(&self) -> Box<dyn Interpret<T>>;
     fn name(&self) -> String;
@@ -39,3 +41,191 @@ where
         Box::new(self.clone())
     }
 }
+
+pub trait ScoreToString<T: Topology> {
+    fn print_score_details(&self) -> String;
+    fn format_value_as_string(&self, val: &Value, indent: usize) -> String;
+    fn format_map(&self, map: &BTreeMap<Value, Value>, indent: usize) -> String;
+    fn wrap_or_truncate(&self, s: &str, width: usize) -> Vec<String>;
+}
+
+impl<S, T> ScoreToString<T> for S
+where
+    T: Topology,
+    S: Score<T> + 'static,
+{
+    fn print_score_details(&self) -> String {
+        let mut output = String::new();
+        output += "\n";
+        output += &self.format_value_as_string(&self.serialize(), 0);
+        output += "\n";
+        output
+    }
+    fn format_map(&self, map: &BTreeMap<Value, Value>, indent: usize) -> String {
+        let pad = " ".repeat(indent * 2);
+        let mut output = String::new();
+
+        output += &format!(
+            "{}+--------------------------+--------------------------------------------------+\n",
+            pad
+        );
+        output += &format!("{}| {:<24} | {:<48} |\n", pad, "score_name", self.name());
+        output += &format!(
+            "{}+--------------------------+--------------------------------------------------+\n",
+            pad
+        );
+
+        for (k, v) in map {
+            let key_str = match k {
+                Value::String(s) => s.clone(),
+                other => format!("{:?}", other),
+            };
+
+            let formatted_val = self.format_value_as_string(v, indent + 1);
+            let lines = formatted_val.lines().map(|line| line.trim_start());
+
+            let wrapped_lines: Vec<_> = lines
+                .flat_map(|line| self.wrap_or_truncate(line.trim_start(), 48))
+                .collect();
+
+            if let Some(first) = wrapped_lines.first() {
+                output += &format!("{}| {:<24} | {:<48} |\n", pad, key_str, first);
+                for line in &wrapped_lines[1..] {
+                    output += &format!("{}| {:<24} | {:<48} |\n", pad, "", line);
+                }
+            }
+
+            //            let first_line = lines.next().unwrap_or("");
+            //            output += &format!("{}| {:<24} | {:<48} |\n", pad, key_str, first_line);
+            //
+            //            for line in lines {
+            //                output += &format!("{}| {:<24} | {:<48} |\n", pad, "", line);
+            //            }
+        }
+
+        output += &format!(
+            "{}+--------------------------+--------------------------------------------------+\n\n",
+            pad
+        );
+
+        output
+    }
+
+    fn wrap_or_truncate(&self, s: &str, width: usize) -> Vec<String> {
+        let mut lines = Vec::new();
+        let mut current = s;
+
+        while !current.is_empty() {
+            if current.len() <= width {
+                lines.push(current.to_string());
+                break;
+            }
+
+            // Try to wrap at whitespace if possible
+            let mut split_index = current[..width].rfind(' ').unwrap_or(width);
+            if split_index == 0 {
+                split_index = width;
+            }
+
+            lines.push(current[..split_index].trim_end().to_string());
+            current = current[split_index..].trim_start();
+        }
+
+        lines
+    }
+
+    fn format_value_as_string(&self, val: &Value, indent: usize) -> String {
+        let pad = " ".repeat(indent * 2);
+        let mut output = String::new();
+
+        match val {
+            Value::Bool(b) => output += &format!("{}{}\n", pad, b),
+            Value::U8(u) => output += &format!("{}{}\n", pad, u),
+            Value::U16(u) => output += &format!("{}{}\n", pad, u),
+            Value::U32(u) => output += &format!("{}{}\n", pad, u),
+            Value::U64(u) => output += &format!("{}{}\n", pad, u),
+            Value::I8(i) => output += &format!("{}{}\n", pad, i),
+            Value::I16(i) => output += &format!("{}{}\n", pad, i),
+            Value::I32(i) => output += &format!("{}{}\n", pad, i),
+            Value::I64(i) => output += &format!("{}{}\n", pad, i),
+            Value::F32(f) => output += &format!("{}{}\n", pad, f),
+            Value::F64(f) => output += &format!("{}{}\n", pad, f),
+            Value::Char(c) => output += &format!("{}{}\n", pad, c),
+            Value::String(s) => output += &format!("{}{:<48}\n", pad, s),
+            Value::Unit => output += &format!("{}<unit>\n", pad),
+            Value::Bytes(bytes) => output += &format!("{}{:?}\n", pad, bytes),
+
+            Value::Option(opt) => match opt {
+                Some(inner) => {
+                    output += &format!("{}Option:\n", pad);
+                    output += &self.format_value_as_string(inner, indent + 1);
+                }
+                None => output += &format!("{}None\n", pad),
+            },
+
+            Value::Newtype(inner) => {
+                output += &format!("{}Newtype:\n", pad);
+                output += &self.format_value_as_string(inner, indent + 1);
+            }
+
+            Value::Seq(seq) => {
+                if seq.is_empty() {
+                    output += &format!("{}[]\n", pad);
+                } else {
+                    output += &format!("{}[\n", pad);
+                    for item in seq {
+                        output += &self.format_value_as_string(item, indent + 1);
+                    }
+                    output += &format!("{}]\n", pad);
+                }
+            }
+
+            Value::Map(map) => {
+                if map.is_empty() {
+                    output += &format!("{}<empty map>\n", pad);
+                } else if indent == 0 {
+                    output += &self.format_map(map, indent);
+                } else {
+                    for (k, v) in map {
+                        let key_str = match k {
+                            Value::String(s) => s.clone(),
+                            other => format!("{:?}", other),
+                        };
+
+                        let val_str = self
+                            .format_value_as_string(v, indent + 1)
+                            .trim()
+                            .to_string();
+                        let val_lines: Vec<_> = val_str.lines().collect();
+
+                        output +=
+                            &format!("{}{}: {}\n", pad, key_str, val_lines.first().unwrap_or(&""));
+                        for line in val_lines.iter().skip(1) {
+                            output += &format!("{}  {}\n", pad, line);
+                        }
+                    }
+                }
+            }
+        }
+
+        output
+    }
+}
+
+//TODO write test to check that the output is what it should be
+//
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use crate::modules::dns::DnsScore;
+    use crate::topology::HAClusterTopology;
+
+    #[test]
+    fn test_format_values_as_string() {
+        let dns_score = Box::new(DnsScore::new(vec![], None));
+        let print_score_output =
+            <DnsScore as ScoreToString<HAClusterTopology>>::print_score_details(&dns_score);
+        let expected_empty_dns_score_table = "\n+--------------------------+--------------------------------------------------+\n| score_name               | DnsScore                                         |\n+--------------------------+--------------------------------------------------+\n| dns_entries              | []                                               |\n| register_dhcp_leases     | None                                             |\n+--------------------------+--------------------------------------------------+\n\n\n";
+        assert_eq!(print_score_output, expected_empty_dns_score_table);
+    }
+}

harmony/src/domain/topology/ha_cluster.rs

@@ -1,8 +1,11 @@
 use async_trait::async_trait;
 use harmony_macros::ip;
 use harmony_types::net::MacAddress;
+use log::info;
 
 use crate::executors::ExecutorError;
+use crate::interpret::InterpretError;
+use crate::interpret::Outcome;
 
 use super::DHCPStaticEntry;
 use super::DhcpServer;
@@ -12,16 +15,16 @@ use super::DnsServer;
 use super::Firewall;
 use super::HttpServer;
 use super::IpAddress;
+use super::K8sclient;
 use super::LoadBalancer;
 use super::LoadBalancerService;
 use super::LogicalHost;
-use super::OcK8sclient;
 use super::Router;
 use super::TftpServer;
 
 use super::Topology;
 use super::Url;
-use super::openshift::OpenshiftClient;
+use super::k8s::K8sClient;
 use std::sync::Arc;
 
 #[derive(Debug, Clone)]
@@ -40,16 +43,24 @@ pub struct HAClusterTopology {
     pub switch: Vec<LogicalHost>,
 }
 
+#[async_trait]
 impl Topology for HAClusterTopology {
     fn name(&self) -> &str {
         todo!()
     }
+    async fn ensure_ready(&self) -> Result<Outcome, InterpretError> {
+        todo!(
+            "ensure_ready, not entirely sure what it should do here, probably something like verify that the hosts are reachable and all services are up and ready."
+        )
+    }
 }
 
 #[async_trait]
-impl OcK8sclient for HAClusterTopology {
-    async fn oc_client(&self) -> Result<Arc<OpenshiftClient>, kube::Error> {
-        Ok(Arc::new(OpenshiftClient::try_default().await?))
+impl K8sclient for HAClusterTopology {
+    async fn k8s_client(&self) -> Result<Arc<K8sClient>, String> {
+        Ok(Arc::new(
+            K8sClient::try_default().await.map_err(|e| e.to_string())?,
+        ))
     }
 }
 
@@ -157,6 +168,16 @@ impl DhcpServer for HAClusterTopology {
     async fn commit_config(&self) -> Result<(), ExecutorError> {
         self.dhcp_server.commit_config().await
     }
+
+    async fn set_filename(&self, filename: &str) -> Result<(), ExecutorError> {
+        self.dhcp_server.set_filename(filename).await
+    }
+    async fn set_filename64(&self, filename64: &str) -> Result<(), ExecutorError> {
+        self.dhcp_server.set_filename64(filename64).await
+    }
+    async fn set_filenameipxe(&self, filenameipxe: &str) -> Result<(), ExecutorError> {
+        self.dhcp_server.set_filenameipxe(filenameipxe).await
+    }
 }
 
 #[async_trait]
@@ -215,7 +236,20 @@ impl HttpServer for HAClusterTopology {
 }
 
 #[derive(Debug)]
-struct DummyInfra;
+pub struct DummyInfra;
+
+#[async_trait]
+impl Topology for DummyInfra {
+    fn name(&self) -> &str {
+        todo!()
+    }
+
+    async fn ensure_ready(&self) -> Result<Outcome, InterpretError> {
+        let dummy_msg = "This is a dummy infrastructure that does nothing";
+        info!("{dummy_msg}");
+        Ok(Outcome::success(dummy_msg.to_string()))
+    }
+}
 
 const UNIMPLEMENTED_DUMMY_INFRA: &str = "This is a dummy infrastructure, no operation is supported";
 
@@ -269,6 +303,15 @@ impl DhcpServer for DummyInfra {
     async fn set_boot_filename(&self, _boot_filename: &str) -> Result<(), ExecutorError> {
         unimplemented!("{}", UNIMPLEMENTED_DUMMY_INFRA)
     }
+    async fn set_filename(&self, _filename: &str) -> Result<(), ExecutorError> {
+        unimplemented!("{}", UNIMPLEMENTED_DUMMY_INFRA)
+    }
+    async fn set_filename64(&self, _filename: &str) -> Result<(), ExecutorError> {
+        unimplemented!("{}", UNIMPLEMENTED_DUMMY_INFRA)
+    }
+    async fn set_filenameipxe(&self, _filenameipxe: &str) -> Result<(), ExecutorError> {
+        unimplemented!("{}", UNIMPLEMENTED_DUMMY_INFRA)
+    }
     fn get_ip(&self) -> IpAddress {
         unimplemented!("{}", UNIMPLEMENTED_DUMMY_INFRA)
     }

harmony/src/domain/topology/helm_command.rs

@@ -0,0 +1 @@
+pub trait HelmCommand {}

harmony/src/domain/topology/k8s.rs

@@ -0,0 +1,88 @@
+use derive_new::new;
+use k8s_openapi::NamespaceResourceScope;
+use kube::{
+    Api, Client, Config, Error, Resource,
+    api::PostParams,
+    config::{KubeConfigOptions, Kubeconfig},
+};
+use log::error;
+use serde::de::DeserializeOwned;
+
+#[derive(new)]
+pub struct K8sClient {
+    client: Client,
+}
+
+impl K8sClient {
+    pub async fn try_default() -> Result<Self, Error> {
+        Ok(Self {
+            client: Client::try_default().await?,
+        })
+    }
+
+    pub async fn apply_all<
+        K: Resource<Scope = NamespaceResourceScope>
+            + std::fmt::Debug
+            + Sync
+            + DeserializeOwned
+            + Default
+            + serde::Serialize
+            + Clone,
+    >(
+        &self,
+        resource: &Vec<K>,
+    ) -> Result<Vec<K>, kube::Error>
+    where
+        <K as kube::Resource>::DynamicType: Default,
+    {
+        let mut result = vec![];
+        for r in resource.iter() {
+            let api: Api<K> = Api::all(self.client.clone());
+            result.push(api.create(&PostParams::default(), &r).await?);
+        }
+        Ok(result)
+    }
+
+    pub async fn apply_namespaced<K>(
+        &self,
+        resource: &Vec<K>,
+        ns: Option<&str>,
+    ) -> Result<Vec<K>, Error>
+    where
+        K: Resource<Scope = NamespaceResourceScope>
+            + Clone
+            + std::fmt::Debug
+            + DeserializeOwned
+            + serde::Serialize
+            + Default,
+        <K as kube::Resource>::DynamicType: Default,
+    {
+        let mut resources = Vec::new();
+        for r in resource.iter() {
+            let api: Api<K> = match ns {
+                Some(ns) => Api::namespaced(self.client.clone(), ns),
+                None => Api::default_namespaced(self.client.clone()),
+            };
+            resources.push(api.create(&PostParams::default(), &r).await?);
+        }
+        Ok(resources)
+    }
+
+    pub(crate) async fn from_kubeconfig(path: &str) -> Option<K8sClient> {
+        let k = match Kubeconfig::read_from(path) {
+            Ok(k) => k,
+            Err(e) => {
+                error!("Failed to load kubeconfig from {path} : {e}");
+                return None;
+            }
+        };
+        Some(K8sClient::new(
+            Client::try_from(
+                Config::from_custom_kubeconfig(k, &KubeConfigOptions::default())
+                    .await
+                    .unwrap(),
+            )
+            .unwrap(),
+        ))
+    }
+}

harmony/src/domain/topology/k8s_anywhere.rs

@@ -0,0 +1,288 @@
+use std::{collections::HashMap, process::Command, sync::Arc};
+
+use async_trait::async_trait;
+use inquire::Confirm;
+use log::{info, warn};
+use tokio::sync::{Mutex, OnceCell};
+
+use crate::score::Score;
+use crate::{
+    executors::ExecutorError,
+    interpret::{InterpretError, Outcome},
+    inventory::Inventory,
+    maestro::Maestro,
+    modules::k3d::K3DInstallationScore,
+    topology::LocalhostTopology,
+};
+
+use super::{
+    HelmCommand, K8sclient, Topology,
+    k8s::K8sClient,
+    oberservability::monitoring::{AlertReceiver, AlertReceiverProvision},
+    tenant::{
+        ResourceLimits, TenantConfig, TenantManager, TenantNetworkPolicy, k8s::K8sTenantManager,
+    },
+};
+
+struct K8sState {
+    client: Arc<K8sClient>,
+    source: K8sSource,
+    message: String,
+}
+
+#[derive(Debug)]
+enum K8sSource {
+    LocalK3d,
+    Kubeconfig,
+}
+
+pub struct K8sAnywhereTopology {
+    k8s_state: OnceCell<Option<K8sState>>,
+    tenant_manager: OnceCell<K8sTenantManager>,
+    pub alert_receivers: Mutex<HashMap<String, OnceCell<AlertReceiver>>>,
+}
+
+#[async_trait]
+impl K8sclient for K8sAnywhereTopology {
+    async fn k8s_client(&self) -> Result<Arc<K8sClient>, String> {
+        let state = match self.k8s_state.get() {
+            Some(state) => state,
+            None => return Err("K8s state not initialized yet".to_string()),
+        };
+
+        let state = match state {
+            Some(state) => state,
+            None => return Err("K8s client initialized but empty".to_string()),
+        };
+
+        Ok(state.client.clone())
+    }
+}
+
+impl K8sAnywhereTopology {
+    pub fn new() -> Self {
+        Self {
+            k8s_state: OnceCell::new(),
+            tenant_manager: OnceCell::new(),
+            alert_receivers: Mutex::new(HashMap::new()),
+        }
+    }
+
+    pub async fn initialize_alert_receiver<C>(
+        &self,
+        config: &C,
+        inventory: &Inventory,
+    ) -> Result<AlertReceiver, InterpretError>
+    where
+        Self: Topology + HelmCommand,
+        C: AlertReceiverProvision<Self> + Send + Sync,
+    {
+        let score = config.get_deployment_score();
+        let interpret = score.create_interpret();
+        interpret.execute(inventory, self).await?;
+
+        Ok(AlertReceiver {
+            receiver_id: config.alert_receiver_id(),
+            receiver_installed: true,
+        })
+    }
+
+    fn is_helm_available(&self) -> Result<(), String> {
+        let version_result = Command::new("helm")
+            .arg("version")
+            .output()
+            .map_err(|e| format!("Failed to execute 'helm -version': {}", e))?;
+
+        if !version_result.status.success() {
+            return Err("Failed to run 'helm -version'".to_string());
+        }
+
+        // Print the version output
+        let version_output = String::from_utf8_lossy(&version_result.stdout);
+        println!("Helm version: {}", version_output.trim());
+
+        Ok(())
+    }
+
+    async fn try_load_system_kubeconfig(&self) -> Option<K8sClient> {
+        todo!("Use kube-rs default behavior to load system kubeconfig");
+    }
+
+    async fn try_load_kubeconfig(&self, path: &str) -> Option<K8sClient> {
+        K8sClient::from_kubeconfig(path).await
+    }
+
+    fn get_k3d_installation_score(&self) -> K3DInstallationScore {
+        K3DInstallationScore::default()
+    }
+
+    async fn try_install_k3d(&self) -> Result<(), InterpretError> {
+        let maestro = Maestro::initialize(Inventory::autoload(), LocalhostTopology::new()).await?;
+        let k3d_score = self.get_k3d_installation_score();
+        maestro.interpret(Box::new(k3d_score)).await?;
+        Ok(())
+    }
+
+    async fn try_get_or_install_k8s_client(&self) -> Result<Option<K8sState>, InterpretError> {
+        let k8s_anywhere_config = K8sAnywhereConfig {
+            kubeconfig: std::env::var("KUBECONFIG").ok().map(|v| v.to_string()),
+            use_system_kubeconfig: std::env::var("HARMONY_USE_SYSTEM_KUBECONFIG")
+                .map_or_else(|_| false, |v| v.parse().ok().unwrap_or(false)),
+            autoinstall: std::env::var("HARMONY_AUTOINSTALL")
+                .map_or_else(|_| false, |v| v.parse().ok().unwrap_or(false)),
+        };
+
+        if k8s_anywhere_config.use_system_kubeconfig {
+            match self.try_load_system_kubeconfig().await {
+                Some(_client) => todo!(),
+                None => todo!(),
+            }
+        }
+
+        if let Some(kubeconfig) = k8s_anywhere_config.kubeconfig {
+            match self.try_load_kubeconfig(&kubeconfig).await {
+                Some(client) => {
+                    return Ok(Some(K8sState {
+                        client: Arc::new(client),
+                        source: K8sSource::Kubeconfig,
+                        message: format!("Loaded k8s client from kubeconfig {kubeconfig}"),
+                    }));
+                }
+                None => {
+                    return Err(InterpretError::new(format!(
+                        "Failed to load kubeconfig from {kubeconfig}"
+                    )));
+                }
+            }
+        }
+
+        info!("No kubernetes configuration found");
+
+        if !k8s_anywhere_config.autoinstall {
+            let confirmation = Confirm::new( "Harmony autoinstallation is not activated, do you wish to launch autoinstallation? : ")
+                .with_default(false)
+                .prompt()
+                .expect("Unexpected prompt error");
+
+            if !confirmation {
+                warn!(
+                    "Installation cancelled, K8sAnywhere could not initialize a valid Kubernetes client"
+                );
+                return Ok(None);
+            }
+        }
+
+        info!("Starting K8sAnywhere installation");
+        self.try_install_k3d().await?;
+        let k3d_score = self.get_k3d_installation_score();
+        // I feel like having to rely on the k3d_rs crate here is a smell
+        // I think we should have a way to interact more deeply with scores/interpret. Maybe the
+        // K3DInstallationScore should expose a method to get_client ? Not too sure what would be a
+        // good implementation due to the stateful nature of the k3d thing. Which is why I went
+        // with this solution for now
+        let k3d = k3d_rs::K3d::new(k3d_score.installation_path, Some(k3d_score.cluster_name));
+        let state = match k3d.get_client().await {
+            Ok(client) => K8sState {
+                client: Arc::new(K8sClient::new(client)),
+                source: K8sSource::LocalK3d,
+                message: "Successfully installed K3D cluster and acquired client".to_string(),
+            },
+            Err(_) => todo!(),
+        };
+
+        Ok(Some(state))
+    }
+
+    fn get_k8s_tenant_manager(&self) -> Result<&K8sTenantManager, ExecutorError> {
+        match self.tenant_manager.get() {
+            Some(t) => Ok(t),
+            None => Err(ExecutorError::UnexpectedError(
+                "K8sTenantManager not available".to_string(),
+            )),
+        }
+    }
+}
+
+struct K8sAnywhereConfig {
+    /// The path of the KUBECONFIG file that Harmony should use to interact with the Kubernetes
+    /// cluster
+    ///
+    /// Default : None
+    kubeconfig: Option<String>,
+
+    /// Whether to use the system KUBECONFIG, either the environment variable or the file in the
+    /// default or configured location
+    ///
+    /// Default : false
+    use_system_kubeconfig: bool,
+
+    /// Whether to install automatically a kubernetes cluster
+    ///
+    /// When enabled, autoinstall will setup a K3D cluster on the localhost. https://k3d.io/stable/
+    ///
+    /// Default: true
+    autoinstall: bool,
+}
+
+#[async_trait]
+impl Topology for K8sAnywhereTopology {
+    fn name(&self) -> &str {
+        "K8sAnywhereTopology"
+    }
+
+    async fn ensure_ready(&self) -> Result<Outcome, InterpretError> {
+        let k8s_state = self
+            .k8s_state
+            .get_or_try_init(|| self.try_get_or_install_k8s_client())
+            .await?;
+
+        let k8s_state: &K8sState = k8s_state.as_ref().ok_or(InterpretError::new(
+            "No K8s client could be found or installed".to_string(),
+        ))?;
+
+        match self.is_helm_available() {
+            Ok(()) => Ok(Outcome::success(format!(
+                "{} + helm available",
+                k8s_state.message.clone()
+            ))),
+            Err(e) => Err(InterpretError::new(format!("helm unavailable: {}", e))),
+        }
+    }
+}
+
+impl HelmCommand for K8sAnywhereTopology {}
+
+#[async_trait]
+impl TenantManager for K8sAnywhereTopology {
+    async fn provision_tenant(&self, config: &TenantConfig) -> Result<(), ExecutorError> {
+        self.get_k8s_tenant_manager()?
+            .provision_tenant(config)
+            .await
+    }
+
+    async fn update_tenant_resource_limits(
+        &self,
+        tenant_name: &str,
+        new_limits: &ResourceLimits,
+    ) -> Result<(), ExecutorError> {
+        self.get_k8s_tenant_manager()?
+            .update_tenant_resource_limits(tenant_name, new_limits)
+            .await
+    }
+
+    async fn update_tenant_network_policy(
+        &self,
+        tenant_name: &str,
+        new_policy: &TenantNetworkPolicy,
+    ) -> Result<(), ExecutorError> {
+        self.get_k8s_tenant_manager()?
+            .update_tenant_network_policy(tenant_name, new_policy)
+            .await
+    }
+
+    async fn deprovision_tenant(&self, tenant_name: &str) -> Result<(), ExecutorError> {
+        self.get_k8s_tenant_manager()?
+            .deprovision_tenant(tenant_name)
+            .await
+    }
+}

harmony/src/domain/topology/load_balancer.rs

@@ -7,6 +7,12 @@ use serde::Serialize;
 use super::{IpAddress, LogicalHost};
 use crate::executors::ExecutorError;
 
+impl std::fmt::Debug for dyn LoadBalancer {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        f.write_fmt(format_args!("LoadBalancer {}", self.get_ip()))
+    }
+}
+
 #[async_trait]
 pub trait LoadBalancer: Send + Sync {
     fn get_ip(&self) -> IpAddress;
@@ -32,11 +38,6 @@ pub trait LoadBalancer: Send + Sync {
     }
 }
 
-impl std::fmt::Debug for dyn LoadBalancer {
-    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
-        f.write_fmt(format_args!("LoadBalancer {}", self.get_ip()))
-    }
-}
 #[derive(Debug, PartialEq, Clone, Serialize)]
 pub struct LoadBalancerService {
     pub backend_servers: Vec<BackendServer>,
@@ -46,6 +47,7 @@ pub struct LoadBalancerService {
 
 #[derive(Debug, PartialEq, Clone, Serialize)]
 pub struct BackendServer {
+    // TODO should not be a string, probably IPAddress
     pub address: String,
     pub port: u16,
 }

harmony/src/domain/topology/localhost.rs

@@ -0,0 +1,25 @@
+use async_trait::async_trait;
+use derive_new::new;
+
+use crate::interpret::{InterpretError, Outcome};
+
+use super::{HelmCommand, Topology};
+
+#[derive(new)]
+pub struct LocalhostTopology;
+
+#[async_trait]
+impl Topology for LocalhostTopology {
+    fn name(&self) -> &str {
+        "LocalHostTopology"
+    }
+
+    async fn ensure_ready(&self) -> Result<Outcome, InterpretError> {
+        Ok(Outcome::success(
+            "Localhost is Chuck Norris, always ready.".to_string(),
+        ))
+    }
+}
+
+// TODO: Delete this, temp for test
+impl HelmCommand for LocalhostTopology {}

harmony/src/domain/topology/mod.rs

@@ -1,10 +1,17 @@
 mod ha_cluster;
 mod host_binding;
 mod http;
+mod k8s_anywhere;
+mod localhost;
+pub mod oberservability;
+pub mod tenant;
+pub use k8s_anywhere::*;
+pub use localhost::*;
+pub mod k8s;
 mod load_balancer;
-pub mod openshift;
 mod router;
 mod tftp;
+use async_trait::async_trait;
 pub use ha_cluster::*;
 pub use load_balancer::*;
 pub use router::*;
@@ -15,10 +22,43 @@ pub use network::*;
 use serde::Serialize;
 pub use tftp::*;
 
+mod helm_command;
+pub use helm_command::*;
+
 use std::net::IpAddr;
 
-pub trait Topology {
+use super::interpret::{InterpretError, Outcome};
+
+/// Represents a logical view of an infrastructure environment providing specific capabilities.
+///
+/// A Topology acts as a self-contained "package" responsible for managing access
+/// to its underlying resources and ensuring they are in a ready state before use.
+/// It defines the contract for the capabilities it provides through implemented
+/// capability traits (e.g., `HasK8sCapability`, `HasDnsServer`).
+#[async_trait]
+pub trait Topology: Send + Sync {
+    /// Returns a unique identifier or name for this specific topology instance.
+    /// This helps differentiate between multiple instances of potentially the same type.
     fn name(&self) -> &str;
+
+    /// Ensures that the topology and its required underlying components or services
+    /// are ready to provide their declared capabilities.
+    ///
+    /// Implementations of this method MUST be idempotent. Subsequent calls after a
+    /// successful readiness check should ideally be cheap NO-OPs.
+    ///
+    /// This method encapsulates the logic for:
+    /// 1.  **Checking Current State:** Assessing if the required resources/services are already running and configured.
+    /// 2.  **Discovery:** Identifying the runtime environment (e.g., local Docker, AWS, existing cluster).
+    /// 3.  **Initialization/Bootstrapping:** Performing necessary setup actions if not already ready. This might involve:
+    ///     *   Making API calls.
+    ///     *   Running external commands (e.g., `k3d`, `docker`).
+    ///     *   **Internal Orchestration:** For complex topologies, this method might manage dependencies on other sub-topologies, ensuring *their* `ensure_ready` is called first. Using nested `Maestros` to run setup `Scores` against these sub-topologies is the recommended pattern for non-trivial bootstrapping, allowing reuse of Harmony's core orchestration logic.
+    ///
+    /// # Returns
+    /// - `Ok(Outcome)`: Indicates the topology is now ready. The `Outcome` status might be `SUCCESS` if actions were taken, or `NOOP` if it was already ready. The message should provide context.
+    /// - `Err(TopologyError)`: Indicates the topology could not reach a ready state due to configuration issues, discovery failures, bootstrap errors, or unsupported environments.
+    async fn ensure_ready(&self) -> Result<Outcome, InterpretError>;
 }
 
 pub type IpAddress = IpAddr;

harmony/src/domain/topology/network.rs

@@ -6,7 +6,7 @@ use serde::Serialize;
 
 use crate::executors::ExecutorError;
 
-use super::{IpAddress, LogicalHost, openshift::OpenshiftClient};
+use super::{IpAddress, LogicalHost, k8s::K8sClient};
 
 #[derive(Debug)]
 pub struct DHCPStaticEntry {
@@ -42,8 +42,8 @@ pub struct NetworkDomain {
     pub name: String,
 }
 #[async_trait]
-pub trait OcK8sclient: Send + Sync + std::fmt::Debug {
-    async fn oc_client(&self) -> Result<Arc<OpenshiftClient>, kube::Error>;
+pub trait K8sclient: Send + Sync {
+    async fn k8s_client(&self) -> Result<Arc<K8sClient>, String>;
 }
 
 #[async_trait]
@@ -53,6 +53,9 @@ pub trait DhcpServer: Send + Sync + std::fmt::Debug {
     async fn list_static_mappings(&self) -> Vec<(MacAddress, IpAddress)>;
     async fn set_next_server(&self, ip: IpAddress) -> Result<(), ExecutorError>;
     async fn set_boot_filename(&self, boot_filename: &str) -> Result<(), ExecutorError>;
+    async fn set_filename(&self, filename: &str) -> Result<(), ExecutorError>;
+    async fn set_filename64(&self, filename64: &str) -> Result<(), ExecutorError>;
+    async fn set_filenameipxe(&self, filenameipxe: &str) -> Result<(), ExecutorError>;
     fn get_ip(&self) -> IpAddress;
     fn get_host(&self) -> LogicalHost;
     async fn commit_config(&self) -> Result<(), ExecutorError>;

harmony/src/domain/topology/oberservability/mod.rs

@@ -0,0 +1 @@
+pub mod monitoring;

harmony/src/domain/topology/oberservability/monitoring.rs

@@ -0,0 +1,55 @@
+use async_trait::async_trait;
+use dyn_clone::DynClone;
+use serde::Serialize;
+
+use std::fmt::Debug;
+
+use crate::interpret::InterpretError;
+
+use crate::inventory::Inventory;
+use crate::score::Score;
+use crate::topology::HelmCommand;
+use crate::{interpret::Outcome, topology::Topology};
+
+/// Represents an entity responsible for collecting and organizing observability data
+/// from various telemetry sources such as Prometheus or Datadog
+/// A `Monitor` abstracts the logic required to scrape, aggregate, and structure
+/// monitoring data, enabling consistent processing regardless of the underlying data source.
+#[async_trait]
+pub trait Monitor<T: Topology>: Debug + Send + Sync {
+    async fn deploy_monitor(
+        &self,
+        topology: &T,
+        alert_receivers: Vec<AlertReceiver>,
+    ) -> Result<Outcome, InterpretError>;
+
+    async fn delete_monitor(
+        &self,
+        topolgy: &T,
+        alert_receivers: Vec<AlertReceiver>,
+    ) -> Result<Outcome, InterpretError>;
+}
+
+#[async_trait]
+pub trait EnsureAlertReceiver<T: Topology>: Debug + DynClone + Send + Sync {
+    async fn ensure_alert_receiver(
+        &self,
+        inventory: Inventory,
+        topology: &T,
+    ) -> Result<Outcome, InterpretError>;
+}
+
+dyn_clone::clone_trait_object!(<T> EnsureAlertReceiver<T>);
+
+#[derive(Debug, Clone, Serialize)]
+pub struct AlertReceiver {
+    pub receiver_id: String,
+    pub receiver_installed: bool,
+}
+
+/// Provides the ability to turn an alert config into an executable score
+/// for the topology
+pub trait AlertReceiverProvision<T: Topology + HelmCommand> {
+    fn get_deployment_score(&self) -> Box<dyn Score<T>>;
+    fn alert_receiver_id(&self) -> String;
+}

harmony/src/domain/topology/openshift.rs

@@ -1,55 +0,0 @@
-use k8s_openapi::NamespaceResourceScope;
-use kube::{Api, Client, Error, Resource, api::PostParams};
-use serde::de::DeserializeOwned;
-
-pub struct OpenshiftClient {
-    client: Client,
-}
-
-impl OpenshiftClient {
-    pub async fn try_default() -> Result<Self, Error> {
-        Ok(Self {
-            client: Client::try_default().await?,
-        })
-    }
-
-    pub async fn apply_all<
-        K: Resource<Scope = NamespaceResourceScope>
-            + std::fmt::Debug
-            + Sync
-            + DeserializeOwned
-            + Default
-            + serde::Serialize
-            + Clone,
-    >(
-        &self,
-        resource: &Vec<K>,
-    ) -> Result<Vec<K>, kube::Error>
-    where
-        <K as kube::Resource>::DynamicType: Default,
-    {
-        let mut result = vec![];
-        for r in resource.iter() {
-            let api: Api<K> = Api::all(self.client.clone());
-            result.push(api.create(&PostParams::default(), &r).await?);
-        }
-        Ok(result)
-    }
-
-    pub async fn apply_namespaced<K>(&self, resource: &Vec<K>) -> Result<K, Error>
-    where
-        K: Resource<Scope = NamespaceResourceScope>
-            + Clone
-            + std::fmt::Debug
-            + DeserializeOwned
-            + serde::Serialize
-            + Default,
-        <K as kube::Resource>::DynamicType: Default,
-    {
-        for r in resource.iter() {
-            let api: Api<K> = Api::default_namespaced(self.client.clone());
-            api.create(&PostParams::default(), &r).await?;
-        }
-        todo!("")
-    }
-}

harmony/src/domain/topology/tenant/k8s.rs

@@ -0,0 +1,95 @@
+use std::sync::Arc;
+
+use crate::{executors::ExecutorError, topology::k8s::K8sClient};
+use async_trait::async_trait;
+use derive_new::new;
+use k8s_openapi::api::core::v1::Namespace;
+use serde_json::json;
+
+use super::{ResourceLimits, TenantConfig, TenantManager, TenantNetworkPolicy};
+
+#[derive(new)]
+pub struct K8sTenantManager {
+    k8s_client: Arc<K8sClient>,
+}
+
+#[async_trait]
+impl TenantManager for K8sTenantManager {
+    async fn provision_tenant(&self, config: &TenantConfig) -> Result<(), ExecutorError> {
+        let namespace = json!(
+            {
+                "apiVersion": "v1",
+                "kind": "Namespace",
+                "metadata": {
+                    "labels": {
+                        "harmony.nationtech.io/tenant.id": config.id,
+                        "harmony.nationtech.io/tenant.name": config.name,
+                    },
+                "name": config.name,
+                },
+            }
+        );
+        todo!("Validate that when tenant already exists (by id) that name has not changed");
+
+        let namespace: Namespace = serde_json::from_value(namespace).unwrap();
+
+        let resource_quota = json!(
+         {
+           "apiVersion": "v1",
+           "kind": "List",
+           "items": [
+             {
+               "apiVersion": "v1",
+               "kind": "ResourceQuota",
+               "metadata": {
+                 "name": config.name,
+                 "labels": {
+                  "harmony.nationtech.io/tenant.id": config.id,
+                  "harmony.nationtech.io/tenant.name": config.name,
+                 },
+                 "namespace": config.name,
+               },
+               "spec": {
+                 "hard": {
+                   "limits.cpu": format!("{:.0}",config.resource_limits.cpu_limit_cores),
+                   "limits.memory": format!("{:.3}Gi", config.resource_limits.memory_limit_gb),
+                   "requests.cpu": format!("{:.0}",config.resource_limits.cpu_request_cores),
+                   "requests.memory": format!("{:.3}Gi", config.resource_limits.memory_request_gb),
+                   "requests.storage": format!("{:.3}", config.resource_limits.storage_total_gb),
+                   "pods": "20",
+                   "services": "10",
+                   "configmaps": "30",
+                   "secrets": "30",
+                   "persistentvolumeclaims": "15",
+                   "services.loadbalancers": "2",
+                   "services.nodeports": "5",
+
+                 }
+               }
+             }
+           ]
+         }
+
+        );
+    }
+
+    async fn update_tenant_resource_limits(
+        &self,
+        tenant_name: &str,
+        new_limits: &ResourceLimits,
+    ) -> Result<(), ExecutorError> {
+        todo!()
+    }
+
+    async fn update_tenant_network_policy(
+        &self,
+        tenant_name: &str,
+        new_policy: &TenantNetworkPolicy,
+    ) -> Result<(), ExecutorError> {
+        todo!()
+    }
+
+    async fn deprovision_tenant(&self, tenant_name: &str) -> Result<(), ExecutorError> {
+        todo!()
+    }
+}

harmony/src/domain/topology/tenant/manager.rs

@@ -0,0 +1,46 @@
+use super::*;
+use async_trait::async_trait;
+
+use crate::executors::ExecutorError;
+
+#[async_trait]
+pub trait TenantManager {
+    /// Provisions a new tenant based on the provided configuration.
+    /// This operation should be idempotent; if a tenant with the same `config.name`
+    /// already exists and matches the config, it will succeed without changes.
+    /// If it exists but differs, it will be updated, or return an error if the update
+    /// action is not supported
+    ///
+    /// # Arguments
+    /// * `config`: The desired configuration for the new tenant.
+    async fn provision_tenant(&self, config: &TenantConfig) -> Result<(), ExecutorError>;
+
+    /// Updates the resource limits for an existing tenant.
+    ///
+    /// # Arguments
+    /// * `tenant_name`: The logical name of the tenant to update.
+    /// * `new_limits`: The new set of resource limits to apply.
+    async fn update_tenant_resource_limits(
+        &self,
+        tenant_name: &str,
+        new_limits: &ResourceLimits,
+    ) -> Result<(), ExecutorError>;
+
+    /// Updates the high-level network isolation policy for an existing tenant.
+    ///
+    /// # Arguments
+    /// * `tenant_name`: The logical name of the tenant to update.
+    /// * `new_policy`: The new network policy to apply.
+    async fn update_tenant_network_policy(
+        &self,
+        tenant_name: &str,
+        new_policy: &TenantNetworkPolicy,
+    ) -> Result<(), ExecutorError>;
+
+    /// Decommissions an existing tenant, removing its isolated context and associated resources.
+    /// This operation should be idempotent.
+    ///
+    /// # Arguments
+    /// * `tenant_name`: The logical name of the tenant to deprovision.
+    async fn deprovision_tenant(&self, tenant_name: &str) -> Result<(), ExecutorError>;
+}

harmony/src/domain/topology/tenant/mod.rs

@@ -0,0 +1,67 @@
+pub mod k8s;
+mod manager;
+pub use manager::*;
+use serde::{Deserialize, Serialize};
+
+use std::collections::HashMap;
+
+use crate::data::Id;
+
+#[derive(Debug, Clone, PartialEq, Serialize, Deserialize)] // Assuming serde for Scores
+pub struct TenantConfig {
+    /// This will be used as the primary unique identifier for management operations and will never
+    /// change for the entire lifetime of the tenant
+    pub id: Id,
+
+    /// A human-readable name for the tenant (e.g., "client-alpha", "project-phoenix").
+    pub name: String,
+
+    /// Desired resource allocations and limits for the tenant.
+    pub resource_limits: ResourceLimits,
+
+    /// High-level network isolation policies for the tenant.
+    pub network_policy: TenantNetworkPolicy,
+
+    /// Key-value pairs for provider-specific tagging, labeling, or metadata.
+    /// Useful for billing, organization, or filtering within the provider's console.
+    pub labels_or_tags: HashMap<String, String>,
+}
+
+#[derive(Debug, Clone, PartialEq, Serialize, Deserialize, Default)]
+pub struct ResourceLimits {
+    /// Requested/guaranteed CPU cores (e.g., 2.0).
+    pub cpu_request_cores: f32,
+    /// Maximum CPU cores the tenant can burst to (e.g., 4.0).
+    pub cpu_limit_cores: f32,
+
+    /// Requested/guaranteed memory in Gigabytes (e.g., 8.0).
+    pub memory_request_gb: f32,
+    /// Maximum memory in Gigabytes tenant can burst to (e.g., 16.0).
+    pub memory_limit_gb: f32,
+
+    /// Total persistent storage allocation in Gigabytes across all volumes.
+    pub storage_total_gb: f32,
+}
+
+#[derive(Debug, Clone, PartialEq, Serialize, Deserialize)]
+pub struct TenantNetworkPolicy {
+    /// Policy for ingress traffic originating from other tenants within the same Harmony-managed environment.
+    pub default_inter_tenant_ingress: InterTenantIngressPolicy,
+
+    /// Policy for egress traffic destined for the public internet.
+    pub default_internet_egress: InternetEgressPolicy,
+}
+
+#[derive(Debug, Clone, PartialEq, Serialize, Deserialize)]
+pub enum InterTenantIngressPolicy {
+    /// Deny all traffic from other tenants by default.
+    DenyAll,
+}
+
+#[derive(Debug, Clone, PartialEq, Serialize, Deserialize)]
+pub enum InternetEgressPolicy {
+    /// Allow all outbound traffic to the internet.
+    AllowAll,
+    /// Deny all outbound traffic to the internet by default.
+    DenyAll,
+}

harmony/src/infra/opnsense/dhcp.rs

@@ -69,4 +69,34 @@ impl DhcpServer for OPNSenseFirewall {
 
         Ok(())
     }
+
+    async fn set_filename(&self, filename: &str) -> Result<(), ExecutorError> {
+        {
+            let mut writable_opnsense = self.opnsense_config.write().await;
+            writable_opnsense.dhcp().set_filename(filename);
+            debug!("OPNsense dhcp server set filename {filename}");
+        }
+
+        Ok(())
+    }
+
+    async fn set_filename64(&self, filename: &str) -> Result<(), ExecutorError> {
+        {
+            let mut writable_opnsense = self.opnsense_config.write().await;
+            writable_opnsense.dhcp().set_filename64(filename);
+            debug!("OPNsense dhcp server set filename {filename}");
+        }
+
+        Ok(())
+    }
+
+    async fn set_filenameipxe(&self, filenameipxe: &str) -> Result<(), ExecutorError> {
+        {
+            let mut writable_opnsense = self.opnsense_config.write().await;
+            writable_opnsense.dhcp().set_filenameipxe(filenameipxe);
+            debug!("OPNsense dhcp server set filenameipxe {filenameipxe}");
+        }
+
+        Ok(())
+    }
 }

harmony/src/infra/opnsense/http.rs

@@ -61,7 +61,7 @@ impl HttpServer for OPNSenseFirewall {
         info!("Adding custom caddy config files");
         config
             .upload_files(
-                "../../../watchguard/caddy_config",
+                "./data/watchguard/caddy_config",
                 "/usr/local/etc/caddy/caddy.d/",
             )
             .await

harmony/src/infra/opnsense/load_balancer.rs

@@ -370,10 +370,13 @@ mod tests {
         let result = get_servers_for_backend(&backend, &haproxy);
 
         // Check the result
-        assert_eq!(result, vec![BackendServer {
-            address: "192.168.1.1".to_string(),
-            port: 80,
-        },]);
+        assert_eq!(
+            result,
+            vec![BackendServer {
+                address: "192.168.1.1".to_string(),
+                port: 80,
+            },]
+        );
     }
     #[test]
     fn test_get_servers_for_backend_no_linked_servers() {
@@ -430,15 +433,18 @@ mod tests {
         // Call the function
         let result = get_servers_for_backend(&backend, &haproxy);
         // Check the result
-        assert_eq!(result, vec![
-            BackendServer {
-                address: "some-hostname.test.mcd".to_string(),
-                port: 80,
-            },
-            BackendServer {
-                address: "192.168.1.2".to_string(),
-                port: 8080,
-            },
-        ]);
+        assert_eq!(
+            result,
+            vec![
+                BackendServer {
+                    address: "some-hostname.test.mcd".to_string(),
+                    port: 80,
+                },
+                BackendServer {
+                    address: "192.168.1.2".to_string(),
+                    port: 8080,
+                },
+            ]
+        );
     }
 }

harmony/src/modules/cert_manager/helm.rs

@@ -0,0 +1,46 @@
+use std::{collections::HashMap, str::FromStr};
+
+use non_blank_string_rs::NonBlankString;
+use serde::Serialize;
+use url::Url;
+
+use crate::{
+    modules::helm::chart::{HelmChartScore, HelmRepository},
+    score::Score,
+    topology::{HelmCommand, Topology},
+};
+
+#[derive(Debug, Serialize, Clone)]
+pub struct CertManagerHelmScore {}
+
+impl<T: Topology + HelmCommand> Score<T> for CertManagerHelmScore {
+    fn create_interpret(&self) -> Box<dyn crate::interpret::Interpret<T>> {
+        let mut values_overrides = HashMap::new();
+        values_overrides.insert(
+            NonBlankString::from_str("crds.enabled").unwrap(),
+            "true".to_string(),
+        );
+        let values_overrides = Some(values_overrides);
+
+        HelmChartScore {
+            namespace: Some(NonBlankString::from_str("cert-manager").unwrap()),
+            release_name: NonBlankString::from_str("cert-manager").unwrap(),
+            chart_name: NonBlankString::from_str("jetstack/cert-manager").unwrap(),
+            chart_version: None,
+            values_overrides,
+            values_yaml: None,
+            create_namespace: true,
+            install_only: true,
+            repository: Some(HelmRepository::new(
+                "jetstack".to_string(),
+                Url::parse("https://charts.jetstack.io").unwrap(),
+                true,
+            )),
+        }
+        .create_interpret()
+    }
+
+    fn name(&self) -> String {
+        format!("CertManagerHelmScore")
+    }
+}

harmony/src/modules/cert_manager/mod.rs

@@ -0,0 +1,2 @@
+mod helm;
+pub use helm::*;

harmony/src/modules/dhcp.rs

@@ -17,6 +17,9 @@ pub struct DhcpScore {
     pub host_binding: Vec<HostBinding>,
     pub next_server: Option<IpAddress>,
     pub boot_filename: Option<String>,
+    pub filename: Option<String>,
+    pub filename64: Option<String>,
+    pub filenameipxe: Option<String>,
 }
 
 impl<T: Topology + DhcpServer> Score<T> for DhcpScore {
@@ -117,8 +120,44 @@ impl DhcpInterpret {
             None => Outcome::noop(),
         };
 
+        let filename_outcome = match &self.score.filename {
+            Some(filename) => {
+                dhcp_server.set_filename(&filename).await?;
+                Outcome::new(
+                    InterpretStatus::SUCCESS,
+                    format!("Dhcp Interpret Set filename to {filename}"),
+                )
+            }
+            None => Outcome::noop(),
+        };
+
+        let filename64_outcome = match &self.score.filename64 {
+            Some(filename64) => {
+                dhcp_server.set_filename64(&filename64).await?;
+                Outcome::new(
+                    InterpretStatus::SUCCESS,
+                    format!("Dhcp Interpret Set filename64 to {filename64}"),
+                )
+            }
+            None => Outcome::noop(),
+        };
+
+        let filenameipxe_outcome = match &self.score.filenameipxe {
+            Some(filenameipxe) => {
+                dhcp_server.set_filenameipxe(&filenameipxe).await?;
+                Outcome::new(
+                    InterpretStatus::SUCCESS,
+                    format!("Dhcp Interpret Set filenameipxe to {filenameipxe}"),
+                )
+            }
+            None => Outcome::noop(),
+        };
+
         if next_server_outcome.status == InterpretStatus::NOOP
             && boot_filename_outcome.status == InterpretStatus::NOOP
+            && filename_outcome.status == InterpretStatus::NOOP
+            && filename64_outcome.status == InterpretStatus::NOOP
+            && filenameipxe_outcome.status == InterpretStatus::NOOP
         {
             return Ok(Outcome::noop());
         }
@@ -126,8 +165,12 @@ impl DhcpInterpret {
         Ok(Outcome::new(
             InterpretStatus::SUCCESS,
             format!(
-                "Dhcp Interpret Set next boot to {:?} and boot_filename to {:?}",
-                self.score.boot_filename, self.score.boot_filename
+                "Dhcp Interpret Set next boot to [{:?}], boot_filename to [{:?}], filename to [{:?}], filename64 to [{:?}], filenameipxe to [:{:?}]",
+                self.score.boot_filename,
+                self.score.boot_filename,
+                self.score.filename,
+                self.score.filename64,
+                self.score.filenameipxe
             ),
         ))
     }

harmony/src/modules/helm/chart.rs

@@ -0,0 +1,259 @@
+use crate::data::{Id, Version};
+use crate::interpret::{Interpret, InterpretError, InterpretName, InterpretStatus, Outcome};
+use crate::inventory::Inventory;
+use crate::score::Score;
+use crate::topology::{HelmCommand, Topology};
+use async_trait::async_trait;
+use helm_wrapper_rs;
+use helm_wrapper_rs::blocking::{DefaultHelmExecutor, HelmExecutor};
+use log::{debug, info, warn};
+pub use non_blank_string_rs::NonBlankString;
+use serde::Serialize;
+use std::collections::HashMap;
+use std::path::Path;
+use std::process::{Command, Output, Stdio};
+use std::str::FromStr;
+use temp_file::TempFile;
+use url::Url;
+
+#[derive(Debug, Clone, Serialize)]
+pub struct HelmRepository {
+    name: String,
+    url: Url,
+    force_update: bool,
+}
+impl HelmRepository {
+    pub fn new(name: String, url: Url, force_update: bool) -> Self {
+        Self {
+            name,
+            url,
+            force_update,
+        }
+    }
+}
+
+#[derive(Debug, Clone, Serialize)]
+pub struct HelmChartScore {
+    pub namespace: Option<NonBlankString>,
+    pub release_name: NonBlankString,
+    pub chart_name: NonBlankString,
+    pub chart_version: Option<NonBlankString>,
+    pub values_overrides: Option<HashMap<NonBlankString, String>>,
+    pub values_yaml: Option<String>,
+    pub create_namespace: bool,
+
+    /// Wether to run `helm upgrade --install` under the hood or only install when not present
+    pub install_only: bool,
+    pub repository: Option<HelmRepository>,
+}
+
+impl<T: Topology + HelmCommand> Score<T> for HelmChartScore {
+    fn create_interpret(&self) -> Box<dyn Interpret<T>> {
+        Box::new(HelmChartInterpret {
+            score: self.clone(),
+        })
+    }
+
+    fn name(&self) -> String {
+        format!("{} {} HelmChartScore", self.release_name, self.chart_name)
+    }
+}
+
+#[derive(Debug, Serialize)]
+pub struct HelmChartInterpret {
+    pub score: HelmChartScore,
+}
+impl HelmChartInterpret {
+    fn add_repo(&self) -> Result<(), InterpretError> {
+        let repo = match &self.score.repository {
+            Some(repo) => repo,
+            None => {
+                info!("No Helm repository specified in the score. Skipping repository setup.");
+                return Ok(());
+            }
+        };
+        info!(
+            "Ensuring Helm repository exists: Name='{}', URL='{}', ForceUpdate={}",
+            repo.name, repo.url, repo.force_update
+        );
+
+        let mut add_args = vec!["repo", "add", &repo.name, repo.url.as_str()];
+        if repo.force_update {
+            add_args.push("--force-update");
+        }
+
+        let add_output = run_helm_command(&add_args)?;
+        let full_output = format!(
+            "{}\n{}",
+            String::from_utf8_lossy(&add_output.stdout),
+            String::from_utf8_lossy(&add_output.stderr)
+        );
+
+        match add_output.status.success() {
+            true => {
+                return Ok(());
+            }
+            false => {
+                return Err(InterpretError::new(format!(
+                    "Failed to add helm repository!\n{full_output}"
+                )));
+            }
+        }
+    }
+}
+
+fn run_helm_command(args: &[&str]) -> Result<Output, InterpretError> {
+    let command_str = format!("helm {}", args.join(" "));
+    debug!(
+        "Got KUBECONFIG: `{}`",
+        std::env::var("KUBECONFIG").unwrap_or("".to_string())
+    );
+    debug!("Running Helm command: `{}`", command_str);
+
+    let output = Command::new("helm")
+        .args(args)
+        .stdout(Stdio::piped())
+        .stderr(Stdio::piped())
+        .output()
+        .map_err(|e| {
+            InterpretError::new(format!(
+                "Failed to execute helm command '{}': {}. Is helm installed and in PATH?",
+                command_str, e
+            ))
+        })?;
+
+    if !output.status.success() {
+        let stdout = String::from_utf8_lossy(&output.stdout);
+        let stderr = String::from_utf8_lossy(&output.stderr);
+        warn!(
+            "Helm command `{}` failed with status: {}\nStdout:\n{}\nStderr:\n{}",
+            command_str, output.status, stdout, stderr
+        );
+    } else {
+        debug!(
+            "Helm command `{}` finished successfully. Status: {}",
+            command_str, output.status
+        );
+    }
+
+    Ok(output)
+}
+
+#[async_trait]
+impl<T: Topology + HelmCommand> Interpret<T> for HelmChartInterpret {
+    async fn execute(
+        &self,
+        _inventory: &Inventory,
+        _topology: &T,
+    ) -> Result<Outcome, InterpretError> {
+        let ns = self
+            .score
+            .namespace
+            .as_ref()
+            .unwrap_or_else(|| todo!("Get namespace from active kubernetes cluster"));
+
+        let tf: TempFile;
+        let yaml_path: Option<&Path> = match self.score.values_yaml.as_ref() {
+            Some(yaml_str) => {
+                tf = temp_file::with_contents(yaml_str.as_bytes());
+                Some(tf.path())
+            }
+            None => None,
+        };
+
+        self.add_repo()?;
+
+        let helm_executor = DefaultHelmExecutor::new_with_opts(
+            &NonBlankString::from_str("helm").unwrap(),
+            None,
+            900,
+            false,
+            false,
+        );
+
+        let mut helm_options = Vec::new();
+        if self.score.create_namespace {
+            helm_options.push(NonBlankString::from_str("--create-namespace").unwrap());
+        }
+
+        if self.score.install_only {
+            let chart_list = match helm_executor.list(Some(ns)) {
+                Ok(charts) => charts,
+                Err(e) => {
+                    return Err(InterpretError::new(format!(
+                        "Failed to list scores in namespace {:?} because of error : {}",
+                        self.score.namespace, e
+                    )));
+                }
+            };
+
+            if chart_list
+                .iter()
+                .any(|item| item.name == self.score.release_name.to_string())
+            {
+                info!(
+                    "Release '{}' already exists in namespace '{}'. Skipping installation as install_only is true.",
+                    self.score.release_name, ns
+                );
+
+                return Ok(Outcome::new(
+                    InterpretStatus::SUCCESS,
+                    format!(
+                        "Helm Chart '{}' already installed to namespace {ns} and install_only=true",
+                        self.score.release_name
+                    ),
+                ));
+            } else {
+                info!(
+                    "Release '{}' not found in namespace '{}'. Proceeding with installation.",
+                    self.score.release_name, ns
+                );
+            }
+        }
+
+        let res = helm_executor.install_or_upgrade(
+            &ns,
+            &self.score.release_name,
+            &self.score.chart_name,
+            self.score.chart_version.as_ref(),
+            self.score.values_overrides.as_ref(),
+            yaml_path,
+            Some(&helm_options),
+        );
+
+        let status = match res {
+            Ok(status) => status,
+            Err(err) => return Err(InterpretError::new(err.to_string())),
+        };
+
+        match status {
+            helm_wrapper_rs::HelmDeployStatus::Deployed => Ok(Outcome::new(
+                InterpretStatus::SUCCESS,
+                "Helm Chart deployed".to_string(),
+            )),
+            helm_wrapper_rs::HelmDeployStatus::PendingInstall => Ok(Outcome::new(
+                InterpretStatus::RUNNING,
+                "Helm Chart Pending install".to_string(),
+            )),
+            helm_wrapper_rs::HelmDeployStatus::PendingUpgrade => Ok(Outcome::new(
+                InterpretStatus::RUNNING,
+                "Helm Chart pending upgrade".to_string(),
+            )),
+            helm_wrapper_rs::HelmDeployStatus::Failed => Err(InterpretError::new(
+                "Failed to install helm chart".to_string(),
+            )),
+        }
+    }
+    fn get_name(&self) -> InterpretName {
+        todo!()
+    }
+    fn get_version(&self) -> Version {
+        todo!()
+    }
+    fn get_status(&self) -> InterpretStatus {
+        todo!()
+    }
+    fn get_children(&self) -> Vec<Id> {
+        todo!()
+    }
+}

harmony/src/modules/helm/command.rs

@@ -0,0 +1,376 @@
+use async_trait::async_trait;
+use log::debug;
+use serde::Serialize;
+use std::collections::HashMap;
+use std::io::ErrorKind;
+use std::path::PathBuf;
+use std::process::{Command, Output};
+use temp_dir::{self, TempDir};
+use temp_file::TempFile;
+
+use crate::data::{Id, Version};
+use crate::interpret::{Interpret, InterpretError, InterpretName, InterpretStatus, Outcome};
+use crate::inventory::Inventory;
+use crate::score::Score;
+use crate::topology::{HelmCommand, K8sclient, Topology};
+
+#[derive(Clone)]
+pub struct HelmCommandExecutor {
+    pub env: HashMap<String, String>,
+    pub path: Option<PathBuf>,
+    pub args: Vec<String>,
+    pub api_versions: Option<Vec<String>>,
+    pub kube_version: String,
+    pub debug: Option<bool>,
+    pub globals: HelmGlobals,
+    pub chart: HelmChart,
+}
+
+#[derive(Clone)]
+pub struct HelmGlobals {
+    pub chart_home: Option<PathBuf>,
+    pub config_home: Option<PathBuf>,
+}
+
+#[derive(Debug, Clone, Serialize)]
+pub struct HelmChart {
+    pub name: String,
+    pub version: Option<String>,
+    pub repo: Option<String>,
+    pub release_name: Option<String>,
+    pub namespace: Option<String>,
+    pub additional_values_files: Vec<PathBuf>,
+    pub values_file: Option<PathBuf>,
+    pub values_inline: Option<String>,
+    pub include_crds: Option<bool>,
+    pub skip_hooks: Option<bool>,
+    pub api_versions: Option<Vec<String>>,
+    pub kube_version: Option<String>,
+    pub name_template: String,
+    pub skip_tests: Option<bool>,
+    pub debug: Option<bool>,
+}
+
+impl HelmCommandExecutor {
+    pub fn generate(mut self) -> Result<String, std::io::Error> {
+        if self.globals.chart_home.is_none() {
+            self.globals.chart_home = Some(PathBuf::from("charts"));
+        }
+
+        if self
+            .clone()
+            .chart
+            .clone()
+            .chart_exists_locally(self.clone().globals.chart_home.unwrap())
+            .is_none()
+        {
+            if self.chart.repo.is_none() {
+                return Err(std::io::Error::new(
+                    ErrorKind::Other,
+                    "Chart doesn't exist locally and no repo specified",
+                ));
+            }
+            self.clone().run_command(
+                self.chart
+                    .clone()
+                    .pull_command(self.globals.chart_home.clone().unwrap()),
+            )?;
+        }
+
+        let out = match self.clone().run_command(
+            self.chart
+                .clone()
+                .helm_args(self.globals.chart_home.clone().unwrap()),
+        ) {
+            Ok(out) => out,
+            Err(e) => return Err(e),
+        };
+
+        // TODO: don't use unwrap here
+        let s = String::from_utf8(out.stdout).unwrap();
+        debug!("helm stderr: {}", String::from_utf8(out.stderr).unwrap());
+        debug!("helm status: {}", out.status);
+        debug!("helm output: {s}");
+
+        let clean = s.split_once("---").unwrap().1;
+
+        Ok(clean.to_string())
+    }
+
+    pub fn version(self) -> Result<String, std::io::Error> {
+        let out = match self.run_command(vec![
+            "version".to_string(),
+            "-c".to_string(),
+            "--short".to_string(),
+        ]) {
+            Ok(out) => out,
+            Err(e) => return Err(e),
+        };
+
+        // TODO: don't use unwrap
+        Ok(String::from_utf8(out.stdout).unwrap())
+    }
+
+    pub fn run_command(mut self, mut args: Vec<String>) -> Result<Output, std::io::Error> {
+        if let Some(d) = self.debug {
+            if d {
+                args.push("--debug".to_string());
+            }
+        }
+
+        let path = if let Some(p) = self.path {
+            p
+        } else {
+            PathBuf::from("helm")
+        };
+
+        let config_home = match self.globals.config_home {
+            Some(p) => p,
+            None => PathBuf::from(TempDir::new()?.path()),
+        };
+
+        match self.chart.values_inline {
+            Some(yaml_str) => {
+                let tf: TempFile;
+                tf = temp_file::with_contents(yaml_str.as_bytes());
+                self.chart
+                    .additional_values_files
+                    .push(PathBuf::from(tf.path()));
+            }
+            None => (),
+        };
+
+        self.env.insert(
+            "HELM_CONFIG_HOME".to_string(),
+            config_home.to_str().unwrap().to_string(),
+        );
+        self.env.insert(
+            "HELM_CACHE_HOME".to_string(),
+            config_home.to_str().unwrap().to_string(),
+        );
+        self.env.insert(
+            "HELM_DATA_HOME".to_string(),
+            config_home.to_str().unwrap().to_string(),
+        );
+
+        Command::new(path).envs(self.env).args(args).output()
+    }
+}
+
+impl HelmChart {
+    pub fn chart_exists_locally(self, chart_home: PathBuf) -> Option<PathBuf> {
+        let chart_path =
+            PathBuf::from(chart_home.to_str().unwrap().to_string() + "/" + &self.name.to_string());
+
+        if chart_path.exists() {
+            Some(chart_path)
+        } else {
+            None
+        }
+    }
+
+    pub fn pull_command(self, chart_home: PathBuf) -> Vec<String> {
+        let mut args = vec![
+            "pull".to_string(),
+            "--untar".to_string(),
+            "--untardir".to_string(),
+            chart_home.to_str().unwrap().to_string(),
+        ];
+
+        match self.repo {
+            Some(r) => {
+                if r.starts_with("oci://") {
+                    args.push(String::from(
+                        r.trim_end_matches("/").to_string() + "/" + self.name.clone().as_str(),
+                    ));
+                } else {
+                    args.push("--repo".to_string());
+                    args.push(r.to_string());
+
+                    args.push(self.name);
+                }
+            }
+            None => args.push(self.name),
+        };
+
+        match self.version {
+            Some(v) => {
+                args.push("--version".to_string());
+                args.push(v.to_string());
+            }
+            None => (),
+        }
+
+        args
+    }
+
+    pub fn helm_args(self, chart_home: PathBuf) -> Vec<String> {
+        let mut args: Vec<String> = vec!["template".to_string()];
+
+        match self.release_name {
+            Some(rn) => args.push(rn.to_string()),
+            None => args.push("--generate-name".to_string()),
+        }
+
+        args.push(
+            PathBuf::from(chart_home.to_str().unwrap().to_string() + "/" + self.name.as_str())
+                .to_str()
+                .unwrap()
+                .to_string(),
+        );
+
+        if let Some(n) = self.namespace {
+            args.push("--namespace".to_string());
+            args.push(n.to_string());
+        }
+
+        if let Some(f) = self.values_file {
+            args.push("-f".to_string());
+            args.push(f.to_str().unwrap().to_string());
+        }
+
+        for f in self.additional_values_files {
+            args.push("-f".to_string());
+            args.push(f.to_str().unwrap().to_string());
+        }
+
+        if let Some(vv) = self.api_versions {
+            for v in vv {
+                args.push("--api-versions".to_string());
+                args.push(v);
+            }
+        }
+
+        if let Some(kv) = self.kube_version {
+            args.push("--kube-version".to_string());
+            args.push(kv);
+        }
+
+        if let Some(crd) = self.include_crds {
+            if crd {
+                args.push("--include-crds".to_string());
+            }
+        }
+
+        if let Some(st) = self.skip_tests {
+            if st {
+                args.push("--skip-tests".to_string());
+            }
+        }
+
+        if let Some(sh) = self.skip_hooks {
+            if sh {
+                args.push("--no-hooks".to_string());
+            }
+        }
+
+        if let Some(d) = self.debug {
+            if d {
+                args.push("--debug".to_string());
+            }
+        }
+
+        args
+    }
+}
+
+#[derive(Debug, Clone, Serialize)]
+pub struct HelmChartScoreV2 {
+    pub chart: HelmChart,
+}
+
+impl<T: Topology + K8sclient + HelmCommand> Score<T> for HelmChartScoreV2 {
+    fn create_interpret(&self) -> Box<dyn Interpret<T>> {
+        Box::new(HelmChartInterpretV2 {
+            score: self.clone(),
+        })
+    }
+
+    fn name(&self) -> String {
+        format!(
+            "{} {} HelmChartScoreV2",
+            self.chart
+                .release_name
+                .clone()
+                .unwrap_or("Unknown".to_string()),
+            self.chart.name
+        )
+    }
+}
+
+#[derive(Debug, Serialize)]
+pub struct HelmChartInterpretV2 {
+    pub score: HelmChartScoreV2,
+}
+impl HelmChartInterpretV2 {}
+
+#[async_trait]
+impl<T: Topology + K8sclient + HelmCommand> Interpret<T> for HelmChartInterpretV2 {
+    async fn execute(
+        &self,
+        _inventory: &Inventory,
+        _topology: &T,
+    ) -> Result<Outcome, InterpretError> {
+        let ns = self
+            .score
+            .chart
+            .namespace
+            .as_ref()
+            .unwrap_or_else(|| todo!("Get namespace from active kubernetes cluster"));
+
+        let helm_executor = HelmCommandExecutor {
+            env: HashMap::new(),
+            path: None,
+            args: vec![],
+            api_versions: None,
+            kube_version: "v1.33.0".to_string(),
+            debug: Some(false),
+            globals: HelmGlobals {
+                chart_home: None,
+                config_home: None,
+            },
+            chart: self.score.chart.clone(),
+        };
+
+        // let mut helm_options = Vec::new();
+        // if self.score.create_namespace {
+        //     helm_options.push(NonBlankString::from_str("--create-namespace").unwrap());
+        // }
+
+        let res = helm_executor.generate();
+
+        let output = match res {
+            Ok(output) => output,
+            Err(err) => return Err(InterpretError::new(err.to_string())),
+        };
+
+        // TODO: implement actually applying the YAML from the templating in the generate function to a k8s cluster, having trouble passing in straight YAML into the k8s client
+
+        // let k8s_resource = k8s_openapi::serde_json::from_str(output.as_str()).unwrap();
+
+        // let client = topology
+        //     .k8s_client()
+        //     .await
+        //     .expect("Environment should provide enough information to instanciate a client")
+        //     .apply_namespaced(&vec![output], Some(ns.to_string().as_str()));
+        // match client.apply_yaml(output) {
+        //     Ok(_) => return Ok(Outcome::success("Helm chart deployed".to_string())),
+        //     Err(e) => return Err(InterpretError::new(e)),
+        // }
+
+        Ok(Outcome::success("Helm chart deployed".to_string()))
+    }
+
+    fn get_name(&self) -> InterpretName {
+        todo!()
+    }
+    fn get_version(&self) -> Version {
+        todo!()
+    }
+    fn get_status(&self) -> InterpretStatus {
+        todo!()
+    }
+    fn get_children(&self) -> Vec<Id> {
+        todo!()
+    }
+}

harmony/src/modules/helm/mod.rs

@@ -0,0 +1,2 @@
+pub mod chart;
+pub mod command;

harmony/src/modules/ipxe.rs

@@ -0,0 +1,66 @@
+use async_trait::async_trait;
+use derive_new::new;
+use serde::Serialize;
+
+use crate::{
+    data::{Id, Version},
+    interpret::{Interpret, InterpretError, InterpretName, InterpretStatus, Outcome},
+    inventory::Inventory,
+    score::Score,
+    topology::Topology,
+};
+
+#[derive(Debug, new, Clone, Serialize)]
+pub struct IpxeScore {
+    //files_to_serve: Url,
+}
+
+impl<T: Topology> Score<T> for IpxeScore {
+    fn create_interpret(&self) -> Box<dyn Interpret<T>> {
+        Box::new(IpxeInterpret::new(self.clone()))
+    }
+
+    fn name(&self) -> String {
+        "IpxeScore".to_string()
+    }
+}
+
+#[derive(Debug, new, Clone)]
+pub struct IpxeInterpret {
+    _score: IpxeScore,
+}
+
+#[async_trait]
+impl<T: Topology> Interpret<T> for IpxeInterpret {
+    async fn execute(
+        &self,
+        _inventory: &Inventory,
+        _topology: &T,
+    ) -> Result<Outcome, InterpretError> {
+        /*
+        let http_server = &topology.http_server;
+        http_server.ensure_initialized().await?;
+        Ok(Outcome::success(format!(
+            "Http Server running and serving files from {}",
+            self.score.files_to_serve
+        )))
+        */
+        todo!();
+    }
+
+    fn get_name(&self) -> InterpretName {
+        InterpretName::Ipxe
+    }
+
+    fn get_version(&self) -> Version {
+        todo!()
+    }
+
+    fn get_status(&self) -> InterpretStatus {
+        todo!()
+    }
+
+    fn get_children(&self) -> Vec<Id> {
+        todo!()
+    }
+}

harmony/src/modules/k3d/install.rs

@@ -0,0 +1,82 @@
+use std::path::PathBuf;
+
+use async_trait::async_trait;
+use log::info;
+use serde::Serialize;
+
+use crate::{
+    config::HARMONY_CONFIG_DIR,
+    data::{Id, Version},
+    interpret::{Interpret, InterpretError, InterpretName, InterpretStatus, Outcome},
+    inventory::Inventory,
+    score::Score,
+    topology::Topology,
+};
+
+#[derive(Debug, Clone, Serialize)]
+pub struct K3DInstallationScore {
+    pub installation_path: PathBuf,
+    pub cluster_name: String,
+}
+
+impl Default for K3DInstallationScore {
+    fn default() -> Self {
+        Self {
+            installation_path: HARMONY_CONFIG_DIR.join("k3d"),
+            cluster_name: "harmony".to_string(),
+        }
+    }
+}
+
+impl<T: Topology> Score<T> for K3DInstallationScore {
+    fn create_interpret(&self) -> Box<dyn crate::interpret::Interpret<T>> {
+        Box::new(K3dInstallationInterpret {
+            score: self.clone(),
+        })
+    }
+
+    fn name(&self) -> String {
+        todo!()
+    }
+}
+
+#[derive(Debug)]
+pub struct K3dInstallationInterpret {
+    score: K3DInstallationScore,
+}
+
+#[async_trait]
+impl<T: Topology> Interpret<T> for K3dInstallationInterpret {
+    async fn execute(
+        &self,
+        _inventory: &Inventory,
+        _topology: &T,
+    ) -> Result<Outcome, InterpretError> {
+        let k3d = k3d_rs::K3d::new(
+            self.score.installation_path.clone(),
+            Some(self.score.cluster_name.clone()),
+        );
+        match k3d.ensure_installed().await {
+            Ok(_client) => {
+                let msg = format!("k3d cluster {} is installed ", self.score.cluster_name);
+                info!("{msg}");
+                Ok(Outcome::success(msg))
+            }
+            Err(msg) => Err(InterpretError::new(format!(
+                "K3dInstallationInterpret failed to ensure k3d is installed : {msg}"
+            ))),
+        }
+    }
+    fn get_name(&self) -> InterpretName {
+        InterpretName::K3dInstallation
+    }
+    fn get_version(&self) -> Version {
+        todo!()
+    }
+    fn get_status(&self) -> InterpretStatus {
+        todo!()
+    }
+    fn get_children(&self) -> Vec<Id> {
+        todo!()
+    }
+}

harmony/src/modules/k3d/mod.rs

@@ -0,0 +1,2 @@
+mod install;
+pub use install::*;

harmony/src/modules/k8s/deployment.rs

@@ -5,7 +5,7 @@ use serde_json::json;
 use crate::{
     interpret::Interpret,
     score::Score,
-    topology::{OcK8sclient, Topology},
+    topology::{K8sclient, Topology},
 };
 
 use super::resource::{K8sResourceInterpret, K8sResourceScore};
@@ -14,11 +14,13 @@ use super::resource::{K8sResourceInterpret, K8sResourceScore};
 pub struct K8sDeploymentScore {
     pub name: String,
     pub image: String,
+    pub namespace: Option<String>,
+    pub env_vars: serde_json::Value,
 }
 
-impl<T: Topology + OcK8sclient> Score<T> for K8sDeploymentScore {
+impl<T: Topology + K8sclient> Score<T> for K8sDeploymentScore {
     fn create_interpret(&self) -> Box<dyn Interpret<T>> {
-        let deployment: Deployment = serde_json::from_value(json!(
+        let deployment = json!(
             {
                 "metadata": {
                     "name": self.name
@@ -38,18 +40,21 @@ impl<T: Topology + OcK8sclient> Score<T> for K8sDeploymentScore {
                         "spec": {
                             "containers": [
                                 {
-                                     "image": self.image,
-                                      "name": self.image
+                                    "image": self.image,
+                                    "name": self.name,
+                                    "imagePullPolicy": "Always",
+                                    "env": self.env_vars,
                                 }
                             ]
                         }
                     }
                 }
             }
-        ))
-        .unwrap();
+        );
+
+        let deployment: Deployment = serde_json::from_value(deployment).unwrap();
         Box::new(K8sResourceInterpret {
-            score: K8sResourceScore::single(deployment.clone()),
+            score: K8sResourceScore::single(deployment.clone(), self.namespace.clone()),
         })
     }
 

harmony/src/modules/k8s/ingress.rs

@@ -0,0 +1,98 @@
+use harmony_macros::ingress_path;
+use k8s_openapi::api::networking::v1::Ingress;
+use serde::Serialize;
+use serde_json::json;
+
+use crate::{
+    interpret::Interpret,
+    score::Score,
+    topology::{K8sclient, Topology},
+};
+
+use super::resource::{K8sResourceInterpret, K8sResourceScore};
+
+#[derive(Debug, Clone, Serialize)]
+pub enum PathType {
+    ImplementationSpecific,
+    Exact,
+    Prefix,
+}
+
+impl PathType {
+    fn as_str(&self) -> &'static str {
+        match self {
+            PathType::ImplementationSpecific => "ImplementationSpecific",
+            PathType::Exact => "Exact",
+            PathType::Prefix => "Prefix",
+        }
+    }
+}
+
+type IngressPath = String;
+
+#[derive(Debug, Clone, Serialize)]
+pub struct K8sIngressScore {
+    pub name: fqdn::FQDN,
+    pub host: fqdn::FQDN,
+    pub backend_service: fqdn::FQDN,
+    pub port: u16,
+    pub path: Option<IngressPath>,
+    pub path_type: Option<PathType>,
+    pub namespace: Option<fqdn::FQDN>,
+}
+
+impl<T: Topology + K8sclient> Score<T> for K8sIngressScore {
+    fn create_interpret(&self) -> Box<dyn Interpret<T>> {
+        let path = match self.path.clone() {
+            Some(p) => p,
+            None => ingress_path!("/"),
+        };
+
+        let path_type = match self.path_type.clone() {
+            Some(p) => p,
+            None => PathType::Prefix,
+        };
+
+        let ingress = json!(
+            {
+                "metadata": {
+                    "name": self.name
+                },
+                "spec": {
+                    "rules": [
+                        {   "host": self.host,
+                            "http": {
+                                "paths": [
+                                    {
+                                        "path": path,
+                                        "pathType": path_type.as_str(),
+                                        "backend": [
+                                            {
+                                                "service": self.backend_service,
+                                                "port": self.port
+                                            }
+                                        ]
+                                    }
+                                ]
+                            }
+                        }
+                    ]
+                }
+            }
+        );
+
+        let ingress: Ingress = serde_json::from_value(ingress).unwrap();
+        Box::new(K8sResourceInterpret {
+            score: K8sResourceScore::single(
+                ingress.clone(),
+                self.namespace
+                    .clone()
+                    .map(|f| f.as_c_str().to_str().unwrap().to_string()),
+            ),
+        })
+    }
+
+    fn name(&self) -> String {
+        format!("{} K8sIngressScore", self.name)
+    }
+}

harmony/src/modules/k8s/mod.rs

@@ -1,2 +1,4 @@
 pub mod deployment;
+pub mod ingress;
+pub mod namespace;
 pub mod resource;

harmony/src/modules/k8s/namespace.rs

@@ -0,0 +1,46 @@
+use k8s_openapi::api::core::v1::Namespace;
+use non_blank_string_rs::NonBlankString;
+use serde::Serialize;
+use serde_json::json;
+
+use crate::{
+    interpret::Interpret,
+    score::Score,
+    topology::{K8sclient, Topology},
+};
+
+#[derive(Debug, Clone, Serialize)]
+pub struct K8sNamespaceScore {
+    pub name: Option<NonBlankString>,
+}
+
+impl<T: Topology + K8sclient> Score<T> for K8sNamespaceScore {
+    fn create_interpret(&self) -> Box<dyn Interpret<T>> {
+        let name = match &self.name {
+            Some(name) => name,
+            None => todo!(
+                "Return NoOp interpret when no namespace specified or something that makes sense"
+            ),
+        };
+        let _namespace: Namespace = serde_json::from_value(json!(
+            {
+                "apiVersion": "v1",
+                "kind": "Namespace",
+                "metadata": {
+                    "name": name,
+                },
+            }
+        ))
+        .unwrap();
+        todo!(
+            "We currently only support namespaced ressources (see Scope = NamespaceResourceScope)"
+        );
+        // Box::new(K8sResourceInterpret {
+        //     score: K8sResourceScore::single(namespace.clone()),
+        // })
+    }
+
+    fn name(&self) -> String {
+        "K8sNamespaceScore".to_string()
+    }
+}

harmony/src/modules/k8s/resource.rs

@@ -8,18 +8,20 @@ use crate::{
     interpret::{Interpret, InterpretError, InterpretName, InterpretStatus, Outcome},
     inventory::Inventory,
     score::Score,
-    topology::{OcK8sclient, Topology},
+    topology::{K8sclient, Topology},
 };
 
 #[derive(Debug, Clone, Serialize)]
 pub struct K8sResourceScore<K: Resource + std::fmt::Debug> {
     pub resource: Vec<K>,
+    pub namespace: Option<String>,
 }
 
 impl<K: Resource + std::fmt::Debug> K8sResourceScore<K> {
-    pub fn single(resource: K) -> Self {
+    pub fn single(resource: K, namespace: Option<String>) -> Self {
         Self {
             resource: vec![resource],
+            namespace,
         }
     }
 }
@@ -63,7 +65,7 @@ impl<
         + Default
         + Send
         + Sync,
-    T: Topology + OcK8sclient,
+    T: Topology + K8sclient,
 > Interpret<T> for K8sResourceInterpret<K>
 where
     <K as kube::Resource>::DynamicType: Default,
@@ -74,10 +76,10 @@ where
         topology: &T,
     ) -> Result<Outcome, InterpretError> {
         topology
-            .oc_client()
+            .k8s_client()
             .await
             .expect("Environment should provide enough information to instanciate a client")
-            .apply_namespaced(&self.score.resource)
+            .apply_namespaced(&self.score.resource, self.score.namespace.as_deref())
             .await?;
 
         Ok(Outcome::success(

harmony/src/modules/lamp.rs

@@ -1,17 +1,33 @@
+use convert_case::{Case, Casing};
+use dockerfile_builder::instruction::{CMD, COPY, ENV, EXPOSE, FROM, RUN, WORKDIR};
+use dockerfile_builder::{Dockerfile, instruction_builder::EnvBuilder};
+use fqdn::fqdn;
+use harmony_macros::ingress_path;
+use non_blank_string_rs::NonBlankString;
+use serde_json::json;
+use std::collections::HashMap;
+use std::fs;
 use std::path::{Path, PathBuf};
+use std::str::FromStr;
 
 use async_trait::async_trait;
+use log::{debug, info};
 use serde::Serialize;
 
+use crate::config::{REGISTRY_PROJECT, REGISTRY_URL};
+use crate::modules::k8s::ingress::K8sIngressScore;
+use crate::topology::HelmCommand;
 use crate::{
     data::{Id, Version},
     interpret::{Interpret, InterpretError, InterpretName, InterpretStatus, Outcome},
     inventory::Inventory,
     modules::k8s::deployment::K8sDeploymentScore,
     score::Score,
-    topology::{OcK8sclient, Topology, Url},
+    topology::{K8sclient, Topology, Url},
 };
 
+use super::helm::chart::HelmChartScore;
+
 #[derive(Debug, Clone, Serialize)]
 pub struct LAMPScore {
     pub name: String,
@@ -24,6 +40,8 @@ pub struct LAMPScore {
 pub struct LAMPConfig {
     pub project_root: PathBuf,
     pub ssl_enabled: bool,
+    pub database_size: Option<String>,
+    pub namespace: String,
 }
 
 impl Default for LAMPConfig {
@@ -31,13 +49,17 @@ impl Default for LAMPConfig {
         LAMPConfig {
             project_root: Path::new("./src").to_path_buf(),
             ssl_enabled: true,
+            database_size: None,
+            namespace: "harmony-lamp".to_string(),
         }
     }
 }
 
-impl<T: Topology> Score<T> for LAMPScore {
+impl<T: Topology + K8sclient + HelmCommand> Score<T> for LAMPScore {
     fn create_interpret(&self) -> Box<dyn Interpret<T>> {
-        todo!()
+        Box::new(LAMPInterpret {
+            score: self.clone(),
+        })
     }
 
     fn name(&self) -> String {
@@ -51,22 +73,94 @@ pub struct LAMPInterpret {
 }
 
 #[async_trait]
-impl<T: Topology + OcK8sclient> Interpret<T> for LAMPInterpret {
+impl<T: Topology + K8sclient + HelmCommand> Interpret<T> for LAMPInterpret {
     async fn execute(
         &self,
         inventory: &Inventory,
         topology: &T,
     ) -> Result<Outcome, InterpretError> {
-        let deployment_score = K8sDeploymentScore {
-            name: <LAMPScore as Score<T>>::name(&self.score),
-            image: "local_image".to_string(),
+        let image_name = match self.build_docker_image() {
+            Ok(name) => name,
+            Err(e) => {
+                return Err(InterpretError::new(format!(
+                    "Could not build LAMP docker image {e}"
+                )));
+            }
         };
+        info!("LAMP docker image built {image_name}");
+
+        let remote_name = match self.push_docker_image(&image_name) {
+            Ok(remote_name) => remote_name,
+            Err(e) => {
+                return Err(InterpretError::new(format!(
+                    "Could not push docker image {e}"
+                )));
+            }
+        };
+        info!("LAMP docker image pushed to {remote_name}");
+
+        info!("Deploying database");
+        self.deploy_database(inventory, topology).await?;
+
+        let base_name = self.score.name.to_case(Case::Kebab);
+        let secret_name = format!("{}-database-mariadb", base_name);
+
+        let deployment_score = K8sDeploymentScore {
+            name: <LAMPScore as Score<T>>::name(&self.score).to_case(Case::Kebab),
+            image: remote_name,
+            namespace: self.get_namespace().map(|nbs| nbs.to_string()),
+            env_vars: json!([
+            {
+                "name": "MYSQL_PASSWORD",
+                "valueFrom": {
+                    "secretKeyRef": {
+                        "name": secret_name,
+                        "key": "mariadb-root-password"
+                    }
+                }
+            },
+            {
+                "name": "MYSQL_HOST",
+                "value": secret_name
+            },
+            ]),
+        };
+
+        info!("Deploying score {deployment_score:#?}");
 
         deployment_score
             .create_interpret()
             .execute(inventory, topology)
             .await?;
-        todo!()
+
+        info!("LAMP deployment_score {deployment_score:?}");
+
+        let lamp_ingress = K8sIngressScore {
+            name: fqdn!("lamp-ingress"),
+            host: fqdn!("test"),
+            backend_service: fqdn!(
+                <LAMPScore as Score<T>>::name(&self.score)
+                    .to_case(Case::Kebab)
+                    .as_str()
+            ),
+            port: 8080,
+            path: Some(ingress_path!("/")),
+            path_type: None,
+            namespace: self
+                .get_namespace()
+                .map(|nbs| fqdn!(nbs.to_string().as_str())),
+        };
+
+        lamp_ingress
+            .create_interpret()
+            .execute(inventory, topology)
+            .await?;
+
+        info!("LAMP lamp_ingress {lamp_ingress:?}");
+
+        Ok(Outcome::success(
+            "Successfully deployed LAMP Stack!".to_string(),
+        ))
     }
 
     fn get_name(&self) -> InterpretName {
@@ -85,3 +179,242 @@ impl<T: Topology + OcK8sclient> Interpret<T> for LAMPInterpret {
         todo!()
     }
 }
+
+impl LAMPInterpret {
+    async fn deploy_database<T: Topology + K8sclient + HelmCommand>(
+        &self,
+        inventory: &Inventory,
+        topology: &T,
+    ) -> Result<Outcome, InterpretError> {
+        let mut values_overrides = HashMap::new();
+        if let Some(database_size) = self.score.config.database_size.clone() {
+            values_overrides.insert(
+                NonBlankString::from_str("primary.persistence.size").unwrap(),
+                database_size,
+            );
+            values_overrides.insert(
+                NonBlankString::from_str("auth.rootPassword").unwrap(),
+                "mariadb-changethis".to_string(),
+            );
+        }
+        let score = HelmChartScore {
+            namespace: self.get_namespace(),
+            release_name: NonBlankString::from_str(&format!("{}-database", self.score.name))
+                .unwrap(),
+            chart_name: NonBlankString::from_str(
+                "oci://registry-1.docker.io/bitnamicharts/mariadb",
+            )
+            .unwrap(),
+            chart_version: None,
+            values_overrides: Some(values_overrides),
+            create_namespace: true,
+            install_only: false,
+            values_yaml: None,
+            repository: None,
+        };
+
+        score.create_interpret().execute(inventory, topology).await
+    }
+    fn build_dockerfile(&self, score: &LAMPScore) -> Result<PathBuf, Box<dyn std::error::Error>> {
+        let mut dockerfile = Dockerfile::new();
+
+        // Use the PHP version from the score to determine the base image
+        let php_version = score.php_version.to_string();
+        let php_major_minor = php_version
+            .split('.')
+            .take(2)
+            .collect::<Vec<&str>>()
+            .join(".");
+
+        // Base image selection - using official PHP image with Apache
+        dockerfile.push(FROM::from(format!("php:{}-apache", php_major_minor)));
+
+        // Set environment variables for PHP configuration
+        dockerfile.push(ENV::from("PHP_MEMORY_LIMIT=256M"));
+        dockerfile.push(ENV::from("PHP_MAX_EXECUTION_TIME=30"));
+        dockerfile.push(
+            EnvBuilder::builder()
+                .key("PHP_ERROR_REPORTING")
+                .value("\"E_ERROR | E_WARNING | E_PARSE\"")
+                .build()
+                .unwrap(),
+        );
+
+        // Install necessary PHP extensions and dependencies
+        dockerfile.push(RUN::from(
+            "apt-get update && \
+             apt-get install -y --no-install-recommends \
+                libfreetype6-dev \
+                libjpeg62-turbo-dev \
+                libpng-dev \
+                libzip-dev \
+                unzip \
+                && apt-get clean \
+                && rm -rf /var/lib/apt/lists/*",
+        ));
+
+        dockerfile.push(RUN::from(
+            "docker-php-ext-configure gd --with-freetype --with-jpeg && \
+             docker-php-ext-install -j$(nproc) \
+                gd \
+                mysqli \
+                pdo_mysql \
+                zip \
+                opcache",
+        ));
+
+        dockerfile.push(RUN::from(r#"sed -i 's/VirtualHost \*:80/VirtualHost *:8080/' /etc/apache2/sites-available/000-default.conf && \
+                sed -i 's/^Listen 80$/Listen 8080/' /etc/apache2/ports.conf"#));
+
+        // Copy PHP configuration
+        dockerfile.push(RUN::from("mkdir -p /usr/local/etc/php/conf.d/"));
+
+        // Create and copy a custom PHP configuration
+        let php_config = r#"
+memory_limit = ${PHP_MEMORY_LIMIT}
+max_execution_time = ${PHP_MAX_EXECUTION_TIME}
+error_reporting = ${PHP_ERROR_REPORTING}
+display_errors = Off
+log_errors = On
+error_log = /dev/stderr
+date.timezone = UTC
+
+; Opcache configuration for production
+opcache.enable=1
+opcache.memory_consumption=128
+opcache.interned_strings_buffer=8
+opcache.max_accelerated_files=4000
+opcache.revalidate_freq=2
+opcache.fast_shutdown=1
+"#;
+
+        // Save this configuration to a temporary file within the project root
+        let config_path = Path::new(&score.config.project_root).join("docker-php.ini");
+        fs::write(&config_path, php_config)?;
+
+        // Reference the file within the Docker context (where the build runs)
+        dockerfile.push(COPY::from(
+            "docker-php.ini /usr/local/etc/php/conf.d/docker-php.ini",
+        ));
+
+        // Security hardening
+        dockerfile.push(RUN::from(
+            "a2enmod headers && \
+             a2enmod rewrite && \
+             sed -i 's/ServerTokens OS/ServerTokens Prod/' /etc/apache2/conf-enabled/security.conf && \
+             sed -i 's/ServerSignature On/ServerSignature Off/' /etc/apache2/conf-enabled/security.conf"
+        ));
+
+        // Set env vars
+        dockerfile.push(RUN::from(
+            "echo 'PassEnv MYSQL_PASSWORD' >> /etc/apache2/sites-available/000-default.conf \
+             && echo 'PassEnv MYSQL_USER' >> /etc/apache2/sites-available/000-default.conf \
+             && echo 'PassEnv MYSQL_HOST' >> /etc/apache2/sites-available/000-default.conf",
+        ));
+
+        // Create a dedicated user for running Apache
+        dockerfile.push(RUN::from(
+            "groupadd -g 1000 appuser && \
+             useradd -u 1000 -g appuser -m -s /bin/bash appuser && \
+             chown -R appuser:appuser /var/www/html",
+        ));
+
+        // Set the working directory
+        dockerfile.push(WORKDIR::from("/var/www/html"));
+
+        // Copy application code from the project root to the container
+        // Note: In Dockerfile, the COPY context is relative to the build context
+        // We'll handle the actual context in the build_docker_image method
+        dockerfile.push(COPY::from(". /var/www/html"));
+
+        // Fix permissions
+        dockerfile.push(RUN::from("chown -R appuser:appuser /var/www/html"));
+
+        // Expose Apache port
+        dockerfile.push(EXPOSE::from("8080/tcp"));
+
+        // Set the default command
+        dockerfile.push(CMD::from("apache2-foreground"));
+
+        // Save the Dockerfile to disk in the project root
+        let dockerfile_path = Path::new(&score.config.project_root).join("Dockerfile");
+        fs::write(&dockerfile_path, dockerfile.to_string())?;
+
+        Ok(dockerfile_path)
+    }
+
+    fn check_output(
+        &self,
+        output: &std::process::Output,
+        msg: &str,
+    ) -> Result<(), Box<dyn std::error::Error>> {
+        if !output.status.success() {
+            return Err(format!("{msg}: {}", String::from_utf8_lossy(&output.stderr)).into());
+        }
+        Ok(())
+    }
+
+    fn push_docker_image(&self, image_name: &str) -> Result<String, Box<dyn std::error::Error>> {
+        let full_tag = format!("{}/{}/{}", *REGISTRY_URL, *REGISTRY_PROJECT, &image_name);
+        let output = std::process::Command::new("docker")
+            .args(["tag", image_name, &full_tag])
+            .output()?;
+        self.check_output(&output, "Tagging docker image failed")?;
+
+        debug!(
+            "docker tag output {} {}",
+            String::from_utf8_lossy(&output.stdout),
+            String::from_utf8_lossy(&output.stderr)
+        );
+
+        let output = std::process::Command::new("docker")
+            .args(["push", &full_tag])
+            .output()?;
+        self.check_output(&output, "Pushing docker image failed")?;
+        debug!(
+            "docker push output {} {}",
+            String::from_utf8_lossy(&output.stdout),
+            String::from_utf8_lossy(&output.stderr)
+        );
+
+        Ok(full_tag)
+    }
+
+    pub fn build_docker_image(&self) -> Result<String, Box<dyn std::error::Error>> {
+        info!("Generating Dockerfile");
+        let dockerfile = self.build_dockerfile(&self.score)?;
+
+        info!(
+            "Building Docker image with file {} from root {}",
+            dockerfile.to_string_lossy(),
+            self.score.config.project_root.to_string_lossy()
+        );
+        let image_name = format!("{}-php-apache", self.score.name);
+        let project_root = &self.score.config.project_root;
+
+        let output = std::process::Command::new("docker")
+            .args([
+                "build",
+                "--file",
+                dockerfile.to_str().unwrap(),
+                "-t",
+                &image_name,
+                project_root.to_str().unwrap(),
+            ])
+            .output()?;
+
+        if !output.status.success() {
+            return Err(format!(
+                "Failed to build Docker image: {}",
+                String::from_utf8_lossy(&output.stderr)
+            )
+            .into());
+        }
+
+        Ok(image_name)
+    }
+
+    fn get_namespace(&self) -> Option<NonBlankString> {
+        Some(NonBlankString::from_str(&self.score.config.namespace).unwrap())
+    }
+}

harmony/src/modules/mod.rs

@@ -1,10 +1,15 @@
+pub mod cert_manager;
 pub mod dhcp;
 pub mod dns;
 pub mod dummy;
+pub mod helm;
 pub mod http;
+pub mod ipxe;
+pub mod k3d;
 pub mod k8s;
 pub mod lamp;
 pub mod load_balancer;
+pub mod monitoring;
 pub mod okd;
 pub mod opnsense;
 pub mod tftp;

harmony/src/modules/monitoring/config.rs

@@ -0,0 +1,49 @@
+use serde::Serialize;
+
+use super::monitoring_alerting::AlertChannel;
+
+#[derive(Debug, Clone, Serialize)]
+pub struct KubePrometheusConfig {
+    pub namespace: String,
+    pub default_rules: bool,
+    pub windows_monitoring: bool,
+    pub alert_manager: bool,
+    pub node_exporter: bool,
+    pub prometheus: bool,
+    pub grafana: bool,
+    pub kubernetes_service_monitors: bool,
+    pub kubernetes_api_server: bool,
+    pub kubelet: bool,
+    pub kube_controller_manager: bool,
+    pub core_dns: bool,
+    pub kube_etcd: bool,
+    pub kube_scheduler: bool,
+    pub kube_proxy: bool,
+    pub kube_state_metrics: bool,
+    pub prometheus_operator: bool,
+    pub alert_channel: Vec<AlertChannel>,
+}
+impl KubePrometheusConfig {
+    pub fn new() -> Self {
+        Self {
+            namespace: "monitoring".into(),
+            default_rules: true,
+            windows_monitoring: false,
+            alert_manager: true,
+            alert_channel: Vec::new(),
+            grafana: true,
+            node_exporter: false,
+            prometheus: true,
+            kubernetes_service_monitors: true,
+            kubernetes_api_server: false,
+            kubelet: false,
+            kube_controller_manager: false,
+            kube_etcd: false,
+            kube_proxy: false,
+            kube_state_metrics: true,
+            prometheus_operator: true,
+            core_dns: false,
+            kube_scheduler: false,
+        }
+    }
+}

harmony/src/modules/monitoring/discord_alert_manager.rs

@@ -0,0 +1,35 @@
+use std::str::FromStr;
+
+use non_blank_string_rs::NonBlankString;
+use url::Url;
+
+use crate::modules::helm::chart::HelmChartScore;
+
+pub fn discord_alert_manager_score(
+    webhook_url: Url,
+    namespace: String,
+    name: String,
+) -> HelmChartScore {
+    let values = format!(
+        r#"
+environment:
+  - name: "DISCORD_WEBHOOK"
+    value: "{webhook_url}"
+"#,
+    );
+
+    HelmChartScore {
+        namespace: Some(NonBlankString::from_str(&namespace).unwrap()),
+        release_name: NonBlankString::from_str(&name).unwrap(),
+        chart_name: NonBlankString::from_str(
+            "oci://hub.nationtech.io/library/alertmanager-discord",
+        )
+        .unwrap(),
+        chart_version: None,
+        values_overrides: None,
+        values_yaml: Some(values.to_string()),
+        create_namespace: true,
+        install_only: true,
+        repository: None,
+    }
+}

harmony/src/modules/monitoring/discord_webhook_sender.rs

@@ -0,0 +1,131 @@
+use super::discord_alert_manager::discord_alert_manager_score;
+use async_trait::async_trait;
+use serde::Serialize;
+use serde_yaml::Value;
+use tokio::sync::OnceCell;
+use url::Url;
+
+use crate::{
+    interpret::{Interpret, InterpretError, Outcome},
+    inventory::Inventory,
+    score::Score,
+    topology::{
+        HelmCommand, K8sAnywhereTopology, Topology,
+        oberservability::monitoring::{AlertReceiverProvision, EnsureAlertReceiver},
+    },
+};
+
+#[derive(Debug, Clone, Serialize)]
+pub struct DiscordWebhookConfig {
+    pub webhook_url: Url,
+    pub name: String,
+    pub send_resolved_notifications: bool,
+}
+
+#[async_trait]
+impl<T: Topology + DiscordWebhookReceiver> EnsureAlertReceiver<T> for DiscordWebhookConfig {
+    async fn ensure_alert_receiver(
+        &self,
+        inventory: Inventory,
+        topology: &T,
+    ) -> Result<Outcome, InterpretError> {
+        topology
+            .ensure_discord_webhook_receiver(&inventory, self.clone())
+            .await
+    }
+}
+
+impl<T: Topology + HelmCommand> AlertReceiverProvision<T> for DiscordWebhookConfig {
+    fn get_deployment_score(&self) -> Box<dyn Score<T>> {
+        Box::new(DiscordWebhookReceiverScore {
+            config: self.clone(),
+        })
+    }
+
+    fn alert_receiver_id(&self) -> String {
+        self.name.clone()
+    }
+}
+
+#[async_trait]
+pub trait DiscordWebhookReceiver {
+    async fn ensure_discord_webhook_receiver(
+        &self,
+        inventory: &Inventory,
+        config: DiscordWebhookConfig,
+    ) -> Result<Outcome, InterpretError>;
+    fn delete_discord_webhook_receiver(
+        &self,
+        config: DiscordWebhookConfig,
+    ) -> Result<Outcome, InterpretError>;
+}
+
+#[async_trait]
+impl DiscordWebhookReceiver for K8sAnywhereTopology {
+    async fn ensure_discord_webhook_receiver(
+        &self,
+        inventory: &Inventory,
+        config: DiscordWebhookConfig,
+    ) -> Result<Outcome, InterpretError> {
+        let receiver_key = config.name.clone();
+        let mut adapters_map_guard = self.alert_receivers.lock().await;
+
+        let cell = adapters_map_guard
+            .entry(receiver_key.clone())
+            .or_insert_with(OnceCell::new);
+
+        if let Some(initialized_receiver) = cell.get() {
+            return Ok(Outcome::success(format!(
+                "Discord Webhook adapter for '{}' already initialized.",
+                initialized_receiver.receiver_id
+            )));
+        }
+
+        let final_state = cell
+            .get_or_try_init(|| async { self.initialize_alert_receiver(&config, inventory).await })
+            .await?;
+
+        Ok(Outcome::success(format!(
+            "Discord Webhook Receiver for '{}' ensured/initialized.",
+            final_state.receiver_id
+        )))
+    }
+
+    fn delete_discord_webhook_receiver(
+        &self,
+        _config: DiscordWebhookConfig,
+    ) -> Result<Outcome, InterpretError> {
+        todo!()
+    }
+}
+
+pub trait AlertManagerConfig<T> {
+    fn get_alert_manager_config(&self) -> Result<Value, InterpretError>;
+}
+
+#[async_trait]
+impl<T: DiscordWebhookReceiver> AlertManagerConfig<T> for DiscordWebhookConfig {
+    fn get_alert_manager_config(&self) -> Result<Value, InterpretError> {
+        todo!()
+    }
+}
+
+#[derive(Debug, Clone, Serialize)]
+struct DiscordWebhookReceiverScore {
+    config: DiscordWebhookConfig,
+}
+
+impl<T: Topology + HelmCommand> Score<T> for DiscordWebhookReceiverScore {
+    fn create_interpret(&self) -> Box<dyn Interpret<T>> {
+        discord_alert_manager_score(
+            self.config.webhook_url.clone(),
+            self.config.name.clone(),
+            self.config.name.clone(),
+        )
+        .create_interpret()
+    }
+
+    fn name(&self) -> String {
+        "DiscordWebhookReceiverScore".to_string()
+    }
+}

harmony/src/modules/monitoring/kube_prometheus.rs

@@ -0,0 +1,262 @@
+use super::{config::KubePrometheusConfig, monitoring_alerting::AlertChannel};
+use log::info;
+use non_blank_string_rs::NonBlankString;
+use std::{collections::HashMap, str::FromStr};
+use url::Url;
+
+use crate::modules::helm::chart::HelmChartScore;
+
+pub fn kube_prometheus_helm_chart_score(config: &KubePrometheusConfig) -> HelmChartScore {
+    //TODO this should be make into a rule with default formatting that can be easily passed as a vec
+    //to the overrides or something leaving the user to deal with formatting here seems bad
+    let default_rules = config.default_rules.to_string();
+    let windows_monitoring = config.windows_monitoring.to_string();
+    let alert_manager = config.alert_manager.to_string();
+    let grafana = config.grafana.to_string();
+    let kubernetes_service_monitors = config.kubernetes_service_monitors.to_string();
+    let kubernetes_api_server = config.kubernetes_api_server.to_string();
+    let kubelet = config.kubelet.to_string();
+    let kube_controller_manager = config.kube_controller_manager.to_string();
+    let core_dns = config.core_dns.to_string();
+    let kube_etcd = config.kube_etcd.to_string();
+    let kube_scheduler = config.kube_scheduler.to_string();
+    let kube_proxy = config.kube_proxy.to_string();
+    let kube_state_metrics = config.kube_state_metrics.to_string();
+    let node_exporter = config.node_exporter.to_string();
+    let prometheus_operator = config.prometheus_operator.to_string();
+    let prometheus = config.prometheus.to_string();
+    let mut values = format!(
+        r#"
+additionalPrometheusRulesMap:
+  pods-status-alerts:
+    groups:
+      - name: pods
+        rules:
+          - alert: "[CRIT] POD not healthy"
+            expr: min_over_time(sum by (namespace, pod) (kube_pod_status_phase{{phase=~"Pending|Unknown|Failed"}})[15m:1m]) > 0
+            for: 0m
+            labels:
+              severity: critical
+            annotations:
+              title: "[CRIT] POD not healthy : {{{{ $labels.pod }}}}"
+              description: |
+               A POD is in a non-ready state!
+               - **Pod**: {{{{ $labels.pod }}}}
+               - **Namespace**: {{{{ $labels.namespace }}}}
+          - alert: "[CRIT] POD crash looping"
+            expr: increase(kube_pod_container_status_restarts_total[5m]) > 3
+            for: 0m
+            labels:
+              severity: critical
+            annotations:
+              title: "[CRIT] POD crash looping : {{{{ $labels.pod }}}}"
+              description: |
+               A POD is drowning in a crash loop!
+               - **Pod**: {{{{ $labels.pod }}}}
+               - **Namespace**: {{{{ $labels.namespace }}}}
+               - **Instance**: {{{{ $labels.instance }}}}
+  pvc-alerts:
+    groups:
+      - name: pvc-alerts
+        rules:
+          - alert: 'PVC Fill Over 95 Percent In 2 Days'
+            expr: |
+              (
+                kubelet_volume_stats_used_bytes 
+                / 
+                kubelet_volume_stats_capacity_bytes
+              ) > 0.95
+              AND
+              predict_linear(kubelet_volume_stats_used_bytes[2d], 2 * 24 * 60 * 60)
+              / 
+              kubelet_volume_stats_capacity_bytes 
+              > 0.95
+            for: 1m
+            labels:
+              severity: warning
+            annotations:
+              description: The PVC {{{{ $labels.persistentvolumeclaim }}}} in namespace {{{{ $labels.namespace }}}} is predicted to fill over 95% in less than 2 days.
+              title: PVC {{{{ $labels.persistentvolumeclaim }}}} in namespace {{{{ $labels.namespace }}}} will fill over 95% in less than 2 days
+defaultRules:
+  create: {default_rules}
+  rules:
+    alertmanager: true
+    etcd: true
+    configReloaders: true
+    general: true
+    k8sContainerCpuUsageSecondsTotal: true
+    k8sContainerMemoryCache: true
+    k8sContainerMemoryRss: true
+    k8sContainerMemorySwap: true
+    k8sContainerResource: true
+    k8sContainerMemoryWorkingSetBytes: true
+    k8sPodOwner: true
+    kubeApiserverAvailability: true
+    kubeApiserverBurnrate: true
+    kubeApiserverHistogram: true
+    kubeApiserverSlos: true
+    kubeControllerManager: true
+    kubelet: true
+    kubeProxy: true
+    kubePrometheusGeneral: true
+    kubePrometheusNodeRecording: true
+    kubernetesApps: true
+    kubernetesResources: true
+    kubernetesStorage: true
+    kubernetesSystem: true
+    kubeSchedulerAlerting: true
+    kubeSchedulerRecording: true
+    kubeStateMetrics: true
+    network: true
+    node: true
+    nodeExporterAlerting: true
+    nodeExporterRecording: true
+    prometheus: true
+    prometheusOperator: true
+    windows: true
+windowsMonitoring:
+  enabled: {windows_monitoring}
+grafana:
+  enabled: {grafana}
+kubernetesServiceMonitors:
+  enabled: {kubernetes_service_monitors}
+kubeApiServer:
+  enabled: {kubernetes_api_server}
+kubelet:
+  enabled: {kubelet}
+kubeControllerManager:
+  enabled: {kube_controller_manager}
+coreDns:
+  enabled: {core_dns}
+kubeEtcd:
+  enabled: {kube_etcd}
+kubeScheduler:
+  enabled: {kube_scheduler}
+kubeProxy:
+  enabled: {kube_proxy}
+kubeStateMetrics:
+  enabled: {kube_state_metrics}
+nodeExporter:
+  enabled: {node_exporter}
+prometheusOperator:
+  enabled: {prometheus_operator}
+prometheus:
+  enabled: {prometheus}
+"#,
+    );
+
+    let alertmanager_config = alert_manager_yaml_builder(&config);
+    values.push_str(&alertmanager_config);
+
+    fn alert_manager_yaml_builder(config: &KubePrometheusConfig) -> String {
+        let mut receivers = String::new();
+        let mut routes = String::new();
+        let mut global_configs = String::new();
+        let alert_manager = config.alert_manager;
+        for alert_channel in &config.alert_channel {
+            match alert_channel {
+                AlertChannel::Discord { name, .. } => {
+                    let (receiver, route) = discord_alert_builder(name);
+                    info!("discord receiver: {} \nroute: {}", receiver, route);
+                    receivers.push_str(&receiver);
+                    routes.push_str(&route);
+                }
+                AlertChannel::Slack {
+                    slack_channel,
+                    webhook_url,
+                } => {
+                    let (receiver, route) = slack_alert_builder(slack_channel);
+                    info!("slack receiver: {} \nroute: {}", receiver, route);
+                    receivers.push_str(&receiver);
+
+                    routes.push_str(&route);
+                    let global_config = format!(
+                        r#"
+    global:
+      slack_api_url: {webhook_url}"#
+                    );
+
+                    global_configs.push_str(&global_config);
+                }
+                AlertChannel::Smpt { .. } => todo!(),
+            }
+        }
+        info!("after alert receiver: {}", receivers);
+        info!("after alert routes: {}", routes);
+
+        let alertmanager_config = format!(
+            r#"
+alertmanager:
+  enabled: {alert_manager}
+  config: {global_configs}
+    route: 
+      group_by: ['job']
+      group_wait: 30s
+      group_interval: 5m
+      repeat_interval: 12h
+      routes:
+{routes}
+    receivers: 
+    - name: 'null'
+{receivers}"#
+        );
+
+        info!("alert manager config: {}", alertmanager_config);
+        alertmanager_config
+    }
+
+    HelmChartScore {
+        namespace: Some(NonBlankString::from_str(&config.namespace).unwrap()),
+        release_name: NonBlankString::from_str("kube-prometheus").unwrap(),
+        chart_name: NonBlankString::from_str(
+            "oci://ghcr.io/prometheus-community/charts/kube-prometheus-stack",
+        )
+        .unwrap(),
+        chart_version: None,
+        values_overrides: None,
+        values_yaml: Some(values.to_string()),
+        create_namespace: true,
+        install_only: true,
+        repository: None,
+    }
+}
+
+fn discord_alert_builder(release_name: &String) -> (String, String) {
+    let discord_receiver_name = format!("Discord-{}", release_name);
+    let receiver = format!(
+        r#"
+    - name: '{discord_receiver_name}'
+      webhook_configs:
+      - url: 'http://{release_name}-alertmanager-discord:9094'
+        send_resolved: true"#,
+    );
+    let route = format!(
+        r#"
+      - receiver: '{discord_receiver_name}'
+        matchers: 
+          - alertname!=Watchdog
+        continue: true"#,
+    );
+    (receiver, route)
+}
+
+fn slack_alert_builder(slack_channel: &String) -> (String, String) {
+    let slack_receiver_name = format!("Slack-{}", slack_channel);
+    let receiver = format!(
+        r#"
+    - name: '{slack_receiver_name}'
+      slack_configs:
+      - channel: '{slack_channel}'
+        send_resolved: true
+        title: '{{{{ .CommonAnnotations.title }}}}'
+        text: '{{{{ .CommonAnnotations.description }}}}'"#,
+    );
+    let route = format!(
+        r#"
+      - receiver: '{slack_receiver_name}'
+        matchers: 
+          - alertname!=Watchdog
+        continue: true"#,
+    );
+    (receiver, route)
+}

harmony/src/modules/monitoring/mod.rs

@@ -0,0 +1,5 @@
+mod config;
+mod discord_alert_manager;
+pub mod discord_webhook_sender;
+mod kube_prometheus;
+pub mod monitoring_alerting;

harmony/src/modules/monitoring/monitoring_alerting.rs

@@ -0,0 +1,161 @@
+use async_trait::async_trait;
+use email_address::EmailAddress;
+
+use log::info;
+use serde::Serialize;
+use url::Url;
+
+use crate::{
+    data::{Id, Version},
+    interpret::{Interpret, InterpretError, InterpretName, InterpretStatus, Outcome},
+    inventory::Inventory,
+    score::Score,
+    topology::{HelmCommand, Topology},
+};
+
+use super::{
+    config::KubePrometheusConfig, discord_alert_manager::discord_alert_manager_score,
+    kube_prometheus::kube_prometheus_helm_chart_score,
+};
+
+#[derive(Debug, Clone, Serialize)]
+pub enum AlertChannel {
+    Discord {
+        name: String,
+        webhook_url: Url,
+    },
+    Slack {
+        slack_channel: String,
+        webhook_url: Url,
+    },
+    //TODO test and implement in helm chart
+    //currently does not work
+    Smpt {
+        email_address: EmailAddress,
+        service_name: String,
+    },
+}
+
+#[derive(Debug, Clone, Serialize)]
+pub struct MonitoringAlertingStackScore {
+    pub alert_channel: Vec<AlertChannel>,
+    pub namespace: Option<String>,
+}
+
+impl MonitoringAlertingStackScore {
+    pub fn new() -> Self {
+        Self {
+            alert_channel: Vec::new(),
+            namespace: None,
+        }
+    }
+}
+
+impl<T: Topology + HelmCommand> Score<T> for MonitoringAlertingStackScore {
+    fn create_interpret(&self) -> Box<dyn Interpret<T>> {
+        Box::new(MonitoringAlertingStackInterpret {
+            score: self.clone(),
+        })
+    }
+    fn name(&self) -> String {
+        format!("MonitoringAlertingStackScore")
+    }
+}
+
+#[derive(Debug, Clone, Serialize)]
+struct MonitoringAlertingStackInterpret {
+    score: MonitoringAlertingStackScore,
+}
+
+impl MonitoringAlertingStackInterpret {
+    async fn build_kube_prometheus_helm_chart_config(&self) -> KubePrometheusConfig {
+        let mut config = KubePrometheusConfig::new();
+        if let Some(ns) = &self.score.namespace {
+            config.namespace = ns.clone();
+        }
+        config.alert_channel = self.score.alert_channel.clone();
+        config
+    }
+
+    async fn deploy_kube_prometheus_helm_chart_score<T: Topology + HelmCommand>(
+        &self,
+        inventory: &Inventory,
+        topology: &T,
+        config: &KubePrometheusConfig,
+    ) -> Result<Outcome, InterpretError> {
+        let helm_chart = kube_prometheus_helm_chart_score(config);
+        helm_chart
+            .create_interpret()
+            .execute(inventory, topology)
+            .await
+    }
+
+    async fn deploy_alert_channel_service<T: Topology + HelmCommand>(
+        &self,
+        inventory: &Inventory,
+        topology: &T,
+        config: &KubePrometheusConfig,
+    ) -> Result<Outcome, InterpretError> {
+        //let mut outcomes = vec![];
+
+        //for channel in &self.score.alert_channel {
+        //    let outcome = match channel {
+        //        AlertChannel::Discord { .. } => {
+        //            discord_alert_manager_score(config)
+        //                .create_interpret()
+        //                .execute(inventory, topology)
+        //                .await
+        //        }
+        //        AlertChannel::Slack { .. } => Ok(Outcome::success(
+        //            "No extra configs for slack alerting".to_string(),
+        //        )),
+        //        AlertChannel::Smpt { .. } => {
+        //            todo!()
+        //        }
+        //    };
+        //    outcomes.push(outcome);
+        //}
+        //for result in outcomes {
+        //    result?;
+        //}
+
+        Ok(Outcome::success("All alert channels deployed".to_string()))
+    }
+}
+
+#[async_trait]
+impl<T: Topology + HelmCommand> Interpret<T> for MonitoringAlertingStackInterpret {
+    async fn execute(
+        &self,
+        inventory: &Inventory,
+        topology: &T,
+    ) -> Result<Outcome, InterpretError> {
+        let config = self.build_kube_prometheus_helm_chart_config().await;
+        info!("Built kube prometheus config");
+        info!("Installing kube prometheus chart");
+        self.deploy_kube_prometheus_helm_chart_score(inventory, topology, &config)
+            .await?;
+        info!("Installing alert channel service");
+        self.deploy_alert_channel_service(inventory, topology, &config)
+            .await?;
+        Ok(Outcome::success(format!(
+            "succesfully deployed monitoring and alerting stack"
+        )))
+    }
+
+    fn get_name(&self) -> InterpretName {
+        todo!()
+    }
+
+    fn get_version(&self) -> Version {
+        todo!()
+    }
+
+    fn get_status(&self) -> InterpretStatus {
+        todo!()
+    }
+
+    fn get_children(&self) -> Vec<Id> {
+        todo!()
+    }
+}

harmony/src/modules/okd/bootstrap_dhcp.rs

@@ -36,13 +36,20 @@ impl OKDBootstrapDhcpScore {
                 .expect("Should have at least one worker to be used as bootstrap node")
                 .clone(),
         });
+        // TODO refactor this so it is not copy pasted from dhcp.rs
         Self {
             dhcp_score: DhcpScore::new(
                 host_binding,
                 // TODO : we should add a tftp server to the topology instead of relying on the
                 // router address, this is leaking implementation details
                 Some(topology.router.get_gateway()),
-                Some("bootx64.efi".to_string()),
+                None, // To allow UEFI boot we cannot provide a legacy file
+                Some("undionly.kpxe".to_string()),
+                Some("ipxe.efi".to_string()),
+                Some(format!(
+                    "http://{}:8080/boot.ipxe",
+                    topology.router.get_gateway()
+                )),
             ),
         }
     }

harmony/src/modules/okd/dhcp.rs

@@ -15,7 +15,7 @@ pub struct OKDDhcpScore {
 
 impl OKDDhcpScore {
     pub fn new(topology: &HAClusterTopology, inventory: &Inventory) -> Self {
-        let host_binding = topology
+        let mut host_binding: Vec<HostBinding> = topology
             .control_plane
             .iter()
             .enumerate()
@@ -28,13 +28,35 @@ impl OKDDhcpScore {
                     .clone(),
             })
             .collect();
+
+        topology
+            .workers
+            .iter()
+            .enumerate()
+            .for_each(|(index, topology_entry)| {
+                host_binding.push(HostBinding {
+                    logical_host: topology_entry.clone(),
+                    physical_host: inventory
+                        .worker_host
+                        .get(index)
+                        .expect("There should be enough worker hosts to fill topology")
+                        .clone(),
+                })
+            });
+
         Self {
             // TODO : we should add a tftp server to the topology instead of relying on the
             // router address, this is leaking implementation details
             dhcp_score: DhcpScore {
                 host_binding,
                 next_server: Some(topology.router.get_gateway()),
-                boot_filename: Some("bootx64.efi".to_string()),
+                boot_filename: None,
+                filename: Some("undionly.kpxe".to_string()),
+                filename64: Some("ipxe.efi".to_string()),
+                filenameipxe: Some(format!(
+                    "http://{}:8080/boot.ipxe",
+                    topology.router.get_gateway()
+                )),
             },
         }
     }

harmony/src/modules/okd/load_balancer.rs

@@ -13,7 +13,7 @@ use crate::{
 };
 
 impl std::fmt::Display for OKDLoadBalancerScore {
-    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+    fn fmt(&self, _f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
         todo!()
     }
 }

harmony/src/modules/okd/upgrade.rs

@@ -2,15 +2,15 @@ use crate::data::Version;
 
 #[derive(Debug, Clone)]
 pub struct OKDUpgradeScore {
-    current_version: Version,
-    target_version: Version,
+    _current_version: Version,
+    _target_version: Version,
 }
 
 impl OKDUpgradeScore {
     pub fn new() -> Self {
         Self {
-            current_version: Version::from("4.17.0-okd-scos.0").unwrap(),
-            target_version: Version::from("").unwrap(),
+            _current_version: Version::from("4.17.0-okd-scos.0").unwrap(),
+            _target_version: Version::from("").unwrap(),
         }
     }
 }

harmony/src/modules/opnsense/shell.rs

@@ -27,7 +27,7 @@ pub struct OPNsenseShellCommandScore {
 }
 
 impl Serialize for OPNsenseShellCommandScore {
-    fn serialize<S>(&self, serializer: S) -> Result<S::Ok, S::Error>
+    fn serialize<S>(&self, _serializer: S) -> Result<S::Ok, S::Error>
     where
         S: serde::Serializer,
     {

harmony/src/modules/opnsense/upgrade.rs

@@ -17,7 +17,7 @@ pub struct OPNSenseLaunchUpgrade {
 }
 
 impl Serialize for OPNSenseLaunchUpgrade {
-    fn serialize<S>(&self, serializer: S) -> Result<S::Ok, S::Error>
+    fn serialize<S>(&self, _serializer: S) -> Result<S::Ok, S::Error>
     where
         S: serde::Serializer,
     {

harmony_cli/Cargo.toml

@@ -0,0 +1,20 @@
+[package]
+name = "harmony_cli"
+edition = "2024"
+version.workspace = true
+readme.workspace = true
+license.workspace = true
+
+[dependencies]
+assert_cmd = "2.0.17"
+clap = { version = "4.5.35", features = ["derive"] }
+harmony = { path = "../harmony" }
+harmony_tui = { path = "../harmony_tui", optional = true }
+inquire.workspace = true
+tokio.workspace = true
+env_logger.workspace = true
+
+
+[features]
+default = ["tui"]
+tui = ["dep:harmony_tui"]

harmony_cli/src/lib.rs

@@ -0,0 +1,313 @@
+use clap::Parser;
+use clap::builder::ArgPredicate;
+use harmony;
+use harmony::{score::Score, topology::Topology};
+use inquire::Confirm;
+
+#[cfg(feature = "tui")]
+use harmony_tui;
+
+#[derive(Parser, Debug)]
+#[command(version, about, long_about = None)]
+pub struct Args {
+    /// Run score(s) without prompt
+    #[arg(short, long, default_value_t = false, conflicts_with = "interactive")]
+    yes: bool,
+
+    /// Filter query
+    #[arg(short, long, conflicts_with = "interactive")]
+    filter: Option<String>,
+
+    /// Run interactive TUI or not
+    #[arg(short, long, default_value_t = false)]
+    interactive: bool,
+
+    /// Run all or nth, defaults to all
+    #[arg(
+        short,
+        long,
+        default_value_t = true,
+        default_value_if("number", ArgPredicate::IsPresent, "false"),
+        conflicts_with = "number",
+        conflicts_with = "interactive"
+    )]
+    all: bool,
+
+    /// Run nth matching, zero indexed
+    #[arg(short, long, default_value_t = 0, conflicts_with = "interactive")]
+    number: usize,
+
+    /// list scores, will also be affected by run filter
+    #[arg(short, long, default_value_t = false, conflicts_with = "interactive")]
+    list: bool,
+}
+
+fn maestro_scores_filter<T: Topology>(
+    maestro: &harmony::maestro::Maestro<T>,
+    all: bool,
+    filter: Option<String>,
+    number: usize,
+) -> Vec<Box<dyn Score<T>>> {
+    let scores = maestro.scores();
+    let scores_read = scores.read().expect("Should be able to read scores");
+    let mut scores_vec: Vec<Box<dyn Score<T>>> = match filter {
+        Some(f) => scores_read
+            .iter()
+            .filter(|s| s.name().contains(&f))
+            .map(|s| s.clone_box())
+            .collect(),
+        None => scores_read.iter().map(|s| s.clone_box()).collect(),
+    };
+
+    if !all {
+        let score = scores_vec.get(number);
+        match score {
+            Some(s) => scores_vec = vec![s.clone_box()],
+            None => return vec![],
+        }
+    };
+
+    return scores_vec;
+}
+
+// TODO: consider adding doctest for this function
+fn list_scores_with_index<T: Topology>(scores_vec: &Vec<Box<dyn Score<T>>>) -> String {
+    let mut display_str = String::new();
+    for (i, s) in scores_vec.iter().enumerate() {
+        let name = s.name();
+        display_str.push_str(&format!("\n{i}: {name}"));
+    }
+    return display_str;
+}
+
+pub async fn init<T: Topology + Send + Sync + 'static>(
+    maestro: harmony::maestro::Maestro<T>,
+    args_struct: Option<Args>,
+) -> Result<(), Box<dyn std::error::Error>> {
+    let args = match args_struct {
+        Some(args) => args,
+        None => Args::parse(),
+    };
+
+    #[cfg(feature = "tui")]
+    if args.interactive {
+        return harmony_tui::init(maestro).await;
+    }
+
+    #[cfg(not(feature = "tui"))]
+    if args.interactive {
+        return Err("Not compiled with interactive support".into());
+    }
+
+    let _ = env_logger::builder().try_init();
+
+    let scores_vec = maestro_scores_filter(&maestro, args.all, args.filter, args.number);
+
+    if scores_vec.len() == 0 {
+        return Err("No score found".into());
+    }
+
+    // if list option is specified, print filtered list and exit
+    if args.list {
+        println!("Available scores:");
+        println!("{}", list_scores_with_index(&scores_vec));
+        return Ok(());
+    }
+
+    // prompt user if --yes is not specified
+    if !args.yes {
+        let confirmation = Confirm::new(
+            format!(
+                "This will run the following scores: {}\n",
+                list_scores_with_index(&scores_vec)
+            )
+            .as_str(),
+        )
+        .with_default(true)
+        .prompt()
+        .expect("Unexpected prompt error");
+
+        if !confirmation {
+            return Ok(());
+        }
+    }
+
+    // Run filtered scores
+    for s in scores_vec {
+        println!("Running: {}", s.name());
+        maestro.interpret(s).await?;
+    }
+
+    Ok(())
+}
+
+#[cfg(test)]
+mod test {
+    use harmony::{
+        inventory::Inventory,
+        maestro::Maestro,
+        modules::dummy::{ErrorScore, PanicScore, SuccessScore},
+        topology::HAClusterTopology,
+    };
+
+    fn init_test_maestro() -> Maestro<HAClusterTopology> {
+        let inventory = Inventory::autoload();
+        let topology = HAClusterTopology::autoload();
+        let mut maestro = Maestro::new(inventory, topology);
+
+        maestro.register_all(vec![
+            Box::new(SuccessScore {}),
+            Box::new(ErrorScore {}),
+            Box::new(PanicScore {}),
+        ]);
+
+        maestro
+    }
+
+    #[tokio::test]
+    async fn test_init_success_score() {
+        let maestro = init_test_maestro();
+        let res = crate::init(
+            maestro,
+            Some(crate::Args {
+                yes: true,
+                filter: Some("SuccessScore".to_owned()),
+                interactive: false,
+                all: true,
+                number: 0,
+                list: false,
+            }),
+        )
+        .await;
+
+        assert!(res.is_ok());
+    }
+
+    #[tokio::test]
+    async fn test_init_error_score() {
+        let maestro = init_test_maestro();
+
+        let res = crate::init(
+            maestro,
+            Some(crate::Args {
+                yes: true,
+                filter: Some("ErrorScore".to_owned()),
+                interactive: false,
+                all: true,
+                number: 0,
+                list: false,
+            }),
+        )
+        .await;
+
+        assert!(res.is_err());
+    }
+
+    #[tokio::test]
+    async fn test_init_number_score() {
+        let maestro = init_test_maestro();
+
+        let res = crate::init(
+            maestro,
+            Some(crate::Args {
+                yes: true,
+                filter: None,
+                interactive: false,
+                all: false,
+                number: 0,
+                list: false,
+            }),
+        )
+        .await;
+
+        assert!(res.is_ok());
+    }
+
+    #[tokio::test]
+    async fn test_filter_fn_all() {
+        let maestro = init_test_maestro();
+
+        let res = crate::maestro_scores_filter(&maestro, true, None, 0);
+
+        assert!(res.len() == 3);
+    }
+
+    #[tokio::test]
+    async fn test_filter_fn_all_success() {
+        let maestro = init_test_maestro();
+
+        let res = crate::maestro_scores_filter(&maestro, true, Some("Success".to_owned()), 0);
+
+        assert!(res.len() == 1);
+
+        assert!(
+            maestro
+                .interpret(res.get(0).unwrap().clone_box())
+                .await
+                .is_ok()
+        );
+    }
+
+    #[tokio::test]
+    async fn test_filter_fn_all_error() {
+        let maestro = init_test_maestro();
+
+        let res = crate::maestro_scores_filter(&maestro, true, Some("Error".to_owned()), 0);
+
+        assert!(res.len() == 1);
+
+        assert!(
+            maestro
+                .interpret(res.get(0).unwrap().clone_box())
+                .await
+                .is_err()
+        );
+    }
+
+    #[tokio::test]
+    async fn test_filter_fn_all_score() {
+        let maestro = init_test_maestro();
+
+        let res = crate::maestro_scores_filter(&maestro, true, Some("Score".to_owned()), 0);
+
+        assert!(res.len() == 3);
+
+        assert!(
+            maestro
+                .interpret(res.get(0).unwrap().clone_box())
+                .await
+                .is_ok()
+        );
+        assert!(
+            maestro
+                .interpret(res.get(1).unwrap().clone_box())
+                .await
+                .is_err()
+        );
+    }
+
+    #[tokio::test]
+    async fn test_filter_fn_number() {
+        let maestro = init_test_maestro();
+
+        let res = crate::maestro_scores_filter(&maestro, false, None, 0);
+
+        assert!(res.len() == 1);
+
+        assert!(
+            maestro
+                .interpret(res.get(0).unwrap().clone_box())
+                .await
+                .is_ok()
+        );
+    }
+
+    #[tokio::test]
+    async fn test_filter_fn_number_invalid() {
+        let maestro = init_test_maestro();
+
+        let res = crate::maestro_scores_filter(&maestro, false, None, 11);
+
+        assert!(res.len() == 0);
+    }
+}

harmony_macros/src/lib.rs

@@ -116,3 +116,19 @@ pub fn yaml(input: TokenStream) -> TokenStream {
     }
     .into()
 }
+
+/// Verify that a string is a valid(ish) ingress path
+/// Panics if path does not start with `/`
+#[proc_macro]
+pub fn ingress_path(input: TokenStream) -> TokenStream {
+    let input = parse_macro_input!(input as LitStr);
+    let path_str = input.value();
+
+    match path_str.starts_with("/") {
+        true => {
+            let expanded = quote! {(#path_str.to_string()) };
+            return TokenStream::from(expanded);
+        }
+        false => panic!("Invalid ingress path"),
+    }
+}