chore: added rust doc for certificate management trait

Cargo.lock

@@ -1754,24 +1754,6 @@ dependencies = [
  "url",
 ]
 
-[[package]]
-name = "example-ha-cluster"
-version = "0.1.0"
-dependencies = [
- "brocade",
- "cidr",
- "env_logger",
- "harmony",
- "harmony_macros",
- "harmony_secret",
- "harmony_tui",
- "harmony_types",
- "log",
- "serde",
- "tokio",
- "url",
-]
-
 [[package]]
 name = "example-kube-rs"
 version = "0.1.0"
@@ -1960,28 +1942,9 @@ dependencies = [
  "cidr",
  "env_logger",
  "harmony",
- "harmony_cli",
  "harmony_macros",
  "harmony_secret",
- "harmony_types",
- "log",
- "serde",
- "tokio",
- "url",
-]
-
-[[package]]
-name = "example-opnsense-node-exporter"
-version = "0.1.0"
-dependencies = [
- "async-trait",
- "cidr",
- "env_logger",
- "harmony",
- "harmony_cli",
- "harmony_macros",
- "harmony_secret",
- "harmony_secret_derive",
+ "harmony_tui",
  "harmony_types",
  "log",
  "serde",
@@ -2019,6 +1982,25 @@ dependencies = [
  "url",
 ]
 
+[[package]]
+name = "example-opnsense-node-exporter"
+version = "0.1.0"
+dependencies = [
+ "async-trait",
+ "cidr",
+ "env_logger",
+ "harmony",
+ "harmony_cli",
+ "harmony_macros",
+ "harmony_secret",
+ "harmony_secret_derive",
+ "harmony_types",
+ "log",
+ "serde",
+ "tokio",
+ "url",
+]
+
 [[package]]
 name = "example-pxe"
 version = "0.1.0"
@@ -3482,25 +3464,6 @@ dependencies = [
  "thiserror 1.0.69",
 ]
 
-[[package]]
-name = "json-prompt"
-version = "0.1.0"
-dependencies = [
- "brocade",
- "cidr",
- "env_logger",
- "harmony",
- "harmony_cli",
- "harmony_macros",
- "harmony_secret",
- "harmony_secret_derive",
- "harmony_types",
- "log",
- "serde",
- "tokio",
- "url",
-]
-
 [[package]]
 name = "jsonpath-rust"
 version = "0.7.5"
@@ -6099,25 +6062,6 @@ dependencies = [
  "syn 2.0.106",
 ]
 
-[[package]]
-name = "sttest"
-version = "0.1.0"
-dependencies = [
- "brocade",
- "cidr",
- "env_logger",
- "harmony",
- "harmony_cli",
- "harmony_macros",
- "harmony_secret",
- "harmony_secret_derive",
- "harmony_types",
- "log",
- "serde",
- "tokio",
- "url",
-]
-
 [[package]]
 name = "subtle"
 version = "2.6.1"
@@ -7413,7 +7357,7 @@ checksum = "cfe53a6657fd280eaa890a3bc59152892ffa3e30101319d168b781ed6529b049"
 [[package]]
 name = "yaserde"
 version = "0.12.0"
-source = "git+https://github.com/jggc/yaserde.git#2eacb304113beee7270a10b81046d40ed3a99550"
+source = "git+https://github.com/jggc/yaserde.git#adfdb1c5f4d054f114e5bd0ea7bda9c07a369def"
 dependencies = [
  "log",
  "xml-rs",
@@ -7422,7 +7366,7 @@ dependencies = [
 [[package]]
 name = "yaserde_derive"
 version = "0.12.0"
-source = "git+https://github.com/jggc/yaserde.git#2eacb304113beee7270a10b81046d40ed3a99550"
+source = "git+https://github.com/jggc/yaserde.git#adfdb1c5f4d054f114e5bd0ea7bda9c07a369def"
 dependencies = [
  "heck",
  "log",

examples/cert_manager/Cargo.toml

@@ -1,5 +1,5 @@
 [package]
-name = "sttest"
+name = "cert_manager"
 edition = "2024"
 version.workspace = true
 readme.workspace = true
@@ -13,10 +13,7 @@ harmony_types = { path = "../../harmony_types" }
 cidr = { workspace = true }
 tokio = { workspace = true }
 harmony_macros = { path = "../../harmony_macros" }
-harmony_secret = { path = "../../harmony_secret" }
-harmony_secret_derive = { path = "../../harmony_secret_derive" }
 log = { workspace = true }
 env_logger = { workspace = true }
 url = { workspace = true }
-serde = { workspace = true }
-brocade = { path = "../../brocade" }
+assert_cmd = "2.0.16"

examples/cert_manager/src/main.rs

@@ -0,0 +1,46 @@
+use harmony::{
+    inventory::Inventory,
+    modules::{
+        cert_manager::{
+            capability::CertificateManagementConfig, score_create_cert::CertificateCreationScore,
+            score_create_issuer::CertificateIssuerScore,
+            score_operator::CertificateManagementScore,
+        },
+        postgresql::{PostgreSQLScore, capability::PostgreSQLConfig},
+    },
+    topology::K8sAnywhereTopology,
+};
+
+#[tokio::main]
+async fn main() {
+    let config = CertificateManagementConfig {
+        namespace: Some("test".to_string()),
+        acme_issuer: None,
+        ca_issuer: None,
+        self_signed: true,
+    };
+
+    let cert_manager = CertificateManagementScore {
+        config: config.clone(),
+    };
+
+    let issuer = CertificateIssuerScore {
+        config: config.clone(),
+        issuer_name: "test-self-signed-issuer".to_string(),
+    };
+
+    let cert = CertificateCreationScore {
+        config: config.clone(),
+        cert_name: "test-self-signed-cert".to_string(),
+        issuer_name: "test-self-signed-issuer".to_string(),
+    };
+
+    harmony_cli::run(
+        Inventory::autoload(),
+        K8sAnywhereTopology::from_env(),
+        vec![Box::new(cert_manager), Box::new(issuer), Box::new(cert)],
+        None,
+    )
+    .await
+    .unwrap();
+}

examples/sttest/data

@@ -1 +0,0 @@
-../../data/

examples/sttest/env.sh

@@ -1,4 +0,0 @@
-export HARMONY_SECRET_NAMESPACE=sttest0
-export HARMONY_SECRET_STORE=file
-export HARMONY_DATABASE_URL=sqlite://harmony_sttest0.sqlite
-export RUST_LOG=info

examples/sttest/src/main.rs

@@ -1,41 +0,0 @@
-mod topology;
-
-use crate::topology::{get_inventory, get_topology};
-use harmony::{
-    config::secret::SshKeyPair,
-    data::{FileContent, FilePath},
-    modules::{
-        inventory::HarmonyDiscoveryStrategy,
-        okd::{installation::OKDInstallationPipeline, ipxe::OKDIpxeScore},
-    },
-    score::Score,
-    topology::HAClusterTopology,
-};
-use harmony_secret::SecretManager;
-
-#[tokio::main]
-async fn main() {
-    // env_logger::init();
-
-    let inventory = get_inventory();
-    let topology = get_topology().await;
-
-    let ssh_key = SecretManager::get_or_prompt::<SshKeyPair>().await.unwrap();
-
-    let mut scores: Vec<Box<dyn Score<HAClusterTopology>>> = vec![Box::new(OKDIpxeScore {
-        kickstart_filename: "inventory.kickstart".to_string(),
-        harmony_inventory_agent: "harmony_inventory_agent".to_string(),
-        cluster_pubkey: FileContent {
-            path: FilePath::Relative("cluster_ssh_key.pub".to_string()),
-            content: ssh_key.public,
-        },
-    })];
-
-    // let mut scores: Vec<Box<dyn Score<HAClusterTopology>>> = vec![];
-    scores
-        .append(&mut OKDInstallationPipeline::get_all_scores(HarmonyDiscoveryStrategy::MDNS).await);
-
-    harmony_cli::run(inventory, topology, scores, None)
-        .await
-        .unwrap();
-}

examples/sttest/src/topology.rs

@@ -1,99 +0,0 @@
-use cidr::Ipv4Cidr;
-use harmony::{
-    hardware::{Location, SwitchGroup},
-    infra::{brocade::UnmanagedSwitch, opnsense::OPNSenseManagementInterface},
-    inventory::Inventory,
-    topology::{HAClusterTopology, LogicalHost, UnmanagedRouter},
-};
-use harmony_macros::{ip, ipv4};
-use harmony_secret::{Secret, SecretManager};
-use serde::{Deserialize, Serialize};
-use std::{
-    net::IpAddr,
-    sync::{Arc, OnceLock},
-};
-
-#[derive(Secret, Serialize, Deserialize, Debug, PartialEq)]
-struct OPNSenseFirewallConfig {
-    username: String,
-    password: String,
-}
-
-pub async fn get_topology() -> HAClusterTopology {
-    let firewall = harmony::topology::LogicalHost {
-        ip: ip!("192.168.40.1"),
-        name: String::from("fw0"),
-    };
-
-    let switch_client = UnmanagedSwitch::init()
-        .await
-        .expect("Failed to connect to switch");
-
-    let switch_client = Arc::new(switch_client);
-
-    let config = SecretManager::get_or_prompt::<OPNSenseFirewallConfig>().await;
-    let config = config.unwrap();
-
-    let opnsense = Arc::new(
-        harmony::infra::opnsense::OPNSenseFirewall::new(
-            firewall,
-            None,
-            &config.username,
-            &config.password,
-        )
-        .await,
-    );
-    let lan_subnet = ipv4!("192.168.40.0");
-    let gateway_ipv4 = ipv4!("192.168.40.1");
-    let gateway_ip = IpAddr::V4(gateway_ipv4);
-    harmony::topology::HAClusterTopology {
-        kubeconfig: None,
-        domain_name: "sttest0.harmony.mcd".to_string(),
-        router: Arc::new(UnmanagedRouter::new(
-            gateway_ip,
-            Ipv4Cidr::new(lan_subnet, 24).unwrap(),
-        )),
-        load_balancer: opnsense.clone(),
-        firewall: opnsense.clone(),
-        tftp_server: opnsense.clone(),
-        http_server: opnsense.clone(),
-        dhcp_server: opnsense.clone(),
-        dns_server: opnsense.clone(),
-        control_plane: vec![
-            LogicalHost {
-                ip: ip!("192.168.40.20"),
-                name: "cp0".to_string(),
-            },
-            LogicalHost {
-                ip: ip!("192.168.40.21"),
-                name: "cp1".to_string(),
-            },
-            LogicalHost {
-                ip: ip!("192.168.40.22"),
-                name: "cp2".to_string(),
-            },
-        ],
-        bootstrap_host: LogicalHost {
-            ip: ip!("192.168.40.10"),
-            name: "bootstrap".to_string(),
-        },
-        workers: vec![LogicalHost {
-            ip: ip!("192.168.40.30"),
-            name: "wk0".to_string(),
-        }],
-        node_exporter: opnsense.clone(),
-        switch_client: switch_client.clone(),
-        network_manager: OnceLock::new(),
-    }
-}
-
-pub fn get_inventory() -> Inventory {
-    Inventory {
-        location: Location::new("Sylvain's basement".to_string(), "Charlesbourg".to_string()),
-        switch: SwitchGroup::from([]),
-        firewall_mgmt: Box::new(OPNSenseManagementInterface::new()),
-        storage_host: vec![],
-        worker_host: vec![],
-        control_plane_host: vec![],
-    }
-}

harmony/src/domain/topology/k8s.rs

@@ -230,14 +230,26 @@ impl K8sClient {
         namespace: Option<&str>,
         gvk: &GroupVersionKind,
     ) -> Result<DynamicObject, Error> {
-        let gvk = ApiResource::from_gvk(gvk);
-        let resource: Api<DynamicObject> = if let Some(ns) = namespace {
-            Api::namespaced_with(self.client.clone(), ns, &gvk)
-        } else {
-            Api::default_namespaced_with(self.client.clone(), &gvk)
-        };
+        let api_resource = ApiResource::from_gvk(gvk);
 
-        resource.get(name).await
+        // 1. Try namespaced first (if a namespace was provided)
+        if let Some(ns) = namespace {
+            let api: Api<DynamicObject> =
+                Api::namespaced_with(self.client.clone(), ns, &api_resource);
+
+            match api.get(name).await {
+                Ok(obj) => return Ok(obj),
+                Err(Error::Api(ae)) if ae.code == 404 => {
+                    // fall through and try cluster-scoped
+                }
+                Err(e) => return Err(e),
+            }
+        }
+
+        // 2. Fallback to cluster-scoped
+        let api: Api<DynamicObject> = Api::all_with(self.client.clone(), &api_resource);
+
+        api.get(name).await
     }
 
     pub async fn get_secret_json_value(

harmony/src/domain/topology/k8s_anywhere/k8s_anywhere.rs

@@ -17,6 +17,11 @@ use crate::{
     interpret::InterpretStatus,
     inventory::Inventory,
     modules::{
+        cert_manager::{
+            capability::{CertificateManagement, CertificateManagementConfig},
+            crd::{score_certificate::CertificateScore, score_issuer::IssuerScore},
+            operator::CertManagerOperatorScore,
+        },
         k3d::K3DInstallationScore,
         k8s::ingress::{K8sIngressScore, PathType},
         monitoring::{
@@ -359,6 +364,97 @@ impl Serialize for K8sAnywhereTopology {
     }
 }
 
+#[async_trait]
+impl CertificateManagement for K8sAnywhereTopology {
+    async fn install(&self) -> Result<PreparationOutcome, PreparationError> {
+        let cert_management_operator = CertManagerOperatorScore::default();
+
+        cert_management_operator
+            .interpret(&Inventory::empty(), self)
+            .await
+            .map_err(|e| PreparationError { msg: e.to_string() })?;
+
+        Ok(PreparationOutcome::Success {
+            details: format!(
+                "Installed cert-manager into ns: {}",
+                cert_management_operator.namespace
+            ),
+        })
+    }
+
+    async fn ensure_certificate_management_ready(
+        &self,
+        config: &CertificateManagementConfig,
+    ) -> Result<PreparationOutcome, PreparationError> {
+        let k8s_client = self.k8s_client().await.unwrap();
+        let gvk = GroupVersionKind {
+            group: "operators.coreos.com".to_string(),
+            version: "v1".to_string(),
+            kind: "Operator".to_string(),
+        };
+        //TODO make this generic across k8s distributions using k8s family
+        match k8s_client
+            .get_resource_json_value("cert-manager.openshift-operators", None, &gvk)
+            .await
+        {
+            Ok(_ready) => Ok(PreparationOutcome::Success {
+                details: "Certificate Management Ready".to_string(),
+            }),
+            Err(e) => {
+                debug!("{} operator not found", e.to_string());
+                self.install().await
+            }
+        }
+    }
+
+    async fn create_issuer(
+        &self,
+        issuer_name: String,
+        config: &CertificateManagementConfig,
+    ) -> Result<PreparationOutcome, PreparationError> {
+        let issuer_score = IssuerScore {
+            issuer_name: issuer_name.clone(),
+            config: config.clone(),
+        };
+
+        issuer_score
+            .interpret(&Inventory::empty(), self)
+            .await
+            .map_err(|e| PreparationError { msg: e.to_string() })?;
+
+        Ok(PreparationOutcome::Success {
+            details: format!("issuer of kind {} is ready", issuer_name),
+        })
+    }
+
+    async fn create_certificate(
+        &self,
+        cert_name: String,
+        issuer_name: String,
+        config: &CertificateManagementConfig,
+    ) -> Result<PreparationOutcome, PreparationError> {
+        self.certificate_issuer_ready(
+            issuer_name.clone(),
+            self.k8s_client().await.unwrap(),
+            config,
+        )
+        .await?;
+
+        let cert = CertificateScore {
+            cert_name: cert_name,
+            config: config.clone(),
+            issuer_name,
+        };
+        cert.interpret(&Inventory::empty(), self)
+            .await
+            .map_err(|e| PreparationError { msg: e.to_string() })?;
+
+        Ok(PreparationOutcome::Success {
+            details: format!("Created cert into ns: {:#?}", config.namespace.clone()),
+        })
+    }
+}
+
 impl K8sAnywhereTopology {
     pub fn from_env() -> Self {
         Self {
@@ -378,6 +474,35 @@ impl K8sAnywhereTopology {
         }
     }
 
+    pub async fn certificate_issuer_ready(
+        &self,
+        issuer_name: String,
+        k8s_client: Arc<K8sClient>,
+        config: &CertificateManagementConfig,
+    ) -> Result<PreparationOutcome, PreparationError> {
+        let ns = config.namespace.clone().ok_or_else(|| PreparationError {
+            msg: "namespace is required".to_string(),
+        })?;
+
+        let gvk = GroupVersionKind {
+            group: "cert-manager.io".to_string(),
+            version: "v1".to_string(),
+            kind: "Issuer".to_string(),
+        };
+
+        match k8s_client
+            .get_resource_json_value(&issuer_name, Some(&ns), &gvk)
+            .await
+        {
+            Ok(_cert_issuer) => Ok(PreparationOutcome::Success {
+                details: format!("issuer of kind {} is ready", issuer_name),
+            }),
+            Err(e) => Err(PreparationError {
+                msg: format!("{} issuer {} not present", e.to_string(), issuer_name),
+            }),
+        }
+    }
+
     pub async fn get_k8s_distribution(&self) -> Result<&KubernetesDistribution, PreparationError> {
         self.k8s_distribution
             .get_or_try_init(async || {

harmony/src/modules/cert_manager/capability.rs

@@ -0,0 +1,90 @@
+use async_trait::async_trait;
+use serde::Serialize;
+
+use crate::{
+    modules::cert_manager::crd::{AcmeIssuer, CaIssuer},
+    topology::{PreparationError, PreparationOutcome},
+};
+
+/// Certificate management capability for a topology.
+///
+/// This trait represents the ability of a topology to provision, manage,
+/// and ensure the availability of TLS certificates.
+///
+/// Implementations may back this capability using different mechanisms,
+/// for example: a Kubernetes controller, an external PKI service, or
+/// platform-specific tooling
+///
+/// ## Concepts
+///
+/// ### Certificate Management System
+/// A certificate management system is responsible for issuing, renewing,
+/// and storing certificates. Before certificates can be created, this
+/// system must be installed and ready to serve requests.
+///
+/// ### Issuer
+/// An Issuer defines how certificates are issued and signed.
+/// It encapsulates trust configuration such as signing keys, certificate
+/// authorities, or external services. Issuers do not represent certificates
+/// themselves, but are referenced by certificate requests.
+///
+/// ### Certificate
+/// A Certificate represents a request for cryptographic identity
+/// material. It references an Issuer and defines the identities the certificate should be valid for,
+/// as well as where the resulting certificate material should be stored.
+///
+/// ## Responsibilities
+///
+/// Implementations of this trait are responsible for:
+///
+/// - Installing the underlying certificate management system
+/// - Ensuring the system is ready before certificates are requested
+/// - Creating Issuers
+/// - Creating Certificates
+///
+#[async_trait]
+pub trait CertificateManagement: Send + Sync {
+    /// Installs the underlying certificate management system for the topology.
+    ///
+    /// Abstracts away installation details
+    /// (e.g., controllers, operators, external services).
+    async fn install(&self) -> Result<PreparationOutcome, PreparationError>;
+
+    /// Ensures that the certificate management system is installed and ready.
+    ///
+    /// May verify presence of required components, APIs, or controllers,
+    /// and perform installation if necessary.
+    async fn ensure_certificate_management_ready(
+        &self,
+        config: &CertificateManagementConfig,
+    ) -> Result<PreparationOutcome, PreparationError>;
+
+    /// Creates an issuer used to sign certificates.
+    ///
+    /// Abstracts away issuer representation and storage
+    /// (e.g., cluster-scoped resources, external PKI configuration).
+    async fn create_issuer(
+        &self,
+        issuer_name: String,
+        config: &CertificateManagementConfig,
+    ) -> Result<PreparationOutcome, PreparationError>;
+
+    /// Creates a certificate signed by a previously created issuer.
+    ///
+    /// Abstracts away certificate request, issuance, and storage details
+    /// (e.g., secrets, files, remote APIs).
+    async fn create_certificate(
+        &self,
+        cert_name: String,
+        issuer_name: String,
+        config: &CertificateManagementConfig,
+    ) -> Result<PreparationOutcome, PreparationError>;
+}
+
+#[derive(Debug, Clone, Serialize)]
+pub struct CertificateManagementConfig {
+    pub namespace: Option<String>,
+    pub acme_issuer: Option<AcmeIssuer>,
+    pub ca_issuer: Option<CaIssuer>,
+    pub self_signed: bool,
+}

harmony/src/modules/cert_manager/crd/certificate.rs

@@ -0,0 +1,112 @@
+use kube::{CustomResource, api::ObjectMeta};
+use serde::{Deserialize, Serialize};
+
+#[derive(CustomResource, Deserialize, Serialize, Clone, Debug)]
+#[kube(
+    group = "cert-manager.io",
+    version = "v1",
+    kind = "Certificate",
+    plural = "certificates",
+    namespaced = true,
+    schema = "disabled"
+)]
+#[serde(rename_all = "camelCase")]
+pub struct CertificateSpec {
+    /// Name of the Secret where the certificate will be stored
+    pub secret_name: String,
+
+    /// Common Name (optional but often discouraged in favor of SANs)
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub common_name: Option<String>,
+
+    /// DNS Subject Alternative Names
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub dns_names: Option<Vec<String>>,
+
+    /// IP Subject Alternative Names
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub ip_addresses: Option<Vec<String>>,
+
+    /// Certificate duration (e.g. "2160h")
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub duration: Option<String>,
+
+    /// How long before expiry cert-manager should renew
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub renew_before: Option<String>,
+
+    /// Reference to the Issuer or ClusterIssuer
+    pub issuer_ref: IssuerRef,
+
+    /// Is this a CA certificate
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub is_ca: Option<bool>,
+
+    /// Private key configuration
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub private_key: Option<PrivateKey>,
+}
+
+impl Default for Certificate {
+    fn default() -> Self {
+        Certificate {
+            metadata: ObjectMeta::default(),
+            spec: CertificateSpec::default(),
+        }
+    }
+}
+
+impl Default for CertificateSpec {
+    fn default() -> Self {
+        Self {
+            secret_name: String::new(),
+            common_name: None,
+            dns_names: None,
+            ip_addresses: None,
+            duration: None,
+            renew_before: None,
+            issuer_ref: IssuerRef::default(),
+            is_ca: None,
+            private_key: None,
+        }
+    }
+}
+
+#[derive(Deserialize, Serialize, Clone, Debug)]
+#[serde(rename_all = "camelCase")]
+pub struct IssuerRef {
+    pub name: String,
+
+    /// Either "Issuer" or "ClusterIssuer"
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub kind: Option<String>,
+
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub group: Option<String>,
+}
+
+impl Default for IssuerRef {
+    fn default() -> Self {
+        Self {
+            name: String::new(),
+            kind: None,
+            group: None,
+        }
+    }
+}
+
+#[derive(Deserialize, Serialize, Clone, Debug)]
+#[serde(rename_all = "camelCase")]
+pub struct PrivateKey {
+    /// RSA or ECDSA
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub algorithm: Option<String>,
+
+    /// Key size (e.g. 2048, 4096)
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub size: Option<u32>,
+
+    /// Rotation policy: "Never" or "Always"
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub rotation_policy: Option<String>,
+}

harmony/src/modules/cert_manager/crd/cluster_issuer.rs

@@ -0,0 +1,44 @@
+use kube::{CustomResource, api::ObjectMeta};
+use serde::{Deserialize, Serialize};
+
+use crate::modules::cert_manager::crd::{AcmeIssuer, CaIssuer, SelfSignedIssuer};
+
+#[derive(CustomResource, Deserialize, Serialize, Clone, Debug)]
+#[kube(
+    group = "cert-manager.io",
+    version = "v1",
+    kind = "ClusterIssuer",
+    plural = "clusterissuers",
+    namespaced = false,
+    schema = "disabled"
+)]
+#[serde(rename_all = "camelCase")]
+pub struct ClusterIssuerSpec {
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub self_signed: Option<SelfSignedIssuer>,
+
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub ca: Option<CaIssuer>,
+
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub acme: Option<AcmeIssuer>,
+}
+
+impl Default for ClusterIssuer {
+    fn default() -> Self {
+        ClusterIssuer {
+            metadata: ObjectMeta::default(),
+            spec: ClusterIssuerSpec::default(),
+        }
+    }
+}
+
+impl Default for ClusterIssuerSpec {
+    fn default() -> Self {
+        Self {
+            self_signed: None,
+            ca: None,
+            acme: None,
+        }
+    }
+}

harmony/src/modules/cert_manager/crd/issuer.rs

@@ -0,0 +1,44 @@
+use kube::{CustomResource, api::ObjectMeta};
+use serde::{Deserialize, Serialize};
+
+use crate::modules::cert_manager::crd::{AcmeIssuer, CaIssuer, SelfSignedIssuer};
+
+#[derive(CustomResource, Deserialize, Serialize, Clone, Debug)]
+#[kube(
+    group = "cert-manager.io",
+    version = "v1",
+    kind = "Issuer",
+    plural = "issuers",
+    namespaced = true,
+    schema = "disabled"
+)]
+#[serde(rename_all = "camelCase")]
+pub struct IssuerSpec {
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub self_signed: Option<SelfSignedIssuer>,
+
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub ca: Option<CaIssuer>,
+
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub acme: Option<AcmeIssuer>,
+}
+
+impl Default for Issuer {
+    fn default() -> Self {
+        Issuer {
+            metadata: ObjectMeta::default(),
+            spec: IssuerSpec::default(),
+        }
+    }
+}
+
+impl Default for IssuerSpec {
+    fn default() -> Self {
+        Self {
+            self_signed: None,
+            ca: None,
+            acme: None,
+        }
+    }
+}

harmony/src/modules/cert_manager/crd/mod.rs

@@ -0,0 +1,65 @@
+use serde::{Deserialize, Serialize};
+
+pub mod certificate;
+pub mod cluster_issuer;
+pub mod issuer;
+//pub mod score_cluster_issuer;
+pub mod score_certificate;
+pub mod score_issuer;
+
+#[derive(Deserialize, Serialize, Clone, Debug)]
+#[serde(rename_all = "camelCase")]
+pub struct CaIssuer {
+    /// Secret containing `tls.crt` and `tls.key`
+    pub secret_name: String,
+}
+
+#[derive(Deserialize, Serialize, Clone, Debug, Default)]
+#[serde(rename_all = "camelCase")]
+pub struct SelfSignedIssuer {}
+
+#[derive(Deserialize, Serialize, Clone, Debug)]
+#[serde(rename_all = "camelCase")]
+pub struct AcmeIssuer {
+    pub server: String,
+    pub email: String,
+
+    /// Secret used to store the ACME account private key
+    pub private_key_secret_ref: SecretKeySelector,
+
+    pub solvers: Vec<AcmeSolver>,
+}
+
+#[derive(Deserialize, Serialize, Clone, Debug)]
+#[serde(rename_all = "camelCase")]
+pub struct SecretKeySelector {
+    pub name: String,
+    pub key: String,
+}
+
+#[derive(Deserialize, Serialize, Clone, Debug)]
+#[serde(rename_all = "camelCase")]
+pub struct AcmeSolver {
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub http01: Option<Http01Solver>,
+
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub dns01: Option<Dns01Solver>,
+}
+
+#[derive(Deserialize, Serialize, Clone, Debug)]
+#[serde(rename_all = "camelCase")]
+pub struct Dns01Solver {}
+
+#[derive(Deserialize, Serialize, Clone, Debug)]
+#[serde(rename_all = "camelCase")]
+pub struct Http01Solver {
+    pub ingress: IngressSolver,
+}
+
+#[derive(Deserialize, Serialize, Clone, Debug)]
+#[serde(rename_all = "camelCase")]
+pub struct IngressSolver {
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub class: Option<String>,
+}

harmony/src/modules/cert_manager/crd/score_certificate.rs

@@ -0,0 +1,49 @@
+use kube::api::ObjectMeta;
+use serde::Serialize;
+
+use crate::{
+    interpret::Interpret,
+    modules::{
+        cert_manager::{
+            capability::CertificateManagementConfig,
+            crd::certificate::{Certificate, CertificateSpec, IssuerRef},
+        },
+        k8s::resource::K8sResourceScore,
+    },
+    score::Score,
+    topology::{K8sclient, Topology},
+};
+
+#[derive(Debug, Clone, Serialize)]
+pub struct CertificateScore {
+    pub cert_name: String,
+    pub issuer_name: String,
+    pub config: CertificateManagementConfig,
+}
+
+impl<T: Topology + K8sclient> Score<T> for CertificateScore {
+    fn name(&self) -> String {
+        "CertificateScore".to_string()
+    }
+
+    fn create_interpret(&self) -> Box<dyn Interpret<T>> {
+        let cert = Certificate {
+            metadata: ObjectMeta {
+                name: Some(self.cert_name.clone()),
+                namespace: self.config.namespace.clone(),
+                ..Default::default()
+            },
+            spec: CertificateSpec {
+                secret_name: format!("{}-tls", self.cert_name.clone()),
+                issuer_ref: IssuerRef {
+                    name: self.issuer_name.clone(),
+                    kind: Some("Issuer".into()),
+                    group: Some("cert-manager.io".into()),
+                },
+                dns_names: Some(vec!["test.example.local".to_string()]),
+                ..Default::default()
+            },
+        };
+        K8sResourceScore::single(cert, self.config.namespace.clone()).create_interpret()
+    }
+}

harmony/src/modules/cert_manager/crd/score_cluster_issuer.rs

@@ -0,0 +1,51 @@
+use kube::api::ObjectMeta;
+use serde::Serialize;
+
+use crate::{
+    interpret::Interpret,
+    modules::{
+        cert_manager::crd::{
+            AcmeIssuer, CaIssuer, SelfSignedIssuer,
+            cluster_issuer::{ClusterIssuer, ClusterIssuerSpec},
+        },
+        k8s::resource::K8sResourceScore,
+    },
+    score::Score,
+    topology::{K8sclient, Topology},
+};
+
+#[derive(Debug, Clone, Serialize)]
+pub struct ClusterIssuerScore {
+    name: String,
+    acme_issuer: Option<AcmeIssuer>,
+    ca_issuer: Option<CaIssuer>,
+    self_signed: bool,
+}
+
+impl<T: Topology + K8sclient> Score<T> for ClusterIssuerScore {
+    fn name(&self) -> String {
+        "ClusterIssuerScore".to_string()
+    }
+
+    fn create_interpret(&self) -> Box<dyn Interpret<T>> {
+        let metadata = ObjectMeta {
+            name: Some(self.name.clone()),
+            namespace: None,
+            ..ObjectMeta::default()
+        };
+
+        let spec = ClusterIssuerSpec {
+            acme: self.acme_issuer.clone(),
+            ca: self.ca_issuer.clone(),
+            self_signed: if self.self_signed {
+                Some(SelfSignedIssuer::default())
+            } else {
+                None
+            },
+        };
+
+        let cluster_issuer = ClusterIssuer { metadata, spec };
+
+        K8sResourceScore::single(cluster_issuer, None).create_interpret()
+    }
+}

harmony/src/modules/cert_manager/crd/score_issuer.rs

@@ -0,0 +1,52 @@
+use kube::api::ObjectMeta;
+use serde::Serialize;
+
+use crate::{
+    interpret::Interpret,
+    modules::{
+        cert_manager::{
+            capability::CertificateManagementConfig,
+            crd::{
+                SelfSignedIssuer,
+                issuer::{Issuer, IssuerSpec},
+            },
+        },
+        k8s::resource::K8sResourceScore,
+    },
+    score::Score,
+    topology::{K8sclient, Topology},
+};
+
+#[derive(Debug, Clone, Serialize)]
+pub struct IssuerScore {
+    pub issuer_name: String,
+    pub config: CertificateManagementConfig,
+}
+
+impl<T: Topology + K8sclient> Score<T> for IssuerScore {
+    fn name(&self) -> String {
+        "IssuerScore".to_string()
+    }
+
+    fn create_interpret(&self) -> Box<dyn Interpret<T>> {
+        let metadata = ObjectMeta {
+            name: Some(self.issuer_name.clone()),
+            namespace: self.config.namespace.clone(),
+            ..ObjectMeta::default()
+        };
+
+        let spec = IssuerSpec {
+            acme: self.config.acme_issuer.clone(),
+            ca: self.config.ca_issuer.clone(),
+            self_signed: if self.config.self_signed {
+                Some(SelfSignedIssuer::default())
+            } else {
+                None
+            },
+        };
+
+        let issuer = Issuer { metadata, spec };
+
+        K8sResourceScore::single(issuer, self.config.namespace.clone()).create_interpret()
+    }
+}

harmony/src/modules/cert_manager/mod.rs

@@ -1,3 +1,9 @@
+pub mod capability;
 pub mod cluster_issuer;
+pub mod crd;
 mod helm;
+pub mod operator;
+pub mod score_create_cert;
+pub mod score_create_issuer;
+pub mod score_operator;
 pub use helm::*;

harmony/src/modules/cert_manager/operator.rs

@@ -0,0 +1,64 @@
+use kube::api::ObjectMeta;
+use serde::Serialize;
+
+use crate::{
+    interpret::Interpret,
+    modules::k8s::{
+        apps::crd::{Subscription, SubscriptionSpec},
+        resource::K8sResourceScore,
+    },
+    score::Score,
+    topology::{K8sclient, Topology, k8s::K8sClient},
+};
+
+/// Install the Cert-Manager Operator via RedHat Community Operators registry.redhat.io/redhat/community-operator-index:v4.19
+/// This Score creates a Subscription CR in the specified namespace
+
+#[derive(Debug, Clone, Serialize)]
+pub struct CertManagerOperatorScore {
+    pub namespace: String,
+    pub channel: String,
+    pub install_plan_approval: String,
+    pub source: String,
+    pub source_namespace: String,
+}
+
+impl Default for CertManagerOperatorScore {
+    fn default() -> Self {
+        Self {
+            namespace: "openshift-operators".to_string(),
+            channel: "stable".to_string(),
+            install_plan_approval: "Automatic".to_string(),
+            source: "community-operators".to_string(),
+            source_namespace: "openshift-marketplace".to_string(),
+        }
+    }
+}
+
+impl<T: Topology + K8sclient> Score<T> for CertManagerOperatorScore {
+    fn name(&self) -> String {
+        "CertManagerOperatorScore".to_string()
+    }
+
+    fn create_interpret(&self) -> Box<dyn Interpret<T>> {
+        let metadata = ObjectMeta {
+            name: Some("cert-manager".to_string()),
+            namespace: Some(self.namespace.clone()),
+            ..ObjectMeta::default()
+        };
+
+        let spec = SubscriptionSpec {
+            channel: Some(self.channel.clone()),
+            config: None,
+            install_plan_approval: Some(self.install_plan_approval.clone()),
+            name: "cert-manager".to_string(),
+            source: self.source.clone(),
+            source_namespace: self.source_namespace.clone(),
+            starting_csv: None,
+        };
+
+        let subscription = Subscription { metadata, spec };
+
+        K8sResourceScore::single(subscription, Some(self.namespace.clone())).create_interpret()
+    }
+}

harmony/src/modules/cert_manager/score_create_cert.rs

@@ -0,0 +1,76 @@
+use async_trait::async_trait;
+use harmony_types::id::Id;
+use serde::Serialize;
+
+use crate::{
+    data::Version,
+    interpret::{Interpret, InterpretError, InterpretName, InterpretStatus, Outcome},
+    inventory::Inventory,
+    modules::cert_manager::capability::{CertificateManagement, CertificateManagementConfig},
+    score::Score,
+    topology::Topology,
+};
+
+#[derive(Debug, Clone, Serialize)]
+pub struct CertificateCreationScore {
+    pub cert_name: String,
+    pub issuer_name: String,
+    pub config: CertificateManagementConfig,
+}
+
+impl<T: Topology + CertificateManagement> Score<T> for CertificateCreationScore {
+    fn name(&self) -> String {
+        "CertificateCreationScore".to_string()
+    }
+
+    fn create_interpret(&self) -> Box<dyn Interpret<T>> {
+        Box::new(CertificateCreationInterpret {
+            cert_name: self.cert_name.clone(),
+            issuer_name: self.issuer_name.clone(),
+            config: self.config.clone(),
+        })
+    }
+}
+
+#[derive(Debug)]
+struct CertificateCreationInterpret {
+    cert_name: String,
+    issuer_name: String,
+    config: CertificateManagementConfig,
+}
+
+#[async_trait]
+impl<T: Topology + CertificateManagement> Interpret<T> for CertificateCreationInterpret {
+    async fn execute(
+        &self,
+        inventory: &Inventory,
+        topology: &T,
+    ) -> Result<Outcome, InterpretError> {
+        let _certificate = topology
+            .create_certificate(
+                self.cert_name.clone(),
+                self.issuer_name.clone(),
+                &self.config,
+            )
+            .await
+            .map_err(|e| InterpretError::new(e.to_string()))?;
+
+        Ok(Outcome::success(format!("Installed CertificateManagement")))
+    }
+
+    fn get_name(&self) -> InterpretName {
+        InterpretName::Custom("CertificateManagementInterpret")
+    }
+
+    fn get_version(&self) -> Version {
+        todo!()
+    }
+
+    fn get_status(&self) -> InterpretStatus {
+        todo!()
+    }
+
+    fn get_children(&self) -> Vec<Id> {
+        todo!()
+    }
+}

harmony/src/modules/cert_manager/score_create_issuer.rs

@@ -0,0 +1,71 @@
+use async_trait::async_trait;
+use harmony_types::id::Id;
+use log::debug;
+use serde::Serialize;
+
+use crate::{
+    data::Version,
+    interpret::{Interpret, InterpretError, InterpretName, InterpretStatus, Outcome},
+    inventory::Inventory,
+    modules::cert_manager::capability::{CertificateManagement, CertificateManagementConfig},
+    score::Score,
+    topology::Topology,
+};
+
+#[derive(Debug, Clone, Serialize)]
+pub struct CertificateIssuerScore {
+    pub issuer_name: String,
+    pub config: CertificateManagementConfig,
+}
+
+impl<T: Topology + CertificateManagement> Score<T> for CertificateIssuerScore {
+    fn name(&self) -> String {
+        "CertificateIssuerScore".to_string()
+    }
+
+    fn create_interpret(&self) -> Box<dyn Interpret<T>> {
+        Box::new(CertificateIssuerInterpret {
+            config: self.config.clone(),
+            issuer_name: self.issuer_name.clone(),
+        })
+    }
+}
+
+#[derive(Debug)]
+struct CertificateIssuerInterpret {
+    config: CertificateManagementConfig,
+    issuer_name: String,
+}
+
+#[async_trait]
+impl<T: Topology + CertificateManagement> Interpret<T> for CertificateIssuerInterpret {
+    async fn execute(
+        &self,
+        inventory: &Inventory,
+        topology: &T,
+    ) -> Result<Outcome, InterpretError> {
+        debug!("issuer name: {}", self.issuer_name.clone());
+        let _cert_issuer = topology
+            .create_issuer(self.issuer_name.clone(), &self.config)
+            .await
+            .map_err(|e| InterpretError::new(e.to_string()))?;
+
+        Ok(Outcome::success(format!("Installed CertificateManagement")))
+    }
+
+    fn get_name(&self) -> InterpretName {
+        InterpretName::Custom("CertificateManagementInterpret")
+    }
+
+    fn get_version(&self) -> Version {
+        todo!()
+    }
+
+    fn get_status(&self) -> InterpretStatus {
+        todo!()
+    }
+
+    fn get_children(&self) -> Vec<Id> {
+        todo!()
+    }
+}

harmony/src/modules/cert_manager/score_operator.rs

@@ -0,0 +1,66 @@
+use async_trait::async_trait;
+use harmony_types::id::Id;
+use serde::Serialize;
+
+use crate::{
+    data::Version,
+    interpret::{Interpret, InterpretError, InterpretName, InterpretStatus, Outcome},
+    inventory::Inventory,
+    modules::cert_manager::capability::{CertificateManagement, CertificateManagementConfig},
+    score::Score,
+    topology::Topology,
+};
+
+#[derive(Debug, Clone, Serialize)]
+pub struct CertificateManagementScore {
+    pub config: CertificateManagementConfig,
+}
+
+impl<T: Topology + CertificateManagement> Score<T> for CertificateManagementScore {
+    fn name(&self) -> String {
+        "CertificateManagementScore".to_string()
+    }
+
+    fn create_interpret(&self) -> Box<dyn Interpret<T>> {
+        Box::new(CertificateManagementInterpret {
+            config: self.config.clone(),
+        })
+    }
+}
+
+#[derive(Debug)]
+struct CertificateManagementInterpret {
+    config: CertificateManagementConfig,
+}
+
+#[async_trait]
+impl<T: Topology + CertificateManagement> Interpret<T> for CertificateManagementInterpret {
+    async fn execute(
+        &self,
+        inventory: &Inventory,
+        topology: &T,
+    ) -> Result<Outcome, InterpretError> {
+        topology
+            .ensure_certificate_management_ready(&self.config)
+            .await
+            .map_err(|e| InterpretError::new(e.to_string()))?;
+
+        Ok(Outcome::success(format!("CertificateManagement is ready")))
+    }
+
+    fn get_name(&self) -> InterpretName {
+        InterpretName::Custom("CertificateManagementInterpret")
+    }
+
+    fn get_version(&self) -> Version {
+        todo!()
+    }
+
+    fn get_status(&self) -> InterpretStatus {
+        todo!()
+    }
+
+    fn get_children(&self) -> Vec<Id> {
+        todo!()
+    }
+}

harmony/src/modules/okd/bootstrap_04_workers.rs

@@ -22,7 +22,7 @@ pub struct OKDSetup04WorkersScore {
 impl Score<HAClusterTopology> for OKDSetup04WorkersScore {
     fn create_interpret(&self) -> Box<dyn Interpret<HAClusterTopology>> {
         Box::new(OKDNodeInterpret::new(
-            HostRole::Worker,
+            HostRole::ControlPlane,
             self.discovery_strategy.clone(),
         ))
     }

opnsense-config-xml/Cargo.toml

@@ -9,7 +9,6 @@ license.workspace = true
 serde = { version = "1.0.123", features = [ "derive" ] }
 log = { workspace = true }
 env_logger = { workspace = true }
-#yaserde = { path = "../../yaserde/yaserde" }
 yaserde = { git = "https://github.com/jggc/yaserde.git" }
 yaserde_derive = { git = "https://github.com/jggc/yaserde.git" }
 xml-rs = "0.8"

opnsense-config-xml/src/data/caddy.rs

@@ -8,8 +8,6 @@ pub struct Pischem {
 
 #[derive(Default, PartialEq, Debug, YaSerialize, YaDeserialize)]
 pub struct Caddy {
-    #[yaserde(attribute = true)]
-    pub version: Option<String>,
     pub general: CaddyGeneral,
     pub reverseproxy: MaybeString,
 }

opnsense-config-xml/src/data/dnsmasq.rs

@@ -8,8 +8,6 @@ pub struct DnsMasq {
     pub version: String,
     #[yaserde(attribute = true)]
     pub persisted_at: Option<String>,
-    #[yaserde(attribute = true)]
-    pub description: Option<String>,
 
     pub enable: u8,
     pub regdhcp: u8,
@@ -25,7 +23,7 @@ pub struct DnsMasq {
     pub dnssec: u8,
     pub regdhcpdomain: MaybeString,
     pub interface: Option<String>,
-    pub port: Option<MaybeString>,
+    pub port: Option<u32>,
     pub dns_forward_max: MaybeString,
     pub cache_size: MaybeString,
     pub local_ttl: MaybeString,
@@ -75,8 +73,6 @@ pub struct Dhcp {
     pub reply_delay: MaybeString,
     pub enable_ra: u8,
     pub nosync: u8,
-    pub log_dhcp: Option<u8>,
-    pub log_quiet: Option<u8>,
 }
 
 // Represents a single <dhcp_ranges> element.

opnsense-config-xml/src/data/haproxy.rs

@@ -598,7 +598,7 @@ pub struct HAProxyServer {
     pub ssl_client_certificate: MaybeString,
     #[yaserde(rename = "maxConnections")]
     pub max_connections: MaybeString,
-    pub weight: Option<MaybeString>,
+    pub weight: Option<u32>,
     #[yaserde(rename = "checkInterval")]
     pub check_interval: MaybeString,
     #[yaserde(rename = "checkDownInterval")]

opnsense-config-xml/src/data/opnsense.rs

@@ -30,7 +30,6 @@ pub struct OPNsense {
     pub staticroutes: StaticRoutes,
     pub ca: MaybeString,
     pub gateways: Option<RawXml>,
-    pub hostwatch: Option<RawXml>,
     pub cert: Vec<Cert>,
     pub dhcpdv6: DhcpDv6,
     pub virtualip: VirtualIp,
@@ -163,15 +162,11 @@ pub struct Username {
 
 #[derive(Default, PartialEq, Debug, YaSerialize, YaDeserialize)]
 pub struct Sysctl {
-    #[yaserde(attribute = true)]
-    pub version: Option<String>,
     pub item: Vec<SysctlItem>,
 }
 
 #[derive(Default, PartialEq, Debug, YaSerialize, YaDeserialize)]
 pub struct SysctlItem {
-    #[yaserde(attribute = true)]
-    pub uuid: Option<String>,
     pub descr: Option<MaybeString>,
     pub tunable: Option<String>,
     pub value: Option<MaybeString>,
@@ -179,8 +174,6 @@ pub struct SysctlItem {
 
 #[derive(Default, PartialEq, Debug, YaSerialize, YaDeserialize)]
 pub struct System {
-    #[yaserde(attribute = true)]
-    pub uuid: Option<String>,
     pub use_mfs_tmp: Option<MaybeString>,
     pub use_mfs_var: Option<MaybeString>,
     pub serialspeed: u32,
@@ -275,8 +268,6 @@ pub struct Bogons {
 
 #[derive(Default, PartialEq, Debug, YaSerialize, YaDeserialize)]
 pub struct Group {
-    #[yaserde(attribute = true)]
-    pub uuid: Option<String>,
     pub name: String,
     pub description: Option<String>,
     pub scope: String,
@@ -289,8 +280,6 @@ pub struct Group {
 
 #[derive(Default, PartialEq, Debug, YaSerialize, YaDeserialize)]
 pub struct User {
-    #[yaserde(attribute = true)]
-    pub uuid: Option<String>,
     pub name: String,
     pub descr: MaybeString,
     pub scope: String,
@@ -474,8 +463,6 @@ pub struct OPNsenseXmlSection {
     pub openvpn: ConfigOpenVPN,
     #[yaserde(rename = "Gateways")]
     pub gateways: RawXml,
-    #[yaserde(rename = "Hostwatch")]
-    pub hostwatch: Option<RawXml>,
     #[yaserde(rename = "HAProxy")]
     pub haproxy: Option<HAProxy>,
 }
@@ -1156,9 +1143,9 @@ pub struct UnboundGeneral {
     pub dns64: MaybeString,
     pub dns64prefix: MaybeString,
     pub noarecords: MaybeString,
-    pub regdhcp: Option<MaybeString>,
+    pub regdhcp: Option<i8>,
     pub regdhcpdomain: MaybeString,
-    pub regdhcpstatic: Option<MaybeString>,
+    pub regdhcpstatic: Option<i8>,
     pub noreglladdr6: MaybeString,
     pub noregrecords: MaybeString,
     pub txtsupport: MaybeString,
@@ -1166,27 +1153,27 @@ pub struct UnboundGeneral {
     pub local_zone_type: String,
     pub outgoing_interface: MaybeString,
     pub enable_wpad: MaybeString,
-    pub safesearch: Option<MaybeString>,
+    pub safesearch: MaybeString,
 }
 
 #[derive(Default, PartialEq, Debug, YaSerialize, YaDeserialize)]
 pub struct Advanced {
-    pub hideidentity: Option<MaybeString>,
-    pub hideversion: Option<MaybeString>,
-    pub prefetch: Option<MaybeString>,
-    pub prefetchkey: Option<MaybeString>,
-    pub dnssecstripped: Option<MaybeString>,
+    pub hideidentity: Option<i8>,
+    pub hideversion: Option<i8>,
+    pub prefetch: Option<i8>,
+    pub prefetchkey: Option<i8>,
+    pub dnssecstripped: Option<i8>,
     pub aggressivensec: Option<i8>,
-    pub serveexpired: Option<MaybeString>,
+    pub serveexpired: Option<i8>,
     pub serveexpiredreplyttl: MaybeString,
     pub serveexpiredttl: MaybeString,
-    pub serveexpiredttlreset: Option<MaybeString>,
+    pub serveexpiredttlreset: Option<i32>,
     pub serveexpiredclienttimeout: MaybeString,
-    pub qnameminstrict: Option<MaybeString>,
-    pub extendedstatistics: Option<MaybeString>,
-    pub logqueries: Option<MaybeString>,
-    pub logreplies: Option<MaybeString>,
-    pub logtagqueryreply: Option<MaybeString>,
+    pub qnameminstrict: Option<i32>,
+    pub extendedstatistics: Option<i32>,
+    pub logqueries: Option<i32>,
+    pub logreplies: Option<i32>,
+    pub logtagqueryreply: Option<i32>,
     pub logservfail: MaybeString,
     pub loglocalactions: MaybeString,
     pub logverbosity: i32,
@@ -1229,12 +1216,12 @@ pub struct Dnsbl {
     pub blocklists: Option<MaybeString>,
     pub wildcards: Option<MaybeString>,
     pub address: Option<MaybeString>,
-    pub nxdomain: Option<MaybeString>,
+    pub nxdomain: Option<i32>,
 }
 
 #[derive(Default, PartialEq, Debug, YaSerialize, YaDeserialize)]
 pub struct Forwarding {
-    pub enabled: Option<MaybeString>,
+    pub enabled: Option<i32>,
 }
 
 #[derive(Default, PartialEq, Debug, YaSerialize, YaDeserialize)]
@@ -1256,7 +1243,7 @@ pub struct Host {
     pub ttl: Option<MaybeString>,
     pub server: String,
     pub description: Option<String>,
-    pub txtdata: Option<MaybeString>,
+    pub txtdata: MaybeString,
 }
 
 impl Host {
@@ -1272,7 +1259,7 @@ impl Host {
             ttl: Some(MaybeString::default()),
             mx: MaybeString::default(),
             description: None,
-            txtdata: Some(MaybeString::default()),
+            txtdata: MaybeString::default(),
         }
     }
 }
@@ -1434,7 +1421,7 @@ pub struct StaticRoutes {
     #[yaserde(attribute = true)]
     pub version: String,
     #[yaserde(rename = "route")]
-    pub route: Option<RawXml>,
+    pub route: Option<MaybeString>,
 }
 
 #[derive(Default, PartialEq, Debug, YaSerialize, YaDeserialize)]

opnsense-config/src/config/config.rs

@@ -234,15 +234,14 @@ mod tests {
     #[tokio::test]
     async fn test_load_config_from_local_file() {
         for path in [
-            "src/tests/data/config-opnsense-25.1.xml",
-            "src/tests/data/config-vm-test.xml",
+            // "src/tests/data/config-opnsense-25.1.xml",
+            // "src/tests/data/config-vm-test.xml",
             "src/tests/data/config-structure.xml",
             "src/tests/data/config-full-1.xml",
             // "src/tests/data/config-full-ncd0.xml",
             // "src/tests/data/config-full-25.7.xml",
             // "src/tests/data/config-full-25.7-dummy-dnsmasq-options.xml",
             "src/tests/data/config-25.7-dnsmasq-static-host.xml",
-            "src/tests/data/config-full-25.7.11_2.xml",
         ] {
             let mut test_file_path = PathBuf::from(env!("CARGO_MANIFEST_DIR"));
             test_file_path.push(path);

opnsense-config/src/modules/dns.rs

@@ -1,4 +1,4 @@
-use opnsense_config_xml::{Host, MaybeString, OPNsense};
+use opnsense_config_xml::{Host, OPNsense};
 
 pub struct UnboundDnsConfig<'a> {
     opnsense: &'a mut OPNsense,
@@ -31,8 +31,7 @@ impl<'a> UnboundDnsConfig<'a> {
             None => todo!("Handle case where unboundplus is not used"),
         };
 
-        unbound.general.regdhcp = Some(MaybeString::from_bool_as_int("regdhcp", register));
-        unbound.general.regdhcpstatic =
-            Some(MaybeString::from_bool_as_int("regdhcpstatic", register));
+        unbound.general.regdhcp = Some(register as i8);
+        unbound.general.regdhcpstatic = Some(register as i8);
     }
 }

opnsense-config/src/tests/data/config-full-ncd0.xml

@@ -271,6 +271,7 @@
     </firmware>
     <language>en_US</language>
     <dnsserver>1.1.1.1</dnsserver>
+    <dnsserver>8.8.8.8</dnsserver>
     <dns1gw>none</dns1gw>
     <dns2gw>none</dns2gw>
     <dns3gw>none</dns3gw>

opnsense-config/src/tests/data/config-opnsense-25.1.xml

@@ -30,17 +30,28 @@
     <item uuid="b6b18051-830f-4b27-81ec-f772b14681e2">
       <tunable>net.inet.ip.sourceroute</tunable>
       <value>default</value>
-      <descr>Source routing is another way for an attacker to try to reach non-routable addresses behind your box. It can also be used to probe for information about your internal networks. These functions come enabled as part of the standard FreeBSD core system.</descr>
+      <descr>
+        Source routing is another way for an attacker to try to reach non-routable addresses behind your box.
+        It can also be used to probe for information about your internal networks. These functions come enabled
+        as part of the standard FreeBSD core system.
+      </descr>
     </item>
     <item uuid="ea21409c-62d6-4040-aa2b-36bd01af5578">
       <tunable>net.inet.ip.accept_sourceroute</tunable>
       <value>default</value>
-      <descr>Source routing is another way for an attacker to try to reach non-routable addresses behind your box. It can also be used to probe for information about your internal networks. These functions come enabled as part of the standard FreeBSD core system.</descr>
+      <descr>
+        Source routing is another way for an attacker to try to reach non-routable addresses behind your box.
+        It can also be used to probe for information about your internal networks. These functions come enabled
+        as part of the standard FreeBSD core system.
+      </descr>
     </item>
     <item uuid="1613256c-ef7e-4b53-a44c-234440046293">
       <tunable>net.inet.icmp.log_redirect</tunable>
       <value>default</value>
-      <descr>This option turns off the logging of redirect packets because there is no limit and this could fill up your logs consuming your whole hard drive.</descr>
+      <descr>
+        This option turns off the logging of redirect packets because there is no limit and this could fill
+        up your logs consuming your whole hard drive.
+      </descr>
     </item>
     <item uuid="1ba88c72-6e5b-4f19-abba-351c2b76d5dc">
       <tunable>net.inet.tcp.drop_synfin</tunable>
@@ -170,7 +181,9 @@
     <item uuid="2c42ae2f-a7bc-48cb-b27d-db72e738e80b">
       <tunable>net.inet.ip.redirect</tunable>
       <value>default</value>
-      <descr>Enable/disable sending of ICMP redirects in response to IP packets for which a better, and for the sender directly reachable, route and next hop is known.</descr>
+      <descr>Enable/disable sending of ICMP redirects in response to IP packets for which a better,
+        and for the sender directly reachable, route and next hop is known.
+      </descr>
     </item>
     <item uuid="7d315fb1-c638-4b79-9f6c-240b41e6d643">
       <tunable>net.local.dgram.maxdgram</tunable>
@@ -925,3 +938,4 @@
   </cert>
   <syslog/>
 </opnsense>
+

opnsense-config/src/tests/data/config-vm-test.xml

@@ -28,17 +28,28 @@
       <value>default</value>
     </item>
     <item>
-      <descr>Source routing is another way for an attacker to try to reach non-routable addresses behind your box. It can also be used to probe for information about your internal networks. These functions come enabled as part of the standard FreeBSD core system.</descr>
+      <descr>
+        Source routing is another way for an attacker to try to reach non-routable addresses behind your box.
+        It can also be used to probe for information about your internal networks. These functions come enabled
+        as part of the standard FreeBSD core system.
+      </descr>
       <tunable>net.inet.ip.sourceroute</tunable>
       <value>default</value>
     </item>
     <item>
-      <descr>Source routing is another way for an attacker to try to reach non-routable addresses behind your box. It can also be used to probe for information about your internal networks. These functions come enabled as part of the standard FreeBSD core system.</descr>
+      <descr>
+        Source routing is another way for an attacker to try to reach non-routable addresses behind your box.
+        It can also be used to probe for information about your internal networks. These functions come enabled
+        as part of the standard FreeBSD core system.
+      </descr>
       <tunable>net.inet.ip.accept_sourceroute</tunable>
       <value>default</value>
     </item>
     <item>
-      <descr>This option turns off the logging of redirect packets because there is no limit and this could fill up your logs consuming your whole hard drive.</descr>
+      <descr>
+        This option turns off the logging of redirect packets because there is no limit and this could fill
+        up your logs consuming your whole hard drive.
+      </descr>
       <tunable>net.inet.icmp.log_redirect</tunable>
       <value>default</value>
     </item>
@@ -168,7 +179,9 @@
       <value>default</value>
     </item>
     <item>
-      <descr>Enable/disable sending of ICMP redirects in response to IP packets for which a better, and for the sender directly reachable, route and next hop is known.</descr>
+      <descr>Enable/disable sending of ICMP redirects in response to IP packets for which a better,
+        and for the sender directly reachable, route and next hop is known.
+      </descr>
       <tunable>net.inet.ip.redirect</tunable>
       <value>default</value>
     </item>