feat: implentation to use a preinstalled cluster issuer to create a certificate

Reviewed-on: #156

.gitignore

@@ -3,6 +3,7 @@ private_repos/
 
 ### Harmony ###
 harmony.log
+data/okd/installation_files*
 
 ### Helm ###
 # Chart dependencies

.gitmodules

@@ -0,0 +1,3 @@
+[submodule "examples/try_rust_webapp/tryrust.org"]
+	path = examples/try_rust_webapp/tryrust.org
+	url = https://github.com/rust-dd/tryrust.org.git

Cargo.lock

@@ -1759,6 +1759,7 @@ dependencies = [
  "env_logger",
  "harmony",
  "harmony_macros",
+ "harmony_secret",
  "harmony_tui",
  "harmony_types",
  "log",
@@ -1857,6 +1858,21 @@ dependencies = [
  "url",
 ]
 
+[[package]]
+name = "example-try-rust-webapp"
+version = "0.1.0"
+dependencies = [
+ "base64 0.22.1",
+ "env_logger",
+ "harmony",
+ "harmony_cli",
+ "harmony_macros",
+ "harmony_types",
+ "log",
+ "tokio",
+ "url",
+]
+
 [[package]]
 name = "example-tui"
 version = "0.1.0"
@@ -2345,6 +2361,7 @@ dependencies = [
  "tokio-util",
  "url",
  "uuid",
+ "walkdir",
 ]
 
 [[package]]
@@ -2416,6 +2433,7 @@ dependencies = [
  "serde",
  "serde_yaml",
  "syn 2.0.106",
+ "url",
 ]
 
 [[package]]
@@ -2427,6 +2445,7 @@ dependencies = [
  "harmony_secret_derive",
  "http 1.3.1",
  "infisical",
+ "inquire",
  "lazy_static",
  "log",
  "pretty_assertions",
@@ -3870,6 +3889,7 @@ dependencies = [
  "russh-sftp",
  "serde",
  "serde_json",
+ "sha2",
  "thiserror 1.0.69",
  "tokio",
  "tokio-stream",
@@ -4644,6 +4664,21 @@ dependencies = [
  "subtle",
 ]
 
+[[package]]
+name = "rhob-application-monitoring"
+version = "0.1.0"
+dependencies = [
+ "base64 0.22.1",
+ "env_logger",
+ "harmony",
+ "harmony_cli",
+ "harmony_macros",
+ "harmony_types",
+ "log",
+ "tokio",
+ "url",
+]
+
 [[package]]
 name = "ring"
 version = "0.17.14"
@@ -4984,6 +5019,15 @@ dependencies = [
  "cipher",
 ]
 
+[[package]]
+name = "same-file"
+version = "1.0.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "93fc1dc3aaa9bfed95e02e6eadabb4baf7e3078b0bd1b4d7b6b0b68378900502"
+dependencies = [
+ "winapi-util",
+]
+
 [[package]]
 name = "schannel"
 version = "0.1.27"
@@ -6521,6 +6565,16 @@ dependencies = [
  "libc",
 ]
 
+[[package]]
+name = "walkdir"
+version = "2.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "29790946404f91d9c5d06f9874efddea1dc06c5efe94541a7d6863108e3a5e4b"
+dependencies = [
+ "same-file",
+ "winapi-util",
+]
+
 [[package]]
 name = "want"
 version = "0.3.1"
@@ -6703,6 +6757,15 @@ version = "0.4.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "ac3b87c63620426dd9b991e5ce0329eff545bccbbb34f3be09ff6fb6ab51b7b6"
 
+[[package]]
+name = "winapi-util"
+version = "0.1.10"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0978bf7171b3d90bac376700cb56d606feb40f251a475a5d6634613564460b22"
+dependencies = [
+ "windows-sys 0.60.2",
+]
+
 [[package]]
 name = "winapi-x86_64-pc-windows-gnu"
 version = "0.4.0"

README.md

@@ -36,48 +36,59 @@ These principles surface as simple, ergonomic Rust APIs that let teams focus on
 
 ## 2 · Quick Start
 
-The snippet below spins up a complete **production-grade LAMP stack** with monitoring. Swap it for your own scores to deploy anything from microservices to machine-learning pipelines.
+The snippet below spins up a complete **production-grade Rust + Leptos Webapp** with monitoring. Swap it for your own scores to deploy anything from microservices to machine-learning pipelines.
 
 ```rust
 use harmony::{
-    data::Version,
     inventory::Inventory,
-    maestro::Maestro,
     modules::{
-        lamp::{LAMPConfig, LAMPScore},
-        monitoring::monitoring_alerting::MonitoringAlertingStackScore,
+        application::{
+            ApplicationScore, RustWebFramework, RustWebapp,
+            features::{PackagingDeployment, rhob_monitoring::Monitoring},
+        },
+        monitoring::alert_channel::discord_alert_channel::DiscordWebhook,
     },
-    topology::{K8sAnywhereTopology, Url},
+    topology::K8sAnywhereTopology,
 };
+use harmony_macros::hurl;
+use std::{path::PathBuf, sync::Arc};
 
 #[tokio::main]
 async fn main() {
-    // 1. Describe what you want
-    let lamp_stack = LAMPScore {
-        name: "harmony-lamp-demo".into(),
-        domain: Url::Url(url::Url::parse("https://lampdemo.example.com").unwrap()),
-        php_version: Version::from("8.3.0").unwrap(),
-        config: LAMPConfig {
-            project_root: "./php".into(),
-            database_size: "4Gi".into(),
-            ..Default::default()
-        },
+    let application = Arc::new(RustWebapp {
+        name: "harmony-example-leptos".to_string(),
+        project_root: PathBuf::from(".."), // <== Your project root, usually .. if you use the standard `/harmony` folder
+        framework: Some(RustWebFramework::Leptos),
+        service_port: 8080,
+    });
+
+    // Define your Application deployment and the features you want
+    let app = ApplicationScore {
+        features: vec![
+            Box::new(PackagingDeployment {
+                application: application.clone(),
+            }),
+            Box::new(Monitoring {
+                application: application.clone(),
+                alert_receiver: vec![
+                    Box::new(DiscordWebhook {
+                        name: "test-discord".to_string(),
+                        url: hurl!("https://discord.doesnt.exist.com"), // <== Get your discord webhook url
+                    }),
+                ],
+            }),
+        ],
+        application,
     };
 
-    // 2. Enhance with extra scores (monitoring, CI/CD, …)
-    let mut monitoring = MonitoringAlertingStackScore::new();
-    monitoring.namespace = Some(lamp_stack.config.namespace.clone());
-
-    // 3. Run your scores on the desired topology & inventory
     harmony_cli::run(
-        Inventory::autoload(),                // auto-detect hardware / kube-config
-        K8sAnywhereTopology::from_env(),      // local k3d, CI, staging, prod…
-        vec![
-          Box::new(lamp_stack),
-          Box::new(monitoring)
-        ],
-        None
-    ).await.unwrap();
+        Inventory::autoload(),
+        K8sAnywhereTopology::from_env(), // <== Deploy to local automatically provisioned local k3d by default or connect to any kubernetes cluster
+        vec![Box::new(app)],
+        None,
+    )
+    .await
+    .unwrap();
 }
 ```
 

demos/cncf-k8s-quebec-meetup-september-2025/.gitignore

@@ -0,0 +1,3 @@
+.terraform
+*.tfstate
+venv

demos/cncf-k8s-quebec-meetup-september-2025/README.md

@@ -0,0 +1,5 @@
+To build :
+
+```bash
+npx @marp-team/marp-cli@latest -w slides.md
+```

demos/cncf-k8s-quebec-meetup-september-2025/ansible/README.md

@@ -0,0 +1,9 @@
+To run this :
+
+```bash
+virtualenv venv
+source venv/bin/activate
+pip install ansible ansible-dev-tools
+ansible-lint download.yml
+ansible-playbook -i localhost download.yml
+```

demos/cncf-k8s-quebec-meetup-september-2025/ansible/download.yml

@@ -0,0 +1,8 @@
+- name: Test Ansible URL Validation
+  hosts: localhost
+  tasks:
+    - name: Download a file
+      ansible.builtin.get_url:
+        url: "http:/wikipedia.org/"
+        dest: "/tmp/ansible-test/wikipedia.html"
+        mode: '0900'

demos/cncf-k8s-quebec-meetup-september-2025/slides.md

@@ -0,0 +1,241 @@
+---
+theme: uncover
+---
+
+# Voici l'histoire de Petit Poisson
+
+---
+
+<img src="./Happy_swimmer.jpg" width="600"/>
+
+---
+
+<img src="./happy_landscape_swimmer.jpg" width="1000"/>
+
+---
+
+<img src="./Happy_swimmer.jpg" width="200"/>
+
+<img src="./tryrust.org.png" width="600"/>
+
+[https://tryrust.org](https://tryrust.org)
+
+---
+
+<img src="./texto_deploy_prod_1.png" width="600"/>
+
+---
+
+<img src="./texto_deploy_prod_2.png" width="600"/>
+
+---
+
+<img src="./texto_deploy_prod_3.png" width="600"/>
+
+---
+
+<img src="./texto_deploy_prod_4.png" width="600"/>
+
+---
+
+## Demo time
+
+---
+
+<img src="./Happy_swimmer_sunglasses.jpg" width="1000"/>
+
+---
+
+<img src="./texto_download_wikipedia.png" width="600"/>
+
+---
+
+<img src="./ansible.jpg" width="200"/>
+
+## Ansible❓
+
+---
+
+<img src="./Happy_swimmer.jpg" width="200"/>
+
+```yaml
+- name: Download wikipedia
+  hosts: localhost
+  tasks:
+    - name: Download a file
+      ansible.builtin.get_url:
+        url: "https:/wikipedia.org/"
+        dest: "/tmp/ansible-test/wikipedia.html"
+        mode: '0900'
+```
+
+---
+
+<img src="./Happy_swimmer.jpg" width="200"/>
+
+```
+ansible-lint download.yml
+
+Passed: 0 failure(s), 0 warning(s) on 1 files. Last profile that met the validation criteria was 'production'.
+```
+
+---
+
+```
+git push
+```
+
+---
+
+<img src="./75_years_later.jpg" width="1100"/>
+
+---
+
+<img src="./texto_download_wikipedia_fail.png" width="600"/>
+
+---
+
+<img src="./Happy_swimmer_reversed.jpg" width="600"/>
+
+---
+
+<img src="./ansible_output_fail.jpg" width="1100"/>
+
+---
+
+<img src="./Happy_swimmer_reversed_1hit.jpg" width="600"/>
+
+---
+
+<img src="./ansible_crossed_out.jpg" width="400"/>
+
+---
+
+
+<img src="./terraform.jpg" width="400"/>
+
+## Terraform❓❗
+
+---
+
+<img src="./Happy_swimmer_reversed_1hit.jpg" width="200"/>
+<img src="./terraform.jpg" width="200"/>
+
+```tf
+provider "docker" {}
+
+resource "docker_network" "invalid_network" {
+  name = "my-invalid-network"
+
+  ipam_config {
+    subnet = "172.17.0.0/33"
+  }
+}
+```
+
+---
+
+<img src="./Happy_swimmer_reversed_1hit.jpg" width="100"/>
+<img src="./terraform.jpg" width="200"/>
+
+```
+terraform plan
+
+Terraform used the selected providers to generate the following execution plan.
+Resource actions are indicated with the following symbols:
+  + create
+
+Terraform will perform the following actions:
+
+  # docker_network.invalid_network will be created
+  + resource "docker_network" "invalid_network" {
+      + driver      = (known after apply)
+      + id          = (known after apply)
+      + internal    = (known after apply)
+      + ipam_driver = "default"
+      + name        = "my-invalid-network"
+      + options     = (known after apply)
+      + scope       = (known after apply)
+
+      + ipam_config {
+          + subnet   = "172.17.0.0/33"
+            # (2 unchanged attributes hidden)
+        }
+    }
+
+Plan: 1 to add, 0 to change, 0 to destroy.
+```
+
+---
+
+✅
+
+---
+
+```
+terraform apply
+```
+
+---
+
+```
+Plan: 1 to add, 0 to change, 0 to destroy.
+
+Do you want to perform these actions?
+  Terraform will perform the actions described above.
+  Only 'yes' will be accepted to approve.
+
+  Enter a value: yes
+```
+
+---
+
+```
+docker_network.invalid_network: Creating...
+╷
+│ Error: Unable to create network: Error response from daemon: invalid network config:
+│ invalid subnet 172.17.0.0/33: invalid CIDR block notation
+│
+│   with docker_network.invalid_network,
+│   on main.tf line 11, in resource "docker_network" "invalid_network":
+│   11: resource "docker_network" "invalid_network" {
+│
+╵
+```
+
+---
+
+
+<img src="./Happy_swimmer_reversed_fullhit.jpg" width="1100"/>
+
+---
+
+<img src="./ansible_crossed_out.jpg" width="300"/>
+<img src="./terraform_crossed_out.jpg" width="400"/>
+<img src="./Happy_swimmer_reversed_fullhit.jpg" width="300"/>
+
+---
+
+## Harmony❓❗
+
+---
+
+Demo time
+
+---
+
+<img src="./Happy_swimmer.jpg" width="300"/>
+
+---
+
+# 🎼 
+
+Harmony : [https://git.nationtech.io/nationtech/harmony](https://git.nationtech.io/nationtech/harmony)
+
+
+ <img src="./qrcode_gitea_nationtech.png" width="120"/>
+
+
+LinkedIn : [https://www.linkedin.com/in/jean-gabriel-gill-couture/](https://www.linkedin.com/in/jean-gabriel-gill-couture/)
+
+Courriel : [jg@nationtech.io](mailto:jg@nationtech.io)

demos/cncf-k8s-quebec-meetup-september-2025/storyline.md

@@ -0,0 +1,132 @@
+# Harmony, Orchestrateur d'infrastructure open-source
+
+**Target Duration:** 25 minutes\
+**Tone:** Friendly, expert-to-expert, inspiring.
+
+---
+
+#### **Slide 1: Title Slide**
+
+- **Visual:** Clean and simple. Your company logo (NationTech) and the Harmony logo.
+
+---
+
+#### **Slide 2: The YAML Labyrinth**
+
+**Goal:** Get every head in the room nodding in agreement. Start with their world, not yours.
+
+- **Visual:**
+  - Option A: "The Pull Request from Hell". A screenshot of a GitHub pull request for a seemingly minor change that touches dozens of YAML files across multiple directories. A sea of red and green diffs that is visually overwhelming.
+  - Option B: A complex flowchart connecting dozens of logos: Terraform, Ansible, K8s, Helm, etc.
+- **Narration:**\
+  [...ADD SOMETHING FOR INTRODUCTION...]\
+  "We love the power that tools like Kubernetes and the CNCF landscape have given us. But let's be honest... when did our infrastructure code start looking like _this_?"\
+  "We have GitOps, which is great. But it often means we're managing this fragile cathedral of YAML, Helm charts, and brittle scripts. We spend more time debugging indentation and tracing variables than we do building truly resilient systems."
+
+---
+
+#### **Slide 3: The Real Cost of Infrastructure**
+
+- **Visual:** "The Jenga Tower of Tools". A tall, precarious Jenga tower where each block is the logo of a different tool (Terraform, K8s, Helm, Ansible, Prometheus, ArgoCD, etc.). One block near the bottom is being nervously pulled out.
+- **Narration:**
+  "The real cost isn't just complexity; it's the constant need to choose, learn, integrate, and operate a dozen different tools, each with its own syntax and failure modes. It's the nagging fear that a tiny typo in a config file could bring everything down. Click-ops isn't the answer, but the current state of IaC feels like we've traded one problem for another."
+
+---
+
+#### **Slide 4: The Broken Promise of "Code"**
+
+**Goal:** Introduce the core idea before introducing the product. This makes the solution feel inevitable.
+
+- **(Initial Visual):** A two-panel slide.
+  - **Left Panel Title: "The Plan"** - A terminal showing a green, successful `terraform plan` output.
+  - **Right Panel Title: "The Reality"** - The _next_ screen in the terminal, showing the `terraform apply` failing with a cascade of red error text.
+- **Narration:**
+  "We call our discipline **Infrastructure as Code**. And we've all been here. Our 'compiler' is a `terraform plan` that says everything looks perfect. We get the green light."
+  (Pause for a beat)
+  "And then we `apply`, and reality hits. It fails halfway through, at runtime, when it's most expensive and painful to fix."
+
+**(Click to transition the slide)**
+
+- **(New Visual):** The entire slide is replaced by a clean screenshot of a code editor (like nvim 😉) showing Harmony's Rust DSL. A red squiggly line is under a config line. The error message is clear in the "Problems" panel: `error: Incompatible deployment. Production target 'gcp-prod-cluster' requires a StorageClass with 'snapshots' capability, but 'standard-sc' does not provide it.`
+- **Narration (continued):**
+  "In software development, we solved these problems years ago. We don't accept 'it compiled, but crashed on startup'. We have real tools, type systems, compilers, test frameworks, and IDEs that catch our mistakes before they ever reach production. **So, what if we could treat our entire infrastructure... like a modern, compiled application?**"
+  "What if your infrastructure code could get compile-time checks, straight into the editor... instead of runtime panics and failures at 3 AM in production?"
+
+---
+
+#### **Slide 5: Introducing Harmony**
+
+**Goal:** Introduce Harmony as the answer to the "What If?" question.
+
+- **Visual:** The Harmony logo, large and centered.
+- **Tagline:** `Infrastructure in type-safe Rust. No YAML required.`
+- **Narration:**
+  "This is Harmony. It's an open-source orchestrator that lets you define your entire stack — from a dev laptop to a multi-site bare-metal cluster—in a single, type-safe Rust codebase."
+
+---
+
+#### **Slide 6: Before & After**
+
+- **Visual:** A side-by-side comparison. Left side: A screen full of complex, nested YAML. Right side: 10-15 lines of clean, readable Harmony Rust DSL that accomplishes the same thing.
+- **Narration:**
+  "This is the difference. On the left, the fragile world of strings and templates. On the right, a portable, verifiable program that describes your apps, your infra, and your operations. We unify scaffolding, provisioning, and Day-2 ops, all verified by the Rust compiler. But enough slides... let's see it in action."
+
+---
+
+#### **Slide 7: Live Demo: Zero to Monitored App**
+
+**Goal:** Show, don't just tell. Make it look effortless. This is where you build the "dream."
+
+- **Visual:** Your terminal/IDE, ready to go.
+- **Narration Guide:**
+  "Okay, for this demo, we're going to take a standard web app from GitHub. Nothing special about it."
+  _(Show the repo)_
+  "Now, let's bring it into Harmony. This is the entire definition we need to describe the application and its needs."
+  _(Show the Rust DSL)_
+  "First, let's run it locally on k3d. The exact same definition for dev as for prod."
+  _(Deploy locally, show it works)_
+  "Cool. But a real app needs monitoring. In Harmony, that's just adding a feature to our code."
+  _(Uncomment one line: `.with_feature(Monitoring)` and redeploy)_
+  "And just like that, we have a fully configured Prometheus and Grafana stack, scraping our app. No YAML, no extra config."
+  "Finally, let's push this to our production staging cluster. We just change the target and specify our multi-site Ceph storage."
+  _(Deploy to the remote cluster)_
+  "And there it is. We've gone from a simple web app to a monitored, enterprise-grade service in minutes."
+
+---
+
+#### **Slide 8: Live Demo: Embracing Chaos**
+
+**Goal:** Prove the "predictable" and "resilient" claims in the most dramatic way possible.
+
+- **Visual:** A slide showing a map or diagram of your distributed infrastructure (the different data centers). Then switch back to your terminal.
+- **Narration Guide:**
+  "This is great when things are sunny. But production is chaos. So... let's break things. On purpose."
+  "First, a network failure." _(Kill a switch/link, show app is still up)_
+  "Now, let's power off a storage server." _(Force off a server, show Ceph healing and the app is unaffected)_
+  "How about a control plane node?" _(Force off a k8s control plane, show the cluster is still running)_
+  "Okay, for the grand finale. What if we have a cascading failure? I'm going to kill _another_ storage server. This should cause a total failure in this data center."
+  _(Force off the second server, narrate what's happening)_
+  "And there it is... Ceph has lost quorum in this site... and Harmony has automatically failed everything over to our other datacenter. The app is still running."
+
+---
+
+#### **Slide 9: The New Reality**
+
+**Goal:** Summarize the dream and tell the audience what you want them to do.
+
+- **Visual:** The clean, simple Harmony Rust DSL code from Slide 6. A summary of what was just accomplished is listed next to it: `✓ GitHub to Prod in minutes`, `✓ Type-Safe Validation`, `✓ Built-in Monitoring`, `✓ Automated Multi-Site Failover`.
+- **Narration:**
+  "So, in just a few minutes, we went from a simple web app to a multi-site, monitored, and chaos-proof production deployment. We did it with a small amount of code that is easy to read, easy to verify, and completely portable. This is our vision: to offload the complexity, and make infrastructure simple, predictable, and even fun again."
+
+---
+
+#### **Slide 10: Join Us**
+
+- **Visual:** A clean, final slide with QR codes and links.
+  - GitHub Repo (`github.com/nation-tech/harmony`)
+  - Website (`harmony.sh` or similar)
+  - Your contact info (`jg@nation.tech` / LinkedIn / Twitter)
+- **Narration:**
+  "Harmony is open-source, AGPLv3. We believe this is the future, but we're just getting started. We know this crowd has great infrastructure minds out there, and we need your feedback. Please, check out the project on GitHub. Star it if you like what you see. Tell us what's missing. Let's build this future together. Thank you."
+
+**(Open for Q&A)**

demos/cncf-k8s-quebec-meetup-september-2025/terraform/.terraform.lock.hcl

@@ -0,0 +1,40 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/http" {
+  version = "3.5.0"
+  hashes = [
+    "h1:8bUoPwS4hahOvzCBj6b04ObLVFXCEmEN8T/5eOHmWOM=",
+    "zh:047c5b4920751b13425efe0d011b3a23a3be97d02d9c0e3c60985521c9c456b7",
+    "zh:157866f700470207561f6d032d344916b82268ecd0cf8174fb11c0674c8d0736",
+    "zh:1973eb9383b0d83dd4fd5e662f0f16de837d072b64a6b7cd703410d730499476",
+    "zh:212f833a4e6d020840672f6f88273d62a564f44acb0c857b5961cdb3bbc14c90",
+    "zh:2c8034bc039fffaa1d4965ca02a8c6d57301e5fa9fff4773e684b46e3f78e76a",
+    "zh:5df353fc5b2dd31577def9cc1a4ebf0c9a9c2699d223c6b02087a3089c74a1c6",
+    "zh:672083810d4185076c81b16ad13d1224b9e6ea7f4850951d2ab8d30fa6e41f08",
+    "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
+    "zh:7b4200f18abdbe39904b03537e1a78f21ebafe60f1c861a44387d314fda69da6",
+    "zh:843feacacd86baed820f81a6c9f7bd32cf302db3d7a0f39e87976ebc7a7cc2ee",
+    "zh:a9ea5096ab91aab260b22e4251c05f08dad2ed77e43e5e4fadcdfd87f2c78926",
+    "zh:d02b288922811739059e90184c7f76d45d07d3a77cc48d0b15fd3db14e928623",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/local" {
+  version = "2.5.3"
+  hashes = [
+    "h1:1Nkh16jQJMp0EuDmvP/96f5Unnir0z12WyDuoR6HjMo=",
+    "zh:284d4b5b572eacd456e605e94372f740f6de27b71b4e1fd49b63745d8ecd4927",
+    "zh:40d9dfc9c549e406b5aab73c023aa485633c1b6b730c933d7bcc2fa67fd1ae6e",
+    "zh:6243509bb208656eb9dc17d3c525c89acdd27f08def427a0dce22d5db90a4c8b",
+    "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
+    "zh:885d85869f927853b6fe330e235cd03c337ac3b933b0d9ae827ec32fa1fdcdbf",
+    "zh:bab66af51039bdfcccf85b25fe562cbba2f54f6b3812202f4873ade834ec201d",
+    "zh:c505ff1bf9442a889ac7dca3ac05a8ee6f852e0118dd9a61796a2f6ff4837f09",
+    "zh:d36c0b5770841ddb6eaf0499ba3de48e5d4fc99f4829b6ab66b0fab59b1aaf4f",
+    "zh:ddb6a407c7f3ec63efb4dad5f948b54f7f4434ee1a2607a49680d494b1776fe1",
+    "zh:e0dafdd4500bec23d3ff221e3a9b60621c5273e5df867bc59ef6b7e41f5c91f6",
+    "zh:ece8742fd2882a8fc9d6efd20e2590010d43db386b920b2a9c220cfecc18de47",
+    "zh:f4c6b3eb8f39105004cf720e202f04f57e3578441cfb76ca27611139bc116a82",
+  ]
+}

demos/cncf-k8s-quebec-meetup-september-2025/terraform/main.tf

@@ -0,0 +1,10 @@
+provider "http" {}
+
+data "http" "remote_file" {
+  url = "http:/example.com/file.txt"
+}
+
+resource "local_file" "downloaded_file" {
+  content  = data.http.remote_file.body
+  filename = "${path.module}/downloaded_file.txt"
+}

demos/cncf-k8s-quebec-meetup-september-2025/terraform_2/.terraform.lock.hcl

@@ -0,0 +1,24 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/kreuzwerker/docker" {
+  version     = "3.0.2"
+  constraints = "~> 3.0.1"
+  hashes = [
+    "h1:cT2ccWOtlfKYBUE60/v2/4Q6Stk1KYTNnhxSck+VPlU=",
+    "zh:15b0a2b2b563d8d40f62f83057d91acb02cd0096f207488d8b4298a59203d64f",
+    "zh:23d919de139f7cd5ebfd2ff1b94e6d9913f0977fcfc2ca02e1573be53e269f95",
+    "zh:38081b3fe317c7e9555b2aaad325ad3fa516a886d2dfa8605ae6a809c1072138",
+    "zh:4a9c5065b178082f79ad8160243369c185214d874ff5048556d48d3edd03c4da",
+    "zh:5438ef6afe057945f28bce43d76c4401254073de01a774760169ac1058830ac2",
+    "zh:60b7fadc287166e5c9873dfe53a7976d98244979e0ab66428ea0dea1ebf33e06",
+    "zh:61c5ec1cb94e4c4a4fb1e4a24576d5f39a955f09afb17dab982de62b70a9bdd1",
+    "zh:a38fe9016ace5f911ab00c88e64b156ebbbbfb72a51a44da3c13d442cd214710",
+    "zh:c2c4d2b1fd9ebb291c57f524b3bf9d0994ff3e815c0cd9c9bcb87166dc687005",
+    "zh:d567bb8ce483ab2cf0602e07eae57027a1a53994aba470fa76095912a505533d",
+    "zh:e83bf05ab6a19dd8c43547ce9a8a511f8c331a124d11ac64687c764ab9d5a792",
+    "zh:e90c934b5cd65516fbcc454c89a150bfa726e7cf1fe749790c7480bbeb19d387",
+    "zh:f05f167d2eaf913045d8e7b88c13757e3cf595dd5cd333057fdafc7c4b7fed62",
+    "zh:fcc9c1cea5ce85e8bcb593862e699a881bd36dffd29e2e367f82d15368659c3d",
+  ]
+}

demos/cncf-k8s-quebec-meetup-september-2025/terraform_2/main.tf

@@ -0,0 +1,17 @@
+terraform {
+  required_providers {
+    docker = {
+      source  = "kreuzwerker/docker"
+      version = "~> 3.0.1" # Adjust version as needed
+    }
+  }
+}
+provider "docker" {}
+
+resource "docker_network" "invalid_network" {
+  name = "my-invalid-network"
+
+  ipam_config {
+    subnet = "172.17.0.0/33"
+  }
+}

docs/OKD_Host_preparation.md

@@ -0,0 +1,8 @@
+## Bios settings
+
+1. CSM : Disabled (compatibility support to boot gpt formatted drives)
+2. Secure boot : disabled
+3. Boot order :
+    1. Local Hard drive
+    2. PXE IPv4
+4. System clock, make sure it is adjusted, otherwise you will get invalid certificates error

examples/application_monitoring_with_tenant/src/main.rs

@@ -27,9 +27,9 @@ async fn main() {
     };
     let application = Arc::new(RustWebapp {
         name: "example-monitoring".to_string(),
-        domain: Url::Url(url::Url::parse("https://rustapp.harmony.example.com").unwrap()),
         project_root: PathBuf::from("./examples/rust/webapp"),
         framework: Some(RustWebFramework::Leptos),
+        service_port: 3000,
     });
 
     let webhook_receiver = WebhookReceiver {

examples/nanodc/Cargo.toml

@@ -13,6 +13,7 @@ harmony_types = { path = "../../harmony_types" }
 cidr = { workspace = true }
 tokio = { workspace = true }
 harmony_macros = { path = "../../harmony_macros" }
+harmony_secret = { path = "../../harmony_secret" }
 log = { workspace = true }
 env_logger = { workspace = true }
 url = { workspace = true }

examples/nanodc/src/main.rs

@@ -5,6 +5,8 @@ use std::{
 
 use cidr::Ipv4Cidr;
 use harmony::{
+    config::secret::SshKeyPair,
+    data::{FileContent, FilePath},
     hardware::{HostCategory, Location, PhysicalHost, SwitchGroup},
     infra::opnsense::OPNSenseManagementInterface,
     inventory::Inventory,
@@ -13,13 +15,14 @@ use harmony::{
         okd::{
             bootstrap_dhcp::OKDBootstrapDhcpScore,
             bootstrap_load_balancer::OKDBootstrapLoadBalancerScore, dhcp::OKDDhcpScore,
-            dns::OKDDnsScore, ipxe::OkdIpxeScore,
+            dns::OKDDnsScore, ipxe::OKDIpxeScore,
         },
         tftp::TftpScore,
     },
     topology::{LogicalHost, UnmanagedRouter},
 };
 use harmony_macros::{ip, mac_address};
+use harmony_secret::SecretManager;
 use harmony_types::net::Url;
 
 #[tokio::main]
@@ -123,6 +126,8 @@ async fn main() {
     let load_balancer_score =
         harmony::modules::okd::load_balancer::OKDLoadBalancerScore::new(&topology);
 
+    let ssh_key = SecretManager::get_or_prompt::<SshKeyPair>().await.unwrap();
+
     let tftp_score = TftpScore::new(Url::LocalFolder("./data/watchguard/tftpboot".to_string()));
     let http_score = StaticFilesHttpScore {
         folder_to_serve: Some(Url::LocalFolder(
@@ -133,13 +138,15 @@ async fn main() {
     };
 
     let kickstart_filename = "inventory.kickstart".to_string();
-    let cluster_pubkey_filename = "cluster_ssh_key.pub".to_string();
     let harmony_inventory_agent = "harmony_inventory_agent".to_string();
 
-    let ipxe_score = OkdIpxeScore {
+    let ipxe_score = OKDIpxeScore {
         kickstart_filename,
         harmony_inventory_agent,
-        cluster_pubkey_filename,
+        cluster_pubkey: FileContent {
+            path: FilePath::Relative("cluster_ssh_key.pub".to_string()),
+            content: ssh_key.public,
+        },
     };
 
     harmony_tui::run(

examples/okd_installation/src/main.rs

@@ -2,24 +2,32 @@ mod topology;
 
 use crate::topology::{get_inventory, get_topology};
 use harmony::{
-    modules::okd::{installation::OKDInstallationScore, ipxe::OkdIpxeScore},
+    config::secret::SshKeyPair,
+    data::{FileContent, FilePath},
+    modules::okd::{installation::OKDInstallationPipeline, ipxe::OKDIpxeScore},
     score::Score,
     topology::HAClusterTopology,
 };
+use harmony_secret::SecretManager;
 
 #[tokio::main]
 async fn main() {
     let inventory = get_inventory();
     let topology = get_topology().await;
 
-    let scores: Vec<Box<dyn Score<HAClusterTopology>>> = vec![
-        Box::new(OkdIpxeScore {
-            kickstart_filename: "inventory.kickstart".to_string(),
-            harmony_inventory_agent: "cluster_ssh_key.pub".to_string(),
-            cluster_pubkey_filename: "harmony_inventory_agent".to_string(),
-        }),
-        Box::new(OKDInstallationScore {}),
-    ];
+    let ssh_key = SecretManager::get_or_prompt::<SshKeyPair>().await.unwrap();
+
+    let mut scores: Vec<Box<dyn Score<HAClusterTopology>>> = vec![Box::new(OKDIpxeScore {
+        kickstart_filename: "inventory.kickstart".to_string(),
+        harmony_inventory_agent: "harmony_inventory_agent".to_string(),
+        cluster_pubkey: FileContent {
+            path: FilePath::Relative("cluster_ssh_key.pub".to_string()),
+            content: ssh_key.public,
+        },
+    })];
+
+    scores.append(&mut OKDInstallationPipeline::get_all_scores().await);
+
     harmony_cli::run(inventory, topology, scores, None)
         .await
         .unwrap();

examples/okd_installation/src/topology.rs

@@ -22,7 +22,7 @@ pub async fn get_topology() -> HAClusterTopology {
         name: String::from("opnsense-1"),
     };
 
-    let config = SecretManager::get::<OPNSenseFirewallConfig>().await;
+    let config = SecretManager::get_or_prompt::<OPNSenseFirewallConfig>().await;
     let config = config.unwrap();
 
     let opnsense = Arc::new(

examples/okd_pxe/src/main.rs

@@ -1,7 +1,12 @@
 mod topology;
 
 use crate::topology::{get_inventory, get_topology};
-use harmony::modules::okd::ipxe::OkdIpxeScore;
+use harmony::{
+    config::secret::SshKeyPair,
+    data::{FileContent, FilePath},
+    modules::okd::ipxe::OKDIpxeScore,
+};
+use harmony_secret::SecretManager;
 
 #[tokio::main]
 async fn main() {
@@ -9,13 +14,16 @@ async fn main() {
     let topology = get_topology().await;
 
     let kickstart_filename = "inventory.kickstart".to_string();
-    let cluster_pubkey_filename = "cluster_ssh_key.pub".to_string();
     let harmony_inventory_agent = "harmony_inventory_agent".to_string();
+    let ssh_key = SecretManager::get_or_prompt::<SshKeyPair>().await.unwrap();
 
-    let ipxe_score = OkdIpxeScore {
+    let ipxe_score = OKDIpxeScore {
         kickstart_filename,
         harmony_inventory_agent,
-        cluster_pubkey_filename,
+        cluster_pubkey: FileContent {
+            path: FilePath::Relative("cluster_ssh_key.pub".to_string()),
+            content: ssh_key.public,
+        },
     };
 
     harmony_cli::run(inventory, topology, vec![Box::new(ipxe_score)], None)

examples/okd_pxe/src/topology.rs

@@ -16,7 +16,7 @@ pub async fn get_topology() -> HAClusterTopology {
         name: String::from("opnsense-1"),
     };
 
-    let config = SecretManager::get::<OPNSenseFirewallCredentials>().await;
+    let config = SecretManager::get_or_prompt::<OPNSenseFirewallCredentials>().await;
     let config = config.unwrap();
 
     let opnsense = Arc::new(

examples/opnsense/src/main.rs

@@ -5,7 +5,7 @@ use std::{
 
 use cidr::Ipv4Cidr;
 use harmony::{
-    hardware::{FirewallGroup, HostCategory, Location, PhysicalHost, SwitchGroup},
+    hardware::{HostCategory, Location, PhysicalHost, SwitchGroup},
     infra::opnsense::OPNSenseManagementInterface,
     inventory::Inventory,
     modules::{

examples/rhob_application_monitoring/Cargo.toml

@@ -0,0 +1,17 @@
+[package]
+name = "rhob-application-monitoring"
+edition = "2024"
+version.workspace = true
+readme.workspace = true
+license.workspace = true
+
+[dependencies]
+harmony = { path = "../../harmony" }
+harmony_cli = { path = "../../harmony_cli" }
+harmony_types = { path = "../../harmony_types" }
+harmony_macros = { path = "../../harmony_macros" }
+tokio = { workspace = true }
+log = { workspace = true }
+env_logger = { workspace = true }
+url = { workspace = true }
+base64.workspace = true

examples/rhob_application_monitoring/src/main.rs

@@ -0,0 +1,48 @@
+use std::{path::PathBuf, sync::Arc};
+
+use harmony::{
+    inventory::Inventory,
+    modules::{
+        application::{
+            ApplicationScore, RustWebFramework, RustWebapp, features::rhob_monitoring::Monitoring,
+        },
+        monitoring::alert_channel::discord_alert_channel::DiscordWebhook,
+    },
+    topology::K8sAnywhereTopology,
+};
+use harmony_types::net::Url;
+
+#[tokio::main]
+async fn main() {
+    let application = Arc::new(RustWebapp {
+        name: "test-rhob-monitoring".to_string(),
+        project_root: PathBuf::from("./webapp"), // Relative from 'harmony-path' param
+        framework: Some(RustWebFramework::Leptos),
+        service_port: 3000,
+    });
+
+    let discord_receiver = DiscordWebhook {
+        name: "test-discord".to_string(),
+        url: Url::Url(url::Url::parse("https://discord.doesnt.exist.com").unwrap()),
+    };
+
+    let app = ApplicationScore {
+        features: vec![
+            Box::new(Monitoring {
+                application: application.clone(),
+                alert_receiver: vec![Box::new(discord_receiver)],
+            }),
+            // TODO add backups, multisite ha, etc
+        ],
+        application,
+    };
+
+    harmony_cli::run(
+        Inventory::autoload(),
+        K8sAnywhereTopology::from_env(),
+        vec![Box::new(app)],
+        None,
+    )
+    .await
+    .unwrap();
+}

examples/rust/src/main.rs

@@ -5,7 +5,7 @@ use harmony::{
     modules::{
         application::{
             ApplicationScore, RustWebFramework, RustWebapp,
-            features::{ContinuousDelivery, Monitoring},
+            features::{Monitoring, PackagingDeployment},
         },
         monitoring::alert_channel::{
             discord_alert_channel::DiscordWebhook, webhook_receiver::WebhookReceiver,
@@ -13,30 +13,30 @@ use harmony::{
     },
     topology::K8sAnywhereTopology,
 };
-use harmony_types::net::Url;
+use harmony_macros::hurl;
 
 #[tokio::main]
 async fn main() {
     let application = Arc::new(RustWebapp {
         name: "harmony-example-rust-webapp".to_string(),
-        domain: Url::Url(url::Url::parse("https://rustapp.harmony.example.com").unwrap()),
-        project_root: PathBuf::from("./webapp"), // Relative from 'harmony-path' param
+        project_root: PathBuf::from("./webapp"),
         framework: Some(RustWebFramework::Leptos),
+        service_port: 3000,
     });
 
     let discord_receiver = DiscordWebhook {
         name: "test-discord".to_string(),
-        url: Url::Url(url::Url::parse("https://discord.doesnt.exist.com").unwrap()),
+        url: hurl!("https://discord.doesnt.exist.com"),
     };
 
     let webhook_receiver = WebhookReceiver {
         name: "sample-webhook-receiver".to_string(),
-        url: Url::Url(url::Url::parse("https://webhook-doesnt-exist.com").unwrap()),
+        url: hurl!("https://webhook-doesnt-exist.com"),
     };
 
     let app = ApplicationScore {
         features: vec![
-            Box::new(ContinuousDelivery {
+            Box::new(PackagingDeployment {
                 application: application.clone(),
             }),
             Box::new(Monitoring {

examples/try_rust_webapp/Cargo.toml

@@ -0,0 +1,17 @@
+[package]
+name = "example-try-rust-webapp"
+edition = "2024"
+version.workspace = true
+readme.workspace = true
+license.workspace = true
+
+[dependencies]
+harmony = { path = "../../harmony" }
+harmony_cli = { path = "../../harmony_cli" }
+harmony_types = { path = "../../harmony_types" }
+harmony_macros = { path = "../../harmony_macros" }
+tokio = { workspace = true }
+log = { workspace = true }
+env_logger = { workspace = true }
+url = { workspace = true }
+base64.workspace = true

examples/try_rust_webapp/files_to_add/.dockerignore

@@ -0,0 +1 @@
+harmony

examples/try_rust_webapp/files_to_add/Cargo.toml.to_add

@@ -0,0 +1,20 @@
+[package]
+name = "harmony-tryrust"
+edition = "2024"
+version = "0.1.0"
+
+[dependencies]
+harmony = { path = "../../../nationtech/harmony/harmony" }
+harmony_cli = { path = "../../../nationtech/harmony/harmony_cli" }
+harmony_types = { path = "../../../nationtech/harmony/harmony_types" }
+harmony_macros = { path = "../../../nationtech/harmony/harmony_macros" }
+tokio = { version = "1.40", features = [
+  "io-std",
+  "fs",
+  "macros",
+  "rt-multi-thread",
+] }
+log = { version = "0.4", features = ["kv"] }
+env_logger = "0.11"
+url = "2.5"
+base64 = "0.22.1"

examples/try_rust_webapp/files_to_add/main.rs

@@ -0,0 +1,50 @@
+use harmony::{
+    inventory::Inventory,
+    modules::{
+        application::{
+            ApplicationScore, RustWebFramework, RustWebapp,
+            features::{PackagingDeployment, rhob_monitoring::Monitoring},
+        },
+        monitoring::alert_channel::discord_alert_channel::DiscordWebhook,
+    },
+    topology::K8sAnywhereTopology,
+};
+use harmony_macros::hurl;
+use std::{path::PathBuf, sync::Arc};
+
+#[tokio::main]
+async fn main() {
+    let application = Arc::new(RustWebapp {
+        name: "tryrust".to_string(),
+        project_root: PathBuf::from(".."),
+        framework: Some(RustWebFramework::Leptos),
+        service_port: 8080,
+    });
+
+    let discord_webhook = DiscordWebhook {
+        name: "harmony_demo".to_string(),
+        url: hurl!("http://not_a_url.com"),
+    };
+
+    let app = ApplicationScore {
+        features: vec![
+            Box::new(PackagingDeployment {
+                application: application.clone(),
+            }),
+            Box::new(Monitoring {
+                application: application.clone(),
+                alert_receiver: vec![Box::new(discord_webhook)],
+            }),
+        ],
+        application,
+    };
+
+    harmony_cli::run(
+        Inventory::autoload(),
+        K8sAnywhereTopology::from_env(),
+        vec![Box::new(app)],
+        None,
+    )
+    .await
+    .unwrap();
+}

examples/try_rust_webapp/src/main.rs

@@ -0,0 +1,50 @@
+use harmony::{
+    inventory::Inventory,
+    modules::{
+        application::{
+            ApplicationScore, RustWebFramework, RustWebapp,
+            features::{PackagingDeployment, rhob_monitoring::Monitoring},
+        },
+        monitoring::alert_channel::discord_alert_channel::DiscordWebhook,
+    },
+    topology::K8sAnywhereTopology,
+};
+use harmony_macros::hurl;
+use std::{path::PathBuf, sync::Arc};
+
+#[tokio::main]
+async fn main() {
+    let application = Arc::new(RustWebapp {
+        name: "harmony-example-tryrust".to_string(),
+        project_root: PathBuf::from("./tryrust.org"), // <== Project root, in this case it is a
+        // submodule
+        framework: Some(RustWebFramework::Leptos),
+        service_port: 8080,
+    });
+
+    // Define your Application deployment and the features you want
+    let app = ApplicationScore {
+        features: vec![
+            Box::new(PackagingDeployment {
+                application: application.clone(),
+            }),
+            Box::new(Monitoring {
+                application: application.clone(),
+                alert_receiver: vec![Box::new(DiscordWebhook {
+                    name: "test-discord".to_string(),
+                    url: hurl!("https://discord.doesnt.exist.com"),
+                })],
+            }),
+        ],
+        application,
+    };
+
+    harmony_cli::run(
+        Inventory::autoload(),
+        K8sAnywhereTopology::from_env(), // <== Deploy to local automatically provisioned k3d by default or connect to any kubernetes cluster
+        vec![Box::new(app)],
+        None,
+    )
+    .await
+    .unwrap();
+}

examples/tui/src/main.rs

@@ -9,6 +9,7 @@ use harmony::{
     },
     topology::{
         BackendServer, DummyInfra, HealthCheck, HttpMethod, HttpStatusCode, LoadBalancerService,
+        SSL,
     },
 };
 use harmony_macros::ipv4;
@@ -47,6 +48,7 @@ fn build_large_score() -> LoadBalancerScore {
                 .to_string(),
             HttpMethod::GET,
             HttpStatusCode::Success2xx,
+            SSL::Disabled,
         )),
     };
     LoadBalancerScore {

harmony/Cargo.toml

@@ -10,7 +10,11 @@ testing = []
 
 [dependencies]
 hex = "0.4"
-reqwest = { version = "0.11", features = ["blocking", "json", "rustls-tls"], default-features = false }
+reqwest = { version = "0.11", features = [
+  "blocking",
+  "json",
+  "rustls-tls",
+], default-features = false }
 russh = "0.45.0"
 rust-ipmi = "0.1.1"
 semver = "1.0.23"
@@ -66,6 +70,7 @@ tar.workspace = true
 base64.workspace = true
 thiserror.workspace = true
 once_cell = "1.21.3"
+walkdir = "2.5.0"
 harmony_inventory_agent = { path = "../harmony_inventory_agent" }
 harmony_secret_derive = { path = "../harmony_secret_derive" }
 harmony_secret = { path = "../harmony_secret" }

harmony/src/domain/hardware/mod.rs

@@ -1,5 +1,3 @@
-use std::sync::Arc;
-
 use derive_new::new;
 use harmony_inventory_agent::hwinfo::{CPU, MemoryModule, NetworkInterface, StorageDrive};
 use harmony_types::net::MacAddress;
@@ -151,6 +149,98 @@ impl PhysicalHost {
         parts.join(" | ")
     }
 
+    pub fn parts_list(&self) -> String {
+        let PhysicalHost {
+            id,
+            category,
+            network,
+            storage,
+            labels,
+            memory_modules,
+            cpus,
+        } = self;
+
+        let mut parts_list = String::new();
+        parts_list.push_str("\n\n=====================");
+        parts_list.push_str(&format!("\nHost ID {id}"));
+        parts_list.push_str("\n=====================");
+        parts_list.push_str("\n\n=====================");
+        parts_list.push_str(&format!("\nCPU count {}", cpus.len()));
+        parts_list.push_str("\n=====================");
+        cpus.iter().for_each(|c| {
+            let CPU {
+                model,
+                vendor,
+                cores,
+                threads,
+                frequency_mhz,
+            } = c;
+            parts_list.push_str(&format!(
+                "\n{vendor} {model}, {cores}/{threads} {}Ghz",
+                *frequency_mhz as f64 / 1000.0
+            ));
+        });
+
+        parts_list.push_str("\n\n=====================");
+        parts_list.push_str(&format!("\nNetwork Interfaces count {}", network.len()));
+        parts_list.push_str("\n=====================");
+        network.iter().for_each(|nic| {
+            parts_list.push_str(&format!(
+                "\nNic({} {}Gbps mac({}) ipv4({}), ipv6({})",
+                nic.name,
+                nic.speed_mbps.unwrap_or(0) / 1000,
+                nic.mac_address,
+                nic.ipv4_addresses.join(","),
+                nic.ipv6_addresses.join(",")
+            ));
+        });
+
+        parts_list.push_str("\n\n=====================");
+        parts_list.push_str(&format!("\nStorage drives count {}", storage.len()));
+        parts_list.push_str("\n=====================");
+        storage.iter().for_each(|drive| {
+            let StorageDrive {
+                name,
+                model,
+                serial,
+                size_bytes,
+                logical_block_size: _,
+                physical_block_size: _,
+                rotational: _,
+                wwn: _,
+                interface_type,
+                smart_status,
+            } = drive;
+            parts_list.push_str(&format!(
+                "\n{name} {}Gb {model} {interface_type} smart({smart_status:?}) {serial}",
+                size_bytes / 1000 / 1000 / 1000
+            ));
+        });
+
+        parts_list.push_str("\n\n=====================");
+        parts_list.push_str(&format!("\nMemory modules count {}", memory_modules.len()));
+        parts_list.push_str("\n=====================");
+        memory_modules.iter().for_each(|mem| {
+            let MemoryModule {
+                size_bytes,
+                speed_mhz,
+                manufacturer,
+                part_number,
+                serial_number,
+                rank,
+            } = mem;
+            parts_list.push_str(&format!(
+                "\n{}Gb, {}Mhz, Manufacturer ({}), Part Number ({})",
+                size_bytes / 1000 / 1000 / 1000,
+                speed_mhz.unwrap_or(0),
+                manufacturer.as_ref().unwrap_or(&String::new()),
+                part_number.as_ref().unwrap_or(&String::new()),
+            ));
+        });
+
+        parts_list
+    }
+
     pub fn cluster_mac(&self) -> MacAddress {
         self.network
             .first()
@@ -275,9 +365,6 @@ pub enum HostCategory {
     Switch,
 }
 
-#[cfg(test)]
-use harmony_macros::mac_address;
-
 use harmony_types::id::Id;
 
 #[derive(Debug, Clone, Serialize)]

harmony/src/domain/interpret/mod.rs

@@ -33,6 +33,8 @@ pub enum InterpretName {
     DiscoverInventoryAgent,
     CephClusterHealth,
     Custom(&'static str),
+    RHOBAlerting,
+    K8sIngress,
 }
 
 impl std::fmt::Display for InterpretName {
@@ -62,6 +64,8 @@ impl std::fmt::Display for InterpretName {
             InterpretName::DiscoverInventoryAgent => f.write_str("DiscoverInventoryAgent"),
             InterpretName::CephClusterHealth => f.write_str("CephClusterHealth"),
             InterpretName::Custom(name) => f.write_str(name),
+            InterpretName::RHOBAlerting => f.write_str("RHOBAlerting"),
+            InterpretName::K8sIngress => f.write_str("K8sIngress"),
         }
     }
 }
@@ -80,13 +84,15 @@ pub trait Interpret<T>: std::fmt::Debug + Send {
 pub struct Outcome {
     pub status: InterpretStatus,
     pub message: String,
+    pub details: Vec<String>,
 }
 
 impl Outcome {
-    pub fn noop() -> Self {
+    pub fn noop(message: String) -> Self {
         Self {
             status: InterpretStatus::NOOP,
-            message: String::new(),
+            message,
+            details: vec![],
         }
     }
 
@@ -94,6 +100,23 @@ impl Outcome {
         Self {
             status: InterpretStatus::SUCCESS,
             message,
+            details: vec![],
+        }
+    }
+
+    pub fn success_with_details(message: String, details: Vec<String>) -> Self {
+        Self {
+            status: InterpretStatus::SUCCESS,
+            message,
+            details,
+        }
+    }
+
+    pub fn running(message: String) -> Self {
+        Self {
+            status: InterpretStatus::RUNNING,
+            message,
+            details: vec![],
         }
     }
 }
@@ -171,3 +194,11 @@ impl From<String> for InterpretError {
         }
     }
 }
+
+impl From<serde_yaml::Error> for InterpretError {
+    fn from(value: serde_yaml::Error) -> Self {
+        Self {
+            msg: format!("InterpretError : {value}"),
+        }
+    }
+}

harmony/src/domain/inventory/mod.rs

@@ -18,12 +18,13 @@ impl InventoryFilter {
 use derive_new::new;
 use log::info;
 use serde::{Deserialize, Serialize};
+use strum::EnumIter;
 
 use crate::hardware::{ManagementInterface, ManualManagementInterface};
 
 use super::{
     filter::Filter,
-    hardware::{FirewallGroup, HostGroup, Location, SwitchGroup},
+    hardware::{HostGroup, Location, SwitchGroup},
 };
 
 #[derive(Debug)]
@@ -63,7 +64,7 @@ impl Inventory {
     }
 }
 
-#[derive(Debug, Serialize, Deserialize, sqlx::Type)]
+#[derive(Debug, Serialize, Deserialize, sqlx::Type, Clone, EnumIter)]
 pub enum HostRole {
     Bootstrap,
     ControlPlane,

harmony/src/domain/inventory/repository.rs

@@ -29,7 +29,7 @@ pub trait InventoryRepository: Send + Sync + 'static {
     async fn save(&self, host: &PhysicalHost) -> Result<(), RepoError>;
     async fn get_latest_by_id(&self, host_id: &str) -> Result<Option<PhysicalHost>, RepoError>;
     async fn get_all_hosts(&self) -> Result<Vec<PhysicalHost>, RepoError>;
-    async fn get_host_for_role(&self, role: HostRole) -> Result<Vec<PhysicalHost>, RepoError>;
+    async fn get_host_for_role(&self, role: &HostRole) -> Result<Vec<PhysicalHost>, RepoError>;
     async fn save_role_mapping(
         &self,
         role: &HostRole,

harmony/src/domain/topology/ingress.rs

@@ -0,0 +1,7 @@
+use crate::topology::PreparationError;
+use async_trait::async_trait;
+
+#[async_trait]
+pub trait Ingress {
+    async fn get_domain(&self, service: &str) -> Result<String, PreparationError>;
+}

harmony/src/domain/topology/k8s.rs

@@ -17,7 +17,7 @@ use kube::{
 };
 use log::{debug, error, trace};
 use serde::{Serialize, de::DeserializeOwned};
-use serde_json::json;
+use serde_json::{Value, json};
 use similar::TextDiff;
 use tokio::io::AsyncReadExt;
 
@@ -53,6 +53,21 @@ impl K8sClient {
         })
     }
 
+    pub async fn get_resource_json_value(
+        &self,
+        name: &str,
+        namespace: Option<&str>,
+        gvk: &GroupVersionKind,
+    ) -> Result<DynamicObject, Error> {
+        let gvk = ApiResource::from_gvk(gvk);
+        let resource: Api<DynamicObject> = if let Some(ns) = namespace {
+            Api::namespaced_with(self.client.clone(), ns, &gvk)
+        } else {
+            Api::default_namespaced_with(self.client.clone(), &gvk)
+        };
+        Ok(resource.get(name).await?)
+    }
+
     pub async fn get_deployment(
         &self,
         name: &str,

harmony/src/domain/topology/k8s_anywhere.rs

@@ -1,6 +1,7 @@
 use std::{process::Command, sync::Arc};
 
 use async_trait::async_trait;
+use kube::api::GroupVersionKind;
 use log::{debug, info, warn};
 use serde::Serialize;
 use tokio::sync::OnceCell;
@@ -14,13 +15,15 @@ use crate::{
         monitoring::kube_prometheus::crd::{
             crd_alertmanager_config::CRDPrometheus,
             prometheus_operator::prometheus_operator_helm_chart_score,
+            rhob_alertmanager_config::RHOBObservability,
         },
         prometheus::{
             k8s_prometheus_alerting_score::K8sPrometheusCRDAlertingScore,
-            prometheus::PrometheusApplicationMonitoring,
+            prometheus::PrometheusApplicationMonitoring, rhob_alerting_score::RHOBAlertingScore,
         },
     },
     score::Score,
+    topology::ingress::Ingress,
 };
 
 use super::{
@@ -108,6 +111,43 @@ impl PrometheusApplicationMonitoring<CRDPrometheus> for K8sAnywhereTopology {
     }
 }
 
+#[async_trait]
+impl PrometheusApplicationMonitoring<RHOBObservability> for K8sAnywhereTopology {
+    async fn install_prometheus(
+        &self,
+        sender: &RHOBObservability,
+        inventory: &Inventory,
+        receivers: Option<Vec<Box<dyn AlertReceiver<RHOBObservability>>>>,
+    ) -> Result<PreparationOutcome, PreparationError> {
+        let po_result = self.ensure_cluster_observability_operator(sender).await?;
+
+        if po_result == PreparationOutcome::Noop {
+            debug!("Skipping Prometheus CR installation due to missing operator.");
+            return Ok(po_result);
+        }
+
+        let result = self
+            .get_cluster_observability_operator_prometheus_application_score(
+                sender.clone(),
+                receivers,
+            )
+            .await
+            .interpret(inventory, self)
+            .await;
+
+        match result {
+            Ok(outcome) => match outcome.status {
+                InterpretStatus::SUCCESS => Ok(PreparationOutcome::Success {
+                    details: outcome.message,
+                }),
+                InterpretStatus::NOOP => Ok(PreparationOutcome::Noop),
+                _ => Err(PreparationError::new(outcome.message)),
+            },
+            Err(err) => Err(PreparationError::new(err.to_string())),
+        }
+    }
+}
+
 impl Serialize for K8sAnywhereTopology {
     fn serialize<S>(&self, _serializer: S) -> Result<S::Ok, S::Error>
     where
@@ -134,6 +174,19 @@ impl K8sAnywhereTopology {
         }
     }
 
+    async fn get_cluster_observability_operator_prometheus_application_score(
+        &self,
+        sender: RHOBObservability,
+        receivers: Option<Vec<Box<dyn AlertReceiver<RHOBObservability>>>>,
+    ) -> RHOBAlertingScore {
+        RHOBAlertingScore {
+            sender,
+            receivers: receivers.unwrap_or_default(),
+            service_monitors: vec![],
+            prometheus_rules: vec![],
+        }
+    }
+
     async fn get_k8s_prometheus_application_score(
         &self,
         sender: CRDPrometheus,
@@ -147,6 +200,26 @@ impl K8sAnywhereTopology {
         }
     }
 
+    async fn openshift_ingress_operator_available(&self) -> Result<(), PreparationError> {
+        let client = self.k8s_client().await?;
+        let gvk = GroupVersionKind {
+            group: "operator.openshift.io".into(),
+            version: "v1".into(),
+            kind: "IngressController".into(),
+        };
+        let ic = client
+            .get_resource_json_value("default", Some("openshift-ingress-operator"), &gvk)
+            .await?;
+        let ready_replicas = ic.data["status"]["availableReplicas"].as_i64().unwrap_or(0);
+        if ready_replicas >= 1 {
+            return Ok(());
+        } else {
+            return Err(PreparationError::new(
+                "openshift-ingress-operator not available".to_string(),
+            ));
+        }
+    }
+
     fn is_helm_available(&self) -> Result<(), String> {
         let version_result = Command::new("helm")
             .arg("version")
@@ -286,6 +359,64 @@ impl K8sAnywhereTopology {
         }
     }
 
+    async fn ensure_cluster_observability_operator(
+        &self,
+        sender: &RHOBObservability,
+    ) -> Result<PreparationOutcome, PreparationError> {
+        let status = Command::new("sh")
+            .args(["-c", "kubectl get crd -A | grep -i rhobs"])
+            .status()
+            .map_err(|e| PreparationError::new(format!("could not connect to cluster: {}", e)))?;
+
+        if !status.success() {
+            if let Some(Some(k8s_state)) = self.k8s_state.get() {
+                match k8s_state.source {
+                    K8sSource::LocalK3d => {
+                        warn!(
+                            "Installing observability operator is not supported on LocalK3d source"
+                        );
+                        return Ok(PreparationOutcome::Noop);
+                        debug!("installing cluster observability operator");
+                        todo!();
+                        let op_score =
+                            prometheus_operator_helm_chart_score(sender.namespace.clone());
+                        let result = op_score.interpret(&Inventory::empty(), self).await;
+
+                        return match result {
+                            Ok(outcome) => match outcome.status {
+                                InterpretStatus::SUCCESS => Ok(PreparationOutcome::Success {
+                                    details: "installed cluster observability operator".into(),
+                                }),
+                                InterpretStatus::NOOP => Ok(PreparationOutcome::Noop),
+                                _ => Err(PreparationError::new(
+                                    "failed to install cluster observability operator (unknown error)".into(),
+                                )),
+                            },
+                            Err(err) => Err(PreparationError::new(err.to_string())),
+                        };
+                    }
+                    K8sSource::Kubeconfig => {
+                        debug!(
+                            "unable to install cluster observability operator, contact cluster admin"
+                        );
+                        return Ok(PreparationOutcome::Noop);
+                    }
+                }
+            } else {
+                warn!(
+                    "Unable to detect k8s_state. Skipping Cluster Observability Operator install."
+                );
+                return Ok(PreparationOutcome::Noop);
+            }
+        }
+
+        debug!("Cluster Observability Operator is already present, skipping install");
+
+        Ok(PreparationOutcome::Success {
+            details: "cluster observability operator present in cluster".into(),
+        })
+    }
+
     async fn ensure_prometheus_operator(
         &self,
         sender: &CRDPrometheus,
@@ -423,7 +554,7 @@ impl MultiTargetTopology for K8sAnywhereTopology {
         match self.config.harmony_profile.to_lowercase().as_str() {
             "staging" => DeploymentTarget::Staging,
             "production" => DeploymentTarget::Production,
-            _ => todo!("HARMONY_PROFILE must be set when use_local_k3d is not set"),
+            _ => todo!("HARMONY_PROFILE must be set when use_local_k3d is false"),
         }
     }
 }
@@ -445,3 +576,45 @@ impl TenantManager for K8sAnywhereTopology {
             .await
     }
 }
+
+#[async_trait]
+impl Ingress for K8sAnywhereTopology {
+    //TODO this is specifically for openshift/okd which violates the k8sanywhere idea
+    async fn get_domain(&self, service: &str) -> Result<String, PreparationError> {
+        let client = self.k8s_client().await?;
+
+        if let Some(Some(k8s_state)) = self.k8s_state.get() {
+            match k8s_state.source {
+                K8sSource::LocalK3d => Ok(format!("{service}.local.k3d")),
+                K8sSource::Kubeconfig => {
+                    self.openshift_ingress_operator_available().await?;
+
+                    let gvk = GroupVersionKind {
+                        group: "operator.openshift.io".into(),
+                        version: "v1".into(),
+                        kind: "IngressController".into(),
+                    };
+                    let ic = client
+                        .get_resource_json_value(
+                            "default",
+                            Some("openshift-ingress-operator"),
+                            &gvk,
+                        )
+                        .await
+                        .map_err(|_| {
+                            PreparationError::new("Failed to fetch IngressController".to_string())
+                        })?;
+
+                    match ic.data["status"]["domain"].as_str() {
+                        Some(domain) => Ok(format!("{service}.{domain}")),
+                        None => Err(PreparationError::new("Could not find domain".to_string())),
+                    }
+                }
+            }
+        } else {
+            Err(PreparationError::new(
+                "Cannot get domain: unable to detect K8s state".to_string(),
+            ))
+        }
+    }
+}

harmony/src/domain/topology/load_balancer.rs

@@ -102,8 +102,17 @@ pub enum HttpStatusCode {
     ServerError5xx,
 }
 
+#[derive(Debug, Clone, PartialEq, Serialize)]
+pub enum SSL {
+    SSL,
+    Disabled,
+    Default,
+    SNI,
+    Other(String),
+}
+
 #[derive(Debug, Clone, PartialEq, Serialize)]
 pub enum HealthCheck {
-    HTTP(String, HttpMethod, HttpStatusCode),
+    HTTP(String, HttpMethod, HttpStatusCode, SSL),
     TCP(Option<u16>),
 }

harmony/src/domain/topology/localhost.rs

@@ -1,9 +1,10 @@
 use async_trait::async_trait;
 use derive_new::new;
+use serde::{Deserialize, Serialize};
 
 use super::{HelmCommand, PreparationError, PreparationOutcome, Topology};
 
-#[derive(new)]
+#[derive(new, Clone, Debug, Serialize, Deserialize)]
 pub struct LocalhostTopology;
 
 #[async_trait]

harmony/src/domain/topology/mod.rs

@@ -1,4 +1,5 @@
 mod ha_cluster;
+pub mod ingress;
 use harmony_types::net::IpAddress;
 mod host_binding;
 mod http;

harmony/src/domain/topology/network.rs

@@ -17,7 +17,12 @@ pub struct DHCPStaticEntry {
 
 impl std::fmt::Display for DHCPStaticEntry {
     fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
-        let mac = self.mac.iter().map(|m| m.to_string()).collect::<Vec<String>>().join(",");
+        let mac = self
+            .mac
+            .iter()
+            .map(|m| m.to_string())
+            .collect::<Vec<String>>()
+            .join(",");
         f.write_fmt(format_args!(
             "DHCPStaticEntry : name {}, mac {}, ip {}",
             self.name, mac, self.ip

harmony/src/infra/inventory/sqlite.rs

@@ -108,7 +108,8 @@ impl InventoryRepository for SqliteInventoryRepository {
 
         Ok(())
     }
-    async fn get_host_for_role(&self, role: HostRole) -> Result<Vec<PhysicalHost>, RepoError> {
+
+    async fn get_host_for_role(&self, role: &HostRole) -> Result<Vec<PhysicalHost>, RepoError> {
         struct HostIdRow {
             host_id: String,
         }

harmony/src/infra/opnsense/dns.rs

@@ -1,4 +1,3 @@
-use crate::infra::opnsense::Host;
 use crate::infra::opnsense::LogicalHost;
 use crate::{
     executors::ExecutorError,

harmony/src/infra/opnsense/load_balancer.rs

@@ -1,13 +1,15 @@
 use async_trait::async_trait;
-use log::{debug, info, warn};
-use opnsense_config_xml::{Frontend, HAProxy, HAProxyBackend, HAProxyHealthCheck, HAProxyServer};
+use log::{debug, error, info, warn};
+use opnsense_config_xml::{
+    Frontend, HAProxy, HAProxyBackend, HAProxyHealthCheck, HAProxyServer, MaybeString,
+};
 use uuid::Uuid;
 
 use crate::{
     executors::ExecutorError,
     topology::{
         BackendServer, HealthCheck, HttpMethod, HttpStatusCode, LoadBalancer, LoadBalancerService,
-        LogicalHost,
+        LogicalHost, SSL,
     },
 };
 use harmony_types::net::IpAddress;
@@ -206,7 +208,22 @@ pub(crate) fn get_health_check_for_backend(
                 .unwrap_or_default()
                 .into();
             let status_code: HttpStatusCode = HttpStatusCode::Success2xx;
-            Some(HealthCheck::HTTP(path, method, status_code))
+            let ssl = match haproxy_health_check
+                .ssl
+                .content_string()
+                .to_uppercase()
+                .as_str()
+            {
+                "SSL" => SSL::SSL,
+                "SSLNI" => SSL::SNI,
+                "NOSSL" => SSL::Disabled,
+                "" => SSL::Default,
+                other => {
+                    error!("Unknown haproxy health check ssl config {other}");
+                    SSL::Other(other.to_string())
+                }
+            };
+            Some(HealthCheck::HTTP(path, method, status_code, ssl))
         }
         _ => panic!("Received unsupported health check type {}", uppercase),
     }
@@ -241,7 +258,14 @@ pub(crate) fn harmony_load_balancer_service_to_haproxy_xml(
     // frontend points to backend
     let healthcheck = if let Some(health_check) = &service.health_check {
         match health_check {
-            HealthCheck::HTTP(path, http_method, _http_status_code) => {
+            HealthCheck::HTTP(path, http_method, _http_status_code, ssl) => {
+                let ssl: MaybeString = match ssl {
+                    SSL::SSL => "ssl".into(),
+                    SSL::SNI => "sslni".into(),
+                    SSL::Disabled => "nossl".into(),
+                    SSL::Default => "".into(),
+                    SSL::Other(other) => other.as_str().into(),
+                };
                 let haproxy_check = HAProxyHealthCheck {
                     name: format!("HTTP_{http_method}_{path}"),
                     uuid: Uuid::new_v4().to_string(),
@@ -249,6 +273,7 @@ pub(crate) fn harmony_load_balancer_service_to_haproxy_xml(
                     health_check_type: "http".to_string(),
                     http_uri: path.clone().into(),
                     interval: "2s".to_string(),
+                    ssl,
                     ..Default::default()
                 };
 

harmony/src/modules/application/feature.rs

@@ -1,7 +1,10 @@
+use std::error::Error;
+
 use async_trait::async_trait;
+use derive_new::new;
 use serde::Serialize;
 
-use crate::topology::Topology;
+use crate::{executors::ExecutorError, topology::Topology};
 
 /// An ApplicationFeature provided by harmony, such as Backups, Monitoring, MultisiteAvailability,
 /// ContinuousIntegration, ContinuousDelivery
@@ -9,7 +12,10 @@ use crate::topology::Topology;
 pub trait ApplicationFeature<T: Topology>:
     std::fmt::Debug + Send + Sync + ApplicationFeatureClone<T>
 {
-    async fn ensure_installed(&self, topology: &T) -> Result<(), String>;
+    async fn ensure_installed(
+        &self,
+        topology: &T,
+    ) -> Result<InstallationOutcome, InstallationError>;
     fn name(&self) -> String;
 }
 
@@ -40,3 +46,60 @@ impl<T: Topology> Clone for Box<dyn ApplicationFeature<T>> {
         self.clone_box()
     }
 }
+
+#[derive(Debug, Clone, PartialEq, Eq)]
+pub enum InstallationOutcome {
+    Success { details: Vec<String> },
+    Noop,
+}
+
+impl InstallationOutcome {
+    pub fn success() -> Self {
+        Self::Success { details: vec![] }
+    }
+
+    pub fn success_with_details(details: Vec<String>) -> Self {
+        Self::Success { details }
+    }
+
+    pub fn noop() -> Self {
+        Self::Noop
+    }
+}
+
+#[derive(Debug, Clone, new)]
+pub struct InstallationError {
+    msg: String,
+}
+
+impl std::fmt::Display for InstallationError {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        f.write_str(&self.msg)
+    }
+}
+
+impl Error for InstallationError {}
+
+impl From<ExecutorError> for InstallationError {
+    fn from(value: ExecutorError) -> Self {
+        Self {
+            msg: format!("InstallationError : {value}"),
+        }
+    }
+}
+
+impl From<kube::Error> for InstallationError {
+    fn from(value: kube::Error) -> Self {
+        Self {
+            msg: format!("InstallationError : {value}"),
+        }
+    }
+}
+
+impl From<String> for InstallationError {
+    fn from(value: String) -> Self {
+        Self {
+            msg: format!("PreparationError : {value}"),
+        }
+    }
+}

harmony/src/modules/application/features/endpoint.rs

@@ -2,7 +2,7 @@ use async_trait::async_trait;
 use log::info;
 
 use crate::{
-    modules::application::ApplicationFeature,
+    modules::application::{ApplicationFeature, InstallationError, InstallationOutcome},
     topology::{K8sclient, Topology},
 };
 
@@ -29,7 +29,10 @@ impl Default for PublicEndpoint {
 /// For now we only suport K8s ingress, but we will support more stuff at some point
 #[async_trait]
 impl<T: Topology + K8sclient + 'static> ApplicationFeature<T> for PublicEndpoint {
-    async fn ensure_installed(&self, _topology: &T) -> Result<(), String> {
+    async fn ensure_installed(
+        &self,
+        _topology: &T,
+    ) -> Result<InstallationOutcome, InstallationError> {
         info!(
             "Making sure public endpoint is installed for port {}",
             self.application_port

harmony/src/modules/application/features/helm_argocd_score.rs

@@ -1,7 +1,10 @@
 use async_trait::async_trait;
+use kube::{Api, api::GroupVersionKind};
+use log::{debug, warn};
 use non_blank_string_rs::NonBlankString;
 use serde::Serialize;
-use std::str::FromStr;
+use serde::de::DeserializeOwned;
+use std::{process::Command, str::FromStr, sync::Arc};
 
 use crate::{
     data::Version,
@@ -9,7 +12,10 @@ use crate::{
     inventory::Inventory,
     modules::helm::chart::{HelmChartScore, HelmRepository},
     score::Score,
-    topology::{HelmCommand, K8sclient, Topology},
+    topology::{
+        HelmCommand, K8sclient, PreparationError, PreparationOutcome, Topology, ingress::Ingress,
+        k8s::K8sClient,
+    },
 };
 use harmony_types::id::Id;
 
@@ -19,15 +25,13 @@ use super::ArgoApplication;
 pub struct ArgoHelmScore {
     pub namespace: String,
     pub openshift: bool,
-    pub domain: String,
     pub argo_apps: Vec<ArgoApplication>,
 }
 
-impl<T: Topology + HelmCommand + K8sclient> Score<T> for ArgoHelmScore {
+impl<T: Topology + HelmCommand + K8sclient + Ingress> Score<T> for ArgoHelmScore {
     fn create_interpret(&self) -> Box<dyn crate::interpret::Interpret<T>> {
-        let helm_score = argo_helm_chart_score(&self.namespace, self.openshift, &self.domain);
         Box::new(ArgoInterpret {
-            score: helm_score,
+            score: self.clone(),
             argo_apps: self.argo_apps.clone(),
         })
     }
@@ -39,33 +43,41 @@ impl<T: Topology + HelmCommand + K8sclient> Score<T> for ArgoHelmScore {
 
 #[derive(Debug)]
 pub struct ArgoInterpret {
-    score: HelmChartScore,
+    score: ArgoHelmScore,
     argo_apps: Vec<ArgoApplication>,
 }
 
 #[async_trait]
-impl<T: Topology + K8sclient + HelmCommand> Interpret<T> for ArgoInterpret {
+impl<T: Topology + K8sclient + HelmCommand + Ingress> Interpret<T> for ArgoInterpret {
     async fn execute(
         &self,
         inventory: &Inventory,
         topology: &T,
     ) -> Result<Outcome, InterpretError> {
-        self.score.interpret(inventory, topology).await?;
-
         let k8s_client = topology.k8s_client().await?;
+        let svc = format!("argo-{}", self.score.namespace.clone());
+        let domain = topology.get_domain(&svc).await?;
+        let helm_score =
+            argo_helm_chart_score(&self.score.namespace, self.score.openshift, &domain);
+
+        helm_score.interpret(inventory, topology).await?;
+
         k8s_client
             .apply_yaml_many(&self.argo_apps.iter().map(|a| a.to_yaml()).collect(), None)
             .await
             .unwrap();
 
-        Ok(Outcome::success(format!(
-            "ArgoCD installed with {} {}",
-            self.argo_apps.len(),
-            match self.argo_apps.len() {
-                1 => "application",
-                _ => "applications",
-            }
-        )))
+        Ok(Outcome::success_with_details(
+            format!(
+                "ArgoCD {} {}",
+                self.argo_apps.len(),
+                match self.argo_apps.len() {
+                    1 => "application",
+                    _ => "applications",
+                }
+            ),
+            vec![format!("argo application: http://{}", domain)],
+        ))
     }
 
     fn get_name(&self) -> InterpretName {
@@ -85,6 +97,38 @@ impl<T: Topology + K8sclient + HelmCommand> Interpret<T> for ArgoInterpret {
     }
 }
 
+impl ArgoInterpret {
+    pub async fn get_host_domain(
+        &self,
+        client: Arc<K8sClient>,
+        openshift: bool,
+    ) -> Result<String, InterpretError> {
+        //This should be the job of the topology to determine if we are in
+        //openshift, potentially we need on openshift topology the same way we create a
+        //localhosttopology
+        match openshift {
+            true => {
+                let gvk = GroupVersionKind {
+                    group: "operator.openshift.io".into(),
+                    version: "v1".into(),
+                    kind: "IngressController".into(),
+                };
+                let ic = client
+                    .get_resource_json_value("default", Some("openshift-ingress-operator"), &gvk)
+                    .await?;
+
+                match ic.data["status"]["domain"].as_str() {
+                    Some(domain) => return Ok(domain.to_string()),
+                    None => return Err(InterpretError::new("Could not find domain".to_string())),
+                }
+            }
+            false => {
+                todo!()
+            }
+        };
+    }
+}
+
 pub fn argo_helm_chart_score(namespace: &str, openshift: bool, domain: &str) -> HelmChartScore {
     let values = format!(
         r#"
@@ -116,6 +160,9 @@ global:
   ## Used for ingresses, certificates, SSO, notifications, etc.
   domain: {domain}
 
+  securityContext: 
+    runAsUser: null
+
   # -- Runtime class name for all components
   runtimeClassName: ""
 
@@ -427,6 +474,13 @@ redis:
   # -- Redis name
   name: redis
 
+  serviceAccount:
+    create: true
+
+  securityContext:
+    runAsUser: null
+
+
   ## Redis image
   image:
     # -- Redis repository
@@ -660,7 +714,7 @@ server:
       # nginx.ingress.kubernetes.io/ssl-passthrough: "true"
 
     # -- Defines which ingress controller will implement the resource
-    ingressClassName: ""
+    ingressClassName: "openshift-default"
 
     # -- Argo CD server hostname
     # @default -- `""` (defaults to global.domain)

harmony/src/modules/application/features/mod.rs

@@ -1,11 +1,12 @@
 mod endpoint;
+pub mod rhob_monitoring;
 pub use endpoint::*;
 
 mod monitoring;
 pub use monitoring::*;
 
-mod continuous_delivery;
-pub use continuous_delivery::*;
+mod packaging_deployment;
+pub use packaging_deployment::*;
 
 mod helm_argocd_score;
 pub use helm_argocd_score::*;

harmony/src/modules/application/features/monitoring.rs

@@ -1,10 +1,10 @@
-use std::sync::Arc;
-
-use crate::modules::application::{Application, ApplicationFeature};
+use crate::modules::application::{
+    Application, ApplicationFeature, InstallationError, InstallationOutcome,
+};
 use crate::modules::monitoring::application_monitoring::application_monitoring_score::ApplicationMonitoringScore;
 use crate::modules::monitoring::kube_prometheus::crd::crd_alertmanager_config::CRDPrometheus;
-
 use crate::topology::MultiTargetTopology;
+use crate::topology::ingress::Ingress;
 use crate::{
     inventory::Inventory,
     modules::monitoring::{
@@ -19,8 +19,12 @@ use crate::{
 };
 use async_trait::async_trait;
 use base64::{Engine as _, engine::general_purpose};
+use harmony_secret::SecretManager;
+use harmony_secret_derive::Secret;
 use harmony_types::net::Url;
 use log::{debug, info};
+use serde::{Deserialize, Serialize};
+use std::sync::Arc;
 
 #[derive(Debug, Clone)]
 pub struct Monitoring {
@@ -36,17 +40,22 @@ impl<
         + TenantManager
         + K8sclient
         + MultiTargetTopology
-        + std::fmt::Debug
-        + PrometheusApplicationMonitoring<CRDPrometheus>,
+        + PrometheusApplicationMonitoring<CRDPrometheus>
+        + Ingress
+        + std::fmt::Debug,
 > ApplicationFeature<T> for Monitoring
 {
-    async fn ensure_installed(&self, topology: &T) -> Result<(), String> {
+    async fn ensure_installed(
+        &self,
+        topology: &T,
+    ) -> Result<InstallationOutcome, InstallationError> {
         info!("Ensuring monitoring is available for application");
         let namespace = topology
             .get_tenant_config()
             .await
             .map(|ns| ns.name.clone())
             .unwrap_or_else(|| self.application.name());
+        let domain = topology.get_domain("ntfy").await.unwrap();
 
         let mut alerting_score = ApplicationMonitoringScore {
             sender: CRDPrometheus {
@@ -58,19 +67,17 @@ impl<
         };
         let ntfy = NtfyScore {
             namespace: namespace.clone(),
-            host: "ntfy.harmonydemo.apps.ncd0.harmony.mcd".to_string(),
+            host: domain,
         };
         ntfy.interpret(&Inventory::empty(), topology)
             .await
             .map_err(|e| e.to_string())?;
 
-        let ntfy_default_auth_username = "harmony";
-        let ntfy_default_auth_password = "harmony";
+        let config = SecretManager::get_or_prompt::<NtfyAuth>().await.unwrap();
+
         let ntfy_default_auth_header = format!(
             "Basic {}",
-            general_purpose::STANDARD.encode(format!(
-                "{ntfy_default_auth_username}:{ntfy_default_auth_password}"
-            ))
+            general_purpose::STANDARD.encode(format!("{}:{}", config.username, config.password))
         );
 
         debug!("ntfy_default_auth_header: {ntfy_default_auth_header}");
@@ -100,9 +107,17 @@ impl<
             .interpret(&Inventory::empty(), topology)
             .await
             .map_err(|e| e.to_string())?;
-        Ok(())
+
+        Ok(InstallationOutcome::success())
     }
+
     fn name(&self) -> String {
         "Monitoring".to_string()
     }
 }
+
+#[derive(Secret, Serialize, Deserialize, Clone, Debug)]
+struct NtfyAuth {
+    username: String,
+    password: String,
+}

harmony/src/modules/application/features/packaging_deployment.rs

@@ -10,11 +10,13 @@ use crate::{
     data::Version,
     inventory::Inventory,
     modules::application::{
-        ApplicationFeature, HelmPackage, OCICompliant,
+        ApplicationFeature, HelmPackage, InstallationError, InstallationOutcome, OCICompliant,
         features::{ArgoApplication, ArgoHelmScore},
     },
     score::Score,
-    topology::{DeploymentTarget, HelmCommand, K8sclient, MultiTargetTopology, Topology},
+    topology::{
+        DeploymentTarget, HelmCommand, K8sclient, MultiTargetTopology, Topology, ingress::Ingress,
+    },
 };
 
 /// ContinuousDelivery in Harmony provides this functionality :
@@ -45,11 +47,11 @@ use crate::{
 /// - ArgoCD to install/upgrade/rollback/inspect k8s resources
 /// - Kubernetes for runtime orchestration
 #[derive(Debug, Default, Clone)]
-pub struct ContinuousDelivery<A: OCICompliant + HelmPackage> {
+pub struct PackagingDeployment<A: OCICompliant + HelmPackage> {
     pub application: Arc<A>,
 }
 
-impl<A: OCICompliant + HelmPackage> ContinuousDelivery<A> {
+impl<A: OCICompliant + HelmPackage> PackagingDeployment<A> {
     async fn deploy_to_local_k3d(
         &self,
         app_name: String,
@@ -136,18 +138,28 @@ impl<A: OCICompliant + HelmPackage> ContinuousDelivery<A> {
 #[async_trait]
 impl<
     A: OCICompliant + HelmPackage + Clone + 'static,
-    T: Topology + HelmCommand + MultiTargetTopology + K8sclient + 'static,
-> ApplicationFeature<T> for ContinuousDelivery<A>
+    T: Topology + HelmCommand + MultiTargetTopology + K8sclient + Ingress + 'static,
+> ApplicationFeature<T> for PackagingDeployment<A>
 {
-    async fn ensure_installed(&self, topology: &T) -> Result<(), String> {
+    async fn ensure_installed(
+        &self,
+        topology: &T,
+    ) -> Result<InstallationOutcome, InstallationError> {
         let image = self.application.image_name();
+        let domain = topology
+            .get_domain(&self.application.name())
+            .await
+            .map_err(|e| e.to_string())?;
 
         // TODO Write CI/CD workflow files
         // we can autotedect the CI type using the remote url (default to github action for github
         // url, etc..)
         // Or ask for it when unknown
 
-        let helm_chart = self.application.build_push_helm_package(&image).await?;
+        let helm_chart = self
+            .application
+            .build_push_helm_package(&image, &domain)
+            .await?;
 
         // TODO: Make building image configurable/skippable if image already exists (prompt)")
         // https://git.nationtech.io/NationTech/harmony/issues/104
@@ -176,18 +188,18 @@ impl<
             }
             target => {
                 info!("Deploying {} to target {target:?}", self.application.name());
+
                 let score = ArgoHelmScore {
-                    namespace: "harmony-example-rust-webapp".to_string(),
+                    namespace: format!("{}", self.application.name()),
                     openshift: true,
-                    domain: "argo.harmonydemo.apps.ncd0.harmony.mcd".to_string(),
                     argo_apps: vec![ArgoApplication::from(CDApplicationConfig {
                         // helm pull oci://hub.nationtech.io/harmony/harmony-example-rust-webapp-chart --version 0.1.0
                         version: Version::from("0.1.0").unwrap(),
                         helm_chart_repo_url: "hub.nationtech.io/harmony".to_string(),
-                        helm_chart_name: "harmony-example-rust-webapp-chart".to_string(),
+                        helm_chart_name: format!("{}-chart", self.application.name()),
                         values_overrides: None,
-                        name: "harmony-demo-rust-webapp".to_string(),
-                        namespace: "harmony-example-rust-webapp".to_string(),
+                        name: format!("{}", self.application.name()),
+                        namespace: format!("{}", self.application.name()),
                     })],
                 };
                 score
@@ -196,7 +208,11 @@ impl<
                     .unwrap();
             }
         };
-        Ok(())
+
+        Ok(InstallationOutcome::success_with_details(vec![format!(
+            "{}: http://{domain}",
+            self.application.name()
+        )]))
     }
     fn name(&self) -> String {
         "ContinuousDelivery".to_string()

harmony/src/modules/application/features/rhob_monitoring.rs

@@ -0,0 +1,126 @@
+use std::sync::Arc;
+
+use crate::modules::application::{
+    Application, ApplicationFeature, InstallationError, InstallationOutcome,
+};
+use crate::modules::monitoring::application_monitoring::application_monitoring_score::ApplicationMonitoringScore;
+use crate::modules::monitoring::application_monitoring::rhobs_application_monitoring_score::ApplicationRHOBMonitoringScore;
+
+use crate::modules::monitoring::kube_prometheus::crd::rhob_alertmanager_config::RHOBObservability;
+use crate::topology::MultiTargetTopology;
+use crate::topology::ingress::Ingress;
+use crate::{
+    inventory::Inventory,
+    modules::monitoring::{
+        alert_channel::webhook_receiver::WebhookReceiver, ntfy::ntfy::NtfyScore,
+    },
+    score::Score,
+    topology::{HelmCommand, K8sclient, Topology, tenant::TenantManager},
+};
+use crate::{
+    modules::prometheus::prometheus::PrometheusApplicationMonitoring,
+    topology::oberservability::monitoring::AlertReceiver,
+};
+use async_trait::async_trait;
+use base64::{Engine as _, engine::general_purpose};
+use harmony_types::net::Url;
+use log::{debug, info};
+
+#[derive(Debug, Clone)]
+pub struct Monitoring {
+    pub application: Arc<dyn Application>,
+    pub alert_receiver: Vec<Box<dyn AlertReceiver<RHOBObservability>>>,
+}
+
+#[async_trait]
+impl<
+    T: Topology
+        + HelmCommand
+        + 'static
+        + TenantManager
+        + K8sclient
+        + MultiTargetTopology
+        + Ingress
+        + std::fmt::Debug
+        + PrometheusApplicationMonitoring<RHOBObservability>,
+> ApplicationFeature<T> for Monitoring
+{
+    async fn ensure_installed(
+        &self,
+        topology: &T,
+    ) -> Result<InstallationOutcome, InstallationError> {
+        info!("Ensuring monitoring is available for application");
+        let namespace = topology
+            .get_tenant_config()
+            .await
+            .map(|ns| ns.name.clone())
+            .unwrap_or_else(|| self.application.name());
+
+        let mut alerting_score = ApplicationRHOBMonitoringScore {
+            sender: RHOBObservability {
+                namespace: namespace.clone(),
+                client: topology.k8s_client().await.unwrap(),
+            },
+            application: self.application.clone(),
+            receivers: self.alert_receiver.clone(),
+        };
+        let domain = topology
+            .get_domain("ntfy")
+            .await
+            .map_err(|e| format!("could not get domain {e}"))?;
+        let ntfy = NtfyScore {
+            namespace: namespace.clone(),
+            host: domain.clone(),
+        };
+        ntfy.interpret(&Inventory::empty(), topology)
+            .await
+            .map_err(|e| e.to_string())?;
+
+        let ntfy_default_auth_username = "harmony";
+        let ntfy_default_auth_password = "harmony";
+        let ntfy_default_auth_header = format!(
+            "Basic {}",
+            general_purpose::STANDARD.encode(format!(
+                "{ntfy_default_auth_username}:{ntfy_default_auth_password}"
+            ))
+        );
+
+        debug!("ntfy_default_auth_header: {ntfy_default_auth_header}");
+
+        let ntfy_default_auth_param = general_purpose::STANDARD
+            .encode(ntfy_default_auth_header)
+            .replace("=", "");
+
+        debug!("ntfy_default_auth_param: {ntfy_default_auth_param}");
+        let ntfy_receiver = WebhookReceiver {
+            name: "ntfy-webhook".to_string(),
+            url: Url::Url(
+                url::Url::parse(
+                    format!(
+                        "http://{domain}/{}?auth={ntfy_default_auth_param}",
+                        self.application.name()
+                    )
+                    .as_str(),
+                )
+                .unwrap(),
+            ),
+        };
+        debug!(
+            "ntfy webhook receiver \n{:#?}\nntfy topic: {}",
+            ntfy_receiver.clone(),
+            self.application.name()
+        );
+        alerting_score.receivers.push(Box::new(ntfy_receiver));
+        alerting_score
+            .interpret(&Inventory::empty(), topology)
+            .await
+            .map_err(|e| e.to_string())?;
+        Ok(InstallationOutcome::success_with_details(vec![format!(
+            "ntfy topic: {}",
+            self.application.name()
+        )]))
+    }
+    fn name(&self) -> String {
+        "Monitoring".to_string()
+    }
+}

harmony/src/modules/application/mod.rs

@@ -24,8 +24,8 @@ use harmony_types::id::Id;
 #[derive(Clone, Debug)]
 pub enum ApplicationFeatureStatus {
     Installing,
-    Installed,
-    Failed { details: String },
+    Installed { details: Vec<String> },
+    Failed { message: String },
 }
 
 pub trait Application: std::fmt::Debug + Send + Sync {
@@ -65,27 +65,32 @@ impl<A: Application, T: Topology + std::fmt::Debug> Interpret<T> for Application
             .unwrap();
 
             let _ = match feature.ensure_installed(topology).await {
-                Ok(()) => {
+                Ok(outcome) => {
                     instrumentation::instrument(HarmonyEvent::ApplicationFeatureStateChanged {
                         topology: topology.name().into(),
                         application: self.application.name(),
                         feature: feature.name(),
-                        status: ApplicationFeatureStatus::Installed,
+                        status: ApplicationFeatureStatus::Installed {
+                            details: match outcome {
+                                InstallationOutcome::Success { details } => details,
+                                InstallationOutcome::Noop => vec![],
+                            },
+                        },
                     })
                     .unwrap();
                 }
-                Err(msg) => {
+                Err(error) => {
                     instrumentation::instrument(HarmonyEvent::ApplicationFeatureStateChanged {
                         topology: topology.name().into(),
                         application: self.application.name(),
                         feature: feature.name(),
                         status: ApplicationFeatureStatus::Failed {
-                            details: msg.clone(),
+                            message: error.to_string(),
                         },
                     })
                     .unwrap();
                     return Err(InterpretError::new(format!(
-                        "Application Interpret failed to install feature : {msg}"
+                        "Application Interpret failed to install feature : {error}"
                     )));
                 }
             };

harmony/src/modules/application/oci.rs

@@ -1,6 +1,5 @@
-use async_trait::async_trait;
-
 use super::Application;
+use async_trait::async_trait;
 
 #[async_trait]
 pub trait OCICompliant: Application {
@@ -17,5 +16,10 @@ pub trait HelmPackage: Application {
     ///
     /// # Arguments
     /// * `image_url` - The full URL of the OCI container image to be used in the Deployment.
-    async fn build_push_helm_package(&self, image_url: &str) -> Result<String, String>;
+    /// * `domain` - The domain where the application is hosted.
+    async fn build_push_helm_package(
+        &self,
+        image_url: &str,
+        domain: &str,
+    ) -> Result<String, String>;
 }

harmony/src/modules/application/rust.rs

@@ -1,4 +1,4 @@
-use std::fs;
+use std::fs::{self};
 use std::path::{Path, PathBuf};
 use std::process;
 use std::sync::Arc;
@@ -10,13 +10,13 @@ use dockerfile_builder::Dockerfile;
 use dockerfile_builder::instruction::{CMD, COPY, ENV, EXPOSE, FROM, RUN, USER, WORKDIR};
 use dockerfile_builder::instruction_builder::CopyBuilder;
 use futures_util::StreamExt;
-use log::{debug, info, log_enabled};
+use log::{debug, error, info, log_enabled, trace, warn};
 use serde::Serialize;
-use tar::Archive;
+use tar::{Builder, Header};
+use walkdir::WalkDir;
 
 use crate::config::{REGISTRY_PROJECT, REGISTRY_URL};
 use crate::{score::Score, topology::Topology};
-use harmony_types::net::Url;
 
 use super::{Application, ApplicationFeature, ApplicationInterpret, HelmPackage, OCICompliant};
 
@@ -56,9 +56,9 @@ pub enum RustWebFramework {
 #[derive(Debug, Clone, Serialize)]
 pub struct RustWebapp {
     pub name: String,
-    pub domain: Url,
     /// The path to the root of the Rust project to be containerized.
     pub project_root: PathBuf,
+    pub service_port: u32,
     pub framework: Option<RustWebFramework>,
 }
 
@@ -70,12 +70,17 @@ impl Application for RustWebapp {
 
 #[async_trait]
 impl HelmPackage for RustWebapp {
-    async fn build_push_helm_package(&self, image_url: &str) -> Result<String, String> {
+    async fn build_push_helm_package(
+        &self,
+        image_url: &str,
+        domain: &str,
+    ) -> Result<String, String> {
         info!("Starting Helm chart build and push for '{}'", self.name);
 
         // 1. Create the Helm chart files on disk.
         let chart_dir = self
-            .create_helm_chart_files(image_url)
+            .create_helm_chart_files(image_url, domain)
+            .await
             .map_err(|e| format!("Failed to create Helm chart files: {}", e))?;
         info!("Successfully created Helm chart files in {:?}", chart_dir);
 
@@ -157,46 +162,135 @@ impl RustWebapp {
         &self,
         image_name: &str,
     ) -> Result<String, Box<dyn std::error::Error>> {
-        debug!("Generating Dockerfile for '{}'", self.name);
-        let _dockerfile_path = self.build_dockerfile()?;
-
-        let docker = Docker::connect_with_socket_defaults().unwrap();
-
+        info!("Generating Dockerfile for '{}'", self.name);
+        let dockerfile = self.get_or_build_dockerfile();
         let quiet = !log_enabled!(log::Level::Debug);
-
-        let build_image_options = bollard::query_parameters::BuildImageOptionsBuilder::default()
-            .dockerfile("Dockerfile.harmony")
-            .t(image_name)
-            .q(quiet)
-            .version(bollard::query_parameters::BuilderVersion::BuilderV1)
-            .platform("linux/x86_64");
-
-        let mut temp_tar_builder = tar::Builder::new(Vec::new());
-        temp_tar_builder
-            .append_dir_all("", self.project_root.clone())
-            .unwrap();
-        let archive = temp_tar_builder
-            .into_inner()
-            .expect("couldn't finish creating tar");
-        let archived_files = Archive::new(archive.as_slice())
-            .entries()
+        match dockerfile
             .unwrap()
-            .map(|entry| entry.unwrap().path().unwrap().into_owned())
-            .collect::<Vec<_>>();
+            .file_name()
+            .and_then(|os_str| os_str.to_str())
+        {
+            Some(path_str) => {
+                debug!("Building from dockerfile {}", path_str);
 
-        debug!("files in docker tar: {:#?}", archived_files);
+                let tar_data = self
+                    .create_deterministic_tar(&self.project_root.clone())
+                    .await
+                    .unwrap();
 
-        let mut image_build_stream = docker.build_image(
-            build_image_options.build(),
-            None,
-            Some(body_full(archive.into())),
-        );
+                let docker = Docker::connect_with_socket_defaults().unwrap();
 
-        while let Some(msg) = image_build_stream.next().await {
-            debug!("Message: {msg:?}");
+                let build_image_options =
+                    bollard::query_parameters::BuildImageOptionsBuilder::default()
+                        .dockerfile(path_str)
+                        .t(image_name)
+                        .q(quiet)
+                        .version(bollard::query_parameters::BuilderVersion::BuilderV1)
+                        .platform("linux/x86_64");
+
+                let mut image_build_stream = docker.build_image(
+                    build_image_options.build(),
+                    None,
+                    Some(body_full(tar_data.into())),
+                );
+
+                while let Some(mut msg) = image_build_stream.next().await {
+                    trace!("Got bollard msg {msg:?}");
+                    match msg {
+                        Ok(mut msg) => {
+                            if let Some(progress) = msg.progress_detail {
+                                info!(
+                                    "Build progress {}/{}",
+                                    progress.current.unwrap_or(0),
+                                    progress.total.unwrap_or(0)
+                                );
+                            }
+
+                            if let Some(mut log) = msg.stream {
+                                if log.ends_with('\n') {
+                                    log.pop();
+                                    if log.ends_with('\r') {
+                                        log.pop();
+                                    }
+                                }
+                                info!("{log}");
+                            }
+
+                            if let Some(error) = msg.error {
+                                warn!("Build error : {error:?}");
+                            }
+
+                            if let Some(error) = msg.error_detail {
+                                warn!("Build error : {error:?}");
+                            }
+                        }
+                        Err(e) => {
+                            error!("Build failed : {e}");
+                            return Err(format!("Build failed : {e}").into());
+                        }
+                    }
+                }
+
+                Ok(image_name.to_string())
+            }
+
+            None => Err(Box::new(std::io::Error::new(
+                std::io::ErrorKind::InvalidData,
+                "Path is not valid UTF-8",
+            ))),
         }
+    }
 
-        Ok(image_name.to_string())
+    ///normalizes timestamp and ignores files that will bust the docker cach
+    async fn create_deterministic_tar(
+        &self,
+        project_root: &std::path::Path,
+    ) -> Result<Vec<u8>, Box<dyn std::error::Error>> {
+        debug!("building tar file from project root {:#?}", project_root);
+        let mut tar_data = Vec::new();
+        {
+            let mut builder = Builder::new(&mut tar_data);
+            let ignore_prefixes = [
+                "target",
+                ".git",
+                ".github",
+                ".harmony_generated",
+                "harmony",
+                "node_modules",
+                "Dockerfile.harmony",
+            ];
+            let mut entries: Vec<_> = WalkDir::new(project_root)
+                .into_iter()
+                .filter_map(Result::ok)
+                .filter(|e| e.file_type().is_file())
+                .filter(|e| {
+                    let rel_path = e.path().strip_prefix(project_root).unwrap();
+                    !ignore_prefixes
+                        .iter()
+                        .any(|prefix| rel_path.starts_with(prefix))
+                })
+                .collect();
+            entries.sort_by_key(|e| e.path().to_owned());
+
+            for entry in entries {
+                let path = entry.path();
+                let rel_path = path.strip_prefix(project_root).unwrap();
+
+                let mut file = fs::File::open(path)?;
+                let mut header = Header::new_gnu();
+
+                header.set_size(entry.metadata()?.len());
+                header.set_mode(0o644);
+                header.set_mtime(0);
+                header.set_uid(0);
+                header.set_gid(0);
+
+                builder.append_data(&mut header, rel_path, &mut file)?;
+            }
+
+            builder.finish()?;
+        }
+        Ok(tar_data)
     }
 
     /// Tags and pushes a Docker image to the configured remote registry.
@@ -208,8 +302,6 @@ impl RustWebapp {
 
         let docker = Docker::connect_with_socket_defaults().unwrap();
 
-        // let push_options = PushImageOptionsBuilder::new().tag(tag);
-
         let mut push_image_stream = docker.push_image(
             image_tag,
             Some(PushImageOptionsBuilder::new().build()),
@@ -217,6 +309,8 @@ impl RustWebapp {
         );
 
         while let Some(msg) = push_image_stream.next().await {
+            // let msg = msg?;
+            // TODO this fails silently, for some reason bollard cannot push to hub.nationtech.io
             debug!("Message: {msg:?}");
         }
 
@@ -272,8 +366,11 @@ impl RustWebapp {
                     "groupadd -r appgroup && useradd -r -s /bin/false -g appgroup appuser",
                 ));
 
-                dockerfile.push(ENV::from("LEPTOS_SITE_ADDR=0.0.0.0:3000"));
-                dockerfile.push(EXPOSE::from("3000/tcp"));
+                dockerfile.push(ENV::from(format!(
+                    "LEPTOS_SITE_ADDR=0.0.0.0:{}",
+                    self.service_port
+                )));
+                dockerfile.push(EXPOSE::from(format!("{}/tcp", self.service_port)));
                 dockerfile.push(WORKDIR::from("/home/appuser"));
 
                 // Copy static files
@@ -348,9 +445,10 @@ impl RustWebapp {
     }
 
     /// Creates all necessary files for a basic Helm chart.
-    fn create_helm_chart_files(
+    async fn create_helm_chart_files(
         &self,
         image_url: &str,
+        domain: &str,
     ) -> Result<PathBuf, Box<dyn std::error::Error>> {
         let chart_name = format!("{}-chart", self.name);
         let chart_dir = self
@@ -394,132 +492,137 @@ image:
 
 service:
   type: ClusterIP
-  port: 3000
+  port: {}
 
 ingress:
   enabled: true
   # Annotations for cert-manager to handle SSL.
   annotations:
-    cert-manager.io/cluster-issuer: "letsencrypt-prod"
     # Add other annotations like nginx ingress class if needed
     # kubernetes.io/ingress.class: nginx
   hosts:
-    - host: chart-example.local
+    - host: {}
       paths:
         - path: /
           pathType: ImplementationSpecific
-  tls:
-   - secretName: {}-tls
-     hosts:
-       - chart-example.local
-
 "#,
-            chart_name, image_repo, image_tag, self.name
+            chart_name, image_repo, image_tag, self.service_port, domain,
         );
         fs::write(chart_dir.join("values.yaml"), values_yaml)?;
 
         // Create templates/_helpers.tpl
-        let helpers_tpl = r#"
-{{/*
+        let helpers_tpl = format!(
+            r#"
+{{{{/*
 Expand the name of the chart.
-*/}}
-{{- define "chart.name" -}}
-{{- default .Chart.Name $.Values.nameOverride | trunc 63 | trimSuffix "-" }}
-{{- end }}
+*/}}}}
+{{{{- define "chart.name" -}}}}
+{{{{- default .Chart.Name $.Values.nameOverride | trunc 63 | trimSuffix "-" }}}}
+{{{{- end }}}}
 
-{{/*
+{{{{/*
 Create a default fully qualified app name.
 We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-*/}}
-{{- define "chart.fullname" -}}
-{{- $name := default .Chart.Name $.Values.nameOverride }}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
-{{- end }}
-"#;
+*/}}}}
+{{{{- define "chart.fullname" -}}}}
+{{{{- $name := default .Chart.Name $.Values.nameOverride }}}}
+{{{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}}}
+{{{{- end }}}}
+"#
+        );
         fs::write(templates_dir.join("_helpers.tpl"), helpers_tpl)?;
 
         // Create templates/service.yaml
-        let service_yaml = r#"
+        let service_yaml = format!(
+            r#"
 apiVersion: v1
 kind: Service
 metadata:
-  name: {{ include "chart.fullname" . }}
+  name: {{{{ include "chart.fullname" . }}}}
 spec:
-  type: {{ $.Values.service.type }}
+  type: {{{{ $.Values.service.type }}}}
   ports:
     - name: main
-      port: {{ $.Values.service.port | default 3000 }}
-      targetPort: {{ $.Values.service.port | default 3000 }}
+      port: {{{{ $.Values.service.port | default {} }}}}
+      targetPort: {{{{ $.Values.service.port | default {} }}}}
       protocol: TCP
   selector:
-    app: {{ include "chart.name" . }}
-"#;
+    app: {{{{ include "chart.name" . }}}}
+"#,
+            self.service_port, self.service_port
+        );
         fs::write(templates_dir.join("service.yaml"), service_yaml)?;
 
         // Create templates/deployment.yaml
-        let deployment_yaml = r#"
+        let deployment_yaml = format!(
+            r#"
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: {{ include "chart.fullname" . }}
+  name: {{{{ include "chart.fullname" . }}}}
 spec:
-  replicas: {{ $.Values.replicaCount }}
+  replicas: {{{{ $.Values.replicaCount }}}}
   selector:
     matchLabels:
-      app: {{ include "chart.name" . }}
+      app: {{{{ include "chart.name" . }}}}
   template:
     metadata:
       labels:
-        app: {{ include "chart.name" . }}
+        app: {{{{ include "chart.name" . }}}}
     spec:
       containers:
-        - name: {{ .Chart.Name }}
-          image: "{{ $.Values.image.repository }}:{{ $.Values.image.tag | default .Chart.AppVersion }}"
-          imagePullPolicy: {{ $.Values.image.pullPolicy }}
+        - name: {{{{ .Chart.Name }}}}
+          image: "{{{{ $.Values.image.repository }}}}:{{{{ $.Values.image.tag | default .Chart.AppVersion }}}}"
+          imagePullPolicy: {{{{ $.Values.image.pullPolicy }}}}
           ports:
             - name: main
-              containerPort: {{ $.Values.service.port | default 3000 }}
+              containerPort: {{{{ $.Values.service.port | default {} }}}}
               protocol: TCP
-"#;
+"#,
+            self.service_port
+        );
         fs::write(templates_dir.join("deployment.yaml"), deployment_yaml)?;
 
         // Create templates/ingress.yaml
-        let ingress_yaml = r#"
-{{- if $.Values.ingress.enabled -}}
+        let ingress_yaml = format!(
+            r#"
+{{{{- if $.Values.ingress.enabled -}}}}
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
-  name: {{ include "chart.fullname" . }}
+  name: {{{{ include "chart.fullname" . }}}}
   annotations:
-    {{- toYaml $.Values.ingress.annotations | nindent 4 }}
+    {{{{- toYaml $.Values.ingress.annotations | nindent 4 }}}}
 spec:
-  {{- if $.Values.ingress.tls }}
+  {{{{- if $.Values.ingress.tls }}}}
   tls:
-    {{- range $.Values.ingress.tls }}
+    {{{{- range $.Values.ingress.tls }}}}
     - hosts:
-        {{- range .hosts }}
-        - {{ . | quote }}
-        {{- end }}
-      secretName: {{ .secretName }}
-    {{- end }}
-  {{- end }}
+        {{{{- range .hosts }}}}
+        - {{{{ . | quote }}}}
+        {{{{- end }}}}
+      secretName: {{{{ .secretName }}}}
+    {{{{- end }}}}
+  {{{{- end }}}}
   rules:
-    {{- range $.Values.ingress.hosts }}
-    - host: {{ .host | quote }}
+    {{{{- range $.Values.ingress.hosts }}}}
+    - host: {{{{ .host | quote }}}}
       http:
         paths:
-          {{- range .paths }}
-          - path: {{ .path }}
-            pathType: {{ .pathType }}
+          {{{{- range .paths }}}}
+          - path: {{{{ .path }}}}
+            pathType: {{{{ .pathType }}}}
             backend:
               service:
-                name: {{ include "chart.fullname" $ }}
+                name: {{{{ include "chart.fullname" $ }}}}
                 port:
-                  number: {{ $.Values.service.port | default 3000 }}
-          {{- end }}
-    {{- end }}
-{{- end }}
-"#;
+                  number: {{{{ $.Values.service.port | default {} }}}}
+          {{{{- end }}}}
+    {{{{- end }}}}
+{{{{- end }}}}
+"#,
+            self.service_port
+        );
         fs::write(templates_dir.join("ingress.yaml"), ingress_yaml)?;
 
         Ok(chart_dir)
@@ -571,7 +674,6 @@ spec:
         let chart_file_name = packaged_chart_path.file_stem().unwrap().to_str().unwrap();
         let oci_push_url = format!("oci://{}/{}", *REGISTRY_URL, *REGISTRY_PROJECT);
         let oci_pull_url = format!("{oci_push_url}/{}-chart", self.name);
-
         debug!(
             "Pushing Helm chart {} to {}",
             packaged_chart_path.to_string_lossy(),
@@ -590,4 +692,20 @@ spec:
         debug!("push url {oci_push_url}");
         Ok(format!("{}:{}", oci_pull_url, version))
     }
+
+    fn get_or_build_dockerfile(&self) -> Result<PathBuf, Box<dyn std::error::Error>> {
+        let existing_dockerfile = self.project_root.join("Dockerfile");
+
+        debug!("project_root = {:?}", self.project_root);
+
+        debug!("checking = {:?}", existing_dockerfile);
+        if existing_dockerfile.exists() {
+            debug!(
+                "Checking path {:#?} for existing Dockerfile",
+                self.project_root.clone()
+            );
+            return Ok(existing_dockerfile);
+        }
+        self.build_dockerfile()
+    }
 }

harmony/src/modules/cert_manager/gen_ca_cert.rs

@@ -0,0 +1,106 @@
+use std::sync::Arc;
+
+use async_trait::async_trait;
+use harmony_types::id::Id;
+use serde::Serialize;
+
+use crate::{
+    data::Version,
+    interpret::{Interpret, InterpretError, InterpretName, InterpretStatus, Outcome},
+    inventory::Inventory,
+    score::Score,
+    topology::{K8sclient, Topology, k8s::K8sClient},
+};
+
+#[derive(Clone, Serialize, Debug)]
+pub struct GenerateCaCertScore {
+    cluster_issuer_name: String,
+    dns_names: String,
+    operator_namespace: String,
+}
+
+impl<T: Topology + K8sclient> Score<T> for GenerateCaCertScore {
+    fn name(&self) -> String {
+        "GenerateCaCertScore".to_string()
+    }
+
+    fn create_interpret(&self) -> Box<dyn Interpret<T>> {
+        Box::new(GenerateCaCertIntepret {
+            score: self.clone(),
+        })
+    }
+}
+
+#[derive(Clone, Serialize, Debug)]
+pub struct GenerateCaCertIntepret {
+    score: GenerateCaCertScore,
+}
+
+#[async_trait]
+impl<T: Topology + K8sclient> Interpret<T> for GenerateCaCertIntepret {
+    async fn execute(
+        &self,
+        _inventory: &Inventory,
+        topology: &T,
+    ) -> Result<Outcome, InterpretError> {
+        let client = topology.k8s_client().await.unwrap();
+        let cert_yaml = self
+            .build_cert_request_yaml(&self.score.cluster_issuer_name, &self.score.dns_names)
+            .unwrap();
+        self.apply_cert_request(&client, cert_yaml, &self.score.operator_namespace)
+            .await?;
+        Ok(Outcome::success("created ca cert".to_string()))
+    }
+
+    fn get_name(&self) -> InterpretName {
+        InterpretName::Custom("GenerateCaCertInterpret")
+    }
+
+    fn get_version(&self) -> Version {
+        todo!()
+    }
+
+    fn get_status(&self) -> InterpretStatus {
+        todo!()
+    }
+
+    fn get_children(&self) -> Vec<Id> {
+        todo!()
+    }
+}
+
+impl GenerateCaCertIntepret {
+    pub fn build_cert_request_yaml(
+        &self,
+        cluster_issuer_name: &str,
+        dns_names: &str,
+    ) -> Result<serde_yaml::Value, InterpretError> {
+        let cert_yaml = format!(
+            r#"
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: ingress-cert
+  namespace: openshift-ingress
+spec:
+  secretName: ingress-cert-tls
+  issuerRef:
+    name: {cluster_issuer_name}
+    kind: ClusterIssuer
+  dnsNames:
+  - "*.{dns_names}"
+        "#
+        );
+        Ok(serde_yaml::to_value(cert_yaml)?)
+    }
+    pub async fn apply_cert_request(
+        &self,
+        client: &Arc<K8sClient>,
+        cert_yaml: serde_yaml::Value,
+        operator_namespace: &str,
+    ) -> Result<(), InterpretError> {
+        Ok(client
+            .apply_yaml(&cert_yaml, Some(operator_namespace))
+            .await?)
+    }
+}

harmony/src/modules/cert_manager/mod.rs

@@ -1,2 +1,3 @@
+mod gen_ca_cert;
 mod helm;
 pub use helm::*;

harmony/src/modules/dhcp.rs

@@ -69,17 +69,14 @@ impl DhcpInterpret {
 
         dhcp_server.set_pxe_options(pxe_options).await?;
 
-        Ok(Outcome::new(
-            InterpretStatus::SUCCESS,
-            format!(
-                "Dhcp Interpret Set next boot to [{:?}], boot_filename to [{:?}], filename to [{:?}], filename64 to [{:?}], filenameipxe to [:{:?}]",
-                self.score.boot_filename,
-                self.score.boot_filename,
-                self.score.filename,
-                self.score.filename64,
-                self.score.filenameipxe
-            ),
-        ))
+        Ok(Outcome::success(format!(
+            "Dhcp Interpret Set next boot to [{:?}], boot_filename to [{:?}], filename to [{:?}], filename64 to [{:?}], filenameipxe to [:{:?}]",
+            self.score.boot_filename,
+            self.score.boot_filename,
+            self.score.filename,
+            self.score.filename64,
+            self.score.filenameipxe
+        )))
     }
 }
 
@@ -122,8 +119,7 @@ impl<T: Topology + DhcpServer> Interpret<T> for DhcpInterpret {
 
         topology.commit_config().await?;
 
-        Ok(Outcome::new(
-            InterpretStatus::SUCCESS,
+        Ok(Outcome::success(
             "Dhcp Interpret execution successful".to_string(),
         ))
     }
@@ -197,10 +193,10 @@ impl DhcpHostBindingInterpret {
             }
         }
 
-        Ok(Outcome::new(
-            InterpretStatus::SUCCESS,
-            format!("Dhcp Interpret registered {} entries", number_new_entries),
-        ))
+        Ok(Outcome::success(format!(
+            "Dhcp Interpret registered {} entries",
+            number_new_entries
+        )))
     }
 }
 
@@ -236,12 +232,9 @@ impl<T: DhcpServer> Interpret<T> for DhcpHostBindingInterpret {
 
         topology.commit_config().await?;
 
-        Ok(Outcome::new(
-            InterpretStatus::SUCCESS,
-            format!(
-                "Dhcp Host Binding Interpret execution successful on {} hosts",
-                self.score.host_binding.len()
-            ),
-        ))
+        Ok(Outcome::success(format!(
+            "Dhcp Host Binding Interpret execution successful on {} hosts",
+            self.score.host_binding.len()
+        )))
     }
 }

harmony/src/modules/dns.rs

@@ -55,8 +55,7 @@ impl DnsInterpret {
             dns.register_dhcp_leases(register).await?;
         }
 
-        Ok(Outcome::new(
-            InterpretStatus::SUCCESS,
+        Ok(Outcome::success(
             "DNS Interpret execution successfull".to_string(),
         ))
     }
@@ -68,13 +67,10 @@ impl DnsInterpret {
         let entries = &self.score.dns_entries;
         dns_server.ensure_hosts_registered(entries.clone()).await?;
 
-        Ok(Outcome::new(
-            InterpretStatus::SUCCESS,
-            format!(
-                "DnsInterpret registered {} hosts successfully",
-                entries.len()
-            ),
-        ))
+        Ok(Outcome::success(format!(
+            "DnsInterpret registered {} hosts successfully",
+            entries.len()
+        )))
     }
 }
 
@@ -111,8 +107,7 @@ impl<T: Topology + DnsServer> Interpret<T> for DnsInterpret {
 
         topology.commit_config().await?;
 
-        Ok(Outcome::new(
-            InterpretStatus::SUCCESS,
+        Ok(Outcome::success(
             "Dns Interpret execution successful".to_string(),
         ))
     }

harmony/src/modules/helm/chart.rs

@@ -153,6 +153,10 @@ impl<T: Topology + HelmCommand> Interpret<T> for HelmChartInterpret {
         let yaml_path: Option<&Path> = match self.score.values_yaml.as_ref() {
             Some(yaml_str) => {
                 tf = temp_file::with_contents(yaml_str.as_bytes());
+                debug!(
+                    "values yaml string for chart {} :\n {yaml_str}",
+                    self.score.chart_name
+                );
                 Some(tf.path())
             }
             None => None,
@@ -193,13 +197,10 @@ impl<T: Topology + HelmCommand> Interpret<T> for HelmChartInterpret {
                     self.score.release_name, ns
                 );
 
-                return Ok(Outcome::new(
-                    InterpretStatus::SUCCESS,
-                    format!(
-                        "Helm Chart '{}' already installed to namespace {ns} and install_only=true",
-                        self.score.release_name
-                    ),
-                ));
+                return Ok(Outcome::success(format!(
+                    "Helm Chart '{}' already installed to namespace {ns} and install_only=true",
+                    self.score.release_name
+                )));
             } else {
                 info!(
                     "Release '{}' not found in namespace '{}'. Proceeding with installation.",
@@ -224,18 +225,18 @@ impl<T: Topology + HelmCommand> Interpret<T> for HelmChartInterpret {
         };
 
         match status {
-            helm_wrapper_rs::HelmDeployStatus::Deployed => Ok(Outcome::new(
-                InterpretStatus::SUCCESS,
-                format!("Helm Chart {} deployed", self.score.release_name),
-            )),
-            helm_wrapper_rs::HelmDeployStatus::PendingInstall => Ok(Outcome::new(
-                InterpretStatus::RUNNING,
-                format!("Helm Chart {} pending install...", self.score.release_name),
-            )),
-            helm_wrapper_rs::HelmDeployStatus::PendingUpgrade => Ok(Outcome::new(
-                InterpretStatus::RUNNING,
-                format!("Helm Chart {} pending upgrade...", self.score.release_name),
-            )),
+            helm_wrapper_rs::HelmDeployStatus::Deployed => Ok(Outcome::success(format!(
+                "Helm Chart {} deployed",
+                self.score.release_name
+            ))),
+            helm_wrapper_rs::HelmDeployStatus::PendingInstall => Ok(Outcome::running(format!(
+                "Helm Chart {} pending install...",
+                self.score.release_name
+            ))),
+            helm_wrapper_rs::HelmDeployStatus::PendingUpgrade => Ok(Outcome::running(format!(
+                "Helm Chart {} pending upgrade...",
+                self.score.release_name
+            ))),
             helm_wrapper_rs::HelmDeployStatus::Failed => Err(InterpretError::new(format!(
                 "Helm Chart {} installation failed",
                 self.score.release_name

harmony/src/modules/inventory/discovery.rs

@@ -0,0 +1,122 @@
+use async_trait::async_trait;
+use harmony_types::id::Id;
+use log::{error, info};
+use serde::{Deserialize, Serialize};
+
+use crate::{
+    data::Version,
+    hardware::PhysicalHost,
+    infra::inventory::InventoryRepositoryFactory,
+    interpret::{Interpret, InterpretError, InterpretName, InterpretStatus, Outcome},
+    inventory::{HostRole, Inventory},
+    modules::inventory::LaunchDiscoverInventoryAgentScore,
+    score::Score,
+    topology::Topology,
+};
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct DiscoverHostForRoleScore {
+    pub role: HostRole,
+}
+
+impl<T: Topology> Score<T> for DiscoverHostForRoleScore {
+    fn name(&self) -> String {
+        "DiscoverInventoryAgentScore".to_string()
+    }
+
+    fn create_interpret(&self) -> Box<dyn Interpret<T>> {
+        Box::new(DiscoverHostForRoleInterpret {
+            score: self.clone(),
+        })
+    }
+}
+
+#[derive(Debug)]
+pub struct DiscoverHostForRoleInterpret {
+    score: DiscoverHostForRoleScore,
+}
+
+#[async_trait]
+impl<T: Topology> Interpret<T> for DiscoverHostForRoleInterpret {
+    async fn execute(
+        &self,
+        inventory: &Inventory,
+        topology: &T,
+    ) -> Result<Outcome, InterpretError> {
+        info!(
+            "Launching discovery agent, make sure that your nodes are successfully PXE booted and running inventory agent. They should answer on `http://<node_ip>:8080/inventory`"
+        );
+        LaunchDiscoverInventoryAgentScore {
+            discovery_timeout: None,
+        }
+        .interpret(inventory, topology)
+        .await?;
+
+        let host: PhysicalHost;
+        let host_repo = InventoryRepositoryFactory::build().await?;
+
+        loop {
+            let all_hosts = host_repo.get_all_hosts().await?;
+
+            if all_hosts.is_empty() {
+                info!("No discovered hosts found yet. Waiting for hosts to appear...");
+                // Sleep to avoid spamming the user and logs while waiting for nodes.
+                tokio::time::sleep(std::time::Duration::from_secs(3)).await;
+                continue;
+            }
+
+            let ans = inquire::Select::new(
+                &format!("Select the node to be used for role {:?}:", self.score.role),
+                all_hosts,
+            )
+            .with_help_message("Press Esc to refresh the list of discovered hosts")
+            .prompt();
+
+            match ans {
+                Ok(choice) => {
+                    info!("Selected {} as the bootstrap node.", choice.summary());
+                    host_repo
+                        .save_role_mapping(&self.score.role, &choice)
+                        .await?;
+                    host = choice;
+                    break;
+                }
+                Err(inquire::InquireError::OperationCanceled) => {
+                    info!("Refresh requested. Fetching list of discovered hosts again...");
+                    continue;
+                }
+                Err(e) => {
+                    error!(
+                        "Failed to select node for role {:?} : {}",
+                        self.score.role, e
+                    );
+                    return Err(InterpretError::new(format!(
+                        "Could not select host : {}",
+                        e.to_string()
+                    )));
+                }
+            }
+        }
+
+        Ok(Outcome::success(format!(
+            "Successfully discovered host {} for role {:?}",
+            host.summary(),
+            self.score.role
+        )))
+    }
+    fn get_name(&self) -> InterpretName {
+        InterpretName::Custom("DiscoverHostForRoleScore")
+    }
+
+    fn get_version(&self) -> Version {
+        todo!()
+    }
+
+    fn get_status(&self) -> InterpretStatus {
+        todo!()
+    }
+
+    fn get_children(&self) -> Vec<Id> {
+        todo!()
+    }
+}

harmony/src/modules/inventory/inspect.rs

@@ -0,0 +1,72 @@
+use async_trait::async_trait;
+use harmony_types::id::Id;
+use log::info;
+use serde::{Deserialize, Serialize};
+use strum::IntoEnumIterator;
+
+use crate::{
+    data::Version,
+    infra::inventory::InventoryRepositoryFactory,
+    interpret::{Interpret, InterpretError, InterpretName, InterpretStatus, Outcome},
+    inventory::{HostRole, Inventory},
+    score::Score,
+    topology::Topology,
+};
+
+#[derive(Debug, Serialize, Deserialize, Clone)]
+pub struct InspectInventoryScore {}
+
+impl<T: Topology> Score<T> for InspectInventoryScore {
+    fn name(&self) -> String {
+        "InspectInventoryScore".to_string()
+    }
+
+    #[doc(hidden)]
+    fn create_interpret(&self) -> Box<dyn Interpret<T>> {
+        Box::new(InspectInventoryInterpret {})
+    }
+}
+
+#[derive(Debug)]
+pub struct InspectInventoryInterpret;
+
+#[async_trait]
+impl<T: Topology> Interpret<T> for InspectInventoryInterpret {
+    async fn execute(
+        &self,
+        _inventory: &Inventory,
+        _topology: &T,
+    ) -> Result<Outcome, InterpretError> {
+        let repo = InventoryRepositoryFactory::build().await?;
+        for role in HostRole::iter() {
+            info!("Inspecting hosts for role {role:?}");
+            let hosts = repo.get_host_for_role(&role).await?;
+            info!("Hosts with role {role:?} : {}", hosts.len());
+            hosts.iter().enumerate().for_each(|(idx, h)| {
+                info!(
+                    "Found host index {idx} with role {role:?} => \n{}\n{}",
+                    h.summary(),
+                    h.parts_list()
+                )
+            });
+        }
+        Ok(Outcome::success(
+            "Inventory inspection complete".to_string(),
+        ))
+    }
+    fn get_name(&self) -> InterpretName {
+        InterpretName::Custom("InspectInventoryInterpret")
+    }
+
+    fn get_version(&self) -> Version {
+        todo!()
+    }
+
+    fn get_status(&self) -> InterpretStatus {
+        todo!()
+    }
+
+    fn get_children(&self) -> Vec<Id> {
+        todo!()
+    }
+}

harmony/src/modules/inventory/mod.rs

@@ -1,3 +1,7 @@
+mod discovery;
+pub mod inspect;
+pub use discovery::*;
+
 use async_trait::async_trait;
 use harmony_inventory_agent::local_presence::DiscoveryEvent;
 use log::{debug, info, trace};
@@ -129,10 +133,9 @@ impl<T: Topology> Interpret<T> for DiscoverInventoryAgentInterpret {
             },
         )
         .await;
-        Ok(Outcome {
-            status: InterpretStatus::SUCCESS,
-            message: "Discovery process completed successfully".to_string(),
-        })
+        Ok(Outcome::success(
+            "Discovery process completed successfully".to_string(),
+        ))
     }
 
     fn get_name(&self) -> InterpretName {

harmony/src/modules/k8s/ingress.rs

@@ -1,11 +1,15 @@
+use async_trait::async_trait;
 use harmony_macros::ingress_path;
+use harmony_types::id::Id;
 use k8s_openapi::api::networking::v1::Ingress;
 use log::{debug, trace};
 use serde::Serialize;
 use serde_json::json;
 
 use crate::{
-    interpret::Interpret,
+    data::Version,
+    interpret::{Interpret, InterpretError, InterpretName, InterpretStatus, Outcome},
+    inventory::Inventory,
     score::Score,
     topology::{K8sclient, Topology},
 };
@@ -40,6 +44,7 @@ pub struct K8sIngressScore {
     pub path: Option<IngressPath>,
     pub path_type: Option<PathType>,
     pub namespace: Option<fqdn::FQDN>,
+    pub ingress_class_name: Option<String>,
 }
 
 impl<T: Topology + K8sclient> Score<T> for K8sIngressScore {
@@ -54,12 +59,18 @@ impl<T: Topology + K8sclient> Score<T> for K8sIngressScore {
             None => PathType::Prefix,
         };
 
+        let ingress_class = match self.ingress_class_name.clone() {
+            Some(ingress_class_name) => ingress_class_name,
+            None => "\"default\"".to_string(),
+        };
+
         let ingress = json!(
             {
                 "metadata": {
                     "name": self.name.to_string(),
                 },
                 "spec": {
+                    "ingressClassName": ingress_class.as_str(),
                     "rules": [
                         {   "host": self.host.to_string(),
                             "http": {
@@ -90,11 +101,12 @@ impl<T: Topology + K8sclient> Score<T> for K8sIngressScore {
             "Successfully built Ingress for host {:?}",
             ingress.metadata.name
         );
-        Box::new(K8sResourceInterpret {
-            score: K8sResourceScore::single(
-                ingress.clone(),
-                self.namespace.clone().map(|f| f.to_string()),
-            ),
+
+        Box::new(K8sIngressInterpret {
+            ingress,
+            service: self.name.to_string(),
+            namespace: self.namespace.clone().map(|f| f.to_string()),
+            host: self.host.clone(),
         })
     }
 
@@ -102,3 +114,62 @@ impl<T: Topology + K8sclient> Score<T> for K8sIngressScore {
         format!("{} K8sIngressScore", self.name)
     }
 }
+
+#[derive(std::fmt::Debug)]
+struct K8sIngressInterpret {
+    ingress: Ingress,
+    service: String,
+    namespace: Option<String>,
+    host: fqdn::FQDN,
+}
+
+#[async_trait]
+impl<T: Topology + K8sclient> Interpret<T> for K8sIngressInterpret {
+    async fn execute(
+        &self,
+        inventory: &Inventory,
+        topology: &T,
+    ) -> Result<Outcome, InterpretError> {
+        let result = K8sResourceInterpret {
+            score: K8sResourceScore::single(self.ingress.clone(), self.namespace.clone()),
+        }
+        .execute(inventory, topology)
+        .await;
+
+        match result {
+            Ok(outcome) => match outcome.status {
+                InterpretStatus::SUCCESS => {
+                    let details = match &self.namespace {
+                        Some(namespace) => {
+                            vec![format!(
+                                "{} ({namespace}): http://{}",
+                                self.service, self.host
+                            )]
+                        }
+                        None => vec![format!("{}: {}", self.service, self.host)],
+                    };
+
+                    Ok(Outcome::success_with_details(outcome.message, details))
+                }
+                _ => Ok(outcome),
+            },
+            Err(e) => Err(e),
+        }
+    }
+
+    fn get_name(&self) -> InterpretName {
+        InterpretName::K8sIngress
+    }
+
+    fn get_version(&self) -> Version {
+        Version::from("0.0.1").unwrap()
+    }
+
+    fn get_status(&self) -> InterpretStatus {
+        todo!()
+    }
+
+    fn get_children(&self) -> Vec<Id> {
+        vec![]
+    }
+}

harmony/src/modules/lamp.rs

@@ -147,6 +147,7 @@ impl<T: Topology + K8sclient + HelmCommand> Interpret<T> for LAMPInterpret {
             port: 8080,
             path: Some(ingress_path),
             path_type: None,
+            ingress_class_name: None,
             namespace: self
                 .get_namespace()
                 .map(|nbs| fqdn!(nbs.to_string().as_str())),

harmony/src/modules/monitoring/alert_channel/discord_alert_channel.rs

@@ -4,6 +4,7 @@ use std::collections::BTreeMap;
 use async_trait::async_trait;
 use k8s_openapi::api::core::v1::Secret;
 use kube::api::ObjectMeta;
+use log::debug;
 use serde::Serialize;
 use serde_json::json;
 use serde_yaml::{Mapping, Value};
@@ -11,6 +12,7 @@ use serde_yaml::{Mapping, Value};
 use crate::modules::monitoring::kube_prometheus::crd::crd_alertmanager_config::{
     AlertmanagerConfig, AlertmanagerConfigSpec, CRDPrometheus,
 };
+use crate::modules::monitoring::kube_prometheus::crd::rhob_alertmanager_config::RHOBObservability;
 use crate::{
     interpret::{InterpretError, Outcome},
     modules::monitoring::{
@@ -30,6 +32,94 @@ pub struct DiscordWebhook {
     pub url: Url,
 }
 
+#[async_trait]
+impl AlertReceiver<RHOBObservability> for DiscordWebhook {
+    async fn install(&self, sender: &RHOBObservability) -> Result<Outcome, InterpretError> {
+        let ns = sender.namespace.clone();
+        let secret_name = format!("{}-secret", self.name.clone());
+        let webhook_key = format!("{}", self.url.clone());
+
+        let mut string_data = BTreeMap::new();
+        string_data.insert("webhook-url".to_string(), webhook_key.clone());
+
+        let secret = Secret {
+            metadata: kube::core::ObjectMeta {
+                name: Some(secret_name.clone()),
+                ..Default::default()
+            },
+            string_data: Some(string_data),
+            type_: Some("Opaque".to_string()),
+            ..Default::default()
+        };
+
+        let _ = sender.client.apply(&secret, Some(&ns)).await;
+        let spec = crate::modules::monitoring::kube_prometheus::crd::rhob_alertmanager_config::AlertmanagerConfigSpec {
+            data: json!({
+                "route": {
+                    "receiver": self.name,
+                },
+                "receivers": [
+                    {
+                        "name": self.name,
+                        "discordConfigs": [
+                            {
+                            "apiURL": {
+                                "name": secret_name,
+                                "key":  "webhook-url",
+                            },
+                            "title": "{{ template \"discord.default.title\" . }}",
+                            "message": "{{ template \"discord.default.message\" . }}"
+                            }
+                        ]
+                    }
+                ]
+            }),
+        };
+
+        let alertmanager_configs = crate::modules::monitoring::kube_prometheus::crd::rhob_alertmanager_config::AlertmanagerConfig {
+            metadata: ObjectMeta {
+                name: Some(self.name.clone()),
+                labels: Some(std::collections::BTreeMap::from([(
+                    "alertmanagerConfig".to_string(),
+                    "enabled".to_string(),
+                )])),
+                namespace: Some(sender.namespace.clone()),
+                ..Default::default()
+            },
+            spec,
+        };
+        debug!(
+            "alertmanager_configs yaml:\n{:#?}",
+            serde_yaml::to_string(&alertmanager_configs)
+        );
+        debug!(
+            "alert manager configs: \n{:#?}",
+            alertmanager_configs.clone()
+        );
+
+        sender
+            .client
+            .apply(&alertmanager_configs, Some(&sender.namespace))
+            .await?;
+        Ok(Outcome::success(format!(
+            "installed rhob-alertmanagerconfigs for {}",
+            self.name
+        )))
+    }
+
+    fn name(&self) -> String {
+        "webhook-receiver".to_string()
+    }
+
+    fn clone_box(&self) -> Box<dyn AlertReceiver<RHOBObservability>> {
+        Box::new(self.clone())
+    }
+
+    fn as_any(&self) -> &dyn Any {
+        self
+    }
+}
+
 #[async_trait]
 impl AlertReceiver<CRDPrometheus> for DiscordWebhook {
     async fn install(&self, sender: &CRDPrometheus) -> Result<Outcome, InterpretError> {

harmony/src/modules/monitoring/alert_channel/webhook_receiver.rs

@@ -11,8 +11,8 @@ use crate::{
     interpret::{InterpretError, Outcome},
     modules::monitoring::{
         kube_prometheus::{
-            crd::crd_alertmanager_config::{
-                AlertmanagerConfig, AlertmanagerConfigSpec, CRDPrometheus,
+            crd::{
+                crd_alertmanager_config::CRDPrometheus, rhob_alertmanager_config::RHOBObservability,
             },
             prometheus::{KubePrometheus, KubePrometheusReceiver},
             types::{AlertChannelConfig, AlertManagerChannelConfig},
@@ -29,10 +29,76 @@ pub struct WebhookReceiver {
     pub url: Url,
 }
 
+#[async_trait]
+impl AlertReceiver<RHOBObservability> for WebhookReceiver {
+    async fn install(&self, sender: &RHOBObservability) -> Result<Outcome, InterpretError> {
+        let spec = crate::modules::monitoring::kube_prometheus::crd::rhob_alertmanager_config::AlertmanagerConfigSpec {
+            data: json!({
+                "route": {
+                    "receiver": self.name,
+                },
+                "receivers": [
+                    {
+                        "name": self.name,
+                        "webhookConfigs": [
+                            {
+                            "url": self.url,
+                            "httpConfig": {
+                                "tlsConfig": {
+                                    "insecureSkipVerify": true
+                                    }
+                                }
+                            }
+                        ]
+                    }
+                ]
+            }),
+        };
+
+        let alertmanager_configs = crate::modules::monitoring::kube_prometheus::crd::rhob_alertmanager_config::AlertmanagerConfig {
+            metadata: ObjectMeta {
+                name: Some(self.name.clone()),
+                labels: Some(std::collections::BTreeMap::from([(
+                    "alertmanagerConfig".to_string(),
+                    "enabled".to_string(),
+                )])),
+                namespace: Some(sender.namespace.clone()),
+                ..Default::default()
+            },
+            spec,
+        };
+        debug!(
+            "alert manager configs: \n{:#?}",
+            alertmanager_configs.clone()
+        );
+
+        sender
+            .client
+            .apply(&alertmanager_configs, Some(&sender.namespace))
+            .await?;
+        Ok(Outcome::success(format!(
+            "installed rhob-alertmanagerconfigs for {}",
+            self.name
+        )))
+    }
+
+    fn name(&self) -> String {
+        "webhook-receiver".to_string()
+    }
+
+    fn clone_box(&self) -> Box<dyn AlertReceiver<RHOBObservability>> {
+        Box::new(self.clone())
+    }
+
+    fn as_any(&self) -> &dyn Any {
+        self
+    }
+}
+
 #[async_trait]
 impl AlertReceiver<CRDPrometheus> for WebhookReceiver {
     async fn install(&self, sender: &CRDPrometheus) -> Result<Outcome, InterpretError> {
-        let spec = AlertmanagerConfigSpec {
+        let spec = crate::modules::monitoring::kube_prometheus::crd::crd_alertmanager_config::AlertmanagerConfigSpec {
             data: json!({
                 "route": {
                     "receiver": self.name,
@@ -50,7 +116,7 @@ impl AlertReceiver<CRDPrometheus> for WebhookReceiver {
             }),
         };
 
-        let alertmanager_configs = AlertmanagerConfig {
+        let alertmanager_configs = crate::modules::monitoring::kube_prometheus::crd::crd_alertmanager_config::AlertmanagerConfig {
             metadata: ObjectMeta {
                 name: Some(self.name.clone()),
                 labels: Some(std::collections::BTreeMap::from([(
@@ -115,6 +181,7 @@ impl PrometheusReceiver for WebhookReceiver {
         self.get_config().await
     }
 }
+
 #[async_trait]
 impl AlertReceiver<KubePrometheus> for WebhookReceiver {
     async fn install(&self, sender: &KubePrometheus) -> Result<Outcome, InterpretError> {

harmony/src/modules/monitoring/application_monitoring/application_monitoring_score.rs

@@ -68,7 +68,9 @@ impl<T: Topology + PrometheusApplicationMonitoring<CRDPrometheus>> Interpret<T>
                 PreparationOutcome::Success { details: _ } => {
                     Ok(Outcome::success("Prometheus installed".into()))
                 }
-                PreparationOutcome::Noop => Ok(Outcome::noop()),
+                PreparationOutcome::Noop => {
+                    Ok(Outcome::noop("Prometheus installation skipped".into()))
+                }
             },
             Err(err) => Err(InterpretError::from(err)),
         }

harmony/src/modules/monitoring/application_monitoring/mod.rs

@@ -1 +1,2 @@
 pub mod application_monitoring_score;
+pub mod rhobs_application_monitoring_score;

harmony/src/modules/monitoring/application_monitoring/rhobs_application_monitoring_score.rs

@@ -0,0 +1,96 @@
+use std::sync::Arc;
+
+use async_trait::async_trait;
+use serde::Serialize;
+
+use crate::{
+    data::Version,
+    interpret::{Interpret, InterpretError, InterpretName, InterpretStatus, Outcome},
+    inventory::Inventory,
+    modules::{
+        application::Application,
+        monitoring::kube_prometheus::crd::{
+            crd_alertmanager_config::CRDPrometheus, rhob_alertmanager_config::RHOBObservability,
+        },
+        prometheus::prometheus::PrometheusApplicationMonitoring,
+    },
+    score::Score,
+    topology::{PreparationOutcome, Topology, oberservability::monitoring::AlertReceiver},
+};
+use harmony_types::id::Id;
+
+#[derive(Debug, Clone, Serialize)]
+pub struct ApplicationRHOBMonitoringScore {
+    pub sender: RHOBObservability,
+    pub application: Arc<dyn Application>,
+    pub receivers: Vec<Box<dyn AlertReceiver<RHOBObservability>>>,
+}
+
+impl<T: Topology + PrometheusApplicationMonitoring<RHOBObservability>> Score<T>
+    for ApplicationRHOBMonitoringScore
+{
+    fn create_interpret(&self) -> Box<dyn Interpret<T>> {
+        Box::new(ApplicationRHOBMonitoringInterpret {
+            score: self.clone(),
+        })
+    }
+
+    fn name(&self) -> String {
+        format!(
+            "{} monitoring [ApplicationRHOBMonitoringScore]",
+            self.application.name()
+        )
+    }
+}
+
+#[derive(Debug)]
+pub struct ApplicationRHOBMonitoringInterpret {
+    score: ApplicationRHOBMonitoringScore,
+}
+
+#[async_trait]
+impl<T: Topology + PrometheusApplicationMonitoring<RHOBObservability>> Interpret<T>
+    for ApplicationRHOBMonitoringInterpret
+{
+    async fn execute(
+        &self,
+        inventory: &Inventory,
+        topology: &T,
+    ) -> Result<Outcome, InterpretError> {
+        let result = topology
+            .install_prometheus(
+                &self.score.sender,
+                inventory,
+                Some(self.score.receivers.clone()),
+            )
+            .await;
+
+        match result {
+            Ok(outcome) => match outcome {
+                PreparationOutcome::Success { details: _ } => {
+                    Ok(Outcome::success("Prometheus installed".into()))
+                }
+                PreparationOutcome::Noop => {
+                    Ok(Outcome::noop("Prometheus installation skipped".into()))
+                }
+            },
+            Err(err) => Err(InterpretError::from(err)),
+        }
+    }
+
+    fn get_name(&self) -> InterpretName {
+        InterpretName::ApplicationMonitoring
+    }
+
+    fn get_version(&self) -> Version {
+        todo!()
+    }
+
+    fn get_status(&self) -> InterpretStatus {
+        todo!()
+    }
+
+    fn get_children(&self) -> Vec<Id> {
+        todo!()
+    }
+}

harmony/src/modules/monitoring/kube_prometheus/crd/mod.rs

@@ -7,5 +7,15 @@ pub mod crd_prometheuses;
 pub mod grafana_default_dashboard;
 pub mod grafana_operator;
 pub mod prometheus_operator;
+pub mod rhob_alertmanager_config;
+pub mod rhob_alertmanagers;
+pub mod rhob_cluster_observability_operator;
+pub mod rhob_default_rules;
+pub mod rhob_grafana;
+pub mod rhob_monitoring_stack;
+pub mod rhob_prometheus_rules;
+pub mod rhob_prometheuses;
+pub mod rhob_role;
+pub mod rhob_service_monitor;
 pub mod role;
 pub mod service_monitor;

harmony/src/modules/monitoring/kube_prometheus/crd/rhob_alertmanager_config.rs

@@ -0,0 +1,50 @@
+use std::sync::Arc;
+
+use kube::CustomResource;
+use schemars::JsonSchema;
+use serde::{Deserialize, Serialize};
+
+use crate::topology::{
+    k8s::K8sClient,
+    oberservability::monitoring::{AlertReceiver, AlertSender},
+};
+
+#[derive(CustomResource, Serialize, Deserialize, Debug, Clone, JsonSchema)]
+#[kube(
+    group = "monitoring.rhobs",
+    version = "v1alpha1",
+    kind = "AlertmanagerConfig",
+    plural = "alertmanagerconfigs",
+    namespaced
+)]
+pub struct AlertmanagerConfigSpec {
+    #[serde(flatten)]
+    pub data: serde_json::Value,
+}
+
+#[derive(Debug, Clone, Serialize)]
+pub struct RHOBObservability {
+    pub namespace: String,
+    pub client: Arc<K8sClient>,
+}
+
+impl AlertSender for RHOBObservability {
+    fn name(&self) -> String {
+        "RHOBAlertManager".to_string()
+    }
+}
+
+impl Clone for Box<dyn AlertReceiver<RHOBObservability>> {
+    fn clone(&self) -> Self {
+        self.clone_box()
+    }
+}
+
+impl Serialize for Box<dyn AlertReceiver<RHOBObservability>> {
+    fn serialize<S>(&self, _serializer: S) -> Result<S::Ok, S::Error>
+    where
+        S: serde::Serializer,
+    {
+        todo!()
+    }
+}