cargo fmt

examples/cert_manager/Cargo.toml

@@ -0,0 +1,19 @@
+[package]
+name = "cert_manager"
+edition = "2024"
+version.workspace = true
+readme.workspace = true
+license.workspace = true
+publish = false
+
+[dependencies]
+harmony = { path = "../../harmony" }
+harmony_cli = { path = "../../harmony_cli" }
+harmony_types = { path = "../../harmony_types" }
+cidr = { workspace = true }
+tokio = { workspace = true }
+harmony_macros = { path = "../../harmony_macros" }
+log = { workspace = true }
+env_logger = { workspace = true }
+url = { workspace = true }
+assert_cmd = "2.0.16"

examples/cert_manager/src/main.rs

@@ -0,0 +1,46 @@
+use harmony::{
+    inventory::Inventory,
+    modules::{
+        cert_manager::{
+            capability::CertificateManagementConfig, score_create_cert::CertificateCreationScore,
+            score_create_issuer::CertificateIssuerScore,
+            score_operator::CertificateManagementScore,
+        },
+        postgresql::{PostgreSQLScore, capability::PostgreSQLConfig},
+    },
+    topology::K8sAnywhereTopology,
+};
+
+#[tokio::main]
+async fn main() {
+    let config = CertificateManagementConfig {
+        namespace: Some("test".to_string()),
+        acme_issuer: None,
+        ca_issuer: None,
+        self_signed: true,
+    };
+
+    let cert_manager = CertificateManagementScore {
+        config: config.clone(),
+    };
+
+    let issuer = CertificateIssuerScore {
+        config: config.clone(),
+        issuer_name: "test-self-signed-issuer".to_string(),
+    };
+
+    let cert = CertificateCreationScore {
+        config: config.clone(),
+        cert_name: "test-self-signed-cert".to_string(),
+        issuer_name: "test-self-signed-issuer".to_string(),
+    };
+
+    harmony_cli::run(
+        Inventory::autoload(),
+        K8sAnywhereTopology::from_env(),
+        vec![Box::new(cert_manager), Box::new(issuer), Box::new(cert)],
+        None,
+    )
+    .await
+    .unwrap();
+}

harmony/src/domain/topology/k8s.rs

@@ -230,14 +230,26 @@ impl K8sClient {
         namespace: Option<&str>,
         gvk: &GroupVersionKind,
     ) -> Result<DynamicObject, Error> {
-        let gvk = ApiResource::from_gvk(gvk);
+        let api_resource = ApiResource::from_gvk(gvk);
-        let resource: Api<DynamicObject> = if let Some(ns) = namespace {
-            Api::namespaced_with(self.client.clone(), ns, &gvk)
-        } else {
-            Api::default_namespaced_with(self.client.clone(), &gvk)
-        };
 
-        resource.get(name).await
+        // 1. Try namespaced first (if a namespace was provided)
+        if let Some(ns) = namespace {
+            let api: Api<DynamicObject> =
+                Api::namespaced_with(self.client.clone(), ns, &api_resource);
+
+            match api.get(name).await {
+                Ok(obj) => return Ok(obj),
+                Err(Error::Api(ae)) if ae.code == 404 => {
+                    // fall through and try cluster-scoped
+                }
+                Err(e) => return Err(e),
+            }
+        }
+
+        // 2. Fallback to cluster-scoped
+        let api: Api<DynamicObject> = Api::all_with(self.client.clone(), &api_resource);
+
+        api.get(name).await
     }
 
     pub async fn get_secret_json_value(

harmony/src/domain/topology/k8s_anywhere/k8s_anywhere.rs

@@ -17,6 +17,11 @@ use crate::{
     interpret::InterpretStatus,
     inventory::Inventory,
     modules::{
+        cert_manager::{
+            capability::{CertificateManagement, CertificateManagementConfig},
+            crd::{score_certificate::CertificateScore, score_issuer::IssuerScore},
+            operator::CertManagerOperatorScore,
+        },
         k3d::K3DInstallationScore,
         k8s::ingress::{K8sIngressScore, PathType},
         monitoring::{
@@ -359,6 +364,97 @@ impl Serialize for K8sAnywhereTopology {
     }
 }
 
+#[async_trait]
+impl CertificateManagement for K8sAnywhereTopology {
+    async fn install(&self) -> Result<PreparationOutcome, PreparationError> {
+        let cert_management_operator = CertManagerOperatorScore::default();
+
+        cert_management_operator
+            .interpret(&Inventory::empty(), self)
+            .await
+            .map_err(|e| PreparationError { msg: e.to_string() })?;
+
+        Ok(PreparationOutcome::Success {
+            details: format!(
+                "Installed cert-manager into ns: {}",
+                cert_management_operator.namespace
+            ),
+        })
+    }
+
+    async fn ensure_certificate_management_ready(
+        &self,
+        config: &CertificateManagementConfig,
+    ) -> Result<PreparationOutcome, PreparationError> {
+        let k8s_client = self.k8s_client().await.unwrap();
+        let gvk = GroupVersionKind {
+            group: "operators.coreos.com".to_string(),
+            version: "v1".to_string(),
+            kind: "Operator".to_string(),
+        };
+        //TODO make this generic across k8s distributions using k8s family
+        match k8s_client
+            .get_resource_json_value("cert-manager.openshift-operators", None, &gvk)
+            .await
+        {
+            Ok(_ready) => Ok(PreparationOutcome::Success {
+                details: "Certificate Management Ready".to_string(),
+            }),
+            Err(e) => {
+                debug!("{} operator not found", e.to_string());
+                self.install().await
+            }
+        }
+    }
+
+    async fn create_issuer(
+        &self,
+        issuer_name: String,
+        config: &CertificateManagementConfig,
+    ) -> Result<PreparationOutcome, PreparationError> {
+        let issuer_score = IssuerScore {
+            issuer_name: issuer_name.clone(),
+            config: config.clone(),
+        };
+
+        issuer_score
+            .interpret(&Inventory::empty(), self)
+            .await
+            .map_err(|e| PreparationError { msg: e.to_string() })?;
+
+        Ok(PreparationOutcome::Success {
+            details: format!("issuer of kind {} is ready", issuer_name),
+        })
+    }
+
+    async fn create_certificate(
+        &self,
+        cert_name: String,
+        issuer_name: String,
+        config: &CertificateManagementConfig,
+    ) -> Result<PreparationOutcome, PreparationError> {
+        self.certificate_issuer_ready(
+            issuer_name.clone(),
+            self.k8s_client().await.unwrap(),
+            config,
+        )
+        .await?;
+
+        let cert = CertificateScore {
+            cert_name: cert_name,
+            config: config.clone(),
+            issuer_name,
+        };
+        cert.interpret(&Inventory::empty(), self)
+            .await
+            .map_err(|e| PreparationError { msg: e.to_string() })?;
+
+        Ok(PreparationOutcome::Success {
+            details: format!("Created cert into ns: {:#?}", config.namespace.clone()),
+        })
+    }
+}
+
 impl K8sAnywhereTopology {
     pub fn from_env() -> Self {
         Self {
@@ -378,6 +474,35 @@ impl K8sAnywhereTopology {
         }
     }
 
+    pub async fn certificate_issuer_ready(
+        &self,
+        issuer_name: String,
+        k8s_client: Arc<K8sClient>,
+        config: &CertificateManagementConfig,
+    ) -> Result<PreparationOutcome, PreparationError> {
+        let ns = config.namespace.clone().ok_or_else(|| PreparationError {
+            msg: "namespace is required".to_string(),
+        })?;
+
+        let gvk = GroupVersionKind {
+            group: "cert-manager.io".to_string(),
+            version: "v1".to_string(),
+            kind: "Issuer".to_string(),
+        };
+
+        match k8s_client
+            .get_resource_json_value(&issuer_name, Some(&ns), &gvk)
+            .await
+        {
+            Ok(_cert_issuer) => Ok(PreparationOutcome::Success {
+                details: format!("issuer of kind {} is ready", issuer_name),
+            }),
+            Err(e) => Err(PreparationError {
+                msg: format!("{} issuer {} not present", e.to_string(), issuer_name),
+            }),
+        }
+    }
+
     pub async fn get_k8s_distribution(&self) -> Result<&KubernetesDistribution, PreparationError> {
         self.k8s_distribution
             .get_or_try_init(async || {

harmony/src/modules/cert_manager/capability.rs

@@ -0,0 +1,39 @@
+use async_trait::async_trait;
+use serde::Serialize;
+
+use crate::{
+    modules::cert_manager::crd::{AcmeIssuer, CaIssuer},
+    topology::{PreparationError, PreparationOutcome},
+};
+
+///TODO rust doc explaining issuer, certificate etc
+#[async_trait]
+pub trait CertificateManagement: Send + Sync {
+    async fn install(&self) -> Result<PreparationOutcome, PreparationError>;
+
+    async fn ensure_certificate_management_ready(
+        &self,
+        config: &CertificateManagementConfig,
+    ) -> Result<PreparationOutcome, PreparationError>;
+
+    async fn create_issuer(
+        &self,
+        issuer_name: String,
+        config: &CertificateManagementConfig,
+    ) -> Result<PreparationOutcome, PreparationError>;
+
+    async fn create_certificate(
+        &self,
+        cert_name: String,
+        issuer_name: String,
+        config: &CertificateManagementConfig,
+    ) -> Result<PreparationOutcome, PreparationError>;
+}
+
+#[derive(Debug, Clone, Serialize)]
+pub struct CertificateManagementConfig {
+    pub namespace: Option<String>,
+    pub acme_issuer: Option<AcmeIssuer>,
+    pub ca_issuer: Option<CaIssuer>,
+    pub self_signed: bool,
+}

harmony/src/modules/cert_manager/crd/certificate.rs

@@ -0,0 +1,112 @@
+use kube::{CustomResource, api::ObjectMeta};
+use serde::{Deserialize, Serialize};
+
+#[derive(CustomResource, Deserialize, Serialize, Clone, Debug)]
+#[kube(
+    group = "cert-manager.io",
+    version = "v1",
+    kind = "Certificate",
+    plural = "certificates",
+    namespaced = true,
+    schema = "disabled"
+)]
+#[serde(rename_all = "camelCase")]
+pub struct CertificateSpec {
+    /// Name of the Secret where the certificate will be stored
+    pub secret_name: String,
+
+    /// Common Name (optional but often discouraged in favor of SANs)
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub common_name: Option<String>,
+
+    /// DNS Subject Alternative Names
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub dns_names: Option<Vec<String>>,
+
+    /// IP Subject Alternative Names
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub ip_addresses: Option<Vec<String>>,
+
+    /// Certificate duration (e.g. "2160h")
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub duration: Option<String>,
+
+    /// How long before expiry cert-manager should renew
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub renew_before: Option<String>,
+
+    /// Reference to the Issuer or ClusterIssuer
+    pub issuer_ref: IssuerRef,
+
+    /// Is this a CA certificate
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub is_ca: Option<bool>,
+
+    /// Private key configuration
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub private_key: Option<PrivateKey>,
+}
+
+impl Default for Certificate {
+    fn default() -> Self {
+        Certificate {
+            metadata: ObjectMeta::default(),
+            spec: CertificateSpec::default(),
+        }
+    }
+}
+
+impl Default for CertificateSpec {
+    fn default() -> Self {
+        Self {
+            secret_name: String::new(),
+            common_name: None,
+            dns_names: None,
+            ip_addresses: None,
+            duration: None,
+            renew_before: None,
+            issuer_ref: IssuerRef::default(),
+            is_ca: None,
+            private_key: None,
+        }
+    }
+}
+
+#[derive(Deserialize, Serialize, Clone, Debug)]
+#[serde(rename_all = "camelCase")]
+pub struct IssuerRef {
+    pub name: String,
+
+    /// Either "Issuer" or "ClusterIssuer"
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub kind: Option<String>,
+
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub group: Option<String>,
+}
+
+impl Default for IssuerRef {
+    fn default() -> Self {
+        Self {
+            name: String::new(),
+            kind: None,
+            group: None,
+        }
+    }
+}
+
+#[derive(Deserialize, Serialize, Clone, Debug)]
+#[serde(rename_all = "camelCase")]
+pub struct PrivateKey {
+    /// RSA or ECDSA
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub algorithm: Option<String>,
+
+    /// Key size (e.g. 2048, 4096)
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub size: Option<u32>,
+
+    /// Rotation policy: "Never" or "Always"
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub rotation_policy: Option<String>,
+}

harmony/src/modules/cert_manager/crd/cluster_issuer.rs

@@ -0,0 +1,44 @@
+use kube::{CustomResource, api::ObjectMeta};
+use serde::{Deserialize, Serialize};
+
+use crate::modules::cert_manager::crd::{AcmeIssuer, CaIssuer, SelfSignedIssuer};
+
+#[derive(CustomResource, Deserialize, Serialize, Clone, Debug)]
+#[kube(
+    group = "cert-manager.io",
+    version = "v1",
+    kind = "ClusterIssuer",
+    plural = "clusterissuers",
+    namespaced = false,
+    schema = "disabled"
+)]
+#[serde(rename_all = "camelCase")]
+pub struct ClusterIssuerSpec {
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub self_signed: Option<SelfSignedIssuer>,
+
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub ca: Option<CaIssuer>,
+
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub acme: Option<AcmeIssuer>,
+}
+
+impl Default for ClusterIssuer {
+    fn default() -> Self {
+        ClusterIssuer {
+            metadata: ObjectMeta::default(),
+            spec: ClusterIssuerSpec::default(),
+        }
+    }
+}
+
+impl Default for ClusterIssuerSpec {
+    fn default() -> Self {
+        Self {
+            self_signed: None,
+            ca: None,
+            acme: None,
+        }
+    }
+}

harmony/src/modules/cert_manager/crd/issuer.rs

@@ -0,0 +1,44 @@
+use kube::{CustomResource, api::ObjectMeta};
+use serde::{Deserialize, Serialize};
+
+use crate::modules::cert_manager::crd::{AcmeIssuer, CaIssuer, SelfSignedIssuer};
+
+#[derive(CustomResource, Deserialize, Serialize, Clone, Debug)]
+#[kube(
+    group = "cert-manager.io",
+    version = "v1",
+    kind = "Issuer",
+    plural = "issuers",
+    namespaced = true,
+    schema = "disabled"
+)]
+#[serde(rename_all = "camelCase")]
+pub struct IssuerSpec {
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub self_signed: Option<SelfSignedIssuer>,
+
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub ca: Option<CaIssuer>,
+
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub acme: Option<AcmeIssuer>,
+}
+
+impl Default for Issuer {
+    fn default() -> Self {
+        Issuer {
+            metadata: ObjectMeta::default(),
+            spec: IssuerSpec::default(),
+        }
+    }
+}
+
+impl Default for IssuerSpec {
+    fn default() -> Self {
+        Self {
+            self_signed: None,
+            ca: None,
+            acme: None,
+        }
+    }
+}

harmony/src/modules/cert_manager/crd/mod.rs

@@ -0,0 +1,65 @@
+use serde::{Deserialize, Serialize};
+
+pub mod certificate;
+pub mod cluster_issuer;
+pub mod issuer;
+//pub mod score_cluster_issuer;
+pub mod score_certificate;
+pub mod score_issuer;
+
+#[derive(Deserialize, Serialize, Clone, Debug)]
+#[serde(rename_all = "camelCase")]
+pub struct CaIssuer {
+    /// Secret containing `tls.crt` and `tls.key`
+    pub secret_name: String,
+}
+
+#[derive(Deserialize, Serialize, Clone, Debug, Default)]
+#[serde(rename_all = "camelCase")]
+pub struct SelfSignedIssuer {}
+
+#[derive(Deserialize, Serialize, Clone, Debug)]
+#[serde(rename_all = "camelCase")]
+pub struct AcmeIssuer {
+    pub server: String,
+    pub email: String,
+
+    /// Secret used to store the ACME account private key
+    pub private_key_secret_ref: SecretKeySelector,
+
+    pub solvers: Vec<AcmeSolver>,
+}
+
+#[derive(Deserialize, Serialize, Clone, Debug)]
+#[serde(rename_all = "camelCase")]
+pub struct SecretKeySelector {
+    pub name: String,
+    pub key: String,
+}
+
+#[derive(Deserialize, Serialize, Clone, Debug)]
+#[serde(rename_all = "camelCase")]
+pub struct AcmeSolver {
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub http01: Option<Http01Solver>,
+
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub dns01: Option<Dns01Solver>,
+}
+
+#[derive(Deserialize, Serialize, Clone, Debug)]
+#[serde(rename_all = "camelCase")]
+pub struct Dns01Solver {}
+
+#[derive(Deserialize, Serialize, Clone, Debug)]
+#[serde(rename_all = "camelCase")]
+pub struct Http01Solver {
+    pub ingress: IngressSolver,
+}
+
+#[derive(Deserialize, Serialize, Clone, Debug)]
+#[serde(rename_all = "camelCase")]
+pub struct IngressSolver {
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub class: Option<String>,
+}

harmony/src/modules/cert_manager/crd/score_certificate.rs

@@ -0,0 +1,49 @@
+use kube::api::ObjectMeta;
+use serde::Serialize;
+
+use crate::{
+    interpret::Interpret,
+    modules::{
+        cert_manager::{
+            capability::CertificateManagementConfig,
+            crd::certificate::{Certificate, CertificateSpec, IssuerRef},
+        },
+        k8s::resource::K8sResourceScore,
+    },
+    score::Score,
+    topology::{K8sclient, Topology},
+};
+
+#[derive(Debug, Clone, Serialize)]
+pub struct CertificateScore {
+    pub cert_name: String,
+    pub issuer_name: String,
+    pub config: CertificateManagementConfig,
+}
+
+impl<T: Topology + K8sclient> Score<T> for CertificateScore {
+    fn name(&self) -> String {
+        "CertificateScore".to_string()
+    }
+
+    fn create_interpret(&self) -> Box<dyn Interpret<T>> {
+        let cert = Certificate {
+            metadata: ObjectMeta {
+                name: Some(self.cert_name.clone()),
+                namespace: self.config.namespace.clone(),
+                ..Default::default()
+            },
+            spec: CertificateSpec {
+                secret_name: format!("{}-tls", self.cert_name.clone()),
+                issuer_ref: IssuerRef {
+                    name: self.issuer_name.clone(),
+                    kind: Some("Issuer".into()),
+                    group: Some("cert-manager.io".into()),
+                },
+                dns_names: Some(vec!["test.example.local".to_string()]),
+                ..Default::default()
+            },
+        };
+        K8sResourceScore::single(cert, self.config.namespace.clone()).create_interpret()
+    }
+}

harmony/src/modules/cert_manager/crd/score_cluster_issuer.rs

@@ -0,0 +1,51 @@
+use kube::api::ObjectMeta;
+use serde::Serialize;
+
+use crate::{
+    interpret::Interpret,
+    modules::{
+        cert_manager::crd::{
+            AcmeIssuer, CaIssuer, SelfSignedIssuer,
+            cluster_issuer::{ClusterIssuer, ClusterIssuerSpec},
+        },
+        k8s::resource::K8sResourceScore,
+    },
+    score::Score,
+    topology::{K8sclient, Topology},
+};
+
+#[derive(Debug, Clone, Serialize)]
+pub struct ClusterIssuerScore {
+    name: String,
+    acme_issuer: Option<AcmeIssuer>,
+    ca_issuer: Option<CaIssuer>,
+    self_signed: bool,
+}
+
+impl<T: Topology + K8sclient> Score<T> for ClusterIssuerScore {
+    fn name(&self) -> String {
+        "ClusterIssuerScore".to_string()
+    }
+
+    fn create_interpret(&self) -> Box<dyn Interpret<T>> {
+        let metadata = ObjectMeta {
+            name: Some(self.name.clone()),
+            namespace: None,
+            ..ObjectMeta::default()
+        };
+
+        let spec = ClusterIssuerSpec {
+            acme: self.acme_issuer.clone(),
+            ca: self.ca_issuer.clone(),
+            self_signed: if self.self_signed {
+                Some(SelfSignedIssuer::default())
+            } else {
+                None
+            },
+        };
+
+        let cluster_issuer = ClusterIssuer { metadata, spec };
+
+        K8sResourceScore::single(cluster_issuer, None).create_interpret()
+    }
+}

harmony/src/modules/cert_manager/crd/score_issuer.rs

@@ -0,0 +1,52 @@
+use kube::api::ObjectMeta;
+use serde::Serialize;
+
+use crate::{
+    interpret::Interpret,
+    modules::{
+        cert_manager::{
+            capability::CertificateManagementConfig,
+            crd::{
+                SelfSignedIssuer,
+                issuer::{Issuer, IssuerSpec},
+            },
+        },
+        k8s::resource::K8sResourceScore,
+    },
+    score::Score,
+    topology::{K8sclient, Topology},
+};
+
+#[derive(Debug, Clone, Serialize)]
+pub struct IssuerScore {
+    pub issuer_name: String,
+    pub config: CertificateManagementConfig,
+}
+
+impl<T: Topology + K8sclient> Score<T> for IssuerScore {
+    fn name(&self) -> String {
+        "IssuerScore".to_string()
+    }
+
+    fn create_interpret(&self) -> Box<dyn Interpret<T>> {
+        let metadata = ObjectMeta {
+            name: Some(self.issuer_name.clone()),
+            namespace: self.config.namespace.clone(),
+            ..ObjectMeta::default()
+        };
+
+        let spec = IssuerSpec {
+            acme: self.config.acme_issuer.clone(),
+            ca: self.config.ca_issuer.clone(),
+            self_signed: if self.config.self_signed {
+                Some(SelfSignedIssuer::default())
+            } else {
+                None
+            },
+        };
+
+        let issuer = Issuer { metadata, spec };
+
+        K8sResourceScore::single(issuer, self.config.namespace.clone()).create_interpret()
+    }
+}

harmony/src/modules/cert_manager/mod.rs

@@ -1,3 +1,9 @@
+pub mod capability;
 pub mod cluster_issuer;
+pub mod crd;
 mod helm;
+pub mod operator;
+pub mod score_create_cert;
+pub mod score_create_issuer;
+pub mod score_operator;
 pub use helm::*;

harmony/src/modules/cert_manager/operator.rs

@@ -0,0 +1,64 @@
+use kube::api::ObjectMeta;
+use serde::Serialize;
+
+use crate::{
+    interpret::Interpret,
+    modules::k8s::{
+        apps::crd::{Subscription, SubscriptionSpec},
+        resource::K8sResourceScore,
+    },
+    score::Score,
+    topology::{K8sclient, Topology, k8s::K8sClient},
+};
+
+/// Install the Cert-Manager Operator via RedHat Community Operators registry.redhat.io/redhat/community-operator-index:v4.19
+/// This Score creates a Subscription CR in the specified namespace
+
+#[derive(Debug, Clone, Serialize)]
+pub struct CertManagerOperatorScore {
+    pub namespace: String,
+    pub channel: String,
+    pub install_plan_approval: String,
+    pub source: String,
+    pub source_namespace: String,
+}
+
+impl Default for CertManagerOperatorScore {
+    fn default() -> Self {
+        Self {
+            namespace: "openshift-operators".to_string(),
+            channel: "stable".to_string(),
+            install_plan_approval: "Automatic".to_string(),
+            source: "community-operators".to_string(),
+            source_namespace: "openshift-marketplace".to_string(),
+        }
+    }
+}
+
+impl<T: Topology + K8sclient> Score<T> for CertManagerOperatorScore {
+    fn name(&self) -> String {
+        "CertManagerOperatorScore".to_string()
+    }
+
+    fn create_interpret(&self) -> Box<dyn Interpret<T>> {
+        let metadata = ObjectMeta {
+            name: Some("cert-manager".to_string()),
+            namespace: Some(self.namespace.clone()),
+            ..ObjectMeta::default()
+        };
+
+        let spec = SubscriptionSpec {
+            channel: Some(self.channel.clone()),
+            config: None,
+            install_plan_approval: Some(self.install_plan_approval.clone()),
+            name: "cert-manager".to_string(),
+            source: self.source.clone(),
+            source_namespace: self.source_namespace.clone(),
+            starting_csv: None,
+        };
+
+        let subscription = Subscription { metadata, spec };
+
+        K8sResourceScore::single(subscription, Some(self.namespace.clone())).create_interpret()
+    }
+}

harmony/src/modules/cert_manager/score_create_cert.rs

@@ -0,0 +1,76 @@
+use async_trait::async_trait;
+use harmony_types::id::Id;
+use serde::Serialize;
+
+use crate::{
+    data::Version,
+    interpret::{Interpret, InterpretError, InterpretName, InterpretStatus, Outcome},
+    inventory::Inventory,
+    modules::cert_manager::capability::{CertificateManagement, CertificateManagementConfig},
+    score::Score,
+    topology::Topology,
+};
+
+#[derive(Debug, Clone, Serialize)]
+pub struct CertificateCreationScore {
+    pub cert_name: String,
+    pub issuer_name: String,
+    pub config: CertificateManagementConfig,
+}
+
+impl<T: Topology + CertificateManagement> Score<T> for CertificateCreationScore {
+    fn name(&self) -> String {
+        "CertificateCreationScore".to_string()
+    }
+
+    fn create_interpret(&self) -> Box<dyn Interpret<T>> {
+        Box::new(CertificateCreationInterpret {
+            cert_name: self.cert_name.clone(),
+            issuer_name: self.issuer_name.clone(),
+            config: self.config.clone(),
+        })
+    }
+}
+
+#[derive(Debug)]
+struct CertificateCreationInterpret {
+    cert_name: String,
+    issuer_name: String,
+    config: CertificateManagementConfig,
+}
+
+#[async_trait]
+impl<T: Topology + CertificateManagement> Interpret<T> for CertificateCreationInterpret {
+    async fn execute(
+        &self,
+        inventory: &Inventory,
+        topology: &T,
+    ) -> Result<Outcome, InterpretError> {
+        let _certificate = topology
+            .create_certificate(
+                self.cert_name.clone(),
+                self.issuer_name.clone(),
+                &self.config,
+            )
+            .await
+            .map_err(|e| InterpretError::new(e.to_string()))?;
+
+        Ok(Outcome::success(format!("Installed CertificateManagement")))
+    }
+
+    fn get_name(&self) -> InterpretName {
+        InterpretName::Custom("CertificateManagementInterpret")
+    }
+
+    fn get_version(&self) -> Version {
+        todo!()
+    }
+
+    fn get_status(&self) -> InterpretStatus {
+        todo!()
+    }
+
+    fn get_children(&self) -> Vec<Id> {
+        todo!()
+    }
+}

harmony/src/modules/cert_manager/score_create_issuer.rs

@@ -0,0 +1,71 @@
+use async_trait::async_trait;
+use harmony_types::id::Id;
+use log::debug;
+use serde::Serialize;
+
+use crate::{
+    data::Version,
+    interpret::{Interpret, InterpretError, InterpretName, InterpretStatus, Outcome},
+    inventory::Inventory,
+    modules::cert_manager::capability::{CertificateManagement, CertificateManagementConfig},
+    score::Score,
+    topology::Topology,
+};
+
+#[derive(Debug, Clone, Serialize)]
+pub struct CertificateIssuerScore {
+    pub issuer_name: String,
+    pub config: CertificateManagementConfig,
+}
+
+impl<T: Topology + CertificateManagement> Score<T> for CertificateIssuerScore {
+    fn name(&self) -> String {
+        "CertificateIssuerScore".to_string()
+    }
+
+    fn create_interpret(&self) -> Box<dyn Interpret<T>> {
+        Box::new(CertificateIssuerInterpret {
+            config: self.config.clone(),
+            issuer_name: self.issuer_name.clone(),
+        })
+    }
+}
+
+#[derive(Debug)]
+struct CertificateIssuerInterpret {
+    config: CertificateManagementConfig,
+    issuer_name: String,
+}
+
+#[async_trait]
+impl<T: Topology + CertificateManagement> Interpret<T> for CertificateIssuerInterpret {
+    async fn execute(
+        &self,
+        inventory: &Inventory,
+        topology: &T,
+    ) -> Result<Outcome, InterpretError> {
+        debug!("issuer name: {}", self.issuer_name.clone());
+        let _cert_issuer = topology
+            .create_issuer(self.issuer_name.clone(), &self.config)
+            .await
+            .map_err(|e| InterpretError::new(e.to_string()))?;
+
+        Ok(Outcome::success(format!("Installed CertificateManagement")))
+    }
+
+    fn get_name(&self) -> InterpretName {
+        InterpretName::Custom("CertificateManagementInterpret")
+    }
+
+    fn get_version(&self) -> Version {
+        todo!()
+    }
+
+    fn get_status(&self) -> InterpretStatus {
+        todo!()
+    }
+
+    fn get_children(&self) -> Vec<Id> {
+        todo!()
+    }
+}

harmony/src/modules/cert_manager/score_operator.rs

@@ -0,0 +1,66 @@
+use async_trait::async_trait;
+use harmony_types::id::Id;
+use serde::Serialize;
+
+use crate::{
+    data::Version,
+    interpret::{Interpret, InterpretError, InterpretName, InterpretStatus, Outcome},
+    inventory::Inventory,
+    modules::cert_manager::capability::{CertificateManagement, CertificateManagementConfig},
+    score::Score,
+    topology::Topology,
+};
+
+#[derive(Debug, Clone, Serialize)]
+pub struct CertificateManagementScore {
+    pub config: CertificateManagementConfig,
+}
+
+impl<T: Topology + CertificateManagement> Score<T> for CertificateManagementScore {
+    fn name(&self) -> String {
+        "CertificateManagementScore".to_string()
+    }
+
+    fn create_interpret(&self) -> Box<dyn Interpret<T>> {
+        Box::new(CertificateManagementInterpret {
+            config: self.config.clone(),
+        })
+    }
+}
+
+#[derive(Debug)]
+struct CertificateManagementInterpret {
+    config: CertificateManagementConfig,
+}
+
+#[async_trait]
+impl<T: Topology + CertificateManagement> Interpret<T> for CertificateManagementInterpret {
+    async fn execute(
+        &self,
+        inventory: &Inventory,
+        topology: &T,
+    ) -> Result<Outcome, InterpretError> {
+        topology
+            .ensure_certificate_management_ready(&self.config)
+            .await
+            .map_err(|e| InterpretError::new(e.to_string()))?;
+
+        Ok(Outcome::success(format!("CertificateManagement is ready")))
+    }
+
+    fn get_name(&self) -> InterpretName {
+        InterpretName::Custom("CertificateManagementInterpret")
+    }
+
+    fn get_version(&self) -> Version {
+        todo!()
+    }
+
+    fn get_status(&self) -> InterpretStatus {
+        todo!()
+    }
+
+    fn get_children(&self) -> Vec<Id> {
+        todo!()
+    }
+}