ironcore-dev
diff --git a/‎PROJECT‎
Lines changed: 9 additions & 0 deletions b/‎PROJECT‎
Lines changed: 9 additions & 0 deletions
diff --git a/‎Tiltfile‎
Lines changed: 3 additions & 0 deletions b/‎Tiltfile‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎api/v1alpha1/device_types.go‎
Lines changed: 0 additions & 62 deletions b/‎api/v1alpha1/device_types.go‎
Lines changed: 0 additions & 62 deletions
diff --git a/‎api/v1alpha1/managementaccess_types.go‎
Lines changed: 145 additions & 0 deletions b/‎api/v1alpha1/managementaccess_types.go‎
Lines changed: 145 additions & 0 deletions
diff --git a/‎api/v1alpha1/zz_generated.deepcopy.go‎
Lines changed: 104 additions & 10 deletions b/‎api/v1alpha1/zz_generated.deepcopy.go‎
Lines changed: 104 additions & 10 deletions
diff --git a/‎cmd/main.go‎
Lines changed: 11 additions & 0 deletions b/‎cmd/main.go‎
Lines changed: 11 additions & 0 deletions
@@ -100,4 +100,13 @@ resources:
   kind: Syslog
   path: github.com/ironcore-dev/network-operator/api/v1alpha1
   version: v1alpha1
+- api:
+    crdVersion: v1
+    namespaced: true
+  controller: true
+  domain: cloud.sap
+  group: networking
+  kind: ManagementAccess
+  path: github.com/ironcore-dev/network-operator/api/v1alpha1
+  version: v1alpha1
 version: "3"
@@ -58,6 +58,9 @@ k8s_resource(new_name='snmp', objects=['snmp:snmp'], trigger_mode=TRIGGER_MODE_M
 k8s_yaml('./config/samples/v1alpha1_syslog.yaml')
 k8s_resource(new_name='syslog', objects=['syslog:syslog'], trigger_mode=TRIGGER_MODE_MANUAL, auto_init=False)
 
+k8s_yaml('./config/samples/v1alpha1_managementaccess.yaml')
+k8s_resource(new_name='managementaccess', objects=['managementaccess:managementaccess'], trigger_mode=TRIGGER_MODE_MANUAL, auto_init=False)
+
 print('🚀 network-operator development environment')
 print('👉 Edit the code inside the api/, cmd/, or internal/ directories')
 print('👉 Tilt will automatically rebuild and redeploy when changes are detected')
 
@@ -18,11 +18,6 @@ type DeviceSpec struct {
 	// It can be used to provide initial configuration templates or scripts that are applied during the device provisioning.
 	// +optional
 	Bootstrap *Bootstrap `json:"bootstrap,omitempty"`
-
-	// Configuration for the gRPC server on the device.
-	// Currently, only a single "default" gRPC server is supported.
-	// +optional
-	GRPC *GRPC `json:"grpc,omitempty"`
 }
 
 type Endpoint struct {
@@ -59,63 +54,6 @@ type Bootstrap struct {
 	Template *TemplateSource `json:"template"`
 }
 
-type GRPC struct {
-	// The TCP port on which the gRPC server should listen.
-	// The range of port-id is from 1024 to 65535.
-	// Port 9339 is the default.
-	// +kubebuilder:validation:Minimum=1024
-	// +kubebuilder:validation:Maximum=65535
-	// +kubebuilder:validation:ExclusiveMaximum=false
-	// +kubebuilder:default=9339
-	// +optional
-	Port int32 `json:"port"`
-
-	// Name of the certificate that is associated with the gRPC service.
-	// The certificate is provisioned through other interfaces on the device,
-	// such as e.g. the gNOI certificate management service.
-	// +optional
-	CertificateID string `json:"certificateId,omitempty"`
-
-	// Enable the gRPC agent to accept incoming (dial-in) RPC requests from a given network instance.
-	// +optional
-	NetworkInstance string `json:"networkInstance,omitempty"`
-
-	// Additional gNMI configuration for the gRPC server.
-	// This may not be supported by all devices.
-	// +optional
-	GNMI *GNMI `json:"gnmi,omitempty"`
-}
-
-type GNMI struct {
-	// The maximum number of concurrent gNMI calls that can be made to the gRPC server on the switch for each VRF.
-	// Configure a limit from 1 through 16. The default limit is 8.
-	// +kubebuilder:validation:Minimum=1
-	// +kubebuilder:validation:Maximum=16
-	// +kubebuilder:validation:ExclusiveMaximum=false
-	// +kubebuilder:default=8
-	// +optional
-	MaxConcurrentCall int8 `json:"maxConcurrentCall"`
-
-	// Configure the keepalive timeout for inactive or unauthorized connections.
-	// The gRPC agent is expected to periodically send an empty response to the client, on which the client is expected to respond with an empty request.
-	// If the client does not respond within the keepalive timeout, the gRPC agent should close the connection.
-	// The default interval value is 10 minutes.
-	// +kubebuilder:validation:Type=string
-	// +kubebuilder:validation:Pattern="^([0-9]+(\\.[0-9]+)?(ns|us|µs|ms|s|m|h))+$"
-	// +kubebuilder:default="10m"
-	// +optional
-	KeepAliveTimeout metav1.Duration `json:"keepAliveTimeout"`
-
-	// Configure the minimum sample interval for the gNMI telemetry stream.
-	// Once per stream sample interval, the switch sends the current values for all specified paths.
-	// The default value is 10 seconds.
-	// +kubebuilder:validation:Type=string
-	// +kubebuilder:validation:Pattern="^([0-9]+(\\.[0-9]+)?(ns|us|µs|ms|s|m|h))+$"
-	// +kubebuilder:default="10s"
-	// +optional
-	MinSampleInterval metav1.Duration `json:"minSampleInterval"`
-}
-
 // TemplateSource defines a source for template content.
 // It can be provided inline, or as a reference to a Secret or ConfigMap.
 //
 
@@ -0,0 +1,145 @@
+// SPDX-FileCopyrightText: 2025 SAP SE or an SAP affiliate company and IronCore contributors
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// ManagementAccessSpec defines the desired state of ManagementAccess
+type ManagementAccessSpec struct {
+	// DeviceName is the name of the Device this object belongs to. The Device object must exist in the same namespace.
+	// Immutable.
+	// +required
+	// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="DeviceRef is immutable"
+	DeviceRef LocalObjectReference `json:"deviceRef"`
+
+	// ProviderConfigRef is a reference to a resource holding the provider-specific configuration of this interface.
+	// This reference is used to link the Interface to its provider-specific configuration.
+	// +optional
+	ProviderConfigRef *TypedLocalObjectReference `json:"providerConfigRef,omitempty"`
+
+	// Configuration for the gRPC server on the device.
+	// Currently, only a single "default" gRPC server is supported.
+	// +optional
+	// +kubebuilder:default={enabled:true, port:9339}
+	GRPC GRPC `json:"grpc,omitempty"`
+}
+
+type GRPC struct {
+	// Enable or disable the gRPC server on the device.
+	// If not specified, the gRPC server is enabled by default.
+	// +optional
+	// +kubebuilder:default=true
+	Enabled bool `json:"enabled"`
+
+	// The TCP port on which the gRPC server should listen.
+	// The range of port-id is from 1024 to 65535.
+	// Port 9339 is the default.
+	// +optional
+	// +kubebuilder:default=9339
+	// +kubebuilder:validation:Minimum=1024
+	// +kubebuilder:validation:Maximum=65535
+	// +kubebuilder:validation:ExclusiveMaximum=false
+	Port int32 `json:"port"`
+
+	// Name of the certificate that is associated with the gRPC service.
+	// The certificate is provisioned through other interfaces on the device,
+	// such as e.g. the gNOI certificate management service.
+	// +optional
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=63
+	CertificateID string `json:"certificateId,omitempty"`
+
+	// Enable the gRPC agent to accept incoming (dial-in) RPC requests from a given vrf.
+	// +optional
+	// +kubebuilder:default="default"
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=63
+	VrfName string `json:"vrfName"`
+
+	// Additional gNMI configuration for the gRPC server.
+	// This may not be supported by all devices.
+	// +optional
+	// +kubebuilder:default={maxConcurrentCall:8, keepAliveTimeout:"10m", minSampleInterval:"10s"}
+	GNMI GNMI `json:"gnmi,omitzero"`
+}
+
+type GNMI struct {
+	// The maximum number of concurrent gNMI calls that can be made to the gRPC server on the switch for each VRF.
+	// Configure a limit from 1 through 16. The default limit is 8.
+	// +optional
+	// +kubebuilder:default=8
+	// +kubebuilder:validation:Minimum=1
+	// +kubebuilder:validation:Maximum=16
+	// +kubebuilder:validation:ExclusiveMaximum=false
+	MaxConcurrentCall int8 `json:"maxConcurrentCall"`
+
+	// Configure the keepalive timeout for inactive or unauthorized connections.
+	// The gRPC agent is expected to periodically send an empty response to the client, on which the client is expected to respond with an empty request.
+	// If the client does not respond within the keepalive timeout, the gRPC agent should close the connection.
+	// The default interval value is 10 minutes.
+	// +optional
+	// +kubebuilder:default="10m"
+	// +kubebuilder:validation:Type=string
+	// +kubebuilder:validation:Pattern="^([0-9]+(\\.[0-9]+)?(ns|us|µs|ms|s|m|h))+$"
+	KeepAliveTimeout metav1.Duration `json:"keepAliveTimeout"`
+
+	// Configure the minimum sample interval for the gNMI telemetry stream.
+	// Once per stream sample interval, the switch sends the current values for all specified paths.
+	// The default value is 10 seconds.
+	// +kubebuilder:validation:Type=string
+	// +kubebuilder:validation:Pattern="^([0-9]+(\\.[0-9]+)?(ns|us|µs|ms|s|m|h))+$"
+	// +kubebuilder:default="10s"
+	MinSampleInterval metav1.Duration `json:"minSampleInterval"`
+}
+
+// ManagementAccessStatus defines the observed state of ManagementAccess.
+type ManagementAccessStatus struct {
+	// The conditions are a list of status objects that describe the state of the ManagementAccess.
+	//+listType=map
+	//+listMapKey=type
+	//+patchStrategy=merge
+	//+patchMergeKey=type
+	//+optional
+	Conditions []metav1.Condition `json:"conditions,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+// +kubebuilder:subresource:status
+// +kubebuilder:resource:path=managementaccesses
+// +kubebuilder:resource:singular=managementaccess
+// +kubebuilder:printcolumn:name="Device",type=string,JSONPath=`.spec.deviceName`
+// +kubebuilder:printcolumn:name="Ready",type=string,JSONPath=`.status.conditions[?(@.type=="Ready")].status`
+// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp"
+
+// ManagementAccess is the Schema for the managementaccesses API
+type ManagementAccess struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	// Specification of the desired state of the resource.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	// +required
+	Spec ManagementAccessSpec `json:"spec,omitempty"`
+
+	// Status of the resource. This is set and updated automatically.
+	// Read-only.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	// +optional
+	Status ManagementAccessStatus `json:"status,omitempty,omitzero"`
+}
+
+// +kubebuilder:object:root=true
+
+// ManagementAccessList contains a list of ManagementAccess
+type ManagementAccessList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []ManagementAccess `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&ManagementAccess{}, &ManagementAccessList{})
+}
@@ -314,6 +314,17 @@ func main() {
 		setupLog.Error(err, "unable to create controller", "controller", "Syslog")
 		os.Exit(1)
 	}
+
+	if err := (&controller.ManagementAccessReconciler{
+		Client:           mgr.GetClient(),
+		Scheme:           mgr.GetScheme(),
+		Recorder:         mgr.GetEventRecorderFor("managementaccess-controller"),
+		WatchFilterValue: watchFilterValue,
+		Provider:         prov,
+	}).SetupWithManager(mgr); err != nil {
+		setupLog.Error(err, "unable to create controller", "controller", "ManagementAccess")
+		os.Exit(1)
+	}
 	// +kubebuilder:scaffold:builder
 
 	if metricsCertWatcher != nil {