From ce1fd8ac832aca2cf503f27b9db54ba53f2be410 Mon Sep 17 00:00:00 2001
From: Simon Mayer
Date: Mon, 3 Feb 2025 09:44:36 +0100
Subject: [PATCH 1/7] Use Metal-Edit user for HMAC
---
 cmd/main.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cmd/main.go b/cmd/main.go
index f814a17..35a6f7d 100644
--- a/cmd/main.go
+++ b/cmd/main.go
@@ -202,5 +202,5 @@ func newMetalClient() (metalgo.Client, error) {
 return nil, errors.New("METAL_API_HMAC environment variable must be set")
 }
- return metalgo.NewDriver(url, "", hmac)
+ return metalgo.NewDriver(url, "", hmac, metalgo.AuthType("Metal-Edit"))
 }
From ea57720cf352bbe25ca0bcdaa2618b0db1210c71 Mon Sep 17 00:00:00 2001
From: Simon Mayer
Date: Mon, 3 Feb 2025 11:42:54 +0100
Subject: [PATCH 2/7] Configure HMAC auth type for metal-ccm
---
 capi-lab/metal-ccm.yaml | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/capi-lab/metal-ccm.yaml b/capi-lab/metal-ccm.yaml
index 16f9813..d169b87 100644
--- a/capi-lab/metal-ccm.yaml
+++ b/capi-lab/metal-ccm.yaml
@@ -7,6 +7,7 @@ metadata:
 stringData:
 api-url: ${METAL_API_URL}
 api-hmac: ${METAL_API_HMAC}
+ api-hmac-auth-type: ${METAL_API_HMAC_AUTH_TYPE}
 ---
 apiVersion: v1
 kind: ServiceAccount
@@ -172,6 +173,11 @@ spec:
 secretKeyRef:
 key: api-hmac
 name: cloud-controller-manager
+ - name: METAL_AUTH_HMAC_AUTH_TYPE
+ valueFrom:
+ secretKeyRef:
+ key: api-hmac-auth-type
+ name: cloud-controller-manager
 - name: METAL_PROJECT_ID
 value: 00000000-0000-0000-0000-000000000001
 - name: METAL_PARTITION_ID
@@ -185,7 +191,7 @@ spec:
 value: internet-mini-lab,${METAL_NODE_NETWORK_ID}
 - name: METAL_SSH_PUBLICKEY
 value: ""
- image: ghcr.io/metal-stack/metal-ccm:v0.9.3
+ image: ghcr.io/metal-stack/metal-ccm:run-with-edit-privileges
 imagePullPolicy: IfNotPresent
 livenessProbe:
 failureThreshold: 2
From 8cc8889aec979f3122852e6c110cb71cdb0caffc Mon Sep 17 00:00:00 2001
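Review bot: In capi-lab/metal-ccm.yaml (hunk `@@ -172,6 +173,11 @@`) the new container variable is named `METAL_AUTH_HMAC_AUTH_TYPE`, while the Secret value it reads is templated from `${METAL_API_HMAC_AUTH_TYPE}` and every other file in this series uses the `METAL_API_` prefix. The name of the neighbouring HMAC variable lies above the hunk, so this may simply follow metal-ccm's own naming. A one-line comment such as `# metal-ccm reads METAL_AUTH_*; the Secret is templated from METAL_API_*` would make the difference explicit. If the name is not the one the CCM reads, it would presumably keep its default HMAC user and the edit key would not authenticate.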
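Review bot: The image reference in capi-lab/metal-ccm.yaml (hunk `@@ -185,7 +191,7 @@`) moves from a release tag to what looks like a branch-named tag, `metal-ccm:run-with-edit-privileges`, while the context line keeps `imagePullPolicy: IfNotPresent`. A tag of that kind can be re-pushed or deleted, so nodes with a cached copy and nodes pulling fresh may run different builds of a component that is handed the HMAC key. Pinning by digest removes that ambiguity: `image: ghcr.io/metal-stack/metal-ccm@sha256:<digest-of-reviewed-build>`. The same applies to the `v0.9.4` tag that PATCH 4/7 puts on this line.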
From: Valentin Knabel
Date: Mon, 3 Feb 2025 13:54:22 +0100
Subject: [PATCH 3/7] feat: METAL_API_HMAC_AUTH_TYPE in edit mode
---
 README.md | 1 +
 capi-lab/Makefile | 3 ++-
 cmd/main.go | 7 ++++++-
 3 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 25c741f..17c9de9 100644
--- a/README.md
+++ b/README.md
@@ -41,6 +41,7 @@ Now, you are able to install the CAPMS into your management cluster:
 # export the following environment variables
 export METAL_API_URL=
 export METAL_API_HMAC=
+export METAL_API_HMAC_AUTH_TYPE=
 export EXP_KUBEADM_BOOTSTRAP_FORMAT_IGNITION=true
 # initialize the management cluster
diff --git a/capi-lab/Makefile b/capi-lab/Makefile
index d1c42cf..67a7ee9 100644
--- a/capi-lab/Makefile
+++ b/capi-lab/Makefile
@@ -7,7 +7,8 @@ KUBECONFIG := $(shell pwd)/mini-lab/.kubeconfig
 MINI_LAB_FLAVOR=capms
 METAL_API_URL=http://metal.203.0.113.1.nip.io:8080
-METAL_API_HMAC=metal-admin
+METAL_API_HMAC=metal-edit
+METAL_API_HMAC_AUTH_TYPE=Metal-Edit
 METALCTL_API_URL=http://metal.203.0.113.1.nip.io:8080
 METALCTL_HMAC=metal-admin
diff --git a/cmd/main.go b/cmd/main.go
index 35a6f7d..1c7c124 100644
--- a/cmd/main.go
+++ b/cmd/main.go
@@ -202,5 +202,10 @@ func newMetalClient() (metalgo.Client, error) {
 return nil, errors.New("METAL_API_HMAC environment variable must be set")
 }
- return metalgo.NewDriver(url, "", hmac, metalgo.AuthType("Metal-Edit"))
+ hmacAuthType := os.Getenv("METAL_API_HMAC_AUTH_TYPE")
+ if hmacAuthType == "" {
+ return nil, errors.New("METAL_API_HMAC_AUTH_TYPE environment variable must be set")
+ }
+
+ return metalgo.NewDriver(url, "", hmac, metalgo.AuthType(hmacAuthType))
 }
From b49e370156616094fe00a28efd859db56c372467 Mon Sep 17 00:00:00 2001
From: Valentin Knabel
Date: Mon, 3 Feb 2025 14:09:06 +0100
Subject: [PATCH 4/7] feat: use v0.9.4 metal-ccm instead of deleted branch
---
 capi-lab/metal-ccm.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
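Review bot: In capi-lab/Makefile (hunk `@@ -7,7 +7,8 @@`) the HMAC key and its auth type are assigned with plain `=`, so values already exported in the caller's environment are replaced by the lab defaults unless make is run with `-e` or the variables are given on the command line. Writing `METAL_API_HMAC ?= metal-edit` and `METAL_API_HMAC_AUTH_TYPE ?= Metal-Edit` would let a non-lab environment supply its own pair without editing a tracked file. The key and the type have to name the same HMAC user, and a comment above the pair saying so would help, for example `# key and auth type must belong to the same HMAC user`. The same holds for the `METALCTL_HMAC` pair changed in PATCH 5/7.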
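Review bot: The value read from `METAL_API_HMAC_AUTH_TYPE` in newMetalClient (cmd/main.go, hunk `@@ -202,5 +202,10 @@`) is checked only for emptiness before it is converted with `metalgo.AuthType(...)`, so a misspelt or wrongly cased value is accepted at startup and would presumably surface later as rejected API calls. Checking it against the user types the API defines turns that into an immediate, readable configuration error. Making the variable mandatory also changes behaviour for deployments that set only `METAL_API_HMAC`, which deserves a line in the release notes. The function starts above the hunk; the fence shows only the rewritten check, and its list of accepted values is limited to the two that appear in this series and needs confirming against metal-go.

```go
	hmacAuthType := os.Getenv("METAL_API_HMAC_AUTH_TYPE")
	switch hmacAuthType {
	case "Metal-Admin", "Metal-Edit":
		// Accepted. Extend this list if the API defines further HMAC user types.
	case "":
		return nil, errors.New("METAL_API_HMAC_AUTH_TYPE environment variable must be set")
	default:
		return nil, errors.New("METAL_API_HMAC_AUTH_TYPE must be one of: Metal-Admin, Metal-Edit")
	}
	// … unchanged: return metalgo.NewDriver(url, "", hmac, metalgo.AuthType(hmacAuthType)) …
```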
diff --git a/capi-lab/metal-ccm.yaml b/capi-lab/metal-ccm.yaml
index d169b87..bb922f4 100644
--- a/capi-lab/metal-ccm.yaml
+++ b/capi-lab/metal-ccm.yaml
@@ -191,7 +191,7 @@ spec:
 value: internet-mini-lab,${METAL_NODE_NETWORK_ID}
 - name: METAL_SSH_PUBLICKEY
 value: ""
- image: ghcr.io/metal-stack/metal-ccm:run-with-edit-privileges
+ image: ghcr.io/metal-stack/metal-ccm:v0.9.4
 imagePullPolicy: IfNotPresent
 livenessProbe:
 failureThreshold: 2
From 67fbce78f9bd0a349769b2737967089f36c2c39b Mon Sep 17 00:00:00 2001
From: Valentin Knabel
Date: Mon, 3 Feb 2025 15:18:08 +0100
Subject: [PATCH 5/7] fix: installation
---
 Makefile | 3 ++-
 capi-lab/Makefile | 3 ++-
 config/manager/manager.yaml | 6 ++++++
 3 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/Makefile b/Makefile
index 04835cd..c4e8bd1 100644
--- a/Makefile
+++ b/Makefile
@@ -167,7 +167,8 @@ endif
 # this is configured to work with the capi-lab
 export METAL_API_URL := "http://metal.203.0.113.1.nip.io:8080"
-export METAL_API_HMAC := "metal-admin"
+export METAL_API_HMAC := "metal-edit"
+export METAL_API_HMAC_AUTH_TYPE := "Metal-Admin"
 .PHONY: install
 install: manifests kustomize ## Install CRDs into the K8s cluster specified in ~/.kube/config.
diff --git a/capi-lab/Makefile b/capi-lab/Makefile
index 67a7ee9..47f6fba 100644
--- a/capi-lab/Makefile
+++ b/capi-lab/Makefile
@@ -10,7 +10,8 @@ METAL_API_URL=http://metal.203.0.113.1.nip.io:8080
 METAL_API_HMAC=metal-edit
 METAL_API_HMAC_AUTH_TYPE=Metal-Edit
 METALCTL_API_URL=http://metal.203.0.113.1.nip.io:8080
-METALCTL_HMAC=metal-admin
+METALCTL_HMAC=metal-edit
+METALCTL_HMAC_AUTH_TYPE=Metal-Edit
 METAL_PARTITION ?= mini-lab
 METAL_PROJECT_ID ?= 00000000-0000-0000-0000-000000000001
diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
index 77e8035..8859dbb 100644
--- a/config/manager/manager.yaml
+++ b/config/manager/manager.yaml
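Review bot: The pair exported in the root Makefile (hunk `@@ -167,7 +167,8 @@`) does not match: the key becomes `"metal-edit"` while the auth type is set to `"Metal-Admin"`, whereas capi-lab/Makefile in the same commit pairs `metal-edit` with `Metal-Edit`. With a mismatched pair the HMAC check on the API side would be expected to fail, so a controller installed with these exports could not authenticate. PATCH 7/7 corrects the value. A comment above the two exports would guard against the pair drifting apart again, for example `# METAL_API_HMAC and METAL_API_HMAC_AUTH_TYPE must name the same HMAC user`.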
@@ -6,6 +6,7 @@ metadata:
 stringData:
 api-url: ${METAL_API_URL}
 api-hmac: ${METAL_API_HMAC}
+ api-hmac-auth-type: ${METAL_API_HMAC_AUTH_TYPE}
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -44,6 +45,11 @@ spec:
 secretKeyRef:
 name: controller-manager-config
 key: api-hmac
+ - name: METAL_API_HMAC_AUTH_TYPE
+ valueFrom:
+ secretKeyRef:
+ name: controller-manager-config
+ key: api-hmac-auth-type
 command:
 - /manager
 args:
From e9255cf0a4b33ecd85664f0f4a6ebbb82af44fc6 Mon Sep 17 00:00:00 2001
From: Valentin Knabel
Date: Mon, 3 Feb 2025 16:15:31 +0100
Subject: [PATCH 6/7] chore: minor release
---
 metadata.yaml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/metadata.yaml b/metadata.yaml
index 32d63b9..b79cd26 100644
--- a/metadata.yaml
+++ b/metadata.yaml
@@ -5,6 +5,9 @@
 # update this file only when a new major or minor version is released
 apiVersion: clusterctl.cluster.x-k8s.io/v1alpha3
 releaseSeries:
+ - major: 0
+ minor: 3
+ contract: v1beta1
 - major: 0
 minor: 2
 contract: v1beta1
From bb59f669e3be7ed7c87ece4aa85a2b0fee50d79d Mon Sep 17 00:00:00 2001
From: Valentin Knabel
Date: Mon, 3 Feb 2025 16:28:07 +0100
Subject: [PATCH 7/7] fix: metal edit
---
 Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Makefile b/Makefile
index c4e8bd1..d97995a 100644
--- a/Makefile
+++ b/Makefile
@@ -168,7 +168,7 @@ endif
 # this is configured to work with the capi-lab
 export METAL_API_URL := "http://metal.203.0.113.1.nip.io:8080"
 export METAL_API_HMAC := "metal-edit"
-export METAL_API_HMAC_AUTH_TYPE := "Metal-Admin"
+export METAL_API_HMAC_AUTH_TYPE := "Metal-Edit"
 .PHONY: install
 install: manifests kustomize ## Install CRDs into the K8s cluster specified in ~/.kube/config.