feat: HardeningProfile bootstrap support -- CAPI template merge + ONT-native NodeMaintenance

CLAUDE.md

@@ -25,5 +25,5 @@ CP-INV-013 -- CiliumPending on TalosCluster is not a degraded state. It is the e
 
 ### Session protocol additions
 Step 4a -- Read platform-design.md in this repository.
-Step 4b -- Determine which category the target CRD belongs to before implementing any reconciler: CAPI-managed lifecycle (TalosCluster target path, SeamInfrastructureCluster, SeamInfrastructureMachine -- no RunnerConfig); operational runner Job CRDs (TalosBackup, TalosEtcdMaintenance, TalosPKIRotation, TalosRecovery, TalosHardeningApply, TalosNodePatch, TalosCredentialRotation, TalosClusterReset -- verify capability in conductor-schema.md first); tenant coordination (PlatformTenant, QueueProfile -- no runner capability, no CAPI objects).
+Step 4b -- Determine which category the target CRD belongs to before implementing any reconciler: CAPI-managed lifecycle (TalosCluster target path, SeamInfrastructureCluster, SeamInfrastructureMachine -- no RunnerConfig); operational runner Job CRDs (TalosBackup, TalosEtcdMaintenance, TalosPKIRotation, TalosRecovery, TalosHardeningApply, TalosNodePatch, TalosCredentialRotation, TalosClusterReset -- verify capability in conductor-schema.md first). PlatformTenant is dropped: tenant coordination is handled by InfrastructureTalosCluster (mode=import or mode=bootstrap) plus the conductor role=tenant Deployment managed by the compiler enable bundle.
 Step 4c -- For any Seam Infrastructure Provider session: confirm talos goclient access is bounded to SeamInfrastructureClusterReconciler and SeamInfrastructureMachineReconciler only. Any other file importing talos goclient is a CP-INV-001 violation.

api/v1alpha1/machineconfigbackup_types.go

@@ -0,0 +1,113 @@
+package v1alpha1
+
+import (
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	"github.com/ontai-dev/seam-core/pkg/lineage"
+)
+
+// Condition type and reason constants for TalosMachineConfigBackup.
+const (
+	// ConditionTypeMachineConfigBackupReady indicates the backup completed successfully.
+	ConditionTypeMachineConfigBackupReady = "Ready"
+
+	// ConditionTypeMachineConfigBackupRunning indicates the Conductor Job is running.
+	ConditionTypeMachineConfigBackupRunning = "Running"
+
+	// ConditionTypeMachineConfigBackupDegraded indicates the backup failed.
+	ConditionTypeMachineConfigBackupDegraded = "Degraded"
+
+	// ReasonMachineConfigBackupJobSubmitted is set when the Conductor executor Job is submitted.
+	ReasonMachineConfigBackupJobSubmitted = "JobSubmitted"
+
+	// ReasonMachineConfigBackupJobComplete is set when the Job completed successfully.
+	ReasonMachineConfigBackupJobComplete = "JobComplete"
+
+	// ReasonMachineConfigBackupJobFailed is set when the Job failed. INV-018 applies.
+	ReasonMachineConfigBackupJobFailed = "JobFailed"
+
+	// ReasonMachineConfigBackupS3Absent indicates no S3 backup destination is configured.
+	ReasonMachineConfigBackupS3Absent = "S3DestinationAbsent"
+
+	// ConditionTypeMachineConfigBackupS3Absent is the condition type for absent S3 config.
+	ConditionTypeMachineConfigBackupS3Absent = "S3DestinationAbsent"
+)
+
+// TalosMachineConfigBackupSpec defines the desired state of TalosMachineConfigBackup.
+type TalosMachineConfigBackupSpec struct {
+	// ClusterRef references the TalosCluster whose node machine configs are to be backed up.
+	ClusterRef LocalObjectRef `json:"clusterRef"`
+
+	// S3BackupSecretRef references a Secret containing S3 backup credentials for this
+	// operation. Takes precedence over the cluster-wide seam-etcd-backup-config Secret
+	// in seam-system. platform-schema.md §10.
+	// +optional
+	S3BackupSecretRef *corev1.SecretReference `json:"s3BackupSecretRef,omitempty"`
+
+	// S3Destination is the S3 location to write node machine configs to.
+	// The bucket is required. The key prefix is auto-generated as:
+	// {cluster}/machineconfigs/{TIMESTAMP}/{hostname}.yaml
+	S3Destination S3Ref `json:"s3Destination"`
+
+	// Lineage is the sealed causal chain record for this root declaration.
+	// Authored once at object creation time and immutable thereafter.
+	// seam-core-schema.md §5, CLAUDE.md §14 Decision 1.
+	// +optional
+	Lineage *lineage.SealedCausalChain `json:"lineage,omitempty"`
+}
+
+// TalosMachineConfigBackupStatus defines the observed state of TalosMachineConfigBackup.
+type TalosMachineConfigBackupStatus struct {
+	// ObservedGeneration is the generation of the spec last reconciled.
+	// +optional
+	ObservedGeneration int64 `json:"observedGeneration,omitempty"`
+
+	// JobName is the name of the most recently submitted Conductor executor Job.
+	// +optional
+	JobName string `json:"jobName,omitempty"`
+
+	// OperationResult is the message from the Conductor OperationResult ConfigMap.
+	// +optional
+	OperationResult string `json:"operationResult,omitempty"`
+
+	// Conditions is the list of status conditions for this TalosMachineConfigBackup.
+	// Condition types: Ready, Running, Degraded, S3DestinationAbsent, LineageSynced.
+	// +optional
+	// +listType=map
+	// +listMapKey=type
+	Conditions []metav1.Condition `json:"conditions,omitempty"`
+}
+
+// TalosMachineConfigBackup triggers a machine config backup for all nodes of a target
+// cluster. The Conductor executor reads each node's running config via GetMachineConfig
+// and uploads it to S3 at {cluster}/machineconfigs/{TIMESTAMP}/{hostname}.yaml.
+// Named Conductor capability: machineconfig-backup. platform-schema.md §11.
+//
+// +kubebuilder:object:root=true
+// +kubebuilder:subresource:status
+// +kubebuilder:resource:scope=Namespaced,shortName=mcb
+// +kubebuilder:printcolumn:name="Cluster",type=string,JSONPath=".spec.clusterRef.name"
+// +kubebuilder:printcolumn:name="Ready",type=string,JSONPath=".status.conditions[?(@.type==\"Ready\")].status"
+// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=".metadata.creationTimestamp"
+type TalosMachineConfigBackup struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   TalosMachineConfigBackupSpec   `json:"spec,omitempty"`
+	Status TalosMachineConfigBackupStatus `json:"status,omitempty"`
+}
+
+// TalosMachineConfigBackupList is the list type for TalosMachineConfigBackup.
+//
+// +kubebuilder:object:root=true
+type TalosMachineConfigBackupList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+
+	Items []TalosMachineConfigBackup `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&TalosMachineConfigBackup{}, &TalosMachineConfigBackupList{})
+}

api/v1alpha1/taloscluster_types.go

@@ -70,6 +70,7 @@ const (
 	ConditionTypeKubeconfigUnavailable        = conditions.ConditionTypeKubeconfigUnavailable
 	ConditionTypeVersionUpgradePending        = conditions.ConditionTypeVersionUpgradePending
 	ConditionTypeVersionRegressionBlocked     = conditions.ConditionTypeVersionRegressionBlocked
+	ConditionTypeHardeningApplied             = conditions.ConditionTypeHardeningApplied
 )
 
 // Reason constants for TalosCluster -- re-exported from seam-core/pkg/conditions.
@@ -95,4 +96,7 @@ const (
 	ReasonVersionUpgradeSubmitted        = conditions.ReasonVersionUpgradeSubmitted
 	ReasonVersionUpgradeComplete         = conditions.ReasonVersionUpgradeComplete
 	ReasonVersionRegressionAttempted     = conditions.ReasonVersionRegressionAttempted
+	ReasonHardeningApplied               = conditions.ReasonHardeningApplied
+	ReasonHardeningPending               = conditions.ReasonHardeningPending
+	ReasonHardeningProfileNotValid       = conditions.ReasonHardeningProfileNotValid
 )

cmd/platform/main.go

@@ -210,6 +210,16 @@ func main() {
 		os.Exit(1)
 	}
 
+	if err := (&controller.MachineConfigBackupReconciler{
+		Client:    mgr.GetClient(),
+		APIReader: mgr.GetAPIReader(),
+		Scheme:    mgr.GetScheme(),
+		Recorder:  mgr.GetEventRecorder("machineconfigbackup-controller"),
+	}).SetupWithManager(mgr); err != nil {
+		setupLog.Error(err, "unable to create controller", "controller", "MachineConfigBackup")
+		os.Exit(1)
+	}
+
 	if err := mgr.AddHealthzCheck("healthz", healthz.Ping); err != nil {
 		setupLog.Error(err, "unable to set up health check")
 		os.Exit(1)