Refactor and fix clusterctl role to backup capi resources (!5534) · Merge requests · Sylva-projects / sylva-core

What does this MR do and why?

The way rights are granted to clusterctl is not efficient today, with specific cases regarding some infrastructures. And this is failing for metal3.

This MR change the way clusterctl is granted to get capi resources.

The proposal is to configure a dedicated role rather than binding on existing ones provided by the providers.

This role is build of capi resources as of providers resources (metal3 and capo, CAPV and CAPD appear not to have specific resources).

Part of the mandatory resources needed can be found looking at the CRD on a running cluster (it works also on crustgather clusters) :

kubectl get crd -o yaml | yq eval '[.items[] | select(.metadata.labels."clusterctl.cluster.x-k8s.io" == "") | {"group": .spec.group, "name": .spec.names.plural}] | map(select(.group != "infrastructure.cluster.x-k8s.io" and .group != "controlplane.cluster.x-k8s.io" and .group != "bootstrap.cluster.x-k8s.io" and .group != "addons.cluster.x-k8s.io")) | sort_by(.group) | group_by(.group) | (.[] | {"apiGroups": [.[0].group], "resources": map(.name)} )'

It's working now on metal3:

-- Start backing up clusters from namespace 'kubeadm-capm3-virt'.
Moving to directory...
Discovering Cluster API objects
Starting move of Cluster API objects Clusters=1
Moving Cluster API objects ClusterClasses=0
Saving files to /tmp/tmp.DnEPBn/kubeadm-capm3-virt_capi_resources_backup_202509181213
-- Backing up additional resources : ConfigMap/sylva-units-values Secret/sylva-units-secrets ConfigMap/capo-cluster-resources
-- Cluster backed up.

as on capo:

-- Start backing up clusters from namespace 'rke2-capo'.
Moving to directory...
Discovering Cluster API objects
Starting move of Cluster API objects Clusters=1
Moving Cluster API objects ClusterClasses=0
Saving files to /tmp/tmp.kDCohJ/rke2-capo_capi_resources_backup_202509181203
-- Backing up additional resources : ConfigMap/sylva-units-values Secret/sylva-units-secrets ConfigMap/capo-cluster-resources
-- Cluster backed up.

Related reference(s)

Fix #2909 (closed)

Backport to 1.4.x: !5540 (merged)

Test coverage

CI configuration

Below you can choose test deployment variants to run in this MR's CI.

Click to open to CI configuration

Legend:

Icon	Meaning	Available values
☁️	Infra Provider	`capd`, `capo`, `capm3`
🚀	Bootstrap Provider	`kubeadm` (alias `kadm`), `rke2`, `okd`, `ck8s`
🐧	Node OS	`ubuntu`, `suse`, `na`, `leapmicro`
🛠️	Deployment Options	`light-deploy`, `dev-sources`, `ha`, `misc`, `maxsurge-0`, `logging`, `no-logging`, `openbao`
🎬	Pipeline Scenarios	Available scenario list and description

Global config for deployment pipelines

autorun pipelines
allow failure on pipelines
record sylvactl events

Notes:

Enabling autorun will make deployment pipelines to be run automatically without human interaction
Disabling allow failure will make deployment pipelines mandatory for pipeline success.
if both autorun and allow failure are disabled, deployment pipelines will need manual triggering but will be blocking the pipeline

Be aware: after configuration change, pipeline is not triggered automatically. Please run it manually (by clicking the run pipeline button in Pipelines tab) or push new code.

Edited Sep 19, 2025 by Arnaud Bouts

Refactor and fix clusterctl role to backup capi resources

What does this MR do and why?

Related reference(s)

Test coverage

CI configuration

Global config for deployment pipelines

Merge request reports