stuttgart-things · patrick-hermann-sva · Apr 10, 2026 · Apr 3, 2026 · Apr 10, 2026
diff --git a/configurations/config/cluster-profile/examples/environment-config.yaml b/configurations/config/cluster-profile/examples/environment-config.yaml
@@ -7,6 +7,6 @@ data:
   deployCilium: true
   vault:
     addr: "https://vault.sthings-infra.sthings-vsphere.labul.sva.de"
-    caBundle: "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0t # pragma: allowlist secretCk1JSURrVENDQW5tZ0F3SUJBZ0lVYzBuVkNqL2MrblMyT3VTUUpIMHB5TXE4Qkhjd0RRWUpLb1pJaHZjTkFRRUwKQlFBd1VERUxNQWtHQTFVRUJoTUNSRVV4RERBS0JnTlZCQW9UQTNOMllURXpNREVHQTFVRUF4TXFjM1JvYVc1bgpjeTFwYm1aeVlTNXpkR2hwYm1kekxYWnpjR2hsY21VdWJHRmlkV3d1YzNaaExtUmxNQjRYRFRJMk1ETXlNREV5Ck5EVXdNVm9YRFRNMk1ETXhOekV5TkRVek1Wb3dVREVMTUFrR0ExVUVCaE1DUkVVeEREQUtCZ05WQkFvVEEzTjIKWVRFek1ERUdBMVVFQXhNcWMzUm9hVzVuY3kxcGJtWnlZUzV6ZEdocGJtZHpMWFp6Y0dobGNtVXViR0ZpZFd3dQpjM1poTG1SbE1JSUJJakFOQmdrcWhraUc5dzBCQVFFRkFBT0NBUThBTUlJQkNnS0NBUUVBbWYyVXpsSy9wRzNqCksyc0VRNDB1RXBySmZQeDU5dTcvNFlGM0k4NDJKRjFQNWl4NmYxelRTeGlEM09vUTFHOVlNVi8yZ3BzNmdSb3MKRWRIbGJkbTY5Nkx1WEdCNkM0QW5mSHhQQVN3VHhraCsxdkdCeUc0RFY0cEduaEhxd0ZtTFNuUWNnQzlESDlyVQovdHVxVjVVZWVMbGVtYzZzMnFRWVd6VGhUNHFFUG9ucnJtRlNvTCt5MWVwYzh4Ry9pWWh5aGJ6Ykd4bTZzQ3M1CmlzdTdMYlJrVU9BV1hRQXdZOFRrZjExQlVqanFTc0dNSXRnNEhBUC9pczA4dmp5M0ZmdnJBd0UwZEJDeDFqR1IKRm05THpPRFV1enhObll4cE95Q2hyNXJ1SU05UTl1cCtZemovNmZEbWJoWG9JbUd0TTI0MWEzUS9IV3AzenFmKwpCOTluQ0hEVGJRSURBUUFCbzJNd1lUQU9CZ05WSFE4QkFmOEVCQU1DQVFZd0R3WURWUjBUQVFIL0JBVXdBd0VCCi96QWRCZ05WSFE4RUZnUVV1UGpiUVFVNVc1RHBDbk9wdEVXb0NJU2YvQll3SHdZRFZSMGpCQmd3Rm9BVXVQamIKUVFVNVc1RHBDbk9wdEVXb0NJU2YvQll3RFFZSktvWklodmNOQVFFTEJRQURnZ0VCQUVwcEw5V3dzSENEODl0SApLMGwyMDNBQWdmSTVvQnRKWC9kUVZkT204MFFTNlM4RUorRFhieDlMS0R0YVBGdTRoOHZLcEhNcnhOVnI2R1UvCmZRdStZTGxrZWV4YW9PQVgxTDhIRnc4VnNVMVZFRVFFcUVlRWVtK2xjWmtIdGZkd294M1BwWlhWSXBWVDVkQkUKcjJvcFpKVG1rNjFncGFxaThJcStqMlgzVEZqci9vMmFzWDVkZ04vYS9IY2k3cjE2L2cvRnAvZzYwdlFlUnVpNQpMejNQanNxeERFR3JRdHpORWlQclpOR0pESlZlbFpmS0VBVGUveXpERGZIVkI4c3I3V0orbFNxb3R3UTVmdFhwCnBVRytIMHdJejVncmFhc2tSZ1JJZDc2dTArejV0eUY2N2pmUE95K3p2b1NESzlKMFRPOEpHSkp3M3d0WFh0eXIKT3J2SU9pYz0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQ=="
+    caBundle: "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURrVENDQW5tZ0F3SUJBZ0lVYzBuVkNqL2MrblMyT3VTUUpIMHB5TXE4Qkhjd0RRWUpLb1pJaHZjTkFRRUwKQlFBd1VERUxNQWtHQTFVRUJoTUNSRVV4RERBS0JnTlZCQW9UQTNOMllURXpNREVHQTFVRUF4TXFjM1JvYVc1bgpjeTFwYm1aeVlTNXpkR2hwYm1kekxYWnpjR2hsY21VdWJHRmlkV3d1YzNaaExtUmxNQjRYRFRJMk1ETXlNREV5Ck5EVXdNVm9YRFRNMk1ETXhOekV5TkRVek1Wb3dVREVMTUFrR0ExVUVCaE1DUkVVeEREQUtCZ05WQkFvVEEzTjIKWVRFek1ERUdBMVVFQXhNcWMzUm9hVzVuY3kxcGJtWnlZUzV6ZEdocGJtZHpMWFp6Y0dobGNtVXViR0ZpZFd3dQpjM1poTG1SbE1JSUJJakFOQmdrcWhraUc5dzBCQVFFRkFBT0NBUThBTUlJQkNnS0NBUUVBbWYyVXpsSy9wRzNqCksyc0VRNDB1RXBySmZQeDU5dTcvNFlGM0k4NDJKRjFQNWl4NmYxelRTeGlEM09vUTFHOVlNVi8yZ3BzNmdSb3MKRWRIbGJkbTY5Nkx1WEdCNkM0QW5mSHhQQVN3VHhraCsxdkdCeUc0RFY0cEduaEhxd0ZtTFNuUWNnQzlESDlyVQovdHVxVjVVZWVMbGVtYzZzMnFRWVd6VGhUNHFFUG9ucnJtRlNvTCt5MWVwYzh4Ry9pWWh5aGJ6Ykd4bTZzQ3M1CmlzdTdMYlJrVU9BV1hRQXdZOFRrZjExQlVqanFTc0dNSXRnNEhBUC9pczA4dmp5M0ZmdnJBd0UwZEJDeDFqR1IKRm05THpPRFV1enhObll4cE95Q2hyNXJ1SU05UTl1cCtZemovNmZEbWJoWG9JbUd0TTI0MWEzUS9IV3AzenFmKwpCOTluQ0hEVGJRSURBUUFCbzJNd1lUQU9CZ05WSFE4QkFmOEVCQU1DQVFZd0R3WURWUjBUQVFIL0JBVXdBd0VCCi96QWRCZ05WSFE4RUZnUVV1UGpiUVFVNVc1RHBDbk9wdEVXb0NJU2YvQll3SHdZRFZSMGpCQmd3Rm9BVXVQamIKUVFVNVc1RHBDbk9wdEVXb0NJU2YvQll3RFFZSktvWklodmNOQVFFTEJRQURnZ0VCQUVwcEw5V3dzSENEODl0SApLMGwyMDNBQWdmSTVvQnRKWC9kUVZkT204MFFTNlM4RUorRFhieDlMS0R0YVBGdTRoOHZLcEhNcnhOVnI2R1UvCmZRdStZTGxrZWV4YW9PQVgxTDhIRnc4VnNVMVZFRVFFcUVlRWVtK2xjWmtIdGZkd294M1BwWlhWSXBWVDVkQkUKcjJvcFpKVG1rNjFncGFxaThJcStqMlgzVEZqci9vMmFzWDVkZ04vYS9IY2k3cjE2L2cvRnAvZzYwdlFlUnVpNQpMejNQanNxeERFR3JRdHpORWlQclpOR0pESlZlbFpmS0VBVGUveXpERGZIVkI4c3I3V0orbFNxb3R3UTVmdFhwCnBVRytIMHdJejVncmFhc2tSZ1JJZDc2dTArejV0eUY2N2pmUE95K3p2b1NESzlKMFRPOEpHSkp3M3d0WFh0eXIKT3J2SU9pYz0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQ==" # pragma: allowlist secret
     pkiRole: "sthings-vsphere"
     policyName: "pki-issue"
diff --git a/configurations/infra/cert-manager/compositions/cert-manager.yaml b/configurations/infra/cert-manager/compositions/cert-manager.yaml
@@ -419,7 +419,7 @@ spec:
         apiVersion: krm.kcl.dev/v1alpha1
         kind: KCLInput
         spec:
-          source: |
+          source: | # pragma: allowlist secret
             oxr  = option("params").oxr
             ocds = option("params").ocds
 

diff --git a/configurations/infra/cilium/compositions/cilium.yaml b/configurations/infra/cilium/compositions/cilium.yaml
@@ -439,7 +439,7 @@ spec:
         apiVersion: krm.kcl.dev/v1alpha1
         kind: KCLInput
         spec:
-          source: |
+          source: | # pragma: allowlist secret
             oxr  = option("params").oxr
             ocds = option("params").ocds
 

diff --git a/configurations/infra/trust-manager/compositions/trust-manager.yaml b/configurations/infra/trust-manager/compositions/trust-manager.yaml
@@ -212,7 +212,7 @@ spec:
         apiVersion: krm.kcl.dev/v1alpha1
         kind: KCLInput
         spec:
-          source: |
+          source: | # pragma: allowlist secret
             oxr  = option("params").oxr
             ocds = option("params").ocds
 

diff --git a/configurations/infra/vsphere-vm/README.md b/configurations/infra/vsphere-vm/README.md
@@ -0,0 +1,188 @@
+# vSphere VM
+
+Crossplane composition that provisions vSphere virtual machines using the [xplane-provider-vspherevm](https://github.com/stuttgart-things/xplane-provider-vspherevm). Environment-specific defaults (vSphere IDs, T-shirt sizes) are externalized via `EnvironmentConfig`, keeping the composition fully portable across environments.
+
+## API
+
+- **Group:** `infrastructure.stuttgart-things.com`
+- **Version:** `v1alpha1`
+- **XR Kind:** `XVsphereVM`
+- **Scope:** `Namespaced`
+
+### Spec Fields
+
+| Field | Type | Default | Description |
+|-------|------|---------|-------------|
+| `name` | string | required | Name of the virtual machine |
+| `size` | string | `m` | T-shirt size (`s`/`m`/`l`) for CPU, memory, and disk |
+| `numCpus` | integer | — | Number of virtual CPUs (overrides `size`) |
+| `memory` | integer | — | Memory size in MB (overrides `size`) |
+| `diskSize` | integer | — | Primary disk size in GB (overrides `size`) |
+| `thinProvisioned` | boolean | `true` | Use thin provisioning for the disk |
+| `guestId` | string | `ubuntu64Guest` | Guest OS identifier |
+| `firmware` | string | `bios` | Firmware type (`bios` or `efi`) |
+| `folder` | string | env default | VM folder path |
+| `annotation` | string | `VSPHERE-VM BUILD w/ CROSSPLANE` | VM annotation |
+| `os` | string | env default | OS template alias (e.g. `sthings-u24`), resolved from EnvironmentConfig |
+| `templateUuid` | string | — | Template UUID for cloning (overrides `os` alias) |
+| `resourcePool` | string | env default | Resource pool alias (e.g. `Cluster-V6.7`), resolved from EnvironmentConfig |
+| `resourcePoolId` | string | — | vSphere resource pool ID (overrides `resourcePool` alias) |
+| `datastore` | string | env default | Datastore alias (e.g. `UL-ESX-SAS-02`), resolved from EnvironmentConfig |
+| `datastoreId` | string | — | vSphere datastore ID (overrides `datastore` alias) |
+| `network` | string | env default | Network alias (e.g. `LAB-10.31.103`), resolved from EnvironmentConfig |
+| `networkId` | string | — | vSphere network ID (overrides `network` alias) |
+| `providerConfigName` | string | `default` | ProviderConfig to use |
+
+### T-Shirt Sizes
+
+Sizes are defined in the `EnvironmentConfig` and can vary per environment. Default values:
+
+| Size | CPUs | Memory (MB) | Disk (GB) |
+|------|------|-------------|-----------|
+| `s` | 2 | 2048 | 32 |
+| `m` | 4 | 4096 | 64 |
+| `l` | 8 | 8192 | 128 |
+
+Precedence: explicit `numCpus`/`memory`/`diskSize` > T-shirt `size` > hardcoded fallback.
+
+### Resource Aliases
+
+Templates, resource pools, and datastores can be referenced by human-readable aliases instead of vSphere IDs. Aliases are defined in the `EnvironmentConfig` and resolved at composition time.
+
+| Resource | Alias field | Explicit ID field | EnvironmentConfig key |
+|----------|------------|-------------------|-----------------------|
+| OS Template | `os` | `templateUuid` | `templates` / `defaultOs` |
+| Resource Pool | `resourcePool` | `resourcePoolId` | `resourcePools` / `defaultResourcePool` |
+| Datastore | `datastore` | `datastoreId` | `datastores` / `defaultDatastore` |
+| Network | `network` | `networkId` | `networks` / `defaultNetwork` |
+
+Precedence (highest to lowest):
+
+1. **Explicit ID** (`templateUuid`, `resourcePoolId`, `datastoreId`, `networkId`) — raw vSphere ID, always wins
+2. **Alias field** (`os`, `resourcePool`, `datastore`, `network`) — looked up in the EnvironmentConfig map
+3. **Default alias** (`defaultOs`, `defaultResourcePool`, `defaultDatastore`, `defaultNetwork`) — fallback from EnvironmentConfig when no alias is specified
+
+### Status Fields
+
+| Field | Type | Description |
+|-------|------|-------------|
+| `ready` | boolean | True when the VM is Ready |
+| `ipAddress` | string | Primary IP address of the VM |
+| `guestIpAddresses` | []string | All IP addresses reported by VMware Tools |
+| `powerState` | string | Power state (`poweredOn`, `poweredOff`, `suspended`) |
+| `vmwareToolsStatus` | string | VMware Tools status |
+| `uuid` | string | UUID of the virtual machine |
+| `moid` | string | vSphere managed object reference ID |
+| `vmName` | string | Name of the VM as reported by vSphere |
+
+### Composed Resources
+
+| Resource | Kind | Description |
+|----------|------|-------------|
+| VM | `VirtualMachine` | vSphere virtual machine (xplane-provider-vspherevm) |
+
+## EnvironmentConfig
+
+The composition loads a `vsphere-vm-defaults` EnvironmentConfig to resolve environment-specific values. Deploy it before creating VMs:
+
+```yaml
+apiVersion: apiextensions.crossplane.io/v1beta1
+kind: EnvironmentConfig
+metadata:
+  name: vsphere-vm-defaults
+data:
+  vsphere:
+    defaultOs: sthings-u24
+    templates:
+      sthings-u24: "423483d0-5dd4-def9-5c87-94c0f513bab4"
+      sthings-u22: "<uuid>"
+      sthings-rh9: "<uuid>"
+    defaultResourcePool: Cluster-V6.7
+    resourcePools:
+      Cluster-V6.7: "resgroup-481"
+    defaultDatastore: UL-ESX-SAS-02
+    datastores:
+      UL-ESX-SAS-02: "datastore-255"
+    defaultNetwork: LAB-10.31.103
+    networks:
+      LAB-10.31.103: "network-263"
+    folder: "stuttgart-things/testing"
+    sizes:
+      s:
+        numCpus: 2
+        memory: 2048
+        diskSize: 32
+      m:
+        numCpus: 4
+        memory: 4096
+        diskSize: 64
+      l:
+        numCpus: 8
+        memory: 8192
+        diskSize: 128
+```
+
+## Install
+
+```bash
+kubectl apply -f examples/functions.yaml
+kubectl apply -f examples/environment-config.yaml
+kubectl apply -f apis/definition.yaml
+kubectl apply -f compositions/vsphere-vm.yaml
+```
+
+## Example
+
+Minimal - uses T-shirt size and all defaults from EnvironmentConfig:
+
+```yaml
+apiVersion: infrastructure.stuttgart-things.com/v1alpha1
+kind: XVsphereVM
+metadata:
+  name: movie-scripts5
+  namespace: crossplane2
+spec:
+  name: movie-scripts5
+  size: l
+```
+
+With explicit resources and OS alias:
+
+```yaml
+apiVersion: infrastructure.stuttgart-things.com/v1alpha1
+kind: XVsphereVM
+metadata:
+  name: custom-vm
+  namespace: crossplane2
+spec:
+  name: custom-vm
+  numCpus: 4
+  memory: 8192
+  diskSize: 200
+  os: sthings-u24
+  firmware: efi
+  annotation: "Custom VM with larger disk"
+```
+
+With explicit vSphere IDs (overrides aliases):
+
+```yaml
+apiVersion: infrastructure.stuttgart-things.com/v1alpha1
+kind: XVsphereVM
+metadata:
+  name: custom-vm2
+  namespace: crossplane2
+spec:
+  name: custom-vm2
+  size: m
+  templateUuid: "423483d0-5dd4-def9-5c87-94c0f513bab4"
+  resourcePoolId: "resgroup-481"
+  datastoreId: "datastore-255"
+```
+
+## Check Status
+
+```bash
+kubectl get xvspherevm movie-scripts5 -n crossplane2 -o jsonpath='{.status.ipAddress}'
+kubectl get xvspherevm movie-scripts5 -n crossplane2 -o yaml
+```
diff --git a/configurations/infra/vsphere-vm/apis/definition.yaml b/configurations/infra/vsphere-vm/apis/definition.yaml
@@ -0,0 +1,133 @@
+---
+apiVersion: apiextensions.crossplane.io/v2
+kind: CompositeResourceDefinition
+metadata:
+  name: xvspherevm.infrastructure.stuttgart-things.com
+spec:
+  group: infrastructure.stuttgart-things.com
+  defaultCompositeDeletePolicy: Foreground
+  scope: Namespaced
+  names:
+    kind: XVsphereVM
+    plural: xvspherevm
+    singular: xvspherevm
+  versions:
+    - name: v1alpha1
+      served: true
+      referenceable: true
+      schema:
+        openAPIV3Schema:
+          type: object
+          required:
+            - spec
+          properties:
+            spec:
+              type: object
+              required:
+                - name
+              properties:
+                name:
+                  type: string
+                  description: Name of the virtual machine
+                size:
+                  type: string
+                  default: m
+                  enum:
+                    - s
+                    - m
+                    - l
+                  description: "T-shirt size (s/m/l) for CPU, memory, and disk. Resolved from EnvironmentConfig. Explicit numCpus/memory/diskSize override."
+                numCpus:
+                  type: integer
+                  description: Number of virtual CPUs (overrides size)
+                memory:
+                  type: integer
+                  description: Memory size in MB (overrides size)
+                diskSize:
+                  type: integer
+                  description: Primary disk size in GB (overrides size)
+                thinProvisioned:
+                  type: boolean
+                  default: true
+                  description: Use thin provisioning for the disk
+                guestId:
+                  type: string
+                  default: ubuntu64Guest
+                  description: Guest OS identifier
+                firmware:
+                  type: string
+                  default: bios
+                  enum:
+                    - bios
+                    - efi
+                  description: Firmware type (bios or efi)
+                folder:
+                  type: string
+                  default: ""
+                  description: VM folder path (overrides EnvironmentConfig default)
+                annotation:
+                  type: string
+                  default: "VSPHERE-VM BUILD w/ CROSSPLANE"
+                  description: VM annotation
+                resourcePool:
+                  type: string
+                  description: "Resource pool alias (e.g. Cluster-V6.7). Resolved to resourcePoolId from EnvironmentConfig."
+                resourcePoolId:
+                  type: string
+                  default: ""
+                  description: "Resource pool ID (overrides resourcePool alias and EnvironmentConfig)"
+                datastore:
+                  type: string
+                  description: "Datastore alias (e.g. UL-ESX-SAS-02). Resolved to datastoreId from EnvironmentConfig."
+                datastoreId:
+                  type: string
+                  default: ""
+                  description: "Datastore ID (overrides datastore alias and EnvironmentConfig)"
+                os:
+                  type: string
+                  description: "OS template alias (e.g. sthings-u24). Resolved to templateUuid from EnvironmentConfig."
+                templateUuid:
+                  type: string
+                  default: ""
+                  description: "Template UUID for cloning (overrides os alias and EnvironmentConfig)"
+                network:
+                  type: string
+                  description: "Network alias (e.g. LAB-10.31.103). Resolved to networkId from EnvironmentConfig."
+                networkId:
+                  type: string
+                  default: ""
+                  description: "Network ID (overrides network alias and EnvironmentConfig)"
+                providerConfigName:
+                  type: string
+                  default: default
+                  description: Name of the ProviderConfig to use
+
+            status:
+              type: object
+              properties:
+                ready:
+                  type: boolean
+                  description: True when the VM is Ready
+                ipAddress:
+                  type: string
+                  description: Primary IP address of the VM
+                guestIpAddresses:
+                  type: array
+                  items:
+                    type: string
+                  description: All IP addresses reported by VMware Tools
+                powerState:
+                  type: string
+                  description: Power state of the VM (poweredOn, poweredOff, suspended)
+                vmwareToolsStatus:
+                  type: string
+                  description: VMware Tools status
+                uuid:
+                  type: string
+                  description: UUID of the virtual machine
+                moid:
+                  type: string
+                  description: vSphere managed object reference ID
+                vmName:
+                  type: string
+                  description: Name of the VM as reported by vSphere