⚠️ This project is a work in progress and needs a thorough review and testing before it can be used in a production environment.
A Kubernetes operator for managing OVHcloud resources declaratively. This operator allows you to manage OVH cloud infrastructure using Kubernetes Custom Resource Definitions (CRDs).
The operator provides 100+ CRDs covering the full OVHcloud ecosystem:
- Managed Kubernetes - Clusters, node pools, OIDC, IP restrictions
- Managed Databases - PostgreSQL, MySQL, MongoDB, Redis, Kafka, M3DB, OpenSearch, and more
- Cloud Project - Instances, volumes, networks, gateways, S3 storage, SSH keys
- Key Management (OKMS) - KMS service, credentials, service keys, secrets
- IP Load Balancing - HTTP/TCP/UDP frontends, farms, servers, routes, SSL
- IP Services - IP management, firewalls, mitigation, reverse DNS
- vRack Networking - Private networking, cloud project/server attachment, IPv6
- Domain & DNS - Zones, records, DNSSEC, redirections, DynHost
- Dedicated Servers - VPS, dedicated servers, networking, NAS-HA
- Container Registry - Harbor registry, users, OIDC, IAM integration
- Storage - Object storage, EFS shares, snapshots
- Hosting - Private databases, users, grants
- IAM - Policies, permission groups, resource groups, OAuth2 clients
- Logs Data Platform - DBaaS Logs clusters, inputs, tokens
- Billing - Savings plans
Full Documentation | CRD Reference
- Kubernetes cluster (v1.25+)
- kubectl configured to access your cluster
- OVH API credentials (create here)
```bash
# Install CRDs and deploy operator
make install
make deploy
```

```bash
# Using kustomize
kubectl kustomize config/crd | kubectl apply -f -
# Or directly from files
kubectl apply -f config/crd/bases/
```

Create a secret with your OVH API credentials:
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: ovh-credentials
  namespace: default
type: Opaque
stringData:
  endpoint: "https://eu.api.ovh.com/1.0"
  applicationKey: "YOUR_APPLICATION_KEY"
  applicationSecret: "YOUR_APPLICATION_SECRET"
  consumerKey: "YOUR_CONSUMER_KEY"
```

```bash
# Using kustomize (recommended)
kubectl kustomize config/default | kubectl apply -f -
# Or using make with custom image
make deploy IMG=ghcr.io/roerbakei/kubernetes-operator-ovh:v1.0.0
```

The operator uses Kustomize for configuration management. To deploy with a custom image:
```bash
# Option 1: Use make with IMG variable
make deploy IMG=myregistry/my-operator:v1.0.0
# Option 2: Edit kustomization.yaml directly
# (subshell keeps the working directory at the repository root for the next command)
(cd config/manager && kustomize edit set image ghcr.io/roerbakei/kubernetes-operator-ovh=myregistry/my-operator:v1.0.0)
kubectl kustomize config/default | kubectl apply -f -
# Option 3: Preview the generated manifests
kubectl kustomize config/default
```

```yaml
apiVersion: ovh.com/v1alpha1
kind: CloudProject
metadata:
  name: my-project
spec:
  ovhSubsidiary: FR
  credentialsSecretRef:
    name: ovh-credentials
---
apiVersion: ovh.com/v1alpha1
kind: KubeCluster
metadata:
  name: my-cluster
spec:
  cloudProjectRef:
    name: my-project
  name: production
  region: GRA7
  version: "1.28"
---
apiVersion: ovh.com/v1alpha1
kind: KubeNodePool
metadata:
  name: my-nodepool
spec:
  cloudProjectRef:
    name: my-project
  kubeClusterRef:
    name: my-cluster
  name: workers
  flavorName: b2-7
  desiredNodes: 3
  autoscale: true
  minNodes: 1
  maxNodes: 10
```

```yaml
apiVersion: ovh.com/v1alpha1
kind: Database
metadata:
  name: my-postgres
spec:
  cloudProjectRef:
    name: my-project
  engine: postgresql
  version: "15"
  plan: essential
  flavor: db1-4
  nodes:
    - region: GRA
```

```yaml
apiVersion: ovh.com/v1alpha1
kind: DomainZoneRecord
metadata:
  name: www-record
spec:
  credentialsSecretRef:
    name: ovh-credentials
  zone: example.com
  fieldType: A
  subDomain: www
  target: "192.0.2.1"
  ttl: 3600
```

```yaml
apiVersion: ovh.com/v1alpha1
kind: OKMSServiceKey
metadata:
  name: encryption-key
spec:
  credentialsSecretRef:
    name: ovh-credentials
  okmsId: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
  name: app-encryption-key
  type: oct
  size: 256
  operations:
    - encrypt
    - decrypt
```

| Category | CRDs | Description |
|---|---|---|
| Core | 1 | Cloud project reference |
| Cloud Project | 20 | Compute, network, storage resources |
| OKMS | 5 | Key management service |
| Kubernetes | 4 | Managed Kubernetes |
| Database | 19 | Multi-engine managed databases |
| IP Load Balancing | 11 | Load balancing configuration |
| IP Services | 6 | IP and firewall management |
| vRack | 11 | Private networking |
| Domain & DNS | 9 | DNS management |
| Dedicated | 10 | VPS and dedicated servers |
| Container Registry | 5 | Harbor registry |
| Storage | 3 | Object and file storage |
| Hosting | 5 | Private database hosting |
| IAM | 7 | Identity and access management |
| Logs | 3 | Log data platform |
| Billing | 1 | Savings plans |
See the CRD Reference for complete documentation.
All resources include:
- `status.conditions` - Current state conditions (Ready, etc.)
- `status.observedGeneration` - Last reconciled generation
- Resource-specific status fields (IDs, endpoints, etc.)
For KubeCluster resources, the operator automatically creates a secret containing the kubeconfig:
```bash
kubectl get secret my-cluster-kubeconfig -o jsonpath='{.data.kubeconfig}' | base64 -d > kubeconfig.yaml
export KUBECONFIG=kubeconfig.yaml
kubectl get nodes
```

```bash
make build
```

```bash
make run
```

```bash
make docker-build IMG=your-registry/ovh-operator:tag
make docker-push IMG=your-registry/ovh-operator:tag
```

Required API permissions depend on the resources you want to manage. For full access:
```
GET /cloud/project/*
POST /cloud/project/*
PUT /cloud/project/*
DELETE /cloud/project/*
GET /domain/zone/*
POST /domain/zone/*
PUT /domain/zone/*
DELETE /domain/zone/*
GET /vrack/*
POST /vrack/*
DELETE /vrack/*
GET /ip/*
POST /ip/*
PUT /ip/*
DELETE /ip/*
GET /ipLoadbalancing/*
POST /ipLoadbalancing/*
PUT /ipLoadbalancing/*
DELETE /ipLoadbalancing/*
GET /dedicated/*
POST /dedicated/*
PUT /dedicated/*
DELETE /dedicated/*
GET /me/*
POST /me/*
PUT /me/*
DELETE /me/*
GET /okms/*
POST /okms/*
PUT /okms/*
DELETE /okms/*
```
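A least-privilege alternative to the full-access list, as an added example that is not part of the project: it reads the `kind:` values from the manifests you plan to apply and builds the `accessRules` body for OVH's `POST /auth/credential` request from only the matching entries of the list above. The `KIND_TO_PATH` mapping and the sample manifest are assumptions constructed for illustration.

```python
import json
import re

# Method/path pairs taken from the README's full-access list.
ALL = ["GET", "POST", "PUT", "DELETE"]
FULL_ACCESS = {
    "/cloud/project/*": ALL, "/domain/zone/*": ALL,
    "/vrack/*": ["GET", "POST", "DELETE"], "/ip/*": ALL,
    "/ipLoadbalancing/*": ALL, "/dedicated/*": ALL,
    "/me/*": ALL, "/okms/*": ALL,
}

# ASSUMPTION: the API path each kind needs, inferred from the kind names in
# the README's examples; confirm against the operator's controllers.
KIND_TO_PATH = {
    "CloudProject": "/cloud/project/*",
    "KubeCluster": "/cloud/project/*",
    "KubeNodePool": "/cloud/project/*",
    "Database": "/cloud/project/*",
    "DomainZoneRecord": "/domain/zone/*",
    "OKMSServiceKey": "/okms/*",
}

def kinds_in(manifests):
    """Collect top-level `kind:` values from a multi-document YAML string."""
    return sorted(set(re.findall(r"^kind:\s*(\S+)", manifests, re.MULTILINE)))

def access_rules(manifests):
    """Smallest subset of FULL_ACCESS covering the kinds in the manifests."""
    paths = []
    for kind in kinds_in(manifests):
        if kind == "Secret":  # plain Kubernetes object, no OVH API call
            continue
        if kind not in KIND_TO_PATH:
            raise ValueError(f"no path mapping for kind {kind}; add one explicitly")
        if KIND_TO_PATH[kind] not in paths:
            paths.append(KIND_TO_PATH[kind])
    return [{"method": m, "path": p} for p in paths for m in FULL_ACCESS[p]]

def credential_body(manifests):
    """JSON body for POST /auth/credential requesting only those rules."""
    return json.dumps({"accessRules": access_rules(manifests)}, indent=2)

# Constructed sample: a DNS record plus an OKMS key, as in the README examples.
SAMPLE = "kind: DomainZoneRecord\n---\nkind: OKMSServiceKey\n"

if __name__ == "__main__":
    print(credential_body(SAMPLE))
```

An unmapped kind raises instead of falling back to a wildcard, so widening the consumer key's scope is always an explicit decision.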
MIT License