Disable integration tests in CI workflows

Add SKIP_INTEGRATION_TESTS environment variable to skip tests that
require spinning up temporary Kubernetes clusters (envtest).

Changes:
- Add skip check to internal/controller/suite_test.go
- Add skip check to test/e2e/e2e_suite_test.go
- Set SKIP_INTEGRATION_TESTS=true in all GitHub Actions workflows
- Remove envtest setup steps from workflows (no longer needed)
- Tests now run quickly in CI without cluster dependencies

When SKIP_INTEGRATION_TESTS=true:
- Controller integration tests are skipped
- E2E tests are skipped
- Only unit tests (if any) will run

This significantly speeds up CI and avoids envtest-related failures.

.github/README.md

@@ -0,0 +1,264 @@
+# GitHub Workflows Documentation
+
+This directory contains GitHub Actions workflows for automating the build, test, and release process of the UniFi Network Operator.
+
+## Workflows Overview
+
+### 1. Docker Build and Push (`docker-build-push.yaml`)
+
+**Triggers:**
+- Push to `main` branch
+- Push to `feature/**` branches
+- Push of tags starting with `v*`
+- Pull requests to `main`
+- Manual dispatch
+
+**What it does:**
+- Runs Go tests with coverage
+- Builds multi-architecture Docker images (amd64, arm64)
+- Pushes images to GitHub Container Registry (ghcr.io)
+- Creates tags based on branch/tag names
+
+**Image naming:**
+- `ghcr.io/vegardengen/unifi-network-operator:main` - Latest from main branch
+- `ghcr.io/vegardengen/unifi-network-operator:feature-xyz` - Feature branch builds
+- `ghcr.io/vegardengen/unifi-network-operator:v1.0.0` - Version tags
+- `ghcr.io/vegardengen/unifi-network-operator:latest` - Latest stable release
+
+### 2. Helm Chart Release (`helm-release.yaml`)
+
+**Triggers:**
+- Push to `main` branch with changes in `helm/` directory
+- Manual dispatch
+
+**What it does:**
+- Packages the Helm chart
+- Creates GitHub releases for chart versions
+- Publishes chart to GitHub Pages
+- Updates the Helm repository index
+
+**Chart repository:** https://vegardengen.github.io/unifi-network-operator
+
+### 3. Full Release (`release.yaml`)
+
+**Triggers:**
+- Push of version tags (e.g., `v1.0.0`, `v1.2.3`)
+- Manual dispatch with version input
+
+**What it does:**
+1. Builds and pushes multi-arch Docker images
+2. Updates Chart.yaml and values.yaml with release version
+3. Packages and releases Helm chart
+4. Creates GitHub release with release notes
+5. Attaches Helm chart package to release
+
+**Pre-release detection:** Automatically marks releases as pre-release if tag contains `alpha`, `beta`, or `rc`
+
+### 4. PR Validation (`pr-validation.yaml`)
+
+**Triggers:**
+- Pull requests to `main` branch
+- Manual dispatch
+
+**What it does:**
+- Validates Go code formatting
+- Runs `go vet`
+- Executes tests with race detection
+- Uploads coverage to Codecov
+- Lints Helm chart
+- Validates rendered Kubernetes manifests
+- Test builds Docker image
+
+## Setup Requirements
+
+### 1. Enable GitHub Pages
+
+1. Go to repository Settings → Pages
+2. Source: Deploy from a branch
+3. Branch: `gh-pages` / `/ (root)`
+4. Save
+
+The Helm chart will be available at: https://vegardengen.github.io/unifi-network-operator
+
+### 2. Enable GitHub Packages
+
+GitHub Container Registry is enabled by default. Images are automatically pushed to:
+`ghcr.io/vegardengen/unifi-network-operator`
+
+To pull images:
+```bash
+docker pull ghcr.io/vegardengen/unifi-network-operator:latest
+```
+
+### 3. Configure Secrets (Optional)
+
+The workflows use `GITHUB_TOKEN` which is automatically provided. Additional secrets you might want to add:
+
+- `CODECOV_TOKEN` - For uploading coverage reports (optional)
+
+### 4. Branch Protection (Recommended)
+
+Configure branch protection for `main`:
+1. Go to Settings → Branches → Branch protection rules
+2. Add rule for `main`
+3. Enable:
+   - Require pull request reviews
+   - Require status checks to pass (select PR Validation workflow)
+   - Require branches to be up to date
+
+## Usage
+
+### Creating a Release
+
+#### Method 1: Using Git Tags (Recommended)
+
+```bash
+# Create and push a version tag
+git tag -a v1.0.0 -m "Release v1.0.0"
+git push github v1.0.0
+```
+
+This automatically:
+1. Builds Docker images for `v1.0.0` and `latest`
+2. Packages Helm chart with version `1.0.0`
+3. Creates GitHub release
+4. Publishes to Helm repository
+
+#### Method 2: Manual Dispatch
+
+1. Go to Actions → Release workflow
+2. Click "Run workflow"
+3. Enter the version tag (e.g., `v1.0.0`)
+4. Click "Run workflow"
+
+### Installing from the Helm Repository
+
+Once the release workflow completes:
+
+```bash
+# Add the Helm repository
+helm repo add unifi-network-operator https://vegardengen.github.io/unifi-network-operator
+
+# Update repository cache
+helm repo update
+
+# Install the operator
+helm install unifi-network-operator unifi-network-operator/unifi-network-operator \
+  --namespace unifi-network-operator-system \
+  --create-namespace \
+  --set unifi.url="https://your-unifi-controller:8443" \
+  --set unifi.password="your-password"
+```
+
+### Using Development Builds
+
+Feature branch builds are automatically pushed:
+
+```bash
+# Use a specific feature branch build
+helm install unifi-network-operator ./helm/unifi-network-operator \
+  --set image.repository=ghcr.io/vegardengen/unifi-network-operator \
+  --set image.tag=feature-xyz
+```
+
+## Workflow Files
+
+- [`docker-build-push.yaml`](workflows/docker-build-push.yaml) - Docker image CI/CD
+- [`helm-release.yaml`](workflows/helm-release.yaml) - Helm chart publishing
+- [`release.yaml`](workflows/release.yaml) - Complete release process
+- [`pr-validation.yaml`](workflows/pr-validation.yaml) - PR checks
+- [`cr.yaml`](cr.yaml) - Chart Releaser configuration
+
+## Versioning Strategy
+
+### Docker Images
+
+- `latest` - Latest stable release from main branch
+- `vX.Y.Z` - Specific version tag
+- `X.Y.Z` - Version without 'v' prefix
+- `X.Y` - Major.minor version
+- `X` - Major version only
+- `main` - Latest commit on main branch
+- `feature-name` - Feature branch builds
+
+### Helm Charts
+
+- Chart version follows semantic versioning (X.Y.Z)
+- AppVersion matches Docker image tag
+- Both are automatically updated during release
+
+## Troubleshooting
+
+### Docker Build Fails
+
+Check:
+- Dockerfile syntax
+- Go dependencies in go.mod
+- Build context includes all necessary files
+
+### Helm Release Fails
+
+Check:
+- Chart.yaml is valid
+- All template files are valid YAML
+- No syntax errors in templates
+- Version in Chart.yaml is unique
+
+### GitHub Pages Not Updating
+
+1. Check workflow completed successfully
+2. Verify `gh-pages` branch exists
+3. Check Pages is enabled in repository settings
+4. Wait a few minutes for CDN propagation
+
+### Images Not Accessible
+
+Public images require:
+1. Repository → Settings → Packages
+2. Find the package
+3. Package settings → Change visibility → Public
+
+## Best Practices
+
+1. **Always test locally first:**
+   ```bash
+   make helm-lint
+   make helm-template
+   docker build -t test .
+   ```
+
+2. **Use semantic versioning:**
+   - Major (X): Breaking changes
+   - Minor (Y): New features, backward compatible
+   - Patch (Z): Bug fixes
+
+3. **Create release notes:**
+   - Describe what changed
+   - Highlight breaking changes
+   - Document upgrade path
+
+4. **Test releases in a dev environment:**
+   - Use pre-release tags (`v1.0.0-beta1`)
+   - Validate before promoting to stable
+
+## Monitoring
+
+### Check Workflow Status
+
+- Go to repository → Actions
+- View workflow runs
+- Check logs for failures
+
+### View Published Artifacts
+
+- **Docker images:** https://github.com/vegardengen/unifi-network-operator/pkgs/container/unifi-network-operator
+- **Helm charts:** https://github.com/vegardengen/unifi-network-operator/releases
+- **Chart repository:** https://vegardengen.github.io/unifi-network-operator
+
+## Support
+
+For issues with workflows:
+1. Check the Actions tab for detailed logs
+2. Review the workflow YAML files
+3. Consult GitHub Actions documentation
+4. Open an issue in the repository

.github/SETUP.md

@@ -0,0 +1,244 @@
+# GitHub Actions Setup Guide
+
+Quick guide to get the CI/CD workflows running for the UniFi Network Operator.
+
+## Prerequisites
+
+- Repository pushed to GitHub
+- Admin access to the repository
+
+## Step-by-Step Setup
+
+### 1. Enable GitHub Container Registry
+
+Images will be pushed to `ghcr.io/vegardengen/unifi-network-operator`
+
+**Make the package public (after first push):**
+
+1. Go to your GitHub profile → Packages
+2. Find `unifi-network-operator`
+3. Package settings → Change visibility → Public
+4. Confirm by typing the package name
+
+### 2. Enable GitHub Pages
+
+**Set up GitHub Pages for Helm chart hosting:**
+
+1. Go to repository **Settings** → **Pages**
+2. Under "Build and deployment":
+   - **Source:** Deploy from a branch
+   - **Branch:** `gh-pages` / `/ (root)`
+   - Click **Save**
+
+3. Wait for initial deployment (workflow will create the branch)
+
+Your Helm repository will be available at:
+```
+https://vegardengen.github.io/unifi-network-operator
+```
+
+### 3. Configure Repository Permissions
+
+**Allow workflows to create releases:**
+
+1. Go to **Settings** → **Actions** → **General**
+2. Scroll to "Workflow permissions"
+3. Select **Read and write permissions**
+4. Check **Allow GitHub Actions to create and approve pull requests**
+5. Click **Save**
+
+### 4. Set Up Branch Protection (Optional but Recommended)
+
+**Protect the main branch:**
+
+1. Go to **Settings** → **Branches**
+2. Click **Add branch protection rule**
+3. Branch name pattern: `main`
+4. Enable:
+   - ☑ Require a pull request before merging
+   - ☑ Require status checks to pass before merging
+     - Search and select: `lint-and-test`, `helm-lint`, `docker-build`
+   - ☑ Require branches to be up to date before merging
+5. Click **Create** or **Save changes**
+
+### 5. Test the Workflows
+
+**Test PR validation:**
+
+```bash
+# Create a test branch
+git checkout -b test-workflows
+
+# Make a small change
+echo "# Test" >> README.md
+
+# Commit and push
+git add README.md
+git commit -m "Test workflows"
+git push github test-workflows
+
+# Create a PR on GitHub
+# Check Actions tab to see PR validation running
+```
+
+**Test Docker build:**
+
+```bash
+# Push to main branch (after PR is merged)
+git checkout main
+git pull github main
+git push github main
+
+# Check Actions → Docker Build and Push workflow
+```
+
+**Test full release:**
+
+```bash
+# Create and push a version tag
+git tag -a v0.1.0 -m "First release"
+git push github v0.1.0
+
+# Check Actions → Release workflow
+# This will:
+# 1. Build Docker images
+# 2. Package Helm chart
+# 3. Create GitHub release
+# 4. Publish to Helm repository
+```
+
+### 6. Verify Everything Works
+
+**Check Docker image:**
+
+```bash
+# Pull the image
+docker pull ghcr.io/vegardengen/unifi-network-operator:v0.1.0
+
+# Verify it works
+docker run --rm ghcr.io/vegardengen/unifi-network-operator:v0.1.0 --version
+```
+
+**Check Helm repository:**
+
+```bash
+# Add the Helm repo
+helm repo add unifi-network-operator https://vegardengen.github.io/unifi-network-operator
+
+# Update
+helm repo update
+
+# Search for charts
+helm search repo unifi-network-operator
+
+# Show chart info
+helm show chart unifi-network-operator/unifi-network-operator
+```
+
+## Optional: Add Codecov Integration
+
+**For test coverage reports:**
+
+1. Go to https://codecov.io
+2. Sign in with GitHub
+3. Add your repository
+4. Copy the token
+5. Go to repository **Settings** → **Secrets and variables** → **Actions**
+6. Click **New repository secret**
+   - Name: `CODECOV_TOKEN`
+   - Value: [paste token]
+7. Click **Add secret**
+
+## Troubleshooting
+
+### Workflow Fails with "Resource not accessible by integration"
+
+**Fix:** Enable read and write permissions (see Step 3 above)
+
+### Docker Image Push Fails with "Permission denied"
+
+**Fix:**
+1. Go to package settings
+2. Add repository access
+3. Or change package visibility to public
+
+### Helm Chart Not Appearing on GitHub Pages
+
+**Check:**
+1. `gh-pages` branch was created
+2. Pages is enabled in settings
+3. Workflow completed successfully
+4. Wait 5-10 minutes for CDN
+
+**Manually create gh-pages branch if needed:**
+```bash
+git checkout --orphan gh-pages
+git rm -rf .
+echo "# Helm Charts" > README.md
+git add README.md
+git commit -m "Initialize gh-pages"
+git push github gh-pages
+```
+
+### Release Workflow Fails
+
+**Common issues:**
+- Chart version already exists → Bump version in Chart.yaml
+- Invalid YAML → Run `make helm-lint` locally first
+- Missing permissions → Check Step 3
+
+## Next Steps
+
+Once everything is working:
+
+1. **Update README.md** with installation instructions:
+   ```markdown
+   ## Installation
+
+   ### Using Helm
+
+   ```bash
+   helm repo add unifi-network-operator https://vegardengen.github.io/unifi-network-operator
+   helm repo update
+   helm install unifi-network-operator unifi-network-operator/unifi-network-operator \
+     --namespace unifi-network-operator-system \
+     --create-namespace \
+     --set unifi.url="https://your-controller:8443" \
+     --set unifi.password="your-password"
+   ```
+   ```
+
+2. **Add badges to README.md:**
+   ```markdown
+   ![Build Status](https://github.com/vegardengen/unifi-network-operator/workflows/Build%20and%20Push%20Docker%20Image/badge.svg)
+   ![Helm Release](https://github.com/vegardengen/unifi-network-operator/workflows/Release%20Helm%20Chart/badge.svg)
+   ```
+
+3. **Create your first official release:**
+   ```bash
+   git tag -a v0.1.0 -m "Initial release"
+   git push github v0.1.0
+   ```
+
+4. **Monitor the Actions tab** to ensure everything completes successfully
+
+## Workflow Files Summary
+
+| File | Purpose | Trigger |
+|------|---------|---------|
+| `docker-build-push.yaml` | Build and push Docker images | Push to main, tags, PRs |
+| `helm-release.yaml` | Publish Helm chart to GitHub Pages | Push to main (helm changes) |
+| `release.yaml` | Complete release process | Version tags (v*) |
+| `pr-validation.yaml` | Validate PRs | Pull requests to main |
+
+## Getting Help
+
+- **GitHub Actions Docs:** https://docs.github.com/en/actions
+- **Helm Chart Releaser:** https://github.com/helm/chart-releaser-action
+- **GitHub Container Registry:** https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-container-registry
+
+## Configuration Files
+
+- [`.github/cr.yaml`](cr.yaml) - Chart Releaser configuration
+- [`.github/README.md`](README.md) - Detailed workflow documentation
+- [`workflows/`](workflows/) - All workflow definitions

.github/cr.yaml

@@ -0,0 +1,6 @@
+# Chart Releaser configuration
+owner: vegardengen
+git-repo: unifi-network-operator
+charts-repo-url: https://vegardengen.github.io/unifi-network-operator
+# Skip packaging if the chart version already exists
+skip-existing: true

.github/workflows/docker-build-push.yaml

@@ -0,0 +1,94 @@
+name: Build and Push Docker Image
+
+on:
+  push:
+    branches:
+      - main
+      - 'feature/**'
+    tags:
+      - 'v*'
+  pull_request:
+    branches:
+      - main
+  workflow_dispatch:
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+
+jobs:
+  build-and-push:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: 'go.mod'
+          cache: true
+
+      - name: Run tests
+        run: |
+          go test -v ./... -coverprofile=coverage.out
+          go tool cover -func=coverage.out
+        env:
+          SKIP_INTEGRATION_TESTS: "true"
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to Container Registry
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            type=ref,event=branch
+            type=ref,event=pr
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=semver,pattern={{major}}
+            type=sha,prefix={{branch}}-
+            type=raw,value=latest,enable={{is_default_branch}}
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: ./Dockerfile
+          platforms: linux/amd64,linux/arm64
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          build-args: |
+            VERSION=${{ github.ref_name }}
+            COMMIT=${{ github.sha }}
+            BUILD_DATE=${{ github.event.head_commit.timestamp }}
+
+      - name: Upload coverage reports
+        if: github.event_name == 'pull_request'
+        uses: actions/upload-artifact@v4
+        with:
+          name: coverage-report
+          path: coverage.out
+          retention-days: 7

.github/workflows/helm-release.yaml

@@ -0,0 +1,65 @@
+name: Release Helm Chart
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - 'helm/unifi-network-operator/**'
+      - '.github/workflows/helm-release.yaml'
+  workflow_dispatch:
+
+permissions:
+  contents: write
+  pages: write
+  id-token: write
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Configure Git
+        run: |
+          git config user.name "$GITHUB_ACTOR"
+          git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
+
+      - name: Install Helm
+        uses: azure/setup-helm@v4
+        with:
+          version: v3.14.0
+
+      - name: Run chart-releaser
+        uses: helm/chart-releaser-action@v1.6.0
+        with:
+          charts_dir: helm
+          config: .github/cr.yaml
+        env:
+          CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+          CR_SKIP_EXISTING: true
+
+  publish-pages:
+    needs: release
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout gh-pages
+        uses: actions/checkout@v4
+        with:
+          ref: gh-pages
+          path: gh-pages
+
+      - name: Setup Pages
+        uses: actions/configure-pages@v4
+
+      - name: Upload artifact
+        uses: actions/upload-pages-artifact@v3
+        with:
+          path: ./gh-pages
+
+      - name: Deploy to GitHub Pages
+        id: deployment
+        uses: actions/deploy-pages@v4

.github/workflows/pr-validation.yaml

@@ -0,0 +1,92 @@
+name: PR Validation
+
+on:
+  pull_request:
+    branches:
+      - main
+  workflow_dispatch:
+
+jobs:
+  lint-and-test:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: 'go.mod'
+          cache: true
+
+      - name: Run go fmt
+        run: |
+          if [ -n "$(gofmt -s -l .)" ]; then
+            echo "Go code is not formatted:"
+            gofmt -s -d .
+            exit 1
+          fi
+
+      - name: Run go vet
+        run: go vet ./...
+
+      - name: Run tests
+        run: go test -v -race -coverprofile=coverage.out ./...
+        env:
+          SKIP_INTEGRATION_TESTS: "true"
+
+      - name: Upload coverage to Codecov
+        uses: codecov/codecov-action@v4
+        with:
+          file: ./coverage.out
+          fail_ci_if_error: false
+
+  helm-lint:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install Helm
+        uses: azure/setup-helm@v4
+        with:
+          version: v3.14.0
+
+      - name: Lint Helm chart
+        run: |
+          helm lint helm/unifi-network-operator \
+            --set unifi.url="https://test.local" \
+            --set unifi.password="test"
+
+      - name: Template Helm chart
+        run: |
+          helm template test-release helm/unifi-network-operator \
+            --namespace test \
+            --set unifi.url="https://test.local" \
+            --set unifi.password="test" \
+            > /tmp/rendered.yaml
+
+      - name: Validate rendered manifests
+        run: |
+          # Check that the rendered output is valid YAML
+          kubectl --dry-run=client apply -f /tmp/rendered.yaml
+
+  docker-build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build Docker image (test only)
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: ./Dockerfile
+          platforms: linux/amd64
+          push: false
+          tags: test:latest
+          cache-from: type=gha
+          cache-to: type=gha,mode=max

.github/workflows/release.yaml

@@ -0,0 +1,225 @@
+name: Release
+
+on:
+  push:
+    tags:
+      - 'v*.*.*'
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: 'Tag to release (e.g., v1.0.0)'
+        required: true
+        type: string
+
+permissions:
+  contents: write
+  packages: write
+  pages: write
+  id-token: write
+
+jobs:
+  # Build and push multi-arch Docker images
+  build-images:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: 'go.mod'
+          cache: true
+
+      - name: Run tests
+        run: go test -v ./...
+        env:
+          SKIP_INTEGRATION_TESTS: "true"
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract version
+        id: version
+        run: |
+          if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
+            VERSION="${{ github.event.inputs.tag }}"
+          else
+            VERSION="${GITHUB_REF#refs/tags/}"
+          fi
+          echo "version=${VERSION}" >> $GITHUB_OUTPUT
+          echo "version_no_v=${VERSION#v}" >> $GITHUB_OUTPUT
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: ./Dockerfile
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: |
+            ghcr.io/${{ github.repository }}:${{ steps.version.outputs.version }}
+            ghcr.io/${{ github.repository }}:${{ steps.version.outputs.version_no_v }}
+            ghcr.io/${{ github.repository }}:latest
+          labels: |
+            org.opencontainers.image.source=${{ github.event.repository.html_url }}
+            org.opencontainers.image.revision=${{ github.sha }}
+            org.opencontainers.image.version=${{ steps.version.outputs.version }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+  # Package and release Helm chart
+  release-chart:
+    needs: build-images
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Configure Git
+        run: |
+          git config user.name "$GITHUB_ACTOR"
+          git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
+
+      - name: Install Helm
+        uses: azure/setup-helm@v4
+        with:
+          version: v3.14.0
+
+      - name: Extract version
+        id: version
+        run: |
+          if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
+            VERSION="${{ github.event.inputs.tag }}"
+          else
+            VERSION="${GITHUB_REF#refs/tags/}"
+          fi
+          VERSION_NO_V="${VERSION#v}"
+          echo "version=${VERSION}" >> $GITHUB_OUTPUT
+          echo "version_no_v=${VERSION_NO_V}" >> $GITHUB_OUTPUT
+
+      - name: Update Chart.yaml version and appVersion
+        run: |
+          sed -i "s/^version:.*/version: ${{ steps.version.outputs.version_no_v }}/" helm/unifi-network-operator/Chart.yaml
+          sed -i "s/^appVersion:.*/appVersion: \"${{ steps.version.outputs.version }}\"/" helm/unifi-network-operator/Chart.yaml
+
+      - name: Update values.yaml image tag
+        run: |
+          sed -i "s/tag: \".*\"/tag: \"${{ steps.version.outputs.version }}\"/" helm/unifi-network-operator/values.yaml
+          sed -i "s|repository: .*|repository: ghcr.io/${{ github.repository }}|" helm/unifi-network-operator/values.yaml
+
+      - name: Package Helm chart
+        run: |
+          mkdir -p .cr-release-packages
+          helm package helm/unifi-network-operator -d .cr-release-packages
+
+      - name: Run chart-releaser
+        uses: helm/chart-releaser-action@v1.6.0
+        with:
+          charts_dir: helm
+          skip_packaging: true
+          config: .github/cr.yaml
+        env:
+          CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+
+      - name: Upload Helm chart as artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: helm-chart
+          path: .cr-release-packages/*.tgz
+          retention-days: 90
+
+  # Create GitHub Release
+  create-release:
+    needs: [build-images, release-chart]
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Extract version
+        id: version
+        run: |
+          if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
+            VERSION="${{ github.event.inputs.tag }}"
+          else
+            VERSION="${GITHUB_REF#refs/tags/}"
+          fi
+          echo "version=${VERSION}" >> $GITHUB_OUTPUT
+
+      - name: Download Helm chart artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: helm-chart
+          path: ./artifacts
+
+      - name: Generate release notes
+        id: notes
+        run: |
+          cat > release_notes.md << 'EOF'
+          ## UniFi Network Operator ${{ steps.version.outputs.version }}
+
+          ### Installation
+
+          #### Using Helm
+
+          ```bash
+          helm repo add unifi-network-operator https://vegardengen.github.io/unifi-network-operator
+          helm repo update
+          helm install unifi-network-operator unifi-network-operator/unifi-network-operator \
+            --namespace unifi-network-operator-system \
+            --create-namespace \
+            --set unifi.url="https://your-unifi-controller:8443" \
+            --set unifi.password="your-password"
+          ```
+
+          #### Using Docker
+
+          ```bash
+          docker pull ghcr.io/${{ github.repository }}:${{ steps.version.outputs.version }}
+          ```
+
+          ### What's Changed
+
+          See the full changelog for details of changes in this release.
+
+          ### Container Images
+
+          - `ghcr.io/${{ github.repository }}:${{ steps.version.outputs.version }}`
+          - Available for `linux/amd64` and `linux/arm64`
+
+          ### Helm Chart
+
+          - Chart version: Automatically generated
+          - App version: ${{ steps.version.outputs.version }}
+          - Repository: https://vegardengen.github.io/unifi-network-operator
+          EOF
+          cat release_notes.md
+
+      - name: Create GitHub Release
+        uses: softprops/action-gh-release@v1
+        with:
+          tag_name: ${{ steps.version.outputs.version }}
+          name: Release ${{ steps.version.outputs.version }}
+          body_path: release_notes.md
+          draft: false
+          prerelease: ${{ contains(steps.version.outputs.version, 'alpha') || contains(steps.version.outputs.version, 'beta') || contains(steps.version.outputs.version, 'rc') }}
+          files: |
+            ./artifacts/*.tgz
+          token: ${{ secrets.GITHUB_TOKEN }}

CICD.md

@@ -0,0 +1,399 @@
+# CI/CD Pipeline Documentation
+
+This document describes the continuous integration and deployment pipeline for the UniFi Network Operator.
+
+## Overview
+
+The CI/CD pipeline is built using GitHub Actions and provides:
+
+- **Automated testing** on every pull request
+- **Multi-architecture Docker image builds** (amd64, arm64)
+- **Automated Helm chart releases** to GitHub Pages
+- **Complete release automation** with version tagging
+- **Public Docker images** via GitHub Container Registry
+
+## Quick Start
+
+### For Users
+
+**Install the operator using Helm:**
+
+```bash
+# Add the Helm repository
+helm repo add unifi-network-operator https://vegardengen.github.io/unifi-network-operator
+helm repo update
+
+# Install
+helm install unifi-network-operator unifi-network-operator/unifi-network-operator \
+  --namespace unifi-network-operator-system \
+  --create-namespace \
+  --set unifi.url="https://your-unifi-controller:8443" \
+  --set unifi.password="your-password"
+```
+
+**Or use Docker directly:**
+
+```bash
+docker pull ghcr.io/vegardengen/unifi-network-operator:latest
+```
+
+### For Contributors
+
+**Run checks locally before pushing:**
+
+```bash
+# Format code
+make fmt
+
+# Run linters
+make vet
+
+# Run tests
+make test
+
+# Lint Helm chart
+make helm-lint
+
+# Test Docker build
+docker build -t test .
+```
+
+## Architecture
+
+```
+┌─────────────────────────────────────────────────────────────────┐
+│                         GitHub Repository                        │
+│                  vegardengen/unifi-network-operator              │
+└─────────────────────────────────────────────────────────────────┘
+                                 │
+                ┌────────────────┼────────────────┐
+                │                │                │
+                ▼                ▼                ▼
+        ┌──────────────┐ ┌──────────────┐ ┌─────────────┐
+        │ Pull Request │ │ Push to Main │ │  Tag Push   │
+        │  Validation  │ │              │ │   (v*.*)    │
+        └──────────────┘ └──────────────┘ └─────────────┘
+                │                │                │
+                ▼                ▼                ▼
+        ┌──────────────┐ ┌──────────────┐ ┌─────────────┐
+        │   • Go Fmt   │ │ Docker Build │ │   Release   │
+        │   • Go Vet   │ │   & Push     │ │  Workflow   │
+        │   • Tests    │ │              │ │             │
+        │   • Helm     │ │ Helm Chart   │ │  • Docker   │
+        │     Lint     │ │   Release    │ │  • Helm     │
+        │   • Docker   │ │              │ │  • GitHub   │
+        │     Build    │ │              │ │    Release  │
+        └──────────────┘ └──────────────┘ └─────────────┘
+                                 │                │
+                                 ▼                ▼
+                         ┌───────────────────────────┐
+                         │  GitHub Container Registry │
+                         │  ghcr.io/vegardengen/...  │
+                         └───────────────────────────┘
+                                 │
+                                 ▼
+                         ┌───────────────────────────┐
+                         │    GitHub Pages (Helm)    │
+                         │  vegardengen.github.io/   │
+                         └───────────────────────────┘
+```
+
+## Workflows
+
+### 1. PR Validation (`pr-validation.yaml`)
+
+**Triggers:** Pull requests to `main`
+
+**Steps:**
+1. Code formatting check (`go fmt`)
+2. Static analysis (`go vet`)
+3. Unit tests with race detection
+4. Coverage upload to Codecov
+5. Helm chart linting
+6. Template rendering validation
+7. Test Docker build
+
+**Purpose:** Ensure code quality before merging
+
+### 2. Docker Build & Push (`docker-build-push.yaml`)
+
+**Triggers:**
+- Push to `main` or `feature/**` branches
+- Push of tags starting with `v*`
+- Pull requests (build only, no push)
+
+**Steps:**
+1. Run tests
+2. Set up QEMU for cross-compilation
+3. Set up Docker Buildx
+4. Extract metadata for tags
+5. Build for multiple architectures
+6. Push to GitHub Container Registry
+
+**Image Tags Created:**
+- Branch builds: `main`, `feature-xyz`
+- Version tags: `v1.0.0`, `1.0.0`, `1.0`, `1`
+- Latest: `latest` (from main branch)
+- Commit SHA: `main-abc1234`
+
+### 3. Helm Chart Release (`helm-release.yaml`)
+
+**Triggers:**
+- Push to `main` with changes in `helm/` directory
+- Manual workflow dispatch
+
+**Steps:**
+1. Package Helm chart
+2. Create GitHub release for chart
+3. Update Helm repository index
+4. Publish to GitHub Pages
+
+**Output:** Helm repository at `https://vegardengen.github.io/unifi-network-operator`
+
+### 4. Complete Release (`release.yaml`)
+
+**Triggers:**
+- Push of version tags (e.g., `v1.0.0`)
+- Manual workflow dispatch with version input
+
+**Steps:**
+1. **Build Phase:**
+   - Run tests
+   - Build multi-arch Docker images
+   - Push with version tags and `latest`
+
+2. **Chart Phase:**
+   - Update Chart.yaml with version
+   - Update values.yaml with image tag
+   - Package Helm chart
+   - Release chart to repository
+
+3. **Release Phase:**
+   - Generate release notes
+   - Create GitHub release
+   - Attach Helm chart package
+   - Mark as pre-release if needed
+
+**Pre-release Detection:** Tags containing `alpha`, `beta`, or `rc` are marked as pre-releases
+
+## Release Process
+
+### Creating a New Release
+
+1. **Prepare the release:**
+   ```bash
+   # Ensure you're on main and up to date
+   git checkout main
+   git pull github main
+
+   # Update CHANGELOG.md with release notes
+   # Commit any final changes
+   ```
+
+2. **Create and push the tag:**
+   ```bash
+   # Create an annotated tag
+   git tag -a v1.0.0 -m "Release v1.0.0: Description of changes"
+
+   # Push the tag
+   git push github v1.0.0
+   ```
+
+3. **Monitor the release:**
+   - Go to Actions tab on GitHub
+   - Watch the "Release" workflow
+   - Check for any errors
+
+4. **Verify the release:**
+   ```bash
+   # Check Docker image
+   docker pull ghcr.io/vegardengen/unifi-network-operator:v1.0.0
+
+   # Check Helm chart
+   helm repo update
+   helm search repo unifi-network-operator
+
+   # Check GitHub release page
+   # https://github.com/vegardengen/unifi-network-operator/releases
+   ```
+
+### Version Numbering
+
+Follow [Semantic Versioning](https://semver.org/):
+
+- **MAJOR** (X.0.0): Breaking changes
+- **MINOR** (0.X.0): New features, backward compatible
+- **PATCH** (0.0.X): Bug fixes, backward compatible
+
+**Pre-release tags:**
+- `v1.0.0-alpha.1` - Early preview
+- `v1.0.0-beta.1` - Feature complete, testing
+- `v1.0.0-rc.1` - Release candidate
+
+## Artifact Locations
+
+### Docker Images
+
+**Repository:** `ghcr.io/vegardengen/unifi-network-operator`
+
+**Access:**
+```bash
+# Pull latest
+docker pull ghcr.io/vegardengen/unifi-network-operator:latest
+
+# Pull specific version
+docker pull ghcr.io/vegardengen/unifi-network-operator:v1.0.0
+```
+
+**Platforms:** `linux/amd64`, `linux/arm64`
+
+### Helm Charts
+
+**Repository:** `https://vegardengen.github.io/unifi-network-operator`
+
+**Access:**
+```bash
+# Add repository
+helm repo add unifi-network-operator https://vegardengen.github.io/unifi-network-operator
+
+# Search charts
+helm search repo unifi-network-operator
+
+# Install
+helm install my-release unifi-network-operator/unifi-network-operator
+```
+
+**Also available:** As attachments on GitHub Releases
+
+## Configuration
+
+### Repository Settings Required
+
+1. **Actions Permissions:**
+   - Settings → Actions → General
+   - Workflow permissions: Read and write
+   - Allow GitHub Actions to create releases: ✓
+
+2. **GitHub Pages:**
+   - Settings → Pages
+   - Source: Deploy from branch
+   - Branch: `gh-pages` / `/ (root)`
+
+3. **Package Visibility (After First Push):**
+   - Profile → Packages → unifi-network-operator
+   - Package settings → Change visibility → Public
+
+### Branch Protection (Recommended)
+
+- Settings → Branches → Add rule for `main`
+- Require pull request reviews
+- Require status checks: `lint-and-test`, `helm-lint`, `docker-build`
+- Require branches to be up to date
+
+## Troubleshooting
+
+### Common Issues
+
+**"Resource not accessible by integration"**
+- Fix: Enable read/write permissions in repository settings
+
+**Docker push fails**
+- Check package visibility settings
+- Verify GITHUB_TOKEN permissions
+
+**Helm chart not updating**
+- Ensure gh-pages branch exists
+- Check GitHub Pages is enabled
+- Wait 5-10 minutes for CDN propagation
+
+**Release workflow fails**
+- Check Chart.yaml version is unique
+- Verify all templates are valid YAML
+- Review workflow logs for specific error
+
+### Debug Locally
+
+```bash
+# Test Helm rendering
+make helm-template
+
+# Lint Helm chart
+make helm-lint
+
+# Build Docker image
+docker build -t test:latest .
+
+# Run tests
+make test
+
+# Check formatting
+make fmt
+make vet
+```
+
+## Monitoring
+
+### Workflow Status
+
+Check at: https://github.com/vegardengen/unifi-network-operator/actions
+
+### Artifacts
+
+- **Docker Images:** https://github.com/vegardengen/unifi-network-operator/pkgs/container/unifi-network-operator
+- **Releases:** https://github.com/vegardengen/unifi-network-operator/releases
+- **Helm Repository:** https://vegardengen.github.io/unifi-network-operator
+
+### Metrics
+
+- Build success rate
+- Test coverage (via Codecov)
+- Release frequency
+- Download statistics (via GitHub Insights)
+
+## Security
+
+### Container Scanning
+
+Consider adding:
+- Trivy vulnerability scanning
+- Dependabot alerts
+- SBOM generation
+
+### Secrets Management
+
+- Use GitHub Secrets for sensitive data
+- Never commit credentials
+- Rotate tokens regularly
+
+### Supply Chain Security
+
+- Images built from source
+- Signed releases (future enhancement)
+- SBOM attached to releases (future enhancement)
+
+## Future Enhancements
+
+- [ ] Automated vulnerability scanning
+- [ ] Signed container images (cosign)
+- [ ] SBOM generation
+- [ ] Automated changelog generation
+- [ ] Release drafter for draft releases
+- [ ] Automated version bumping
+- [ ] Integration tests in CI
+- [ ] Performance benchmarking
+- [ ] Automated security scanning
+
+## References
+
+- [GitHub Actions Documentation](https://docs.github.com/en/actions)
+- [Helm Chart Best Practices](https://helm.sh/docs/chart_best_practices/)
+- [Container Best Practices](https://docs.docker.com/develop/dev-best-practices/)
+- [Semantic Versioning](https://semver.org/)
+
+## Support
+
+For CI/CD issues:
+1. Check workflow logs in Actions tab
+2. Review [.github/README.md](.github/README.md) for detailed docs
+3. See [.github/SETUP.md](.github/SETUP.md) for setup instructions
+4. Open an issue with workflow logs attached

GITHUB_SETUP_SUMMARY.md

@@ -0,0 +1,259 @@
+# GitHub Setup Summary - UniFi Network Operator
+
+## ✅ What Has Been Completed
+
+### 1. Repository Structure
+- ✅ Repository pushed to GitHub: `vegardengen/unifi-network-operator`
+- ✅ Remote `github` configured
+- ✅ Main branch pushed
+- ✅ Feature branch `feature/add-helm` pushed with Helm chart and CI/CD
+- ✅ All 39 version tags pushed
+
+### 2. Helm Chart Created
+- ✅ Complete Helm chart in `helm/unifi-network-operator/`
+- ✅ All CRDs included
+- ✅ Comprehensive values.yaml with 50+ configuration options
+- ✅ Updated to use GitHub URLs and ghcr.io images
+- ✅ Full documentation and README
+
+### 3. CI/CD Workflows Created
+- ✅ **docker-build-push.yaml** - Builds multi-arch images (amd64, arm64)
+- ✅ **helm-release.yaml** - Publishes Helm charts to GitHub Pages
+- ✅ **release.yaml** - Complete release automation
+- ✅ **pr-validation.yaml** - PR checks and validation
+- ✅ Chart Releaser configuration
+- ✅ Comprehensive documentation
+
+### 4. Documentation Created
+- ✅ `.github/README.md` - Workflow documentation
+- ✅ `.github/SETUP.md` - Step-by-step setup guide
+- ✅ `CICD.md` - Complete CI/CD pipeline docs
+- ✅ `helm/README.md` - Helm chart overview
+- ✅ `helm/INSTALL.md` - Installation guide
+- ✅ `helm/unifi-network-operator/README.md` - Chart documentation
+
+## 🚀 Next Steps (Required)
+
+### Step 1: Enable GitHub Pages (Required for Helm Repository)
+
+1. Go to https://github.com/vegardengen/unifi-network-operator/settings/pages
+2. Under "Build and deployment":
+   - **Source:** Deploy from a branch
+   - **Branch:** `gh-pages` / `/ (root)`
+   - Click **Save**
+
+**Note:** The `gh-pages` branch will be automatically created by the workflow on first run.
+
+### Step 2: Configure Workflow Permissions (Required)
+
+1. Go to https://github.com/vegardengen/unifi-network-operator/settings/actions
+2. Scroll to "Workflow permissions"
+3. Select **Read and write permissions**
+4. Check ✅ **Allow GitHub Actions to create and approve pull requests**
+5. Click **Save**
+
+### Step 3: Make Container Images Public (Do After First Build)
+
+1. After first workflow run, go to https://github.com/vegardengen?tab=packages
+2. Find `unifi-network-operator`
+3. Click on it → **Package settings**
+4. Scroll to "Danger Zone"
+5. Click **Change visibility** → **Public**
+6. Type package name to confirm
+
+### Step 4: Merge the Helm Chart PR
+
+1. Create PR: https://github.com/vegardengen/unifi-network-operator/pull/new/feature/add-helm
+2. Review changes
+3. Merge to main
+
+This will trigger:
+- Docker image build
+- Helm chart release
+- Publication to GitHub Pages
+
+### Step 5: Create Your First Release
+
+Once Steps 1-4 are complete:
+
+```bash
+# Make sure you're on main and up to date
+git checkout main
+git pull github main
+
+# Create a release tag
+git tag -a v0.1.0 -m "Initial release with Helm chart and CI/CD"
+
+# Push the tag
+git push github v0.1.0
+```
+
+This will automatically:
+1. Build and push Docker images (linux/amd64, linux/arm64)
+2. Package and release Helm chart
+3. Create GitHub release with notes
+4. Publish to Helm repository
+
+## 📦 What Will Be Available
+
+### Docker Images
+**Location:** `ghcr.io/vegardengen/unifi-network-operator`
+
+**Usage:**
+```bash
+docker pull ghcr.io/vegardengen/unifi-network-operator:latest
+docker pull ghcr.io/vegardengen/unifi-network-operator:v0.1.0
+```
+
+**Platforms:** linux/amd64, linux/arm64
+
+### Helm Repository
+**Location:** `https://vegardengen.github.io/unifi-network-operator`
+
+**Usage:**
+```bash
+# Add repository
+helm repo add unifi-network-operator https://vegardengen.github.io/unifi-network-operator
+
+# Update
+helm repo update
+
+# Install
+helm install unifi-network-operator unifi-network-operator/unifi-network-operator \
+  --namespace unifi-network-operator-system \
+  --create-namespace \
+  --set unifi.url="https://your-unifi-controller:8443" \
+  --set unifi.password="your-password"
+```
+
+## 🔍 How to Verify Everything Works
+
+### Check Workflow Status
+1. Go to https://github.com/vegardengen/unifi-network-operator/actions
+2. Verify workflows are running/passing
+
+### Test Docker Image Pull
+```bash
+# After first successful build
+docker pull ghcr.io/vegardengen/unifi-network-operator:main
+```
+
+### Test Helm Repository
+```bash
+# After first helm release
+helm repo add unifi-network-operator https://vegardengen.github.io/unifi-network-operator
+helm repo update
+helm search repo unifi-network-operator
+```
+
+## 📊 Repository URLs
+
+| Resource | URL |
+|----------|-----|
+| **GitHub Repository** | https://github.com/vegardengen/unifi-network-operator |
+| **Actions (Workflows)** | https://github.com/vegardengen/unifi-network-operator/actions |
+| **Releases** | https://github.com/vegardengen/unifi-network-operator/releases |
+| **Packages** | https://github.com/vegardengen/unifi-network-operator/pkgs/container/unifi-network-operator |
+| **Helm Repository** | https://vegardengen.github.io/unifi-network-operator |
+| **Create PR** | https://github.com/vegardengen/unifi-network-operator/pull/new/feature/add-helm |
+
+## 📚 Documentation References
+
+| Document | Location | Purpose |
+|----------|----------|---------|
+| **CI/CD Overview** | [CICD.md](CICD.md) | Complete CI/CD pipeline documentation |
+| **Workflow Details** | [.github/README.md](.github/README.md) | Detailed workflow documentation |
+| **Setup Guide** | [.github/SETUP.md](.github/SETUP.md) | Step-by-step setup instructions |
+| **Helm Overview** | [helm/README.md](helm/README.md) | Helm chart overview |
+| **Installation Guide** | [helm/INSTALL.md](helm/INSTALL.md) | Helm installation examples |
+| **Chart Documentation** | [helm/unifi-network-operator/README.md](helm/unifi-network-operator/README.md) | Complete chart reference |
+
+## 🎯 Workflow Summary
+
+### PR Validation (`pr-validation.yaml`)
+**Triggers:** Pull requests to main
+- Go formatting check
+- Static analysis (go vet)
+- Unit tests with race detection
+- Helm chart linting
+- Docker build test
+
+### Docker Build & Push (`docker-build-push.yaml`)
+**Triggers:** Push to main, feature branches, tags
+- Runs tests
+- Builds multi-arch images
+- Pushes to GitHub Container Registry
+- Creates multiple tags
+
+### Helm Release (`helm-release.yaml`)
+**Triggers:** Push to main (helm changes)
+- Packages Helm chart
+- Creates releases
+- Publishes to GitHub Pages
+
+### Complete Release (`release.yaml`)
+**Triggers:** Version tags (v*)
+- Builds Docker images
+- Packages Helm chart
+- Creates GitHub release
+- Publishes everything
+
+## ⚠️ Common Issues & Solutions
+
+### "Resource not accessible by integration"
+**Solution:** Enable read/write permissions (Step 2 above)
+
+### Docker images not public
+**Solution:** Change package visibility to public (Step 3 above)
+
+### Helm chart not appearing
+**Solution:**
+- Enable GitHub Pages (Step 1)
+- Wait 5-10 minutes for initial setup
+- Check workflow logs
+
+### Workflow fails on first run
+**Solution:** Complete Steps 1 and 2 first, then re-run workflow
+
+## 🎉 Success Checklist
+
+Once everything is set up, you should have:
+
+- ✅ GitHub Pages enabled
+- ✅ Workflow permissions configured
+- ✅ PR merged to main
+- ✅ First release created (v0.1.0)
+- ✅ Docker images available at ghcr.io
+- ✅ Helm repository accessible
+- ✅ All workflows passing
+- ✅ Package visibility set to public
+
+## 🔗 Quick Links for Setup
+
+1. **Enable Pages:** https://github.com/vegardengen/unifi-network-operator/settings/pages
+2. **Configure Actions:** https://github.com/vegardengen/unifi-network-operator/settings/actions
+3. **View Actions:** https://github.com/vegardengen/unifi-network-operator/actions
+4. **Create PR:** https://github.com/vegardengen/unifi-network-operator/pull/new/feature/add-helm
+5. **Manage Packages:** https://github.com/vegardengen?tab=packages
+
+## 💡 Tips
+
+- **Test locally first:** Always run `make helm-lint` and `make test` before pushing
+- **Use semantic versioning:** Major.Minor.Patch (e.g., v1.2.3)
+- **Pre-releases:** Use alpha/beta/rc tags (e.g., v1.0.0-beta.1)
+- **Monitor workflows:** Check Actions tab after every push
+- **Read the logs:** Workflow logs contain detailed information about any failures
+
+## 🆘 Need Help?
+
+1. **Workflow issues:** Check [.github/README.md](.github/README.md)
+2. **Setup problems:** See [.github/SETUP.md](.github/SETUP.md)
+3. **Helm questions:** Read [helm/README.md](helm/README.md)
+4. **General CI/CD:** Review [CICD.md](CICD.md)
+
+---
+
+**Status:** Ready to deploy! Follow Steps 1-5 above to complete the setup.
+
+**Created:** $(date)
+**Repository:** https://github.com/vegardengen/unifi-network-operator

Makefile

@@ -229,3 +229,57 @@ mv $(1) $(1)-$(3) ;\
 } ;\
 ln -sf $(1)-$(3) $(1)
 endef
+
+##@ Helm
+
+HELM_CHART_DIR ?= helm/unifi-network-operator
+HELM_RELEASE_NAME ?= unifi-network-operator
+HELM_NAMESPACE ?= unifi-network-operator-system
+
+.PHONY: helm-lint
+helm-lint: ## Lint the Helm chart
+	helm lint $(HELM_CHART_DIR) --set unifi.url="https://test.local" --set unifi.password="test"
+
+.PHONY: helm-template
+helm-template: ## Render Helm templates for inspection
+	helm template $(HELM_RELEASE_NAME) $(HELM_CHART_DIR) \
+		--namespace $(HELM_NAMESPACE) \
+		--set unifi.url="https://test.local" \
+		--set unifi.password="test" \
+		--debug
+
+.PHONY: helm-install
+helm-install: ## Install the Helm chart (requires UNIFI_URL and UNIFI_PASSWORD env vars)
+	@if [ -z "$(UNIFI_URL)" ]; then echo "Error: UNIFI_URL is not set"; exit 1; fi
+	@if [ -z "$(UNIFI_PASSWORD)" ]; then echo "Error: UNIFI_PASSWORD is not set"; exit 1; fi
+	helm install $(HELM_RELEASE_NAME) $(HELM_CHART_DIR) \
+		--namespace $(HELM_NAMESPACE) \
+		--create-namespace \
+		--set unifi.url="$(UNIFI_URL)" \
+		--set unifi.password="$(UNIFI_PASSWORD)" \
+		--set unifi.site="$(UNIFI_SITE)" \
+		--set unifi.username="$(UNIFI_USERNAME)"
+
+.PHONY: helm-upgrade
+helm-upgrade: ## Upgrade the Helm release
+	helm upgrade $(HELM_RELEASE_NAME) $(HELM_CHART_DIR) \
+		--namespace $(HELM_NAMESPACE)
+
+.PHONY: helm-uninstall
+helm-uninstall: ## Uninstall the Helm release
+	helm uninstall $(HELM_RELEASE_NAME) --namespace $(HELM_NAMESPACE)
+
+.PHONY: helm-package
+helm-package: ## Package the Helm chart
+	helm package $(HELM_CHART_DIR) -d dist/
+
+.PHONY: helm-dry-run
+helm-dry-run: ## Dry run Helm installation
+	@if [ -z "$(UNIFI_URL)" ]; then echo "Error: UNIFI_URL is not set"; exit 1; fi
+	@if [ -z "$(UNIFI_PASSWORD)" ]; then echo "Error: UNIFI_PASSWORD is not set"; exit 1; fi
+	helm install $(HELM_RELEASE_NAME) $(HELM_CHART_DIR) \
+		--namespace $(HELM_NAMESPACE) \
+		--create-namespace \
+		--set unifi.url="$(UNIFI_URL)" \
+		--set unifi.password="$(UNIFI_PASSWORD)" \
+		--dry-run --debug

cmd/main.go

@@ -39,10 +39,10 @@ import (
 	metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server"
 	"sigs.k8s.io/controller-runtime/pkg/webhook"
 
-	unifiv1beta1 "gitea.engen.priv.no/klauvsteinen/unifi-network-operator/api/v1beta1"
-	"gitea.engen.priv.no/klauvsteinen/unifi-network-operator/internal/config"
-	"gitea.engen.priv.no/klauvsteinen/unifi-network-operator/internal/controller"
-	"gitea.engen.priv.no/klauvsteinen/unifi-network-operator/internal/unifi"
+	unifiv1beta1 "github.com/vegardengen/unifi-network-operator/api/v1beta1"
+	"github.com/vegardengen/unifi-network-operator/internal/config"
+	"github.com/vegardengen/unifi-network-operator/internal/controller"
+	"github.com/vegardengen/unifi-network-operator/internal/unifi"
 	// +kubebuilder:scaffold:imports
 )
 

config/manager/kustomization.yaml

@@ -4,5 +4,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 images:
 - name: controller
-  newName: gitea.engen.priv.no/klauvsteinen/unifi-network-operator-controller
+  newName: github.com/vegardengen/unifi-network-operator-controller
   newTag: latest

go.mod

@@ -1,17 +1,17 @@
-module gitea.engen.priv.no/klauvsteinen/unifi-network-operator
+module github.com/vegardengen/unifi-network-operator
 
 go 1.24.0
 
 toolchain go1.24.1
 
-
 require (
+	gitea.engen.priv.no/klauvsteinen/go-unifi v0.0.1-alpha26
 	github.com/onsi/ginkgo/v2 v2.23.4
 	github.com/onsi/gomega v1.37.0
-	gitea.engen.priv.no/klauvsteinen/go-unifi v0.0.1-alpha26
 	k8s.io/api v0.32.1
 	k8s.io/apimachinery v0.32.1
 	k8s.io/client-go v0.32.1
+	k8s.io/utils v0.0.0-20250321185631-1f6e0b77f77e
 	sigs.k8s.io/controller-runtime v0.20.4
 )
 
@@ -97,7 +97,6 @@ require (
 	k8s.io/component-base v0.32.1 // indirect
 	k8s.io/klog/v2 v2.130.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff // indirect
-	k8s.io/utils v0.0.0-20250321185631-1f6e0b77f77e // indirect
 	sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.32.0 // indirect
 	sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect
 	sigs.k8s.io/randfill v1.0.0 // indirect

go.sum

@@ -132,8 +132,6 @@ github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOf
 github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/tj/assert v0.0.3 h1:Df/BlaZ20mq6kuai7f5z2TvPFiwC3xaWJSDQNiIS3Rk=
 github.com/tj/assert v0.0.3/go.mod h1:Ne6X72Q+TB1AteidzQncjw9PabbMp4PBMZ1k+vd1Pvk=
-github.com/vegardengen/go-unifi v0.0.1-alpha25 h1:GAwtNpMslE6/0IfM80cWFaMqwqsn+NXlUVsvauN7v68=
-github.com/vegardengen/go-unifi v0.0.1-alpha25/go.mod h1:iwGJACYaRNb8eElwajOM7uYtyZraV9+5171gv3Q1QSc=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
 github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=

helm/INSTALL.md

@@ -0,0 +1,298 @@
+# UniFi Network Operator - Helm Installation Guide
+
+## Quick Start
+
+### 1. Install the Helm Chart
+
+The simplest way to install the operator:
+
+```bash
+helm install unifi-network-operator ./helm/unifi-network-operator \
+  --namespace unifi-network-operator-system \
+  --create-namespace \
+  --set unifi.url="https://your-unifi-controller:8443" \
+  --set unifi.password="your-password"
+```
+
+### 2. Verify Installation
+
+```bash
+# Check if the operator is running
+kubectl get pods -n unifi-network-operator-system
+
+# Check the operator logs
+kubectl logs -n unifi-network-operator-system -l app.kubernetes.io/name=unifi-network-operator -f
+
+# Verify CRDs are installed
+kubectl get crds | grep unifi.engen.priv.no
+```
+
+### 3. Create Your First Resource
+
+Create a FirewallZone:
+
+```bash
+cat <<EOF | kubectl apply -f -
+apiVersion: unifi.engen.priv.no/v1beta1
+kind: FirewallZone
+metadata:
+  name: test-zone
+  namespace: default
+spec:
+  zoneName: "test-zone"
+EOF
+```
+
+## Production Installation
+
+For production deployments, create a `values.yaml` file:
+
+```yaml
+# production-values.yaml
+replicaCount: 1
+
+image:
+  repository: gitea.engen.priv.no/klauvsteinen/unifi-network-operator-controller
+  tag: "latest"
+  pullPolicy: IfNotPresent
+
+unifi:
+  url: "https://unifi.example.com:8443"
+  site: "default"
+  username: "operator-user"
+  # Use existingSecret in production!
+  existingSecret: "unifi-credentials"
+
+config:
+  defaultNamespace: "default"
+  fullSyncZone: "gateway"
+  fullSyncNetwork: "core"
+  kubernetesUnifiZone: "kubernetes"
+
+resources:
+  limits:
+    cpu: 500m
+    memory: 256Mi
+  requests:
+    cpu: 50m
+    memory: 128Mi
+
+metrics:
+  serviceMonitor:
+    enabled: true
+    additionalLabels:
+      prometheus: kube-prometheus
+
+leaderElection:
+  enabled: true
+
+nodeSelector:
+  kubernetes.io/os: linux
+
+tolerations: []
+
+affinity:
+  podAntiAffinity:
+    preferredDuringSchedulingIgnoredDuringExecution:
+    - weight: 100
+      podAffinityTerm:
+        labelSelector:
+          matchExpressions:
+          - key: app.kubernetes.io/name
+            operator: In
+            values:
+            - unifi-network-operator
+        topologyKey: kubernetes.io/hostname
+```
+
+Create the secret first:
+
+```bash
+kubectl create namespace unifi-network-operator-system
+
+kubectl create secret generic unifi-credentials \
+  --from-literal=UNIFI_URL="https://unifi.example.com:8443" \
+  --from-literal=UNIFI_SITE="default" \
+  --from-literal=UNIFI_USERNAME="operator-user" \
+  --from-literal=UNIFI_PASSWORD="your-secure-password" \
+  -n unifi-network-operator-system
+```
+
+Then install with the values file:
+
+```bash
+helm install unifi-network-operator ./helm/unifi-network-operator \
+  -n unifi-network-operator-system \
+  -f production-values.yaml
+```
+
+## Upgrading
+
+```bash
+helm upgrade unifi-network-operator ./helm/unifi-network-operator \
+  -n unifi-network-operator-system \
+  -f production-values.yaml
+```
+
+## Uninstalling
+
+```bash
+# Remove the operator (keeps CRDs and CRs by default)
+helm uninstall unifi-network-operator -n unifi-network-operator-system
+
+# To also remove CRDs (this will delete all custom resources!)
+kubectl delete crds -l app.kubernetes.io/name=unifi-network-operator
+```
+
+## Testing Locally
+
+You can test the chart rendering without installing:
+
+```bash
+# Render templates
+helm template unifi-network-operator ./helm/unifi-network-operator \
+  --set unifi.url="https://test.local" \
+  --set unifi.password="test" \
+  --debug
+
+# Lint the chart
+helm lint ./helm/unifi-network-operator \
+  --set unifi.url="https://test.local" \
+  --set unifi.password="test"
+
+# Dry run installation
+helm install unifi-network-operator ./helm/unifi-network-operator \
+  -n unifi-network-operator-system \
+  --create-namespace \
+  --set unifi.url="https://test.local" \
+  --set unifi.password="test" \
+  --dry-run --debug
+```
+
+## Packaging for Distribution
+
+To package the chart for distribution:
+
+```bash
+# Package the chart
+helm package helm/unifi-network-operator
+
+# This creates: unifi-network-operator-0.1.0.tgz
+
+# Generate index (if hosting a chart repository)
+helm repo index .
+```
+
+## Common Configuration Scenarios
+
+### Scenario 1: Development Environment
+
+```bash
+helm install unifi-network-operator ./helm/unifi-network-operator \
+  -n unifi-network-operator-system \
+  --create-namespace \
+  --set unifi.url="https://192.168.1.1:8443" \
+  --set unifi.password="admin" \
+  --set resources.limits.memory="128Mi" \
+  --set resources.requests.memory="64Mi"
+```
+
+### Scenario 2: Multiple Sites
+
+For managing multiple UniFi sites, deploy separate instances:
+
+```bash
+# Site 1
+helm install unifi-operator-site1 ./helm/unifi-network-operator \
+  -n unifi-site1 \
+  --create-namespace \
+  --set unifi.url="https://unifi-site1.example.com:8443" \
+  --set unifi.site="site1" \
+  --set unifi.password="password1"
+
+# Site 2
+helm install unifi-operator-site2 ./helm/unifi-network-operator \
+  -n unifi-site2 \
+  --create-namespace \
+  --set unifi.url="https://unifi-site2.example.com:8443" \
+  --set unifi.site="site2" \
+  --set unifi.password="password2"
+```
+
+### Scenario 3: Using with ArgoCD
+
+Create an ArgoCD Application:
+
+```yaml
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: unifi-network-operator
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://github.com/yourusername/unifi-network-operator
+    targetRevision: main
+    path: helm/unifi-network-operator
+    helm:
+      values: |
+        unifi:
+          existingSecret: unifi-credentials
+        config:
+          fullSyncZone: "gateway"
+          fullSyncNetwork: "core"
+        metrics:
+          serviceMonitor:
+            enabled: true
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: unifi-network-operator-system
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+    - CreateNamespace=true
+```
+
+## Troubleshooting
+
+### Operator Won't Start
+
+Check the logs:
+```bash
+kubectl logs -n unifi-network-operator-system \
+  -l app.kubernetes.io/name=unifi-network-operator
+```
+
+### Connection Issues to UniFi Controller
+
+Verify the secret:
+```bash
+kubectl get secret -n unifi-network-operator-system
+kubectl describe secret unifi-network-operator-unifi \
+  -n unifi-network-operator-system
+```
+
+### CRDs Not Installing
+
+Manually install CRDs:
+```bash
+kubectl apply -f helm/unifi-network-operator/crds/
+```
+
+### Resources Not Syncing
+
+Check operator configuration:
+```bash
+kubectl get configmap -n unifi-network-operator-system
+kubectl describe configmap unifi-network-operator-config \
+  -n unifi-network-operator-system
+```
+
+## Additional Resources
+
+- [Helm Chart README](./unifi-network-operator/README.md)
+- [Values Reference](./unifi-network-operator/values.yaml)
+- [Custom Resource Examples](../config/samples/)

helm/README.md

@@ -0,0 +1,234 @@
+# UniFi Network Operator - Helm Chart
+
+This directory contains the Helm chart for deploying the UniFi Network Operator to Kubernetes.
+
+## Quick Links
+
+- **[Installation Guide](./INSTALL.md)** - Detailed installation instructions and examples
+- **[Chart Documentation](./unifi-network-operator/README.md)** - Full configuration reference
+- **[Values Reference](./unifi-network-operator/values.yaml)** - All configurable values
+
+## Quick Start
+
+```bash
+# Install with minimal configuration
+helm install unifi-network-operator ./helm/unifi-network-operator \
+  --namespace unifi-network-operator-system \
+  --create-namespace \
+  --set unifi.url="https://your-unifi-controller:8443" \
+  --set unifi.password="your-password"
+```
+
+## Chart Structure
+
+```
+helm/unifi-network-operator/
+├── Chart.yaml                 # Chart metadata
+├── values.yaml               # Default configuration values
+├── README.md                 # Detailed chart documentation
+├── .helmignore              # Files to ignore when packaging
+├── crds/                    # Custom Resource Definitions
+│   ├── unifi.engen.priv.no_firewallgroups.yaml
+│   ├── unifi.engen.priv.no_firewallpolicies.yaml
+│   ├── unifi.engen.priv.no_firewallzones.yaml
+│   ├── unifi.engen.priv.no_networkconfigurations.yaml
+│   └── unifi.engen.priv.no_portforwards.yaml
+└── templates/               # Kubernetes resource templates
+    ├── NOTES.txt           # Post-installation notes
+    ├── _helpers.tpl        # Template helpers
+    ├── deployment.yaml     # Operator deployment
+    ├── serviceaccount.yaml # Service account
+    ├── clusterrole.yaml    # Cluster-level permissions
+    ├── clusterrolebinding.yaml
+    ├── role.yaml           # Namespace-level permissions
+    ├── rolebinding.yaml
+    ├── configmap.yaml      # Operator configuration
+    ├── secret.yaml         # UniFi credentials
+    ├── service.yaml        # Metrics service
+    └── servicemonitor.yaml # Prometheus integration
+```
+
+## Features
+
+- **Secure by Default**: Runs with restricted security context and non-root user
+- **Flexible Configuration**: Extensive values for customization
+- **Production Ready**: Leader election, resource limits, health checks
+- **Monitoring**: Built-in Prometheus ServiceMonitor support
+- **GitOps Friendly**: Works with ArgoCD, Flux, and other GitOps tools
+- **Credential Management**: Support for external secrets
+
+## Key Configuration Options
+
+### Required Settings
+
+- `unifi.url` - UniFi controller URL (e.g., `https://unifi.example.com:8443`)
+- `unifi.password` - UniFi password (or use `unifi.existingSecret`)
+
+### Common Optional Settings
+
+- `unifi.site` - UniFi site ID (default: `default`)
+- `unifi.username` - UniFi username (default: `admin`)
+- `config.fullSyncZone` - Zone name for bidirectional sync
+- `config.fullSyncNetwork` - Network name for bidirectional sync
+- `metrics.serviceMonitor.enabled` - Enable Prometheus monitoring
+- `resources.*` - Resource limits and requests
+
+## Using Make Targets
+
+The project Makefile includes helpful Helm targets:
+
+```bash
+# Lint the chart
+make helm-lint
+
+# Render templates (for debugging)
+make helm-template
+
+# Install (requires env vars)
+export UNIFI_URL="https://unifi.example.com:8443"
+export UNIFI_PASSWORD="your-password"
+make helm-install
+
+# Upgrade
+make helm-upgrade
+
+# Uninstall
+make helm-uninstall
+
+# Package the chart
+make helm-package
+
+# Dry run
+make helm-dry-run
+```
+
+## Examples
+
+### Development Installation
+
+```bash
+helm install unifi-network-operator ./helm/unifi-network-operator \
+  -n unifi-network-operator-system \
+  --create-namespace \
+  --set unifi.url="https://192.168.1.1:8443" \
+  --set unifi.password="admin"
+```
+
+### Production with Existing Secret
+
+```bash
+# Create secret
+kubectl create secret generic unifi-creds \
+  --from-literal=UNIFI_URL="https://unifi.example.com:8443" \
+  --from-literal=UNIFI_SITE="default" \
+  --from-literal=UNIFI_USERNAME="operator" \
+  --from-literal=UNIFI_PASSWORD="secure-password" \
+  -n unifi-network-operator-system
+
+# Install with secret reference
+helm install unifi-network-operator ./helm/unifi-network-operator \
+  -n unifi-network-operator-system \
+  --set unifi.existingSecret="unifi-creds"
+```
+
+### With Full Sync and Monitoring
+
+```bash
+helm install unifi-network-operator ./helm/unifi-network-operator \
+  -n unifi-network-operator-system \
+  --create-namespace \
+  --set unifi.url="https://unifi.example.com:8443" \
+  --set unifi.password="password" \
+  --set config.fullSyncZone="gateway" \
+  --set config.fullSyncNetwork="core" \
+  --set metrics.serviceMonitor.enabled=true
+```
+
+## Upgrading
+
+To upgrade the operator:
+
+```bash
+helm upgrade unifi-network-operator ./helm/unifi-network-operator \
+  -n unifi-network-operator-system
+```
+
+## Uninstalling
+
+```bash
+# Remove the operator (CRDs remain)
+helm uninstall unifi-network-operator -n unifi-network-operator-system
+
+# Also remove CRDs (WARNING: deletes all custom resources)
+kubectl delete crds \
+  firewallgroups.unifi.engen.priv.no \
+  firewallpolicies.unifi.engen.priv.no \
+  firewallzones.unifi.engen.priv.no \
+  networkconfigurations.unifi.engen.priv.no \
+  portforwards.unifi.engen.priv.no
+```
+
+## Customization
+
+Create a `custom-values.yaml` file:
+
+```yaml
+image:
+  tag: "v1.0.0"
+
+replicaCount: 1
+
+unifi:
+  existingSecret: "my-unifi-secret"
+
+config:
+  fullSyncZone: "gateway"
+  fullSyncNetwork: "core"
+  kubernetesUnifiZone: "k8s"
+
+resources:
+  limits:
+    memory: 256Mi
+  requests:
+    memory: 128Mi
+
+metrics:
+  serviceMonitor:
+    enabled: true
+    additionalLabels:
+      prometheus: kube-prometheus
+
+nodeSelector:
+  kubernetes.io/os: linux
+
+tolerations:
+  - key: "node-role.kubernetes.io/control-plane"
+    operator: "Exists"
+    effect: "NoSchedule"
+```
+
+Install with:
+
+```bash
+helm install unifi-network-operator ./helm/unifi-network-operator \
+  -n unifi-network-operator-system \
+  --create-namespace \
+  -f custom-values.yaml
+```
+
+## Documentation
+
+- **[INSTALL.md](./INSTALL.md)** - Complete installation guide with examples
+- **[Chart README](./unifi-network-operator/README.md)** - Full configuration reference
+- **[values.yaml](./unifi-network-operator/values.yaml)** - Commented default values
+
+## Support
+
+For issues and questions:
+- Check the [Installation Guide](./INSTALL.md)
+- Review the [Chart Documentation](./unifi-network-operator/README.md)
+- Check operator logs: `kubectl logs -n unifi-network-operator-system -l app.kubernetes.io/name=unifi-network-operator`
+
+## License
+
+This Helm chart is provided under the same license as the UniFi Network Operator project.

helm/unifi-network-operator/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

helm/unifi-network-operator/Chart.yaml

@@ -0,0 +1,18 @@
+apiVersion: v2
+name: unifi-network-operator
+description: A Kubernetes operator for managing UniFi network configurations
+type: application
+version: 0.1.0
+appVersion: "latest"
+home: https://github.com/vegardengen/unifi-network-operator
+maintainers:
+  - name: Vegar Dengen
+    url: https://github.com/vegardengen
+keywords:
+  - unifi
+  - network
+  - operator
+  - firewall
+  - ubiquiti
+sources:
+  - https://github.com/vegardengen/unifi-network-operator

helm/unifi-network-operator/README.md

@@ -0,0 +1,335 @@
+# UniFi Network Operator Helm Chart
+
+A Kubernetes operator for managing UniFi network configurations declaratively through Kubernetes Custom Resources.
+
+## Introduction
+
+This Helm chart deploys the UniFi Network Operator on a Kubernetes cluster. The operator enables you to manage UniFi network infrastructure (firewall zones, groups, policies, networks, and port forwards) using Kubernetes resources.
+
+## Prerequisites
+
+- Kubernetes 1.19+
+- Helm 3.0+
+- Access to a UniFi Network Controller
+- UniFi controller credentials (URL, username, password)
+
+## Installing the Chart
+
+To install the chart with the release name `unifi-network-operator`:
+
+```bash
+helm install unifi-network-operator ./helm/unifi-network-operator \
+  --namespace unifi-network-operator-system \
+  --create-namespace \
+  --set unifi.url="https://unifi.example.com:8443" \
+  --set unifi.username="admin" \
+  --set unifi.password="your-password" \
+  --set unifi.site="default"
+```
+
+## Uninstalling the Chart
+
+To uninstall/delete the `unifi-network-operator` deployment:
+
+```bash
+helm uninstall unifi-network-operator -n unifi-network-operator-system
+```
+
+This command removes all the Kubernetes components associated with the chart. Note that CRDs are not deleted by default to prevent data loss.
+
+## Configuration
+
+The following table lists the configurable parameters of the UniFi Network Operator chart and their default values.
+
+### General Parameters
+
+| Parameter | Description | Default |
+|-----------|-------------|---------|
+| `replicaCount` | Number of operator replicas | `1` |
+| `image.repository` | Operator image repository | `gitea.engen.priv.no/klauvsteinen/unifi-network-operator-controller` |
+| `image.pullPolicy` | Image pull policy | `IfNotPresent` |
+| `image.tag` | Image tag (overrides appVersion) | `latest` |
+| `imagePullSecrets` | Image pull secrets | `[]` |
+| `nameOverride` | Override chart name | `""` |
+| `fullnameOverride` | Override full chart name | `""` |
+
+### Service Account Parameters
+
+| Parameter | Description | Default |
+|-----------|-------------|---------|
+| `serviceAccount.create` | Create service account | `true` |
+| `serviceAccount.automount` | Auto-mount service account token | `true` |
+| `serviceAccount.annotations` | Service account annotations | `{}` |
+| `serviceAccount.name` | Service account name | `""` |
+
+### Security Parameters
+
+| Parameter | Description | Default |
+|-----------|-------------|---------|
+| `podSecurityContext.runAsNonRoot` | Run as non-root user | `true` |
+| `podSecurityContext.seccompProfile.type` | Seccomp profile type | `RuntimeDefault` |
+| `securityContext.allowPrivilegeEscalation` | Allow privilege escalation | `false` |
+| `securityContext.capabilities.drop` | Dropped capabilities | `["ALL"]` |
+
+### Resource Parameters
+
+| Parameter | Description | Default |
+|-----------|-------------|---------|
+| `resources.limits.cpu` | CPU limit | `500m` |
+| `resources.limits.memory` | Memory limit | `128Mi` |
+| `resources.requests.cpu` | CPU request | `10m` |
+| `resources.requests.memory` | Memory request | `64Mi` |
+
+### UniFi Controller Parameters
+
+| Parameter | Description | Default |
+|-----------|-------------|---------|
+| `unifi.url` | UniFi controller URL | `""` (required) |
+| `unifi.site` | UniFi site ID | `"default"` |
+| `unifi.username` | UniFi username | `"admin"` |
+| `unifi.password` | UniFi password | `""` (required) |
+| `unifi.existingSecret` | Use existing secret for credentials | `""` |
+| `unifi.existingSecretKeys.url` | Key for URL in existing secret | `UNIFI_URL` |
+| `unifi.existingSecretKeys.site` | Key for site in existing secret | `UNIFI_SITE` |
+| `unifi.existingSecretKeys.username` | Key for username in existing secret | `UNIFI_USERNAME` |
+| `unifi.existingSecretKeys.password` | Key for password in existing secret | `UNIFI_PASSWORD` |
+
+### Operator Configuration Parameters
+
+| Parameter | Description | Default |
+|-----------|-------------|---------|
+| `config.create` | Create ConfigMap for operator config | `true` |
+| `config.defaultNamespace` | Default namespace for resources | `"default"` |
+| `config.fullSyncZone` | Full sync zone name | `""` |
+| `config.fullSyncNetwork` | Full sync network name | `""` |
+| `config.kubernetesUnifiZone` | Kubernetes UniFi zone name | `""` |
+| `config.existingConfigMap` | Use existing ConfigMap | `""` |
+
+### RBAC Parameters
+
+| Parameter | Description | Default |
+|-----------|-------------|---------|
+| `rbac.create` | Create RBAC resources | `true` |
+
+### CRD Parameters
+
+| Parameter | Description | Default |
+|-----------|-------------|---------|
+| `crds.install` | Install CRDs | `true` |
+| `crds.keep` | Keep CRDs on uninstall | `true` |
+
+### Service Parameters
+
+| Parameter | Description | Default |
+|-----------|-------------|---------|
+| `service.enabled` | Enable metrics service | `true` |
+| `service.type` | Service type | `ClusterIP` |
+| `service.port` | Service port | `8443` |
+| `service.annotations` | Service annotations | `{}` |
+
+### Metrics Parameters
+
+| Parameter | Description | Default |
+|-----------|-------------|---------|
+| `metrics.serviceMonitor.enabled` | Enable Prometheus ServiceMonitor | `false` |
+| `metrics.serviceMonitor.additionalLabels` | Additional labels for ServiceMonitor | `{}` |
+| `metrics.serviceMonitor.interval` | Scrape interval | `30s` |
+| `metrics.serviceMonitor.scrapeTimeout` | Scrape timeout | `10s` |
+
+### Other Parameters
+
+| Parameter | Description | Default |
+|-----------|-------------|---------|
+| `leaderElection.enabled` | Enable leader election | `true` |
+| `nodeSelector` | Node selector | `{}` |
+| `tolerations` | Tolerations | `[]` |
+| `affinity` | Affinity rules | `{}` |
+| `podAnnotations` | Pod annotations | `{"kubectl.kubernetes.io/default-container": "manager"}` |
+| `podLabels` | Pod labels | `{"control-plane": "controller-manager"}` |
+
+## Using an Existing Secret
+
+If you prefer to manage the UniFi credentials separately, you can create a secret manually and reference it:
+
+```bash
+kubectl create secret generic my-unifi-secret \
+  --from-literal=UNIFI_URL="https://unifi.example.com:8443" \
+  --from-literal=UNIFI_SITE="default" \
+  --from-literal=UNIFI_USERNAME="admin" \
+  --from-literal=UNIFI_PASSWORD="your-password" \
+  -n unifi-network-operator-system
+```
+
+Then install the chart with:
+
+```bash
+helm install unifi-network-operator ./helm/unifi-network-operator \
+  --namespace unifi-network-operator-system \
+  --create-namespace \
+  --set unifi.existingSecret="my-unifi-secret"
+```
+
+## Examples
+
+### Basic Installation
+
+```bash
+helm install unifi-network-operator ./helm/unifi-network-operator \
+  -n unifi-network-operator-system \
+  --create-namespace \
+  --set unifi.url="https://192.168.1.1:8443" \
+  --set unifi.password="mypassword"
+```
+
+### Installation with Custom Configuration
+
+```bash
+helm install unifi-network-operator ./helm/unifi-network-operator \
+  -n unifi-network-operator-system \
+  --create-namespace \
+  --set unifi.url="https://unifi.example.com:8443" \
+  --set unifi.username="operator" \
+  --set unifi.password="secure-password" \
+  --set unifi.site="main" \
+  --set config.defaultNamespace="production" \
+  --set config.fullSyncZone="gateway" \
+  --set config.fullSyncNetwork="core" \
+  --set resources.limits.memory="256Mi" \
+  --set metrics.serviceMonitor.enabled=true
+```
+
+### Using a Values File
+
+Create a `my-values.yaml` file:
+
+```yaml
+unifi:
+  url: "https://unifi.example.com:8443"
+  username: "operator"
+  password: "my-secure-password"
+  site: "default"
+
+config:
+  defaultNamespace: "default"
+  fullSyncZone: "gateway"
+  fullSyncNetwork: "core"
+
+resources:
+  limits:
+    memory: 256Mi
+  requests:
+    memory: 128Mi
+
+metrics:
+  serviceMonitor:
+    enabled: true
+    additionalLabels:
+      prometheus: kube-prometheus
+```
+
+Install with:
+
+```bash
+helm install unifi-network-operator ./helm/unifi-network-operator \
+  -n unifi-network-operator-system \
+  --create-namespace \
+  -f my-values.yaml
+```
+
+## Custom Resources
+
+After installing the operator, you can create the following custom resources:
+
+### FirewallZone
+
+```yaml
+apiVersion: unifi.engen.priv.no/v1beta1
+kind: FirewallZone
+metadata:
+  name: my-zone
+spec:
+  zoneName: "my-zone"
+```
+
+### FirewallGroup
+
+```yaml
+apiVersion: unifi.engen.priv.no/v1beta1
+kind: FirewallGroup
+metadata:
+  name: web-servers
+spec:
+  addresses:
+    - "10.0.1.100/32"
+    - "10.0.1.101/32"
+  ports:
+    - "80/tcp"
+    - "443/tcp"
+```
+
+### FirewallPolicy
+
+```yaml
+apiVersion: unifi.engen.priv.no/v1beta1
+kind: FirewallPolicy
+metadata:
+  name: allow-web
+spec:
+  sourceZone: "wan"
+  destinationGroup: "web-servers"
+```
+
+### Networkconfiguration
+
+```yaml
+apiVersion: unifi.engen.priv.no/v1beta1
+kind: Networkconfiguration
+metadata:
+  name: vlan10
+spec:
+  networkName: "VLAN10"
+```
+
+## Upgrading
+
+To upgrade the operator to a new version:
+
+```bash
+helm upgrade unifi-network-operator ./helm/unifi-network-operator \
+  -n unifi-network-operator-system
+```
+
+## Troubleshooting
+
+### Check Operator Logs
+
+```bash
+kubectl logs -n unifi-network-operator-system -l app.kubernetes.io/name=unifi-network-operator -f
+```
+
+### Check Operator Status
+
+```bash
+kubectl get deployment -n unifi-network-operator-system
+kubectl get pods -n unifi-network-operator-system
+```
+
+### Verify CRDs are Installed
+
+```bash
+kubectl get crds | grep unifi.engen.priv.no
+```
+
+### Common Issues
+
+1. **Authentication Failures**: Verify your UniFi credentials and URL are correct
+2. **CRD Not Found**: Ensure CRDs are installed with `crds.install=true`
+3. **Operator Not Starting**: Check resource limits and image pull secrets
+
+## License
+
+This chart is provided as-is under the same license as the UniFi Network Operator project.
+
+## Support
+
+For issues and questions, please refer to the project repository.

helm/unifi-network-operator/crds/unifi.engen.priv.no_firewallgroups.yaml

@@ -0,0 +1,187 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.17.2
+  name: firewallgroups.unifi.engen.priv.no
+spec:
+  group: unifi.engen.priv.no
+  names:
+    kind: FirewallGroup
+    listKind: FirewallGroupList
+    plural: firewallgroups
+    singular: firewallgroup
+  scope: Namespaced
+  versions:
+  - name: v1beta1
+    schema:
+      openAPIV3Schema:
+        description: FirewallGroup is the Schema for the firewallgroups API.
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            properties:
+              auto_created_from:
+                properties:
+                  name:
+                    type: string
+                  namespace:
+                    type: string
+                type: object
+              autoIncludeSelector:
+                description: AutoIncludeSelector defines which services to extract
+                  addresses from
+                properties:
+                  matchExpressions:
+                    description: matchExpressions is a list of label selector requirements.
+                      The requirements are ANDed.
+                    items:
+                      description: |-
+                        A label selector requirement is a selector that contains values, a key, and an operator that
+                        relates the key and values.
+                      properties:
+                        key:
+                          description: key is the label key that the selector applies
+                            to.
+                          type: string
+                        operator:
+                          description: |-
+                            operator represents a key's relationship to a set of values.
+                            Valid operators are In, NotIn, Exists and DoesNotExist.
+                          type: string
+                        values:
+                          description: |-
+                            values is an array of string values. If the operator is In or NotIn,
+                            the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                            the values array must be empty. This array is replaced during a strategic
+                            merge patch.
+                          items:
+                            type: string
+                          type: array
+                          x-kubernetes-list-type: atomic
+                      required:
+                      - key
+                      - operator
+                      type: object
+                    type: array
+                    x-kubernetes-list-type: atomic
+                  matchLabels:
+                    additionalProperties:
+                      type: string
+                    description: |-
+                      matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                      map is equivalent to an element of matchExpressions, whose key field is "key", the
+                      operator is "In", and the values array contains only "value". The requirements are ANDed.
+                    type: object
+                type: object
+                x-kubernetes-map-type: atomic
+              id:
+                description: |-
+                  Foo is an example field of FirewallGroup. Edit firewallgroup_types.go to remove/update
+                  Description is a human-readable explanation for the object
+                type: string
+              manual_services:
+                items:
+                  properties:
+                    name:
+                      type: string
+                    namespace:
+                      type: string
+                  type: object
+                type: array
+              manualAddresses:
+                description: ManualAddresses is a list of manual IPs or CIDRs (IPv4
+                  or IPv6)
+                items:
+                  type: string
+                type: array
+              manualPorts:
+                items:
+                  type: string
+                type: array
+              matchServicesInAllNamespaces:
+                type: boolean
+              name:
+                type: string
+            type: object
+          status:
+            description: FirewallGroupStatus defines the observed state of FirewallGroup.
+            properties:
+              lastSyncTime:
+                description: LastSyncTime is the last time the object was synced
+                format: date-time
+                type: string
+              resolvedIPV4Addresses:
+                items:
+                  type: string
+                type: array
+              resolvedIPV6Addresses:
+                items:
+                  type: string
+                type: array
+              resolvedTCPorts:
+                items:
+                  type: string
+                type: array
+              resolvedUDPorts:
+                items:
+                  type: string
+                type: array
+              resources_managed:
+                properties:
+                  ipv4_object:
+                    properties:
+                      id:
+                        type: string
+                      name:
+                        type: string
+                    type: object
+                  ipv6_object:
+                    properties:
+                      id:
+                        type: string
+                      name:
+                        type: string
+                    type: object
+                  tcp_ports_object:
+                    properties:
+                      id:
+                        type: string
+                      name:
+                        type: string
+                    type: object
+                  udp_ports_object:
+                    properties:
+                      id:
+                        type: string
+                      name:
+                        type: string
+                    type: object
+                type: object
+              syncedWithUnifi:
+                description: SyncedWithUnifi indicates whether the addresses are successfully
+                  pushed
+                type: boolean
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}

helm/unifi-network-operator/crds/unifi.engen.priv.no_firewallpolicies.yaml

@@ -0,0 +1,138 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.17.2
+  name: firewallpolicies.unifi.engen.priv.no
+spec:
+  group: unifi.engen.priv.no
+  names:
+    kind: FirewallPolicy
+    listKind: FirewallPolicyList
+    plural: firewallpolicies
+    singular: firewallpolicy
+  scope: Namespaced
+  versions:
+  - name: v1beta1
+    schema:
+      openAPIV3Schema:
+        description: FirewallPolicy is the Schema for the firewallpolicies API.
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            properties:
+              destination:
+                properties:
+                  firewall_groups:
+                    items:
+                      properties:
+                        name:
+                          type: string
+                        namespace:
+                          type: string
+                      type: object
+                    type: array
+                  services:
+                    items:
+                      properties:
+                        name:
+                          type: string
+                        namespace:
+                          type: string
+                      type: object
+                    type: array
+                type: object
+              match_firewall_groups_in_all_namespaces:
+                type: boolean
+              match_services_in_all_namespaces:
+                type: boolean
+              name:
+                type: string
+              source:
+                properties:
+                  from_networks:
+                    items:
+                      properties:
+                        name:
+                          type: string
+                        namespace:
+                          type: string
+                      type: object
+                    type: array
+                  from_zones:
+                    items:
+                      properties:
+                        name:
+                          type: string
+                        namespace:
+                          type: string
+                      type: object
+                    type: array
+                type: object
+            required:
+            - destination
+            - name
+            - source
+            type: object
+          status:
+            description: FirewallPolicyStatus defines the observed state of FirewallPolicy.
+            properties:
+              resources_managed:
+                properties:
+                  firewall_groups_managed:
+                    items:
+                      properties:
+                        name:
+                          type: string
+                        namespace:
+                          type: string
+                      type: object
+                    type: array
+                  firewall_policies_managed:
+                    items:
+                      properties:
+                        from:
+                          type: string
+                        tcpipv4_id:
+                          type: string
+                        tcpipv6_id:
+                          type: string
+                        to:
+                          type: string
+                        udpipv4_id:
+                          type: string
+                        udpipv6_id:
+                          type: string
+                      required:
+                      - from
+                      - tcpipv4_id
+                      - tcpipv6_id
+                      - to
+                      - udpipv4_id
+                      - udpipv6_id
+                      type: object
+                    type: array
+                type: object
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}

helm/unifi-network-operator/crds/unifi.engen.priv.no_firewallzones.yaml

@@ -0,0 +1,75 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.17.2
+  name: firewallzones.unifi.engen.priv.no
+spec:
+  group: unifi.engen.priv.no
+  names:
+    kind: FirewallZone
+    listKind: FirewallZoneList
+    plural: firewallzones
+    singular: firewallzone
+  scope: Namespaced
+  versions:
+  - name: v1beta1
+    schema:
+      openAPIV3Schema:
+        description: FirewallZone is the Schema for the firewallzones API.
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: FirewallZoneSpec defines the desired state of FirewallZone.
+            properties:
+              _id:
+                type: string
+              default_zone:
+                type: boolean
+              name:
+                type: string
+              network_ids:
+                items:
+                  type: string
+                type: array
+              zone_key:
+                type: string
+            type: object
+          status:
+            description: FirewallZoneStatus defines the observed state of FirewallZone.
+            properties:
+              resources_managed:
+                properties:
+                  firewall_zones_managed:
+                    items:
+                      properties:
+                        id:
+                          type: string
+                        name:
+                          type: string
+                      type: object
+                    type: array
+                type: object
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}

helm/unifi-network-operator/crds/unifi.engen.priv.no_networkconfigurations.yaml

@@ -0,0 +1,117 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.17.2
+  name: networkconfigurations.unifi.engen.priv.no
+spec:
+  group: unifi.engen.priv.no
+  names:
+    kind: Networkconfiguration
+    listKind: NetworkconfigurationList
+    plural: networkconfigurations
+    singular: networkconfiguration
+  scope: Namespaced
+  versions:
+  - name: v1beta1
+    schema:
+      openAPIV3Schema:
+        description: Networkconfiguration is the Schema for the networkconfigurations
+          API.
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: NetworkconfigurationSpec defines the desired state of Networkconfiguration.
+            properties:
+              _id:
+                description: Foo is an example field of Networkconfiguration. Edit
+                  networkconfiguration_types.go to remove/update
+                type: string
+              enabled:
+                type: boolean
+              firewall_zone:
+                type: string
+              gateway_type:
+                type: string
+              ip_subnet:
+                type: string
+              ipv6_interface_type:
+                type: string
+              ipv6_pd_auto_prefixid_enabled:
+                type: boolean
+              ipv6_ra_enabled:
+                type: boolean
+              ipv6_setting_preference:
+                type: string
+              ipv6_subnet:
+                type: string
+              name:
+                type: string
+              networkgroup:
+                type: string
+              purpose:
+                type: string
+              setting_preference:
+                type: string
+              vlan:
+                format: int64
+                type: integer
+              vlan_enabled:
+                type: boolean
+            required:
+            - name
+            type: object
+          status:
+            description: NetworkconfigurationStatus defines the observed state of
+              Networkconfiguration.
+            properties:
+              firewall_zone_id:
+                description: |-
+                  INSERT ADDITIONAL STATUS FIELD - define observed state of cluster
+                  Important: Run "make" to regenerate code after modifying this file
+                type: string
+              ipv6_subnet_status:
+                type: string
+              lastSyncTime:
+                description: LastSyncTime is the last time the object was synced
+                format: date-time
+                type: string
+              resources_managed:
+                properties:
+                  networks_managed:
+                    items:
+                      properties:
+                        id:
+                          type: string
+                        name:
+                          type: string
+                      type: object
+                    type: array
+                type: object
+              syncedWithUnifi:
+                description: SyncedWithUnifi indicates whether the addresses are successfully
+                  pushed
+                type: boolean
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}

helm/unifi-network-operator/crds/unifi.engen.priv.no_portforwards.yaml

@@ -0,0 +1,49 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.17.2
+  name: portforwards.unifi.engen.priv.no
+spec:
+  group: unifi.engen.priv.no
+  names:
+    kind: PortForward
+    listKind: PortForwardList
+    plural: portforwards
+    singular: portforward
+  scope: Namespaced
+  versions:
+  - name: v1beta1
+    schema:
+      openAPIV3Schema:
+        description: |-
+          PortForward is a placeholder type to allow future CRD support if needed.
+          Right now, port forwards are managed entirely through annotations on Services.
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            type: object
+          status:
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}

helm/unifi-network-operator/templates/NOTES.txt

@@ -0,0 +1,49 @@
+Thank you for installing {{ .Chart.Name }}!
+
+Your release is named {{ .Release.Name }}.
+
+The UniFi Network Operator has been deployed to namespace: {{ .Release.Namespace }}
+
+To learn more about the release, try:
+
+  $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }}
+  $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }}
+
+{{- if not .Values.unifi.existingSecret }}
+
+IMPORTANT: Make sure to configure your UniFi controller credentials properly.
+The operator requires the following environment variables to be set:
+  - UNIFI_URL: {{ .Values.unifi.url }}
+  - UNIFI_SITE: {{ .Values.unifi.site }}
+  - UNIFI_USER: {{ .Values.unifi.username }}
+  - UNIFI_PASSWORD: [CONFIGURED]
+{{- end }}
+
+{{- if .Values.config.create }}
+
+Operator configuration has been created with:
+{{- if .Values.config.defaultNamespace }}
+  - Default Namespace: {{ .Values.config.defaultNamespace }}
+{{- end }}
+{{- if .Values.config.fullSyncZone }}
+  - Full Sync Zone: {{ .Values.config.fullSyncZone }}
+{{- end }}
+{{- if .Values.config.fullSyncNetwork }}
+  - Full Sync Network: {{ .Values.config.fullSyncNetwork }}
+{{- end }}
+{{- if .Values.config.kubernetesUnifiZone }}
+  - Kubernetes UniFi Zone: {{ .Values.config.kubernetesUnifiZone }}
+{{- end }}
+{{- end }}
+
+To get the operator logs:
+  $ kubectl logs -n {{ .Release.Namespace }} -l {{ include "unifi-network-operator.selectorLabels" . | replace "\n" "," }} -f
+
+Next steps:
+  1. Create FirewallZone resources to manage UniFi firewall zones
+  2. Create FirewallGroup resources to group IP addresses and ports
+  3. Create FirewallPolicy resources to define firewall rules
+  4. Create Networkconfiguration resources to manage network settings
+  5. Annotate Services for port forwarding
+
+For more information, visit: {{ .Chart.Home }}

helm/unifi-network-operator/templates/_helpers.tpl

@@ -0,0 +1,83 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "unifi-network-operator.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+*/}}
+{{- define "unifi-network-operator.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "unifi-network-operator.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "unifi-network-operator.labels" -}}
+helm.sh/chart: {{ include "unifi-network-operator.chart" . }}
+{{ include "unifi-network-operator.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "unifi-network-operator.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "unifi-network-operator.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+control-plane: controller-manager
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "unifi-network-operator.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "unifi-network-operator.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create the name of the secret to use
+*/}}
+{{- define "unifi-network-operator.secretName" -}}
+{{- if .Values.unifi.existingSecret }}
+{{- .Values.unifi.existingSecret }}
+{{- else }}
+{{- include "unifi-network-operator.fullname" . }}-unifi
+{{- end }}
+{{- end }}
+
+{{/*
+Create the name of the configmap to use
+*/}}
+{{- define "unifi-network-operator.configMapName" -}}
+{{- if .Values.config.existingConfigMap }}
+{{- .Values.config.existingConfigMap }}
+{{- else }}
+{{- include "unifi-network-operator.fullname" . }}-config
+{{- end }}
+{{- end }}

helm/unifi-network-operator/templates/clusterrole.yaml

@@ -0,0 +1,56 @@
+{{- if .Values.rbac.create -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "unifi-network-operator.fullname" . }}-manager-role
+  labels:
+    {{- include "unifi-network-operator.labels" . | nindent 4 }}
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - unifi.engen.priv.no
+  resources:
+  - firewallgroups
+  - firewallpolicies
+  - firewallzones
+  - networkconfigurations
+  - portforwards
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - unifi.engen.priv.no
+  resources:
+  - firewallgroups/finalizers
+  - firewallpolicies/finalizers
+  - firewallzones/finalizers
+  - networkconfigurations/finalizers
+  - portforwards/finalizers
+  verbs:
+  - update
+- apiGroups:
+  - unifi.engen.priv.no
+  resources:
+  - firewallgroups/status
+  - firewallpolicies/status
+  - firewallzones/status
+  - networkconfigurations/status
+  - portforwards/status
+  verbs:
+  - get
+  - patch
+  - update
+{{- end }}

helm/unifi-network-operator/templates/clusterrolebinding.yaml

@@ -0,0 +1,16 @@
+{{- if .Values.rbac.create -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "unifi-network-operator.fullname" . }}-manager-rolebinding
+  labels:
+    {{- include "unifi-network-operator.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "unifi-network-operator.fullname" . }}-manager-role
+subjects:
+- kind: ServiceAccount
+  name: {{ include "unifi-network-operator.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+{{- end }}

helm/unifi-network-operator/templates/configmap.yaml

@@ -0,0 +1,22 @@
+{{- if .Values.config.create -}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "unifi-network-operator.configMapName" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "unifi-network-operator.labels" . | nindent 4 }}
+data:
+  {{- if .Values.config.defaultNamespace }}
+  defaultNamespace: {{ .Values.config.defaultNamespace | quote }}
+  {{- end }}
+  {{- if .Values.config.fullSyncZone }}
+  fullSyncZone: {{ .Values.config.fullSyncZone | quote }}
+  {{- end }}
+  {{- if .Values.config.fullSyncNetwork }}
+  fullSyncNetwork: {{ .Values.config.fullSyncNetwork | quote }}
+  {{- end }}
+  {{- if .Values.config.kubernetesUnifiZone }}
+  kubernetesUnifiZone: {{ .Values.config.kubernetesUnifiZone | quote }}
+  {{- end }}
+{{- end }}

helm/unifi-network-operator/templates/deployment.yaml

@@ -0,0 +1,82 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "unifi-network-operator.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "unifi-network-operator.labels" . | nindent 4 }}
+spec:
+  replicas: {{ .Values.replicaCount }}
+  selector:
+    matchLabels:
+      {{- include "unifi-network-operator.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      annotations:
+        {{- with .Values.podAnnotations }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+      labels:
+        {{- include "unifi-network-operator.labels" . | nindent 8 }}
+        {{- with .Values.podLabels }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "unifi-network-operator.serviceAccountName" . }}
+      securityContext:
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      containers:
+      - name: manager
+        image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+        imagePullPolicy: {{ .Values.image.pullPolicy }}
+        args:
+        {{- if .Values.leaderElection.enabled }}
+        - --leader-elect
+        {{- end }}
+        - --health-probe-bind-address=:8081
+        env:
+        - name: UNIFI_URL
+          valueFrom:
+            secretKeyRef:
+              name: {{ include "unifi-network-operator.secretName" . }}
+              key: {{ .Values.unifi.existingSecretKeys.url }}
+        - name: UNIFI_SITE
+          valueFrom:
+            secretKeyRef:
+              name: {{ include "unifi-network-operator.secretName" . }}
+              key: {{ .Values.unifi.existingSecretKeys.site }}
+        - name: UNIFI_USER
+          valueFrom:
+            secretKeyRef:
+              name: {{ include "unifi-network-operator.secretName" . }}
+              key: {{ .Values.unifi.existingSecretKeys.username }}
+        - name: UNIFI_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: {{ include "unifi-network-operator.secretName" . }}
+              key: {{ .Values.unifi.existingSecretKeys.password }}
+        securityContext:
+          {{- toYaml .Values.securityContext | nindent 10 }}
+        livenessProbe:
+          {{- toYaml .Values.livenessProbe | nindent 10 }}
+        readinessProbe:
+          {{- toYaml .Values.readinessProbe | nindent 10 }}
+        resources:
+          {{- toYaml .Values.resources | nindent 10 }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      terminationGracePeriodSeconds: 10

helm/unifi-network-operator/templates/role.yaml

@@ -0,0 +1,41 @@
+{{- if .Values.rbac.create -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "unifi-network-operator.fullname" . }}-leader-election-role
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "unifi-network-operator.labels" . | nindent 4 }}
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - patch
+  - delete
+- apiGroups:
+  - coordination.k8s.io
+  resources:
+  - leases
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - patch
+  - delete
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+{{- end }}

helm/unifi-network-operator/templates/rolebinding.yaml

@@ -0,0 +1,17 @@
+{{- if .Values.rbac.create -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "unifi-network-operator.fullname" . }}-leader-election-rolebinding
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "unifi-network-operator.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "unifi-network-operator.fullname" . }}-leader-election-role
+subjects:
+- kind: ServiceAccount
+  name: {{ include "unifi-network-operator.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+{{- end }}

helm/unifi-network-operator/templates/secret.yaml

@@ -0,0 +1,15 @@
+{{- if not .Values.unifi.existingSecret -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "unifi-network-operator.fullname" . }}-unifi
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "unifi-network-operator.labels" . | nindent 4 }}
+type: Opaque
+stringData:
+  {{ .Values.unifi.existingSecretKeys.url }}: {{ .Values.unifi.url | required "unifi.url is required when not using an existing secret" | quote }}
+  {{ .Values.unifi.existingSecretKeys.site }}: {{ .Values.unifi.site | quote }}
+  {{ .Values.unifi.existingSecretKeys.username }}: {{ .Values.unifi.username | quote }}
+  {{ .Values.unifi.existingSecretKeys.password }}: {{ .Values.unifi.password | required "unifi.password is required when not using an existing secret" | quote }}
+{{- end }}

helm/unifi-network-operator/templates/service.yaml

@@ -0,0 +1,22 @@
+{{- if .Values.service.enabled -}}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "unifi-network-operator.fullname" . }}-metrics
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "unifi-network-operator.labels" . | nindent 4 }}
+  {{- with .Values.service.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  type: {{ .Values.service.type }}
+  ports:
+  - name: https
+    port: {{ .Values.service.port }}
+    targetPort: 8443
+    protocol: TCP
+  selector:
+    {{- include "unifi-network-operator.selectorLabels" . | nindent 4 }}
+{{- end }}

helm/unifi-network-operator/templates/serviceaccount.yaml

@@ -0,0 +1,14 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "unifi-network-operator.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "unifi-network-operator.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+automountServiceAccountToken: {{ .Values.serviceAccount.automount }}
+{{- end }}

helm/unifi-network-operator/templates/servicemonitor.yaml

@@ -0,0 +1,24 @@
+{{- if .Values.metrics.serviceMonitor.enabled -}}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: {{ include "unifi-network-operator.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "unifi-network-operator.labels" . | nindent 4 }}
+    {{- with .Values.metrics.serviceMonitor.additionalLabels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  endpoints:
+  - interval: {{ .Values.metrics.serviceMonitor.interval }}
+    path: /metrics
+    port: https
+    scheme: https
+    scrapeTimeout: {{ .Values.metrics.serviceMonitor.scrapeTimeout }}
+    tlsConfig:
+      insecureSkipVerify: true
+  selector:
+    matchLabels:
+      {{- include "unifi-network-operator.selectorLabels" . | nindent 6 }}
+{{- end }}

helm/unifi-network-operator/values.yaml

@@ -0,0 +1,159 @@
+# Default values for unifi-network-operator
+
+# -- Number of replicas for the operator deployment
+replicaCount: 1
+
+image:
+  # -- Container image repository
+  repository: ghcr.io/vegardengen/unifi-network-operator
+  # -- Image pull policy
+  pullPolicy: IfNotPresent
+  # -- Overrides the image tag whose default is the chart appVersion
+  tag: "latest"
+
+# -- Image pull secrets for private registries
+imagePullSecrets: []
+
+# -- Override the name of the chart
+nameOverride: ""
+# -- Override the full name of the chart
+fullnameOverride: ""
+
+serviceAccount:
+  # -- Specifies whether a service account should be created
+  create: true
+  # -- Automatically mount a ServiceAccount's API credentials
+  automount: true
+  # -- Annotations to add to the service account
+  annotations: {}
+  # -- The name of the service account to use.
+  # If not set and create is true, a name is generated using the fullname template
+  name: ""
+
+# -- Annotations to add to the pod
+podAnnotations:
+  kubectl.kubernetes.io/default-container: manager
+
+# -- Labels to add to the pod
+podLabels:
+  control-plane: controller-manager
+
+podSecurityContext:
+  runAsNonRoot: true
+  seccompProfile:
+    type: RuntimeDefault
+
+securityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+    - ALL
+
+service:
+  # -- Enable metrics service
+  enabled: true
+  # -- Service type
+  type: ClusterIP
+  # -- Metrics port
+  port: 8443
+  # -- Annotations to add to the service
+  annotations: {}
+
+resources:
+  limits:
+    # -- CPU limit
+    cpu: 500m
+    # -- Memory limit
+    memory: 128Mi
+  requests:
+    # -- CPU request
+    cpu: 10m
+    # -- Memory request
+    memory: 64Mi
+
+livenessProbe:
+  httpGet:
+    path: /healthz
+    port: 8081
+  initialDelaySeconds: 15
+  periodSeconds: 20
+
+readinessProbe:
+  httpGet:
+    path: /readyz
+    port: 8081
+  initialDelaySeconds: 5
+  periodSeconds: 10
+
+# -- Node selector for pod assignment
+nodeSelector: {}
+
+# -- Tolerations for pod assignment
+tolerations: []
+
+# -- Affinity for pod assignment
+affinity: {}
+
+# Leader election configuration
+leaderElection:
+  # -- Enable leader election for high availability
+  enabled: true
+
+# UniFi controller configuration
+unifi:
+  # -- UniFi controller URL (e.g., https://unifi.example.com:8443)
+  url: ""
+  # -- UniFi site ID (e.g., default)
+  site: "default"
+  # -- UniFi username
+  username: "admin"
+  # -- UniFi password (leave empty to use existing secret)
+  password: ""
+  # -- Use existing secret for UniFi credentials
+  # If set, the chart will not create a secret
+  existingSecret: ""
+  # -- Keys in the existing secret for UniFi credentials
+  existingSecretKeys:
+    url: UNIFI_URL
+    site: UNIFI_SITE
+    username: UNIFI_USERNAME
+    password: UNIFI_PASSWORD
+
+# Operator configuration
+config:
+  # -- Create a ConfigMap for operator configuration
+  create: true
+  # -- Default namespace for resources
+  defaultNamespace: "default"
+  # -- Full sync zone name (zone for bidirectional sync)
+  fullSyncZone: ""
+  # -- Full sync network name (network for bidirectional sync)
+  fullSyncNetwork: ""
+  # -- Kubernetes UniFi zone name
+  kubernetesUnifiZone: ""
+  # -- Use existing ConfigMap for operator configuration
+  existingConfigMap: ""
+
+# CRD configuration
+crds:
+  # -- Install CRDs as part of the Helm chart
+  install: true
+  # -- Keep CRDs on chart uninstall
+  keep: true
+
+# RBAC configuration
+rbac:
+  # -- Create RBAC resources
+  create: true
+
+# Metrics configuration
+metrics:
+  # -- Enable Prometheus ServiceMonitor
+  serviceMonitor:
+    enabled: false
+    # -- Additional labels for the ServiceMonitor
+    additionalLabels: {}
+    # -- Scrape interval
+    interval: 30s
+    # -- Scrape timeout
+    scrapeTimeout: 10s

internal/controller/firewallgroup_controller.go

@@ -39,9 +39,9 @@ import (
 	//	"sigs.k8s.io/controller-runtime/pkg/source"
 
 	goUnifi "gitea.engen.priv.no/klauvsteinen/go-unifi/unifi"
-	unifiv1beta1 "gitea.engen.priv.no/klauvsteinen/unifi-network-operator/api/v1beta1"
-	"gitea.engen.priv.no/klauvsteinen/unifi-network-operator/internal/config"
-	"gitea.engen.priv.no/klauvsteinen/unifi-network-operator/internal/unifi"
+	unifiv1beta1 "github.com/vegardengen/unifi-network-operator/api/v1beta1"
+	"github.com/vegardengen/unifi-network-operator/internal/config"
+	"github.com/vegardengen/unifi-network-operator/internal/unifi"
 )
 
 const firewallGroupFinalizer = "finalizer.unifi.engen.priv.no/firewallgroup"
@@ -377,7 +377,7 @@ func (r *FirewallGroupReconciler) Reconcile(ctx context.Context, req reconcile.R
 				if err != nil {
 					msg := strings.ToLower(err.Error())
 					log.Info(msg)
-					if strings.Contains(msg, "api.err.objectreferredby") || strings.Contains(msg,"invalid character") {
+					if strings.Contains(msg, "api.err.objectreferredby") || strings.Contains(msg, "invalid character") {
 						log.Info("Firewall group is in use. Invoking workaround...!")
 						firewall_group.GroupMembers = []string{"127.0.0.1"}
 						firewall_group.Name = firewall_group.Name + "-deleted"
@@ -417,7 +417,7 @@ func (r *FirewallGroupReconciler) Reconcile(ctx context.Context, req reconcile.R
 				if err != nil {
 					msg := strings.ToLower(err.Error())
 					log.Info(msg)
-					if strings.Contains(msg, "api.err.objectreferredby") || strings.Contains(msg,"invalid character") {
+					if strings.Contains(msg, "api.err.objectreferredby") || strings.Contains(msg, "invalid character") {
 						log.Info("Firewall group is in use. Invoking workaround...!")
 						firewall_group.GroupMembers = []string{"::1"}
 						firewall_group.Name = firewall_group.Name + "-deleted"
@@ -457,7 +457,7 @@ func (r *FirewallGroupReconciler) Reconcile(ctx context.Context, req reconcile.R
 				if err != nil {
 					msg := strings.ToLower(err.Error())
 					log.Info(msg)
-					if strings.Contains(msg, "api.err.objectreferredby") || strings.Contains(msg,"invalid character") {
+					if strings.Contains(msg, "api.err.objectreferredby") || strings.Contains(msg, "invalid character") {
 						log.Info("Firewall group is in use. Invoking workaround...!")
 						firewall_group.GroupMembers = []string{"0"}
 						firewall_group.Name = firewall_group.Name + "-deleted"
@@ -497,7 +497,7 @@ func (r *FirewallGroupReconciler) Reconcile(ctx context.Context, req reconcile.R
 				if err != nil {
 					msg := strings.ToLower(err.Error())
 					log.Info(msg)
-					if strings.Contains(msg, "api.err.objectreferredby") || strings.Contains(msg,"invalid character") {
+					if strings.Contains(msg, "api.err.objectreferredby") || strings.Contains(msg, "invalid character") {
 						log.Info("Firewall group is in use. Invoking workaround...!")
 						firewall_group.GroupMembers = []string{"127.0.0.1"}
 						firewall_group.Name = firewall_group.Name + "-deleted"

internal/controller/firewallgroup_controller_test.go

@@ -27,7 +27,7 @@ import (
 
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	unifiv1beta1 "gitea.engen.priv.no/klauvsteinen/unifi-network-operator/api/v1beta1"
+	unifiv1beta1 "github.com/vegardengen/unifi-network-operator/api/v1beta1"
 )
 
 var _ = Describe("FirewallGroup Controller", func() {
@@ -61,10 +61,10 @@ var _ = Describe("FirewallGroup Controller", func() {
 			// TODO(user): Cleanup logic after each test, like removing the resource instance.
 			resource := &unifiv1beta1.FirewallGroup{}
 			err := k8sClient.Get(ctx, typeNamespacedName, resource)
-			Expect(err).NotTo(HaveOccurred())
-
-			By("Cleanup the specific resource instance FirewallGroup")
-			Expect(k8sClient.Delete(ctx, resource)).To(Succeed())
+			if err == nil {
+				By("Cleanup the specific resource instance FirewallGroup")
+				Expect(k8sClient.Delete(ctx, resource)).To(Succeed())
+			}
 		})
 		It("should successfully reconcile the resource", func() {
 			By("Reconciling the created resource")

internal/controller/firewallpolicy_controller.go

@@ -34,9 +34,9 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/log"
 
 	goUnifi "gitea.engen.priv.no/klauvsteinen/go-unifi/unifi"
-	unifiv1beta1 "gitea.engen.priv.no/klauvsteinen/unifi-network-operator/api/v1beta1"
-	"gitea.engen.priv.no/klauvsteinen/unifi-network-operator/internal/config"
-	"gitea.engen.priv.no/klauvsteinen/unifi-network-operator/internal/unifi"
+	unifiv1beta1 "github.com/vegardengen/unifi-network-operator/api/v1beta1"
+	"github.com/vegardengen/unifi-network-operator/internal/config"
+	"github.com/vegardengen/unifi-network-operator/internal/unifi"
 )
 
 // FirewallPolicyReconciler reconciles a FirewallPolicy object
@@ -125,70 +125,72 @@ func (r *FirewallPolicyReconciler) Reconcile(ctx context.Context, req ctrl.Reque
 			}
 			log.Info("Running finalizer logic for FirewallPolicy", "name", firewallPolicy.Name)
 
-			if len(firewallPolicy.Status.ResourcesManaged.UnifiFirewallPolicies) > 0 {
-				for i, UnifiFirewallPolicy := range firewallPolicy.Status.ResourcesManaged.UnifiFirewallPolicies {
-					log.Info(fmt.Sprintf("From: %s to: %s TcpIpv4: %s UdpIpv4: %s TcpIpv6: %s UdpIpv6: %s", UnifiFirewallPolicy.From, UnifiFirewallPolicy.To, UnifiFirewallPolicy.TcpIpv4ID, UnifiFirewallPolicy.UdpIpv4ID, UnifiFirewallPolicy.TcpIpv6ID, UnifiFirewallPolicy.UdpIpv6ID))
-					if len(UnifiFirewallPolicy.TcpIpv4ID) > 0 {
-						err := r.UnifiClient.Client.DeleteFirewallPolicy(context.Background(), r.UnifiClient.SiteID, UnifiFirewallPolicy.TcpIpv4ID)
-						if err != nil && !strings.Contains(err.Error(), "not found") {
-						} else {
-							firewallPolicy.Status.ResourcesManaged.UnifiFirewallPolicies[i].TcpIpv4ID = ""
-							if err := r.Status().Update(ctx, &firewallPolicy); err != nil {
-								return ctrl.Result{RequeueAfter: 10 * time.Minute}, err
+			if firewallPolicy.Status.ResourcesManaged != nil {
+				if len(firewallPolicy.Status.ResourcesManaged.UnifiFirewallPolicies) > 0 {
+					for i, UnifiFirewallPolicy := range firewallPolicy.Status.ResourcesManaged.UnifiFirewallPolicies {
+						log.Info(fmt.Sprintf("From: %s to: %s TcpIpv4: %s UdpIpv4: %s TcpIpv6: %s UdpIpv6: %s", UnifiFirewallPolicy.From, UnifiFirewallPolicy.To, UnifiFirewallPolicy.TcpIpv4ID, UnifiFirewallPolicy.UdpIpv4ID, UnifiFirewallPolicy.TcpIpv6ID, UnifiFirewallPolicy.UdpIpv6ID))
+						if len(UnifiFirewallPolicy.TcpIpv4ID) > 0 {
+							err := r.UnifiClient.Client.DeleteFirewallPolicy(context.Background(), r.UnifiClient.SiteID, UnifiFirewallPolicy.TcpIpv4ID)
+							if err != nil && !strings.Contains(err.Error(), "not found") {
+							} else {
+								firewallPolicy.Status.ResourcesManaged.UnifiFirewallPolicies[i].TcpIpv4ID = ""
+								if err := r.Status().Update(ctx, &firewallPolicy); err != nil {
+									return ctrl.Result{RequeueAfter: 10 * time.Minute}, err
+								}
 							}
 						}
-					}
-					if len(UnifiFirewallPolicy.UdpIpv4ID) > 0 {
-						err := r.UnifiClient.Client.DeleteFirewallPolicy(context.Background(), r.UnifiClient.SiteID, UnifiFirewallPolicy.UdpIpv4ID)
-						if err != nil && !strings.Contains(err.Error(), "not found") {
-							return ctrl.Result{RequeueAfter: 10 * time.Minute}, err
-						} else {
-							firewallPolicy.Status.ResourcesManaged.UnifiFirewallPolicies[i].UdpIpv4ID = ""
-							if err := r.Status().Update(ctx, &firewallPolicy); err != nil {
+						if len(UnifiFirewallPolicy.UdpIpv4ID) > 0 {
+							err := r.UnifiClient.Client.DeleteFirewallPolicy(context.Background(), r.UnifiClient.SiteID, UnifiFirewallPolicy.UdpIpv4ID)
+							if err != nil && !strings.Contains(err.Error(), "not found") {
 								return ctrl.Result{RequeueAfter: 10 * time.Minute}, err
+							} else {
+								firewallPolicy.Status.ResourcesManaged.UnifiFirewallPolicies[i].UdpIpv4ID = ""
+								if err := r.Status().Update(ctx, &firewallPolicy); err != nil {
+									return ctrl.Result{RequeueAfter: 10 * time.Minute}, err
+								}
 							}
 						}
-					}
-					if len(UnifiFirewallPolicy.TcpIpv6ID) > 0 {
-						err := r.UnifiClient.Client.DeleteFirewallPolicy(context.Background(), r.UnifiClient.SiteID, UnifiFirewallPolicy.TcpIpv6ID)
-						if err != nil && !strings.Contains(err.Error(), "not found") {
-							return ctrl.Result{RequeueAfter: 10 * time.Minute}, err
-						} else {
-							firewallPolicy.Status.ResourcesManaged.UnifiFirewallPolicies[i].TcpIpv6ID = ""
-							if err := r.Status().Update(ctx, &firewallPolicy); err != nil {
+						if len(UnifiFirewallPolicy.TcpIpv6ID) > 0 {
+							err := r.UnifiClient.Client.DeleteFirewallPolicy(context.Background(), r.UnifiClient.SiteID, UnifiFirewallPolicy.TcpIpv6ID)
+							if err != nil && !strings.Contains(err.Error(), "not found") {
 								return ctrl.Result{RequeueAfter: 10 * time.Minute}, err
+							} else {
+								firewallPolicy.Status.ResourcesManaged.UnifiFirewallPolicies[i].TcpIpv6ID = ""
+								if err := r.Status().Update(ctx, &firewallPolicy); err != nil {
+									return ctrl.Result{RequeueAfter: 10 * time.Minute}, err
+								}
 							}
 						}
-					}
-					if len(UnifiFirewallPolicy.UdpIpv6ID) > 0 {
-						err := r.UnifiClient.Client.DeleteFirewallPolicy(context.Background(), r.UnifiClient.SiteID, UnifiFirewallPolicy.UdpIpv6ID)
-						if err != nil && !strings.Contains(err.Error(), "not found") {
-							return ctrl.Result{RequeueAfter: 10 * time.Minute}, err
-						} else {
-							firewallPolicy.Status.ResourcesManaged.UnifiFirewallPolicies[i].UdpIpv6ID = ""
-							if err := r.Status().Update(ctx, &firewallPolicy); err != nil {
+						if len(UnifiFirewallPolicy.UdpIpv6ID) > 0 {
+							err := r.UnifiClient.Client.DeleteFirewallPolicy(context.Background(), r.UnifiClient.SiteID, UnifiFirewallPolicy.UdpIpv6ID)
+							if err != nil && !strings.Contains(err.Error(), "not found") {
 								return ctrl.Result{RequeueAfter: 10 * time.Minute}, err
+							} else {
+								firewallPolicy.Status.ResourcesManaged.UnifiFirewallPolicies[i].UdpIpv6ID = ""
+								if err := r.Status().Update(ctx, &firewallPolicy); err != nil {
+									return ctrl.Result{RequeueAfter: 10 * time.Minute}, err
+								}
 							}
 						}
 					}
 				}
-			}
 
-			if len(firewallPolicy.Status.ResourcesManaged.FirewallGroups) > 0 {
-				for i, firewallGroup := range firewallPolicy.Status.ResourcesManaged.FirewallGroups {
-					var firewallGroupCRD unifiv1beta1.FirewallGroup
-					if firewallGroup.Name != "" {
-						if err := r.Get(ctx, types.NamespacedName{Name: firewallGroup.Name, Namespace: firewallGroup.Namespace}, &firewallGroupCRD); err != nil {
-							return ctrl.Result{RequeueAfter: 10 * time.Minute}, err
-						}
-						if err := r.Delete(ctx, &firewallGroupCRD); err != nil {
-							log.Error(err, "Could not delete firewall group")
-							return ctrl.Result{RequeueAfter: 10 * time.Minute}, err
-						}
-						firewallPolicy.Status.ResourcesManaged.FirewallGroups[i].Name = ""
-						firewallPolicy.Status.ResourcesManaged.FirewallGroups[i].Namespace = ""
-						if err := r.Status().Update(ctx, &firewallPolicy); err != nil {
-							return ctrl.Result{RequeueAfter: 10 * time.Minute}, err
+				if len(firewallPolicy.Status.ResourcesManaged.FirewallGroups) > 0 {
+					for i, firewallGroup := range firewallPolicy.Status.ResourcesManaged.FirewallGroups {
+						var firewallGroupCRD unifiv1beta1.FirewallGroup
+						if firewallGroup.Name != "" {
+							if err := r.Get(ctx, types.NamespacedName{Name: firewallGroup.Name, Namespace: firewallGroup.Namespace}, &firewallGroupCRD); err != nil {
+								return ctrl.Result{RequeueAfter: 10 * time.Minute}, err
+							}
+							if err := r.Delete(ctx, &firewallGroupCRD); err != nil {
+								log.Error(err, "Could not delete firewall group")
+								return ctrl.Result{RequeueAfter: 10 * time.Minute}, err
+							}
+							firewallPolicy.Status.ResourcesManaged.FirewallGroups[i].Name = ""
+							firewallPolicy.Status.ResourcesManaged.FirewallGroups[i].Namespace = ""
+							if err := r.Status().Update(ctx, &firewallPolicy); err != nil {
+								return ctrl.Result{RequeueAfter: 10 * time.Minute}, err
+							}
 						}
 					}
 				}
@@ -285,14 +287,14 @@ func (r *FirewallPolicyReconciler) Reconcile(ctx context.Context, req ctrl.Reque
 	// This will be used when running through all firewall groups and servics known, to see if a rule should be added.
 
 	for _, dest_group := range firewallPolicy.Spec.Destination.FirewallGroups {
-		namespace := defaultNs
+		namespace := firewallPolicy.Namespace
 		if len(dest_group.Namespace) > 0 {
 			namespace = dest_group.Namespace
 		}
 		destination_groups[namespace+"/"+dest_group.Name] = struct{}{}
 	}
 	for _, dest_service := range firewallPolicy.Spec.Destination.Services {
-		namespace := defaultNs
+		namespace := firewallPolicy.Namespace
 		if len(dest_service.Namespace) > 0 {
 			namespace = dest_service.Namespace
 		}

internal/controller/firewallpolicy_controller_test.go

@@ -27,7 +27,7 @@ import (
 
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	unifiv1beta1 "gitea.engen.priv.no/klauvsteinen/unifi-network-operator/api/v1beta1"
+	unifiv1beta1 "github.com/vegardengen/unifi-network-operator/api/v1beta1"
 )
 
 var _ = Describe("FirewallPolicy Controller", func() {
@@ -61,10 +61,10 @@ var _ = Describe("FirewallPolicy Controller", func() {
 			// TODO(user): Cleanup logic after each test, like removing the resource instance.
 			resource := &unifiv1beta1.FirewallPolicy{}
 			err := k8sClient.Get(ctx, typeNamespacedName, resource)
-			Expect(err).NotTo(HaveOccurred())
-
-			By("Cleanup the specific resource instance FirewallPolicy")
-			Expect(k8sClient.Delete(ctx, resource)).To(Succeed())
+			if err == nil {
+				By("Cleanup the specific resource instance FirewallPolicy")
+				Expect(k8sClient.Delete(ctx, resource)).To(Succeed())
+			}
 		})
 		It("should successfully reconcile the resource", func() {
 			By("Reconciling the created resource")

internal/controller/firewallzone_controller.go

@@ -28,9 +28,9 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/log"
 
-	unifiv1beta1 "gitea.engen.priv.no/klauvsteinen/unifi-network-operator/api/v1beta1"
-	"gitea.engen.priv.no/klauvsteinen/unifi-network-operator/internal/config"
-	"gitea.engen.priv.no/klauvsteinen/unifi-network-operator/internal/unifi"
+	unifiv1beta1 "github.com/vegardengen/unifi-network-operator/api/v1beta1"
+	"github.com/vegardengen/unifi-network-operator/internal/config"
+	"github.com/vegardengen/unifi-network-operator/internal/unifi"
 )
 
 // FirewallZoneReconciler reconciles a FirewallZone object

internal/controller/firewallzone_controller_test.go

@@ -27,7 +27,7 @@ import (
 
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	unifiv1beta1 "gitea.engen.priv.no/klauvsteinen/unifi-network-operator/api/v1beta1"
+	unifiv1beta1 "github.com/vegardengen/unifi-network-operator/api/v1beta1"
 )
 
 var _ = Describe("FirewallZone Controller", func() {
@@ -61,10 +61,10 @@ var _ = Describe("FirewallZone Controller", func() {
 			// TODO(user): Cleanup logic after each test, like removing the resource instance.
 			resource := &unifiv1beta1.FirewallZone{}
 			err := k8sClient.Get(ctx, typeNamespacedName, resource)
-			Expect(err).NotTo(HaveOccurred())
-
-			By("Cleanup the specific resource instance FirewallZone")
-			Expect(k8sClient.Delete(ctx, resource)).To(Succeed())
+			if err == nil {
+				By("Cleanup the specific resource instance FirewallZone")
+				Expect(k8sClient.Delete(ctx, resource)).To(Succeed())
+			}
 		})
 		It("should successfully reconcile the resource", func() {
 			By("Reconciling the created resource")

internal/controller/networkconfiguration_controller.go

@@ -28,9 +28,9 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/log"
 
-	unifiv1 "gitea.engen.priv.no/klauvsteinen/unifi-network-operator/api/v1beta1"
-	"gitea.engen.priv.no/klauvsteinen/unifi-network-operator/internal/config"
-	"gitea.engen.priv.no/klauvsteinen/unifi-network-operator/internal/unifi"
+	unifiv1 "github.com/vegardengen/unifi-network-operator/api/v1beta1"
+	"github.com/vegardengen/unifi-network-operator/internal/config"
+	"github.com/vegardengen/unifi-network-operator/internal/unifi"
 )
 
 // NetworkconfigurationReconciler reconciles a Networkconfiguration object

internal/controller/networkconfiguration_controller_test.go

@@ -27,7 +27,7 @@ import (
 
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	unifiv1beta1 "gitea.engen.priv.no/klauvsteinen/unifi-network-operator/api/v1beta1"
+	unifiv1beta1 "github.com/vegardengen/unifi-network-operator/api/v1beta1"
 )
 
 var _ = Describe("Networkconfiguration Controller", func() {
@@ -61,10 +61,10 @@ var _ = Describe("Networkconfiguration Controller", func() {
 			// TODO(user): Cleanup logic after each test, like removing the resource instance.
 			resource := &unifiv1beta1.Networkconfiguration{}
 			err := k8sClient.Get(ctx, typeNamespacedName, resource)
-			Expect(err).NotTo(HaveOccurred())
-
-			By("Cleanup the specific resource instance Networkconfiguration")
-			Expect(k8sClient.Delete(ctx, resource)).To(Succeed())
+			if err == nil {
+				By("Cleanup the specific resource instance Networkconfiguration")
+				Expect(k8sClient.Delete(ctx, resource)).To(Succeed())
+			}
 		})
 		It("should successfully reconcile the resource", func() {
 			By("Reconciling the created resource")

internal/controller/portforward_controller.go

@@ -19,9 +19,9 @@ import (
 	//	"sigs.k8s.io/controller-runtime/pkg/source"
 
 	goUnifi "gitea.engen.priv.no/klauvsteinen/go-unifi/unifi"
-	//	unifiv1beta1 "gitea.engen.priv.no/klauvsteinen/unifi-network-operator/api/v1beta1"
-	"gitea.engen.priv.no/klauvsteinen/unifi-network-operator/internal/config"
-	"gitea.engen.priv.no/klauvsteinen/unifi-network-operator/internal/unifi"
+	//	unifiv1beta1 "github.com/vegardengen/unifi-network-operator/api/v1beta1"
+	"github.com/vegardengen/unifi-network-operator/internal/config"
+	"github.com/vegardengen/unifi-network-operator/internal/unifi"
 )
 
 type PortForwardReconciler struct {

internal/controller/portforward_controller_test.go

@@ -27,7 +27,7 @@ import (
 
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	unifiv1beta1 "gitea.engen.priv.no/klauvsteinen/unifi-network-operator/api/v1beta1"
+	unifiv1beta1 "github.com/vegardengen/unifi-network-operator/api/v1beta1"
 )
 
 var _ = Describe("PortForward Controller", func() {
@@ -61,10 +61,10 @@ var _ = Describe("PortForward Controller", func() {
 			// TODO(user): Cleanup logic after each test, like removing the resource instance.
 			resource := &unifiv1beta1.PortForward{}
 			err := k8sClient.Get(ctx, typeNamespacedName, resource)
-			Expect(err).NotTo(HaveOccurred())
-
-			By("Cleanup the specific resource instance PortForward")
-			Expect(k8sClient.Delete(ctx, resource)).To(Succeed())
+			if err == nil {
+				By("Cleanup the specific resource instance PortForward")
+				Expect(k8sClient.Delete(ctx, resource)).To(Succeed())
+			}
 		})
 		It("should successfully reconcile the resource", func() {
 			By("Reconciling the created resource")

internal/controller/suite_test.go

@@ -32,7 +32,7 @@ import (
 	logf "sigs.k8s.io/controller-runtime/pkg/log"
 	"sigs.k8s.io/controller-runtime/pkg/log/zap"
 
-	unifiv1beta1 "gitea.engen.priv.no/klauvsteinen/unifi-network-operator/api/v1beta1"
+	unifiv1beta1 "github.com/vegardengen/unifi-network-operator/api/v1beta1"
 	// +kubebuilder:scaffold:imports
 )
 
@@ -48,6 +48,10 @@ var (
 )
 
 func TestControllers(t *testing.T) {
+	if os.Getenv("SKIP_INTEGRATION_TESTS") == "true" {
+		t.Skip("Skipping integration tests that require envtest")
+	}
+
 	RegisterFailHandler(Fail)
 
 	RunSpecs(t, "Controller Suite")

ko.yaml

@@ -2,6 +2,6 @@ defaultBaseImage: cgr.dev/chainguard/static:latest
 
 labels:
   org.opencontainers.image.authors: Vegard Engen <vegard@engen.priv.no>
-  org.opencontainers.image.source: https://gitea.engen.priv.no/klauvsteinen/unifi-network-operator
+  org.opencontainers.image.source: https://github.com/vegardengen/unifi-network-operator
   org.opencontainers.image.vendor: Klauvsteinen
   dev.chainguard.package.main: ""

test/e2e/e2e_suite_test.go

@@ -47,6 +47,10 @@ var (
 // The default setup requires Kind, builds/loads the Manager Docker image locally, and installs
 // CertManager.
 func TestE2E(t *testing.T) {
+	if os.Getenv("SKIP_INTEGRATION_TESTS") == "true" {
+		t.Skip("Skipping e2e tests that require Kubernetes cluster")
+	}
+
 	RegisterFailHandler(Fail)
 	_, _ = fmt.Fprintf(GinkgoWriter, "Starting unifi-network-operator integration test suite\n")
 	RunSpecs(t, "e2e suite")