OCPEDGE-2084: Add PacemakerStatus CRD for two-node fencing

Introduces tnf.etcd.openshift.io/v1alpha1 API group with PacemakerStatus
custom resource. This provides visibility into Pacemaker cluster health for
dual-replica etcd deployments. The status-only resource is populated by a
privileged controller and consumed by the cluster-etcd-operator healthcheck
controller. Gated by DualReplica feature and managed by two-node-fencing component.

Author: jaypoulz

etcd/README.md

@@ -0,0 +1,28 @@
+# tnf.etcd.openshift.io API Group
+
+This API group contains CRDs related to two-node fencing (TNF) for etcd cluster management.
+
+## API Versions
+
+### tnf/v1alpha1
+
+Contains the `PacemakerStatus` custom resource for monitoring Pacemaker cluster health in dual-replica (two-node) deployments.
+
+#### PacemakerStatus
+
+- **Feature Gate**: `DualReplica`
+- **Component**: `two-node-fencing`
+- **Scope**: Cluster-scoped singleton resource named "cluster"
+
+The `PacemakerStatus` resource provides visibility into the health and status of a Pacemaker-managed cluster. It is periodically updated by the cluster-etcd-operator's status collector running as a privileged CronJob.
+
+**Status Fields:**
+- `summary`: High-level cluster health metrics (quorum, node counts, resource counts)
+- `nodes`: Detailed status of each node (online, standby)
+- `resources`: Detailed status of each resource (role, active, node assignment)
+- `nodeHistory`: Recent operation failures for troubleshooting
+- `fencingHistory`: Recent fencing events
+- `rawXML`: Full XML output from `pcs status xml` for debugging
+
+**Usage:**
+The cluster-etcd-operator healthcheck controller watches this resource and updates operator conditions based on the cluster state.

etcd/install.go

@@ -0,0 +1,26 @@
+package etcd
+
+import (
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+
+	tnfv1alpha1 "github.com/openshift/api/etcd/tnf/v1alpha1"
+)
+
+const (
+	GroupName = "tnf.etcd.openshift.io"
+)
+
+var (
+	schemeBuilder = runtime.NewSchemeBuilder(tnfv1alpha1.Install)
+	// Install is a function which adds every version of this group to a scheme
+	Install = schemeBuilder.AddToScheme
+)
+
+func Resource(resource string) schema.GroupResource {
+	return schema.GroupResource{Group: GroupName, Resource: resource}
+}
+
+func Kind(kind string) schema.GroupKind {
+	return schema.GroupKind{Group: GroupName, Kind: kind}
+}

etcd/tnf/v1alpha1/Makefile

@@ -0,0 +1,7 @@
+.PHONY: verify-with-container
+verify-with-container:
+	$(MAKE) -f ../../Makefile $@
+
+.PHONY: update-with-container
+update-with-container:
+	$(MAKE) -f ../../Makefile $@

etcd/tnf/v1alpha1/README.md

@@ -0,0 +1,29 @@
+# tnf.etcd.openshift.io/v1alpha1
+
+This API group contains types related to two-node fencing for etcd cluster management.
+
+## PacemakerStatus
+
+The `PacemakerStatus` CRD provides visibility into the health and status of Pacemaker-managed clusters in dual-replica (two-node) OpenShift deployments.
+
+### Feature Gate
+
+- **FeatureGate**: `DualReplica`
+- **Component**: `two-node-fencing`
+
+### Usage
+
+The PacemakerStatus resource is a cluster-scoped, status-only singleton named "cluster". It is periodically updated by a privileged controller that runs `pcs status xml` and parses the output into structured fields for health checking.
+
+### Fields
+
+- **Summary**: High-level cluster state (quorum, node counts, resource counts, recent failures/fencing)
+- **Nodes**: Detailed per-node status (online, standby)
+- **Resources**: Detailed per-resource status (agent type, role, active state, node)
+- **NodeHistory**: Recent operation history for troubleshooting
+- **FencingHistory**: Recent fencing events
+- **RawXML**: Complete XML output (for debugging only, max 256KB)
+
+### Notes
+
+The spec field is reserved but unused - all meaningful data is in the status subresource.

etcd/tnf/v1alpha1/doc.go

@@ -0,0 +1,6 @@
+// +k8s:deepcopy-gen=package,register
+// +k8s:defaulter-gen=TypeMeta
+// +k8s:openapi-gen=true
+
+// +groupName=tnf.etcd.openshift.io
+package v1alpha1

etcd/tnf/v1alpha1/register.go

@@ -0,0 +1,39 @@
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+var (
+	GroupName     = "tnf.etcd.openshift.io"
+	GroupVersion  = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
+	schemeBuilder = runtime.NewSchemeBuilder(addKnownTypes)
+	// Install is a function which adds this version to a scheme
+	Install = schemeBuilder.AddToScheme
+
+	// SchemeGroupVersion generated code relies on this name
+	// Deprecated
+	SchemeGroupVersion = GroupVersion
+	// AddToScheme exists solely to keep the old generators creating valid code
+	// DEPRECATED
+	AddToScheme = schemeBuilder.AddToScheme
+)
+
+// Resource generated code relies on this being here, but it logically belongs to the group
+// DEPRECATED
+func Resource(resource string) schema.GroupResource {
+	return schema.GroupResource{Group: GroupName, Resource: resource}
+}
+
+func addKnownTypes(scheme *runtime.Scheme) error {
+	metav1.AddToGroupVersion(scheme, GroupVersion)
+
+	scheme.AddKnownTypes(GroupVersion,
+		&PacemakerStatus{},
+		&PacemakerStatusList{},
+	)
+
+	return nil
+}

etcd/tnf/v1alpha1/tests/pacemakerstatuses.tnf.etcd.openshift.io/DualReplica.yaml

@@ -0,0 +1,201 @@
+apiVersion: apiextensions.k8s.io/v1 # Hack because controller-gen complains if we don't have this
+name: "PacemakerStatus"
+crdName: pacemakerstatuses.tnf.etcd.openshift.io
+featureGates:
+- DualReplica
+tests:
+  onCreate:
+    - name: Should be able to create a minimal PacemakerStatus
+      initial: |
+        apiVersion: tnf.etcd.openshift.io/v1alpha1
+        kind: PacemakerStatus
+        metadata:
+          name: cluster
+        spec: {}
+      expected: |
+        apiVersion: tnf.etcd.openshift.io/v1alpha1
+        kind: PacemakerStatus
+        metadata:
+          name: cluster
+        spec: {}
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    api-approved.openshift.io: https://github.com/openshift/api/pull/TBD
+    include.release.openshift.io/ibm-cloud-managed: "true"
+    include.release.openshift.io/self-managed-high-availability: "true"
+    release.openshift.io/feature-set: DualReplica
+  name: pacemakerstatuses.tnf.etcd.openshift.io
+spec:
+  group: tnf.etcd.openshift.io
+  names:
+    kind: PacemakerStatus
+    listKind: PacemakerStatusList
+    plural: pacemakerstatuses
+    singular: pacemakerstatus
+  scope: Cluster
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: 'PacemakerStatus represents the current state of the Pacemaker cluster as reported by the pcs status command'
+        type: object
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: spec is reserved for future use but is currently unused.
+            type: object
+            properties:
+              nodeName:
+                description: Reserved for future use
+                type: string
+          status:
+            description: status contains the actual pacemaker cluster status information collected from the cluster.
+            type: object
+            properties:
+              collectionError:
+                description: collectionError contains any error encountered while collecting status
+                type: string
+              fencingHistory:
+                description: fencingHistory provides recent fencing events
+                type: array
+                items:
+                  type: object
+                  required:
+                  - action
+                  - status
+                  - target
+                  properties:
+                    action:
+                      description: action is the fencing action performed (e.g., "reboot", "off", "on")
+                      type: string
+                    completed:
+                      description: completed is the timestamp when the fencing completed
+                      type: string
+                      format: date-time
+                    status:
+                      description: status is the status of the fencing operation (e.g., "success", "failed")
+                      type: string
+                    target:
+                      description: target is the node that was fenced
+                      type: string
+              lastUpdated:
+                description: lastUpdated is the timestamp when this status was last updated
+                type: string
+                format: date-time
+              nodeHistory:
+                description: nodeHistory provides recent operation history for troubleshooting
+                type: array
+                items:
+                  type: object
+                  required:
+                  - node
+                  - operation
+                  - rc
+                  - resource
+                  properties:
+                    lastRCChange:
+                      description: lastRCChange is the timestamp when the RC last changed
+                      type: string
+                      format: date-time
+                    node:
+                      description: node is the node where the operation occurred
+                      type: string
+                    operation:
+                      description: operation is the operation that was performed (e.g., "monitor", "start", "stop")
+                      type: string
+                    rc:
+                      description: rc is the return code from the operation
+                      type: integer
+                    rcText:
+                      description: rcText is the human-readable return code text (e.g., "ok", "error", "not running")
+                      type: string
+                    resource:
+                      description: resource is the resource that was operated on
+                      type: string
+              nodes:
+                description: nodes provides detailed information about each node in the cluster
+                type: array
+                items:
+                  type: object
+                  required:
+                  - name
+                  - online
+                  properties:
+                    name:
+                      description: name is the name of the node
+                      type: string
+                    online:
+                      description: online indicates if the node is online
+                      type: boolean
+                    standby:
+                      description: standby indicates if the node is in standby mode
+                      type: boolean
+              rawXML:
+                description: rawXML contains the raw XML output from pcs status xml command.
+                type: string
+                maxLength: 262144
+              resources:
+                description: resources provides detailed information about each resource in the cluster
+                type: array
+                items:
+                  type: object
+                  required:
+                  - name
+                  properties:
+                    active:
+                      description: active indicates if the resource is active
+                      type: boolean
+                    name:
+                      description: name is the name of the resource
+                      type: string
+                    node:
+                      description: node is the node where the resource is running
+                      type: string
+                    resourceAgent:
+                      description: resourceAgent is the resource agent type (e.g., "ocf:heartbeat:IPaddr2", "systemd:kubelet")
+                      type: string
+                    role:
+                      description: role is the current role of the resource (e.g., "Started", "Stopped")
+                      type: string
+              summary:
+                description: summary provides high-level counts and flags for the cluster state
+                type: object
+                properties:
+                  hasQuorum:
+                    description: hasQuorum indicates if the cluster has quorum
+                    type: boolean
+                  nodesOnline:
+                    description: nodesOnline is the count of online nodes
+                    type: integer
+                  nodesTotal:
+                    description: nodesTotal is the total count of configured nodes
+                    type: integer
+                  pacemakerdState:
+                    description: pacemakerdState indicates if pacemaker is running
+                    type: string
+                  recentFailures:
+                    description: recentFailures indicates if there are recent operation failures
+                    type: boolean
+                  recentFencing:
+                    description: recentFencing indicates if there are recent fencing events
+                    type: boolean
+                  resourcesStarted:
+                    description: resourcesStarted is the count of started resources
+                    type: integer
+                  resourcesTotal:
+                    description: resourcesTotal is the total count of configured resources
+                    type: integer
+    served: true
+    storage: true
+    subresources:
+      status: {}