OCPEDGE-2084: Add PacemakerStatus CRD for two-node fencing

Introduces etcd.openshift.io/v1alpha1 API group with a PacemakerCluster
custom resource. This provides visibility into Pacemaker cluster health for
Two Node Fencing (TNF) etcd deployments. The status-only resource is populated by a
privileged controller and consumed by the cluster-etcd-operator healthcheck
controller. This API is not explicitly gated because it's only created by CEO
once the transition to an ExternalEtcd has occured. This means that it is
naturally gated by the TNF topology.

Author: jaypoulz

etcd/.codegen.yaml

@@ -0,0 +1,2 @@
+swaggerdocs:
+  commentPolicy: Warn

etcd/README.md

@@ -0,0 +1,46 @@
+# etcd.openshift.io API Group
+
+This API group contains CRDs related to etcd cluster management. Specifically, this is only used for TNF (Two Node Fencing)
+for gathering status updates from the node to ensure the cluster-admin is warned about unhealthy setups.
+
+## API Versions
+
+### v1alpha1
+
+Contains the `PacemakerCluster` custom resource for monitoring Pacemaker cluster health in TNF (Two Node Fencing) deployments.
+
+#### PacemakerCluster
+
+- **Feature Gate**: None - this CRD is gated by cluster-etcd-operator start-up. It will only be created once a TNF cluster has transitioned to external etcd.
+- **Component**: `two-node-fencing`
+- **Scope**: Cluster-scoped singleton resource named "cluster"
+- **Resource Path**: `pacemakerclusters.etcd.openshift.io`
+
+The `PacemakerCluster` resource provides visibility into the health and status of a Pacemaker-managed cluster. It is periodically updated by the cluster-etcd-operator's status collector running as a privileged CronJob.
+
+**Status Fields:**
+- `lastUpdated` (required): Timestamp when status was last collected - used to detect stale data
+- `summary`: High-level cluster health metrics
+  - `pacemakerDaemonState`: Running state (enum: `Running`, `KnownNotRunning`)
+  - `quorumStatus`: Quorum state (enum: `Quorate`, `NoQuorum`)
+  - `nodesOnline`, `nodesTotal`: Node counts (0-2)
+  - `resourcesStarted`, `resourcesTotal`: Resource counts (0-16)
+- `nodes`: Detailed status of each node (1-2 nodes)
+  - Name, IPv4/IPv6 addresses, online status (enum), mode (enum: `Active`, `Standby`)
+- `resources`: Detailed status of each resource (1-16 resources)
+  - Name, resource agent, role (enum: `Started`, `Stopped`), active status (enum), node assignment
+- `nodeHistory`: Recent operation failures for troubleshooting (up to 16 entries, last 5 minutes)
+- `fencingHistory`: Recent fencing events (up to 16 events, last 24 hours)
+  - Target node, action (enum: `reboot`, `off`, `on`), status (enum: `success`, `failed`, `pending`), completion timestamp
+- `collectionError`: Any errors encountered during status collection (max 2KB)
+- `rawXML`: Full XML output from `pcs status xml` for debugging (max 256KB)
+
+**Design Principles:**
+The API follows "Act on Deterministic Information":
+- All fields except `lastUpdated` are optional
+- Missing data indicates unknown state, not error
+- Operator only acts on definitive information
+- Unknown state preserves the last known health condition
+
+**Usage:**
+The cluster-etcd-operator healthcheck controller watches this resource and updates operator conditions based on the cluster state.

etcd/install.go

@@ -0,0 +1,26 @@
+package etcd
+
+import (
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+
+	v1alpha1 "github.com/openshift/api/etcd/v1alpha1"
+)
+
+const (
+	GroupName = "etcd.openshift.io"
+)
+
+var (
+	schemeBuilder = runtime.NewSchemeBuilder(v1alpha1.Install)
+	// Install is a function which adds every version of this group to a scheme
+	Install = schemeBuilder.AddToScheme
+)
+
+func Resource(resource string) schema.GroupResource {
+	return schema.GroupResource{Group: GroupName, Resource: resource}
+}
+
+func Kind(kind string) schema.GroupKind {
+	return schema.GroupKind{Group: GroupName, Kind: kind}
+}

etcd/v1alpha1/Makefile

@@ -0,0 +1,7 @@
+.PHONY: verify-with-container
+verify-with-container:
+	$(MAKE) -f ../../Makefile $@
+
+.PHONY: update-with-container
+update-with-container:
+	$(MAKE) -f ../../Makefile $@

etcd/v1alpha1/README.md

@@ -0,0 +1,43 @@
+# etcd.openshift.io/v1alpha1
+
+This API group contains types related to two-node fencing for etcd cluster management.
+
+## PacemakerCluster
+
+The `PacemakerCluster` CRD provides visibility into the health and status of Pacemaker-managed clusters in dual-replica (two-node) OpenShift deployments.
+
+### Feature Gate
+
+- **Feature Gate**: None - this CRD is gated by cluster-etcd-operator start-up. It will only be created once a TNF cluster has transitioned to external etcd.
+- **Component**: `two-node-fencing`
+
+### Usage
+
+The PacemakerCluster resource is a cluster-scoped, status-only singleton named "cluster". It is periodically updated by a privileged controller that runs `pcs status xml` and parses the output into structured fields for health checking.
+
+### Status Fields
+
+- **LastUpdated** (required): Timestamp when status was last collected
+- **Summary**: High-level cluster state including:
+  - `pacemakerDaemonState`: Running state of the pacemaker daemon (enum: `Running`, `KnownNotRunning`)
+  - `quorumStatus`: Whether cluster has quorum (enum: `Quorate`, `NoQuorum`)
+  - `nodesOnline`, `nodesTotal`: Node counts
+  - `resourcesStarted`, `resourcesTotal`: Resource counts
+- **Nodes**: Detailed per-node status (name, IPv4/IPv6 addresses, online status, mode)
+- **Resources**: Detailed per-resource status (name, resource agent type, role enum, active status, node assignment)
+- **NodeHistory**: Recent operation history for troubleshooting (operation failures within last 5 minutes)
+- **FencingHistory**: Recent fencing events (events within last 24 hours)
+- **RawXML**: Complete XML output from `pcs status xml` (for debugging only, max 256KB)
+- **CollectionError**: Any errors encountered during status collection
+
+### Design Principles
+
+The API follows a "Design Principle: Act on Deterministic Information" approach:
+- Almost all fields are optional except `lastUpdated`
+- Missing data means "unknown" not "error"
+- The operator only transitions between PacemakerHealthy and PacemakerDegraded states based on deterministic information
+- When information is unavailable, the last known state is preserved
+
+### Notes
+
+The spec field is reserved but unused - all meaningful data is in the status subresource.

etcd/v1alpha1/doc.go

@@ -0,0 +1,8 @@
+// +k8s:deepcopy-gen=package,register
+// +k8s:defaulter-gen=TypeMeta
+// +k8s:openapi-gen=true
+// +openshift:featuregated-schema-gen=true
+
+// +kubebuilder:validation:Optional
+// +groupName=etcd.openshift.io
+package v1alpha1

etcd/v1alpha1/register.go

@@ -0,0 +1,39 @@
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+var (
+	GroupName     = "etcd.openshift.io"
+	GroupVersion  = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
+	schemeBuilder = runtime.NewSchemeBuilder(addKnownTypes)
+	// Install is a function which adds this version to a scheme
+	Install = schemeBuilder.AddToScheme
+
+	// SchemeGroupVersion generated code relies on this name
+	// Deprecated
+	SchemeGroupVersion = GroupVersion
+	// AddToScheme exists solely to keep the old generators creating valid code
+	// DEPRECATED
+	AddToScheme = schemeBuilder.AddToScheme
+)
+
+// Resource generated code relies on this being here, but it logically belongs to the group
+// DEPRECATED
+func Resource(resource string) schema.GroupResource {
+	return schema.GroupResource{Group: GroupName, Resource: resource}
+}
+
+func addKnownTypes(scheme *runtime.Scheme) error {
+	metav1.AddToGroupVersion(scheme, GroupVersion)
+
+	scheme.AddKnownTypes(GroupVersion,
+		&PacemakerCluster{},
+		&PacemakerClusterList{},
+	)
+
+	return nil
+}

etcd/v1alpha1/tests/pacemakerclusters.etcd.openshift.io/AAA_ungated.yaml

@@ -0,0 +1,18 @@
+apiVersion: apiextensions.k8s.io/v1 # Hack because controller-gen complains if we don't have this
+name: "PacemakerCluster"
+crdName: pacemakerclusters.etcd.openshift.io
+tests:
+  onCreate:
+    - name: Should be able to create a minimal PacemakerCluster
+      initial: |
+        apiVersion: etcd.openshift.io/v1alpha1
+        kind: PacemakerCluster
+        metadata:
+          name: cluster
+        spec: {}
+      expected: |
+        apiVersion: etcd.openshift.io/v1alpha1
+        kind: PacemakerCluster
+        metadata:
+          name: cluster
+        spec: {}