feat: cluster-less crd pipeline (#2316)

## Description

- Adds new script to generate CRD yaml manifests and add to helm chart
- Removes register.ts
- Updates gen-crd to use this and local yaml files instead of requiring
cluster
- Adds check for templates path to existing crd check

## Related Issue

Fixes #2292

## Type of change

- [ ] Bug fix (non-breaking change which fixes an issue)
- [x] New feature (non-breaking change which adds functionality)
- [ ] Other (security config, docs update, etc)

## Steps to Validate
- If this PR introduces new functionality to UDS Core or addresses a
bug, please document the steps to test the changes.

## Checklist before merging

- [x] Test, docs, adr added or updated as needed
- [x] [Contributor
Guide](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md)
followed

Author: briantwatson

.github/actions/autogenerated-check/action.yaml

@@ -1,4 +1,4 @@
-# Copyright 2025 Defense Unicorns
+# Copyright 2025-2026 Defense Unicorns
 # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial
 
 name: autogenerated-check
@@ -18,13 +18,6 @@ runs:
         # renovate: datasource=github-tags depName=google/addlicense versioning=semver
         GOPATH="$HOME/go" go install github.com/google/addlicense@v1.1.1
 
-        # We need a cluster for generating our CRD files - args used to simplify cluster setup
-        k3d cluster create --k3s-arg "--disable=traefik@server:*" \
-          --k3s-arg "--disable=metrics-server@server:*" \
-          --k3s-arg "--disable=servicelb@server:*" \
-          --k3s-arg "--disable=local-storage@server:*" \
-          --no-lb
-
         # Generate CRD files
         uds run -f src/pepr/tasks.yaml gen-crds
 
@@ -43,10 +36,10 @@ runs:
         # Check for specific diffs
         DIFFS=false
 
-        if [ ! -z "$(git status -s src/pepr/operator/crd/generated/ schemas/ docs/reference/configuration/custom-resources/)" ]; then
+        if [ ! -z "$(git status -s src/pepr/operator/crd/generated/ schemas/ docs/reference/configuration/custom-resources/ src/pepr/uds-cluster-crds/templates/)" ]; then
           # Diffs for CRDs
           DIFFS=true
-          echo -e "\033[33m⚠️ Autogenerated CRD files are not up to date, please run \`uds run -f src/pepr/tasks.yaml gen-crds\` (with an active cluster) and commit the changes.\033[0m"
+          echo -e "\033[33m⚠️ Autogenerated CRD files are not up to date, please run \`uds run -f src/pepr/tasks.yaml gen-crds\` and commit the changes.\033[0m"
         fi
 
         if [ ! -z "$(git status -s src/istio/values/)" ]; then

adrs/0007-cluster-less-crd-generation-workflow.md

@@ -4,7 +4,7 @@ Date: 2026-01-13
 
 ## Status
 
-Proposed
+Accepted
 
 ## Context
 

docs/reference/configuration/custom-resources/clusterconfig-v1alpha1-cr.md

@@ -54,7 +54,7 @@ sidebar:
     </tr>
   </thead>
   <tbody>
-    <tr><td style="white-space: nowrap;">attributes</td><td style="white-space: nowrap;"><a href="#Attributes">Attributes</a></td><td></td></tr><tr><td style="white-space: nowrap;">caBundle</td><td style="white-space: nowrap;"><a href="#CaBundle">CaBundle</a></td><td></td></tr><tr><td style="white-space: nowrap;">expose</td><td style="white-space: nowrap;"><a href="#Expose">Expose</a></td><td></td></tr><tr><td style="white-space: nowrap;">networking</td><td style="white-space: nowrap;"><a href="#Networking">Networking</a></td><td></td></tr><tr><td style="white-space: nowrap;">policy</td><td style="white-space: nowrap;"><a href="#Policy">Policy</a></td><td></td></tr>
+    <tr><td style="white-space: nowrap;">attributes</td><td style="white-space: nowrap;"><a href="#Attributes">Attributes</a></td><td></td></tr><tr><td style="white-space: nowrap;">networking</td><td style="white-space: nowrap;"><a href="#Networking">Networking</a></td><td></td></tr><tr><td style="white-space: nowrap;">caBundle</td><td style="white-space: nowrap;"><a href="#CaBundle">CaBundle</a></td><td></td></tr><tr><td style="white-space: nowrap;">expose</td><td style="white-space: nowrap;"><a href="#Expose">Expose</a></td><td></td></tr><tr><td style="white-space: nowrap;">policy</td><td style="white-space: nowrap;"><a href="#Policy">Policy</a></td><td></td></tr>
   </tbody>
 </table>
 </div>
@@ -77,10 +77,10 @@ sidebar:
 </table>
 </div>
 
-<a id="CaBundle"></a>
+<a id="Networking"></a>
 <div style="margin-left: 60px; padding-top: 30px;">
 
-### CaBundle
+### Networking
 <table style="width: 100%; table-layout: fixed;">
   <thead>
     <tr>
@@ -90,15 +90,15 @@ sidebar:
     </tr>
   </thead>
   <tbody>
-    <tr><td style="white-space: nowrap;">certs</td><td style="white-space: nowrap;">string</td><td>Contents of user provided CA bundle certificates</td></tr><tr><td style="white-space: nowrap;">includeDoDCerts</td><td style="white-space: nowrap;">boolean</td><td>Include DoD CA certificates in the bundle</td></tr><tr><td style="white-space: nowrap;">includePublicCerts</td><td style="white-space: nowrap;">boolean</td><td>Include public CA certificates in the bundle</td></tr>
+    <tr><td style="white-space: nowrap;">kubeApiCIDR</td><td style="white-space: nowrap;">string</td><td>CIDR range for your Kubernetes control plane nodes. This is a manual override that can be used instead of relying on Pepr to automatically watch and update the values</td></tr><tr><td style="white-space: nowrap;">kubeNodeCIDRs</td><td style="white-space: nowrap;">string[]</td><td>CIDR(s) for all Kubernetes nodes (not just control plane). Similar reason to above,annual override instead of relying on watch</td></tr>
   </tbody>
 </table>
 </div>
 
-<a id="Expose"></a>
+<a id="CaBundle"></a>
 <div style="margin-left: 60px; padding-top: 30px;">
 
-### Expose
+### CaBundle
 <table style="width: 100%; table-layout: fixed;">
   <thead>
     <tr>
@@ -108,15 +108,15 @@ sidebar:
     </tr>
   </thead>
   <tbody>
-    <tr><td style="white-space: nowrap;">adminDomain</td><td style="white-space: nowrap;">string</td><td>Domain all cluster services on the admin gateway will be exposed on</td></tr><tr><td style="white-space: nowrap;">caCert</td><td style="white-space: nowrap;">string</td><td>The trusted CA that signed your domain certificates if using Private PKI</td></tr><tr><td style="white-space: nowrap;">domain</td><td style="white-space: nowrap;">string</td><td>Domain all cluster services will be exposed on</td></tr>
+    <tr><td style="white-space: nowrap;">certs</td><td style="white-space: nowrap;">string</td><td>Contents of user provided CA bundle certificates</td></tr><tr><td style="white-space: nowrap;">includeDoDCerts</td><td style="white-space: nowrap;">boolean</td><td>Include DoD CA certificates in the bundle</td></tr><tr><td style="white-space: nowrap;">includePublicCerts</td><td style="white-space: nowrap;">boolean</td><td>Include public CA certificates in the bundle</td></tr>
   </tbody>
 </table>
 </div>
 
-<a id="Networking"></a>
+<a id="Expose"></a>
 <div style="margin-left: 60px; padding-top: 30px;">
 
-### Networking
+### Expose
 <table style="width: 100%; table-layout: fixed;">
   <thead>
     <tr>
@@ -126,7 +126,7 @@ sidebar:
     </tr>
   </thead>
   <tbody>
-    <tr><td style="white-space: nowrap;">kubeApiCIDR</td><td style="white-space: nowrap;">string</td><td>CIDR range for your Kubernetes control plane nodes. This is a manual override that can be used instead of relying on Pepr to automatically watch and update the values</td></tr><tr><td style="white-space: nowrap;">kubeNodeCIDRs</td><td style="white-space: nowrap;">string[]</td><td>CIDR(s) for all Kubernetes nodes (not just control plane). Similar reason to above,annual override instead of relying on watch</td></tr>
+    <tr><td style="white-space: nowrap;">domain</td><td style="white-space: nowrap;">string</td><td>Domain all cluster services will be exposed on</td></tr><tr><td style="white-space: nowrap;">adminDomain</td><td style="white-space: nowrap;">string</td><td>Domain all cluster services on the admin gateway will be exposed on</td></tr><tr><td style="white-space: nowrap;">caCert</td><td style="white-space: nowrap;">string</td><td>The trusted CA that signed your domain certificates if using Private PKI</td></tr>
   </tbody>
 </table>
 </div>

docs/reference/configuration/custom-resources/exemptions-v1alpha1-cr.md

@@ -54,7 +54,7 @@ sidebar:
     </tr>
   </thead>
   <tbody>
-    <tr><td style="white-space: nowrap;">description</td><td style="white-space: nowrap;">string</td><td>Reasons as to why this exemption is needed</td></tr><tr><td style="white-space: nowrap;">matcher</td><td style="white-space: nowrap;"><a href="#Matcher">Matcher</a></td><td>Resource to exempt (Regex allowed for name)</td></tr><tr><td style="white-space: nowrap;">policies</td><td style="white-space: nowrap;">Policies[] (enum):<ul><li><code>DisallowHostNamespaces</code></li><li><code>DisallowNodePortServices</code></li><li><code>DisallowPrivileged</code></li><li><code>DisallowSELinuxOptions</code></li><li><code>DropAllCapabilities</code></li><li><code>RequireNonRootUser</code></li><li><code>RestrictCapabilities</code></li><li><code>RestrictExternalNames</code></li><li><code>RestrictHostPathWrite</code></li><li><code>RestrictHostPorts</code></li><li><code>RestrictIstioAmbientOverrides</code></li><li><code>RestrictIstioSidecarOverrides</code></li><li><code>RestrictIstioTrafficOverrides</code></li><li><code>RestrictIstioUser</code></li><li><code>RestrictProcMount</code></li><li><code>RestrictSeccomp</code></li><li><code>RestrictSELinuxType</code></li><li><code>RestrictVolumeTypes</code></li></ul></td><td>A list of policies to override</td></tr><tr><td style="white-space: nowrap;">title</td><td style="white-space: nowrap;">string</td><td>title to give the exemption for reporting purposes</td></tr>
+    <tr><td style="white-space: nowrap;">title</td><td style="white-space: nowrap;">string</td><td>title to give the exemption for reporting purposes</td></tr><tr><td style="white-space: nowrap;">description</td><td style="white-space: nowrap;">string</td><td>Reasons as to why this exemption is needed</td></tr><tr><td style="white-space: nowrap;">policies</td><td style="white-space: nowrap;">Policies[] (enum):<ul><li><code>DisallowHostNamespaces</code></li><li><code>DisallowNodePortServices</code></li><li><code>DisallowPrivileged</code></li><li><code>DisallowSELinuxOptions</code></li><li><code>DropAllCapabilities</code></li><li><code>RequireNonRootUser</code></li><li><code>RestrictCapabilities</code></li><li><code>RestrictExternalNames</code></li><li><code>RestrictHostPathWrite</code></li><li><code>RestrictHostPorts</code></li><li><code>RestrictIstioAmbientOverrides</code></li><li><code>RestrictIstioSidecarOverrides</code></li><li><code>RestrictIstioTrafficOverrides</code></li><li><code>RestrictIstioUser</code></li><li><code>RestrictProcMount</code></li><li><code>RestrictSeccomp</code></li><li><code>RestrictSELinuxType</code></li><li><code>RestrictVolumeTypes</code></li></ul></td><td>A list of policies to override</td></tr><tr><td style="white-space: nowrap;">matcher</td><td style="white-space: nowrap;"><a href="#Matcher">Matcher</a></td><td>Resource to exempt (Regex allowed for name)</td></tr>
   </tbody>
 </table>
 </div>
@@ -72,7 +72,7 @@ sidebar:
     </tr>
   </thead>
   <tbody>
-    <tr><td style="white-space: nowrap;">kind</td><td style="white-space: nowrap;">string (enum):<ul><li><code>pod</code></li><li><code>service</code></li></ul></td><td></td></tr><tr><td style="white-space: nowrap;">name</td><td style="white-space: nowrap;">string</td><td></td></tr><tr><td style="white-space: nowrap;">namespace</td><td style="white-space: nowrap;">string</td><td></td></tr>
+    <tr><td style="white-space: nowrap;">namespace</td><td style="white-space: nowrap;">string</td><td></td></tr><tr><td style="white-space: nowrap;">name</td><td style="white-space: nowrap;">string</td><td></td></tr><tr><td style="white-space: nowrap;">kind</td><td style="white-space: nowrap;">string (enum):<ul><li><code>pod</code></li><li><code>service</code></li></ul></td><td></td></tr>
   </tbody>
 </table>
 </div>