Merge pull request #2 from upbound/feature/split-platform-ref-aws

feat(split): split xirsa

Makefile

@@ -65,7 +65,7 @@ build.init: $(UP)
 # - UPTEST_DATASOURCE_PATH (optional), see https://github.com/upbound/uptest#injecting-dynamic-values-and-datasource
 uptest: $(UPTEST) $(KUBECTL) $(KUTTL)
 	@$(INFO) running automated tests
-	@KUBECTL=$(KUBECTL) KUTTL=$(KUTTL) $(UPTEST) e2e examples/eks-xr.yaml,examples/irsa-xr.yaml --data-source="${UPTEST_DATASOURCE_PATH}" --setup-script=test/setup.sh --default-timeout=2400 || $(FAIL)
+	@KUBECTL=$(KUBECTL) KUTTL=$(KUTTL) $(UPTEST) e2e examples/network-xr.yaml,examples/eks-xr.yaml,examples/irsa-xr.yaml --data-source="${UPTEST_DATASOURCE_PATH}" --setup-script=test/setup.sh --default-timeout=2400 || $(FAIL)
 	@$(OK) running automated tests
 
 # This target requires the following environment variables to be set:

apis/composition.yaml

@@ -0,0 +1,166 @@
+apiVersion: apiextensions.crossplane.io/v1
+kind: Composition
+metadata:
+  name: xirsas.aws.platform.upbound.io
+spec:
+  compositeTypeRef:
+    apiVersion: aws.platform.upbound.io/v1alpha1
+    kind: XIRSA
+  patchSets:
+    - name: Name
+      patches:
+        - type: FromCompositeFieldPath
+          fromFieldPath: metadata.name
+          toFieldPath: metadata.annotations[crossplane.io/external-name]
+    - name: providerConfigRef
+      patches:
+        - type: FromCompositeFieldPath
+          fromFieldPath: spec.parameters.providerConfigName
+          toFieldPath: spec.providerConfigRef.name
+    - name: deletionPolicy
+      patches:
+        - type: FromCompositeFieldPath
+          fromFieldPath: spec.parameters.deletionPolicy
+          toFieldPath: spec.deletionPolicy
+  resources:
+    - name: irsaRole
+      base:
+        apiVersion: iam.aws.upbound.io/v1beta1
+        kind: Role
+        metadata:
+          labels:
+            resource: "Role"
+      patches:
+        - type: PatchSet
+          patchSetName: Name
+        - type: PatchSet
+          patchSetName: providerConfigRef
+        - type: PatchSet
+          patchSetName: deletionPolicy
+        - type: ToCompositeFieldPath
+          fromFieldPath: status.atProvider.arn
+          toFieldPath: status.roleArn
+          policy:
+            fromFieldPath: Optional
+        - type: ToCompositeFieldPath
+          fromFieldPath: status.conditions
+          toFieldPath: status.observed.role.conditions
+          policy:
+            fromFieldPath: Optional
+        - type: CombineFromComposite
+          toFieldPath: spec.forProvider.assumeRolePolicy
+          combine:
+            strategy: string
+            variables:
+            - fromFieldPath: status.irsa.oidc_arn
+            - fromFieldPath: spec.parameters.condition
+            - fromFieldPath: status.irsa.oidc_host
+            - fromFieldPath: spec.parameters.serviceAccount.namespace
+            - fromFieldPath: spec.parameters.serviceAccount.name
+            string:
+              fmt: |
+                {
+                  "Version": "2012-10-17",
+                  "Statement": [
+                    {
+                      "Effect": "Allow",
+                      "Principal": {
+                        "Federated": "%s"
+                      },
+                      "Action": "sts:AssumeRoleWithWebIdentity",
+                      "Condition": {
+                        "%s": {
+                          "%s:sub": "system:serviceaccount:%s:%s"
+                        }
+                      }
+                    }
+                  ]
+                }
+    - name: irsaPolicy
+      base:
+        apiVersion: iam.aws.upbound.io/v1beta1
+        kind: Policy
+        metadata:
+          labels:
+            resource: "Policy"
+      patches:
+        - type: PatchSet
+          patchSetName: providerConfigRef
+        - type: PatchSet
+          patchSetName: deletionPolicy
+        - fromFieldPath: spec.parameters.policyDocument
+          toFieldPath: spec.forProvider.policy
+        - type: ToCompositeFieldPath
+          fromFieldPath: metadata.annotations[crossplane.io/external-name]
+          toFieldPath: status.policyArn
+        - type: ToCompositeFieldPath
+          fromFieldPath: status.conditions
+          toFieldPath: status.observed.policy.conditions
+          policy:
+            fromFieldPath: Optional
+    - name: irsaAttachment
+      base:
+        apiVersion: iam.aws.upbound.io/v1beta1
+        kind: RolePolicyAttachment
+        metadata:
+          labels:
+            resource: "RolePolicyAttachment"
+        spec:
+          forProvider:
+            policyArnSelector:
+              matchControllerRef: true
+              matchLabels:
+                resource: "Policy"
+            roleSelector:
+              matchControllerRef: true
+              matchLabels:
+                resource: "Role"
+      patches:
+        - type: PatchSet
+          patchSetName: providerConfigRef
+        - type: PatchSet
+          patchSetName: deletionPolicy
+        - type: ToCompositeFieldPath
+          fromFieldPath: status.conditions
+          toFieldPath: status.observed.rpa.conditions
+          policy:
+            fromFieldPath: Optional
+    - name: irsaSettings
+      base:
+        apiVersion: kubernetes.crossplane.io/v1alpha1
+        kind: Object
+        spec:
+          managementPolicy: Observe
+          forProvider:
+            manifest:
+              apiVersion: v1
+              kind: ConfigMap
+              metadata:
+                namespace: default
+      patches:
+        - fromFieldPath: spec.parameters.id
+          toFieldPath: spec.providerConfigRef.name
+        - type: PatchSet
+          patchSetName: deletionPolicy
+        - fromFieldPath: spec.parameters.id
+          toFieldPath: metadata.annotations[crossplane.io/external-name]
+          transforms:
+            - type: string
+              string:
+                fmt: "%s-irsa-settings"
+        - fromFieldPath: spec.parameters.id
+          toFieldPath: spec.forProvider.manifest.metadata.name
+          transforms:
+            - type: string
+              string:
+                fmt: "%s-irsa-settings"
+        - type: ToCompositeFieldPath
+          fromFieldPath: status.atProvider.manifest.data.oidc_arn
+          toFieldPath: status.irsa.oidc_arn
+          policy:
+            fromFieldPath: Optional
+        - type: ToCompositeFieldPath
+          fromFieldPath: status.atProvider.manifest.data.oidc_host
+          toFieldPath: status.irsa.oidc_host
+          policy:
+            fromFieldPath: Optional

apis/definition.yaml

@@ -0,0 +1,90 @@
+apiVersion: apiextensions.crossplane.io/v1
+kind: CompositeResourceDefinition
+metadata:
+  name: xirsas.aws.platform.upbound.io
+  labels:
+    provider: aws
+spec:
+  claimNames:
+    kind: IRSA
+    plural: irsas
+  group: aws.platform.upbound.io
+  names:
+    kind: XIRSA
+    plural: xirsas
+  versions:
+  - name: v1alpha1
+    served: true
+    referenceable: true
+    schema:
+      openAPIV3Schema:
+        type: object
+        properties:
+          spec:
+            type: object
+            properties:
+              parameters:
+                type: object
+                description: IRSA configuration parameters.
+                properties:
+                  id:
+                    type: string
+                    description: ID of this Cluster that other objects will use to refer to it.
+                  deletionPolicy:
+                    description: Delete the external resources when the Claim/XR is deleted. Defaults to Delete
+                    enum:
+                    - Delete
+                    - Orphan
+                    type: string
+                    default: Delete
+                  providerConfigName:
+                    description: Crossplane ProviderConfig to use for provisioning this resources
+                    type: string
+                    default: default
+                  serviceAccount:
+                    type: object
+                    description: Configuration for SA
+                    properties:
+                      name:
+                        type: string
+                        description: name kubernetes SA
+                      namespace:
+                        type: string
+                        description: namespace kubernetes SA
+                    required:
+                    - name
+                    - namespace
+                  condition:
+                    type: string
+                    description: This is the whether or not the equals is a hard match or like query
+                    default: StringEquals
+                    enum:
+                    - StringEquals
+                    - StringLike
+                  policyDocument:
+                    type: string
+                    description: The JSON policy document that is the content for the policy.
+                required:
+                - id
+                - condition
+                - policyDocument
+                - serviceAccount
+            required:
+            - parameters
+          status:
+            type: object
+            properties:
+              irsa:
+                description: Freeform field containing status information for irsa
+                type: object
+                x-kubernetes-preserve-unknown-fields: true
+              roleArn:
+                description: The arn of the role
+                type: string
+              policyArn:
+                description: The arn of the policy
+                type: string
+              observed:
+                description: Freeform field containing information about the observed status.
+                type: object
+                x-kubernetes-preserve-unknown-fields: true

crossplane.yaml

@@ -0,0 +1,16 @@
+apiVersion: meta.pkg.crossplane.io/v1alpha1
+kind: Configuration
+metadata:
+  name: configuration-aws-eks-irsa
+  annotations:
+    meta.crossplane.io/maintainer: Upbound <[email protected]>
+    meta.crossplane.io/source: github.com/upbound/configuration-aws-eks-irsa
+    meta.crossplane.io/license: Apache-2.0
+spec:
+  crossplane:
+    version: ">=v1.13.2-0"
+  dependsOn:
+    - configuration: xpkg.upbound.io/upbound/configuration-aws-network
+      version: ">=v0.2.0"
+    - configuration: xpkg.upbound.io/upbound/configuration-aws-eks
+      version: ">=v0.1.0"

examples/configuration.yaml

@@ -0,0 +1,6 @@
+apiVersion: pkg.crossplane.io/v1
+kind: Configuration
+metadata:
+  name: cofiguration-aws-eks-irsa
+spec:
+  package: xpkg.upbound.io/upbound/configuration-aws-eks-irsa:v0.1.0

examples/eks-xr.yaml

@@ -0,0 +1,19 @@
+apiVersion: aws.platform.upbound.io/v1alpha1
+kind: XEKS
+metadata:
+  name: configuration-aws-eks-irsa
+spec:
+  parameters:
+    id: configuration-aws-eks-irsa
+    region: us-west-2
+    version: "1.27"
+    iam:
+      # replace with your custom arn like:
+      # roleArn: arn:aws:iam::123456789:role/AWSReservedSSO_AdministratorAccess_d703c73ed340fde7
+      roleArn: ${data.aws_eks_iam_default_admin}
+    nodes:
+      count: 3
+      instanceType: t3.small
+  writeConnectionSecretToRef:
+    name: configuration-aws-eks-irsa-kubeconfig
+    namespace: upbound-system

examples/irsa-xr.yaml

@@ -0,0 +1,25 @@
+apiVersion: aws.platform.upbound.io/v1alpha1
+kind: XIRSA
+metadata:
+  name: configuration-aws-eks-irsa
+spec:
+  parameters:
+    id: configuration-aws-eks-irsa
+    condition: StringEquals
+    policyDocument: |
+      {
+          "Version": "2012-10-17",
+          "Statement": [
+              {
+                  "Action": [
+                      "kms:Decrypt",
+                      "kms:DescribeKey"
+                  ],
+                  "Effect": "Allow",
+                  "Resource": "*"
+              }
+          ]
+      }
+    serviceAccount:
+      name: kustomize-controller
+      namespace: flux-system

examples/network-xr.yaml

@@ -0,0 +1,8 @@
+apiVersion: aws.platform.upbound.io/v1alpha1
+kind: XNetwork
+metadata:
+  name: configuration-aws-eks-irsa
+spec:
+  parameters:
+    id: configuration-aws-eks-irsa
+    region: us-west-2

test/setup.sh

@@ -0,0 +1,35 @@
+#!/usr/bin/env bash
+set -aeuo pipefail
+
+echo "Running setup.sh"
+echo "Waiting until all configurations are healthy/installed..."
+"${KUBECTL}" wait configuration.pkg --all --for=condition=Healthy --timeout 5m
+"${KUBECTL}" wait configuration.pkg --all --for=condition=Installed --timeout 5m
+
+echo "Creating cloud credential secret..."
+"${KUBECTL}" -n upbound-system create secret generic aws-creds --from-literal=credentials="${UPTEST_CLOUD_CREDENTIALS}" \
+    --dry-run=client -o yaml | "${KUBECTL}" apply -f -
+
+echo "Waiting until all installed provider packages are healthy..."
+"${KUBECTL}" wait provider.pkg --all --for condition=Healthy --timeout 5m
+
+echo "Waiting for all pods to come online..."
+"${KUBECTL}" -n upbound-system wait --for=condition=Available deployment --all --timeout=5m
+
+echo "Waiting for all XRDs to be established..."
+"${KUBECTL}" wait xrd --all --for condition=Established
+
+echo "Creating a default provider config..."
+cat <<EOF | "${KUBECTL}" apply -f -
+apiVersion: aws.upbound.io/v1beta1
+kind: ProviderConfig
+metadata:
+  name: default
+spec:
+  credentials:
+    secretRef:
+      key: credentials
+      name: aws-creds
+      namespace: upbound-system
+    source: Secret
+EOF