Merge pull request #2 from upbound/feature/split-platform-ref-aws
feat(split): split xirsa
Showing
9 changed files
with
366 additions
and
1 deletion.
@@ -0,0 +1,166 @@ | ||
apiVersion: apiextensions.crossplane.io/v1 | ||
kind: Composition | ||
metadata: | ||
name: xirsas.aws.platform.upbound.io | ||
spec: | ||
compositeTypeRef: | ||
apiVersion: aws.platform.upbound.io/v1alpha1 | ||
kind: XIRSA | ||
patchSets: | ||
- name: Name | ||
patches: | ||
- type: FromCompositeFieldPath | ||
fromFieldPath: metadata.name | ||
toFieldPath: metadata.annotations[crossplane.io/external-name] | ||
- name: providerConfigRef | ||
patches: | ||
- type: FromCompositeFieldPath | ||
fromFieldPath: spec.parameters.providerConfigName | ||
toFieldPath: spec.providerConfigRef.name | ||
- name: deletionPolicy | ||
patches: | ||
- type: FromCompositeFieldPath | ||
fromFieldPath: spec.parameters.deletionPolicy | ||
toFieldPath: spec.deletionPolicy | ||
resources: | ||
- name: irsaRole | ||
base: | ||
apiVersion: iam.aws.upbound.io/v1beta1 | ||
kind: Role | ||
metadata: | ||
labels: | ||
resource: "Role" | ||
patches: | ||
- type: PatchSet | ||
patchSetName: Name | ||
- type: PatchSet | ||
patchSetName: providerConfigRef | ||
- type: PatchSet | ||
patchSetName: deletionPolicy | ||
- type: ToCompositeFieldPath | ||
fromFieldPath: status.atProvider.arn | ||
toFieldPath: status.roleArn | ||
policy: | ||
fromFieldPath: Optional | ||
- type: ToCompositeFieldPath | ||
fromFieldPath: status.conditions | ||
toFieldPath: status.observed.role.conditions | ||
policy: | ||
fromFieldPath: Optional | ||
- type: CombineFromComposite | ||
toFieldPath: spec.forProvider.assumeRolePolicy | ||
combine: | ||
strategy: string | ||
variables: | ||
- fromFieldPath: status.irsa.oidc_arn | ||
- fromFieldPath: spec.parameters.condition | ||
- fromFieldPath: status.irsa.oidc_host | ||
- fromFieldPath: spec.parameters.serviceAccount.namespace | ||
- fromFieldPath: spec.parameters.serviceAccount.name | ||
string: | ||
fmt: | | ||
{ | ||
"Version": "2012-10-17", | ||
"Statement": [ | ||
{ | ||
"Effect": "Allow", | ||
"Principal": { | ||
"Federated": "%s" | ||
}, | ||
"Action": "sts:AssumeRoleWithWebIdentity", | ||
"Condition": { | ||
"%s": { | ||
"%s:sub": "system:serviceaccount:%s:%s" | ||
} | ||
} | ||
} | ||
] | ||
} | ||
- name: irsaPolicy | ||
base: | ||
apiVersion: iam.aws.upbound.io/v1beta1 | ||
kind: Policy | ||
metadata: | ||
labels: | ||
resource: "Policy" | ||
patches: | ||
- type: PatchSet | ||
patchSetName: providerConfigRef | ||
- type: PatchSet | ||
patchSetName: deletionPolicy | ||
- fromFieldPath: spec.parameters.policyDocument | ||
toFieldPath: spec.forProvider.policy | ||
- type: ToCompositeFieldPath | ||
fromFieldPath: metadata.annotations[crossplane.io/external-name] | ||
toFieldPath: status.policyArn | ||
- type: ToCompositeFieldPath | ||
fromFieldPath: status.conditions | ||
toFieldPath: status.observed.policy.conditions | ||
policy: | ||
fromFieldPath: Optional | ||
- name: irsaAttachment | ||
base: | ||
apiVersion: iam.aws.upbound.io/v1beta1 | ||
kind: RolePolicyAttachment | ||
metadata: | ||
labels: | ||
resource: "RolePolicyAttachment" | ||
spec: | ||
forProvider: | ||
policyArnSelector: | ||
matchControllerRef: true | ||
matchLabels: | ||
resource: "Policy" | ||
roleSelector: | ||
matchControllerRef: true | ||
matchLabels: | ||
resource: "Role" | ||
patches: | ||
- type: PatchSet | ||
patchSetName: providerConfigRef | ||
- type: PatchSet | ||
patchSetName: deletionPolicy | ||
- type: ToCompositeFieldPath | ||
fromFieldPath: status.conditions | ||
toFieldPath: status.observed.rpa.conditions | ||
policy: | ||
fromFieldPath: Optional | ||
- name: irsaSettings | ||
base: | ||
apiVersion: kubernetes.crossplane.io/v1alpha1 | ||
kind: Object | ||
spec: | ||
managementPolicy: Observe | ||
forProvider: | ||
manifest: | ||
apiVersion: v1 | ||
kind: ConfigMap | ||
metadata: | ||
namespace: default | ||
patches: | ||
- fromFieldPath: spec.parameters.id | ||
toFieldPath: spec.providerConfigRef.name | ||
- type: PatchSet | ||
patchSetName: deletionPolicy | ||
- fromFieldPath: spec.parameters.id | ||
toFieldPath: metadata.annotations[crossplane.io/external-name] | ||
transforms: | ||
- type: string | ||
string: | ||
fmt: "%s-irsa-settings" | ||
- fromFieldPath: spec.parameters.id | ||
toFieldPath: spec.forProvider.manifest.metadata.name | ||
transforms: | ||
- type: string | ||
string: | ||
fmt: "%s-irsa-settings" | ||
- type: ToCompositeFieldPath | ||
fromFieldPath: status.atProvider.manifest.data.oidc_arn | ||
toFieldPath: status.irsa.oidc_arn | ||
policy: | ||
fromFieldPath: Optional | ||
- type: ToCompositeFieldPath | ||
fromFieldPath: status.atProvider.manifest.data.oidc_host | ||
toFieldPath: status.irsa.oidc_host | ||
policy: | ||
fromFieldPath: Optional |
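Review bot: The `irsaRole` trust policy built by the CombineFromComposite `fmt` block interpolates `spec.parameters.serviceAccount.namespace` and `.name` straight into JSON with `%s`, so a value containing `"` or `\` breaks or reshapes the document, and with `condition: StringLike` a `*` or `?` in either value widens the `sub` match beyond the one service account the claim names. The XRD in the next file section is the place to close this: a `pattern` on both fields limited to the characters Kubernetes itself allows for these names (lowercase alphanumerics, `-` and `.`) rejects such values at admission before they reach IAM. The `irsaSettings` Object supplying `oidc_arn`/`oidc_host` reads a `<id>-irsa-settings` ConfigMap in `default` through a ProviderConfig named by `spec.parameters.id`; nothing in this commit creates either, so a comment naming the package that does (presumably configuration-aws-eks) would save the next reader a search.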
@@ -0,0 +1,90 @@ | ||
apiVersion: apiextensions.crossplane.io/v1 | ||
kind: CompositeResourceDefinition | ||
metadata: | ||
name: xirsas.aws.platform.upbound.io | ||
labels: | ||
provider: aws | ||
spec: | ||
claimNames: | ||
kind: IRSA | ||
plural: irsas | ||
group: aws.platform.upbound.io | ||
names: | ||
kind: XIRSA | ||
plural: xirsas | ||
versions: | ||
- name: v1alpha1 | ||
served: true | ||
referenceable: true | ||
schema: | ||
openAPIV3Schema: | ||
type: object | ||
properties: | ||
spec: | ||
type: object | ||
properties: | ||
parameters: | ||
type: object | ||
description: IRSA configuration parameters. | ||
properties: | ||
id: | ||
type: string | ||
description: ID of this Cluster that other objects will use to refer to it. | ||
deletionPolicy: | ||
description: Delete the external resources when the Claim/XR is deleted. Defaults to Delete | ||
enum: | ||
- Delete | ||
- Orphan | ||
type: string | ||
default: Delete | ||
providerConfigName: | ||
description: Crossplane ProviderConfig to use for provisioning this resources | ||
type: string | ||
default: default | ||
serviceAccount: | ||
type: object | ||
description: Configuration for SA | ||
properties: | ||
name: | ||
type: string | ||
description: name kubernetes SA | ||
namespace: | ||
type: string | ||
description: namespace kubernetes SA | ||
required: | ||
- name | ||
- namespace | ||
condition: | ||
type: string | ||
description: This is the whether or not the equals is a hard match or like query | ||
default: StringEquals | ||
enum: | ||
- StringEquals | ||
- StringLike | ||
policyDocument: | ||
type: string | ||
description: The JSON policy document that is the content for the policy. | ||
required: | ||
- id | ||
- condition | ||
- policyDocument | ||
- serviceAccount | ||
required: | ||
- parameters | ||
status: | ||
type: object | ||
properties: | ||
irsa: | ||
description: Freeform field containing status information for irsa | ||
type: object | ||
x-kubernetes-preserve-unknown-fields: true | ||
roleArn: | ||
description: The arn of the role | ||
type: string | ||
policyArn: | ||
description: The arn of the policy | ||
type: string | ||
observed: | ||
description: Freeform field containing information about the observed status. | ||
type: object | ||
x-kubernetes-preserve-unknown-fields: true |
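Review bot: `policyDocument` is typed only as `string`, although the composition in the first file section copies it verbatim into `Policy.spec.forProvider.policy`, so a malformed or oversized document is only rejected by AWS after the Policy is created rather than at claim admission; a `maxLength` and a description saying so would help, e.g. `description: JSON IAM policy document applied verbatim as the managed policy attached to the role.` Two other descriptions read awkwardly: `Crossplane ProviderConfig to use for provisioning this resources` (should be `these resources`), and the `condition` text, which could read `IAM condition operator for the service-account subject match; StringEquals for an exact match, StringLike to permit wildcards.` The `id` description (`ID of this Cluster ...`) is accurate only because the composition derives the ConfigMap and ProviderConfig names from it, so stating that dependency there would make the coupling explicit.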
@@ -0,0 +1,16 @@ | ||
apiVersion: meta.pkg.crossplane.io/v1alpha1 | ||
kind: Configuration | ||
metadata: | ||
name: configuration-aws-eks-irsa | ||
annotations: | ||
meta.crossplane.io/maintainer: Upbound <[email protected]> | ||
meta.crossplane.io/source: github.com/upbound/configuration-aws-eks-irsa | ||
meta.crossplane.io/license: Apache-2.0 | ||
spec: | ||
crossplane: | ||
version: ">=v1.13.2-0" | ||
dependsOn: | ||
- configuration: xpkg.upbound.io/upbound/configuration-aws-network | ||
version: ">=v0.2.0" | ||
- configuration: xpkg.upbound.io/upbound/configuration-aws-eks | ||
version: ">=v0.1.0" |
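Review bot: `dependsOn` names only the network and EKS configurations, yet the composition uses `iam.aws.upbound.io/v1beta1` and `kubernetes.crossplane.io/v1alpha1`, so the AWS IAM and Kubernetes providers are presumably resolved transitively through configuration-aws-eks rather than declared here; listing them explicitly with their own version constraints makes the package self-describing and stops a change in the EKS configuration's dependency set from silently changing what this package installs. Both `>=v0.2.0` and `>=v0.1.0` have no upper bound, so a later major release of either dependency satisfies resolution; a bounded range (in whatever syntax the package manager's semver resolver accepts) would be the safer default for a published package.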
@@ -0,0 +1,6 @@ | ||
apiVersion: pkg.crossplane.io/v1 | ||
kind: Configuration | ||
metadata: | ||
name: cofiguration-aws-eks-irsa | ||
spec: | ||
package: xpkg.upbound.io/upbound/configuration-aws-eks-irsa:v0.1.0 |
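Review bot: `metadata.name: cofiguration-aws-eks-irsa` is missing the `n`; the package it installs and the meta Configuration in the previous section both use `configuration-aws-eks-irsa`, and the mismatch will surface in every `kubectl get configuration` listing and in any script that waits on the package by name. Change it to `name: configuration-aws-eks-irsa`.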
@@ -0,0 +1,19 @@ | ||
apiVersion: aws.platform.upbound.io/v1alpha1 | ||
kind: XEKS | ||
metadata: | ||
name: configuration-aws-eks-irsa | ||
spec: | ||
parameters: | ||
id: configuration-aws-eks-irsa | ||
region: us-west-2 | ||
version: "1.27" | ||
iam: | ||
# replace with your custom arn like: | ||
# roleArn: arn:aws:iam::123456789:role/AWSReservedSSO_AdministratorAccess_d703c73ed340fde7 | ||
roleArn: ${data.aws_eks_iam_default_admin} | ||
nodes: | ||
count: 3 | ||
instanceType: t3.small | ||
writeConnectionSecretToRef: | ||
name: configuration-aws-eks-irsa-kubeconfig | ||
namespace: upbound-system |
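Review bot: The commented sample `roleArn` uses a nine-digit account id and a role name with a hex suffix that looks like an SSO-generated permission-set role rather than an obvious placeholder; a sample that cannot be mistaken for a real value, e.g. `# roleArn: arn:aws:iam::<your-account-id>:role/<your-admin-role>`, avoids it being copied into a real cluster. `${data.aws_eks_iam_default_admin}` is presumably substituted by the test harness before apply; a short comment naming where that value comes from would make the example usable outside the test run.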
@@ -0,0 +1,25 @@ | ||
apiVersion: aws.platform.upbound.io/v1alpha1 | ||
kind: XIRSA | ||
metadata: | ||
name: configuration-aws-eks-irsa | ||
spec: | ||
parameters: | ||
id: configuration-aws-eks-irsa | ||
condition: StringEquals | ||
policyDocument: | | ||
{ | ||
"Version": "2012-10-17", | ||
"Statement": [ | ||
{ | ||
"Action": [ | ||
"kms:Decrypt", | ||
"kms:DescribeKey" | ||
], | ||
"Effect": "Allow", | ||
"Resource": "*" | ||
} | ||
] | ||
} | ||
serviceAccount: | ||
name: kustomize-controller | ||
namespace: flux-system |
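Review bot: The example `policyDocument` grants `kms:Decrypt` and `kms:DescribeKey` on `"Resource": "*"`, so the `kustomize-controller` service account ends up able to decrypt with any KMS key whose key policy admits the role. Because this file is what users will copy, scope it to the key the controller actually needs, e.g. `"Resource": "arn:aws:kms:<region>:<account-id>:key/<key-id>"`, or add a comment above the document stating that the wildcard is only for the test harness.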
@@ -0,0 +1,8 @@ | ||
apiVersion: aws.platform.upbound.io/v1alpha1 | ||
kind: XNetwork | ||
metadata: | ||
name: configuration-aws-eks-irsa | ||
spec: | ||
parameters: | ||
id: configuration-aws-eks-irsa | ||
region: us-west-2 |
@@ -0,0 +1,35 @@ | ||
#!/usr/bin/env bash | ||
set -aeuo pipefail | ||
|
||
echo "Running setup.sh" | ||
echo "Waiting until all configurations are healthy/installed..." | ||
"${KUBECTL}" wait configuration.pkg --all --for=condition=Healthy --timeout 5m | ||
"${KUBECTL}" wait configuration.pkg --all --for=condition=Installed --timeout 5m | ||
|
||
echo "Creating cloud credential secret..." | ||
"${KUBECTL}" -n upbound-system create secret generic aws-creds --from-literal=credentials="${UPTEST_CLOUD_CREDENTIALS}" \ | ||
--dry-run=client -o yaml | "${KUBECTL}" apply -f - | ||
|
||
echo "Waiting until all installed provider packages are healthy..." | ||
"${KUBECTL}" wait provider.pkg --all --for condition=Healthy --timeout 5m | ||
|
||
echo "Waiting for all pods to come online..." | ||
"${KUBECTL}" -n upbound-system wait --for=condition=Available deployment --all --timeout=5m | ||
|
||
echo "Waiting for all XRDs to be established..." | ||
"${KUBECTL}" wait xrd --all --for condition=Established | ||
|
||
echo "Creating a default provider config..." | ||
cat <<EOF | "${KUBECTL}" apply -f - | ||
apiVersion: aws.upbound.io/v1beta1 | ||
kind: ProviderConfig | ||
metadata: | ||
name: default | ||
spec: | ||
credentials: | ||
secretRef: | ||
key: credentials | ||
name: aws-creds | ||
namespace: upbound-system | ||
source: Secret | ||
EOF |
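Review bot: The secret creation passes `${UPTEST_CLOUD_CREDENTIALS}` as a `--from-literal` argument, so the cloud credential appears in the kubectl process's argv (readable via `ps` on the runner) and in any `set -x` trace of this script. Feeding it through stdin keeps it off the command line: `printf '%s' "${UPTEST_CLOUD_CREDENTIALS}" | "${KUBECTL}" -n upbound-system create secret generic aws-creds --from-file=credentials=/dev/stdin --dry-run=client -o yaml | "${KUBECTL}" apply -f -`. The `wait xrd --all --for condition=Established` call is the only wait without `--timeout 5m`, so it falls back to kubectl's short default and is the likeliest step to flake; and `-a` in `set -aeuo pipefail` appears unused, since the script assigns no variables for it to export.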