chore(crossplane): use an environmentconfig

infrastructure/base/crossplane/configuration/environmentconfig.yaml

@@ -0,0 +1,12 @@
+apiVersion: apiextensions.crossplane.io/v1alpha1
+kind: EnvironmentConfig
+metadata:
+  name: irsa-environment
+data:
+  clusterName: ${cluster_name}
+  oidcUrl: ${oidc_issuer_url}
+  oidcHost: ${oidc_issuer_host}
+  oidcArn: ${oidc_provider_arn}
+  accountId: ${aws_account_id}
+  region: ${region}
+  vpcId: ${vpc_id}

infrastructure/base/crossplane/configuration/irsa-composition.yaml

@@ -25,6 +25,14 @@ spec:
         - type: FromCompositeFieldPath
           fromFieldPath: spec.deletionPolicy
           toFieldPath: spec.deletionPolicy
+  environment:
+    environmentConfigs:
+      - type: Selector
+        selector:
+          matchLabels:
+            - type: FromCompositeFieldPath
+              key: clusterRef
+              valueFromFieldPath: spec.parameters.clusterRef.id
 
   resources:
     - name: irsa-role
@@ -71,7 +79,9 @@ spec:
           combine:
             strategy: string
             variables:
+              - fromFieldPath: oidcArn
               - fromFieldPath: condition
+              - fromFieldPath: oidcHost
               - fromFieldPath: serviceAccount.namespace
               - fromFieldPath: serviceAccount.name
             string:
@@ -82,12 +92,12 @@ spec:
                     {
                       "Effect": "Allow",
                       "Principal": {
-                        "Federated": "${oidc_provider_arn}"
+                        "Federated": "%s"
                       },
                       "Action": "sts:AssumeRoleWithWebIdentity",
                       "Condition": {
                         "%s": {
-                          "${oidc_issuer_host}:sub": "system:serviceaccount:%s:%s"
+                          "%s:sub": "system:serviceaccount:%s:%s"
                         }
                       }
                     }

infrastructure/base/crossplane/configuration/irsa-definition.yaml

@@ -47,10 +47,20 @@ spec:
                       enum:
                         - StringEquals
                         - StringLike
+                    clusterRef:
+                      type: object
+                      description: "A reference to the Cluster object that this IRSA should be connected to."
+                      properties:
+                        id:
+                          type: string
+                          description: ID of the Cluster object this ref points to.
+                      required:
+                        - id
                     policyDocument:
                       type: string
                       description: The JSON policy document that is the content for the policy.
                   required:
+                    - clusterRef
                     - condition
                     - policyDocument
                     - serviceAccount

infrastructure/base/crossplane/configuration/kustomization.yaml

@@ -4,6 +4,7 @@ namespace: crossplane-system
 
 # reference: https://github.com/upbound/platform-ref-aws/tree/main/package/cluster/irsa
 resources:
+  - environmentconfig.yaml
   - irsa-composition.yaml
   - irsa-definition.yaml
   - providerconfig.yaml

terraform/eks/flux.tf

@@ -25,6 +25,7 @@ resource "kubernetes_config_map" "flux_clusters_vars" {
   data = {
     cluster_name      = var.cluster_name
     oidc_provider_arn = module.eks.oidc_provider_arn
+    oidc_issuer_url   = module.eks.cluster_oidc_issuer_url
     oidc_issuer_host  = replace(module.eks.cluster_oidc_issuer_url, "https://", "")
     aws_account_id    = data.aws_caller_identity.this.account_id
     region            = var.region