diff --git a/infrastructure/base/crossplane/configuration/environmentconfig.yaml b/infrastructure/base/crossplane/configuration/environmentconfig.yaml
new file mode 100644
index 0000000..6ae0c30
--- /dev/null
+++ b/infrastructure/base/crossplane/configuration/environmentconfig.yaml
@@ -0,0 +1,12 @@
+apiVersion: apiextensions.crossplane.io/v1alpha1
+kind: EnvironmentConfig
+metadata:
+ name: irsa-environment
+data:
+ clusterName: ${cluster_name}
+ oidcUrl: ${oidc_issuer_url}
+ oidcHost: ${oidc_issuer_host}
+ oidcArn: ${oidc_provider_arn}
+ accountId: ${aws_account_id}
+ region: ${region}
+ vpcId: ${vpc_id}
diff --git a/infrastructure/base/crossplane/configuration/irsa-composition.yaml b/infrastructure/base/crossplane/configuration/irsa-composition.yaml
index 8ff679d..05d3d72 100644
--- a/infrastructure/base/crossplane/configuration/irsa-composition.yaml
+++ b/infrastructure/base/crossplane/configuration/irsa-composition.yaml
@@ -25,6 +25,14 @@ spec:
 - type: FromCompositeFieldPath
 fromFieldPath: spec.deletionPolicy
 toFieldPath: spec.deletionPolicy
+ environment:
+ environmentConfigs:
+ - type: Selector
+ selector:
+ matchLabels:
+ - type: FromCompositeFieldPath
+ key: clusterRef
+ valueFromFieldPath: spec.parameters.clusterRef.id
 resources:
 - name: irsa-role
@@ -71,7 +79,9 @@ spec:
 combine:
 strategy: string
 variables:
+ - fromFieldPath: oidcArn
 - fromFieldPath: condition
+ - fromFieldPath: oidcHost
 - fromFieldPath: serviceAccount.namespace
 - fromFieldPath: serviceAccount.name
 string:
@@ -82,12 +92,12 @@ spec:
 {
 "Effect": "Allow",
 "Principal": {
- "Federated": "${oidc_provider_arn}"
+ "Federated": "%s"
 },
 "Action": "sts:AssumeRoleWithWebIdentity",
 "Condition": {
 "%s": {
- "${oidc_issuer_host}:sub": "system:serviceaccount:%s:%s"
+ "%s:sub": "system:serviceaccount:%s:%s"
 }
 }
 }
diff --git a/infrastructure/base/crossplane/configuration/irsa-definition.yaml b/infrastructure/base/crossplane/configuration/irsa-definition.yaml
index 3315a87..6ea4083 100644
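Review bot: This EnvironmentConfig carries only `metadata.name` and no labels, yet the `environment` selector added to irsa-composition.yaml (its `@@ -25,6 +25,14 @@` hunk) matches EnvironmentConfigs on a `clusterRef` label taken from `spec.parameters.clusterRef.id`; unless labels are injected by the kustomization, which the visible hunk does not show, nothing will be selected and the `oidcArn`/`oidcHost` values the trust policy now depends on will not resolve. Adding `labels:` with `clusterRef: ${cluster_name}` (or whatever value claims are expected to pass as `clusterRef.id`) under `metadata` closes that gap. Separately, the `${...}` values are unquoted, so after substitution anything numeric-looking is parsed as a YAML integer rather than a string; `accountId` is the obvious case, since a 12-digit AWS account ID may begin with a zero and its handling then depends on the parser's octal rules, so quote them as `accountId: "${aws_account_id}"`. `${vpc_id}` also has no counterpart in the `flux_clusters_vars` data visible in the flux.tf hunk, so confirm it is defined elsewhere or the placeholder may survive substitution.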
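Review bot: The selector value is taken verbatim from the claim's `spec.parameters.clusterRef.id`, so whoever can create a claim chooses which EnvironmentConfig is used and therefore which OIDC provider ARN ends up as the trusted `Federated` principal of the role. Before this change that ARN was fixed at build time; if more than one EnvironmentConfig is ever installed, a claim author can now bind a role to a cluster other than the one the claim runs in, so constrain `id` in the XRD (an `enum` or `pattern`) or validate it by admission policy to keep the trust boundary where it was. The label contract is also undocumented; a comment above `environment:` such as `# Selects the EnvironmentConfig labelled clusterRef=<spec.parameters.clusterRef.id>; it must expose data.oidcArn and data.oidcHost for the trust-policy combine patch` would make a mismatch diagnosable at review time. The `patches` list this sits in starts above the hunk.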
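Review bot: The two new combine variables may not be resolvable from this patch: `oidcArn` and `oidcHost` are EnvironmentConfig keys, while `condition` and `serviceAccount.*` look like composite fields, and a single combine patch reads all of its `variables` from one source (`CombineFromComposite` reads the XR, `CombineFromEnvironment` reads the environment). The patch `type:` is above the hunk; if it is `CombineFromComposite`, the environment values need to be copied onto the XR first (for example a `FromEnvironmentFieldPath` patch into `status`) and referenced from there, or the environment values need to be the source for the whole combine. The ordering is also positional and must stay aligned with the `%s` sequence in the policy string in the `@@ -82,12 +92,12 @@` hunk (`oidcArn` fills `Federated`, `condition` the operator key, `oidcHost` the `:sub` key, then namespace and name); a comment on `variables:` such as `# order matters: each entry fills the next %s in the policy template below` would protect that invariant.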
--- a/infrastructure/base/crossplane/configuration/irsa-definition.yaml
+++ b/infrastructure/base/crossplane/configuration/irsa-definition.yaml
@@ -47,10 +47,20 @@ spec:
 enum:
 - StringEquals
 - StringLike
+ clusterRef:
+ type: object
+ description: "A reference to the Cluster object that this IRSA should be connected to."
+ properties:
+ id:
+ type: string
+ description: ID of the Cluster object this ref points to.
+ required:
+ - id
 policyDocument:
 type: string
 description: The JSON policy document that is the content for the policy.
 required:
+ - clusterRef
 - condition
 - policyDocument
 - serviceAccount
diff --git a/infrastructure/base/crossplane/configuration/kustomization.yaml b/infrastructure/base/crossplane/configuration/kustomization.yaml
index df80e07..9a2962e 100644
--- a/infrastructure/base/crossplane/configuration/kustomization.yaml
+++ b/infrastructure/base/crossplane/configuration/kustomization.yaml
@@ -4,6 +4,7 @@ namespace: crossplane-system
 # reference: https://github.com/upbound/platform-ref-aws/tree/main/package/cluster/irsa
 resources:
+ - environmentconfig.yaml
 - irsa-composition.yaml
 - irsa-definition.yaml
 - providerconfig.yaml
diff --git a/terraform/eks/flux.tf b/terraform/eks/flux.tf
index 21fa422..78f2c92 100644
--- a/terraform/eks/flux.tf
+++ b/terraform/eks/flux.tf
@@ -25,6 +25,7 @@ resource "kubernetes_config_map" "flux_clusters_vars" {
 data = {
 cluster_name = var.cluster_name
 oidc_provider_arn = module.eks.oidc_provider_arn
+ oidc_issuer_url = module.eks.cluster_oidc_issuer_url
 oidc_issuer_host = replace(module.eks.cluster_oidc_issuer_url, "https://", "")
 aws_account_id = data.aws_caller_identity.this.account_id
 region = var.region
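Review bot: The new `id` field has no constraint, so an empty string passes schema validation and yields a selector for `clusterRef=""`, which matches nothing useful and fails only later during composition; `minLength: 1` on `id` (or a `pattern` limiting it to known cluster identifiers) would reject that at admission time. Adding `clusterRef` to `required` is also a breaking change for any composite created before this commit, which may fail validation on its next update unless a default or a migration step is provided. Finally, `description` is double-quoted on `clusterRef` but plain on `id` and on the neighbouring `policyDocument`; match the file's existing unquoted style.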