diff --git a/bootstrap/terraform/README.md b/bootstrap/terraform/README.md index 14e8cbfa..f0bb83e0 100644 --- a/bootstrap/terraform/README.md +++ b/bootstrap/terraform/README.md @@ -5,8 +5,10 @@ This example deploys the following components - Creates Internet gateway for Public Subnets and NAT Gateway for Private Subnets - Creates EKS Cluster Control plane with one managed node group - Crossplane Add-on to EKS Cluster +- Upbound AWS Provider for Crossplane - AWS Provider for Crossplane - Kubernetes Provider for Crossplane +- Helm Provider for Crossplane ## Crossplane Deployment Design @@ -45,7 +47,7 @@ Ensure that you have installed the following tools in your Mac or Windows Laptop ### Troubleshooting 1. If `terraform apply` errors out after creating the cluster when trying to apply the helm charts, try running the command: ```shell -aws eks --region update-kubeconfig --name +aws eks --region update-kubeconfig --name --alias ``` and executing terraform apply again. @@ -59,7 +61,8 @@ git clone https://github.com/aws-samples/crossplane-aws-blueprints.git ``` > [!IMPORTANT] -> The examples in this repository make use of one of the Crossplane AWS providers. For example, if you are using the `crossplane_upbound_aws_provider_enable` provider, make sure to set the [`crossplane_aws_provider_enable`](https://github.com/awslabs/crossplane-on-eks/blob/main/bootstrap/terraform/main.tf#L59) to `false` in order install only the necessary CRDs to the Kubernetes cluster. +> The examples in this repository make use of one of the Crossplane AWS providers. +For that reason `upbound_aws_provider.enable` is set to `true` and `aws_provider.enable` is set to `false`. If you use the examples for `aws_provider`, adjust the terraform [main.tf](https://github.com/awslabs/crossplane-on-eks/blob/main/bootstrap/terraform/main.tf) in order install only the necessary CRDs to the Kubernetes cluster. #### Step2: Run Terraform INIT Initialize a working directory with configuration files 
@@ -147,6 +150,10 @@ echo "$(kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{. ## Clean up 1. Delete resources created by Crossplane such as first Claims, then XRDs and Compositions. +1. Remove crossplane providers by setting `enable = false` in main.tf for each provider and running `terraform apply` + +1. Run `kubectl get providers` to validate all providers were removed. If any left, remove using `kubectl delete providers ` + 1. Delete the EKS cluster and it's resources with the following command ```bash ./destroy.sh diff --git a/bootstrap/terraform/addon/main.tf b/bootstrap/terraform/addon/main.tf new file mode 100644 index 00000000..6f536650 --- /dev/null +++ b/bootstrap/terraform/addon/main.tf 
@@ -0,0 +1,53 @@ +################################################################################ +# Crossplane +################################################################################ + +module "crossplane" { + source = "aws-ia/eks-blueprints-addon/aws" + version = "1.1.0" + + create = var.enable_crossplane + + # https://github.com/crossplane/crossplane/tree/master/cluster/charts/crossplane + name = try(var.crossplane.name, "crossplane") + description = try(var.crossplane.description, "A Helm chart to deploy crossplane project") + namespace = try(var.crossplane.namespace, "crossplane-system") + create_namespace = try(var.crossplane.create_namespace, true) + chart = try(var.crossplane.chart, "crossplane") + chart_version = try(var.crossplane.chart_version, "1.13.2") + repository = try(var.crossplane.repository, "https://charts.crossplane.io/stable/") + values = try(var.crossplane.values, []) + + timeout = try(var.crossplane.timeout, null) + repository_key_file = try(var.crossplane.repository_key_file, null) + repository_cert_file = try(var.crossplane.repository_cert_file, null) + repository_ca_file = try(var.crossplane.repository_ca_file, null) + repository_username = try(var.crossplane.repository_username, null) + repository_password = try(var.crossplane.repository_password, null) + devel = try(var.crossplane.devel, null) + verify = try(var.crossplane.verify, null) + keyring = try(var.crossplane.keyring, null) + disable_webhooks = try(var.crossplane.disable_webhooks, null) + reuse_values = try(var.crossplane.reuse_values, null) + reset_values = try(var.crossplane.reset_values, null) + force_update = try(var.crossplane.force_update, null) + recreate_pods = try(var.crossplane.recreate_pods, null) + cleanup_on_fail = try(var.crossplane.cleanup_on_fail, null) + max_history = try(var.crossplane.max_history, null) + atomic = try(var.crossplane.atomic, null) + skip_crds = try(var.crossplane.skip_crds, null) + render_subchart_notes = 
try(var.crossplane.render_subchart_notes, null) + disable_openapi_validation = try(var.crossplane.disable_openapi_validation, null) + wait = try(var.crossplane.wait, false) + wait_for_jobs = try(var.crossplane.wait_for_jobs, null) + dependency_update = try(var.crossplane.dependency_update, null) + replace = try(var.crossplane.replace, null) + lint = try(var.crossplane.lint, null) + + postrender = try(var.crossplane.postrender, []) + set = try(var.crossplane.set, []) + set_sensitive = try(var.crossplane.set_sensitive, []) + + tags = var.tags +} + diff --git a/bootstrap/terraform/addon/variables.tf b/bootstrap/terraform/addon/variables.tf new file mode 100644 index 00000000..b05f5bd9 --- /dev/null +++ b/bootstrap/terraform/addon/variables.tf @@ -0,0 +1,22 @@ +variable "tags" { + description = "A map of tags to add to all resources" + type = map(string) + default = {} +} + +################################################################################ +# Crossplane +################################################################################ + +variable "enable_crossplane" { + description = "Enable Crossplane Kubernetes add-on" + type = bool + default = false +} + +variable "crossplane" { + description = "Crossplane add-on configuration values" + type = any + default = {} +} + diff --git a/bootstrap/terraform/argocd-values.yaml b/bootstrap/terraform/argocd-values.yaml index 82d439fa..41e091ff 100644 --- a/bootstrap/terraform/argocd-values.yaml +++ b/bootstrap/terraform/argocd-values.yaml @@ -82,14 +82,6 @@ configs: end for i, condition in ipairs(obj.status.conditions) do - if condition.type == "Ready" then - if condition.status == "True" then - health_status.status = "Healthy" - health_status.message = "Resource is up-to-date." - return health_status - end - end - if condition.type == "LastAsyncOperation" then if condition.status == "False" then health_status.status = "Degraded" 
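Review bot: `wait = try(var.crossplane.wait, false)` means the Helm release returns as soon as the manifests are submitted, so `module.crossplane` completes before the Crossplane deployment and its `pkg.crossplane.io` CRDs are necessarily ready, even though later resources in this change `depends_on = [module.crossplane]` and immediately apply `Provider`/`ControllerConfig` manifests; presumably the 60-second `time_sleep` resources exist to paper over that gap. Likewise `verify` and `keyring` are left at `null`, so the chart is pulled from `https://charts.crossplane.io/stable/` pinned by version only, with no provenance check. Defaulting to `wait = try(var.crossplane.wait, true)` would make the dependency edge mean "release is healthy", and a header comment such as `# NOTE: chart pinned by version only; set verify/keyring (or a digest-pinned OCI ref) in production` would document the supply-chain posture.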
@@ -105,6 +97,14 @@ configs: return health_status end end + + if condition.type == "Ready" then + if condition.status == "True" then + health_status.status = "Healthy" + health_status.message = "Resource is up-to-date." + return health_status + end + end end return health_status @@ -121,14 +121,6 @@ configs: end for i, condition in ipairs(obj.status.conditions) do - if condition.type == "Ready" then - if condition.status == "True" then - health_status.status = "Healthy" - health_status.message = "Resource is up-to-date." - return health_status - end - end - if condition.type == "LastAsyncOperation" then if condition.status == "False" then health_status.status = "Degraded" @@ -144,6 +136,14 @@ configs: return health_status end end + + if condition.type == "Ready" then + if condition.status == "True" then + health_status.status = "Healthy" + health_status.message = "Resource is up-to-date." + return health_status + end + end end return health_status @@ -161,6 +161,22 @@ configs: end for i, condition in ipairs(obj.status.conditions) do + if condition.type == "LastAsyncOperation" then + if condition.status == "False" then + health_status.status = "Degraded" + health_status.message = condition.message + return health_status + end + end + + if condition.type == "Synced" then + if condition.status == "False" then + health_status.status = "Degraded" + health_status.message = condition.message + return health_status + end + end + if condition.type == "Ready" then if condition.status == "True" then health_status.status = "Healthy" 
@@ -168,7 +184,23 @@ configs: return health_status end end + end + return health_status + %{endif} + %{ if crossplane_kubernetes_provider_enable } + "kubernetes.crossplane.io/*": + health.lua: | + health_status = { + status = "Progressing", + message = "Provisioning ..." + } + + if obj.status == nil or obj.status.conditions == nil then + return health_status + end + + for i, condition in ipairs(obj.status.conditions) do if condition.type == "LastAsyncOperation" then if condition.status == "False" then health_status.status = "Degraded" @@ -184,6 +216,14 @@ configs: return health_status end end + + if condition.type == "Ready" then + if condition.status == "True" then + health_status.status = "Healthy" + health_status.message = "Resource is up-to-date." + return health_status + end + end end return health_status diff --git a/bootstrap/terraform/destroy.sh b/bootstrap/terraform/destroy.sh index cf34856d..1e686718 100755 --- a/bootstrap/terraform/destroy.sh +++ b/bootstrap/terraform/destroy.sh @@ -2,8 +2,8 @@ set -xe +terraform destroy -target="module.crossplane" -auto-approve terraform destroy -target="module.eks_blueprints_addons" -auto-approve -terraform destroy -target="module.eks_blueprints_crossplane_addons" -auto-approve terraform destroy -target="module.eks" -auto-approve terraform destroy -target="module.vpc" -auto-approve terraform destroy -auto-approve diff --git a/bootstrap/terraform/environmentconfig.yaml b/bootstrap/terraform/environmentconfig.yaml new file mode 100644 index 00000000..fa838164 --- /dev/null +++ b/bootstrap/terraform/environmentconfig.yaml @@ -0,0 +1,8 @@ +apiVersion: apiextensions.crossplane.io/v1alpha1 +kind: EnvironmentConfig +metadata: + name: cluster +data: + awsAccountID: "${awsAccountID}" + eksOIDC: ${eksOIDC} + vpcID: ${vpcID} diff --git a/bootstrap/terraform/main.tf b/bootstrap/terraform/main.tf index e5c90b81..56e87f92 100644 --- a/bootstrap/terraform/main.tf +++ b/bootstrap/terraform/main.tf 
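Review bot: `terraform destroy -target="module.crossplane" -auto-approve` removes the Crossplane Helm release (and, through `-target`, everything that depends on it, including the provider manifests) without checking that no Crossplane-managed AWS resources remain; anything a provider is still reconciling at that moment is orphaned with no state left to clean it up. The README hunk in this same change tells the operator to delete claims, XRDs and providers first, but the script does not enforce it, and `set -e` only aborts on a Terraform error. A preflight before the first destroy, e.g. `kubectl get managed --no-headers 2>/dev/null | grep -q . && { echo "Crossplane managed resources still exist; delete them first"; exit 1; }` (assuming the cluster's managed-resource CRDs carry Crossplane's `managed` category), would turn the README instruction into a hard check.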
@@ -53,12 +53,6 @@ locals { vpc_cidr = "10.0.0.0/16" azs = slice(data.aws_availability_zones.available.names, 0, 3) - argocd_namespace = "argocd" - - # !NOTE!: only enable one AWS provider at a time - crossplane_aws_provider_enable = true - crossplane_upbound_aws_provider_enable = true - tags = { Blueprint = local.name GithubRepo = "github.com/awslabs/crossplane-on-eks" 
@@ -141,30 +135,38 @@ module "eks_blueprints_addons" { oidc_provider_arn = module.eks.oidc_provider_arn enable_argocd = true argocd = { - namespace = local.argocd_namespace - chart_version = "5.34.6" # ArgoCD v2.7.3 + namespace = "argocd" + chart_version = "5.46.1" # ArgoCD v2.8.3 values = [ templatefile("${path.module}/argocd-values.yaml", { - crossplane_aws_provider_enable = local.crossplane_aws_provider_enable - crossplane_upbound_aws_provider_enable = local.crossplane_upbound_aws_provider_enable + crossplane_aws_provider_enable = local.aws_provider.enable + crossplane_upbound_aws_provider_enable = local.upbound_aws_provider.enable + crossplane_kubernetes_provider_enable = local.kubernetes_provider.enable })] } enable_karpenter = true enable_metrics_server = true enable_kube_prometheus_stack = true + kube_prometheus_stack = { + values = [yamlencode({ + prometheus = { + service = { + type = "LoadBalancer" + } + } + })] + } - depends_on = [module.eks.managed_node_groups] + depends_on = [module.eks.eks_managed_node_groups] } -module "eks_blueprints_crossplane_addons" { - source = "github.com/aws-ia/terraform-aws-eks-blueprints//modules/kubernetes-addons?ref=v4.32.1" - - eks_cluster_id = module.eks.cluster_name - # Deploy Crossplane - # Default helm chart and providers values set at https://github.com/aws-ia/terraform-aws-eks-blueprints/blob/main/modules/kubernetes-addons/crossplane/locals.tf +#--------------------------------------------------------------- +# Crossplane +#--------------------------------------------------------------- +module "crossplane" { + source = "./addon/" enable_crossplane = true - crossplane_helm_config = { - version = "1.12.1" + crossplane = { values = [yamlencode({ args = ["--enable-environment-configs"] metrics = { 
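Review bot: `kube_prometheus_stack.values` sets `prometheus.service.type = "LoadBalancer"`, which on EKS provisions an internet-facing load balancer in front of a Prometheus server that has no authentication of its own, so every scraped metric (pod and image names, node IPs, cluster topology) becomes publicly readable. Nothing in the hunk makes the load balancer internal or restricts source ranges. If external access is wanted for the example, add `annotations = { "service.beta.kubernetes.io/aws-load-balancer-internal" = "true" }` next to `type`, or `loadBalancerSourceRanges = ["<your CIDR>"]`, and flag it: `# NOTE: exposes Prometheus (no auth) through an ELB; restrict or remove outside demo accounts`. The `module "eks_blueprints_addons"` block starts above this hunk and is not visible here.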
@@ -192,47 +194,330 @@ module "eks_blueprints_crossplane_addons" { } })] } - #--------------------------------------------------------- - # Crossplane community AWS Provider deployment - #--------------------------------------------------------- - crossplane_aws_provider = { - # !NOTE!: only enable one AWS provider at a time - enable = local.crossplane_aws_provider_enable - provider_config = "aws-provider-config" - provider_aws_version = "v0.40.0" - # to override the default irsa policy: - # additional_irsa_policies = ["arn:aws:iam::aws:policy/AmazonS3FullAccess"] + + depends_on = [module.eks.eks_managed_node_groups] +} + +resource "kubectl_manifest" "environmentconfig" { + yaml_body = templatefile("${path.module}/environmentconfig.yaml", { + awsAccountID = data.aws_caller_identity.current.account_id + eksOIDC = module.eks.oidc_provider + vpcID = module.vpc.vpc_id + }) + + depends_on = [module.crossplane] +} + +#--------------------------------------------------------------- +# Crossplane Providers Settings +#--------------------------------------------------------------- +locals { + crossplane_namespace = "crossplane-system" + + upbound_aws_provider = { + enable = true #NOTE: if you only use one aws provider, only enable one + version = "v0.40.0" + controller_config = "upbound-aws-controller-config" + provider_config_name = "aws-provider-config" #this is the providerConfigName used in all the examples in this repo + families = [ + "dynamodb", + "elasticache", + "iam", + "kms", + "lambda", + "rds", + "s3", + "sns", + "sqs", + "vpc" + ] + } + + aws_provider = { + enable = false #NOTE: if you only use one aws provider, only enable one + version = "v0.43.1" + name = "aws-provider" + controller_config = "aws-controller-config" + provider_config_name = "aws-provider-config" #this is the providerConfigName used in all the examples in this repo + } + + kubernetes_provider = { + enable = true + version = "v0.9.0" + service_account = "kubernetes-provider" + name = 
"kubernetes-provider" + controller_config = "kubernetes-controller-config" + provider_config_name = "default" + cluster_role = "cluster-admin" + } + + helm_provider = { + enable = true + version = "v0.15.0" + service_account = "helm-provider" + name = "helm-provider" + controller_config = "helm-controller-config" + provider_config_name = "default" + cluster_role = "cluster-admin" + } + +} + +#--------------------------------------------------------------- +# Crossplane Upbound AWS Provider +#--------------------------------------------------------------- +module "upbound_irsa_aws" { + count = local.upbound_aws_provider.enable == true ? 1 : 0 + source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks" + version = "~> 5.30" + + role_name_prefix = "${local.name}-upbound-aws-" + assume_role_condition_test = "StringLike" + + role_policy_arns = { + policy = "arn:aws:iam::aws:policy/AdministratorAccess" + } + + oidc_providers = { + main = { + provider_arn = module.eks.oidc_provider_arn + namespace_service_accounts = ["${local.crossplane_namespace}:upbound-aws-provider-*"] + } + } + + tags = local.tags +} + +resource "kubectl_manifest" "upbound_aws_controller_config" { + count = local.upbound_aws_provider.enable == true ? 1 : 0 + yaml_body = templatefile("${path.module}/providers/aws-upbound/controller-config.yaml", { + iam-role-arn = module.upbound_irsa_aws[0].iam_role_arn + controller-config = local.upbound_aws_provider.controller_config + }) + + depends_on = [module.crossplane] +} + +resource "kubectl_manifest" "upbound_aws_provider" { + for_each = local.upbound_aws_provider.enable ? 
toset(local.upbound_aws_provider.families) : toset([]) + yaml_body = templatefile("${path.module}/providers/aws-upbound/provider.yaml", { + family = each.key + version = local.upbound_aws_provider.version + controller-config = local.upbound_aws_provider.controller_config + }) + wait = true + + depends_on = [kubectl_manifest.upbound_aws_controller_config] +} + +# Wait for the Upbound AWS Provider CRDs to be fully created before initiating upbound_aws_provider_config +resource "time_sleep" "upbound_wait_60_seconds" { + count = local.upbound_aws_provider.enable == true ? 1 : 0 + create_duration = "60s" + + depends_on = [kubectl_manifest.upbound_aws_provider] +} + +resource "kubectl_manifest" "upbound_aws_provider_config" { + count = local.upbound_aws_provider.enable == true ? 1 : 0 + yaml_body = templatefile("${path.module}/providers/aws-upbound/provider-config.yaml", { + provider-config-name = local.upbound_aws_provider.provider_config_name + }) + + depends_on = [kubectl_manifest.upbound_aws_provider, time_sleep.upbound_wait_60_seconds] +} + +#--------------------------------------------------------------- +# Crossplane AWS Provider +#--------------------------------------------------------------- +module "irsa_aws_provider" { + count = local.aws_provider.enable == true ? 
1 : 0 + source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks" + version = "~> 5.30" + + role_name_prefix = "${local.name}-aws-provider-" + assume_role_condition_test = "StringLike" + + role_policy_arns = { + policy = "arn:aws:iam::aws:policy/AdministratorAccess" } - #--------------------------------------------------------- - # Crossplane Upbound AWS Provider deployment - #--------------------------------------------------------- - crossplane_upbound_aws_provider = { - # !NOTE!: only enable one AWS provider at a time - enable = local.crossplane_upbound_aws_provider_enable - provider_config = "aws-provider-config" - provider_aws_version = "v0.35.0" - # to override the default irsa policy: - # additional_irsa_policies = ["arn:aws:iam::aws:policy/AmazonS3FullAccess"] + oidc_providers = { + main = { + provider_arn = module.eks.oidc_provider_arn + namespace_service_accounts = ["${local.crossplane_namespace}:aws-provider-*"] + } } - #--------------------------------------------------------- - # Crossplane Kubernetes Provider deployment - #--------------------------------------------------------- - crossplane_kubernetes_provider = { - enable = true - provider_kubernetes_version = "v0.9.0" + tags = local.tags +} + +resource "kubectl_manifest" "aws_controller_config" { + count = local.aws_provider.enable == true ? 1 : 0 + yaml_body = templatefile("${path.module}/providers/aws/controller-config.yaml", { + iam-role-arn = module.irsa_aws_provider[0].iam_role_arn + controller-config = local.aws_provider.controller_config + }) + + depends_on = [module.crossplane] +} + +resource "kubectl_manifest" "aws_provider" { + count = local.aws_provider.enable == true ? 
1 : 0 + yaml_body = templatefile("${path.module}/providers/aws/provider.yaml", { + aws-provider-name = local.aws_provider.name + version = local.aws_provider.version + controller-config = local.aws_provider.controller_config + }) + wait = true + + depends_on = [kubectl_manifest.aws_controller_config] +} + +# Wait for the Upbound AWS Provider CRDs to be fully created before initiating aws_provider_config +resource "time_sleep" "aws_wait_60_seconds" { + count = local.aws_provider.enable == true ? 1 : 0 + create_duration = "60s" + + depends_on = [kubectl_manifest.aws_provider] +} + +resource "kubectl_manifest" "aws_provider_config" { + count = local.aws_provider.enable == true ? 1 : 0 + yaml_body = templatefile("${path.module}/providers/aws/provider-config.yaml", { + provider-config-name = local.aws_provider.provider_config_name + }) + + depends_on = [kubectl_manifest.aws_provider, time_sleep.aws_wait_60_seconds] +} + + +#--------------------------------------------------------------- +# Crossplane Kubernetes Provider +#--------------------------------------------------------------- +resource "kubernetes_service_account_v1" "kubernetes_controller" { + count = local.kubernetes_provider.enable == true ? 1 : 0 + metadata { + name = local.kubernetes_provider.service_account + namespace = local.crossplane_namespace } - #--------------------------------------------------------- - # Crossplane Helm Provider deployment - #--------------------------------------------------------- - crossplane_helm_provider = { - enable = true - provider_helm_version = "v0.15.0" + depends_on = [module.crossplane] +} + +resource "kubectl_manifest" "kubernetes_controller_clusterolebinding" { + count = local.kubernetes_provider.enable == true ? 
1 : 0 + yaml_body = templatefile("${path.module}/providers/kubernetes/clusterrolebinding.yaml", { + namespace = local.crossplane_namespace + cluster-role = local.kubernetes_provider.cluster_role + sa-name = kubernetes_service_account_v1.kubernetes_controller[0].metadata[0].name + }) + wait = true + + depends_on = [module.crossplane] +} + +resource "kubectl_manifest" "kubernetes_controller_config" { + count = local.kubernetes_provider.enable == true ? 1 : 0 + yaml_body = templatefile("${path.module}/providers/kubernetes/controller-config.yaml", { + sa-name = kubernetes_service_account_v1.kubernetes_controller[0].metadata[0].name + controller-config = local.kubernetes_provider.controller_config + }) + wait = true + + depends_on = [module.crossplane] +} + +resource "kubectl_manifest" "kubernetes_provider" { + count = local.kubernetes_provider.enable == true ? 1 : 0 + yaml_body = templatefile("${path.module}/providers/kubernetes/provider.yaml", { + version = local.kubernetes_provider.version + kubernetes-provider-name = local.kubernetes_provider.name + controller-config = local.kubernetes_provider.controller_config + }) + wait = true + + depends_on = [kubectl_manifest.kubernetes_controller_config] +} + +# Wait for the AWS Provider CRDs to be fully created before initiating provider_config deployment +resource "time_sleep" "wait_60_seconds_kubernetes" { + create_duration = "60s" + + depends_on = [kubectl_manifest.kubernetes_provider] +} + +resource "kubectl_manifest" "kubernetes_provider_config" { + count = local.kubernetes_provider.enable == true ? 
1 : 0 + yaml_body = templatefile("${path.module}/providers/kubernetes/provider-config.yaml", { + provider-config-name = local.kubernetes_provider.provider_config_name + }) + + depends_on = [kubectl_manifest.kubernetes_provider, time_sleep.wait_60_seconds_kubernetes] +} + +#--------------------------------------------------------------- +# Crossplane Helm Provider +#--------------------------------------------------------------- +resource "kubernetes_service_account_v1" "helm_controller" { + count = local.helm_provider.enable == true ? 1 : 0 + metadata { + name = local.helm_provider.service_account + namespace = local.crossplane_namespace } - depends_on = [module.eks.managed_node_groups, module.eks_blueprints_addons] + depends_on = [module.crossplane] +} + +resource "kubectl_manifest" "helm_controller_clusterolebinding" { + count = local.helm_provider.enable == true ? 1 : 0 + yaml_body = templatefile("${path.module}/providers/helm/clusterrolebinding.yaml", { + namespace = local.crossplane_namespace + cluster-role = local.helm_provider.cluster_role + sa-name = kubernetes_service_account_v1.helm_controller[0].metadata[0].name + }) + wait = true + + depends_on = [module.crossplane] +} + +resource "kubectl_manifest" "helm_controller_config" { + count = local.helm_provider.enable == true ? 1 : 0 + yaml_body = templatefile("${path.module}/providers/helm/controller-config.yaml", { + sa-name = kubernetes_service_account_v1.helm_controller[0].metadata[0].name + controller-config = local.helm_provider.controller_config + }) + wait = true + + depends_on = [module.crossplane] +} + +resource "kubectl_manifest" "helm_provider" { + count = local.helm_provider.enable == true ? 
1 : 0 + yaml_body = templatefile("${path.module}/providers/helm/provider.yaml", { + version = local.helm_provider.version + helm-provider-name = local.helm_provider.name + controller-config = local.helm_provider.controller_config + }) + wait = true + + depends_on = [kubectl_manifest.helm_controller_config] +} + +# Wait for the AWS Provider CRDs to be fully created before initiating provider_config deployment +resource "time_sleep" "wait_60_seconds_helm" { + create_duration = "60s" + + depends_on = [kubectl_manifest.helm_provider] +} + +resource "kubectl_manifest" "helm_provider_config" { + count = local.helm_provider.enable == true ? 1 : 0 + yaml_body = templatefile("${path.module}/providers/helm/provider-config.yaml", { + provider-config-name = local.helm_provider.provider_config_name + }) + + depends_on = [kubectl_manifest.helm_provider, time_sleep.wait_60_seconds_helm] } diff --git a/bootstrap/terraform/providers/aws-upbound/controller-config.yaml b/bootstrap/terraform/providers/aws-upbound/controller-config.yaml new file mode 100644 index 00000000..6806bfd8 --- /dev/null +++ b/bootstrap/terraform/providers/aws-upbound/controller-config.yaml @@ -0,0 +1,13 @@ +# https://github.com/upbound/provider-aws/blob/main/docs/Configuration.md#create-a-controllerconfig +--- +apiVersion: pkg.crossplane.io/v1alpha1 +kind: ControllerConfig +metadata: + name: ${controller-config} + annotations: + eks.amazonaws.com/role-arn: ${iam-role-arn} +spec: + podSecurityContext: + fsGroup: 2000 + args: + - --debug diff --git a/bootstrap/terraform/providers/aws-upbound/provider-config.yaml b/bootstrap/terraform/providers/aws-upbound/provider-config.yaml new file mode 100644 index 00000000..b1fbebd1 --- /dev/null +++ b/bootstrap/terraform/providers/aws-upbound/provider-config.yaml 
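Review bot: Both IRSA roles in this hunk, `module.upbound_irsa_aws` and `module.irsa_aws_provider`, attach `arn:aws:iam::aws:policy/AdministratorAccess` and trust the OIDC subject with `assume_role_condition_test = "StringLike"` against a wildcard (`crossplane-system:upbound-aws-provider-*` / `crossplane-system:aws-provider-*`), so any workload that can obtain a token for a service account matching that glob in `crossplane-system` is an AWS account administrator. The same hunk binds the kubernetes and helm provider service accounts to `cluster_role = "cluster-admin"`, so a user who can create a provider-kubernetes `Object` or a provider-helm `Release` can create such a pod and escalate from a Crossplane claim to full account access. The removed lines show the old module at least offered a commented `additional_irsa_policies` override; the new code hard-codes the managed policy with no hook to scope it down. I would lift the ARN into the provider locals (`policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess" #NOTE: replace with a scoped policy per family outside demo accounts`), pass `role_policy_arns = { policy = local.upbound_aws_provider.policy_arn }`, and add a comment beside `cluster_role` spelling out the escalation path. The hunk opens inside the old `module "eks_blueprints_crossplane_addons"` block, whose start is not visible here.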
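Review bot: `args: - --debug` turns on debug logging for every Upbound AWS provider family pod that references this `ControllerConfig`, and those pods run under an IRSA role; debug output from cloud providers is typically verbose enough to include request and response details that do not belong in shared cluster logs. The same flag is set in `providers/aws/controller-config.yaml` and `providers/kubernetes/controller-config.yaml` in this change. Either drop the `args` block or gate it from Terraform, e.g. `%{ if debug }args: [--debug]%{ endif }` with `debug` defaulting to false, and note why: `# --debug is for troubleshooting only; do not leave it enabled outside development`.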
@@ -0,0 +1,9 @@
+# https://github.com/upbound/provider-aws/blob/main/docs/Configuration.md#create-a-providerconfig
+---
+apiVersion: aws.upbound.io/v1beta1
+kind: ProviderConfig
+metadata:
+ name: ${provider-config-name}
+spec:
+ credentials:
+ source: IRSA
diff --git a/bootstrap/terraform/providers/aws-upbound/provider.yaml b/bootstrap/terraform/providers/aws-upbound/provider.yaml
new file mode 100644
index 00000000..c3c7d7c0
--- /dev/null
+++ b/bootstrap/terraform/providers/aws-upbound/provider.yaml
@@ -0,0 +1,10 @@
+# https://github.com/upbound/provider-aws/blob/main/docs/Configuration.md#create-a-provider
+---
+apiVersion: pkg.crossplane.io/v1
+kind: Provider
+metadata:
+ name: upbound-aws-provider-${family}
+spec:
+ package: xpkg.upbound.io/upbound/provider-aws-${family}:${version}
+ controllerConfigRef:
+ name: ${controller-config}
diff --git a/bootstrap/terraform/providers/aws/controller-config.yaml b/bootstrap/terraform/providers/aws/controller-config.yaml
new file mode 100644
index 00000000..ea416165
--- /dev/null
+++ b/bootstrap/terraform/providers/aws/controller-config.yaml
@@ -0,0 +1,11 @@
+apiVersion: pkg.crossplane.io/v1alpha1
+kind: ControllerConfig
+metadata:
+ name: ${controller-config}
+ annotations:
+ eks.amazonaws.com/role-arn: ${iam-role-arn}
+spec:
+ podSecurityContext:
+ fsGroup: 2000
+ args:
+ - --debug
diff --git a/bootstrap/terraform/providers/aws/provider-config.yaml b/bootstrap/terraform/providers/aws/provider-config.yaml
new file mode 100644
index 00000000..fdb6c30e
--- /dev/null
+++ b/bootstrap/terraform/providers/aws/provider-config.yaml
@@ -0,0 +1,7 @@
+apiVersion: aws.crossplane.io/v1beta1
+kind: ProviderConfig
+metadata:
+ name: ${provider-config-name}
+spec:
+ credentials:
+ source: InjectedIdentity
diff --git a/bootstrap/terraform/providers/aws/provider.yaml b/bootstrap/terraform/providers/aws/provider.yaml
new file mode 100644
index 00000000..c9d29ed5
--- /dev/null
+++ b/bootstrap/terraform/providers/aws/provider.yaml
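Review bot: `package: xpkg.upbound.io/upbound/provider-aws-${family}:${version}` pins each provider family by a mutable tag only, and every one of these packages runs under the AdministratorAccess IRSA role configured in `main.tf`, so an image replaced or re-tagged at that version in the registry would run with account-admin rights. Crossplane's `Provider.spec.package` should accept an OCI reference with a digest, so the template could render an optional `@sha256:…` suffix (e.g. `package: xpkg.upbound.io/upbound/provider-aws-${family}:${version}${digest}` with `digest` defaulting to empty), and `spec.packagePullPolicy: IfNotPresent` would avoid silently re-pulling. All families also share the single `controllerConfigRef`, and therefore one IAM role, which is worth stating in a comment here since per-family least privilege is not possible with this layout.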
@@ -0,0 +1,8 @@
+apiVersion: pkg.crossplane.io/v1
+kind: Provider
+metadata:
+ name: ${aws-provider-name}
+spec:
+ package: xpkg.upbound.io/crossplane-contrib/provider-aws:${version}
+ controllerConfigRef:
+ name: ${controller-config}
diff --git a/bootstrap/terraform/providers/helm/clusterrolebinding.yaml b/bootstrap/terraform/providers/helm/clusterrolebinding.yaml
new file mode 100644
index 00000000..8fc135f9
--- /dev/null
+++ b/bootstrap/terraform/providers/helm/clusterrolebinding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: ${sa-name}
+subjects:
+ - kind: ServiceAccount
+ name: ${sa-name}
+ namespace: ${namespace}
+roleRef:
+ kind: ClusterRole
+ name: ${cluster-role}
+ apiGroup: rbac.authorization.k8s.io
diff --git a/bootstrap/terraform/providers/helm/controller-config.yaml b/bootstrap/terraform/providers/helm/controller-config.yaml
new file mode 100644
index 00000000..2e2f7748
--- /dev/null
+++ b/bootstrap/terraform/providers/helm/controller-config.yaml
@@ -0,0 +1,6 @@
+apiVersion: pkg.crossplane.io/v1alpha1
+kind: ControllerConfig
+metadata:
+ name: ${controller-config}
+spec:
+ serviceAccountName: ${sa-name}
diff --git a/bootstrap/terraform/providers/helm/provider-config.yaml b/bootstrap/terraform/providers/helm/provider-config.yaml
new file mode 100644
index 00000000..bf38c00d
--- /dev/null
+++ b/bootstrap/terraform/providers/helm/provider-config.yaml
@@ -0,0 +1,9 @@
+# https://github.com/crossplane-contrib/provider-helm/blob/master/examples/provider-config/provider-config-incluster.yaml
+---
+apiVersion: helm.crossplane.io/v1beta1
+kind: ProviderConfig
+metadata:
+ name: ${provider-config-name}
+spec:
+ credentials:
+ source: InjectedIdentity
diff --git a/bootstrap/terraform/providers/helm/provider.yaml b/bootstrap/terraform/providers/helm/provider.yaml
new file mode 100644
index 00000000..b203e69e
--- /dev/null
+++ b/bootstrap/terraform/providers/helm/provider.yaml
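Review bot: This ClusterRoleBinding grants `${cluster-role}` — `cluster-admin`, per the `helm_provider.cluster_role` local in `main.tf` — to the provider-helm service account, so every `Release` that anyone is permitted to create is installed with unrestricted cluster rights, including into `crossplane-system` where the AWS provider pods and their IRSA-annotated service accounts live. A Helm provider legitimately needs broad write access to the namespaces it manages, but not `cluster-admin` across the whole cluster; a dedicated ClusterRole, or RoleBindings limited to the namespaces Releases may target, would bound the blast radius. If `cluster-admin` is kept for the blueprint, make it a documented decision with `# NOTE: cluster-admin; anyone who can create a helm.crossplane.io Release effectively holds this role` above `roleRef`.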
@@ -0,0 +1,8 @@
+apiVersion: pkg.crossplane.io/v1
+kind: Provider
+metadata:
+ name: ${helm-provider-name}
+spec:
+ package: xpkg.upbound.io/crossplane-contrib/provider-helm:${version}
+ controllerConfigRef:
+ name: ${controller-config}
diff --git a/bootstrap/terraform/providers/kubernetes/clusterrolebinding.yaml b/bootstrap/terraform/providers/kubernetes/clusterrolebinding.yaml
new file mode 100644
index 00000000..8fc135f9
--- /dev/null
+++ b/bootstrap/terraform/providers/kubernetes/clusterrolebinding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: ${sa-name}
+subjects:
+ - kind: ServiceAccount
+ name: ${sa-name}
+ namespace: ${namespace}
+roleRef:
+ kind: ClusterRole
+ name: ${cluster-role}
+ apiGroup: rbac.authorization.k8s.io
diff --git a/bootstrap/terraform/providers/kubernetes/controller-config.yaml b/bootstrap/terraform/providers/kubernetes/controller-config.yaml
new file mode 100644
index 00000000..ebb41ac7
--- /dev/null
+++ b/bootstrap/terraform/providers/kubernetes/controller-config.yaml
@@ -0,0 +1,8 @@
+apiVersion: pkg.crossplane.io/v1alpha1
+kind: ControllerConfig
+metadata:
+ name: ${controller-config}
+spec:
+ serviceAccountName: ${sa-name}
+ args:
+ - --debug
diff --git a/bootstrap/terraform/providers/kubernetes/provider-config.yaml b/bootstrap/terraform/providers/kubernetes/provider-config.yaml
new file mode 100644
index 00000000..ff25439b
--- /dev/null
+++ b/bootstrap/terraform/providers/kubernetes/provider-config.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: kubernetes.crossplane.io/v1alpha1
+kind: ProviderConfig
+metadata:
+ name: ${provider-config-name}
+spec:
+ credentials:
+ source: InjectedIdentity
diff --git a/bootstrap/terraform/providers/kubernetes/provider.yaml b/bootstrap/terraform/providers/kubernetes/provider.yaml
new file mode 100644
index 00000000..be7db057
--- /dev/null
+++ b/bootstrap/terraform/providers/kubernetes/provider.yaml
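Review bot: The kubernetes provider service account is bound to `cluster-admin` here (via the `kubernetes_provider.cluster_role` local), and provider-kubernetes `Object` resources are cluster-scoped managed resources, so permission to create an `Object` is permission to create any resource anywhere in the cluster — including a Pod in `crossplane-system` that uses one of the `upbound-aws-provider-*` service accounts whose tokens assume the AdministratorAccess role introduced in this change. In effect `Object` create rights become AWS account-admin rights, which is not visible from this file. Consider a narrower ClusterRole listing only the kinds the examples need, and add `# NOTE: cluster-admin on a cluster-scoped provider makes Object create == cluster-admin; scope down outside demos` above `roleRef` so the trade-off is recorded.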
@@ -0,0 +1,8 @@ +apiVersion: pkg.crossplane.io/v1 +kind: Provider +metadata: + name: ${kubernetes-provider-name} +spec: + package: xpkg.upbound.io/crossplane-contrib/provider-kubernetes:${version} + controllerConfigRef: + name: ${controller-config} diff --git a/bootstrap/terraform/versions.tf b/bootstrap/terraform/versions.tf index 4fc6a264..2ffd5358 100644 --- a/bootstrap/terraform/versions.tf +++ b/bootstrap/terraform/versions.tf @@ -19,7 +19,7 @@ terraform { helm = { source = "hashicorp/helm" - version = ">= 2.10.0" + version = ">= 2.11.0" } } } diff --git a/examples/helm-provider/test-helm.yaml b/examples/helm-provider/test-helm.yaml new file mode 100644 index 00000000..636bdb78 --- /dev/null +++ b/examples/helm-provider/test-helm.yaml @@ -0,0 +1,11 @@ +apiVersion: helm.crossplane.io/v1beta1 +kind: Release +metadata: + name: hello-example +spec: + forProvider: + chart: + name: mysql + repository: https://charts.bitnami.com/bitnami + version: 9.12.1 + namespace: default diff --git a/examples/kubernetes-provider/test-namespace.yaml b/examples/kubernetes-provider/test-namespace.yaml index b2e0b573..663d500c 100644 --- a/examples/kubernetes-provider/test-namespace.yaml +++ b/examples/kubernetes-provider/test-namespace.yaml @@ -10,5 +10,3 @@ spec: metadata: labels: example: "true" - providerConfigRef: - name: kubernetes-provider-config # Refer this file for providerConfigRef.name -> bootstrap/terraform/crossplane-providers/kubernetes-provider.yaml
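Review bot: The example `Release` installs `mysql` from `https://charts.bitnami.com/bitnami` into `namespace: default` by chart version only and carries no `providerConfigRef`, so it silently relies on the `ProviderConfig` named `default` that `main.tf` now creates with `provider_config_name = "default"` — the kubernetes example in this same change had its explicit `providerConfigRef` removed for the same reason, and neither file says so. Because the helm provider runs as `cluster-admin`, this chart is installed with full cluster rights from a third-party repository that is not pinned beyond its version string. For an example that is acceptable, but add `# NOTE: uses the "default" ProviderConfig created by bootstrap/terraform; chart is fetched by version from a third-party repo` above `spec` so users know what they are trusting.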