From a544d1a6708b9ca0b9b9c1bd8f60f8d6e55b00fb Mon Sep 17 00:00:00 2001 From: Christina Andonov Date: Fri, 8 Sep 2023 08:37:43 -0700 Subject: [PATCH 01/13] saving work --- bootstrap/terraform/README.md | 2 +- bootstrap/terraform/addon/main.tf | 53 +++++++++ bootstrap/terraform/addon/variables.tf | 22 ++++ bootstrap/terraform/main.tf | 158 ++++++++++++++++++------- 4 files changed, 190 insertions(+), 45 deletions(-) create mode 100644 bootstrap/terraform/addon/main.tf create mode 100644 bootstrap/terraform/addon/variables.tf diff --git a/bootstrap/terraform/README.md b/bootstrap/terraform/README.md index 14e8cbfa..16eaeb44 100644 --- a/bootstrap/terraform/README.md +++ b/bootstrap/terraform/README.md @@ -45,7 +45,7 @@ Ensure that you have installed the following tools in your Mac or Windows Laptop ### Troubleshooting 1. If `terraform apply` errors out after creating the cluster when trying to apply the helm charts, try running the command: ```shell -aws eks --region update-kubeconfig --name +aws eks --region update-kubeconfig --name --alias ``` and executing terraform apply again. diff --git a/bootstrap/terraform/addon/main.tf b/bootstrap/terraform/addon/main.tf new file mode 100644 index 00000000..6f536650 --- /dev/null +++ b/bootstrap/terraform/addon/main.tf 
@@ -0,0 +1,53 @@
+################################################################################
+# Crossplane
+################################################################################
+
+module "crossplane" {
+ source = "aws-ia/eks-blueprints-addon/aws"
+ version = "1.1.0"
+
+ create = var.enable_crossplane
+
+ # https://github.com/crossplane/crossplane/tree/master/cluster/charts/crossplane
+ name = try(var.crossplane.name, "crossplane")
+ description = try(var.crossplane.description, "A Helm chart to deploy crossplane project")
+ namespace = try(var.crossplane.namespace, "crossplane-system")
+ create_namespace = try(var.crossplane.create_namespace, true)
+ chart = try(var.crossplane.chart, "crossplane")
+ chart_version = try(var.crossplane.chart_version, "1.13.2")
+ repository = try(var.crossplane.repository, "https://charts.crossplane.io/stable/")
+ values = try(var.crossplane.values, [])
+
+ timeout = try(var.crossplane.timeout, null)
+ repository_key_file = try(var.crossplane.repository_key_file, null)
+ repository_cert_file = try(var.crossplane.repository_cert_file, null)
+ repository_ca_file = try(var.crossplane.repository_ca_file, null)
+ repository_username = try(var.crossplane.repository_username, null)
+ repository_password = try(var.crossplane.repository_password, null)
+ devel = try(var.crossplane.devel, null)
+ verify = try(var.crossplane.verify, null)
+ keyring = try(var.crossplane.keyring, null)
+ disable_webhooks = try(var.crossplane.disable_webhooks, null)
+ reuse_values = try(var.crossplane.reuse_values, null)
+ reset_values = try(var.crossplane.reset_values, null)
+ force_update = try(var.crossplane.force_update, null)
+ recreate_pods = try(var.crossplane.recreate_pods, null)
+ cleanup_on_fail = try(var.crossplane.cleanup_on_fail, null)
+ max_history = try(var.crossplane.max_history, null)
+ atomic = try(var.crossplane.atomic, null)
+ skip_crds = try(var.crossplane.skip_crds, null)
+ render_subchart_notes = try(var.crossplane.render_subchart_notes, null)
+ disable_openapi_validation = try(var.crossplane.disable_openapi_validation, null)
+ wait = try(var.crossplane.wait, false)
+ wait_for_jobs = try(var.crossplane.wait_for_jobs, null)
+ dependency_update = try(var.crossplane.dependency_update, null)
+ replace = try(var.crossplane.replace, null)
+ lint = try(var.crossplane.lint, null)
+
+ postrender = try(var.crossplane.postrender, [])
+ set = try(var.crossplane.set, [])
+ set_sensitive = try(var.crossplane.set_sensitive, [])
+
+ tags = var.tags
+}
+
diff --git a/bootstrap/terraform/addon/variables.tf b/bootstrap/terraform/addon/variables.tf
new file mode 100644
index 00000000..b05f5bd9
--- /dev/null
+++ b/bootstrap/terraform/addon/variables.tf
@@ -0,0 +1,22 @@
+variable "tags" {
+ description = "A map of tags to add to all resources"
+ type = map(string)
+ default = {}
+}
+
+################################################################################
+# Crossplane
+################################################################################
+
+variable "enable_crossplane" {
+ description = "Enable Crossplane Kubernetes add-on"
+ type = bool
+ default = false
+}
+
+variable "crossplane" {
+ description = "Crossplane add-on configuration values"
+ type = any
+ default = {}
+}
+
diff --git a/bootstrap/terraform/main.tf b/bootstrap/terraform/main.tf
index e5c90b81..8cf61ae5 100644
--- a/bootstrap/terraform/main.tf
+++ b/bootstrap/terraform/main.tf
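Review bot: `wait = try(var.crossplane.wait, false)` returns from the Helm release before Crossplane's deployments and the `pkg.crossplane.io` CRDs are ready, so a consumer that only has `depends_on = [module.crossplane]` can start submitting Provider objects to a cluster that cannot accept them yet. Flipping the default, `wait = try(var.crossplane.wait, true)`, makes completion of this module mean "Crossplane is up" and is cheaper and more reliable than fixed sleeps downstream. The `verify`/`keyring` pair defaults to off, which is how every chart from `https://charts.crossplane.io/stable/` is pulled here; a one-line comment above them, `# set verify = true together with a keyring to check chart provenance against a trusted key`, makes the choice explicit for readers of the module.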
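Review bot: `variable "crossplane"` is declared `type = any` without `sensitive = true`, yet addon/main.tf reads `repository_username`, `repository_password` and `set_sensitive` out of it, so any credential a caller places in this object is shown in clear in `terraform plan` and `apply` output. Either mark the variable `sensitive = true` (which masks the whole object in output) or move the credential-bearing attributes into a separate sensitive variable; at minimum change the description to `description = "Crossplane add-on configuration values (not masked: do not pass repository credentials through this object)"`. `type = any` also forgoes all attribute validation, so typos in keys silently fall through to the `try(...)` defaults in main.tf; that trade-off deserves a sentence in the description too.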
@@ -152,19 +152,26 @@ module "eks_blueprints_addons" { enable_karpenter = true enable_metrics_server = true enable_kube_prometheus_stack = true + kube_prometheus_stack = { + values = [yamlencode({ + prometheus = { + service = { + type = "LoadBalancer" + } + } + })] + } - depends_on = [module.eks.managed_node_groups] + depends_on = [module.eks.eks_managed_node_groups] } -module "eks_blueprints_crossplane_addons" { - source = "github.com/aws-ia/terraform-aws-eks-blueprints//modules/kubernetes-addons?ref=v4.32.1" - - eks_cluster_id = module.eks.cluster_name - # Deploy Crossplane - # Default helm chart and providers values set at https://github.com/aws-ia/terraform-aws-eks-blueprints/blob/main/modules/kubernetes-addons/crossplane/locals.tf +#--------------------------------------------------------------- +# Crossplane +#--------------------------------------------------------------- +module "crossplane" { + source = "./addon/" enable_crossplane = true - crossplane_helm_config = { - version = "1.12.1" + crossplane = { values = [yamlencode({ args = ["--enable-environment-configs"] metrics = { 
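Review bot: `type = "LoadBalancer"` on the Prometheus service provisions an internet-facing load balancer on EKS by default, and the kube-prometheus-stack Prometheus endpoint does not add authentication on its own, so cluster metrics and target metadata (namespaces, pod and service names, scrape endpoints) become reachable from the internet. If the goal is only to reach the UI from inside the VPC, add an internal-scheme annotation next to the type, e.g. `annotations = { "service.beta.kubernetes.io/aws-load-balancer-internal" = "true" }` inside the `service` map, or leave the service as ClusterIP and port-forward. The `module "eks_blueprints_addons"` block starts and ends outside this hunk.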
@@ -192,48 +199,111 @@ module "eks_blueprints_crossplane_addons" { } })] } - #--------------------------------------------------------- - # Crossplane community AWS Provider deployment - #--------------------------------------------------------- - crossplane_aws_provider = { - # !NOTE!: only enable one AWS provider at a time - enable = local.crossplane_aws_provider_enable - provider_config = "aws-provider-config" - provider_aws_version = "v0.40.0" - # to override the default irsa policy: - # additional_irsa_policies = ["arn:aws:iam::aws:policy/AmazonS3FullAccess"] - } +} - #--------------------------------------------------------- - # Crossplane Upbound AWS Provider deployment - #--------------------------------------------------------- - crossplane_upbound_aws_provider = { - # !NOTE!: only enable one AWS provider at a time - enable = local.crossplane_upbound_aws_provider_enable - provider_config = "aws-provider-config" - provider_aws_version = "v0.35.0" - # to override the default irsa policy: - # additional_irsa_policies = ["arn:aws:iam::aws:policy/AmazonS3FullAccess"] - } +locals { + crossplane_namespace = "crossplane-system" + crossplane_sa_prefix = "provider-aws-*" +} + +module "crossplane_irsa_aws" { +#todo count + source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks" + version = "~> 5.30" + + role_name_prefix = "crossplane-${local.crossplane_sa_prefix}" - #--------------------------------------------------------- - # Crossplane Kubernetes Provider deployment - #--------------------------------------------------------- - crossplane_kubernetes_provider = { - enable = true - provider_kubernetes_version = "v0.9.0" + role_policy_arns = { + policy = "arn:aws:iam::aws:policy/AdministratorAccess" } - #--------------------------------------------------------- - # Crossplane Helm Provider deployment - #--------------------------------------------------------- - crossplane_helm_provider = { - enable = true - provider_helm_version = 
"v0.15.0" + oidc_providers = { + main = { + provider_arn = module.eks.oidc_provider_arn + namespace_service_accounts = ["${local.crossplane_namespace}:${local.crossplane_sa_prefix}"] + } } - depends_on = [module.eks.managed_node_groups, module.eks_blueprints_addons] + tags = local.tags } +#module "eks_blueprints_crossplane_addons" { +# source = "github.com/aws-ia/terraform-aws-eks-blueprints//modules/kubernetes-addons?ref=v4.32.1" +# +# eks_cluster_id = module.eks.cluster_name +# # Deploy Crossplane +# # Default helm chart and providers values set at https://github.com/aws-ia/terraform-aws-eks-blueprints/blob/main/modules/kubernetes-addons/crossplane/locals.tf +# enable_crossplane = true +# crossplane_helm_config = { +# version = "1.12.1" +# values = [yamlencode({ +# args = ["--enable-environment-configs"] +# metrics = { +# enabled = true +# } +# resourcesCrossplane = { +# limits = { +# cpu = "1" +# memory = "2Gi" +# } +# requests = { +# cpu = "100m" +# memory = "1Gi" +# } +# } +# resourcesRBACManager = { +# limits = { +# cpu = "500m" +# memory = "1Gi" +# } +# requests = { +# cpu = "100m" +# memory = "512Mi" +# } +# } +# })] +# } +# #--------------------------------------------------------- +# # Crossplane community AWS Provider deployment +# #--------------------------------------------------------- +# crossplane_aws_provider = { +# # !NOTE!: only enable one AWS provider at a time +# enable = local.crossplane_aws_provider_enable +# provider_config = "aws-provider-config" +# provider_aws_version = "v0.40.0" +# # to override the default irsa policy: +# # additional_irsa_policies = ["arn:aws:iam::aws:policy/AmazonS3FullAccess"] +# } +# +# #--------------------------------------------------------- +# # Crossplane Upbound AWS Provider deployment +# #--------------------------------------------------------- +# crossplane_upbound_aws_provider = { +# # !NOTE!: only enable one AWS provider at a time +# enable = local.crossplane_upbound_aws_provider_enable +# 
provider_config = "aws-provider-config" +# provider_aws_version = "v0.35.0" +# # to override the default irsa policy: +# # additional_irsa_policies = ["arn:aws:iam::aws:policy/AmazonS3FullAccess"] +# } +# +# #--------------------------------------------------------- +# # Crossplane Kubernetes Provider deployment +# #--------------------------------------------------------- +# crossplane_kubernetes_provider = { +# enable = true +# provider_kubernetes_version = "v0.9.0" +# } +# +# #--------------------------------------------------------- +# # Crossplane Helm Provider deployment +# #--------------------------------------------------------- +# crossplane_helm_provider = { +# enable = true +# provider_helm_version = "v0.15.0" +# } +# +# depends_on = [module.eks.managed_node_groups, module.eks_blueprints_addons] +#} #--------------------------------------------------------------- From 1678a0847ed69f3d3f662afb093afcd5bf18dd74 Mon Sep 17 00:00:00 2001 
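Review bot: `role_policy_arns = { policy = "arn:aws:iam::aws:policy/AdministratorAccess" }` together with `namespace_service_accounts = ["${local.crossplane_namespace}:${local.crossplane_sa_prefix}"]`, where the prefix is `provider-aws-*`, lets any pod in crossplane-system running under a service account whose name starts with `provider-aws-` assume a full-administrator role on the account; the same wildcard-plus-AdministratorAccess trust is carried forward in the patch 02 and patch 03 hunks of this file. The code being replaced at least pointed at `additional_irsa_policies` as the place to scope permissions, and the new module has the equivalent hook in `role_policy_arns`, so the bootstrap default should be recorded: `# AdministratorAccess is a bootstrap default; scope to the policies the enabled provider families need`. `role_name_prefix = "crossplane-${local.crossplane_sa_prefix}"` also inherits the trailing `*` from the prefix, which is not a valid IAM role-name character. The `module "crossplane"` block this hunk opens with is closed inside it, but `module "crossplane_irsa_aws"` runs past the visible context.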
From: Christina Andonov Date: Sat, 9 Sep 2023 19:42:57 -0700 Subject: [PATCH 02/13] crosspalne v5 add on an upbound-aws-provider families working version --- bootstrap/terraform/main.tf | 179 +++++++++--------- .../providers/aws-upbound/.helmignore | 23 +++ .../aws-upbound/controller-config.yaml | 13 ++ .../aws-upbound/provider-config.yaml | 9 + .../providers/aws-upbound/provider.yaml | 10 + .../providers/kubernetes/.helmignore | 23 +++ .../kubernetes/clusterrolebinding.yaml | 12 ++ .../kubernetes/controllerconfig.yaml | 8 + .../providers/kubernetes/provider-config.yaml | 8 + .../providers/kubernetes/provider.yaml | 9 + bootstrap/terraform/versions.tf | 2 +- 11 files changed, 206 insertions(+), 90 deletions(-) create mode 100644 bootstrap/terraform/providers/aws-upbound/.helmignore create mode 100644 bootstrap/terraform/providers/aws-upbound/controller-config.yaml create mode 100644 bootstrap/terraform/providers/aws-upbound/provider-config.yaml create mode 100644 bootstrap/terraform/providers/aws-upbound/provider.yaml create mode 100644 bootstrap/terraform/providers/kubernetes/.helmignore create mode 100644 bootstrap/terraform/providers/kubernetes/clusterrolebinding.yaml create mode 100644 bootstrap/terraform/providers/kubernetes/controllerconfig.yaml create mode 100644 bootstrap/terraform/providers/kubernetes/provider-config.yaml create mode 100644 bootstrap/terraform/providers/kubernetes/provider.yaml diff --git a/bootstrap/terraform/main.tf b/bootstrap/terraform/main.tf index 8cf61ae5..05388663 100644 --- a/bootstrap/terraform/main.tf +++ b/bootstrap/terraform/main.tf @@ -55,10 +55,6 @@ locals { argocd_namespace = "argocd" - # !NOTE!: only enable one AWS provider at a time - crossplane_aws_provider_enable = true - crossplane_upbound_aws_provider_enable = true - tags = { Blueprint = local.name GithubRepo = "github.com/awslabs/crossplane-on-eks" 
@@ -145,8 +141,8 @@ module "eks_blueprints_addons" { chart_version = "5.34.6" # ArgoCD v2.7.3 values = [ templatefile("${path.module}/argocd-values.yaml", { - crossplane_aws_provider_enable = local.crossplane_aws_provider_enable - crossplane_upbound_aws_provider_enable = local.crossplane_upbound_aws_provider_enable + crossplane_aws_provider_enable = local.aws_provider.enable + crossplane_upbound_aws_provider_enable = local.upbound_aws_provider.enable })] } enable_karpenter = true @@ -199,19 +195,52 @@ module "crossplane" { } })] } + + depends_on = [module.eks.eks_managed_node_groups] } +#--------------------------------------------------------------- +# Crossplane Providers Settings +#--------------------------------------------------------------- locals { crossplane_namespace = "crossplane-system" - crossplane_sa_prefix = "provider-aws-*" + crossplane_sa_prefix = "provider-aws-" + kubernetes_provider = { + enable = true + } + upbound_aws_provider = { + enable = true + controller_config = "upbound-aws-controller-config" + provider_config_name = "aws-provider-config" + version = "v0.40.0" + sa_prefix = "upbound-aws-provider-" + families = [ + "dynamodb", + "elasticache", + "iam", + "kms", + "lambda", + "rds", + "s3", + "sns", + "sqs", + "vpc" + ] + } + aws_provider = { + enable = false + } } -module "crossplane_irsa_aws" { -#todo count +#--------------------------------------------------------------- +# Crossplane Upbound AWS Provider +#--------------------------------------------------------------- +module "upbound_irsa_aws" { + count = local.upbound_aws_provider.enable == true ? 1 : 0 source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks" version = "~> 5.30" - role_name_prefix = "crossplane-${local.crossplane_sa_prefix}" + role_name_prefix = local.upbound_aws_provider.sa_prefix role_policy_arns = { policy = "arn:aws:iam::aws:policy/AdministratorAccess" 
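Review bot: `crossplane_sa_prefix = "provider-aws-"` appears to lose its last consumer in this hunk, since `role_name_prefix` now reads `local.upbound_aws_provider.sa_prefix` and the `namespace_service_accounts` line in the next hunk is switched the same way; if nothing else references it, drop it rather than keep a second, diverging prefix next to the real one. Style: `count = local.upbound_aws_provider.enable == true ? 1 : 0` compares a bool against `true`, while the `for_each` in the following hunk uses `local.upbound_aws_provider.enable ? …` directly; `count = local.upbound_aws_provider.enable ? 1 : 0` keeps the two forms consistent across the file. The `locals` block is closed inside this hunk, but `module "upbound_irsa_aws"` continues past it.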
@@ -220,91 +249,63 @@ module "crossplane_irsa_aws" { oidc_providers = { main = { provider_arn = module.eks.oidc_provider_arn - namespace_service_accounts = ["${local.crossplane_namespace}:${local.crossplane_sa_prefix}"] + namespace_service_accounts = ["${local.crossplane_namespace}:${local.upbound_aws_provider.sa_prefix}"] } } tags = local.tags } -#module "eks_blueprints_crossplane_addons" { -# source = "github.com/aws-ia/terraform-aws-eks-blueprints//modules/kubernetes-addons?ref=v4.32.1" -# -# eks_cluster_id = module.eks.cluster_name -# # Deploy Crossplane -# # Default helm chart and providers values set at https://github.com/aws-ia/terraform-aws-eks-blueprints/blob/main/modules/kubernetes-addons/crossplane/locals.tf -# enable_crossplane = true -# crossplane_helm_config = { -# version = "1.12.1" -# values = [yamlencode({ -# args = ["--enable-environment-configs"] -# metrics = { -# enabled = true -# } -# resourcesCrossplane = { -# limits = { -# cpu = "1" -# memory = "2Gi" -# } -# requests = { -# cpu = "100m" -# memory = "1Gi" -# } -# } -# resourcesRBACManager = { -# limits = { -# cpu = "500m" -# memory = "1Gi" -# } -# requests = { -# cpu = "100m" -# memory = "512Mi" -# } -# } -# })] -# } -# #--------------------------------------------------------- -# # Crossplane community AWS Provider deployment -# #--------------------------------------------------------- -# crossplane_aws_provider = { -# # !NOTE!: only enable one AWS provider at a time -# enable = local.crossplane_aws_provider_enable -# provider_config = "aws-provider-config" -# provider_aws_version = "v0.40.0" -# # to override the default irsa policy: -# # additional_irsa_policies = ["arn:aws:iam::aws:policy/AmazonS3FullAccess"] -# } -# -# #--------------------------------------------------------- -# # Crossplane Upbound AWS Provider deployment -# #--------------------------------------------------------- -# crossplane_upbound_aws_provider = { -# # !NOTE!: only enable one AWS provider at a time -# enable = 
local.crossplane_upbound_aws_provider_enable -# provider_config = "aws-provider-config" -# provider_aws_version = "v0.35.0" -# # to override the default irsa policy: -# # additional_irsa_policies = ["arn:aws:iam::aws:policy/AmazonS3FullAccess"] -# } -# -# #--------------------------------------------------------- -# # Crossplane Kubernetes Provider deployment -# #--------------------------------------------------------- -# crossplane_kubernetes_provider = { -# enable = true -# provider_kubernetes_version = "v0.9.0" -# } -# -# #--------------------------------------------------------- -# # Crossplane Helm Provider deployment -# #--------------------------------------------------------- -# crossplane_helm_provider = { -# enable = true -# provider_helm_version = "v0.15.0" -# } -# -# depends_on = [module.eks.managed_node_groups, module.eks_blueprints_addons] -#} +resource "kubectl_manifest" "upbound_aws_controller_config" { + count = local.upbound_aws_provider.enable == true ? 1 : 0 + yaml_body = templatefile("${path.module}/providers/aws-upbound/controller-config.yaml", { + iam-role-arn = module.upbound_irsa_aws[0].iam_role_arn + controller-config = local.upbound_aws_provider.controller_config + }) + + depends_on = [module.crossplane] +} + +resource "kubectl_manifest" "upbound_aws_provider" { + for_each = local.upbound_aws_provider.enable ? toset(local.upbound_aws_provider.families) : toset([]) + yaml_body = templatefile("${path.module}/providers/aws-upbound/provider.yaml", { + family = each.key + version = local.upbound_aws_provider.version + controller-config = local.upbound_aws_provider.controller_config + }) + wait = true + + depends_on = [kubectl_manifest.upbound_aws_controller_config] +} + +# Wait for the Upbound AWS Provider CRDs to be fully created before initiating upbound_aws_provider_config +resource "time_sleep" "upbound_wait_60_seconds" { + count = local.upbound_aws_provider.enable == true ? 
1 : 0 + create_duration = "60s" + + depends_on = [kubectl_manifest.upbound_aws_provider] +} + +resource "kubectl_manifest" "upbound_aws_provider_config" { + count = local.upbound_aws_provider.enable == true ? 1 : 0 + yaml_body = templatefile("${path.module}/providers/aws-upbound/provider-config.yaml", { + provider-config-name = local.upbound_aws_provider.provider_config_name + }) + + depends_on = [kubectl_manifest.upbound_aws_provider, time_sleep.upbound_wait_60_seconds] +} + +#--------------------------------------------------------------- +# Crossplane AWS Provider +#--------------------------------------------------------------- + +#--------------------------------------------------------------- +# Crossplane Kubernetes Provider +#--------------------------------------------------------------- + +#--------------------------------------------------------------- +# Crossplane Helm Provider +#--------------------------------------------------------------- #--------------------------------------------------------------- # Supporting Resources diff --git a/bootstrap/terraform/providers/aws-upbound/.helmignore b/bootstrap/terraform/providers/aws-upbound/.helmignore new file mode 100644 index 00000000..0e8a0eb3 --- /dev/null +++ b/bootstrap/terraform/providers/aws-upbound/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/bootstrap/terraform/providers/aws-upbound/controller-config.yaml b/bootstrap/terraform/providers/aws-upbound/controller-config.yaml new file mode 100644 index 00000000..6806bfd8 --- /dev/null +++ b/bootstrap/terraform/providers/aws-upbound/controller-config.yaml 
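Review bot: `time_sleep.upbound_wait_60_seconds` is a fixed race rather than a readiness check: `wait = true` on `kubectl_manifest.upbound_aws_provider` waits for the Provider object to be accepted, not for its package to reach the Healthy condition and install the `aws.upbound.io` CRDs, so `upbound_aws_provider_config` can still fail when pulling the ten family packages takes longer than 60s. If the kubectl provider version in use supports a `wait_for` block on the manifest, keying it on the Provider's Healthy condition replaces the sleep with a real signal; otherwise the comment above the sleep should state that 60s is a heuristic and that a failed first apply is expected to succeed on re-run. `iam-role-arn = module.upbound_irsa_aws[0].iam_role_arn` is only valid because both resources carry the same `count` guard; a comment, `# both gated on local.upbound_aws_provider.enable, keep the two counts in sync`, makes that coupling visible.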
@@ -0,0 +1,13 @@
+# https://github.com/upbound/provider-aws/blob/main/docs/Configuration.md#create-a-controllerconfig
+---
+apiVersion: pkg.crossplane.io/v1alpha1
+kind: ControllerConfig
+metadata:
+ name: ${controller-config}
+ annotations:
+ eks.amazonaws.com/role-arn: ${iam-role-arn}
+spec:
+ podSecurityContext:
+ fsGroup: 2000
+ args:
+ - --debug
diff --git a/bootstrap/terraform/providers/aws-upbound/provider-config.yaml b/bootstrap/terraform/providers/aws-upbound/provider-config.yaml
new file mode 100644
index 00000000..b1fbebd1
--- /dev/null
+++ b/bootstrap/terraform/providers/aws-upbound/provider-config.yaml
@@ -0,0 +1,9 @@
+# https://github.com/upbound/provider-aws/blob/main/docs/Configuration.md#create-a-providerconfig
+---
+apiVersion: aws.upbound.io/v1beta1
+kind: ProviderConfig
+metadata:
+ name: ${provider-config-name}
+spec:
+ credentials:
+ source: IRSA
diff --git a/bootstrap/terraform/providers/aws-upbound/provider.yaml b/bootstrap/terraform/providers/aws-upbound/provider.yaml
new file mode 100644
index 00000000..c3c7d7c0
--- /dev/null
+++ b/bootstrap/terraform/providers/aws-upbound/provider.yaml
@@ -0,0 +1,10 @@
+# https://github.com/upbound/provider-aws/blob/main/docs/Configuration.md#create-a-provider
+---
+apiVersion: pkg.crossplane.io/v1
+kind: Provider
+metadata:
+ name: upbound-aws-provider-${family}
+spec:
+ package: xpkg.upbound.io/upbound/provider-aws-${family}:${version}
+ controllerConfigRef:
+ name: ${controller-config}
diff --git a/bootstrap/terraform/providers/kubernetes/.helmignore b/bootstrap/terraform/providers/kubernetes/.helmignore
new file mode 100644
index 00000000..0e8a0eb3
--- /dev/null
+++ b/bootstrap/terraform/providers/kubernetes/.helmignore
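Review bot: `- --debug` in the ControllerConfig `args` switches the Upbound AWS provider to debug logging for the lifetime of the deployment, not just for the bootstrap; debug output is verbose and may echo attributes of managed resources into pod logs and from there into whatever log aggregation the cluster forwards to. Either gate it through the template (pass a `debug` variable from main.tf and emit the line only inside `%{ if debug }`), or add `# --debug: remove once provider installation is stable` so the flag does not ship as the permanent default. The `eks.amazonaws.com/role-arn` annotation is presumably what Crossplane propagates onto the provider's generated service account, whose name is what the `upbound-aws-provider-*` IRSA trust in main.tf matches; a comment here naming that coupling would keep the two files aligned when the controller name changes.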
@@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/bootstrap/terraform/providers/kubernetes/clusterrolebinding.yaml b/bootstrap/terraform/providers/kubernetes/clusterrolebinding.yaml new file mode 100644 index 00000000..d1111e72 --- /dev/null +++ b/bootstrap/terraform/providers/kubernetes/clusterrolebinding.yaml @@ -0,0 +1,12 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: provider-kubernetes +subjects: + - kind: ServiceAccount + name: provider-kubernetes + namespace: crossplane-system +roleRef: + kind: ClusterRole + name: cluster-admin + apiGroup: rbac.authorization.k8s.io diff --git a/bootstrap/terraform/providers/kubernetes/controllerconfig.yaml b/bootstrap/terraform/providers/kubernetes/controllerconfig.yaml new file mode 100644 index 00000000..2877891f --- /dev/null +++ b/bootstrap/terraform/providers/kubernetes/controllerconfig.yaml @@ -0,0 +1,8 @@ +apiVersion: pkg.crossplane.io/v1alpha1 +kind: ControllerConfig +metadata: + name: kubernetes-controller-config +spec: + serviceAccountName: kubernetes-provider + args: + - --debug diff --git a/bootstrap/terraform/providers/kubernetes/provider-config.yaml b/bootstrap/terraform/providers/kubernetes/provider-config.yaml new file mode 100644 index 00000000..db2e0e24 --- /dev/null +++ b/bootstrap/terraform/providers/kubernetes/provider-config.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: kubernetes.crossplane.io/v1alpha1 +kind: ProviderConfig +metadata: + name: ${kubernetes-provider-config} +spec: + credentials: + source: InjectedIdentity 
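Review bot: Binding `cluster-admin` to the `provider-kubernetes` service account makes provider-kubernetes a cluster-admin proxy: any principal that can create `kubernetes.crossplane.io` `Object` resources, or a composition that emits them, can create arbitrary cluster resources, RBAC bindings included, regardless of its own permissions. A dedicated ClusterRole listing the API groups and verbs the compositions actually need is the least-privilege fix; patch 03 parameterizes the role name (`cluster_role = "cluster-admin"` in the locals), so narrowing it later only needs a new ClusterRole and a local change. Until then, a comment at the top of the template, `# cluster-admin: provider-kubernetes acts with full cluster rights on behalf of anyone who can create Object resources`, records the trade-off where the next reader will see it.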
diff --git a/bootstrap/terraform/providers/kubernetes/provider.yaml b/bootstrap/terraform/providers/kubernetes/provider.yaml new file mode 100644 index 00000000..a0dfb144 --- /dev/null +++ b/bootstrap/terraform/providers/kubernetes/provider.yaml @@ -0,0 +1,9 @@ +apiVersion: pkg.crossplane.io/v1 +kind: Provider +metadata: + name: kubernetes-provider +spec: + revisionHistoryLimit: 0 + package: xpkg.upbound.io/crossplane-contrib/provider-kubernetes:v0.9.0 + controllerConfigRef: + name: kubernetes-controller-config diff --git a/bootstrap/terraform/versions.tf b/bootstrap/terraform/versions.tf index 4fc6a264..2ffd5358 100644 --- a/bootstrap/terraform/versions.tf +++ b/bootstrap/terraform/versions.tf @@ -19,7 +19,7 @@ terraform { helm = { source = "hashicorp/helm" - version = ">= 2.10.0" + version = ">= 2.11.0" } } } From 90f2f9c6de2e8af896c243c7169b248b6bfe855b Mon Sep 17 00:00:00 2001 From: Christina Andonov Date: Sat, 9 Sep 2023 20:47:21 -0700 Subject: [PATCH 03/13] kubernetes provider working --- bootstrap/terraform/main.tf | 78 ++++++++++++++++++- .../kubernetes/clusterrolebinding.yaml | 8 +- ...llerconfig.yaml => controller-config.yaml} | 4 +- .../providers/kubernetes/provider-config.yaml | 2 +- .../providers/kubernetes/provider.yaml | 6 +- .../kubernetes-provider/test-namespace.yaml | 2 - 6 files changed, 84 insertions(+), 16 deletions(-) rename bootstrap/terraform/providers/kubernetes/{controllerconfig.yaml => controller-config.yaml} (55%) diff --git a/bootstrap/terraform/main.tf b/bootstrap/terraform/main.tf index 05388663..5c5cdbe0 100644 --- a/bootstrap/terraform/main.tf +++ b/bootstrap/terraform/main.tf @@ -205,9 +205,7 @@ module "crossplane" { locals { crossplane_namespace = "crossplane-system" crossplane_sa_prefix = "provider-aws-" - kubernetes_provider = { - enable = true - } + upbound_aws_provider = { enable = true controller_config = "upbound-aws-controller-config" 
@@ -227,9 +225,21 @@ locals { "vpc" ] } + aws_provider = { enable = false } + + kubernetes_provider = { + enable = true + version = "v0.9.0" + service_account = "kubernetes-provider" + name = "kubernetes-provider" + controller_config = "kubernetes-controller-config" + provider_config_name = "default" + cluster_role = "cluster-admin" + } + } #--------------------------------------------------------------- @@ -249,7 +259,7 @@ module "upbound_irsa_aws" { oidc_providers = { main = { provider_arn = module.eks.oidc_provider_arn - namespace_service_accounts = ["${local.crossplane_namespace}:${local.upbound_aws_provider.sa_prefix}"] + namespace_service_accounts = ["${local.crossplane_namespace}:${local.upbound_aws_provider.sa_prefix}*"] } } 
@@ -302,6 +312,66 @@ resource "kubectl_manifest" "upbound_aws_provider_config" { #--------------------------------------------------------------- # Crossplane Kubernetes Provider #--------------------------------------------------------------- +resource "kubernetes_service_account_v1" "kubernetes_controller" { + count = local.kubernetes_provider.enable == true ? 1 : 0 + metadata { + name = local.kubernetes_provider.service_account + namespace = local.crossplane_namespace + } + + depends_on = [module.crossplane] +} + +resource "kubectl_manifest" "kubernetes_controller_clusterolebinding" { + count = local.kubernetes_provider.enable == true ? 1 : 0 + yaml_body = templatefile("${path.module}/providers/kubernetes/clusterrolebinding.yaml", { + namespace = local.crossplane_namespace + cluster-role = local.kubernetes_provider.cluster_role + sa-name = kubernetes_service_account_v1.kubernetes_controller[0].metadata[0].name + }) + wait = true + + depends_on = [module.crossplane] +} + +resource "kubectl_manifest" "kubernetes_controller_config" { + count = local.kubernetes_provider.enable == true ? 1 : 0 + yaml_body = templatefile("${path.module}/providers/kubernetes/controller-config.yaml", { + sa-name = kubernetes_service_account_v1.kubernetes_controller[0].metadata[0].name + controller-config = local.kubernetes_provider.controller_config + }) + wait = true + + depends_on = [module.crossplane] +} + +resource "kubectl_manifest" "kubernetes_provider" { + count = local.kubernetes_provider.enable == true ? 
1 : 0 + yaml_body = templatefile("${path.module}/providers/kubernetes/provider.yaml", { + version = local.kubernetes_provider.version + kubernetes-provider-name = local.kubernetes_provider.name + controller-config = local.kubernetes_provider.controller_config + }) + wait = true + + depends_on = [kubectl_manifest.kubernetes_controller_config] +} + +# Wait for the AWS Provider CRDs to be fully created before initiating aws_provider_config deployment +resource "time_sleep" "wait_60_seconds_kubernetes" { + create_duration = "60s" + + depends_on = [kubectl_manifest.kubernetes_provider] +} + +resource "kubectl_manifest" "kubernetes_provider_config" { + count = local.kubernetes_provider.enable == true ? 1 : 0 + yaml_body = templatefile("${path.module}/providers/kubernetes/provider-config.yaml", { + provider-config-name = local.kubernetes_provider.provider_config_name + }) + + depends_on = [kubectl_manifest.kubernetes_provider, time_sleep.wait_60_seconds_kubernetes] +} #--------------------------------------------------------------- # Crossplane Helm Provider diff --git a/bootstrap/terraform/providers/kubernetes/clusterrolebinding.yaml b/bootstrap/terraform/providers/kubernetes/clusterrolebinding.yaml index d1111e72..8fc135f9 100644 --- a/bootstrap/terraform/providers/kubernetes/clusterrolebinding.yaml +++ b/bootstrap/terraform/providers/kubernetes/clusterrolebinding.yaml @@ -1,12 +1,12 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: provider-kubernetes + name: ${sa-name} subjects: - kind: ServiceAccount - name: provider-kubernetes - namespace: crossplane-system + name: ${sa-name} + namespace: ${namespace} roleRef: kind: ClusterRole - name: cluster-admin + name: ${cluster-role} apiGroup: rbac.authorization.k8s.io 
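Review bot: `time_sleep.wait_60_seconds_kubernetes` is the only resource in the Kubernetes provider section without `count = local.kubernetes_provider.enable == true ? 1 : 0`, so it is created even when the provider is disabled, and its comment ("Wait for the AWS Provider CRDs … aws_provider_config") was copied from the Upbound section. Add the same `count` guard and change the comment to `# Wait for the Kubernetes Provider CRDs to be created before applying kubernetes_provider_config`; `kubectl_manifest.kubernetes_provider_config` references the sleep by address in `depends_on`, so the guard does not alter the dependency. The resource name `kubernetes_controller_clusterolebinding` is missing an `r` (`clusterrolebinding`); renaming it now avoids a state move later. The same 60-second heuristic as in the Upbound section applies here: it is not a readiness signal for the provider package.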
diff --git a/bootstrap/terraform/providers/kubernetes/controllerconfig.yaml b/bootstrap/terraform/providers/kubernetes/controller-config.yaml similarity index 55% rename from bootstrap/terraform/providers/kubernetes/controllerconfig.yaml rename to bootstrap/terraform/providers/kubernetes/controller-config.yaml index 2877891f..ebb41ac7 100644 --- a/bootstrap/terraform/providers/kubernetes/controllerconfig.yaml +++ b/bootstrap/terraform/providers/kubernetes/controller-config.yaml @@ -1,8 +1,8 @@ apiVersion: pkg.crossplane.io/v1alpha1 kind: ControllerConfig metadata: - name: kubernetes-controller-config + name: ${controller-config} spec: - serviceAccountName: kubernetes-provider + serviceAccountName: ${sa-name} args: - --debug diff --git a/bootstrap/terraform/providers/kubernetes/provider-config.yaml b/bootstrap/terraform/providers/kubernetes/provider-config.yaml index db2e0e24..ff25439b 100644 --- a/bootstrap/terraform/providers/kubernetes/provider-config.yaml +++ b/bootstrap/terraform/providers/kubernetes/provider-config.yaml @@ -2,7 +2,7 @@ apiVersion: kubernetes.crossplane.io/v1alpha1 kind: ProviderConfig metadata: - name: ${kubernetes-provider-config} + name: ${provider-config-name} spec: credentials: source: InjectedIdentity diff --git a/bootstrap/terraform/providers/kubernetes/provider.yaml b/bootstrap/terraform/providers/kubernetes/provider.yaml index a0dfb144..4a8019bf 100644 --- a/bootstrap/terraform/providers/kubernetes/provider.yaml +++ b/bootstrap/terraform/providers/kubernetes/provider.yaml @@ -1,9 +1,9 @@ apiVersion: pkg.crossplane.io/v1 kind: Provider metadata: - name: kubernetes-provider + name: ${kubernetes-provider-name} spec: revisionHistoryLimit: 0 - package: xpkg.upbound.io/crossplane-contrib/provider-kubernetes:v0.9.0 + package: xpkg.upbound.io/crossplane-contrib/provider-kubernetes:${version} controllerConfigRef: - name: kubernetes-controller-config + name: ${controller-config} 
diff --git a/examples/kubernetes-provider/test-namespace.yaml b/examples/kubernetes-provider/test-namespace.yaml index b2e0b573..663d500c 100644 --- a/examples/kubernetes-provider/test-namespace.yaml +++ b/examples/kubernetes-provider/test-namespace.yaml @@ -10,5 +10,3 @@ spec: metadata: labels: example: "true" - providerConfigRef: - name: kubernetes-provider-config # Refer this file for providerConfigRef.name -> bootstrap/terraform/crossplane-providers/kubernetes-provider.yaml From 27bed60a1375a81641721a9f9133888e4d1750ef Mon Sep 17 00:00:00 2001 From: Christina Andonov Date: Sat, 9 Sep 2023 21:48:34 -0700 Subject: [PATCH 04/13] updating destroy script --- bootstrap/terraform/destroy.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bootstrap/terraform/destroy.sh b/bootstrap/terraform/destroy.sh index cf34856d..1e686718 100755 --- a/bootstrap/terraform/destroy.sh +++ b/bootstrap/terraform/destroy.sh @@ -2,8 +2,8 @@ set -xe +terraform destroy -target="module.crossplane" -auto-approve terraform destroy -target="module.eks_blueprints_addons" -auto-approve -terraform destroy -target="module.eks_blueprints_crossplane_addons" -auto-approve terraform destroy -target="module.eks" -auto-approve terraform destroy -target="module.vpc" -auto-approve terraform destroy -auto-approve From 08173ef2261c5ea5f2878d11b491b12c7b52a96b Mon Sep 17 00:00:00 2001 From: Christina Andonov Date: Sun, 10 Sep 2023 10:14:13 -0700 Subject: [PATCH 05/13] irsa working --- bootstrap/terraform/README.md | 4 ++ bootstrap/terraform/argocd-values.yaml | 72 ++++++++++++++++++++------ bootstrap/terraform/main.tf | 10 ++-- 3 files changed, 65 insertions(+), 21 deletions(-) diff --git a/bootstrap/terraform/README.md b/bootstrap/terraform/README.md index 16eaeb44..fd3e6543 100644 --- a/bootstrap/terraform/README.md +++ b/bootstrap/terraform/README.md 
@@ -147,6 +147,10 @@ echo "$(kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{. ## Clean up 1. Delete resources created by Crossplane such as first Claims, then XRDs and Compositions. +1. Remove crossplane providers by setting `enable = false` in main.tf for each provider and running `terraform apply` + +1. Run `kubectl get providers` to validate all providers were removed. If any left, remove using `kubectl delete providers ` + 1. Delete the EKS cluster and it's resources with the following command ```bash ./destroy.sh diff --git a/bootstrap/terraform/argocd-values.yaml b/bootstrap/terraform/argocd-values.yaml index 82d439fa..41e091ff 100644 --- a/bootstrap/terraform/argocd-values.yaml +++ b/bootstrap/terraform/argocd-values.yaml @@ -82,14 +82,6 @@ configs: end for i, condition in ipairs(obj.status.conditions) do - if condition.type == "Ready" then - if condition.status == "True" then - health_status.status = "Healthy" - health_status.message = "Resource is up-to-date." - return health_status - end - end - if condition.type == "LastAsyncOperation" then if condition.status == "False" then health_status.status = "Degraded" @@ -105,6 +97,14 @@ configs: return health_status end end + + if condition.type == "Ready" then + if condition.status == "True" then + health_status.status = "Healthy" + health_status.message = "Resource is up-to-date." + return health_status + end + end end return health_status @@ -121,14 +121,6 @@ configs: end for i, condition in ipairs(obj.status.conditions) do - if condition.type == "Ready" then - if condition.status == "True" then - health_status.status = "Healthy" - health_status.message = "Resource is up-to-date." - return health_status - end - end - if condition.type == "LastAsyncOperation" then if condition.status == "False" then health_status.status = "Degraded" 
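Review bot: Moving the `Ready` check below the `LastAsyncOperation` check (this hunk together with `@@ -105,6`, and the same reorder in the `@@ -121,14` / `@@ -144,6` and `@@ -161,6` hunks) changes precedence: a resource with `Ready=True` but a failing async operation or `Synced=False` now reports Degraded instead of Healthy, so drift and failed reconciles are surfaced in Argo CD rather than masked. That appears intentional, but nothing in the Lua says so; a one-line comment above the loop, `-- evaluate LastAsyncOperation/Synced before Ready so a failing reconcile is not hidden by a stale Ready=True`, would keep a later editor from restoring the old order. The four near-identical health scripts now differ only by the resource-group key, so the comment could also note that they are meant to be edited together.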
@@ -144,6 +136,14 @@ configs: return health_status end end + + if condition.type == "Ready" then + if condition.status == "True" then + health_status.status = "Healthy" + health_status.message = "Resource is up-to-date." + return health_status + end + end end return health_status @@ -161,6 +161,22 @@ configs: end for i, condition in ipairs(obj.status.conditions) do + if condition.type == "LastAsyncOperation" then + if condition.status == "False" then + health_status.status = "Degraded" + health_status.message = condition.message + return health_status + end + end + + if condition.type == "Synced" then + if condition.status == "False" then + health_status.status = "Degraded" + health_status.message = condition.message + return health_status + end + end + if condition.type == "Ready" then if condition.status == "True" then health_status.status = "Healthy" @@ -168,7 +184,23 @@ configs: return health_status end end + end + return health_status + %{endif} + %{ if crossplane_kubernetes_provider_enable } + "kubernetes.crossplane.io/*": + health.lua: | + health_status = { + status = "Progressing", + message = "Provisioning ..." + } + + if obj.status == nil or obj.status.conditions == nil then + return health_status + end + + for i, condition in ipairs(obj.status.conditions) do if condition.type == "LastAsyncOperation" then if condition.status == "False" then health_status.status = "Degraded" @@ -184,6 +216,14 @@ configs: return health_status end end + + if condition.type == "Ready" then + if condition.status == "True" then + health_status.status = "Healthy" + health_status.message = "Resource is up-to-date." + return health_status + end + end end return health_status diff --git a/bootstrap/terraform/main.tf b/bootstrap/terraform/main.tf index 5c5cdbe0..6df96df1 100644 --- a/bootstrap/terraform/main.tf +++ b/bootstrap/terraform/main.tf 
@@ -143,6 +143,7 @@ module "eks_blueprints_addons" {
 templatefile("${path.module}/argocd-values.yaml", {
 crossplane_aws_provider_enable = local.aws_provider.enable
 crossplane_upbound_aws_provider_enable = local.upbound_aws_provider.enable
+ crossplane_kubernetes_provider_enable = local.kubernetes_provider.enable
 })]
 }
 enable_karpenter = true
@@ -204,14 +205,12 @@ module "crossplane" {
 #---------------------------------------------------------------
 locals {
 crossplane_namespace = "crossplane-system"
- crossplane_sa_prefix = "provider-aws-"
 upbound_aws_provider = {
 enable = true
 controller_config = "upbound-aws-controller-config"
- provider_config_name = "aws-provider-config"
+ provider_config_name = "aws-provider-config" #this is the providerConfigName used in all the examples in this repo
 version = "v0.40.0"
- sa_prefix = "upbound-aws-provider-"
 families = [
 "dynamodb",
 "elasticache",
@@ -250,7 +249,8 @@ module "upbound_irsa_aws" {
 source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
 version = "~> 5.30"
- role_name_prefix = local.upbound_aws_provider.sa_prefix
+ role_name = "${local.name}-upbound-aws-provider"
+ assume_role_condition_test = "StringLike"
 role_policy_arns = {
 policy = "arn:aws:iam::aws:policy/AdministratorAccess"
@@ -259,7 +259,7 @@ module "upbound_irsa_aws" {
 oidc_providers = {
 main = {
 provider_arn = module.eks.oidc_provider_arn
- namespace_service_accounts = ["${local.crossplane_namespace}:${local.upbound_aws_provider.sa_prefix}*"]
+ namespace_service_accounts = ["${local.crossplane_namespace}:upbound-aws-provider-*"]
 }
 }
From bfa45a5b176078a5932c7b6b063311128e87ff09 Mon Sep 17 00:00:00 2001
From: Christina Andonov
Date: Sun, 10 Sep 2023 10:30:35 -0700
Subject: [PATCH 06/13] adding environmentconfig for irsa
---
 bootstrap/terraform/environmentconfig.yaml | 7 +++++++
 bootstrap/terraform/main.tf | 9 +++++++++
 2 files changed, 16 insertions(+)
 create mode 100644 bootstrap/terraform/environmentconfig.yaml
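Review bot: `assume_role_condition_test = "StringLike"` (the `@@ -250,7` hunk) combined with `namespace_service_accounts = ["${local.crossplane_namespace}:upbound-aws-provider-*"]` (the `@@ -259,7` hunk) turns the IRSA trust policy into a prefix match on a role that carries `AdministratorAccess`, so any ServiceAccount created in `crossplane-system` whose name starts with `upbound-aws-provider-` can assume it. The wildcard is presumably required because Crossplane generates the provider's ServiceAccount name with a revision suffix, but it makes the right to create ServiceAccounts in that namespace equivalent to holding the admin role, which deserves a comment on the `namespace_service_accounts` line such as `# StringLike + wildcard: any SA named upbound-aws-provider-* in crossplane-system can assume this admin role; restrict SA creation in the namespace`. The same pattern is introduced for `module "irsa_aws_provider"` in the `@@ -328,6 +332,67` hunk of patch 10/13. `module "upbound_irsa_aws"` begins and ends outside these hunks.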
diff --git a/bootstrap/terraform/environmentconfig.yaml b/bootstrap/terraform/environmentconfig.yaml
new file mode 100644
index 00000000..681c723c
--- /dev/null
+++ b/bootstrap/terraform/environmentconfig.yaml
@@ -0,0 +1,7 @@
+apiVersion: apiextensions.crossplane.io/v1alpha1
+kind: EnvironmentConfig
+metadata:
+ name: irsa
+data:
+ awsAccountID: ${awsAccountID}
+ eksOIDC: ${eksOIDC}
diff --git a/bootstrap/terraform/main.tf b/bootstrap/terraform/main.tf
index 6df96df1..05b5ac23 100644
--- a/bootstrap/terraform/main.tf
+++ b/bootstrap/terraform/main.tf
@@ -200,6 +200,15 @@ module "crossplane" {
 depends_on = [module.eks.eks_managed_node_groups]
 }
+resource "kubectl_manifest" "environmentconfig" {
+ yaml_body = templatefile("${path.module}/environmentconfig.yaml", {
+ awsAccountID = data.aws_caller_identity.current.account_id
+ eksOIDC = module.eks.oidc_provider_arn
+ })
+
+ depends_on = [module.crossplane]
+}
+
 #---------------------------------------------------------------
 # Crossplane Providers Settings
 #---------------------------------------------------------------
From 79a386cb6fa6a81752fb7729049774d13fb56c74 Mon Sep 17 00:00:00 2001
From: Christina Andonov
Date: Sun, 10 Sep 2023 11:00:24 -0700
Subject: [PATCH 07/13] fixing environmentconfig
---
 bootstrap/terraform/environmentconfig.yaml | 3 ++-
 bootstrap/terraform/main.tf | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/bootstrap/terraform/environmentconfig.yaml b/bootstrap/terraform/environmentconfig.yaml
index 681c723c..d6e43f8a 100644
--- a/bootstrap/terraform/environmentconfig.yaml
+++ b/bootstrap/terraform/environmentconfig.yaml
@@ -1,7 +1,8 @@
 apiVersion: apiextensions.crossplane.io/v1alpha1
 kind: EnvironmentConfig
 metadata:
- name: irsa
+ name: cluster
 data:
 awsAccountID: ${awsAccountID}
 eksOIDC: ${eksOIDC}
+ vpcID: ${vpcID}
diff --git a/bootstrap/terraform/main.tf b/bootstrap/terraform/main.tf
index 05b5ac23..5663ab76 100644
--- a/bootstrap/terraform/main.tf
+++ b/bootstrap/terraform/main.tf
@@ -203,7 +203,8 @@ module "crossplane" {
 resource "kubectl_manifest" "environmentconfig" {
 yaml_body = templatefile("${path.module}/environmentconfig.yaml", {
 awsAccountID = data.aws_caller_identity.current.account_id
- eksOIDC = module.eks.oidc_provider_arn
+ eksOIDC = module.eks.oidc_provider
+ vpcID = module.vpc.vpc_id
 })
 depends_on = [module.crossplane]
From 7f584f283e2da5b3f59329cb703c4c8629d19440 Mon Sep 17 00:00:00 2001
From: Christina Andonov
Date: Sun, 10 Sep 2023 11:29:26 -0700
Subject: [PATCH 08/13] fixing environmentconfig
---
 bootstrap/terraform/environmentconfig.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/bootstrap/terraform/environmentconfig.yaml b/bootstrap/terraform/environmentconfig.yaml
index d6e43f8a..fa838164 100644
--- a/bootstrap/terraform/environmentconfig.yaml
+++ b/bootstrap/terraform/environmentconfig.yaml
@@ -3,6 +3,6 @@ kind: EnvironmentConfig
 metadata:
 name: cluster
 data:
- awsAccountID: ${awsAccountID}
+ awsAccountID: "${awsAccountID}"
 eksOIDC: ${eksOIDC}
 vpcID: ${vpcID}
From db366879f6e980a463631b8fb9fd77f0184fefbd Mon Sep 17 00:00:00 2001
From: Christina Andonov
Date: Sun, 10 Sep 2023 16:35:43 -0700
Subject: [PATCH 09/13] adding helm provider
---
 bootstrap/terraform/main.tf | 73 ++++++++++++++++++-
 .../providers/helm/clusterrolebinding.yaml | 12 +++
 .../providers/helm/controller-config.yaml | 6 ++
 .../providers/helm/provider-config.yaml | 9 +++
 .../terraform/providers/helm/provider.yaml | 8 ++
 .../providers/kubernetes/provider.yaml | 1 -
 examples/helm-provider/test-helm.yaml | 11 +++
 7 files changed, 118 insertions(+), 2 deletions(-)
 create mode 100644 bootstrap/terraform/providers/helm/clusterrolebinding.yaml
 create mode 100644 bootstrap/terraform/providers/helm/controller-config.yaml
 create mode 100644 bootstrap/terraform/providers/helm/provider-config.yaml
 create mode 100644 bootstrap/terraform/providers/helm/provider.yaml
 create mode 100644 examples/helm-provider/test-helm.yaml
diff --git a/bootstrap/terraform/main.tf b/bootstrap/terraform/main.tf
index 5663ab76..b1afde19 100644
--- a/bootstrap/terraform/main.tf
+++ b/bootstrap/terraform/main.tf
@@ -249,6 +249,16 @@ locals {
 cluster_role = "cluster-admin"
 }
+ helm_provider = {
+ enable = true
+ version = "v0.15.0"
+ service_account = "helm-provider"
+ name = "helm-provider"
+ controller_config = "helm-controller-config"
+ provider_config_name = "default"
+ cluster_role = "cluster-admin"
+ }
+
 }
 #---------------------------------------------------------------
@@ -367,7 +377,7 @@ resource "kubectl_manifest" "kubernetes_provider" {
 depends_on = [kubectl_manifest.kubernetes_controller_config]
 }
-# Wait for the AWS Provider CRDs to be fully created before initiating aws_provider_config deployment
+# Wait for the AWS Provider CRDs to be fully created before initiating provider_config deployment
 resource "time_sleep" "wait_60_seconds_kubernetes" {
 create_duration = "60s"
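Review bot: The new `helm_provider` local sets `cluster_role = "cluster-admin"`, matching the `cluster_role = "cluster-admin"` context line of the entry above it (presumably `kubernetes_provider`), and the ClusterRoleBinding template added in this patch binds the provider's ServiceAccount to that ClusterRole; anyone who can create `Release` objects then effectively installs arbitrary charts with cluster-admin. If that trade-off is acceptable for a bootstrap sample it should be stated next to the value, e.g. `cluster_role = "cluster-admin" # binds the provider SA cluster-wide; use a narrower ClusterRole on shared clusters`. The `locals` block begins and ends outside this hunk.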
@@ -386,6 +396,67 @@ resource "kubectl_manifest" "kubernetes_provider_config" {
 #---------------------------------------------------------------
 # Crossplane Helm Provider
 #---------------------------------------------------------------
+resource "kubernetes_service_account_v1" "helm_controller" {
+ count = local.helm_provider.enable == true ? 1 : 0
+ metadata {
+ name = local.helm_provider.service_account
+ namespace = local.crossplane_namespace
+ }
+
+ depends_on = [module.crossplane]
+}
+
+resource "kubectl_manifest" "helm_controller_clusterolebinding" {
+ count = local.helm_provider.enable == true ? 1 : 0
+ yaml_body = templatefile("${path.module}/providers/helm/clusterrolebinding.yaml", {
+ namespace = local.crossplane_namespace
+ cluster-role = local.helm_provider.cluster_role
+ sa-name = kubernetes_service_account_v1.helm_controller[0].metadata[0].name
+ })
+ wait = true
+
+ depends_on = [module.crossplane]
+}
+
+resource "kubectl_manifest" "helm_controller_config" {
+ count = local.helm_provider.enable == true ? 1 : 0
+ yaml_body = templatefile("${path.module}/providers/helm/controller-config.yaml", {
+ sa-name = kubernetes_service_account_v1.helm_controller[0].metadata[0].name
+ controller-config = local.helm_provider.controller_config
+ })
+ wait = true
+
+ depends_on = [module.crossplane]
+}
+
+resource "kubectl_manifest" "helm_provider" {
+ count = local.helm_provider.enable == true ? 
1 : 0
+ yaml_body = templatefile("${path.module}/providers/helm/provider.yaml", {
+ version = local.helm_provider.version
+ helm-provider-name = local.helm_provider.name
+ controller-config = local.helm_provider.controller_config
+ })
+ wait = true
+
+ depends_on = [kubectl_manifest.helm_controller_config]
+}
+
+# Wait for the AWS Provider CRDs to be fully created before initiating provider_config deployment
+resource "time_sleep" "wait_60_seconds_helm" {
+ create_duration = "60s"
+
+ depends_on = [kubectl_manifest.helm_provider]
+}
+
+resource "kubectl_manifest" "helm_provider_config" {
+ count = local.helm_provider.enable == true ? 1 : 0
+ yaml_body = templatefile("${path.module}/providers/helm/provider-config.yaml", {
+ provider-config-name = local.helm_provider.provider_config_name
+ })
+
+ depends_on = [kubectl_manifest.helm_provider, time_sleep.wait_60_seconds_helm]
+}
+
 #---------------------------------------------------------------
 # Supporting Resources
diff --git a/bootstrap/terraform/providers/helm/clusterrolebinding.yaml b/bootstrap/terraform/providers/helm/clusterrolebinding.yaml
new file mode 100644
index 00000000..8fc135f9
--- /dev/null
+++ b/bootstrap/terraform/providers/helm/clusterrolebinding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: ${sa-name}
+subjects:
+ - kind: ServiceAccount
+ name: ${sa-name}
+ namespace: ${namespace}
+roleRef:
+ kind: ClusterRole
+ name: ${cluster-role}
+ apiGroup: rbac.authorization.k8s.io
diff --git a/bootstrap/terraform/providers/helm/controller-config.yaml b/bootstrap/terraform/providers/helm/controller-config.yaml
new file mode 100644
index 00000000..2e2f7748
--- /dev/null
+++ b/bootstrap/terraform/providers/helm/controller-config.yaml
@@ -0,0 +1,6 @@
+apiVersion: pkg.crossplane.io/v1alpha1
+kind: ControllerConfig
+metadata:
+ name: ${controller-config}
+spec:
+ serviceAccountName: ${sa-name}
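Review bot: `time_sleep.wait_60_seconds_helm` has no `count` guard, unlike every other resource added in this hunk, so the 60-second sleep is created even when `local.helm_provider.enable` is false; the equivalent `aws_wait_60_seconds` in patch 10/13 carries `count = local.aws_provider.enable == true ? 1 : 0` and this one should match. The comment above it, `# Wait for the AWS Provider CRDs to be fully created before initiating provider_config deployment`, is copied from the AWS block and should read `# Wait for the Helm Provider CRDs to be fully created before initiating provider_config deployment`. `kubectl_manifest.helm_provider_config` is also the only manifest in the hunk without `wait = true`; if that is deliberate, a short comment saying why would help.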
diff --git a/bootstrap/terraform/providers/helm/provider-config.yaml b/bootstrap/terraform/providers/helm/provider-config.yaml
new file mode 100644
index 00000000..bf38c00d
--- /dev/null
+++ b/bootstrap/terraform/providers/helm/provider-config.yaml
@@ -0,0 +1,9 @@
+# https://github.com/crossplane-contrib/provider-helm/blob/master/examples/provider-config/provider-config-incluster.yaml
+---
+apiVersion: helm.crossplane.io/v1beta1
+kind: ProviderConfig
+metadata:
+ name: ${provider-config-name}
+spec:
+ credentials:
+ source: InjectedIdentity
diff --git a/bootstrap/terraform/providers/helm/provider.yaml b/bootstrap/terraform/providers/helm/provider.yaml
new file mode 100644
index 00000000..b203e69e
--- /dev/null
+++ b/bootstrap/terraform/providers/helm/provider.yaml
@@ -0,0 +1,8 @@
+apiVersion: pkg.crossplane.io/v1
+kind: Provider
+metadata:
+ name: ${helm-provider-name}
+spec:
+ package: xpkg.upbound.io/crossplane-contrib/provider-helm:${version}
+ controllerConfigRef:
+ name: ${controller-config}
diff --git a/bootstrap/terraform/providers/kubernetes/provider.yaml b/bootstrap/terraform/providers/kubernetes/provider.yaml
index 4a8019bf..be7db057 100644
--- a/bootstrap/terraform/providers/kubernetes/provider.yaml
+++ b/bootstrap/terraform/providers/kubernetes/provider.yaml
@@ -3,7 +3,6 @@ kind: Provider
 metadata:
 name: ${kubernetes-provider-name}
 spec:
- revisionHistoryLimit: 0
 package: xpkg.upbound.io/crossplane-contrib/provider-kubernetes:${version}
 controllerConfigRef:
 name: ${controller-config}
diff --git a/examples/helm-provider/test-helm.yaml b/examples/helm-provider/test-helm.yaml
new file mode 100644
index 00000000..78a2ded1
--- /dev/null
+++ b/examples/helm-provider/test-helm.yaml
@@ -0,0 +1,11 @@
+apiVersion: helm.crossplane.io/v1beta1
+kind: Release
+metadata:
+ name: hello-example
+spec:
+ forProvider:
+ chart:
+ name: hello
+ repository: https://cloudecho.github.io/charts
+ version: 0.1.2
+ namespace: default
From f2235ca09f8680ab8a595d70d84dcd7ceb577024 Mon Sep 17 00:00:00 2001
From: Christina Andonov
Date: Sun, 10 Sep 2023 17:43:05 -0700
Subject: [PATCH 10/13] aws_provider, role and readme update
---
 bootstrap/terraform/README.md | 5 +-
 bootstrap/terraform/main.tf | 75 +++++++++++++++++--
 .../providers/aws/controller-config.yaml | 11 +++
 .../providers/aws/provider-config.yaml | 7 ++
 .../terraform/providers/aws/provider.yaml | 8 ++
 5 files changed, 100 insertions(+), 6 deletions(-)
 create mode 100644 bootstrap/terraform/providers/aws/controller-config.yaml
 create mode 100644 bootstrap/terraform/providers/aws/provider-config.yaml
 create mode 100644 bootstrap/terraform/providers/aws/provider.yaml
diff --git a/bootstrap/terraform/README.md b/bootstrap/terraform/README.md
index fd3e6543..f0bb83e0 100644
--- a/bootstrap/terraform/README.md
+++ b/bootstrap/terraform/README.md
@@ -5,8 +5,10 @@ This example deploys the following components
 - Creates Internet gateway for Public Subnets and NAT Gateway for Private Subnets
 - Creates EKS Cluster Control plane with one managed node group
 - Crossplane Add-on to EKS Cluster
+- Upbound AWS Provider for Crossplane
 - AWS Provider for Crossplane
 - Kubernetes Provider for Crossplane
+- Helm Provider for Crossplane
 ## Crossplane Deployment Design
@@ -59,7 +61,8 @@ git clone https://github.com/aws-samples/crossplane-aws-blueprints.git
 ```
 > [!IMPORTANT]
-> The examples in this repository make use of one of the Crossplane AWS providers. For example, if you are using the `crossplane_upbound_aws_provider_enable` provider, make sure to set the [`crossplane_aws_provider_enable`](https://github.com/awslabs/crossplane-on-eks/blob/main/bootstrap/terraform/main.tf#L59) to `false` in order install only the necessary CRDs to the Kubernetes cluster.
+> The examples in this repository make use of one of the Crossplane AWS providers.
+For that reason `upbound_aws_provider.enable` is set to `true` and `aws_provider.enable` is set to `false`. If you use the examples for `aws_provider`, adjust the terraform [main.tf](https://github.com/awslabs/crossplane-on-eks/blob/main/bootstrap/terraform/main.tf) in order install only the necessary CRDs to the Kubernetes cluster.
 #### Step2: Run Terraform INIT
 Initialize a working directory with configuration files
diff --git a/bootstrap/terraform/main.tf b/bootstrap/terraform/main.tf
index b1afde19..567963ad 100644
--- a/bootstrap/terraform/main.tf
+++ b/bootstrap/terraform/main.tf
@@ -217,10 +217,10 @@ locals {
 crossplane_namespace = "crossplane-system"
 upbound_aws_provider = {
- enable = true
- controller_config = "upbound-aws-controller-config"
+ enable = true #NOTE: if you only use one aws provider, only enable one
+ version = "v0.40.0"
+ controller_config = "upbound-aws-controller-config"
 provider_config_name = "aws-provider-config" #this is the providerConfigName used in all the examples in this repo
- version = "v0.40.0"
 families = [
 "dynamodb",
 "elasticache",
@@ -236,7 +236,11 @@ locals {
 }
 aws_provider = {
- enable = false
+ enable = false #NOTE: if you only use one aws provider, only enable one
+ version = "v0.43.1"
+ name = "aws-provider"
+ controller_config = "aws-controller-config"
+ provider_config_name = "aws-provider-config" #this is the providerConfigName used in all the examples in this repo
 }
 kubernetes_provider = {
@@ -269,7 +273,7 @@ module "upbound_irsa_aws" {
 source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
 version = "~> 5.30"
- role_name = "${local.name}-upbound-aws-provider"
+ role_name_prefix = "${local.name}-upbound-aws-"
 assume_role_condition_test = "StringLike"
 role_policy_arns = {
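Review bot: `role_name_prefix = "${local.name}-upbound-aws-"` (the `@@ -269,7` hunk) is presumably passed through to `aws_iam_role.name_prefix`, which appends a generated unique suffix of roughly 26 characters, so the prefix must stay within about 38 characters or the apply fails on IAM's 64-character role-name limit; `local.name` is defined outside this hunk, so nothing here bounds it. A comment on the line, `# keep local.name short: name_prefix plus the generated suffix must fit IAM's 64-char role-name limit`, would make the constraint visible, and the same applies to `role_name_prefix = "${local.name}-aws-provider-"` in `module "irsa_aws_provider"` added later in this patch. `module "upbound_irsa_aws"` begins and ends outside the hunk.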
@@ -328,6 +332,67 @@ resource "kubectl_manifest" "upbound_aws_provider_config" {
 #---------------------------------------------------------------
 # Crossplane AWS Provider
 #---------------------------------------------------------------
+module "irsa_aws_provider" {
+ count = local.aws_provider.enable == true ? 1 : 0
+ source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
+ version = "~> 5.30"
+
+ role_name_prefix = "${local.name}-aws-provider-"
+ assume_role_condition_test = "StringLike"
+
+ role_policy_arns = {
+ policy = "arn:aws:iam::aws:policy/AdministratorAccess"
+ }
+
+ oidc_providers = {
+ main = {
+ provider_arn = module.eks.oidc_provider_arn
+ namespace_service_accounts = ["${local.crossplane_namespace}:aws-provider-*"]
+ }
+ }
+
+ tags = local.tags
+}
+
+resource "kubectl_manifest" "aws_controller_config" {
+ count = local.aws_provider.enable == true ? 1 : 0
+ yaml_body = templatefile("${path.module}/providers/aws/controller-config.yaml", {
+ iam-role-arn = module.irsa_aws_provider[0].iam_role_arn
+ controller-config = local.aws_provider.controller_config
+ })
+
+ depends_on = [module.crossplane]
+}
+
+resource "kubectl_manifest" "aws_provider" {
+ count = local.aws_provider.enable == true ? 1 : 0
+ yaml_body = templatefile("${path.module}/providers/aws/provider.yaml", {
+ aws-provider-name = local.aws_provider.name
+ version = local.aws_provider.version
+ controller-config = local.aws_provider.controller_config
+ })
+ wait = true
+
+ depends_on = [kubectl_manifest.aws_controller_config]
+}
+
+# Wait for the Upbound AWS Provider CRDs to be fully created before initiating aws_provider_config
+resource "time_sleep" "aws_wait_60_seconds" {
+ count = local.aws_provider.enable == true ? 1 : 0
+ create_duration = "60s"
+
+ depends_on = [kubectl_manifest.aws_provider]
+}
+
+resource "kubectl_manifest" "aws_provider_config" {
+ count = local.aws_provider.enable == true ? 
1 : 0
+ yaml_body = templatefile("${path.module}/providers/aws/provider-config.yaml", {
+ provider-config-name = local.aws_provider.provider_config_name
+ })
+
+ depends_on = [kubectl_manifest.aws_provider, time_sleep.aws_wait_60_seconds]
+}
+
 #---------------------------------------------------------------
 # Crossplane Kubernetes Provider
diff --git a/bootstrap/terraform/providers/aws/controller-config.yaml b/bootstrap/terraform/providers/aws/controller-config.yaml
new file mode 100644
index 00000000..ea416165
--- /dev/null
+++ b/bootstrap/terraform/providers/aws/controller-config.yaml
@@ -0,0 +1,11 @@
+apiVersion: pkg.crossplane.io/v1alpha1
+kind: ControllerConfig
+metadata:
+ name: ${controller-config}
+ annotations:
+ eks.amazonaws.com/role-arn: ${iam-role-arn}
+spec:
+ podSecurityContext:
+ fsGroup: 2000
+ args:
+ - --debug
diff --git a/bootstrap/terraform/providers/aws/provider-config.yaml b/bootstrap/terraform/providers/aws/provider-config.yaml
new file mode 100644
index 00000000..fdb6c30e
--- /dev/null
+++ b/bootstrap/terraform/providers/aws/provider-config.yaml
@@ -0,0 +1,7 @@
+apiVersion: aws.crossplane.io/v1beta1
+kind: ProviderConfig
+metadata:
+ name: ${provider-config-name}
+spec:
+ credentials:
+ source: InjectedIdentity
diff --git a/bootstrap/terraform/providers/aws/provider.yaml b/bootstrap/terraform/providers/aws/provider.yaml
new file mode 100644
index 00000000..c9d29ed5
--- /dev/null
+++ b/bootstrap/terraform/providers/aws/provider.yaml
@@ -0,0 +1,8 @@
+apiVersion: pkg.crossplane.io/v1
+kind: Provider
+metadata:
+ name: ${aws-provider-name}
+spec:
+ package: xpkg.upbound.io/crossplane-contrib/provider-aws:${version}
+ controllerConfigRef:
+ name: ${controller-config}
From 300b7b42965d06556be28e7b6dc6b826349d8ae0 Mon Sep 17 00:00:00 2001
From: Christina Andonov
Date: Mon, 11 Sep 2023 10:59:26 -0700
Subject: [PATCH 11/13] argocd version upgrade
---
 bootstrap/terraform/main.tf | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
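Review bot: The comment on `time_sleep.aws_wait_60_seconds`, `# Wait for the Upbound AWS Provider CRDs to be fully created before initiating aws_provider_config`, names the wrong provider: this block installs `crossplane-contrib/provider-aws`, so it should read `# Wait for the AWS Provider CRDs to be fully created before initiating aws_provider_config`. `kubectl_manifest.aws_controller_config` also omits `wait = true` while `aws_provider`, which references that ControllerConfig by name, sets it; either add it for consistency or leave a comment explaining why the wait is not needed there. `module.irsa_aws_provider[0].iam_role_arn` is indexed unconditionally, which only works because both resources share the same `count` expression, and a comment noting that coupling would stop a later edit from breaking it.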
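Review bot: The new ControllerConfig passes `--debug` to the provider-aws controller unconditionally, with no switch in `local.aws_provider` to turn it off; debug logging on a controller that runs under the AdministratorAccess IRSA role wired in through `eks.amazonaws.com/role-arn` is verbose and, depending on the provider, may write per-resource request details to the pod logs. Consider rendering it conditionally from the template (a `debug` key in `local.aws_provider` wrapped in `%{ if debug }`) or at least stating the intent in a comment, e.g. `# --debug is enabled for bootstrap troubleshooting only; drop it on shared clusters`.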
diff --git a/bootstrap/terraform/main.tf b/bootstrap/terraform/main.tf
index 567963ad..56e87f92 100644
--- a/bootstrap/terraform/main.tf
+++ b/bootstrap/terraform/main.tf
@@ -53,8 +53,6 @@ locals {
 vpc_cidr = "10.0.0.0/16"
 azs = slice(data.aws_availability_zones.available.names, 0, 3)
- argocd_namespace = "argocd"
-
 tags = {
 Blueprint = local.name
 GithubRepo = "github.com/awslabs/crossplane-on-eks"
@@ -137,8 +135,8 @@ module "eks_blueprints_addons" {
 oidc_provider_arn = module.eks.oidc_provider_arn
 enable_argocd = true
 argocd = {
- namespace = local.argocd_namespace
- chart_version = "5.34.6" # ArgoCD v2.7.3
+ namespace = "argocd"
+ chart_version = "5.46.1" # ArgoCD v2.8.3
 values = [
 templatefile("${path.module}/argocd-values.yaml", {
 crossplane_aws_provider_enable = local.aws_provider.enable
From d1ad694816052572b2276bc60777db1161d6604f Mon Sep 17 00:00:00 2001
From: Christina Andonov
Date: Mon, 11 Sep 2023 11:03:02 -0700
Subject: [PATCH 12/13] cleanup
---
 .../providers/aws-upbound/.helmignore | 23 -------------------
 .../providers/kubernetes/.helmignore | 23 -------------------
 2 files changed, 46 deletions(-)
 delete mode 100644 bootstrap/terraform/providers/aws-upbound/.helmignore
 delete mode 100644 bootstrap/terraform/providers/kubernetes/.helmignore
diff --git a/bootstrap/terraform/providers/aws-upbound/.helmignore b/bootstrap/terraform/providers/aws-upbound/.helmignore
deleted file mode 100644
index 0e8a0eb3..00000000
--- a/bootstrap/terraform/providers/aws-upbound/.helmignore
+++ /dev/null
@@ -1,23 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*.orig
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/
diff --git a/bootstrap/terraform/providers/kubernetes/.helmignore b/bootstrap/terraform/providers/kubernetes/.helmignore
deleted file mode 100644
index 0e8a0eb3..00000000
--- a/bootstrap/terraform/providers/kubernetes/.helmignore
+++ /dev/null
@@ -1,23 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*.orig
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/
From 7e0b624c02e06bad1d87eed1f5e094466c12dc71 Mon Sep 17 00:00:00 2001
From: Christina Andonov
Date: Mon, 11 Sep 2023 17:10:24 -0700
Subject: [PATCH 13/13] updating helm chart
---
 examples/helm-provider/test-helm.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/examples/helm-provider/test-helm.yaml b/examples/helm-provider/test-helm.yaml
index 78a2ded1..636bdb78 100644
--- a/examples/helm-provider/test-helm.yaml
+++ b/examples/helm-provider/test-helm.yaml
@@ -5,7 +5,7 @@ metadata:
 spec:
 forProvider:
 chart:
- name: hello
- repository: https://cloudecho.github.io/charts
- version: 0.1.2
+ name: mysql
+ repository: https://charts.bitnami.com/bitnami
+ version: 9.12.1
 namespace: default