Commit c19719f0 authored by malf's avatar malf

add crossplane chart

parent 47ecbdd2
secrets.conf
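Review bot: A file named `secrets.conf` is added by this commit, and the install script in the same commit (the `kubectl ... create secret generic aws-credentials --from-file=credentials=./secrets.conf` step) describes that file as holding an AWS access key id and secret access key. Its content is not shown on this page, so it may be an empty placeholder, but if it carries real credentials they are now in git history and should be treated as exposed and rotated. Keep the file out of version control by adding a `secrets.conf` line to `.gitignore` and commit only a template such as `secrets.conf.example` with placeholder values; the `SealedSecret` shipped in the chart is the intended in-repo form of this data.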
these are manifests to bootstrap on a kind cluster (created with kind.config) and enable it to use crossplane to create EKS Clusters
https://github.com/aws-samples/eks-gitops-crossplane-argocd
apiVersion: pkg.crossplane.io/v1
kind: Provider
metadata:
name: crossplane-provider-aws
spec:
package: "public.ecr.aws/awsvijisarathy/crossplane-provider-aws:v0.17.0"
\ No newline at end of file
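Review bot: The provider at the `package:` line is pulled by a mutable tag (`v0.17.0`) from what appears to be a personal or sample registry namespace rather than the Crossplane project's own provider image, so the content behind that tag can change underneath this manifest without any change in the repository. Pin it by digest, e.g. `package: "public.ecr.aws/awsvijisarathy/crossplane-provider-aws:v0.17.0@sha256:<digest-from-registry>"`, or switch to the upstream `crossplane/provider-aws` image at a pinned version. The same applies to the copy of this Provider inside the chart templates and to the `crossplane-eks-composition:3.0.11` Configuration package further down.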
---
apiVersion: v2
name: crossplane-argocd
description: A Helm chart for deploying core Crossplane, Crossplane AWS provider, Crossplane Configuration package and Composite Resource for creating EKS cluster
type: application
version: 1.0.0
appVersion: "1.0"
dependencies:
- name: crossplane
version: 1.4.1
repository: https://charts.crossplane.io/stable
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
annotations: {}
labels:
name: sealed-secrets-service-proxier
name: sealed-secrets-service-proxier
namespace: sealed-secrets
rules:
- apiGroups:
- ""
resourceNames:
- 'http:sealed-secrets-controller:'
- sealed-secrets-controller
resources:
- services/proxy
verbs:
- create
- get
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
annotations: {}
labels:
name: sealed-secrets-key-admin
name: sealed-secrets-key-admin
namespace: sealed-secrets
rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- create
- list
---
apiVersion: v1
kind: Service
metadata:
annotations: {}
labels:
name: sealed-secrets-controller
name: sealed-secrets-controller
namespace: sealed-secrets
spec:
ports:
- port: 8080
targetPort: 8080
selector:
name: sealed-secrets-controller
type: ClusterIP
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
annotations: {}
labels:
name: sealed-secrets-service-proxier
name: sealed-secrets-service-proxier
namespace: sealed-secrets
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: sealed-secrets-service-proxier
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: system:authenticated
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: sealedsecrets.bitnami.com
spec:
group: bitnami.com
names:
kind: SealedSecret
listKind: SealedSecretList
plural: sealedsecrets
singular: sealedsecret
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
properties:
spec:
type: object
x-kubernetes-preserve-unknown-fields: true
status:
x-kubernetes-preserve-unknown-fields: true
type: object
served: true
storage: true
subresources:
status: {}
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
annotations: {}
labels:
name: sealed-secrets-controller
name: sealed-secrets-controller
namespace: sealed-secrets
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: sealed-secrets-key-admin
subjects:
- kind: ServiceAccount
name: sealed-secrets-controller
namespace: sealed-secrets
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
annotations: {}
labels:
name: sealed-secrets-controller
name: sealed-secrets-controller
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: secrets-unsealer
subjects:
- kind: ServiceAccount
name: sealed-secrets-controller
namespace: sealed-secrets
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
annotations: {}
labels:
name: secrets-unsealer
name: secrets-unsealer
rules:
- apiGroups:
- bitnami.com
resources:
- sealedsecrets
verbs:
- get
- list
- watch
- apiGroups:
- bitnami.com
resources:
- sealedsecrets/status
verbs:
- update
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- create
- update
- delete
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
---
apiVersion: v1
kind: ServiceAccount
metadata:
annotations: {}
labels:
name: sealed-secrets-controller
name: sealed-secrets-controller
namespace: sealed-secrets
---
apiVersion: apps/v1
kind: Deployment
metadata:
annotations: {}
labels:
name: sealed-secrets-controller
name: sealed-secrets-controller
namespace: sealed-secrets
annotations:
argocd.argoproj.io/sync-wave: "1"
spec:
minReadySeconds: 30
replicas: 1
revisionHistoryLimit: 10
selector:
matchLabels:
name: sealed-secrets-controller
strategy:
rollingUpdate:
maxSurge: 25%
maxUnavailable: 25%
type: RollingUpdate
template:
metadata:
annotations: {}
labels:
name: sealed-secrets-controller
spec:
containers:
- args: []
command:
- controller
env: []
image: quay.io/bitnami/sealed-secrets-controller:v0.16.0
imagePullPolicy: Always
livenessProbe:
httpGet:
path: /healthz
port: http
name: sealed-secrets-controller
ports:
- containerPort: 8080
name: http
readinessProbe:
httpGet:
path: /healthz
port: http
securityContext:
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1001
stdin: false
tty: false
volumeMounts:
- mountPath: /tmp
name: tmp
imagePullSecrets: []
initContainers: []
securityContext:
fsGroup: 65534
serviceAccountName: sealed-secrets-controller
terminationGracePeriodSeconds: 30
volumes:
- emptyDir: {}
name: tmp
---
apiVersion: batch/v1
kind: Job
metadata:
generateName: after-sealed-secret
namespace: sealed-secrets
annotations:
argocd.argoproj.io/hook: Sync
argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
argocd.argoproj.io/sync-wave: "2"
spec:
template:
spec:
containers:
- name: page-down
image: alpine:latest
command: ["sleep", "10"]
restartPolicy: Never
\ No newline at end of file
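Review bot: The Deployment's `metadata` mapping carries `annotations` twice: an empty `annotations: {}` near its top and a second `annotations:` block holding the `argocd.argoproj.io/sync-wave` entry. Duplicate keys are invalid YAML and most parsers silently keep the last one, so the sync-wave happens to survive here but yamllint will reject the file; drop the empty `annotations: {}` line from that metadata block. Separately, every Role, RoleBinding, ClusterRole and ClusterRoleBinding in this file uses `rbac.authorization.k8s.io/v1beta1`, which was removed in Kubernetes 1.22, so change them to `apiVersion: rbac.authorization.k8s.io/v1`. Note also that the `sealed-secrets-service-proxier` RoleBinding grants the `system:authenticated` group `create`/`get` on the controller's `services/proxy`; this matches the upstream manifests and is what lets `kubeseal` fetch the public certificate, but it means any authenticated principal can reach the controller's HTTP endpoint through the API server proxy, which deserves a comment next to the binding.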
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
creationTimestamp: null
name: aws-credentials
namespace: crossplane-system
annotations:
argocd.argoproj.io/sync-wave: "10"
spec:
encryptedData:
credentials: AgCJux/DvhjKxtBiGMGq9DJcO4yZkgAqRJYxDV0Nw8fdsuc53Agk/1SfrGBvhx==
template:
data: null
metadata:
creationTimestamp: null
name: aws-credentials
namespace: crossplane-system
---
apiVersion: pkg.crossplane.io/v1
kind: Provider
metadata:
name: crossplane-provider-aws
annotations:
argocd.argoproj.io/sync-wave: "30"
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
spec:
package: "public.ecr.aws/awsvijisarathy/crossplane-provider-aws:v0.17.0"
---
apiVersion: batch/v1
kind: Job
metadata:
generateName: after-provider
annotations:
argocd.argoproj.io/hook: Sync
argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
argocd.argoproj.io/sync-wave: "40"
spec:
template:
spec:
containers:
- name: page-down
image: alpine:latest
command: ["sleep", "10"]
restartPolicy: Never
---
apiVersion: aws.crossplane.io/v1beta1
kind: ProviderConfig
metadata:
name: default
annotations:
argocd.argoproj.io/sync-wave: "50"
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
spec:
credentials:
source: Secret
secretRef:
namespace: crossplane-system
name: aws-credentials
key: credentials
apiVersion: pkg.crossplane.io/v1
kind: Configuration
metadata:
name: crossplane-eks-composition
annotations:
argocd.argoproj.io/sync-wave: "100"
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
spec:
ignoreCrossplaneConstraints: false
package: public.ecr.aws/awsvijisarathy/crossplane-eks-composition:3.0.11
packagePullPolicy: IfNotPresent
revisionActivationPolicy: Automatic
revisionHistoryLimit: 0
skipDependencyResolution: false
---
apiVersion: batch/v1
kind: Job
metadata:
generateName: post-configuration
annotations:
argocd.argoproj.io/hook: Sync
argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
argocd.argoproj.io/sync-wave: "200"
spec:
template:
spec:
containers:
- name: page-down
image: alpine:latest
command: ["sleep", "20"]
restartPolicy: Never
\ No newline at end of file
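Review bot: The `ProviderConfig` document ending at `key: credentials` runs straight into the `apiVersion: pkg.crossplane.io/v1` line of the `Configuration` with no `---` between them; if those two objects live in the same template file, the second `apiVersion`/`kind`/`metadata`/`spec` keys duplicate the first and a parser will either reject the document or silently produce one merged object, so insert a `---` line before the Configuration (if the page merely dropped a file header at that point, ignore this). The `SealedSecret` `aws-credentials` can only be unsealed by the controller holding the private key it was encrypted with; on a freshly created kind cluster the sealed-secrets controller generates a new key pair, so this manifest will sit in a failed-to-unseal state unless the original sealing key is restored first, which the README should state. The two hook Jobs use `image: alpine:latest` and the Configuration pulls `crossplane-eks-composition:3.0.11` by mutable tag; pin both by digest so repeated syncs are reproducible.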
---
apiVersion: eks.sarathy.io/v1beta1
kind: EKSCluster
metadata:
name: crossplane-prod-cluster
annotations:
argocd.argoproj.io/sync-wave: "300"
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
spec:
parameters:
region: eu-west-1
vpc-name: "crossplane-vpc-only"
vpc-cidrBlock: "10.20.0.0/16"
subnet1-public-name: "public-worker-1 "
subnet1-public-cidrBlock: "10.20.1.0/28"
subnet1-public-availabilityZone: "eu-west-1a"
subnet2-public-name: "public-worker-2"
subnet2-public-cidrBlock: "10.20.2.0/28"
subnet2-public-availabilityZone: "eu-west-1b"
subnet1-private-name: "private-worker-1 "
subnet1-private-cidrBlock: "10.20.11.0/28"
subnet1-private-availabilityZone: "eu-west-1a"
subnet2-private-name: "private-worker-2"
subnet2-private-cidrBlock: "10.20.12.0/28"
subnet2-private-availabilityZone: "eu-west-1b"
k8s-version: "1.20"
workload-type: "non-gpu"
workers-size: 2
compositionRef:
name: amazon-eks-cluster
writeConnectionSecretToRef:
namespace: eks
name: crossplane-prod-cluster-connection
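Review bot: `subnet1-public-name: "public-worker-1 "` and `subnet1-private-name: "private-worker-1 "` carry a trailing space inside the quotes while the subnet2 names do not; that space becomes part of the AWS Name tag and breaks any lookup by exact name, so trim them to `"public-worker-1"` and `"private-worker-1"`. Each subnet is a `/28` (16 addresses, of which AWS reserves 5), leaving 11 usable IPs per subnet; with the VPC CNI handing pod IPs out of the subnet, two worker nodes are likely to exhaust that quickly, so confirm the composition's sizing or widen the CIDRs (for example to `/24`) before this is used as `crossplane-prod-cluster`. `writeConnectionSecretToRef.namespace: eks` assumes an `eks` namespace exists on the management cluster and nothing in this commit creates it — presumably it must be created beforehand, and that should be documented.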
##!/bin/bash
#
# The Crossplane CLI extends kubectl with functionality to build, push, and install Crossplane packages
#
curl -sL https://raw.githubusercontent.com/crossplane/crossplane/release-1.0/install.sh | sh
sudo mv kubectl-crossplane /usr/local/bin
#
# Install Crossplane on your "management" cluster
#
kubectl create namespace crossplane-system
helm repo add crossplane-stable https://charts.crossplane.io/stable
helm repo update
#
# Install Crossplane core components using Helm chart
#
helm install crossplane --namespace crossplane-system crossplane-stable/crossplane --version 1.4.1
#
# Providers extend Crossplane with custom resources that can be used to declaratively configure a system.
# In order to provision a resource, a CRD needs to be registered in your Kubernetes cluster and its controller should be watching the Custom Resources those CRDs define.
# Crossplane provider packages contain many CRDs and their controllers.
# The 'provider-aws' package is the Crossplane infrastructure provider for AWS. This package contains the followig:
# 1. Custom Resource Definitions (CRDs) that model AWS infrastructure and services (e.g. RDS, S3, EKS clusters, etc.) These are called 'managed resources'
# 2. Controllers to provision these resources in AWS based on the users desired state captured in CRDs they create
# 3. Implementations of Crossplane's portable resource abstractions, enabling AWS resources to fulfill a user's general need for cloud services
#
# The core Crossplane controller can install provider controllers and CRDs for you through its own provider packaging mechanism, which is triggered by the application of a 'Provider' resource.
# In order to request installation of the provider-aws package, apply the 'aws-provider.yaml' resource to the cluster where Crossplane is running.
# Providers can be installed using the 'kubectl crossplane install provider' command as well.
# Check out documentation on installing providers: https://crossplane.io/docs/v1.3/concepts/providers.html
#
kubectl apply -f aws-provider.yaml
#
# In order to authenticate with the external provider API such as AWS, the provider controllers need to have access to credentials.
# It could be an IAM User for AWS
# An AWS user with Administrative privileges is needed to enable Crossplane to create the required resources
# We wil have to first create a configuration file, secrets.conf, with credeantials of an AWS account in the following format.
#
# [default]
# aws_access_key_id =ABCDEFGHIJ0123456789
# aws_secret_access_key = Ow3HUaP8BbqkV4dUrZr0H7yT5nGP5OPFcZJ+
#
# Then using that file, a Kubernetes Secret is created as follows
#
kubectl -n crossplane-system create secret generic aws-credentials --from-file=credentials=./secrets.conf
#
# Create a ProviderConfig resource, referencing the above Secret
#
kubectl apply -f aws-providerconfig.yaml
#
# Crossplane goes beyond simply modelling infrastructure primitives as ‘managed resources’.
# Composition is a concept that allows platform builders to define new custom resources that are composed of managed resources, like an RDS instance
# Crossplane calls these “composite resources” (XRs).
# Composition can be used to build a catalogue of custom resources and classes of configuration that fit the needs and opinions of your organisation.
# Crossplane uses two special resources to define and configure these new composite resources:
# A CompositeResourceDefinition (XRD) defines a new kind of composite resource, including its schema. An XRD may optionally offer a claim (XRC).
# A Composition specifies which managed resources a composite resource will be composed of, and how they should be configured.
# You can create multiple Composition options for each composite resource.
# Check out the composition documentation: https://crossplane.io/docs/v1.3/concepts/composition.html
#
# CompositeResourceDefinitions (XRDs) and Compositions may be packaged and installed as a configuration.
# A configuration is a package of composition configuration that can easily be installed to Crossplane by creating a declarative 'Configuration' resource, or by using 'kubectl crossplane install configuration'.
# Check out the documentation on creating configuration: https://crossplane.io/docs/v1.3/getting-started/create-configuration.html
#
#
# Create a package for EKS cluster creation
# This package will help create a new VPC with 2 private/public subnets, IGW, NATGW and the EKS cluster with managed node group
# Push this package to a repository in an image registry
#
cd eks-configuration
kubectl crossplane build configuration
kubectl crossplane push configuration IMAGE_REPO:IMAGE_TAG
#
# Install the package to a cluster
# Use one of the following two options to either install the one from the public repo in ECR and the one you built above.
#
kubectl apply -f crossplane-eks-composition.yaml
kubectl crossplane install configuration IMAGE_REPO:IMAGE_TAG
#
# Check if the package and the XRDs defined in it were installed properly
#
kubectl get Configuration crossplane-eks-composition
kubectl get CompositeResourceDefinition eksclusters.eks.sarathy.io
#
# Create an EKS cluster and a nodegroup using an XR
#
kubectl apply -f eks-cluster-xr.yaml
#
# Here are a set of CLI commands to look at various resources
#
kubectl get crossplane # get all resources related to Crossplane.
kubectl get managed # get all resources that represent a unit of external infrastructure such as RDSInstance.
kubectl get composite # get all resources that represent an XR
#
# Cleanup
#
kubectl delete -f crossplane-eks-composition.yaml
kubectl delete -f aws-providerconfig.yaml
kubectl delete -f aws-provider.yaml
kubectl delete -f aws-credentials.yaml
helm uninstall crossplane --namespace crossplane-system
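Review bot: `curl -sL ... | sh` runs an unpinned remote installer straight through a shell, and the first line `##!/bin/bash` is not a valid shebang (two `#`), so if this file is meant to be executed it will run under whatever shell invokes it. Download the installer to a file, verify it against the checksum or signature published with the Crossplane release, and only then execute it; fix the first line to `#!/bin/bash`. The cleanup step `kubectl delete -f aws-credentials.yaml` references a file that does not appear in this commit and that the script never creates — the secret is made earlier with `kubectl create secret` — so either `kubectl -n crossplane-system delete secret aws-credentials` is the matching cleanup or the file name needs correcting. The comment block showing the `[default]` / `aws_access_key_id` / `aws_secret_access_key` layout is fine as a template, but it should state that `secrets.conf` must never be committed.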
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
nodes:
- role: control-plane
kubeadmConfigPatches:
- |
kind: InitConfiguration
nodeRegistration:
kubeletExtraArgs:
node-labels: "ingress-ready=true"
extraPortMappings:
- containerPort: 80
hostPort: 80
protocol: TCP
- containerPort: 443
hostPort: 443
protocol: TCP
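Review bot: The `extraPortMappings` for 80 and 443 carry no `listenAddress`, and kind's default for that field binds the host port on all interfaces (`0.0.0.0`), so whatever ingress is later exposed on this bootstrap cluster — which holds the sealed-secrets controller and an AWS-credentialed Crossplane provider — becomes reachable from the local network rather than only from the workstation. Add `listenAddress: "127.0.0.1"` to both mappings unless remote access is intended, and say so in a comment.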