devops-toolkit/dot-kubernetes@v0.12.160
cluster-aws

cluster-aws

cluster-aws
devops-toolkit/dot-kubernetes@v0.12.160cluster-aws
Type

Composition

Referenced XRD

CompositeCluster

Source Codegithub.com/vfarcic/crossplane-kubernetes
YAML
kind: Composition
apiVersion: apiextensions.crossplane.io/v1
metadata:
  name: cluster-aws
  creationTimestamp: null
  labels:
    cluster: eks
    provider: aws
spec:
  compositeTypeRef:
    apiVersion: devopstoolkitseries.com/v1alpha1
    kind: CompositeCluster
  mode: Pipeline
  pipeline:
    - step: aws
      functionRef:
        name: crossplane-contrib-function-kcl
      input:
        apiVersion: krm.kcl.dev/v1alpha1
        kind: KCLRun
        spec:
          source: >
            version = "1.30"

            oxr = option("params").oxr

            ocds = option("params").ocds

            _metadata = lambda name: str, suffix: str, role: str -> any {
                {
                    if name != "":
                        name = oxr.spec.id + "-" + name
                    else:
                        name = oxr.spec.id
                    annotations = {
                        "krm.kcl.dev/composition-resource-name" = suffix
                    }
                    if role != "":
                        labels.role = oxr.spec.id + "-" + role
                }
            }

            _items = [{
                apiVersion = "eks.aws.upbound.io/v1beta1"
                kind = "Cluster"
                metadata = _metadata("", "ekscluster", "")
                spec.forProvider: {
                    region = "us-east-1"
                    bootstrapSelfManagedAddons = True
                    if oxr.spec.parameters.version:
                        version = oxr.spec.parameters.version
                    else:
                        version = version
                    roleArnSelector = {
                        matchControllerRef = True
                        matchLabels.role = oxr.spec.id + "-controlplane"
                    }
                    vpcConfig = [{
                        endpointPrivateAccess = True
                        endpointPublicAccess = True
                        subnetIdSelector.matchControllerRef = True
                    }]
                }
            }, {
                apiVersion = "eks.aws.upbound.io/v1beta1"
                kind = "ClusterAuth"
                metadata = _metadata("", "clusterAuth", "")
                spec = {
                    forProvider: {
                        region = "us-east-1"
                        clusterNameSelector.matchControllerRef = True
                    }
                    writeConnectionSecretToRef = {
                        name = oxr.spec.id + "-cluster"
                        namespace = oxr.spec.claimRef.namespace
                    }
                }
            }, {
                apiVersion = "eks.aws.upbound.io/v1beta1"
                kind = "NodeGroup"
                metadata = _metadata("", "eksnodegroup", "")
                spec = {
                    forProvider = {
                        region = "us-east-1"
                        clusterNameSelector.matchControllerRef = True
                        nodeRoleArnSelector = {
                            matchControllerRef = True
                            matchLabels.role = oxr.spec.id + "-nodegroup"
                        }
                        subnetIdSelector.matchControllerRef = True
                        scalingConfig = [{
                            minSize = 1
                            maxSize = 10
                            desiredSize = 1
                            minSize = oxr.spec.parameters.minNodeCount
                            desiredSize = oxr.spec.parameters.minNodeCount
                        }]
                        if oxr.spec.parameters.nodeSize == "small":
                            instanceTypes = ["t3.small"]
                        elif oxr.spec.parameters.nodeSize == "medium":
                            instanceTypes = ["t3.medium"]
                        else:
                            instanceTypes = ["t3.large"]
                    }
                }
            }, {
                apiVersion = "ec2.aws.upbound.io/v1beta1"
                kind = "VPC"
                metadata = _metadata("", "vpc-nodepool", "")
                spec = {
                    forProvider = {
                        region = "us-east-1"
                        cidrBlock = "10.0.0.0/16"
                        enableDnsSupport = True
                    }
                }
            }, {
                apiVersion: "ec2.aws.upbound.io/v1beta1"
                kind: "SecurityGroup"
                metadata = _metadata("", "sg-nodepool", "")
                spec.forProvider: {
                    name = oxr.spec.id
                    description = "Cluster communication with worker nodes"
                    region = "us-east-1"
                    vpcIdSelector.matchControllerRef = True
                }
            }, {
                apiVersion = "ec2.aws.upbound.io/v1beta1"
                kind = "SecurityGroupRule"
                metadata = _metadata("", "securityGroupRule", "")
                spec.forProvider: {
                    description = "I am too lazy to write descriptions"
                    region = "us-east-1"
                    type = "egress"
                    fromPort = 0
                    toPort = 0
                    protocol = "-1"
                    cidrBlocks = ["0.0.0.0/0"]
                    securityGroupIdSelector.matchControllerRef = True
                }
            }, {
                apiVersion = "ec2.aws.upbound.io/v1beta1"
                kind = "InternetGateway"
                metadata = _metadata("", "gateway", "")
                spec.forProvider = {
                    region = "us-east-1"
                    vpcIdSelector.matchControllerRef = True
                }
            }, {
                apiVersion = "ec2.aws.upbound.io/v1beta1"
                kind = "RouteTable"
                metadata = _metadata("", "routeTable", "")
                spec.forProvider: {
                    region = "us-east-1"
                    vpcIdSelector.matchControllerRef = True
                }
            }, {
                apiVersion: "ec2.aws.upbound.io/v1beta1"
                kind: "Route"
                metadata = _metadata("", "route", "")
                spec.forProvider: {
                    region = "us-east-1"
                    routeTableIdSelector.matchControllerRef = True
                    destinationCidrBlock = "0.0.0.0/0"
                    gatewayIdSelector.matchControllerRef = True
                }
            }, {
                apiVersion: "ec2.aws.upbound.io/v1beta1"
                kind: "MainRouteTableAssociation"
                metadata = _metadata("", "mainRouteTableAssociation", "")
                spec.forProvider: {
                    region = "us-east-1"
                    routeTableIdSelector.matchControllerRef = True
                    vpcIdSelector.matchControllerRef = True
                }
            }, {
                apiVersion = "eks.aws.upbound.io/v1beta1"
                kind = "Addon"
                metadata = _metadata("ebs", "addonEbs", "")
                spec.forProvider = {
                    addonName = "aws-ebs-csi-driver"
                    region = "us-east-1"
                    clusterNameSelector.matchControllerRef = True
                }
            }, {
                **oxr
                status.clusterName = oxr.spec.id
                if oxr.spec.id + "-cluster" in ocds:
                    status.controlPlaneStatus = ocds[oxr.spec.id + "-cluster"].Resource.status.conditions[0].reason
                if oxr.spec.id + "-node-group" in ocds:
                    status.nodePoolStatus = ocds[oxr.spec.id + "-node-group"].Resource.status.conditions[0].reason
            }]

            _zones = [
                {suffix = "1a", ip = "10.0.0.0/24"}
                {suffix = "1b", ip = "10.0.1.0/24"},
                {suffix = "1c", ip = "10.0.2.0/24"}
            ]

            _items += [{
                apiVersion = "ec2.aws.upbound.io/v1beta1"
                kind = "RouteTableAssociation"
                metadata = _metadata(_zone.suffix, "routeTableAssociation" + _zone.suffix, "")
                spec.forProvider: {
                    region = "us-east-1"
                    routeTableIdSelector.matchControllerRef = True
                    subnetIdSelector = {
                        matchControllerRef = True
                        matchLabels = {
                            zone = "us-east-" + _zone.suffix
                            access = "public"
                        }
                    }
                }
            } for _zone in _zones]

            _items += [{
                apiVersion = "ec2.aws.upbound.io/v1beta1"
                kind = "Subnet"
                metadata = {
                    name = oxr.spec.id + "-" + _zone.suffix
                    annotations = {
                        "krm.kcl.dev/composition-resource-name" = "subnet-nodepool-" + _zone.suffix
                    }
                    labels = {
                        zone = "us-east-" + _zone.suffix
                        access: "public"
                    }
                }
                spec: {
                    forProvider = {
                        region = "us-east-1"
                        availabilityZone = "us-east-" + _zone.suffix
                        cidrBlock = _zone.ip
                        vpcIdSelector.matchControllerRef = True
                        mapPublicIpOnLaunch = True
                        tags = {
                            "kubernetes.io/role/elb": "1"
                        }
                    }
                }
            } for _zone in _zones]

            _rpas = [
                {name = "controlplane", role = "controlplane", policyArn = "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"}
                {name = "service", role = "controlplane", policyArn = "arn:aws:iam::aws:policy/AmazonEKSServicePolicy"}
                {name = "worker", role = "nodegroup", policyArn = "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"}
                {name = "cni", role = "nodegroup", policyArn = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"}
                {name = "registry", role = "nodegroup", policyArn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"}
            ]

            _items += [{
                apiVersion = "iam.aws.upbound.io/v1beta1"
                kind = "RolePolicyAttachment"
                metadata = _metadata(_rpa.name, "iamattachment-" + _rpa.name, "")
                spec = {
                    forProvider = {
                        policyArn = _rpa.policyArn
                        roleSelector = {
                            matchControllerRef = True
                            matchLabels.role = oxr.spec.id + "-" + _rpa.role
                        }
                    }
                }
            } for _rpa in _rpas]

            _roles = [
                {name = "controlplane", service = "eks"}
                {name = "nodegroup", service = "ec2"}
            ]

            _items += [{
                apiVersion = "iam.aws.upbound.io/v1beta1"
                kind = "Role"
                metadata = {
                    name = oxr.spec.id + "-" + _role.name
                    annotations = {
                        "krm.kcl.dev/composition-resource-name" = "iamrole-" + _role.name
                    }
                    labels.role = oxr.spec.id + "-" + _role.name
                }
                spec.forProvider.assumeRolePolicy = """\
            {
              "Version": "2012-10-17",
              "Statement": [{
                "Effect": "Allow",
                "Principal": {"Service": [\"""" + _role.service + """.amazonaws.com"]},
                "Action": ["sts:AssumeRole"]
              }]
            }

            """

            } for _role in _roles]

            items = _items
    - step: apps
      functionRef:
        name: crossplane-contrib-function-kcl
      input:
        apiVersion: krm.kcl.dev/v1alpha1
        kind: KCLRun
        spec:
          source: >
            crossplane = "1.14.5"

            argocd = "3.35.4"

            dapr = "1.12.4"

            traefik = "26.0.0"

            dynatraceOperator = "0.15.0"

            dynatraceDashboard = "0.2.2"

            externalSecrets = "0.9.11"

            cilium = "1.14.2"

            openFunctionUrl = "https://openfunction.github.io/charts/openfunction-v1.2.0-v0.7.0.tgz"

            oxr = option("params").oxr

            ocds = option("params").ocds

            _metadata = lambda suffix: str -> any {
                {
                    name = oxr.spec.id
                    annotations = {
                        "crossplane.io/external-name" = oxr.spec.id
                        "krm.kcl.dev/composition-resource-name" = oxr.spec.id + "-" + suffix
                    }
                }
            }

            schema usage:
                _nameSuffix: str
                _kind: str = "Object"
                apiVersion = "apiextensions.crossplane.io/v1alpha1"
                kind = "Usage"
                metadata = {
                    name = oxr.spec.id + "-" + _nameSuffix + "-usage"
                    annotations = {
                        "krm.kcl.dev/ready": "True"
                        "crossplane.io/external-name" = oxr.spec.id + "-" + _nameSuffix + "-usage"
                        "krm.kcl.dev/composition-resource-name" = oxr.spec.id + "-" + _nameSuffix + "-usage"
                    }
                }
                spec = {
                    of = {
                        apiVersion = "eks.aws.upbound.io/v1beta1"
                        kind = "Cluster"
                        resourceRef.name = oxr.spec.id
                    }
                    by = {
                        if _kind == "Object":
                            apiVersion = "kubernetes.crossplane.io/v1alpha2"
                        elif _kind == "Release":
                            apiVersion = "helm.crossplane.io/v1beta1"
                        kind = _kind
                        resourceRef.name = oxr.spec.id + "-" + _nameSuffix
                    }
                }
            schema chart:
                _name: str
                _chartName?: str
                _chartRepository?: str
                _chartVersion?: str
                _chartUrl?: str
                _namespace: str
                _values?: any
                _providerConfigRefName?: str
                apiVersion = "helm.crossplane.io/v1beta1"
                kind = "Release"
                metadata = {
                    name = oxr.spec.id + "-app-" + _name
                    annotations = {
                        "crossplane.io/external-name" = _name
                        "krm.kcl.dev/composition-resource-name" = oxr.spec.id + "-app-" + _name
                    }
                }
                spec = {
                    forProvider = {
                        chart = {
                            if _chartName:
                                name = _chartName
                            else:
                                name = _name
                            if _chartRepository:
                                repository = _chartRepository
                            if _chartVersion:
                                version = _chartVersion
                            if _chartUrl:
                                url = _chartUrl
                        }
                        if _values:
                            values = _values
                        namespace = _namespace
                    }
                    rollbackLimit = 3
                    if _providerConfigRefName:
                        providerConfigRef.name = _providerConfigRefName
                    else:
                        providerConfigRef.name = oxr.spec.id
                }
            schema object:
                _name: str
                _externalName?: str
                _manifest: any
                _references?: []
                apiVersion = "kubernetes.crossplane.io/v1alpha2"
                kind = "Object"
                metadata = {
                    name = oxr.spec.id + "-app-" + _name
                    annotations = {
                        if _externalName:
                            "crossplane.io/external-name" = _externalName
                        else:
                            "crossplane.io/external-name" = _name
                        "krm.kcl.dev/composition-resource-name" = oxr.spec.id + "-app-" + _name
                    }
                }
                spec = {
                    if _references:
                        references = _references
                    forProvider.manifest = _manifest
                    providerConfigRef.name = oxr.spec.id
                }
            _items = [
                {
                    apiVersion = "helm.crossplane.io/v1beta1"
                    kind = "ProviderConfig"
                    metadata = {
                        name = oxr.spec.id
                        annotations = {
                            "krm.kcl.dev/ready": "True"
                            "crossplane.io/external-name" = oxr.spec.id
                            "krm.kcl.dev/composition-resource-name" = oxr.spec.id + "-config-helm"
                        }
                    }
                    spec = {
                        credentials = {
                            secretRef = {
                                namespace = oxr.spec.claimRef.namespace
                                key = "kubeconfig"
                                name = oxr.spec.id + "-cluster"
                            }
                            source = "Secret"
                        }
                        if oxr.spec.compositionSelector.matchLabels.provider == "google":
                            identity = {
                                type = "GoogleApplicationCredentials"
                                source = "Secret"
                                secretRef = {
                                    name = "gcp-creds"
                                    namespace = "crossplane-system"
                                    key = "creds"
                                }
                            }
                    }
                }
                {
                    apiVersion = "helm.crossplane.io/v1beta1"
                    kind = "ProviderConfig"
                    metadata = {
                        name = oxr.spec.id + "-local"
                        annotations = {
                            "krm.kcl.dev/ready": "True"
                            "crossplane.io/external-name" = oxr.spec.id
                            "krm.kcl.dev/composition-resource-name" = oxr.spec.id + "-config-helm-local"
                        }
                    }
                    spec.credentials.source = "InjectedIdentity"
                }
                if oxr.spec.compositionSelector.matchLabels.provider != "aws":
                    {
                        apiVersion = "helm.crossplane.io/v1beta1"
                        kind = "Release"
                        metadata = {
                            name = oxr.spec.id + "-cilium"
                            annotations = {
                                "crossplane.io/external-name" = "cilium"
                                "krm.kcl.dev/composition-resource-name" = oxr.spec.id + "-app-cilium"
                            }
                        }
                        spec = {
                            forProvider = {
                                chart = {
                                    name = "cilium"
                                    repository = "https://helm.cilium.io"
                                    version = cilium
                                }
                                set = [
                                    if oxr.spec.compositionSelector.matchLabels.provider == "google":
                                        {name = "nodeinit.enabled", value = "true"}
                                        {name = "nodeinit.reconfigureKubelet", value = "true"}
                                        {name = "nodeinit.removeCbrBridge", value = "true"}
                                        {name = "cni.binPath", value = "/home/kubernetes/bin"}
                                        {name = "gke.enabled", value = "true"}
                                        {name = "ipam.mode", value = "kubernetes"}
                                        {
                                            name = "ipv4NativeRoutingCIDR"
                                            if oxr.spec.id + "-nodepool" in ocds:
                                                value = oxr.status.field1
                                        },
                                        {name = "authentication.mutual.spire.enabled", value = "true"}
                                        {name = "authentication.mutual.spire.install.enabled", value = "true"}
                                    if oxr.spec.compositionSelector.matchLabels.provider == "azure":
                                        {name = "aksbyocni.enabled", value = "true"}
                                        {name = "nodeinit.enabled", value = "true"}
                                        {name = "authentication.mutual.spire.enabled", value = "true"}
                                        {name = "authentication.mutual.spire.install.enabled", value = "true"}
                                ]
                                namespace = "kube-system"
                            }
                            rollbackLimit = 3
                            providerConfigRef.name = oxr.spec.id
                        }
                    }
                    if oxr.spec.parameters?.usage?.enabled:
                        usage { _nameSuffix = "cilium", _kind = "Release" }
                {
                    apiVersion = "kubernetes.crossplane.io/v1alpha1"
                    kind = "ProviderConfig"
                    metadata = {
                        name = oxr.spec.id
                        annotations = {
                            "krm.kcl.dev/ready": "True"
                            "crossplane.io/external-name" = oxr.spec.id
                            "krm.kcl.dev/composition-resource-name" = oxr.spec.id + "-config-kubernetes"
                        }
                    }
                    spec = {
                        credentials = {
                            secretRef = {
                                key = "kubeconfig"
                                name = oxr.spec.id + "-cluster"
                                namespace = oxr.spec.claimRef.namespace
                            }
                            source: "Secret"
                        }
                        if oxr.spec.compositionSelector.matchLabels.provider == "google":
                            identity = {
                                type = "GoogleApplicationCredentials"
                                source = "Secret"
                                secretRef = {
                                    name = "gcp-creds"
                                    namespace = "crossplane-system"
                                    key = "creds"
                                }
                            }
                    }
                }
                if oxr.spec.parameters?.apps?.crossplane?.enabled:
                    chart {
                        _name = "crossplane"
                        _chartRepository = "https://charts.crossplane.io/stable"
                        _chartVersion = crossplane
                        _namespace = "crossplane-system"
                    }
                    if oxr.spec.parameters?.usage?.enabled:
                        usage { _nameSuffix = "crossplane", _kind = "Release" }
                if oxr.spec.parameters?.apps?.argocd?.enabled:
                    chart {
                        _name = "argo-cd"
                        _chartRepository = "https://argoproj.github.io/argo-helm"
                        _chartVersion = argocd
                        _namespace = "argocd"
                        _values = {
                            global.domain = oxr.spec.parameters.apps.argocd.host
                            configs = {
                                secret = {
                                    argocdServerAdminPassword = "$2a$10$m3eTlEdRen0nS86c5Zph5u/bDFQMcWZYdG3NVdiyaACCqoxLJaz16"
                                    argocdServerAdminPasswordMtime = "2021-11-08T15:04:05Z"
                                }
                                cm = {
                                    "application.resourceTrackingMethod" = "annotation"
                                    "timeout.reconciliation" = "60s"
                                }
                                params = {
                                    "server.insecure" = True
                                }
                            }
                            server = {
                                if oxr.spec.parameters?.apps?.traefik?.enabled:
                                    ingress = {
                                        enabled = True
                                        ingressClassName = "traefik"
                                    }
                                extraArgs = ["--insecure"]
                            }
                        }
                    }
                    object {
                        _name = "argo-cd-app"
                        _manifest = {
                            apiVersion = "argoproj.io/v1alpha1"
                            kind = "Application"
                            metadata = {
                                name = "apps"
                                namespace = "argocd"
                                finalizers = ["resources-finalizer.argocd.argoproj.io"]
                            }
                            spec = {
                                project = "default"
                                source = {
                                    repoURL = oxr.spec.parameters.apps.argocd.repoURL
                                    targetRevision = "HEAD"
                                    path = oxr.spec.parameters.apps.argocd.sourcePath
                                }
                                destination = {
                                    server = "https://kubernetes.default.svc"
                                    namespace = oxr.spec.parameters.apps.argocd.destinationNamespace
                                }
                                syncPolicy.automated = {
                                    selfHeal = True
                                    prune = True
                                    allowEmpty = True
                                }
                            }
                        }
                    }
                    if oxr.spec.parameters?.usage?.enabled:
                        usage { _nameSuffix = "argo-cd", _kind = "Release" }
                        usage { _nameSuffix = "argo-cd-app" }
                if oxr.spec.parameters?.apps?.openfunction?.enabled:
                    chart {
                        _name = "openfunction"
                        _chartUrl = openFunctionUrl
                        _namespace = "openfunction"
                        _values = {
                            revisionController.enable = True
                        }
                    }
                    if oxr.spec.parameters?.usage?.enabled:
                        usage { _nameSuffix = "openfunction", _kind = "Release" }
                if oxr.spec.parameters?.apps?.dapr?.enabled:
                    chart {
                        _name = "dapr"
                        _chartRepository = "https://dapr.github.io/helm-charts/"
                        _chartVersion = dapr
                        _namespace = "dapr-system"
                    }
                    if oxr.spec.parameters?.usage?.enabled:
                        usage { _nameSuffix = "dapr", _kind = "Release" }
                if oxr.spec.parameters?.apps?.traefik?.enabled:
                    chart {
                        _name = "traefik"
                        _chartRepository = "https://helm.traefik.io/traefik"
                        _chartVersion = traefik
                        _namespace = "traefik"
                    }
                    if oxr.spec.parameters?.usage?.enabled:
                        usage { _nameSuffix = "traefik", _kind = "Release" }
                if oxr.spec.parameters?.apps?.dynatrace?.enabled:
                    chart {
                        _name = "dynatrace-operator"
                        _chartRepository = "https://raw.githubusercontent.com/Dynatrace/dynatrace-operator/main/config/helm/repos/stable"
                        _chartVersion = dynatraceOperator
                        _namespace = "dynatrace"
                        _values = {
                            installCRD = True
                            csidriver.enabled = True
                        }
                    }
                    object {
                        _name = "dynakube"
                        _manifest = {
                            apiVersion = "dynatrace.com/v1beta1"
                            kind = "DynaKube"
                            metadata = {
                                name = oxr.spec.id
                                namespace = "dynatrace"
                                annotations = {
                                    "feature.dynatrace.com/k8s-app-enabled" = "true"
                                }
                            }
                            spec = {
                                apiUrl = oxr.spec.parameters.apps.dynatrace.apiUrl
                                oneAgent.cloudNativeFullStack.image = ""
                                activeGate = {
                                    capabilities = [
                                        "kubernetes-monitoring"
                                        "routing"
                                        "metrics-ingest"
                                        "dynatrace-api"
                                    ]
                                    image = ""
                                    resources = {
                                        requests = {
                                            cpu = "500m"
                                            memory = "512Mi"
                                        }
                                        limits = {
                                            cpu = "1000m"
                                            memory = "1.5Gi"
                                        }
                                    }
                                }
                            }
                        }
                    }
                    chart {
                        _name = "dynatrace-dashboard"
                        _chartName = "kubernetes-cluster"
                        _chartRepository = "https://katharinasick.github.io/crossplane-observability-demo-dynatrace"
                        _chartVersion = dynatraceDashboard
                        _namespace = "dynatrace"
                        _values = {
                            oauthCredentialsSecretName = oxr.spec.parameters.apps.dynatrace.oathCredentialsSecretName
                            cluster = oxr.spec.id
                            dashboards = {
                                clusterOverview.enabled = True
                                crossplaneMetrics.enabled = False
                            }
                        }
                        _providerConfigRefName = oxr.spec.id + "-local"
                    }
                    if oxr.spec.parameters?.usage?.enabled:
                        usage { _nameSuffix = "dynatrace-operator", _kind = "Release" }
                        usage { _nameSuffix = "dynakube" }
                        usage { _nameSuffix = "dynatrace-dashboard", _kind = "Release" }
                if oxr.spec.parameters?.apps?.externalSecrets?.enabled:
                    chart {
                        _name = "external-secrets"
                        _chartRepository = "https://charts.external-secrets.io"
                        _chartVersion = externalSecrets
                        _namespace = "external-secrets"
                        _values = {
                            installCRDs = True
                        }
                    }
                    if oxr.spec.parameters?.usage?.enabled:
                        usage { _nameSuffix = "external-secrets", _kind = "Release" }
                if oxr.spec.parameters?.apps?.externalSecrets?.enabled and oxr.spec.parameters.apps?.externalSecrets?.store:
                    object {
                        _name = "secret-store"
                        _externalName = oxr.spec.compositionSelector.matchLabels.provider
                        _manifest = {
                            apiVersion = "external-secrets.io/v1beta1"
                            kind = "ClusterSecretStore"
                            metadata.name = oxr.spec.compositionSelector.matchLabels.provider
                            if oxr.spec.compositionSelector.matchLabels.provider == "google":
                                spec.provider.gcpsm.auth.secretRef.secretAccessKeySecretRef = {
                                    name: "gcp-creds"
                                    key: oxr.spec.parameters.apps.externalSecrets.googleCredentialsKey
                                    namespace: oxr.spec.parameters.creds.namespace
                                }
                            elif oxr.spec.compositionSelector.matchLabels.provider == "azure":
                                spec.provider.azurekv = {
                                    authType = "ManagedIdentity"
                                    vaultUrl = oxr.spec.parameters.apps.externalSecrets.azureVaultUrl
                                }
                            elif oxr.spec.compositionSelector.matchLabels.provider == "aws":
                                spec.provider.aws = {
                                    service = "SecretsManager"
                                    region = "us-east-1"
                                    auth.secretRef = {
                                        accessKeyIDSecretRef = {
                                            name = oxr.spec.parameters.creds.name
                                            key = oxr.spec.parameters.apps.externalSecrets.awsAccessKeyIDKey
                                            namespace = oxr.spec.parameters.creds.namespace
                                        }
                                        secretAccessKeySecretRef = {
                                            name = oxr.spec.parameters.creds.name
                                            key = oxr.spec.parameters.apps.externalSecrets.awsSecretAccessKeyKey
                                            namespace = oxr.spec.parameters.creds.namespace
                                        }
                                    }
                                }
                        }
                        if oxr.spec.compositionSelector.matchLabels.provider == "google":
                            _references = [{
                                patchesFrom = {
                                    apiVersion = "gcp.upbound.io/v1beta1"
                                    kind = "ProviderConfig"
                                    name = "default"
                                    fieldPath = "spec.projectID"
                                }
                                toFieldPath = "spec.provider.gcpsm.projectID"
                            }]
                    }
                    if oxr.spec.parameters?.usage?.enabled:
                        usage { _nameSuffix = "secret-store" }
            ]

            if oxr.spec.parameters?.apps?.externalSecrets?.secrets:
                _items += [{
                    apiVersion = "kubernetes.crossplane.io/v1alpha2"
                    kind = "Object"
                    metadata = {
                        name = oxr.spec.id + "-secret-" + _secret.toSecret
                        annotations = {
                            "crossplane.io/external-name" = _secret.toSecret
                            "krm.kcl.dev/composition-resource-name" = oxr.spec.id + "-secret-" + _secret.toSecret
                        }
                    }
                    spec = {
                        forProvider.manifest = {
                            apiVersion = "external-secrets.io/v1beta1"
                            kind = "ExternalSecret"
                            metadata = {
                                name: _secret.toSecret
                                namespace: _secret.toNamespace
                            }
                            spec = {
                                refreshInterval = "1h"
                                secretStoreRef = {
                                    kind: "ClusterSecretStore"
                                    name: oxr.spec.compositionSelector.matchLabels.provider
                                }
                                target = {
                                    name = _secret.toSecret
                                    creationPolicy = "Owner"
                                    template.type = _secret.type
                                }
                                dataFrom = [{ extract.key = _secret.fromSecret }]
                            }
                        }
                        providerConfigRef.name = oxr.spec.id
                    }
                } for _secret in oxr.spec.parameters.apps.externalSecrets.secrets ]
                if oxr.spec.parameters?.usage?.enabled:
                    _items += [ usage {
                        _nameSuffix = "secret-" + _secret.toSecret
                    } for _secret in oxr.spec.parameters.apps.externalSecrets.secrets ]
            if oxr.spec.parameters?.namespaces:
                _items += [{
                    apiVersion = "kubernetes.crossplane.io/v1alpha2"
                    kind = "Object"
                    metadata = {
                        name = oxr.spec.id + "-ns-" + _namespace
                        annotations = {
                            "crossplane.io/external-name" = _namespace
                            "krm.kcl.dev/composition-resource-name" = oxr.spec.id + "-ns-" + _namespace
                        }
                    }
                    spec = {
                        forProvider.manifest = {
                            apiVersion = "v1"
                            kind = "Namespace"
                            metadata.name = _namespace
                        }
                        deletionPolicy = "Orphan"
                        providerConfigRef.name = oxr.spec.id
                    }
                } for _namespace in oxr.spec.parameters.namespaces ]
            if oxr.spec.parameters?.creds:
                _items += [
                    {
                        apiVersion = "kubernetes.crossplane.io/v1alpha2"
                        kind = "Object"
                        metadata = {
                            name = oxr.spec.id + "-creds"
                            annotations = {
                                "crossplane.io/external-name" = oxr.spec.parameters.creds.name
                                "krm.kcl.dev/composition-resource-name" = oxr.spec.id + "-creds"
                            }
                        }
                        spec = {
                            references = [{
                                patchesFrom = {
                                    apiVersion = "v1"
                                    kind = "Secret"
                                    name: oxr.spec.parameters.creds.name
                                    namespace: oxr.spec.parameters.creds.namespace
                                    fieldPath: "data." + _credReference
                                }
                                toFieldPath: "data." + _credReference
                            } for _credReference in oxr.spec.parameters.creds.keys]
                            forProvider = {
                                manifest = {
                                    apiVersion = "v1"
                                    kind = "Secret"
                                    metadata = {
                                        name = oxr.spec.parameters.creds.name
                                        namespace = oxr.spec.parameters.creds.namespace
                                    }
                                }
                            }
                            providerConfigRef.name = oxr.spec.id
                        }
                    }
                    if oxr.spec.parameters?.usage?.enabled:
                        usage { _nameSuffix = "creds" }
                ]
            items = _items
    - step: automatically-detect-ready-composed-resources
      functionRef:
        name: crossplane-contrib-function-auto-ready
  writeConnectionSecretsToNamespace: crossplane-system
Discover the building blocks for your internal cloud platform.
© 2024 Upbound, Inc.
Solutions