Type

Composition

Referenced XRD

CompositeCluster

Source Code: github.com/vfarcic/crossplane-kubernetes
# Composition that builds an EKS cluster on AWS for the CompositeCluster XRD
# (devopstoolkitseries.com/v1alpha1). Pipeline, in order:
#   1. patch-and-transform: EKS Cluster, ClusterAuth (kubeconfig), NodeGroup,
#      IAM roles and policy attachments, VPC/subnets/routing, the EBS CSI
#      addon, and helm + kubernetes ProviderConfigs aimed at the new cluster;
#   2. go-templating steps that install apps, a ClusterSecretStore,
#      ExternalSecrets, Namespaces and a copied credentials Secret into it;
#   3. function-auto-ready, which marks the composite Ready.
# Every AWS resource is pinned to region us-east-1, and the composite's
# spec.id is used as the name (or name prefix) of everything created.
# NOTE(review): functionRef names carry no version; the package version and
# digest live on the Function objects, which are not on this page — confirm
# they are pinned rather than floating on a tag.
kind: Composition
apiVersion: apiextensions.crossplane.io/v1
metadata:
  name: cluster-aws
  creationTimestamp: null
  labels:
    cluster: eks
    provider: aws
spec:
  compositeTypeRef:
    apiVersion: devopstoolkitseries.com/v1alpha1
    kind: CompositeCluster
  mode: Pipeline
  pipeline:
    # Step 1: every AWS resource plus the two ProviderConfigs. Each entry is
    # a managed-resource template (`base`) with patches from the composite.
    - step: patch-and-transform
      functionRef:
        name: crossplane-contrib-function-patch-and-transform
      input:
        apiVersion: pt.fn.crossplane.io/v1beta1
        kind: Resources
        resources:
          # EKS control plane. Named after the cluster id; its IAM role is
          # selected by the `role: <id>-controlplane` label set on
          # iamrole-controlplane below.
          - base:
              apiVersion: eks.aws.upbound.io/v1beta1
              kind: Cluster
              spec:
                forProvider:
                  region: us-east-1
                  roleArnSelector:
                    matchControllerRef: true
                  # Default only; overwritten by the spec.parameters.version patch.
                  version: "1.29"
                  vpcConfig:
                    # Both endpoints are on and no publicAccessCidrs is set, so
                    # the API server is reachable from any IPv4 address (AWS
                    # defaults the allow-list to 0.0.0.0/0); IAM/RBAC is the
                    # only gate. Restrict it with publicAccessCidrs, or set
                    # endpointPublicAccess: false and reach it via the VPC.
                    - endpointPrivateAccess: true
                      endpointPublicAccess: true
                      # Selects every Subnet owned by this composite — the
                      # three public subnets defined further down.
                      subnetIdSelector:
                        matchControllerRef: true
                  # NOTE(review): no encryptionConfig (customer KMS key for
                  # Secrets) and no enabledClusterLogTypes (audit/authenticator
                  # logs) are set; both fall back to the AWS defaults — confirm
                  # those meet your baseline.
            name: ekscluster
            patches:
              - fromFieldPath: spec.id
                toFieldPath: metadata.name
              - fromFieldPath: spec.parameters.version
                toFieldPath: spec.forProvider.version
              # Bind to the Role labelled role=<id>-controlplane.
              - fromFieldPath: spec.id
                toFieldPath: spec.forProvider.roleArnSelector.matchLabels.role
                transforms:
                  - string:
                      fmt: "%s-controlplane"
                      type: Format
                    type: string
              - fromFieldPath: metadata.name
                toFieldPath: status.clusterName
                type: ToCompositeFieldPath
              # Surfaces only the first condition's reason; which condition
              # comes first is not guaranteed, so treat this as informational.
              - fromFieldPath: status.conditions[0].reason
                toFieldPath: status.controlPlaneStatus
                type: ToCompositeFieldPath
          # Obtains a kubeconfig for the new cluster and writes it to Secret
          # <id>-cluster in the claim's namespace (key: kubeconfig). That
          # Secret is what the helm/kubernetes ProviderConfigs below consume.
          # NOTE(review): the kubeconfig authenticates as the provider's AWS
          # identity — the cluster creator, which EKS typically maps to
          # system:masters — so anyone who can read Secrets in the claim
          # namespace effectively gets cluster-admin on the new cluster.
          - base:
              apiVersion: eks.aws.upbound.io/v1beta1
              kind: ClusterAuth
              spec:
                forProvider:
                  clusterNameSelector:
                    matchControllerRef: true
                  region: us-east-1
            # Also exposes the kubeconfig as the composite's connection detail
            # (written to writeConnectionSecretsToNamespace, end of spec).
            connectionDetails:
              - fromConnectionSecretKey: kubeconfig
                name: kubeconfig
                type: FromConnectionSecretKey
            name: clusterAuth
            patches:
              - fromFieldPath: spec.id
                toFieldPath: metadata.name
              - fromFieldPath: spec.id
                toFieldPath: spec.writeConnectionSecretToRef.name
                transforms:
                  - string:
                      fmt: "%s-cluster"
                      type: Format
                    type: string
              - fromFieldPath: spec.claimRef.namespace
                toFieldPath: spec.writeConnectionSecretToRef.namespace
          # Managed node group. The instance type comes from
          # spec.parameters.nodeSize through the small/medium/large map; min
          # and desired size both come from spec.parameters.minNodeCount, while
          # maxSize stays fixed at 10.
          # NOTE(review): no launchTemplate is set, so IMDS hardening
          # (httpTokens: required) and other instance-level settings cannot be
          # configured from this resource; nodes run with the AMI defaults.
          # The subnet selector matches every Subnet of this composite, and all
          # of them are public with mapPublicIpOnLaunch: true, so each node
          # gets a public IP.
          - base:
              apiVersion: eks.aws.upbound.io/v1beta1
              kind: NodeGroup
              spec:
                forProvider:
                  clusterNameSelector:
                    matchControllerRef: true
                  instanceTypes:
                    - t3.small
                  nodeRoleArnSelector:
                    matchControllerRef: true
                  region: us-east-1
                  scalingConfig:
                    - desiredSize: 1
                      maxSize: 10
                      minSize: 1
                  subnetIdSelector:
                    matchControllerRef: true
            name: eksnodegroup
            patches:
              - fromFieldPath: spec.id
                toFieldPath: metadata.name
              # The map has no default entry; a nodeSize outside
              # small/medium/large presumably fails the patch — verify.
              - fromFieldPath: spec.parameters.nodeSize
                toFieldPath: spec.forProvider.instanceTypes[0]
                transforms:
                  - map:
                      large: t3.large
                      medium: t3.medium
                      small: t3.small
                    type: map
              # Bind to the Role labelled role=<id>-nodegroup.
              - fromFieldPath: spec.id
                toFieldPath: spec.forProvider.nodeRoleArnSelector.matchLabels.role
                transforms:
                  - string:
                      fmt: "%s-nodegroup"
                      type: Format
                    type: string
              - fromFieldPath: spec.parameters.minNodeCount
                toFieldPath: spec.forProvider.scalingConfig[0].minSize
              - fromFieldPath: spec.parameters.minNodeCount
                toFieldPath: spec.forProvider.scalingConfig[0].desiredSize
              # First condition only; see the same caveat on ekscluster.
              - fromFieldPath: status.conditions[0].reason
                toFieldPath: status.nodePoolStatus
                type: ToCompositeFieldPath
          # IAM role for the EKS control plane. The trust policy admits only
          # the eks.amazonaws.com service principal. The role=<id>-controlplane
          # label is what the Cluster and the policy attachments select on.
          # NOTE(review): the trust has no aws:SourceAccount / aws:SourceArn
          # condition (generic AWS hardening against cross-service confused
          # deputies); consider adding one if your baseline requires it.
          - base:
              apiVersion: iam.aws.upbound.io/v1beta1
              kind: Role
              spec:
                forProvider:
                  assumeRolePolicy: |-
                    {
                      "Version": "2012-10-17",
                      "Statement": [{
                        "Effect": "Allow",
                        "Principal": {"Service": ["eks.amazonaws.com"]},
                        "Action": ["sts:AssumeRole"]
                      }]
                    }
            name: iamrole-controlplane
            patches:
              - fromFieldPath: spec.id
                toFieldPath: metadata.name
                transforms:
                  - string:
                      fmt: "%s-controlplane"
                      type: Format
                    type: string
              - fromFieldPath: spec.id
                toFieldPath: metadata.labels.role
                transforms:
                  - string:
                      fmt: "%s-controlplane"
                      type: Format
                    type: string
          # IAM role for the worker nodes (instance role). The trust policy
          # admits only the ec2.amazonaws.com service principal. Labelled
          # role=<id>-nodegroup for the NodeGroup and attachment selectors.
          - base:
              apiVersion: iam.aws.upbound.io/v1beta1
              kind: Role
              spec:
                forProvider:
                  assumeRolePolicy: |-
                    {
                      "Version": "2012-10-17",
                      "Statement": [{
                        "Effect": "Allow",
                        "Principal": {"Service": ["ec2.amazonaws.com"]},
                        "Action": ["sts:AssumeRole"]
                      }]
                    }
            name: iamrole-nodegroup
            patches:
              - fromFieldPath: spec.id
                toFieldPath: metadata.name
                transforms:
                  - string:
                      fmt: "%s-nodegroup"
                      type: Format
                    type: string
              - fromFieldPath: spec.id
                toFieldPath: metadata.labels.role
                transforms:
                  - string:
                      fmt: "%s-nodegroup"
                      type: Format
                    type: string
          # AWS managed policies for the control-plane role. Both entries
          # select the same role (role=<id>-controlplane); only the attachment
          # name differs (<id>-controlplane, <id>-service).
          - base:
              apiVersion: iam.aws.upbound.io/v1beta1
              kind: RolePolicyAttachment
              spec:
                forProvider:
                  policyArn: arn:aws:iam::aws:policy/AmazonEKSClusterPolicy
                  roleSelector:
                    matchControllerRef: true
            name: iamattachment-controlplane
            patches:
              - fromFieldPath: spec.id
                toFieldPath: metadata.name
                transforms:
                  - string:
                      fmt: "%s-controlplane"
                      type: Format
                    type: string
              - fromFieldPath: spec.id
                toFieldPath: spec.forProvider.roleSelector.matchLabels.role
                transforms:
                  - string:
                      fmt: "%s-controlplane"
                      type: Format
                    type: string
          # NOTE(review): AWS no longer requires AmazonEKSServicePolicy for
          # newly created clusters (AmazonEKSClusterPolicy covers it); it is
          # presumably kept for compatibility and can be dropped to keep the
          # role minimal.
          - base:
              apiVersion: iam.aws.upbound.io/v1beta1
              kind: RolePolicyAttachment
              spec:
                forProvider:
                  policyArn: arn:aws:iam::aws:policy/AmazonEKSServicePolicy
                  roleSelector:
                    matchControllerRef: true
            name: iamattachment-service
            patches:
              - fromFieldPath: spec.id
                toFieldPath: metadata.name
                transforms:
                  - string:
                      fmt: "%s-service"
                      type: Format
                    type: string
              # Deliberately "-controlplane", not "-service": this attaches
              # to the control-plane role.
              - fromFieldPath: spec.id
                toFieldPath: spec.forProvider.roleSelector.matchLabels.role
                transforms:
                  - string:
                      fmt: "%s-controlplane"
                      type: Format
                    type: string
          # The standard worker-node policy set on the node role
          # (role=<id>-nodegroup): WorkerNode, CNI and ECR read-only.
          # NOTE(review): with AmazonEKS_CNI_Policy on the node role, every
          # pod on a node can obtain those ENI/IP permissions through the
          # instance metadata service (nothing here restricts IMDS). AWS
          # recommends a dedicated role for aws-node via IRSA or Pod Identity
          # and removing the policy from the node role.
          - base:
              apiVersion: iam.aws.upbound.io/v1beta1
              kind: RolePolicyAttachment
              spec:
                forProvider:
                  policyArn: arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy
                  roleSelector:
                    matchControllerRef: true
            name: iamattachment-worker
            patches:
              - fromFieldPath: spec.id
                toFieldPath: metadata.name
                transforms:
                  - string:
                      fmt: "%s-worker"
                      type: Format
                    type: string
              - fromFieldPath: spec.id
                toFieldPath: spec.forProvider.roleSelector.matchLabels.role
                transforms:
                  - string:
                      fmt: "%s-nodegroup"
                      type: Format
                    type: string
          - base:
              apiVersion: iam.aws.upbound.io/v1beta1
              kind: RolePolicyAttachment
              spec:
                forProvider:
                  policyArn: arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy
                  roleSelector:
                    matchControllerRef: true
            name: iamattachment-cni
            patches:
              - fromFieldPath: spec.id
                toFieldPath: metadata.name
                transforms:
                  - string:
                      fmt: "%s-cni"
                      type: Format
                    type: string
              - fromFieldPath: spec.id
                toFieldPath: spec.forProvider.roleSelector.matchLabels.role
                transforms:
                  - string:
                      fmt: "%s-nodegroup"
                      type: Format
                    type: string
          # Read-only ECR access so kubelet can pull images; no push rights.
          - base:
              apiVersion: iam.aws.upbound.io/v1beta1
              kind: RolePolicyAttachment
              spec:
                forProvider:
                  policyArn: arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly
                  roleSelector:
                    matchControllerRef: true
            name: iamattachment-registry
            patches:
              - fromFieldPath: spec.id
                toFieldPath: metadata.name
                transforms:
                  - string:
                      fmt: "%s-registry"
                      type: Format
                    type: string
              - fromFieldPath: spec.id
                toFieldPath: spec.forProvider.roleSelector.matchLabels.role
                transforms:
                  - string:
                      fmt: "%s-nodegroup"
                      type: Format
                    type: string
          # VPC for the cluster. The CIDR is the same 10.0.0.0/16 for every
          # cluster built from this composition — plan for that before peering.
          # NOTE(review): enableDnsHostnames is not set. EKS documents that
          # private endpoint access (enabled on the Cluster above) needs both
          # DNS support and DNS hostnames on the VPC — confirm the provider's
          # default for enableDnsHostnames, or set it explicitly.
          - base:
              apiVersion: ec2.aws.upbound.io/v1beta1
              kind: VPC
              spec:
                forProvider:
                  cidrBlock: 10.0.0.0/16
                  enableDnsSupport: true
                  region: us-east-1
            name: vpc-nodepool
            patches:
              - fromFieldPath: spec.id
                toFieldPath: metadata.name
          # Security group in the cluster VPC. Nothing in this composition
          # attaches it: the Cluster's vpcConfig sets no security group IDs
          # and the NodeGroup has no launch template, so EKS uses its own
          # cluster security group and this one only carries the egress rule
          # that follows. readinessChecks: None — the composite never waits
          # on it.
          - base:
              apiVersion: ec2.aws.upbound.io/v1beta1
              kind: SecurityGroup
              spec:
                forProvider:
                  description: Cluster communication with worker nodes
                  region: us-east-1
                  vpcIdSelector:
                    matchControllerRef: true
            name: sg-nodepool
            patches:
              - fromFieldPath: spec.id
                toFieldPath: metadata.name
              - fromFieldPath: spec.id
                toFieldPath: spec.forProvider.name
            readinessChecks:
              - type: None
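          # Allow-all egress on sg-nodepool: every protocol (-1), every port,
          # to 0.0.0.0/0. AWS gives new groups an equivalent default egress
          # rule; providers built on the Terraform AWS resources strip that
          # default, which is presumably why it is recreated here. There is
          # no ingress rule in this composition, and sg-nodepool itself is not
          # attached to the cluster or node group.
          - base:
              apiVersion: ec2.aws.upbound.io/v1beta1
              kind: SecurityGroupRule
              spec:
                forProvider:
                  cidrBlocks:
                    - 0.0.0.0/0
                  # Rule descriptions are what reviewers and audit tooling
                  # see in the console — state what the rule permits.
                  description: Allow all outbound traffic from the node pool
                  fromPort: 0
                  protocol: "-1"
                  region: us-east-1
                  securityGroupIdSelector:
                    matchControllerRef: true
                  toPort: 0
                  type: egress
            name: securityGroupRule
            patches:
              - fromFieldPath: spec.id
                toFieldPath: metadata.name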
          # Three /24 subnets carved from the VPC's 10.0.0.0/16, one per AZ
          # (us-east-1a/b/c, hard-coded). All are public: mapPublicIpOnLaunch
          # gives every node a public IP, and kubernetes.io/role/elb marks
          # them for internet-facing load balancers. There are no private
          # subnets (and no kubernetes.io/role/internal-elb tag) in this
          # composition. The zone/access labels are what the route-table
          # associations below select on.
          - base:
              apiVersion: ec2.aws.upbound.io/v1beta1
              kind: Subnet
              metadata:
                labels:
                  access: public
                  zone: us-east-1a
              spec:
                forProvider:
                  availabilityZone: us-east-1a
                  cidrBlock: 10.0.0.0/24
                  mapPublicIpOnLaunch: true
                  region: us-east-1
                  tags:
                    kubernetes.io/role/elb: "1"
                  vpcIdSelector:
                    matchControllerRef: true
            name: subnet-nodepool-1a
            patches:
              - fromFieldPath: spec.id
                toFieldPath: metadata.name
                transforms:
                  - string:
                      fmt: "%s-1a"
                      type: Format
                    type: string
          - base:
              apiVersion: ec2.aws.upbound.io/v1beta1
              kind: Subnet
              metadata:
                labels:
                  access: public
                  zone: us-east-1b
              spec:
                forProvider:
                  availabilityZone: us-east-1b
                  cidrBlock: 10.0.1.0/24
                  mapPublicIpOnLaunch: true
                  region: us-east-1
                  tags:
                    kubernetes.io/role/elb: "1"
                  vpcIdSelector:
                    matchControllerRef: true
            name: subnet-nodepool-1b
            patches:
              - fromFieldPath: spec.id
                toFieldPath: metadata.name
                transforms:
                  - string:
                      fmt: "%s-1b"
                      type: Format
                    type: string
          - base:
              apiVersion: ec2.aws.upbound.io/v1beta1
              kind: Subnet
              metadata:
                labels:
                  access: public
                  zone: us-east-1c
              spec:
                forProvider:
                  availabilityZone: us-east-1c
                  cidrBlock: 10.0.2.0/24
                  mapPublicIpOnLaunch: true
                  region: us-east-1
                  tags:
                    kubernetes.io/role/elb: "1"
                  vpcIdSelector:
                    matchControllerRef: true
            name: subnet-nodepool-1c
            patches:
              - fromFieldPath: spec.id
                toFieldPath: metadata.name
                transforms:
                  - string:
                      fmt: "%s-1c"
                      type: Format
                    type: string
          # Internet path for the (all-public) subnets: an Internet Gateway,
          # one route table with a 0.0.0.0/0 route to it, made the VPC's main
          # table and explicitly associated with each of the three subnets.
          - base:
              apiVersion: ec2.aws.upbound.io/v1beta1
              kind: InternetGateway
              spec:
                forProvider:
                  region: us-east-1
                  vpcIdSelector:
                    matchControllerRef: true
            name: gateway
            patches:
              - fromFieldPath: spec.id
                toFieldPath: metadata.name
          - base:
              apiVersion: ec2.aws.upbound.io/v1beta1
              kind: RouteTable
              spec:
                forProvider:
                  region: us-east-1
                  vpcIdSelector:
                    matchControllerRef: true
            name: routeTable
            patches:
              - fromFieldPath: spec.id
                toFieldPath: metadata.name
          # Default route to the gateway; this is what makes the subnets public.
          - base:
              apiVersion: ec2.aws.upbound.io/v1beta1
              kind: Route
              spec:
                forProvider:
                  destinationCidrBlock: 0.0.0.0/0
                  gatewayIdSelector:
                    matchControllerRef: true
                  region: us-east-1
                  routeTableIdSelector:
                    matchControllerRef: true
            name: route
            patches:
              - fromFieldPath: spec.id
                toFieldPath: metadata.name
          # Replaces the VPC's implicit main route table with the one above,
          # so any future subnet without an explicit association is public too.
          - base:
              apiVersion: ec2.aws.upbound.io/v1beta1
              kind: MainRouteTableAssociation
              spec:
                forProvider:
                  region: us-east-1
                  routeTableIdSelector:
                    matchControllerRef: true
                  vpcIdSelector:
                    matchControllerRef: true
            name: mainRouteTableAssociation
            patches:
              - fromFieldPath: spec.id
                toFieldPath: metadata.name
          # Per-subnet associations, matched on the access/zone labels the
          # Subnet resources carry.
          - base:
              apiVersion: ec2.aws.upbound.io/v1beta1
              kind: RouteTableAssociation
              spec:
                forProvider:
                  region: us-east-1
                  routeTableIdSelector:
                    matchControllerRef: true
                  subnetIdSelector:
                    matchControllerRef: true
                    matchLabels:
                      access: public
                      zone: us-east-1a
            name: routeTableAssociation1a
            patches:
              - fromFieldPath: spec.id
                toFieldPath: metadata.name
                transforms:
                  - string:
                      fmt: "%s-1a"
                      type: Format
                    type: string
          - base:
              apiVersion: ec2.aws.upbound.io/v1beta1
              kind: RouteTableAssociation
              spec:
                forProvider:
                  region: us-east-1
                  routeTableIdSelector:
                    matchControllerRef: true
                  subnetIdSelector:
                    matchControllerRef: true
                    matchLabels:
                      access: public
                      zone: us-east-1b
            name: routeTableAssociation1b
            patches:
              - fromFieldPath: spec.id
                toFieldPath: metadata.name
                transforms:
                  - string:
                      fmt: "%s-1b"
                      type: Format
                    type: string
          - base:
              apiVersion: ec2.aws.upbound.io/v1beta1
              kind: RouteTableAssociation
              spec:
                forProvider:
                  region: us-east-1
                  routeTableIdSelector:
                    matchControllerRef: true
                  subnetIdSelector:
                    matchControllerRef: true
                    matchLabels:
                      access: public
                      zone: us-east-1c
            name: routeTableAssociation1c
            patches:
              - fromFieldPath: spec.id
                toFieldPath: metadata.name
                transforms:
                  - string:
                      fmt: "%s-1c"
                      type: Format
                    type: string
          # Installs the aws-ebs-csi-driver EKS addon. No addonVersion is
          # given, so the version is whatever the provider/AWS default picks
          # (not pinned). No serviceAccountRoleArn is given either, so the
          # driver runs with the node role — and the attachments above grant
          # that role no EBS permissions. Unless those are granted out of
          # band, volume provisioning will fail; the usual fix is an IRSA
          # role carrying AmazonEBSCSIDriverPolicy. TODO confirm.
          - base:
              apiVersion: eks.aws.upbound.io/v1beta1
              kind: Addon
              metadata:
                # Placeholder; replaced by the <id>-ebs patch below.
                name: aws-ebs-csi-driver
              spec:
                forProvider:
                  addonName: aws-ebs-csi-driver
                  clusterNameSelector:
                    matchControllerRef: true
                  region: us-east-1
            name: addonEbs
            patches:
              - fromFieldPath: spec.id
                toFieldPath: metadata.name
                transforms:
                  - string:
                      fmt: "%s-ebs"
                      type: Format
                    type: string
          # ProviderConfigs for provider-helm and provider-kubernetes, both
          # named after the cluster id and both reading the kubeconfig that
          # clusterAuth writes to Secret <id>-cluster in the claim namespace.
          # The go-templating steps below reference them by providerConfigRef.
          # Everything those providers do in the new cluster therefore runs
          # with the cluster-creator credential described on clusterAuth.
          # readinessChecks: None — ProviderConfigs report no Ready condition,
          # so the composite would presumably never become Ready without it.
          - base:
              apiVersion: helm.crossplane.io/v1beta1
              kind: ProviderConfig
              spec:
                credentials:
                  secretRef:
                    key: kubeconfig
                    # Placeholders; both are overwritten by the patches below.
                    name: kubeconfig
                    namespace: crossplane-system
                  source: Secret
            name: helm
            patches:
              - fromFieldPath: spec.id
                toFieldPath: metadata.name
              - fromFieldPath: spec.claimRef.namespace
                toFieldPath: spec.credentials.secretRef.namespace
              - fromFieldPath: spec.id
                toFieldPath: spec.credentials.secretRef.name
                transforms:
                  - string:
                      fmt: "%s-cluster"
                      type: Format
                    type: string
            readinessChecks:
              - type: None
          - base:
              apiVersion: kubernetes.crossplane.io/v1alpha1
              kind: ProviderConfig
              spec:
                credentials:
                  secretRef:
                    key: kubeconfig
                    name: kubeconfig
                    namespace: crossplane-system
                  source: Secret
            name: kubernetes
            patches:
              - fromFieldPath: spec.id
                toFieldPath: metadata.name
              - fromFieldPath: spec.claimRef.namespace
                toFieldPath: spec.credentials.secretRef.namespace
              - fromFieldPath: spec.id
                toFieldPath: spec.credentials.secretRef.name
                transforms:
                  - string:
                      fmt: "%s-cluster"
                      type: Format
                    type: string
            readinessChecks:
              - type: None
    # Installs Crossplane into the new cluster when
    # spec.parameters.apps.crossplane.enabled is set. Chart pinned to 1.14.5
    # from the stable repo (url left empty, so the repository path is used).
    # Helm acts through the <id> helm ProviderConfig, i.e. as cluster creator.
    - step: app-crossplane
      functionRef:
        name: crossplane-contrib-function-go-templating
      input:
        apiVersion: gotemplating.fn.crossplane.io/v1beta1
        inline:
          # Folded scalar: blank lines become newlines, indented lines are kept.
          template: >-
            {{ if
            .observed.composite.resource.spec.parameters.apps.crossplane.enabled
            }}

            ---

            apiVersion: helm.crossplane.io/v1beta1

            kind: Release

            metadata:
              name: '{{ $.observed.composite.resource.spec.id }}-app-crossplane'
              annotations:
                crossplane.io/external-name: crossplane
                gotemplating.fn.crossplane.io/composition-resource-name: '{{ $.observed.composite.resource.spec.id }}-app-crossplane'
            spec:
              forProvider:
                chart:
                  name: crossplane
                  repository: https://charts.crossplane.io/stable
                  version: 1.14.5
                  url: ""
                set: []
                namespace: crossplane-system
              rollbackLimit: 3
              providerConfigRef:
                name: '{{ $.observed.composite.resource.spec.id }}'
            {{ end }}
        kind: GoTemplate
        source: Inline
    # Installs OpenFunction when spec.parameters.apps.openfunction.enabled is
    # set. Unlike the other apps it is fetched as a bare .tgz from a GitHub
    # Pages URL (repository and version empty), with no digest or signature
    # check anywhere in this composition — a supply-chain exposure. Prefer a
    # chart repository plus a pinned version, or verify the archive.
    - step: app-openfunction
      functionRef:
        name: crossplane-contrib-function-go-templating
      input:
        apiVersion: gotemplating.fn.crossplane.io/v1beta1
        inline:
          template: >-
            {{ if
            .observed.composite.resource.spec.parameters.apps.openfunction.enabled
            }}

            ---

            apiVersion: helm.crossplane.io/v1beta1

            kind: Release

            metadata:
              name: '{{ $.observed.composite.resource.spec.id }}-app-openfunction'
              annotations:
                crossplane.io/external-name: openfunction
                gotemplating.fn.crossplane.io/composition-resource-name: '{{ $.observed.composite.resource.spec.id }}-app-openfunction'
            spec:
              forProvider:
                chart:
                  name: openfunction
                  repository: ""
                  version: ""
                  url: https://openfunction.github.io/charts/openfunction-v1.2.0-v0.7.0.tgz
                set:
                  - name: revisionController.enable
                    value: "true"
                namespace: openfunction
              rollbackLimit: 3
              providerConfigRef:
                name: '{{ $.observed.composite.resource.spec.id }}'
            {{ end }}
        kind: GoTemplate
        source: Inline
    # Installs External Secrets Operator (chart 0.9.11, CRDs included) when
    # spec.parameters.apps.externalSecrets.enabled is set. The store and the
    # ExternalSecret objects that use it come from the next two steps.
    - step: app-external-secrets
      functionRef:
        name: crossplane-contrib-function-go-templating
      input:
        apiVersion: gotemplating.fn.crossplane.io/v1beta1
        inline:
          template: >-
            {{ if
            .observed.composite.resource.spec.parameters.apps.externalSecrets.enabled
            }}

            ---

            apiVersion: helm.crossplane.io/v1beta1

            kind: Release

            metadata:
              name: '{{ $.observed.composite.resource.spec.id }}-app-external-secrets'
              annotations:
                crossplane.io/external-name: external-secrets
                gotemplating.fn.crossplane.io/composition-resource-name: '{{ $.observed.composite.resource.spec.id }}-app-external-secrets'
            spec:
              forProvider:
                chart:
                  name: external-secrets
                  repository: https://charts.external-secrets.io
                  version: 0.9.11
                  url: ""
                set:
                  - name: installCRDs
                    value: "true"
                namespace: external-secrets
              rollbackLimit: 3
              providerConfigRef:
                name: '{{ $.observed.composite.resource.spec.id }}'
            {{ end }}
        kind: GoTemplate
        source: Inline
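    # Creates a ClusterSecretStore in the new cluster when externalSecrets is
    # enabled and `store` is set. It is always named `aws` (the `secrets`
    # step below hard-codes that name) whatever backend is chosen. The
    # backend follows which parameter is present: googleCredentialsKey ->
    # gcpsm (projectID copied from the management cluster's GCP
    # ProviderConfig "default"), awsAccessKeyIDKey + awsSecretAccessKeyKey ->
    # aws SecretsManager (region hard-coded to us-east-1), azureVaultUrl ->
    # azurekv with ManagedIdentity. gcpsm and aws read their credentials
    # from the Secret the `creds` step copies into the cluster
    # (spec.parameters.creds.name / .namespace).
    # NOTE(review): the aws backend relies on static access keys stored in a
    # Secret; prefer IRSA (jwt auth) so no long-lived key lives in-cluster.
    # Templated scalars are quoted so an empty or special-character value
    # renders as a string rather than null or a flow collection.
    - step: secret-store
      functionRef:
        name: crossplane-contrib-function-go-templating
      input:
        apiVersion: gotemplating.fn.crossplane.io/v1beta1
        inline:
          # Literal block: every line is passed to the template verbatim.
          template: |
            {{ if and .observed.composite.resource.spec.parameters.apps.externalSecrets.enabled .observed.composite.resource.spec.parameters.apps.externalSecrets.store }}
            ---
            apiVersion: kubernetes.crossplane.io/v1alpha2
            kind: Object
            metadata:
              name: '{{ $.observed.composite.resource.spec.id }}-secret-store'
              annotations:
                crossplane.io/external-name: aws
                gotemplating.fn.crossplane.io/composition-resource-name: '{{ $.observed.composite.resource.spec.id }}-secret-store'
            spec:
              {{ if $.observed.composite.resource.spec.parameters.apps.externalSecrets.googleCredentialsKey }}
              references:
                - patchesFrom:
                    apiVersion: gcp.upbound.io/v1beta1
                    kind: ProviderConfig
                    name: default
                    fieldPath: spec.projectID
                  toFieldPath: spec.provider.gcpsm.projectID
              {{ end }}
              forProvider:
                manifest:
                  apiVersion: external-secrets.io/v1beta1
                  kind: ClusterSecretStore
                  metadata:
                    name: aws
                  spec:
                    provider:
                      {{ if $.observed.composite.resource.spec.parameters.apps.externalSecrets.googleCredentialsKey }}
                      gcpsm:
                        auth:
                          secretRef:
                            secretAccessKeySecretRef:
                              name: '{{ $.observed.composite.resource.spec.parameters.creds.name }}'
                              key: '{{ $.observed.composite.resource.spec.parameters.apps.externalSecrets.googleCredentialsKey }}'
                              namespace: '{{ $.observed.composite.resource.spec.parameters.creds.namespace }}'
                      {{ end }}
                      {{ if and $.observed.composite.resource.spec.parameters.apps.externalSecrets.awsAccessKeyIDKey $.observed.composite.resource.spec.parameters.apps.externalSecrets.awsSecretAccessKeyKey }}
                      aws:
                        service: SecretsManager
                        region: us-east-1
                        auth:
                          secretRef:
                            accessKeyIDSecretRef:
                              name: '{{ $.observed.composite.resource.spec.parameters.creds.name }}'
                              key: '{{ $.observed.composite.resource.spec.parameters.apps.externalSecrets.awsAccessKeyIDKey }}'
                              namespace: '{{ $.observed.composite.resource.spec.parameters.creds.namespace }}'
                            secretAccessKeySecretRef:
                              name: '{{ $.observed.composite.resource.spec.parameters.creds.name }}'
                              key: '{{ $.observed.composite.resource.spec.parameters.apps.externalSecrets.awsSecretAccessKeyKey }}'
                              namespace: '{{ $.observed.composite.resource.spec.parameters.creds.namespace }}'
                      {{ end }}
                      {{ if $.observed.composite.resource.spec.parameters.apps.externalSecrets.azureVaultUrl }}
                      azurekv:
                        authType: ManagedIdentity
                        vaultUrl: '{{ $.observed.composite.resource.spec.parameters.apps.externalSecrets.azureVaultUrl }}'
                      {{ end }}
              providerConfigRef:
                name: '{{ $.observed.composite.resource.spec.id }}'
            {{ end }}
        kind: GoTemplate
        source: Inline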
    # One ExternalSecret per entry of spec.parameters.apps.externalSecrets.secrets,
    # created in the new cluster in `.toNamespace`, pulling `.fromSecret` from
    # the ClusterSecretStore named `aws` (the secret-store step) into a Secret
    # named `.toSecret` of type `.type`, refreshed hourly.
    # NOTE(review): this range is unconditional — entries are rendered even
    # when externalSecrets.enabled or .store is false, in which case they
    # reference a CRD and a store that were never created.
    - step: secrets
      functionRef:
        name: crossplane-contrib-function-go-templating
      input:
        apiVersion: gotemplating.fn.crossplane.io/v1beta1
        inline:
          template: >-
            {{ range
            .observed.composite.resource.spec.parameters.apps.externalSecrets.secrets
            }}

            ---

            apiVersion: kubernetes.crossplane.io/v1alpha2

            kind: Object

            metadata:
              name: '{{ $.observed.composite.resource.spec.id }}-secret-{{ .toSecret }}'
              annotations:
                crossplane.io/external-name: '{{ .toSecret }}'
                gotemplating.fn.crossplane.io/composition-resource-name: '{{ $.observed.composite.resource.spec.id }}-secret-{{ .toSecret }}'
            spec:
              forProvider:
                manifest:
                  apiVersion: external-secrets.io/v1beta1
                  kind: ExternalSecret
                  metadata:
                    name: '{{ .toSecret }}'
                    namespace: '{{ .toNamespace }}'
                  spec:
                    refreshInterval: 1h
                    secretStoreRef:
                      kind: ClusterSecretStore
                      name: aws
                    target:
                      name: '{{ .toSecret }}'
                      creationPolicy: Owner
                      template:
                        type: '{{ .type }}'
                    dataFrom:
                      - extract:
                          key: '{{ .fromSecret }}'
              providerConfigRef:
                name: '{{ $.observed.composite.resource.spec.id }}'
            {{ end }}
        kind: GoTemplate
        source: Inline
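    # Creates one Namespace in the new cluster per entry of
    # spec.parameters.namespaces. Templated names are quoted so a value such
    # as `on` or an empty string renders as a string rather than bool/null.
    # NOTE(review): nothing here validates the list — a claim can name an
    # existing namespace such as kube-system; provider-kubernetes would then
    # adopt it and, presumably under its default management policy, delete it
    # along with the claim. Consider constraining allowed names in the XRD.
    - step: namespaces
      functionRef:
        name: crossplane-contrib-function-go-templating
      input:
        apiVersion: gotemplating.fn.crossplane.io/v1beta1
        inline:
          # Literal block: every line is passed to the template verbatim.
          template: |
            {{ range .observed.composite.resource.spec.parameters.namespaces }}
            ---
            apiVersion: kubernetes.crossplane.io/v1alpha2
            kind: Object
            metadata:
              name: '{{ $.observed.composite.resource.spec.id }}-ns-{{ . }}'
              annotations:
                crossplane.io/external-name: '{{ . }}'
                gotemplating.fn.crossplane.io/composition-resource-name: '{{ $.observed.composite.resource.spec.id }}-ns-{{ . }}'
            spec:
              forProvider:
                manifest:
                  apiVersion: "v1"
                  kind: "Namespace"
                  metadata:
                    name: '{{ . }}'
              providerConfigRef:
                name: '{{ $.observed.composite.resource.spec.id }}'
            {{ end }}
        kind: GoTemplate
        source: Inline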
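    # Copies a Secret from the management cluster into the new cluster, key by
    # key: each `patchesFrom` is resolved by provider-kubernetes against the
    # cluster it runs in (the management cluster) and the value is written
    # into a Secret of the same name/namespace in the EKS cluster. The
    # secret-store step reads this copy for its gcpsm/aws credentials.
    # NOTE(review): name, namespace and keys all come straight from the claim
    # (spec.parameters.creds), and nothing in this composition limits them.
    # Whoever can create a CompositeCluster claim can therefore copy any
    # management-cluster Secret that provider-kubernetes' ServiceAccount is
    # allowed to read — check that RBAC, and consider pinning creds.namespace
    # (or an allow-list of names) in the XRD.
    # Templated scalars are quoted so odd values render as strings.
    - step: creds
      functionRef:
        name: crossplane-contrib-function-go-templating
      input:
        apiVersion: gotemplating.fn.crossplane.io/v1beta1
        inline:
          # Literal block: every line is passed to the template verbatim.
          template: |
            {{ if .observed.composite.resource.spec.parameters.creds }}
            ---
            apiVersion: kubernetes.crossplane.io/v1alpha2
            kind: Object
            metadata:
              name: '{{ $.observed.composite.resource.spec.id }}-creds'
              annotations:
                gotemplating.fn.crossplane.io/composition-resource-name: '{{ $.observed.composite.resource.spec.id }}-creds'
                crossplane.io/external-name: '{{ $.observed.composite.resource.spec.parameters.creds.name }}'
            spec:
              references:
              {{ range $.observed.composite.resource.spec.parameters.creds.keys }}
              - patchesFrom:
                  apiVersion: v1
                  kind: Secret
                  name: '{{ $.observed.composite.resource.spec.parameters.creds.name }}'
                  namespace: '{{ $.observed.composite.resource.spec.parameters.creds.namespace }}'
                  fieldPath: 'data.{{ . }}'
                toFieldPath: 'data.{{ . }}'
              {{ end }}
              forProvider:
                manifest:
                  apiVersion: v1
                  kind: Secret
                  metadata:
                    name: '{{ $.observed.composite.resource.spec.parameters.creds.name }}'
                    namespace: '{{ $.observed.composite.resource.spec.parameters.creds.namespace }}'
              providerConfigRef:
                name: '{{ $.observed.composite.resource.spec.id }}'
            {{ end }}
        kind: GoTemplate
        source: Inline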
    # Marks the composite Ready once every composed resource reports Ready
    # (the ProviderConfigs and the security group opted out above with
    # readinessChecks: None).
    - step: automatically-detect-ready-composed-resources
      functionRef:
        name: crossplane-contrib-function-auto-ready
  # The composite's own connection secret — the kubeconfig exposed by
  # clusterAuth — is written here, in addition to the <id>-cluster Secret in
  # the claim namespace, so the same credential exists in two namespaces.
  writeConnectionSecretsToNamespace: crossplane-system