# Composition backing the XEKS composite (aws.platform.upbound.io/v1alpha1).
# Two pipeline steps: function-patch-and-transform composes the EKS control
# plane, its IAM roles, a node group, add-ons, the IAM OIDC provider, Helm and
# Kubernetes ProviderConfigs for the new cluster, the aws-auth ConfigMap and
# the GCP workload-identity wiring for provider-gcp-compute; function-sequencer
# then orders creation of the cluster-dependent resources.
kind: Composition
apiVersion: apiextensions.crossplane.io/v1
metadata:
  name: xeks.aws.platform.upbound.io
  creationTimestamp: null
  labels:
    function: patch-and-transform
    provider: aws
spec:
  compositeTypeRef:
    apiVersion: aws.platform.upbound.io/v1alpha1
    kind: XEKS
  mode: Pipeline
  pipeline:
    - step: patch-and-transform
      functionRef:
        name: crossplane-contrib-function-patch-and-transform
      input:
        apiVersion: pt.fn.crossplane.io/v1beta1
        kind: Resources
        # Reusable patch groups. Every AWS managed resource below takes its
        # ProviderConfig and deletion policy from the composite's parameters;
        # regional resources additionally take the region.
        patchSets:
          - name: providerConfigRef
            patches:
              - fromFieldPath: spec.parameters.providerConfigName
                toFieldPath: spec.providerConfigRef.name
                type: FromCompositeFieldPath
          - name: deletionPolicy
            patches:
              - fromFieldPath: spec.parameters.deletionPolicy
                toFieldPath: spec.deletionPolicy
                type: FromCompositeFieldPath
          - name: region
            patches:
              - fromFieldPath: spec.parameters.region
                toFieldPath: spec.forProvider.region
                type: FromCompositeFieldPath
        resources:
          # Control-plane IAM role. The trust policy only lets the EKS service
          # principal assume it; the Cluster and the policy attachment select
          # it through the role=controlplane label.
          - base:
              apiVersion: iam.aws.upbound.io/v1beta1
              kind: Role
              metadata:
                labels:
                  role: controlplane
              spec:
                forProvider:
                  assumeRolePolicy: |
                    {
                      "Version": "2012-10-17",
                      "Statement": [
                        {
                          "Effect": "Allow",
                          "Principal": {
                            "Service": [
                              "eks.amazonaws.com"
                            ]
                          },
                          "Action": [
                            "sts:AssumeRole"
                          ]
                        }
                      ]
                    }
            name: controlplaneRole
            patches:
              - patchSetName: providerConfigRef
                type: PatchSet
              - patchSetName: deletionPolicy
                type: PatchSet
          # AWS-managed policy for the control-plane role.
          - base:
              apiVersion: iam.aws.upbound.io/v1beta1
              kind: RolePolicyAttachment
              spec:
                forProvider:
                  policyArn: arn:aws:iam::aws:policy/AmazonEKSClusterPolicy
                  roleSelector:
                    matchControllerRef: true
                    matchLabels:
                      role: controlplane
            name: clusterRolePolicyAttachment
            patches:
              - patchSetName: providerConfigRef
                type: PatchSet
              - patchSetName: deletionPolicy
                type: PatchSet
          # The EKS control plane. Subnets are discovered by label: the
          # network-id label is patched in from spec.parameters.id and only
          # access=public subnets are used.
          - base:
              apiVersion: eks.aws.upbound.io/v1beta1
              kind: Cluster
              spec:
                forProvider:
                  roleArnSelector:
                    matchControllerRef: true
                    matchLabels:
                      role: controlplane
                  vpcConfig:
                    # Both the private and the public API endpoint are
                    # enabled and nothing in this base narrows the public
                    # endpoint's source CIDRs, so the API server is reachable
                    # from any IP (authentication still applies).
                    # NOTE(review): consider restricting the public endpoint
                    # via publicAccessCidrs or a composite parameter.
                    - endpointPrivateAccess: true
                      endpointPublicAccess: true
                      subnetIdSelector:
                        matchLabels:
                          access: public
            name: kubernetesCluster
            patches:
              - patchSetName: providerConfigRef
                type: PatchSet
              - patchSetName: deletionPolicy
                type: PatchSet
              - patchSetName: region
                type: PatchSet
              - fromFieldPath: spec.parameters.id
                toFieldPath: spec.forProvider.vpcConfig[0].subnetIdSelector.matchLabels[networks.aws.platform.upbound.io/network-id]
                type: FromCompositeFieldPath
              - fromFieldPath: spec.parameters.version
                toFieldPath: spec.forProvider.version
                type: FromCompositeFieldPath
              # Surface the OIDC issuer (full URL and host-only form), the
              # account id and the cluster security group on the composite's
              # status; the OIDC provider, the SecurityGroup import and the
              # irsaSettings ConfigMap below consume these.
              - fromFieldPath: status.atProvider.identity[0].oidc[0].issuer
                policy:
                  fromFieldPath: Optional
                toFieldPath: status.eks.oidc
                type: ToCompositeFieldPath
              - fromFieldPath: status.atProvider.identity[0].oidc[0].issuer
                policy:
                  fromFieldPath: Optional
                toFieldPath: status.eks.oidcUri
                transforms:
                  - string:
                      trim: https://
                      type: TrimPrefix
                    type: string
                type: ToCompositeFieldPath
              # Account id is the digits between "arn:aws:iam::" and the next
              # colon of the cluster's role ARN.
              - fromFieldPath: status.atProvider.roleArn
                policy:
                  fromFieldPath: Optional
                toFieldPath: status.eks.accountId
                transforms:
                  - string:
                      regexp:
                        group: 1
                        match: arn:aws:iam::(\d+):.*
                      type: Regexp
                    type: string
                type: ToCompositeFieldPath
              - fromFieldPath: status.atProvider.vpcConfig[0].clusterSecurityGroupId
                policy:
                  fromFieldPath: Optional
                toFieldPath: status.eks.clusterSecurityGroupId
                type: ToCompositeFieldPath
          # Imports the security group EKS created for the cluster (its id
          # becomes the external-name) so it can be tagged for discovery.
          # The external-name patch is Required: this resource is not created
          # until the Cluster has reported its security group.
          - base:
              apiVersion: ec2.aws.upbound.io/v1beta1
              kind: SecurityGroup
            name: clusterSecurityGroupImport
            patches:
              - patchSetName: providerConfigRef
                type: PatchSet
              - patchSetName: deletionPolicy
                type: PatchSet
              - patchSetName: region
                type: PatchSet
              - fromFieldPath: status.eks.clusterSecurityGroupId
                policy:
                  fromFieldPath: Required
                toFieldPath: metadata.annotations[crossplane.io/external-name]
                type: FromCompositeFieldPath
              # No explicit type here; the default is FromCompositeFieldPath.
              # NOTE(review): the sibling patches state the type explicitly;
              # consider doing the same for consistency.
              - fromFieldPath: spec.parameters.id
                toFieldPath: spec.forProvider.tags[eks.aws.platform.upbound.io/discovery]
          # Produces the kubeconfig for the new cluster. It is written to a
          # connection secret named "<composite uid>-ekscluster" in the
          # composite's connection-secret namespace; the Helm and Kubernetes
          # ProviderConfigs below read the same secret, so access to that
          # namespace equals access to the cluster.
          - base:
              apiVersion: eks.aws.upbound.io/v1beta1
              kind: ClusterAuth
              spec:
                forProvider:
                  clusterNameSelector:
                    matchControllerRef: true
            connectionDetails:
              - fromConnectionSecretKey: kubeconfig
                name: kubeconfig
                type: FromConnectionSecretKey
            name: kubernetesClusterAuth
            patches:
              - patchSetName: providerConfigRef
                type: PatchSet
              - patchSetName: deletionPolicy
                type: PatchSet
              - patchSetName: region
                type: PatchSet
              - fromFieldPath: spec.writeConnectionSecretToRef.namespace
                toFieldPath: spec.writeConnectionSecretToRef.namespace
                type: FromCompositeFieldPath
              - fromFieldPath: metadata.uid
                toFieldPath: spec.writeConnectionSecretToRef.name
                transforms:
                  - string:
                      fmt: "%s-ekscluster"
                      type: Format
                    type: string
                type: FromCompositeFieldPath
          # Node-group IAM role, trusted by the EC2 service principal. Its ARN
          # is exported to status.eks.nodeGroupRoleArn for the aws-auth
          # ConfigMap.
          - base:
              apiVersion: iam.aws.upbound.io/v1beta1
              kind: Role
              metadata:
                labels:
                  role: nodegroup
              spec:
                forProvider:
                  assumeRolePolicy: |
                    {
                      "Version": "2012-10-17",
                      "Statement": [
                        {
                          "Effect": "Allow",
                          "Principal": {
                            "Service": [
                              "ec2.amazonaws.com"
                            ]
                          },
                          "Action": [
                            "sts:AssumeRole"
                          ]
                        }
                      ]
                    }
            name: nodegroupRole
            patches:
              - patchSetName: providerConfigRef
                type: PatchSet
              - patchSetName: deletionPolicy
                type: PatchSet
              - fromFieldPath: status.atProvider.arn
                policy:
                  fromFieldPath: Optional
                toFieldPath: status.eks.nodeGroupRoleArn
                type: ToCompositeFieldPath
          # AWS-managed policies attached to the node-group role: worker node,
          # VPC CNI, EBS CSI driver and read-only ECR access.
          - base:
              apiVersion: iam.aws.upbound.io/v1beta1
              kind: RolePolicyAttachment
              spec:
                forProvider:
                  policyArn: arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy
                  roleSelector:
                    matchControllerRef: true
                    matchLabels:
                      role: nodegroup
            name: workerNodeRolePolicyAttachment
            patches:
              - patchSetName: providerConfigRef
                type: PatchSet
              - patchSetName: deletionPolicy
                type: PatchSet
          - base:
              apiVersion: iam.aws.upbound.io/v1beta1
              kind: RolePolicyAttachment
              spec:
                forProvider:
                  policyArn: arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy
                  roleSelector:
                    matchControllerRef: true
                    matchLabels:
                      role: nodegroup
            name: cniRolePolicyAttachment
            patches:
              - patchSetName: providerConfigRef
                type: PatchSet
              - patchSetName: deletionPolicy
                type: PatchSet
          - base:
              apiVersion: iam.aws.upbound.io/v1beta1
              kind: RolePolicyAttachment
              spec:
                forProvider:
                  policyArn: arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy
                  roleSelector:
                    matchControllerRef: true
                    matchLabels:
                      role: nodegroup
            name: ebsCsiRolePolicyAttachment
            patches:
              - patchSetName: providerConfigRef
                type: PatchSet
              - patchSetName: deletionPolicy
                type: PatchSet
          - base:
              apiVersion: iam.aws.upbound.io/v1beta1
              kind: RolePolicyAttachment
              spec:
                forProvider:
                  policyArn: arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly
                  roleSelector:
                    matchControllerRef: true
                    matchLabels:
                      role: nodegroup
            name: containerRegistryRolePolicyAttachment
            patches:
              - patchSetName: providerConfigRef
                type: PatchSet
              - patchSetName: deletionPolicy
                type: PatchSet
          # Managed node group. Nodes are placed in the access=public subnets
          # of the same network; desired size and instance type come from
          # spec.parameters.nodes, the min/max bounds are fixed here.
          - base:
              apiVersion: eks.aws.upbound.io/v1beta1
              kind: NodeGroup
              spec:
                forProvider:
                  clusterNameSelector:
                    matchControllerRef: true
                  instanceTypes:
                    - t3.medium
                  nodeRoleArnSelector:
                    matchControllerRef: true
                    matchLabels:
                      role: nodegroup
                  scalingConfig:
                    - desiredSize: 1
                      maxSize: 100
                      minSize: 1
                  subnetIdSelector:
                    matchLabels:
                      access: public
            name: nodeGroupPublic
            patches:
              - patchSetName: providerConfigRef
                type: PatchSet
              - patchSetName: deletionPolicy
                type: PatchSet
              - patchSetName: region
                type: PatchSet
              - fromFieldPath: spec.parameters.nodes.count
                toFieldPath: spec.forProvider.scalingConfig[0].desiredSize
                type: FromCompositeFieldPath
              - fromFieldPath: spec.parameters.nodes.instanceType
                toFieldPath: spec.forProvider.instanceTypes[0]
                type: FromCompositeFieldPath
              - fromFieldPath: spec.parameters.id
                toFieldPath: spec.forProvider.subnetIdSelector.matchLabels[networks.aws.platform.upbound.io/network-id]
                type: FromCompositeFieldPath
              - fromFieldPath: status.atProvider.clusterName
                policy:
                  fromFieldPath: Optional
                toFieldPath: status.eks.clusterName
                type: ToCompositeFieldPath
          # EKS add-ons. The EBS CSI add-on is sequenced after the node group,
          # the VPC CNI add-on before it (see the sequencer step).
          - base:
              apiVersion: eks.aws.upbound.io/v1beta1
              kind: Addon
              spec:
                forProvider:
                  addonName: aws-ebs-csi-driver
                  clusterNameSelector:
                    matchControllerRef: true
            name: ebsCsiAddon
            patches:
              - patchSetName: providerConfigRef
                type: PatchSet
              - patchSetName: deletionPolicy
                type: PatchSet
              - patchSetName: region
                type: PatchSet
          # VPC CNI add-on with custom networking explicitly disabled;
          # preserve=false removes the add-on resources when it is deleted.
          - base:
              apiVersion: eks.aws.upbound.io/v1beta1
              kind: Addon
              spec:
                forProvider:
                  addonName: vpc-cni
                  clusterNameSelector:
                    matchControllerRef: true
                  configurationValues: '{"env": {"AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG":"false"}}'
                  preserve: false
            name: cniAddon
            patches:
              - patchSetName: providerConfigRef
                type: PatchSet
              - patchSetName: deletionPolicy
                type: PatchSet
              - patchSetName: region
                type: PatchSet
          # IAM OIDC identity provider for IRSA. The url is the cluster's
          # OIDC issuer (Required, so this waits for the Cluster); the client
          # id is the STS audience. The thumbprint is a pinned CA fingerprint
          # for the issuer and has to be revisited if that CA chain changes.
          - base:
              apiVersion: iam.aws.upbound.io/v1beta1
              kind: OpenIDConnectProvider
              spec:
                forProvider:
                  clientIdList:
                    - sts.amazonaws.com
                  thumbprintList:
                    - 9e99a48a9960b14926bb7f3b02e22da2b0ab7280
            name: oidcProvider
            patches:
              - patchSetName: providerConfigRef
                type: PatchSet
              - patchSetName: deletionPolicy
                type: PatchSet
              - fromFieldPath: status.eks.oidc
                policy:
                  fromFieldPath: Required
                toFieldPath: spec.forProvider.url
                type: FromCompositeFieldPath
              - fromFieldPath: status.atProvider.arn
                policy:
                  fromFieldPath: Optional
                toFieldPath: status.eks.oidcArn
                type: ToCompositeFieldPath
          # Helm ProviderConfig for the new cluster, named after
          # spec.parameters.id and reading the kubeconfig secret written by
          # kubernetesClusterAuth. Readiness is not checked for this object.
          - base:
              apiVersion: helm.crossplane.io/v1beta1
              kind: ProviderConfig
              spec:
                credentials:
                  secretRef:
                    key: kubeconfig
                  source: Secret
            name: providerConfigHelm
            patches:
              - fromFieldPath: spec.parameters.id
                toFieldPath: metadata.name
                type: FromCompositeFieldPath
              - fromFieldPath: spec.writeConnectionSecretToRef.namespace
                toFieldPath: spec.credentials.secretRef.namespace
                type: FromCompositeFieldPath
              - fromFieldPath: metadata.uid
                toFieldPath: spec.credentials.secretRef.name
                transforms:
                  - string:
                      fmt: "%s-ekscluster"
                      type: Format
                    type: string
                type: FromCompositeFieldPath
            readinessChecks:
              - type: None
          # Kubernetes ProviderConfig for the new cluster; same naming and the
          # same kubeconfig secret as the Helm ProviderConfig above.
          - base:
              apiVersion: kubernetes.crossplane.io/v1alpha1
              kind: ProviderConfig
              spec:
                credentials:
                  secretRef:
                    key: kubeconfig
                  source: Secret
            name: providerConfigKubernetes
            patches:
              - fromFieldPath: spec.parameters.id
                toFieldPath: metadata.name
                type: FromCompositeFieldPath
              - fromFieldPath: spec.writeConnectionSecretToRef.namespace
                toFieldPath: spec.credentials.secretRef.namespace
                type: FromCompositeFieldPath
              - fromFieldPath: metadata.uid
                toFieldPath: spec.credentials.secretRef.name
                transforms:
                  - string:
                      fmt: "%s-ekscluster"
                      type: Format
                    type: string
                type: FromCompositeFieldPath
            readinessChecks:
              - type: None
          # "<id>-irsa-settings" ConfigMap in the new cluster's default
          # namespace exposing the OIDC provider ARN and issuer host for
          # in-cluster consumers. Orphaned on deletion so the ConfigMap
          # outlives this composite.
          - base:
              apiVersion: kubernetes.crossplane.io/v1alpha2
              kind: Object
              spec:
                deletionPolicy: Orphan
                forProvider:
                  manifest:
                    apiVersion: v1
                    kind: ConfigMap
                    metadata:
                      namespace: default
            name: irsaSettings
            patches:
              - fromFieldPath: spec.parameters.id
                toFieldPath: spec.providerConfigRef.name
                type: FromCompositeFieldPath
              - fromFieldPath: spec.parameters.id
                toFieldPath: metadata.name
                transforms:
                  - string:
                      fmt: "%s-irsa-settings"
                      type: Format
                    type: string
                type: FromCompositeFieldPath
              - fromFieldPath: spec.parameters.id
                toFieldPath: spec.forProvider.manifest.metadata.name
                transforms:
                  - string:
                      fmt: "%s-irsa-settings"
                      type: Format
                    type: string
                type: FromCompositeFieldPath
              - fromFieldPath: status.eks.oidcArn
                toFieldPath: spec.forProvider.manifest.data.oidc_arn
                type: FromCompositeFieldPath
              - fromFieldPath: status.eks.oidcUri
                toFieldPath: spec.forProvider.manifest.data.oidc_host
                type: FromCompositeFieldPath
          # aws-auth ConfigMap: the cluster's IAM-to-RBAC mapping. Orphaned on
          # deletion so that removing the composite cannot lock the cluster
          # out. Entries granting system:masters are cluster-admin; treat the
          # composite parameters feeding them as privileged input.
          - base:
              apiVersion: kubernetes.crossplane.io/v1alpha2
              kind: Object
              spec:
                deletionPolicy: Orphan
                forProvider:
                  manifest:
                    apiVersion: v1
                    kind: ConfigMap
                    metadata:
                      name: aws-auth
                      namespace: kube-system
            name: awsAuth
            patches:
              - fromFieldPath: spec.parameters.id
                toFieldPath: spec.providerConfigRef.name
                type: FromCompositeFieldPath
              - fromFieldPath: spec.parameters.id
                toFieldPath: metadata.name
                transforms:
                  - string:
                      fmt: "%s-aws-auth"
                      type: Format
                    type: string
                type: FromCompositeFieldPath
              # mapRoles, in variable order: the node-group role and
              # spec.parameters.iam.autoscalerArn as nodes, and
              # spec.parameters.iam.roleArn as system:masters. The
              # {{EC2PrivateDNSName}} token is an aws-auth template, not a
              # Crossplane one. With an Optional policy the patch is
              # presumably skipped while any of the three sources is unset —
              # confirm against function-patch-and-transform's combine rules.
              # NOTE(review): autoscalerArn being mapped as a node identity
              # looks intentional but is worth confirming.
              - combine:
                  strategy: string
                  string:
                    fmt: |
                      - groups:
                          - system:bootstrappers
                          - system:nodes
                        rolearn: %s
                        username: system:node:{{EC2PrivateDNSName}}
                      - groups:
                          - system:bootstrappers
                          - system:nodes
                        rolearn: %s
                        username: system:node:{{EC2PrivateDNSName}}
                      - groups:
                          - system:masters
                        rolearn: %s
                        username: adminrole
                  variables:
                    - fromFieldPath: status.eks.nodeGroupRoleArn
                    - fromFieldPath: spec.parameters.iam.autoscalerArn
                    - fromFieldPath: spec.parameters.iam.roleArn
                policy:
                  fromFieldPath: Optional
                toFieldPath: spec.forProvider.manifest.data.mapRoles
                type: CombineFromComposite
              # mapUsers: spec.parameters.iam.userArn as system:masters.
              - combine:
                  strategy: string
                  string:
                    fmt: |
                      - groups:
                          - system:masters
                        userarn: %s
                        username: adminuser
                  variables:
                    - fromFieldPath: spec.parameters.iam.userArn
                policy:
                  fromFieldPath: Optional
                toFieldPath: spec.forProvider.manifest.data.mapUsers
                type: CombineFromComposite
          # Installs Universal Crossplane into the new cluster via the Helm
          # ProviderConfig; chart version is pinned.
          - base:
              apiVersion: helm.crossplane.io/v1beta1
              kind: Release
              spec:
                forProvider:
                  chart:
                    name: universal-crossplane
                    repository: https://charts.upbound.io/stable
                    version: 1.16.0-up.1
                  namespace: upbound-system
                rollbackLimit: 3
            name: crossplane
            patches:
              - fromFieldPath: spec.parameters.id
                toFieldPath: spec.providerConfigRef.name
                type: FromCompositeFieldPath
          # Installs provider-gcp-compute into the new cluster, bound to the
          # DeploymentRuntimeConfig defined below. The package is pinned by
          # tag; NOTE(review): a digest pin would make the package reference
          # immutable.
          - base:
              apiVersion: kubernetes.crossplane.io/v1alpha2
              kind: Object
              spec:
                forProvider:
                  manifest:
                    apiVersion: pkg.crossplane.io/v1
                    kind: Provider
                    metadata:
                      name: upbound-provider-gcp-compute
                    spec:
                      package: xpkg.upbound.io/upbound/provider-gcp-compute:v1.6.0
                      runtimeConfigRef:
                        apiVersion: pkg.crossplane.io/v1beta1
                        kind: DeploymentRuntimeConfig
                        name: upbound-provider-gcp-compute
            name: provider
            patches:
              - fromFieldPath: spec.parameters.id
                toFieldPath: spec.providerConfigRef.name
                type: FromCompositeFieldPath
          # IRSA role for the provider-gcp-compute service account. The inline
          # policy only grants iam:GetAccessKeyLastUsed; the role's real
          # purpose is to be the AWS identity that GCP workload identity
          # federation exchanges (see the credential ConfigMap below).
          # NOTE(review): id is hard-coded while sibling resources derive
          # names from spec.parameters.id; confirm this cannot collide when
          # more than one XEKS exists in the same account.
          - base:
              apiVersion: aws.platform.upbound.io/v1alpha1
              kind: XIRSA
              spec:
                parameters:
                  condition: StringEquals
                  id: configuration-aws-assume-gcp
                  policyDocument: |
                    {
                      "Version": "2012-10-17",
                      "Statement": [
                        {
                          "Action": [
                            "iam:GetAccessKeyLastUsed"
                          ],
                          "Effect": "Allow",
                          "Resource": "*"
                        }
                      ]
                    }
                  serviceAccount:
                    name: upbound-provider-gcp-compute
                    namespace: upbound-system
            name: provider-irsa
            patches:
              - fromFieldPath: status.roleArn
                policy:
                  fromFieldPath: Optional
                toFieldPath: status.eks.provider.irsaRoleArn
                type: ToCompositeFieldPath
          # GCP external_account credential file for provider-gcp-compute,
          # mounted by the DeploymentRuntimeConfig below. credential_source
          # points at the EC2 instance metadata service; the URLs used are
          # the IMDSv1 GET endpoints, so this presumably requires IMDSv1 to
          # be enabled on the nodes (or a hop limit that lets pods reach
          # IMDSv2) — confirm against the node IMDS settings. The {region}
          # placeholder is presumably filled by the GCP auth library.
          - base:
              apiVersion: kubernetes.crossplane.io/v1alpha2
              kind: Object
              spec:
                forProvider:
                  manifest:
                    apiVersion: v1
                    kind: ConfigMap
                    metadata:
                      name: gcp-default-credentials
                      namespace: upbound-system
            name: gcp-configmap
            patches:
              - fromFieldPath: spec.parameters.id
                toFieldPath: spec.providerConfigRef.name
                type: FromCompositeFieldPath
              # Audience variables in order: gcp.projectId, workload identity
              # pool name, pool provider name.
              # NOTE(review): the audience uses gcp.projectId while the
              # ProviderConfig below uses gcp.projectName — confirm both
              # parameters are supplied consistently.
              - combine:
                  strategy: string
                  string:
                    fmt: >
                      {
                        "type": "external_account",
                        "audience": "//iam.googleapis.com/projects/%s/locations/global/workloadIdentityPools/%s/providers/%s",
                        "subject_token_type": "urn:ietf:params:aws:token-type:aws4_request",
                        "token_url": "https://sts.googleapis.com/v1/token",
                        "credential_source": {
                          "environment_id": "aws1",
                          "region_url": "http://169.254.169.254/latest/meta-data/placement/availability-zone",
                          "url": "http://169.254.169.254/latest/meta-data/iam/security-credentials",
                          "regional_cred_verification_url": "https://sts.{region}.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15"
                        }
                      }
                  variables:
                    - fromFieldPath: spec.parameters.gcp.projectId
                    - fromFieldPath: spec.parameters.gcp.workloadIdentityPoolName
                    - fromFieldPath: spec.parameters.gcp.serviceAccountName
                toFieldPath: spec.forProvider.manifest.data[gcp_default_credentials.json]
                type: CombineFromComposite
          # Runtime config for provider-gcp-compute: mounts the credential
          # ConfigMap and points GOOGLE_APPLICATION_CREDENTIALS at it. The
          # service account name matches the XIRSA serviceAccount above and
          # receives the IRSA role annotation (Required, so this waits for
          # the XIRSA). selector/labels are left empty for Crossplane to fill.
          # NOTE(review): mounting the ConfigMap at /tmp/ replaces the
          # container's whole /tmp with a read-only volume — confirm the
          # provider runtime does not need a writable /tmp.
          - base:
              apiVersion: kubernetes.crossplane.io/v1alpha2
              kind: Object
              spec:
                forProvider:
                  manifest:
                    apiVersion: pkg.crossplane.io/v1beta1
                    kind: DeploymentRuntimeConfig
                    metadata:
                      name: upbound-provider-gcp-compute
                    spec:
                      deploymentTemplate:
                        spec:
                          replicas: 1
                          selector: {}
                          template:
                            metadata:
                              labels: {}
                            spec:
                              containers:
                                - env:
                                    - name: GOOGLE_APPLICATION_CREDENTIALS
                                      value: /tmp/gcp_default_credentials.json
                                  name: package-runtime
                                  volumeMounts:
                                    - mountPath: /tmp/
                                      name: gcp
                              volumes:
                                - configMap:
                                    items:
                                      - key: gcp_default_credentials.json
                                        path: gcp_default_credentials.json
                                    name: gcp-default-credentials
                                  name: gcp
                      serviceAccountTemplate:
                        metadata:
                          name: upbound-provider-gcp-compute
            name: drc
            patches:
              - fromFieldPath: spec.parameters.id
                toFieldPath: spec.providerConfigRef.name
                type: FromCompositeFieldPath
              - fromFieldPath: status.eks.provider.irsaRoleArn
                policy:
                  fromFieldPath: Required
                toFieldPath: spec.forProvider.manifest.spec.serviceAccountTemplate.metadata.annotations[eks.amazonaws.com/role-arn]
                type: FromCompositeFieldPath
          # Default GCP ProviderConfig in the new cluster. The federated
          # identity impersonates "<serviceAccountName>@<projectName>.iam.gserviceaccount.com".
          - base:
              apiVersion: kubernetes.crossplane.io/v1alpha2
              kind: Object
              spec:
                forProvider:
                  manifest:
                    apiVersion: gcp.upbound.io/v1beta1
                    kind: ProviderConfig
                    metadata:
                      name: default
                    spec:
                      credentials:
                        source: ImpersonateServiceAccount
            name: gcp-providerconfig
            patches:
              - fromFieldPath: spec.parameters.id
                toFieldPath: spec.providerConfigRef.name
                type: FromCompositeFieldPath
              - fromFieldPath: spec.parameters.gcp.projectName
                toFieldPath: spec.forProvider.manifest.spec.projectID
                type: FromCompositeFieldPath
              - combine:
                  strategy: string
                  string:
                    fmt: "%s@%s.iam.gserviceaccount.com"
                  variables:
                    - fromFieldPath: spec.parameters.gcp.serviceAccountName
                    - fromFieldPath: spec.parameters.gcp.projectName
                toFieldPath: spec.forProvider.manifest.spec.credentials.impersonateServiceAccount.name
                type: CombineFromComposite
    # Creation order for the cluster-dependent resources (by resource name):
    # cluster, CNI add-on, node group, EBS CSI add-on, then the UXP release.
    - step: sequence-creation
      functionRef:
        name: crossplane-contrib-function-sequencer
      input:
        apiVersion: sequencer.fn.crossplane.io/v1beta1
        kind: Input
        rules:
          - sequence:
              - kubernetesCluster
              - cniAddon
              - nodeGroupPublic
              - ebsCsiAddon
              - crossplane
  # Namespace that receives the composed resources' connection secrets.
  writeConnectionSecretsToNamespace: upbound-system