xeks.aws.platform.upbound.io
kind: Composition
apiVersion: apiextensions.crossplane.io/v1
metadata:
name: xeks.aws.platform.upbound.io
creationTimestamp: null
labels:
provider: aws
spec:
compositeTypeRef:
apiVersion: aws.platform.upbound.io/v1alpha1
kind: XEKS
mode: Pipeline
pipeline:
- step: patch-and-transform
functionRef:
name: crossplane-contrib-function-patch-and-transform
input:
apiVersion: pt.fn.crossplane.io/v1beta1
kind: Resources
patchSets:
- name: providerConfigRef
patches:
- fromFieldPath: spec.parameters.providerConfigName
toFieldPath: spec.providerConfigRef.name
type: FromCompositeFieldPath
- name: deletionPolicy
patches:
- fromFieldPath: spec.parameters.deletionPolicy
toFieldPath: spec.deletionPolicy
type: FromCompositeFieldPath
- name: region
patches:
- fromFieldPath: spec.parameters.region
toFieldPath: spec.forProvider.region
type: FromCompositeFieldPath
resources:
- base:
apiVersion: iam.aws.upbound.io/v1beta1
kind: Role
metadata:
labels:
role: controlplane
spec:
forProvider:
assumeRolePolicy: |
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"eks.amazonaws.com"
]
},
"Action": [
"sts:AssumeRole"
]
}
]
}
name: controlplaneRole
patches:
- patchSetName: providerConfigRef
type: PatchSet
- patchSetName: deletionPolicy
type: PatchSet
- base:
apiVersion: iam.aws.upbound.io/v1beta1
kind: RolePolicyAttachment
spec:
forProvider:
policyArn: arn:aws:iam::aws:policy/AmazonEKSClusterPolicy
roleSelector:
matchControllerRef: true
matchLabels:
role: controlplane
name: clusterRolePolicyAttachment
patches:
- patchSetName: providerConfigRef
type: PatchSet
- patchSetName: deletionPolicy
type: PatchSet
- base:
apiVersion: eks.aws.upbound.io/v1beta1
kind: Cluster
spec:
forProvider:
roleArnSelector:
matchControllerRef: true
matchLabels:
role: controlplane
vpcConfig:
- endpointPrivateAccess: true
endpointPublicAccess: true
subnetIdSelector:
matchLabels:
access: public
name: kubernetesCluster
patches:
- patchSetName: providerConfigRef
type: PatchSet
- patchSetName: deletionPolicy
type: PatchSet
- patchSetName: region
type: PatchSet
- fromFieldPath: spec.parameters.id
toFieldPath: spec.forProvider.vpcConfig[0].subnetIdSelector.matchLabels[networks.aws.platform.upbound.io/network-id]
type: FromCompositeFieldPath
- fromFieldPath: spec.parameters.version
toFieldPath: spec.forProvider.version
type: FromCompositeFieldPath
- fromFieldPath: status.atProvider.identity[0].oidc[0].issuer
policy:
fromFieldPath: Optional
toFieldPath: status.eks.oidc
type: ToCompositeFieldPath
- fromFieldPath: status.atProvider.identity[0].oidc[0].issuer
policy:
fromFieldPath: Optional
toFieldPath: status.eks.oidcUri
transforms:
- string:
trim: https://
type: TrimPrefix
type: string
type: ToCompositeFieldPath
- fromFieldPath: status.atProvider.roleArn
policy:
fromFieldPath: Optional
toFieldPath: status.eks.accountId
transforms:
- string:
regexp:
group: 1
match: arn:aws:iam::(\d+):.*
type: Regexp
type: string
type: ToCompositeFieldPath
- fromFieldPath: status.atProvider.vpcConfig[0].clusterSecurityGroupId
policy:
fromFieldPath: Optional
toFieldPath: status.eks.clusterSecurityGroupId
type: ToCompositeFieldPath
- base:
apiVersion: ec2.aws.upbound.io/v1beta1
kind: SecurityGroup
name: clusterSecurityGroupImport
patches:
- patchSetName: providerConfigRef
type: PatchSet
- patchSetName: deletionPolicy
type: PatchSet
- patchSetName: region
type: PatchSet
- fromFieldPath: status.eks.clusterSecurityGroupId
policy:
fromFieldPath: Required
toFieldPath: metadata.annotations[crossplane.io/external-name]
type: FromCompositeFieldPath
- fromFieldPath: spec.parameters.id
toFieldPath: spec.forProvider.tags[eks.aws.platform.upbound.io/discovery]
- base:
apiVersion: eks.aws.upbound.io/v1beta1
kind: ClusterAuth
spec:
forProvider:
clusterNameSelector:
matchControllerRef: true
connectionDetails:
- fromConnectionSecretKey: kubeconfig
name: kubeconfig
type: FromConnectionSecretKey
name: kubernetesClusterAuth
patches:
- patchSetName: providerConfigRef
type: PatchSet
- patchSetName: deletionPolicy
type: PatchSet
- patchSetName: region
type: PatchSet
- fromFieldPath: spec.writeConnectionSecretToRef.namespace
toFieldPath: spec.writeConnectionSecretToRef.namespace
type: FromCompositeFieldPath
- fromFieldPath: metadata.uid
toFieldPath: spec.writeConnectionSecretToRef.name
transforms:
- string:
fmt: "%s-ekscluster"
type: Format
type: string
type: FromCompositeFieldPath
- base:
apiVersion: iam.aws.upbound.io/v1beta1
kind: Role
metadata:
labels:
role: nodegroup
spec:
forProvider:
assumeRolePolicy: |
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"ec2.amazonaws.com"
]
},
"Action": [
"sts:AssumeRole"
]
}
]
}
name: nodegroupRole
patches:
- patchSetName: providerConfigRef
type: PatchSet
- patchSetName: deletionPolicy
type: PatchSet
- fromFieldPath: status.atProvider.arn
policy:
fromFieldPath: Optional
toFieldPath: status.eks.nodeGroupRoleArn
type: ToCompositeFieldPath
- base:
apiVersion: iam.aws.upbound.io/v1beta1
kind: RolePolicyAttachment
spec:
forProvider:
policyArn: arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy
roleSelector:
matchControllerRef: true
matchLabels:
role: nodegroup
name: workerNodeRolePolicyAttachment
patches:
- patchSetName: providerConfigRef
type: PatchSet
- patchSetName: deletionPolicy
type: PatchSet
- base:
apiVersion: iam.aws.upbound.io/v1beta1
kind: RolePolicyAttachment
spec:
forProvider:
policyArn: arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy
roleSelector:
matchControllerRef: true
matchLabels:
role: nodegroup
name: cniRolePolicyAttachment
patches:
- patchSetName: providerConfigRef
type: PatchSet
- patchSetName: deletionPolicy
type: PatchSet
- base:
apiVersion: iam.aws.upbound.io/v1beta1
kind: RolePolicyAttachment
spec:
forProvider:
policyArn: arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy
roleSelector:
matchControllerRef: true
matchLabels:
role: nodegroup
name: ebsCsiRolePolicyAttachment
patches:
- patchSetName: providerConfigRef
type: PatchSet
- patchSetName: deletionPolicy
type: PatchSet
- base:
apiVersion: iam.aws.upbound.io/v1beta1
kind: RolePolicyAttachment
spec:
forProvider:
policyArn: arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly
roleSelector:
matchControllerRef: true
matchLabels:
role: nodegroup
name: containerRegistryRolePolicyAttachment
patches:
- patchSetName: providerConfigRef
type: PatchSet
- patchSetName: deletionPolicy
type: PatchSet
- base:
apiVersion: eks.aws.upbound.io/v1beta1
kind: NodeGroup
spec:
forProvider:
clusterNameSelector:
matchControllerRef: true
instanceTypes:
- t3.medium
nodeRoleArnSelector:
matchControllerRef: true
matchLabels:
role: nodegroup
scalingConfig:
- desiredSize: 1
maxSize: 100
minSize: 1
subnetIdSelector:
matchLabels:
access: public
name: nodeGroupPublic
patches:
- patchSetName: providerConfigRef
type: PatchSet
- patchSetName: deletionPolicy
type: PatchSet
- patchSetName: region
type: PatchSet
- fromFieldPath: spec.parameters.nodes.count
toFieldPath: spec.forProvider.scalingConfig[0].desiredSize
type: FromCompositeFieldPath
- fromFieldPath: spec.parameters.nodes.instanceType
toFieldPath: spec.forProvider.instanceTypes[0]
type: FromCompositeFieldPath
- fromFieldPath: spec.parameters.id
toFieldPath: spec.forProvider.subnetIdSelector.matchLabels[networks.aws.platform.upbound.io/network-id]
type: FromCompositeFieldPath
- fromFieldPath: status.atProvider.clusterName
policy:
fromFieldPath: Optional
toFieldPath: status.eks.clusterName
type: ToCompositeFieldPath
- base:
apiVersion: eks.aws.upbound.io/v1beta1
kind: Addon
spec:
forProvider:
addonName: aws-ebs-csi-driver
clusterNameSelector:
matchControllerRef: true
name: ebsCsiAddon
patches:
- patchSetName: providerConfigRef
type: PatchSet
- patchSetName: deletionPolicy
type: PatchSet
- patchSetName: region
type: PatchSet
- fromFieldPath: status.eks.clusterName
policy:
fromFieldPath: Required
toFieldPath: metadata.annotations[crossplane.io/external-name]
transforms:
- string:
fmt: "%s:aws-ebs-csi-driver"
type: Format
type: string
type: FromCompositeFieldPath
- base:
apiVersion: eks.aws.upbound.io/v1beta1
kind: Addon
spec:
forProvider:
addonName: vpc-cni
clusterNameSelector:
matchControllerRef: true
preserve: false
name: cniAddon
patches:
- patchSetName: providerConfigRef
type: PatchSet
- patchSetName: deletionPolicy
type: PatchSet
- patchSetName: region
type: PatchSet
- fromFieldPath: status.eks.clusterName
policy:
fromFieldPath: Required
toFieldPath: metadata.annotations[crossplane.io/external-name]
transforms:
- string:
fmt: "%s:vpc-cni"
type: Format
type: string
type: FromCompositeFieldPath
- base:
apiVersion: iam.aws.upbound.io/v1beta1
kind: OpenIDConnectProvider
spec:
forProvider:
clientIdList:
- sts.amazonaws.com
thumbprintList:
- 9e99a48a9960b14926bb7f3b02e22da2b0ab7280
name: oidcProvider
patches:
- patchSetName: providerConfigRef
type: PatchSet
- patchSetName: deletionPolicy
type: PatchSet
- fromFieldPath: status.eks.oidc
policy:
fromFieldPath: Required
toFieldPath: spec.forProvider.url
type: FromCompositeFieldPath
- fromFieldPath: status.atProvider.arn
policy:
fromFieldPath: Optional
toFieldPath: status.eks.oidcArn
type: ToCompositeFieldPath
- base:
apiVersion: helm.crossplane.io/v1beta1
kind: ProviderConfig
spec:
credentials:
secretRef:
key: kubeconfig
source: Secret
name: providerConfigHelm
patches:
- fromFieldPath: spec.parameters.id
toFieldPath: metadata.name
type: FromCompositeFieldPath
- fromFieldPath: spec.writeConnectionSecretToRef.namespace
toFieldPath: spec.credentials.secretRef.namespace
type: FromCompositeFieldPath
- fromFieldPath: metadata.uid
toFieldPath: spec.credentials.secretRef.name
transforms:
- string:
fmt: "%s-ekscluster"
type: Format
type: string
type: FromCompositeFieldPath
readinessChecks:
- type: None
- base:
apiVersion: kubernetes.crossplane.io/v1alpha1
kind: ProviderConfig
spec:
credentials:
secretRef:
key: kubeconfig
source: Secret
name: providerConfigKubernetes
patches:
- fromFieldPath: spec.parameters.id
toFieldPath: metadata.name
type: FromCompositeFieldPath
- fromFieldPath: spec.writeConnectionSecretToRef.namespace
toFieldPath: spec.credentials.secretRef.namespace
type: FromCompositeFieldPath
- fromFieldPath: metadata.uid
toFieldPath: spec.credentials.secretRef.name
transforms:
- string:
fmt: "%s-ekscluster"
type: Format
type: string
type: FromCompositeFieldPath
readinessChecks:
- type: None
- base:
apiVersion: kubernetes.crossplane.io/v1alpha2
kind: Object
spec:
deletionPolicy: Orphan
forProvider:
manifest:
apiVersion: v1
kind: ConfigMap
metadata:
namespace: default
name: irsaSettings
patches:
- fromFieldPath: spec.parameters.id
toFieldPath: spec.providerConfigRef.name
type: FromCompositeFieldPath
- fromFieldPath: spec.parameters.id
toFieldPath: metadata.name
transforms:
- string:
fmt: "%s-irsa-settings"
type: Format
type: string
type: FromCompositeFieldPath
- fromFieldPath: spec.parameters.id
toFieldPath: spec.forProvider.manifest.metadata.name
transforms:
- string:
fmt: "%s-irsa-settings"
type: Format
type: string
type: FromCompositeFieldPath
- fromFieldPath: status.eks.oidcArn
toFieldPath: spec.forProvider.manifest.data.oidc_arn
type: FromCompositeFieldPath
- fromFieldPath: status.eks.oidcUri
toFieldPath: spec.forProvider.manifest.data.oidc_host
type: FromCompositeFieldPath
- base:
apiVersion: kubernetes.crossplane.io/v1alpha2
kind: Object
spec:
deletionPolicy: Orphan
forProvider:
manifest:
apiVersion: v1
kind: ConfigMap
metadata:
name: aws-auth
namespace: kube-system
name: awsAuth
patches:
- fromFieldPath: spec.parameters.id
toFieldPath: spec.providerConfigRef.name
type: FromCompositeFieldPath
- fromFieldPath: spec.parameters.id
toFieldPath: metadata.name
transforms:
- string:
fmt: "%s-aws-auth"
type: Format
type: string
type: FromCompositeFieldPath
- combine:
strategy: string
string:
fmt: |
- groups:
- system:bootstrappers
- system:nodes
rolearn: %s
username: system:node:{{EC2PrivateDNSName}}
- groups:
- system:bootstrappers
- system:nodes
rolearn: %s
username: system:node:{{EC2PrivateDNSName}}
- groups:
- system:masters
rolearn: %s
username: adminrole
variables:
- fromFieldPath: status.eks.nodeGroupRoleArn
- fromFieldPath: spec.parameters.iam.autoscalerArn
- fromFieldPath: spec.parameters.iam.roleArn
policy:
fromFieldPath: Optional
toFieldPath: spec.forProvider.manifest.data.mapRoles
type: CombineFromComposite
- combine:
strategy: string
string:
fmt: |
- groups:
- system:masters
userarn: %s
username: adminuser
variables:
- fromFieldPath: spec.parameters.iam.userArn
policy:
fromFieldPath: Optional
toFieldPath: spec.forProvider.manifest.data.mapUsers
type: CombineFromComposite
writeConnectionSecretsToNamespace: upbound-system
© 2022 Upbound, Inc.
Discover the building blocksfor your internal cloud platform.