xawslbcontrollers.aws.platform.upbound.io
Composition
XAWSLBController
kind: Composition
apiVersion: apiextensions.crossplane.io/v1
metadata:
name: xawslbcontrollers.aws.platform.upbound.io
creationTimestamp: null
labels:
provider: helm
spec:
compositeTypeRef:
apiVersion: aws.platform.upbound.io/v1alpha1
kind: XAWSLBController
mode: Pipeline
pipeline:
- step: patch-and-transform
functionRef:
name: crossplane-contrib-function-patch-and-transform
input:
apiVersion: pt.fn.crossplane.io/v1beta1
kind: Resources
resources:
- base:
apiVersion: aws.platform.upbound.io/v1alpha1
kind: XPodIdentity
spec:
parameters:
inlinePolicy:
- name: aws-lb-controller-policy
policy: >
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iam:CreateServiceLinkedRole"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"iam:AWSServiceName": "elasticloadbalancing.amazonaws.com"
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:DescribeAccountAttributes",
"ec2:DescribeAddresses",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeInternetGateways",
"ec2:DescribeVpcs",
"ec2:DescribeVpcPeeringConnections",
"ec2:DescribeSubnets",
"ec2:DescribeSecurityGroups",
"ec2:DescribeInstances",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeTags",
"ec2:GetCoipPoolUsage",
"ec2:DescribeCoipPools",
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeLoadBalancerAttributes",
"elasticloadbalancing:DescribeListeners",
"elasticloadbalancing:DescribeListenerCertificates",
"elasticloadbalancing:DescribeSSLPolicies",
"elasticloadbalancing:DescribeRules",
"elasticloadbalancing:DescribeTargetGroups",
"elasticloadbalancing:DescribeTargetGroupAttributes",
"elasticloadbalancing:DescribeTargetHealth",
"elasticloadbalancing:DescribeTags",
"elasticloadbalancing:DescribeTrustStores"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"cognito-idp:DescribeUserPoolClient",
"acm:ListCertificates",
"acm:DescribeCertificate",
"iam:ListServerCertificates",
"iam:GetServerCertificate",
"waf-regional:GetWebACL",
"waf-regional:GetWebACLForResource",
"waf-regional:AssociateWebACL",
"waf-regional:DisassociateWebACL",
"wafv2:GetWebACL",
"wafv2:GetWebACLForResource",
"wafv2:AssociateWebACL",
"wafv2:DisassociateWebACL",
"shield:GetSubscriptionState",
"shield:DescribeProtection",
"shield:CreateProtection",
"shield:DeleteProtection"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2:AuthorizeSecurityGroupIngress",
"ec2:RevokeSecurityGroupIngress"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2:CreateSecurityGroup"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2:CreateTags"
],
"Resource": "arn:aws:ec2:*:*:security-group/*",
"Condition": {
"StringEquals": {
"ec2:CreateAction": "CreateSecurityGroup"
},
"Null": {
"aws:RequestTag/elbv2.k8s.aws/cluster": "false"
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:CreateTags",
"ec2:DeleteTags"
],
"Resource": "arn:aws:ec2:*:*:security-group/*",
"Condition": {
"Null": {
"aws:RequestTag/elbv2.k8s.aws/cluster": "true",
"aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:AuthorizeSecurityGroupIngress",
"ec2:RevokeSecurityGroupIngress",
"ec2:DeleteSecurityGroup"
],
"Resource": "*",
"Condition": {
"Null": {
"aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
}
}
},
{
"Effect": "Allow",
"Action": [
"elasticloadbalancing:CreateLoadBalancer",
"elasticloadbalancing:CreateTargetGroup"
],
"Resource": "*",
"Condition": {
"Null": {
"aws:RequestTag/elbv2.k8s.aws/cluster": "false"
}
}
},
{
"Effect": "Allow",
"Action": [
"elasticloadbalancing:CreateListener",
"elasticloadbalancing:DeleteListener",
"elasticloadbalancing:CreateRule",
"elasticloadbalancing:DeleteRule"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"elasticloadbalancing:AddTags",
"elasticloadbalancing:RemoveTags"
],
"Resource": [
"arn:aws:elasticloadbalancing:*:*:targetgroup/*/*",
"arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*",
"arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*"
],
"Condition": {
"Null": {
"aws:RequestTag/elbv2.k8s.aws/cluster": "true",
"aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
}
}
},
{
"Effect": "Allow",
"Action": [
"elasticloadbalancing:AddTags",
"elasticloadbalancing:RemoveTags"
],
"Resource": [
"arn:aws:elasticloadbalancing:*:*:listener/net/*/*/*",
"arn:aws:elasticloadbalancing:*:*:listener/app/*/*/*",
"arn:aws:elasticloadbalancing:*:*:listener-rule/net/*/*/*",
"arn:aws:elasticloadbalancing:*:*:listener-rule/app/*/*/*"
]
},
{
"Effect": "Allow",
"Action": [
"elasticloadbalancing:ModifyLoadBalancerAttributes",
"elasticloadbalancing:SetIpAddressType",
"elasticloadbalancing:SetSecurityGroups",
"elasticloadbalancing:SetSubnets",
"elasticloadbalancing:DeleteLoadBalancer",
"elasticloadbalancing:ModifyTargetGroup",
"elasticloadbalancing:ModifyTargetGroupAttributes",
"elasticloadbalancing:DeleteTargetGroup"
],
"Resource": "*",
"Condition": {
"Null": {
"aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
}
}
},
{
"Effect": "Allow",
"Action": [
"elasticloadbalancing:AddTags"
],
"Resource": [
"arn:aws:elasticloadbalancing:*:*:targetgroup/*/*",
"arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*",
"arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*"
],
"Condition": {
"StringEquals": {
"elasticloadbalancing:CreateAction": [
"CreateTargetGroup",
"CreateLoadBalancer"
]
},
"Null": {
"aws:RequestTag/elbv2.k8s.aws/cluster": "false"
}
}
},
{
"Effect": "Allow",
"Action": [
"elasticloadbalancing:RegisterTargets",
"elasticloadbalancing:DeregisterTargets"
],
"Resource": "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*"
},
{
"Effect": "Allow",
"Action": [
"elasticloadbalancing:SetWebAcl",
"elasticloadbalancing:ModifyListener",
"elasticloadbalancing:AddListenerCertificates",
"elasticloadbalancing:RemoveListenerCertificates",
"elasticloadbalancing:ModifyRule"
],
"Resource": "*"
}
]
}
serviceAccount:
name: aws-load-balancer-controller
namespace: kube-system
name: podIdentity
patches:
- fromFieldPath: spec.parameters.region
toFieldPath: spec.parameters.region
type: FromCompositeFieldPath
- fromFieldPath: spec.parameters.providerConfigName
toFieldPath: spec.parameters.providerConfigName
type: FromCompositeFieldPath
- fromFieldPath: spec.parameters.deletionPolicy
toFieldPath: spec.parameters.deletionPolicy
type: FromCompositeFieldPath
- fromFieldPath: spec.parameters.clusterName
toFieldPath: spec.parameters.clusterName
type: FromCompositeFieldPath
- fromFieldPath: spec.parameters.clusterNameRef
toFieldPath: spec.parameters.clusterNameRef
type: FromCompositeFieldPath
- fromFieldPath: spec.parameters.clusterNameSelector
toFieldPath: spec.parameters.clusterNameSelector
type: FromCompositeFieldPath
- fromFieldPath: status.podIdentity.roleArn
toFieldPath: status.roleArn
type: ToCompositeFieldPath
- fromFieldPath: status.podIdentity.clusterName
toFieldPath: status.clusterName
type: ToCompositeFieldPath
- base:
apiVersion: helm.crossplane.io/v1beta1
kind: Release
spec:
forProvider:
chart:
name: aws-load-balancer-controller
repository: https://aws.github.io/eks-charts
version: 1.8.3
namespace: kube-system
values:
replicaCount: 0
serviceAccount:
name: aws-load-balancer-controller
rollbackLimit: 3
name: helmRelease
patches:
- fromFieldPath: metadata.labels
toFieldPath: metadata.labels
type: FromCompositeFieldPath
- fromFieldPath: metadata.annotations
toFieldPath: metadata.annotations
type: FromCompositeFieldPath
- fromFieldPath: spec.parameters.helm.providerConfigName
toFieldPath: spec.providerConfigRef.name
type: FromCompositeFieldPath
- fromFieldPath: spec.parameters.deletionPolicy
toFieldPath: spec.deletionPolicy
type: FromCompositeFieldPath
- fromFieldPath: spec.parameters.helm.chart.version
toFieldPath: spec.forProvider.chart.version
type: FromCompositeFieldPath
- fromFieldPath: status.clusterName
toFieldPath: spec.forProvider.values.clusterName
type: FromCompositeFieldPath
- fromFieldPath: status.roleArn
toFieldPath: spec.forProvider.values.serviceAccount.annotations["eks.amazonaws.com/role-arn"]
type: FromCompositeFieldPath
- fromFieldPath: status.roleArn
toFieldPath: spec.forProvider.values.replicaCount
transforms:
- match:
patterns:
- regexp: .*
result: 2
type: regexp
type: match
type: FromCompositeFieldPath
- base:
apiVersion: apiextensions.crossplane.io/v1alpha1
kind: Usage
spec:
by:
apiVersion: helm.crossplane.io/v1beta1
kind: Release
resourceSelector:
matchControllerRef: true
of:
apiVersion: aws.platform.upbound.io/v1alpha1
kind: XEKS
resourceSelector:
matchLabels:
platform.upbound.io/deletion-ordering: enabled
name: usageXEksByAWSLBController
readinessChecks:
- type: None
writeConnectionSecretsToNamespace: upbound-system
© 2022 Upbound, Inc.
Discover the building blocksfor your internal cloud platform.