kind: Composition
apiVersion: apiextensions.crossplane.io/v1
metadata:
  name: xaks.azure.platform.upbound.io
  creationTimestamp: null
  labels:
    provider: azure
spec:
  # Renders an XAKS claim into: an AKS cluster with its OIDC issuer enabled,
  # an AWS IAM OIDC provider + role that trust that issuer, and a Crossplane
  # install inside the cluster whose AWS provider authenticates to AWS with a
  # projected service-account token (AssumeRoleWithWebIdentity) instead of
  # static AWS keys. The cross-cloud trust chain is only as strong as the
  # issuer URL, audience and subject pinned in the resources below.
  compositeTypeRef:
    apiVersion: azure.platform.upbound.io/v1alpha1
    kind: XAKS
  mode: Pipeline
  pipeline:
    - step: patch-and-transform
      functionRef:
        name: crossplane-contrib-function-patch-and-transform
      input:
        apiVersion: pt.fn.crossplane.io/v1beta1
        kind: Resources
        # Reusable patches driven by the claim's spec.parameters.
        patchSets:
          # NOTE(review): this single providerConfigName is applied to the
          # Azure resources AND to the AWS IAM resources (OpenIDConnectProvider,
          # Role), so an AWS ProviderConfig with the same name must exist.
          # Those bootstrap AWS credentials — not the workload-identity flow —
          # are what create the IAM trust; keep them tightly scoped.
          - name: providerConfigRef
            patches:
              - fromFieldPath: spec.parameters.providerConfigName
                toFieldPath: spec.providerConfigRef.name
                type: FromCompositeFieldPath
          # deletionPolicy is taken verbatim from the claim, so the caller also
          # decides whether the IAM OIDC provider and role are removed together
          # with the cluster.
          - name: deletionPolicy
            patches:
              - fromFieldPath: spec.parameters.deletionPolicy
                toFieldPath: spec.deletionPolicy
                type: FromCompositeFieldPath
          - name: region
            patches:
              - fromFieldPath: spec.parameters.region
                toFieldPath: spec.forProvider.location
                type: FromCompositeFieldPath
        resources:
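- base:
    apiVersion: containerservice.azure.upbound.io/v1beta1
    kind: KubernetesCluster
    spec:
      forProvider:
        defaultNodePool:
          - name: default
        identity:
          - type: SystemAssigned
        # Both flags are required for the cross-cloud trust: AWS validates the
        # projected service-account tokens against this cluster's OIDC issuer
        # (exported below from status.atProvider.oidcIssuerUrl).
        oidcIssuerEnabled: true
        workloadIdentityEnabled: true
  # The kubeconfig in the connection secret is what the Helm and Kubernetes
  # ProviderConfigs below use to install Crossplane into the cluster.
  # NOTE(review): an AKS connection secret is expected to carry an admin-level
  # kubeconfig — confirm, and treat spec.writeConnectionSecretToRef.namespace
  # as a privileged namespace (RBAC on Secrets there = cluster admin).
  connectionDetails:
    - fromConnectionSecretKey: kubeconfig
      name: kubeconfig
      type: FromConnectionSecretKey
  name: kubernetesCluster
  patches:
    - patchSetName: providerConfigRef
      type: PatchSet
    - patchSetName: deletionPolicy
      type: PatchSet
    - patchSetName: region
      type: PatchSet
    - fromFieldPath: spec.parameters.version
      toFieldPath: spec.forProvider.kubernetesVersion
      type: FromCompositeFieldPath
    - fromFieldPath: spec.parameters.id
      toFieldPath: metadata.name
      transforms:
        - string:
            fmt: "%s-aks"
            type: Format
          type: string
      type: FromCompositeFieldPath
    # Resource group and subnet are resolved by label, so the network claim
    # must be labelled azure.platform.upbound.io/network-id=<spec.parameters.id>.
    - fromFieldPath: spec.parameters.id
      toFieldPath: spec.forProvider.resourceGroupNameSelector.matchLabels[azure.platform.upbound.io/network-id]
      type: FromCompositeFieldPath
    - fromFieldPath: spec.parameters.id
      toFieldPath: spec.forProvider.defaultNodePool[0].vnetSubnetIdSelector.matchLabels[azure.platform.upbound.io/network-id]
      type: FromCompositeFieldPath
    - fromFieldPath: spec.parameters.id
      toFieldPath: spec.forProvider.dnsPrefix
      type: FromCompositeFieldPath
    - fromFieldPath: spec.parameters.nodes.instanceType
      toFieldPath: spec.forProvider.defaultNodePool[0].vmSize
      type: FromCompositeFieldPath
    - fromFieldPath: spec.parameters.nodes.count
      toFieldPath: spec.forProvider.defaultNodePool[0].nodeCount
      type: FromCompositeFieldPath
    # Connection secret is <composite uid>-akscluster in the claim's namespace;
    # the two ProviderConfigs below derive the same name independently, so
    # keep the three format strings in sync.
    - fromFieldPath: spec.writeConnectionSecretToRef.namespace
      toFieldPath: spec.writeConnectionSecretToRef.namespace
      type: FromCompositeFieldPath
    - fromFieldPath: metadata.uid
      toFieldPath: spec.writeConnectionSecretToRef.name
      transforms:
        - string:
            fmt: "%s-akscluster"
            type: Format
          type: string
      type: FromCompositeFieldPath
    # Export the issuer in two forms: the full URL (consumed by the AWS
    # OpenIDConnectProvider.url and the Azure FederatedIdentityCredential.issuer)
    # and the scheme-less form that the role trust policy uses as the
    # condition-key prefix (<issuer>:sub / <issuer>:aud). Optional: the value
    # only exists once the cluster has been observed. The duplicate copy of
    # the URL patch that used to follow has been dropped; it was a no-op.
    - fromFieldPath: status.atProvider.oidcIssuerUrl
      policy:
        fromFieldPath: Optional
      toFieldPath: status.aks.oidcIssuerUrl
      type: ToCompositeFieldPath
    - fromFieldPath: status.atProvider.oidcIssuerUrl
      policy:
        fromFieldPath: Optional
      toFieldPath: status.aks.oidcIssuerUri
      transforms:
        - string:
            trim: https://
            type: TrimPrefix
          type: string
      type: ToCompositeFieldPath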
- base:
    apiVersion: helm.crossplane.io/v1beta1
    kind: ProviderConfig
    spec:
      credentials:
        # Reads the kubeconfig written by the KubernetesCluster resource above
        # (same <composite uid>-akscluster Secret, same namespace). Whoever
        # can create Helm Releases against this ProviderConfig effectively
        # holds that kubeconfig's privileges on the new cluster.
        secretRef:
          key: kubeconfig
        source: Secret
  name: providerConfigHelm
  patches:
    - fromFieldPath: spec.parameters.id
      toFieldPath: metadata.name
      type: FromCompositeFieldPath
    - fromFieldPath: spec.writeConnectionSecretToRef.namespace
      toFieldPath: spec.credentials.secretRef.namespace
      type: FromCompositeFieldPath
    - fromFieldPath: metadata.uid
      toFieldPath: spec.credentials.secretRef.name
      transforms:
        - string:
            fmt: "%s-akscluster"
            type: Format
          type: string
      type: FromCompositeFieldPath
  # NOTE(review): readiness is skipped, presumably because a ProviderConfig
  # exposes no Ready condition for the composition to wait on — confirm.
  readinessChecks:
    - type: None
- base:
    apiVersion: kubernetes.crossplane.io/v1alpha1
    kind: ProviderConfig
    spec:
      credentials:
        # Same kubeconfig Secret as providerConfigHelm; this ProviderConfig is
        # what applies the Provider, DeploymentRuntimeConfig, AWS ProviderConfig
        # and VPC Objects below into the new cluster.
        secretRef:
          key: kubeconfig
        source: Secret
  name: providerConfigKubernetes
  patches:
    - fromFieldPath: spec.parameters.id
      toFieldPath: metadata.name
      type: FromCompositeFieldPath
    - fromFieldPath: spec.writeConnectionSecretToRef.namespace
      toFieldPath: spec.credentials.secretRef.namespace
      type: FromCompositeFieldPath
    - fromFieldPath: metadata.uid
      toFieldPath: spec.credentials.secretRef.name
      transforms:
        - string:
            fmt: "%s-akscluster"
            type: Format
          type: string
      type: FromCompositeFieldPath
  # NOTE(review): readiness is skipped, presumably because a ProviderConfig
  # exposes no Ready condition for the composition to wait on — confirm.
  readinessChecks:
    - type: None
- base:
    apiVersion: iam.aws.upbound.io/v1beta1
    kind: OpenIDConnectProvider
    spec:
      forProvider:
        # Only tokens minted for the STS audience are accepted. Must match the
        # projected token audience in the DeploymentRuntimeConfig and the
        # ":aud" condition in the role trust policy.
        clientIdList:
          - sts.amazonaws.com
        # NOTE(review): pinned TLS certificate thumbprint for the issuer
        # endpoint, hardcoded rather than derived from status.aks.oidcIssuerUrl.
        # If the CA chain behind the AKS issuer rotates this either breaks the
        # trust or (worse) keeps trusting a stale chain — verify it against the
        # live issuer and prefer computing it at provision time.
        thumbprintList:
          - df3c24f9bfd666761b268073fe06d1cc8d4f82a4
  name: aws-oidc-provider
  patches:
    # Created with the bootstrap AWS ProviderConfig named by
    # spec.parameters.providerConfigName (shared with the Azure resources).
    - patchSetName: providerConfigRef
      type: PatchSet
    - patchSetName: deletionPolicy
      type: PatchSet
    # Trust exactly the AKS cluster's issuer. Optional: the URL is only known
    # after the cluster has been observed.
    - fromFieldPath: status.aks.oidcIssuerUrl
      policy:
        fromFieldPath: Optional
      toFieldPath: spec.forProvider.url
      type: FromCompositeFieldPath
    # Account id for the trust policy, extracted from the provider ARN. The
    # regexp only matches the "aws" partition (not aws-cn / aws-us-gov).
    - fromFieldPath: status.atProvider.arn
      policy:
        fromFieldPath: Optional
      toFieldPath: status.aws.accountId
      transforms:
        - string:
            regexp:
              group: 1
              match: arn:aws:iam::(\d{12}):oidc-provider/.+
            type: Regexp
          type: string
      type: ToCompositeFieldPath
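- base:
    apiVersion: iam.aws.upbound.io/v1beta1
    kind: Role
    spec:
      forProvider:
        # Least privilege: the only principal that can assume this role is the
        # provider-aws-ec2 service account pinned in the trust policy, and the
        # only thing it manages in this composition is a VPC. The EC2-scoped
        # AWS-managed policy replaces AdministratorAccess, which would have
        # handed a single pod's projected token full control of the account.
        # Narrow further with a customer-managed policy if only a subset of
        # EC2 actions is needed.
        managedPolicyArns:
          - arn:aws:iam::aws:policy/AmazonEC2FullAccess
  name: aws-role-assume-role-with-webidentity
  patches:
    # Created with the bootstrap AWS ProviderConfig named by
    # spec.parameters.providerConfigName (shared with the Azure resources).
    - patchSetName: providerConfigRef
      type: PatchSet
    - patchSetName: deletionPolicy
      type: PatchSet
    # Trust policy. %[1]s = AWS account id, %[2]s = scheme-less AKS issuer.
    # Only a token from that issuer whose subject is the provider's service
    # account (namespace upbound-system, SA upbound-provider-aws-ec2) and whose
    # audience is STS may assume the role; keep subject and audience in sync
    # with the DeploymentRuntimeConfig and FederatedIdentityCredential below.
    # Required: without account id and issuer the policy would be malformed.
    - combine:
        strategy: string
        string:
          fmt: >
            {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Effect": "Allow",
                  "Principal": {
                    "Federated": "arn:aws:iam::%[1]s:oidc-provider/%[2]s"
                  },
                  "Action": "sts:AssumeRoleWithWebIdentity",
                  "Condition": {
                    "StringEquals": {
                      "%[2]s:sub": "system:serviceaccount:upbound-system:upbound-provider-aws-ec2",
                      "%[2]s:aud": "sts.amazonaws.com"
                    }
                  }
                }
              ]
            }
        variables:
          - fromFieldPath: status.aws.accountId
          - fromFieldPath: status.aks.oidcIssuerUri
      policy:
        fromFieldPath: Required
      toFieldPath: spec.forProvider.assumeRolePolicy
      type: CombineFromComposite
    # Exported for the in-cluster AWS ProviderConfig (webIdentity.roleARN).
    - fromFieldPath: status.atProvider.arn
      policy:
        fromFieldPath: Optional
      toFieldPath: status.aws.providerRoleArn
      type: ToCompositeFieldPath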
- base:
    apiVersion: helm.crossplane.io/v1beta1
    kind: Release
    spec:
      forProvider:
        # Installs Crossplane (UXP) into the new AKS cluster through the Helm
        # ProviderConfig above. The chart version is pinned; the repository is
        # fetched over HTTPS.
        chart:
          name: universal-crossplane
          repository: https://charts.upbound.io/stable
          version: 1.16.0-up.1
        namespace: upbound-system
        values: {}
      rollbackLimit: 3
  name: crossplane
  patches:
    # spec.parameters.id is also the name of the Helm ProviderConfig above.
    - fromFieldPath: spec.parameters.id
      toFieldPath: spec.providerConfigRef.name
      type: FromCompositeFieldPath
- base:
    apiVersion: kubernetes.crossplane.io/v1alpha2
    kind: Object
    spec:
      forProvider:
        manifest:
          apiVersion: pkg.crossplane.io/v1
          kind: Provider
          metadata:
            name: upbound-provider-aws-ec2
          spec:
            # NOTE(review): pinned by tag only. A tag is mutable in the
            # registry; pin by digest (…@sha256:…) and/or verify the package
            # signature so a replaced image cannot run with this provider's
            # AWS role.
            package: xpkg.upbound.io/upbound/provider-aws-ec2:v1.7.0
            # Pod template + service account come from the
            # DeploymentRuntimeConfig of the same name (next resource).
            runtimeConfigRef:
              apiVersion: pkg.crossplane.io/v1beta1
              kind: DeploymentRuntimeConfig
              name: upbound-provider-aws-ec2
  name: provider
  patches:
    # spec.parameters.id is also the name of the Kubernetes ProviderConfig above.
    - fromFieldPath: spec.parameters.id
      toFieldPath: spec.providerConfigRef.name
      type: FromCompositeFieldPath
- base:
    apiVersion: kubernetes.crossplane.io/v1alpha2
    kind: Object
    spec:
      forProvider:
        manifest:
          apiVersion: pkg.crossplane.io/v1beta1
          kind: DeploymentRuntimeConfig
          metadata:
            name: upbound-provider-aws-ec2
          spec:
            deploymentTemplate:
              spec:
                replicas: 1
                selector: {}
                template:
                  metadata:
                    labels:
                      # Opts the provider pod into the Azure workload-identity
                      # webhook (label value must be the string "true").
                      azure.workload.identity/use: "true"
                  spec:
                    containers:
                      - name: package-runtime
                    # Short-lived service-account token bound to the STS
                    # audience; this is the credential the AWS ProviderConfig
                    # presents to AssumeRoleWithWebIdentity. It is issued by
                    # the AKS OIDC issuer that the IAM OIDC provider trusts.
                    # NOTE(review): the volume is declared but no volumeMount
                    # appears here — the path read by providerconfig-aws
                    # (/var/run/secrets/azure/tokens/azure-identity-token)
                    # presumably relies on the webhook mounting it; confirm.
                    volumes:
                      - name: azure-identity-token
                        projected:
                          # 420 decimal = 0644: readable by every user in the pod.
                          defaultMode: 420
                          sources:
                            - serviceAccountToken:
                                audience: sts.amazonaws.com
                                expirationSeconds: 3600
                                path: azure-identity-token
            # This SA name/namespace is the exact subject pinned in the AWS
            # role trust policy and in the FederatedIdentityCredential.
            serviceAccountTemplate:
              metadata:
                annotations:
                  # NOTE(review): this annotation normally expects the client ID
                  # (GUID) of the user-assigned identity, not its display name,
                  # and the clientId is never patched in from the
                  # UserAssignedIdentity below — confirm whether the Azure side
                  # of the identity is actually used by this flow.
                  azure.workload.identity/client-id: upbound-provider-aws-ec2
                name: upbound-provider-aws-ec2
  name: drc
  patches:
    # spec.parameters.id is also the name of the Kubernetes ProviderConfig above.
    - fromFieldPath: spec.parameters.id
      toFieldPath: spec.providerConfigRef.name
      type: FromCompositeFieldPath
- base:
    apiVersion: managedidentity.azure.upbound.io/v1beta1
    kind: UserAssignedIdentity
    spec:
      forProvider:
        # NOTE(review): as far as is visible in this composition, nothing
        # consumes this identity except the FederatedIdentityCredential below;
        # the AWS flow uses the raw Kubernetes service-account token directly.
        name: upbound-provider-aws-ec2
  name: user-assigned-identity
  patches:
    - patchSetName: providerConfigRef
      type: PatchSet
    - patchSetName: deletionPolicy
      type: PatchSet
    - patchSetName: region
      type: PatchSet
    # Same label-based resource-group lookup as the cluster.
    - fromFieldPath: spec.parameters.id
      toFieldPath: spec.forProvider.resourceGroupNameSelector.matchLabels[azure.platform.upbound.io/network-id]
      type: FromCompositeFieldPath
    # Resource id, consumed as parentId by the FederatedIdentityCredential.
    - fromFieldPath: status.atProvider.id
      policy:
        fromFieldPath: Optional
      toFieldPath: status.aks.userAssignedIdentityId
      type: ToCompositeFieldPath
    # Object (principal) id. The misspelled status key is kept as-is because
    # it is part of the XRD's status schema; fix it there and here together.
    - fromFieldPath: status.atProvider.principalId
      policy:
        fromFieldPath: Optional
      toFieldPath: status.aks.userAssignedIdentitiyObjectId
      type: ToCompositeFieldPath
- base:
    apiVersion: managedidentity.azure.upbound.io/v1beta1
    kind: FederatedIdentityCredential
    spec:
      forProvider:
        # Azure-side federation for the same service-account token: audience
        # and subject must stay identical to the projected token audience in
        # the DeploymentRuntimeConfig and the ":sub" pinned in the AWS role
        # trust policy.
        audience:
          - sts.amazonaws.com
        subject: system:serviceaccount:upbound-system:upbound-provider-aws-ec2
  name: federated-identity-credential
  patches:
    - patchSetName: providerConfigRef
      type: PatchSet
    - patchSetName: deletionPolicy
      type: PatchSet
    - fromFieldPath: spec.parameters.id
      toFieldPath: spec.forProvider.resourceGroupNameSelector.matchLabels[azure.platform.upbound.io/network-id]
      type: FromCompositeFieldPath
    # Required: the credential cannot be rendered until the cluster's issuer
    # URL and the identity's resource id are known.
    - fromFieldPath: status.aks.oidcIssuerUrl
      policy:
        fromFieldPath: Required
      toFieldPath: spec.forProvider.issuer
      type: FromCompositeFieldPath
    - fromFieldPath: status.aks.userAssignedIdentityId
      policy:
        fromFieldPath: Required
      toFieldPath: spec.forProvider.parentId
      type: FromCompositeFieldPath
- base:
    apiVersion: kubernetes.crossplane.io/v1alpha2
    kind: Object
    spec:
      forProvider:
        manifest:
          apiVersion: aws.upbound.io/v1beta1
          kind: ProviderConfig
          metadata:
            name: pod-identity
          spec:
            credentials:
              # No static AWS keys: the provider reads the projected
              # service-account token from disk and exchanges it for role
              # credentials via AssumeRoleWithWebIdentity. The path must match
              # where the azure-identity-token projection is mounted.
              source: WebIdentity
              webIdentity:
                tokenConfig:
                  fs:
                    path: /var/run/secrets/azure/tokens/azure-identity-token
                  source: Filesystem
  name: providerconfig-aws
  patches:
    # spec.parameters.id is also the name of the Kubernetes ProviderConfig above.
    - fromFieldPath: spec.parameters.id
      toFieldPath: spec.providerConfigRef.name
      type: FromCompositeFieldPath
    # Required: the ProviderConfig is useless (and must not be applied) until
    # the role created above has an ARN.
    - fromFieldPath: status.aws.providerRoleArn
      policy:
        fromFieldPath: Required
      toFieldPath: spec.forProvider.manifest.spec.credentials.webIdentity.roleARN
      type: FromCompositeFieldPath
- base:
    apiVersion: kubernetes.crossplane.io/v1alpha2
    kind: Object
    spec:
      forProvider:
        manifest:
          apiVersion: ec2.aws.upbound.io/v1beta1
          kind: VPC
          metadata:
            name: cfg-azure-assume-aws
          spec:
            # Smoke test for the cross-cloud trust: an AWS VPC created from
            # inside AKS using only the projected token. CIDR and region are
            # hardcoded; parameterise them before using this beyond a demo.
            forProvider:
              cidrBlock: 10.1.0.0/16
              region: eu-west-1
            providerConfigRef:
              name: pod-identity
      # Only report Ready once the VPC itself is Ready in the remote cluster.
      readiness:
        policy: AllTrue
  name: vpc-via-azure
  patches:
    # spec.parameters.id is also the name of the Kubernetes ProviderConfig above.
    - fromFieldPath: spec.parameters.id
      toFieldPath: spec.providerConfigRef.name
      type: FromCompositeFieldPath
- step: ordered-creation
  functionRef:
    name: crossplane-contrib-function-sequencer
  input:
    apiVersion: template.fn.crossplane.io/v1beta1
    kind: Input
    # Creation order only. Everything in-cluster and the AWS trust wait for
    # the AKS cluster (and hence its issuer URL and kubeconfig); the VPC waits
    # for the AWS ProviderConfig it references. The Azure identity resources
    # are not sequenced — their Required patches gate them instead.
    # NOTE(review): provider and drc are ordered only after the cluster, not
    # relative to each other — presumably fine because the Provider references
    # the DeploymentRuntimeConfig by name; confirm.
    rules:
      - sequence:
          - kubernetesCluster
          - aws-oidc-provider
      - sequence:
          - kubernetesCluster
          - aws-role-assume-role-with-webidentity
      - sequence:
          - kubernetesCluster
          - crossplane
      - sequence:
          - kubernetesCluster
          - provider
      - sequence:
          - kubernetesCluster
          - drc
      - sequence:
          - kubernetesCluster
          - providerconfig-aws
      - sequence:
          - providerconfig-aws
          - vpc-via-azure