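# Composition backing the XCNOE composite (CNOE reference platform on AWS).
#
# It composes, in dependency order:
#   1. XNetwork / XEKS           - VPC and EKS cluster
#   2. XKarpenter, XOss, XArgo   - node autoscaling, observability, Argo CD
#   3. Usage resources           - keep XEKS alive while 2. still exists
#   4. XIRSA roles + Helm charts - external-dns, AWS LB controller, cert-manager,
#                                  ingress-nginx, external-secrets, crossplane,
#                                  Backstage, Keycloak
#   5. Keycloak objects          - realm groups, scopes, and the OIDC clients
#                                  used by Argo CD and Backstage
#
# Cross-resource wiring goes through the composite's status; producers write
# with ToCompositeFieldPath (Optional) and consumers read with
# FromCompositeFieldPath (Required), so a consumer is not rendered until its
# producer has published the value:
#   status.cnoe.eks.clusterName                        <- XEKS
#   status.cnoe.karpenter.*                            <- XKarpenter
#   status.cnoe.route53Zone.name                       <- ObserveRoute53Zone
#   status.cnoe.externalDNS.IRSARoleArn                <- XIRSAExternalDNS
#   status.cnoe.AWSLoadbalancerController.IRSARoleArn  <- XIRSAAWSLoadBalancerController
#   status.cnoe.keycloak.*                             <- Keycloak scope/client/secret objects
#
# Helm/Kubernetes provider objects set spec.providerConfigRef.name to
# spec.parameters.id; the matching ProviderConfigs are presumably created by
# XEKS (not visible in this file).
kind: Composition
apiVersion: apiextensions.crossplane.io/v1
metadata:
  name: xcnoe.aws.platformref.upbound.io
  creationTimestamp: null
spec:
  compositeTypeRef:
    apiVersion: aws.platformref.upbound.io/v1alpha1
    kind: XCNOE
  resources:
    # VPC/subnets. The composite's networkSelector picks the XNetwork
    # composition via its `type` label.
    - name: XNetwork
      base:
        apiVersion: aws.platform.upbound.io/v1alpha1
        kind: XNetwork
      patches:
        - type: FromCompositeFieldPath
          fromFieldPath: spec.parameters.id
          toFieldPath: spec.parameters.id
        - type: FromCompositeFieldPath
          fromFieldPath: spec.parameters.region
          toFieldPath: spec.parameters.region
        - type: FromCompositeFieldPath
          fromFieldPath: spec.parameters.deletionPolicy
          toFieldPath: spec.parameters.deletionPolicy
        - type: FromCompositeFieldPath
          fromFieldPath: spec.parameters.providerConfigName
          toFieldPath: spec.parameters.providerConfigName
        - type: FromCompositeFieldPath
          fromFieldPath: spec.parameters.networkSelector
          toFieldPath: spec.compositionSelector.matchLabels[type]

    # EKS control plane and node group. The cluster's connection secret is
    # named `<composite-uid>-eks` and written to the composite's own
    # connection-secret namespace; its `kubeconfig` key is re-exported as this
    # composition's connection detail.
    - name: XEKS
      base:
        apiVersion: aws.platform.upbound.io/v1alpha1
        kind: XEKS
      patches:
        - type: FromCompositeFieldPath
          fromFieldPath: spec.parameters.id
          toFieldPath: metadata.labels[xeks.aws.platform.upbound.io/cluster-id]
        - type: FromCompositeFieldPath
          fromFieldPath: spec.parameters.id
          toFieldPath: spec.parameters.id
        - type: FromCompositeFieldPath
          fromFieldPath: spec.parameters.region
          toFieldPath: spec.parameters.region
        - type: FromCompositeFieldPath
          fromFieldPath: spec.parameters.deletionPolicy
          toFieldPath: spec.parameters.deletionPolicy
        - type: FromCompositeFieldPath
          fromFieldPath: spec.parameters.providerConfigName
          toFieldPath: spec.parameters.providerConfigName
        # The cluster id doubles as the external name of the EKS cluster.
        - type: FromCompositeFieldPath
          fromFieldPath: spec.parameters.id
          toFieldPath: metadata.annotations[crossplane.io/external-name]
        - type: FromCompositeFieldPath
          fromFieldPath: metadata.uid
          toFieldPath: spec.writeConnectionSecretToRef.name
          transforms:
            - type: string
              string:
                type: Format
                fmt: "%s-eks"
        - type: FromCompositeFieldPath
          fromFieldPath: spec.writeConnectionSecretToRef.namespace
          toFieldPath: spec.writeConnectionSecretToRef.namespace
        - type: FromCompositeFieldPath
          fromFieldPath: spec.parameters.version
          toFieldPath: spec.parameters.version
        - type: FromCompositeFieldPath
          fromFieldPath: spec.parameters.nodes.count
          toFieldPath: spec.parameters.nodes.count
        - type: FromCompositeFieldPath
          fromFieldPath: spec.parameters.nodes.instanceType
          toFieldPath: spec.parameters.nodes.instanceType
        - type: FromCompositeFieldPath
          fromFieldPath: spec.parameters.iam.roleArn
          toFieldPath: spec.parameters.iam.roleArn
        - type: FromCompositeFieldPath
          fromFieldPath: spec.parameters.iam.userArn
          toFieldPath: spec.parameters.iam.userArn
        # Karpenter's node instance-profile role is handed to the cluster as
        # the autoscaler ARN (presumably for the aws-auth mapping; XEKS
        # internals are not visible here). Optional because XKarpenter only
        # publishes the ARN once it has reconciled.
        - type: FromCompositeFieldPath
          fromFieldPath: status.cnoe.karpenter.instanceProfileRoleArn
          toFieldPath: spec.parameters.iam.autoscalerArn
          policy:
            fromFieldPath: Optional
        - type: ToCompositeFieldPath
          fromFieldPath: status.eks.clusterName
          toFieldPath: status.cnoe.eks.clusterName
          policy:
            fromFieldPath: Optional
      connectionDetails:
        - name: kubeconfig
          type: FromConnectionSecretKey
          fromConnectionSecretKey: kubeconfig

    # Observability stack (Prometheus operator version is parameterised).
    - name: XOss
      base:
        apiVersion: observe.platform.upbound.io/v1alpha1
        kind: XOss
      patches:
        - type: FromCompositeFieldPath
          fromFieldPath: spec.parameters.deletionPolicy
          toFieldPath: spec.parameters.deletionPolicy
        - type: FromCompositeFieldPath
          fromFieldPath: spec.parameters.id
          toFieldPath: spec.parameters.id
        - type: FromCompositeFieldPath
          fromFieldPath: spec.parameters.operators.prometheus.version
          toFieldPath: spec.parameters.operators.prometheus.version

    # Argo CD, configured for SSO against the Keycloak instance created below.
    - name: XArgo
      base:
        apiVersion: gitops.platform.upbound.io/v1alpha1
        kind: XArgo
      patches:
        - type: FromCompositeFieldPath
          fromFieldPath: spec.parameters.deletionPolicy
          toFieldPath: spec.parameters.deletionPolicy
        # XArgo takes the cluster id as its providerConfigName (unlike the
        # AWS-level X* resources above, which take spec.parameters.providerConfigName).
        - type: FromCompositeFieldPath
          fromFieldPath: spec.parameters.id
          toFieldPath: spec.parameters.providerConfigName
        - type: FromCompositeFieldPath
          fromFieldPath: spec.parameters.operators.argocd.version
          toFieldPath: spec.parameters.operators.argocd.version
        - type: FromCompositeFieldPath
          fromFieldPath: spec.parameters.gitops
          toFieldPath: spec.parameters.source
        # Renders Argo CD's oidc.config block. The fmt value is YAML consumed
        # by Argo CD, so its lines must stay at one indentation level.
        # NOTE(review): the client secret is interpolated in plaintext into
        # XArgo's spec. It originates from the composite's status (see
        # keycloakArgoCDClientSecret), so anyone who can read XArgo or XCNOE
        # can read it.
        - type: CombineFromComposite
          combine:
            variables:
              - fromFieldPath: spec.parameters.id
              - fromFieldPath: status.cnoe.route53Zone.name
              - fromFieldPath: status.cnoe.keycloak.argoCD.clientSecret
            strategy: string
            string:
              fmt: |
                name: Keycloak
                issuer: https://keycloak-%s.%s/realms/master
                clientID: argocd
                clientSecret: %s
                requestedScopes: ['openid', 'profile', 'email', 'groups']
          toFieldPath: spec.parameters.oidcConfig
          policy:
            fromFieldPath: Required
        - type: CombineFromComposite
          combine:
            variables:
              - fromFieldPath: spec.parameters.id
              - fromFieldPath: status.cnoe.route53Zone.name
            strategy: string
            string:
              fmt: argocd-%s.%s
          toFieldPath: spec.parameters.ingressUrl
          policy:
            fromFieldPath: Required

    # Karpenter node autoscaling; needs the cluster name from XEKS and
    # publishes its two role ARNs for XEKS to consume.
    - name: XKarpenter
      base:
        apiVersion: aws.platform.upbound.io/v1alpha1
        kind: XKarpenter
      patches:
        - type: FromCompositeFieldPath
          fromFieldPath: spec.parameters.deletionPolicy
          toFieldPath: spec.parameters.deletionPolicy
        - type: FromCompositeFieldPath
          fromFieldPath: spec.parameters.id
          toFieldPath: spec.parameters.id
        - type: FromCompositeFieldPath
          fromFieldPath: spec.parameters.region
          toFieldPath: spec.parameters.region
        - type: FromCompositeFieldPath
          fromFieldPath: status.cnoe.eks.clusterName
          toFieldPath: spec.parameters.clusterName
          policy:
            fromFieldPath: Required
        - type: ToCompositeFieldPath
          fromFieldPath: status.karpenter.IRSARoleArn
          toFieldPath: status.cnoe.karpenter.IRSARoleArn
          policy:
            fromFieldPath: Optional
        - type: ToCompositeFieldPath
          fromFieldPath: status.karpenter.instanceProfileRoleArn
          toFieldPath: status.cnoe.karpenter.instanceProfileRoleArn
          policy:
            fromFieldPath: Optional

    # Deletion ordering: each Usage keeps XEKS from being deleted while the
    # `by` resource (XKarpenter / XArgo / XOss) still exists in this
    # composite, so in-cluster teardown can run against a live cluster.
    - name: usageXEksByXKarpernter
      base:
        apiVersion: apiextensions.crossplane.io/v1alpha1
        kind: Usage
        spec:
          by:
            apiVersion: aws.platform.upbound.io/v1alpha1
            kind: XKarpenter
            resourceSelector:
              matchControllerRef: true
          of:
            apiVersion: aws.platform.upbound.io/v1alpha1
            kind: XEKS
            resourceSelector:
              matchControllerRef: true
    - name: usageXEksByXArgo
      base:
        apiVersion: apiextensions.crossplane.io/v1alpha1
        kind: Usage
        spec:
          by:
            apiVersion: gitops.platform.upbound.io/v1alpha1
            kind: XArgo
            resourceSelector:
              matchControllerRef: true
          of:
            apiVersion: aws.platform.upbound.io/v1alpha1
            kind: XEKS
            resourceSelector:
              matchControllerRef: true
    - name: usageXEksByXOss
      base:
        apiVersion: apiextensions.crossplane.io/v1alpha1
        kind: Usage
        spec:
          by:
            apiVersion: observe.platform.upbound.io/v1alpha1
            kind: XOss
            resourceSelector:
              matchControllerRef: true
          of:
            apiVersion: aws.platform.upbound.io/v1alpha1
            kind: XEKS
            resourceSelector:
              matchControllerRef: true

    # IRSA role for external-dns. Read-only Route53 actions are account-wide;
    # record changes are restricted to the single hosted zone passed in via
    # spec.parameters.route53zoneId.
    - name: XIRSAExternalDNS
      base:
        apiVersion: aws.platform.upbound.io/v1alpha1
        kind: XIRSA
        spec:
          parameters:
            condition: StringEquals
            serviceAccount:
              name: external-dns
              namespace: external-dns
      patches:
        - type: FromCompositeFieldPath
          fromFieldPath: spec.parameters.deletionPolicy
          toFieldPath: spec.parameters.deletionPolicy
        - type: FromCompositeFieldPath
          fromFieldPath: spec.parameters.id
          toFieldPath: spec.parameters.id
        - type: ToCompositeFieldPath
          fromFieldPath: status.roleArn
          toFieldPath: status.cnoe.externalDNS.IRSARoleArn
          policy:
            fromFieldPath: Optional
        - type: CombineFromComposite
          combine:
            variables:
              - fromFieldPath: spec.parameters.route53zoneId
            strategy: string
            string:
              fmt: |
                {
                  "Version": "2012-10-17",
                  "Statement": [
                    {
                      "Effect": "Allow",
                      "Action": [
                        "route53:ListResourceRecordSets",
                        "route53:ListHostedZones"
                      ],
                      "Resource": "*"
                    },
                    {
                      "Effect": "Allow",
                      "Action": "route53:ChangeResourceRecordSets",
                      "Resource": "arn:aws:route53:::hostedzone/%s"
                    }
                  ]
                }
          toFieldPath: spec.parameters.policyDocument
          policy:
            fromFieldPath: Required

    # external-dns (Bitnami chart) publishing Ingress hosts into the observed
    # Route53 zone, authenticating through the IRSA role above.
    # `policy: sync` lets it delete records; ownership is tracked through the
    # TXT registry keyed by `txtOwnerId`.
    - name: externalDNSChart
      base:
        apiVersion: helm.crossplane.io/v1beta1
        kind: Release
        spec:
          forProvider:
            chart:
              name: external-dns
              repository: https://charts.bitnami.com/bitnami
              version: 6.28.4
            namespace: external-dns
            values:
              aws:
                batchChangeSize: 4
                # NOTE(review): fixed to us-east-1 and not patched from
                # spec.parameters.region like the X* resources. Route53 is a
                # global service so it still works, but it is inconsistent
                # with the rest of the composition.
                region: us-east-1
                zoneType: public
              metrics:
                enabled: false
                serviceMonitor:
                  enabled: false
              podDisruptionBudget:
                minAvailable: 1
              policy: sync
              provider: aws
              rbac:
                create: true
              registry: txt
              # NOTE(review): both `replicaCount` and `replicas` are set, with
              # different values. Confirm which one this chart version honours
              # and drop the other.
              replicaCount: 1
              replicas: 2
              serviceAccount:
                create: true
                name: external-dns
              source: ingress
              txtOwnerId: external-dns
      patches:
        - type: FromCompositeFieldPath
          fromFieldPath: spec.parameters.id
          toFieldPath: spec.providerConfigRef.name
        - type: FromCompositeFieldPath
          fromFieldPath: spec.parameters.deletionPolicy
          toFieldPath: spec.deletionPolicy
        # Limit external-dns to the observed zone's domain.
        - type: FromCompositeFieldPath
          fromFieldPath: status.cnoe.route53Zone.name
          toFieldPath: spec.forProvider.values.domainFilters[0]
          policy:
            fromFieldPath: Required
        - type: FromCompositeFieldPath
          fromFieldPath: status.cnoe.externalDNS.IRSARoleArn
          toFieldPath: spec.forProvider.values.serviceAccount.annotations[eks.amazonaws.com/role-arn]
          policy:
            fromFieldPath: Required

    # IRSA role for the AWS Load Balancer Controller. The policy document is
    # the controller's upstream reference policy: describe/list actions are
    # account-wide, mutating ELB/EC2 actions are fenced by the
    # `elbv2.k8s.aws/cluster` tag conditions, and the service-linked-role
    # creation is limited to elasticloadbalancing.amazonaws.com.
    - name: XIRSAAWSLoadBalancerController
      base:
        apiVersion: aws.platform.upbound.io/v1alpha1
        kind: XIRSA
        spec:
          parameters:
            condition: StringEquals
            policyDocument: >
              {
                "Version": "2012-10-17",
                "Statement": [
                  {
                    "Effect": "Allow",
                    "Action": [
                      "iam:CreateServiceLinkedRole"
                    ],
                    "Resource": "*",
                    "Condition": {
                      "StringEquals": {
                        "iam:AWSServiceName": "elasticloadbalancing.amazonaws.com"
                      }
                    }
                  },
                  {
                    "Effect": "Allow",
                    "Action": [
                      "ec2:DescribeAccountAttributes",
                      "ec2:DescribeAddresses",
                      "ec2:DescribeAvailabilityZones",
                      "ec2:DescribeInternetGateways",
                      "ec2:DescribeVpcs",
                      "ec2:DescribeVpcPeeringConnections",
                      "ec2:DescribeSubnets",
                      "ec2:DescribeSecurityGroups",
                      "ec2:DescribeInstances",
                      "ec2:DescribeNetworkInterfaces",
                      "ec2:DescribeTags",
                      "ec2:GetCoipPoolUsage",
                      "ec2:DescribeCoipPools",
                      "elasticloadbalancing:DescribeLoadBalancers",
                      "elasticloadbalancing:DescribeLoadBalancerAttributes",
                      "elasticloadbalancing:DescribeListeners",
                      "elasticloadbalancing:DescribeListenerCertificates",
                      "elasticloadbalancing:DescribeSSLPolicies",
                      "elasticloadbalancing:DescribeRules",
                      "elasticloadbalancing:DescribeTargetGroups",
                      "elasticloadbalancing:DescribeTargetGroupAttributes",
                      "elasticloadbalancing:DescribeTargetHealth",
                      "elasticloadbalancing:DescribeTags"
                    ],
                    "Resource": "*"
                  },
                  {
                    "Effect": "Allow",
                    "Action": [
                      "cognito-idp:DescribeUserPoolClient",
                      "acm:ListCertificates",
                      "acm:DescribeCertificate",
                      "iam:ListServerCertificates",
                      "iam:GetServerCertificate",
                      "waf-regional:GetWebACL",
                      "waf-regional:GetWebACLForResource",
                      "waf-regional:AssociateWebACL",
                      "waf-regional:DisassociateWebACL",
                      "wafv2:GetWebACL",
                      "wafv2:GetWebACLForResource",
                      "wafv2:AssociateWebACL",
                      "wafv2:DisassociateWebACL",
                      "shield:GetSubscriptionState",
                      "shield:DescribeProtection",
                      "shield:CreateProtection",
                      "shield:DeleteProtection"
                    ],
                    "Resource": "*"
                  },
                  {
                    "Effect": "Allow",
                    "Action": [
                      "ec2:AuthorizeSecurityGroupIngress",
                      "ec2:RevokeSecurityGroupIngress"
                    ],
                    "Resource": "*"
                  },
                  {
                    "Effect": "Allow",
                    "Action": [
                      "ec2:CreateSecurityGroup"
                    ],
                    "Resource": "*"
                  },
                  {
                    "Effect": "Allow",
                    "Action": [
                      "ec2:CreateTags"
                    ],
                    "Resource": "arn:aws:ec2:*:*:security-group/*",
                    "Condition": {
                      "StringEquals": {
                        "ec2:CreateAction": "CreateSecurityGroup"
                      },
                      "Null": {
                        "aws:RequestTag/elbv2.k8s.aws/cluster": "false"
                      }
                    }
                  },
                  {
                    "Effect": "Allow",
                    "Action": [
                      "ec2:CreateTags",
                      "ec2:DeleteTags"
                    ],
                    "Resource": "arn:aws:ec2:*:*:security-group/*",
                    "Condition": {
                      "Null": {
                        "aws:RequestTag/elbv2.k8s.aws/cluster": "true",
                        "aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
                      }
                    }
                  },
                  {
                    "Effect": "Allow",
                    "Action": [
                      "ec2:AuthorizeSecurityGroupIngress",
                      "ec2:RevokeSecurityGroupIngress",
                      "ec2:DeleteSecurityGroup"
                    ],
                    "Resource": "*",
                    "Condition": {
                      "Null": {
                        "aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
                      }
                    }
                  },
                  {
                    "Effect": "Allow",
                    "Action": [
                      "elasticloadbalancing:CreateLoadBalancer",
                      "elasticloadbalancing:CreateTargetGroup"
                    ],
                    "Resource": "*",
                    "Condition": {
                      "Null": {
                        "aws:RequestTag/elbv2.k8s.aws/cluster": "false"
                      }
                    }
                  },
                  {
                    "Effect": "Allow",
                    "Action": [
                      "elasticloadbalancing:CreateListener",
                      "elasticloadbalancing:DeleteListener",
                      "elasticloadbalancing:CreateRule",
                      "elasticloadbalancing:DeleteRule"
                    ],
                    "Resource": "*"
                  },
                  {
                    "Effect": "Allow",
                    "Action": [
                      "elasticloadbalancing:AddTags",
                      "elasticloadbalancing:RemoveTags"
                    ],
                    "Resource": [
                      "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*",
                      "arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*",
                      "arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*"
                    ],
                    "Condition": {
                      "Null": {
                        "aws:RequestTag/elbv2.k8s.aws/cluster": "true",
                        "aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
                      }
                    }
                  },
                  {
                    "Effect": "Allow",
                    "Action": [
                      "elasticloadbalancing:AddTags",
                      "elasticloadbalancing:RemoveTags"
                    ],
                    "Resource": [
                      "arn:aws:elasticloadbalancing:*:*:listener/net/*/*/*",
                      "arn:aws:elasticloadbalancing:*:*:listener/app/*/*/*",
                      "arn:aws:elasticloadbalancing:*:*:listener-rule/net/*/*/*",
                      "arn:aws:elasticloadbalancing:*:*:listener-rule/app/*/*/*"
                    ]
                  },
                  {
                    "Effect": "Allow",
                    "Action": [
                      "elasticloadbalancing:ModifyLoadBalancerAttributes",
                      "elasticloadbalancing:SetIpAddressType",
                      "elasticloadbalancing:SetSecurityGroups",
                      "elasticloadbalancing:SetSubnets",
                      "elasticloadbalancing:DeleteLoadBalancer",
                      "elasticloadbalancing:ModifyTargetGroup",
                      "elasticloadbalancing:ModifyTargetGroupAttributes",
                      "elasticloadbalancing:DeleteTargetGroup"
                    ],
                    "Resource": "*",
                    "Condition": {
                      "Null": {
                        "aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
                      }
                    }
                  },
                  {
                    "Effect": "Allow",
                    "Action": [
                      "elasticloadbalancing:AddTags"
                    ],
                    "Resource": [
                      "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*",
                      "arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*",
                      "arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*"
                    ],
                    "Condition": {
                      "StringEquals": {
                        "elasticloadbalancing:CreateAction": [
                          "CreateTargetGroup",
                          "CreateLoadBalancer"
                        ]
                      },
                      "Null": {
                        "aws:RequestTag/elbv2.k8s.aws/cluster": "false"
                      }
                    }
                  },
                  {
                    "Effect": "Allow",
                    "Action": [
                      "elasticloadbalancing:RegisterTargets",
                      "elasticloadbalancing:DeregisterTargets"
                    ],
                    "Resource": "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*"
                  },
                  {
                    "Effect": "Allow",
                    "Action": [
                      "elasticloadbalancing:SetWebAcl",
                      "elasticloadbalancing:ModifyListener",
                      "elasticloadbalancing:AddListenerCertificates",
                      "elasticloadbalancing:RemoveListenerCertificates",
                      "elasticloadbalancing:ModifyRule"
                    ],
                    "Resource": "*"
                  }
                ]
              }
            serviceAccount:
              name: aws-load-balancer-controller
              namespace: kube-system
      patches:
        - type: FromCompositeFieldPath
          fromFieldPath: spec.parameters.deletionPolicy
          toFieldPath: spec.parameters.deletionPolicy
        - type: FromCompositeFieldPath
          fromFieldPath: spec.parameters.id
          toFieldPath: spec.parameters.id
        - type: ToCompositeFieldPath
          fromFieldPath: status.roleArn
          toFieldPath: status.cnoe.AWSLoadbalancerController.IRSARoleArn
          policy:
            fromFieldPath: Optional

    # AWS Load Balancer Controller chart; provisions the NLB that ingress-nginx
    # requests below.
    # NOTE(review): no `chart.version` is pinned, unlike the other Releases in
    # this file (cert-manager, ingress-nginx, external-secrets, crossplane), so
    # every fresh reconcile can pull a different chart. Pin it for
    # reproducibility.
    - name: AWSLoadBalancerControllerChart
      base:
        apiVersion: helm.crossplane.io/v1beta1
        kind: Release
        spec:
          forProvider:
            chart:
              name: aws-load-balancer-controller
              repository: https://aws.github.io/eks-charts
            namespace: kube-system
            values:
              serviceAccount:
                name: aws-load-balancer-controller
      patches:
        - type: FromCompositeFieldPath
          fromFieldPath: spec.parameters.id
          toFieldPath: spec.providerConfigRef.name
        - type: FromCompositeFieldPath
          fromFieldPath: spec.parameters.deletionPolicy
          toFieldPath: spec.deletionPolicy
        - type: FromCompositeFieldPath
          fromFieldPath: status.cnoe.AWSLoadbalancerController.IRSARoleArn
          toFieldPath: spec.forProvider.values.serviceAccount.annotations[eks.amazonaws.com/role-arn]
          policy:
            fromFieldPath: Required
        - type: FromCompositeFieldPath
          fromFieldPath: status.cnoe.eks.clusterName
          toFieldPath: spec.forProvider.values.clusterName
          policy:
            fromFieldPath: Required

    # cert-manager with its CRDs; the ClusterIssuer below depends on it.
    - name: CertManagerChart
      base:
        apiVersion: helm.crossplane.io/v1beta1
        kind: Release
        spec:
          forProvider:
            chart:
              name: cert-manager
              repository: https://charts.jetstack.io
              version: v1.13.2
            namespace: cert-manager
            values:
              global:
                leaderElection:
                  namespace: cert-manager
              installCRDs: true
      patches:
        - type: FromCompositeFieldPath
          fromFieldPath: spec.parameters.id
          toFieldPath: spec.providerConfigRef.name
        - type: FromCompositeFieldPath
          fromFieldPath: spec.parameters.deletionPolicy
          toFieldPath: spec.deletionPolicy

    # Let's Encrypt production issuer using the HTTP-01 challenge through the
    # nginx ingress class. HTTP-01 requires the ingress to be reachable from
    # the internet, which the internet-facing NLB configured on ingress-nginx
    # provides. The referenced ingresses (Argo CD, Backstage, Keycloak) all
    # annotate `cert-manager.io/cluster-issuer: letsencrypt-prod`.
    - name: clusterIssuer
      base:
        apiVersion: kubernetes.crossplane.io/v1alpha1
        kind: Object
        spec:
          forProvider:
            manifest:
              apiVersion: cert-manager.io/v1
              kind: ClusterIssuer
              metadata:
                name: letsencrypt-prod
              spec:
                acme:
                  privateKeySecretRef:
                    name: letsencrypt-prod
                  server: https://acme-v02.api.letsencrypt.org/directory
                  solvers:
                    - http01:
                        ingress:
                          ingressClassName: nginx
      patches:
        - type: FromCompositeFieldPath
          fromFieldPath: spec.parameters.id
          toFieldPath: spec.providerConfigRef.name
        - type: FromCompositeFieldPath
          fromFieldPath: spec.parameters.deletionPolicy
          toFieldPath: spec.deletionPolicy

    # ingress-nginx exposed through an internet-facing NLB (IP targets) managed
    # by the AWS Load Balancer Controller; the NLB is named after the cluster id.
    - name: IngressNginxChart
      base:
        apiVersion: helm.crossplane.io/v1beta1
        kind: Release
        spec:
          forProvider:
            chart:
              name: ingress-nginx
              repository: https://kubernetes.github.io/ingress-nginx
              version: 4.7.0
            namespace: ingress-nginx
            values:
              controller:
                config:
                  # NOTE(review): disables the Strict-Transport-Security header
                  # for every host served by this controller. Intentional for a
                  # reference platform, but worth re-enabling for production.
                  hsts: "false"
                service:
                  annotations:
                    service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip
                    service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
                    service.beta.kubernetes.io/aws-load-balancer-type: external
                  loadBalancerClass: service.k8s.aws/nlb
                  targetPorts:
                    https: https
                  type: LoadBalancer
              fullnameOverride: nginx-ingress
      patches:
        - type: FromCompositeFieldPath
          fromFieldPath: spec.parameters.id
          toFieldPath: spec.providerConfigRef.name
        - type: FromCompositeFieldPath
          fromFieldPath: spec.parameters.deletionPolicy
          toFieldPath: spec.deletionPolicy
        - type: FromCompositeFieldPath
          fromFieldPath: spec.parameters.id
          toFieldPath: spec.forProvider.values.controller.service.annotations[service.beta.kubernetes.io/aws-load-balancer-name]

    # External Secrets Operator with CRDs.
    - name: ExternalSecretChart
      base:
        apiVersion: helm.crossplane.io/v1beta1
        kind: Release
        spec:
          forProvider:
            chart:
              name: external-secrets
              repository: https://charts.external-secrets.io
              version: 0.9.2
            namespace: external-secrets
            values:
              installCRDs: true
      patches:
        - type: FromCompositeFieldPath
          fromFieldPath: spec.parameters.id
          toFieldPath: spec.providerConfigRef.name
        - type: FromCompositeFieldPath
          fromFieldPath: spec.parameters.deletionPolicy
          toFieldPath: spec.deletionPolicy

    # A nested Crossplane installed into the workload cluster itself.
    - name: CrossplaneChart
      base:
        apiVersion: helm.crossplane.io/v1beta1
        kind: Release
        spec:
          forProvider:
            chart:
              name: crossplane
              repository: https://charts.crossplane.io/stable
              version: 1.14.3
            namespace: crossplane-system
      patches:
        - type: FromCompositeFieldPath
          fromFieldPath: spec.parameters.id
          toFieldPath: spec.providerConfigRef.name
        - type: FromCompositeFieldPath
          fromFieldPath: spec.parameters.deletionPolicy
          toFieldPath: spec.deletionPolicy

    # Observe-only view of a pre-existing Route53 hosted zone (identified by
    # spec.parameters.route53zoneId) so its domain name can be reused for every
    # hostname in this composition. Observe + Orphan means the zone is never
    # modified or deleted by Crossplane. The region is nominal: Route53 is
    # global.
    - name: ObserveRoute53Zone
      base:
        apiVersion: route53.aws.upbound.io/v1beta1
        kind: Zone
        spec:
          deletionPolicy: Orphan
          forProvider:
            region: us-east-1
          managementPolicies:
            - Observe
      patches:
        - type: FromCompositeFieldPath
          fromFieldPath: spec.parameters.providerConfigName
          toFieldPath: spec.providerConfigRef.name
        - type: FromCompositeFieldPath
          fromFieldPath: spec.parameters.route53zoneId
          toFieldPath: metadata.annotations[crossplane.io/external-name]
        - type: ToCompositeFieldPath
          fromFieldPath: status.atProvider.name
          toFieldPath: status.cnoe.route53Zone.name
          policy:
            fromFieldPath: Optional

    # Ingress for Argo CD at argocd-<id>.<zone>, TLS issued by letsencrypt-prod,
    # re-encrypting to the argocd-server HTTPS port.
    - name: argocdIngress
      base:
        apiVersion: kubernetes.crossplane.io/v1alpha1
        kind: Object
        spec:
          forProvider:
            manifest:
              apiVersion: networking.k8s.io/v1
              kind: Ingress
              metadata:
                annotations:
                  cert-manager.io/cluster-issuer: letsencrypt-prod
                  nginx.ingress.kubernetes.io/backend-protocol: HTTPS
                name: argocd-server-ingress
                namespace: argocd
              spec:
                ingressClassName: nginx
                rules:
                  - http:
                      paths:
                        - backend:
                            service:
                              name: argocd-server
                              port:
                                name: https
                          path: /
                          pathType: Prefix
                tls:
                  - secretName: argocd-server-tls
      patches:
        - type: FromCompositeFieldPath
          fromFieldPath: spec.parameters.id
          toFieldPath: spec.providerConfigRef.name
        - type: FromCompositeFieldPath
          fromFieldPath: spec.parameters.deletionPolicy
          toFieldPath: spec.deletionPolicy
        - type: CombineFromComposite
          combine:
            variables:
              - fromFieldPath: spec.parameters.id
              - fromFieldPath: status.cnoe.route53Zone.name
            strategy: string
            string:
              fmt: argocd-%s.%s
          toFieldPath: spec.forProvider.manifest.spec.rules[0].host
          policy:
            fromFieldPath: Required
        - type: CombineFromComposite
          combine:
            variables:
              - fromFieldPath: spec.parameters.id
              - fromFieldPath: status.cnoe.route53Zone.name
            strategy: string
            string:
              fmt: argocd-%s.%s
          toFieldPath: spec.forProvider.manifest.spec.tls[0].hosts[0]
          policy:
            fromFieldPath: Required

    # Backstage, with Keycloak OIDC login. The OIDC client secret is injected
    # through `set[0]` from the `<id>-backstage-client` Secret in
    # upbound-system (created by keycloakBackstageClientSecret below).
    # NOTE(review): no `chart.version` pinned (see AWSLoadBalancerControllerChart).
    - name: backstage
      base:
        apiVersion: helm.crossplane.io/v1beta1
        kind: Release
        metadata:
          annotations:
            crossplane.io/external-name: backstage
        spec:
          forProvider:
            chart:
              name: backstage
              repository: https://backstage.github.io/charts
            namespace: backstage
            set:
              - name: backstage.appConfig.auth.providers.keycloak-oidc.development.clientSecret
                valueFrom:
                  secretKeyRef:
                    key: clientSecret
                    namespace: upbound-system
                    optional: false
            values:
              backstage:
                appConfig:
                  app:
                    title: CNOE Backstage
                  auth:
                    environment: development
                    providers:
                      keycloak-oidc:
                        development:
                          clientId: backstage
                          prompt: auto
                          scope: openid profile email groups
                    session:
                      # NOTE(review): a static session-signing secret committed
                      # in the composition and shared by every cluster it
                      # provisions. Rotate it and source it from a Secret
                      # (e.g. via extraEnvVarsSecrets below) rather than from
                      # this file.
                      secret: MW2sV-sIPngEl26vAzatV-6VqfsgAx4bPIz7PuE_2Lk=
                  backend:
                    cors:
                      credentials: true
                      methods:
                        - GET
                        - HEAD
                        - PATCH
                        - POST
                        - PUT
                        - DELETE
                      # NOTE(review): app.baseUrl is patched to
                      # https://backstage-<id>.<zone> below, but the CORS origin
                      # stays at the local dev URL. Confirm this is intended.
                      origin: http://localhost:3000
                    csp:
                      connect-src:
                        - "'self'"
                        - "http:"
                        - "https:"
                    # In-memory SQLite: catalog state is lost on every pod restart.
                    database:
                      client: better-sqlite3
                      connection: ":memory:"
                    listen:
                      port: 7007
                  catalog:
                    import:
                      entityFilename: catalog-info.yaml
                      pullRequestBranchName: backstage-integration
                    locations:
                      - rules:
                          - allow:
                              - Group
                              - User
                        target: https://github.com/backstage/backstage/blob/master/packages/catalog-model/examples/acme/org.yaml
                        type: url
                    rules:
                      - allow:
                          - Component
                          - System
                          - API
                          - Resource
                          - Location
                          - Template
                  kubernetes:
                    clusterLocatorMethods:
                      - type: catalog
                    serviceLocatorMethod:
                      type: multiTenant
                  organization:
                    name: CNOE
                  proxy: null
                  scaffolder: null
                  techdocs:
                    builder: local
                    generator:
                      runIn: docker
                    publisher:
                      type: local
                extraEnvVarsSecrets: []
                image:
                  pullPolicy: IfNotPresent
                  registry: public.ecr.aws
                  repository: cnoe-io/backstage
                  tag: v0.0.2
              ingress:
                annotations:
                  cert-manager.io/cluster-issuer: letsencrypt-prod
                className: nginx
                enabled: true
                tls:
                  enabled: true
                  secretName: backstage-tls
      patches:
        - type: FromCompositeFieldPath
          fromFieldPath: spec.parameters.id
          toFieldPath: spec.providerConfigRef.name
        - type: FromCompositeFieldPath
          fromFieldPath: spec.parameters.deletionPolicy
          toFieldPath: spec.deletionPolicy
        - type: CombineFromComposite
          combine:
            variables:
              - fromFieldPath: spec.parameters.id
              - fromFieldPath: status.cnoe.route53Zone.name
            strategy: string
            string:
              fmt: backstage-%s.%s
          toFieldPath: spec.forProvider.values.ingress.host
          policy:
            fromFieldPath: Required
        - type: CombineFromComposite
          combine:
            variables:
              - fromFieldPath: spec.parameters.id
              - fromFieldPath: status.cnoe.route53Zone.name
            strategy: string
            string:
              fmt: https://backstage-%s.%s
          toFieldPath: spec.forProvider.values.backstage.appConfig.app.baseUrl
          policy:
            fromFieldPath: Required
        - type: CombineFromComposite
          combine:
            variables:
              - fromFieldPath: spec.parameters.id
              - fromFieldPath: status.cnoe.route53Zone.name
            strategy: string
            string:
              fmt: https://backstage-%s.%s
          toFieldPath: spec.forProvider.values.backstage.appConfig.backend.baseUrl
          policy:
            fromFieldPath: Required
        - type: CombineFromComposite
          combine:
            variables:
              - fromFieldPath: spec.parameters.id
              - fromFieldPath: status.cnoe.route53Zone.name
            strategy: string
            string:
              fmt: https://keycloak-%s.%s/realms/master/.well-known/openid-configuration
          toFieldPath: spec.forProvider.values.backstage.appConfig.auth.providers.keycloak-oidc.development.metadataUrl
          policy:
            fromFieldPath: Required
        # `type` was omitted here in the original; Crossplane defaults it to
        # FromCompositeFieldPath, so this is spelled out for consistency with
        # every other patch in the file rather than to change behaviour.
        - type: FromCompositeFieldPath
          fromFieldPath: spec.parameters.id
          toFieldPath: spec.forProvider.set[0].valueFrom.secretKeyRef.name
          transforms:
            - type: string
              string:
                fmt: "%s-backstage-client"

    # Keycloak (Bitnami chart) behind ingress-nginx with TLS terminated at the
    # ingress (`proxy: edge`).
    # NOTE(review): the admin, management and PostgreSQL credentials are
    # static, well-known values committed in this composition, and the admin
    # pair is duplicated verbatim in providerconfigSecretKeycloak below.
    # Changing `auth.adminUser`/`auth.adminPassword` requires changing that
    # Secret in lock-step. Prefer sourcing these from an existing Secret.
    # NOTE(review): no `chart.version` pinned (see AWSLoadBalancerControllerChart).
    - name: keycloak
      base:
        apiVersion: helm.crossplane.io/v1beta1
        kind: Release
        spec:
          forProvider:
            chart:
              name: keycloak
              repository: https://charts.bitnami.com/bitnami
            namespace: keycloak
            values:
              auth:
                adminPassword: admin
                adminUser: admin
                createAdminUser: true
                managementPassword: manager
                managementUser: manager
              ingress:
                annotations:
                  cert-manager.io/cluster-issuer: letsencrypt-prod
                  kubernetes.io/ingress.class: nginx
                enabled: true
                selfSigned: false
                tls: true
              metrics:
                enabled: true
                serviceMonitor:
                  enabled: true
              postgresql:
                auth:
                  password: password
                  postgresPassword: password
                enabled: true
                metrics:
                  enabled: true
                  serviceMonitor:
                    enabled: true
              proxy: edge
              proxyAddressForwarding: true
      patches:
        - type: FromCompositeFieldPath
          fromFieldPath: spec.parameters.id
          toFieldPath: spec.providerConfigRef.name
        - type: FromCompositeFieldPath
          fromFieldPath: spec.parameters.deletionPolicy
          toFieldPath: spec.deletionPolicy
        - type: CombineFromComposite
          combine:
            variables:
              - fromFieldPath: spec.parameters.id
              - fromFieldPath: status.cnoe.route53Zone.name
            strategy: string
            string:
              fmt: keycloak-%s.%s
          toFieldPath: spec.forProvider.values.ingress.hostname
          policy:
            fromFieldPath: Required

    # ProviderConfig for provider-keycloak, named after the cluster id and
    # reading its credentials from the `<id>-keycloak` Secret created next.
    # Readiness is skipped because a ProviderConfig reports no Ready condition.
    - name: providerconfigKeycloak
      base:
        apiVersion: keycloak.crossplane.io/v1beta1
        kind: ProviderConfig
        spec:
          credentials:
            secretRef:
              key: credentials
              namespace: upbound-system
            source: Secret
      patches:
        - type: FromCompositeFieldPath
          fromFieldPath: spec.parameters.id
          toFieldPath: metadata.name
        - type: FromCompositeFieldPath
          fromFieldPath: spec.parameters.id
          toFieldPath: spec.credentials.secretRef.name
          transforms:
            - type: string
              string:
                fmt: "%s-keycloak"
      readinessChecks:
        - type: None

    # Credentials Secret consumed by the Keycloak ProviderConfig: logs in to
    # the master realm through the public `admin-cli` client (hence the empty
    # client_secret) with the admin user/password configured on the keycloak
    # Release above. The two must stay in sync.
    - name: providerconfigSecretKeycloak
      base:
        apiVersion: kubernetes.crossplane.io/v1alpha1
        kind: Object
        spec:
          forProvider:
            manifest:
              apiVersion: v1
              kind: Secret
              metadata:
                namespace: upbound-system
              type: Opaque
      patches:
        - type: FromCompositeFieldPath
          fromFieldPath: spec.parameters.id
          toFieldPath: spec.forProvider.manifest.metadata.name
          transforms:
            - type: string
              string:
                fmt: "%s-keycloak"
        - type: FromCompositeFieldPath
          fromFieldPath: spec.parameters.deletionPolicy
          toFieldPath: spec.deletionPolicy
        - type: CombineFromComposite
          combine:
            variables:
              - fromFieldPath: spec.parameters.id
              - fromFieldPath: status.cnoe.route53Zone.name
            strategy: string
            string:
              fmt: |
                {
                  "client_id": "admin-cli",
                  "client_secret": "",
                  "username": "admin",
                  "password": "admin",
                  "url": "https://keycloak-%s.%s",
                  "realm": "master"
                }
          toFieldPath: spec.forProvider.manifest.stringData.stringData.credentials
          policy:
            fromFieldPath: Required

    # Realm groups whose membership is exposed through the `groups` claim below.
    - name: keycloakGroupArgoCD
      base:
        apiVersion: group.keycloak.crossplane.io/v1alpha1
        kind: Group
        metadata:
          labels:
            type: argocd-admin
        spec:
          forProvider:
            name: argocd-admin
            realmId: master
      patches:
        - type: FromCompositeFieldPath
          fromFieldPath: spec.parameters.deletionPolicy
          toFieldPath: spec.deletionPolicy
        - type: FromCompositeFieldPath
          fromFieldPath: spec.parameters.id
          toFieldPath: spec.providerConfigRef.name
    - name: keycloakGroupBackstage
      base:
        apiVersion: group.keycloak.crossplane.io/v1alpha1
        kind: Group
        metadata:
          labels:
            type: backstage-admin
        spec:
          forProvider:
            name: backstage-admin
            realmId: master
      patches:
        - type: FromCompositeFieldPath
          fromFieldPath: spec.parameters.deletionPolicy
          toFieldPath: spec.deletionPolicy
        - type: FromCompositeFieldPath
          fromFieldPath: spec.parameters.id
          toFieldPath: spec.providerConfigRef.name

    # `groups` client scope; its id is published so the protocol mapper can be
    # attached to it.
    - name: keycloakOpenIdClientScope
      base:
        apiVersion: openidclient.keycloak.crossplane.io/v1alpha1
        kind: ClientScope
        spec:
          forProvider:
            guiOrder: 1
            includeInTokenScope: true
            name: groups
            realmId: master
      patches:
        - type: FromCompositeFieldPath
          fromFieldPath: spec.parameters.id
          toFieldPath: spec.providerConfigRef.name
        - type: FromCompositeFieldPath
          fromFieldPath: spec.parameters.deletionPolicy
          toFieldPath: spec.deletionPolicy
        - type: ToCompositeFieldPath
          fromFieldPath: status.atProvider.id
          toFieldPath: status.cnoe.keycloak.argoCD.clientScopeId
          policy:
            fromFieldPath: Optional

    # Mapper that puts the user's group names (not full paths) into the
    # `groups` claim of tokens carrying the `groups` scope.
    - name: keycloakOpenIdGroupMembershipProtocolMapper
      base:
        apiVersion: openidgroup.keycloak.crossplane.io/v1alpha1
        kind: GroupMembershipProtocolMapper
        spec:
          forProvider:
            claimName: groups
            fullPath: false
            name: groups
            realmId: master
      patches:
        - type: FromCompositeFieldPath
          fromFieldPath: spec.parameters.id
          toFieldPath: spec.providerConfigRef.name
        - type: FromCompositeFieldPath
          fromFieldPath: spec.parameters.deletionPolicy
          toFieldPath: spec.deletionPolicy
        - type: FromCompositeFieldPath
          fromFieldPath: status.cnoe.keycloak.argoCD.clientScopeId
          toFieldPath: spec.forProvider.clientScopeId
          policy:
            fromFieldPath: Required

    # Secret `<id>-argocd-client` holding the OIDC client secret for Argo CD.
    # NOTE(review): the secret value is the composite's metadata.uid, which is
    # not a cryptographically random value, is also written into a label
    # (labels are not confidential) and from there into the composite's status
    # (status.cnoe.keycloak.argoCD.clientSecret). keycloakBackstageClientSecret
    # uses the same UID, so both OIDC clients share one secret. A generated
    # value kept only in Secrets would be the safer design.
    - name: keycloakArgoCDClientSecret
      base:
        apiVersion: kubernetes.crossplane.io/v1alpha1
        kind: Object
        spec:
          forProvider:
            manifest:
              apiVersion: v1
              kind: Secret
              metadata:
                namespace: upbound-system
              type: Opaque
      patches:
        - type: FromCompositeFieldPath
          fromFieldPath: spec.parameters.id
          toFieldPath: spec.forProvider.manifest.metadata.name
          transforms:
            - type: string
              string:
                fmt: "%s-argocd-client"
        - type: FromCompositeFieldPath
          fromFieldPath: spec.parameters.deletionPolicy
          toFieldPath: spec.deletionPolicy
        - type: FromCompositeFieldPath
          fromFieldPath: metadata.uid
          toFieldPath: spec.forProvider.manifest.stringData.clientSecret
        - type: FromCompositeFieldPath
          fromFieldPath: metadata.uid
          toFieldPath: metadata.labels[keycloak.crossplane.io/client-secret]
        - type: ToCompositeFieldPath
          fromFieldPath: metadata.labels[keycloak.crossplane.io/client-secret]
          toFieldPath: status.cnoe.keycloak.argoCD.clientSecret
          policy:
            fromFieldPath: Optional

    # Confidential OIDC client for Argo CD. Redirect URIs are bound to the
    # argocd-<id>.<zone> host (wildcard path). `directAccessGrantsEnabled`
    # turns on the password grant for this client — confirm it is needed,
    # since browser SSO only requires the standard flow.
    - name: keycloakArgoCDOpenIdClient
      base:
        apiVersion: openidclient.keycloak.crossplane.io/v1alpha1
        kind: Client
        spec:
          forProvider:
            accessType: CONFIDENTIAL
            baseUrl: /applications
            clientId: argocd
            clientSecretSecretRef:
              key: clientSecret
              namespace: upbound-system
            directAccessGrantsEnabled: true
            enabled: true
            name: argocd
            realmId: master
            standardFlowEnabled: true
      patches:
        - type: FromCompositeFieldPath
          fromFieldPath: spec.parameters.id
          toFieldPath: spec.providerConfigRef.name
        - type: FromCompositeFieldPath
          fromFieldPath: spec.parameters.deletionPolicy
          toFieldPath: spec.deletionPolicy
        - type: FromCompositeFieldPath
          fromFieldPath: spec.parameters.id
          toFieldPath: spec.forProvider.clientSecretSecretRef.name
          transforms:
            - type: string
              string:
                fmt: "%s-argocd-client"
        - type: ToCompositeFieldPath
          fromFieldPath: status.atProvider.id
          toFieldPath: status.cnoe.keycloak.clientId
          policy:
            fromFieldPath: Optional
        - type: CombineFromComposite
          combine:
            variables:
              - fromFieldPath: spec.parameters.id
              - fromFieldPath: status.cnoe.route53Zone.name
            strategy: string
            string:
              fmt: https://argocd-%s.%s/*
          toFieldPath: spec.forProvider.validRedirectUris[0]
          policy:
            fromFieldPath: Required
        - type: CombineFromComposite
          combine:
            variables:
              - fromFieldPath: spec.parameters.id
              - fromFieldPath: status.cnoe.route53Zone.name
            strategy: string
            string:
              fmt: https://argocd-%s.%s
          toFieldPath: spec.forProvider.webOrigins[0]
          policy:
            fromFieldPath: Required
        - type: CombineFromComposite
          combine:
            variables:
              - fromFieldPath: spec.parameters.id
              - fromFieldPath: status.cnoe.route53Zone.name
            strategy: string
            string:
              fmt: https://argocd-%s.%s
          toFieldPath: spec.forProvider.validPostLogoutRedirectUris[0]
          policy:
            fromFieldPath: Required
        - type: CombineFromComposite
          combine:
            variables:
              - fromFieldPath: spec.parameters.id
              - fromFieldPath: status.cnoe.route53Zone.name
            strategy: string
            string:
              fmt: https://argocd-%s.%s
          toFieldPath: spec.forProvider.rootUrl
          policy:
            fromFieldPath: Required
        - type: CombineFromComposite
          combine:
            variables:
              - fromFieldPath: spec.parameters.id
              - fromFieldPath: status.cnoe.route53Zone.name
            strategy: string
            string:
              fmt: https://argocd-%s.%s
          toFieldPath: spec.forProvider.adminUrl
          policy:
            fromFieldPath: Required

    # Default scopes for the Argo CD client; `groups` is what Argo CD's RBAC
    # consumes.
    - name: keycloakArgoCDOpenIdClientDefaultScopes
      base:
        apiVersion: openidclient.keycloak.crossplane.io/v1alpha1
        kind: ClientDefaultScopes
        spec:
          forProvider:
            defaultScopes:
              - profile
              - email
              - roles
              - web-origins
              - groups
            realmId: master
      patches:
        - type: FromCompositeFieldPath
          fromFieldPath: spec.parameters.id
          toFieldPath: spec.providerConfigRef.name
        - type: FromCompositeFieldPath
          fromFieldPath: spec.parameters.deletionPolicy
          toFieldPath: spec.deletionPolicy
        - type: FromCompositeFieldPath
          fromFieldPath: status.cnoe.keycloak.clientId
          toFieldPath: spec.forProvider.clientId
          policy:
            fromFieldPath: Required

    # Secret `<id>-backstage-client` holding the OIDC client secret for
    # Backstage; read both by the Keycloak Client below and by the backstage
    # Release's `set[0]`. Same metadata.uid caveat as keycloakArgoCDClientSecret.
    - name: keycloakBackstageClientSecret
      base:
        apiVersion: kubernetes.crossplane.io/v1alpha1
        kind: Object
        spec:
          forProvider:
            manifest:
              apiVersion: v1
              kind: Secret
              metadata:
                namespace: upbound-system
              type: Opaque
      patches:
        - type: FromCompositeFieldPath
          fromFieldPath: spec.parameters.id
          toFieldPath: spec.forProvider.manifest.metadata.name
          transforms:
            - type: string
              string:
                fmt: "%s-backstage-client"
        - type: FromCompositeFieldPath
          fromFieldPath: spec.parameters.deletionPolicy
          toFieldPath: spec.deletionPolicy
        - type: FromCompositeFieldPath
          fromFieldPath: metadata.uid
          toFieldPath: spec.forProvider.manifest.stringData.clientSecret

    # Confidential OIDC client for Backstage; the single redirect URI is the
    # backstage-<id>.<zone> auth handler frame. Same note on
    # `directAccessGrantsEnabled` as for the Argo CD client.
    - name: keycloakBackstageOpenIdClient
      base:
        apiVersion: openidclient.keycloak.crossplane.io/v1alpha1
        kind: Client
        spec:
          forProvider:
            accessType: CONFIDENTIAL
            baseUrl: /applications
            clientId: backstage
            clientSecretSecretRef:
              key: clientSecret
              namespace: upbound-system
            directAccessGrantsEnabled: true
            enabled: true
            name: backstage
            realmId: master
            standardFlowEnabled: true
            webOrigins:
              - /*
      patches:
        - type: FromCompositeFieldPath
          fromFieldPath: spec.parameters.id
          toFieldPath: spec.providerConfigRef.name
        - type: FromCompositeFieldPath
          fromFieldPath: spec.parameters.deletionPolicy
          toFieldPath: spec.deletionPolicy
        - type: FromCompositeFieldPath
          fromFieldPath: spec.parameters.id
          toFieldPath: spec.forProvider.clientSecretSecretRef.name
          transforms:
            - type: string
              string:
                fmt: "%s-backstage-client"
        - type: ToCompositeFieldPath
          fromFieldPath: status.atProvider.id
          toFieldPath: status.cnoe.keycloak.backstage.clientId
          policy:
            fromFieldPath: Optional
        - type: CombineFromComposite
          combine:
            variables:
              - fromFieldPath: spec.parameters.id
              - fromFieldPath: status.cnoe.route53Zone.name
            strategy: string
            string:
              fmt: https://backstage-%s.%s/api/auth/keycloak-oidc/handler/frame
          toFieldPath: spec.forProvider.validRedirectUris[0]
          policy:
            fromFieldPath: Required

    # Default scopes for the Backstage client.
    - name: keycloakBackstageOpenIdClientDefaultScopes
      base:
        apiVersion: openidclient.keycloak.crossplane.io/v1alpha1
        kind: ClientDefaultScopes
        spec:
          forProvider:
            defaultScopes:
              - profile
              - email
              - roles
              - web-origins
              - groups
            realmId: master
      patches:
        - type: FromCompositeFieldPath
          fromFieldPath: spec.parameters.id
          toFieldPath: spec.providerConfigRef.name
        - type: FromCompositeFieldPath
          fromFieldPath: spec.parameters.deletionPolicy
          toFieldPath: spec.deletionPolicy
        - type: FromCompositeFieldPath
          fromFieldPath: status.cnoe.keycloak.backstage.clientId
          toFieldPath: spec.forProvider.clientId
          policy:
            fromFieldPath: Required
  # Connection secrets of composed resources land here on the control plane.
  writeConnectionSecretsToNamespace: upbound-system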