Provide alternative XEKS composition with function-kcl #65

merged 17 commits into from
May 2, 2024
5 changes: 4 additions & 1 deletion Makefile
Expand Up @@ -63,17 +63,20 @@ build.init: $(UP)
# - To ensure the proper functioning of the end-to-end test resource pre-deletion hook, it is crucial to arrange your resources appropriately.
# You can check the basic implementation here: https://github.com/upbound/uptest/blob/main/internal/templates/01-delete.yaml.tmpl.
# - UPTEST_DATASOURCE_PATH (optional), see https://github.com/upbound/uptest#injecting-dynamic-values-and-datasource
SKIP_DELETE ?=
uptest: $(UPTEST) $(KUBECTL) $(KUTTL)
@$(INFO) running automated tests
@KUBECTL=$(KUBECTL) KUTTL=$(KUTTL) CROSSPLANE_NAMESPACE=$(CROSSPLANE_NAMESPACE) $(UPTEST) e2e examples/network-xr.yaml,examples/eks-xr.yaml --data-source="${UPTEST_DATASOURCE_PATH}" --setup-script=test/setup.sh --default-timeout=2400 || $(FAIL)
@KUBECTL=$(KUBECTL) KUTTL=$(KUTTL) CROSSPLANE_NAMESPACE=$(CROSSPLANE_NAMESPACE) $(UPTEST) e2e examples/network-xr.yaml,examples/network-xr-kcl.yaml,examples/eks-xr.yaml,examples/eks-xr-kcl.yaml --data-source="${UPTEST_DATASOURCE_PATH}" --setup-script=test/setup.sh --default-timeout=2400 $(SKIP_DELETE) || $(FAIL)
@$(OK) running automated tests

# This target requires the following environment variables to be set:
# - UPTEST_CLOUD_CREDENTIALS, cloud credentials for the provider being tested, e.g. export UPTEST_CLOUD_CREDENTIALS=$(cat ~/.aws/credentials)
# Use `make e2e SKIP_DELETE=--skip-delete` to skip deletion of resources created during the test.
e2e: build controlplane.up local.xpkg.deploy.configuration.$(PROJECT_NAME) uptest

render:
crossplane beta render examples/eks-xr.yaml apis/composition.yaml examples/functions.yaml -r
crossplane beta render examples/eks-xr.yaml apis/composition-kcl.yaml examples/functions.yaml -r

yamllint:
@$(INFO) running yamllint
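Review bot: `SKIP_DELETE` is consumed by the `uptest` target but only documented on `e2e`, and its value is spliced unquoted into the uptest command line without validation, so a stray value such as `SKIP_DELETE=foo` is passed through as an extra positional argument instead of being rejected. Skipping deletion also leaves a live EKS cluster, node group and IAM roles in the test account after the run, which the comment should say since those resources accrue cost and remain reachable. I would add `# - SKIP_DELETE (optional), set to --skip-delete to keep the EKS cluster, node group and IAM roles after the run; delete them yourself afterwards` to the comment block above `uptest`, and pass only the accepted flag with `$(filter --skip-delete,$(SKIP_DELETE))` in place of the bare `$(SKIP_DELETE)` on the uptest line.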
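--- /dev/null
+++ b/apis/composition-kcl.yaml
@@ -0,0 +1,362 @@
+apiVersion: apiextensions.crossplane.io/v1
+kind: Composition
+metadata:
+name: kcl.xeks.aws.platform.upbound.io
+labels:
+provider: aws
+function: kcl
+spec:
+writeConnectionSecretsToNamespace: upbound-system
+compositeTypeRef:
+apiVersion: aws.platform.upbound.io/v1alpha1
+kind: XEKS
+mode: Pipeline
+pipeline:
+- step: kcl
+functionRef:
+name: crossplane-contrib-function-kcl
+input:
+apiVersion: krm.kcl.dev/v1alpha1
+kind: KCLRun
+spec:
+source: |
+xrName = option("params")?.oxr?.metadata.name
+providerConfigName = option("params")?.oxr?.spec.parameters.providerConfigName or "default"
+deletionPolicy = option("params")?.oxr?.spec.parameters.deletionPolicy or "Delete"
+region = option("params")?.oxr?.spec.parameters.region or ""
+id = option("params")?.oxr?.spec.parameters.id or ""
+
+role = {
+apiVersion = "iam.aws.upbound.io/v1beta1"
+kind = "Role"
+metadata.name = xrName + "-iam-role"
+metadata.labels = {
+"role" = "controlplane"
+}
+spec.providerConfigRef.name = providerConfigName
+spec.deletionPolicy = deletionPolicy
+spec.forProvider.assumeRolePolicy = """{
+"Version": "2012-10-17",
+"Statement": [
+{
+"Effect": "Allow",
+"Principal": {
+"Service": [
+"eks.amazonaws.com"
+]
+},
+"Action": [
+"sts:AssumeRole"
+]
+}
+]
+}
+"""
+}
+
+clusterRolePolicyAttachment = {
+apiVersion = "iam.aws.upbound.io/v1beta1"
+kind = "RolePolicyAttachment"
+metadata.name = xrName + "-cluster-role-policy-attachment"
+spec.providerConfigRef.name = providerConfigName
+spec.deletionPolicy = deletionPolicy
+spec.forProvider = {
+policyArn = "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"
+roleSelector = {
+matchControllerRef = True
+matchLabels = {
+"role" = "controlplane"
+}
+}
+}
+}
+
+kubernetesVersion = option("params")?.oxr?.spec.parameters.version or ""
+kubernetesCluster = {
+apiVersion = "eks.aws.upbound.io/v1beta1"
+kind = "Cluster"
+metadata.name = xrName + "-kubernetes-cluster"
+spec.providerConfigRef.name = providerConfigName
+spec.deletionPolicy = deletionPolicy
+spec.forProvider = {
+region = region
+version = kubernetesVersion
+roleArnSelector = {
+matchControllerRef = True
+matchLabels = {
+"role" = "controlplane"
+}
+}
+vpcConfig = [
+{
+endpointPrivateAccess = True
+subnetIdSelector.matchLabels = {
+"access" = "public"
+"networks.aws.platform.upbound.io/network-id" = id
+}
+}
+]
+}
+}
+
+clusterSecurityGroupId = option("params")?.ocds?[kubernetesCluster.metadata.name]?.Resource?.status?.atProvider?.vpcConfig?[0]?.clusterSecurityGroupId or False
+if clusterSecurityGroupId:
+clusterSecurityGroupImport = {
+apiVersion = "ec2.aws.upbound.io/v1beta1"
+kind = "SecurityGroup"
+metadata.name = clusterSecurityGroupId
+spec.providerConfigRef.name = providerConfigName
+spec.deletionPolicy = deletionPolicy
+spec.forProvider = {
+region = region
+tags = {
+"eks.aws.platform.upbound.io/discovery" = id
+}
+}
+}
+
+uid = option("params")?.oxr?.metadata.uid or ""
+connectionSecretNamespace = option("params")?.oxr?.spec.writeConnectionSecretToRef.namespace or "upbound-system"
+kubernetesClusterAuth = {
+apiVersion = "eks.aws.upbound.io/v1beta1"
+kind = "ClusterAuth"
+metadata.name = xrName + "cluster-auth"
+spec.providerConfigRef.name = providerConfigName
+spec.deletionPolicy = deletionPolicy
+spec.forProvider = {
+region = region
+clusterNameSelector.matchControllerRef = True
+}
+spec.writeConnectionSecretToRef = {
+name = "{}-ekscluster".format(uid)
+namespace = connectionSecretNamespace
+}
+}
+
+nodegroupRole = {
+apiVersion = "iam.aws.upbound.io/v1beta1"
+kind = "Role"
+metadata.name = xrName + "-nodegroup-role"
+metadata.labels = {
+"role" = "nodegroup"
+}
+spec.providerConfigRef.name = providerConfigName
+spec.deletionPolicy = deletionPolicy
+spec.forProvider.assumeRolePolicy = """{
+"Version": "2012-10-17",
+"Statement": [
+{
+"Effect": "Allow",
+"Principal": {
+"Service": [
+"ec2.amazonaws.com"
+]
+},
+"Action": [
+"sts:AssumeRole"
+]
+}
+]
+}
+"""
+}
+
+nodeGroupRolePolicies = [
+"arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy",
+"arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy",
+"arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy",
+"arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",
+]
+
+nodeGroupRolePolicyAttachments = [{
+apiVersion = "iam.aws.upbound.io/v1beta1"
+kind = "RolePolicyAttachment"
+metadata.name = xrName + "-nodegroup-rpa-{}".format(i)
+spec.providerConfigRef.name = providerConfigName
+spec.deletionPolicy = deletionPolicy
+spec.forProvider = {
+policyArn = p
+roleSelector = {
+matchControllerRef = True
+matchLabels = {
+"role" = "nodegroup"
+}
+}
+}
+} for i, p in nodeGroupRolePolicies]
+
+
+nodeCount = option("params")?.oxr?.spec.parameters.nodes.count or ""
+instanceType = option("params")?.oxr?.spec.parameters.nodes.instanceType or ""
+nodeGroupPublic = {
+apiVersion = "eks.aws.upbound.io/v1beta1"
+kind = "NodeGroup"
+metadata.name = xrName + "-nodegroup-public"
+spec.providerConfigRef.name = providerConfigName
+spec.deletionPolicy = deletionPolicy
+spec.forProvider = {
+region = region
+clusterNameSelector.matchControllerRef = True
+nodeRoleArnSelector = {
+matchControllerRef = True
+matchLabels = {
+"role" = "nodegroup"
+}
+}
+scalingConfig = [{
+desiredSize = nodeCount
+maxSize = 100
+minSize = 1
+}]
+instanceTypes = [instanceType]
+subnetIdSelector.matchLabels = {
+"networks.aws.platform.upbound.io/network-id" = id
+"access" = "public"
+}
+}
+}
+
+nodeGroupStatus = option("params")?.ocds?[nodeGroupPublic.metadata.name]?.Resource?.status?.atProvider?.status or ""
+if nodeGroupStatus == "ACTIVE":
+eksAddonNames = ["aws-ebs-csi-driver", "vpc-cni"]
+_eksAddons = [{
+apiVersion = "eks.aws.upbound.io/v1beta1"
+kind = "Addon"
+metadata.name = xrName + "-addon-" + a
+spec.providerConfigRef.name = providerConfigName
+spec.deletionPolicy = deletionPolicy
+spec.forProvider = {
+region = region
+addonName = a
+clusterNameSelector.matchControllerRef = True
+}
+} for a in eksAddonNames]
+else:
+_eksAddons = []
+
+eksOidcIssuer = option("params")?.ocds?[kubernetesCluster.metadata.name]?.Resource?.status?.atProvider?.identity?[0]?.oidc?[0]?.issuer or ""
+if len(eksOidcIssuer) > 0:
+oidcProvider = {
+apiVersion = "iam.aws.upbound.io/v1beta1"
+kind = "OpenIDConnectProvider"
+metadata.name = xrName + "-oidc-provider"
+spec.providerConfigRef.name = providerConfigName
+spec.deletionPolicy = deletionPolicy
+spec.forProvider = {
+clientIdList = ["sts.amazonaws.com"]
+thumbprintList = ["9e99a48a9960b14926bb7f3b02e22da2b0ab7280"]
+url = eksOidcIssuer
+}
+}
+
+providerConfigTypes = ["helm", "kubernetes"]
+providerConfigs = [{
+apiVersion = "{}.crossplane.io/v1alpha1".format(t)
+kind = "ProviderConfig"
+metadata.name = id
+metadata.annotations = {
+"krm.kcl.dev/ready": "True"
+"krm.kcl.dev/composition-resource-name" = "providerConfig-" + t
+}
+spec.credentials = {
+secretRef = {
+name = "{}-ekscluster".format(uid)
+namespace = connectionSecretNamespace
+key = "kubeconfig"
+}
+source = "Secret"
+}
+} for t in providerConfigTypes]
+
+oidcArn = option("params")?.ocds?[kubernetesCluster.metadata.name]?.Resource?.status?.atProvider?.arn or ""
+oidcHost = eksOidcIssuer.strip("https://") or ""
+irsaSettings = {
+apiVersion = "kubernetes.crossplane.io/v1alpha2"
+kind = "Object"
+metadata.name = id + "-irsa-settings"
+spec.providerConfigRef.name = id
+spec.deletionPolicy = "Orphan"
+spec.forProvider = {
+manifest: {
+apiVersion = "v1"
+kind = "ConfigMap"
+metadata.namespace = "default"
+metadata.name = "{}-irsa-settings".format(id)
+data = {
+oidc_arn = oidcArn
+oidc_host = oidcHost
+}
+}
+}
+}
+
+nodeGroupRoleArn = option("params")?.ocds?[nodegroupRole.metadata.name]?.Resource?.status?.atProvider?.arn or ""
+autoscalerArn = option("params")?.oxr?.spec.parameters.iam.autoscalerArn or ""
+adminRoleArn = option("params")?.oxr?.spec.parameters.iam.roleArn or ""
+adminUser = option("params")?.oxr?.spec.parameters.iam.userArn or ""
+awsAuth = {
+apiVersion = "kubernetes.crossplane.io/v1alpha2"
+kind = "Object"
+metadata.name = id + "-aws-auth"
+spec.providerConfigRef.name = id
+spec.deletionPolicy = "Orphan"
+spec.forProvider = {
+manifest: {
+apiVersion = "v1"
+kind = "ConfigMap"
+metadata.namespace = "kube-system"
+metadata.name = "aws-auth"
+data = {
+mapRoles = """\
+- groups:
+- system:bootstrappers
+- system:nodes
+rolearn: ${nodeGroupRoleArn}
+username: system:node:{{EC2PrivateDNSName}}
+- groups:
+- system:bootstrappers
+- system:nodes
+rolearn: ${autoscalerArn}
+username: system:node:{{EC2PrivateDNSName}}
+- groups:
+- system:masters
+rolearn: ${adminRoleArn}
+username: adminrole"""
+mapUsers = """\
+- groups:
+- system:masters
+userarn: ${adminUser}
+username: adminuser"""
+}
+}
+}
+}
+
+connectionDetails = {
+apiVersion: "meta.krm.kcl.dev/v1alpha1"
+kind: "CompositeConnectionDetails"
+if kubernetesClusterAuth.metadata.name in option("params").ocds:
+data: {
+kubeconfig = option("params")?.ocds[kubernetesClusterAuth.metadata.name].ConnectionDetails.kubeconfig
+}
+else:
+data: {}
+}
+
+items = [
+role
+clusterRolePolicyAttachment
+kubernetesCluster
+clusterSecurityGroupImport
+kubernetesClusterAuth
+nodegroupRole
+nodeGroupPublic
+oidcProvider
+irsaSettings
+awsAuth
+connectionDetails
+] + nodeGroupRolePolicyAttachments + _eksAddons + providerConfigs
+
+- step: automatically-detect-ready-composed-resources
+functionRef:
+name: crossplane-contrib-function-auto-ready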
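Review bot: In the `awsAuth` block, `adminRoleArn`, `adminUser` and `autoscalerArn` all default to `""` and are interpolated into `mapRoles`/`mapUsers` unconditionally, so an XR that omits `spec.parameters.iam` still ships a `system:masters` entry whose `rolearn`/`userarn` is empty; these entries should only be emitted when the value is set, and `nodeGroupRoleArn` is likewise empty until the role has reconciled. `oidcHost = eksOidcIssuer.strip("https://")` removes any leading or trailing character from the set `h t p s : /` rather than the prefix, which happens to work for the current `oidc.eks.…` issuers but silently mangles a host that begins or ends with one of those characters; `removeprefix("https://")` states the intent, if the function-kcl runtime in use supports it. `endpointPrivateAccess = True` is set without `endpointPublicAccess` or `publicAccessCidrs`, so unless the provider default differs the API server remains publicly reachable, and the hard-coded OIDC `thumbprintList` pins trust to a single CA fingerprint; both deserve a comment stating that this is intended for these clusters and where the fingerprint comes from. Building the aws-auth entries as lists (with `import yaml` at the top of the source block) keeps the empty-ARN case out of the ConfigMap:

```kcl
# … unchanged: nodeGroupRoleArn / autoscalerArn / adminRoleArn / adminUser lookups …
_nodeEntries = [{
    groups = ["system:bootstrappers", "system:nodes"]
    rolearn = arn
    username = "system:node:{{EC2PrivateDNSName}}"
} for arn in [nodeGroupRoleArn, autoscalerArn] if arn]
_adminRoleEntries = [{
    groups = ["system:masters"]
    rolearn = adminRoleArn
    username = "adminrole"
}] if adminRoleArn else []
_adminUserEntries = [{
    groups = ["system:masters"]
    userarn = adminUser
    username = "adminuser"
}] if adminUser else []
awsAuth = {
    # … unchanged: apiVersion / kind / metadata / providerConfigRef / deletionPolicy …
    spec.forProvider = {
        manifest: {
            # … unchanged: ConfigMap apiVersion / kind / metadata …
            data = {
                mapRoles = yaml.encode(_nodeEntries + _adminRoleEntries)
                mapUsers = yaml.encode(_adminUserEntries)
            }
        }
    }
}
```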
1 change: 1 addition & 0 deletions apis/composition.yaml
Expand Up @@ -4,6 +4,7 @@ metadata:
name: xeks.aws.platform.upbound.io
labels:
provider: aws
function: patch-and-transform
spec:
writeConnectionSecretsToNamespace: upbound-system
compositeTypeRef: