
Commit 234d1c2

Merge pull request #65 from ytsarev/try-kcl
Provide alternative XEKS composition with function-kcl
2 parents fa59456 + d3906d7 commit 234d1c2


8 files changed

+422
-2
lines changed


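--- a/Makefile
+++ b/Makefile
@@ -63,17 +63,20 @@ build.init: $(UP)
 # - To ensure the proper functioning of the end-to-end test resource pre-deletion hook, it is crucial to arrange your resources appropriately.
 # You can check the basic implementation here: https://github.com/upbound/uptest/blob/main/internal/templates/01-delete.yaml.tmpl.
 # - UPTEST_DATASOURCE_PATH (optional), see https://github.com/upbound/uptest#injecting-dynamic-values-and-datasource
+SKIP_DELETE ?=
 uptest: $(UPTEST) $(KUBECTL) $(KUTTL)
 @$(INFO) running automated tests
-@KUBECTL=$(KUBECTL) KUTTL=$(KUTTL) CROSSPLANE_NAMESPACE=$(CROSSPLANE_NAMESPACE) $(UPTEST) e2e examples/network-xr.yaml,examples/eks-xr.yaml --data-source="${UPTEST_DATASOURCE_PATH}" --setup-script=test/setup.sh --default-timeout=2400 || $(FAIL)
+@KUBECTL=$(KUBECTL) KUTTL=$(KUTTL) CROSSPLANE_NAMESPACE=$(CROSSPLANE_NAMESPACE) $(UPTEST) e2e examples/network-xr.yaml,examples/network-xr-kcl.yaml,examples/eks-xr.yaml,examples/eks-xr-kcl.yaml --data-source="${UPTEST_DATASOURCE_PATH}" --setup-script=test/setup.sh --default-timeout=2400 $(SKIP_DELETE) || $(FAIL)
 @$(OK) running automated tests
 
 # This target requires the following environment variables to be set:
 # - UPTEST_CLOUD_CREDENTIALS, cloud credentials for the provider being tested, e.g. export UPTEST_CLOUD_CREDENTIALS=$(cat ~/.aws/credentials)
+# Use `make e2e SKIP_DELETE=--skip-delete` to skip deletion of resources created during the test.
 e2e: build controlplane.up local.xpkg.deploy.configuration.$(PROJECT_NAME) uptest
 
 render:
 crossplane beta render examples/eks-xr.yaml apis/composition.yaml examples/functions.yaml -r
+crossplane beta render examples/eks-xr.yaml apis/composition-kcl.yaml examples/functions.yaml -r
 
 yamllint:
 @$(INFO) running yamllint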
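Review bot: `SKIP_DELETE ?=` (new line 66) is spliced unquoted and unvalidated into the uptest command line on line 69, and its only documentation (the comment on line 74) sits above the `e2e` target rather than beside the variable or the `uptest` target that actually consumes it. Move the comment next to the definition and constrain the value, e.g. `# Set to --skip-delete to keep the clusters and IAM roles uptest creates; they keep running (and billing) until removed by hand.` above `SKIP_DELETE ?=`, plus a guard `$(if $(filter-out --skip-delete,$(SKIP_DELETE)),$(error SKIP_DELETE must be empty or --skip-delete))` so a typo cannot silently change the uptest invocation. The second `crossplane beta render` added to `render` (line 79) only runs if the first succeeds, which is fine for a dev helper but deserves a `## Render both the patch-and-transform and the KCL composition` comment on the target. Recipe-line tabs are not visible on this rendered page, so confirm the new lines 69 and 79 keep their leading tab.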

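--- a/apis/composition-kcl.yaml
+++ b/apis/composition-kcl.yaml
@@ -0,0 +1,362 @@
+apiVersion: apiextensions.crossplane.io/v1
+kind: Composition
+metadata:
+name: kcl.xeks.aws.platform.upbound.io
+labels:
+provider: aws
+function: kcl
+spec:
+writeConnectionSecretsToNamespace: upbound-system
+compositeTypeRef:
+apiVersion: aws.platform.upbound.io/v1alpha1
+kind: XEKS
+mode: Pipeline
+pipeline:
+- step: kcl
+functionRef:
+name: crossplane-contrib-function-kcl
+input:
+apiVersion: krm.kcl.dev/v1alpha1
+kind: KCLRun
+spec:
+source: |
+xrName = option("params")?.oxr?.metadata.name
+providerConfigName = option("params")?.oxr?.spec.parameters.providerConfigName or "default"
+deletionPolicy = option("params")?.oxr?.spec.parameters.deletionPolicy or "Delete"
+region = option("params")?.oxr?.spec.parameters.region or ""
+id = option("params")?.oxr?.spec.parameters.id or ""
+
+role = {
+apiVersion = "iam.aws.upbound.io/v1beta1"
+kind = "Role"
+metadata.name = xrName + "-iam-role"
+metadata.labels = {
+"role" = "controlplane"
+}
+spec.providerConfigRef.name = providerConfigName
+spec.deletionPolicy = deletionPolicy
+spec.forProvider.assumeRolePolicy = """{
+"Version": "2012-10-17",
+"Statement": [
+{
+"Effect": "Allow",
+"Principal": {
+"Service": [
+"eks.amazonaws.com"
+]
+},
+"Action": [
+"sts:AssumeRole"
+]
+}
+]
+}
+"""
+}
+
+clusterRolePolicyAttachment = {
+apiVersion = "iam.aws.upbound.io/v1beta1"
+kind = "RolePolicyAttachment"
+metadata.name = xrName + "-cluster-role-policy-attachment"
+spec.providerConfigRef.name = providerConfigName
+spec.deletionPolicy = deletionPolicy
+spec.forProvider = {
+policyArn = "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"
+roleSelector = {
+matchControllerRef = True
+matchLabels = {
+"role" = "controlplane"
+}
+}
+}
+}
+
+kubernetesVersion = option("params")?.oxr?.spec.parameters.version or ""
+kubernetesCluster = {
+apiVersion = "eks.aws.upbound.io/v1beta1"
+kind = "Cluster"
+metadata.name = xrName + "-kubernetes-cluster"
+spec.providerConfigRef.name = providerConfigName
+spec.deletionPolicy = deletionPolicy
+spec.forProvider = {
+region = region
+version = kubernetesVersion
+roleArnSelector = {
+matchControllerRef = True
+matchLabels = {
+"role" = "controlplane"
+}
+}
+vpcConfig = [
+{
+endpointPrivateAccess = True
+subnetIdSelector.matchLabels = {
+"access" = "public"
+"networks.aws.platform.upbound.io/network-id" = id
+}
+}
+]
+}
+}
+
+clusterSecurityGroupId = option("params")?.ocds?[kubernetesCluster.metadata.name]?.Resource?.status?.atProvider?.vpcConfig?[0]?.clusterSecurityGroupId or False
+if clusterSecurityGroupId:
+clusterSecurityGroupImport = {
+apiVersion = "ec2.aws.upbound.io/v1beta1"
+kind = "SecurityGroup"
+metadata.name = clusterSecurityGroupId
+spec.providerConfigRef.name = providerConfigName
+spec.deletionPolicy = deletionPolicy
+spec.forProvider = {
+region = region
+tags = {
+"eks.aws.platform.upbound.io/discovery" = id
+}
+}
+}
+
+uid = option("params")?.oxr?.metadata.uid or ""
+connectionSecretNamespace = option("params")?.oxr?.spec.writeConnectionSecretToRef.namespace or "upbound-system"
+kubernetesClusterAuth = {
+apiVersion = "eks.aws.upbound.io/v1beta1"
+kind = "ClusterAuth"
+metadata.name = xrName + "cluster-auth"
+spec.providerConfigRef.name = providerConfigName
+spec.deletionPolicy = deletionPolicy
+spec.forProvider = {
+region = region
+clusterNameSelector.matchControllerRef = True
+}
+spec.writeConnectionSecretToRef = {
+name = "{}-ekscluster".format(uid)
+namespace = connectionSecretNamespace
+}
+}
+
+nodegroupRole = {
+apiVersion = "iam.aws.upbound.io/v1beta1"
+kind = "Role"
+metadata.name = xrName + "-nodegroup-role"
+metadata.labels = {
+"role" = "nodegroup"
+}
+spec.providerConfigRef.name = providerConfigName
+spec.deletionPolicy = deletionPolicy
+spec.forProvider.assumeRolePolicy = """{
+"Version": "2012-10-17",
+"Statement": [
+{
+"Effect": "Allow",
+"Principal": {
+"Service": [
+"ec2.amazonaws.com"
+]
+},
+"Action": [
+"sts:AssumeRole"
+]
+}
+]
+}
+"""
+}
+
+nodeGroupRolePolicies = [
+"arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy",
+"arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy",
+"arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy",
+"arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",
+]
+
+nodeGroupRolePolicyAttachments = [{
+apiVersion = "iam.aws.upbound.io/v1beta1"
+kind = "RolePolicyAttachment"
+metadata.name = xrName + "-nodegroup-rpa-{}".format(i)
+spec.providerConfigRef.name = providerConfigName
+spec.deletionPolicy = deletionPolicy
+spec.forProvider = {
+policyArn = p
+roleSelector = {
+matchControllerRef = True
+matchLabels = {
+"role" = "nodegroup"
+}
+}
+}
+} for i, p in nodeGroupRolePolicies]
+
+
+nodeCount = option("params")?.oxr?.spec.parameters.nodes.count or ""
+instanceType = option("params")?.oxr?.spec.parameters.nodes.instanceType or ""
+nodeGroupPublic = {
+apiVersion = "eks.aws.upbound.io/v1beta1"
+kind = "NodeGroup"
+metadata.name = xrName + "-nodegroup-public"
+spec.providerConfigRef.name = providerConfigName
+spec.deletionPolicy = deletionPolicy
+spec.forProvider = {
+region = region
+clusterNameSelector.matchControllerRef = True
+nodeRoleArnSelector = {
+matchControllerRef = True
+matchLabels = {
+"role" = "nodegroup"
+}
+}
+scalingConfig = [{
+desiredSize = nodeCount
+maxSize = 100
+minSize = 1
+}]
+instanceTypes = [instanceType]
+subnetIdSelector.matchLabels = {
+"networks.aws.platform.upbound.io/network-id" = id
+"access" = "public"
+}
+}
+}
+
+nodeGroupStatus = option("params")?.ocds?[nodeGroupPublic.metadata.name]?.Resource?.status?.atProvider?.status or ""
+if nodeGroupStatus == "ACTIVE":
+eksAddonNames = ["aws-ebs-csi-driver", "vpc-cni"]
+_eksAddons = [{
+apiVersion = "eks.aws.upbound.io/v1beta1"
+kind = "Addon"
+metadata.name = xrName + "-addon-" + a
+spec.providerConfigRef.name = providerConfigName
+spec.deletionPolicy = deletionPolicy
+spec.forProvider = {
+region = region
+addonName = a
+clusterNameSelector.matchControllerRef = True
+}
+} for a in eksAddonNames]
+else:
+_eksAddons = []
+
+eksOidcIssuer = option("params")?.ocds?[kubernetesCluster.metadata.name]?.Resource?.status?.atProvider?.identity?[0]?.oidc?[0]?.issuer or ""
+if len(eksOidcIssuer) > 0:
+oidcProvider = {
+apiVersion = "iam.aws.upbound.io/v1beta1"
+kind = "OpenIDConnectProvider"
+metadata.name = xrName + "-oidc-provider"
+spec.providerConfigRef.name = providerConfigName
+spec.deletionPolicy = deletionPolicy
+spec.forProvider = {
+clientIdList = ["sts.amazonaws.com"]
+thumbprintList = ["9e99a48a9960b14926bb7f3b02e22da2b0ab7280"]
+url = eksOidcIssuer
+}
+}
+
+providerConfigTypes = ["helm", "kubernetes"]
+providerConfigs = [{
+apiVersion = "{}.crossplane.io/v1alpha1".format(t)
+kind = "ProviderConfig"
+metadata.name = id
+metadata.annotations = {
+"krm.kcl.dev/ready": "True"
+"krm.kcl.dev/composition-resource-name" = "providerConfig-" + t
+}
+spec.credentials = {
+secretRef = {
+name = "{}-ekscluster".format(uid)
+namespace = connectionSecretNamespace
+key = "kubeconfig"
+}
+source = "Secret"
+}
+} for t in providerConfigTypes]
+
+oidcArn = option("params")?.ocds?[kubernetesCluster.metadata.name]?.Resource?.status?.atProvider?.arn or ""
+oidcHost = eksOidcIssuer.strip("https://") or ""
+irsaSettings = {
+apiVersion = "kubernetes.crossplane.io/v1alpha2"
+kind = "Object"
+metadata.name = id + "-irsa-settings"
+spec.providerConfigRef.name = id
+spec.deletionPolicy = "Orphan"
+spec.forProvider = {
+manifest: {
+apiVersion = "v1"
+kind = "ConfigMap"
+metadata.namespace = "default"
+metadata.name = "{}-irsa-settings".format(id)
+data = {
+oidc_arn = oidcArn
+oidc_host = oidcHost
+}
+}
+}
+}
+
+nodeGroupRoleArn = option("params")?.ocds?[nodegroupRole.metadata.name]?.Resource?.status?.atProvider?.arn or ""
+autoscalerArn = option("params")?.oxr?.spec.parameters.iam.autoscalerArn or ""
+adminRoleArn = option("params")?.oxr?.spec.parameters.iam.roleArn or ""
+adminUser = option("params")?.oxr?.spec.parameters.iam.userArn or ""
+awsAuth = {
+apiVersion = "kubernetes.crossplane.io/v1alpha2"
+kind = "Object"
+metadata.name = id + "-aws-auth"
+spec.providerConfigRef.name = id
+spec.deletionPolicy = "Orphan"
+spec.forProvider = {
+manifest: {
+apiVersion = "v1"
+kind = "ConfigMap"
+metadata.namespace = "kube-system"
+metadata.name = "aws-auth"
+data = {
+mapRoles = """\
+- groups:
+- system:bootstrappers
+- system:nodes
+rolearn: ${nodeGroupRoleArn}
+username: system:node:{{EC2PrivateDNSName}}
+- groups:
+- system:bootstrappers
+- system:nodes
+rolearn: ${autoscalerArn}
+username: system:node:{{EC2PrivateDNSName}}
+- groups:
+- system:masters
+rolearn: ${adminRoleArn}
+username: adminrole"""
+mapUsers = """\
+- groups:
+- system:masters
+userarn: ${adminUser}
+username: adminuser"""
+}
+}
+}
+}
+
+connectionDetails = {
+apiVersion: "meta.krm.kcl.dev/v1alpha1"
+kind: "CompositeConnectionDetails"
+if kubernetesClusterAuth.metadata.name in option("params").ocds:
+data: {
+kubeconfig = option("params")?.ocds[kubernetesClusterAuth.metadata.name].ConnectionDetails.kubeconfig
+}
+else:
+data: {}
+}
+
+items = [
+role
+clusterRolePolicyAttachment
+kubernetesCluster
+clusterSecurityGroupImport
+kubernetesClusterAuth
+nodegroupRole
+nodeGroupPublic
+oidcProvider
+irsaSettings
+awsAuth
+connectionDetails
+] + nodeGroupRolePolicyAttachments + _eksAddons + providerConfigs
+
+- step: automatically-detect-ready-composed-resources
+functionRef:
+name: crossplane-contrib-function-auto-ready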
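Review bot: The `aws-auth` ConfigMap built at new-file lines 297–333 renders `rolearn: ${adminRoleArn}` and `userarn: ${adminUser}` into the `system:masters` entries even when those XR parameters are unset, because lines 294–296 default them to `""`; the mapRoles/mapUsers entries should be emitted only when the corresponding ARN is non-empty instead of writing an empty-ARN mapping into the cluster-admin group of an object that is also `deletionPolicy = "Orphan"` and so survives the XR. `oidcHost = eksOidcIssuer.strip("https://") or ""` (line 272) strips any run of those eight characters from both ends rather than removing the scheme prefix, so an issuer ending in one of them would be truncated; a prefix-aware form such as `oidcHost = eksOidcIssuer[len("https://"):] if eksOidcIssuer.startswith("https://") else eksOidcIssuer` avoids that. The hard-coded `thumbprintList` entry at line 247 needs a comment naming which CA certificate it was derived from and that it must be refreshed if the issuer's chain changes, because a stale thumbprint silently breaks IRSA. `metadata.name = xrName + "cluster-auth"` (line 123) lacks the `-` separator every other composed resource uses; fix it now as `xrName + "-cluster-auth"`, since the name is also the `ocds` key read at lines 338–340 and renaming after deployment replaces the resource.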

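--- a/apis/composition.yaml
+++ b/apis/composition.yaml
@@ -4,6 +4,7 @@ metadata:
 name: xeks.aws.platform.upbound.io
 labels:
 provider: aws
+function: patch-and-transform
 spec:
 writeConnectionSecretsToNamespace: upbound-system
 compositeTypeRef: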
