From 88447c42e03d82467f0e64f01e401a48ecb9b986 Mon Sep 17 00:00:00 2001
From: David Landry
Date: Sat, 1 Mar 2025 12:17:43 -0500
Subject: [PATCH] feat: add crossplane with AWS integration
---
 bootstrap/crossplane.yaml | 35 ++++
 bootstrap/crossplane/helm-values.yaml | 214 +++++++++++++++++++++
 bootstrap/crossplane/kustomization.yaml | 17 ++
 bootstrap/crossplane/ns.yaml | 7 +
 bootstrap/crossplane/providerconfig.yaml | 15 ++
 bootstrap/crossplane/secret-generator.yaml | 14 ++
 bootstrap/crossplane/secret.aws.enc.yaml | 28 +++
 7 files changed, 330 insertions(+)
 create mode 100644 bootstrap/crossplane.yaml
 create mode 100644 bootstrap/crossplane/helm-values.yaml
 create mode 100644 bootstrap/crossplane/kustomization.yaml
 create mode 100644 bootstrap/crossplane/ns.yaml
 create mode 100644 bootstrap/crossplane/providerconfig.yaml
 create mode 100644 bootstrap/crossplane/secret-generator.yaml
 create mode 100644 bootstrap/crossplane/secret.aws.enc.yaml
diff --git a/bootstrap/crossplane.yaml b/bootstrap/crossplane.yaml
new file mode 100644
index 0000000..868dc44
--- /dev/null
+++ b/bootstrap/crossplane.yaml
@@ -0,0 +1,35 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ creationTimestamp: null
+ name: crossplane
+ namespace: argocd
+spec:
+ destination:
+ namespace: argocd
+ server: https://kubernetes.default.svc
+ ignoreDifferences:
+ - group: argoproj.io
+ jsonPointers:
+ - /status
+ kind: Application
+ project: default
+ source:
+ path: bootstrap/crossplane
+ repoURL: ssh://git@gitea-ssh.gitops.svc.cluster.local:2222/davad/argo.git
+ syncPolicy:
+ automated:
+ allowEmpty: true
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - allowEmpty=true
+status:
+ health: {}
+ summary: {}
+ sync:
+ comparedTo:
+ destination: {}
+ source:
+ repoURL: ""
+ status: ""
diff --git a/bootstrap/crossplane/helm-values.yaml b/bootstrap/crossplane/helm-values.yaml
new file mode 100644
index 0000000..fc1f679
--- /dev/null
+++ b/bootstrap/crossplane/helm-values.yaml
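Review bot: `allowEmpty: true` under `syncPolicy.automated`, combined with `prune: true` and `selfHeal: true`, means a commit that leaves `bootstrap/crossplane` rendering to nothing will have Argo CD prune the Namespace, the ProviderConfig and the `aws-secret` Secret with no operator confirmation. Unless an empty render is genuinely expected, drop `allowEmpty: true` so Argo CD refuses to prune everything; the `- allowEmpty=true` entry under `syncOptions` restates the same intent and I do not recognise it as a documented sync option, so it is likely dead configuration. The `status:` stanza and `creationTimestamp: null` are server-populated fields that an exported manifest leaves behind; trimming them keeps the file to what the operator actually intends.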
@@ -0,0 +1,214 @@
+# helm-docs renders these comments into markdown. Use markdown formatting where
+# appropiate.
+#
+# -- The number of Crossplane pod `replicas` to deploy.
+replicas: 1
+
+# -- The number of Crossplane ReplicaSets to retain.
+revisionHistoryLimit: null
+
+# -- The deployment strategy for the Crossplane and RBAC Manager pods.
+deploymentStrategy: RollingUpdate
+
+image:
+ # -- Repository for the Crossplane pod image.
+ repository: xpkg.upbound.io/crossplane/crossplane
+ # -- The Crossplane image tag. Defaults to the value of `appVersion` in `Chart.yaml`.
+ tag: ""
+ # -- The image pull policy used for Crossplane and RBAC Manager pods.
+ pullPolicy: IfNotPresent
+
+# -- Add `nodeSelectors` to the Crossplane pod deployment.
+nodeSelector: {}
+# -- Add `tolerations` to the Crossplane pod deployment.
+tolerations: []
+# -- Add `affinities` to the Crossplane pod deployment.
+affinity: {}
+# -- Add `topologySpreadConstraints` to the Crossplane pod deployment.
+topologySpreadConstraints: []
+
+# -- Enable `hostNetwork` for the Crossplane deployment. Caution: enabling `hostNetwork` grants the Crossplane Pod access to the host network namespace. Consider setting `dnsPolicy` to `ClusterFirstWithHostNet`.
+hostNetwork: false
+
+# -- Specify the `dnsPolicy` to be used by the Crossplane pod.
+dnsPolicy: ""
+
+# -- Add custom `labels` to the Crossplane pod deployment.
+customLabels: {}
+
+# -- Add custom `annotations` to the Crossplane pod deployment.
+customAnnotations: {}
+
+serviceAccount:
+ # -- Specifies whether Crossplane ServiceAccount should be created
+ create: true
+ # -- Provide the name of an already created Crossplane ServiceAccount. Required when `serviceAccount.create` is `false`
+ name: ""
+ # -- Add custom `annotations` to the Crossplane ServiceAccount.
+ customAnnotations: {}
+
+# -- Enable [leader election](https://docs.crossplane.io/latest/concepts/pods/#leader-election) for the Crossplane pod.
+leaderElection: true
+# -- Add custom arguments to the Crossplane pod.
+args: []
+
+provider:
+ # -- A list of Provider packages to install.
+ packages:
+ # - ghcr.io/crossplane-contrib/provider-aws-iam:v1.20.1
+ - ghcr.io/crossplane-contrib/provider-aws-route53:v1.20.1
+ - ghcr.io/crossplane-contrib/provider-aws-s3:v1.20.1
+
+configuration:
+ # -- A list of Configuration packages to install.
+ packages: []
+
+function:
+ # -- A list of Function packages to install
+ packages: []
+
+# -- The imagePullSecret names to add to the Crossplane ServiceAccount.
+imagePullSecrets: []
+
+registryCaBundleConfig:
+ # -- The ConfigMap name containing a custom CA bundle to enable fetching packages from registries with unknown or untrusted certificates.
+ name: ""
+ # -- The ConfigMap key containing a custom CA bundle to enable fetching packages from registries with unknown or untrusted certificates.
+ key: ""
+
+service:
+ # -- Configure annotations on the service object. Only enabled when webhooks.enabled = true
+ customAnnotations: {}
+
+webhooks:
+ # -- Enable webhooks for Crossplane and installed Provider packages.
+ enabled: true
+ # -- The port the webhook server listens on.
+ port: ""
+
+rbacManager:
+ # -- Deploy the RBAC Manager pod and its required roles.
+ deploy: true
+ # -- Don't install aggregated Crossplane ClusterRoles.
+ skipAggregatedClusterRoles: false
+ # -- The number of RBAC Manager pod `replicas` to deploy.
+ replicas: 1
+ # -- The number of RBAC Manager ReplicaSets to retain.
+ revisionHistoryLimit: null
+ # -- Enable [leader election](https://docs.crossplane.io/latest/concepts/pods/#leader-election) for the RBAC Manager pod.
+ leaderElection: true
+ # -- Add custom arguments to the RBAC Manager pod.
+ args: []
+ # -- Add `nodeSelectors` to the RBAC Manager pod deployment.
+ nodeSelector: {}
+ # -- Add `tolerations` to the RBAC Manager pod deployment.
+ tolerations: []
+ # -- Add `affinities` to the RBAC Manager pod deployment.
+ affinity: {}
+ # -- Add `topologySpreadConstraints` to the RBAC Manager pod deployment.
+ topologySpreadConstraints: []
+
+packageManager:
+ # -- Enable automatic dependency version downgrades. This configuration is only used when `--enable-dependency-version-upgrades` flag is passed.
+ enableAutomaticDependencyDowngrade: false
+
+# -- The PriorityClass name to apply to the Crossplane and RBAC Manager pods.
+priorityClassName: ""
+
+resourcesCrossplane:
+ limits:
+ # -- CPU resource limits for the Crossplane pod.
+ cpu: 500m
+ # -- Memory resource limits for the Crossplane pod.
+ memory: 1024Mi
+ requests:
+ # -- CPU resource requests for the Crossplane pod.
+ cpu: 100m
+ # -- Memory resource requests for the Crossplane pod.
+ memory: 256Mi
+
+securityContextCrossplane:
+ # -- The user ID used by the Crossplane pod.
+ runAsUser: 65532
+ # -- The group ID used by the Crossplane pod.
+ runAsGroup: 65532
+ # -- Enable `allowPrivilegeEscalation` for the Crossplane pod.
+ allowPrivilegeEscalation: false
+ # -- Set the Crossplane pod root file system as read-only.
+ readOnlyRootFilesystem: true
+
+packageCache:
+ # -- Set to `Memory` to hold the package cache in a RAM backed file system. Useful for Crossplane development.
+ medium: ""
+ # -- The size limit for the package cache. If medium is `Memory` the `sizeLimit` can't exceed Node memory.
+ sizeLimit: 20Mi
+ # -- The name of a PersistentVolumeClaim to use as the package cache. Disables the default package cache `emptyDir` Volume.
+ pvc: ""
+ # -- The name of a ConfigMap to use as the package cache. Disables the default package cache `emptyDir` Volume.
+ configMap: ""
+
+resourcesRBACManager:
+ limits:
+ # -- CPU resource limits for the RBAC Manager pod.
+ cpu: 100m
+ # -- Memory resource limits for the RBAC Manager pod.
+ memory: 512Mi
+ requests:
+ # -- CPU resource requests for the RBAC Manager pod.
+ cpu: 100m
+ # -- Memory resource requests for the RBAC Manager pod.
+ memory: 256Mi
+
+securityContextRBACManager:
+ # -- The user ID used by the RBAC Manager pod.
+ runAsUser: 65532
+ # -- The group ID used by the RBAC Manager pod.
+ runAsGroup: 65532
+ # -- Enable `allowPrivilegeEscalation` for the RBAC Manager pod.
+ allowPrivilegeEscalation: false
+ # -- Set the RBAC Manager pod root file system as read-only.
+ readOnlyRootFilesystem: true
+
+metrics:
+ # -- Enable Prometheus path, port and scrape annotations and expose port 8080 for both the Crossplane and RBAC Manager pods.
+ enabled: false
+ # -- The port the metrics server listens on.
+ port: ""
+
+readiness:
+ # -- The port the readyz server listens on.
+ port: ""
+
+# -- Add custom environmental variables to the Crossplane pod deployment.
+# Replaces any `.` in a variable name with `_`. For example, `SAMPLE.KEY=value1` becomes `SAMPLE_KEY=value1`.
+extraEnvVarsCrossplane: {}
+
+# -- Add custom environmental variables to the RBAC Manager pod deployment.
+# Replaces any `.` in a variable name with `_`. For example, `SAMPLE.KEY=value1` becomes `SAMPLE_KEY=value1`.
+extraEnvVarsRBACManager: {}
+
+# -- Add a custom `securityContext` to the Crossplane pod.
+podSecurityContextCrossplane: {}
+
+# -- Add a custom `securityContext` to the RBAC Manager pod.
+podSecurityContextRBACManager: {}
+
+# -- Add custom `volumes` to the Crossplane pod.
+extraVolumesCrossplane: {}
+
+# -- Add custom `volumeMounts` to the Crossplane pod.
+extraVolumeMountsCrossplane: {}
+
+# -- To add arbitrary Kubernetes Objects during a Helm Install
+extraObjects: []
+ # - apiVersion: pkg.crossplane.io/v1alpha1
+ # kind: ControllerConfig
+ # metadata:
+ # name: aws-config
+ # annotations:
+ # eks.amazonaws.com/role-arn: arn:aws:iam::123456789101:role/example
+ # helm.sh/hook: post-install
+ # spec:
+ # podSecurityContext:
+ # fsGroup: 2000
+
diff --git a/bootstrap/crossplane/kustomization.yaml b/bootstrap/crossplane/kustomization.yaml
new file mode 100644
index 0000000..7bb9678
--- /dev/null
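Review bot: helm-values.yaml restates the chart's entire default values file, while the only deliberate change visible in the hunk is `provider.packages` (route53 and s3 at v1.20.1); with every default copied, a chart bump past the pinned 1.19.0 keeps stale values for anything upstream later tightens (the `securityContext*` and resource defaults, for example), and a reviewer cannot tell intent from copy. Trimming the file to the overridden keys — `provider:` / `packages:` / the two package lines — makes the diff itself the configuration. The provider packages are referenced by mutable tag; as far as I know Crossplane accepts digest references in the package string, and pinning by digest gives the package manager an immutable reference, which is worth considering for a controller that holds cloud credentials.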
+++ b/bootstrap/crossplane/kustomization.yaml
@@ -0,0 +1,17 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+helmCharts:
+ - name: crossplane
+ repo: https://charts.crossplane.io/stable
+ version: 1.19.0
+ namespace: crossplane-system
+ releaseName: crossplane
+ valuesFile: helm-values.yaml
+
+resources:
+ - ns.yaml
+ - providerconfig.yaml
+
+generators:
+ - secret-generator.yaml
diff --git a/bootstrap/crossplane/ns.yaml b/bootstrap/crossplane/ns.yaml
new file mode 100644
index 0000000..12cfd26
--- /dev/null
+++ b/bootstrap/crossplane/ns.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: crossplane-system
+ labels:
+ name: crossplane-system
+
diff --git a/bootstrap/crossplane/providerconfig.yaml b/bootstrap/crossplane/providerconfig.yaml
new file mode 100644
index 0000000..1f7d8af
--- /dev/null
+++ b/bootstrap/crossplane/providerconfig.yaml
@@ -0,0 +1,15 @@
+apiVersion: aws.upbound.io/v1beta1
+kind: ProviderConfig
+metadata:
+ name: default
+spec:
+ credentials:
+ source: Secret
+ secretRef:
+ namespace: crossplane-system
+ name: aws-secret
+ key: creds
+
+ assumeRole:
+ roleARN: "arn:aws:iam::000654387266:role/crossplane"
+
diff --git a/bootstrap/crossplane/secret-generator.yaml b/bootstrap/crossplane/secret-generator.yaml
new file mode 100644
index 0000000..a677408
--- /dev/null
+++ b/bootstrap/crossplane/secret-generator.yaml
@@ -0,0 +1,14 @@
+apiVersion: viaduct.ai/v1
+kind: ksops
+metadata:
+ # Specify a name
+ name: crossplane-secrets
+ annotations:
+ config.kubernetes.io/function: |
+ exec:
+ # if the binary is in your PATH, you can do
+ path: ksops
+ # otherwise, path should be relative to manifest files, like
+ # path: ../../../ksops
+files:
+ - ./secret.aws.enc.yaml
diff --git a/bootstrap/crossplane/secret.aws.enc.yaml b/bootstrap/crossplane/secret.aws.enc.yaml
new file mode 100644
index 0000000..53e949a
--- /dev/null
+++ b/bootstrap/crossplane/secret.aws.enc.yaml
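Review bot: The `helmCharts` inflation and the `generators` entry in kustomization.yaml both depend on non-default kustomize flags on the Argo CD repo-server (`--enable-helm` for the chart, `--enable-alpha-plugins --enable-exec` for the ksops exec function), and nothing in this commit sets `kustomize.buildOptions` or ships the `ksops` binary; if that is configured elsewhere, a one-line comment above `helmCharts:` pointing at where would save the next reader a failed sync. `version: 1.19.0` happens to parse as a string, but quoting it (`version: "1.19.0"`) keeps it from being retyped if the value is ever shortened to two components.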
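Review bot: In ns.yaml the `name: crossplane-system` label duplicates the `kubernetes.io/metadata.name` label the API server sets on every namespace, so it adds nothing a selector cannot already use. Since the chart values in this commit already run Crossplane and the RBAC manager as UID 65532 with a read-only root filesystem and no privilege escalation, this namespace is a good place to add a Pod Security Admission label, e.g. `pod-security.kubernetes.io/enforce: baseline` (or `restricted` once the provider pods have been checked against it), so a future package cannot quietly relax those settings.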
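Review bot: providerconfig.yaml is synced in the same Application as the Provider packages that install its CRD, so the first sync will fail on an unknown `ProviderConfig.aws.upbound.io` kind until the provider is healthy; annotating it with `argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true` and an `argocd.argoproj.io/sync-wave` later than the chart resources lets Argo CD converge instead of erroring, and the same applies to any managed resources added later. The credential chain is a static key in `aws-secret` used only to assume `role/crossplane`; keeping that key's own IAM policy limited to `sts:AssumeRole` on that role, and saying so in a comment next to `assumeRole:`, makes the secret worth no more than the role it reaches. I cannot tell from the diff whether a short-lived identity source was available instead of `source: Secret`; a note on why a static key was chosen would help the next reviewer.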
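Review bot: The `# Specify a name`, `# if the binary is in your PATH, you can do` and `# otherwise, path should be relative to manifest files, like` comments in secret-generator.yaml are the ksops README scaffold rather than anything about this repo. Replacing them with one comment that states the real requirement, e.g. `# decrypted by the Argo CD repo-server: needs ksops on PATH and the age identity for the recipient in secret.aws.enc.yaml (SOPS_AGE_KEY_FILE)`, documents what an operator actually has to provision, since neither is visible in this commit.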
@@ -0,0 +1,28 @@
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+ name: aws-secret
+ namespace: crossplane-system
+data:
+ creds: ENC[AES256_GCM,data:/O+OEz7rayPa7zoDbmU8fIrhfQDmDjGpwGZ6TC0+xabwYURlsGRKzPL55vAB2eOhO1yfTCGLFEEm9GMI9niukOqf4O3c31bYXSY4roFna1fpv/fCDimyAQ77vGlYOgKw9agw0xEsqzBvbZdXqTCCVbRbVkWG6zLPkVYEEW12mS0rP3IaavIT+bO/oZSW9IDfA45/RcSXdhxnBe4GWYYYXs0tvLs=,iv:VbBQ1fMe7+wNyTQXTi4yjSBxDMu+EJnuzsNwFOteUso=,tag:pmSkRDxRxcf66miw9w7ypg==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1y26vr5qt6th3wu92rnsgkqcpxxah3pqkqa4khcjjycm3kg40aqyqjgfzx9
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvaFZEY2NwZVJOLzRrUEtx
+ andUa2NBQkhlVE5Xd3hmclBkV1Jadkc1RGtjCjVsSWdMSjlNYWNPWmdxZUN2VWVx
+ eXI5OWtGb0kvRENkNW0xVWZCUEVhdmsKLS0tIG1YUkdUSFBSN3BnRHZYbCtoUTJu
+ WE04a1llSndObHBEUFVkZldNZ1VPdkkK+BqNrTGwJL7+694cU6hIzh8rBSF2iIKf
+ btmDLQdRpRglPN4eMKMR/rb00uMF5RHKm8YycTCHfzSOx6ZAEsFQ+w==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2025-03-01T17:13:29Z"
+ mac: ENC[AES256_GCM,data:5+iGPT8W9I0GJ3ZEwkVtBDm9EbrYEXQCGwijR5GJUU6HETSS7hvZ7SwEXZmBQ/BGKpPG7nLbggUl4oE8VVD5JeUfMnHs1MzL6RabSRuHZXd3UfrYE7bGxwb0kmosa5/2uvYBz/IR7T1Y6mCG0LY8+CMGw02VdKcyTsvvmex9bmc=,iv:NYB6gLjawUUeV7u0eaScD2eVgPedPpc2bB5KuWR7cxQ=,tag:SKINL/5pZiq3o/qywbuE8Q==,type:str]
+ pgp: []
+ encrypted_regex: ^(data|stringData)$
+ version: 3.9.2
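Review bot: secret.aws.enc.yaml is encrypted to a single age recipient (`age1y26vr…`), so the identity the repo-server holds for decryption is also the only way to ever recover or re-encrypt `data.creds`; adding a second, offline-held recipient (`sops --add-age … updatekeys`) gives a recovery path and lets the repo-server key be rotated without re-issuing the AWS credential. `encrypted_regex: ^(data|stringData)$` is the right scope, since metadata has to stay readable for kustomize. What the commit leaves unaddressed is that `creds` is a long-lived static AWS key with no rotation note; a comment recording the procedure (rotate in IAM, `sops -e`, commit) next to the file, and confirming etcd encryption at rest is on since the decrypted Secret lands there at sync time, would close the loop.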