diff --git a/docs/add-ons/crossplane.md b/docs/add-ons/crossplane.md
index f7180fff37..91e1b43c1c 100644
--- a/docs/add-ons/crossplane.md
+++ b/docs/add-ons/crossplane.md
@@ -43,6 +43,7 @@ This module provides options to deploy the following AWS providers for Crossplan
 - [AWS Provider](https://github.com/crossplane/provider-aws)
 - [Terrajet AWS Provider](https://github.com/crossplane-contrib/provider-jet-aws)
+ - [Kubernetes Provider](https://github.com/crossplane-contrib/provider-kubernetes)
 _NOTE: Crossplane requires Admin like permissions to create and update resources similar to Terraform deploy role. This example config uses AdministratorAccess, but you should select a policy with the minimum permissions required to provision your resources._
@@ -67,4 +68,15 @@ crossplane_jet_aws_provider = {
 }
 ```
+_NOTE: Crossplane requires cluster-admin permissions to create and update Kubernetes resources._
+
+Config to deploy [Kubernetes provider](https://github.com/crossplane-contrib/provider-kubernetes)
+```hcl
+# Creates ProviderConfig -> kubernetes-provider
+crossplane_kubernetes_provider = {
+ enable = true
+ provider_kubernetes_version = "v0.4.1" # Get the latest version from https://github.com/crossplane-contrib/provider-jet-aws
+}
+```
+
 Checkout the full [example](https://github.com/aws-ia/terraform-aws-eks-blueprints/blob/main/examples/crossplane) to deploy Crossplane with `kubernetes-addons` module
diff --git a/examples/crossplane/main.tf b/examples/crossplane/main.tf
index 269964cd81..f6bd7edfac 100644
--- a/examples/crossplane/main.tf
+++ b/examples/crossplane/main.tf
@@ -97,6 +97,13 @@ module "eks_blueprints_kubernetes_addons" {
 additional_irsa_policies = ["arn:aws:iam::aws:policy/AmazonS3FullAccess"]
 }
+ # Creates ProviderConfig -> kbuernetes-provider
+ crossplane_kubernetes_provider = {
+ # NOTE: Crossplane requires cluster-admin permissions to create and update resources.
+ enable = true
+ provider_kubernetes_version = "v0.4.1"
+ }
+
 # Enable configmap reloader
 enable_reloader = true
diff --git a/modules/kubernetes-addons/README.md b/modules/kubernetes-addons/README.md
index 27476d06f6..fa6a4c6e52 100644
--- a/modules/kubernetes-addons/README.md
+++ b/modules/kubernetes-addons/README.md
@@ -158,6 +158,7 @@ | [crossplane\_aws\_provider](#input\_crossplane\_aws\_provider) | AWS Provider config for Crossplane |
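Review bot: The comment on the first added line misspells the provider name, `# Creates ProviderConfig -> kbuernetes-provider`; it should read `# Creates ProviderConfig -> kubernetes-provider`, matching the service account name the module creates. The docs snippet in docs/add-ons/crossplane.md in this same commit has a related copy-paste slip: the version hint next to `provider_kubernetes_version` links to provider-jet-aws rather than provider-kubernetes. The enclosing `module "eks_blueprints_kubernetes_addons"` block starts before and continues after this hunk.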
object({|
enable = bool
provider_aws_version = string
additional_irsa_policies = list(string)
})
{| no | | [crossplane\_helm\_config](#input\_crossplane\_helm\_config) | Crossplane Helm Chart config | `any` | `null` | no | | [crossplane\_jet\_aws\_provider](#input\_crossplane\_jet\_aws\_provider) | AWS Provider Jet AWS config for Crossplane |
"additional_irsa_policies": [],
"enable": false,
"provider_aws_version": "v0.24.1"
}
object({|
enable = bool
provider_aws_version = string
additional_irsa_policies = list(string)
})
{| no | +| [crossplane\_kubernetes\_provider](#input\_crossplane\_kubernetes\_provider) | Kubernetes Provider config for Crossplane |
"additional_irsa_policies": [],
"enable": false,
"provider_aws_version": "v0.24.1"
}
object({|
enable = bool
provider_kubernetes_version = string
})
{| no | | [csi\_secrets\_store\_provider\_aws\_helm\_config](#input\_csi\_secrets\_store\_provider\_aws\_helm\_config) | CSI Secrets Store Provider AWS Helm Configurations | `any` | `null` | no | | [custom\_image\_registry\_uri](#input\_custom\_image\_registry\_uri) | Custom image registry URI map of `{region = dkr.endpoint }` | `map(string)` | `{}` | no | | [data\_plane\_wait\_arn](#input\_data\_plane\_wait\_arn) | Addon deployment will not proceed until this value is known. Set to node group/Fargate profile ARN to wait for data plane to be ready before provisioning addons | `string` | `""` | no | diff --git a/modules/kubernetes-addons/crossplane/README.md b/modules/kubernetes-addons/crossplane/README.md index 86be4d63fd..761b7c2bf1 100644 --- a/modules/kubernetes-addons/crossplane/README.md +++ b/modules/kubernetes-addons/crossplane/README.md 
@@ -64,7 +64,12 @@ Refer to [docs](../../../docs/add-ons/crossplane.md) on how to deploy AWS Provid | [kubectl_manifest.jet_aws_controller_config](https://registry.terraform.io/providers/gavinbunney/kubectl/latest/docs/resources/manifest) | resource | | [kubectl_manifest.jet_aws_provider](https://registry.terraform.io/providers/gavinbunney/kubectl/latest/docs/resources/manifest) | resource | | [kubectl_manifest.jet_aws_provider_config](https://registry.terraform.io/providers/gavinbunney/kubectl/latest/docs/resources/manifest) | resource | +| [kubectl_manifest.kubernetes_controller_clusterolebinding](https://registry.terraform.io/providers/gavinbunney/kubectl/latest/docs/resources/manifest) | resource | +| [kubectl_manifest.kubernetes_controller_config](https://registry.terraform.io/providers/gavinbunney/kubectl/latest/docs/resources/manifest) | resource | +| [kubectl_manifest.kubernetes_provider](https://registry.terraform.io/providers/gavinbunney/kubectl/latest/docs/resources/manifest) | resource | +| [kubectl_manifest.kubernetes_provider_config](https://registry.terraform.io/providers/gavinbunney/kubectl/latest/docs/resources/manifest) | resource | | [kubernetes_namespace_v1.crossplane](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace_v1) | resource | +| [kubernetes_service_account_v1.kubernetes_controller](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/service_account_v1) | resource | | [time_sleep.wait_30_seconds](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource | | [aws_iam_policy_document.s3_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | @@ -78,6 +83,7 @@ Refer to [docs](../../../docs/add-ons/crossplane.md) on how to deploy AWS Provid | [aws\_provider](#input\_aws\_provider) | AWS Provider config for Crossplane |
"enable": false,
"provider_kubernetes_version": "v0.4.1"
}
object({| n/a | yes | | [helm\_config](#input\_helm\_config) | Helm provider config for the Argo Rollouts | `any` | `{}` | no | | [jet\_aws\_provider](#input\_jet\_aws\_provider) | AWS Provider Jet AWS config for Crossplane |
enable = bool
provider_aws_version = string
additional_irsa_policies = list(string)
})
object({| n/a | yes | +| [kubernetes\_provider](#input\_kubernetes\_provider) | Kubernetes Provider config for Crossplane |
enable = bool
provider_aws_version = string
additional_irsa_policies = list(string)
})
object({| n/a | yes | ## Outputs
diff --git a/modules/kubernetes-addons/crossplane/kubernetes-provider/kubernetes-controller-clusterrolebinding.yaml b/modules/kubernetes-addons/crossplane/kubernetes-provider/kubernetes-controller-clusterrolebinding.yaml
new file mode 100644
index 0000000000..d0f4f1e506
--- /dev/null
+++ b/modules/kubernetes-addons/crossplane/kubernetes-provider/kubernetes-controller-clusterrolebinding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: ${kubernetes-serviceaccount-name}
+subjects:
+ - kind: ServiceAccount
+ name: ${kubernetes-serviceaccount-name}
+ namespace: ${namespace}
+roleRef:
+ kind: ClusterRole
+ name: cluster-admin
+ apiGroup: rbac.authorization.k8s.io
diff --git a/modules/kubernetes-addons/crossplane/kubernetes-provider/kubernetes-controller-config.yaml b/modules/kubernetes-addons/crossplane/kubernetes-provider/kubernetes-controller-config.yaml
new file mode 100644
index 0000000000..898ecfe5e6
--- /dev/null
+++ b/modules/kubernetes-addons/crossplane/kubernetes-provider/kubernetes-controller-config.yaml
@@ -0,0 +1,6 @@
+apiVersion: pkg.crossplane.io/v1alpha1
+kind: ControllerConfig
+metadata:
+ name: kubernetes-controller-config
+spec:
+ serviceAccountName: ${kubernetes-serviceaccount-name}
diff --git a/modules/kubernetes-addons/crossplane/kubernetes-provider/kubernetes-provider-config.yaml b/modules/kubernetes-addons/crossplane/kubernetes-provider/kubernetes-provider-config.yaml
new file mode 100644
index 0000000000..311519766c
--- /dev/null
+++ b/modules/kubernetes-addons/crossplane/kubernetes-provider/kubernetes-provider-config.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: kubernetes.crossplane.io/v1alpha1
+kind: ProviderConfig
+metadata:
+ name: kubernetes-provider-config
+spec:
+ credentials:
+ source: InjectedIdentity
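Review bot: `roleRef` in the new ClusterRoleBinding hard-codes `name: cluster-admin` while the subject is templated, so anyone who enables the provider hands its service account unrestricted cluster-wide access with no module-level way to substitute a narrower ClusterRole; because the ProviderConfig added in the same commit uses `source: InjectedIdentity`, every Object reconciled through the provider acts with that identity. Consider templating the role as well, `name: ${cluster-role-name}`, supplied from main.tf with cluster-admin as the default, and adding a comment above `roleRef:` such as `# cluster-admin by default; prefer a ClusterRole limited to the kinds this provider must manage`. Both the binding's `metadata.name` and the subject reuse the service account name, which is fine but worth a one-line comment so the coupling to locals.tf is visible.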
diff --git a/modules/kubernetes-addons/crossplane/kubernetes-provider/kubernetes-provider.yaml b/modules/kubernetes-addons/crossplane/kubernetes-provider/kubernetes-provider.yaml
new file mode 100644
index 0000000000..a8e7d3f9a8
--- /dev/null
+++ b/modules/kubernetes-addons/crossplane/kubernetes-provider/kubernetes-provider.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: pkg.crossplane.io/v1
+kind: Provider
+metadata:
+ name: ${kubernetes-provider-name}
+spec:
+ package: crossplane/provider-kubernetes:${provider-kubernetes-version}
+ controllerConfigRef:
+ name: kubernetes-controller-config
diff --git a/modules/kubernetes-addons/crossplane/locals.tf b/modules/kubernetes-addons/crossplane/locals.tf
index 31270bc736..fa41adbe54 100644
--- a/modules/kubernetes-addons/crossplane/locals.tf
+++ b/modules/kubernetes-addons/crossplane/locals.tf
@@ -23,6 +23,7 @@ locals {
 aws_provider_sa = "aws-provider"
 jet_aws_provider_sa = "jet-aws-provider"
+ kubernetes_provider_sa = "kubernetes-provider"
 aws_current_account_id = var.account_id
 aws_current_partition = var.aws_partition
 }
diff --git a/modules/kubernetes-addons/crossplane/main.tf b/modules/kubernetes-addons/crossplane/main.tf
index e9318f115e..bdbcbca2a9 100644
--- a/modules/kubernetes-addons/crossplane/main.tf
+++ b/modules/kubernetes-addons/crossplane/main.tf
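Review bot: `package: crossplane/provider-kubernetes:${provider-kubernetes-version}` resolves the provider package by a mutable tag from the default registry, so the content installed under one `provider_kubernetes_version` value can change over time, and the package runs with the cluster-admin service account this commit binds. A short comment on that line, `# tag reference from the default registry; pin by digest if your Crossplane version accepts @sha256 references`, would tell operators how to get a reproducible install. This is a note only; the variable is a plain string, so a digest-bearing value can already be passed if supported.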
@@ -125,3 +125,52 @@ resource "kubectl_manifest" "jet_aws_provider_config" {
 depends_on = [kubectl_manifest.jet_aws_provider]
 }
+
+resource "kubernetes_service_account_v1" "kubernetes_controller" {
+ metadata {
+ name = local.kubernetes_provider_sa
+ namespace = local.namespace
+ }
+
+ depends_on = [module.helm_addon]
+}
+
+resource "kubectl_manifest" "kubernetes_controller_clusterolebinding" {
+ count = var.kubernetes_provider.enable == true ? 1 : 0
+ yaml_body = templatefile("${path.module}/kubernetes-provider/kubernetes-controller-clusterrolebinding.yaml", {
+ kubernetes-serviceaccount-name = local.kubernetes_provider_sa
+ namespace = local.namespace
+ })
+ wait = true
+
+ depends_on = [module.helm_addon]
+}
+
+resource "kubectl_manifest" "kubernetes_controller_config" {
+ count = var.kubernetes_provider.enable == true ? 1 : 0
+ yaml_body = templatefile("${path.module}/kubernetes-provider/kubernetes-controller-config.yaml", {
+ kubernetes-serviceaccount-name = local.kubernetes_provider_sa
+ namespace = local.namespace
+ })
+ wait = true
+
+ depends_on = [module.helm_addon]
+}
+
+resource "kubectl_manifest" "kubernetes_provider" {
+ count = var.kubernetes_provider.enable == true ? 1 : 0
+ yaml_body = templatefile("${path.module}/kubernetes-provider/kubernetes-provider.yaml", {
+ provider-kubernetes-version = var.kubernetes_provider.provider_kubernetes_version
+ kubernetes-provider-name = local.kubernetes_provider_sa
+ })
+ wait = true
+
+ depends_on = [kubectl_manifest.kubernetes_controller_config]
+}
+
+resource "kubectl_manifest" "kubernetes_provider_config" {
+ count = var.kubernetes_provider.enable == true ? 1 : 0
+ yaml_body = templatefile("${path.module}/kubernetes-provider/kubernetes-provider-config.yaml", {})
+
+ depends_on = [kubectl_manifest.kubernetes_provider]
+}
diff --git a/modules/kubernetes-addons/crossplane/variables.tf b/modules/kubernetes-addons/crossplane/variables.tf
index 63ef10f9ae..4360016814 100644
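Review bot: `kubernetes_service_account_v1.kubernetes_controller` has no `count` guard, so the service account is created whenever the module is instantiated, even with `kubernetes_provider.enable = false`, while the four kubectl manifests in this hunk are all gated on that flag; add `count = var.kubernetes_provider.enable ? 1 : 0` to the service account so an unused identity is not left behind. `kubectl_manifest.kubernetes_provider_config` is also the only manifest without `wait = true`, which looks like an omission rather than a choice. The resource name `kubernetes_controller_clusterolebinding` is missing an `r` and is already propagated into the module README; renaming it before it lands in state is cheap now and costly later. The `== true` comparisons on a `bool` are redundant; `var.kubernetes_provider.enable ? 1 : 0` reads the same.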
--- a/modules/kubernetes-addons/crossplane/variables.tf
+++ b/modules/kubernetes-addons/crossplane/variables.tf
@@ -39,6 +39,14 @@ variable "jet_aws_provider" {
 })
 }
+variable "kubernetes_provider" {
+ description = "Kubernetes Provider config for Crossplane"
+ type = object({
+ enable = bool
+ provider_kubernetes_version = string
+ })
+}
+
 variable "account_id" {
 description = "Current AWS Account ID"
 type = string
diff --git a/modules/kubernetes-addons/main.tf b/modules/kubernetes-addons/main.tf
index 048599e6d8..2e7972deba 100644
--- a/modules/kubernetes-addons/main.tf
+++ b/modules/kubernetes-addons/main.tf
@@ -251,14 +251,15 @@ module "coredns_autoscaler" {
 }
 module "crossplane" {
- count = var.enable_crossplane ? 1 : 0
- source = "./crossplane"
- helm_config = var.crossplane_helm_config
- aws_provider = var.crossplane_aws_provider
- jet_aws_provider = var.crossplane_jet_aws_provider
- account_id = data.aws_caller_identity.current.account_id
- aws_partition = data.aws_partition.current.id
- addon_context = local.addon_context
+ count = var.enable_crossplane ? 1 : 0
+ source = "./crossplane"
+ helm_config = var.crossplane_helm_config
+ aws_provider = var.crossplane_aws_provider
+ jet_aws_provider = var.crossplane_jet_aws_provider
+ kubernetes_provider = var.crossplane_kubernetes_provider
+ account_id = data.aws_caller_identity.current.account_id
+ aws_partition = data.aws_partition.current.id
+ addon_context = local.addon_context
 }
 module "datadog_operator" {
@@ -253,6 +253,18 @@ variable "crossplane_jet_aws_provider" {
 }
 }
+variable "crossplane_kubernetes_provider" {
+ description = "Kubernetes Provider config for Crossplane"
+ type = object({
+ enable = bool
+ provider_kubernetes_version = string
+ })
+ default = {
+ enable = false
+ provider_kubernetes_version = "v0.4.1"
+ }
+}
+
 #-----------ONDAT ADDON-------------
 variable "enable_ondat" {
 description = "Enable Ondat add-on"
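Review bot: The description of `crossplane_kubernetes_provider` does not say what enabling it grants, yet this is the variable end users see, and the manifests added in the same commit bind the provider's service account to the `cluster-admin` ClusterRole. Make that visible at the input: `description = "Kubernetes Provider config for Crossplane; when enabled the provider service account is bound to the cluster-admin ClusterRole"`. The `enable = false` default is the right choice, since the grant only happens on opt-in; the `provider_kubernetes_version` field could also note that the value is used verbatim as the package tag.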
enable = bool
provider_kubernetes_version = string
})