feat: Crossplane Kubernetes Provider #1119

Merged
12 changes: 12 additions & 0 deletions docs/add-ons/crossplane.md
Expand Up @@ -43,6 +43,7 @@ This module provides options to deploy the following AWS providers for Crossplan

- [AWS Provider](https://github.com/crossplane/provider-aws)
- [Terrajet AWS Provider](https://github.com/crossplane-contrib/provider-jet-aws)
- [Kubernetes Provider](https://github.com/crossplane-contrib/provider-kubernetes)

_NOTE: Crossplane requires Admin like permissions to create and update resources similar to Terraform deploy role.
This example config uses AdministratorAccess, but you should select a policy with the minimum permissions required to provision your resources._
Expand All @@ -67,4 +68,15 @@ crossplane_jet_aws_provider = {
}
```

_NOTE: Crossplane requires cluster-admin permissions to create and update Kubernetes resources._

Config to deploy [Kubernetes provider](https://github.com/crossplane-contrib/provider-kubernetes)
```hcl
# Creates ProviderConfig -> kubernetes-provider
crossplane_kubernetes_provider = {
enable = true
provider_kubernetes_version = "v0.4.1" # Get the latest version from https://github.com/crossplane-contrib/provider-jet-aws
}
```

Checkout the full [example](https://github.com/aws-ia/terraform-aws-eks-blueprints/blob/main/examples/crossplane) to deploy Crossplane with `kubernetes-addons` module
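Review bot: the inline comment on the version line points at the wrong repository: `provider_kubernetes_version = "v0.4.1" # Get the latest version from https://github.com/crossplane-contrib/provider-jet-aws` should link https://github.com/crossplane-contrib/provider-kubernetes, the repository the sentence above it already links. The note above the block says cluster-admin is required; since the ProviderConfig added in this PR uses the controller's own injected identity, it would help readers to state here that every object the provider reconciles is applied with that cluster-admin binding, so this option belongs on clusters where that blast radius is acceptable.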
7 changes: 7 additions & 0 deletions examples/crossplane/main.tf
Expand Up @@ -97,6 +97,13 @@ module "eks_blueprints_kubernetes_addons" {
additional_irsa_policies = ["arn:aws:iam::aws:policy/AmazonS3FullAccess"]
}

# Creates ProviderConfig -> kbuernetes-provider
crossplane_kubernetes_provider = {
# NOTE: Crossplane requires cluster-admin permissions to create and update resources.
enable = true
provider_kubernetes_version = "v0.4.1"
}

# Enable configmap reloader
enable_reloader = true

1 change: 1 addition & 0 deletions modules/kubernetes-addons/README.md
Expand Up @@ -158,6 +158,7 @@
| <a name="input_crossplane_aws_provider"></a> [crossplane\_aws\_provider](#input\_crossplane\_aws\_provider) | AWS Provider config for Crossplane | <pre>object({<br> enable = bool<br> provider_aws_version = string<br> additional_irsa_policies = list(string)<br> })</pre> | <pre>{<br> "additional_irsa_policies": [],<br> "enable": false,<br> "provider_aws_version": "v0.24.1"<br>}</pre> | no |
| <a name="input_crossplane_helm_config"></a> [crossplane\_helm\_config](#input\_crossplane\_helm\_config) | Crossplane Helm Chart config | `any` | `null` | no |
| <a name="input_crossplane_jet_aws_provider"></a> [crossplane\_jet\_aws\_provider](#input\_crossplane\_jet\_aws\_provider) | AWS Provider Jet AWS config for Crossplane | <pre>object({<br> enable = bool<br> provider_aws_version = string<br> additional_irsa_policies = list(string)<br> })</pre> | <pre>{<br> "additional_irsa_policies": [],<br> "enable": false,<br> "provider_aws_version": "v0.24.1"<br>}</pre> | no |
| <a name="input_crossplane_kubernetes_provider"></a> [crossplane\_kubernetes\_provider](#input\_crossplane\_kubernetes\_provider) | Kubernetes Provider config for Crossplane | <pre>object({<br> enable = bool<br> provider_kubernetes_version = string<br> })</pre> | <pre>{<br> "enable": false,<br> "provider_kubernetes_version": "v0.4.1"<br>}</pre> | no |
| <a name="input_csi_secrets_store_provider_aws_helm_config"></a> [csi\_secrets\_store\_provider\_aws\_helm\_config](#input\_csi\_secrets\_store\_provider\_aws\_helm\_config) | CSI Secrets Store Provider AWS Helm Configurations | `any` | `null` | no |
| <a name="input_custom_image_registry_uri"></a> [custom\_image\_registry\_uri](#input\_custom\_image\_registry\_uri) | Custom image registry URI map of `{region = dkr.endpoint }` | `map(string)` | `{}` | no |
| <a name="input_data_plane_wait_arn"></a> [data\_plane\_wait\_arn](#input\_data\_plane\_wait\_arn) | Addon deployment will not proceed until this value is known. Set to node group/Fargate profile ARN to wait for data plane to be ready before provisioning addons | `string` | `""` | no |
6 changes: 6 additions & 0 deletions modules/kubernetes-addons/crossplane/README.md
Expand Up @@ -64,7 +64,12 @@ Refer to [docs](../../../docs/add-ons/crossplane.md) on how to deploy AWS Provid
| [kubectl_manifest.jet_aws_controller_config](https://registry.terraform.io/providers/gavinbunney/kubectl/latest/docs/resources/manifest) | resource |
| [kubectl_manifest.jet_aws_provider](https://registry.terraform.io/providers/gavinbunney/kubectl/latest/docs/resources/manifest) | resource |
| [kubectl_manifest.jet_aws_provider_config](https://registry.terraform.io/providers/gavinbunney/kubectl/latest/docs/resources/manifest) | resource |
| [kubectl_manifest.kubernetes_controller_clusterolebinding](https://registry.terraform.io/providers/gavinbunney/kubectl/latest/docs/resources/manifest) | resource |
| [kubectl_manifest.kubernetes_controller_config](https://registry.terraform.io/providers/gavinbunney/kubectl/latest/docs/resources/manifest) | resource |
| [kubectl_manifest.kubernetes_provider](https://registry.terraform.io/providers/gavinbunney/kubectl/latest/docs/resources/manifest) | resource |
| [kubectl_manifest.kubernetes_provider_config](https://registry.terraform.io/providers/gavinbunney/kubectl/latest/docs/resources/manifest) | resource |
| [kubernetes_namespace_v1.crossplane](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace_v1) | resource |
| [kubernetes_service_account_v1.kubernetes_controller](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/service_account_v1) | resource |
| [time_sleep.wait_30_seconds](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |
| [aws_iam_policy_document.s3_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
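Review bot: the generated row `kubectl_manifest.kubernetes_controller_clusterolebinding` carries a misspelled resource name (missing "r" in `clusterrolebinding`); since this table is generated from main.tf, the fix is to rename the resource there and regenerate rather than editing the table by hand.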

Expand All @@ -78,6 +83,7 @@ Refer to [docs](../../../docs/add-ons/crossplane.md) on how to deploy AWS Provid
| <a name="input_aws_provider"></a> [aws\_provider](#input\_aws\_provider) | AWS Provider config for Crossplane | <pre>object({<br> enable = bool<br> provider_aws_version = string<br> additional_irsa_policies = list(string)<br> })</pre> | n/a | yes |
| <a name="input_helm_config"></a> [helm\_config](#input\_helm\_config) | Helm provider config for the Argo Rollouts | `any` | `{}` | no |
| <a name="input_jet_aws_provider"></a> [jet\_aws\_provider](#input\_jet\_aws\_provider) | AWS Provider Jet AWS config for Crossplane | <pre>object({<br> enable = bool<br> provider_aws_version = string<br> additional_irsa_policies = list(string)<br> })</pre> | n/a | yes |
| <a name="input_kubernetes_provider"></a> [kubernetes\_provider](#input\_kubernetes\_provider) | Kubernetes Provider config for Crossplane | <pre>object({<br> enable = bool<br> provider_kubernetes_version = string<br> })</pre> | n/a | yes |

## Outputs

12 changes: 12 additions & 0 deletions modules/kubernetes-addons/crossplane/kubernetes-provider/kubernetes-controller-clusterrolebinding.yaml
@@ -0,0 +1,12 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: ${kubernetes-serviceaccount-name}
subjects:
- kind: ServiceAccount
name: ${kubernetes-serviceaccount-name}
namespace: ${namespace}
roleRef:
kind: ClusterRole
name: cluster-admin
apiGroup: rbac.authorization.k8s.io
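Review bot: this binds the provider's service account to the built-in `cluster-admin` ClusterRole, the broadest grant the cluster has, and the ClusterRoleBinding itself is named `${kubernetes-serviceaccount-name}`, so any other component that creates a binding with the same service-account name would collide with it. Consider naming the binding after the add-on rather than the SA, and, since the manifest is already templated, exposing the ClusterRole name as an input so operators can substitute a narrower role scoped to the kinds their compositions actually manage; at minimum the module README should state that enabling this provider grants cluster-admin to a workload in the crossplane namespace.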
6 changes: 6 additions & 0 deletions modules/kubernetes-addons/crossplane/kubernetes-provider/kubernetes-controller-config.yaml
@@ -0,0 +1,6 @@
apiVersion: pkg.crossplane.io/v1alpha1
kind: ControllerConfig
metadata:
name: kubernetes-controller-config
spec:
serviceAccountName: ${kubernetes-serviceaccount-name}
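Review bot: this template only consumes `${kubernetes-serviceaccount-name}`, but main.tf also passes `namespace = local.namespace` to it; drop the unused template variable or use it. The ControllerConfig name `kubernetes-controller-config` is hard-coded both here and in the Provider's `controllerConfigRef`, while the SA and Provider names come from locals; sourcing all three from locals.tf keeps them from drifting apart.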
8 changes: 8 additions & 0 deletions modules/kubernetes-addons/crossplane/kubernetes-provider/kubernetes-provider-config.yaml
@@ -0,0 +1,8 @@
---
apiVersion: kubernetes.crossplane.io/v1alpha1
kind: ProviderConfig
metadata:
name: kubernetes-provider-config
spec:
credentials:
source: InjectedIdentity
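Review bot: `source: InjectedIdentity` makes the provider talk to the API server as its own pod service account, which is the account the new ClusterRoleBinding grants cluster-admin; a one-line comment in this file would spare readers from having to cross-reference the binding to see where the credentials come from. Also, Crossplane managed resources default to a ProviderConfig named `default` when they set no `providerConfigRef`, so with this config named `kubernetes-provider-config` every `Object` consumers create must set `providerConfigRef.name` explicitly; either document that in docs/add-ons/crossplane.md or name the ProviderConfig `default`.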
9 changes: 9 additions & 0 deletions modules/kubernetes-addons/crossplane/kubernetes-provider/kubernetes-provider.yaml
@@ -0,0 +1,9 @@
---
apiVersion: pkg.crossplane.io/v1
kind: Provider
metadata:
name: ${kubernetes-provider-name}
spec:
package: crossplane/provider-kubernetes:${provider-kubernetes-version}
controllerConfigRef:
name: kubernetes-controller-config
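Review bot: the package reference `crossplane/provider-kubernetes:${provider-kubernetes-version}` is a mutable tag with no registry host and no digest, so what gets installed depends on the registry's state at install time. Consider letting the version input carry an optional digest suffix (`@sha256:<placeholder>`) so operators can pin the package, and note in the README which registry and image namespace this short reference resolves to, since the docs link the `crossplane-contrib` GitHub organisation while the image is pulled from the `crossplane/` namespace.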
1 change: 1 addition & 0 deletions modules/kubernetes-addons/crossplane/locals.tf
Expand Up @@ -23,6 +23,7 @@ locals {

aws_provider_sa = "aws-provider"
jet_aws_provider_sa = "jet-aws-provider"
kubernetes_provider_sa = "kubernetes-provider"
aws_current_account_id = var.account_id
aws_current_partition = var.aws_partition
}
49 changes: 49 additions & 0 deletions modules/kubernetes-addons/crossplane/main.tf
Expand Up @@ -125,3 +125,52 @@ resource "kubectl_manifest" "jet_aws_provider_config" {

depends_on = [kubectl_manifest.jet_aws_provider]
}

resource "kubernetes_service_account_v1" "kubernetes_controller" {
metadata {
name = local.kubernetes_provider_sa
namespace = local.namespace
}

depends_on = [module.helm_addon]
}

resource "kubectl_manifest" "kubernetes_controller_clusterolebinding" {
count = var.kubernetes_provider.enable == true ? 1 : 0
yaml_body = templatefile("${path.module}/kubernetes-provider/kubernetes-controller-clusterrolebinding.yaml", {
kubernetes-serviceaccount-name = local.kubernetes_provider_sa
namespace = local.namespace
})
wait = true

depends_on = [module.helm_addon]
}

resource "kubectl_manifest" "kubernetes_controller_config" {
count = var.kubernetes_provider.enable == true ? 1 : 0
yaml_body = templatefile("${path.module}/kubernetes-provider/kubernetes-controller-config.yaml", {
kubernetes-serviceaccount-name = local.kubernetes_provider_sa
namespace = local.namespace
})
wait = true

depends_on = [module.helm_addon]
}

resource "kubectl_manifest" "kubernetes_provider" {
count = var.kubernetes_provider.enable == true ? 1 : 0
yaml_body = templatefile("${path.module}/kubernetes-provider/kubernetes-provider.yaml", {
provider-kubernetes-version = var.kubernetes_provider.provider_kubernetes_version
kubernetes-provider-name = local.kubernetes_provider_sa
})
wait = true

depends_on = [kubectl_manifest.kubernetes_controller_config]
}

resource "kubectl_manifest" "kubernetes_provider_config" {
count = var.kubernetes_provider.enable == true ? 1 : 0
yaml_body = templatefile("${path.module}/kubernetes-provider/kubernetes-provider-config.yaml", {})

depends_on = [kubectl_manifest.kubernetes_provider]
}
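Review bot: `kubernetes_service_account_v1.kubernetes_controller` has no `count = var.kubernetes_provider.enable == true ? 1 : 0` guard, so the service account is created in every Crossplane deployment even when the Kubernetes provider is disabled, unlike the four `kubectl_manifest` resources that follow it; add the same guard. Three smaller points in this hunk: the resource name `kubernetes_controller_clusterolebinding` is missing an "r" (`clusterrolebinding`); `kubernetes_controller_config` passes `namespace` to a template that does not use it; and `kubernetes_provider_config` has no `wait = true` and depends only on the Provider manifest having been applied, but the `ProviderConfig` CRD (`kubernetes.crossplane.io/v1alpha1`) only exists once the provider package has been pulled and installed, so the apply can race the package install. The module already carries a `time_sleep.wait_30_seconds` resource, which suggests this ordering problem has been hit before; waiting on the Provider's readiness would be more robust than a fixed sleep.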
8 changes: 8 additions & 0 deletions modules/kubernetes-addons/crossplane/variables.tf
Expand Up @@ -39,6 +39,14 @@ variable "jet_aws_provider" {
})
}

variable "kubernetes_provider" {
description = "Kubernetes Provider config for Crossplane"
type = object({
enable = bool
provider_kubernetes_version = string
})
}

variable "account_id" {
description = "Current AWS Account ID"
type = string
17 changes: 9 additions & 8 deletions modules/kubernetes-addons/main.tf
Expand Up @@ -251,14 +251,15 @@ module "coredns_autoscaler" {
}

module "crossplane" {
count = var.enable_crossplane ? 1 : 0
source = "./crossplane"
helm_config = var.crossplane_helm_config
aws_provider = var.crossplane_aws_provider
jet_aws_provider = var.crossplane_jet_aws_provider
account_id = data.aws_caller_identity.current.account_id
aws_partition = data.aws_partition.current.id
addon_context = local.addon_context
count = var.enable_crossplane ? 1 : 0
source = "./crossplane"
helm_config = var.crossplane_helm_config
aws_provider = var.crossplane_aws_provider
jet_aws_provider = var.crossplane_jet_aws_provider
kubernetes_provider = var.crossplane_kubernetes_provider
account_id = data.aws_caller_identity.current.account_id
aws_partition = data.aws_partition.current.id
addon_context = local.addon_context
}

module "datadog_operator" {
12 changes: 12 additions & 0 deletions modules/kubernetes-addons/variables.tf
Expand Up @@ -253,6 +253,18 @@ variable "crossplane_jet_aws_provider" {
}
}

variable "crossplane_kubernetes_provider" {
description = "Kubernetes Provider config for Crossplane"
type = object({
enable = bool
provider_kubernetes_version = string
})
default = {
enable = false
provider_kubernetes_version = "v0.4.1"
}
}

#-----------ONDAT ADDON-------------
variable "enable_ondat" {
description = "Enable Ondat add-on"
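Review bot: the default `provider_kubernetes_version = "v0.4.1"` is also hard-coded in docs/add-ons/crossplane.md, examples/crossplane/main.tf and both generated READMEs, so a version bump touches five places; acceptable for a default, but a `validation` block on `provider_kubernetes_version` (for example rejecting an empty string or a bare `latest`) would stop a malformed package reference from reaching the Provider manifest.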