├── .github ├── CODEOWNERS ├── renovate.json5 └── workflows │ ├── ci.yaml │ ├── e2e.yaml │ ├── tag.yml │ └── yamllint.yaml ├── .gitignore ├── .gitmodules ├── .yamllint ├── LICENSE ├── Makefile ├── README.md ├── apis └── pat │ ├── composition.yaml │ └── definition.yaml ├── crossplane.yaml ├── examples ├── app-claim.yaml ├── aws-default-provider.yaml ├── cluster-claim.yaml ├── configuration.yaml ├── functions.yaml ├── mariadb-claim.yaml └── postgres-claim.yaml ├── project.mk └── test └── setup.sh /.github/CODEOWNERS: -------------------------------------------------------------------------------- 1 | * @upbound/team-solutions 2 | -------------------------------------------------------------------------------- /.github/renovate.json5: -------------------------------------------------------------------------------- 1 | { 2 | $schema: 'https://docs.renovatebot.com/renovate-schema.json', 3 | extends: [ 4 | 'config:recommended', 5 | 'helpers:pinGitHubActionDigests', 6 | ':semanticCommits', 7 | ], 8 | rebaseWhen: 'auto', 9 | rebaseLabel: 'rebase', 10 | prConcurrentLimit: 5, 11 | autoApprove: true, 12 | automerge: true, 13 | automergeType: 'pr', 14 | baseBranches: [ 15 | 'main', 16 | ], 17 | labels: [ 18 | 'automated', 19 | 'run-e2e-tests', 20 | ], 21 | ignorePaths: [ // default renovate ignorePaths without '**/examples/**' 22 | '**/node_modules/**', 23 | '**/bower_components/**', 24 | '**/vendor/**', 25 | '**/__tests__/**', 26 | '**/test/**', 27 | '**/tests/**', 28 | '**/__fixtures__/**' 29 | ], 30 | crossplane: { 31 | fileMatch: ['(^|/)examples/.*\\.ya?ml$'] 32 | }, 33 | packageRules: [ 34 | { 35 | matchFileNames: [ 36 | '.github/**', 37 | ], 38 | groupName: 'github-actions dependencies', 39 | }, 40 | { 41 | matchFileNames: [ 42 | 'crossplane.yaml', 43 | ], 44 | groupName: 'crossplane dependencies', 45 | }, 46 | { 47 | matchFileNames: [ 48 | 'Makefile', 49 | ], 50 | groupName: 'Makefile dependencies', 51 | }, 52 | { 53 | matchManagers: ['crossplane'], 54 | matchFileNames: ['examples/**'], 55 | groupName: 'examples' 56 | }, 57 | ], 58 | customManagers: [ 59 | { 60 | customType: 'regex', 61 | description: 'Bump up version in the Makefile', 62 | fileMatch: [ 63 | '^Makefile$', 64 | ], 65 | matchStrings: [ 66 | 'UP_VERSION = (?.*?)\\n', 67 | ], 68 | datasourceTemplate: 'github-releases', 69 | depNameTemplate: 'upbound/up', 70 | }, 71 | { 72 | customType: 'regex', 73 | description: 'Bump uptest version in the Makefile', 74 | fileMatch: [ 75 | '^Makefile$', 76 | ], 77 | matchStrings: [ 78 | 'UPTEST_VERSION = (?.*?)\\n', 79 | ], 80 | datasourceTemplate: 'github-releases', 81 | depNameTemplate: 'upbound/uptest', 82 | }, 83 | { 84 | customType: 'regex', 85 | description: 'Bump providers/functions/configurations in crossplane.yaml', 86 | fileMatch: [ 87 | 'crossplane.yaml', 88 | ], 89 | matchStrings: [ 90 | '#\\s*renovate:\\s*datasource=(?[^\\s]+)\\s+depName=(?[^\\s]+)\\s*\\n\\s*version:\\s*"(?[^"]+)"', 91 | ], 92 | datasourceTemplate: '{{{datasource}}}', 93 | depNameTemplate: '{{{depName}}}', 94 | }, 95 | ], 96 | "git-submodules": { 97 | "enabled": true 98 | } 99 | } 100 | -------------------------------------------------------------------------------- /.github/workflows/ci.yaml: -------------------------------------------------------------------------------- 1 | name: CI 2 | 3 | on: 4 | push: 5 | branches: 6 | - main 7 | - release-* 8 | workflow_dispatch: {} 9 | 10 | env: 11 | DOCKER_BUILDX_VERSION: 'v0.8.2' 12 | 13 | XPKG_ACCESS_ID: ${{ secrets.XPKG_ACCESS_ID }} 14 | 15 | jobs: 16 | detect-noop: 17 | runs-on: ubuntu-24.04 18 | outputs: 19 | noop: ${{ steps.noop.outputs.should_skip }} 20 | steps: 21 | - name: Detect No-op Changes 22 | id: noop 23 | uses: fkirc/skip-duplicate-actions@f75f66ce1886f00957d99748a42c724f4330bdcf # v5.3.1 24 | with: 25 | github_token: ${{ secrets.GITHUB_TOKEN }} 26 | paths_ignore: '["**.md", "**.png", "**.jpg"]' 27 | do_not_skip: '["workflow_dispatch", "schedule", "push"]' 28 | 29 | publish-artifacts: 30 | runs-on: ubuntu-24.04 31 | needs: detect-noop 32 | if: needs.detect-noop.outputs.noop != 'true' 33 | 34 | steps: 35 | - name: Setup Docker Buildx 36 | uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3 37 | with: 38 | version: ${{ env.DOCKER_BUILDX_VERSION }} 39 | install: true 40 | 41 | - name: Checkout 42 | uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 43 | with: 44 | submodules: true 45 | 46 | - name: Fetch History 47 | run: git fetch --prune --unshallow 48 | 49 | - name: Build Artifacts 50 | run: make -j2 build.all 51 | env: 52 | # We're using docker buildx, which doesn't actually load the images it 53 | # builds by default. Specifying --load does so. 54 | BUILD_ARGS: "--load" 55 | 56 | - name: Publish Artifacts to GitHub 57 | uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 58 | with: 59 | name: output 60 | path: _output/** 61 | 62 | - name: Login to Upbound 63 | uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3 64 | if: env.XPKG_ACCESS_ID != '' 65 | with: 66 | registry: xpkg.upbound.io 67 | username: ${{ secrets.XPKG_ACCESS_ID }} 68 | password: ${{ secrets.XPKG_TOKEN }} 69 | 70 | - name: Publish Artifacts 71 | if: env.XPKG_ACCESS_ID != '' 72 | run: make -j2 publish BRANCH_NAME=${GITHUB_REF##*/} 73 | -------------------------------------------------------------------------------- /.github/workflows/e2e.yaml: -------------------------------------------------------------------------------- 1 | name: End to End Testing 2 | 3 | on: 4 | issue_comment: 5 | types: [created] 6 | pull_request: 7 | types: [labeled] 8 | jobs: 9 | e2e: 10 | uses: upbound/official-providers-ci/.github/workflows/pr-comment-trigger.yml@main 11 | with: 12 | package-type: configuration 13 | secrets: 14 | UPTEST_CLOUD_CREDENTIALS: ${{ secrets.UPTEST_CLOUD_CREDENTIALS }} 15 | UPTEST_DATASOURCE: ${{ secrets.UPTEST_DATASOURCE }} 16 | -------------------------------------------------------------------------------- /.github/workflows/tag.yml: -------------------------------------------------------------------------------- 1 | name: Tag 2 | 3 | on: 4 | workflow_dispatch: 5 | inputs: 6 | version: 7 | description: 'Release version (e.g. v0.1.0)' 8 | required: true 9 | message: 10 | description: 'Tag message' 11 | required: true 12 | 13 | jobs: 14 | create-tag: 15 | runs-on: ubuntu-24.04 16 | 17 | steps: 18 | - name: Checkout 19 | uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 20 | 21 | - name: Create Tag 22 | uses: negz/create-tag@39bae1e0932567a58c20dea5a1a0d18358503320 # v1 23 | with: 24 | version: ${{ github.event.inputs.version }} 25 | message: ${{ github.event.inputs.message }} 26 | token: ${{ secrets.GITHUB_TOKEN }} 27 | -------------------------------------------------------------------------------- /.github/workflows/yamllint.yaml: -------------------------------------------------------------------------------- 1 | name: yamllint 2 | on: [pull_request] 3 | jobs: 4 | yamllint: 5 | name: runner / yamllint 6 | runs-on: ubuntu-latest 7 | steps: 8 | - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 9 | - name: yamllint 10 | uses: reviewdog/action-yamllint@f01d8a48fd8d89f89895499fca2cff09f9e9e8c0 # v1.21.0 11 | with: 12 | reporter: github-pr-review 13 | filter_mode: nofilter 14 | yamllint_flags: 'apis/' 15 | fail_on_error: true 16 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | /.cache 2 | /.work 3 | /_output 4 | /results 5 | /.idea 6 | 7 | *.xpkg 8 | kubeconfig -------------------------------------------------------------------------------- /.gitmodules: -------------------------------------------------------------------------------- 1 | [submodule "build"] 2 | path = build 3 | url = https://github.com/crossplane/build.git 4 | -------------------------------------------------------------------------------- /.yamllint: -------------------------------------------------------------------------------- 1 | extends: default 2 | 3 | rules: 4 | line-length: disable 5 | document-start: disable 6 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "[]" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright [yyyy] [name of copyright owner] 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | # ==================================================================================== 2 | # Crossplane Configuration Package Makefile 3 | # ==================================================================================== 4 | 5 | # USAGE DOCUMENTATION 6 | # ==================================================================================== 7 | # 8 | # This is a generic Makefile to be used across repositories building Crossplane 9 | # configuration packages. It provides a comprehensive set of targets for development, 10 | # testing, and deployment. 11 | # 12 | # PROJECT CONFIGURATION 13 | # ------------------- 14 | # Create a project.mk file in your repository to configure project-specific settings. 15 | # Required variables: 16 | # - PROJECT_NAME: Name of your Crossplane configuration package 17 | # 18 | # Example project.mk: 19 | # PROJECT_NAME = custom-config 20 | # UPTEST_DEFAULT_TIMEOUT = 3600s 21 | # UPTEST_SKIP_IMPORT = true 22 | # 23 | # PRIMARY TARGETS 24 | # -------------- 25 | # 26 | # Development Tools: 27 | # ----------------- 28 | # - `yamllint` 29 | # Runs yamllint recursively on all files in the `api` folder to ensure YAML 30 | # quality and consistency 31 | # 32 | # - `check-examples` 33 | # Validates consistency between example configurations and dependencies: 34 | # - Compares Function package versions in examples/ against crossplane.yaml 35 | # - Ensures all Function versions in examples match dependency declarations 36 | # - Helps prevent version mismatches that could cause deployment issues 37 | # Example errors: 38 | # - Example using function-foo:v1.2.0 while crossplane.yaml specifies v1.1.0 39 | # - Missing Function dependencies in crossplane.yaml that are used in examples 40 | # Usage: Run before committing changes to ensure example validity 41 | # 42 | # Rendering and Validation: 43 | # ----------------- 44 | # - `render` 45 | # Renders the composition output for rapid feedback during template development. 46 | # Requirements: 47 | # - Claims must have these annotations: 48 | # render.crossplane.io/composition-path: apis/pat/composition.yaml 49 | # render.crossplane.io/function-path: examples/functions.yaml 50 | # Note: This only populates the cache. Use `render.show` to view output. 51 | # 52 | # - `render.show` 53 | # Displays the rendered YAML output. Useful for: 54 | # - Manual validation 55 | # - Piping to validation tools, e.g.: 56 | # make render.show | crossplane beta validate crossplane.yaml - 57 | # 58 | # Testing: 59 | # ----------------- 60 | # - `render.test` 61 | # Executes kcl-unit tests on rendered manifests. Tests should be: 62 | # - Located in the `test` folder 63 | # - Written as standard kcl-tests 64 | # This ensures the rendered output meets expected specifications. 65 | # 66 | # - `e2e` 67 | # Comprehensive end-to-end testing, including: 68 | # - Cluster creation 69 | # - Configuration setup 70 | # - Testing create, import, and delete operations 71 | # 72 | # Cloud Provider Requirements: 73 | # For configurations creating cloud provider resources, set: 74 | # UPTEST_CLOUD_CREDENTIALS - Provider-specific credentials: 75 | # - AWS: export UPTEST_CLOUD_CREDENTIALS=$(cat ~/.aws/credentials) 76 | # - GCP: export UPTEST_CLOUD_CREDENTIALS=$(cat gcp-sa.json) 77 | # - Azure: export UPTEST_CLOUD_CREDENTIALS=$(cat azure.json) 78 | # 79 | # Configuration Options: 80 | # - UPTEST_SKIP_DELETE (default: false) 81 | # Skip deletion testing of created resources 82 | # - UPTEST_SKIP_UPDATE (default: false) 83 | # Skip testing of claim updates 84 | # - UPTEST_SKIP_IMPORT (default: false) 85 | # Skip testing of resource imports 86 | # 87 | # Example Usage: 88 | # make e2e UPTEST_SKIP_DELETE=true 89 | # 90 | # LANGUAGE-SPECIFIC OPTIONS 91 | # ------------------------ 92 | # 93 | # KCL Support: 94 | # - KCL_COMPOSITION_PATH 95 | # Path to the KCL file generating composition.yaml 96 | # Default: apis/kcl/generate.k 97 | # 98 | # NOTE: The platform setting is constrained to linux_amd64 as Configuration package 99 | # images are not architecture-specific. This avoids unnecessary multi-arch image 100 | # generation. 101 | 102 | # ==================================================================================== 103 | # Project Configuration 104 | # ==================================================================================== 105 | 106 | # Include project.mk for project specific settings 107 | include project.mk 108 | 109 | ifndef PROJECT_NAME 110 | $(error PROJECT_NAME is not set. Please create `project.mk` and set it there.) 111 | endif 112 | 113 | # Project Configuration 114 | # ------------------ 115 | PROJECT_REPO := github.com/upbound/$(PROJECT_NAME) 116 | PLATFORMS ?= linux_amd64 117 | 118 | # Tool Versions 119 | # ------------------ 120 | UP_VERSION = v0.39.0 121 | UP_CHANNEL = stable 122 | CROSSPLANE_CLI_VERSION = v1.18.0 123 | CROSSPLANE_VERSION = v1.18.0-up.1 124 | UPTEST_VERSION = v1.2.0 125 | 126 | # Crossplane Configuration 127 | # ------------------ 128 | CROSSPLANE_CHART_REPO = https://charts.upbound.io/stable 129 | CROSSPLANE_CHART_NAME = universal-crossplane 130 | CROSSPLANE_NAMESPACE = upbound-system 131 | CROSSPLANE_ARGS = "--enable-usages" 132 | KIND_CLUSTER_NAME ?= uptest-$(PROJECT_NAME) 133 | 134 | # XPKG Configuration 135 | # ------------------ 136 | XPKG_DIR = $(shell pwd) 137 | XPKG_IGNORE ?= .github/workflows/*.yaml,.github/workflows/*.yml,examples/*.yaml,.work/uptest-datasource.yaml,.cache/render/* 138 | XPKG_REG_ORGS ?= xpkg.upbound.io/upbound 139 | # NOTE: Skip promoting on xpkg.upbound.io as channel tags are inferred 140 | XPKG_REG_ORGS_NO_PROMOTE ?= xpkg.upbound.io/upbound 141 | XPKGS = $(PROJECT_NAME) 142 | 143 | # Testing Configuration 144 | # ------------------ 145 | UPTEST_LOCAL_DEPLOY_TARGET = local.xpkg.deploy.configuration.$(PROJECT_NAME) 146 | UPTEST_DEFAULT_TIMEOUT ?= 2400s 147 | 148 | # KCL Configuration 149 | # ------------------ 150 | KCL_COMPOSITION_PATH ?= apis/kcl/generate.k 151 | LANG_KCL := $(shell find ./apis -type f -name '*.k') 152 | 153 | # Overwrite example list if it is set by CI 154 | # For example with comment `/test-examples="path/to/example.yaml"` 155 | ifdef UPTEST_EXAMPLE_LIST 156 | UPTEST_INPUT_MANIFESTS=$(UPTEST_EXAMPLE_LIST) 157 | endif 158 | 159 | # Include makelib files 160 | # ------------------ 161 | -include build/makelib/common.mk 162 | -include build/makelib/k8s_tools.mk 163 | -include build/makelib/xpkg.mk 164 | -include build/makelib/local.xpkg.mk 165 | -include build/makelib/controlplane.mk 166 | -include build/makelib/uptest.mk 167 | 168 | # ==================================================================================== 169 | # Targets 170 | # ==================================================================================== 171 | 172 | # Initial Setup 173 | # ------------------ 174 | # We want submodules to be set up the first time `make` is run. 175 | # We manage the build/ folder and its Makefiles as a submodule. 176 | # The first time `make` is run, the includes of build/*.mk files will 177 | # all fail, and this target will be run. The next time, the default as defined 178 | # by the includes will be run instead. 179 | fallthrough: submodules ## Initial setup and submodule initialization 180 | @echo Initial setup complete. Running make again . . . 181 | @make 182 | 183 | submodules: ## Update the submodules, including common build scripts 184 | @git submodule sync 185 | @git submodule update --init --recursive 186 | 187 | # Build Targets 188 | # ------------------ 189 | # We must ensure up is installed in tool cache prior to build as including the k8s_tools 190 | # machinery prior to the xpkg machinery sets UP to point to tool cache. 191 | build.init: $(UP) ## Initialize build requirements 192 | 193 | # KCL Targets 194 | # ------------------ 195 | ifdef LANG_KCL 196 | kcl: $(KCL) ## Generate KCL-based Composition 197 | @$(INFO) Generating kcl composition 198 | @$(KCL) $(KCL_COMPOSITION_PATH) 1>/dev/null 199 | @$(OK) Generated kcl composition 200 | 201 | render: kcl ## Render the composition output 202 | build.init: kcl 203 | .PHONY: kcl 204 | endif 205 | 206 | # Testing Targets 207 | # ------------------ 208 | render.test: $(CROSSPLANE_CLI) $(KCL) render ## Test rendered compositions 209 | @for RENDERED_COMPOSITION in $$(find .cache/render -maxdepth 1 -type f -name '*.yaml'); do \ 210 | $(INFO) "Testing $${RENDERED_COMPOSITION}"; \ 211 | export RENDERED_COMPOSITION; \ 212 | $(KCL) test test/ && \ 213 | $(OK) "Success testing \"$${RENDERED_COMPOSITION}\"!" || \ 214 | ($(ERR) "Failure testing \"$${RENDERED_COMPOSITION}\"!" && exit 1); \ 215 | done 216 | 217 | check-examples: ## Validate package versions in examples match dependencies 218 | @$(INFO) Checking if package versions in dependencies match examples 219 | @FN_EXAMPLES=$$( \ 220 | find examples -type f -name "*.yaml" | \ 221 | xargs $(YQ) -r -o=json 'select(.kind == "Function" and (.apiVersion | test("^pkg.crossplane.io/"))) | .spec.package' | \ 222 | sort -u); \ 223 | FN_DEPS=$$( \ 224 | $(YQ) '.spec.dependsOn[] | select(.function != null) | (.function + ":" + .version)' crossplane.yaml | \ 225 | sort -u \ 226 | ); \ 227 | if [ "$$FN_EXAMPLES" != "$$FN_DEPS" ]; then \ 228 | echo "Function package versions in examples and in crossplane.yaml don't match!"; \ 229 | echo "" ; \ 230 | echo "Versions in dependencies:"; \ 231 | echo "---" ; \ 232 | echo "$$FN_DEPS"; \ 233 | echo "" ; \ 234 | echo "Versions in examples:"; \ 235 | echo "---" ; \ 236 | echo "$$FN_EXAMPLES"; \ 237 | exit 1; \ 238 | fi; 239 | @$(OK) Package versions are sane 240 | 241 | # Help Targets 242 | # ------------------ 243 | help: help.local ## Display this help message 244 | 245 | help.local: 246 | @echo "Available targets:" 247 | @echo 248 | @grep -E '^[a-zA-Z_-]+.*:.*?## .*$$' Makefile | sort | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}' 249 | 250 | .PHONY: uptest e2e render yamllint help help.local check-examples render.test 251 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # AWS Reference Platform 2 | 3 | This repository contains a reference AWS Platform Configuration for 4 | [Crossplane](https://crossplane.io). It's a great starting point for 5 | building internal cloud platforms with AWS and offering a self-service 6 | API to your internal development teams. 7 | 8 | This platform offers APIs for setting up fully configured EKS clusters 9 | with secure networking, stateful cloud services (RDS) that can securely 10 | connect to the EKS clusters, an Observability Stack, and a GitOps 11 | System. All these components are built using cloud service tools from 12 | the [Official Upbound AWS Provider](https://marketplace.upbound.io/providers/upbound/provider-aws). 13 | App deployments can securely access the necessary infrastructure through secrets 14 | distributed directly to the app namespace. 15 | 16 | ## Overview 17 | 18 | This reference platform outlines a specialized API for generating an EKS cluster 19 | ([XCluster](apis/pat/definition.yaml)) that incorporates XRs from the specified configurations: 20 | 21 | * [upbound-configuration-app](https://github.com/upbound/configuration-app) 22 | * [upbound-configuration-aws-database](https://github.com/upbound/configuration-aws-database) 23 | * [upbound-configuration-aws-eks](https://github.com/upbound/configuration-aws-eks) 24 | * [upbound-configuration-aws-network](https://github.com/upbound/configuration-aws-network) 25 | * [upbound-configuration-gitops-flux](https://github.com/upbound/configuration-gitops-flux) 26 | * [upbound-configuration-observability-oss](https://github.com/upbound/configuration-observability-oss) 27 | 28 | ```mermaid 29 | graph LR; 30 | MyApp(My App)---MyCluster(XRC: my-cluster); 31 | MyCluster---XRD1(XRD: XCluster); 32 | MyApp---MyDB(XRC: my-db); 33 | MyDB---XRD2(XRD: XSQLInstance); 34 | subgraph Configuration:upbound/platform-ref-aws; 35 | XRD1---Composition(XEKS, XNetwork, XFlux, XOss); 36 | XRD2---Composition2(Composition); 37 | end 38 | subgraph Provider:upbound/provider-aws 39 | Composition---IAM.MRs(MRs: IAM Role, RolePolicyAttachment,OpenIDConnectProvider); 40 | Composition---EKS.MRs(MRs: EKS Cluster, ClusterAuth, NodeGroup); 41 | Composition2---RDS.MRs(MRs: RDS SubnetGroup, Instance); 42 | end 43 | 44 | style MyApp color:#000,fill:#e6e6e6,stroke:#000,stroke-width:2px 45 | style MyCluster color:#000,fill:#D68A82,stroke:#000,stroke-width:2px 46 | style MyDB color:#000,fill:#D68A82,stroke:#000,stroke-width:2px 47 | style Configuration:upbound/platform-ref-aws fill:#f1d16d,opacity:0.3 48 | style Provider:upbound/provider-aws fill:#81CABB,opacity:0.3 49 | style XRD1 color:#000,fill:#f1d16d,stroke:#000,stroke-width:2px,stroke-dasharray: 5 5 50 | style XRD2 color:#000,fill:#f1d16d,stroke:#000,stroke-width:2px,stroke-dasharray: 5 5 51 | style Composition color:#000,fill:#f1d16d,stroke:#000,stroke-width:2px 52 | style Composition2 color:#000,fill:#f1d16d,stroke:#000,stroke-width:2px 53 | 54 | style IAM.MRs color:#000,fill:#81CABB,stroke:#000,stroke-width:2px 55 | style EKS.MRs color:#000,fill:#81CABB,stroke:#000,stroke-width:2px 56 | style RDS.MRs color:#000,fill:#81CABB,stroke:#000,stroke-width:2px 57 | ``` 58 | 59 | Learn more about Composite Resources in the [Crossplane 60 | Docs](https://docs.crossplane.io/latest/concepts/compositions/). 61 | 62 | ## Quickstart 63 | 64 | ### Prerequisites 65 | 66 | Before we can install the reference platform we should install the `up` CLI. 67 | This is a utility that makes following this quickstart guide easier. Everything 68 | described here can also be done in a declarative approach - which we highly 69 | recommend for any production type use-case. 70 | 71 | 72 | To install `up` run this install script: 73 | ```console 74 | curl -sL https://cli.upbound.io | sh 75 | ``` 76 | See [up docs](https://docs.upbound.io/cli/) for more install options. 77 | 78 | To intstall `crossplane` CLI follow https://docs.crossplane.io/latest/cli/#installing-the-cli 79 | 80 | We need a running Crossplane control plane to install our instance. We are 81 | using [Universal Crossplane (UXP)](https://github.com/upbound/universal-crossplane). 82 | Ensure that your kubectl context points to the correct Kubernetes cluster or 83 | create a new [kind](https://kind.sigs.k8s.io) cluster: 84 | 85 | ```console 86 | kind create cluster 87 | ``` 88 | 89 | Finally install UXP into the `upbound-system` namespace: 90 | 91 | ```console 92 | up uxp install --set='args[0]=--enable-usages' 93 | ``` 94 | 95 | We will need [Usages](https://docs.crossplane.io/latest/concepts/usages/) alpha feature 96 | for the correct deployment and eventual de-provisioning of this reference platform. 97 | 98 | You can validate the install by inspecting all installed components: 99 | 100 | ```console 101 | kubectl get all -n upbound-system 102 | ``` 103 | 104 | ### Install the AWS Reference Platform 105 | 106 | Now you can install this reference platform. It's packaged as a [Crossplane 107 | configuration package](https://docs.crossplane.io/latest/concepts/packages/) 108 | so there is a single command to install it: 109 | 110 | ```console 111 | up ctp configuration install xpkg.upbound.io/upbound/platform-ref-aws:v1.2.0 112 | ``` 113 | 114 | Validate the install by inspecting the provider and configuration packages: 115 | ```console 116 | kubectl get configurations,configurationrevisions 117 | kubectl get configurations --watch 118 | ``` 119 | 120 | After all Configurations are ready, you can check the status of associated 121 | Providers that were pulled as dependencies 122 | 123 | ```console 124 | kubectl get providers,providerrevision 125 | ``` 126 | 127 | Check the 128 | [marketplace](https://marketplace.upbound.io/configurations/upbound/platform-ref-aws/) 129 | for the latest version of this platform. 130 | 131 | ### Configure the AWS provider 132 | 133 | Before we can use the reference platform we need to configure it with AWS 134 | credentials: 135 | 136 | ```console 137 | # Create a creds.conf file with the aws cli: 138 | AWS_PROFILE=default && echo -e "[default]\naws_access_key_id = $(aws configure get aws_access_key_id --profile $AWS_PROFILE)\naws_secret_access_key = $(aws configure get aws_secret_access_key --profile $AWS_PROFILE)" > creds.conf 139 | 140 | # Create a K8s secret with the AWS creds: 141 | kubectl create secret generic aws-creds -n upbound-system --from-file=credentials=./creds.conf 142 | 143 | # Configure the AWS Provider to use the secret: 144 | kubectl apply -f https://raw.githubusercontent.com/upbound/platform-ref-aws/main/examples/aws-default-provider.yaml 145 | ``` 146 | 147 | See [provider-aws docs](https://marketplace.upbound.io/providers/upbound/provider-family-aws) 148 | for more detailed configuration options. 149 | 150 | ## Using the AWS reference platform 151 | 152 | 🎉 Congratulations. You have just installed your first Crossplane-powered 153 | platform! 154 | 155 | Application developers can now use the platform to request resources which then 156 | will be provisioned in AWS. This would usually be done by bundling a claim as part of 157 | the application code. In our example here we simply create the claims directly: 158 | 159 | Create a custom defined cluster: 160 | ```console 161 | kubectl apply -f https://raw.githubusercontent.com/upbound/platform-ref-aws/main/examples/cluster-claim.yaml 162 | ``` 163 | 164 | Create a custom defined database: 165 | ```console 166 | kubectl apply -f https://raw.githubusercontent.com/upbound/platform-ref-aws/main/examples/mariadb-claim.yaml 167 | ``` 168 | 169 | **NOTE**: The database abstraction relies on the cluster claim to be ready - it 170 | uses the same network to have connectivity with the EKS cluster. 171 | 172 | Alternatively, you can use a postgresql claim: 173 | 174 | ```console 175 | kubectl apply -f https://raw.githubusercontent.com/upbound/platform-ref-aws/main/examples/postgres-claim.yaml 176 | ``` 177 | 178 | Now deploy the sample application: 179 | 180 | ```console 181 | kubectl apply -f https://raw.githubusercontent.com/upbound/platform-ref-aws/main/examples/app-claim.yaml 182 | ``` 183 | 184 | **NOTE**: application has a strong dependency on mariadb type of the database 185 | 186 | You can verify the status by inspecting the claims, composites and managed 187 | resources: 188 | 189 | ```console 190 | kubectl get claim,composite,managed 191 | ``` 192 | 193 | To get nice representation of the Claim deployment status you can use 194 | [crossplane beta trace](https://docs.crossplane.io/latest/cli/command-reference/#beta-trace) command. 195 | If you don't have `crossplane` CLI, see the [installation 196 | instructions](https://docs.crossplane.io/latest/cli/). 197 | 198 | ```console 199 | crossplane beta trace cluster.aws.platformref.upbound.io/platform-ref-aws 200 | ``` 201 | 202 | To delete the provisioned resources you would simply delete the claims: 203 | 204 | ```console 205 | kubectl delete -f https://raw.githubusercontent.com/upbound/platform-ref-aws/main/examples/cluster-claim.yaml,https://raw.githubusercontent.com/upbound/platform-ref-aws/main/examples/mariadb-claim.yaml,https://raw.githubusercontent.com/upbound/platform-ref-aws/main/examples/app-claim.yaml 206 | ``` 207 | 208 | To uninstall the provider & platform configuration: 209 | 210 | ```console 211 | kubectl delete configurations.pkg.crossplane.io upbound-platform-ref-aws 212 | kubectl delete configurations.pkg.crossplane.io upbound-configuration-app 213 | kubectl delete configurations.pkg.crossplane.io upbound-configuration-aws-database 214 | kubectl delete configurations.pkg.crossplane.io upbound-configuration-aws-eks 215 | kubectl delete configurations.pkg.crossplane.io upbound-configuration-aws-network 216 | kubectl delete configurations.pkg.crossplane.io upbound-configuration-gitops-flux 217 | kubectl delete configurations.pkg.crossplane.io upbound-configuration-observability-oss 218 | 219 | kubectl delete providers.pkg.crossplane.io crossplane-contrib-provider-helm 220 | kubectl delete providers.pkg.crossplane.io crossplane-contrib-provider-kubernetes 221 | kubectl delete providers.pkg.crossplane.io grafana-provider-grafana 222 | kubectl delete providers.pkg.crossplane.io upbound-provider-aws-ec2 223 | kubectl delete providers.pkg.crossplane.io upbound-provider-aws-eks 224 | kubectl delete providers.pkg.crossplane.io upbound-provider-aws-iam 225 | kubectl delete providers.pkg.crossplane.io upbound-provider-aws-rds 226 | kubectl delete providers.pkg.crossplane.io upbound-provider-family-aws 227 | ``` 228 | 229 | ## Customize for your Organization 230 | 231 | So far we have used the existing reference platform but haven't made any 232 | changes. Let's change this and customize the platform by ensuring the EKS 233 | Cluster is deployed to Frankfurt (eu-central-1) and that clusters are limited 234 | to 10 nodes. 235 | 236 | For the following examples we are using `my-org` and `my-platform`: 237 | 238 | ```console 239 | ORG=my-org 240 | PLATFORM=my-platform 241 | ``` 242 | 243 | ### Pre-Requisites 244 | First you need to create a [free Upbound 245 | account](https://accounts.upbound.io/register) to push your custom platform. 246 | Afterwards you can log in: 247 | 248 | ```console 249 | up login 250 | ``` 251 | 252 | ### Make the changes 253 | 254 | To make your changes clone this repository: 255 | 256 | ```console 257 | git clone https://github.com/upbound/platform-ref-aws.git $PLATFORM && cd $PLATFORM 258 | ``` 259 | 260 | ### Build and push your platform 261 | 262 | To share your new platform you need to build and distribute this package. 263 | 264 | To build the package use the `up xpkg build` command: 265 | 266 | ```console 267 | up xpkg build --name package.xpkg --package-root=. --examples-root=examples --ignore=".github/workflows/*.yaml,.github/workflows/*.yml,examples/*.yaml,.work/uptest-datasource.yaml" 268 | ``` 269 | 270 | Afterwards you can push it to the marketplace. It will be not automatically 271 | listed but the OCI repository will be publicly accessible. 272 | 273 | ```console 274 | TAG=v0.1.0 275 | up repo -a $ORG create ${PLATFORM} 276 | up xpkg push ${ORG}/${PLATFORM}:${TAG} -f package.xpkg 277 | ``` 278 | 279 | ## Using your custom platform 280 | 281 | Now to use your custom platform, you can pull the Configuration package from 282 | your repository 283 | 284 | ```console 285 | up ctp configuration install xpkg.upbound.io/${ORG}/${PLATFORM}:${TAG} 286 | ``` 287 | 288 | For the alternative declarative installation approach see the [example Configuration 289 | manifest](examples/configuration.yaml). Please update to your org, platform and 290 | tag before applying. 291 | 292 | 🎉 Congratulations. You have just built and installed your first custom 293 | Crossplane-powered platform! 294 | 295 | 296 | ## Questions? 297 | 298 | For any questions, thoughts and comments don't hesitate to [reach 299 | out](https://www.upbound.io/contact) or drop by 300 | [slack.crossplane.io](https://slack.crossplane.io), and say hi! 301 | -------------------------------------------------------------------------------- /apis/pat/composition.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apiextensions.crossplane.io/v1 2 | kind: Composition 3 | metadata: 4 | name: xclusters.aws.platformref.upbound.io 5 | spec: 6 | writeConnectionSecretsToNamespace: upbound-system 7 | compositeTypeRef: 8 | apiVersion: aws.platformref.upbound.io/v1alpha1 9 | kind: XCluster 10 | mode: Pipeline 11 | pipeline: 12 | - step: patch-and-transform 13 | functionRef: 14 | name: crossplane-contrib-function-patch-and-transform 15 | input: 16 | apiVersion: pt.fn.crossplane.io/v1beta1 17 | kind: Resources 18 | resources: 19 | - name: XNetwork 20 | base: 21 | apiVersion: aws.platform.upbound.io/v1alpha1 22 | kind: XNetwork 23 | patches: 24 | - type: FromCompositeFieldPath 25 | fromFieldPath: spec.parameters.id 26 | toFieldPath: spec.parameters.id 27 | - type: FromCompositeFieldPath 28 | fromFieldPath: spec.parameters.region 29 | toFieldPath: spec.parameters.region 30 | - type: FromCompositeFieldPath 31 | fromFieldPath: spec.parameters.deletionPolicy 32 | toFieldPath: spec.parameters.deletionPolicy 33 | - type: FromCompositeFieldPath 34 | fromFieldPath: spec.parameters.providerConfigName 35 | toFieldPath: spec.parameters.providerConfigName 36 | - type: FromCompositeFieldPath 37 | fromFieldPath: spec.parameters.networkSelector 38 | toFieldPath: spec.compositionSelector.matchLabels[type] 39 | - type: ToCompositeFieldPath 40 | fromFieldPath: status.subnetIds 41 | policy: 42 | fromFieldPath: Required 43 | toFieldPath: status.subnetIds 44 | 45 | - name: XEKS 46 | base: 47 | apiVersion: aws.platform.upbound.io/v1alpha1 48 | kind: XEKS 49 | connectionDetails: 50 | - type: FromConnectionSecretKey 51 | fromConnectionSecretKey: kubeconfig 52 | name: kubeconfig 53 | patches: 54 | - type: FromCompositeFieldPath 55 | fromFieldPath: spec.parameters.id 56 | toFieldPath: metadata.labels[xeks.aws.platform.upbound.io/cluster-id] 57 | - type: FromCompositeFieldPath 58 | fromFieldPath: metadata.labels[platform.upbound.io/deletion-ordering] 59 | toFieldPath: metadata.labels[platform.upbound.io/deletion-ordering] 60 | - type: FromCompositeFieldPath 61 | fromFieldPath: spec.parameters.id 62 | toFieldPath: spec.parameters.id 63 | - type: FromCompositeFieldPath 64 | fromFieldPath: spec.parameters.region 65 | toFieldPath: spec.parameters.region 66 | - type: FromCompositeFieldPath 67 | fromFieldPath: spec.parameters.deletionPolicy 68 | toFieldPath: spec.parameters.deletionPolicy 69 | - type: FromCompositeFieldPath 70 | fromFieldPath: spec.parameters.providerConfigName 71 | toFieldPath: spec.parameters.providerConfigName 72 | - type: FromCompositeFieldPath 73 | fromFieldPath: spec.parameters.id 74 | toFieldPath: metadata.annotations[crossplane.io/external-name] 75 | - type: FromCompositeFieldPath 76 | fromFieldPath: metadata.uid 77 | toFieldPath: spec.writeConnectionSecretToRef.name 78 | transforms: 79 | - type: string 80 | string: 81 | fmt: '%s-eks' 82 | type: Format 83 | - type: FromCompositeFieldPath 84 | fromFieldPath: spec.writeConnectionSecretToRef.namespace 85 | toFieldPath: spec.writeConnectionSecretToRef.namespace 86 | - type: FromCompositeFieldPath 87 | fromFieldPath: spec.parameters.version 88 | toFieldPath: spec.parameters.version 89 | - type: FromCompositeFieldPath 90 | fromFieldPath: spec.parameters.nodes.count 91 | toFieldPath: spec.parameters.nodes.count 92 | - type: FromCompositeFieldPath 93 | fromFieldPath: spec.parameters.nodes.instanceType 94 | toFieldPath: spec.parameters.nodes.instanceType 95 | - type: FromCompositeFieldPath 96 | fromFieldPath: spec.parameters.iam.principalArn 97 | toFieldPath: spec.parameters.iam.principalArn 98 | - type: ToCompositeFieldPath 99 | fromFieldPath: status.eks.clusterName 100 | toFieldPath: status.clusterName 101 | 102 | - name: XOss 103 | base: 104 | apiVersion: observe.platform.upbound.io/v1alpha1 105 | kind: XOss 106 | patches: 107 | - type: FromCompositeFieldPath 108 | fromFieldPath: spec.parameters.deletionPolicy 109 | toFieldPath: spec.parameters.deletionPolicy 110 | - type: FromCompositeFieldPath 111 | fromFieldPath: spec.parameters.id 112 | toFieldPath: spec.parameters.id 113 | - type: FromCompositeFieldPath 114 | fromFieldPath: spec.parameters.operators.prometheus.version 115 | toFieldPath: spec.parameters.operators.prometheus.version 116 | 117 | - name: XFlux 118 | base: 119 | apiVersion: gitops.platform.upbound.io/v1alpha1 120 | kind: XFlux 121 | patches: 122 | - type: FromCompositeFieldPath 123 | fromFieldPath: spec.parameters.deletionPolicy 124 | toFieldPath: spec.parameters.deletionPolicy 125 | - type: FromCompositeFieldPath 126 | fromFieldPath: spec.parameters.id 127 | toFieldPath: spec.parameters.providerConfigName 128 | - type: FromCompositeFieldPath 129 | fromFieldPath: spec.parameters.operators.flux.version 130 | toFieldPath: spec.parameters.operators.flux.version 131 | - type: FromCompositeFieldPath 132 | fromFieldPath: spec.parameters.operators.flux-sync.version 133 | toFieldPath: spec.parameters.operators.flux-sync.version 134 | - type: FromCompositeFieldPath 135 | fromFieldPath: spec.parameters.gitops 136 | toFieldPath: spec.parameters.source 137 | 138 | - name: XAWSLBController 139 | base: 140 | apiVersion: aws.platform.upbound.io/v1alpha1 141 | kind: XAWSLBController 142 | spec: 143 | parameters: 144 | providerConfigName: platform-ref-aws 145 | patches: 146 | - type: FromCompositeFieldPath 147 | fromFieldPath: status.oidcProvider 148 | toFieldPath: spec.parameters.oidcProvider 149 | - type: FromCompositeFieldPath 150 | fromFieldPath: spec.parameters.deletionPolicy 151 | toFieldPath: spec.parameters.deletionPolicy 152 | - type: FromCompositeFieldPath 153 | fromFieldPath: spec.parameters.providerConfigName 154 | toFieldPath: spec.parameters.providerConfigName 155 | - type: FromCompositeFieldPath 156 | fromFieldPath: spec.parameters.id 157 | toFieldPath: spec.parameters.helm.providerConfigName 158 | - type: FromCompositeFieldPath 159 | fromFieldPath: spec.parameters.region 160 | toFieldPath: spec.parameters.region 161 | - type: FromCompositeFieldPath 162 | fromFieldPath: status.clusterName 163 | policy: 164 | fromFieldPath: Required 165 | toFieldPath: spec.parameters.clusterName 166 | 167 | - name: usageXNetworkByXEKS 168 | base: 169 | apiVersion: apiextensions.crossplane.io/v1alpha1 170 | kind: Usage 171 | spec: 172 | replayDeletion: true 173 | by: 174 | apiVersion: aws.platform.upbound.io/v1alpha1 175 | kind: XEKS 176 | resourceSelector: 177 | matchControllerRef: true 178 | of: 179 | apiVersion: aws.platform.upbound.io/v1alpha1 180 | kind: XNetwork 181 | resourceSelector: 182 | matchControllerRef: true 183 | 184 | - name: usageXEksByXFlux 185 | base: 186 | apiVersion: apiextensions.crossplane.io/v1alpha1 187 | kind: Usage 188 | spec: 189 | replayDeletion: true 190 | by: 191 | apiVersion: gitops.platform.upbound.io/v1alpha1 192 | kind: XFlux 193 | resourceSelector: 194 | matchControllerRef: true 195 | of: 196 | apiVersion: aws.platform.upbound.io/v1alpha1 197 | kind: XEKS 198 | resourceSelector: 199 | matchControllerRef: true 200 | 201 | - name: usageXEksByXOss 202 | base: 203 | apiVersion: apiextensions.crossplane.io/v1alpha1 204 | kind: Usage 205 | spec: 206 | replayDeletion: true 207 | by: 208 | apiVersion: observe.platform.upbound.io/v1alpha1 209 | kind: XOss 210 | resourceSelector: 211 | matchControllerRef: true 212 | of: 213 | apiVersion: aws.platform.upbound.io/v1alpha1 214 | kind: XEKS 215 | resourceSelector: 216 | matchControllerRef: true 217 | 218 | - name: usageXEksByArbitraryLabeledRelease 219 | base: 220 | apiVersion: apiextensions.crossplane.io/v1alpha1 221 | kind: Usage 222 | spec: 223 | replayDeletion: true 224 | by: 225 | apiVersion: helm.crossplane.io/v1beta1 226 | kind: Release 227 | resourceSelector: 228 | matchLabels: 229 | platform.upbound.io/deletion-ordering: enabled 230 | of: 231 | apiVersion: aws.platform.upbound.io/v1alpha1 232 | kind: XEKS 233 | resourceSelector: 234 | matchControllerRef: true 235 | readinessChecks: 236 | - type: None 237 | 238 | - name: usageXAWSLBControllerByArbitraryLabeledApp 239 | base: 240 | apiVersion: apiextensions.crossplane.io/v1alpha1 241 | kind: Usage 242 | spec: 243 | replayDeletion: true 244 | by: 245 | apiVersion: platform.upbound.io/v1alpha1 246 | kind: XApp 247 | resourceSelector: 248 | matchLabels: 249 | platform.upbound.io/deletion-ordering: enabled 250 | of: 251 | apiVersion: aws.platform.upbound.io/v1alpha1 252 | kind: XAWSLBController 253 | resourceSelector: 254 | matchControllerRef: true 255 | readinessChecks: 256 | - type: None 257 | -------------------------------------------------------------------------------- /apis/pat/definition.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apiextensions.crossplane.io/v1 2 | kind: CompositeResourceDefinition 3 | metadata: 4 | name: xclusters.aws.platformref.upbound.io 5 | spec: 6 | defaultCompositeDeletePolicy: Foreground 7 | group: aws.platformref.upbound.io 8 | names: 9 | kind: XCluster 10 | plural: xclusters 11 | claimNames: 12 | kind: Cluster 13 | plural: clusters 14 | connectionSecretKeys: 15 | - kubeconfig 16 | versions: 17 | - name: v1alpha1 18 | served: true 19 | referenceable: true 20 | schema: 21 | openAPIV3Schema: 22 | type: object 23 | properties: 24 | spec: 25 | type: object 26 | properties: 27 | parameters: 28 | type: object 29 | description: Cluster configuration parameters. 30 | properties: 31 | clusterName: 32 | type: string 33 | description: The name of the cluster on the cloud platform. 34 | id: 35 | type: string 36 | description: ID of this Cluster that other objects will use to refer to it. 37 | region: 38 | type: string 39 | description: Region is the region you'd like your resource to be created in. 40 | iam: 41 | type: object 42 | description: IAM configuration to connect as ClusterAdmin. 43 | properties: 44 | principalArn: 45 | description: The IAM Principal ARN to connect as ClusterAdmin. 46 | type: string 47 | networkSelector: 48 | type: string 49 | description: NetworkSelector employs a specific type of network architecture. 50 | enum: 51 | - basic 52 | deletionPolicy: 53 | description: Delete the external resources when the Claim/XR is deleted. Defaults to Delete 54 | enum: 55 | - Delete 56 | - Orphan 57 | type: string 58 | default: Delete 59 | providerConfigName: 60 | description: Crossplane ProviderConfig to use for provisioning this resources 61 | type: string 62 | default: default 63 | version: 64 | type: string 65 | description: Kubernetes version of the Cluster 66 | enum: 67 | - "1.28" 68 | - "1.27" 69 | - "1.26" 70 | - "1.25" 71 | default: "1.27" 72 | nodes: 73 | type: object 74 | description: Cluster node configuration parameters. 75 | properties: 76 | count: 77 | type: integer 78 | description: Desired node count, from 1 to 100. 79 | instanceType: 80 | type: string 81 | description: instance types associated with the Node Group. 82 | default: t3.small 83 | required: 84 | - count 85 | - instanceType 86 | operators: 87 | description: Configuration for operators. 88 | type: object 89 | default: 90 | flux: 91 | version: "2.10.6" 92 | flux-sync: 93 | version: "1.7.2" 94 | prometheus: 95 | version: "52.1.0" 96 | properties: 97 | flux: 98 | description: Configuration for the Flux GitOps operator. 99 | type: object 100 | properties: 101 | version: 102 | description: flux helm-chart version to run. 103 | type: string 104 | default: "2.10.6" 105 | required: 106 | - version 107 | flux-sync: 108 | description: Configuration for the Flux Sync Helm-Chart. 109 | type: object 110 | properties: 111 | version: 112 | description: flux sync helm-chart version to run. 113 | type: string 114 | default: "1.7.2" 115 | required: 116 | - version 117 | prometheus: 118 | description: Configuration for the Prometheus Helm-Chart. 119 | type: object 120 | properties: 121 | version: 122 | description: prometheus helm-chart version to run. 123 | type: string 124 | default: "52.1.0" 125 | required: 126 | - version 127 | gitops: 128 | description: GitOps configure gitops system 129 | type: object 130 | properties: 131 | git: 132 | type: object 133 | properties: 134 | interval: 135 | default: "5m0s" 136 | description: Interval at which the GitRepository URL is checked for 137 | updates. This interval is approximate and may be subject to jitter 138 | to ensure efficient use of resources. 139 | pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ 140 | type: string 141 | timeout: 142 | default: "60s" 143 | description: Timeout for Git operations like cloning, defaults to 144 | 60s. 145 | pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m))+$ 146 | type: string 147 | url: 148 | description: URL specifies the Git repository URL, it can be an HTTP/S 149 | or SSH address. 150 | pattern: ^(http|https|ssh)://.*$ 151 | type: string 152 | path: 153 | type: string 154 | default: "/" 155 | ref: 156 | description: Reference specifies the Git reference to resolve and 157 | monitor for changes. 158 | type: object 159 | properties: 160 | name: 161 | description: "Name of the reference to check out; takes precedence 162 | over Branch, Tag and SemVer. \n It must be a valid Git reference: 163 | https://git-scm.com/docs/git-check-ref-format#_description Examples: 164 | \"refs/heads/main\", \"refs/tags/v0.1.0\", \"refs/pull/420/head\", 165 | \"refs/merge-requests/1/head\"" 166 | type: string 167 | required: 168 | - interval 169 | - timeout 170 | - url 171 | - path 172 | - ref 173 | required: 174 | - git 175 | required: 176 | - deletionPolicy 177 | - gitops 178 | - id 179 | - nodes 180 | - operators 181 | - providerConfigName 182 | - region 183 | required: 184 | - parameters 185 | status: 186 | type: object 187 | properties: 188 | clusterName: 189 | type: string 190 | subnetIds: 191 | type: array 192 | items: 193 | type: string 194 | -------------------------------------------------------------------------------- /crossplane.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: meta.pkg.crossplane.io/v1alpha1 2 | kind: Configuration 3 | metadata: 4 | name: platform-ref-aws 5 | annotations: 6 | meta.crossplane.io/maintainer: Upbound 7 | meta.crossplane.io/source: github.com/upbound/platform-ref-aws 8 | meta.crossplane.io/license: Apache-2.0 9 | meta.crossplane.io/description: | 10 | This reference platform Configuration for Kubernetes and Data Services 11 | is a starting point to build, run, and operate your own internal cloud 12 | platform and offer a self-service console and API to your internal teams. 13 | 14 | meta.crossplane.io/readme: | 15 | This reference platform `Configuration` for Kubernetes and Data Services 16 | is a starting point to build, run, and operate your own internal cloud 17 | platform and offer a self-service console and API to your internal teams. 18 | It provides platform APIs to provision fully configured EKS clusters, 19 | with secure networking, and stateful cloud services (RDS) designed to 20 | securely connect to the nodes in each EKS cluster -- all composed using 21 | cloud service primitives from the [Upbound Official AWS 22 | Provider](https://marketplace.upbound.io/providers/upbound/provider-aws). App 23 | deployments can securely connect to the infrastructure they need using 24 | secrets distributed directly to the app namespace. 25 | 26 | To learn more checkout the [GitHub 27 | repo](https://github.com/upbound/platform-ref-aws/) that you can copy and 28 | customize to meet the exact needs of your organization! 29 | spec: 30 | crossplane: 31 | version: ">=v1.14.1-0" 32 | dependsOn: 33 | - configuration: xpkg.upbound.io/upbound/configuration-aws-lb-controller 34 | # renovate: datasource=github-releases depName=upbound/configuration-aws-lb-controller 35 | version: "v0.3.0" 36 | - configuration: xpkg.upbound.io/upbound/configuration-aws-network 37 | # renovate: datasource=github-releases depName=upbound/configuration-aws-network 38 | version: "v0.23.0" 39 | - configuration: xpkg.upbound.io/upbound/configuration-aws-database 40 | # renovate: datasource=github-releases depName=upbound/configuration-aws-database 41 | version: "v0.15.0" 42 | - configuration: xpkg.upbound.io/upbound/configuration-aws-eks 43 | # renovate: datasource=github-releases depName=upbound/configuration-aws-eks 44 | version: "v0.16.0" 45 | - configuration: xpkg.upbound.io/upbound/configuration-app 46 | # renovate: datasource=github-releases depName=upbound/configuration-app 47 | version: "v0.11.0" 48 | - configuration: xpkg.upbound.io/upbound/configuration-observability-oss 49 | # renovate: datasource=github-releases depName=upbound/configuration-observability-oss 50 | version: "v0.9.0" 51 | - configuration: xpkg.upbound.io/upbound/configuration-gitops-flux 52 | # renovate: datasource=github-releases depName=upbound/configuration-gitops-flux 53 | version: "v0.10.0" 54 | - function: xpkg.upbound.io/crossplane-contrib/function-patch-and-transform 55 | # renovate: datasource=github-releases depName=crossplane-contrib/function-patch-and-transform 56 | version: "v0.8.2" 57 | -------------------------------------------------------------------------------- /examples/app-claim.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: platform.upbound.io/v1alpha1 2 | kind: App 3 | metadata: 4 | name: platform-ref-aws-ghost 5 | namespace: default 6 | labels: 7 | platform.upbound.io/deletion-ordering: enabled 8 | spec: 9 | compositeDeletePolicy: Foreground 10 | parameters: 11 | helm: 12 | values: 13 | ingress: 14 | annotations: 15 | alb.ingress.kubernetes.io/scheme: internet-facing 16 | alb.ingress.kubernetes.io/target-type: ip 17 | enabled: true 18 | ingressClassName: alb 19 | service: 20 | type: ClusterIP 21 | wait: true 22 | providerConfigName: platform-ref-aws 23 | passwordSecretRef: 24 | namespace: default 25 | name: platform-ref-aws-db-conn-mariadb 26 | writeConnectionSecretToRef: 27 | name: platform-ref-aws-ghost-conn 28 | -------------------------------------------------------------------------------- /examples/aws-default-provider.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: aws.upbound.io/v1beta1 2 | kind: ProviderConfig 3 | metadata: 4 | name: default 5 | spec: 6 | credentials: 7 | source: Secret 8 | secretRef: 9 | namespace: upbound-system 10 | name: aws-creds 11 | key: credentials 12 | -------------------------------------------------------------------------------- /examples/cluster-claim.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: aws.platformref.upbound.io/v1alpha1 2 | kind: Cluster 3 | metadata: 4 | annotations: 5 | render.crossplane.io/composition-path: apis/pat/composition.yaml 6 | render.crossplane.io/function-path: examples/functions.yaml 7 | name: platform-ref-aws 8 | namespace: default 9 | labels: 10 | platform.upbound.io/deletion-ordering: enabled 11 | spec: 12 | compositeDeletePolicy: Foreground 13 | parameters: 14 | id: platform-ref-aws 15 | region: us-west-2 16 | version: "1.27" 17 | #iam: 18 | # replace with your custom arn like: 19 | # principalArn: arn:aws:iam::123456789:role/AWSReservedSSO_AdministratorAccess_d703c73ed340fde7 20 | nodes: 21 | count: 3 22 | instanceType: t3.small 23 | gitops: 24 | git: 25 | url: https://github.com/upbound/platform-ref-aws/ 26 | ref: 27 | # refs/heads/main 28 | # refs/tags/v0.1.0 29 | # refs/pull/420/head 30 | # refs/merge-requests/1/head 31 | name: refs/heads/main 32 | writeConnectionSecretToRef: 33 | name: platform-ref-aws-kubeconfig 34 | -------------------------------------------------------------------------------- /examples/configuration.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: pkg.crossplane.io/v1 2 | kind: Configuration 3 | metadata: 4 | name: platform-ref-aws 5 | spec: 6 | package: xpkg.upbound.io/upbound/platform-ref-aws:v1.4.0 7 | -------------------------------------------------------------------------------- /examples/functions.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: pkg.crossplane.io/v1beta1 2 | kind: Function 3 | metadata: 4 | name: crossplane-contrib-function-patch-and-transform 5 | spec: 6 | package: xpkg.upbound.io/crossplane-contrib/function-patch-and-transform:v0.9.0 7 | -------------------------------------------------------------------------------- /examples/mariadb-claim.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: aws.platform.upbound.io/v1alpha1 2 | kind: SQLInstance 3 | metadata: 4 | name: platform-ref-aws-db-mariadb 5 | namespace: default 6 | spec: 7 | parameters: 8 | region: us-west-2 9 | engine: mariadb 10 | engineVersion: "10.6.19" 11 | storageGB: 5 12 | autoGeneratePassword: true 13 | passwordSecretRef: 14 | namespace: default 15 | name: mariadbsecret 16 | key: password 17 | networkRef: 18 | id: platform-ref-aws 19 | writeConnectionSecretToRef: 20 | name: platform-ref-aws-db-conn-mariadb 21 | -------------------------------------------------------------------------------- /examples/postgres-claim.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: aws.platform.upbound.io/v1alpha1 2 | kind: SQLInstance 3 | metadata: 4 | name: platform-ref-aws-db-postgres 5 | namespace: default 6 | spec: 7 | parameters: 8 | region: us-west-2 9 | engine: postgres 10 | engineVersion: "13.7" 11 | storageGB: 5 12 | passwordSecretRef: 13 | namespace: default 14 | name: psqlsecret 15 | key: password 16 | networkRef: 17 | id: platform-ref-aws 18 | writeConnectionSecretToRef: 19 | name: platform-ref-aws-db-conn-postgres 20 | --- 21 | apiVersion: v1 22 | data: 23 | password: dXBiMHVuZHIwY2s1ITMxMzM3 24 | kind: Secret 25 | metadata: 26 | name: psqlsecret 27 | namespace: default 28 | type: Opaque 29 | -------------------------------------------------------------------------------- /project.mk: -------------------------------------------------------------------------------- 1 | PROJECT_NAME := platform-ref-aws 2 | UPTEST_INPUT_MANIFESTS := examples/cluster-claim.yaml,examples/mariadb-claim.yaml,examples/app-claim.yaml 3 | UPTEST_SKIP_IMPORT := true 4 | UPTEST_SKIP_UPDATE := true 5 | UPTEST_DEFAULT_TIMEOUT = 3600s 6 | -------------------------------------------------------------------------------- /test/setup.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | set -aeuo pipefail 3 | 4 | echo "Running setup.sh" 5 | echo "Waiting until all configuration packages are healthy/installed..." 6 | "${KUBECTL}" wait configuration.pkg --all --for=condition=Healthy --timeout 5m 7 | "${KUBECTL}" wait configuration.pkg --all --for=condition=Installed --timeout 5m 8 | "${KUBECTL}" wait configurationrevisions.pkg --all --for=condition=Healthy --timeout 5m 9 | 10 | echo "Creating cloud credential secret..." 11 | "${KUBECTL}" -n upbound-system create secret generic aws-creds --from-literal=credentials="${UPTEST_CLOUD_CREDENTIALS}" \ 12 | --dry-run=client -o yaml | "${KUBECTL}" apply -f - 13 | 14 | echo "Waiting until all installed provider packages are healthy..." 15 | "${KUBECTL}" wait provider.pkg --all --for condition=Healthy --timeout 5m 16 | 17 | echo "Waiting for all pods to come online..." 18 | "${KUBECTL}" -n upbound-system wait --for=condition=Available deployment --all --timeout=5m 19 | 20 | echo "Waiting for all XRDs to be established..." 21 | "${KUBECTL}" wait xrd --all --for condition=Established 22 | 23 | echo "Creating a default provider config..." 24 | cat <