Skip to content

Instantly share code, notes, and snippets.

@moolen

moolen/eks-import.yaml

Last active November 5, 2023 21:58
Show Gist options
  • Save moolen/464917c00b34359df722680c9c0166f7 to your computer and use it in GitHub Desktop.
Save moolen/464917c00b34359df722680c9c0166f7 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
eks-import.yaml
apiVersion: eks.aws.upbound.io/v1beta1
kind: Cluster
metadata:
name: mj-eso
namespace: default
annotations:
crossplane.io/external-name: mj-eso
spec:
forProvider:
region: eu-central-1
managementPolicies: ["Observe"]
---
apiVersion: ec2.aws.upbound.io/v1beta1
kind: Subnet
metadata:
name: subnet-1
annotations:
crossplane.io/external-name: subnet-0cf3034a523ce87ab
spec:
forProvider:
region: eu-central-1
managementPolicies: ["Observe"]
---
apiVersion: iam.aws.upbound.io/v1beta1
kind: Role
metadata:
name: node-role
annotations:
crossplane.io/external-name: example-eks-node-group-20231105213352012800000007
spec:
forProvider: {}
managementPolicies: ["Observe"]
Raw
funcs.yaml
apiVersion: pkg.crossplane.io/v1beta1
kind: Function
metadata:
name: function-patch-and-transform
spec:
package: xpkg.upbound.io/crossplane-contrib/function-patch-and-transform:v0.2.1
---
apiVersion: pkg.crossplane.io/v1beta1
kind: Function
metadata:
name: function-go-templating
spec:
package: xpkg.upbound.io/crossplane-contrib/function-go-templating:v0.2.2
---
apiVersion: pkg.crossplane.io/v1beta1
kind: Function
metadata:
name: function-auto-ready
spec:
package: xpkg.upbound.io/crossplane-contrib/function-auto-ready:v0.2.1
---
Raw
images
image: xpkg.upbound.io/crossplane-contrib/function-auto-ready:v0.2.1
image: xpkg.upbound.io/crossplane-contrib/function-go-templating:v0.2.2
image: xpkg.upbound.io/crossplane-contrib/function-patch-and-transform:v0.2.1
image: xpkg.upbound.io/crossplane/crossplane:v1.14.0
image: xpkg.upbound.io/upbound/provider-aws-ec2:v0.43.1
image: xpkg.upbound.io/upbound/provider-aws-eks:v0.43.1
image: xpkg.upbound.io/upbound/provider-aws-iam:v0.43.1
image: xpkg.upbound.io/upbound/provider-aws-s3:v0.37.0
image: xpkg.upbound.io/upbound/provider-family-aws:v0.43.1
Raw
irsa-composition.yaml
# also see awslabs IRSA implementation:
# https://github.com/awslabs/crossplane-on-eks/tree/main/compositions/upbound-aws-provider/irsa
apiVersion: apiextensions.crossplane.io/v1
kind: Composition
metadata:
name: irsa
spec:
compositeTypeRef:
apiVersion: iam.foo.tech/v1alpha1
kind: IRSA
mode: Pipeline
pipeline:
- step: create-role
functionRef:
name: function-go-templating
input:
apiVersion: gotemplating.fn.crossplane.io/v1beta1
kind: GoTemplate
source: Inline
inline:
template: |
apiVersion: iam.aws.upbound.io/v1beta1
kind: Role
metadata:
name: irsa-role
annotations:
gotemplating.fn.crossplane.io/composition-resource-name: "irsarole"
gotemplating.fn.crossplane.io/ready: "True"
spec:
{{- $resource := .observed.composite.resource }}
{{- $spec := $resource.spec }}
forProvider:
description: "IAM Role for IRSA"
assumeRolePolicy: |
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::{{ $spec.accountID }}:oidc-provider/{{ $spec.oidcProvider }}"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"{{ $spec.oidcProvider }}:sub": "system:serviceaccount:{{ $spec.serviceAccountRef.namespace }}:{{ $spec.serviceAccountRef.name }}",
"{{ $spec.oidcProvider }}:aud": "sts.amazonaws.com"
}
}
}
]
}
inlinePolicy:
- name: "irsa-{{ $resource.metadata.name }}"
policy: {{ printf "%#v" $spec.policy }}
providerConfigRef:
name: "{{ $spec.providerConfigRef }}"
- step: patch-and-transform
functionRef:
name: function-patch-and-transform
input:
apiVersion: pt.fn.crossplane.io/v1beta1
kind: Resources
resources:
- name: irsarole
patches:
- type: ToCompositeFieldPath
fromFieldPath: "status.atProvider.id"
toFieldPath: "status.roleId"
- step: automatically-detect-readiness
functionRef:
name: function-auto-ready
Raw
irsa-xr.yaml
apiVersion: iam.foo.tech/v1alpha1
kind: IRSA
metadata:
name: my-irsa-role
namespace: "default"
spec:
accountID: "XXXXXXXXXXXXXX"
oidcProvider: "oidc.eks.eu-central-1.amazonaws.com/id/XXXXXXXXXXXXXXXXXXX"
providerConfigRef: "default"
serviceAccountRef:
name: "my-irsa"
namespace: "default"
policy: |
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::my-pod-secrets-bucket"
}
]
}
Raw
irsa-xrd.yaml
apiVersion: apiextensions.crossplane.io/v1
kind: CompositeResourceDefinition
metadata:
name: irsas.iam.foo.tech
spec:
group: iam.foo.tech
names:
kind: IRSA
plural: irsas
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
type: object
properties:
spec:
type: object
properties:
debug:
type: string
accountID:
type: string
oidcProvider:
type: string
providerConfigRef:
type: string
serviceAccountRef:
type: object
properties:
name:
type: string
namespace:
type: string
required:
- name
policy:
type: string
required:
- accountID
- oidcProvider
- serviceAccountRef
- policy
status:
type: object
properties:
roleId:
type: string
served: true
referenceable: true
claimNames:
kind: IRSAClaim
plural: irsasclaim
Raw
node-group.yaml
apiVersion: eks.aws.upbound.io/v1beta1
kind: NodeGroup
metadata:
name: "new-ng"
spec:
forProvider:
region: eu-central-1
amiType: AL2_x86_64
scalingConfig:
- desiredSize: 1
maxSize: 1
minSize: 1
instanceTypes:
- t3.medium
clusterNameRef:
name: mj-eso
diskSize: 100
subnetIdRefs:
- name: subnet-1
nodeRoleArnRef:
name: node-role
labels:
foo: bar
Raw
provider-aws.yaml
apiVersion: pkg.crossplane.io/v1
kind: Provider
metadata:
name: provider-aws
spec:
package: xpkg.upbound.io/upbound/provider-aws:v0.43.1
---
apiVersion: pkg.crossplane.io/v1
kind: Provider
metadata:
name: provider-aws-eks
spec:
package: xpkg.upbound.io/upbound/provider-aws-eks:v0.43.1
---
apiVersion: pkg.crossplane.io/v1
kind: Provider
metadata:
name: provider-aws-ec2
spec:
package: xpkg.upbound.io/upbound/provider-aws-ec2:v0.43.1
---
apiVersion: pkg.crossplane.io/v1
kind: Provider
metadata:
name: provider-aws-iam
spec:
package: xpkg.upbound.io/upbound/provider-aws-iam:v0.43.1
---
Raw
quickstart.sh
helm repo add \
crossplane-stable https://charts.crossplane.io/stable
helm repo update
helm upgrade --install crossplane \
crossplane-stable/crossplane \
--namespace crossplane-system \
--create-namespace \
--set "args={--enable-environment-configs}"
kubectl create secret \
generic aws-secret \
-n crossplane-system \
--from-file=creds=./aws-credentials.txt || true
cat <<EOF | kubectl apply -f -
apiVersion: pkg.crossplane.io/v1
kind: Provider
metadata:
name: provider-aws-s3
spec:
package: xpkg.upbound.io/upbound/provider-aws-s3:v0.37.0
EOF
cat <<EOF | kubectl apply -f -
apiVersion: aws.upbound.io/v1beta1
kind: ProviderConfig
metadata:
name: default
spec:
credentials:
source: Secret
secretRef:
namespace: crossplane-system
name: aws-secret
key: creds
EOF
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment