diff --git a/bootstrap/eksctl/eksctl-fargate.yaml b/bootstrap/eksctl/eksctl-fargate.yaml
index de3aab5f..46da0894 100644
--- a/bootstrap/eksctl/eksctl-fargate.yaml
+++ b/bootstrap/eksctl/eksctl-fargate.yaml
@@ -16,3 +16,5 @@ fargateProfiles:
 - namespace: crossplane-system
 iam:
 withOIDC: true
+addons:
+ - name: eks-pod-identity-agent # required for `iam.podIdentityAssociations`
\ No newline at end of file
diff --git a/bootstrap/eksctl/eksctl.yaml b/bootstrap/eksctl/eksctl.yaml
index ea767689..a6662b8f 100644
--- a/bootstrap/eksctl/eksctl.yaml
+++ b/bootstrap/eksctl/eksctl.yaml
@@ -14,3 +14,5 @@ managedNodeGroups:
 maxSize: 3
 iam:
 withOIDC: true
+addons:
+ - name: eks-pod-identity-agent # required for `iam.podIdentityAssociations`
\ No newline at end of file
diff --git a/bootstrap/terraform/README.md b/bootstrap/terraform/README.md
index 87dd42ff..ed95ba52 100644
--- a/bootstrap/terraform/README.md
+++ b/bootstrap/terraform/README.md
@@ -152,7 +152,7 @@ echo "$(kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.
 
 1. Remove crossplane providers by running
 ```bash
-terraform apply --var enable_upbound_aws_provider=false --var enable_aws_provider=false --var enable_kubernetes_provider=false --var enable_helm_provider=false
+terraform apply --var enable_upjet_aws_provider=false --var enable_aws_provider=false --var enable_kubernetes_provider=false --var enable_helm_provider=false
 ```
 
 1. Run `kubectl get providers` to validate all providers were removed. If any left, remove using `kubectl delete providers `
diff --git a/bootstrap/terraform/config/environmentconfig.yaml b/bootstrap/terraform/config/environmentconfig.yaml
index fa838164..873b4157 100644
--- a/bootstrap/terraform/config/environmentconfig.yaml
+++ b/bootstrap/terraform/config/environmentconfig.yaml
@@ -6,3 +6,6 @@ data:
 awsAccountID: "${awsAccountID}"
 eksOIDC: ${eksOIDC}
 vpcID: ${vpcID}
+ region: ${region}
+ clusterName: ${clusterName}
+ 
\ No newline at end of file
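Review bot: The eks-pod-identity-agent addon added to eksctl-fargate.yaml only helps pods that land on EC2 nodes — EKS Pod Identity is not available to pods scheduled on Fargate (the agent runs as a node DaemonSet), so a workload placed by a Fargate profile cannot use a `podIdentityAssociation` even though the addon is installed. If this file bootstraps a Fargate-only cluster the new s3-podidentity example will not work there and the IRSA example is the only option; if it is a mixed cluster, that constraint should be stated. Suggest extending the comment on the addon line: `# required for iam.podIdentityAssociations; Pod Identity is not supported for pods running on Fargate`. Neither eksctl file pins the addon `version`, so eksctl resolves one at cluster-creation time; pin it if reproducible bootstraps matter.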
diff --git a/bootstrap/terraform/destroy.sh b/bootstrap/terraform/destroy.sh
new file mode 100755
index 00000000..2189068b
--- /dev/null
+++ b/bootstrap/terraform/destroy.sh
@@ -0,0 +1,5 @@
+terraform destroy -target="module.crossplane" -auto-approve
+terraform destroy -target="module.gatekeeper" -auto-approve
+terraform destroy -target="module.eks_blueprints_addons" -auto-approve
+terraform destroy -target="module.eks" -auto-approve
+terraform destroy -auto-approve
\ No newline at end of file
diff --git a/bootstrap/terraform/main.tf b/bootstrap/terraform/main.tf
index ee6bea6f..605c87b8 100644
--- a/bootstrap/terraform/main.tf
+++ b/bootstrap/terraform/main.tf
@@ -115,6 +115,9 @@ module "eks" {
 vpc-cni = {
 most_recent = true
 }
+ eks-pod-identity-agent = {
+ most_recent = true
+ }
 }
 
 # for production cluster, add a node group for add-ons that should not be inerrupted such as coredns
@@ -220,6 +223,8 @@ resource "kubectl_manifest" "environmentconfig" {
 awsAccountID = data.aws_caller_identity.current.account_id
 eksOIDC = module.eks.oidc_provider
 vpcID = module.vpc.vpc_id
+ region = local.region
+ clusterName = local.name
 })
 
 depends_on = [module.crossplane]
@@ -250,7 +255,8 @@ locals {
 "vpc",
 "apigateway",
 "cloudwatch",
- "cloudwatchlogs"
+ "cloudwatchlogs",
+ "eks"
 ]
 }
 
diff --git a/compositions/upbound-aws-provider/podidentity-role/definition.yaml b/compositions/upbound-aws-provider/podidentity-role/definition.yaml
new file mode 100644
index 00000000..44348732
--- /dev/null
+++ b/compositions/upbound-aws-provider/podidentity-role/definition.yaml
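Review bot: destroy.sh has no shebang (although it is committed as mode 100755) and no `set -euo pipefail`, so a failed targeted destroy does not stop the script and the final unconditional `terraform destroy -auto-approve` still runs against whatever state is left, with no prompt. Add `#!/usr/bin/env bash` and `set -euo pipefail` as the first two lines so each step must succeed before the next runs. Because the script tears down the EKS cluster and VPC, consider also dropping `-auto-approve` from the last command or gating the script on an explicit `CONFIRM_DESTROY=yes` variable, so it cannot be run by accident from the wrong workspace. A short header comment explaining why the ordering matters (Crossplane-managed resources must go before the cluster that hosts the providers) would help the next maintainer, since each `-target` run also emits Terraform's targeted-apply warning.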
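Review bot: Adding `"eks"` to the provider-family list in `locals` installs the Upbound EKS provider that the new `PodIdentityAssociation` managed resource needs, but nothing in this diff extends the IAM permissions of the Crossplane provider identity — per the AWS docs, creating an association needs the `eks:*PodIdentityAssociation*` actions plus `iam:PassRole` on the target role, so if the provider's policy (not visible here) is scoped per service the association will fail with AccessDenied. Please confirm the provider role covers those actions, or record the requirement next to the new entry: `"eks" # PodIdentityAssociation; provider role needs eks:*PodIdentityAssociation* and iam:PassRole`. The `locals` block starts outside this hunk.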
@@ -0,0 +1,58 @@
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+apiVersion: apiextensions.crossplane.io/v1
+kind: CompositeResourceDefinition
+metadata:
+ name: xpodidentityroles.awsblueprints.io
+spec:
+ claimNames:
+ kind: PodIdentityRole
+ plural: podidentityroles
+ group: awsblueprints.io
+ names:
+ kind: xPodIdentityRole
+ plural: xpodidentityroles
+ versions:
+ - name: v1alpha1
+ served: true
+ referenceable: true
+ schema:
+ openAPIV3Schema:
+ description: Schema for the podidentity role API
+ properties:
+ spec:
+ description: defines the desired state of PodIdentityRole
+ properties:
+ managedPolicyArns:
+ items:
+ type: string
+ type: array
+ inlinePolicy:
+ type: string
+ inlinePolicyName:
+ type: string
+ default: default
+ permissionsBoundaryArn:
+ type: string
+ resourceConfig:
+ description: ResourceConfig defines general properties of this AWS
+ resource.
+ properties:
+ providerConfigName:
+ type: string
+ region:
+ type: string
+ required:
+ - providerConfigName
+ type: object
+ required:
+ - resourceConfig
+ type: object
+ status:
+ description: Status defines the observed state of PodIdentityRole
+ properties:
+ roleArn:
+ type: string
+ type: object
+ type: object
diff --git a/compositions/upbound-aws-provider/podidentity-role/kustomization.yaml b/compositions/upbound-aws-provider/podidentity-role/kustomization.yaml
new file mode 100644
index 00000000..c381afd2
--- /dev/null
+++ b/compositions/upbound-aws-provider/podidentity-role/kustomization.yaml
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- definition.yaml
+- podidentity-role.yaml
+
diff --git a/compositions/upbound-aws-provider/podidentity-role/podidentity-role.yaml b/compositions/upbound-aws-provider/podidentity-role/podidentity-role.yaml
new file mode 100644
index 00000000..efe8edff
--- /dev/null
+++ b/compositions/upbound-aws-provider/podidentity-role/podidentity-role.yaml
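Review bot: The XRD lets any author of a namespaced `PodIdentityRole` claim supply a free-form `inlinePolicy` document and arbitrary `managedPolicyArns` while `permissionsBoundaryArn` stays optional, so a tenant who can create claims can mint a role carrying, for example, `arn:aws:iam::aws:policy/AdministratorAccess`, bounded only by what the Crossplane provider credentials themselves may do. At minimum the schema should say so: add `description: IAM policy JSON attached inline and granted verbatim; restrict who may create these claims` on `inlinePolicy`, and constrain `managedPolicyArns` items with `pattern: '^arn:aws[a-z-]*:iam::(aws|[0-9]{12}):policy/.+$'`. For shared clusters consider making `permissionsBoundaryArn` required, or having the composition set it from the `cluster` EnvironmentConfig, so the boundary cannot be left off. Separately, `inlinePolicyName` defaults to `default` but `inlinePolicy` has neither a default nor a `required` entry, so a claim that omits `inlinePolicy` presumably yields `inlinePolicy[0]` with a name and no document, which the provider will likely reject — either require `inlinePolicy` or drop the name default.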
@@ -0,0 +1,60 @@
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+apiVersion: apiextensions.crossplane.io/v1
+kind: Composition
+metadata:
+ name: xpodidentityrole-composition
+spec:
+ compositeTypeRef:
+ apiVersion: awsblueprints.io/v1alpha1
+ kind: xPodIdentityRole
+ patchSets:
+ - name: common-fields-composition
+ patches:
+ - type: FromCompositeFieldPath
+ fromFieldPath: spec.resourceConfig.providerConfigName
+ toFieldPath: spec.providerConfigRef.name
+ resources:
+ - name: iam-role
+ base:
+ apiVersion: iam.aws.upbound.io/v1beta1
+ kind: Role
+ spec:
+ forProvider:
+ assumeRolePolicy: |
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "AllowEksAuthToAssumeRoleForPodIdentity",
+ "Effect": "Allow",
+ "Principal": {
+ "Service": "pods.eks.amazonaws.com"
+ },
+ "Action": [
+ "sts:AssumeRole",
+ "sts:TagSession"
+ ]
+ }
+ ]
+ }
+ patches:
+ - type: PatchSet
+ patchSetName: common-fields-composition
+ - type: FromCompositeFieldPath
+ fromFieldPath: spec.inlinePolicy
+ toFieldPath: spec.forProvider.inlinePolicy[0].policy
+ - type: FromCompositeFieldPath
+ fromFieldPath: spec.inlinePolicyName
+ toFieldPath: spec.forProvider.inlinePolicy[0].name
+ - type: FromCompositeFieldPath
+ fromFieldPath: spec.managedPolicyArns
+ toFieldPath: spec.forProvider.managedPolicyArns
+ - type: FromCompositeFieldPath
+ fromFieldPath: spec.permissionsBoundaryArn
+ toFieldPath: spec.forProvider.permissionsBoundary
+ - type: ToCompositeFieldPath
+ fromFieldPath: status.atProvider.arn
+ toFieldPath: status.roleArn
+ 
\ No newline at end of file
diff --git a/compositions/upbound-aws-provider/s3-irsa/definition.yaml b/compositions/upbound-aws-provider/s3-access/irsa/definition.yaml
similarity index 98%
rename from compositions/upbound-aws-provider/s3-irsa/definition.yaml
rename to compositions/upbound-aws-provider/s3-access/irsa/definition.yaml
index fb034d10..008df6e8 100644
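Review bot: The trust policy in `assumeRolePolicy` lets `pods.eks.amazonaws.com` assume the role with no `Condition`, so it is not scoped to this account or cluster. Scoping it — for example adding `"Condition": {"StringEquals": {"aws:SourceAccount": "<account-id>"}}` to the statement, with the account id patched in from the `cluster` EnvironmentConfig's `awsAccountID` via a `CombineFromEnvironment` patch rather than hardcoded — is the usual confused-deputy defence for service-principal trust; confirm in the current AWS Pod Identity docs which global condition keys (`aws:SourceAccount`/`aws:SourceArn`) this principal populates before relying on them. A comment on the base would also help readers: `# trust policy is identical for every role; permissions come only from the inlinePolicy / managedPolicyArns patched below`. The file ends with a whitespace-only line and no trailing newline; drop that line.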
--- a/compositions/upbound-aws-provider/s3-irsa/definition.yaml
+++ b/compositions/upbound-aws-provider/s3-access/irsa/definition.yaml
@@ -52,7 +52,7 @@ spec:
 type: object
 required:
 - providerConfigName
- - region
+ # - region
 type: object
 serviceAccountName:
 type: string
diff --git a/compositions/upbound-aws-provider/s3-irsa/s3-irsa.yaml b/compositions/upbound-aws-provider/s3-access/irsa/s3-irsa.yaml
similarity index 90%
rename from compositions/upbound-aws-provider/s3-irsa/s3-irsa.yaml
rename to compositions/upbound-aws-provider/s3-access/irsa/s3-irsa.yaml
index c87174ba..b3fd3a16 100644
--- a/compositions/upbound-aws-provider/s3-irsa/s3-irsa.yaml
+++ b/compositions/upbound-aws-provider/s3-access/irsa/s3-irsa.yaml
@@ -12,6 +12,16 @@ metadata:
 awsblueprints.io/provider: aws
 awsblueprints.io/environment: dev
 spec:
+ environment:
+ environmentConfigs:
+ - type: Reference
+ ref:
+ name: cluster
+ patches:
+ - type: ToCompositeFieldPath
+ fromFieldPath: region
+ toFieldPath: spec.resourceConfig.region
+
 writeConnectionSecretsToNamespace: crossplane-system
 compositeTypeRef:
 apiVersion: awsblueprints.io/v1alpha1
diff --git a/compositions/upbound-aws-provider/s3-access/kustomization.yaml b/compositions/upbound-aws-provider/s3-access/kustomization.yaml
new file mode 100644
index 00000000..0bb3f3a0
--- /dev/null
+++ b/compositions/upbound-aws-provider/s3-access/kustomization.yaml
@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ./podidentity/definition.yaml
+- ./podidentity/s3-podidentity.yaml
+- ./irsa/definition.yaml
+- ./irsa/s3-irsa.yaml
+
+
diff --git a/compositions/upbound-aws-provider/s3-access/podidentity/definition.yaml b/compositions/upbound-aws-provider/s3-access/podidentity/definition.yaml
new file mode 100644
index 00000000..4001b8ee
--- /dev/null
+++ b/compositions/upbound-aws-provider/s3-access/podidentity/definition.yaml
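Review bot: In `irsa/definition.yaml` the `- region` entry under `required` is commented out rather than deleted, and in `s3-irsa.yaml` the new environment patch writes the `cluster` EnvironmentConfig's `region` into `spec.resourceConfig.region` — so `region` is now effectively composition-supplied, yet the XRD still advertises it as a claim field with no hint that a claim-provided value appears to be overwritten on every reconcile. Delete the commented line and document the field instead: `region: {type: string, description: Populated from the "cluster" EnvironmentConfig; a value set on the claim is not honoured}`. If the EnvironmentConfig lacks `region` the patch is skipped silently and the bucket is requested with no region; setting `policy: {fromFieldPath: Required}` on that patch (if the Crossplane version in use honours it for environment patches) would surface the misconfiguration as a condition instead. The enclosing `resourceConfig` schema starts outside the first hunk.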
@@ -0,0 +1,71 @@
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+apiVersion: apiextensions.crossplane.io/v1
+kind: CompositeResourceDefinition
+metadata:
+ name: xs3podidentities.awsblueprints.io
+spec:
+ claimNames:
+ kind: S3PodIdentityclaim
+ plural: s3prodidentityclaims
+ group: awsblueprints.io
+ names:
+ kind: xS3PodIdentity
+ plural: xs3podidentities
+ versions:
+ - name: v1alpha1
+ served: true
+ referenceable: true
+ schema:
+ openAPIV3Schema:
+ description: S3PODIDENTITY is the Schema for the s3podidentity API
+ properties:
+ spec:
+ description: S3PODIDENTITYSpec defines the desired state of S3PODIDENTITY
+ properties:
+ policyArns:
+ items:
+ type: string
+ type: array
+ resourceConfig:
+ description: ResourceConfig defines general properties of this AWS
+ resource.
+ properties:
+ region:
+ type: string
+ deletionPolicy:
+ description: Defaults to Delete
+ enum:
+ - Delete
+ - Orphan
+ type: string
+ name:
+ description: Set the name of this resource in AWS to the value
+ provided by this field.
+ type: string
+ providerConfigName:
+ type: string
+ tags:
+ additionalProperties:
+ type: string
+ type: object
+ required:
+ - providerConfigName
+ type: object
+ required:
+ - resourceConfig
+ type: object
+ status:
+ description: defines the observed state of S3 PodIdentity
+ properties:
+ serviceAccountName:
+ type: string
+ bucketArn:
+ type: string
+ roleName:
+ type: string
+ roleArn:
+ type: string
+ type: object
+ type: object
diff --git a/compositions/upbound-aws-provider/s3-irsa/kustomization.yaml b/compositions/upbound-aws-provider/s3-access/podidentity/kustomization.yaml
similarity index 79%
rename from compositions/upbound-aws-provider/s3-irsa/kustomization.yaml
rename to compositions/upbound-aws-provider/s3-access/podidentity/kustomization.yaml
index 71bc8e41..5177f2d1 100644
--- a/compositions/upbound-aws-provider/s3-irsa/kustomization.yaml
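Review bot: `claimNames.plural` is misspelled as `s3prodidentityclaims` (prod, not pod), and that string becomes the resource name users type in `kubectl get s3prodidentityclaims`; change it to `plural: s3podidentityclaims` before this XRD is installed anywhere, because a CRD's plural cannot be changed in place later. The spec also declares `policyArns`, but the `xs3podidentity-composition` in this same change never patches it, so a claim that sets it silently gets no extra policies — either wire it through to `xPodIdentityRole.spec.managedPolicyArns` or remove the field, and likewise `status.roleName` is declared but never populated. `resourceConfig.deletionPolicy` says `description: Defaults to Delete` but carries no `default: Delete`; add the default or reword the description. The claim kind `S3PodIdentityclaim` also departs from the CamelCase of its sibling `S3IRSA`; `S3PodIdentity` would read more naturally if the name is still open to change.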
+++ b/compositions/upbound-aws-provider/s3-access/podidentity/kustomization.yaml
@@ -2,4 +2,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - definition.yaml
-- s3-irsa.yaml
+- s3-podidentity.yaml
+
+
diff --git a/compositions/upbound-aws-provider/s3-access/podidentity/s3-podidentity.yaml b/compositions/upbound-aws-provider/s3-access/podidentity/s3-podidentity.yaml
new file mode 100644
index 00000000..0bdc7e09
--- /dev/null
+++ b/compositions/upbound-aws-provider/s3-access/podidentity/s3-podidentity.yaml
@@ -0,0 +1,144 @@
+
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+apiVersion: apiextensions.crossplane.io/v1
+kind: Composition
+metadata:
+ name: xs3podidentity-composition
+ annotations:
+ argocd.argoproj.io/sync-wave: "-10"
+ labels:
+ awsblueprints.io/provider: aws
+ awsblueprints.io/environment: dev
+spec:
+ environment:
+ environmentConfigs:
+ - type: Reference
+ ref:
+ name: cluster
+ patches:
+ - type: ToCompositeFieldPath
+ fromFieldPath: region
+ toFieldPath: spec.resourceConfig.region
+
+ writeConnectionSecretsToNamespace: crossplane-system
+ compositeTypeRef:
+ apiVersion: awsblueprints.io/v1alpha1
+ kind: xS3PodIdentity
+ patchSets:
+ - name: common-fields-composition
+ patches:
+ - type: FromCompositeFieldPath
+ fromFieldPath: spec.resourceConfig
+ toFieldPath: spec.resourceConfig
+ resources:
+ - name: bucket
+ base:
+ apiVersion: awsblueprints.io/v1alpha1
+ kind: XObjectStorage
+ metadata:
+ name: standard-object-storage
+ connectionDetails:
+ - fromConnectionSecretKey: bucketName
+ patches:
+ - type: PatchSet
+ patchSetName: common-fields-composition
+ - type: ToCompositeFieldPath
+ fromFieldPath: status.bucketArn
+ toFieldPath: status.bucketArn
+
+ - name: service-account
+ base:
+ apiVersion: kubernetes.crossplane.io/v1alpha1
+ kind: Object
+ spec:
+ forProvider:
+ manifest:
+ apiVersion: v1
+ kind: ServiceAccount
+ metadata:
+ namespace: default
+ patches:
+ - type: FromCompositeFieldPath
+ fromFieldPath: metadata.labels[crossplane.io/claim-namespace]
+ toFieldPath: spec.forProvider.manifest.metadata.namespace
+ - type: FromCompositeFieldPath
+ fromFieldPath: metadata.labels[crossplane.io/claim-name]
+ toFieldPath: spec.forProvider.manifest.metadata.name
+ - type: ToCompositeFieldPath
+ fromFieldPath: metadata.labels[crossplane.io/claim-name]
+ toFieldPath: status.serviceAccountName
+
+ - name: podidentity-role
+ base:
+ apiVersion: awsblueprints.io/v1alpha1
+ kind: 
xPodIdentityRole
+ # spec:
+ patches:
+ - type: ToCompositeFieldPath
+ fromFieldPath: status.roleArn
+ toFieldPath: status.roleArn
+ - type: PatchSet
+ patchSetName: common-fields-composition
+ - type: CombineFromComposite
+ toFieldPath: spec.inlinePolicy
+ combine:
+ variables:
+ - fromFieldPath: status.bucketArn
+ - fromFieldPath: status.bucketArn
+ strategy: string
+ string:
+ fmt: |
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "s3:GetObject",
+ "s3:PutObject",
+ "s3:PutObjectAcl",
+ "s3:DeleteObject"
+ ],
+ "Resource": [
+ "%s/*"
+ ]
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "s3:ListBucket",
+ "s3:GetBucketLocation"
+ ],
+ "Resource": [
+ "%s"
+ ]
+ }
+ ]
+ }
+ - name: podidentity-association
+ base:
+ apiVersion: eks.aws.upbound.io/v1beta1
+ kind: PodIdentityAssociation
+ patches:
+ - type: FromCompositeFieldPath
+ fromFieldPath: spec.resourceConfig.providerConfigName
+ toFieldPath: spec.providerConfigRef.name
+ - type: FromCompositeFieldPath
+ fromFieldPath: spec.resourceConfig.region
+ toFieldPath: spec.forProvider.region
+ - type: FromCompositeFieldPath
+ fromFieldPath: metadata.labels[crossplane.io/claim-namespace]
+ toFieldPath: spec.forProvider.namespace
+
+ - type: FromCompositeFieldPath
+ fromFieldPath: status.roleArn
+ toFieldPath: spec.forProvider.roleArn
+ - type: FromEnvironmentFieldPath
+ fromFieldPath: clusterName
+ toFieldPath: spec.forProvider.clusterName
+ - type: FromCompositeFieldPath
+ fromFieldPath: status.serviceAccountName
+ toFieldPath: spec.forProvider.serviceAccount
+ 
\ No newline at end of file
diff --git a/compositions/upbound-aws-provider/serverless/definition.yaml b/compositions/upbound-aws-provider/serverless/definition.yaml
index 08f6ac0f..b9111e56 100644
--- a/compositions/upbound-aws-provider/serverless/definition.yaml
+++ b/compositions/upbound-aws-provider/serverless/definition.yaml
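Review bot: The inline policy assembled by the `CombineFromComposite` patch grants `s3:PutObjectAcl` and `s3:DeleteObject` on top of get/put; the example is described as "S3 write access" and the sample pod, per the README, only uploads a file and lists the bucket, so `PutObjectAcl` in particular is surplus privilege — it lets the workload rewrite object ACLs, including making objects public where bucket ACLs are enabled. Drop `"s3:PutObjectAcl",` from the first statement unless a consumer needs it, and add a comment above `fmt:` stating that both statements are scoped to the bucket ARN carried in `status.bucketArn` and why each action is present. Minor: the `# spec:` placeholder under `podidentity-role`, the blank first line of the file and the whitespace-only last line with no trailing newline should all go. This hunk starts on the previous line.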
@@ -56,10 +56,8 @@ spec:
 type: string
 providerConfigName:
 type: string
- default: "aws-provider-config"
 region:
 type: string
- default: "us-west-2"
 required:
 - region
 type: object
diff --git a/examples/upbound-aws-provider/composite-resources/s3-irsa/README.md b/examples/upbound-aws-provider/composite-resources/s3-irsa/README.md
deleted file mode 100644
index 6567aa56..00000000
--- a/examples/upbound-aws-provider/composite-resources/s3-irsa/README.md
+++ /dev/null
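Review bot: Removing `default: "aws-provider-config"` from `providerConfigName` without adding it to `required` (which still lists only `region`) silently changes behaviour for existing serverless claims that omitted the field: a composition patch whose source field is absent is skipped, so the managed resources fall back to the ProviderConfig named `default`, which may carry different credentials than the one the claim author expected. Add `- providerConfigName` under `required` so such claims are rejected at admission instead — the s3 XRDs in this change already do that — and call out the dropped defaults in the changelog, since claim manifests must now set both fields. The `resourceConfig` schema and the enclosing `spec` start outside this hunk.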
@@ -1,80 +0,0 @@ -# Example to deploy s3-irsa application -This example deploys the archtecture depicted on the diagram. First, it applies the Crossplane XRDs and Composition. Then it applies an ArgoCD helm chart that contains the Crossplane Claim and a deployment. The Crossplane creates the S3 bucket and IRSA resources, then the deployment contains an aws-cli pod that upload a file to the bucket and list the content of the bucket to validate the IRSA connection works. - -![S3 IRSA App Diagram](../../diagrams/s3-irsa-app.png) - -## Pre-requisites - - [Upbound AWS Provider Crossplane Blueprint Examples](../../README.md) - - -### Deploy XRDs and Compositions -```shell -kubectl apply -k . -``` - -Verify the XRDs -```shell -kubectl get xrds -``` - -Expected output -``` -NAME ESTABLISHED OFFERED AGE -iampolicies.awsblueprints.io True 5m -xirsas.awsblueprints.io True True 5m -xobjectstorages.awsblueprints.io True True 5m -xs3irsas.awsblueprints.io True True 5m -``` - -Verify the Compositions -```shell -kubectl get compositions -``` - -Expected output. Note: the output might contain more compositions but these are the ones uses by the claim in the next step -``` -NAME XR-KIND XR-APIVERSION AGE -irsa.awsblueprints.io XIRSA awsblueprints.io/v1alpha1 5m -s3bucket.awsblueprints.io XObjectStorage awsblueprints.io/v1alpha1 5m -write-s3.iampolicy.awsblueprints.io IAMPolicy awsblueprints.io/v1alpha1 5m -xs3irsa.awsblueprints.io XS3IRSA awsblueprints.io/v1alpha1 5m -``` - -### Validate `EnvironmentConfig` - -Crossplane `environmentconfig` named `cluster` is created by the bootstrap terraform code. Validate it exists and contains proper values -``` -kubectl get environmentconfig cluster -o yaml -``` -Expected output -``` -apiVersion: apiextensions.crossplane.io/v1alpha1 -kind: EnvironmentConfig -metadata: - name: cluster -data: - awsAccountID: - eksOIDC: -``` - -### Apply ArgoCD application -The applications contains the claim and the deployment. 
-``` -kubectl apply -f argocd-s3-irsa-app.yaml -``` - -### Navigate to the ArgoCD UI -Find the ArgoCD URL: -``` -kubectl -n argocd get svc argo-cd-argocd-server -o jsonpath='{.status.loadBalancer.ingress[0].hostname}' -``` -The username is `admin` and the password can be obtained by executing: -``` -kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d -``` - -### Sync the ArgoCD app and watch the s3-irsa-app come up. -![S3 IRSA App ArgoCD](../../diagrams/argo-cd-s3-irsa-sync.gif) - -### Check the pod logs to validate the application has access to the bucket -![S3 IRSA App Logs](../../diagrams/s3-irsa-app-check-pod-logs.gif) diff --git a/examples/upbound-aws-provider/composite-resources/s3-irsa/Values.yaml b/examples/upbound-aws-provider/composite-resources/s3-irsa/Values.yaml deleted file mode 100644 index e69de29b..00000000 diff --git a/examples/upbound-aws-provider/composite-resources/s3-irsa/argocd-s3-irsa-app.yaml b/examples/upbound-aws-provider/composite-resources/s3-irsa/argocd-s3-irsa-app.yaml deleted file mode 100644 index 8fffa2a7..00000000 --- a/examples/upbound-aws-provider/composite-resources/s3-irsa/argocd-s3-irsa-app.yaml +++ /dev/null @@ -1,19 +0,0 @@ -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: s3-irsa-app - namespace: argocd -spec: - destination: - namespace: default - server: https://kubernetes.default.svc - project: default - source: - path: examples/upbound-aws-provider/composite-resources/s3-irsa/helm-chart/ - repoURL: https://github.com/awslabs/crossplane-on-eks.git - targetRevision: HEAD - helm: - values: |- - s3irsa: - enabled: true - syncPolicy: {} diff --git a/examples/upbound-aws-provider/composite-resources/s3-irsa/helm-chart/templates/claim.yaml b/examples/upbound-aws-provider/composite-resources/s3-irsa/helm-chart/templates/claim.yaml deleted file mode 100644 index 7cba930a..00000000 
--- a/examples/upbound-aws-provider/composite-resources/s3-irsa/helm-chart/templates/claim.yaml +++ /dev/null @@ -1,21 +0,0 @@ -{{- if .Values.s3irsa.enabled }} -apiVersion: awsblueprints.io/v1alpha1 -kind: S3IRSA -metadata: - name: {{ include "s3-irsa-app.name" . }} - labels: - app.kubernetes.io/name: {{ include "s3-irsa-app.name" . }} - helm.sh/chart: {{ include "s3-irsa-app.chart" . }} - annotations: - argocd.argoproj.io/sync-wave: "-10" -spec: - writeConnectionSecretToRef: - name: {{ include "s3-irsa-app.name" . }} - resourceConfig: - providerConfigName: aws-provider-config - region: us-east-1 - {{- with .Values.s3irsa.tags }} - tags: - {{- toYaml . | nindent 6 }} - {{- end }} -{{- end }} diff --git a/examples/upbound-aws-provider/composite-resources/s3-irsa/kustomization.yaml b/examples/upbound-aws-provider/composite-resources/s3-irsa/kustomization.yaml deleted file mode 100644 index 46089552..00000000 --- a/examples/upbound-aws-provider/composite-resources/s3-irsa/kustomization.yaml +++ /dev/null @@ -1,7 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -bases: -- ../../../../compositions/upbound-aws-provider/iam-policy/ -- ../../../../compositions/upbound-aws-provider/irsa/ -- ../../../../compositions/upbound-aws-provider/s3/ -- ../../../../compositions/upbound-aws-provider/s3-irsa/ diff --git a/examples/upbound-aws-provider/composite-resources/s3-irsa/s3-irsa.yaml b/examples/upbound-aws-provider/composite-resources/s3-irsa/s3-irsa.yaml deleted file mode 100644 index 962e4d68..00000000 --- a/examples/upbound-aws-provider/composite-resources/s3-irsa/s3-irsa.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: awsblueprints.io/v1alpha1 -kind: S3IRSA -metadata: - name: s3-irsa-test -spec: - writeConnectionSecretToRef: - name: s3-irsa-test - resourceConfig: - providerConfigName: aws-provider-config - region: us-east-1 
diff --git a/examples/upbound-aws-provider/composite-resources/s3-irsa/.gitignore b/examples/upbound-aws-provider/composite-resources/s3/.gitignore similarity index 100% rename from examples/upbound-aws-provider/composite-resources/s3-irsa/.gitignore rename to examples/upbound-aws-provider/composite-resources/s3/.gitignore diff --git a/examples/upbound-aws-provider/composite-resources/s3/README.md b/examples/upbound-aws-provider/composite-resources/s3/README.md new file mode 100644 index 00000000..772a32d9 --- /dev/null +++ b/examples/upbound-aws-provider/composite-resources/s3/README.md 
@@ -0,0 +1,133 @@ +# Example to deploy s3 access application + +The example shows how to set up Crossplane to allow secure access to S3 from pods in an EKS cluster + + +## Pre-requisites + - [Upbound AWS Provider Crossplane Blueprint Examples](../../README.md) + + +### Deploy Composite Resource Definations(XRDs) and Compositions +Navigate to /crossplane-on-eks/examples/upbound-aws-provider/composite-resources/s3 +```shell +kubectl apply -k . +``` + +Verify XRDs +```shell +kubectl get xrds +``` + +Displays installed XRDs +``` +NAME ESTABLISHED OFFERED AGE +iampolicies.awsblueprints.io True 18h +xirsas.awsblueprints.io True True 18h +xobjectstorages.awsblueprints.io True True 18h +xpodidentityroles.awsblueprints.io True True 18h +xs3irsas.awsblueprints.io True True 18h +xs3podidentities.awsblueprints.io True True 18h +``` + +Verify Compositions +```shell +kubectl get compositions +``` + +Displays installed compositions +``` +NAME XR-KIND XR-APIVERSION AGE +irsa.awsblueprints.io XIRSA awsblueprints.io/v1alpha1 18h +lambda-invoke.iampolicy.awsblueprints.io IAMPolicy awsblueprints.io/v1alpha1 18h +read-kms.iampolicy.awsblueprints.io IAMPolicy awsblueprints.io/v1alpha1 18h +read-s3.iampolicy.awsblueprints.io IAMPolicy awsblueprints.io/v1alpha1 18h +read-sqs.iampolicy.awsblueprints.io IAMPolicy awsblueprints.io/v1alpha1 18h +. +. +. +``` + + + + + + + + + + + + + + + + + + + +The example uses ArgoCD to deploy the pod and crossplane resources. ArgoCD is already installed by Terraform. + +ArgoCD URL: +``` +kubectl -n argocd get svc argo-cd-argocd-server -o jsonpath='{.status.loadBalancer.ingress[0].hostname}' +``` +Use "admin" as the username. Execute the given command to get the password: +``` +kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d +``` + +Kubernetes service accounts act as identities for processes running inside pods. 
To enable a pod to access AWS services, its service account can be mapped to an IAM role that has the necessary permissions. There are two options for mapping the service account to an IAM role in order to grant AWS access: Amazon EKS Pod Identity and IRSA(Iam Roles for Service Accounts) + + + + + + +
+ +IRSA example + +![S3 Pod IRSA App Diagram](../../diagrams/s3-irsa-app.png) + +### Deploy ArgoCD IRSA application + +The ArgoCD application deploys a Kubernetes deployment to create a pod, along with Crossplane claims to provision an S3 bucket, service account, and IAM role with S3 write access using IRSA. +``` +kubectl apply -f argocd-s3-irsa.yaml +``` + +### Log in to the ArgoCD UI. + +Use the credentials retrieved previously to log in to the ArgoCD UI. + +### Validate pod access to bucket + It will take few minutes to create the pod. You can review pod logs to verify access to the bucket. + +![S3 IRSA App Logs](../../diagrams/irsa-irsa-access-success.gif) + +
+ +
+ +Pod Identity example + +![S3 Pod Identity App Diagram](../../diagrams/s3-access-podidentity.png) + + +### Deploy ArgoCD Pod Identity application + +The ArgoCD application deploys a Kubernetes deployment to create a pod, along with Crossplane claims to provision an S3 bucket, service account, and IAM role with S3 write access using IRSA. +``` +kubectl apply -f argocd-s3-podidentity.yaml +``` + +### Log in to the ArgoCD UI. + +Use the credentials retrieved previously to log in to the ArgoCD UI. + +### Validate pod access to bucket + It will take few minutes to create the pod. You can review pod logs to verify access to the bucket. + +![S3 Pod Identity App Logs](../../diagrams/s3-access-podidentity.gif) + +
diff --git a/examples/upbound-aws-provider/composite-resources/s3/argocd-s3-irsa.yaml b/examples/upbound-aws-provider/composite-resources/s3/argocd-s3-irsa.yaml
new file mode 100644
index 00000000..78cc0f9e
--- /dev/null
+++ b/examples/upbound-aws-provider/composite-resources/s3/argocd-s3-irsa.yaml
@@ -0,0 +1,26 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: s3-access-app
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ destination:
+ namespace: default
+ server: https://kubernetes.default.svc
+ project: default
+ source:
+ path: examples/upbound-aws-provider/composite-resources/s3/helm-chart/
+ repoURL: https://github.com/satishbpatil/crossplane-on-eks.git
+ targetRevision: podidentity
+ helm:
+ values: |-
+ s3access:
+ enabled: true
+ #helm access value below defaults to irsa
+ access: irsa
+ syncPolicy:
+ automated:
+ prune: true
+
diff --git a/examples/upbound-aws-provider/composite-resources/s3/argocd-s3-podidentity.yaml b/examples/upbound-aws-provider/composite-resources/s3/argocd-s3-podidentity.yaml
new file mode 100644
index 00000000..6aeecfe6
--- /dev/null
+++ b/examples/upbound-aws-provider/composite-resources/s3/argocd-s3-podidentity.yaml
@@ -0,0 +1,27 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: s3-access-app
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ destination:
+ namespace: default
+ server: https://kubernetes.default.svc
+ project: default
+ source:
+ path: examples/upbound-aws-provider/composite-resources/s3/helm-chart/
+ repoURL: https://github.com/satishbpatil/crossplane-on-eks.git
+ targetRevision: podidentity
+ helm:
+ values: |-
+ s3access:
+ enabled: true
+ #access defaults to irsa
+ access: podidentity
+
+ syncPolicy:
+ automated:
+ prune: true
+ 
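Review bot: `repoURL` points at a personal fork (`github.com/satishbpatil/crossplane-on-eks.git`) on a feature branch (`targetRevision: podidentity`) with `syncPolicy.automated.prune: true`, so whatever is pushed to that fork branch is deployed into the cluster automatically — and what it deploys includes Crossplane claims that create IAM roles and Pod Identity associations. The example this replaces used `https://github.com/awslabs/crossplane-on-eks.git`; restore that and pin `targetRevision` to a tag or commit SHA (or at least `main`) before merge. The inline comment `#helm access value below defaults to irsa` sits above a value that is set explicitly; either drop the comment or make it describe the switch, e.g. `access: irsa  # irsa | podidentity`.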
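Review bot: Both new Application manifests use `metadata.name: s3-access-app` in the `argocd` namespace, so applying this file after `argocd-s3-irsa.yaml` replaces the IRSA Application's spec in place rather than creating a second app, and with `automated.prune: true` the rendered claim would switch kinds and the first variant's resources would be pruned under the user's feet. Rename this one `s3-access-podidentity-app` (and the sibling `s3-access-irsa-app`), or state in the README that only one may be applied at a time. `repoURL`/`targetRevision` here point at the same personal fork branch as the IRSA manifest and should move to the upstream repository and a pinned revision. The comment `#access defaults to irsa` is misleading directly above `access: podidentity`.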
diff --git a/examples/upbound-aws-provider/composite-resources/s3-irsa/helm-chart/Chart.yaml b/examples/upbound-aws-provider/composite-resources/s3/helm-chart/Chart.yaml similarity index 97% rename from examples/upbound-aws-provider/composite-resources/s3-irsa/helm-chart/Chart.yaml rename to examples/upbound-aws-provider/composite-resources/s3/helm-chart/Chart.yaml index ef31d7b8..65b93dc6 100644 --- a/examples/upbound-aws-provider/composite-resources/s3-irsa/helm-chart/Chart.yaml +++ b/examples/upbound-aws-provider/composite-resources/s3/helm-chart/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -name: s3-irsa-app-chart +name: s3-access-app-chart description: A Helm chart for Kubernetes # A chart can be either an 'application' or a 'library' chart. diff --git a/examples/upbound-aws-provider/composite-resources/s3-irsa/helm-chart/templates/_helper.tpl b/examples/upbound-aws-provider/composite-resources/s3/helm-chart/templates/_helper.tpl similarity index 67% rename from examples/upbound-aws-provider/composite-resources/s3-irsa/helm-chart/templates/_helper.tpl rename to examples/upbound-aws-provider/composite-resources/s3/helm-chart/templates/_helper.tpl index 4e6e3f48..eb259122 100644 --- a/examples/upbound-aws-provider/composite-resources/s3-irsa/helm-chart/templates/_helper.tpl +++ b/examples/upbound-aws-provider/composite-resources/s3/helm-chart/templates/_helper.tpl @@ -1,9 +1,9 @@ {{/* Define a template to generate the name of the application */}} -{{- define "s3-irsa-app.name" -}} -{{- default "s3-irsa-app" }} +{{- define "s3-access-app.name" -}} +{{- default "s3-access-app" }} {{- end }} {{/* Define a template to generate the name and version of the chart */}} -{{- define "s3-irsa-app.chart" -}} +{{- define "s3-access-app.chart" -}} {{- printf "%s-%s" .Chart.Name .Chart.Version }} {{- end }} 
diff --git a/examples/upbound-aws-provider/composite-resources/s3/helm-chart/templates/claim.yaml b/examples/upbound-aws-provider/composite-resources/s3/helm-chart/templates/claim.yaml
new file mode 100644
index 00000000..05438859
--- /dev/null
+++ b/examples/upbound-aws-provider/composite-resources/s3/helm-chart/templates/claim.yaml
@@ -0,0 +1,25 @@
+{{- if .Values.s3access.enabled }}
+apiVersion: awsblueprints.io/v1alpha1
+{{- if eq (.Values.s3access.access | default "irsa") "irsa" }}
+kind: S3IRSA
+{{- else }}
+kind: S3PodIdentityclaim
+{{- end }}
+metadata:
+ name: {{ include "s3-access-app.name" . }}
+ labels:
+ app.kubernetes.io/name: {{ include "s3-access-app.name" . }}
+ helm.sh/chart: {{ include "s3-access-app.chart" . }}
+ annotations:
+ argocd.argoproj.io/sync-wave: "-10"
+spec:
+ writeConnectionSecretToRef:
+ name: {{ include "s3-access-app.name" . }}
+ resourceConfig:
+ providerConfigName: aws-provider-config
+ #region: us-east-1
+ {{- with .Values.s3access.tags }}
+ tags:
+ {{- toYaml . | nindent 6 }}
+ {{- end }}
+{{- end }}
diff --git a/examples/upbound-aws-provider/composite-resources/s3-irsa/helm-chart/templates/deployment.yaml b/examples/upbound-aws-provider/composite-resources/s3/helm-chart/templates/deployment.yaml
similarity index 60%
rename from examples/upbound-aws-provider/composite-resources/s3-irsa/helm-chart/templates/deployment.yaml
rename to examples/upbound-aws-provider/composite-resources/s3/helm-chart/templates/deployment.yaml
index 4010c347..35208cff 100644
--- a/examples/upbound-aws-provider/composite-resources/s3-irsa/helm-chart/templates/deployment.yaml
+++ b/examples/upbound-aws-provider/composite-resources/s3/helm-chart/templates/deployment.yaml
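Review bot: The kind selection uses a catch-all `{{- else }}`, so any value of `s3access.access` other than the exact string `irsa` — including a typo such as `podidentiy` — silently renders an `S3PodIdentityclaim`; for a template whose output ends up provisioning IAM roles, an explicit branch that `fail`s on unknown values is safer. The template also reads `.Values.s3access.enabled`, but the chart's `values.yaml` in this same change defines the key as `s3:`, so `helm template` with the chart's own defaults fails on a nil `s3access`; the ArgoCD Applications only work because they pass `s3access` inline. Suggested selection block, with the rest of the template unchanged:
```yaml
{{- if .Values.s3access.enabled }}
apiVersion: awsblueprints.io/v1alpha1
{{- $access := .Values.s3access.access | default "irsa" }}
{{- if eq $access "irsa" }}
kind: S3IRSA
{{- else if eq $access "podidentity" }}
kind: S3PodIdentityclaim
{{- else }}
{{- fail (printf "s3access.access must be \"irsa\" or \"podidentity\", got %q" $access) }}
{{- end }}
# … unchanged: metadata and spec …
```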
@@ -1,21 +1,24 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: {{ include "s3-irsa-app.name" . }}
+  rollme: {{ randAlphaNum 5 | quote }}
+  name: {{ include "s3-access-app.name" . }}
   labels:
-    app.kubernetes.io/name: {{ include "s3-irsa-app.name" . }}
-    helm.sh/chart: {{ include "s3-irsa-app.chart" . }}
+    app.kubernetes.io/name: {{ include "s3-access-app.name" . }}
+    helm.sh/chart: {{ include "s3-access-app.chart" . }}
 spec:
   replicas: 1
   selector:
     matchLabels:
-      app.kubernetes.io/name: {{ include "s3-irsa-app.name" . }}
+      app.kubernetes.io/name: {{ include "s3-access-app.name" . }}
   template:
     metadata:
+      annotations:
+        rollme: {{ randAlphaNum 5 | quote }}
       labels:
-        app.kubernetes.io/name: {{ include "s3-irsa-app.name" . }}
+        app.kubernetes.io/name: {{ include "s3-access-app.name" . }}
     spec:
-      serviceAccountName: {{ include "s3-irsa-app.name" . }}
+      serviceAccountName: {{ include "s3-access-app.name" . }}
       containers:
         - name: aws-cli
           image: amazon/aws-cli:latest
@@ -37,6 +40,6 @@ spec:
             - name: BUCKET_NAME
               valueFrom:
                 secretKeyRef:
-                  name: {{ include "s3-irsa-app.name" . }}
+                  name: {{ include "s3-access-app.name" . }}
                   key: bucketName
       restartPolicy: Always
diff --git a/examples/upbound-aws-provider/composite-resources/s3-irsa/helm-chart/values.yaml b/examples/upbound-aws-provider/composite-resources/s3/helm-chart/values.yaml
similarity index 90%
rename from examples/upbound-aws-provider/composite-resources/s3-irsa/helm-chart/values.yaml
rename to examples/upbound-aws-provider/composite-resources/s3/helm-chart/values.yaml
index 5c3f65c6..5e7305a8 100644
--- a/examples/upbound-aws-provider/composite-resources/s3-irsa/helm-chart/values.yaml
+++ b/examples/upbound-aws-provider/composite-resources/s3/helm-chart/values.yaml
@@ -2,8 +2,9 @@
 # This is a YAML-formatted file.
 # Declare variables to be passed into your templates.
 
-s3irsa:
+s3:
   enabled: true
+  access: irsa
   tags:
     owner: devops
     environment: production
\ No newline at end of file
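Review bot: The first added line, `rollme: {{ randAlphaNum 5 | quote }}`, sits directly under the Deployment's top-level `metadata`, where ObjectMeta has no such field; strict validation (`kubectl apply` default, Argo CD with strict schema checks) rejects the manifest and a lenient API server drops the field silently, so it does nothing useful either way. The pod-template `annotations.rollme` added further down is the one that actually forces a rollout, so the top-level line should simply be removed. Separately, `randAlphaNum` produces a new value on every render, and since this chart is synced by Argo CD (see the `argocd.argoproj.io/sync-wave` annotation on the claim) the Deployment will appear permanently OutOfSync and be restarted on every sync unless the annotation is excluded via `ignoreDifferences`; a deterministic trigger derived from the rendered inputs would restart pods only when something actually changed. The container spec between this hunk and the next is outside the diff.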
diff --git a/examples/upbound-aws-provider/composite-resources/s3/kustomization.yaml b/examples/upbound-aws-provider/composite-resources/s3/kustomization.yaml
new file mode 100644
index 00000000..f20c7991
--- /dev/null
+++ b/examples/upbound-aws-provider/composite-resources/s3/kustomization.yaml
@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ../../../../compositions/upbound-aws-provider/podidentity-role/
+  - ../../../../compositions/upbound-aws-provider/s3/
+  - ../../../../compositions/upbound-aws-provider/s3-access/
+  - ../../../../compositions/upbound-aws-provider/iam-policy/
+  - ../../../../compositions/upbound-aws-provider/irsa/
+
diff --git a/examples/upbound-aws-provider/diagrams/argo-cd-s3-irsa-sync.gif b/examples/upbound-aws-provider/diagrams/argo-cd-s3-irsa-sync.gif
deleted file mode 100644
index b8136d24..00000000
Binary files a/examples/upbound-aws-provider/diagrams/argo-cd-s3-irsa-sync.gif and /dev/null differ
diff --git a/examples/upbound-aws-provider/diagrams/irsa-irsa-access-success.gif b/examples/upbound-aws-provider/diagrams/irsa-irsa-access-success.gif
new file mode 100644
index 00000000..7fc76d74
Binary files /dev/null and b/examples/upbound-aws-provider/diagrams/irsa-irsa-access-success.gif differ
diff --git a/examples/upbound-aws-provider/diagrams/s3-access-podidentity.gif b/examples/upbound-aws-provider/diagrams/s3-access-podidentity.gif
new file mode 100644
index 00000000..aac1c78a
Binary files /dev/null and b/examples/upbound-aws-provider/diagrams/s3-access-podidentity.gif differ
diff --git a/examples/upbound-aws-provider/diagrams/s3-access-podidentity.png b/examples/upbound-aws-provider/diagrams/s3-access-podidentity.png
new file mode 100644
index 00000000..426f5093
Binary files /dev/null and b/examples/upbound-aws-provider/diagrams/s3-access-podidentity.png differ
diff --git a/examples/upbound-aws-provider/diagrams/s3-irsa-app-check-pod-logs.gif b/examples/upbound-aws-provider/diagrams/s3-irsa-app-check-pod-logs.gif
deleted file mode 100644
index 6ef1bc63..00000000
Binary files a/examples/upbound-aws-provider/diagrams/s3-irsa-app-check-pod-logs.gif and /dev/null differ
diff --git a/examples/upbound-aws-provider/diagrams/s3-risa-access-denied.gif b/examples/upbound-aws-provider/diagrams/s3-risa-access-denied.gif
new file mode 100644
index 00000000..96f70f40
Binary files /dev/null and b/examples/upbound-aws-provider/diagrams/s3-risa-access-denied.gif differ