diff --git a/apis/space-init/composition.yaml b/apis/space-init/composition.yaml index 6647dfc..f8b6fad 100644 --- a/apis/space-init/composition.yaml +++ b/apis/space-init/composition.yaml @@ -456,17 +456,14 @@ spec: - type: FromCompositeFieldPath fromFieldPath: spec.parameters.providerConfigName toFieldPath: spec.parameters.id + - type: FromCompositeFieldPath + fromFieldPath: spec.parameters.operators.externaldns.gcp.dnsProject + toFieldPath: spec.parameters.dnsProject - type: ToCompositeFieldPath - fromFieldPath: status.dnsSAID - toFieldPath: status.status.externalDNS.dnsSAID + fromFieldPath: status.googleServiceAccount.email + toFieldPath: status.status.externalDNS.googleServiceAccount.email policy: fromFieldPath: Optional - - type: FromCompositeFieldPath - fromFieldPath: spec.parameters.operators.externaldns.gcp.dnsProject - toFieldPath: spec.parameters.project - - type: FromCompositeFieldPath - fromFieldPath: spec.parameters.operators.externaldns.gcp.managedZone - toFieldPath: spec.parameters.managedZone - name: external-dns condition: | @@ -484,10 +481,12 @@ spec: repository: https://charts.bitnami.com/bitnami values: replicaCount: 1 - provider: gcp + provider: google policy: sync source: ingress registry: txt + google: + batchChangeSize: 4 rbac: create: true serviceAccount: 
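Review bot: `batchChangeSize: 4` in the new `google:` block is a tuning value with no rationale recorded, and nothing in the hunk or the surrounding values explains why Cloud DNS change sets are being kept that small. A one-line comment above it, e.g. `# Small Cloud DNS change batches: <reason, e.g. quota or partial-failure isolation>`, would stop the next maintainer from reverting it to the chart default. The rest of the values block, including `policy: sync`, is unchanged context.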
@@ -508,13 +507,16 @@ spec: fromFieldPath: spec.parameters.operators.externaldns.version toFieldPath: spec.forProvider.chart.version - type: FromCompositeFieldPath - fromFieldPath: spec.parameters.operators.externaldns.gcp.managedZone + fromFieldPath: spec.parameters.operators.externaldns.gcp.zoneName toFieldPath: spec.forProvider.values.domainFilters[0] - type: FromCompositeFieldPath - fromFieldPath: status.status.externalDNS.dnsSAID + fromFieldPath: status.status.externalDNS.googleServiceAccount.email toFieldPath: spec.forProvider.values.serviceAccount.annotations[iam.gke.io/gcp-service-account] policy: fromFieldPath: Required + - type: FromCompositeFieldPath + fromFieldPath: spec.parameters.operators.externaldns.gcp.dnsProject + toFieldPath: spec.forProvider.values.google.project - type: FromCompositeFieldPath fromFieldPath: metadata.uid toFieldPath: spec.forProvider.values.txtOwnerId diff --git a/apis/space-init/definition.yaml b/apis/space-init/definition.yaml index def4d4c..ffa9982 100644 --- a/apis/space-init/definition.yaml +++ b/apis/space-init/definition.yaml @@ -72,7 +72,7 @@ spec: type: boolean description: "Indicates if GCP external-dns is enabled." default: true - managedZone: + zoneName: type: string description: "The Managed Zone for external-dns to manage." dnsProject: diff --git a/apis/workload-identity/composition.yaml b/apis/workload-identity/composition.yaml index a5ebb12..f2f8f9c 100644 --- a/apis/workload-identity/composition.yaml +++ b/apis/workload-identity/composition.yaml 
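Review bot: The renamed field `zoneName` keeps the old description `"The Managed Zone for external-dns to manage."`, but the composition hunk above now feeds it straight into `domainFilters[0]`, and the example in this diff uses the same value as a DNS suffix (`argocd-platform-ref-upbound-spaces.${data.gcpZoneName}`), so the value is a DNS domain, not a Cloud DNS managed-zone resource name. A user who follows the description and supplies the zone's resource name gets an external-dns that silently matches no records. Suggest `description: "DNS name of the zone external-dns manages (e.g. example.com); applied as the external-dns domain filter."`, and a separate field if a managed-zone resource name is still needed anywhere.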
@@ -31,13 +31,34 @@ spec: toFieldPath: spec.deletionPolicy type: FromCompositeFieldPath resources: - - name: projectiammember + - name: serviceaccount + base: + apiVersion: cloudplatform.gcp.upbound.io/v1beta1 + kind: ServiceAccount + patches: + - type: PatchSet + patchSetName: Name + - type: PatchSet + patchSetName: providerConfigRef + - type: PatchSet + patchSetName: deletionPolicy + - fromFieldPath: status.workloadIdentity.gkeProject + toFieldPath: spec.forProvider.project + type: FromCompositeFieldPath + - fromFieldPath: status.atProvider.email + toFieldPath: status.googleServiceAccount.email + type: ToCompositeFieldPath + - fromFieldPath: status.atProvider.id + toFieldPath: status.googleServiceAccount.id + type: ToCompositeFieldPath + + - name: projectiammember-dns-admin base: apiVersion: cloudplatform.gcp.upbound.io/v1beta1 kind: ProjectIAMMember spec: forProvider: - role: roles/dns.reader + role: roles/dns.admin patches: - type: PatchSet patchSetName: Name 
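Review bot: Changing the project-level `ProjectIAMMember` from `roles/dns.reader` to `roles/dns.admin` gives the external-dns service account write access to every managed zone in `dnsProject`, whereas the previous design (the `ManagedZoneIAMMember` removed later in this diff) kept `dns.admin` confined to one zone and only `dns.reader` at project scope. Together with the chart's `policy: sync`, a compromised external-dns pod or a mis-set domain filter can now create or delete records in unrelated zones of that project. Unless there is a reason not visible here, keep `role: roles/dns.reader` on this resource and reintroduce a `dns.gcp.upbound.io/v1beta1 ManagedZoneIAMMember` with `roles/dns.admin` scoped to the zone, which means the API must carry the managed-zone resource name again rather than only `zoneName`. The `serviceaccount` resource's definition continues into the next hunk.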
@@ -45,19 +66,39 @@ spec: patchSetName: providerConfigRef - type: PatchSet patchSetName: deletionPolicy - - type: FromCompositeFieldPath - fromFieldPath: spec.parameters.id - toFieldPath: metadata.annotations[crossplane.io/external-name] - fromFieldPath: spec.parameters.dnsProject toFieldPath: spec.forProvider.project type: FromCompositeFieldPath - - fromFieldPath: spec.parameters.member + - fromFieldPath: status.googleServiceAccount.email toFieldPath: spec.forProvider.member type: FromCompositeFieldPath + transforms: + - string: + fmt: 'serviceAccount:%s' + type: Format + type: string + + - name: serviceaccountiammember + base: + apiVersion: cloudplatform.gcp.upbound.io/v1beta1 + kind: ServiceAccountIAMMember + spec: + forProvider: + role: roles/iam.workloadIdentityUser + patches: + - type: PatchSet + patchSetName: Name + - type: PatchSet + patchSetName: providerConfigRef + - type: PatchSet + patchSetName: deletionPolicy + - fromFieldPath: status.googleServiceAccount.id + toFieldPath: spec.forProvider.serviceAccountId + type: FromCompositeFieldPath - combine: strategy: string string: - fmt: "serviceAccount:%s.svc.id.goog/ns/%s/sa/%s" + fmt: "serviceAccount:%s.svc.id.goog[%s/%s]" variables: - fromFieldPath: status.workloadIdentity.gkeProject - fromFieldPath: spec.parameters.serviceAccount.namespace 
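Review bot: Both new consumers of the composite status, `spec.forProvider.member` on `projectiammember-dns-admin` and `spec.forProvider.serviceAccountId` on `serviceaccountiammember`, patch from `status.googleServiceAccount.email` / `.id` with no `policy`, so on the first reconcile, before the new `ServiceAccount` has reported its email and id back, the patch is skipped and the IAM member is created without a member or service account id, which the provider rejects until a later pass. Adding `policy: fromFieldPath: Required` to both patches makes the composition wait for the value instead, which is what the external-dns release already does for the GSA email in the space-init hunk above. The `serviceaccountiammember` resource's `combine` patch continues past the end of this hunk.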
@@ -65,42 +106,31 @@ spec: toFieldPath: spec.forProvider.member type: CombineFromComposite - - name: managedzoneiammember + - name: projectiammember-workload-identity-user base: - apiVersion: dns.gcp.upbound.io/v1beta1 - kind: ManagedZoneIAMMember + apiVersion: cloudplatform.gcp.upbound.io/v1beta1 + kind: ProjectIAMMember spec: forProvider: - role: roles/dns.admin + role: roles/iam.workloadIdentityUser patches: + - type: PatchSet + patchSetName: Name - type: PatchSet patchSetName: providerConfigRef - type: PatchSet patchSetName: deletionPolicy - - fromFieldPath: status.atProvider.id - policy: - fromFieldPath: Optional - toFieldPath: status.dnsSAID - type: ToCompositeFieldPath - - type: FromCompositeFieldPath - fromFieldPath: spec.parameters.id - toFieldPath: metadata.annotations[crossplane.io/external-name] - - fromFieldPath: spec.parameters.dnsProject + - fromFieldPath: status.workloadIdentity.gkeProject toFieldPath: spec.forProvider.project type: FromCompositeFieldPath - - fromFieldPath: spec.parameters.managedZone - toFieldPath: spec.forProvider.managedZone - type: FromCompositeFieldPath - - combine: - strategy: string - string: - fmt: "serviceAccount:%s.svc.id.goog/ns/%s/sa/%s" - variables: - - fromFieldPath: status.workloadIdentity.gkeProject - - fromFieldPath: spec.parameters.serviceAccount.namespace - - fromFieldPath: spec.parameters.serviceAccount.name + - fromFieldPath: status.googleServiceAccount.email toFieldPath: spec.forProvider.member - type: CombineFromComposite + type: FromCompositeFieldPath + transforms: + - string: + fmt: 'serviceAccount:%s' + type: Format + type: string - name: workloadIdentitySettings base: diff --git a/apis/workload-identity/definition.yaml b/apis/workload-identity/definition.yaml index 44b7122..cdba59d 100644 --- a/apis/workload-identity/definition.yaml +++ b/apis/workload-identity/definition.yaml 
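Review bot: `projectiammember-workload-identity-user` binds `roles/iam.workloadIdentityUser` to the Google service account itself (`serviceAccount:<gsa email>`) across the whole `gkeProject`, which is not the binding Workload Identity needs: the grant that lets the Kubernetes SA impersonate the GSA is the `ServiceAccountIAMMember` added in the previous hunk, with the `...svc.id.goog[ns/sa]` member on the GSA. As far as I recall that role carries `iam.serviceAccounts.getAccessToken`, so a project-level grant lets the external-dns GSA mint tokens for any service account in that project, turning a DNS-scoped identity into a lateral-movement path. Unless something outside this diff depends on it, drop this resource; if a project-level grant is genuinely required, its `member` should be the Kubernetes workload principal, not the GSA. The hunk ends before the `workloadIdentitySettings` resource, whose body is outside the view.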
@@ -61,17 +61,13 @@ spec: enum: - StringEquals - StringLike - project: + dnsProject: type: string description: The Project ID where the DNS managed zone lives. - managedZone: - type: string - description: The name of the GCP managed zone. required: - id - serviceAccount - - project - - managedZone + - dnsProject required: - parameters status: @@ -88,3 +84,16 @@ spec: description: Freeform field containing information about the observed status. type: object x-kubernetes-preserve-unknown-fields: true + googleServiceAccount: + type: object + description: Configuration for GSA + properties: + email: + type: string + description: email Google SA + id: + type: string + description: id Google SA + required: + - email + - id diff --git a/crossplane.yaml b/crossplane.yaml index 9e0fe53..e8721d6 100644 --- a/crossplane.yaml +++ b/crossplane.yaml @@ -29,7 +29,7 @@ spec: version: "v0.5.0" - configuration: xpkg.upbound.io/upbound/configuration-gcp-gke # renovate: datasource=github-releases depName=upbound/configuration-gcp-gke - version: "v0.6.0" + version: "v0.7.0" - provider: xpkg.upbound.io/upbound/provider-gcp-dns # renovate: datasource=github-releases depName=upbound/provider-gcp version: "v1.2.0" diff --git a/examples/gcp-host-space.yaml b/examples/gcp-host-space.yaml index 867a364..e4fd9dc 100644 --- a/examples/gcp-host-space.yaml +++ b/examples/gcp-host-space.yaml @@ -19,7 +19,7 @@ spec: enabled: true # To leverage external-dns for managing the spaces.dns.spacesRouterDomain zone entry, # substitute the placeholder values with your actual Managed Zone Name and GCP DNS Project Name. - managedZone: ${data.gcpManagedZoneName} + zoneName: ${data.gcpZoneName} dnsProject: ${data.gcpDNSProject} crossplane: providers: 
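Review bot: The comment kept above the renamed field in `examples/gcp-host-space.yaml` still tells the reader to substitute "your actual Managed Zone Name", but the field is now `zoneName` and the same `${data.gcpZoneName}` placeholder is used as a DNS suffix for `ingressUrl` and `spacesRouterDomain` in the hunks below, so the comment points at the wrong value. Suggest `# substitute the placeholders with the DNS name of your zone (e.g. example.com) and the GCP project that hosts it.` so the example agrees with how the value is consumed.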
@@ -31,7 +31,7 @@ spec: localRbac: true argocd: enabled: true - ingressUrl: argocd-platform-ref-upbound-spaces.${data.gcpDNSName} + ingressUrl: argocd-platform-ref-upbound-spaces.${data.gcpZoneName} git: url: https://github.com/upbound/platform-ref-upbound-spaces.git path: gitops @@ -62,7 +62,7 @@ spec: - "*/controlplane-*" spaces: dns: - spacesRouterDomain: platform-ref-upbound-spaces-gke.${data.gcpDNSName} + spacesRouterDomain: platform-ref-upbound-spaces-gke.${data.gcpZoneName} clusterType: gke account: platform-ref writeConnectionSecretToRef: