From 537fbd476177a006ac80ebab28aa4ca955c7a7ab Mon Sep 17 00:00:00 2001 From: Mark Anderson-Trocme Date: Fri, 24 May 2024 15:44:58 -0400 Subject: [PATCH 01/10] feat: add external dns for gcp --- apis/space-init/composition.yaml | 86 ++++++++++++++++++++++ apis/workload-identity/composition.yaml | 96 +++++++++++++++++++++++++ apis/workload-identity/definition.yaml | 79 ++++++++++++++++++++ examples/gcp-host-space.yaml | 8 ++- 4 files changed, 268 insertions(+), 1 deletion(-) create mode 100644 apis/workload-identity/composition.yaml create mode 100644 apis/workload-identity/definition.yaml diff --git a/apis/space-init/composition.yaml b/apis/space-init/composition.yaml index bbada2e..feed9d7 100644 --- a/apis/space-init/composition.yaml +++ b/apis/space-init/composition.yaml @@ -305,6 +305,8 @@ spec: name: ingress-nginx repository: https://kubernetes.github.io/ingress-nginx set: + - name: "nameOverride" + value: "ingress-nginx" - name: "controller.service.type" value: "LoadBalancer" - name: "controller.allowSnippetAnnotations" 
@@ -436,6 +438,90 @@ spec: type: Format type: string + - name: external-dns-workloadidentity + condition: | + "externaldns" in observed.composite.resource.spec.parameters.operators && + "gcp" in observed.composite.resource.spec.parameters.operators.externaldns && + observed.composite.resource.spec.parameters.operators.externaldns.gcp.enabled == true + base: + apiVersion: gcp.platform.upbound.io/v1alpha1 + kind: XWORKLOADIDENTITY + spec: + parameters: + condition: StringEquals + serviceAccount: + name: external-dns + namespace: external-dns + patches: + - type: FromCompositeFieldPath + fromFieldPath: spec.parameters.providerConfigName + toFieldPath: spec.parameters.id + - type: FromCompositeFieldPath + fromFieldPath: spec.parameters.operators.externaldns.gcp.dnsProjectName + toFieldPath: spec.parameters.project + - type: FromCompositeFieldPath + fromFieldPath: spec.parameters.operators.externaldns.gcp.managedZoneName + toFieldPath: spec.parameters.managedZone + - type: ToCompositeFieldPath + fromFieldPath: status.GKEprojectID + toFieldPath: spec.parameters.GKEProjectID + + - name: external-dns + condition: | + "externaldns" in observed.composite.resource.spec.parameters.operators && + "gcp" in observed.composite.resource.spec.parameters.operators.externaldns && + observed.composite.resource.spec.parameters.operators.externaldns.gcp.enabled == true + base: + apiVersion: helm.crossplane.io/v1beta1 + kind: Release + spec: + forProvider: + namespace: external-dns + chart: + name: external-dns + repository: https://charts.bitnami.com/bitnami + values: + replicaCount: 1 + provider: gcp + policy: sync + source: ingress + registry: txt + rbac: + create: true + serviceAccount: + create: true + name: external-dns + metrics: + enabled: false + serviceMonitor: + enabled: false + replicas: 2 + podDisruptionBudget: + minAvailable: 1 + patches: + - type: FromCompositeFieldPath + fromFieldPath: spec.parameters.providerConfigName + toFieldPath: spec.providerConfigRef.name + - type: 
FromCompositeFieldPath + fromFieldPath: spec.parameters.operators.externaldns.version + toFieldPath: spec.forProvider.chart.version + - type: FromCompositeFieldPath + fromFieldPath: spec.parameters.operators.externaldns.gcp.managedZoneName + toFieldPath: spec.forProvider.values.domainFilters[0] + # - type: FromCompositeFieldPath + # fromFieldPath: status.status.externalDNS.IRSARoleArn + # toFieldPath: spec.forProvider.values.serviceAccount.annotations[eks.amazonaws.com/role-arn] + # policy: + # fromFieldPath: Required + - type: FromCompositeFieldPath + fromFieldPath: metadata.uid + toFieldPath: spec.forProvider.values.txtOwnerId + transforms: + - string: + fmt: 'upbound-spaces-%s' + type: Format + type: string + - name: universal-crossplane condition: observed.composite.resource.spec.parameters.operators.crossplane.enabled == true base: diff --git a/apis/workload-identity/composition.yaml b/apis/workload-identity/composition.yaml new file mode 100644 index 0000000..2649362 --- /dev/null +++ b/apis/workload-identity/composition.yaml 
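Review bot: The external-dns Release patch that fills `spec.forProvider.values.domainFilters[0]` from `spec.parameters.operators.externaldns.gcp.managedZoneName` carries no policy, so if the zone name is omitted the Release is still created with an empty domainFilters and, under `policy: sync`, nothing but the IAM grants limits which zones external-dns acts on; the XRDs added in patch 04 leave managedZoneName optional as well. Add `policy:` with `fromFieldPath: Required` to that patch, as the GSA-annotation patch introduced in patch 02 already does, so the Release waits for the zone; the same patch is rewritten for `zoneName` in patch 07 and needs the same guard there. Separately, the values block sets both `replicaCount: 1` and `replicas: 2` next to `podDisruptionBudget.minAvailable: 1`; if the chart honours `replicaCount`, a single pod with minAvailable 1 blocks node drains, so one of the two keys should be dropped.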
@@ -0,0 +1,96 @@ +apiVersion: apiextensions.crossplane.io/v1 +kind: Composition +metadata: + name: xworkloadidentity.gcp.platform.upbound.io +spec: + compositeTypeRef: + apiVersion: gcp.platform.upbound.io/v1alpha1 + kind: XWORKLOADIDENTITY + mode: Pipeline + pipeline: + - step: patch-and-transform + functionRef: + name: crossplane-contrib-function-patch-and-transform + input: + apiVersion: pt.fn.crossplane.io/v1beta1 + kind: Resources + patchSets: + - name: Name + patches: + - fromFieldPath: metadata.name + toFieldPath: metadata.annotations[crossplane.io/external-name] + type: FromCompositeFieldPath + - name: providerConfigRef + patches: + - fromFieldPath: spec.parameters.providerConfigName + toFieldPath: spec.providerConfigRef.name + type: FromCompositeFieldPath + - name: deletionPolicy + patches: + - fromFieldPath: spec.parameters.deletionPolicy + toFieldPath: spec.deletionPolicy + type: FromCompositeFieldPath + resources: + - name: projectiammember + base: + apiVersion: cloudplatform.gcp.upbound.io/v1beta1 + kind: ProjectIAMMember + spec: + forProvider: + role: roles/dns.reader + patches: + - type: PatchSet + patchSetName: providerConfigRef + - type: PatchSet + patchSetName: deletionPolicy + - type: FromCompositeFieldPath + fromFieldPath: spec.parameters.id + toFieldPath: metadata.annotations[crossplane.io/external-name] + - fromFieldPath: spec.parameters.dnsProject + toFieldPath: spec.forProvider.project + type: FromCompositeFieldPath + - fromFieldPath: spec.parameters.member + toFieldPath: spec.forProvider.member + type: FromCompositeFieldPath + - type: CombineFromComposite + combine: + variables: + - fromFieldPath: spec.parameters.GKEProjectID + - fromFieldPath: spec.parameters.serviceAccount.namespace + - fromFieldPath: spec.parameters.serviceAccount.name + strategy: string + string: + fmt: "serviceAccount:%s.svc.id.goog/ns/%s/sa/%s" + toFieldPath: spec.forProvider.member + + - name: managedzoneiammember + base: + apiVersion: dns.gcp.upbound.io/v1beta1 + 
kind: ManagedZoneIAMMember + spec: + forProvider: + role: roles/dns.admin + patches: + - type: PatchSet + patchSetName: providerConfigRef + - type: PatchSet + patchSetName: deletionPolicy + - type: FromCompositeFieldPath + fromFieldPath: spec.parameters.id + toFieldPath: metadata.annotations[crossplane.io/external-name] + - fromFieldPath: spec.parameters.dnsProject + toFieldPath: spec.forProvider.project + type: FromCompositeFieldPath + - fromFieldPath: spec.parameters.managedZone + toFieldPath: spec.forProvider.managedZone + type: FromCompositeFieldPath + - type: CombineFromComposite + combine: + variables: + - fromFieldPath: spec.parameters.GKEProjectID + - fromFieldPath: spec.parameters.serviceAccount.namespace + - fromFieldPath: spec.parameters.serviceAccount.name + strategy: string + string: + fmt: "serviceAccount:%s.svc.id.goog/ns/%s/sa/%s" + toFieldPath: spec.forProvider.member diff --git a/apis/workload-identity/definition.yaml b/apis/workload-identity/definition.yaml new file mode 100644 index 0000000..8aa256c --- /dev/null +++ b/apis/workload-identity/definition.yaml 
@@ -0,0 +1,79 @@ +apiVersion: apiextensions.crossplane.io/v1 +kind: CompositeResourceDefinition +metadata: + name: xworkloadidentitys.gcp.platform.upbound.io + labels: + provider: gcp +spec: + claimNames: + kind: WorkloadIdentity + plural: workloadidentitys + group: gcp.platform.upbound.io + names: + kind: XWORKLOADIDENTITY + plural: xworkloadidentitys + versions: + - name: v1alpha1 + served: true + referenceable: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + parameters: + type: object + description: Workload Identity configuration parameters. + properties: + id: + type: string + description: ID of this Workload Identity that other objects will use to refer to it. + deletionPolicy: + description: Delete the external resources when the Claim/XR is deleted. Defaults to Delete. + enum: + - Delete + - Orphan + type: string + default: Delete + providerConfigName: + description: Crossplane ProviderConfig to use for provisioning this resources. + type: string + default: default + serviceAccount: + type: object + description: Configuration for SA + properties: + name: + type: string + description: name kubernetes SA + namespace: + type: string + description: namespace kubernetes SA + required: + - name + - namespace + required: + - id + - gkeProject + - knsName + - ksaName + - dnsProject + - zoneName + required: + - parameters + status: + type: object + properties: + workloadIdentity: + description: Freeform field containing status information for Workload Identity. + type: object + x-kubernetes-preserve-unknown-fields: true + member: + description: The member string used in IAM policies. + type: string + observed: + description: Freeform field containing information about the observed status. + type: object + x-kubernetes-preserve-unknown-fields: true diff --git a/examples/gcp-host-space.yaml b/examples/gcp-host-space.yaml index d048e0a..ee854bc 100644 --- a/examples/gcp-host-space.yaml 
+++ b/examples/gcp-host-space.yaml @@ -14,6 +14,12 @@ spec: count: 3 instanceType: e2-standard-4 operators: + externaldns: + gcp: + # To leverage external-dns for managing the spaces.dns.spacesRouterDomain zone entry, + # substitute the placeholder values with your actual Managed Zone Name and GCP DNS Project Name. + managedZoneName: ${data.gcpManagedZoneName} + dnsProjectName: ${data.gcpDNSProjectName} crossplane: providers: - name: provider-helm @@ -55,7 +61,7 @@ spec: - "*/controlplane-*" spaces: dns: - spacesRouterDomain: platform-ref-upbound-spaces-gke.${data.route53ZoneName} + spacesRouterDomain: platform-ref-upbound-spaces-gke.${data.gcpManagedZoneName} clusterType: gke account: platform-ref writeConnectionSecretToRef: From 4f3d799e8fd01e631735ee1dca9469b4ce531484 Mon Sep 17 00:00:00 2001 From: Mark Anderson-Trocme Date: Mon, 27 May 2024 09:43:48 -0400 Subject: [PATCH 02/10] use workloadIdentitySettings CM --- apis/space-init/composition.yaml | 20 +++++----- apis/workload-identity/composition.yaml | 50 +++++++++++++++++++++++-- apis/workload-identity/definition.yaml | 2 +- 3 files changed, 59 insertions(+), 13 deletions(-) diff --git a/apis/space-init/composition.yaml b/apis/space-init/composition.yaml index feed9d7..80e4be8 100644 --- a/apis/space-init/composition.yaml +++ b/apis/space-init/composition.yaml @@ -445,7 +445,7 @@ spec: observed.composite.resource.spec.parameters.operators.externaldns.gcp.enabled == true base: apiVersion: gcp.platform.upbound.io/v1alpha1 - kind: XWORKLOADIDENTITY + kind: XWorkloadIdentity spec: parameters: condition: StringEquals 
@@ -456,15 +456,17 @@ spec: - type: FromCompositeFieldPath fromFieldPath: spec.parameters.providerConfigName toFieldPath: spec.parameters.id + - type: ToCompositeFieldPath + fromFieldPath: status.dnsSAID + toFieldPath: status.externalDNS.dnsSAID + policy: + fromFieldPath: Optional - type: FromCompositeFieldPath fromFieldPath: spec.parameters.operators.externaldns.gcp.dnsProjectName toFieldPath: spec.parameters.project - type: FromCompositeFieldPath fromFieldPath: spec.parameters.operators.externaldns.gcp.managedZoneName toFieldPath: spec.parameters.managedZone - - type: ToCompositeFieldPath - fromFieldPath: status.GKEprojectID - toFieldPath: spec.parameters.GKEProjectID - name: external-dns condition: | @@ -508,11 +510,11 @@ spec: - type: FromCompositeFieldPath fromFieldPath: spec.parameters.operators.externaldns.gcp.managedZoneName toFieldPath: spec.forProvider.values.domainFilters[0] - # - type: FromCompositeFieldPath - # fromFieldPath: status.status.externalDNS.IRSARoleArn - # toFieldPath: spec.forProvider.values.serviceAccount.annotations[eks.amazonaws.com/role-arn] - # policy: - # fromFieldPath: Required + - type: FromCompositeFieldPath + fromFieldPath: status.externalDNS.dnsSAID + toFieldPath: spec.forProvider.values.serviceAccount.annotations[iam.gke.io/gcp-service-account] + policy: + fromFieldPath: Required - type: FromCompositeFieldPath fromFieldPath: metadata.uid toFieldPath: spec.forProvider.values.txtOwnerId diff --git a/apis/workload-identity/composition.yaml b/apis/workload-identity/composition.yaml index 2649362..bd184a4 100644 --- a/apis/workload-identity/composition.yaml +++ b/apis/workload-identity/composition.yaml @@ -5,7 +5,7 @@ metadata: spec: compositeTypeRef: apiVersion: gcp.platform.upbound.io/v1alpha1 - kind: XWORKLOADIDENTITY + kind: XWorkloadIdentity mode: Pipeline pipeline: - step: patch-and-transform 
@@ -55,7 +55,7 @@ spec: - type: CombineFromComposite combine: variables: - - fromFieldPath: spec.parameters.GKEProjectID + - fromFieldPath: status.worloadIdentity.gkeProject - fromFieldPath: spec.parameters.serviceAccount.namespace - fromFieldPath: spec.parameters.serviceAccount.name strategy: string @@ -75,6 +75,11 @@ spec: patchSetName: providerConfigRef - type: PatchSet patchSetName: deletionPolicy + - fromFieldPath: status.atProvider.id + policy: + fromFieldPath: Optional + toFieldPath: status.dnsSAID + type: ToCompositeFieldPath - type: FromCompositeFieldPath fromFieldPath: spec.parameters.id toFieldPath: metadata.annotations[crossplane.io/external-name] 
@@ -87,10 +92,49 @@ spec: - type: CombineFromComposite combine: variables: - - fromFieldPath: spec.parameters.GKEProjectID + - fromFieldPath: status.worloadIdentity.gkeProject - fromFieldPath: spec.parameters.serviceAccount.namespace - fromFieldPath: spec.parameters.serviceAccount.name strategy: string string: fmt: "serviceAccount:%s.svc.id.goog/ns/%s/sa/%s" toFieldPath: spec.forProvider.member + + - name: workloadIdentitySettings + base: + apiVersion: kubernetes.crossplane.io/v1alpha1 + kind: Object + spec: + deletionPolicy: Orphan + forProvider: + manifest: + apiVersion: v1 + kind: ConfigMap + metadata: + namespace: default + managementPolicy: Observe + patches: + - fromFieldPath: spec.parameters.id + toFieldPath: spec.providerConfigRef.name + type: FromCompositeFieldPath + - fromFieldPath: spec.parameters.id + toFieldPath: metadata.annotations[crossplane.io/external-name] + transforms: + - string: + fmt: '%s-worload-identity-settings' + type: Format + type: string + type: FromCompositeFieldPath + - fromFieldPath: spec.parameters.id + toFieldPath: spec.forProvider.manifest.metadata.name + transforms: + - string: + fmt: '%s-worload-identity-settings' + type: Format + type: string + type: FromCompositeFieldPath + - fromFieldPath: status.atProvider.manifest.data.gkeProject + policy: + fromFieldPath: Optional + toFieldPath: status.worloadIdentity.gkeProject + type: ToCompositeFieldPath diff --git a/apis/workload-identity/definition.yaml b/apis/workload-identity/definition.yaml index 8aa256c..8ed2986 100644 --- a/apis/workload-identity/definition.yaml +++ b/apis/workload-identity/definition.yaml @@ -10,7 +10,7 @@ spec: plural: workloadidentitys group: gcp.platform.upbound.io names: - kind: XWORKLOADIDENTITY + kind: XWorkloadIdentity plural: xworkloadidentitys versions: - name: v1alpha1 From 26eb3e792bed59d34cf39ab437a3f51ae2864847 Mon Sep 17 00:00:00 2001 
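Review bot: The `gkeProject` value that the CombineFromComposite patches build into every IAM member string comes from a ConfigMap in the `default` namespace that the new `workloadIdentitySettings` Object only observes, and nothing in the composition validates it, so whoever can write that ConfigMap chooses which workload-identity pool (`<gkeProject>.svc.id.goog`) the DNS grants go to. That dependency is undocumented; a comment above the resource along the lines of `# gkeProject is read (managementPolicy: Observe), never written, from the settings ConfigMap; its writers control the IAM member strings below, so keep write access to that ConfigMap tight.` would make it visible to the next maintainer. I am assuming the ConfigMap is produced by configuration-gcp-gke, which patch 03 bumps for this purpose, so confirm the producer and that `default` is the namespace it writes to.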
From: Mark Anderson-Trocme Date: Mon, 27 May 2024 15:18:03 -0400 Subject: [PATCH 03/10] update configuration-gcp-gke to have workloadIdentity --- apis/workload-identity/composition.yaml | 6 +++--- crossplane.yaml | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/apis/workload-identity/composition.yaml b/apis/workload-identity/composition.yaml index bd184a4..50572ac 100644 --- a/apis/workload-identity/composition.yaml +++ b/apis/workload-identity/composition.yaml @@ -55,7 +55,7 @@ spec: - type: CombineFromComposite combine: variables: - - fromFieldPath: status.worloadIdentity.gkeProject + - fromFieldPath: status.workloadIdentity.gkeProject - fromFieldPath: spec.parameters.serviceAccount.namespace - fromFieldPath: spec.parameters.serviceAccount.name strategy: string @@ -92,7 +92,7 @@ spec: - type: CombineFromComposite combine: variables: - - fromFieldPath: status.worloadIdentity.gkeProject + - fromFieldPath: status.workloadIdentity.gkeProject - fromFieldPath: spec.parameters.serviceAccount.namespace - fromFieldPath: spec.parameters.serviceAccount.name strategy: string @@ -136,5 +136,5 @@ spec: - fromFieldPath: status.atProvider.manifest.data.gkeProject policy: fromFieldPath: Optional - toFieldPath: status.worloadIdentity.gkeProject + toFieldPath: status.workloadIdentity.gkeProject type: ToCompositeFieldPath diff --git a/crossplane.yaml b/crossplane.yaml index 274bd30..cb7015c 100644 --- a/crossplane.yaml +++ b/crossplane.yaml @@ -29,7 +29,7 @@ spec: version: "v0.5.0" - configuration: xpkg.upbound.io/upbound/configuration-gcp-gke # renovate: datasource=github-releases depName=upbound/configuration-gcp-gke - version: "v0.5.0" + version: "v0.6.0" - configuration: xpkg.upbound.io/upbound/configuration-gitops-argocd # renovate: datasource=github-releases depName=upbound/configuration-gitops-argocd version: "v0.8.0" From c144aa57c327684041aa929e9c0f6671a4fce2f1 Mon Sep 17 00:00:00 2001 
From: Mark Anderson-Trocme Date: Mon, 27 May 2024 15:44:56 -0400 Subject: [PATCH 04/10] add missing externaldns api defs --- apis/definition.yaml | 13 +++++++++++++ apis/space-init/definition.yaml | 13 +++++++++++++ examples/gcp-host-space.yaml | 1 + 3 files changed, 27 insertions(+) diff --git a/apis/definition.yaml b/apis/definition.yaml index ed03107..e501757 100644 --- a/apis/definition.yaml +++ b/apis/definition.yaml @@ -198,6 +198,19 @@ spec: route53ZoneName: type: string description: "The Route53 zone name for external-dns to manage." + gcp: + type: object + properties: + enabled: + type: boolean + description: "Indicates if GCP external-dns is enabled." + default: true + managedZoneName: + type: string + description: "The Managed Zone for external-dns to manage." + dnsProjectName: + type: string + description: "The ID of the Project where the DNS is managed." version: type: string description: "Specifies the version of external-dns to use." diff --git a/apis/space-init/definition.yaml b/apis/space-init/definition.yaml index c1ba952..62ca7d4 100644 --- a/apis/space-init/definition.yaml +++ b/apis/space-init/definition.yaml @@ -65,6 +65,19 @@ spec: route53ZoneName: type: string description: "The Route53 zone name for external-dns to manage." + gcp: + type: object + properties: + enabled: + type: boolean + description: "Indicates if GCP external-dns is enabled." + default: true + managedZoneName: + type: string + description: "The Managed Zone for external-dns to manage." + dnsProjectName: + type: string + description: "The ID of the Project where the DNS is managed." version: type: string description: "Specifies the version of external-dns to use." diff --git a/examples/gcp-host-space.yaml b/examples/gcp-host-space.yaml index ee854bc..a8315c1 100644 --- a/examples/gcp-host-space.yaml +++ b/examples/gcp-host-space.yaml 
@@ -16,6 +16,7 @@ spec: operators: externaldns: gcp: + enabled: true # To leverage external-dns for managing the spaces.dns.spacesRouterDomain zone entry, # substitute the placeholder values with your actual Managed Zone Name and GCP DNS Project Name. managedZoneName: ${data.gcpManagedZoneName} From 70be65451310491e2ebb515e97f535d400c034e8 Mon Sep 17 00:00:00 2001 From: Mark Anderson-Trocme Date: Mon, 27 May 2024 16:59:23 -0400 Subject: [PATCH 05/10] typo in CM name --- apis/workload-identity/composition.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/apis/workload-identity/composition.yaml b/apis/workload-identity/composition.yaml index 50572ac..6190cd1 100644 --- a/apis/workload-identity/composition.yaml +++ b/apis/workload-identity/composition.yaml @@ -121,7 +121,7 @@ spec: toFieldPath: metadata.annotations[crossplane.io/external-name] transforms: - string: - fmt: '%s-worload-identity-settings' + fmt: '%s-workload-identity-settings' type: Format type: string type: FromCompositeFieldPath @@ -129,7 +129,7 @@ spec: toFieldPath: spec.forProvider.manifest.metadata.name transforms: - string: - fmt: '%s-worload-identity-settings' + fmt: '%s-workload-identity-settings' type: Format type: string type: FromCompositeFieldPath From 6997aa60372acfd2a7d965a5a3092cdaca2633ee Mon Sep 17 00:00:00 2001 From: Mark Anderson-Trocme Date: Tue, 28 May 2024 11:53:33 -0400 Subject: [PATCH 06/10] fixing xrds for workloadIdentity --- apis/definition.yaml | 4 ++-- apis/space-init/composition.yaml | 10 +++++----- apis/space-init/definition.yaml | 4 ++-- apis/workload-identity/composition.yaml | 22 ++++++++++++---------- apis/workload-identity/definition.yaml | 21 ++++++++++++++++----- crossplane.yaml | 3 +++ examples/gcp-host-space.yaml | 8 ++++---- 7 files changed, 44 insertions(+), 28 deletions(-) diff --git a/apis/definition.yaml b/apis/definition.yaml index e501757..40f3aa4 100644 --- a/apis/definition.yaml +++ b/apis/definition.yaml 
@@ -205,10 +205,10 @@ spec: type: boolean description: "Indicates if GCP external-dns is enabled." default: true - managedZoneName: + managedZone: type: string description: "The Managed Zone for external-dns to manage." - dnsProjectName: + dnsProject: type: string description: "The ID of the Project where the DNS is managed." version: diff --git a/apis/space-init/composition.yaml b/apis/space-init/composition.yaml index 80e4be8..6647dfc 100644 --- a/apis/space-init/composition.yaml +++ b/apis/space-init/composition.yaml @@ -458,14 +458,14 @@ spec: toFieldPath: spec.parameters.id - type: ToCompositeFieldPath fromFieldPath: status.dnsSAID - toFieldPath: status.externalDNS.dnsSAID + toFieldPath: status.status.externalDNS.dnsSAID policy: fromFieldPath: Optional - type: FromCompositeFieldPath - fromFieldPath: spec.parameters.operators.externaldns.gcp.dnsProjectName + fromFieldPath: spec.parameters.operators.externaldns.gcp.dnsProject toFieldPath: spec.parameters.project - type: FromCompositeFieldPath - fromFieldPath: spec.parameters.operators.externaldns.gcp.managedZoneName + fromFieldPath: spec.parameters.operators.externaldns.gcp.managedZone toFieldPath: spec.parameters.managedZone - name: external-dns @@ -508,10 +508,10 @@ spec: fromFieldPath: spec.parameters.operators.externaldns.version toFieldPath: spec.forProvider.chart.version - type: FromCompositeFieldPath - fromFieldPath: spec.parameters.operators.externaldns.gcp.managedZoneName + fromFieldPath: spec.parameters.operators.externaldns.gcp.managedZone toFieldPath: spec.forProvider.values.domainFilters[0] - type: FromCompositeFieldPath - fromFieldPath: status.externalDNS.dnsSAID + fromFieldPath: status.status.externalDNS.dnsSAID toFieldPath: spec.forProvider.values.serviceAccount.annotations[iam.gke.io/gcp-service-account] policy: fromFieldPath: Required diff --git a/apis/space-init/definition.yaml b/apis/space-init/definition.yaml index 62ca7d4..def4d4c 100644 --- a/apis/space-init/definition.yaml 
+++ b/apis/space-init/definition.yaml @@ -72,10 +72,10 @@ spec: type: boolean description: "Indicates if GCP external-dns is enabled." default: true - managedZoneName: + managedZone: type: string description: "The Managed Zone for external-dns to manage." - dnsProjectName: + dnsProject: type: string description: "The ID of the Project where the DNS is managed." version: diff --git a/apis/workload-identity/composition.yaml b/apis/workload-identity/composition.yaml index 6190cd1..a5ebb12 100644 --- a/apis/workload-identity/composition.yaml +++ b/apis/workload-identity/composition.yaml @@ -39,6 +39,8 @@ spec: forProvider: role: roles/dns.reader patches: + - type: PatchSet + patchSetName: Name - type: PatchSet patchSetName: providerConfigRef - type: PatchSet @@ -52,16 +54,16 @@ spec: - fromFieldPath: spec.parameters.member toFieldPath: spec.forProvider.member type: FromCompositeFieldPath - - type: CombineFromComposite - combine: + - combine: + strategy: string + string: + fmt: "serviceAccount:%s.svc.id.goog/ns/%s/sa/%s" variables: - fromFieldPath: status.workloadIdentity.gkeProject - fromFieldPath: spec.parameters.serviceAccount.namespace - fromFieldPath: spec.parameters.serviceAccount.name - strategy: string - string: - fmt: "serviceAccount:%s.svc.id.goog/ns/%s/sa/%s" toFieldPath: spec.forProvider.member + type: CombineFromComposite - name: managedzoneiammember base: 
@@ -89,16 +91,16 @@ spec: - fromFieldPath: spec.parameters.managedZone toFieldPath: spec.forProvider.managedZone type: FromCompositeFieldPath - - type: CombineFromComposite - combine: + - combine: + strategy: string + string: + fmt: "serviceAccount:%s.svc.id.goog/ns/%s/sa/%s" variables: - fromFieldPath: status.workloadIdentity.gkeProject - fromFieldPath: spec.parameters.serviceAccount.namespace - fromFieldPath: spec.parameters.serviceAccount.name - strategy: string - string: - fmt: "serviceAccount:%s.svc.id.goog/ns/%s/sa/%s" toFieldPath: spec.forProvider.member + type: CombineFromComposite - name: workloadIdentitySettings base: diff --git a/apis/workload-identity/definition.yaml b/apis/workload-identity/definition.yaml index 8ed2986..44b7122 100644 --- a/apis/workload-identity/definition.yaml +++ b/apis/workload-identity/definition.yaml @@ -54,13 +54,24 @@ spec: required: - name - namespace + condition: + type: string + description: This is the whether or not the equals is a hard match or like query + default: StringEquals + enum: + - StringEquals + - StringLike + project: + type: string + description: The Project ID where the DNS managed zone lives. + managedZone: + type: string + description: The name of the GCP managed zone. required: - id - - gkeProject - - knsName - - ksaName - - dnsProject - - zoneName + - serviceAccount + - project + - managedZone required: - parameters status: diff --git a/crossplane.yaml b/crossplane.yaml index cb7015c..9e0fe53 100644 --- a/crossplane.yaml +++ b/crossplane.yaml 
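Review bot: The new `condition` parameter in the XRD (enum StringEquals/StringLike, default StringEquals) is set to `StringEquals` by space-init in patch 01, but no patch in the workload-identity composition hunks visible in this series reads `spec.parameters.condition`, so the value is accepted and silently ignored. Either wire it into the IAM member resources or drop it from the schema. If it stays, replace `description: This is the whether or not the equals is a hard match or like query` with a sentence naming what it governs, e.g. `description: Match mode of the IAM condition applied to the workload-identity bindings (StringEquals for an exact match, StringLike for a pattern).`, once such a binding exists.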
@@ -30,6 +30,9 @@ spec: - configuration: xpkg.upbound.io/upbound/configuration-gcp-gke # renovate: datasource=github-releases depName=upbound/configuration-gcp-gke version: "v0.6.0" + - provider: xpkg.upbound.io/upbound/provider-gcp-dns + # renovate: datasource=github-releases depName=upbound/provider-gcp + version: "v1.2.0" - configuration: xpkg.upbound.io/upbound/configuration-gitops-argocd # renovate: datasource=github-releases depName=upbound/configuration-gitops-argocd version: "v0.8.0" diff --git a/examples/gcp-host-space.yaml b/examples/gcp-host-space.yaml index a8315c1..867a364 100644 --- a/examples/gcp-host-space.yaml +++ b/examples/gcp-host-space.yaml @@ -19,8 +19,8 @@ spec: enabled: true # To leverage external-dns for managing the spaces.dns.spacesRouterDomain zone entry, # substitute the placeholder values with your actual Managed Zone Name and GCP DNS Project Name. - managedZoneName: ${data.gcpManagedZoneName} - dnsProjectName: ${data.gcpDNSProjectName} + managedZone: ${data.gcpManagedZoneName} + dnsProject: ${data.gcpDNSProject} crossplane: providers: - name: provider-helm @@ -31,7 +31,7 @@ spec: localRbac: true argocd: enabled: true - ingressUrl: argocd-platform-ref-upbound-spaces.${data.route53ZoneName} + ingressUrl: argocd-platform-ref-upbound-spaces.${data.gcpDNSName} git: url: https://github.com/upbound/platform-ref-upbound-spaces.git path: gitops @@ -62,7 +62,7 @@ spec: - "*/controlplane-*" spaces: dns: - spacesRouterDomain: platform-ref-upbound-spaces-gke.${data.gcpManagedZoneName} + spacesRouterDomain: platform-ref-upbound-spaces-gke.${data.gcpDNSName} clusterType: gke account: platform-ref writeConnectionSecretToRef: From 78d3084d7f659f8c5ffd2d7724fddceeab03a9a6 Mon Sep 17 00:00:00 2001 
From: Mark Anderson-Trocme Date: Wed, 29 May 2024 16:50:44 -0400 Subject: [PATCH 07/10] get external-dns working on GCP --- apis/space-init/composition.yaml | 24 ++++--- apis/space-init/definition.yaml | 2 +- apis/workload-identity/composition.yaml | 94 ++++++++++++++++--------- apis/workload-identity/definition.yaml | 21 ++++-- crossplane.yaml | 2 +- examples/gcp-host-space.yaml | 6 +- 6 files changed, 95 insertions(+), 54 deletions(-) diff --git a/apis/space-init/composition.yaml b/apis/space-init/composition.yaml index 6647dfc..f8b6fad 100644 --- a/apis/space-init/composition.yaml +++ b/apis/space-init/composition.yaml @@ -456,17 +456,14 @@ spec: - type: FromCompositeFieldPath fromFieldPath: spec.parameters.providerConfigName toFieldPath: spec.parameters.id + - type: FromCompositeFieldPath + fromFieldPath: spec.parameters.operators.externaldns.gcp.dnsProject + toFieldPath: spec.parameters.dnsProject - type: ToCompositeFieldPath - fromFieldPath: status.dnsSAID - toFieldPath: status.status.externalDNS.dnsSAID + fromFieldPath: status.googleServiceAccount.email + toFieldPath: status.status.externalDNS.googleServiceAccount.email policy: fromFieldPath: Optional - - type: FromCompositeFieldPath - fromFieldPath: spec.parameters.operators.externaldns.gcp.dnsProject - toFieldPath: spec.parameters.project - - type: FromCompositeFieldPath - fromFieldPath: spec.parameters.operators.externaldns.gcp.managedZone - toFieldPath: spec.parameters.managedZone - name: external-dns condition: | @@ -484,10 +481,12 @@ spec: repository: https://charts.bitnami.com/bitnami values: replicaCount: 1 - provider: gcp + provider: google policy: sync source: ingress registry: txt + google: + batchChangeSize: 4 rbac: create: true serviceAccount: 
@@ -508,13 +507,16 @@ spec: fromFieldPath: spec.parameters.operators.externaldns.version toFieldPath: spec.forProvider.chart.version - type: FromCompositeFieldPath - fromFieldPath: spec.parameters.operators.externaldns.gcp.managedZone + fromFieldPath: spec.parameters.operators.externaldns.gcp.zoneName toFieldPath: spec.forProvider.values.domainFilters[0] - type: FromCompositeFieldPath - fromFieldPath: status.status.externalDNS.dnsSAID + fromFieldPath: status.status.externalDNS.googleServiceAccount.email toFieldPath: spec.forProvider.values.serviceAccount.annotations[iam.gke.io/gcp-service-account] policy: fromFieldPath: Required + - type: FromCompositeFieldPath + fromFieldPath: spec.parameters.operators.externaldns.gcp.dnsProject + toFieldPath: spec.forProvider.values.google.project - type: FromCompositeFieldPath fromFieldPath: metadata.uid toFieldPath: spec.forProvider.values.txtOwnerId diff --git a/apis/space-init/definition.yaml b/apis/space-init/definition.yaml index def4d4c..ffa9982 100644 --- a/apis/space-init/definition.yaml +++ b/apis/space-init/definition.yaml @@ -72,7 +72,7 @@ spec: type: boolean description: "Indicates if GCP external-dns is enabled." default: true - managedZone: + zoneName: type: string description: "The Managed Zone for external-dns to manage." dnsProject: diff --git a/apis/workload-identity/composition.yaml b/apis/workload-identity/composition.yaml index a5ebb12..f2f8f9c 100644 --- a/apis/workload-identity/composition.yaml +++ b/apis/workload-identity/composition.yaml 
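Review bot: The rewritten patch feeds `spec.parameters.operators.externaldns.gcp.zoneName` into `spec.forProvider.values.domainFilters[0]`, but external-dns domain filters match DNS domain names, whereas the XRD change in this commit still describes zoneName as `The Managed Zone for external-dns to manage` and the example uses a `${data.gcpZoneName}` placeholder distinct from the `${data.gcpDNSName}` used for the router domain, which reads as a Cloud DNS managed-zone resource name. If a resource name is supplied the filter would match no hostnames and external-dns would manage nothing; if the DNS name is what is meant, say so in the XRD: `description: "DNS name of the zone external-dns may manage (used as domainFilters), e.g. example.com."`. The patch also still lacks `policy:` / `fromFieldPath: Required`, as noted on patch 01.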
@@ -31,13 +31,34 @@ spec: toFieldPath: spec.deletionPolicy type: FromCompositeFieldPath resources: - - name: projectiammember + - name: serviceaccount + base: + apiVersion: cloudplatform.gcp.upbound.io/v1beta1 + kind: ServiceAccount + patches: + - type: PatchSet + patchSetName: Name + - type: PatchSet + patchSetName: providerConfigRef + - type: PatchSet + patchSetName: deletionPolicy + - fromFieldPath: status.workloadIdentity.gkeProject + toFieldPath: spec.forProvider.project + type: FromCompositeFieldPath + - fromFieldPath: status.atProvider.email + toFieldPath: status.googleServiceAccount.email + type: ToCompositeFieldPath + - fromFieldPath: status.atProvider.id + toFieldPath: status.googleServiceAccount.id + type: ToCompositeFieldPath + + - name: projectiammember-dns-admin base: apiVersion: cloudplatform.gcp.upbound.io/v1beta1 kind: ProjectIAMMember spec: forProvider: - role: roles/dns.reader + role: roles/dns.admin patches: - type: PatchSet patchSetName: Name 
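Review bot: `projectiammember-dns-admin` now binds `roles/dns.admin` on the whole DNS project to the new service account, replacing the project-level `roles/dns.reader` plus zone-scoped `roles/dns.admin` (ManagedZoneIAMMember) that patch 01 introduced; with `policy: sync` in the Release that lets external-dns write to every zone in that project, not only the one in domainFilters. If the zone-scoped binding was dropped only because the member string was malformed before this commit fixed its format, restoring it — project-level `role: roles/dns.reader` for zone listing and `roles/dns.admin` on the managed zone — keeps least privilege. If project-wide admin is genuinely required, a comment on the resource stating why would stop the next reviewer from narrowing it.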
@@ -45,19 +66,39 @@ spec: patchSetName: providerConfigRef - type: PatchSet patchSetName: deletionPolicy - - type: FromCompositeFieldPath - fromFieldPath: spec.parameters.id - toFieldPath: metadata.annotations[crossplane.io/external-name] - fromFieldPath: spec.parameters.dnsProject toFieldPath: spec.forProvider.project type: FromCompositeFieldPath - - fromFieldPath: spec.parameters.member + - fromFieldPath: status.googleServiceAccount.email toFieldPath: spec.forProvider.member type: FromCompositeFieldPath + transforms: + - string: + fmt: 'serviceAccount:%s' + type: Format + type: string + + - name: serviceaccountiammember + base: + apiVersion: cloudplatform.gcp.upbound.io/v1beta1 + kind: ServiceAccountIAMMember + spec: + forProvider: + role: roles/iam.workloadIdentityUser + patches: + - type: PatchSet + patchSetName: Name + - type: PatchSet + patchSetName: providerConfigRef + - type: PatchSet + patchSetName: deletionPolicy + - fromFieldPath: status.googleServiceAccount.id + toFieldPath: spec.forProvider.serviceAccountId + type: FromCompositeFieldPath - combine: strategy: string string: - fmt: "serviceAccount:%s.svc.id.goog/ns/%s/sa/%s" + fmt: "serviceAccount:%s.svc.id.goog[%s/%s]" variables: - fromFieldPath: status.workloadIdentity.gkeProject - fromFieldPath: spec.parameters.serviceAccount.namespace 
@@ -65,42 +106,31 @@ spec:
 toFieldPath: spec.forProvider.member
 type: CombineFromComposite
- - name: managedzoneiammember
+ - name: projectiammember-workload-identity-user
 base:
- apiVersion: dns.gcp.upbound.io/v1beta1
- kind: ManagedZoneIAMMember
+ apiVersion: cloudplatform.gcp.upbound.io/v1beta1
+ kind: ProjectIAMMember
 spec:
 forProvider:
- role: roles/dns.admin
+ role: roles/iam.workloadIdentityUser
 patches:
+ - type: PatchSet
+ patchSetName: Name
 - type: PatchSet
 patchSetName: providerConfigRef
 - type: PatchSet
 patchSetName: deletionPolicy
- - fromFieldPath: status.atProvider.id
- policy:
- fromFieldPath: Optional
- toFieldPath: status.dnsSAID
- type: ToCompositeFieldPath
- - type: FromCompositeFieldPath
- fromFieldPath: spec.parameters.id
- toFieldPath: metadata.annotations[crossplane.io/external-name]
- - fromFieldPath: spec.parameters.dnsProject
+ - fromFieldPath: status.workloadIdentity.gkeProject
 toFieldPath: spec.forProvider.project
 type: FromCompositeFieldPath
- - fromFieldPath: spec.parameters.managedZone
- toFieldPath: spec.forProvider.managedZone
- type: FromCompositeFieldPath
- - combine:
- strategy: string
- string:
- fmt: "serviceAccount:%s.svc.id.goog/ns/%s/sa/%s"
- variables:
- - fromFieldPath: status.workloadIdentity.gkeProject
- - fromFieldPath: spec.parameters.serviceAccount.namespace
- - fromFieldPath: spec.parameters.serviceAccount.name
+ - fromFieldPath: status.googleServiceAccount.email
 toFieldPath: spec.forProvider.member
- type: CombineFromComposite
+ type: FromCompositeFieldPath
+ transforms:
+ - string:
+ fmt: 'serviceAccount:%s'
+ type: Format
+ type: string
 - name: workloadIdentitySettings
 base:
diff --git a/apis/workload-identity/definition.yaml b/apis/workload-identity/definition.yaml
index 44b7122..cdba59d 100644
--- a/apis/workload-identity/definition.yaml
+++ b/apis/workload-identity/definition.yaml
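Review bot: `projectiammember-workload-identity-user` grants `roles/iam.workloadIdentityUser` to the Google service account's own email (`status.googleServiceAccount.email`) across the whole GKE project, while the binding GKE Workload Identity actually evaluates is the one on the Google service account for the Kubernetes principal, which is what the `serviceaccountiammember` resource added in the previous hunk provides. The project-wide grant therefore appears redundant and is broader than needed; unless the GSA is meant to act through other identities in that project it seems safe to drop, or at least to justify with a comment such as `# NOTE: project-wide workloadIdentityUser for the GSA itself is needed because <REASON-PLACEHOLDER>`. The removed `managedzoneiammember` also wrote `status.dnsSAID` back to the composite; nothing in this patch replaces that write, so any consumer of `status.dnsSAID` (not visible here) is now stale. The hunk ends inside the `workloadIdentitySettings` resource, which continues past it.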
@@ -61,17 +61,13 @@ spec:
 enum:
 - StringEquals
 - StringLike
- project:
+ dnsProject:
 type: string
 description: The Project ID where the DNS managed zone lives.
- managedZone:
- type: string
- description: The name of the GCP managed zone.
 required:
 - id
 - serviceAccount
- - project
- - managedZone
+ - dnsProject
 required:
 - parameters
 status:
@@ -88,3 +84,16 @@ spec:
 description: Freeform field containing information about the observed status.
 type: object
 x-kubernetes-preserve-unknown-fields: true
+ googleServiceAccount:
+ type: object
+ description: Configuration for GSA
+ properties:
+ email:
+ type: string
+ description: email Google SA
+ id:
+ type: string
+ description: id Google SA
+ required:
+ - email
+ - id
diff --git a/crossplane.yaml b/crossplane.yaml
index 9e0fe53..e8721d6 100644
--- a/crossplane.yaml
+++ b/crossplane.yaml
@@ -29,7 +29,7 @@ spec:
 version: "v0.5.0"
 - configuration: xpkg.upbound.io/upbound/configuration-gcp-gke
 # renovate: datasource=github-releases depName=upbound/configuration-gcp-gke
- version: "v0.6.0"
+ version: "v0.7.0"
 - provider: xpkg.upbound.io/upbound/provider-gcp-dns
 # renovate: datasource=github-releases depName=upbound/provider-gcp
 version: "v1.2.0"
diff --git a/examples/gcp-host-space.yaml b/examples/gcp-host-space.yaml
index 867a364..e4fd9dc 100644
--- a/examples/gcp-host-space.yaml
+++ b/examples/gcp-host-space.yaml
@@ -19,7 +19,7 @@ spec:
 enabled: true
 # To leverage external-dns for managing the spaces.dns.spacesRouterDomain zone entry,
 # substitute the placeholder values with your actual Managed Zone Name and GCP DNS Project Name.
- managedZone: ${data.gcpManagedZoneName}
+ zoneName: ${data.gcpZoneName}
 dnsProject: ${data.gcpDNSProject}
 crossplane:
 providers:
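Review bot: The new `status.googleServiceAccount` properties in the `@@ -88,3 +84,16 @@` hunk of definition.yaml are documented only as `email Google SA` and `id Google SA`, which tells a consumer nothing about what the values are; since the composition fills them from the created `ServiceAccount`'s `status.atProvider.email` and `status.atProvider.id`, `description: Email address of the Google service account created for this XR.` and `description: Resource ID of the Google service account, as reported by the provider.` would be clearer, and `Configuration for GSA` should become `Observed details of the Google service account` because the object is written by the composition rather than set by the user. In the `@@ -61,17 +61,13 @@` hunk `project` is renamed to `dnsProject` and `managedZone` leaves both `properties` and `required`; any composition still patching `spec.parameters.project` or `spec.parameters.managedZone` on this XR will now be rejected or pruned, which is worth confirming for callers outside this patch.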
@@ -31,7 +31,7 @@ spec:
 localRbac: true
 argocd:
 enabled: true
- ingressUrl: argocd-platform-ref-upbound-spaces.${data.gcpDNSName}
+ ingressUrl: argocd-platform-ref-upbound-spaces.${data.gcpZoneName}
 git:
 url: https://github.com/upbound/platform-ref-upbound-spaces.git
 path: gitops
@@ -62,7 +62,7 @@ spec:
 - "*/controlplane-*"
 spaces:
 dns:
- spacesRouterDomain: platform-ref-upbound-spaces-gke.${data.gcpDNSName}
+ spacesRouterDomain: platform-ref-upbound-spaces-gke.${data.gcpZoneName}
 clusterType: gke
 account: platform-ref
 writeConnectionSecretToRef:
From 8d49b357ee79799aeeabf3232c83db2c62798f62 Mon Sep 17 00:00:00 2001
From: Mark Anderson-Trocme
Date: Wed, 29 May 2024 20:10:04 -0400
Subject: [PATCH 08/10] xrd fixes
---
 apis/definition.yaml | 2 +-
 apis/workload-identity/definition.yaml | 3 ---
 2 files changed, 1 insertion(+), 4 deletions(-)
diff --git a/apis/definition.yaml b/apis/definition.yaml
index 40f3aa4..814b5d3 100644
--- a/apis/definition.yaml
+++ b/apis/definition.yaml
@@ -205,7 +205,7 @@ spec:
 type: boolean
 description: "Indicates if GCP external-dns is enabled."
 default: true
- managedZone:
+ zoneName:
 type: string
 description: "The Managed Zone for external-dns to manage."
 dnsProject:
diff --git a/apis/workload-identity/definition.yaml b/apis/workload-identity/definition.yaml
index cdba59d..4e2e5de 100644
--- a/apis/workload-identity/definition.yaml
+++ b/apis/workload-identity/definition.yaml
@@ -77,9 +77,6 @@ spec:
 description: Freeform field containing status information for Workload Identity.
 type: object
 x-kubernetes-preserve-unknown-fields: true
- member:
- description: The member string used in IAM policies.
- type: string
 observed:
 description: Freeform field containing information about the observed status.
 type: object
From 88ce2d9c92b1d4ea4aa4ccc08c6d5cc5ca9c8839 Mon Sep 17 00:00:00 2001
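Review bot: In the `apis/definition.yaml` hunk the renamed `zoneName` keeps the description `"The Managed Zone for external-dns to manage."`, which does not say whether the value is the Cloud DNS managed-zone resource name or the zone's DNS name; the two example hunks on this line pass the same `${data.gcpZoneName}` placeholder both as `zoneName` and as the DNS suffix of `ingressUrl` and `spacesRouterDomain`, so a reader will take the two to be interchangeable, which in GCP they are not. Pin it down in the schema, e.g. `description: "Name of the GCP Cloud DNS managed zone (the zone resource name, not its DNS name) whose records external-dns manages."` if the resource name is meant, and in that case give the example a separate placeholder for the DNS name so the file renders to valid input. The `default: true` on the `enabled` flag two lines above means this field is consulted for every GCP space unless explicitly disabled, so its meaning matters beyond this example.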
From: Mark Anderson-Trocme
Date: Thu, 30 May 2024 08:51:04 -0400
Subject: [PATCH 09/10] review suggestions
---
 apis/space-init/composition.yaml | 2 --
 apis/workload-identity/composition.yaml | 2 +-
 2 files changed, 1 insertion(+), 3 deletions(-)
diff --git a/apis/space-init/composition.yaml b/apis/space-init/composition.yaml
index f8b6fad..e1e21da 100644
--- a/apis/space-init/composition.yaml
+++ b/apis/space-init/composition.yaml
@@ -305,8 +305,6 @@ spec:
 name: ingress-nginx
 repository: https://kubernetes.github.io/ingress-nginx
 set:
- - name: "nameOverride"
- value: "ingress-nginx"
 - name: "controller.service.type"
 value: "LoadBalancer"
 - name: "controller.allowSnippetAnnotations"
diff --git a/apis/workload-identity/composition.yaml b/apis/workload-identity/composition.yaml
index f2f8f9c..db03b1b 100644
--- a/apis/workload-identity/composition.yaml
+++ b/apis/workload-identity/composition.yaml
@@ -134,7 +134,7 @@ spec:
 - name: workloadIdentitySettings
 base:
- apiVersion: kubernetes.crossplane.io/v1alpha1
+ apiVersion: kubernetes.crossplane.io/v1alpha2
 kind: Object
 spec:
 deletionPolicy: Orphan
From 968368a0c558ee0e7f3ae538cd7df3bc11dd175a Mon Sep 17 00:00:00 2001
From: Mark Anderson-Trocme
Date: Fri, 31 May 2024 12:53:40 -0400
Subject: [PATCH 10/10] typo and fix Object
---
 apis/workload-identity/composition.yaml | 2 +-
 apis/workload-identity/definition.yaml | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/apis/workload-identity/composition.yaml b/apis/workload-identity/composition.yaml
index db03b1b..cc279ca 100644
--- a/apis/workload-identity/composition.yaml
+++ b/apis/workload-identity/composition.yaml
@@ -144,7 +144,7 @@ spec:
 kind: ConfigMap
 metadata:
 namespace: default
- managementPolicy: Observe
+ managementPolicies: ["Observe"]
 patches:
 - fromFieldPath: spec.parameters.id
 toFieldPath: spec.providerConfigRef.name
diff --git a/apis/workload-identity/definition.yaml b/apis/workload-identity/definition.yaml
index 4e2e5de..bf47441 100644
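Review bot: `managementPolicies: ["Observe"]` in the `@@ -144,7 +144,7 @@` hunk of apis/workload-identity/composition.yaml is the only flow-style sequence in the visible parts of this file, which otherwise uses block sequences throughout; `managementPolicies:` / `  - Observe` keeps the style uniform and diffs cleanly if a second policy is ever added. Observe-only combined with the `deletionPolicy: Orphan` shown in the `@@ -134,7 +134,7 @@` hunk on this line is the right pairing for reading the settings ConfigMap without ever mutating or deleting it, so the semantics look correct. The `patches` list of this resource continues beyond the hunk.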
--- a/apis/workload-identity/definition.yaml
+++ b/apis/workload-identity/definition.yaml
@@ -1,17 +1,17 @@
 apiVersion: apiextensions.crossplane.io/v1
 kind: CompositeResourceDefinition
 metadata:
- name: xworkloadidentitys.gcp.platform.upbound.io
+ name: xworkloadidentities.gcp.platform.upbound.io
 labels:
 provider: gcp
 spec:
 claimNames:
 kind: WorkloadIdentity
- plural: workloadidentitys
+ plural: workloadidentities
 group: gcp.platform.upbound.io
 names:
 kind: XWorkloadIdentity
- plural: xworkloadidentitys
+ plural: xworkloadidentities
 versions:
 - name: v1alpha1
 served: true