diff --git a/README.md b/README.md index b5ba1cfd..f6c2e873 100644 --- a/README.md +++ b/README.md @@ -10,7 +10,7 @@ managed resources for [Yandex Cloud](https://cloud.yandex.com/). Install crossplane: -``` +```shell kubectl create namespace crossplane-system helm repo add crossplane-stable https://charts.crossplane.io/stable @@ -21,7 +21,7 @@ helm install crossplane --namespace crossplane-system crossplane-stable/crosspla Check crossplane status: -``` +```shell helm list -n crossplane-system kubectl get all -n crossplane-system @@ -36,16 +36,17 @@ sudo mv crossplane $(dirname $(which kubectl)) Install the provider by using the following command after changing tag to the latest release: - -``` -crossplane xpkg install provider xpkg.upbound.io/yandexcloud/crossplane-provider-yc:v0.4.1 +```shell +crossplane xpkg install provider xpkg.upbound.io/yandexcloud/crossplane-provider-yc:v0.14.0 ``` +or set in .Values.provider.package + ### Setup ProviderConfig Create service account: -``` +```shell yc iam service-account create --name ``` @@ -69,16 +70,16 @@ kubectl create secret generic yc-creds -n "crossplane-system" --from-file=creden Apply example ProviderConfig: -``` +```shell kubectl apply -f examples/providerconfig/providerconfig.yaml ``` ### Update crossplane-provider-yc -Update provider version on new tag (e.g. v0.4.1): +Update provider version on new tag (e.g. v0.14.0): -``` -kubectl crossplane update provider crossplane-provider-yc v0.4.1 +```shell +kubectl crossplane update provider crossplane-provider-yc v0.14.0 ``` ## Useful things diff --git a/helm/chart/README.md b/helm/chart/README.md index b691a917..2fead174 100644 --- a/helm/chart/README.md +++ b/helm/chart/README.md @@ -162,4 +162,3 @@ image: [Kubernetes cluster]: https://kubernetes.io/docs/setup/ [Minikube]: https://kubernetes.io/docs/tasks/tools/install-minikube/ [Helm]: https://docs.helm.sh/using_helm/ - 
diff --git a/helm/chart/templates/clusterrole.yaml b/helm/chart/templates/clusterrole.yaml index 5559ae3b..5fb9de27 100644 --- a/helm/chart/templates/clusterrole.yaml +++ b/helm/chart/templates/clusterrole.yaml @@ -59,8 +59,11 @@ rules: - "*" - apiGroups: - apiextensions.crossplane.io + - ops.crossplane.io - pkg.crossplane.io + # secrets.crossplane.io removed in 2.0 - secrets.crossplane.io + - protection.crossplane.io resources: - "*" verbs: diff --git a/helm/chart/templates/deployment.yaml b/helm/chart/templates/deployment.yaml index 9560df72..b527952b 100644 --- a/helm/chart/templates/deployment.yaml +++ b/helm/chart/templates/deployment.yaml @@ -57,7 +57,13 @@ spec: {{- end }} hostNetwork: {{ .Values.hostNetwork }} initContainers: - - image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default (printf "v%s" .Chart.AppVersion) }}" + - name: {{ .Chart.Name }}-init + {{- if .Values.image.ignoreTag }} + image: "{{ .Values.image.repository }}" + {{- else }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default (printf "v%s" .Chart.AppVersion) }}" + {{- end }} + imagePullPolicy: {{ .Values.image.pullPolicy }} args: - core - init @@ -73,8 +79,10 @@ spec: - --function - "{{ $arg }}" {{- end }} - imagePullPolicy: {{ .Values.image.pullPolicy }} - name: {{ .Chart.Name }}-init + {{- range $arg := .Values.provider.defaultActivations }} + - --activation + - "{{ $arg }}" + {{- end }} resources: {{- toYaml .Values.resourcesCrossplane | nindent 12 }} {{- with .Values.securityContextCrossplane }} 
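Review bot: The added comment `# secrets.crossplane.io removed in 2.0` is placed directly above a `- secrets.crossplane.io` entry that this hunk keeps, so the rule still grants every verb on that group while the comment announces it is gone. Either remove the entry or reword the comment so the retention is clearly deliberate, e.g. `# secrets.crossplane.io is no longer served by Crossplane 2.0; kept so 1.x clusters still match`. A grant on an unserved API group is inert, but as written it reads as dead configuration whose intent the next reviewer cannot tell. The enclosing `rules:` list starts and continues outside the hunk.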
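Review bot: With `.Values.image.ignoreTag` set, the new branch renders `image: "{{ .Values.image.repository }}"` with neither tag nor digest, so unless `repository` itself carries one the runtime silently pulls `:latest`, which undoes the pinning the `else` branch provides and makes rollouts non-reproducible. Guard the branch so the contract is explicit, e.g. `{{- if not (contains "@" .Values.image.repository) }}{{ fail "image.ignoreTag requires image.repository to carry a digest" }}{{- end }}`, or at least state in the values comment that `repository` must then be a full reference. The same branch recurs for the main container in this file's next hunk and in both containers of rbac-manager-deployment.yaml; whichever fix is chosen should be applied to all four. The init container's spec continues outside the hunk.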
@@ -125,8 +133,17 @@ spec: value: crossplane-tls-server - name: "TLS_CLIENT_SECRET_NAME" value: crossplane-tls-client + {{- range $key, $value := .Values.extraEnvVarsCrossplaneInit }} + - name: {{ $key | replace "." "_" }} + value: {{ $value | quote }} + {{- end}} containers: - - image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default (printf "v%s" .Chart.AppVersion) }}" + - name: {{ .Chart.Name }} + {{- if .Values.image.ignoreTag }} + image: "{{ .Values.image.repository }}" + {{- else }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default (printf "v%s" .Chart.AppVersion) }}" + {{- end }} args: - core - start @@ -134,7 +151,6 @@ spec: - {{ $arg }} {{- end }} imagePullPolicy: {{ .Values.image.pullPolicy }} - name: {{ .Chart.Name }} resources: {{- toYaml .Values.resourcesCrossplane | nindent 12 }} startupProbe: diff --git a/helm/chart/templates/providerconfig.yaml b/helm/chart/templates/providerconfig.yaml index a009d557..d2f9597e 100644 --- a/helm/chart/templates/providerconfig.yaml +++ b/helm/chart/templates/providerconfig.yaml @@ -7,6 +7,25 @@ type: Opaque data: credentials: {{ .Values.providerJetYc.creds | default "" | b64enc }} --- +{{- if .Value.provider.config.new_api }} +apiVersion: yandex-cloud.m.jet.crossplane.io/v1beta1 +kind: ProviderConfig +metadata: + annotations: + upjet.upbound.io/manual-intervention: Namespaced ProviderConfig for Crossplane v2 with local secret references. + "helm.sh/resource-policy": keep + name: {{ .Values.providerJetYc.providerName }}-v2 +spec: + credentials: + cloudId: {{ .Values.providerJetYc.cloudId }} + folderId: {{ .Values.providerJetYc.folderId }} + endpoint: {{ .Values.providerJetYc.endpoint }} + secretRef: + key: credentials + name: {{ .Values.providerJetYc.secretName }} + namespace: {{ .Release.Namespace }} + source: Secret +{{ else }} apiVersion: yandex-cloud.jet.crossplane.io/v1alpha1 kind: ProviderConfig metadata: 
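Review bot: The `{{- end}}` that closes the new `extraEnvVarsCrossplaneInit` range omits the space every other action in this file uses (`{{- end }}` appears two lines below); a style nit, but `{{- end }}` keeps the template greppable with one form. Env names are built from the map keys with `replace "." "_"` and values pass through `quote`, so boolean- or number-looking values stay strings, which is the right shape. The main-container `ignoreTag` branch here has the same missing-digest concern as the init container's. The `env:` list starts outside the hunk.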
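Review bot: `{{- if .Value.provider.config.new_api }}` references `.Value` instead of `.Values`; on the root context `.Value` is nil, so Helm aborts with a nil-pointer error while evaluating `.provider` before either branch is taken, which breaks every render of this template and not only the `new_api` path. Change it to `{{- if .Values.provider.config.new_api }}`. In the new document `cloudId`, `folderId` and `endpoint` are emitted unquoted, so the empty values.yaml defaults render as `cloudId:` which YAML reads as null rather than an empty string; `cloudId: {{ .Values.providerJetYc.cloudId | quote }}` (likewise for the other two) keeps them strings. The `{{ else }}` branch continues outside the hunk.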
@@ -21,18 +40,8 @@ spec: namespace: {{ .Release.Namespace }} key: credentials endpoint: {{ .Values.providerJetYc.endpoint }} ---- -apiVersion: pkg.crossplane.io/v1 -kind: Provider -metadata: - name: provider-jet-yc - namespace: {{ .Release.Namespace }} - annotations: - "helm.sh/resource-policy": keep -spec: - package: {{ .Values.providerJetYc.package }} - runtimeConfigRef: - name: yc-pod-security +{{- end }} +# ! Delete provider because value .Values.provider.packages can install it --- apiVersion: pkg.crossplane.io/v1beta1 kind: DeploymentRuntimeConfig @@ -63,10 +72,9 @@ spec: volumes: - name: internal-root-ca secret: - defaultMode: 420 - secretName: {{ .Values.internalRootCaSecretName }} - items: - - key: internal-root-ca - path: ca-certificates.crt + defaultMode: 420 + secretName: {{ .Values.internalRootCaSecretName }} + items: + - key: internal-root-ca + path: ca-certificates.crt {{ end }} - diff --git a/helm/chart/templates/rbac-manager-allowed-provider-permissions.yaml b/helm/chart/templates/rbac-manager-allowed-provider-permissions.yaml index 9a373fff..b6b107d3 100644 --- a/helm/chart/templates/rbac-manager-allowed-provider-permissions.yaml +++ b/helm/chart/templates/rbac-manager-allowed-provider-permissions.yaml @@ -11,4 +11,4 @@ aggregationRule: clusterRoleSelectors: - matchLabels: rbac.crossplane.io/aggregate-to-allowed-provider-permissions: "true" -{{- end}} \ No newline at end of file +{{- end}} diff --git a/helm/chart/templates/rbac-manager-clusterrolebinding.yaml b/helm/chart/templates/rbac-manager-clusterrolebinding.yaml index 56e0300b..51e7068f 100644 --- a/helm/chart/templates/rbac-manager-clusterrolebinding.yaml +++ b/helm/chart/templates/rbac-manager-clusterrolebinding.yaml @@ -14,4 +14,4 @@ subjects: - kind: ServiceAccount name: rbac-manager namespace: {{ .Release.Namespace }} -{{- end}} \ No newline at end of file +{{- end}} 
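Review bot: Dropping the `Provider` object also drops the only `runtimeConfigRef: name: yc-pod-security` in this template, so the `DeploymentRuntimeConfig` rendered below it, with the internal root CA volume, attaches to nothing unless the Provider that `.Values.provider.packages` produces elsewhere in the chart sets a `runtimeConfigRef`; that template is not in this diff, so please confirm, otherwise the provider pod loses the CA mount and the pod-security settings. Existing releases will presumably keep the old `provider-jet-yc` object because of its `helm.sh/resource-policy: keep`, leaving two provider packages side by side after upgrade, so an upgrade note or a manual delete step belongs with this change. The comment `# ! Delete provider because value .Values.provider.packages can install it` is a YAML comment and lands in the rendered manifest; as `{{- /* Provider is installed via .Values.provider.packages; the DeploymentRuntimeConfig below must be referenced from there */ -}}` it stays out of the output. The `spec:` of the preceding ProviderConfig starts outside the hunk.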
diff --git a/helm/chart/templates/rbac-manager-deployment.yaml b/helm/chart/templates/rbac-manager-deployment.yaml index a04d7232..f2a85e53 100644 --- a/helm/chart/templates/rbac-manager-deployment.yaml +++ b/helm/chart/templates/rbac-manager-deployment.yaml @@ -52,12 +52,16 @@ spec: runtimeClassName: {{ .Values.runtimeClassName | quote }} {{- end }} initContainers: - - image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default (printf "v%s" .Chart.AppVersion) }}" + - name: {{ .Chart.Name }}-init + {{- if .Values.image.ignoreTag }} + image: "{{ .Values.image.repository }}" + {{- else }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default (printf "v%s" .Chart.AppVersion) }}" + {{- end }} args: - rbac - init imagePullPolicy: {{ .Values.image.pullPolicy }} - name: {{ .Chart.Name }}-init resources: {{- toYaml .Values.resourcesRBACManager | nindent 12 }} {{- with .Values.securityContextRBACManager }} @@ -78,7 +82,12 @@ spec: resource: limits.memory divisor: "1" containers: - - image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default (printf "v%s" .Chart.AppVersion) }}" + - name: {{ .Chart.Name }} + {{- if .Values.image.ignoreTag }} + image: "{{ .Values.image.repository }}" + {{- else }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default (printf "v%s" .Chart.AppVersion) }}" + {{- end }} args: - rbac - start @@ -87,7 +96,6 @@ spec: {{- end }} - --provider-clusterrole={{ template "crossplane.name" . }}:allowed-provider-permissions imagePullPolicy: {{ .Values.image.pullPolicy }} - name: {{ .Chart.Name }} resources: {{- toYaml .Values.resourcesRBACManager | nindent 12 }} {{- if .Values.metrics.enabled }} diff --git a/helm/chart/templates/rbac-manager-managed-clusterroles.yaml b/helm/chart/templates/rbac-manager-managed-clusterroles.yaml index 223ecba6..82f0b852 100644 --- a/helm/chart/templates/rbac-manager-managed-clusterroles.yaml +++ b/helm/chart/templates/rbac-manager-managed-clusterroles.yaml 
@@ -111,6 +111,14 @@ rules: - apiGroups: [apiextensions.k8s.io] resources: [customresourcedefinitions] verbs: [get, list, watch] +- apiGroups: + - protection.crossplane.io + resources: ["*"] + verbs: ["*"] +- apiGroups: + - ops.crossplane.io + resources: ["*"] + verbs: ["*"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole @@ -147,6 +155,14 @@ rules: - secrets.crossplane.io resources: ["*"] verbs: ["*"] +- apiGroups: + - protection.crossplane.io + resources: ["*"] + verbs: ["*"] +- apiGroups: + - ops.crossplane.io + resources: ["*"] + verbs: ["*"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole @@ -178,6 +194,14 @@ rules: - secrets.crossplane.io resources: ["*"] verbs: [get, list, watch] +- apiGroups: + - protection.crossplane.io + resources: ["*"] + verbs: [get, list, watch] +- apiGroups: + - ops.crossplane.io + resources: ["*"] + verbs: [get, list, watch] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole 
@@ -199,74 +223,6 @@ rules: - apiextensions.crossplane.io resources: ["*"] verbs: [get, list, watch] -{{- if .Values.rbacManager.managementPolicy }} ---- -# The below ClusterRoles are aggregated to the namespaced RBAC roles created by -# the Crossplane RBAC manager when it is running in --manage=All mode. -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ template "crossplane.name" . }}:aggregate-to-ns-admin - labels: - rbac.crossplane.io/aggregate-to-ns-admin: "true" - rbac.crossplane.io/base-of-ns-admin: "true" - app: {{ template "crossplane.name" . }} - {{- include "crossplane.labels" . | indent 4 }} -rules: -# Crossplane namespace admins have access to view events. -- apiGroups: [""] - resources: [events] - verbs: [get, list, watch] -# Crossplane namespace admins may need to read or otherwise interact with -# resource claim connection secrets. -- apiGroups: [""] - resources: [secrets] - verbs: ["*"] -# Crossplane namespace admins have access to view the roles that they may be -# able to grant to other subjects. -- apiGroups: [rbac.authorization.k8s.io] - resources: [roles] - verbs: [get, list, watch] -# Crossplane namespace admins have access to grant the access they have to other -# subjects. -- apiGroups: [rbac.authorization.k8s.io] - resources: [rolebindings] - verbs: ["*"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ template "crossplane.name" . }}:aggregate-to-ns-edit - labels: - rbac.crossplane.io/aggregate-to-ns-edit: "true" - rbac.crossplane.io/base-of-ns-edit: "true" - app: {{ template "crossplane.name" . }} - {{- include "crossplane.labels" . | indent 4 }} -rules: -# Crossplane namespace editors have access to view events. -- apiGroups: [""] - resources: [events] - verbs: [get, list, watch] -# Crossplane namespace editors may need to read or otherwise interact with -# resource claim connection secrets. 
-- apiGroups: [""] - resources: [secrets] - verbs: ["*"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ template "crossplane.name" . }}:aggregate-to-ns-view - labels: - rbac.crossplane.io/aggregate-to-ns-view: "true" - rbac.crossplane.io/base-of-ns-view: "true" - app: {{ template "crossplane.name" . }} - {{- include "crossplane.labels" . | indent 4 }} -rules: -# Crossplane namespace viewers have access to view events. -- apiGroups: [""] - resources: [events] - verbs: [get, list, watch] -{{- end }} +# remove rbac management policy because dont have value for this {{- end }} {{- end }} diff --git a/helm/chart/templates/rbac-manager-serviceaccount.yaml b/helm/chart/templates/rbac-manager-serviceaccount.yaml index fd1dcc97..6eca2a31 100644 --- a/helm/chart/templates/rbac-manager-serviceaccount.yaml +++ b/helm/chart/templates/rbac-manager-serviceaccount.yaml @@ -13,4 +13,4 @@ imagePullSecrets: - name: {{ $secret }} {{- end }} {{- end }} -{{- end}} \ No newline at end of file +{{- end}} diff --git a/helm/chart/templates/secret.yaml b/helm/chart/templates/secret.yaml index 78d05eb7..7e853014 100644 --- a/helm/chart/templates/secret.yaml +++ b/helm/chart/templates/secret.yaml @@ -40,4 +40,4 @@ kind: Secret metadata: name: crossplane-tls-client namespace: {{ .Release.Namespace }} -type: Opaque \ No newline at end of file +type: Opaque diff --git a/helm/chart/templates/serviceaccount.yaml b/helm/chart/templates/serviceaccount.yaml index e711adf8..b57ca9ff 100644 --- a/helm/chart/templates/serviceaccount.yaml +++ b/helm/chart/templates/serviceaccount.yaml @@ -16,4 +16,4 @@ imagePullSecrets: - name: {{ $secret }} {{- end }} {{ end }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/helm/template/chart/Chart.yaml b/helm/template/chart/Chart.yaml index 7d4ef9d9..c8b0de35 100644 --- a/helm/template/chart/Chart.yaml +++ b/helm/template/chart/Chart.yaml 
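Review bot: The replacement line `# remove rbac management policy because dont have value for this` is a YAML comment and is emitted into the rendered ClusterRole manifest after its last `verbs:` entry, and it does not record what was removed or why the `{{- if .Values.rbacManager.managementPolicy }}` guard, which already rendered nothing when the value was unset, was not enough. A template comment keeps it out of the output and states the decision: `{{- /* aggregate-to-ns-admin/edit/view ClusterRoles removed: the chart exposes no rbacManager.managementPolicy value */ -}}`. Note the removed ns-admin role carried `verbs: ["*"]` on core `secrets`; dropping it narrows what the RBAC manager can aggregate, a reasonable reduction that still deserves a changelog line. The hunk starts on the previous physical line, and the two `{{- end }}` at its close belong to conditions opened outside it.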
@@ -1,5 +1,5 @@ apiVersion: v1 -appVersion: ${IMAGE_TAG} +appVersion: ${IMAGE_TAG} # 2.1.3 description: Crossplane is an open source Kubernetes add-on that enables platform teams to assemble infrastructure from multiple vendors, and expose higher level self-service APIs for application teams to consume. diff --git a/helm/template/chart/values.yaml b/helm/template/chart/values.yaml index 4b959248..b3aef5e1 100644 --- a/helm/template/chart/values.yaml +++ b/helm/template/chart/values.yaml @@ -14,9 +14,11 @@ image: # -- Repository for the Crossplane pod image. repository: ${REGISTRY}/${IMAGE_PATH}/crossplane # -- The Crossplane image tag. Defaults to the value of `appVersion` in `Chart.yaml`. - tag: 1.20.1 + tag: "" # -- The image pull policy used for Crossplane and RBAC Manager pods. pullPolicy: IfNotPresent + # -- Do not use the {{ .image.tag }} value to compute the image uri. + ignoreTag: false # -- Add `nodeSelectors` to the Crossplane pod deployment. nodeSelector: {} @@ -54,7 +56,25 @@ args: [] provider: # -- A list of Provider packages to install. - packages: [] + packages: + - xpkg.upbound.io/yandexcloud/crossplane-provider-yc:v0.14.0 # with this dont need template for provider + # -- Define entries for the default managed resource activation policy. If defined, a default MRAP will contain these activations. + defaultActivations: ["*"] + config: + # Use new version api for ProviderConfig + new_api: false + # Provider name + providerName: yandexcloud-crossplane-provider-yc + # Secret name + secretName: yc-creds + # Credentials to store + creds: "" + # Endpoint to yandex cloud api + endpoint: api.cloud.yandex.net:443 + # Cloud ID your cloud in YC + cloudId: "" + # Folder ID your folder in YC + folderId: "" configuration: # -- A list of Configuration packages to install. 
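Review bot: The new `ignoreTag` comment says what the flag skips but not what it then requires of the user: with it set, deployment.yaml and rbac-manager-deployment.yaml render `image: "{{ .Values.image.repository }}"` bare, so `repository` must be a full reference or the pods pull `:latest`. Suggest `# -- Use image.repository verbatim as the image reference; it must then include the tag or digest itself, otherwise the pods pull :latest.` The `image:` mapping starts outside the hunk.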
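Review bot: The new `provider.config` block defines `providerName`, `secretName`, `creds`, `endpoint`, `cloudId` and `folderId`, but the `new_api` branch of providerconfig.yaml in this diff reads all of those from `.Values.providerJetYc.*` and only `provider.config.new_api` is consumed, so a user who fills in `provider.config.cloudId` gets a ProviderConfig rendered from the empty `providerJetYc` defaults. Either point that template at `.Values.provider.config.*` or drop the duplicate keys and note that `new_api` reuses `providerJetYc`. `new_api` is also the only snake_case key in a block that is otherwise camelCase (`providerName`, `cloudId`); `newApi` would match. The default `packages` entry pins the provider by tag only; a digest-qualified reference (`...:v0.14.0@sha256:<digest>`) makes the default install reproducible, and the inline `# with this dont need template for provider` would read better as `# installing the provider here replaces the Provider object providerconfig.yaml used to render`.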
@@ -195,7 +215,11 @@ readiness: # -- The port the readyz server listens on. port: "" -# -- Add custom environmental variables to the Crossplane pod deployment. +# -- Add custom environmental variables to the Crossplane pod deployment init container. +# Replaces any `.` in a variable name with `_`. For example, `SAMPLE.KEY=value1` becomes `SAMPLE_KEY=value1`. +extraEnvVarsCrossplaneInit: {} + +# -- Add custom environmental variables to the Crossplane pod deployment application container. # Replaces any `.` in a variable name with `_`. For example, `SAMPLE.KEY=value1` becomes `SAMPLE_KEY=value1`. extraEnvVarsCrossplane: {} @@ -232,6 +256,7 @@ extraObjects: [] internalRootCaSecretName: "" # -- Settings for provider-jet-yc +# saved for old installations providerJetYc: package: ${REGISTRY}/${IMAGE_PATH}/${IMAGE_NAME}:${IMAGE_TAG} # Provider name @@ -242,3 +267,7 @@ providerJetYc: creds: "" # Endpoint to yandex cloud api endpoint: ${YC_API_ENDPOINT} + # Cloud ID your cloud in YC + cloudId: "" + # Folder ID your folder in YC + folderId: "" \ No newline at end of file
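Review bot: `# saved for old installations` above `providerJetYc` is misleading: the `new_api` branch of providerconfig.yaml in this diff still reads `providerJetYc.cloudId`, `folderId`, `endpoint`, `secretName` and `providerName`, so these values are needed for new installs as well, which is also why `cloudId` and `folderId` are being added to this block in the last hunk. Suggest `# -- Settings for provider-jet-yc; also read by the v2 ProviderConfig when provider.config.new_api is true`.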
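Review bot: The added `folderId: ""` closes the file without a trailing newline (`\ No newline at end of file` applies to the new side), while this same commit fixes exactly that in five other templates; end values.yaml with a newline too. The `providerJetYc` mapping starts outside the hunk.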