Adding new pattern for Crossplane Argocd GitOps #173
Merged
Commits (47), oldest first, as hash, author and message:

4eb131d ajpaws: Adding new pattern for Crossplane Argocd GitOps
81ac009 ajpaws: fixing review comments for cleanup
a5d7aa3 ajpaws: adding error handling during stack creation
26c4fd6 ajpaws: changing workloads path for argocd
7a6a63a ajpaws: cleanup and add arch diagram
ffe0608 ajpaws: fixing review comments
a7f97ae ajpaws: passing variables values via gitops approach from argoCD
60d940e ajpaws: fixing doc errors
ba54f88 ajpaws: add EKS Provider Addon and cleanup
41331fa ajpaws: fixing typos
00b0337 ajpaws: fixing review comments
fd069ae ajpaws: automating iam role creation
32eb8da ajpaws: testing the stack
ee94079 ajpaws: fixing pipeline errors
32c457e ajpaws: fixing deployment issues
896e62f ajpaws: fixing few deployment issues
c3e1995 ajpaws: adding custom iam role creator resource
80a8634 ajpaws: testing custom iam role creator resource
f8f9442 ajpaws: fixing duplicate role creation
26e0dca ajpaws: testing custom iam role provider resource
02aec06 ajpaws: fixing duplicate iam role creation
89f43f4 ajpaws: clean up
41bdaaf ajpaws: cleanup
d3a9bbf shapirov103: Merge branch 'main' into main
2e5d709 ajpaws: creating dedicated IRSA role for EKS Provider
8443c72 ajpaws: Merge branch 'main' of https://github.com/ajpaws/cdk-eks-blueprints-p…
7bdb3db ajpaws: creating dedicated iam role for eks provider pod
f68efa8 ajpaws: automating secret creation
152fc70 ajpaws: automating argocd secret creation
8ae1ea7 ajpaws: cleanup and doc update
0dcda7a ajpaws: Merge pull request #1 from aws-samples/main
58aaad5 ajpaws: update README
311efbb ajpaws: Merge branch 'main' of https://github.com/ajpaws/cdk-eks-blueprints-p…
fd22534 ajpaws: fixing README Issues
e58d132 ajpaws: update README
1f3f4bb elamaran11: Update multi-cluster-pipeline.ts
2902111 elamaran11: Update multi-cluster-pipeline.ts
55d345b elamaran11: Update multi-cluster-pipeline.ts
d0d6615 ajpaws: removing secret store secret
b18f5e7 ajpaws: fixing IRSA issues
e796464 ajpaws: testing IRSA Issues
c878437 ajpaws: testing IRSA roles
ee3b16f ajpaws: testing with new mgmt cluster
1c6d95b ajpaws: re-creating mgmt cluster
146d656 ajpaws: fix number conversion issue
6185b1a ajpaws: Clean up and Update README
ffaac77 ajpaws: update README
@@ -0,0 +1,10 @@ | ||
#!/usr/bin/env node | ||
import * as cdk from 'aws-cdk-lib'; | ||
import { errorHandler } from '../lib/common/construct-utils'; | ||
import MultiClusterPipelineConstruct from "../lib/crossplane-argocd-gitops/multi-cluster-pipeline"; | ||
|
||
const app = new cdk.App(); | ||
|
||
new MultiClusterPipelineConstruct().buildAsync(app, "crossplane-argocd-gitops").catch((e) => { | ||
errorHandler(app, "Pipeline construct failed because of error: ", e); | ||
}); |
84 changes: 84 additions & 0 deletions
lib/crossplane-argocd-gitops/custom-addons/crossplane-helm-provider-addon.ts
@@ -0,0 +1,84 @@ | ||
import 'source-map-support/register'; | ||
import * as blueprints from '@aws-quickstart/eks-blueprints'; | ||
import * as eks from "aws-cdk-lib/aws-eks"; | ||
import { Construct } from 'constructs'; | ||
import { dependable } from '@aws-quickstart/eks-blueprints/dist/utils'; | ||
import { UpboundCrossplaneAddOn } from './upbound-crossplane-addon'; | ||
|
||
export class CrossplaneHelmProviderAddon implements blueprints.ClusterAddOn { | ||
id?: string | undefined; | ||
readonly helmProviderVersion: string; | ||
constructor(helmProviderVersion: string) { | ||
this.helmProviderVersion = helmProviderVersion; | ||
} | ||
|
||
@dependable(UpboundCrossplaneAddOn.name) | ||
deploy(clusterInfo: blueprints.ClusterInfo): void | Promise<Construct> { | ||
const cluster = clusterInfo.cluster; | ||
|
||
const roleBinding = { | ||
apiVersion: "rbac.authorization.k8s.io/v1", | ||
kind: "ClusterRoleBinding", | ||
metadata: { | ||
name: "helm-provider" | ||
}, | ||
subjects: [ | ||
{ | ||
kind: "ServiceAccount", | ||
name: "helm-provider", | ||
namespace: "upbound-system" | ||
} | ||
], | ||
roleRef: { | ||
kind: "ClusterRole", | ||
name: "cluster-admin", | ||
apiGroup: "rbac.authorization.k8s.io" | ||
} | ||
}; | ||
|
||
const runtimeConfig = { | ||
apiVersion: "pkg.crossplane.io/v1beta1", | ||
kind: "DeploymentRuntimeConfig", | ||
metadata: { | ||
name: "helm-runtime-config" | ||
}, | ||
spec: { | ||
deploymentTemplate: { | ||
spec: { | ||
replicas: 1, | ||
selector: {}, | ||
template: {} | ||
} | ||
}, | ||
serviceAccountTemplate: { | ||
metadata: { name: "helm-provider" } | ||
} | ||
} | ||
}; | ||
|
||
const provider = { | ||
apiVersion: "pkg.crossplane.io/v1", | ||
kind: "Provider", | ||
metadata: { name: "helm-provider" }, | ||
spec: { | ||
package: 'xpkg.upbound.io/crossplane-contrib/provider-helm:'+this.helmProviderVersion, | ||
runtimeConfigRef: { | ||
name: "helm-runtime-config" | ||
} | ||
} | ||
}; | ||
|
||
const runtimeHelmConfig = new eks.KubernetesManifest(clusterInfo.cluster.stack, "runtimeHelmConfig", { | ||
cluster: cluster, | ||
manifest: [roleBinding, runtimeConfig] | ||
}); | ||
|
||
const awsHelmProvider = new eks.KubernetesManifest(clusterInfo.cluster.stack, "providerHelmResource", { | ||
cluster: cluster, | ||
manifest: [provider] | ||
}); | ||
|
||
awsHelmProvider.node.addDependency(runtimeHelmConfig); | ||
return Promise.resolve(runtimeHelmConfig); | ||
} | ||
} |
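Review bot: the ClusterRoleBinding at the top of this hunk binds the helm-provider ServiceAccount in upbound-system to the built-in cluster-admin ClusterRole, so the provider pod can do anything on the management cluster. provider-helm installs whatever the referenced charts contain, which is why cluster-admin is the easy choice, but it also makes that one ServiceAccount the blast radius of any mis-authored Release or chart; consider a ClusterRole limited to the API groups the pattern's charts actually use, or at least record in a comment why cluster-admin is required. Separately, deploy() returns runtimeHelmConfig rather than awsHelmProvider, so an add-on that declares itself @dependable on this one is ordered after the role binding and runtime config but not after the Provider manifest; returning awsHelmProvider (which already depends on runtimeHelmConfig) fixes that. Minor: the declared id field is never assigned, and clusterInfo.cluster.stack can be written cluster.stack since cluster is already bound.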
83 changes: 83 additions & 0 deletions
lib/crossplane-argocd-gitops/custom-addons/crossplane-k8s-provider-addon.ts
@@ -0,0 +1,83 @@ | ||
import 'source-map-support/register'; | ||
import * as blueprints from '@aws-quickstart/eks-blueprints'; | ||
import * as eks from "aws-cdk-lib/aws-eks"; | ||
import { Construct } from 'constructs'; | ||
import { dependable } from '@aws-quickstart/eks-blueprints/dist/utils'; | ||
import { UpboundCrossplaneAddOn } from './upbound-crossplane-addon'; | ||
|
||
export class CrossplaneK8sProviderAddon implements blueprints.ClusterAddOn { | ||
id?: string | undefined; | ||
readonly k8sProviderVersion: string; | ||
constructor(k8sProviderVersion: string) { | ||
this.k8sProviderVersion = k8sProviderVersion; | ||
} | ||
|
||
@dependable(UpboundCrossplaneAddOn.name) | ||
deploy(clusterInfo: blueprints.ClusterInfo): void | Promise<Construct> { | ||
const cluster = clusterInfo.cluster; | ||
|
||
const roleBinding = { | ||
apiVersion: "rbac.authorization.k8s.io/v1", | ||
kind: "ClusterRoleBinding", | ||
metadata: { name: "kubernetes-provider" }, | ||
subjects: [ | ||
{ | ||
kind: "ServiceAccount", | ||
name: "kubernetes-provider", | ||
namespace: "upbound-system" | ||
} | ||
], | ||
roleRef: { | ||
kind: "ClusterRole", | ||
name: "cluster-admin", | ||
apiGroup: "rbac.authorization.k8s.io" | ||
} | ||
}; | ||
|
||
const runtimeConfig = { | ||
apiVersion: "pkg.crossplane.io/v1beta1", | ||
kind: "DeploymentRuntimeConfig", | ||
metadata: { | ||
name: "kubernetes-runtime-config" | ||
}, | ||
spec: { | ||
deploymentTemplate: { | ||
spec: { | ||
replicas: 1, | ||
selector: {}, | ||
template: {} | ||
} | ||
}, | ||
serviceAccountTemplate: { | ||
metadata: { name: "kubernetes-provider" } | ||
} | ||
} | ||
}; | ||
|
||
const providerK8sResource = { | ||
apiVersion: "pkg.crossplane.io/v1", | ||
kind: "Provider", | ||
metadata: { name: "kubernetes-provider" }, | ||
spec: { | ||
package: 'xpkg.upbound.io/crossplane-contrib/provider-kubernetes:'+this.k8sProviderVersion, | ||
runtimeConfigRef: { | ||
name: "kubernetes-runtime-config" | ||
} | ||
} | ||
}; | ||
|
||
const runtimeK8sConfig = new eks.KubernetesManifest(clusterInfo.cluster.stack, "runtimeK8sConfig", { | ||
cluster: cluster, | ||
manifest: [roleBinding, runtimeConfig] | ||
}); | ||
|
||
const awsK8sProvider = new eks.KubernetesManifest(clusterInfo.cluster.stack, "awsK8sProvider", { | ||
cluster: cluster, | ||
manifest: [providerK8sResource] | ||
}); | ||
|
||
awsK8sProvider.node.addDependency(runtimeK8sConfig); | ||
|
||
return Promise.resolve(runtimeK8sConfig); | ||
} | ||
} |
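Review bot: deploy() returns runtimeK8sConfig instead of awsK8sProvider, so dependants ordered through @dependable on this add-on do not wait for the Provider manifest; return awsK8sProvider, which already depends on runtimeK8sConfig. The file is otherwise a copy of crossplane-helm-provider-addon.ts with the names and package changed; a single base class taking the provider name, package and runtime-config name as constructor arguments would remove the duplication, and the hard-coded upbound-system namespace in the ServiceAccount subject could be sourced from the Crossplane add-on's namespace option so the two cannot drift. The cluster-admin binding concern raised on the Helm provider applies here as well: the kubernetes-provider ServiceAccount gets cluster-admin on the management cluster.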
24 changes: 24 additions & 0 deletions
lib/crossplane-argocd-gitops/custom-addons/custom-iam-role-creator.ts
@@ -0,0 +1,24 @@ | ||
|
||
import * as iam from 'aws-cdk-lib/aws-iam'; | ||
import { IManagedPolicy } from 'aws-cdk-lib/aws-iam'; | ||
|
||
import * as blueprints from '@aws-quickstart/eks-blueprints'; | ||
|
||
export class CreateNamedRoleProvider implements blueprints.ResourceProvider<iam.Role> { | ||
|
||
/** | ||
* Constructor to create role provider. | ||
* @param roleId role id | ||
* @param assumedBy @example new iam.ServicePrincipal('ec2.amazonaws.com') | ||
* @param policies | ||
*/ | ||
constructor(private roleId: string, private roleName: string, private assumedBy: iam.IPrincipal, private policies?: IManagedPolicy[]){} | ||
|
||
provide(context: blueprints.ResourceContext): iam.Role { | ||
return new iam.Role(context.scope, this.roleId, { | ||
assumedBy: this.assumedBy, | ||
managedPolicies: this.policies, | ||
roleName: this.roleName | ||
}); | ||
} | ||
} |
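Review bot: the JSDoc above the constructor does not document the roleName parameter, and roleName is the one callers need to understand: it sets a fixed physical name on the iam.Role, and IAM role names are unique per account, so a second deployment of the pattern in the same account, or any CloudFormation replacement of the role, fails on a name collision. Add a @param roleName line stating that constraint, and consider leaving roleName undefined (letting CDK generate a unique name) unless a consumer genuinely needs a stable name. The @param policies line is also empty and should say the policies are optional managed policies attached to the role.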
88 changes: 88 additions & 0 deletions
lib/crossplane-argocd-gitops/custom-addons/upbound-crossplane-addon.ts
@@ -0,0 +1,88 @@ | ||
import 'source-map-support/register'; | ||
import * as blueprints from '@aws-quickstart/eks-blueprints'; | ||
import { Construct } from 'constructs'; | ||
import { Values } from "@aws-quickstart/eks-blueprints/dist/spi"; | ||
import { merge } from "ts-deepmerge"; | ||
import { createNamespace } from '@aws-quickstart/eks-blueprints/dist/utils'; | ||
import { Policy, PolicyDocument} from 'aws-cdk-lib/aws-iam'; | ||
import * as cdk from 'aws-cdk-lib'; | ||
|
||
/** | ||
* User provided options for the Helm Chart | ||
*/ | ||
export interface UpboundCrossplaneAddOnProps extends blueprints.HelmAddOnUserProps { | ||
/** | ||
* To Create Namespace using CDK | ||
*/ | ||
createNamespace?: boolean; | ||
} | ||
|
||
const defaultProps: blueprints.HelmAddOnProps = { | ||
name: 'uxp', | ||
release: 'blueprints-addon-uxp', | ||
namespace: 'upbound-system', | ||
chart: 'universal-crossplane', | ||
version: '1.14.5-up.1', | ||
repository: 'https://charts.upbound.io/stable', | ||
values: {}, | ||
}; | ||
|
||
export class UpboundCrossplaneAddOn extends blueprints.HelmAddOn { | ||
|
||
readonly options: UpboundCrossplaneAddOnProps; | ||
|
||
constructor( props?: UpboundCrossplaneAddOnProps) { | ||
super({...defaultProps, ...props}); | ||
|
||
this.options = this.props as UpboundCrossplaneAddOnProps; | ||
} | ||
|
||
deploy(clusterInfo: blueprints.ClusterInfo): void | Promise<Construct> { | ||
const cluster = clusterInfo.cluster; | ||
|
||
// Create the `upbound-system` namespace. | ||
const ns = createNamespace(this.options.namespace!, cluster, true); | ||
|
||
// Create the CrossPlane AWS Provider IRSA. | ||
const serviceAccountName = "provider-aws"; | ||
const sa = cluster.addServiceAccount(serviceAccountName, { | ||
name: serviceAccountName, | ||
namespace: this.options.namespace!, | ||
}); | ||
sa.node.addDependency(ns); | ||
sa.role.attachInlinePolicy(new Policy(cluster.stack, 'eks-connect-policy', { | ||
document: PolicyDocument.fromJson({ | ||
"Version": "2012-10-17", | ||
"Statement": [ | ||
{ | ||
"Effect": "Allow", | ||
"Action": ["sts:AssumeRole"], | ||
"Resource": `arn:aws:iam::${cluster.stack.account}:role/eks-workload-connector-role` | ||
}, | ||
{ | ||
"Effect": "Allow", | ||
"Action": ["eks:*"], | ||
"Resource": `*` | ||
} | ||
] | ||
})})); | ||
|
||
clusterInfo.addAddOnContext(UpboundCrossplaneAddOn.name, { | ||
arn: sa.role.roleArn | ||
}); | ||
|
||
new cdk.CfnOutput(cluster.stack, 'providerawssaiamrole', | ||
{ | ||
value: sa.role.roleArn, | ||
description: 'provider AWS IAM role', | ||
exportName : 'providerawssaiamrole' | ||
}); | ||
|
||
let values: Values = this.options.values ?? {}; | ||
values = merge(values, values); | ||
|
||
const chart = this.addHelmChart(clusterInfo, values, false, true); | ||
chart.node.addDependency(sa); | ||
return Promise.resolve(chart); | ||
} | ||
} |
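Review bot: values = merge(values, values) near the end of deploy() merges the user values with themselves and is a no-op; either merge defaultProps.values with this.options.values or drop the line. In the same method createNamespace(...) is always called, although UpboundCrossplaneAddOnProps declares a createNamespace?: boolean option that is never read, so callers cannot opt out when the namespace already exists. On the IAM side, the inline policy attached to the provider-aws service account allows eks:* on Resource * in addition to sts:AssumeRole on eks-workload-connector-role; if the provider reaches workload clusters only by assuming the connector role, the eks:* statement can likely be reduced to the describe/list actions the provider actually needs, and since the same policy document is repeated verbatim in upbound-crossplane-eks-provider-addon.ts a shared helper would keep the two in sync. Minor: exportName 'providerawssaiamrole' on the CfnOutput is a fixed CloudFormation export name, so two stacks from this pattern in one account and region will collide on it.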
95 changes: 95 additions & 0 deletions
lib/crossplane-argocd-gitops/custom-addons/upbound-crossplane-eks-provider-addon.ts
@@ -0,0 +1,95 @@ | ||
import 'source-map-support/register'; | ||
import * as blueprints from '@aws-quickstart/eks-blueprints'; | ||
import * as eks from "aws-cdk-lib/aws-eks"; | ||
import { Construct } from 'constructs'; | ||
import { dependable } from '@aws-quickstart/eks-blueprints/dist/utils'; | ||
import { UpboundCrossplaneAddOn } from './upbound-crossplane-addon'; | ||
import { Policy, PolicyDocument} from 'aws-cdk-lib/aws-iam'; | ||
|
||
export class UpboundCrossplaneEKSProviderAddOn implements blueprints.ClusterAddOn { | ||
id?: string | undefined; | ||
readonly UpboundEKSProviderVersion: string; | ||
constructor(UpboundEKSProviderVersion: string) { | ||
this.UpboundEKSProviderVersion = UpboundEKSProviderVersion; | ||
} | ||
@dependable(UpboundCrossplaneAddOn.name) | ||
deploy(clusterInfo: blueprints.ClusterInfo): void | Promise<Construct> { | ||
const cluster = clusterInfo.cluster; | ||
|
||
// Create the CrossPlane EKS Provider IRSA. | ||
const serviceAccountName = "provider-aws-eks"; | ||
const upboundNamespace = "upbound-system"; | ||
const sa = cluster.addServiceAccount(serviceAccountName, { | ||
name: serviceAccountName, | ||
namespace: upboundNamespace, | ||
}); | ||
sa.role.attachInlinePolicy(new Policy(cluster.stack, 'eks-workload-connector-policy', { | ||
document: PolicyDocument.fromJson({ | ||
"Version": "2012-10-17", | ||
"Statement": [ | ||
{ | ||
"Effect": "Allow", | ||
"Action": ["sts:AssumeRole"], | ||
"Resource": `arn:aws:iam::${cluster.stack.account}:role/eks-workload-connector-role` | ||
}, | ||
{ | ||
"Effect": "Allow", | ||
"Action": ["eks:*"], | ||
"Resource": `*` | ||
} | ||
] | ||
})})); | ||
|
||
// clusterInfo.addAddOnContext(UpboundCrossplaneEKSProviderAddOn.name, { | ||
// arn: sa.role.roleArn | ||
// }); | ||
|
||
const runtimeConfig = new eks.KubernetesManifest(clusterInfo.cluster.stack, "runtimeConfig", { | ||
cluster: cluster, | ||
manifest: [ | ||
{ | ||
apiVersion: "pkg.crossplane.io/v1beta1", | ||
kind: "DeploymentRuntimeConfig", | ||
metadata: { | ||
name: "aws-eks-runtime-config" | ||
}, | ||
spec: { | ||
deploymentTemplate: { | ||
spec: { | ||
replicas: 1, | ||
selector: {}, | ||
template: {} | ||
} | ||
}, | ||
serviceAccountTemplate: { | ||
metadata: { name: "provider-aws-eks" } | ||
} | ||
} | ||
}, | ||
], | ||
}); | ||
|
||
const awsEksProvider = new eks.KubernetesManifest(clusterInfo.cluster.stack, "EKSProvider", { | ||
cluster: cluster, | ||
manifest: [ | ||
{ | ||
apiVersion: "pkg.crossplane.io/v1", | ||
kind: "Provider", | ||
metadata: { | ||
name: "provider-aws-eks", | ||
}, | ||
spec: { | ||
package: 'xpkg.upbound.io/upbound/provider-aws-eks:'+this.UpboundEKSProviderVersion, | ||
runtimeConfigRef: { | ||
name: "aws-eks-runtime-config" | ||
} | ||
}, | ||
}, | ||
], | ||
}); | ||
|
||
// runtimeConfig.node.addDependency(sa); | ||
awsEksProvider.node.addDependency(runtimeConfig); | ||
return Promise.resolve(runtimeConfig); | ||
} | ||
} |
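Review bot: the commented-out runtimeConfig.node.addDependency(sa) at the bottom of this hunk means nothing orders the DeploymentRuntimeConfig, whose serviceAccountTemplate names provider-aws-eks, after the IRSA-annotated service account created by cluster.addServiceAccount earlier in the method, so whether the Provider pod ends up under the annotated account depends on reconciliation timing. Either restore the dependency or delete the dead line, and do the same for the commented-out addAddOnContext block. As in the other provider add-ons, deploy() should return awsEksProvider rather than runtimeConfig so that dependants wait for the Provider manifest. Style: UpboundEKSProviderVersion is an instance property and should be camelCase like helmProviderVersion and k8sProviderVersion in the sibling files.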
@elamaran11 is there a rationale why this addon is not in the blueprints repo? We have upbound addon there, it may be confusing to the customers how to reconcile this with the one in the blueprints repo. I assume we should deprecate or just replace the upbound addon in the blueprints.
@shapirov103 The upbound addon in Blueprints is an EKS Addon and they are no longer supporting it. I asked the team but got no response, so the Upbound addon in the blueprints should be deprecated or this should be updated there. I think for now let's deprecate the upbound addon for the upcoming release. I will plan to work on moving this later to blueprints.
It is already in 1.15, let's replace it here; too much code as it stands for the pattern.
Not addressed?
@ajpaws This comment?
I believe we are deprecating the upbound addon in Blueprints that is an EKS Addon, so no changes were made on this. I would recommend going ahead with this for now since anyway we have the code for all other upbound addons in one place in the custom addons folder.