Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Adding new pattern for Crossplane Argocd GitOps #173

Merged
merged 47 commits into from
Sep 17, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
47 commits
Select commit Hold shift + click to select a range
4eb131d
Adding new pattern for Crossplane Argocd GitOps
ajpaws May 15, 2024
81ac009
fixing review comments for cleanup
ajpaws Jun 3, 2024
a5d7aa3
adding error handling during stack creation
ajpaws Jun 10, 2024
26c4fd6
changing workloads path for argocd
ajpaws Jun 10, 2024
7a6a63a
cleanup and add arch diagram
ajpaws Jun 16, 2024
ffe0608
fixing review comments
ajpaws Jun 25, 2024
a7f97ae
passing variables values via gitops approach from argoCD
ajpaws Jun 25, 2024
60d940e
fixing doc errors
ajpaws Jun 25, 2024
ba54f88
add EKS Provider Addon and cleanup
ajpaws Jun 26, 2024
41331fa
fixing typos
ajpaws Jun 27, 2024
00b0337
fixing review comments
ajpaws Jul 22, 2024
fd069ae
automating iam role creation
ajpaws Aug 5, 2024
32eb8da
testing the stack
ajpaws Aug 5, 2024
ee94079
fixing pipeline errors
ajpaws Aug 7, 2024
32c457e
fixing deployment issues
ajpaws Aug 8, 2024
896e62f
fixing few deployment issues
ajpaws Aug 8, 2024
c3e1995
adding custom iam role creator resource
ajpaws Aug 14, 2024
80a8634
testing custom iam role creator resource
ajpaws Aug 14, 2024
f8f9442
fixing duplicate role creation
ajpaws Aug 14, 2024
26e0dca
testing custom iam role provider resource
ajpaws Aug 15, 2024
02aec06
fixing duplicate iam role creation
ajpaws Aug 16, 2024
89f43f4
clean up
ajpaws Aug 16, 2024
41bdaaf
cleanup
ajpaws Aug 17, 2024
d3a9bbf
Merge branch 'main' into main
shapirov103 Aug 26, 2024
2e5d709
creating dedicated IRSA role for EKS Provider
ajpaws Aug 27, 2024
8443c72
Merge branch 'main' of https://github.com/ajpaws/cdk-eks-blueprints-p…
ajpaws Aug 27, 2024
7bdb3db
creating dedicated iam role for eks provider pod
ajpaws Aug 28, 2024
f68efa8
automating secret creation
ajpaws Aug 28, 2024
152fc70
automating argocd secret creation
ajpaws Aug 28, 2024
8ae1ea7
cleanup and doc update
ajpaws Aug 28, 2024
0dcda7a
Merge pull request #1 from aws-samples/main
ajpaws Sep 4, 2024
58aaad5
update README
ajpaws Sep 4, 2024
311efbb
Merge branch 'main' of https://github.com/ajpaws/cdk-eks-blueprints-p…
ajpaws Sep 4, 2024
fd22534
fixing README Issues
ajpaws Sep 4, 2024
e58d132
update README
ajpaws Sep 10, 2024
1f3f4bb
Update multi-cluster-pipeline.ts
elamaran11 Sep 10, 2024
2902111
Update multi-cluster-pipeline.ts
elamaran11 Sep 10, 2024
55d345b
Update multi-cluster-pipeline.ts
elamaran11 Sep 10, 2024
d0d6615
removing secret store secret
ajpaws Sep 11, 2024
b18f5e7
fixing IRSA issues
ajpaws Sep 11, 2024
e796464
testing IRSA Issues
ajpaws Sep 11, 2024
c878437
testing IRSA roles
ajpaws Sep 11, 2024
ee3b16f
testing with new mgmt cluster
ajpaws Sep 12, 2024
1c6d95b
re-creating mgmt cluster
ajpaws Sep 12, 2024
146d656
fix number conversion issue
ajpaws Sep 16, 2024
6185b1a
Clean up and Update README
ajpaws Sep 17, 2024
ffaac77
update README
ajpaws Sep 17, 2024
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 10 additions & 0 deletions bin/crossplane-argocd-gitops.ts
Original file line number Diff line number Diff line change
@@ -0,0 +1,10 @@
#!/usr/bin/env node
import * as cdk from 'aws-cdk-lib';
import { errorHandler } from '../lib/common/construct-utils';
import MultiClusterPipelineConstruct from "../lib/crossplane-argocd-gitops/multi-cluster-pipeline";

const app = new cdk.App();

new MultiClusterPipelineConstruct().buildAsync(app, "crossplane-argocd-gitops").catch((e) => {
errorHandler(app, "Pipeline construct failed because of error: ", e);
});
466 changes: 466 additions & 0 deletions docs/patterns/crossplane-argocd-gitops.md

Large diffs are not rendered by default.

Binary file added docs/patterns/images/amd-add-on.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added docs/patterns/images/arm-add-on.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added docs/patterns/images/aws_secret_codepipeline.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added docs/patterns/images/codepipeline1.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added docs/patterns/images/codepipeline2.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Original file line number Diff line number Diff line change
@@ -0,0 +1,84 @@
import 'source-map-support/register';
import * as blueprints from '@aws-quickstart/eks-blueprints';
import * as eks from "aws-cdk-lib/aws-eks";
import { Construct } from 'constructs';
import { dependable } from '@aws-quickstart/eks-blueprints/dist/utils';
import { UpboundCrossplaneAddOn } from './upbound-crossplane-addon';

export class CrossplaneHelmProviderAddon implements blueprints.ClusterAddOn {
id?: string | undefined;
readonly helmProviderVersion: string;
constructor(helmProviderVersion: string) {
this.helmProviderVersion = helmProviderVersion;
}

@dependable(UpboundCrossplaneAddOn.name)
deploy(clusterInfo: blueprints.ClusterInfo): void | Promise<Construct> {
const cluster = clusterInfo.cluster;

const roleBinding = {
apiVersion: "rbac.authorization.k8s.io/v1",
kind: "ClusterRoleBinding",
metadata: {
name: "helm-provider"
},
subjects: [
{
kind: "ServiceAccount",
name: "helm-provider",
namespace: "upbound-system"
}
],
roleRef: {
kind: "ClusterRole",
name: "cluster-admin",
apiGroup: "rbac.authorization.k8s.io"
}
};

const runtimeConfig = {
apiVersion: "pkg.crossplane.io/v1beta1",
kind: "DeploymentRuntimeConfig",
metadata: {
name: "helm-runtime-config"
},
spec: {
deploymentTemplate: {
spec: {
replicas: 1,
selector: {},
template: {}
}
},
serviceAccountTemplate: {
metadata: { name: "helm-provider" }
}
}
};

const provider = {
apiVersion: "pkg.crossplane.io/v1",
kind: "Provider",
metadata: { name: "helm-provider" },
spec: {
package: 'xpkg.upbound.io/crossplane-contrib/provider-helm:'+this.helmProviderVersion,
runtimeConfigRef: {
name: "helm-runtime-config"
}
}
};

const runtimeHelmConfig = new eks.KubernetesManifest(clusterInfo.cluster.stack, "runtimeHelmConfig", {
cluster: cluster,
manifest: [roleBinding, runtimeConfig]
});

const awsHelmProvider = new eks.KubernetesManifest(clusterInfo.cluster.stack, "providerHelmResource", {
cluster: cluster,
manifest: [provider]
});

awsHelmProvider.node.addDependency(runtimeHelmConfig);
return Promise.resolve(runtimeHelmConfig);
}
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,83 @@
import 'source-map-support/register';
import * as blueprints from '@aws-quickstart/eks-blueprints';
import * as eks from "aws-cdk-lib/aws-eks";
import { Construct } from 'constructs';
import { dependable } from '@aws-quickstart/eks-blueprints/dist/utils';
import { UpboundCrossplaneAddOn } from './upbound-crossplane-addon';

export class CrossplaneK8sProviderAddon implements blueprints.ClusterAddOn {
id?: string | undefined;
readonly k8sProviderVersion: string;
constructor(k8sProviderVersion: string) {
this.k8sProviderVersion = k8sProviderVersion;
}

@dependable(UpboundCrossplaneAddOn.name)
deploy(clusterInfo: blueprints.ClusterInfo): void | Promise<Construct> {
const cluster = clusterInfo.cluster;

const roleBinding = {
apiVersion: "rbac.authorization.k8s.io/v1",
kind: "ClusterRoleBinding",
metadata: { name: "kubernetes-provider" },
subjects: [
{
kind: "ServiceAccount",
name: "kubernetes-provider",
namespace: "upbound-system"
}
],
roleRef: {
kind: "ClusterRole",
name: "cluster-admin",
apiGroup: "rbac.authorization.k8s.io"
}
};

const runtimeConfig = {
apiVersion: "pkg.crossplane.io/v1beta1",
kind: "DeploymentRuntimeConfig",
metadata: {
name: "kubernetes-runtime-config"
},
spec: {
deploymentTemplate: {
spec: {
replicas: 1,
selector: {},
template: {}
}
},
serviceAccountTemplate: {
metadata: { name: "kubernetes-provider" }
}
}
};

const providerK8sResource = {
apiVersion: "pkg.crossplane.io/v1",
kind: "Provider",
metadata: { name: "kubernetes-provider" },
spec: {
package: 'xpkg.upbound.io/crossplane-contrib/provider-kubernetes:'+this.k8sProviderVersion,
runtimeConfigRef: {
name: "kubernetes-runtime-config"
}
}
};

const runtimeK8sConfig = new eks.KubernetesManifest(clusterInfo.cluster.stack, "runtimeK8sConfig", {
cluster: cluster,
manifest: [roleBinding, runtimeConfig]
});

const awsK8sProvider = new eks.KubernetesManifest(clusterInfo.cluster.stack, "awsK8sProvider", {
cluster: cluster,
manifest: [providerK8sResource]
});

awsK8sProvider.node.addDependency(runtimeK8sConfig);

return Promise.resolve(runtimeK8sConfig);
}
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@

import * as iam from 'aws-cdk-lib/aws-iam';
import { IManagedPolicy } from 'aws-cdk-lib/aws-iam';

import * as blueprints from '@aws-quickstart/eks-blueprints';

export class CreateNamedRoleProvider implements blueprints.ResourceProvider<iam.Role> {

/**
* Constructor to create role provider.
* @param roleId role id
* @param assumedBy @example new iam.ServicePrincipal('ec2.amazonaws.com')
* @param policies
*/
constructor(private roleId: string, private roleName: string, private assumedBy: iam.IPrincipal, private policies?: IManagedPolicy[]){}

provide(context: blueprints.ResourceContext): iam.Role {
return new iam.Role(context.scope, this.roleId, {
assumedBy: this.assumedBy,
managedPolicies: this.policies,
roleName: this.roleName
});
}
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,88 @@
import 'source-map-support/register';
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@elamaran11 is there a rationale why this addon is not in the blueprints repo? We have upbound addon there, it may be confusing to the customers how to reconcile this with the one in the blueprints repo. I assume we should deprecate or just replace the upbound addon in the blueprints.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@shapirov103 The upbound addon in Blueprints is EKS Addon and they are no longer supporting it. I asked the team but no response so the Ubound addon on the bluepeints should be depracated or this should be updated there. I think for now lets depracate upbound addon for upcoming release. I will plan to work to move this later to blueprints.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It is already in 1.15, let's replace it here, - too much code as it stands for the pattern.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not addressed?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@ajpaws This comment?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I believe we are deprecating upbound addon in Blueprints is EKS Addon so no changed made on this. I would recommend go ahead with this for now since anyway we have code for all other upbound addons at one place in custom addons folder.

import * as blueprints from '@aws-quickstart/eks-blueprints';
import { Construct } from 'constructs';
import { Values } from "@aws-quickstart/eks-blueprints/dist/spi";
import { merge } from "ts-deepmerge";
import { createNamespace } from '@aws-quickstart/eks-blueprints/dist/utils';
import { Policy, PolicyDocument} from 'aws-cdk-lib/aws-iam';
import * as cdk from 'aws-cdk-lib';

/**
* User provided options for the Helm Chart
*/
export interface UpboundCrossplaneAddOnProps extends blueprints.HelmAddOnUserProps {
/**
* To Create Namespace using CDK
*/
createNamespace?: boolean;
}

const defaultProps: blueprints.HelmAddOnProps = {
name: 'uxp',
release: 'blueprints-addon-uxp',
namespace: 'upbound-system',
chart: 'universal-crossplane',
version: '1.14.5-up.1',
repository: 'https://charts.upbound.io/stable',
values: {},
};

export class UpboundCrossplaneAddOn extends blueprints.HelmAddOn {

readonly options: UpboundCrossplaneAddOnProps;

constructor( props?: UpboundCrossplaneAddOnProps) {
super({...defaultProps, ...props});

this.options = this.props as UpboundCrossplaneAddOnProps;
}

deploy(clusterInfo: blueprints.ClusterInfo): void | Promise<Construct> {
const cluster = clusterInfo.cluster;

// Create the `upbound-system` namespace.
const ns = createNamespace(this.options.namespace!, cluster, true);

// Create the CrossPlane AWS Provider IRSA.
const serviceAccountName = "provider-aws";
const sa = cluster.addServiceAccount(serviceAccountName, {
name: serviceAccountName,
namespace: this.options.namespace!,
});
sa.node.addDependency(ns);
sa.role.attachInlinePolicy(new Policy(cluster.stack, 'eks-connect-policy', {
document: PolicyDocument.fromJson({
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["sts:AssumeRole"],
"Resource": `arn:aws:iam::${cluster.stack.account}:role/eks-workload-connector-role`
},
{
"Effect": "Allow",
"Action": ["eks:*"],
"Resource": `*`
}
]
})}));

clusterInfo.addAddOnContext(UpboundCrossplaneAddOn.name, {
arn: sa.role.roleArn
});

new cdk.CfnOutput(cluster.stack, 'providerawssaiamrole',
{
value: sa.role.roleArn,
description: 'provider AWS IAM role',
exportName : 'providerawssaiamrole'
});

let values: Values = this.options.values ?? {};
values = merge(values, values);

const chart = this.addHelmChart(clusterInfo, values, false, true);
chart.node.addDependency(sa);
return Promise.resolve(chart);
}
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,95 @@
import 'source-map-support/register';
import * as blueprints from '@aws-quickstart/eks-blueprints';
import * as eks from "aws-cdk-lib/aws-eks";
import { Construct } from 'constructs';
import { dependable } from '@aws-quickstart/eks-blueprints/dist/utils';
import { UpboundCrossplaneAddOn } from './upbound-crossplane-addon';
import { Policy, PolicyDocument} from 'aws-cdk-lib/aws-iam';

export class UpboundCrossplaneEKSProviderAddOn implements blueprints.ClusterAddOn {
id?: string | undefined;
readonly UpboundEKSProviderVersion: string;
constructor(UpboundEKSProviderVersion: string) {
this.UpboundEKSProviderVersion = UpboundEKSProviderVersion;
}
@dependable(UpboundCrossplaneAddOn.name)
deploy(clusterInfo: blueprints.ClusterInfo): void | Promise<Construct> {
const cluster = clusterInfo.cluster;

// Create the CrossPlane EKS Provider IRSA.
const serviceAccountName = "provider-aws-eks";
const upboundNamespace = "upbound-system";
const sa = cluster.addServiceAccount(serviceAccountName, {
name: serviceAccountName,
namespace: upboundNamespace,
});
sa.role.attachInlinePolicy(new Policy(cluster.stack, 'eks-workload-connector-policy', {
document: PolicyDocument.fromJson({
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["sts:AssumeRole"],
"Resource": `arn:aws:iam::${cluster.stack.account}:role/eks-workload-connector-role`
},
{
"Effect": "Allow",
"Action": ["eks:*"],
"Resource": `*`
}
]
})}));

// clusterInfo.addAddOnContext(UpboundCrossplaneEKSProviderAddOn.name, {
// arn: sa.role.roleArn
// });

const runtimeConfig = new eks.KubernetesManifest(clusterInfo.cluster.stack, "runtimeConfig", {
cluster: cluster,
manifest: [
{
apiVersion: "pkg.crossplane.io/v1beta1",
kind: "DeploymentRuntimeConfig",
metadata: {
name: "aws-eks-runtime-config"
},
spec: {
deploymentTemplate: {
spec: {
replicas: 1,
selector: {},
template: {}
}
},
serviceAccountTemplate: {
metadata: { name: "provider-aws-eks" }
}
}
},
],
});

const awsEksProvider = new eks.KubernetesManifest(clusterInfo.cluster.stack, "EKSProvider", {
cluster: cluster,
manifest: [
{
apiVersion: "pkg.crossplane.io/v1",
kind: "Provider",
metadata: {
name: "provider-aws-eks",
},
spec: {
package: 'xpkg.upbound.io/upbound/provider-aws-eks:'+this.UpboundEKSProviderVersion,
runtimeConfigRef: {
name: "aws-eks-runtime-config"
}
},
},
],
});

// runtimeConfig.node.addDependency(sa);
awsEksProvider.node.addDependency(runtimeConfig);
return Promise.resolve(runtimeConfig);
}
}
Loading
Loading