diff --git a/.gitignore b/.gitignore
index e19a6b2a72..50559dcb36 100644
--- a/.gitignore
+++ b/.gitignore
@@ -10,6 +10,9 @@ cover.out
 /.vendor-new
 .DS_Store
 kubeconfig
+e2e/*/.cache
+e2e/*/.work
+e2e/*/_output
 # ignore IDE folders
 .vscode/
diff --git a/Makefile b/Makefile
index 5926c77409..72e7e63b35 100644
--- a/Makefile
+++ b/Makefile
@@ -241,6 +241,38 @@ uptest: $(UPTEST_LOCAL) $(KUBECTL) $(KUTTL)
 @KUBECTL=$(KUBECTL) KUTTL=$(KUTTL) CROSSPLANE_NAMESPACE=$(CROSSPLANE_NAMESPACE) $(UPTEST_LOCAL) e2e "${UPTEST_EXAMPLE_LIST}" --data-source="${UPTEST_DATASOURCE_PATH}" --setup-script=cluster/test/setup.sh --default-conditions="Test" || $(FAIL)
 @$(OK) running automated tests
+# This target triggers an e2e test for testing provider configs.
+# It first builds and publishes the
+# provider-family-aws, provider-aws-ec2 and provider-aws-rds.
+# Then triggers the e2e provider config tests via `make`,
+# which resides in the `e2e/providerconfig-aws-e2e-test` directory
+#
+# For the e2e test, an EKS cluster is created and some demo resources are
+# created with different provider configs. The demo resources are from
+# AWS EC2 and RDS providers.
+# Therefore, the provider packages needs to be published to a registry
+# that the EKS cluster has access to. This defaults to "xpkg.upbound.io"
+# If another registry needs to be used, `XPKG_REG_ORGS` needs to be overridden
+# with a registry that the EKS cluster has access, while invoking this make target.
+#
+# This target also requires the `UPTEST_CLOUD_CREDENTIALS` environment variable
+# to be set. This is used for provisioning the target E2E test environment,
+# including the EKS cluster and necessary environments.
+providerconfig-e2e:
+ $(MAKE) SUBPACKAGES="ec2 rds config" build.all publish
+ AWS_FAMILY_PACKAGE_IMAGE="$(XPKG_REG_ORGS)/provider-family-aws:$(VERSION)" \
+ AWS_EC2_PACKAGE_IMAGE="$(XPKG_REG_ORGS)/provider-aws-ec2:$(VERSION)" \
+ AWS_RDS_PACKAGE_IMAGE="$(XPKG_REG_ORGS)/provider-aws-rds:$(VERSION)" \
+ TARGET_CROSSPLANE_VERSION="1.15.2" \
+ $(MAKE) -C e2e/providerconfig-aws-e2e-test e2e
+
+providerconfig-e2e-nopublish:
+ AWS_FAMILY_PACKAGE_IMAGE="$(XPKG_REG_ORGS)/provider-family-aws:$(VERSION)" \
+ AWS_EC2_PACKAGE_IMAGE="$(XPKG_REG_ORGS)/provider-aws-ec2:$(VERSION)" \
+ AWS_RDS_PACKAGE_IMAGE="$(XPKG_REG_ORGS)/provider-aws-rds:$(VERSION)" \
+ TARGET_CROSSPLANE_VERSION="1.15.2" \
+ $(MAKE) -C e2e/providerconfig-aws-e2e-test e2e
+
 uptest-local:
+ @$(WARN) "this target is deprecated, please use 'make uptest' instead"
diff --git a/e2e/providerconfig-aws-e2e-test/Makefile b/e2e/providerconfig-aws-e2e-test/Makefile
new file mode 100644
index 0000000000..4f43eb07bc
--- /dev/null
+++ b/e2e/providerconfig-aws-e2e-test/Makefile
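Review bot: The comment above `providerconfig-e2e` names `UPTEST_CLOUD_CREDENTIALS` as required, but neither `providerconfig-e2e` nor `providerconfig-e2e-nopublish` checks it, so an empty credential is noticed only after `build.all publish` has pushed images and the sub-make has started provisioning; a make-level `$(error …)` at the top of the recipe fails before anything is built and prints only the variable name, never the value. The two targets also repeat the same five-line environment block with `TARGET_CROSSPLANE_VERSION="1.15.2"` pinned twice; letting `providerconfig-e2e` delegate to the nopublish target after publishing and hoisting the version into a `?=` variable keeps one copy and makes it overridable like `XPKG_REG_ORGS`. Neither target is marked `.PHONY` in this hunk, so a stray file of that name would silently skip the test unless the file's existing `.PHONY` list is updated elsewhere in the commit. The comment's "This defaults to "xpkg.upbound.io"" describes `XPKG_REG_ORGS`, whose default is set outside this hunk, so naming the variable in that sentence would avoid the ambiguity.
```make
# Crossplane version installed into the target EKS cluster; override on the command line if needed.
TARGET_CROSSPLANE_VERSION ?= 1.15.2

providerconfig-e2e:
	$(MAKE) SUBPACKAGES="ec2 rds config" build.all publish
	$(MAKE) providerconfig-e2e-nopublish

providerconfig-e2e-nopublish:
	$(if $(strip $(UPTEST_CLOUD_CREDENTIALS)),,$(error UPTEST_CLOUD_CREDENTIALS must be set; see the comment above providerconfig-e2e))
	AWS_FAMILY_PACKAGE_IMAGE="$(XPKG_REG_ORGS)/provider-family-aws:$(VERSION)" \
	AWS_EC2_PACKAGE_IMAGE="$(XPKG_REG_ORGS)/provider-aws-ec2:$(VERSION)" \
	AWS_RDS_PACKAGE_IMAGE="$(XPKG_REG_ORGS)/provider-aws-rds:$(VERSION)" \
	TARGET_CROSSPLANE_VERSION="$(TARGET_CROSSPLANE_VERSION)" \
	$(MAKE) -C e2e/providerconfig-aws-e2e-test e2e

.PHONY: providerconfig-e2e providerconfig-e2e-nopublish
```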
@@ -0,0 +1,106 @@
+# Project Setup
+PROJECT_NAME := providerconfig-aws-e2e-test
+PROJECT_REPO := github.com/upbound/provider-upjet-aws
+
+# NOTE(hasheddan): the platform is insignificant here as Configuration package
+# images are not architecture-specific. We constrain to one platform to avoid
+# needlessly pushing a multi-arch image.
+PLATFORMS ?= linux_amd64
+-include ../../build/makelib/common.mk
+
+# ====================================================================================
+# Setup Kubernetes tools
+
+KIND_VERSION = v0.22.0
+UP_VERSION = v0.28.0
+UP_CHANNEL = stable
+UPTEST_VERSION = v0.11.1
+YQ_VERSION = v4.40.5
+
+-include ../../build/makelib/k8s_tools.mk
+# ====================================================================================
+# Setup XPKG
+XPKG_DIR = $(shell pwd)/package
+XPKG_IGNORE = .github/workflows/*.yaml,.github/workflows/*.yml,examples/*.yaml,.work/uptest-datasource.yaml,.cache/**,_output/**
+XPKG_REG_ORGS ?= xpkg.upbound.io/upbound
+# NOTE(hasheddan): skip promoting on xpkg.upbound.io as channel tags are
+# inferred.
+XPKG_REG_ORGS_NO_PROMOTE ?= xpkg.upbound.io/upbound
+XPKGS = $(PROJECT_NAME)
+-include ../../build/makelib/xpkg.mk
+
+CROSSPLANE_NAMESPACE = upbound-system
+CROSSPLANE_ARGS = "--enable-usages,--debug"
+-include ../../build/makelib/local.xpkg.mk
+-include ../../build/makelib/controlplane.mk
+
+
+# ====================================================================================
+# Targets
+
+# run `make help` to see the targets and options
+
+# We want submodules to be set up the first time `make` is run.
+# We manage the build/ folder and its Makefiles as a submodule.
+# The first time `make` is run, the includes of build/*.mk files will
+# all fail, and this target will be run. The next time, the default as defined
+# by the includes will be run instead.
+fallthrough: submodules
+ @echo Initial setup complete. Running make again . . .
+ @make
+
+# Update the submodules, such as the common build scripts.
+submodules:
+ @git submodule sync
+ @git submodule update --init --recursive
+
+# We must ensure up is installed in tool cache prior to build as including the k8s_tools machinery prior to the xpkg
+# machinery sets UP to point to tool cache.
+build.init: $(UP)
+
+# ====================================================================================
+# End to End Testing
+
+# This target requires the following environment variables to be set:
+# - UPTEST_CLOUD_CREDENTIALS, cloud credentials for the provider being tested, e.g. export UPTEST_CLOUD_CREDENTIALS=$(cat ~/.aws/credentials)
+# - To ensure the proper functioning of the end-to-end test resource pre-deletion hook, it is crucial to arrange your resources appropriately.
+# You can check the basic implementation here: https://github.com/upbound/uptest/blob/main/internal/templates/01-delete.yaml.tmpl.
+# - UPTEST_DATASOURCE_PATH (optional), see https://github.com/upbound/uptest#injecting-dynamic-values-and-datasource
+uptest: $(UPTEST) $(KUBECTL) $(KUTTL) $(YQ)
+ @$(INFO) running automated tests
+ @KUBECTL=$(KUBECTL) KUTTL=$(KUTTL) CROSSPLANE_NAMESPACE=$(CROSSPLANE_NAMESPACE) $(UPTEST) e2e package/examples/e2etestcluster-claim.yaml --data-source="${UPTEST_DATASOURCE_PATH}" --setup-script=test/setup.sh --default-timeout=5400 || $(FAIL)
+ @$(OK) running automated tests
+
+# This target requires the following environment variables to be set:
+# - UPTEST_CLOUD_CREDENTIALS, cloud credentials for the provider being tested, e.g. 
export UPTEST_CLOUD_CREDENTIALS=$(cat ~/.aws/credentials)
+e2e: build controlplane.up local.xpkg.deploy.configuration.$(PROJECT_NAME) uptest-e2e
+
+e2e-lite: build controlplane.up local.xpkg.deploy.configuration.$(PROJECT_NAME)
+
+uptest-e2e: $(UPTEST) $(KUBECTL) $(KUTTL) $(YQ)
+ @$(INFO) dump e2e claim:
+ @mkdir -p "_output"
+ @$(YQ) '(.spec.parameters.targetClusterParameters.provider.familyPackage = env(AWS_FAMILY_PACKAGE_IMAGE)) | \
+ (.spec.parameters.targetClusterParameters.provider.ec2Package = env(AWS_EC2_PACKAGE_IMAGE)) | \
+ (.spec.parameters.targetClusterParameters.provider.rdsPackage = env(AWS_RDS_PACKAGE_IMAGE)) | \
+ (.spec.parameters.targetClusterParameters.crossplaneVersion = env(TARGET_CROSSPLANE_VERSION)) ' \
+ package/examples/e2etestcluster-claim.yaml > '_output/e2etestcluster-claim.yaml'
+ if [ -n "${AWS_EKS_IAM_DEFAULT_ADMIN_ROLE}" ]; \
+ then \
+ echo "overriding EKS cluster default IAM role from environment";\
+ $(YQ) -i '(.spec.parameters.iam.roleArn = env(AWS_EKS_IAM_DEFAULT_ADMIN_ROLE)) ' _output/e2etestcluster-claim.yaml;\
+ fi
+ @cat _output/e2etestcluster-claim.yaml
+ @$(INFO) running automated tests
+ @KUBECTL=$(KUBECTL) KUTTL=$(KUTTL) CROSSPLANE_NAMESPACE=$(CROSSPLANE_NAMESPACE) $(UPTEST) e2e _output/e2etestcluster-claim.yaml --data-source="${UPTEST_DATASOURCE_PATH}" --setup-script=test/setup.sh --default-timeout=5400 || $(FAIL)
+ @$(OK) running automated tests
+
+render:
+ crossplane beta render package/examples/e2etestcluster-claim.yaml package/apis/e2etestcluster/composition.yaml package/examples/functions.yaml -r
+
+yamllint:
+ @$(INFO) running yamllint
+ @yamllint ./apis || $(FAIL)
+ @$(OK) running yamllint
+
+.PHONY: uptest e2e render yamllint
diff --git a/e2e/providerconfig-aws-e2e-test/README.md b/e2e/providerconfig-aws-e2e-test/README.md
new file mode 100644
index 0000000000..042d1af0a0
--- /dev/null
+++ b/e2e/providerconfig-aws-e2e-test/README.md
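Review bot: `uptest-e2e` writes `env(AWS_FAMILY_PACKAGE_IMAGE)`, `env(AWS_EC2_PACKAGE_IMAGE)`, `env(AWS_RDS_PACKAGE_IMAGE)` and `env(TARGET_CROSSPLANE_VERSION)` into the rendered claim without checking that any of them is set, so an unset variable presumably lands as an empty or null package field and the failure only shows up after the EKS cluster and IAM roles have been provisioned, whereas the role override a few lines below does guard `AWS_EKS_IAM_DEFAULT_ADMIN_ROLE`. A make-level check as the first recipe line aborts before anything is created and prints only the variable name rather than its value. The `.PHONY` list on the last line omits `uptest-e2e`, `e2e-lite`, `fallthrough` and `submodules`, and `fallthrough` re-invokes `@make` instead of `@$(MAKE)`, which drops jobserver and `-n` propagation. `XPKG_DIR = $(shell pwd)/package` forks a shell on every expansion; `XPKG_DIR := $(CURDIR)/package` is the equivalent without the fork.
```make
# Variables the claim template reads via yq env(); fail before any cloud resource is created.
UPTEST_E2E_REQUIRED_VARS := AWS_FAMILY_PACKAGE_IMAGE AWS_EC2_PACKAGE_IMAGE AWS_RDS_PACKAGE_IMAGE TARGET_CROSSPLANE_VERSION

uptest-e2e: $(UPTEST) $(KUBECTL) $(KUTTL) $(YQ)
	$(foreach v,$(UPTEST_E2E_REQUIRED_VARS),$(if $(strip $($(v))),,$(error $(v) must be set for uptest-e2e)))
	@$(INFO) dump e2e claim:
	# … unchanged: mkdir, yq render of the claim, optional IAM role override, uptest run …

.PHONY: uptest uptest-e2e e2e e2e-lite render yamllint fallthrough submodules
```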
@@ -0,0 +1,190 @@
+# AWS ProviderConfig E2E testing
+
+## Introduction
+
+This Crossplane configuration package aims to provide a base environment for testing
+various `ProviderConfig` scenarios of `provider-upjet-aws`.
+
+It provisions:
+- An AWS EKS cluster
+- AWS IRSA-related IAM resources for the EKS cluster for testing IRSA authentication
+- AWS WebIdentity authentication related IAM resources for the EKS cluster, to test WebIdentity authentication
+After creating the EKS cluster, it deploys:
+- `Crossplane` into the EKS cluster
+- `DeploymentRuntimeConfig`s for XP providers to enable IRSA
+- `provider-family-aws` and 2 example providers for testing
+ - `provider-aws-ec2` and `provider-aws-rds`
+- various AWS `ProviderConfig` manifests for testing scenarios
+- example Managed Resources (MRs) from AWS EC2 and RDS groups, referencing the `ProviderConfig`s in test
+
+## Package Structure
+
+The package consists of the Composite Resource (XR)
+`xe2etestclusters.aws.platformref.upbound.io`
+
+This composite resource makes use of the existing configuration
+packages `configuration-aws-eks` and `configuration-aws-eks-irsa`.
+
+It is structured in a way that starting from a local crossplane control plane,
+it sets up another control plane in an EKS cluster with Crossplane.
+Via the `provider-kubernetes` and `provider-helm` at the local control plane,
+the remote EKS control plane is bootstrapped and relevant test resources are deployed.
+This can be considered as a "A crossplane control plane is Managed by another Crossplane control plane".
+This setup allows conducting tests from a local control plane.
+
+![pc-e2e-diagram.png](docs%2Fimg%2Fpc-e2e-diagram.png)
+
+Explicit deletion ordering inside composition is implemented via `Usages`. For some resources,
+Crossplane runtime already handles the implicit dependencies such as MR <-> ProviderConfig, ProviderConfig <-> Providers.
+The dependencies are depicted in the diagram above.
+
+### `e2etestcluster.platformref.upbound.io` XRC
+
+You can find an example test cluster claim at [package/examples/e2etestcluster-claim.yaml](package%2Fexamples%2Fe2etestcluster-claim.yaml)
+When this claim is is created and ready, it means that the tests are passing.
+
+```yaml
+apiVersion: aws.platformref.upbound.io/v1alpha1
+kind: E2ETestCluster
+metadata:
+ name: aws-pc-e2e-test
+ namespace: default
+spec:
+ compositeDeletePolicy: Foreground
+ parameters:
+ id: aws-pc-e2e-test
+ region: us-west-2 # EKS cluster region
+ version: "1.28" # EKS cluster k8s version
+ iam:
+ # replace with your custom roleArn that will administer the EKS cluster:
+ roleArn: "arn:aws:iam::123456789012:role/mydefaulteksadminrole"
+ nodes: # eks nodes configuration
+ count: 1
+ instanceType: t3.medium
+ irsa: # IRSA configuration for the AWS role that will be used by XP providers
+ condition: StringEquals
+ # The policy of the IRSA role
+ policyDocument: |
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Action": [
+ "ec2:*"
+ ],
+ "Effect": "Allow",
+ "Resource": "*"
+ }
+ ]
+ }
+ serviceAccount: # name of the k8s service account to be created for provider pods
+ name: my-xpsa
+ namespace: upbound-system
+ targetClusterParameters: # the parameters for the target EKS control plane cluster
+ provider: # provider package urls to be used in testing
+ familyPackage: "xpkg.upbound.io/upbound/provider-family-aws:v1.3.0"
+ ec2Package: "xpkg.upbound.io/upbound/provider-aws-ec2:v1.3.0"
+ rdsPackage: "xpkg.upbound.io/upbound/provider-aws-rds:v1.3.0"
+ crossplaneVersion: 1.15.2 # the crossplane version to be installed in the testing control plane
+ writeConnectionSecretToRef:
+ name: aws-pc-e2e-test-kubeconfig
+status:
+ irsa:
+ roleArn: irsa-role-arn
+ chainedRoleARNs:
+ - "chained-role-arn"
+ webIdentity:
+ roleArn: webid-role-arn
+ chainedRoleARNs:
+ - "chained-role-arn"
+
+```
+
+## Usage
+
+### Prerequisites
+
+- An AWS account and relevant credentials capable of creating and 
managing EC2, EKS and IAM resources
+- An OCI image registry from which the EKS cluster can pull images (e.g. Dockerhub, xpkg.upbound.io)
+
+### Utilizing Uptest
+
+In order to conduct an e2e test using uptest, the `make` targets can be used.
+
+### option 1. inside configuration package: make target `e2e`
+
+This make target:
+- builds the `providerconfig-aws-e2e-test` configuration package
+- spins up a local `kind` cluster
+- deploys the `providerconfig-aws-e2e-test` configuration package to the `kind` cluster
+- runs the e2e tests
+
+This make target expects the target AWS provider packages in test to be already built and pushed to
+a registry that the target EKS cluster can reach.
+
+The make target expects the following environment variables to be set:
+
+- `AWS_FAMILY_PACKAGE_IMAGE`: The package URL for `provider-family-aws`
+- `AWS_EC2_PACKAGE_IMAGE`: The package URL for `provider-aws-ec2`
+- `AWS_RDS_PACKAGE_IMAGE`: The package URL for `provider-aws-rds`
+- `AWS_EKS_IAM_DEFAULT_ADMIN_ROLE`: the ARN of an existing IAM role. This will be assigned as the E2E test EKS cluster default admin
+- `TARGET_CROSSPLANE_VERSION`: The target crossplane version to be deployed into the testing cluster
+- `UPTEST_CLOUD_CREDENTIALS`: The AWS credentials for the AWS account that the e2e tests will run on. Should be in the format of AWS CLI INI config.
+
+An example usage:
+
+my-aws-creds.txt
+```ini
+[default]
+aws_access_key_id = YOUR-AWS-ACCESS-KEY
+aws_secret_access_key = your-aws-secret-access-key
+```
+
+```shell
+export AWS_FAMILY_PACKAGE_IMAGE="xpkg.upbound.io/upbound/provider-family-aws:1.4.0"
+export AWS_EC2_PACKAGE_IMAGE="xpkg.upbound.io/upbound/provider-aws-ec2:1.4.0"
+export AWS_RDS_PACKAGE_IMAGE="xpkg.upbound.io/upbound/provider-aws-rds:1.4.0"
+export AWS_EKS_IAM_DEFAULT_ADMIN_ROLE="arn:aws:iam::123456789012:role/mydefaulteksadminrole"
+export TARGET_CROSSPLANE_VERSION="1.15.2"
+export UPTEST_CLOUD_CREDENTIALS="$(cat my-aws-creds.txt)"
+# from repo root
+make -C e2e/providerconfig-aws-e2e-test e2e
+```
+
+### option 2. with provider image publish: target `providerconfig-e2e`
+
+This make target:
+- builds and publishes the providers
+- builds the `providerconfig-aws-e2e-test` configuration package
+- spins up a local `kind` cluster
+- deploys the `providerconfig-aws-e2e-test` configuration package to the `kind` cluster
+- runs the e2e tests using `uptest` with the published provider images
+
+The make target expects
+- `XPKG_REG_ORGS`: the target OCI repository URL for provider images to be published
+- `VERSION`: the version tag of the published provider images
+- `UPTEST_CLOUD_CREDENTIALS`: The AWS credentials for the AWS account that the e2e tests will run on. Should be in the format of AWS CLI INI config.
+- `AWS_EKS_IAM_DEFAULT_ADMIN_ROLE`: the ARN of an existing IAM role. 
This will be assigned as the E2E test EKS cluster default admin
+
+example usage:
+```shell
+export UPTEST_CLOUD_CREDENTIALS="$(cat my-aws-creds.txt)"
+export AWS_EKS_IAM_DEFAULT_ADMIN_ROLE="arn:aws:iam::123456789012:role/mydefaulteksadminrole"
+# from repo root
+make VERSION=v1.4.0-testversion XPKG_REG_ORGS=index.docker.io/erhancag providerconfig-e2e
+```
+
+### Via Github Actions from PR
+TBD
+
+### Manual
+In your desired k8s environment:
+
+- Deploy Crossplane
+- build and publish the e2e testing configuration package
+- install configuration package
+- create the example claim in the `package/examples/e2etestcluster-claim.yaml`. Before creation, modify the claim accordingly if needed.
+- wait for the claim to be ready.
+
+## Extending Test Scenarios
+TBD
\ No newline at end of file
diff --git a/e2e/providerconfig-aws-e2e-test/docs/img/pc-e2e-diagram.png b/e2e/providerconfig-aws-e2e-test/docs/img/pc-e2e-diagram.png
new file mode 100644
index 0000000000..28c690ad35
Binary files /dev/null and b/e2e/providerconfig-aws-e2e-test/docs/img/pc-e2e-diagram.png differ
diff --git a/e2e/providerconfig-aws-e2e-test/package/apis/e2etestcluster/composition.yaml b/e2e/providerconfig-aws-e2e-test/package/apis/e2etestcluster/composition.yaml
new file mode 100644
index 0000000000..3b54409f57
--- /dev/null
+++ b/e2e/providerconfig-aws-e2e-test/package/apis/e2etestcluster/composition.yaml
@@ -0,0 +1,1877 @@ +apiVersion: apiextensions.crossplane.io/v1 +kind: Composition +metadata: + name: xe2etestclusters.aws.platformref.upbound.io +spec: + writeConnectionSecretsToNamespace: upbound-system + compositeTypeRef: + apiVersion: aws.platformref.upbound.io/v1alpha1 + kind: XE2ETestCluster + mode: Pipeline + pipeline: + - step: patch-and-transform + functionRef: + name: crossplane-contrib-function-patch-and-transform + input: + apiVersion: pt.fn.crossplane.io/v1beta1 + kind: Resources + resources: + # Network Setup + - name: XNetwork + base: + apiVersion: aws.platform.upbound.io/v1alpha1 + kind: XNetwork + patches: + - type: FromCompositeFieldPath + fromFieldPath: spec.parameters.id + toFieldPath: spec.parameters.id + - type: FromCompositeFieldPath + fromFieldPath: spec.parameters.region + toFieldPath: spec.parameters.region + - type: FromCompositeFieldPath + fromFieldPath: spec.parameters.deletionPolicy + toFieldPath: spec.parameters.deletionPolicy + - type: FromCompositeFieldPath + fromFieldPath: spec.parameters.providerConfigName + toFieldPath: spec.parameters.providerConfigName + - type: FromCompositeFieldPath + fromFieldPath: spec.parameters.networkSelector + toFieldPath: spec.compositionSelector.matchLabels[type] + - type: ToCompositeFieldPath + fromFieldPath: status.subnetIds + policy: + fromFieldPath: Required + toFieldPath: status.subnetIds + + # EKS Cluster + - name: XEKS + base: + apiVersion: aws.platform.upbound.io/v1alpha1 + kind: XEKS + connectionDetails: + - type: FromConnectionSecretKey + fromConnectionSecretKey: kubeconfig + name: kubeconfig + patches: + - type: FromCompositeFieldPath + fromFieldPath: spec.parameters.id + toFieldPath: metadata.labels[xeks.aws.platform.upbound.io/cluster-id] + - type: FromCompositeFieldPath + fromFieldPath: spec.parameters.id + toFieldPath: spec.parameters.id + - type: FromCompositeFieldPath + fromFieldPath: spec.parameters.region + toFieldPath: spec.parameters.region + - type: FromCompositeFieldPath + 
fromFieldPath: spec.parameters.deletionPolicy + toFieldPath: spec.parameters.deletionPolicy + - type: FromCompositeFieldPath + fromFieldPath: spec.parameters.providerConfigName + toFieldPath: spec.parameters.providerConfigName + - type: FromCompositeFieldPath + fromFieldPath: spec.parameters.id + toFieldPath: metadata.annotations[crossplane.io/external-name] + - type: FromCompositeFieldPath + fromFieldPath: metadata.uid + toFieldPath: spec.writeConnectionSecretToRef.name + transforms: + - type: string + string: + fmt: '%s-eks' + type: Format + - type: FromCompositeFieldPath + fromFieldPath: spec.writeConnectionSecretToRef.namespace + toFieldPath: spec.writeConnectionSecretToRef.namespace + - type: FromCompositeFieldPath + fromFieldPath: spec.parameters.version + toFieldPath: spec.parameters.version + - type: FromCompositeFieldPath + fromFieldPath: spec.parameters.nodes.count + toFieldPath: spec.parameters.nodes.count + - type: FromCompositeFieldPath + fromFieldPath: spec.parameters.nodes.instanceType + toFieldPath: spec.parameters.nodes.instanceType + - type: FromCompositeFieldPath + fromFieldPath: spec.parameters.iam.roleArn + toFieldPath: spec.parameters.iam.roleArn + - type: FromCompositeFieldPath + fromFieldPath: spec.parameters.iam.userArn + toFieldPath: spec.parameters.iam.userArn + + ### Role and policies for EKS IRSA testing + # XIRSA for IRSA-related role configuration + - name: XIRSA + base: + apiVersion: aws.platform.upbound.io/v1alpha1 + kind: XIRSA + metadata: + labels: + component: irsa-bundle + spec: + parameters: + condition: StringEquals + patches: + - type: FromCompositeFieldPath + fromFieldPath: spec.parameters.deletionPolicy + toFieldPath: spec.parameters.deletionPolicy + - type: FromCompositeFieldPath + fromFieldPath: spec.parameters.id + toFieldPath: spec.parameters.id + - type: FromCompositeFieldPath + fromFieldPath: spec.parameters.irsa.policyDocument + toFieldPath: spec.parameters.policyDocument + - type: FromCompositeFieldPath + 
fromFieldPath: spec.parameters.irsa.serviceAccount.name + toFieldPath: spec.parameters.serviceAccount.name + - type: FromCompositeFieldPath + fromFieldPath: spec.parameters.irsa.serviceAccount.namespace + toFieldPath: spec.parameters.serviceAccount.namespace + - type: FromCompositeFieldPath + fromFieldPath: spec.parameters.irsa.condition + toFieldPath: spec.parameters.condition + - type: ToCompositeFieldPath + fromFieldPath: status.roleArn + policy: + fromFieldPath: Required + toFieldPath: status.irsa.roleArn + - type: ToCompositeFieldPath + fromFieldPath: status.policyArn + policy: + fromFieldPath: Required + toFieldPath: status.irsa.policyArn + + # chain role for IRSA - to be assumed by IRSA role + - name: chainedRoleIRSA + base: + apiVersion: iam.aws.upbound.io/v1beta1 + kind: Role + metadata: + labels: + resource: Role + spec: + forProvider: + inlinePolicy: + - name: ec2-access-test + policy: | + { + "Version": "2012-10-17", + "Statement": [ + { + "Action": [ + "ec2:*" + ], + "Effect": "Allow", + "Resource": "*" + } + ] + } + patches: + - type: FromCompositeFieldPath + fromFieldPath: spec.parameters.deletionPolicy + toFieldPath: spec.deletionPolicy + - fromFieldPath: spec.parameters.id + policy: + fromFieldPath: Required + toFieldPath: metadata.name + type: ToCompositeFieldPath + transforms: + - string: + fmt: '%s-irsa-chain' + type: Format + type: string + - fromFieldPath: status.atProvider.arn + policy: + fromFieldPath: Required + toFieldPath: status.irsa.chainedRoleARNs[0] + type: ToCompositeFieldPath + - combine: + strategy: string + string: + fmt: | + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "AWS": "%s" + }, + "Action": "sts:AssumeRole" + } + ] + } + variables: + - fromFieldPath: status.irsa.roleArn + toFieldPath: spec.forProvider.assumeRolePolicy + policy: + fromFieldPath: Required + type: CombineFromComposite + + ### Role and policies for WebIdentity testing + # pseudo-XIRSA for simulating an external 
WebIdentity Provider + - name: XIRSA-PseudoWebIdentity + base: + apiVersion: aws.platform.upbound.io/v1alpha1 + kind: XIRSA + metadata: + labels: + component: webidentity-bundle + spec: + parameters: + condition: StringEquals + policyDocument: | + { + "Version": "2012-10-17", + "Statement": [ + { + "Action": [ + "rds:*" + ], + "Effect": "Allow", + "Resource": "*" + } + ] + } + patches: + - type: FromCompositeFieldPath + fromFieldPath: spec.parameters.deletionPolicy + toFieldPath: spec.parameters.deletionPolicy + - type: FromCompositeFieldPath + fromFieldPath: spec.parameters.id + toFieldPath: spec.parameters.id + - type: FromCompositeFieldPath + fromFieldPath: spec.parameters.irsa.serviceAccount.name + toFieldPath: spec.parameters.serviceAccount.name + policy: + fromFieldPath: Required + transforms: + - string: + fmt: '%s-nonirsa' + type: Format + type: string + - type: FromCompositeFieldPath + fromFieldPath: spec.parameters.irsa.serviceAccount.namespace + toFieldPath: spec.parameters.serviceAccount.namespace + - type: FromCompositeFieldPath + fromFieldPath: spec.parameters.irsa.condition + toFieldPath: spec.parameters.condition + - type: ToCompositeFieldPath + fromFieldPath: status.roleArn + policy: + fromFieldPath: Required + toFieldPath: status.webIdentity.roleArn + - type: ToCompositeFieldPath + fromFieldPath: status.policyArn + policy: + fromFieldPath: Required + toFieldPath: status.webIdentity.policyArn + + # chain role for WebIdentity starting role + - name: chainedRoleWebIdentity + base: + apiVersion: iam.aws.upbound.io/v1beta1 + kind: Role + metadata: + labels: + resource: WebIdentityChainRole + spec: + forProvider: + inlinePolicy: + - name: rds-access-test + policy: | + { + "Version": "2012-10-17", + "Statement": [ + { + "Action": [ + "rds:*" + ], + "Effect": "Allow", + "Resource": "*" + } + ] + } + patches: + - type: FromCompositeFieldPath + fromFieldPath: spec.parameters.deletionPolicy + toFieldPath: spec.deletionPolicy + - fromFieldPath: 
status.atProvider.arn + policy: + fromFieldPath: Required + toFieldPath: status.webIdentity.chainedRoleARNs[0] + type: ToCompositeFieldPath + - fromFieldPath: spec.parameters.id + policy: + fromFieldPath: Required + toFieldPath: metadata.name + type: ToCompositeFieldPath + transforms: + - string: + fmt: '%s-webid-chain' + type: Format + type: string + - combine: + strategy: string + string: + fmt: | + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "AWS": "%s" + }, + "Action": "sts:AssumeRole" + } + ] + } + variables: + - fromFieldPath: status.webIdentity.roleArn + toFieldPath: spec.forProvider.assumeRolePolicy + policy: + fromFieldPath: Required + type: CombineFromComposite + + ### + # Crossplane Helm Deployment + - name: CrossplaneDeploy + base: + apiVersion: helm.crossplane.io/v1beta1 + kind: Release + metadata: + name: crossplane + namespace: upbound-system + labels: + component: crossplane-deployment + annotations: + crossplane.io/external-name: crossplane + spec: + forProvider: + chart: + name: crossplane + repository: https://charts.crossplane.io/stable + version: 1.15.2 + namespace: upbound-system + providerConfigRef: + name: configuration-aws-eks + patches: + - type: FromCompositeFieldPath + fromFieldPath: spec.parameters.targetCluster.crossplaneVersion + toFieldPath: spec.forProvider.chart.version + - type: FromCompositeFieldPath + fromFieldPath: spec.parameters.id + toFieldPath: spec.providerConfigRef.name + + ### Deployment Runtime Config + # Deployment Runtime Config with IRSA-annotated k8s service account for providers + - name: IRSARuntimeConfig + base: + apiVersion: kubernetes.crossplane.io/v1alpha2 + kind: Object + metadata: + name: irsa-runtime-config + labels: + component: irsa-runtime-config + spec: + deletionPolicy: Delete + forProvider: + manifest: + apiVersion: pkg.crossplane.io/v1beta1 + kind: DeploymentRuntimeConfig + metadata: + name: my-runtime-config + namespace: upbound-system + spec: + 
serviceAccountTemplate: + metadata: + name: my-xpsa + patches: + - type: FromCompositeFieldPath + fromFieldPath: spec.parameters.deletionPolicy + toFieldPath: spec.deletionPolicy + - type: FromCompositeFieldPath + fromFieldPath: spec.parameters.id + toFieldPath: spec.providerConfigRef.name + - type: FromCompositeFieldPath + fromFieldPath: status.irsa.roleArn + policy: + fromFieldPath: Required + toFieldPath: spec.forProvider.manifest.spec.serviceAccountTemplate.metadata.annotations["eks.amazonaws.com/role-arn"] + - type: FromCompositeFieldPath + fromFieldPath: spec.parameters.irsa.serviceAccount.name + policy: + fromFieldPath: Required + toFieldPath: spec.forProvider.manifest.spec.serviceAccountTemplate.metadata.name + - type: FromCompositeFieldPath + fromFieldPath: spec.parameters.id + toFieldPath: spec.forProvider.manifest.metadata.name + policy: + fromFieldPath: Required + transforms: + - string: + fmt: '%s-runtime-config' + type: Format + type: string + - type: FromCompositeFieldPath + fromFieldPath: spec.parameters.id + toFieldPath: metadata.name + policy: + fromFieldPath: Required + transforms: + - string: + fmt: '%s-runtime-config' + type: Format + type: string + + # Deployment Runtime Config for non-IRSA k8s service account for providers + - name: WebIdentityRuntimeConfig + base: + apiVersion: kubernetes.crossplane.io/v1alpha2 + kind: Object + metadata: + name: webidentity-runtime-config + labels: + component: webidentity-runtime-config + spec: + deletionPolicy: Delete + forProvider: + manifest: + apiVersion: pkg.crossplane.io/v1beta1 + kind: DeploymentRuntimeConfig + metadata: + name: webidentity-runtime-config + namespace: upbound-system + spec: + serviceAccountTemplate: + metadata: + name: my-xpsa-nonirsa + deploymentTemplate: + spec: + selector: + matchLabels: + pkg.crossplane.io/provider: provider-aws-rds + template: + spec: + containers: + - name: package-runtime + volumeMounts: + - mountPath: /var/run/secrets/tokens + name: webid-token + volumes: + - 
name: webid-token + projected: + sources: + - serviceAccountToken: + path: webid-token + expirationSeconds: 7200 + audience: sts.amazonaws.com + patches: + - type: FromCompositeFieldPath + fromFieldPath: spec.parameters.deletionPolicy + toFieldPath: spec.deletionPolicy + - type: FromCompositeFieldPath + fromFieldPath: spec.parameters.id + toFieldPath: spec.providerConfigRef.name + - type: FromCompositeFieldPath + fromFieldPath: spec.parameters.irsa.serviceAccount.name + policy: + fromFieldPath: Required + toFieldPath: spec.forProvider.manifest.spec.serviceAccountTemplate.metadata.name + transforms: + - string: + fmt: '%s-nonirsa' + type: Format + type: string + - type: FromCompositeFieldPath + fromFieldPath: spec.parameters.id + toFieldPath: spec.forProvider.manifest.metadata.name + policy: + fromFieldPath: Required + transforms: + - string: + fmt: '%s-webid-runtime-config' + type: Format + type: string + - type: FromCompositeFieldPath + fromFieldPath: spec.parameters.id + toFieldPath: metadata.name + policy: + fromFieldPath: Required + transforms: + - string: + fmt: '%s-webid-runtime-config' + type: Format + type: string + + ### PROVIDER DEPLOYMENTS ### + # AWS Family provider + - name: AWSFamilyProvider + base: + apiVersion: kubernetes.crossplane.io/v1alpha2 + kind: Object + metadata: + name: aws-family-provider + namespace: upbound-system + labels: + component: aws-family-provider + spec: + readiness: + policy: AllTrue + forProvider: + manifest: + apiVersion: pkg.crossplane.io/v1 + kind: Provider + metadata: + name: provider-family-aws + spec: + ignoreCrossplaneConstraints: false + # package: xpkg.upbound.io/upbound/provider-family-aws:v1.3.1 + packagePullPolicy: IfNotPresent + revisionActivationPolicy: Automatic + revisionHistoryLimit: 1 + skipDependencyResolution: true + runtimeConfigRef: + name: my-runtime-config + patches: + - type: FromCompositeFieldPath + fromFieldPath: spec.parameters.deletionPolicy + toFieldPath: spec.deletionPolicy + - type: 
FromCompositeFieldPath + fromFieldPath: spec.parameters.id + toFieldPath: spec.providerConfigRef.name + - type: FromCompositeFieldPath + fromFieldPath: spec.parameters.targetClusterParameters.provider.familyPackage + toFieldPath: spec.forProvider.manifest.spec.package + policy: + fromFieldPath: Required + - type: FromCompositeFieldPath + fromFieldPath: spec.parameters.id + toFieldPath: metadata.name + policy: + fromFieldPath: Required + transforms: + - string: + fmt: '%s-provider-family-aws' + type: Format + type: string + - type: FromCompositeFieldPath + fromFieldPath: spec.parameters.id + toFieldPath: spec.forProvider.manifest.spec.runtimeConfigRef.name + policy: + fromFieldPath: Required + transforms: + - string: + fmt: '%s-runtime-config' + type: Format + type: string + + # AWS EC2 provider - for IRSA provider config testing + - name: ProviderAWSEC2 + base: + apiVersion: kubernetes.crossplane.io/v1alpha2 + kind: Object + metadata: + name: aws-provider-ec2 + labels: + component: aws-provider-ec2 + spec: + readiness: + policy: AllTrue + forProvider: + manifest: + apiVersion: pkg.crossplane.io/v1 + kind: Provider + metadata: + name: provider-aws-ec2 + spec: + ignoreCrossplaneConstraints: false + # package: xpkg.upbound.io/upbound/provider-aws-ec2:v1.3.1 + packagePullPolicy: IfNotPresent + revisionActivationPolicy: Automatic + revisionHistoryLimit: 1 + skipDependencyResolution: true + runtimeConfigRef: + name: my-runtime-config + patches: + - type: FromCompositeFieldPath + fromFieldPath: spec.parameters.deletionPolicy + toFieldPath: spec.deletionPolicy + - type: FromCompositeFieldPath + fromFieldPath: spec.parameters.id + toFieldPath: spec.providerConfigRef.name + - type: FromCompositeFieldPath + fromFieldPath: spec.parameters.targetClusterParameters.provider.ec2Package + toFieldPath: spec.forProvider.manifest.spec.package + policy: + fromFieldPath: Required + - type: FromCompositeFieldPath + fromFieldPath: spec.parameters.id + toFieldPath: metadata.name + policy: 
+ fromFieldPath: Required + transforms: + - string: + fmt: '%s-provider-aws-ec2' + type: Format + type: string + - type: FromCompositeFieldPath + fromFieldPath: spec.parameters.id + toFieldPath: spec.forProvider.manifest.spec.runtimeConfigRef.name + policy: + fromFieldPath: Required + transforms: + - string: + fmt: '%s-runtime-config' + type: Format + type: string + + # AWS RDS provider - for non-IRSA provider config testing + - name: ProviderAWSRDS + base: + apiVersion: kubernetes.crossplane.io/v1alpha2 + kind: Object + metadata: + name: aws-provider-rds + labels: + component: aws-provider-rds + spec: + readiness: + policy: AllTrue + forProvider: + manifest: + apiVersion: pkg.crossplane.io/v1 + kind: Provider + metadata: + name: provider-aws-rds + spec: + ignoreCrossplaneConstraints: false + # package: xpkg.upbound.io/upbound/provider-aws-rds:v1.3.1 + packagePullPolicy: IfNotPresent + revisionActivationPolicy: Automatic + revisionHistoryLimit: 1 + skipDependencyResolution: true + runtimeConfigRef: + name: my-webid-runtime-config + patches: + - type: FromCompositeFieldPath + fromFieldPath: spec.parameters.deletionPolicy + toFieldPath: spec.deletionPolicy + - type: FromCompositeFieldPath + fromFieldPath: spec.parameters.id + toFieldPath: spec.providerConfigRef.name + - type: FromCompositeFieldPath + fromFieldPath: spec.parameters.targetClusterParameters.provider.rdsPackage + toFieldPath: spec.forProvider.manifest.spec.package + policy: + fromFieldPath: Required + - type: FromCompositeFieldPath + fromFieldPath: spec.parameters.id + toFieldPath: metadata.name + policy: + fromFieldPath: Required + transforms: + - string: + fmt: '%s-provider-aws-rds' + type: Format + type: string + - type: FromCompositeFieldPath + fromFieldPath: spec.parameters.id + toFieldPath: spec.forProvider.manifest.spec.runtimeConfigRef.name + policy: + fromFieldPath: Required + transforms: + - string: + fmt: '%s-webid-runtime-config' + type: Format + type: string + + ### PROVIDER CONFIGS ### + # 
IRSA-enabled Provider Config + - name: IRSAProviderConfig + base: + apiVersion: kubernetes.crossplane.io/v1alpha2 + kind: Object + metadata: + name: irsa-provider-config + labels: + component: aws-irsa-provider-config + component-type: aws-provider-config + spec: + forProvider: + manifest: + apiVersion: aws.upbound.io/v1beta1 + kind: ProviderConfig + metadata: + name: irsa-config + spec: + credentials: + source: IRSA + patches: + - type: FromCompositeFieldPath + fromFieldPath: spec.parameters.deletionPolicy + toFieldPath: spec.deletionPolicy + - type: FromCompositeFieldPath + fromFieldPath: spec.parameters.id + toFieldPath: spec.providerConfigRef.name + + # IRSA-enabled Provider Config - with chained role + - name: IRSAProviderConfigWithChain + base: + apiVersion: kubernetes.crossplane.io/v1alpha2 + kind: Object + metadata: + name: irsa-with-chain-provider-config + labels: + component: aws-irsa-chain-provider-config + component-type: aws-provider-config + spec: + forProvider: + manifest: + apiVersion: aws.upbound.io/v1beta1 + kind: ProviderConfig + metadata: + name: irsa-with-chain-config + spec: + assumeRoleChain: + - roleARN: to-be-patched + credentials: + source: IRSA + patches: + - type: FromCompositeFieldPath + fromFieldPath: spec.parameters.deletionPolicy + toFieldPath: spec.deletionPolicy + - type: FromCompositeFieldPath + fromFieldPath: spec.parameters.id + toFieldPath: spec.providerConfigRef.name + - type: FromCompositeFieldPath + fromFieldPath: status.irsa.chainedRoleARNs[0] + policy: + fromFieldPath: Required + toFieldPath: spec.forProvider.manifest.spec.assumeRoleChain[0].roleARN + + # WebIdentity Provider Config - Legacy config with IRSA-dependency + - name: WebIdentityProviderConfigLegacy + base: + apiVersion: kubernetes.crossplane.io/v1alpha2 + kind: Object + metadata: + name: webidentity-with-legacy-config + labels: + component-type: aws-provider-config + component: aws-webidentity-legacy-config + spec: + forProvider: + manifest: + apiVersion: 
aws.upbound.io/v1beta1 + kind: ProviderConfig + metadata: + name: webidentity-with-legacy-config + spec: + credentials: + source: WebIdentity + webIdentity: + roleARN: to-be-patched + patches: + - type: FromCompositeFieldPath + fromFieldPath: spec.parameters.deletionPolicy + toFieldPath: spec.deletionPolicy + - type: FromCompositeFieldPath + fromFieldPath: spec.parameters.id + toFieldPath: spec.providerConfigRef.name + - type: FromCompositeFieldPath + fromFieldPath: status.irsa.roleArn + policy: + fromFieldPath: Required + toFieldPath: spec.forProvider.manifest.spec.credentials.webIdentity.roleARN + + # WebIdentity Provider Config with token at FileSystem + - name: WebIdentityProviderConfigFs + base: + apiVersion: kubernetes.crossplane.io/v1alpha2 + kind: Object + metadata: + name: webidentity-with-fs-config + labels: + component-type: aws-provider-config + component: aws-webidentity-fs-config + spec: + forProvider: + manifest: + apiVersion: aws.upbound.io/v1beta1 + kind: ProviderConfig + metadata: + name: webidentity-with-fs-config + spec: + credentials: + source: WebIdentity + webIdentity: + roleARN: to-be-patched + tokenConfig: + source: Filesystem + fs: + path: "/var/run/secrets/tokens/webid-token" + + patches: + - type: FromCompositeFieldPath + fromFieldPath: spec.parameters.deletionPolicy + toFieldPath: spec.deletionPolicy + - type: FromCompositeFieldPath + fromFieldPath: spec.parameters.id + toFieldPath: spec.providerConfigRef.name + - type: FromCompositeFieldPath + fromFieldPath: status.webIdentity.roleArn + policy: + fromFieldPath: Required + toFieldPath: spec.forProvider.manifest.spec.credentials.webIdentity.roleARN + + # WebIdentity Provider Config with token at secret + - name: WebIdentityProviderConfigTokenAtSecret + base: + apiVersion: kubernetes.crossplane.io/v1alpha2 + kind: Object + metadata: + name: webidentity-with-secret-config + labels: + component-type: aws-provider-config + component: aws-webidentity-secret-config + spec: + forProvider: + 
manifest: + apiVersion: aws.upbound.io/v1beta1 + kind: ProviderConfig + metadata: + name: webidentity-with-secret-config + spec: + credentials: + source: WebIdentity + webIdentity: + roleArn: to-be-patched + tokenConfig: + source: Secret + secretRef: + key: token + name: example-web-identity-token-secret + namespace: upbound-system + patches: + - type: FromCompositeFieldPath + fromFieldPath: spec.parameters.deletionPolicy + toFieldPath: spec.deletionPolicy + - type: FromCompositeFieldPath + fromFieldPath: spec.parameters.id + toFieldPath: spec.providerConfigRef.name + + # WebIdentity Provider Config with token at FileSystem - with chained role + - name: WebIdentityProviderConfigFsWithChain + base: + apiVersion: kubernetes.crossplane.io/v1alpha2 + kind: Object + metadata: + name: webidentity-with-fs-chain-config + labels: + component-type: aws-provider-config + component: aws-webidentity-fs-chain-config + spec: + forProvider: + manifest: + apiVersion: aws.upbound.io/v1beta1 + kind: ProviderConfig + metadata: + name: webidentity-with-fs-chain-config + spec: + assumeRoleChain: + - roleARN: to-be-patched + credentials: + source: WebIdentity + webIdentity: + roleARN: to-be-patched + tokenConfig: + source: Filesystem + fs: + path: "/var/run/secrets/tokens/webid-token" + + patches: + - type: FromCompositeFieldPath + fromFieldPath: spec.parameters.deletionPolicy + toFieldPath: spec.deletionPolicy + - type: FromCompositeFieldPath + fromFieldPath: spec.parameters.id + toFieldPath: spec.providerConfigRef.name + - type: FromCompositeFieldPath + fromFieldPath: status.webIdentity.roleArn + policy: + fromFieldPath: Required + toFieldPath: spec.forProvider.manifest.spec.credentials.webIdentity.roleARN + - type: FromCompositeFieldPath + fromFieldPath: status.webIdentity.chainedRoleARNs[0] + policy: + fromFieldPath: Required + toFieldPath: spec.forProvider.manifest.spec.assumeRoleChain[0].roleARN + + ### DEMO MRs FOR TESTING ### + # Demo VPC MR for testing IRSA + - name: DemoVPC + 
base: + apiVersion: kubernetes.crossplane.io/v1alpha2 + kind: Object + metadata: + name: demo-vpc-mr + labels: + resource-provider: aws-provider-ec2 + component: demo-vpc + spec: + readiness: + policy: AllTrue + forProvider: + manifest: + apiVersion: ec2.aws.upbound.io/v1beta1 + kind: VPC + metadata: + name: sample-vpc + annotations: + meta.upbound.io/example-id: ec2/v1beta1/vpc + spec: + providerConfigRef: + name: irsa-config + forProvider: + region: us-west-2 + cidrBlock: 172.16.0.0/16 + tags: + Name: PCTesting-Demo + patches: + - type: FromCompositeFieldPath + fromFieldPath: spec.parameters.deletionPolicy + toFieldPath: spec.deletionPolicy + - type: FromCompositeFieldPath + fromFieldPath: spec.parameters.id + toFieldPath: spec.providerConfigRef.name + - type: FromCompositeFieldPath + fromFieldPath: spec.parameters.id + toFieldPath: metadata.name + policy: + fromFieldPath: Required + transforms: + - string: + fmt: '%s-demo-vpc-mr' + type: Format + type: string + + # Demo VPC MR for testing IRSA with chained Role + - name: DemoVPCIRSAChain + base: + apiVersion: kubernetes.crossplane.io/v1alpha2 + kind: Object + metadata: + name: demo-vpc-irsa-chain-mr + labels: + resource-provider: aws-provider-ec2 + component: demo-vpc-irsa-chain + spec: + readiness: + policy: AllTrue + forProvider: + manifest: + apiVersion: ec2.aws.upbound.io/v1beta1 + kind: VPC + metadata: + name: sample-vpc-demo-irsa-chain + annotations: + meta.upbound.io/example-id: ec2/v1beta1/vpc + spec: + providerConfigRef: + name: irsa-with-chain-config + forProvider: + region: us-east-1 + cidrBlock: 172.19.0.0/16 + tags: + Name: PCTesting-IRSA-Chain-Demo + patches: + - type: FromCompositeFieldPath + fromFieldPath: spec.parameters.deletionPolicy + toFieldPath: spec.deletionPolicy + - type: FromCompositeFieldPath + fromFieldPath: spec.parameters.id + toFieldPath: spec.providerConfigRef.name + - type: FromCompositeFieldPath + fromFieldPath: spec.parameters.id + toFieldPath: metadata.name + policy: + 
fromFieldPath: Required + transforms: + - string: + fmt: '%s-demo-vpc-irsa-chain-mr' + type: Format + type: string + + # Demo VPC MR for testing Legacy WebIdentity + - name: DemoVPCLegacyWebID + base: + apiVersion: kubernetes.crossplane.io/v1alpha2 + kind: Object + metadata: + name: demo-vpc-legacy-webid-mr + labels: + resource-provider: aws-provider-ec2 + component: demo-vpc-legacy-webid + spec: + readiness: + policy: AllTrue + forProvider: + manifest: + apiVersion: ec2.aws.upbound.io/v1beta1 + kind: VPC + metadata: + name: sample-legacy-webid-vpc + annotations: + meta.upbound.io/example-id: ec2/v1beta1/vpc + spec: + providerConfigRef: + name: webidentity-with-legacy-config + forProvider: + region: us-east-2 + cidrBlock: 172.17.0.0/16 + tags: + Name: PCTesting-Demo-WebIDLegacy + patches: + - type: FromCompositeFieldPath + fromFieldPath: spec.parameters.deletionPolicy + toFieldPath: spec.deletionPolicy + - type: FromCompositeFieldPath + fromFieldPath: spec.parameters.id + toFieldPath: spec.providerConfigRef.name + - type: FromCompositeFieldPath + fromFieldPath: spec.parameters.id + toFieldPath: metadata.name + policy: + fromFieldPath: Required + transforms: + - string: + fmt: '%s-demo-vpc-legacy-webid-mr' + type: Format + type: string + + # Demo RDS Parameter Group MR for testing WebIdentity + - name: DemoRDSParameterGroupWebIDFs + base: + apiVersion: kubernetes.crossplane.io/v1alpha2 + kind: Object + metadata: + name: demo-parametergroup-webidfs-mr + labels: + resource-provider: aws-provider-rds + component: demo-pg-webidfs + spec: + readiness: + policy: AllTrue + forProvider: + manifest: + apiVersion: rds.aws.upbound.io/v1beta1 + kind: ParameterGroup + metadata: + name: sample-parameter-group-webid + annotations: + meta.upbound.io/example-id: rds/v1beta1/parametergroup + labels: + testing.upbound.io/example-name: example + spec: + providerConfigRef: + name: webidentity-with-fs-config + forProvider: + region: us-west-2 + family: postgres12 + description: example + 
parameter: + - name: application_name + value: "example-webidfs" + applyMethod: immediate + + patches: + - type: FromCompositeFieldPath + fromFieldPath: spec.parameters.deletionPolicy + toFieldPath: spec.deletionPolicy + - type: FromCompositeFieldPath + fromFieldPath: spec.parameters.id + toFieldPath: spec.providerConfigRef.name + - type: FromCompositeFieldPath + fromFieldPath: spec.parameters.id + toFieldPath: metadata.name + policy: + fromFieldPath: Required + transforms: + - string: + fmt: '%s-demo-rds-pg-webid-mr' + type: Format + type: string + + # Demo RDS Parameter Group MR for testing WebIdentity config with Chain + - name: DemoRDSParameterGroupWebIDFsChain + base: + apiVersion: kubernetes.crossplane.io/v1alpha2 + kind: Object + metadata: + name: demo-parametergroup-webidfs-chain-mr + labels: + resource-provider: aws-provider-rds + component: demo-pg-webidfs-chain + spec: + readiness: + policy: AllTrue + forProvider: + manifest: + apiVersion: rds.aws.upbound.io/v1beta1 + kind: ParameterGroup + metadata: + name: sample-parameter-group-webid-chain + annotations: + meta.upbound.io/example-id: rds/v1beta1/parametergroup + labels: + testing.upbound.io/example-name: example + spec: + providerConfigRef: + name: webidentity-with-fs-chain-config + forProvider: + region: us-west-2 + family: postgres12 + description: example + parameter: + - name: application_name + value: "example-webidfs-chain" + applyMethod: immediate + patches: + - type: FromCompositeFieldPath + fromFieldPath: spec.parameters.deletionPolicy + toFieldPath: spec.deletionPolicy + - type: FromCompositeFieldPath + fromFieldPath: spec.parameters.id + toFieldPath: spec.providerConfigRef.name + - type: FromCompositeFieldPath + fromFieldPath: spec.parameters.id + toFieldPath: metadata.name + policy: + fromFieldPath: Required + transforms: + - string: + fmt: '%s-demo-rds-pg-webid-chain-mr' + type: Format + type: string + + #################### + ### USAGES ### + #################### + + # XEKS uses XNetwork 
+ - name: usageXNetworkByXEKS + base: + apiVersion: apiextensions.crossplane.io/v1alpha1 + kind: Usage + spec: + replayDeletion: true + by: + apiVersion: aws.platform.upbound.io/v1alpha1 + kind: XEKS + resourceSelector: + matchControllerRef: true + of: + apiVersion: aws.platform.upbound.io/v1alpha1 + kind: XNetwork + resourceSelector: + matchControllerRef: true + readinessChecks: + - type: None + + # XIRSAs uses XEKS + - name: usageXEksByXIRSA + base: + apiVersion: apiextensions.crossplane.io/v1alpha1 + kind: Usage + spec: + replayDeletion: true + by: + apiVersion: aws.platform.upbound.io/v1alpha1 + kind: XIRSA + resourceSelector: + matchControllerRef: true + matchLabels: + component: irsa-bundle + of: + apiVersion: aws.platform.upbound.io/v1alpha1 + kind: XEKS + resourceSelector: + matchControllerRef: true + readinessChecks: + - type: None + + # pseudo-XIRSA for WebIdentity uses XEKS + - name: usageXEksByPseudoXIRSA + base: + apiVersion: apiextensions.crossplane.io/v1alpha1 + kind: Usage + spec: + replayDeletion: true + by: + apiVersion: aws.platform.upbound.io/v1alpha1 + kind: XIRSA + resourceSelector: + matchControllerRef: true + matchLabels: + component: webidentity-bundle + of: + apiVersion: aws.platform.upbound.io/v1alpha1 + kind: XEKS + resourceSelector: + matchControllerRef: true + readinessChecks: + - type: None + + # Crossplane Helm deployment uses XEKS + - name: usageXEksByCrossplaneDeployment + base: + apiVersion: apiextensions.crossplane.io/v1alpha1 + kind: Usage + spec: + replayDeletion: true + by: + apiVersion: helm.crossplane.io/v1beta1 + kind: Release + resourceSelector: + matchLabels: + component: crossplane-deployment + of: + apiVersion: aws.platform.upbound.io/v1alpha1 + kind: XEKS + resourceSelector: + matchControllerRef: true + readinessChecks: + - type: None + + # IRSA Deployment Runtime Config depends on XIRSA + - name: usageXIRSAByIRSADeploymentRuntime + base: + apiVersion: apiextensions.crossplane.io/v1alpha1 + kind: Usage + spec: + 
replayDeletion: true + by: + apiVersion: kubernetes.crossplane.io/v1alpha2 + kind: Object + resourceSelector: + matchControllerRef: true + matchLabels: + component: irsa-runtime-config + of: + apiVersion: aws.platform.upbound.io/v1alpha1 + kind: XIRSA + resourceSelector: + matchControllerRef: true + matchLabels: + component: irsa-bundle + readinessChecks: + - type: None + + # WebIdDeployment Runtime Config depends on pseudo-XIRSA + - name: usageXIRSAByWebIDDeploymentRuntime + base: + apiVersion: apiextensions.crossplane.io/v1alpha1 + kind: Usage + spec: + replayDeletion: true + by: + apiVersion: kubernetes.crossplane.io/v1alpha2 + kind: Object + resourceSelector: + matchControllerRef: true + matchLabels: + component: webidentity-runtime-config + of: + apiVersion: aws.platform.upbound.io/v1alpha1 + kind: XIRSA + resourceSelector: + matchControllerRef: true + matchLabels: + component: webidentity-bundle + readinessChecks: + - type: None + + # IRSA Deployment Runtime Config depends on Crossplane Deployment + - name: usageCrossplaneByDeploymentRuntime + base: + apiVersion: apiextensions.crossplane.io/v1alpha1 + kind: Usage + spec: + replayDeletion: true + by: + apiVersion: kubernetes.crossplane.io/v1alpha2 + kind: Object + resourceSelector: + matchControllerRef: true + matchLabels: + component: irsa-runtime-config + of: + apiVersion: helm.crossplane.io/v1alpha1 + kind: Release + resourceSelector: + matchLabels: + component: crossplane-deployment + matchControllerRef: true + readinessChecks: + - type: None + + # WebIdentity Deployment Runtime Config depends on Crossplane Deployment + - name: usageCrossplaneByWebIDDeploymentRuntime + base: + apiVersion: apiextensions.crossplane.io/v1alpha1 + kind: Usage + spec: + replayDeletion: true + by: + apiVersion: kubernetes.crossplane.io/v1alpha2 + kind: Object + resourceSelector: + matchControllerRef: true + matchLabels: + component: webidentity-runtime-config + of: + apiVersion: helm.crossplane.io/v1alpha1 + kind: Release + 
resourceSelector: + matchLabels: + component: crossplane-deployment + matchControllerRef: true + readinessChecks: + - type: None + + # AWS Family Provider uses Crossplane Deployment + - name: usageCrossplaneByFamilyProvider + base: + apiVersion: apiextensions.crossplane.io/v1alpha1 + kind: Usage + spec: + replayDeletion: true + by: + apiVersion: kubernetes.crossplane.io/v1alpha2 + kind: Object + resourceSelector: + matchControllerRef: true + matchLabels: + component: aws-family-provider + of: + apiVersion: helm.crossplane.io/v1alpha1 + kind: Release + resourceSelector: + matchLabels: + component: crossplane-deployment + matchControllerRef: true + readinessChecks: + - type: None + + ### AWS Provider Deployments uses the DeploymentRuntimeConfigs ### + ### + # AWS Family Provider uses IRSA Deployment Runtime Config + - name: usageRuntimeConfigByFamilyProvider + base: + apiVersion: apiextensions.crossplane.io/v1alpha1 + kind: Usage + spec: + replayDeletion: true + by: + apiVersion: kubernetes.crossplane.io/v1alpha2 + kind: Object + resourceSelector: + matchControllerRef: true + matchLabels: + component: aws-family-provider + of: + apiVersion: kubernetes.crossplane.io/v1alpha2 + kind: Object + resourceSelector: + matchControllerRef: true + matchLabels: + component: irsa-runtime-config + readinessChecks: + - type: None + + # AWS EC2 Provider depends on IRSA Deployment Runtime Config + - name: usageRuntimeConfigByEC2Provider + base: + apiVersion: apiextensions.crossplane.io/v1alpha1 + kind: Usage + spec: + replayDeletion: true + by: + apiVersion: kubernetes.crossplane.io/v1alpha2 + kind: Object + resourceSelector: + matchControllerRef: true + matchLabels: + component: aws-provider-ec2 + of: + apiVersion: kubernetes.crossplane.io/v1alpha2 + kind: Object + resourceSelector: + matchControllerRef: true + matchLabels: + component: irsa-runtime-config + + readinessChecks: + - type: None + + # AWS RDS Provider depends on WebIdentity Deployment Runtime Config + - name: 
usageRuntimeConfigByRDSProvider + base: + apiVersion: apiextensions.crossplane.io/v1alpha1 + kind: Usage + spec: + replayDeletion: true + by: + apiVersion: kubernetes.crossplane.io/v1alpha2 + kind: Object + resourceSelector: + matchControllerRef: true + matchLabels: + component: aws-provider-rds + of: + apiVersion: kubernetes.crossplane.io/v1alpha2 + kind: Object + resourceSelector: + matchControllerRef: true + matchLabels: + component: webidentity-runtime-config + + readinessChecks: + - type: None + + ### AWS Providers depend on AWS Family Provider + # AWS EC2 Provider depends on AWS Family Provider + - name: usageFamilyProviderByEC2Provider + base: + apiVersion: apiextensions.crossplane.io/v1alpha1 + kind: Usage + spec: + replayDeletion: true + by: + apiVersion: kubernetes.crossplane.io/v1alpha2 + kind: Object + resourceSelector: + matchControllerRef: true + matchLabels: + component: aws-provider-ec2 + of: + apiVersion: kubernetes.crossplane.io/v1alpha2 + kind: Object + resourceSelector: + matchControllerRef: true + matchLabels: + component: aws-family-provider + + readinessChecks: + - type: None + + # AWS RDS Provider depends on AWS Family Provider + - name: usageFamilyProviderByRDSProvider + base: + apiVersion: apiextensions.crossplane.io/v1alpha1 + kind: Usage + spec: + replayDeletion: true + by: + apiVersion: kubernetes.crossplane.io/v1alpha2 + kind: Object + resourceSelector: + matchControllerRef: true + matchLabels: + component: aws-provider-rds + of: + apiVersion: kubernetes.crossplane.io/v1alpha2 + kind: Object + resourceSelector: + matchControllerRef: true + matchLabels: + component: aws-family-provider + + readinessChecks: + - type: None + + #################################################### + ### Provider configs depend on AWS Family Provider # + #################################################### + # IRSA provider config depend on Family Provider + - name: usageFamilyProviderByIRSAProviderConfig + base: + apiVersion: 
apiextensions.crossplane.io/v1alpha1 + kind: Usage + spec: + replayDeletion: true + by: + apiVersion: kubernetes.crossplane.io/v1alpha2 + kind: Object + resourceSelector: + matchControllerRef: true + matchLabels: + component: aws-irsa-provider-config + of: + apiVersion: kubernetes.crossplane.io/v1alpha2 + kind: Object + resourceSelector: + matchControllerRef: true + matchLabels: + component: aws-family-provider + readinessChecks: + - type: None + + # IRSA with Chain + - name: usageFamilyProviderByIRSAChainProviderConfig + base: + apiVersion: apiextensions.crossplane.io/v1alpha1 + kind: Usage + spec: + replayDeletion: true + by: + apiVersion: kubernetes.crossplane.io/v1alpha2 + kind: Object + resourceSelector: + matchControllerRef: true + matchLabels: + component: aws-irsa-chain-provider-config + of: + apiVersion: kubernetes.crossplane.io/v1alpha2 + kind: Object + resourceSelector: + matchControllerRef: true + matchLabels: + component: aws-family-provider + readinessChecks: + - type: None + + # Legacy WebIdentity + - name: usageFamilyProviderByLegacyWebIdentityProviderConfig + base: + apiVersion: apiextensions.crossplane.io/v1alpha1 + kind: Usage + spec: + replayDeletion: true + by: + apiVersion: kubernetes.crossplane.io/v1alpha2 + kind: Object + resourceSelector: + matchControllerRef: true + matchLabels: + component: aws-webidentity-legacy-config + of: + apiVersion: kubernetes.crossplane.io/v1alpha2 + kind: Object + resourceSelector: + matchControllerRef: true + matchLabels: + component: aws-family-provider + readinessChecks: + - type: None + + # WebIdentity with token at FS + - name: usageFamilyProviderByWebIdentityFSProviderConfig + base: + apiVersion: apiextensions.crossplane.io/v1alpha1 + kind: Usage + spec: + replayDeletion: true + by: + apiVersion: kubernetes.crossplane.io/v1alpha2 + kind: Object + resourceSelector: + matchControllerRef: true + matchLabels: + component: aws-webidentity-fs-config + of: + apiVersion: kubernetes.crossplane.io/v1alpha2 + kind: 
Object + resourceSelector: + matchControllerRef: true + matchLabels: + component: aws-family-provider + readinessChecks: + - type: None + + # WebIdentity with token at Secret + - name: usageFamilyProviderByWebIdentitySecretProviderConfig + base: + apiVersion: apiextensions.crossplane.io/v1alpha1 + kind: Usage + spec: + replayDeletion: true + by: + apiVersion: kubernetes.crossplane.io/v1alpha2 + kind: Object + resourceSelector: + matchControllerRef: true + matchLabels: + component: aws-webidentity-secret-config + of: + apiVersion: kubernetes.crossplane.io/v1alpha2 + kind: Object + resourceSelector: + matchControllerRef: true + matchLabels: + component: aws-family-provider + readinessChecks: + - type: None + + # WebIdentity with token at FS with Chain + - name: usageFamilyProviderByWebIdentityFSChainProviderConfig + base: + apiVersion: apiextensions.crossplane.io/v1alpha1 + kind: Usage + spec: + replayDeletion: true + by: + apiVersion: kubernetes.crossplane.io/v1alpha2 + kind: Object + resourceSelector: + matchControllerRef: true + matchLabels: + component: aws-webidentity-fs-chain-config + of: + apiVersion: kubernetes.crossplane.io/v1alpha2 + kind: Object + resourceSelector: + matchControllerRef: true + matchLabels: + component: aws-family-provider + readinessChecks: + - type: None + + ################# + ### MR Usages of Providers ### + ################# + + - name: usageEC2ProviderByDemoVPC + base: + apiVersion: apiextensions.crossplane.io/v1alpha1 + kind: Usage + spec: + replayDeletion: true + by: + apiVersion: kubernetes.crossplane.io/v1alpha2 + kind: Object + resourceSelector: + matchControllerRef: true + matchLabels: + component: demo-vpc + of: + apiVersion: kubernetes.crossplane.io/v1alpha2 + kind: Object + resourceSelector: + matchControllerRef: true + matchLabels: + component: aws-provider-ec2 + readinessChecks: + - type: None + + - name: usageEC2ProviderByDemoVpcIrsaChain + base: + apiVersion: apiextensions.crossplane.io/v1alpha1 + kind: Usage + spec: + 
replayDeletion: true + by: + apiVersion: kubernetes.crossplane.io/v1alpha2 + kind: Object + resourceSelector: + matchControllerRef: true + matchLabels: + component: demo-vpc-irsa-chain + of: + apiVersion: kubernetes.crossplane.io/v1alpha2 + kind: Object + resourceSelector: + matchControllerRef: true + matchLabels: + component: aws-provider-ec2 + readinessChecks: + - type: None + + - name: usageEC2ProviderByDemoVpcLegacyWebID + base: + apiVersion: apiextensions.crossplane.io/v1alpha1 + kind: Usage + spec: + replayDeletion: true + by: + apiVersion: kubernetes.crossplane.io/v1alpha2 + kind: Object + resourceSelector: + matchControllerRef: true + matchLabels: + component: demo-vpc-legacy-webid + of: + apiVersion: kubernetes.crossplane.io/v1alpha2 + kind: Object + resourceSelector: + matchControllerRef: true + matchLabels: + component: aws-provider-ec2 + readinessChecks: + - type: None + + - name: usageRDSProviderByPgWebIdFsMR + base: + apiVersion: apiextensions.crossplane.io/v1alpha1 + kind: Usage + spec: + replayDeletion: true + by: + apiVersion: kubernetes.crossplane.io/v1alpha2 + kind: Object + resourceSelector: + matchControllerRef: true + matchLabels: + component: demo-pg-webidfs + of: + apiVersion: kubernetes.crossplane.io/v1alpha2 + kind: Object + resourceSelector: + matchControllerRef: true + matchLabels: + component: aws-provider-rds + readinessChecks: + - type: None + + - name: usageRDSProviderByPgWebIdFsMR + base: + apiVersion: apiextensions.crossplane.io/v1alpha1 + kind: Usage + spec: + replayDeletion: true + by: + apiVersion: kubernetes.crossplane.io/v1alpha2 + kind: Object + resourceSelector: + matchControllerRef: true + matchLabels: + component: demo-pg-webidfs-chain + of: + apiVersion: kubernetes.crossplane.io/v1alpha2 + kind: Object + resourceSelector: + matchControllerRef: true + matchLabels: + component: aws-provider-rds + readinessChecks: + - type: None + + ################# + ### MR Usages of ProviderConfigs ### + ################# + + - name: 
usageIrsaProviderConfigByDemoVPC + base: + apiVersion: apiextensions.crossplane.io/v1alpha1 + kind: Usage + spec: + replayDeletion: true + by: + apiVersion: kubernetes.crossplane.io/v1alpha2 + kind: Object + resourceSelector: + matchControllerRef: true + matchLabels: + component: demo-vpc + of: + apiVersion: kubernetes.crossplane.io/v1alpha2 + kind: Object + resourceSelector: + matchControllerRef: true + matchLabels: + component: aws-irsa-provider-config + readinessChecks: + - type: None + + - name: usageIrsaChainByDemoVpcIrsaChain + base: + apiVersion: apiextensions.crossplane.io/v1alpha1 + kind: Usage + spec: + replayDeletion: true + by: + apiVersion: kubernetes.crossplane.io/v1alpha2 + kind: Object + resourceSelector: + matchControllerRef: true + matchLabels: + component: demo-vpc-irsa-chain + of: + apiVersion: kubernetes.crossplane.io/v1alpha2 + kind: Object + resourceSelector: + matchControllerRef: true + matchLabels: + component: aws-irsa-chain-provider-config + readinessChecks: + - type: None + + - name: usageLegacyWebIdentityProviderConfigByDemoVpc + base: + apiVersion: apiextensions.crossplane.io/v1alpha1 + kind: Usage + spec: + replayDeletion: true + by: + apiVersion: kubernetes.crossplane.io/v1alpha2 + kind: Object + resourceSelector: + matchControllerRef: true + matchLabels: + component: demo-vpc-legacy-webid + of: + apiVersion: kubernetes.crossplane.io/v1alpha2 + kind: Object + resourceSelector: + matchControllerRef: true + matchLabels: + component: aws-webidentity-legacy-config + readinessChecks: + - type: None + + - name: usageWebIdentityFsProviderConfigByPgMR + base: + apiVersion: apiextensions.crossplane.io/v1alpha1 + kind: Usage + spec: + replayDeletion: true + by: + apiVersion: kubernetes.crossplane.io/v1alpha2 + kind: Object + resourceSelector: + matchControllerRef: true + matchLabels: + component: demo-pg-webidfs + of: + apiVersion: kubernetes.crossplane.io/v1alpha2 + kind: Object + resourceSelector: + matchControllerRef: true + matchLabels: + 
component: aws-webidentity-fs-config
+ readinessChecks:
+ - type: None
+
+ - name: usageWebIdentityFsChainProviderConfigByPgMR
+ base:
+ apiVersion: apiextensions.crossplane.io/v1alpha1
+ kind: Usage
+ spec:
+ replayDeletion: true
+ by:
+ apiVersion: kubernetes.crossplane.io/v1alpha2
+ kind: Object
+ resourceSelector:
+ matchControllerRef: true
+ matchLabels:
+ component: demo-pg-webidfs-chain
+ of:
+ apiVersion: kubernetes.crossplane.io/v1alpha2
+ kind: Object
+ resourceSelector:
+ matchControllerRef: true
+ matchLabels:
+ component: aws-webidentity-fs-chain-config
+ readinessChecks:
+ - type: None
diff --git a/e2e/providerconfig-aws-e2e-test/package/apis/e2etestcluster/definition.yaml b/e2e/providerconfig-aws-e2e-test/package/apis/e2etestcluster/definition.yaml
new file mode 100644
index 0000000000..40ab4ad77c
--- /dev/null
+++ b/e2e/providerconfig-aws-e2e-test/package/apis/e2etestcluster/definition.yaml
@@ -0,0 +1,184 @@
+apiVersion: apiextensions.crossplane.io/v1
+kind: CompositeResourceDefinition
+metadata:
+ name: xe2etestclusters.aws.platformref.upbound.io
+spec:
+ defaultCompositeDeletePolicy: Foreground
+ group: aws.platformref.upbound.io
+ names:
+ kind: XE2ETestCluster
+ plural: xe2etestclusters
+ claimNames:
+ kind: E2ETestCluster
+ plural: e2etestclusters
+ connectionSecretKeys:
+ - kubeconfig
+ versions:
+ - name: v1alpha1
+ served: true
+ referenceable: true
+ schema:
+ openAPIV3Schema:
+ type: object
+ properties:
+ spec:
+ type: object
+ properties:
+ parameters:
+ type: object
+ description: Cluster configuration parameters.
+ properties:
+ id:
+ type: string
+ description: ID of this Cluster that other objects will use to refer to it.
+ region:
+ type: string
+ description: Region is the region you'd like your resource to be created in.
+ iam:
+ type: object
+ description: IAM configuration to connect as ClusterAdmin.
+ properties:
+ roleArn:
+ description: The IAM Role ARN to connect as ClusterAdmin.
+ type: string
+ userArn:
+ description: The IAM User ARN to connect as ClusterAdmin.
+ type: string
+ networkSelector:
+ type: string
+ description: NetworkSelector employs a specific type of network architecture.
+ enum:
+ - basic
+ default: basic
+ deletionPolicy:
+ description: Delete the external resources when the Claim/XR is deleted. Defaults to Delete
+ enum:
+ - Delete
+ - Orphan
+ type: string
+ default: Delete
+ providerConfigName:
+ description: Crossplane ProviderConfig to use for provisioning this resources
+ type: string
+ default: default
+ version:
+ type: string
+ description: Kubernetes version of the Cluster
+ enum:
+ - "1.28"
+ - "1.27"
+ - "1.26"
+ - "1.25"
+ default: "1.27"
+ nodes:
+ type: object
+ description: Cluster node configuration parameters.
+ properties:
+ count:
+ type: integer
+ description: Desired node count, from 1 to 100.
+ instanceType:
+ type: string
+ description: instance types associated with the Node Group.
+ default: t3.small
+ required:
+ - count
+ - instanceType
+ irsa:
+ type: object
+ description: IRSA configuration parameters.
+ properties:
+ serviceAccount:
+ type: object
+ description: Configuration for SA
+ properties:
+ name:
+ type: string
+ description: name kubernetes SA
+ namespace:
+ type: string
+ description: namespace kubernetes SA
+ required:
+ - name
+ - namespace
+ condition:
+ type: string
+ description: This is the whether or not the equals is a hard match or like query
+ default: StringEquals
+ enum:
+ - StringEquals
+ - StringLike
+ policyDocument:
+ type: string
+ description: The JSON policy document that is the content for the policy.
+ required:
+ - condition
+ - policyDocument
+ - serviceAccount
+ targetClusterParameters:
+ type: object
+ description: Target EKS Cluster configuration parameters.
+ properties:
+ provider:
+ type: object
+ description: Configuration for providers to be installed
+ properties:
+ familyPackage:
+ type: string
+ description: provider-family-aws package url to be used
+ ec2Package:
+ type: string
+ description: provider-aws-ec2 package url to be used
+ rdsPackage:
+ type: string
+ description: provider-aws-iam package url to be used
+ required:
+ - familyPackage
+ - ec2Package
+ - rdsPackage
+ crossplaneVersion:
+ type: string
+ description: crossplane version to be deployed on the cluster
+ default: "1.15.2"
+ required:
+ - crossplaneVersion
+ - provider
+ required:
+ - deletionPolicy
+ - id
+ - nodes
+ - providerConfigName
+ - region
+ - irsa
+ - targetClusterParameters
+ required:
+ - parameters
+ status:
+ type: object
+ properties:
+ subnetIds:
+ type: array
+ items:
+ type: string
+ irsa:
+ type: object
+ properties:
+ roleArn:
+ type: string
+ policyArn:
+ type: string
+ chainedRoleARNs:
+ type: array
+ items:
+ type: string
+ webIdentity:
+ type: object
+ properties:
+ roleArn:
+ type: string
+ policyArn:
+ type: string
+ chainedRoleARNs:
+ type: array
+ items:
+ type: string
\ No newline at end of file
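Review bot: The `rdsPackage` property is described as `provider-aws-iam package url to be used`, but the field carries the RDS provider package (its siblings and the example claim use `provider-aws-rds`), so the description should read `description: provider-aws-rds package url to be used`. The `condition` description, `This is the whether or not the equals is a hard match or like query`, is hard to parse; if the intent is the IRSA trust condition, something like `description: Whether the service account is matched exactly (StringEquals) or as a pattern (StringLike)` says it directly. `providerConfigName` has a small grammar slip, `this resources` should be `these resources`. Nothing else in the schema looks wrong; these are documentation-only changes.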
diff --git a/e2e/providerconfig-aws-e2e-test/package/crossplane.yaml b/e2e/providerconfig-aws-e2e-test/package/crossplane.yaml
new file mode 100644
index 0000000000..f2d1b5b7c5
--- /dev/null
+++ b/e2e/providerconfig-aws-e2e-test/package/crossplane.yaml
@@ -0,0 +1,26 @@
+apiVersion: meta.pkg.crossplane.io/v1alpha1
+kind: Configuration
+metadata:
+ name: providerconfig-aws-e2e-test
+ annotations:
+ meta.crossplane.io/maintainer: Upbound
+ meta.crossplane.io/source: github.com/crossplane-contrib/provider-upjet-aws
+ meta.crossplane.io/license: Apache-2.0
+ meta.crossplane.io/description: |
+ This reference platform Configuration allows you to setup an EKS Cluster with Crossplane control plane tailored
+ for testing AWS provider configuration scenarios such as IRSA and WebIdentity.
+ meta.crossplane.io/readme: |
+ This reference platform Configuration allows you to setup an EKS Cluster with Crossplane control plane tailored
+ for testing AWS provider configuration scenarios such as IRSA and WebIdentity.
+ To learn more checkout the [GitHub
+ repo](https://github.com/crossplane-contrib/provider-upjet-aws/blob/main/e2e/providerconfig-aws-e2e-test/README.md)
+spec:
+ crossplane:
+ version: ">=v1.15.2-0"
+ dependsOn:
+ - configuration: xpkg.upbound.io/upbound/configuration-aws-eks
+ # renovate: datasource=github-releases depName=upbound/configuration-aws-eks
+ version: "v0.9.0"
+ - configuration: xpkg.upbound.io/upbound/configuration-aws-eks-irsa
+ # renovate: datasource=github-releases depName=upbound/configuration-aws-eks-irsa
+ version: "v0.7.0"
diff --git a/e2e/providerconfig-aws-e2e-test/package/examples/e2etestcluster-claim.yaml b/e2e/providerconfig-aws-e2e-test/package/examples/e2etestcluster-claim.yaml
new file mode 100644
index 0000000000..2cac97cfaa
--- /dev/null
+++ b/e2e/providerconfig-aws-e2e-test/package/examples/e2etestcluster-claim.yaml
@@ -0,0 +1,53 @@
+apiVersion: aws.platformref.upbound.io/v1alpha1
+kind: E2ETestCluster
+metadata:
+ name: aws-pc-e2e-test
+ namespace: default
+spec:
+ compositeDeletePolicy: Foreground
+ parameters:
+ id: aws-pc-e2e-test
+ region: us-west-2
+ version: "1.28"
+ iam:
+ # replace with your custom roleArn that will administer the EKS cluster:
+ # "arn:aws:iam::123456789012:role/myeksadminrole"
+ roleArn: ${data.aws_eks_iam_default_admin}
+ nodes:
+ count: 1
+ instanceType: t3.medium
+ irsa:
+ condition: StringEquals
+ policyDocument: |
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Action": [
+ "ec2:*"
+ ],
+ "Effect": "Allow",
+ "Resource": "*"
+ }
+ ]
+ }
+ serviceAccount:
+ name: my-xpsa
+ namespace: upbound-system
+ targetClusterParameters:
+ provider:
+ familyPackage: "xpkg.upbound.io/upbound/provider-family-aws:v1.3.0"
+ ec2Package: "xpkg.upbound.io/upbound/provider-aws-ec2:v1.3.0"
+ rdsPackage: "xpkg.upbound.io/upbound/provider-aws-rds:v1.3.0"
+ crossplaneVersion: 1.15.2
+ writeConnectionSecretToRef:
+ name: aws-pc-e2e-test-kubeconfig
+status:
+ irsa:
+ roleArn: abc
+ chainedRoleARNs:
+ - "chained-role-arn"
+ webIdentity:
+ roleArn: webid-role-arn
+ chainedRoleARNs:
+ - "chained-role-arn"
diff --git a/e2e/providerconfig-aws-e2e-test/package/examples/functions.yaml b/e2e/providerconfig-aws-e2e-test/package/examples/functions.yaml
new file mode 100644
index 0000000000..99674f2f2f
--- /dev/null
+++ b/e2e/providerconfig-aws-e2e-test/package/examples/functions.yaml
@@ -0,0 +1,6 @@
+apiVersion: pkg.crossplane.io/v1beta1
+kind: Function
+metadata:
+ name: crossplane-contrib-function-patch-and-transform
+spec:
+ package: xpkg.upbound.io/crossplane-contrib/function-patch-and-transform:v0.4.0
diff --git a/e2e/providerconfig-aws-e2e-test/test/setup.sh b/e2e/providerconfig-aws-e2e-test/test/setup.sh
new file mode 100755
index 0000000000..a22d68d9da
--- /dev/null
+++ b/e2e/providerconfig-aws-e2e-test/test/setup.sh
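Review bot: The example claim ships a populated `status` block (`roleArn: abc`, `chainedRoleARNs: - "chained-role-arn"`) that is controller-owned and will be replaced as soon as the XR reconciles, so it documents nothing and is easy to copy by mistake; I would drop it or prefix it with `# status is written by the composition; shown only for illustration`. The `policyDocument` grants `ec2:*` on `Resource: "*"` to the IRSA role, which may be intended for an e2e fixture, but a comment such as `# deliberately broad for the e2e scenario; scope Action/Resource down in any non-test claim` would make the least-privilege intent explicit to whoever adapts this file. `crossplaneVersion: 1.15.2` is unquoted while the XRD declares the field as a string; a three-part dotted value parses as a string, so it works, but quoting it as `"1.15.2"` matches the schema default and avoids the question.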
@@ -0,0 +1,36 @@
+#!/usr/bin/env bash
+set -aeuo pipefail
+
+echo "Running setup.sh"
+echo "Waiting until all configuration packages are healthy/installed..."
+"${KUBECTL}" wait configuration.pkg --all --for=condition=Healthy --timeout 5m
+"${KUBECTL}" wait configuration.pkg --all --for=condition=Installed --timeout 5m
+"${KUBECTL}" wait configurationrevisions.pkg --all --for=condition=Healthy --timeout 5m
+
+echo "Creating cloud credential secret..."
+"${KUBECTL}" -n upbound-system create secret generic aws-creds --from-literal=credentials="${UPTEST_CLOUD_CREDENTIALS}" \
+ --dry-run=client -o yaml | "${KUBECTL}" apply -f -
+
+echo "Waiting until all installed provider packages are healthy..."
+"${KUBECTL}" wait provider.pkg --all --for condition=Healthy --timeout 5m
+
+echo "Waiting for all pods to come online..."
+"${KUBECTL}" -n upbound-system wait --for=condition=Available deployment --all --timeout=5m
+
+echo "Waiting for all XRDs to be established..."
+"${KUBECTL}" wait xrd --all --for condition=Established
+
+echo "Creating a default provider config..."
+cat <