
How-to guides: storage-aws

The storage-aws configuration package allows the creation of S3-compatible Buckets on AWS and automatically creates Policies for permission control. Furthermore, storage-aws includes a workflow to request/grant access to Buckets from other owners.

How-to guides

How to install the storage-aws configuration package

The storage-aws configuration package can be installed like any other configuration package with

apiVersion: pkg.crossplane.io/v1
kind: Configuration
metadata:
  name: storage-aws
spec:
  package: ghcr.io/versioneer-tech/provider-storage:v0.2-aws

This automatically installs the necessary dependencies:

However, it does not install the ProviderConfigs, ServiceAccounts and Secrets that storage-aws actually needs in order to work.

The provider-aws needs credentials for AWS. Therefore, it needs a Secret containing an AWS credentials file with the access key ID and secret access key; the Secret's data value must be base64 encoded.

# printf is used instead of echo -n: the bash builtin echo does not expand \n
# without -e, which would leave a literal "\n" in the credentials file.
printf '[default]\naws_access_key_id = <your-access-key-id>\naws_secret_access_key = <your-secret-access-key>\n' | base64

apiVersion: v1
kind: Secret
metadata:
  name: storage-aws
  namespace: crossplane-system
data:
  creds: |
    <base64-encoded-string>
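As an added example (not part of the storage-aws package or its documentation), the following POSIX shell functions build the Secret manifest above from a key pair and check that the encoded value decodes back to a credentials file with both keys; the key values in the test are constructed placeholders.

```shell
#!/usr/bin/env sh
# Build the AWS credentials Secret that the storage-aws ProviderConfig references.
# printf (not echo -n) makes the newlines between INI lines real, and tr strips
# the line wrapping GNU base64 adds so the value is a single token.

aws_creds_file() {
    # $1 = access key id, $2 = secret access key
    printf '[default]\naws_access_key_id = %s\naws_secret_access_key = %s\n' "$1" "$2"
}

aws_creds_secret_manifest() {
    # $1 = access key id, $2 = secret access key
    # Name, namespace and key stay storage-aws / crossplane-system / creds,
    # because the ProviderConfig on this page references exactly those.
    encoded=$(aws_creds_file "$1" "$2" | base64 | tr -d '\n')
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: storage-aws
  namespace: crossplane-system
type: Opaque
data:
  creds: ${encoded}
EOF
}

# Decode a data.creds value and confirm both keys are on their own lines.
# A value produced with echo -n and a literal "\n" fails this check.
check_creds_value() {
    # $1 = base64 value as it appears under data.creds
    decoded=$(printf '%s' "$1" | base64 -d) || return 1
    printf '%s\n' "$decoded" | grep -q '^aws_access_key_id = ' || return 1
    printf '%s\n' "$decoded" | grep -q '^aws_secret_access_key = ' || return 1
    return 0
}
```

Pipe the manifest into `kubectl apply -f -` once the check passes.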

Furthermore, the ProviderConfig needs to reference this secret.

Warning

The name of the ProviderConfig needs to be storage-aws! The composition will not work with any other name and will not be able to create resources!

apiVersion: aws.upbound.io/v1beta1
kind: ProviderConfig
metadata:
  name: storage-aws
spec:
  credentials:
    source: Secret
    secretRef:
      name: storage-aws
      namespace: crossplane-system
      key: creds

The provider-kubernetes needs a ServiceAccount that can observe resources from policies.iam.aws.upbound.io. Below is an example ClusterRole which expands the default ClusterRole created by crossplane-rbac.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: storage-kubernetes
rules:
- apiGroups:
  - kubernetes.crossplane.io
  resources:
  - objects
  - objects/status
  - observedobjectcollections
  - observedobjectcollections/status
  - providerconfigs
  - providerconfigs/status
  - providerconfigusages
  - providerconfigusages/status
  verbs:
  - get
  - list
  - watch
  - update
  - patch
  - create
- apiGroups:
  - kubernetes.crossplane.io
  resources:
  - '*/finalizers'
  verbs:
  - update
- apiGroups:
  # secrets, configmaps and events live in the core API group (""); only
  # leases are in coordination.k8s.io, so both groups are needed here.
  - ""
  - coordination.k8s.io
  resources:
  - secrets
  - configmaps
  - events
  - leases
  verbs:
  - '*'
- apiGroups:
  - iam.aws.upbound.io
  resources:
  - policies
  verbs:
  - watch
  - get

Once the ClusterRole is bound to the ServiceAccount via a ClusterRoleBinding, the provider-kubernetes Provider can be updated with a DeploymentRuntimeConfig so that it runs under the newly created ServiceAccount. Furthermore, a standard ProviderConfig can be applied.

Warning

Make sure that the name and version of the Provider match the name of the Kubernetes provider that is already installed in your cluster! If they do not match, Crossplane installs a second Kubernetes provider under the given name. The standard name is crossplane-contrib-provider-kubernetes if the provider was installed as part of the dependencies of the configuration package.

Warning

The name of the ProviderConfig needs to be storage-kubernetes! The composition will not work with any other name and will not be able to observe resources!

---
apiVersion: pkg.crossplane.io/v1
kind: Provider
metadata:
  name: <name>  # must equal the name of the Kubernetes provider already installed
spec:
  package: xpkg.upbound.io/crossplane-contrib/provider-kubernetes:<version>
  runtimeConfigRef:
    apiVersion: pkg.crossplane.io/v1beta1
    kind: DeploymentRuntimeConfig
    name: <deploymentRuntimeConfigName>
---
apiVersion: pkg.crossplane.io/v1beta1
kind: DeploymentRuntimeConfig
metadata:
  name: <deploymentRuntimeConfigName>  # must equal runtimeConfigRef.name above
spec:
  serviceAccountTemplate:
    metadata:
      name: <serviceAccountName>  # the ServiceAccount bound to the ClusterRole above
---
apiVersion: kubernetes.crossplane.io/v1alpha1
kind: ProviderConfig
metadata:
  name: storage-kubernetes
spec:
  credentials:
    source: InjectedIdentity

This is everything that is needed for the storage-aws configuration package to function properly.