
feat(crossplane): add provider-aws-s3 with ExternalSecret credentials#7627

Merged
h0lybyte merged 1 commit into dev from trunk/crossplane-aws-s3-1772753574
Mar 5, 2026

Conversation

h0lybyte (Member) commented Mar 5, 2026

Summary

  • Install provider-aws-s3 v2.4.0 (Upbound family provider) — auto-pulls provider-family-aws for shared auth CRDs
  • Pull AWS credentials from existing kilobase-s3-secret via ExternalSecret cross-namespace access (same pattern as n8n)
  • Reformat credentials into INI format required by Crossplane ClusterProviderConfig
  • Sync-wave ordering ensures provider CRDs register before ClusterProviderConfig is applied

Architecture

providers-application.yaml (ArgoCD)
└── providers/
    ├── provider-aws-s3.yaml          [wave 0] Provider CRD
    ├── aws-externalsecret.yaml       [wave 1-2] SA + SecretStore + ExternalSecret
    ├── rbac.yaml                     [wave 1] Cross-namespace Role/RoleBinding
    └── cluster-provider-config.yaml  [wave 5] ClusterProviderConfig (needs provider CRDs)

  • SkipDryRunOnMissingResource=true handles the CRD timing gap
  • Retry policy (5 attempts, 10s backoff) covers provider startup time
  • Credentials flow: kilobase-s3-secret → ExternalSecret → aws-secret (INI format) → ClusterProviderConfig

What's Next (follow-up PRs)

  • S3 Bucket managed resource for CNPG backup bucket
  • BucketVersioning, BucketServerSideEncryptionConfiguration, etc.
  • Additional AWS providers as needed (EC2, IAM, etc.)

Test plan

  • All resources except ClusterProviderConfig pass kubectl apply --dry-run=client
  • ClusterProviderConfig uses SkipDryRunOnMissingResource=true (CRD doesn't exist until provider installs)
  • ArgoCD syncs provider → provider pod starts → CRDs register
  • ExternalSecret syncs aws-secret with INI-formatted credentials
  • ClusterProviderConfig applies successfully on retry
  • kubectl get provider shows upbound-provider-aws-s3 as HEALTHY

Install Crossplane AWS S3 family provider (v2.4.0) via ArgoCD.
Pull AWS credentials from existing kilobase-s3-secret using
ExternalSecret cross-namespace access and reformat to INI for
Crossplane ClusterProviderConfig. Sync-waves ensure provider
CRDs register before ClusterProviderConfig is applied.
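The credentials flow described in this PR (kilobase-s3-secret → ExternalSecret → aws-secret in INI form → ClusterProviderConfig), as an added illustrative manifest pair that is not the PR's own files. Assumed: the namespace `crossplane-system`, a Kubernetes-provider SecretStore named `kilobase-store` (the SA/Role/RoleBinding from rbac.yaml are not shown), the source secret's key names `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY`, and the `aws.upbound.io/v1beta1` API group for ClusterProviderConfig.

```yaml
# ExternalSecret: read two keys from the source secret and render them
# into the INI profile format the Crossplane AWS provider expects.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: aws-secret
  namespace: crossplane-system            # assumption
  annotations:
    argocd.argoproj.io/sync-wave: "2"     # after SA/SecretStore/RBAC (wave 1)
spec:
  refreshInterval: 1h
  secretStoreRef:
    kind: SecretStore
    name: kilobase-store                  # assumption: store with cross-namespace SA auth
  target:
    name: aws-secret
    creationPolicy: Owner
    template:
      engineVersion: v2
      data:
        # One key holding the whole INI body; the provider reads this key below.
        creds: |
          [default]
          aws_access_key_id = {{ .access_key }}
          aws_secret_access_key = {{ .secret_key }}
  data:
    - secretKey: access_key
      remoteRef:
        key: kilobase-s3-secret
        property: AWS_ACCESS_KEY_ID       # assumption: key name in the source secret
    - secretKey: secret_key
      remoteRef:
        key: kilobase-s3-secret
        property: AWS_SECRET_ACCESS_KEY   # assumption: key name in the source secret
---
# ClusterProviderConfig: applied last, after the provider's CRDs exist.
apiVersion: aws.upbound.io/v1beta1        # assumption: group used by provider-aws v2.x
kind: ClusterProviderConfig
metadata:
  name: default
  annotations:
    argocd.argoproj.io/sync-wave: "5"
    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
spec:
  credentials:
    source: Secret
    secretRef:
      namespace: crossplane-system        # assumption
      name: aws-secret
      key: creds                          # must match the template key above
```

The Role granted to the SecretStore's ServiceAccount should be limited with `resourceNames: [kilobase-s3-secret]` so the cross-namespace read covers that one secret only, and `kubectl get secret aws-secret -n crossplane-system -o jsonpath='{.data.creds}' | base64 -d` should print exactly the three INI lines before the ClusterProviderConfig is expected to become healthy.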
github-actions bot (Contributor) commented Mar 5, 2026

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

@h0lybyte h0lybyte merged commit d1510c5 into dev Mar 5, 2026
5 checks passed
@h0lybyte h0lybyte deleted the trunk/crossplane-aws-s3-1772753574 branch March 5, 2026 23:48