New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support patching from common data sources? #2099
Comments
CC @prasek |
@negz CRRs were in part motivated by the GitOps scenario of applying multiple related resources with dependencies on non-deterministic CSP generated names (e.g. AzureDB and VnetRule). IIRC #1770 was focused on making these CRRs more generic at the managed resource level to simplify codegen while ensuring that the correct creation order could entirely be handled behind the API line to preserve a clean GitOps UX. AFAIK composed resources benefit from this behavior as well, so if there were a new set of code generated managed resources would that make a case for doing both this and #1770? If one approach can solve all use cases would be helpful to see some example YAML showing what it would look like. Also would be a fan of opening up the resources that could be referenced to all kinds unless there were significant downsides to doing so. |
Exactly.
What I was trying to get across is that I can envision designs for #1770 that would make this feature redundant. Let's say for example that CRRs are implemented as an array of arbitrary references on a managed resource, each of which is a reference to an arbitrary fieldpath within an arbitrary object (i.e. GVK and name). That means you could have a CRR to a field within a ConfigMap and just patch to that field in your Composition - you wouldn't need this feature. That said there are some quirks to work out - I think we need to play around with both designs a little before we know for sure whether we should do one, the other, or both. I want to call out that we should consider the two holistically just to make sure we don't needlessly (and arguably confusingly) build two ways of doing one thing. |
I believe if we do this on managed resource layer #1770 in a way that covers all kinds, using it to solve both of these problems would be trivial. An example Composition could look like the following: ...
resources:
- base:
apiVersion: database.aws.crossplane.io/v1beta1
kind: RDSInstance
spec:
forProvider: somevalues...
references:
- source:
apiVersion: v1
kind: ConfigMap
name: config-store
namespace: default
fromFieldPath: data.providerConfigName
toFieldPath: spec.providerConfigRef.name
patches:
- fromFieldPath: spec.claimRef.namespace
toFieldPath: spec.references[0].source.namespace The FWIW, there is a workaround to the second problem today. Admins can create apiVersion: v1
kind: Namespace
metadata:
name: team-a
---
apiVersion: aws.crossplane.io/v1beta1
kind: ProviderConfig
metadata:
name: team-a
spec:
credentials: some settings here
---
apiVersion: v1
kind: Namespace
metadata:
name: team-b
---
apiVersion: aws.crossplane.io/v1beta1
kind: ProviderConfig
metadata:
name: team-b
spec:
credentials: some other settings here Then ...
resources:
- base:
apiVersion: database.aws.crossplane.io/v1beta1
kind: RDSInstance
spec:
forProvider: somevalues...
patches:
- fromFieldPath: spec.claimRef.namespace
toFieldPath: spec.providerConfigRef.name
policy:
fromFieldPath: Required If they want to have multiple ...
resources:
- base:
apiVersion: database.aws.crossplane.io/v1beta1
kind: RDSInstance
spec:
forProvider: somevalues...
patches:
- fromFieldPath: spec.claimRef.namespace
toFieldPath: spec.providerConfigRef.name
- fromFieldPath: spec.pcSuffix
toFieldPath: spec.providerConfigRef.name
transforms:
- type: string
format: "%s-%s" # we need multiple input PR #2093 for this to work. |
@muvaf @negz As discussed in the community meeting, we strive to make an excellent application developer user experience. There are pieces of the K8s cluster like the VPC ID, Security Groups, DB Subnet Group, etc. that should not have to be known by someone creating a resource like an RDS Database. Terraform has the data block that allows the platform developer to incorporate these common resources. Crossplane should allow for common resources to be referenced regardless if they are managed by crossplane or not. Having this type of functionality is critical in the successful adoption and use of crossplane, else the experience is just too cumbersome. |
As explained in a Slack discussion with @muvaf, it seems that this proposition could help with the following use case : When a Crossplane resource depends on a piece of infrastructure managed by Kubernetes (e.g. a Real-life example : |
Following the research after my previous comment, I saw this syntax in the kubernetes crossplane provider : https://github.com/crossplane-contrib/provider-kubernetes/blob/main/examples/in-composition/composition.yaml#L162 Is this possible only because the Service is part of the Crossplane Helm |
This feature would help us a lot as we have to serve the same compositions for different environments. Would it be possible to extend the Compositions API similar to the generic patches in We would propose a patch structure like this: patches:
- type: FromObjectFieldPath
fromObjectRef:
apiVersion: v1
kind: ConfigMap
name: sample-config
namespace: sample-ns
fromFieldPath: data.value
toFieldPath: spec.forProvider.sampleField
policy:
fromFieldPath: Required # Dont render if referenced resource does not exist This way we it would integrate seamlessly into the composition workflow we already have. |
This would allow using an arbitrary |
@MisterMX I currently have workflow where I patch from one composition's connection secrets to another (shared infrastructure credentials for multiple application instances) and currently I have to do this in the application that generates claims. Is there any assumption that |
@ksawerykarwacki I don't think that will happen (though its not up to me) and I am not sure if its actually desirable to replace the common Secret resource with something Crossplane specific. However, you could add the |
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
Crossplane does not currently have enough maintainers to address every issue and pull request. This issue has been automatically marked as |
/fresh this is actively being worked on in #3007 and in high demand. |
References
Design: #3008
Implementation: #3007
What problem are you facing?
When platform teams design their XRs they may want to use environment scoped data to render out composed resources.
It's possible that this data varies enough that it's not ideal for it to be a fixed value in a Composition, but that it's also not something that the platform team desired claim owners (i.e. their API consumers) to have control over.
Some concrete examples:
How could Crossplane help solve your problem?
Crossplane could allow Compositions to patch from common Kubernetes data sources, possibly including ConfigMaps, Secrets, and (claim) Namespaces. Doing so would enable the above use cases:
cluster-info
in thecrossplane-system
namespace, then write a Composition that patched fromdata.vpc-name
within that ConfigMap.metadata.annotations[crossplane.io/provider-config
on the claim's namespace through tospec.providerConfigRef.name
on each composed resource.Note that this enhancement needs a little more thought. Specifically I'm wondering:
spec.forProvider.vpcName
was a cross-resource-reference to a ConfigMap?The text was updated successfully, but these errors were encountered: