giantswarm/xfnlib

XFNLIB

xfnlib is a general library for working with Crossplane composition functions.

Its purpose is to abstract functionality that may, or will, become boilerplate in many if not all Crossplane composition functions within the GiantSwarm ecosystem.

This library is composed with the security of your clusters in mind. In practice this means that while some functions require additional permissions to be granted before they can execute, the absolute bare minimum set is documented (usually just enough to `get` the object in question), and it is left to you to decide which further permissions, if any, are required.

Warning

This library does not mitigate permissions that may be granted independently by Upbound's crossplane-rbac-manager, or any upstream changes introduced by #3718.

Functionality

Composite

The following functions are provided for working with composite resources:

  • New: should be called at the top of RunFunction.
  • ToResponse: sets the desired composite and composed resources in the response and returns it to your function.
  • AddDesired: adds an object to the desired resources.
  • ToUnstructured: converts an object into an unstructured object.
  • ToUnstructuredKubernetesObject: wraps an object in a crossplane-contrib/provider-kubernetes Object.
  • To: converts an object from one type to another by marshalling it to JSON and unmarshalling it into the target type.
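The To and ToUnstructured helpers are described as marshal-through conversions. The block below is an added example, not xfnlib's own code, that implements that conversion with the standard library only and shows the failure mode it hides: any field the target type does not declare is dropped without an error. The names To, ToStrict and ToUnstructured, the ConfigMap, Metadata and NameOnly types, and the sample object are assumptions made for this example and do not reflect xfnlib's actual signatures.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
)

// To converts in into a T by marshalling it to JSON and unmarshalling the
// bytes into the target type. Fields that T has no place for are silently
// dropped, which is what makes the conversion convenient and also what makes
// it lossy: converting a rich object into a narrower type and back loses data.
func To[T any](in any) (T, error) {
	var out T
	raw, err := json.Marshal(in)
	if err != nil {
		return out, fmt.Errorf("marshal %T: %w", in, err)
	}
	if err := json.Unmarshal(raw, &out); err != nil {
		return out, fmt.Errorf("unmarshal into %T: %w", out, err)
	}
	return out, nil
}

// ToStrict performs the same conversion but rejects any input field that T
// does not declare, so a mistyped field name or an unexpected extra field is
// reported instead of vanishing.
func ToStrict[T any](in any) (T, error) {
	var out T
	raw, err := json.Marshal(in)
	if err != nil {
		return out, fmt.Errorf("marshal %T: %w", in, err)
	}
	dec := json.NewDecoder(bytes.NewReader(raw))
	dec.DisallowUnknownFields()
	if err := dec.Decode(&out); err != nil {
		return out, fmt.Errorf("unmarshal into %T: %w", out, err)
	}
	return out, nil
}

// ToUnstructured renders any JSON-serialisable object in the map[string]any
// shape used by Kubernetes unstructured objects.
func ToUnstructured(in any) (map[string]any, error) {
	return To[map[string]any](in)
}

// Metadata and ConfigMap are minimal stand-ins for typed Kubernetes objects,
// constructed for this example; they are not the real API types.
type Metadata struct {
	Name      string `json:"name"`
	Namespace string `json:"namespace,omitempty"`
}

type ConfigMap struct {
	APIVersion string            `json:"apiVersion"`
	Kind       string            `json:"kind"`
	Metadata   Metadata          `json:"metadata"`
	Data       map[string]string `json:"data,omitempty"`
}

// NameOnly is a narrower target type that only declares metadata.
type NameOnly struct {
	Metadata Metadata `json:"metadata"`
}

// SampleConfigMap is the constructed input used below.
func SampleConfigMap() ConfigMap {
	return ConfigMap{
		APIVersion: "v1",
		Kind:       "ConfigMap",
		Metadata:   Metadata{Name: "demo", Namespace: "crossplane"},
		Data:       map[string]string{"key": "value"},
	}
}

func main() {
	cm := SampleConfigMap()

	u, err := ToUnstructured(cm)
	if err != nil {
		panic(err)
	}
	fmt.Printf("unstructured kind=%v name=%v\n", u["kind"], u["metadata"].(map[string]any)["name"])

	// Lossy: the narrower type keeps metadata and drops apiVersion, kind and data.
	narrow, err := To[NameOnly](cm)
	if err != nil {
		panic(err)
	}
	fmt.Printf("narrow name=%s\n", narrow.Metadata.Name)

	// Strict: the same conversion is refused because apiVersion is unknown to NameOnly.
	if _, err := ToStrict[NameOnly](cm); err != nil {
		fmt.Println("strict conversion rejected:", err)
	}
}
```

Use the lenient form when the target is deliberately a projection of the source (an unstructured map, a wrapper type) and the strict form when the input comes from an untrusted or hand-written source and a silently missing field would be a security-relevant defect rather than a convenience.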

Authentication

AWS

The following methods are available for authenticating to AWS:

  • GetAssumeRoleArn: loads the AWS ProviderConfig and reads the role chain, returning the first element in the chain.
  • Config: sets up the AWS config for AssumeRole authentication.
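GetAssumeRoleArn is described as reading the first entry of the ProviderConfig's role chain. The block below is an added example, not xfnlib's own code, of that lookup against a constructed ProviderConfig, with the two checks a function should make before handing the value to STS: the chain must not be empty, and the entry must actually be an IAM role ARN. The field names spec.credentials.source and spec.assumeRoleChain[].roleARN are those of the aws.upbound.io/v1beta1 ProviderConfig; the function and type names, the sample document and the ARN pattern are assumptions made for this example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"regexp"
)

// RoleChainEntry is one step of spec.assumeRoleChain.
type RoleChainEntry struct {
	RoleARN string `json:"roleARN"`
}

// ProviderConfig models the parts of an aws.upbound.io/v1beta1 ProviderConfig
// that the role-chain lookup needs; other fields are ignored on decode.
type ProviderConfig struct {
	APIVersion string `json:"apiVersion"`
	Kind       string `json:"kind"`
	Metadata   struct {
		Name string `json:"name"`
	} `json:"metadata"`
	Spec struct {
		Credentials struct {
			Source string `json:"source"`
		} `json:"credentials"`
		AssumeRoleChain []RoleChainEntry `json:"assumeRoleChain"`
	} `json:"spec"`
}

// iamRoleARN accepts arn:aws:iam::<12-digit account>:role/<name or path>,
// including partition variants such as aws-cn and aws-us-gov.
var iamRoleARN = regexp.MustCompile(`^arn:aws(-[a-z-]+)?:iam::\d{12}:role/[\w+=,.@/-]+$`)

// ParseProviderConfig decodes the JSON form of a ProviderConfig as the API
// server returns it and checks the kind before trusting its spec.
func ParseProviderConfig(raw []byte) (ProviderConfig, error) {
	var pc ProviderConfig
	if err := json.Unmarshal(raw, &pc); err != nil {
		return pc, fmt.Errorf("decode ProviderConfig: %w", err)
	}
	if pc.Kind != "ProviderConfig" {
		return pc, fmt.Errorf("expected kind ProviderConfig, got %q", pc.Kind)
	}
	return pc, nil
}

// FirstAssumeRoleARN returns spec.assumeRoleChain[0].roleARN: the role the
// pod's IRSA identity assumes first. An empty chain or a malformed ARN is an
// error rather than an empty string, so a misconfigured ProviderConfig fails
// inside the function instead of reaching STS with a bogus RoleArn.
func FirstAssumeRoleARN(pc ProviderConfig) (string, error) {
	if len(pc.Spec.AssumeRoleChain) == 0 {
		return "", errors.New("ProviderConfig " + pc.Metadata.Name + " has an empty spec.assumeRoleChain")
	}
	arn := pc.Spec.AssumeRoleChain[0].RoleARN
	if !iamRoleARN.MatchString(arn) {
		return "", fmt.Errorf("ProviderConfig %s: first roleARN %q is not an IAM role ARN", pc.Metadata.Name, arn)
	}
	return arn, nil
}

// sampleProviderConfig is constructed for this example: a two-step role chain
// with IRSA credentials, rendered as JSON.
const sampleProviderConfig = `{
  "apiVersion": "aws.upbound.io/v1beta1",
  "kind": "ProviderConfig",
  "metadata": {"name": "default"},
  "spec": {
    "credentials": {"source": "IRSA"},
    "assumeRoleChain": [
      {"roleARN": "arn:aws:iam::123456789012:role/crossplane-assume-role"},
      {"roleARN": "arn:aws:iam::210987654321:role/crossplane-target"}
    ]
  }
}`

func main() {
	pc, err := ParseProviderConfig([]byte(sampleProviderConfig))
	if err != nil {
		panic(err)
	}
	arn, err := FirstAssumeRoleARN(pc)
	if err != nil {
		panic(err)
	}
	fmt.Println("first role in chain:", arn)

	// A ProviderConfig with no chain is rejected rather than yielding "".
	var empty ProviderConfig
	empty.Kind = "ProviderConfig"
	empty.Metadata.Name = "broken"
	if _, err := FirstAssumeRoleARN(empty); err != nil {
		fmt.Println("rejected:", err)
	}
}
```

Only the first entry is returned because that is the role the pod's web-identity token is exchanged for; the remaining entries are assumed in order from it, so the trust policy of the first role is what gates the function's access to the rest of the chain.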

The AWS provider requires the service account the function pod runs with to be granted permission to read the ProviderConfig. It also requires the service account to be annotated for IRSA so that it can AssumeRole. Because the aws.upbound.io ProviderConfig is cluster-scoped, this permission has to come from a ClusterRole; if the function only ever reads one ProviderConfig, add a resourceNames entry naming it so the service account cannot read every ProviderConfig in the cluster (this is standard Kubernetes RBAC, not something xfnlib enforces). The IAM role named in the annotation must also trust the cluster's OIDC provider for this service account, otherwise the web-identity exchange fails before any AssumeRole is attempted.

At the very least this must look like the following:

Service account

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: SERVICE_ACCOUNT_NAME
  namespace: crossplane
  annotations:
    eks.amazonaws.com/role-arn: ASSUME_ROLE_ARN
```

Cluster role

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: aws-provider-config-access
rules:
  - apiGroups:
      - aws.upbound.io
    resources:
      - providerconfigs
    verbs:
      - get
```

Cluster role binding

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: aws-provider-config-access
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: aws-provider-config-access
subjects:
  - kind: ServiceAccount
    name: SERVICE_ACCOUNT_NAME
    namespace: crossplane
```

Kubernetes

  • Client: gets a Kubernetes client using whatever authentication method is available. Inside the cluster this uses the credentials of the service account the pod runs with; outside the cluster it uses the current kubeconfig context.

Known issues

There are no known issues at present. If you think you have found one, please raise a bug report.
