@@ -0,0 +1,38 @@
apiVersion: pkg.crossplane.io/v1
kind: Provider
metadata:
name: provider-family-azure
spec:
package: xpkg.upbound.io/upbound/provider-family-azure:v1.11.0
runtimeConfigRef:
name: workload-identity-config
---
apiVersion: pkg.crossplane.io/v1
kind: Provider
metadata:
name: provider-azure-managedidentity
spec:
package: xpkg.upbound.io/upbound/provider-azure-managedidentity:v1.11.0
skipDependencyResolution: true
runtimeConfigRef:
name: workload-identity-config
---
apiVersion: pkg.crossplane.io/v1
kind: Provider
metadata:
name: provider-azure-authorization
spec:
package: xpkg.upbound.io/upbound/provider-azure-authorization:v1.11.0
skipDependencyResolution: true
runtimeConfigRef:
name: workload-identity-config
---
apiVersion: pkg.crossplane.io/v1
kind: Provider
metadata:
name: provider-azure-storage
spec:
package: xpkg.upbound.io/upbound/provider-azure-storage:v1.11.0
skipDependencyResolution: true
runtimeConfigRef:
name: workload-identity-config
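Review bot: All four provider packages are pinned by a mutable tag (`:v1.11.0`) rather than by content digest, so a re-pushed tag on xpkg.upbound.io would be pulled into the cluster unnoticed; pin each one as `package: xpkg.upbound.io/upbound/provider-family-azure:v1.11.0@sha256:<digest>` (and likewise for the managedidentity, authorization and storage packages). `skipDependencyResolution: true` is the usual pattern for family providers, but it also means nothing checks that the child providers match the installed family version, so a comment such as `# keep in lockstep with provider-family-azure above` on each child package line would help the next person bumping versions.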
@@ -0,0 +1,28 @@
apiVersion: v1
kind: ServiceAccount
metadata:
annotations:
azure.workload.identity/client-id: client-id
azure.workload.identity/tenant-id: tenant-id
name: workload-identity-crossplane
namespace: crossplane-system
---
apiVersion: pkg.crossplane.io/v1beta1
kind: DeploymentRuntimeConfig
metadata:
name: workload-identity-config
namespace: crossplane-system
spec:
deploymentTemplate:
spec:
selector: {}
template:
metadata:
labels:
azure.workload.identity/use: "true"
spec:
serviceAccountName: workload-identity-crossplane
containers:
- name: package-runtime
args:
- --enable-management-policies
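Review bot: One ServiceAccount and one DeploymentRuntimeConfig (`workload-identity-config`) are shared by the family, managedidentity, authorization and storage providers, so every provider pod runs as the same Azure identity; since that identity presumably has to create RoleAssignments (including the `Role Based Access Control Administrator` assignment the composition emits), the storage and managed-identity pods inherit rights far beyond what they use. Consider a separate ServiceAccount and runtime config per provider, each federated to a managed identity whose role assignments cover only that provider's resource types. The annotation values `client-id` and `tenant-id` on the ServiceAccount are literal placeholders and should be marked as such, e.g. `# replace with the client/tenant ID of the managed identity federated to this service account`. DeploymentRuntimeConfig appears to be a cluster-scoped resource, in which case the `namespace: crossplane-system` field is ignored (or rejected) — worth confirming and dropping.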
@@ -0,0 +1,184 @@
### XRD ###
apiVersion: apiextensions.crossplane.io/v1
kind: CompositeResourceDefinition
metadata:
name: azureapps.crossplane.io
spec:
group: crossplane.io
names:
kind: AzureApp
plural: azureapps
claimNames:
kind: AzureAppClaim
plural: azureappclaims
versions:
- name: v1alpha1
served: true
referenceable: true
schema:
openAPIV3Schema:
type: object
properties:
spec:
type: object
properties:
parameters:
type: object
properties:
resourceGroup:
type: string
subscription:
type: string
tenant:
type: string
managedIdentity:
type: string
storageAccount:
type: string
roles:
type: array
items:
type: string
status:
type: object
properties:
principalId:
type: string
---
### Composition ###
apiVersion: apiextensions.crossplane.io/v1
kind: Composition
metadata:
name: example
spec:
compositeTypeRef:
apiVersion: crossplane.io/v1alpha1
kind: AzureApp
mode: Pipeline # We add this so Crossplane knows we are going to be using Functions
pipeline:
- step: create-resources
functionRef:
name: function-patch-and-transform
input:
apiVersion: pt.fn.crossplane.io/v1beta1
kind: Resources
resources:
- name: resource-group
base:
apiVersion: azure.upbound.io/v1beta1
kind: ResourceGroup
metadata:
labels:
testing.upbound.io/example-name: resource-group
spec:
forProvider:
location: West Europe
patches:
- fromFieldPath: "spec.parameters.resourceGroup"
toFieldPath: "spec.forProvider.name"
- name: storage-account
base:
apiVersion: storage.azure.upbound.io/v1beta1
kind: Account
spec:
forProvider:
accountKind: StorageV2
accountReplicationType: LRS
accountTier: Standard
isHnsEnabled: true
location: West Europe
resourceGroupNameSelector:
matchLabels:
testing.upbound.io/example-name: resource-group
patches:
- fromFieldPath: "spec.parameters.storageAccount"
toFieldPath: "metadata.name"
- name: managed-identity
base:
apiVersion: managedidentity.azure.upbound.io/v1beta1
kind: UserAssignedIdentity
metadata:
labels:
testing.upbound.io/example-name: managed-identity
spec:
forProvider:
location: West Europe
resourceGroupNameSelector:
matchLabels:
testing.upbound.io/example-name: resource-group
patches:
- fromFieldPath: "spec.parameters.managedIdentity"
toFieldPath: "spec.forProvider.name"
- type: ToCompositeFieldPath
fromFieldPath: "status.atProvider.principalId"
toFieldPath: "status.principalId"
- name: federated-credential
base:
apiVersion: managedidentity.azure.upbound.io/v1beta1
kind: FederatedIdentityCredential
spec:
forProvider:
issuer: "https://issuer"
audience:
- "api://AzureADTokenExchange"
subject: "system:serviceaccount:namespace:application"
parentIdSelector:
matchLabels:
testing.upbound.io/example-name: managed-identity
resourceGroupNameSelector:
matchLabels:
testing.upbound.io/example-name: resource-group
patches:
- type: FromCompositeFieldPath
fromFieldPath: "spec.parameters.managedIdentity"
toFieldPath: "metadata.name"
- step: create-role-assignments
functionRef:
name: function-go-templating
input:
apiVersion: gotemplating.fn.crossplane.io/v1beta1
kind: GoTemplate
source: Inline
inline:
template: |
{{- $subscription := .observed.composite.resource.spec.parameters.subscription -}}
{{- $resourceGroup := .observed.composite.resource.spec.parameters.resourceGroup -}}
{{- $roles := $composite.spec.parameters.roles -}}
{{- $principalId := $composite.status.principalId -}}
{{ range $index, $roleName := $roles }}
---
apiVersion: authorization.azure.upbound.io/v1beta1
kind: RoleAssignment
metadata:
name: roleassignment-{{ $index }}
annotations:
gotemplating.fn.crossplane.io/composition-resource-name: roleassignment-{{ $index }}
spec:
forProvider:
name: roleassignment-{{ $index }}
scope: {{ /subscriptions/{{ $subscription }}/resourceGroups/{{ $resourceGroup }}/providers/Microsoft.Storage/storageAccounts/example }}
roleDefinitionName: "{{ $roleName }}"
principalId: "{{ $principalId }}"
providerConfigRef:
name: workload-identity-provider-config
{{- end }}
---
### XR ###
apiVersion: crossplane.io
kind: AzureApp
metadata:
name: example
spec:
compositionRef:
name: azure-apps
parameters:
resourceGroup: resource-group
subscription: 12345678-aaaa-bbbb-cccc-123456789012
managedIdentity: managed-identity
storageAccount: example
roles:
- Reader
- Contributor
- Storage Blob Data Reader
- Storage Table Data Contributor
- Role Based Access Control Administrator
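Review bot: The go-templating step cannot render as written: `$composite` is never defined (it is used for `$roles` and `$principalId`, while the two lines above read `.observed.composite.resource`), the `scope` value nests `{{ }}` inside `{{ }}`, and it hard-codes `storageAccounts/example` instead of using `spec.parameters.storageAccount`; it also emits RoleAssignments with an empty `principalId` until the ToCompositeFieldPath patch from the UserAssignedIdentity has populated `status.principalId`. The rewrite below derives everything from the observed composite, quotes the scope, and skips the RoleAssignments until the principal ID exists (using sprig's `dig`, which function-go-templating should expose — confirm). On the security side, `Role Based Access Control Administrator` lets the application identity grant further roles on the storage account, which is a self-escalation path, and `Reader` is already implied by `Contributor`, so trim the list in the XR to the data-plane roles the app actually needs. The FederatedIdentityCredential still trusts the placeholder issuer `https://issuer` and subject `system:serviceaccount:namespace:application`; these must be the cluster's OIDC issuer URL and the exact application service account, and both belong in the XRD parameters rather than as fixed values. Separately, the XR will not be admitted: `apiVersion: crossplane.io` lacks the version (`crossplane.io/v1alpha1`) and `compositionRef.name: azure-apps` does not match the Composition, which is named `example`.

```yaml
template: |
  {{- $xr := .observed.composite.resource -}}
  {{- $subscription := $xr.spec.parameters.subscription -}}
  {{- $resourceGroup := $xr.spec.parameters.resourceGroup -}}
  {{- $storageAccount := $xr.spec.parameters.storageAccount -}}
  {{- $roles := $xr.spec.parameters.roles -}}
  {{- /* status.principalId is patched in by the managed-identity resource; nothing to assign until it exists */ -}}
  {{- $principalId := dig "status" "principalId" "" $xr -}}
  {{- if $principalId }}
  {{ range $index, $roleName := $roles }}
  ---
  # … unchanged: apiVersion / kind / metadata / annotations …
  spec:
    forProvider:
      name: roleassignment-{{ $index }}
      scope: "/subscriptions/{{ $subscription }}/resourceGroups/{{ $resourceGroup }}/providers/Microsoft.Storage/storageAccounts/{{ $storageAccount }}"
      roleDefinitionName: "{{ $roleName }}"
      principalId: "{{ $principalId }}"
  # … unchanged: providerConfigRef …
  {{- end }}
  {{- end }}
```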