Migrate platform reference to Upbound official providers #22
Conversation
examples/network.yaml
Outdated
| @@ -0,0 +1,8 @@ | |||
| apiVersion: gcp.platformref.upbound.io/v1alpha1 | |||
There was a problem hiding this comment.
I'm torn between having this as an example given that Cluster already creates a network because I thought we needed to create both. Maybe have example of every definition or only Cluster would make it more clear?
There was a problem hiding this comment.
following the strategy in ref-aws and ref-gcp, I renamed example file to network-xr.yaml and cluster-claim.yaml to reflect their kind
cluster/gke/definition.yaml
Outdated
| required: | ||
| - nodes | ||
| - networkRef | ||
| - googleApplicationCredentialsSecret |
There was a problem hiding this comment.
| - googleApplicationCredentialsSecret | |
| - googleApplicationCredentialsSecret | |
| - compositeNetworkSelector |
| @@ -1,39 +1,28 @@ | |||
| apiVersion: apiextensions.crossplane.io/v1 | |||
| kind: Composition | |||
| metadata: | |||
| name: gke.gcp.platformref.crossplane.io | |||
| name: gke.gcp.platformref.upbound.io | |||
There was a problem hiding this comment.
I started with a bare ServiceAccount to be used in my providerconfig and it turns out that a ServiceAccount is necessary for Cluster to create the default node pool. If it's not given under spec.nodeConfig[0].serviceAccount, it falls back to using default in the Google project. I realized this because my fresh service account didn't have permissions to use default service account.
'apply failed: googleapi: Error 400: The user does not have access to
service account "283222062215-compute@developer.gserviceaccount.com". Ask a
project owner to grant you the iam.serviceAccountUser role on the service account.
I think having a ServiceAccount in Composition and referencing it from both Cluster and NodePool objects would be a better experience.
There was a problem hiding this comment.
Composition extended, things to note:
- I had to add ServiceAccount management role to the account that is used for GCP provider credentials
- Currently I hit
Warning CannotUpdateManagedResource 3m8s (x111 over 8m36s) managed/container.gcp.upbound.io/v1beta1, kind=cluster Operation cannot be fulfilled on clusters.container.gcp.upbound.io "platform-ref-gcp-cluster-fd76b-xbn5d": the object has been modified; please apply your changes to the latest version and try again
Maybe it is due
nodeConfig:
- serviceAccountSelector:
matchControllerRef: true
and similar to https://github.com/upbound/official-providers/issues/466#issuecomment-1253444978 , though the selector is part of the spec not a patch there, so I do not yet properly understand the root cause
@muvaf should we propagate ServiceAccount ID through XR status here?
There was a problem hiding this comment.
@ytsarev Yes, I'm afraid we need to patch through status. It's an array and core crossplane replaces the array item when you try to patch, hence it ends up having only matchControllerRef.
ytsarev
force-pushed
the
op-migration
branch
from
426a033
to
fa617a6
Compare
|
Caveat: ServiceAccount associated with provider-gcp credentials has to be quite powerful to manage ServiceAccounts, ServiceAccountKeys and create ProjectIAMMember |
crossplane.yaml
Outdated
| - provider: xpkg.upbound.io/upbound/provider-gcp | ||
| version: ">=v0.13.0-0" | ||
| - provider: xpkg.upbound.io/crossplane/provider-helm | ||
| version: ">=v0.10.0-0" |
There was a problem hiding this comment.
| version: ">=v0.10.0-0" | |
| version: ">=v0.11.1-0" |
There was a problem hiding this comment.
@muvaf , thanks, updated!
During the configuration testing, I got v0.12.rc build installed. Is that expected?
k get providers
NAME INSTALLED HEALTHY PACKAGE AGE
provider-aws True True xpkg.upbound.io/upbound/provider-aws:v0.14.0 5d15h
provider-gcp True True xpkg.upbound.io/upbound/provider-gcp:v0.13.0 16h
crossplane-provider-helm True True xpkg.upbound.io/crossplane/provider-helm:v0.12.0-rc.0.5.gb368192 30s
There was a problem hiding this comment.
- provider: xpkg.upbound.io/upbound/provider-gcp
version: ">=v0.13.0"
- provider: xpkg.upbound.io/crossplane/provider-helm
version: ">=v0.11.1"
@hasheddan let me know that they shouldn't have the suffix, especially the provider-helm one since it publishes RC builds as well to the original repo as opposed to the big three official providers.
|
@muvaf @stevendborrelli this PR is ready for the test, Configuration is also installable via examples/configuration.yaml |
cluster/gke/composition.yaml
Outdated
| kind: ServiceAccount | ||
| patches: | ||
| - fromFieldPath: spec.id | ||
| toFieldPath: metadata.name |
There was a problem hiding this comment.
| toFieldPath: metadata.name | |
| toFieldPath: metadata.annotations[crossplane.io/external-name] |
This is a better way of naming resources in general so that Crossplane can take care of metadata.name, making sure there is no conflict.
There was a problem hiding this comment.
Ah, got it. I always had an opposite vector of name -> external-name in mind. That makes sense, will update
cluster/gke/composition.yaml
Outdated
| - fromFieldPath: spec.id | ||
| toFieldPath: metadata.name |
There was a problem hiding this comment.
| - fromFieldPath: spec.id | |
| toFieldPath: metadata.name |
Seems like keys don't have names. Not patching it at all would be enough here to prevent conflicts I think.
| @@ -14,8 +14,6 @@ spec: | |||
| services: | |||
There was a problem hiding this comment.
I think using 1 as count would be faster to provision.
examples/configuration.yaml
Outdated
| metadata: | ||
| name: platform-ref-gcp-staging | ||
| spec: | ||
| package: xpkg.upbound.io/upbound/platform-ref-gcp-staging:v0.1.2 |
There was a problem hiding this comment.
Don't forget to replace with the real repo before merging.
@muvaf I actually ran into something similar here as part of https://github.com/upbound/official-providers/pull/657, where if there are two node pools (default and additional |
ytsarev
force-pushed
the
op-migration
branch
from
0a9b629
to
9cf57cf
Compare
|
Test with latest state. The deletion succeeded, too. |
|
|
||
| Ensure that the following roles are added to your service account: | ||
|
|
||
| * `roles/compute.networkAdmin` | ||
| * `roles/container.admin` | ||
| * `roles/iam.serviceAccountUser` | ||
| * `roles/iam.securityAdmin` |
There was a problem hiding this comment.
what caused these extra roles/permissions to now be needed?
There was a problem hiding this comment.
@jbw976 it is required to create ProjectIAMMember
I mentioned here #22 (comment)
we need all that machinery to enable automated access in the form of
identity:
type: GoogleApplicationCredentials
for the helm ProviderConfig here
There was a problem hiding this comment.
aha yes, thanks for clearing that up. So just to tie some loose ends together (for myself), this is the new approach for getting Auth to work with GKE clusters. This support was added to:
- provider-helm in Support GKE OAuth Authorization crossplane-contrib/provider-helm#109
- provider-kubernetes in Support GKE OAuth Authorization crossplane-contrib/provider-kubernetes#10
And that functionality generally address issues we've seen around this topic, like:
cluster/composition.yaml
Outdated
| - fromFieldPath: spec.parameters.googleApplicationCredentialsSecret.name | ||
| - fromFieldPath: spec.parameters.googleApplicationCredentialsSecret.namespace | ||
| - fromFieldPath: spec.parameters.googleApplicationCredentialsSecret.key |
There was a problem hiding this comment.
what do these fromFieldPath patches without a to* destination do? where does the from data go to? 🤔
There was a problem hiding this comment.
@jbw976 without toFieldPath it is patching exactly the same destination as mentioned in fromFieldPath
But these patches are actually leftovers from the previous intermediate implementation so I remove them anyway, thanks for the catch!
| @@ -0,0 +1,25 @@ | |||
| apiVersion: apiextensions.crossplane.io/v1 | |||
There was a problem hiding this comment.
this CompositeNetwork object is now consistently treated the same as the AWS and Azure platform refs?
We've historically had some problems here: When i first built reference platforms, I exposed the Networking as a claim, so app devs could create it on their own. That was a weird experience, because it's not something you'd expect app devs to have exposure to. Instead, the Networking should be created for them under the covers, alongside their cluster. Example issue: upbound/platform-ref-aws#25
We cleaned this up a bit in other reference platforms, but then I think GCP got updated in a different way, resulting in #21.
Would you say they are all consistent now, and #21 is fixed by this approach? 🙏
|
Do you want to squash the commit history a bit @ytsarev? |
* Migrate all XRD and Compositions to OP * Update package meta and examples * Use compositeNetworkSelector with matchLabels propagation * Add ServiceAccount creation within GKE Composition * Add ServiceAccountKey for Helm ProviderConfig * Reliably propagate ServiceAccount to Cluster and NodePool through XR status * Create ProjectIAMMember association * Update prometheus operator version to currently available one * Strict versioning in meta config Signed-off-by: Yury Tsarev <yury@upbound.io>
ytsarev
force-pushed
the
op-migration
branch
from
6c60bf0
to
f5353db
Compare
Description of your changes
I have:
make reviewableto ensure this PR is ready for review.backport release-x.ylabels to auto-backport this PR, as appropriate.How has this code been tested