From ddcef4add3913289a424d4e79901bd81ee286361 Mon Sep 17 00:00:00 2001 From: daanvi Date: Mon, 11 Nov 2024 13:18:38 +0100 Subject: [PATCH] some examples with abstractions --- cluster/images/provider-consul/Dockerfile | 8 +- examples-generated/acl/v1alpha1/policy.yaml | 6 +- examples/abstractionsv2/consulagent.yaml | 0 .../serviceACL/composition.yaml | 192 ++++++++++++++++++ .../abstractionsv2/serviceACL/example-2.yaml | 8 + .../abstractionsv2/serviceACL/example.yaml | 8 + .../abstractionsv2/serviceACL/tmp/test.yaml | 53 +++++ examples/abstractionsv2/serviceACL/xrd.yaml | 38 ++++ .../openstack/abstractions/adyencompute.yaml | 19 ++ .../openstack/abstractions/composition.yaml | 76 +++++++ examples/openstack/abstractions/xrd.yaml | 63 ++++++ examples/openstack/compute.yaml | 16 ++ examples/openstack/providerconfig.yaml | 11 + examples/providerconfig/secret.yaml.tmpl | 6 +- examples/vault/providerconfig.yaml | 13 ++ examples/vault/secret.yaml | 12 ++ 16 files changed, 520 insertions(+), 9 deletions(-) create mode 100644 examples/abstractionsv2/consulagent.yaml create mode 100644 examples/abstractionsv2/serviceACL/composition.yaml create mode 100644 examples/abstractionsv2/serviceACL/example-2.yaml create mode 100644 examples/abstractionsv2/serviceACL/example.yaml create mode 100644 examples/abstractionsv2/serviceACL/tmp/test.yaml create mode 100644 examples/abstractionsv2/serviceACL/xrd.yaml create mode 100644 examples/openstack/abstractions/adyencompute.yaml create mode 100644 examples/openstack/abstractions/composition.yaml create mode 100644 examples/openstack/abstractions/xrd.yaml create mode 100644 examples/openstack/compute.yaml create mode 100644 examples/openstack/providerconfig.yaml create mode 100644 examples/vault/providerconfig.yaml create mode 100644 examples/vault/secret.yaml diff --git a/cluster/images/provider-consul/Dockerfile b/cluster/images/provider-consul/Dockerfile index 61193f6..82518d8 100644 --- a/cluster/images/provider-consul/Dockerfile 
+++ b/cluster/images/provider-consul/Dockerfile @@ -1,4 +1,4 @@ -FROM alpine:3.17.1 +FROM alpine:3.20.3 RUN apk --no-cache add ca-certificates bash ARG TARGETOS @@ -26,8 +26,10 @@ ENV TF_FORK 0 RUN mkdir -p ${PLUGIN_DIR} -ADD https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_${TARGETOS}_${TARGETARCH}.zip /tmp -ADD ${TERRAFORM_PROVIDER_DOWNLOAD_URL_PREFIX}/${TERRAFORM_PROVIDER_DOWNLOAD_NAME}_${TERRAFORM_PROVIDER_VERSION}_${TARGETOS}_${TARGETARCH}.zip /tmp +RUN echo "https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_${TARGETOS}_${TARGETARCH}.zip -O /tmp/terraform_${TERRAFORM_VERSION}_${TARGETOS}_${TARGETARCH}.zip" +RUN echo "${TERRAFORM_PROVIDER_DOWNLOAD_URL_PREFIX}/${TERRAFORM_PROVIDER_DOWNLOAD_NAME}_${TERRAFORM_PROVIDER_VERSION}_${TARGETOS}_${TARGETARCH}.zip -O /tmp/terraform_${TERRAFORM_VERSION}_${TARGETOS}_${TARGETARCH}.zip"; exit 1; +RUN wget https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_${TARGETOS}_${TARGETARCH}.zip -O /tmp/terraform_${TERRAFORM_VERSION}_${TARGETOS}_${TARGETARCH}.zip +RUN wget ${TERRAFORM_PROVIDER_DOWNLOAD_URL_PREFIX}/${TERRAFORM_PROVIDER_DOWNLOAD_NAME}_${TERRAFORM_PROVIDER_VERSION}_${TARGETOS}_${TARGETARCH}.zip -O /tmp/terraform_${TERRAFORM_VERSION}_${TARGETOS}_${TARGETARCH}.zip ADD terraformrc.hcl ${TF_CLI_CONFIG_FILE} RUN unzip /tmp/terraform_${TERRAFORM_VERSION}_${TARGETOS}_${TARGETARCH}.zip -d /usr/local/bin \ diff --git a/examples-generated/acl/v1alpha1/policy.yaml b/examples-generated/acl/v1alpha1/policy.yaml index 77c0e28..280867a 100644 --- a/examples-generated/acl/v1alpha1/policy.yaml +++ b/examples-generated/acl/v1alpha1/policy.yaml @@ -12,6 +12,6 @@ spec: - dc1 name: my_policy rules: | - node_prefix "" { - policy = "read" - } + node_prefix "" { + policy = "read" + } 
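Review bot: Both new `wget` lines write to the same output path, `/tmp/terraform_${TERRAFORM_VERSION}_${TARGETOS}_${TARGETARCH}.zip`, so the provider archive overwrites the Terraform CLI archive and the following `unzip ... -d /usr/local/bin` (whose continuation runs past the hunk) installs the provider where the `terraform` binary is expected. The second download should keep its own name, e.g. `-O /tmp/${TERRAFORM_PROVIDER_DOWNLOAD_NAME}_${TERRAFORM_PROVIDER_VERSION}_${TARGETOS}_${TARGETARCH}.zip`, which presumably is what the later provider unzip looks for, since the old `ADD` kept the upstream filename. The two `RUN echo` lines, and in particular the `; exit 1;`, look like debugging leftovers and make every build fail at that step; drop them. Moving the download into `RUN` is also the natural place to verify the Terraform archive against HashiCorp's published `terraform_${TERRAFORM_VERSION}_SHA256SUMS` before unzipping, which the replaced `ADD` did not do either.
```dockerfile
RUN wget https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_${TARGETOS}_${TARGETARCH}.zip -O /tmp/terraform_${TERRAFORM_VERSION}_${TARGETOS}_${TARGETARCH}.zip \
    && wget https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_SHA256SUMS -O /tmp/terraform_SHA256SUMS \
    && cd /tmp && grep "_${TARGETOS}_${TARGETARCH}.zip" terraform_SHA256SUMS | sha256sum -c -
RUN wget ${TERRAFORM_PROVIDER_DOWNLOAD_URL_PREFIX}/${TERRAFORM_PROVIDER_DOWNLOAD_NAME}_${TERRAFORM_PROVIDER_VERSION}_${TARGETOS}_${TARGETARCH}.zip -O /tmp/${TERRAFORM_PROVIDER_DOWNLOAD_NAME}_${TERRAFORM_PROVIDER_VERSION}_${TARGETOS}_${TARGETARCH}.zip
# … unchanged: ADD terraformrc.hcl, unzip of the Terraform archive …
```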
diff --git a/examples/abstractionsv2/consulagent.yaml b/examples/abstractionsv2/consulagent.yaml new file mode 100644 index 0000000..e69de29 diff --git a/examples/abstractionsv2/serviceACL/composition.yaml b/examples/abstractionsv2/serviceACL/composition.yaml new file mode 100644 index 0000000..9562939 --- /dev/null +++ b/examples/abstractionsv2/serviceACL/composition.yaml 
@@ -0,0 +1,192 @@ +apiVersion: apiextensions.crossplane.io/v1 +kind: Composition +metadata: + name: consulserviceacl.composite.daanvinken +spec: + compositeTypeRef: + apiVersion: daanvinken.io/v1alpha1 + kind: ConsulServiceACL + resources: + # Consul ACL Policy Resource + - name: consul_acl_policy + base: + apiVersion: acl.daanvinken.io/v1alpha1 + kind: Policy + metadata: + generateName: "policy-" + labels: + crossplane.io/composite: "consulserviceacl" + spec: + forProvider: + datacenters: + - "" # Patch dynamically + rules: "" # Inject full policy dynamically + patches: + - fromFieldPath: "spec.parameters.dc" + toFieldPath: "spec.forProvider.datacenters[0]" + - fromFieldPath: "metadata.name" + toFieldPath: "spec.forProvider.name" + transforms: + - type: string + string: + fmt: "policy-%s" + - fromFieldPath: "metadata.name" + toFieldPath: "spec.forProvider.rules" + transforms: + - type: string + string: + fmt: | + agent_prefix "" { + policy = "read" + } + service_prefix "" { + policy = "read" + } + service_prefix "%[1]s" { + policy = "write" + } + key_prefix "%[1]s" { + policy = "write" + } + key_prefix "app/%[1]s" { + policy = "write" + } + session_prefix "" { + policy = "write" + } + session_prefix "session/%[1]s" { + policy = "write" + } + key_prefix "preloader/%[1]s" { + policy = "write" + } + + # Vault Consul Secret Backend Role + - name: consul_secret_backend_role + base: + apiVersion: consul.vault.upbound.io/v1alpha1 + kind: SecretBackendRole + metadata: + generateName: "backend-role-" + spec: + forProvider: + backend: "" # Patch backend path dynamically + policies: + - "policy-placeholder" # Reference policy dynamically + patches: + - fromFieldPath: "spec.parameters.consul_backend_path" + toFieldPath: "spec.forProvider.backend" + - fromFieldPath: "metadata.name" + toFieldPath: "spec.forProvider.name" + transforms: + - type: string + string: + fmt: "service_ref_%[1]s" + - fromFieldPath: "metadata.name" + toFieldPath: "spec.forProvider.policies[0]" + 
transforms: + - type: string + string: + fmt: "policy-%[1]s" + + # Consul ACL Role Resource + - name: consul_acl_role + base: + apiVersion: acl.daanvinken.io/v1alpha1 + kind: Role + metadata: + generateName: "role-" + spec: + forProvider: + description: "ACL Role for service" + serviceIdentities: + - serviceName: "foo" + patches: + - fromFieldPath: "metadata.name" + toFieldPath: "spec.forProvider.name" + transforms: + - type: string + string: + fmt: "role-%[1]s" + - fromFieldPath: "metadata.name" + toFieldPath: "spec.forProvider.policies[0]" + transforms: + - type: string + string: + fmt: "policy-%[1]s" + + # Vault Policy Resource + - name: vault_policy + base: + apiVersion: vault.vault.upbound.io/v1alpha1 + kind: Policy + metadata: + generateName: "vault-policy-" + spec: + forProvider: + name: "" # Patch dynamically + policy: "" # Inject full policy dynamically + patches: + - fromFieldPath: "metadata.name" + toFieldPath: "spec.forProvider.name" + transforms: + - type: string + string: + fmt: "policy_consul_service_ref_%[1]s" + - fromFieldPath: "metadata.name" + toFieldPath: "spec.forProvider.policy" + transforms: + - type: string + string: + fmt: | + path "consul/creds/service_ref_%[1]s" { + capabilities = ["read"] + } + + path "secrets/creds/service_ref_%[1]s" { + capabilities = ["read"] + } + + path "secrets-kv2/data/service/%[1]s/*" { + capabilities = ["read"] + } + + path "something/v1/ica1/v1/issue/%[1]s" { + capabilities = ["create", "update"] + } + + path "containersinfra/v1/ica2/v1/issue/%[1]s" { + capabilities = ["create", "update"] + } + + path "transit/encrypt/something-main_%[1]s" { + capabilities = ["update"] + } + + path "transit/decrypt/something-main_%[1]s" { + capabilities = ["update"] + } + + # Consul ACL Token Resource + - name: consul_acl_token + base: + apiVersion: acl.daanvinken.io/v1alpha1 + kind: Token + metadata: + generateName: "token-" + spec: + forProvider: + description: "Generated by Crossplane" + patches: + - fromFieldPath: 
"metadata.name" + toFieldPath: "spec.forProvider.name" + transforms: + - type: string + string: + fmt: "role-%[1]s" + - fromFieldPath: "metadata.name" + toFieldPath: "spec.forProvider.policies[0]" + transforms: + - type: string + string: + fmt: "policy-%[1]s" diff --git a/examples/abstractionsv2/serviceACL/example-2.yaml b/examples/abstractionsv2/serviceACL/example-2.yaml new file mode 100644 index 0000000..82a4ba0 --- /dev/null +++ b/examples/abstractionsv2/serviceACL/example-2.yaml @@ -0,0 +1,8 @@ +apiVersion: daanvinken.io/v1alpha1 +kind: ConsulServiceACL +metadata: + name: acr-main +spec: + parameters: + consul_backend_path: "consul" + dc: "AMS3" diff --git a/examples/abstractionsv2/serviceACL/example.yaml b/examples/abstractionsv2/serviceACL/example.yaml new file mode 100644 index 0000000..fd95eab --- /dev/null +++ b/examples/abstractionsv2/serviceACL/example.yaml @@ -0,0 +1,8 @@ +apiVersion: daanvinken.io/v1alpha1 +kind: ConsulServiceACL +metadata: + name: system-logsearch +spec: + parameters: + consul_backend_path: "consul" + dc: "AMS2" diff --git a/examples/abstractionsv2/serviceACL/tmp/test.yaml b/examples/abstractionsv2/serviceACL/tmp/test.yaml new file mode 100644 index 0000000..828978f --- /dev/null +++ b/examples/abstractionsv2/serviceACL/tmp/test.yaml 
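Review bot: The generated Consul rules use the service name as a bare prefix — `service_prefix "%[1]s"`, `key_prefix "%[1]s"`, `key_prefix "app/%[1]s"`, `key_prefix "preloader/%[1]s"` — and Consul matches prefixes literally, so a service named `acr` also gets write on `acr-main`'s service registrations and keys; terminate each with a separator (`key_prefix "%[1]s/"`, `key_prefix "app/%[1]s/"`) or use the exact forms `service "%[1]s"` / `key "%[1]s"` where a single object is meant. The catch-all `session_prefix "" { policy = "write" }` makes the scoped session line moot and lets every token create and destroy sessions on any node — as I read Consul's session rules they are keyed by node name, so `session_prefix "session/%[1]s"` probably does not express what was intended. In `consul_acl_role`, `serviceIdentities: - serviceName: "foo"` is never patched, so every generated role carries a service identity for `foo` on top of its policy; patch it from `metadata.name` or remove it. The Vault policy hard-codes the `consul/creds/service_ref_%[1]s` mount while the `SecretBackendRole` takes its mount from `spec.parameters.consul_backend_path`, so any non-default backend path yields a policy that grants read on the wrong path — build that line with a `combine` patch from both fields or drop the parameter. Finally, `consul_acl_token` patches `spec.forProvider.name`, which I do not believe Consul ACL tokens have (the Terraform resource exposes `description`, `policies`, `roles`), and it never references the role it is named after; note too that if this XRD is used through a claim, the composite's `metadata.name` carries a random suffix and every policy, role and Vault path formatted from it would inherit that suffix.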
@@ -0,0 +1,53 @@ +apiVersion: acl.daanvinken.io/v1alpha1 +kind: Policy +metadata: + name: policy-my-service +spec: + forProvider: + name: "policy-my-service" # Unique policy name + datacenters: + - "AMS2" # Specify the data center + rules: | + agent_prefix "" { + policy = "read" + } + + service_prefix "" { + policy = "read" + } + + service_prefix "my-service" { + policy = "write" + } + + key_prefix "my-service" { + policy = "write" + } + + key_prefix "app/my-service" { + policy = "write" + } + + session_prefix "" { + policy = "write" + } + + session_prefix "session/my-service" { + policy = "write" + } + + key_prefix "preloader/my-service" { + policy = "write" + } +--- +apiVersion: consul.vault.upbound.io/v1alpha1 +kind: SecretBackendRole +metadata: + name: example-consul-backend-role +spec: + forProvider: + backend: "consul" # The backend path for Consul secrets in Vault + name: "service_ref_my-service" # Unique name for the backend role, typically linked to a specific service + policies: + - "policy-my-service" # Consul ACL policy to associate with this role + diff --git a/examples/abstractionsv2/serviceACL/xrd.yaml b/examples/abstractionsv2/serviceACL/xrd.yaml new file mode 100644 index 0000000..802acbd --- /dev/null +++ b/examples/abstractionsv2/serviceACL/xrd.yaml 
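Review bot: This file lives under `tmp/` and hard-codes the same rules the composition generates, so it reads as scratch output that should not be committed; if it is meant as a standalone example, it inherits the same prefix problem — `key_prefix "my-service"` and `service_prefix "my-service"` also match `my-service-2`, so use `key_prefix "my-service/"` and `service "my-service"` for the exact service. The blanket `session_prefix "" { policy = "write" }` is likewise broader than the commented intent; either scope it or add a comment stating that session write on all nodes is deliberate.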
@@ -0,0 +1,38 @@ +apiVersion: apiextensions.crossplane.io/v1 +kind: CompositeResourceDefinition +metadata: + name: consulserviceacls.daanvinken.io +spec: + group: daanvinken.io + names: + kind: ConsulServiceACL + plural: consulserviceacls + shortNames: + - csa + claimNames: + kind: ConsulServiceACL + plural: consulserviceacls + versions: + - name: v1alpha1 + served: true + referenceable: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + parameters: + type: object + properties: + consul_backend_path: + type: string + description: "Backend path for the Consul secrets in Vault." + dc: + type: string + description: "Data center name for the Consul ACL." + required: + - consul_backend_path + - dc + diff --git a/examples/openstack/abstractions/adyencompute.yaml b/examples/openstack/abstractions/adyencompute.yaml new file mode 100644 index 0000000..7443b53 --- /dev/null +++ b/examples/openstack/abstractions/adyencompute.yaml @@ -0,0 +1,19 @@ +apiVersion: daanvinken.io/v1alpha1 +kind: AdyenCompute +metadata: + name: adyencompute-example-mvp +spec: + parameters: + computeInstanceName: "crossplane-instance-mvp" + imageName: "cirros" + flavorName: "1C-500M-1G-STG1-CIRROS" + network: + - name: osstg1test + securityGroups: + - default + consulServices: + - serviceName: service3 + main_keys: true + - serviceName: service4 + main_keys: false + providerConfigName: "openstack-ams2-nonprod" diff --git a/examples/openstack/abstractions/composition.yaml b/examples/openstack/abstractions/composition.yaml new file mode 100644 index 0000000..2aecca0 --- /dev/null +++ b/examples/openstack/abstractions/composition.yaml 
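Review bot: `claimNames.kind` is identical to `names.kind` (`ConsulServiceACL`, plural `consulserviceacls`); as far as I know Crossplane requires the claim kind and plural to differ from the composite's (conventionally `XConsulServiceACL` / `xconsulserviceacls` for the composite), so I expect this XRD to be rejected — and the openstack composition in this same commit composes `ConsulServiceACL` directly as an XR, so pick which one it is. The schema declares only `consul_backend_path` and `dc`, but that composition also patches `spec.parameters.service` and `spec.parameters.main_keys`, neither of which exists here or is read by the serviceACL composition. Both declared strings end up in a Vault mount path and a Consul datacenter name with no constraints; add a `pattern: "^[a-zA-Z0-9_-]+$"` or an `enum` of known datacenters so a claim cannot inject path separators into `spec.forProvider.backend`.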
@@ -0,0 +1,76 @@ +apiVersion: apiextensions.crossplane.io/v1 +kind: Composition +metadata: + name: adyencompute.composite.daanvinken +spec: + compositeTypeRef: + apiVersion: daanvinken.io/v1alpha1 + kind: AdyenCompute + resources: + # Compute Instance Resource + - name: instancev2 + base: + apiVersion: compute.openstack.crossplane.io/v1alpha1 + kind: InstanceV2 + spec: + forProvider: + name: "crossplane-instance-placeholder" + imageName: "placeholder-image" + flavorName: "placeholder-flavor" + network: [] + securityGroups: [] + providerConfigRef: + name: "placeholder" + patches: + - fromFieldPath: "spec.parameters.computeInstanceName" + toFieldPath: "spec.forProvider.name" + - fromFieldPath: "spec.parameters.imageName" + toFieldPath: "spec.forProvider.imageName" + - fromFieldPath: "spec.parameters.flavorName" + toFieldPath: "spec.forProvider.flavorName" + - fromFieldPath: "spec.parameters.network" + toFieldPath: "spec.forProvider.network" + - fromFieldPath: "spec.parameters.securityGroups" + toFieldPath: "spec.forProvider.securityGroups" + - fromFieldPath: "spec.parameters.providerConfigName" + toFieldPath: "spec.providerConfigRef.name" + + # ConsulServiceACL for the First Service + - name: consulserviceacl1 + base: + apiVersion: daanvinken.io/v1 + kind: ConsulServiceACL + spec: + parameters: + main_keys: false + patches: + - fromFieldPath: "spec.parameters.consulServices[0].serviceName" + toFieldPath: "metadata.name" # Set name of the ConsulServiceACL + transforms: + - type: string + string: + fmt: "consulserviceacl-%s" + - fromFieldPath: "spec.parameters.consulServices[0].serviceName" + toFieldPath: "spec.parameters.service" + - fromFieldPath: "spec.parameters.consulServices[0].main_keys" + toFieldPath: "spec.parameters.main_keys" + + # ConsulServiceACL for the Second Service + - name: consulserviceacl2 + base: + apiVersion: daanvinken.io/v1 + kind: ConsulServiceACL + spec: + parameters: + main_keys: false + patches: + - fromFieldPath: 
"spec.parameters.consulServices[1].serviceName" + toFieldPath: "metadata.name" # Set name of the ConsulServiceACL + transforms: + - type: string + string: + fmt: "consulserviceacl-%s" + - fromFieldPath: "spec.parameters.consulServices[1].serviceName" + toFieldPath: "spec.parameters.service" + - fromFieldPath: "spec.parameters.consulServices[1].main_keys" + toFieldPath: "spec.parameters.main_keys" diff --git a/examples/openstack/abstractions/xrd.yaml b/examples/openstack/abstractions/xrd.yaml new file mode 100644 index 0000000..b3ea3f9 --- /dev/null +++ b/examples/openstack/abstractions/xrd.yaml 
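Review bot: The two `ConsulServiceACL` bases use `apiVersion: daanvinken.io/v1`, but the XRD added in this commit only serves `v1alpha1`, so these composed resources cannot be created as written. They also patch `spec.parameters.service` and `spec.parameters.main_keys`, which the ConsulServiceACL schema does not define and the serviceACL composition never reads, while the fields that XRD marks `required` (`consul_backend_path`, `dc`) are never set, so even with the right version the XR would fail schema validation. More broadly, this lets anyone allowed to create an `AdyenCompute` mint Consul tokens and Vault policies for whatever `serviceName` they type, with no check that the service belongs to them; if that is intended, say so on the XRD, otherwise constrain `serviceName` or derive it from `computeInstanceName`. Only two services are composed, via hard-coded `[0]`/`[1]` indexes; a comment that further `consulServices` entries are silently ignored, or `maxItems: 2` on the XRD, would prevent surprises.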
@@ -0,0 +1,63 @@ +apiVersion: apiextensions.crossplane.io/v1 +kind: CompositeResourceDefinition +metadata: + name: adyencomputes.daanvinken.io +spec: + group: daanvinken.io + names: + kind: AdyenCompute + plural: adyencomputes + claimNames: + kind: AdyenCompute + plural: adyencomputes + versions: + - name: v1alpha1 + served: true + referenceable: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + parameters: + type: object + properties: + computeInstanceName: + type: string + description: "Name of the compute instance" + imageName: + type: string + description: "Name of the image to use for the instance" + flavorName: + type: string + description: "Flavor of the compute instance" + network: + type: array + items: + type: object + properties: + name: + type: string + description: "List of network configurations with name field" + securityGroups: + type: array + items: + type: string + description: "List of security groups for the instance" + consulServices: + type: array + items: + type: object + properties: + serviceName: + type: string + description: "Name of the service for ConsulServiceACL" + main_keys: + type: boolean + description: "Flag to include main keys for the service in the ACL policy" + description: "List of services to create ConsulServiceACL resources for each service" + providerConfigName: + type: string + description: "Full provider config name for the compute instance (e.g., openstack--)" diff --git a/examples/openstack/compute.yaml b/examples/openstack/compute.yaml new file mode 100644 index 0000000..687c7e2 --- /dev/null +++ b/examples/openstack/compute.yaml 
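Review bot: `providerConfigName` is a free-form string copied straight into `spec.providerConfigRef.name`, so a claim author can point an instance at any OpenStack `ProviderConfig` (that is, any credential set) in the cluster, not just `openstack-ams2-nonprod`; constrain it with an `enum` of allowed configs or have the composition choose it from a datacenter-style input. No `required` list is declared, so a claim missing `imageName`, `flavorName` or `providerConfigName` falls through to the composition's `placeholder-*` values and fails late at the OpenStack API; add `required: [computeInstanceName, imageName, flavorName, providerConfigName]` under `parameters`. The `main_keys` description promises to "include main keys for the service in the ACL policy", but nothing in this commit consumes the flag — either drop it or describe what it will gate.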
@@ -0,0 +1,16 @@ +--- +apiVersion: compute.openstack.crossplane.io/v1alpha1 +kind: InstanceV2 +metadata: + name: crossplane-instance-daanvi +spec: + forProvider: + name: crossplane-instance-daanvi + imageName: cirros + flavorName: 1C-500M-1G-STG1-CIRROS + network: + - name: osstg1test + securityGroups: + - default + providerConfigRef: + name: openstack-ams2-nonprod \ No newline at end of file diff --git a/examples/openstack/providerconfig.yaml b/examples/openstack/providerconfig.yaml new file mode 100644 index 0000000..c263aae --- /dev/null +++ b/examples/openstack/providerconfig.yaml @@ -0,0 +1,11 @@ +apiVersion: openstack.crossplane.io/v1beta1 +kind: ProviderConfig +metadata: + name: openstack-ams2-nonprod +spec: + credentials: + secretRef: + key: config + name: provider-openstack-config + namespace: crossplane-system + source: Secret \ No newline at end of file diff --git a/examples/providerconfig/secret.yaml.tmpl b/examples/providerconfig/secret.yaml.tmpl index 107593d..f5d2ea1 100644 --- a/examples/providerconfig/secret.yaml.tmpl +++ b/examples/providerconfig/secret.yaml.tmpl @@ -1,12 +1,12 @@ apiVersion: v1 kind: Secret metadata: - name: example-creds + name: example-creds-consul namespace: crossplane-system type: Opaque stringData: credentials: | { - "address": "localhost:2222", - "token": "abcd" + "address": "http://localhost:8500", + "token": "9847975c-7ff7-6b13-0272-791103753035" } diff --git a/examples/vault/providerconfig.yaml b/examples/vault/providerconfig.yaml new file mode 100644 index 0000000..948d475 --- /dev/null +++ b/examples/vault/providerconfig.yaml 
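Review bot: The template's placeholder token is replaced with a UUID-shaped value, `9847975c-7ff7-6b13-0272-791103753035`, which is indistinguishable from a real Consul secret ID; if it was copied from a running agent it should be rotated, and a committed `.tmpl` should use an obvious placeholder such as `"token": "<consul-acl-token>"` so it is never pasted into a real cluster. The address also moves to plaintext `http://localhost:8500`, which is fine for a local agent but deserves a comment that the token travels in the clear unless the address is `https://`.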
@@ -0,0 +1,13 @@ +apiVersion: vault.upbound.io/v1beta1 +kind: ProviderConfig +metadata: + name: default +spec: + address: "http://vault.vault.svc.cluster.local:8200" # Vault server URL + credentials: + source: Secret + secretRef: + name: example-vault-creds # Name of the secret storing the Vault token + namespace: crossplane-system # Namespace where the secret is located + key: credentials + skip_tls_verify: true # Set to true only for non-production environments \ No newline at end of file diff --git a/examples/vault/secret.yaml b/examples/vault/secret.yaml new file mode 100644 index 0000000..6b7a396 --- /dev/null +++ b/examples/vault/secret.yaml @@ -0,0 +1,12 @@ +--- +apiVersion: v1 +kind: Secret +metadata: + name: example-vault-creds + namespace: crossplane-system +type: Opaque +stringData: + credentials: | + { + "token": "payments-made-easy" + }
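Review bot: `skip_tls_verify: true` next to an `http://` address means the Vault token is sent in the clear and TLS is not involved at all; since the comment already says non-production only, ship the safe default — `address: "https://vault.vault.svc.cluster.local:8200"` with verification on — and mention the escape hatch in the comment rather than enabling it. It is also worth confirming the field name the Upbound Vault provider expects; the rest of this CRD is camelCase (`secretRef`, `namespace`), and if `skip_tls_verify` is not in the schema it would be pruned on apply and silently do nothing. The file also lacks a trailing newline.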
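Review bot: `"token": "payments-made-easy"` is a literal Vault token in a committed manifest; even as a dev value it tends to get reused, so use an obvious placeholder (`"token": "<vault-token>"`) and name the file `secret.yaml.tmpl` like the Consul example, or document creating it out of band with `kubectl create secret generic example-vault-creds -n crossplane-system --from-file=credentials=...`. A short comment on the token this provider needs would also help: the compositions in this commit create `SecretBackendRole` and `Policy` objects, so the token presumably needs write on the Consul secrets mount's `roles/*` and on `sys/policies/acl/*`, and should be a renewable or periodic token rather than a root/one-off one.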