Crossplane v1.1 - Vault integration, enhanced Composition, and AWS Provider code generation!

v1.1 adds enhanced security for production deployments with Vault integration and several key Composition enhancements including bi-directional patching, patch deduplication, and resource re-ordering support. Rounding out the release is enhanced AWS Provider code generation with a new developer guide that has been picked up by the community to add resources like RDS DBCluster, Lambda functions and more!

The momentum has continued to roll forward after a great Crossplane Community Day in December where we announced Crossplane v1.0 with an amazing lineup of speakers including Kelsey Hightower, Joe Beda, Brendan Burns, Bassam Tabbara, Brian Grant, and many more!

Check out the Community Day replay videos if you couldn't make it and don't forget to submit a proposal for the next Crossplane Community Day on May 4th, 2021 — the CNCF CFP deadline is Friday March 5th 11:59 pm PST!

Starting with the v1.0 release, Crossplane is released on an eight week cadence with feature freeze and code freeze intervals, so we can focus on post-v1.0 quality and stability. The 8-week release cycle also gives us time for more features and community contributions -- and there have been a lot so let's dive in!

The Crossplane community has grown rapidly over the past few months, with over 72 contributors from more than 66 companies and over 1,500 Slack members -- almost a 3x increase since May 2020 just 10 months ago! We'd like to give a special shout-out to:

  • @krishchow from @RedHatOfficial for his work on Composition, helping maintain provider-aws, and the extensive work on S3 buckets including versioning, replication config, late initialization, and bucket policy
  • @mcavoyk for adding bi-directional patching to Composition and doc fixes
  • @weastel for adding PackagePullSecrets for installing Providers and kubectl crossplane update support
  • @smcavallo for exposing metric endpoints for providers, helm chart enhancements (nodeSelector, tolerations, and affinity), and a new PR to add AWS Lambda support via code gen
  • @pdettori for continued work on provider-ibm-cloud
  • @benagricola for Composition patch dedup support plus work on provider-sql including MySQL grant privilege support
  • @khos2ow for continued work on Crossplane Core plus CodeQL security scanning
  • @hiteshghia for adding RDS DBCluster support via code gen
  • @GiJsvanDulmen for doc fixes & enhancements
  • @chlunde for upgrading the error handling for IAMRole and InternetGateway to use the awsclient
  • anyone else we may have missed!

Crossplane Composition

Crossplane Composition allows you to define and offer your own cloud API abstractions, so your teams can self-service directly from Kubernetes using kubectl, GitOps, or anything that works with the Kubernetes API.

Composition is a major differentiator from other cloud provider infrastructure add-ons, which only offer cloud service primitives similar to the Crossplane Providers for AWS, Azure, GCP, Alibaba, IBM Cloud, and many more.

Composition layers on top of these primitives and enables you to publish new declarative APIs backed by the Kubernetes API machinery and control plane approach that work seamlessly with GitOps tooling (Flux/ArgoCD) -- something that Terraform can't do as a command-line tool.

Key Composition enhancements in v1.1 include:

Bi-directional patching
Bi-directional patching for status has been a commonly requested feature to enable the status of a composed resource to be surfaced up into the composite resource's status. This works in the opposite direction of the patching that happens when a composite resource is first created, where values are patched from the composite resource down onto the composed resources. The example below shows the two patch types used together: FromCompositeFieldPath and ToCompositeFieldPath. Thanks to @mcavoyk for his contribution to get this added to the v1.1 release!

patches:
  # inputs
  - fromFieldPath: spec.parameters.image
    toFieldPath: spec.template.spec.containers[0].image
    type: FromCompositeFieldPath
  - fromFieldPath: spec.parameters.replicas
    toFieldPath: spec.replicas
    type: FromCompositeFieldPath

  # outputs
  - fromFieldPath: spec.replicas
    toFieldPath: spec.parameters.replicas
    type: ToCompositeFieldPath

ConnectionDetails now supports fromFieldPath
The connection secret generated for an instance of a Composition template was previously limited to (a) pulling from a secret key of a composed resource or (b) using a constant value. In the v1.1 release an additional fromFieldPath option is available in the ConnectionDetails to pull values from the status or spec of a composed resource. Thanks to @krishchow for adding this to the v1.1 release!

resources:
- base:
    # YAML..
  connectionDetails:
  - type: FromConnectionSecretKey  # The default, since this field needs to be optional
    fromConnectionSecretKey: somekey
  - type: FromFieldPath
    fromFieldPath: "status.interestingField"

Required patches
In v1.0 all patches were applied opportunistically: if the fromFieldPath didn't exist, the patch was skipped without error. In v1.1 a new fromFieldPathPolicy: Required option lets you force an error when a patch's source field path doesn't exist, so a missing input fails loudly instead of silently producing a partially configured resource.

patches:
  - fromFieldPath: "spec.claimRef.name"
    fromFieldPathPolicy: Required
    toFieldPath: "metadata.name"
    transforms:
      - type: string
        string:
          fmt: "example-%s"

Reordering resources in a Composition template
In v1.0 the composed resources in a Composition were assumed to be append-only, to accommodate changes to the composed resources. This prohibited inserting, deleting, or reordering resources in a Composition. In v1.1 an elegant and backwards compatible change supports optional naming of the composed resources in a Composition, so you can make changes in the future without reordering concerns.

resources:
  - name: dbinstance
    base:
      apiVersion: database.gcp.crossplane.io/v1beta1
      kind: CloudSQLInstance
      ...

Patch set support
In v1.0, when working with a large Composition with many composed resources, the same set of patches was often applied individually to many or all composed resources, for example patches for metadata.labels or metadata.annotations. In v1.1 you can now create customPatchTypes in a Composition and selectively apply them with a new type field in the patches for each composed resource. Thanks @benagricola for getting this added to v1.1!

apiVersion: apiextensions.crossplane.io/v1beta1
kind: Composition
...
spec:
  customPatchTypes:
    - type: Metadata
      patches:
      - fromFieldPath: metadata.labels
        toFieldPath: metadata.labels

    - type: Parameters
      patches:
      - fromFieldPath: spec.parameters.location
        toFieldPath: spec.forProvider.locationConstraint
        transforms:
          - type: map
            map:
              us: us-east-1
              uk: eu-west-2
              au: ap-southeast-2

  resources:
    - base:
      # ...
      patches:
        - type: Metadata
        - fromFieldPath: metadata.annotations
          toFieldPath: metadata.annotations
        - type: Parameters
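To show how the v1.1 Composition features above fit together, here is a complete Composition as an added example (not from the original post or the Crossplane project): a named composed resource, a Required input patch, a ToCompositeFieldPath status patch, and a connectionDetails entry of type FromFieldPath. The Composition name, the XRD (database.example.org/v1alpha1 XPostgreSQLInstance with spec.parameters.storageGB and status.instanceState in its schema) and the CloudSQLInstance field paths are assumptions for illustration.

```yaml
apiVersion: apiextensions.crossplane.io/v1
kind: Composition
metadata:
  name: postgresql.gcp.example.org        # hypothetical name
spec:
  writeConnectionSecretsToNamespace: crossplane-system
  compositeTypeRef:
    apiVersion: database.example.org/v1alpha1   # hypothetical XRD
    kind: XPostgreSQLInstance
  resources:
    # Named resource (v1.1): resources can later be inserted or
    # reordered without breaking existing composite resources.
    - name: cloudsqlinstance
      base:
        apiVersion: database.gcp.crossplane.io/v1beta1
        kind: CloudSQLInstance
        spec:
          forProvider:
            databaseVersion: POSTGRES_12
            region: us-central1
            settings:
              tier: db-custom-1-3840
          writeConnectionSecretToRef:
            namespace: crossplane-system
      patches:
        # Input (composite -> composed). Required: a missing parameter
        # is reported as an error instead of being silently skipped.
        - type: FromCompositeFieldPath
          fromFieldPath: spec.parameters.storageGB
          fromFieldPathPolicy: Required
          toFieldPath: spec.forProvider.settings.dataDiskSizeGb
        # Input: derive a unique connection secret name from the XR uid.
        - type: FromCompositeFieldPath
          fromFieldPath: metadata.uid
          toFieldPath: spec.writeConnectionSecretToRef.name
          transforms:
            - type: string
              string:
                fmt: "%s-postgresql"
        # Output (composed -> composite): surface the instance state
        # into the composite's status (assumed status field path).
        - type: ToCompositeFieldPath
          fromFieldPath: status.atProvider.state
          toFieldPath: status.instanceState
      connectionDetails:
        # Default type: copy a key from the composed resource's secret.
        - type: FromConnectionSecretKey
          fromConnectionSecretKey: password
        # New in v1.1: read a value from the composed resource's status.
        - type: FromFieldPath
          name: privateIP
          fromFieldPath: status.atProvider.ipAddresses[0].ipAddress
```

Only the keys listed under connectionDetails end up in the composite's connection secret, so unneeded credential material from the composed resource is not copied along.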

TBS Episode #25: Composition 101
To learn more about Composition, check out TBS episode #25 with Crossplane maintainers Nic Cope and Dan Mangum!

Vault integration for Provider credentials

Multiple provider credential sources now supported
With v1.1 you can now use multiple credential sources including:

  • Kubernetes Secret
  • Environment Variable
  • Filesystem

Vault integration guide
The new guide on Using Vault for Provider Credentials shows how to use Vault in combination with a Filesystem credential source to provide enhanced security for your Crossplane deployments: the cloud credentials are injected into the provider pod's filesystem by the Vault agent rather than stored in a Kubernetes Secret.

Steps from the guide:

  1. Install Crossplane & Vault Helm Charts
  2. Unseal Vault Instance & Enable Kubernetes Auth Backend
  3. Create Cloud Service Account & Store Credentials in Vault
  4. Create Vault Policy for Reading Provider Credentials
  5. Create a Role for Crossplane Provider Pods
  6. Install Crossplane Provider
  7. Configure Vault Mutating Webhook using the Crossplane ControllerConfig
  8. Provision Infrastructure using Vault-secured Provider Credentials

For example, configuring the GCP Provider for use with Vault using the Crossplane ControllerConfig:

echo "apiVersion: pkg.crossplane.io/v1alpha1
kind: ControllerConfig
metadata:
  name: vault-config
spec:
  metadata:
    annotations:
      vault.hashicorp.com/agent-inject: \"true\"
      vault.hashicorp.com/role: \"crossplane-providers\"
      vault.hashicorp.com/agent-inject-secret-creds.txt: \"secret/provider-creds/gcp-default\"
      vault.hashicorp.com/agent-inject-template-creds.txt: |
        {{- with secret \"secret/provider-creds/gcp-default\" -}}
         {{ .Data.data | toJSON }}
        {{- end -}}
---
apiVersion: pkg.crossplane.io/v1
kind: Provider
metadata:
  name: provider-gcp
spec:
  package: crossplane/provider-gcp:v0.16.0
  controllerConfigRef:
    name: vault-config" | kubectl apply -f -

This allows the following ProviderConfig to be used with a Filesystem credential source, reading the credentials file that the Vault agent sidecar writes into the provider pod:

echo "apiVersion: gcp.crossplane.io/v1beta1
kind: ProviderConfig
metadata:
  name: default
spec:
  projectID: ${PROJECT_ID}
  credentials:
    source: Filesystem
    fs:
      path: /vault/secrets/creds.txt" | kubectl apply -f -

New credential sources including Environment Variables and Filesystem support a wide variety of use cases and the Vault integration guide highlights one popular and requested scenario.

TBS episode #26: Provider Authentication
To learn more, check out TBS episode #26 with Dan Mangum on Provider Authentication and the new guide on Using Vault for Provider Credentials!

AWS Provider code generation

Code Generation Guide for AWS Provider
It's exciting to see how the community has picked up the new Code Generation Guide for provider-aws that @muvaf put together based on our collaboration with @jaypipes and the AWS ACK team.

New code gen PRs have already been opened by @smcavallo and @hiteshghia to add provider-aws support for Lambda functions and RDS DBClusters -- very cool!

Planned improvements in the v1.2 release
Currently there are some manual custom parts that need to be added for each generated AWS resource, as outlined in the guide. The guide should be treated as a living document that will be simplified as the code gen pipeline is enhanced, with several upgrades planned for the v1.2 release!

TBS Episode #27: AWS Code Generation
Check out TBS Episode #27 to learn more about AWS Code Generation, with an in-depth walkthrough by Crossplane maintainers Muvaffak Onuş and Dan Mangum.

What's Next

See ROADMAP.md for details, some highlights:

v1.2

  • Pluggable webhook support
  • Enhanced back-off across core controllers
  • Enhanced integration testing
  • AWS Bucket Late Init support provider-aws#536
  • AWS code generation of more Crossplane provider-aws resources
  • AWS code generation enhancements including reference/selector fields and late-init/is-up-to-date functions.
  • Azure code generation of the Crossplane provider-azure resources

Under Consideration

  • Observe-only Crossplane resources (e.g. VPC, Subnet) for use in Compositions
  • Composition revision support for incremental upgrades
  • Code Generation of Providers (100% coverage)
  • First-class multi-language support for Compositions and Configurations
  • Managed resources can accept an array of resource references for enhanced cross-resource reference (CRR) / dependency support.
  • Per-namespace mapping of IRSA and workload identity for finer grained infra permissions in multi-tenant clusters
  • Additional conversion strategies for XRDs with multiple versions of an XR
  • Conversion webhooks to support installing multiple API versions
  • CustomComposition support for use with cdk8s sidecar, TYY, and others
  • GitLab Integration with Crossplane v1.0+

Check out the following to learn more:

Get involved!

We're excited to see the continual growth of the Crossplane community and would love for you to get involved. Whether you are a developer, user, or just interested in what we're up to, feel free to join us via one of the following methods:
