Crossplane v1.12

Crossplane v1.12.0 is now live and available for the community to run in their control planes! Over the past handful of Crossplane releases, we had unfortunately fallen out of the habit of writing a specific blog post for each release, but we're getting back into it starting with today's post about all the exciting features in v1.12.  Let's dive in!

Observe-only Resources

Observe-only Resources (OOR) has been a highly demanded feature for awhile now, with almost 100 positive reactions on its tracking issue. Crossplane was originally designed to manage the full life cycle of resources, from initial provisioning to eventual deletion and clean-up.  With OOR, Crossplane is able to observe and expose the full live state of an external resource, without performing any write or destructive operations.

There are many interesting use cases that are enabled with this new functionality, such as:

  • Referencing resources managed by other tools - perhaps another tool like Terraform or CloudFormation created and is managing a given resource, such as a VPC, but now you want to reference some of its fields from within your Crossplane compositions. Now you can simply import an "observe-only" instance of this VPC, and reference any live data or status from it that you need.
  • Testing the waters with Crossplane - as people begin their early Crossplane journey, they may be hesitant at first to give Crossplane full control of their cloud resources.  To get more hands-on experience with Crossplane in a risk-free setting, new users can import their existing resources as observe-only, and gain more comfort with the functionality of Crossplane while having zero chance that any of their important resources will be updated or deleted.

More details on the use cases, architecture, and full behavior of the feature can be found in the design doc.

Composition Validation

Composition has proven to be a powerful feature of Crossplane while people are designing and building their own opinionated cloud native control planes. We have heard (and understand) from the community that the learning curve for adopting composition's feature set is a bit steep.  One specific problem in previous releases of Crossplane is that there is often no feedback about errors in your compositions until runtime when they are being executed, often with difficult to trace error conditions.  This previous blog post we wrote for the New Stack gets into more details about this challenging experience.

Starting with the v1.12 release, your Compositions will be validated for issues up front at the time they are being added to the control plane. This is a great step to "shift left" feedback and greatly improve the developer experience of Crossplane. For example, instead of incorrect but silent behavior at runtime, the Composition would be rejected by the API server with a specific and actionable error message like:

The Composition "xpostgresqlinstances.aws.database.example.org" is invalid:

* spec.resources[0].patches[2].fromFieldPath: Invalid value:
"spec.parameters.region": field 'region' is not valid according to the schema

More details about how the composition validation feature works and further investments we will be making in this area can be found in the design doc.

Pluggable Secret Stores

Crossplane has the ability to write sensitive credentials and connection information for the resources it provisions to a destination outside of the control plane.  This feature is called an external secret store (ESS), and is a great alternative to using the default of Kubernetes secrets.

In v1.12, we have taken our previous support of external secret stores further and set it up for broader adoption and collaboration by the community. Previously, any supported ESS was included in the core Crossplane code base and was subject to its release cycles and channels. For v1.12, we have instead made this ESS support a pluggable interface, allowing ESS implementations to be hosted, built, and released from anywhere.  We expect this to enable the ecosystem to implement support for a broader set of secret stores, so we look forward to seeing the collaboration and progress soon.

A functional implementation of Vault as a Crossplane external secret store for the community's adoption and reference can be found in the https://github.com/crossplane-contrib/ess-plugin-vault repository.

Other Improvements

The v1.12 release was full of many other exciting improvements and fixes, which we summarize briefly below:

  • CompositionRevisions have been promoted to v1, with no schema or functional changes that would impact adopters #3715
  • It is now possible to configure XRD's to specify the conversion strategy of their resulting CRD, allowing users to define multiple versions with different schemas #2608
  • Support was added for supplying additional volumes and volume mounts for Crossplane through its Helm chart #3830
  • Added defaultCompositeDeletePolicy and defaultCompositionUpdatePolicy attributes to the XRD to enable the author to specify defaults for how the Composite should be deleted and how Compositions should be updated in #3963
  • RBAC management for clusters which use OwnerReferencesPermissionEnforcement, such as OpenShift, was fixed in #3444

More to Come

Now that v1.12 has been released, we turn our focus to the next major release of v1.13, which is currently scheduled for late July of this year.  The high level areas of investment for this release can be found in the Crossplane roadmap. A critical area of focus during the v1.13 release cycle will be resolving the performance degredation caused by Crossplane providers installing a very large amount of CRDs.  You can follow along with the progress on this top priority issue, starting with the proposal in #3939.

Crossplane is a community driven project and we welcome you to join the community and contribute through a variety of opportunities, such as opening and commenting on issues, joining the community meetings, sharing your adoption story, and providing feedback on design docs and pull requests.

We love to hear from the community, as they are exactly what makes this project great. Whether you are a developer, user, or just interested in what we're up to, feel free to join us via one of the following methods:

Keep up with Upbound

* indicates required