Using Crossplane in GitOps: Bootstrap

Why Crossplane?

A good example is the Terraform provider, which lets people integrate existing Terraform automation assets into Crossplane, modeled as Kubernetes custom resources. See: https://github.com/crossplane-contrib/provider-terraform

Bootstrap: Deploy Crossplane

---
apiVersion: v1
kind: Namespace
metadata:
  name: crossplane-system
spec:
  finalizers:
    - kubernetes
---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: crossplane-app
  namespace: argocd
spec:
  destination:
    namespace: crossplane-system
    server: https://kubernetes.default.svc
  project: default
  source:
    repoURL: https://charts.crossplane.io/stable
    chart: crossplane
    targetRevision: 1.4.1
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
---
apiVersion: pkg.crossplane.io/v1
kind: Configuration
metadata:
  name: capabilities-shim
spec:
  ignoreCrossplaneConstraints: false
  package: quay.io/moyingbj/capabilities-shim:v0.0.1
  packagePullPolicy: IfNotPresent
  revisionActivationPolicy: Automatic
  revisionHistoryLimit: 0
  skipDependencyResolution: false

Setup ProviderConfig

apiVersion: kubernetes.crossplane.io/v1alpha1
kind: ProviderConfig
metadata:
  name: provider-config-dev
spec:
  credentials:
    source: Secret
    secretRef:
      namespace: dev
      name: cluster-config
      key: kubeconfig
---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: sealed-secrets-controller
  namespace: argocd
spec:
  destination:
    namespace: argocd
    server: https://kubernetes.default.svc
  project: default
  source:
    repoURL: https://bitnami-labs.github.io/sealed-secrets
    targetRevision: 1.16.1
    chart: sealed-secrets
    helm:
      values: |-
        # https://github.com/argoproj/argo-cd/issues/5991
        commandArgs:
          - "--update-status"
  syncPolicy:
    automated:
      prune: true
      selfHeal: true

The kubeconfig referenced by the ProviderConfig is created locally as a plain Secret manifest, then sealed so that only the sealed form is committed:

kubectl create secret generic cluster-config --from-literal=kubeconfig="$(cat path/to/your/kubeconfig)" --dry-run=client -o yaml > cluster-config.yaml
kubeseal -n dev --controller-namespace argocd < cluster-config.yaml > cluster-config.json

There are alternative approaches to handling secrets in GitOps, e.g. storing the secret itself in external storage such as HashiCorp Vault and committing only the secret key to git. That approach is not covered in this article.
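The sealing step above leaves two files side by side: cluster-config.yaml, which holds the base64-encoded kubeconfig in the clear, and cluster-config.json, the SealedSecret that is safe to commit. The following is an added example, not code from the article or from the Crossplane or Sealed Secrets projects: a standard-library-only guard, suitable for a pre-commit hook or CI job, that inspects the manifests staged for the GitOps repository and refuses any v1 Secret carrying a data or stringData payload while letting SealedSecrets and the Crossplane bootstrap objects through. The sample inputs are constructed inline; the kubeconfig is a fake and the SealedSecret ciphertext is a placeholder.

```python
import base64
import json
import re
import sys
from typing import Dict, Iterator, List, Tuple

# Top-level "kind:" line of a YAML document (keys at column 0).
KIND_RE = re.compile(r"^kind:\s*['\"]?([A-Za-z0-9]+)['\"]?\s*$", re.MULTILINE)
# Top-level keys that carry a v1 Secret's payload.
PAYLOAD_RE = re.compile(r"^(data|stringData):", re.MULTILINE)
# A line consisting only of the YAML document separator.
DOC_SEP_RE = re.compile(r"^---[ \t]*$", re.MULTILINE)


def split_yaml_documents(text: str) -> List[str]:
    """Split a multi-document YAML stream on '---' lines, dropping empty docs."""
    return [doc for doc in DOC_SEP_RE.split(text) if doc.strip()]


def iter_documents(filename: str, text: str) -> Iterator[Tuple[str, bool]]:
    """Yield (kind, carries_payload) for each object in a manifest file.

    JSON (kubeseal's default output) is parsed with the json module; YAML is
    inspected with line-anchored regexes so no third-party parser is needed.
    """
    if filename.endswith(".json"):
        obj = json.loads(text)
        docs = obj["items"] if obj.get("kind") == "List" else [obj]
        for doc in docs:
            yield str(doc.get("kind", "")), bool(doc.get("data") or doc.get("stringData"))
    else:
        for doc in split_yaml_documents(text):
            match = KIND_RE.search(doc)
            yield (match.group(1) if match else ""), bool(PAYLOAD_RE.search(doc))


def find_plaintext_secrets(files: Dict[str, str]) -> List[Tuple[str, int, str]]:
    """Return (filename, document index, kind) for every plaintext Secret.

    A SealedSecret is never flagged: its payload sits under spec.encryptedData
    and is unreadable without the controller's private key.
    """
    findings = []
    for filename, text in files.items():
        for index, (kind, payload) in enumerate(iter_documents(filename, text)):
            if kind == "Secret" and payload:
                findings.append((filename, index, kind))
    return findings


# Constructed samples: the dry-run Secret as kubectl prints it, the SealedSecret
# kubeseal would write for it (placeholder ciphertext), and bootstrap objects.
FAKE_KUBECONFIG = "apiVersion: v1\nkind: Config\nclusters: []\n"  # not a real cluster
SAMPLE_FILES = {
    "cluster-config.yaml": (
        "apiVersion: v1\n"
        "data:\n"
        f"  kubeconfig: {base64.b64encode(FAKE_KUBECONFIG.encode()).decode()}\n"
        "kind: Secret\n"
        "metadata:\n"
        "  creationTimestamp: null\n"
        "  name: cluster-config\n"
    ),
    "cluster-config.json": json.dumps({
        "kind": "SealedSecret",
        "apiVersion": "bitnami.com/v1alpha1",
        "metadata": {"name": "cluster-config", "namespace": "dev"},
        "spec": {
            "template": {"metadata": {"name": "cluster-config", "namespace": "dev"}},
            "encryptedData": {"kubeconfig": "AgB...placeholder-ciphertext..."},
        },
    }),
    "bootstrap.yaml": (
        "---\napiVersion: v1\nkind: Namespace\nmetadata:\n  name: crossplane-system\n"
        "---\napiVersion: kubernetes.crossplane.io/v1alpha1\nkind: ProviderConfig\n"
        "metadata:\n  name: provider-config-dev\nspec:\n  credentials:\n"
        "    source: Secret\n    secretRef:\n      namespace: dev\n"
        "      name: cluster-config\n      key: kubeconfig\n"
    ),
}


def main() -> int:
    """Exit non-zero when a plaintext Secret is among the files to commit."""
    findings = find_plaintext_secrets(SAMPLE_FILES)
    for filename, index, kind in findings:
        print(f"REFUSE: {filename} document {index} is a plaintext {kind}; "
              "seal it with kubeseal and commit only the SealedSecret")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run against the samples, the guard rejects cluster-config.yaml and accepts cluster-config.json and the bootstrap manifests. In a real hook, replace SAMPLE_FILES with the staged files (for example from `git diff --cached --name-only`); a Secret with no data or stringData block is deliberately not flagged, since it carries nothing to leak.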
