diff --git a/content/master/get-started/get-started-with-mrds.md b/content/master/get-started/get-started-with-mrds.md index 8ab7ac80..18a005e6 100644 --- a/content/master/get-started/get-started-with-mrds.md +++ b/content/master/get-started/get-started-with-mrds.md @@ -51,13 +51,12 @@ You can edit the default activation policy directly: {{< tabs >}} {{< tab "Edit Existing Policy" >}} ```shell -# Permanently disable by using a non-matching pattern -kubectl patch mrap crossplane-default-activation-policy --type='merge' \ - -p='{"spec":{"activations":["nonexistent.example.com"]}}' - -# Or remove all activations entirely -kubectl patch mrap crossplane-default-activation-policy --type='merge' \ - -p='{"spec":{"activations":[]}}' +# Delete the default policy and restart Crossplane using Helm +kubectl delete mrap crossplane-default-activation-policy +helm upgrade crossplane crossplane-stable/crossplane \ + --set provider.defaultActivations=null \ + --namespace crossplane-system --reuse-values +kubectl rollout restart deployment/crossplane -n crossplane-system ``` {{< hint "note" >}} diff --git a/content/master/guides/implementing-safestart.md b/content/master/guides/implementing-safestart.md index 28d070f0..e1d80e91 100644 --- a/content/master/guides/implementing-safestart.md +++ b/content/master/guides/implementing-safestart.md @@ -19,12 +19,12 @@ Plan for breaking changes and thorough testing before implementing. safe-start transforms how your provider handles resource installation: **Without safe-start:** -- All managed resources become CRDs when provider installs +- All resources become MRDs that are automatically active and create CRDs - Users get all ~200 AWS resources even if they need only 5 - Higher memory usage and slower API server responses **With safe-start:** -- All managed resources become inactive MRDs when provider installs +- All resources become MRDs that are inactive by default - Users activate only needed resources through policies - Lower resource overhead and better performance @@ -51,7 +51,7 @@ metadata: spec: package: registry.example.com/provider-example:v1.0.0 capabilities: - - name: safe-start + - safe-start ``` {{< hint "tip" >}} @@ -148,42 +148,27 @@ func configureConnectionDetails(p *ujconfig.Provider) { {{< /tab >}} {{< /tabs >}} -### Step 3: Handle namespaced resources +### Step 3: Update RBAC Permissions -safe-start works best with namespaced managed resources. Update your resources -to support both cluster and namespaced scopes: +safe-start providers need extra permissions to manage CRDs dynamically. Crossplane's RBAC manager automatically provides these permissions when you install safe-start providers. -```go -// Update resource definitions to support namespacing -type Database struct { - metav1.TypeMeta `json:",inline"` - metav1.ObjectMeta `json:"metadata,omitempty"` - - Spec DatabaseSpec `json:"spec"` - Status DatabaseStatus `json:"status,omitempty"` -} +{{< hint "note" >}} +Manual RBAC configuration is only required if you disable Crossplane's RBAC manager (with `--args=--disable-rbac-manager`). +{{< /hint >}} -// Update your CRD generation -//+kubebuilder:resource:scope=Namespaced -//+kubebuilder:object:root=true -//+kubebuilder:subresource:status -type Database struct { - // ... resource definition -} - -// Optionally create cluster-scoped variants -//+kubebuilder:resource:scope=Cluster -//+kubebuilder:object:root=true -//+kubebuilder:subresource:status -type ClusterDatabase struct { - // ... same spec but cluster scoped -} +**Automatically provided permissions:** +```yaml +# Crossplane RBAC manager grants these permissions automatically +# safe-start permissions +- apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] +- apiGroups: ["apiextensions.crossplane.io"] + resources: ["managedresourcedefinitions"] + verbs: ["get", "list", "watch", "update", "patch"] ``` -### Step 4: Update RBAC Permissions - -safe-start providers need extra permissions to manage CRDs dynamically: - +**Manual configuration (only if you disable RBAC manager):** ```yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole @@ -207,7 +192,7 @@ rules: verbs: ["get", "list", "watch", "update", "patch"] ``` -### Step 5: Implement managed resource definition controller logic +### Step 4: Implement managed resource definition controller logic Add controller logic to handle MRD activation and CRD lifecycle: @@ -280,7 +265,7 @@ func (r *MRDReconciler) createCRD(ctx context.Context, mrd *xpv1alpha1.ManagedRe } ``` -### Step 6: Update build and continuous integration processes +### Step 5: Update build and continuous integration processes Update your build process to generate MRDs alongside CRDs: @@ -311,7 +296,7 @@ build-package: generate echo "kind: Provider" >> package/provider.yaml echo "spec:" >> package/provider.yaml echo " capabilities:" >> package/provider.yaml - echo " - name: safe-start" >> package/provider.yaml + echo " - safe-start" >> package/provider.yaml ``` {{< /tab >}} @@ -378,7 +363,7 @@ jobs: {{< /tab >}} {{< /tabs >}} -### Step 7: Add connection details documentation +### Step 6: Add connection details documentation Document connection details in your MRDs to help users understand resource capabilities: @@ -496,7 +481,7 @@ metadata: spec: package: registry.example.com/provider-example:latest capabilities: - - name: safe-start + - safe-start EOF # Wait for provider installation diff --git a/content/master/guides/mrd-activation-policies.md b/content/master/guides/mrd-activation-policies.md index b4c67260..2c999691 100644 --- a/content/master/guides/mrd-activation-policies.md +++ b/content/master/guides/mrd-activation-policies.md @@ -92,16 +92,12 @@ You can change the default activation policy directly and changes persist: # View current default policy kubectl get mrap crossplane-default-activation-policy -o yaml -# Permanently change to disable default activation -kubectl patch mrap crossplane-default-activation-policy --type='merge' \ - -p='{"spec":{"activations":["nonexistent.example.com"]}}' - -# Or remove all activations -kubectl patch mrap crossplane-default-activation-policy --type='merge' \ - -p='{"spec":{"activations":[]}}' - -# Or delete the default policy entirely +# Delete the default policy and restart Crossplane using Helm kubectl delete mrap crossplane-default-activation-policy +helm upgrade crossplane crossplane-stable/crossplane \ + --set provider.defaultActivations=null \ + --namespace crossplane-system --reuse-values +kubectl rollout restart deployment/crossplane -n crossplane-system ``` {{< hint "note" >}} diff --git a/content/master/managed-resources/managed-resource-definitions.md b/content/master/managed-resources/managed-resource-definitions.md index 34d841c3..8e590a84 100644 --- a/content/master/managed-resources/managed-resource-definitions.md +++ b/content/master/managed-resources/managed-resource-definitions.md @@ -9,7 +9,7 @@ Kubernetes Custom Resource Definitions (CRDs) that enables selective installation and better documentation of managed resources. {{< hint "note" >}} -MRDs are available in Crossplane v2.0+ as an alpha feature. +MRDs are available in Crossplane v2.0+ as a beta feature. {{< /hint >}} @@ -193,7 +193,7 @@ Without safe-start, all MRDs are active by default for backward compatibility. # In provider package metadata spec: capabilities: - - name: safe-start + - safe-start ``` {{< hint "note" >}} diff --git a/content/master/packages/provider-capabilities.md b/content/master/packages/provider-capabilities.md index 653d60e2..8ff7f31b 100644 --- a/content/master/packages/provider-capabilities.md +++ b/content/master/packages/provider-capabilities.md @@ -22,8 +22,8 @@ metadata: name: provider-aws spec: capabilities: - - name: safe-start - - name: CustomCapability + - safe-start + - CustomCapability ``` Crossplane reads these capabilities and modifies its behavior when installing @@ -39,19 +39,19 @@ The `safe-start` capability changes how Managed Resource Definitions (MRDs) are activated when you install the provider. **Without safe-start:** -- All MRDs are automatically activated -- Crossplane creates all corresponding CRDs when provider installs +- All resources become MRDs that are automatically active +- Active MRDs create corresponding CRDs - Compatible with legacy providers and existing workflows **With safe-start:** -- All MRDs start in `Inactive` state +- All resources become MRDs that start in `Inactive` state - No CRDs until you explicitly activate MRDs - Reduces initial resource overhead and improves performance ```yaml spec: capabilities: - - name: safe-start + - safe-start ``` {{< hint "tip" >}} @@ -79,7 +79,7 @@ Don't use safe-start when: Crossplane supports flexible matching for capability names: * **Exact match**: `safe-start` -* **Case variations**: `safestart`, `safe-start`, `safe-start` +* **Case variations**: `SafeStart`, `safestart`, `safe-start` * **Fuzzy matching**: Handles common spelling variations This flexibility prevents issues when providers use different naming conventions. @@ -180,7 +180,7 @@ metadata: spec: package: registry.example.com/my-provider:v2.0.0 capabilities: - - name: safe-start + - safe-start ``` ### Managed resource definition generation with connection details @@ -305,15 +305,6 @@ kubectl get mrap -o wide kubectl top nodes ``` -## Future capabilities - -The capability system is extendable. Future capabilities might include: - -* **ResourceQuotas** - Automatic resource limit management -* **NetworkPolicies** - Provider-specific network isolation -* **CustomValidation** - Enhanced resource validation -* **TelemetryOpt** - Telemetry and observability features - ## Troubleshooting capabilities ### Common issues