36 KiB
title | weight |
---|---|
GCP Quickstart | 140 |
Connect Crossplane to GCP to create and manage cloud resources from Kubernetes with the Upbound GCP Provider.
This guide is in three parts:
- Part 1 walks through installing Crossplane, configuring the provider to authenticate to GCP and creating a Managed Resource in GCP directly from your Kubernetes cluster. This shows Crossplane can communicate with GCP.
- [Part 2]({{< ref "provider-gcp-part-2" >}}) creates a Composite Resource Definition (XRD), Composite Resource (XR) and a Claim (XRC) to show how to create and use custom APIs.
- [Part 3]({{< ref "provider-gcp-part-3" >}}) demonstrates how to patch Compositions with values used in a Claim and how to build a Crossplane Package to make a Crossplane platform portable and reusable.
Prerequisites
This quickstart requires:
- a Kubernetes cluster with at least 6 GB of RAM
- permissions to create pods and secrets in the Kubernetes cluster
- Helm version
v3.2.0
or later - a GCP account with permissions to create a storage bucket
- GCP account keys
- GCP Project ID
Install Crossplane
Crossplane installs into an existing Kubernetes cluster.
{{< hint type="tip" >}} If you don't have a Kubernetes cluster create one locally with Kind. {{< /hint >}}
Install the Crossplane Helm chart
Helm enables Crossplane to install all its Kubernetes components through a Helm Chart.
Enable the Crossplane Helm Chart repository:
helm repo add \
crossplane-stable https://charts.crossplane.io/stable && helm repo update
Run the Helm dry-run to see all the Crossplane components Helm installs.
helm install crossplane \
crossplane-stable/crossplane \
--dry-run --debug \
--namespace crossplane-system \
--create-namespace
{{<expand "View the Helm dry-run" >}}
helm install crossplane \
crossplane-stable/crossplane \
--dry-run --debug \
--namespace crossplane-system \
--create-namespace
install.go:193: [debug] Original chart version: ""
install.go:210: [debug] CHART PATH: /home/vagrant/.cache/helm/repository/crossplane-1.10.1.tgz
NAME: crossplane
LAST DEPLOYED: Thu Jan 19 15:52:08 2023
NAMESPACE: crossplane-system
STATUS: pending-install
REVISION: 1
TEST SUITE: None
USER-SUPPLIED VALUES:
{}
COMPUTED VALUES:
affinity: {}
args: {}
configuration:
packages: []
customAnnotations: {}
customLabels: {}
deploymentStrategy: RollingUpdate
extraEnvVarsCrossplane: {}
extraEnvVarsRBACManager: {}
image:
pullPolicy: IfNotPresent
repository: crossplane/crossplane
tag: v1.10.1
imagePullSecrets: {}
leaderElection: true
metrics:
enabled: false
nodeSelector: {}
packageCache:
medium: ""
pvc: ""
sizeLimit: 5Mi
podSecurityContextCrossplane: {}
podSecurityContextRBACManager: {}
priorityClassName: ""
provider:
packages: []
rbacManager:
affinity: {}
args: {}
deploy: true
leaderElection: true
managementPolicy: All
nodeSelector: {}
replicas: 1
skipAggregatedClusterRoles: false
tolerations: {}
registryCaBundleConfig: {}
replicas: 1
resourcesCrossplane:
limits:
cpu: 100m
memory: 512Mi
requests:
cpu: 100m
memory: 256Mi
resourcesRBACManager:
limits:
cpu: 100m
memory: 512Mi
requests:
cpu: 100m
memory: 256Mi
securityContextCrossplane:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsGroup: 65532
runAsUser: 65532
securityContextRBACManager:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsGroup: 65532
runAsUser: 65532
serviceAccount:
customAnnotations: {}
tolerations: {}
webhooks:
enabled: false
HOOKS:
MANIFEST:
---
# Source: crossplane/templates/rbac-manager-serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: rbac-manager
labels:
app: crossplane
helm.sh/chart: crossplane-1.10.1
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: cloud-infrastructure-controller
app.kubernetes.io/part-of: crossplane
app.kubernetes.io/name: crossplane
app.kubernetes.io/instance: crossplane
app.kubernetes.io/version: "1.10.1"
---
# Source: crossplane/templates/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: crossplane
labels:
app: crossplane
helm.sh/chart: crossplane-1.10.1
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: cloud-infrastructure-controller
app.kubernetes.io/part-of: crossplane
app.kubernetes.io/name: crossplane
app.kubernetes.io/instance: crossplane
app.kubernetes.io/version: "1.10.1"
---
# Source: crossplane/templates/clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: crossplane
labels:
app: crossplane
helm.sh/chart: crossplane-1.10.1
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: cloud-infrastructure-controller
app.kubernetes.io/part-of: crossplane
app.kubernetes.io/name: crossplane
app.kubernetes.io/instance: crossplane
app.kubernetes.io/version: "1.10.1"
aggregationRule:
clusterRoleSelectors:
- matchLabels:
rbac.crossplane.io/aggregate-to-crossplane: "true"
---
# Source: crossplane/templates/clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: crossplane:system:aggregate-to-crossplane
labels:
app: crossplane
helm.sh/chart: crossplane-1.10.1
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: cloud-infrastructure-controller
app.kubernetes.io/part-of: crossplane
app.kubernetes.io/name: crossplane
app.kubernetes.io/instance: crossplane
app.kubernetes.io/version: "1.10.1"
crossplane.io/scope: "system"
rbac.crossplane.io/aggregate-to-crossplane: "true"
rules:
- apiGroups:
- ""
resources:
- events
verbs:
- create
- update
- patch
- delete
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- "*"
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- ""
resources:
- serviceaccounts
- services
verbs:
- "*"
- apiGroups:
- apiextensions.crossplane.io
- pkg.crossplane.io
- secrets.crossplane.io
resources:
- "*"
verbs:
- "*"
- apiGroups:
- extensions
- apps
resources:
- deployments
verbs:
- get
- list
- create
- update
- patch
- delete
- watch
- apiGroups:
- ""
- coordination.k8s.io
resources:
- configmaps
- leases
verbs:
- get
- list
- create
- update
- patch
- watch
- delete
- apiGroups:
- admissionregistration.k8s.io
resources:
- validatingwebhookconfigurations
- mutatingwebhookconfigurations
verbs:
- get
- list
- create
- update
- patch
- watch
- delete
---
# Source: crossplane/templates/rbac-manager-allowed-provider-permissions.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: crossplane:allowed-provider-permissions
labels:
app: crossplane
helm.sh/chart: crossplane-1.10.1
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: cloud-infrastructure-controller
app.kubernetes.io/part-of: crossplane
app.kubernetes.io/name: crossplane
app.kubernetes.io/instance: crossplane
app.kubernetes.io/version: "1.10.1"
aggregationRule:
clusterRoleSelectors:
- matchLabels:
rbac.crossplane.io/aggregate-to-allowed-provider-permissions: "true"
---
# Source: crossplane/templates/rbac-manager-clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: crossplane-rbac-manager
labels:
app: crossplane
helm.sh/chart: crossplane-1.10.1
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: cloud-infrastructure-controller
app.kubernetes.io/part-of: crossplane
app.kubernetes.io/name: crossplane
app.kubernetes.io/instance: crossplane
app.kubernetes.io/version: "1.10.1"
rules:
- apiGroups:
- ""
resources:
- events
verbs:
- create
- update
- patch
- delete
- apiGroups:
- ""
resources:
- namespaces
- serviceaccounts
verbs:
- get
- list
- watch
- apiGroups:
- apiextensions.crossplane.io
resources:
- compositeresourcedefinitions
verbs:
- get
- list
- watch
- apiGroups:
- pkg.crossplane.io
resources:
- providerrevisions
verbs:
- get
- list
- watch
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- get
- list
- watch
- apiGroups:
- rbac.authorization.k8s.io
resources:
- clusterroles
- roles
verbs:
- get
- list
- watch
- create
- update
- patch
# The RBAC manager may grant access it does not have.
- escalate
- apiGroups:
- rbac.authorization.k8s.io
resources:
- clusterroles
verbs:
- bind
- apiGroups:
- rbac.authorization.k8s.io
resources:
- clusterrolebindings
verbs:
- "*"
- apiGroups:
- ""
- coordination.k8s.io
resources:
- configmaps
- leases
verbs:
- get
- list
- create
- update
- patch
- watch
- delete
---
# Source: crossplane/templates/rbac-manager-managed-clusterroles.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: crossplane-admin
labels:
app: crossplane
helm.sh/chart: crossplane-1.10.1
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: cloud-infrastructure-controller
app.kubernetes.io/part-of: crossplane
app.kubernetes.io/name: crossplane
app.kubernetes.io/instance: crossplane
app.kubernetes.io/version: "1.10.1"
aggregationRule:
clusterRoleSelectors:
- matchLabels:
rbac.crossplane.io/aggregate-to-admin: "true"
---
# Source: crossplane/templates/rbac-manager-managed-clusterroles.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: crossplane-edit
labels:
app: crossplane
helm.sh/chart: crossplane-1.10.1
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: cloud-infrastructure-controller
app.kubernetes.io/part-of: crossplane
app.kubernetes.io/name: crossplane
app.kubernetes.io/instance: crossplane
app.kubernetes.io/version: "1.10.1"
aggregationRule:
clusterRoleSelectors:
- matchLabels:
rbac.crossplane.io/aggregate-to-edit: "true"
---
# Source: crossplane/templates/rbac-manager-managed-clusterroles.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: crossplane-view
labels:
app: crossplane
helm.sh/chart: crossplane-1.10.1
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: cloud-infrastructure-controller
app.kubernetes.io/part-of: crossplane
app.kubernetes.io/name: crossplane
app.kubernetes.io/instance: crossplane
app.kubernetes.io/version: "1.10.1"
aggregationRule:
clusterRoleSelectors:
- matchLabels:
rbac.crossplane.io/aggregate-to-view: "true"
---
# Source: crossplane/templates/rbac-manager-managed-clusterroles.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: crossplane-browse
labels:
app: crossplane
helm.sh/chart: crossplane-1.10.1
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: cloud-infrastructure-controller
app.kubernetes.io/part-of: crossplane
app.kubernetes.io/name: crossplane
app.kubernetes.io/instance: crossplane
app.kubernetes.io/version: "1.10.1"
aggregationRule:
clusterRoleSelectors:
- matchLabels:
rbac.crossplane.io/aggregate-to-browse: "true"
---
# Source: crossplane/templates/rbac-manager-managed-clusterroles.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: crossplane:aggregate-to-admin
labels:
rbac.crossplane.io/aggregate-to-admin: "true"
app: crossplane
helm.sh/chart: crossplane-1.10.1
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: cloud-infrastructure-controller
app.kubernetes.io/part-of: crossplane
app.kubernetes.io/name: crossplane
app.kubernetes.io/instance: crossplane
app.kubernetes.io/version: "1.10.1"
rules:
# Crossplane administrators have access to view events.
- apiGroups: [""]
resources: [events]
verbs: [get, list, watch]
# Crossplane administrators must create provider credential secrets, and may
# need to read or otherwise interact with connection secrets. They may also need
# to create or annotate namespaces.
- apiGroups: [""]
resources: [secrets, namespaces]
verbs: ["*"]
# Crossplane administrators have access to view the roles that they may be able
# to grant to other subjects.
- apiGroups: [rbac.authorization.k8s.io]
resources: [clusterroles, roles]
verbs: [get, list, watch]
# Crossplane administrators have access to grant the access they have to other
# subjects.
- apiGroups: [rbac.authorization.k8s.io]
resources: [clusterrolebindings, rolebindings]
verbs: ["*"]
# Crossplane administrators have full access to built in Crossplane types.
- apiGroups:
- apiextensions.crossplane.io
resources: ["*"]
verbs: ["*"]
- apiGroups:
- pkg.crossplane.io
resources: [providers, configurations, providerrevisions, configurationrevisions]
verbs: ["*"]
# Crossplane administrators have access to view CRDs in order to debug XRDs.
- apiGroups: [apiextensions.k8s.io]
resources: [customresourcedefinitions]
verbs: [get, list, watch]
---
# Source: crossplane/templates/rbac-manager-managed-clusterroles.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: crossplane:aggregate-to-edit
labels:
rbac.crossplane.io/aggregate-to-edit: "true"
app: crossplane
helm.sh/chart: crossplane-1.10.1
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: cloud-infrastructure-controller
app.kubernetes.io/part-of: crossplane
app.kubernetes.io/name: crossplane
app.kubernetes.io/instance: crossplane
app.kubernetes.io/version: "1.10.1"
rules:
# Crossplane editors have access to view events.
- apiGroups: [""]
resources: [events]
verbs: [get, list, watch]
# Crossplane editors must create provider credential secrets, and may need to
# read or otherwise interact with connection secrets.
- apiGroups: [""]
resources: [secrets]
verbs: ["*"]
# Crossplane editors may see which namespaces exist, but not edit them.
- apiGroups: [""]
resources: [namespaces]
verbs: [get, list, watch]
# Crossplane editors have full access to built in Crossplane types.
- apiGroups:
- apiextensions.crossplane.io
resources: ["*"]
verbs: ["*"]
- apiGroups:
- pkg.crossplane.io
resources: [providers, configurations, providerrevisions, configurationrevisions]
verbs: ["*"]
---
# Source: crossplane/templates/rbac-manager-managed-clusterroles.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: crossplane:aggregate-to-view
labels:
rbac.crossplane.io/aggregate-to-view: "true"
app: crossplane
helm.sh/chart: crossplane-1.10.1
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: cloud-infrastructure-controller
app.kubernetes.io/part-of: crossplane
app.kubernetes.io/name: crossplane
app.kubernetes.io/instance: crossplane
app.kubernetes.io/version: "1.10.1"
rules:
# Crossplane viewers have access to view events.
- apiGroups: [""]
resources: [events]
verbs: [get, list, watch]
# Crossplane viewers may see which namespaces exist.
- apiGroups: [""]
resources: [namespaces]
verbs: [get, list, watch]
# Crossplane viewers have read-only access to built in Crossplane types.
- apiGroups:
- apiextensions.crossplane.io
resources: ["*"]
verbs: [get, list, watch]
- apiGroups:
- pkg.crossplane.io
resources: [providers, configurations, providerrevisions, configurationrevisions]
verbs: [get, list, watch]
---
# Source: crossplane/templates/rbac-manager-managed-clusterroles.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: crossplane:aggregate-to-browse
labels:
rbac.crossplane.io/aggregate-to-browse: "true"
app: crossplane
helm.sh/chart: crossplane-1.10.1
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: cloud-infrastructure-controller
app.kubernetes.io/part-of: crossplane
app.kubernetes.io/name: crossplane
app.kubernetes.io/instance: crossplane
app.kubernetes.io/version: "1.10.1"
rules:
# Crossplane browsers have access to view events.
- apiGroups: [""]
resources: [events]
verbs: [get, list, watch]
# Crossplane browsers have read-only access to compositions and XRDs. This
# allows them to discover and select an appropriate composition when creating a
# resource claim.
- apiGroups:
- apiextensions.crossplane.io
resources: ["*"]
verbs: [get, list, watch]
---
# Source: crossplane/templates/rbac-manager-managed-clusterroles.yaml
# The below ClusterRoles are aggregated to the namespaced RBAC roles created by
# the Crossplane RBAC manager when it is running in --manage=All mode.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: crossplane:aggregate-to-ns-admin
labels:
rbac.crossplane.io/aggregate-to-ns-admin: "true"
rbac.crossplane.io/base-of-ns-admin: "true"
app: crossplane
helm.sh/chart: crossplane-1.10.1
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: cloud-infrastructure-controller
app.kubernetes.io/part-of: crossplane
app.kubernetes.io/name: crossplane
app.kubernetes.io/instance: crossplane
app.kubernetes.io/version: "1.10.1"
rules:
# Crossplane namespace admins have access to view events.
- apiGroups: [""]
resources: [events]
verbs: [get, list, watch]
# Crossplane namespace admins may need to read or otherwise interact with
# resource claim connection secrets.
- apiGroups: [""]
resources: [secrets]
verbs: ["*"]
# Crossplane namespace admins have access to view the roles that they may be
# able to grant to other subjects.
- apiGroups: [rbac.authorization.k8s.io]
resources: [roles]
verbs: [get, list, watch]
# Crossplane namespace admins have access to grant the access they have to other
# subjects.
- apiGroups: [rbac.authorization.k8s.io]
resources: [rolebindings]
verbs: ["*"]
---
# Source: crossplane/templates/rbac-manager-managed-clusterroles.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: crossplane:aggregate-to-ns-edit
labels:
rbac.crossplane.io/aggregate-to-ns-edit: "true"
rbac.crossplane.io/base-of-ns-edit: "true"
app: crossplane
helm.sh/chart: crossplane-1.10.1
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: cloud-infrastructure-controller
app.kubernetes.io/part-of: crossplane
app.kubernetes.io/name: crossplane
app.kubernetes.io/instance: crossplane
app.kubernetes.io/version: "1.10.1"
rules:
# Crossplane namespace editors have access to view events.
- apiGroups: [""]
resources: [events]
verbs: [get, list, watch]
# Crossplane namespace editors may need to read or otherwise interact with
# resource claim connection secrets.
- apiGroups: [""]
resources: [secrets]
verbs: ["*"]
---
# Source: crossplane/templates/rbac-manager-managed-clusterroles.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: crossplane:aggregate-to-ns-view
labels:
rbac.crossplane.io/aggregate-to-ns-view: "true"
rbac.crossplane.io/base-of-ns-view: "true"
app: crossplane
helm.sh/chart: crossplane-1.10.1
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: cloud-infrastructure-controller
app.kubernetes.io/part-of: crossplane
app.kubernetes.io/name: crossplane
app.kubernetes.io/instance: crossplane
app.kubernetes.io/version: "1.10.1"
rules:
# Crossplane namespace viewers have access to view events.
- apiGroups: [""]
resources: [events]
verbs: [get, list, watch]
---
# Source: crossplane/templates/clusterrolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: crossplane
labels:
app: crossplane
helm.sh/chart: crossplane-1.10.1
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: cloud-infrastructure-controller
app.kubernetes.io/part-of: crossplane
app.kubernetes.io/name: crossplane
app.kubernetes.io/instance: crossplane
app.kubernetes.io/version: "1.10.1"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: crossplane
subjects:
- kind: ServiceAccount
name: crossplane
namespace: crossplane-system
---
# Source: crossplane/templates/rbac-manager-clusterrolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: crossplane-rbac-manager
labels:
app: crossplane
helm.sh/chart: crossplane-1.10.1
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: cloud-infrastructure-controller
app.kubernetes.io/part-of: crossplane
app.kubernetes.io/name: crossplane
app.kubernetes.io/instance: crossplane
app.kubernetes.io/version: "1.10.1"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: crossplane-rbac-manager
subjects:
- kind: ServiceAccount
name: rbac-manager
namespace: crossplane-system
---
# Source: crossplane/templates/rbac-manager-managed-clusterroles.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: crossplane-admin
labels:
app: crossplane
helm.sh/chart: crossplane-1.10.1
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: cloud-infrastructure-controller
app.kubernetes.io/part-of: crossplane
app.kubernetes.io/name: crossplane
app.kubernetes.io/instance: crossplane
app.kubernetes.io/version: "1.10.1"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: crossplane-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: crossplane:masters
---
# Source: crossplane/templates/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: crossplane
labels:
app: crossplane
release: crossplane
helm.sh/chart: crossplane-1.10.1
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: cloud-infrastructure-controller
app.kubernetes.io/part-of: crossplane
app.kubernetes.io/name: crossplane
app.kubernetes.io/instance: crossplane
app.kubernetes.io/version: "1.10.1"
spec:
replicas: 1
selector:
matchLabels:
app: crossplane
release: crossplane
strategy:
type: RollingUpdate
template:
metadata:
labels:
app: crossplane
release: crossplane
helm.sh/chart: crossplane-1.10.1
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: cloud-infrastructure-controller
app.kubernetes.io/part-of: crossplane
app.kubernetes.io/name: crossplane
app.kubernetes.io/instance: crossplane
app.kubernetes.io/version: "1.10.1"
spec:
securityContext:
{}
serviceAccountName: crossplane
initContainers:
- image: crossplane/crossplane:v1.10.1
args:
- core
- init
imagePullPolicy: IfNotPresent
name: crossplane-init
resources:
limits:
cpu: 100m
memory: 512Mi
requests:
cpu: 100m
memory: 256Mi
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsGroup: 65532
runAsUser: 65532
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: POD_SERVICE_ACCOUNT
valueFrom:
fieldRef:
fieldPath: spec.serviceAccountName
containers:
- image: crossplane/crossplane:v1.10.1
args:
- core
- start
imagePullPolicy: IfNotPresent
name: crossplane
resources:
limits:
cpu: 100m
memory: 512Mi
requests:
cpu: 100m
memory: 256Mi
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsGroup: 65532
runAsUser: 65532
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: LEADER_ELECTION
value: "true"
volumeMounts:
- mountPath: /cache
name: package-cache
volumes:
- name: package-cache
emptyDir:
medium:
sizeLimit: 5Mi
---
# Source: crossplane/templates/rbac-manager-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: crossplane-rbac-manager
labels:
app: crossplane-rbac-manager
release: crossplane
helm.sh/chart: crossplane-1.10.1
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: cloud-infrastructure-controller
app.kubernetes.io/part-of: crossplane
app.kubernetes.io/name: crossplane
app.kubernetes.io/instance: crossplane
app.kubernetes.io/version: "1.10.1"
spec:
replicas: 1
selector:
matchLabels:
app: crossplane-rbac-manager
release: crossplane
strategy:
type: RollingUpdate
template:
metadata:
labels:
app: crossplane-rbac-manager
release: crossplane
helm.sh/chart: crossplane-1.10.1
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: cloud-infrastructure-controller
app.kubernetes.io/part-of: crossplane
app.kubernetes.io/name: crossplane
app.kubernetes.io/instance: crossplane
app.kubernetes.io/version: "1.10.1"
spec:
securityContext:
{}
serviceAccountName: rbac-manager
initContainers:
- image: crossplane/crossplane:v1.10.1
args:
- rbac
- init
imagePullPolicy: IfNotPresent
name: crossplane-init
resources:
limits:
cpu: 100m
memory: 512Mi
requests:
cpu: 100m
memory: 256Mi
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsGroup: 65532
runAsUser: 65532
containers:
- image: crossplane/crossplane:v1.10.1
args:
- rbac
- start
- --manage=All
- --provider-clusterrole=crossplane:allowed-provider-permissions
imagePullPolicy: IfNotPresent
name: crossplane
resources:
limits:
cpu: 100m
memory: 512Mi
requests:
cpu: 100m
memory: 256Mi
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsGroup: 65532
runAsUser: 65532
env:
- name: LEADER_ELECTION
value: "true"
NOTES:
Release: crossplane
Chart Name: crossplane
Chart Description: Crossplane is an open source Kubernetes add-on that enables
platform teams to assemble infrastructure from multiple vendors, and expose
higher level self-service APIs for application teams to consume.
Chart Version: 1.10.1
Chart Application Version: 1.10.1
Kube Version: v1.24.9
{{< /expand >}}
Install the Crossplane components using helm install
.
helm install crossplane \
crossplane-stable/crossplane \
--namespace crossplane-system \
--create-namespace
Verify Crossplane installed with kubectl get pods
.
kubectl get pods -n crossplane-system
NAME READY STATUS RESTARTS AGE
crossplane-644f4d5958-97m5v 1/1 Running 0 16s
crossplane-rbac-manager-7f8ccd95f8-nkq78 1/1 Running 0 16s
Installing Crossplane creates new Kubernetes API end-points. Look at the new
API end-points with kubectl api-resources | grep crossplane
.
kubectl api-resources | grep crossplane
compositeresourcedefinitions xrd,xrds apiextensions.crossplane.io/v1 false CompositeResourceDefinition
compositionrevisions apiextensions.crossplane.io/v1alpha1 false CompositionRevision
compositions apiextensions.crossplane.io/v1 false Composition
configurationrevisions pkg.crossplane.io/v1 false ConfigurationRevision
configurations pkg.crossplane.io/v1 false Configuration
controllerconfigs pkg.crossplane.io/v1alpha1 false ControllerConfig
locks pkg.crossplane.io/v1beta1 false Lock
providerrevisions pkg.crossplane.io/v1 false ProviderRevision
providers pkg.crossplane.io/v1 false Provider
storeconfigs secrets.crossplane.io/v1alpha1 false StoreConfig
Install the GCP provider
Install the provider into the Kubernetes cluster with a Kubernetes configuration file.
cat <<EOF | kubectl apply -f -
apiVersion: pkg.crossplane.io/v1
kind: Provider
metadata:
name: upbound-provider-gcp
spec:
package: xpkg.upbound.io/upbound/provider-gcp:v0.28.0
EOF
The {{< hover label="provider" line="3">}}kind: Provider{{< /hover >}} uses the
Crossplane Provider
Custom Resource Definition to connect your Kubernetes
cluster to your cloud provider.
Verify the provider installed with kubectl get providers
.
{{< hint type="note" >}}
It may take up to five minutes for the provider to list HEALTHY
as True
.
{{< /hint >}}
kubectl get providers
NAME INSTALLED HEALTHY PACKAGE AGE
upbound-provider-gcp True True xpkg.upbound.io/upbound/provider-gcp:v0.28.0 107s
A provider installs their own Kubernetes Custom Resource Definitions (CRDs). These CRDs allow you to create GCP resources directly inside Kubernetes.
You can view the new CRDs with kubectl get crds
. Every CRD maps to a unique
GCP service Crossplane can provision and manage.
{{< hint type="tip" >}} See details about all the supported CRDs in the Upbound Marketplace. {{< /hint >}}
Create a Kubernetes secret for GCP
The provider requires credentials to create and manage GCP resources. Providers use a Kubernetes Secret to connect the credentials to the provider.
First generate a Kubernetes Secret from a Google Cloud service account JSON file and then configure the Provider to use it.
{{< hint type="note" >}} Other authentication methods exist and are beyond the scope of this guide. The Provider documentation contains information on alternative authentication methods. {{< /hint >}}
Generate a GCP service account JSON file
For basic user authentication, use a Google Cloud service account JSON file.
{{< hint type="tip" >}} The GCP documentation provides information on how to generate a service account JSON file. {{< /hint >}}
Save this JSON file as gcp-credentials.json
{{< hint type="note" >}} The Configuration section of the Provider documentation describes other authentication methods. {{< /hint >}}
Create a Kubernetes secret with the GCP credentials
A Kubernetes generic secret has a name and contents. Use
{{< hover label="kube-create-secret" line="1">}}kubectl create secret{{< /hover >}}
to generate the secret object named
{{< hover label="kube-create-secret" line="2">}}gcp-secret{{< /hover >}} in the
{{< hover label="kube-create-secret" line="3">}}crossplane-system{{</ hover >}}
namespace.
Use the {{< hover label="kube-create-secret" line="4">}}--from-file={{}}
argument to set the value to the contents of the
{{< hover label="kube-create-secret" line="4">}}gcp-credentials.json{{< /hover >}}
file.
kubectl create secret \
generic gcp-secret \
-n crossplane-system \
--from-file=creds=./gcp-credentials.json
View the secret with kubectl describe secret
{{< hint type="note" >}} The size may be larger if there are extra blank spaces in your JSON file. {{< /hint >}}
kubectl describe secret gcp-secret -n crossplane-system
Name: gcp-secret
Namespace: crossplane-system
Labels: <none>
Annotations: <none>
Type: Opaque
Data
====
creds: 2330 bytes
Create a ProviderConfig
A ProviderConfig
customizes the settings of the GCP Provider.
Apply the {{< hover label="providerconfig" line="2">}}ProviderConfig{{</ hover >}}. Include your {{< hover label="providerconfig" line="7" >}}GCP project ID{{< /hover >}} in the ProviderConfig settings.
{{< hint type="warning" >}}
Find your GCP project ID from the project_id
field of the
gcp-credentials.json
file.
{{< /hint >}}
{{< editCode >}}
cat <<EOF | kubectl apply -f -
apiVersion: gcp.upbound.io/v1beta1
kind: ProviderConfig
metadata:
name: default
spec:
projectID: $@<PROJECT_ID>$@
credentials:
source: Secret
secretRef:
namespace: crossplane-system
name: gcp-secret
key: creds
EOF
{{< /editCode >}}
This attaches the GCP credentials, saved as a Kubernetes secret, as a {{< hover label="providerconfig" line="10">}}secretRef{{</ hover>}}.
The {{< hover label="providerconfig" line="12">}}spec.credentials.secretRef.name{{< /hover >}} value is the name of the Kubernetes secret containing the GCP credentials in the {{< hover label="providerconfig" line="11">}}spec.credentials.secretRef.namespace{{< /hover >}}.
Create a managed resource
A managed resource is anything Crossplane creates and manages outside of the Kubernetes cluster. This creates a GCP storage bucket with Crossplane. The storage bucket is a managed resource.
{{< hint type="note" >}}
To generate a unique name use
{{}}generateName{{}} instead of name
.
{{< /hint >}}
cat <<EOF | kubectl create -f -
apiVersion: storage.gcp.upbound.io/v1beta1
kind: Bucket
metadata:
generateName: crossplane-bucket-
labels:
docs.crossplane.io/example: provider-gcp
spec:
forProvider:
location: US
providerConfigRef:
name: default
EOF
The {{< hover label="xr" line="2">}}apiVersion{{< /hover >}} and {{< hover label="xr" line="3">}}kind{{}} are from the provider's CRDs.
The {{< hover label="xr" line="10">}}spec.forProvider.location{{< /hover >}} tells GCP which GCP region to use when deploying resources. For a {{}}bucket{{}} the region can be any GCP multi-region location
Use kubectl get bucket
to verify Crossplane created the bucket.
{{< hint type="tip" >}}
Crossplane created the bucket when the values READY
and SYNCED
are True
.
This may take up to 5 minutes.
{{< /hint >}}
kubectl get bucket
NAME READY SYNCED EXTERNAL-NAME AGE
crossplane-bucket-8b7gw True True crossplane-bucket-8b7gw 2m2s
Delete the managed resource
Before shutting down your Kubernetes cluster, delete the GCP bucket just created.
Use kubectl delete bucket
to remove the bucket.
{{<hint "tip" >}}
Use the --selector
flag to delete by label instead of by name.
{{}}
kubectl delete bucket --selector docs.crossplane.io/example=provider-gcp
bucket.storage.gcp.upbound.io "crossplane-bucket-8b7gw" deleted
Next steps
- [Continue to part 2]({{< ref "provider-gcp-part-2">}}) to create a Crossplane Composite Resource and Claim.
- Explore GCP resources that can Crossplane can configure in the Provider CRD reference.
- Join the Crossplane Slack and connect with Crossplane users and contributors.