From 6dae065737c05a3137e50233826866072e731ea0 Mon Sep 17 00:00:00 2001
From: Bychkov
Date: Mon, 15 May 2023 17:10:14 +0300
Subject: [PATCH] crossplane-aws flow

---
 crossplane/aws/README.md | 121 ++++++++++++++++++++++
 crossplane/aws/aws-credentials.txt | 3 +
 crossplane/aws/crossplane-provider.yaml | 6 ++
 crossplane/aws/ignition-command.txt | 9 ++
 crossplane/aws/instance.yaml | 60 +++++++++++
 crossplane/aws/internet-gateway.yaml | 11 ++
 crossplane/aws/provider-config.yaml | 11 ++
 crossplane/aws/security-group-role.yaml | 127 ++++++++++++++++++++++++
 crossplane/aws/security-group.yaml | 12 +++
 crossplane/aws/startup-script.sh | 15 +++
 crossplane/aws/subnet.yaml | 41 ++++++++
 crossplane/aws/vpc.yaml | 10 ++
 12 files changed, 426 insertions(+)
 create mode 100644 crossplane/aws/README.md
 create mode 100644 crossplane/aws/aws-credentials.txt
 create mode 100644 crossplane/aws/crossplane-provider.yaml
 create mode 100644 crossplane/aws/ignition-command.txt
 create mode 100644 crossplane/aws/instance.yaml
 create mode 100644 crossplane/aws/internet-gateway.yaml
 create mode 100644 crossplane/aws/provider-config.yaml
 create mode 100644 crossplane/aws/security-group-role.yaml
 create mode 100644 crossplane/aws/security-group.yaml
 create mode 100644 crossplane/aws/startup-script.sh
 create mode 100644 crossplane/aws/subnet.yaml
 create mode 100644 crossplane/aws/vpc.yaml

diff --git a/crossplane/aws/README.md b/crossplane/aws/README.md
new file mode 100644
index 000000000..87835f20b
--- /dev/null
+++ b/crossplane/aws/README.md
@@ -0,0 +1,121 @@
+# Connect Crossplane to AWS
+
+Crossplane installs into an existing Kubernetes cluster.
+If you don’t have a Kubernetes cluster create one locally with Kind.
+
+### Install the Crossplane Helm chart
+Helm enables Crossplane to install all its Kubernetes components through a Helm Chart.
+Enable the Crossplane Helm Chart repository:
+
+```
+helm repo add \
+crossplane-stable https://charts.crossplane.io/stable
+helm repo update
+```
+
+Install the Crossplane components:
+
+```
+helm install crossplane \
+crossplane-stable/crossplane \
+--namespace crossplane-system \
+--create-namespace
+```
+
+Verify Crossplane installed with kubectl get pods ```kubectl get pods -n crossplane-system```.
+
+# Install the AWS provider
+
+Install the provider into the Kubernetes cluster with a Kubernetes configuration file.
+```
+kubectl apply -f crossplane-provider.yaml
+```
+
+Verify the provider installed with ```kubectl get providers```.
+
+It may take up to five minutes for the provider to list HEALTHY as True.
+
+```
+NAME INSTALLED HEALTHY PACKAGE AGE
+upbound-provider-aws True True xpkg.upbound.io/upbound/provider-aws:v0.34.0 12m
+```
+
+A provider installs their own Kubernetes Custom Resource Definitions (CRDs). These CRDs allow you to create AWS resources directly inside Kubernetes.
+
+You can view the new CRDs with ```kubectl get crds```
+
+## Generate an AWS key-pair file
+For basic user authentication, use an AWS Access keys key-pair file.
+
+In [aws-credentials.txt](aws-credentials.txt) replace `````` and `````` with your data.
+
+Use kubectl create secret to generate the secret object named aws-secret in the crossplane-system namespace.
+Use the --from-file= argument to set the value to the contents of the aws-credentials.txt file.
+```
+kubectl create secret \
+generic aws-secret \
+-n crossplane-system \
+--from-file=creds=./aws-credentials.txt
+```
+
+View the secret with ```kubectl describe secret aws-secret -n crossplane-system```
+
+## Create a ProviderConfig
+A ProviderConfig customizes the settings of the AWS Provider.
+Apply the ProviderConfig with the command
+```
+kubectl apply -f provider-config.yaml
+```
+
+## Cassandra spin up with Crossplane
+
+### Create Cassandra On-premise cluster
+In the Instaclustr Console create a Cassandra On-Premise cluster.
+
+### Create AWS resources
+
+VPC
+```
+kubectl apply -f vpc.yaml
+```
+
+Internet Gateway
+```
+kubectl apply -f internet-gateway.yaml
+```
+
+Subnets
+```
+kubectl apply -f subnet.yaml
+```
+
+Security Group
+```
+kubectl apply -f security-group.yaml
+```
+
+Roles for Security Group
+```
+kubectl apply -f security-group-role.yaml
+```
+
+Paste your ssh into ```SSH_PUB_KEY``` in [startup-script.sh](startup-script.sh) and generate binary of this file:
+```
+cat startup-script.sh | base64 -w0
+```
+Paste generated binary into each ```userDataBase64``` field in [instance.yaml](instance.yaml) manifests.
+
+Create instances
+```
+kubectl apply -f instance.yaml
+```
+
+In the AWS Console -> VPC -> Route tables -> Edit routes -> add your [internet-gateway](internet-gateway.yaml) (Destination - 0.0.0.0/0).
+
+Get Private and Public IPs from instances and put into [ignition commands](ignition-command.txt).
+
+Run [ignition-commands](ignition-command.txt) in icadmnin. Take care to ensure that the right IPs are assigned to the right nodes and importantly are in the right rack
+For each node, get the ignition scripts from Zendesk, add them to each instance accordingly, and make them executable.
+
+Run the ignition scripts as a root and after that we should have a functioning Cassandra cluster.
+
diff --git a/crossplane/aws/aws-credentials.txt b/crossplane/aws/aws-credentials.txt
new file mode 100644
index 000000000..f652ea6f8
--- /dev/null
+++ b/crossplane/aws/aws-credentials.txt
@@ -0,0 +1,3 @@
+[default]
+aws_access_key_id =
+aws_secret_access_key =
diff --git a/crossplane/aws/crossplane-provider.yaml b/crossplane/aws/crossplane-provider.yaml
new file mode 100644
index 000000000..a2b60d0d3
--- /dev/null
+++ b/crossplane/aws/crossplane-provider.yaml
@@ -0,0 +1,6 @@
+apiVersion: pkg.crossplane.io/v1
+kind: Provider
+metadata:
+ name: upbound-provider-aws
+spec:
+ package: xpkg.upbound.io/upbound/provider-aws:v0.33.0
diff --git a/crossplane/aws/ignition-command.txt b/crossplane/aws/ignition-command.txt
new file mode 100644
index 000000000..8ff8dc8b0
--- /dev/null
+++ b/crossplane/aws/ignition-command.txt
@@ -0,0 +1,9 @@
+icadmin riemaint create $CLUSTER_ID all -t 196h -m "provisioning on prem cluster"
+
+icadmin node modify --private-address 192.168.1.example c052fe4d-6dce-4b2c-b89c-exampleNodeID
+icadmin node modify --private-address 192.168.2.example af0fff66-3847-4002-8531-example
+icadmin node modify --private-address 192.168.3.example 9737a4c9-04d8-405e-b787-example
+
+icadmin node modify --public-address 3.81.example.103 c052fe4d-6dce-4b2c-b89c-exampleNodeID
+icadmin node modify --public-address 44.214.example.64 af0fff66-3847-4002-8531-example
+icadmin node modify --public-address 44.212.example.220 9737a4c9-04d8-405e-b787-example
diff --git a/crossplane/aws/instance.yaml b/crossplane/aws/instance.yaml
new file mode 100644
index 000000000..ad683fd32
--- /dev/null
+++ b/crossplane/aws/instance.yaml
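Review bot: This file is tracked with empty values while the README tells the reader to fill in their access key id and secret in place, so a real key pair is one `git add` away from being committed. Ship it as a template (e.g. `aws-credentials.txt.example`, with the README copying it first) or add `crossplane/aws/aws-credentials.txt` to `.gitignore`, and have the README say the file should be removed once `kubectl create secret` has consumed it. A leading comment such as `# Template only - never commit this file with real values; it is read once by kubectl create secret` would make the intent visible in the file itself. Static long-lived access keys are also the weakest credential source; the Upbound provider supports IRSA for in-cluster identity, which is worth a pointer in the README.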
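Review bot: The pinned package `xpkg.upbound.io/upbound/provider-aws:v0.33.0` does not match the `v0.34.0` shown in the README's expected `kubectl get providers` output, so a reader following the docs will think their install drifted; align the two. A mutable tag is also a weak supply-chain pin for a provider that runs with the cluster's AWS credentials; Crossplane accepts OCI digest references, so `package: xpkg.upbound.io/upbound/provider-aws:v0.33.0@sha256:<digest-placeholder>` would make the artifact immutable. A one-line comment above `package:` noting that the README's sample output must be updated together with this tag would keep them from diverging again.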
@@ -0,0 +1,60 @@
+apiVersion: ec2.aws.upbound.io/v1beta1
+kind: Instance
+metadata:
+ labels:
+ instance-group: debian
+ instance: debian-1
+ name: debian-1-test
+spec:
+ forProvider:
+ ami: ami-0fec2c2e2017f4e7b
+ instanceType: i3en.xlarge
+ region: us-east-1
+ associatePublicIpAddress: true
+ userDataBase64: exampleT0ic3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUFBREFRQUJBQUFCZ1FEczZmaCt4SXNmRTVUanhCcUZpVitiMXlDRn
+ tenancy: default
+ subnetIdRef:
+ name: debian-subnet-st-a
+ vpcSecurityGroupIdRefs:
+ - name: debian-sg-test
+---
+apiVersion: ec2.aws.upbound.io/v1beta1
+kind: Instance
+metadata:
+ labels:
+ instance-group: debian
+ instance: debian-2
+ name: debian-2-test
+spec:
+ forProvider:
+ ami: ami-0fec2c2e2017f4e7b
+ instanceType: i3en.xlarge
+ region: us-east-1
+ associatePublicIpAddress: true
+ userDataBase64: exampleT0ic3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUFBREFRQUJBQUFCZ1FEczZmaCt4SXNmRTVUanhCcUZpVitiMXlDRn
+ tenancy: default
+ subnetIdRef:
+ name: debian-subnet-st-b
+ vpcSecurityGroupIdRefs:
+ - name: debian-sg-test
+---
+apiVersion: ec2.aws.upbound.io/v1beta1
+kind: Instance
+metadata:
+ labels:
+ instance-group: debian
+ instance: debian-3
+ name: debian-3-test
+spec:
+ forProvider:
+ ami: ami-0fec2c2e2017f4e7b
+ instanceType: i3en.xlarge
+ region: us-east-1
+ associatePublicIpAddress: true
+ userDataBase64: exampleT0ic3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUFBREFRQUJBQUFCZ1FEczZmaCt4SXNmRTVUanhCcUZpVitiMXlDRn
+ tenancy: default
+ subnetIdRef:
+ name: debian-subnet-st-c
+ vpcSecurityGroupIdRefs:
+ - name: debian-sg-test
+---
diff --git a/crossplane/aws/internet-gateway.yaml b/crossplane/aws/internet-gateway.yaml
new file mode 100644
index 000000000..88f3417bf
--- /dev/null
+++ b/crossplane/aws/internet-gateway.yaml
@@ -0,0 +1,11 @@
+apiVersion: ec2.aws.upbound.io/v1beta1
+kind: InternetGateway
+metadata:
+ labels:
+ instance-group: debian
+ name: debian-igw-test
+spec:
+ forProvider:
+ region: us-east-1
+ vpcIdRef:
+ name: debian-vpc-test-crossplane
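Review bot: `userDataBase64` is where the README has the reader paste the base64 of startup-script.sh, and that script carries a password (`NEW_PASS`) alongside the SSH keys; EC2 user data is not a secret store, it is readable by any process on the host through the instance metadata service and by anyone with `ec2:DescribeInstanceAttribute`, so credentials must not travel this way. Keep only public keys in user data (an EC2 key pair via `keyName` would remove the SSH part of the script altogether) and drop the password step, with a comment above each `userDataBase64:` such as `# base64 of startup-script.sh - public keys only, user data is readable from IMDS`. The three manifests differ only in `instance`, `name` and `subnetIdRef`, which is the case a Crossplane Composition exists for; at minimum a header comment recording that each Instance is placed in a different AZ subnet (a/b/c) so the nodes land in different racks would document the intent. `associatePublicIpAddress: true` on all three nodes also makes the `0.0.0.0/0` rules in security-group-role.yaml reachable from the internet, so the two files need to be reviewed together.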
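Review bot: The gateway is declared here but the README then sends the reader to the AWS console to add the `0.0.0.0/0` route by hand, which leaves the one piece of routing state outside Crossplane's reconciliation and will be silently lost if the route table is recreated. The provider's `RouteTable`, `Route` and `RouteTableAssociation` kinds under `ec2.aws.upbound.io/v1beta1` (verify the exact names against the installed CRDs with `kubectl get crds`) let the default route and the three subnet associations be declared next to this object, so the manual step can be deleted from the README. A comment above `vpcIdRef:` saying the gateway is only useful once a route table points `0.0.0.0/0` at it would at least tell the next reader why the console step exists.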
diff --git a/crossplane/aws/provider-config.yaml b/crossplane/aws/provider-config.yaml
new file mode 100644
index 000000000..f3c69b1c4
--- /dev/null
+++ b/crossplane/aws/provider-config.yaml
@@ -0,0 +1,11 @@
+apiVersion: aws.upbound.io/v1beta1
+kind: ProviderConfig
+metadata:
+ name: default
+spec:
+ credentials:
+ source: Secret
+ secretRef:
+ namespace: crossplane-system
+ name: aws-secret
+ key: creds
diff --git a/crossplane/aws/security-group-role.yaml b/crossplane/aws/security-group-role.yaml
new file mode 100644
index 000000000..cd9d5adbd
--- /dev/null
+++ b/crossplane/aws/security-group-role.yaml
@@ -0,0 +1,127 @@
+apiVersion: ec2.aws.upbound.io/v1beta1
+kind: SecurityGroupRule
+metadata:
+ name: debian-sg-ssh-test
+spec:
+ forProvider:
+ cidrBlocks:
+ - 145.224.105.172/32
+ region: us-east-1
+ protocol: tcp
+ fromPort: 22
+ toPort: 22
+ securityGroupIdRef:
+ name: debian-sg-test
+ type: ingress
+---
+apiVersion: ec2.aws.upbound.io/v1beta1
+kind: SecurityGroupRule
+metadata:
+ name: debian-sg-cqlsh-test
+spec:
+ forProvider:
+ cidrBlocks:
+ - 145.224.105.172/32
+ region: us-east-1
+ protocol: tcp
+ fromPort: 9042
+ toPort: 9042
+ securityGroupIdRef:
+ name: debian-sg-test
+ type: ingress
+---
+apiVersion: ec2.aws.upbound.io/v1beta1
+kind: SecurityGroupRule
+metadata:
+ name: debian-sg-internode-test
+spec:
+ forProvider:
+ cidrBlocks:
+ - 0.0.0.0/0
+ region: us-east-1
+ protocol: tcp
+ fromPort: 7000
+ toPort: 7000
+ securityGroupIdRef:
+ name: debian-sg-test
+ type: ingress
+---
+apiVersion: ec2.aws.upbound.io/v1beta1
+kind: SecurityGroupRule
+metadata:
+ name: debian-sg-ssl-test
+spec:
+ forProvider:
+ cidrBlocks:
+ - 0.0.0.0/0
+ region: us-east-1
+ protocol: tcp
+ fromPort: 7001
+ toPort: 7001
+ securityGroupIdRef:
+ name: debian-sg-test
+ type: ingress
+---
+apiVersion: ec2.aws.upbound.io/v1beta1
+kind: SecurityGroupRule
+metadata:
+ name: debian-sg-jmx-test
+spec:
+ forProvider:
+ cidrBlocks:
+ - 0.0.0.0/0
+ region: us-east-1
+ protocol: tcp
+ fromPort: 7199
+ toPort: 7199
+ securityGroupIdRef:
+ name: debian-sg-test
+ type: ingress
+---
+apiVersion: ec2.aws.upbound.io/v1beta1
+kind: SecurityGroupRule
+metadata:
+ name: debian-sg-thrift-test
+spec:
+ forProvider:
+ cidrBlocks:
+ - 0.0.0.0/0
+ region: us-east-1
+ protocol: tcp
+ fromPort: 9160
+ toPort: 9160
+ securityGroupIdRef:
+ name: debian-sg-test
+ type: ingress
+---
+apiVersion: ec2.aws.upbound.io/v1beta1
+kind: SecurityGroupRule
+metadata:
+ name: debian-sg-nodeagent-test
+spec:
+ forProvider:
+ cidrBlocks:
+ - 0.0.0.0/0
+ region: us-east-1
+ protocol: tcp
+ fromPort: 8000
+ toPort: 8000
+ 
securityGroupIdRef:
+ name: debian-sg-test
+ type: ingress
+---
+apiVersion: ec2.aws.upbound.io/v1beta1
+kind: SecurityGroupRule
+metadata:
+ name: debian-sg-outbound-test
+spec:
+ forProvider:
+ cidrBlocks:
+ - 0.0.0.0/0
+ region: us-east-1
+ protocol: tcp
+ fromPort: 0
+ toPort: 65535
+ securityGroupIdRef:
+ name: debian-sg-test
+ type: egress
diff --git a/crossplane/aws/security-group.yaml b/crossplane/aws/security-group.yaml
new file mode 100644
index 000000000..fcf3aae5d
--- /dev/null
+++ b/crossplane/aws/security-group.yaml
@@ -0,0 +1,12 @@
+apiVersion: ec2.aws.upbound.io/v1beta1
+kind: SecurityGroup
+metadata:
+ labels:
+ instance-group: debian
+ name: debian-sg-test
+spec:
+ forProvider:
+ name: debian-sg-test
+ region: us-east-1
+ vpcIdRef:
+ name: debian-vpc-test-crossplane
diff --git a/crossplane/aws/startup-script.sh b/crossplane/aws/startup-script.sh
new file mode 100644
index 000000000..cbc78ee47
--- /dev/null
+++ b/crossplane/aws/startup-script.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+export NEW_PASS="qwerty12345"
+export SSH_PUB_KEY="ssh-rsa example_base64"
+export BOOTSTRAP_SSH_KEY="ssh-rsa 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 debian"
+
+echo "admin:$NEW_PASS" | chpasswd
+echo "root:$NEW_PASS" | sudo chpasswd root
+sudo echo "$SSH_PUB_KEY" >> /home/admin/.ssh/authorized_keys
+sudo echo "$BOOTSTRAP_SSH_KEY" >> /home/admin/.ssh/authorized_keys
+sudo chown -R admin: /home/admin/.ssh
+sudo cp /usr/share/doc/apt/examples/sources.list /etc/apt/sources.list
+device=$(lsblk -dfn -o NAME,PTUUID,FSTYPE | awk '$2 == "" && $3 == "" {print $1}')
+sudo mkfs -t ext4 /dev/"${device}"
+END
diff --git a/crossplane/aws/subnet.yaml b/crossplane/aws/subnet.yaml
new file mode 100644
index 000000000..d8dc6f87d
--- /dev/null
+++ b/crossplane/aws/subnet.yaml
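Review bot: The `debian-sg-internode-test`, `debian-sg-ssl-test`, `debian-sg-jmx-test`, `debian-sg-thrift-test` and `debian-sg-nodeagent-test` rules open ports 7000, 7001, 7199, 9160 and 8000 to `0.0.0.0/0`, and the instances in instance.yaml are created with public IPs, so Cassandra's internode/gossip traffic and its JMX management port are reachable from the whole internet while only SSH and CQL were scoped to a /32. The VPC is `192.168.0.0/16` (vpc.yaml), so each of those five `cidrBlocks` entries should become `- 192.168.0.0/16`, or better drop `cidrBlocks` and reference the group itself with `sourceSecurityGroupIdRef: {name: debian-sg-test}` (confirm the field name against the installed SecurityGroupRule CRD) so only members of the group can talk to each other. The egress rule is `protocol: tcp` only, which blocks UDP DNS and NTP from the hosts; the usual allow-all egress is `protocol: "-1"` with `fromPort: 0` and `toPort: 0`. The file is named security-group-role.yaml but every object is a `SecurityGroupRule`; renaming it to security-group-rules.yaml (and the README reference) avoids confusion with IAM roles.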
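Review bot: `export NEW_PASS="qwerty12345"` sets a fixed, weak password on both `admin` and `root`, and because this script is shipped as EC2 user data it is readable by any process on the host through the instance metadata service, so the password is effectively public the moment the instance boots; drop the password step and rely on the SSH keys the script already installs. Several lines also do not do what they look like: `sudo echo "$SSH_PUB_KEY" >> /home/admin/.ssh/authorized_keys` runs the redirection in the calling shell, so sudo adds nothing (and under user data the script is already root, so every `sudo` is redundant); `chpasswd root` passes a positional argument that, as far as I know, chpasswd rejects since it reads `user:password` pairs from stdin; `/home/admin/.ssh` is assumed to exist; and the trailing `END` line is not a shell command and will fail as a command-not-found (it looks like a leftover heredoc terminator). The `device=$(lsblk …)` heuristic can return nothing or several names, in which case `mkfs` is pointed at `/dev/` or a multi-line path, so it should be checked before formatting. The rewrite below keeps the same steps with those corrected.
```shell
#!/bin/bash
set -euo pipefail

# Public keys only: this script travels in EC2 user data, which any process on the
# host can read from the instance metadata service, so no password may be embedded here.
export SSH_PUB_KEY="ssh-rsa example_base64"
export BOOTSTRAP_SSH_KEY="ssh-rsa <BOOTSTRAP_PUBLIC_KEY_PLACEHOLDER> debian"

# User data already runs as root, so no sudo; create ~/.ssh with the right mode
# instead of assuming it exists, and append (not sudo-echo) the keys.
install -d -m 700 /home/admin/.ssh
printf '%s\n' "$SSH_PUB_KEY" "$BOOTSTRAP_SSH_KEY" >> /home/admin/.ssh/authorized_keys
chmod 600 /home/admin/.ssh/authorized_keys
chown -R admin: /home/admin/.ssh
# … unchanged: sources.list copy …
# Only format when exactly one disk has neither a partition table nor a filesystem.
device=$(lsblk -dfn -o NAME,PTUUID,FSTYPE | awk '$2 == "" && $3 == "" {print $1}')
if [ -z "$device" ] || [ "$(printf '%s\n' "$device" | wc -l)" -ne 1 ]; then
  echo "expected exactly one unformatted, unpartitioned disk, got: '$device'" >&2
  exit 1
fi
mkfs -t ext4 "/dev/${device}"
```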
@@ -0,0 +1,41 @@
+apiVersion: ec2.aws.upbound.io/v1beta1
+kind: Subnet
+metadata:
+ labels:
+ instance-group: debian
+ name: debian-subnet-st-a
+spec:
+ forProvider:
+ availabilityZone: us-east-1a
+ cidrBlock: 192.168.1.0/24
+ region: us-east-1
+ vpcIdRef:
+ name: debian-vpc-test-crossplane
+---
+apiVersion: ec2.aws.upbound.io/v1beta1
+kind: Subnet
+metadata:
+ labels:
+ instance-group: debian
+ name: debian-subnet-st-b
+spec:
+ forProvider:
+ availabilityZone: us-east-1b
+ cidrBlock: 192.168.2.0/24
+ region: us-east-1
+ vpcIdRef:
+ name: debian-vpc-test-crossplane
+---
+apiVersion: ec2.aws.upbound.io/v1beta1
+kind: Subnet
+metadata:
+ labels:
+ instance-group: debian
+ name: debian-subnet-st-c
+spec:
+ forProvider:
+ availabilityZone: us-east-1c
+ cidrBlock: 192.168.3.0/24
+ region: us-east-1
+ vpcIdRef:
+ name: debian-vpc-test-crossplane
diff --git a/crossplane/aws/vpc.yaml b/crossplane/aws/vpc.yaml
new file mode 100644
index 000000000..a9f30c785
--- /dev/null
+++ b/crossplane/aws/vpc.yaml
@@ -0,0 +1,10 @@
+apiVersion: ec2.aws.upbound.io/v1beta1
+kind: VPC
+metadata:
+ labels:
+ instance-group: debian
+ name: debian-vpc-test-crossplane
+spec:
+ forProvider:
+ cidrBlock: 192.168.0.0/16
+ region: us-east-1