Crossplane aks role assignment to workload clusters (#37)

README.md

@@ -3,9 +3,21 @@
 Until the repo is private you need a ssh deploy key for ArgoCD to clone this repo.
 Obtain the key from the team and place it in `terraform/private_ssh_deploy_key`
 
-Run Terraform:
+Pre-requisites:
+
+- Create a service principal with the following permissions:
+  - Contributor on the subscription
 
+```azurecli
+az ad sp create-for-rbac --name "<service-principal-name>" --role Contributor --scopes /subscriptions/<subscription-id>
 ```
+
+- Fork the repo
+- Update the files cluster-claim.yaml in [dev](./gitops/clusters/crossplane/clusters/my-app-cluster/dev/cluster-claim.yaml) and [stage](./gitops/clusters/crossplane/clusters/my-app-cluster/stage/cluster-claim.yaml) folders for adminUser value as the objectId of the user/group to be designated as the admin for the cluster.
+
+Run Terraform:
+
+```bash
 cd terraform
 terraform init -upgrade
 # the gitops_addons_org needs to be in the git format to use the SSH key until the repo is private
@@ -19,13 +31,56 @@ terraform apply -var infrastructure_provider=crossplane \
 Get the initial admin password and the IP address of the ArgoCD web interface.
 (Wait a few minutes for the LoadBalancer to be created after the Terraform apply)
 
-```
+```kubectl
 kubectl --kubeconfig=kubeconfig get secrets argocd-initial-admin-secret -n argocd --template="{{index .data.password | base64decode}}"
 kubectl get svc -n argocd argo-cd-argocd-server
 ```
 
 In case something goes wrong and you don't find a public IP, connect to the ArgoCD server doing a port forward with kubectl
 
-```
+```kubectl
 kubectl port-forward svc/argo-cd-argocd-server -n argocd 8080:443
-```
+```
+
+Getting the credentials for the Hub Cluster
+
+```azurecli
+az aks get-credentials -n gitops-aks -g aks-gitops
+```
+
+Inspecting the Crossplane objects on the Hub Cluster
+
+```kubectl
+kubectl get AksClusterClaim -A
+kubectl get xaksclusters -A
+```
+
+Deploying apps to the workload clusters
+
+```azurecli
+
+az aks get-credentials -n my-app-cluster-dev -g my-app-cluster-dev
+```
+
+Deploy a sample app using an ArgoCD Application
+
+```kubectl
+kubectl apply -f - <<EOF
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+name: app-of-apps
+namespace: argocd
+spec:
+project: default
+source:    
+    repoURL: https://github.com/Azure-Samples/aks-store-demo.git    
+    targetRevision: HEAD
+    path: kustomize/overlays/dev             
+syncPolicy:
+    automated: {}
+destination:
+    namespace: argocd
+    server: https://kubernetes.default.svc
+EOF
+```

gitops/bootstrap/control-plane/addons/azure/addons-azure-oss-crossplane-upbound.yaml

@@ -72,4 +72,4 @@ spec:
         automated: {}
         syncOptions:
           - CreateNamespace=true
-          - ServerSideApply=true  # Big CRDs.
+          - ServerSideApply=true  # Big CRDs.

gitops/clusters/crossplane/base/cluster/aks-composite-resource-definition.yaml

@@ -218,6 +218,9 @@ spec:
                     description: specifies the tags for the Kubernetes cluster
                     additionalProperties:
                       type: string
+                  adminUser:
+                    type: string
+                    description: specifies the admin user for the Kubernetes cluster                     
                 required:
                   - defaultNodePool
                   - networkProfile
@@ -339,6 +342,19 @@ spec:
                     description: specifies the tags for the virtual network                  
             required:
               - location
+          status:
+            description: Property bag for resource IDs.
+            properties:
+              atProvider:
+                description: keeps the state for the external ids
+                properties:
+                  clusterId:
+                    description: Azure resource ID of the AKS cluster
+                    type: string
+                required:
+                - clusterId
+                type: object
+            type: object
     served: true
     referenceable: true
   claimNames:

gitops/clusters/crossplane/base/cluster/aks-composition.yaml

@@ -148,6 +148,9 @@ spec:
         - type: FromCompositeFieldPath
           fromFieldPath: spec.aks.tags
           toFieldPath: spec.forProvider.tags
+        - type: ToCompositeFieldPath
+          fromFieldPath: status.atProvider.id
+          toFieldPath: status.atProvider.clusterId
     - name: user-node-pool
       base:
         apiVersion: containerservice.azure.upbound.io/v1beta1
@@ -271,6 +274,21 @@ spec:
         - type: FromCompositeFieldPath
           fromFieldPath: spec.resourceGroup.tags
           toFieldPath: spec.forProvider.tags
+    - name: aks-role-assignment
+      base:
+        apiVersion: authorization.azure.upbound.io/v1beta1
+        kind: RoleAssignment
+        spec:
+          forProvider:
+            roleDefinitionName: "Azure Kubernetes Service RBAC Admin"
+            scope: "place-holder"
+      patches:
+        - type: FromCompositeFieldPath
+          fromFieldPath: status.atProvider.clusterId
+          toFieldPath: spec.forProvider.scope
+        - type: FromCompositeFieldPath
+          fromFieldPath: spec.aks.adminUser
+          toFieldPath: spec.forProvider.principalId
     - name: helm-provider-config
       base:
         apiVersion: helm.crossplane.io/v1beta1

gitops/clusters/crossplane/clusters/my-app-cluster/dev/cluster-claim.yaml

@@ -10,6 +10,7 @@ spec:
     name: my-app-cluster-dev-secret
   location: "North Europe"
   aks:
+    adminUser: #<<Insert Here: Object Id of the User>>
     tags:
       environment: dev
   virtualNetwork:

gitops/clusters/crossplane/clusters/my-app-cluster/stage/cluster-claim.yaml

@@ -10,6 +10,7 @@ spec:
     name: my-app-cluster-stage-secret    
   location: "EastUs"
   aks:
+    adminUser: #<<Insert Here: Object Id of the User>>
     tags:
       environment: stage
   virtualNetwork: