{"id":21126459,"url":"https://github.com/lreimer/k8s-native-iac","last_synced_at":"2025-07-08T23:32:04.636Z","repository":{"id":45756048,"uuid":"514399084","full_name":"lreimer/k8s-native-iac","owner":"lreimer","description":"Demo repository for K8s-native Infrastructure as Code.","archived":false,"fork":false,"pushed_at":"2024-03-28T07:42:22.000Z","size":115,"stargazers_count":6,"open_issues_count":0,"forks_count":2,"subscribers_count":2,"default_branch":"main","last_synced_at":"2024-03-28T13:58:29.967Z","etag":null,"topics":["ack","cluster-api","crossplane","devops","infrastructure-as-code","k8s","kubernetes","operator-sdk","pulumi"],"latest_commit_sha":null,"homepage":"","language":"Makefile","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/lreimer.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2022-07-15T20:37:13.000Z","updated_at":"2024-03-28T13:58:29.968Z","dependencies_parsed_at":"2024-03-27T14:05:18.303Z","dependency_job_id":null,"html_url":"https://github.com/lreimer/k8s-native-iac","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lreimer%2Fk8s-native-iac","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lreimer%2Fk8s-native-iac/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lreimer%2Fk8s-native-iac/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lreimer%2Fk8s-native-iac/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/
owners/lreimer","download_url":"https://codeload.github.com/lreimer/k8s-native-iac/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":225470828,"owners_count":17479367,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ack","cluster-api","crossplane","devops","infrastructure-as-code","k8s","kubernetes","operator-sdk","pulumi"],"created_at":"2024-11-20T04:41:56.672Z","updated_at":"2024-11-20T04:41:57.466Z","avatar_url":"https://github.com/lreimer.png","language":"Makefile","funding_links":[],"categories":[],"sub_categories":[],"readme":"# kubectl apply -f cloud-infrastructure.yaml with Crossplane et al.\n\nDemo repository for Kubernetes-native infrastructure as code showcases, including Pulumi Operator, Crossplane, AWS Controllers for Kubernetes (ACK) and Cluster API.\n\n## Bootstrapping\n\n```bash\n# define the required ENV variables for the next steps to work\nexport AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)\nexport GITHUB_USER=lreimer\nexport GITHUB_TOKEN=\u003cyour-token\u003e\n\n# set up a GKE cluster with Flux2 for the Crossplane and Pulumi demos\nmake create-gke-cluster\nmake bootstrap-gke-flux2\n\n# set up an EKS cluster with Flux2 for the ACK demos\nmake create-eks-cluster\nmake bootstrap-eks-flux2\n\n# modify the Flux kustomization and add\n# - cluster-sync.yaml\n\n# tear down both clusters when you are done\nmake destroy-clusters\n```\n\n## Custom Operator Demo\n\nA custom AWS ECR operator can be built easily using the Operator SDK.\n\n```bash\n# check out the following Git repository\ngit clone 
https://github.com/lreimer/aws-ecr-operator\ncd aws-ecr-operator\nmake docker-build\nmake deploy\n\n# try to create an ECR repository and clean up afterwards\nkubectl apply -k config/samples\nkubectl delete -k config/samples\n\n# or use the local sample manifest\nkubectl apply -f custom/repository.yaml\n```\n\n## Google ConfigConnector Demo\n\nThe ConfigConnector add-on for GKE allows the declarative management of other GCP cloud resources such as SQL instances or storage buckets. However, after installation it needs to be configured for it to work correctly.\n\n```yaml\nkind: Namespace\napiVersion: v1\nmetadata:\n  name: config-connector\n  annotations:\n    # required to configure Config Connector with the Google Cloud project ID\n    cnrm.cloud.google.com/project-id: cloud-native-experience-lab\n---\napiVersion: core.cnrm.cloud.google.com/v1beta1\nkind: ConfigConnector\nmetadata:\n  # the name is restricted to ensure that there is only one\n  # ConfigConnector resource installed in your cluster\n  name: configconnector.core.cnrm.cloud.google.com\n  namespace: cnrm-system\nspec:\n  mode: cluster\n  # the Google service account Config Connector uses to manage GCP resources\n  googleServiceAccount: \"cloud-native-explab@cloud-native-experience-lab.iam.gserviceaccount.com\"\n```\n\n```bash\n# the namespace annotation tells Config Connector which project to create resources in\nkubectl annotate namespace default cnrm.cloud.google.com/project-id=\"cloud-native-experience-lab\"\n\ncd applications/gke-cluster/\nkubectl apply -f config-connector/storagebucket.yaml\n\nkubectl get storagebucket -n config-connector\nkubectl describe storagebucket k8s-native-iac-lab-demo -n config-connector\n\ngcloud storage buckets list\nopen https://console.cloud.google.com/storage/browser?project=cloud-native-experience-lab\n\nkubectl delete -f config-connector/storagebucket.yaml\ngcloud storage buckets list\n```\n\n## AWS Controllers for Kubernetes (ACK) Demo\n\nThe AWS Controllers for Kubernetes are a lightweight, AWS-only option to provision cloud infrastructure the K8s-native way.\n\n```bash\nexport ACK_SYSTEM_NAMESPACE=ack-system\nexport AWS_REGION=eu-north-1\nexport 
AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query \"Account\" --output text)\nexport OIDC_PROVIDER=$(aws eks describe-cluster --name eks-k8s-iac-cluster --region $AWS_REGION --query \"cluster.identity.oidc.issuer\" --output text | sed -e \"s/^https:\\/\\///\")\n\ncd applications/eks-cluster/\n\n# we need to log in to the public chart ECR\n# note: the ECR Public API is only served from us-east-1, regardless of the cluster region\naws ecr-public get-login-password --region us-east-1 | helm registry login --username AWS --password-stdin public.ecr.aws\n\n# install the S3 controller\nhelm install -n $ACK_SYSTEM_NAMESPACE ack-s3-controller \\\n    oci://public.ecr.aws/aws-controllers-k8s/s3-chart --version=1.0.7 --set=aws.region=$AWS_REGION\nkubectl get all -n ack-system\n\n# set up IAM permissions and IRSA\n# the trust policy template restricts the role to the controller's service account via the OIDC provider\nenvsubst \u003c ack/s3/ack-s3-controller-trust.tpl \u003e ack/s3/ack-s3-controller-trust.json\naws iam create-role \\\n    --role-name ack-s3-controller-k8s-iac-cluster-eu-north-1 \\\n    --assume-role-policy-document file://ack/s3/ack-s3-controller-trust.json \\\n    --description \"IRSA role for ACK S3 controller\"\n# demo only: the managed FullAccess policy is far broader than the controller needs, scope it down outside a lab\naws iam attach-role-policy \\\n    --role-name ack-s3-controller-k8s-iac-cluster-eu-north-1 \\\n    --policy-arn arn:aws:iam::aws:policy/AmazonS3FullAccess\n\nexport ACK_CONTROLLER_IAM_ROLE_ARN=$(aws iam get-role --role-name=ack-s3-controller-k8s-iac-cluster-eu-north-1 --query Role.Arn --output text)\nexport IRSA_ROLE_ARN=eks.amazonaws.com/role-arn=$ACK_CONTROLLER_IAM_ROLE_ARN\nkubectl annotate serviceaccount -n ack-system ack-s3-controller $IRSA_ROLE_ARN\nkubectl -n ack-system rollout restart deployment ack-s3-controller-s3-chart\n\n# see https://github.com/aws-controllers-k8s/s3-controller/tree/main/test/e2e/resources\nkubectl apply -f ack/s3/bucket.yaml\nkubectl get buckets\naws s3 ls\nkubectl delete -f ack/s3/bucket.yaml\naws s3 ls\n\n# install the ECR controller\nhelm install -n $ACK_SYSTEM_NAMESPACE ack-ecr-controller \\\n    oci://public.ecr.aws/aws-controllers-k8s/ecr-chart --version=1.0.10 --set=aws.region=$AWS_REGION\nkubectl get 
all -n ack-system\n\nenvsubst \u003c ack/ecr/ack-ecr-controller-trust.tpl \u003e ack/ecr/ack-ecr-controller-trust.json\naws iam create-role \\\n    --role-name ack-ecr-controller-k8s-iac-cluster-eu-north-1 \\\n    --assume-role-policy-document file://ack/ecr/ack-ecr-controller-trust.json \\\n    --description \"IRSA role for ACK ECR controller\"\naws iam attach-role-policy \\\n    --role-name ack-ecr-controller-k8s-iac-cluster-eu-north-1 \\\n    --policy-arn arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryFullAccess\n\nexport ACK_CONTROLLER_IAM_ROLE_ARN=$(aws iam get-role --role-name=ack-ecr-controller-k8s-iac-cluster-eu-north-1 --query Role.Arn --output text)\nexport IRSA_ROLE_ARN=eks.amazonaws.com/role-arn=$ACK_CONTROLLER_IAM_ROLE_ARN\nkubectl annotate serviceaccount -n ack-system ack-ecr-controller $IRSA_ROLE_ARN\nkubectl -n ack-system rollout restart deployment ack-ecr-controller-ecr-chart\n\n# see https://github.com/aws-controllers-k8s/ecr-controller/tree/main/test/e2e/resources\nkubectl apply -f ack/ecr/repository.yaml\nkubectl get repositories\naws ecr describe-repositories\nkubectl delete -f ack/ecr/repository.yaml\n\n# install the RDS controller\nhelm install -n $ACK_SYSTEM_NAMESPACE ack-rds-controller \\\n    oci://public.ecr.aws/aws-controllers-k8s/rds-chart --version=1.1.9 --set=aws.region=$AWS_REGION\nkubectl get all -n ack-system\n\nenvsubst \u003c ack/rds/ack-rds-controller-trust.tpl \u003e ack/rds/ack-rds-controller-trust.json\naws iam create-role \\\n    --role-name ack-rds-controller-k8s-iac-cluster-eu-north-1 \\\n    --assume-role-policy-document file://ack/rds/ack-rds-controller-trust.json \\\n    --description \"IRSA role for ACK RDS controller\"\naws iam attach-role-policy \\\n    --role-name ack-rds-controller-k8s-iac-cluster-eu-north-1 \\\n    --policy-arn arn:aws:iam::aws:policy/AmazonRDSFullAccess\n\nexport ACK_CONTROLLER_IAM_ROLE_ARN=$(aws iam get-role --role-name=ack-rds-controller-k8s-iac-cluster-eu-north-1 --query Role.Arn --output 
text)\nexport IRSA_ROLE_ARN=eks.amazonaws.com/role-arn=$ACK_CONTROLLER_IAM_ROLE_ARN\nkubectl annotate serviceaccount -n ack-system ack-rds-controller $IRSA_ROLE_ARN\nkubectl -n ack-system rollout restart deployment ack-rds-controller-rds-chart\n\n# see https://github.com/aws-controllers-k8s/rds-controller/tree/main/test/e2e/resources\n# see https://aws-controllers-k8s.github.io/community/docs/tutorials/aurora-serverless-v2/\nkubectl create secret generic mydb-instance-creds --from-literal=password=topsecret\nkubectl apply -f ack/rds/db-subnet-group.yaml\nkubectl apply -f ack/rds/db-instance.yaml\n```\n\n## Azure Service Operator (for Kubernetes)\n\nSee https://github.com/Azure/azure-service-operator\n\n## Crossplane Demo\n\nFor AWS, the provider configuration needs to reference the required credentials in the form of a secret.\nThese are the `aws_access_key_id` and `aws_secret_access_key` of the default profile found in the `${HOME}/.aws/credentials` file. With this information we can create a secret and reference it from a ProviderConfig resource.\n\n```bash\nkubectl create secret generic aws-secret -n crossplane-system --from-file=credentials=${HOME}/.aws/credentials\n\n# install individual Crossplane providers and the provider config\ncd crossplane/aws/\nkubectl apply -n crossplane-system -f provider-aws-xyz.yaml\nkubectl apply -n crossplane-system -f providerconfig-aws-xyz.yaml\nkubectl get -n crossplane-system providers.pkg.crossplane.io\n\n# you could also install the community-contrib provider\n# Caution: this one brings CRDs for all AWS services!\nkubectl apply -n crossplane-system -f provider-aws.yaml\n\ncd crossplane/aws/examples/\n\n# create an ECR repository in eu-central-1\nkubectl apply -f ecr/repository.yaml\naws ecr describe-repositories\n\n# create an S3 bucket in eu-central-1\nkubectl create -f s3/bucket.yaml\naws s3 ls\n\n# use an XRD to create an ECR repository\nkubectl apply -f xrd/repository/definition.yaml\nkubectl apply -f xrd/repository/composition.yaml\nkubectl 
apply -f xrd/repository/examples/example-repository.yaml\naws ecr describe-repositories\n\n# use an XRD to create an S3 bucket\nkubectl apply -f xrd/bucket/definition.yaml\nkubectl apply -f xrd/bucket/composition.yaml\nkubectl apply -f xrd/bucket/examples/example-bucket.yaml\naws s3 ls\n```\n\n## CAPI Demo\n\n```bash\n# see https://cluster-api-aws.sigs.k8s.io/getting-started.html\n\n# Make sure to export AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_REGION;\n# this fails early with a message if the target region has not been set\nexport AWS_REGION=${AWS_REGION:?set AWS_REGION to the target region}\n\n# needs to be done once to set up the CloudFormation stack and IAM permissions\nclusterawsadm bootstrap iam create-cloudformation-stack --config bootstrap-config.yaml\n\n# You may need to set a personal GITHUB_TOKEN to avoid API rate limiting\nexport AWS_SSH_KEY_NAME=capi-default\nexport AWS_CONTROL_PLANE_MACHINE_TYPE=t3.medium\nexport AWS_NODE_MACHINE_TYPE=t3.medium\nexport AWS_B64ENCODED_CREDENTIALS=$(clusterawsadm bootstrap credentials encode-as-profile)\n\nclusterctl init --infrastructure aws\n\nclusterctl generate cluster capi-tenant-cluster \\\n    --kubernetes-version v1.22.0 \\\n    --control-plane-machine-count=3 \\\n    --worker-machine-count=3 \\\n    \u003e cluster-api/capi-tenant-cluster.yaml\n\n# apply the tenant cluster resources to the management cluster\nkubectl apply -f cluster-api/capi-tenant-cluster.yaml\nkubectl get cluster\nclusterctl describe cluster capi-tenant-cluster\n\n# wait for the control plane to be Initialized, then fetch the tenant kubeconfig\nkubectl get kubeadmcontrolplane\nclusterctl get kubeconfig capi-tenant-cluster \u003e cluster-api/capi-tenant-cluster.kubeconfig\n\n# install the CNI plugin for the CAPI tenant cluster\nkubectl --kubeconfig=cluster-api/capi-tenant-cluster.kubeconfig \\\n    apply -f https://docs.projectcalico.org/v3.21/manifests/calico.yaml\nkubectl --kubeconfig=cluster-api/capi-tenant-cluster.kubeconfig get nodes\n\n# always delete the Cluster object so the cloud resources are cleaned up properly\nkubectl delete cluster capi-tenant-cluster\n```\n\n## Pulumi Demo\n\n```bash\nkubectl 
create secret generic pulumi-api-secret -n pulumi-system --from-literal=accessToken=pul-4711abcExampleToken\n\nkubectl apply -f pulumi/nginx-k8s-stack.yaml\nkubectl get all -n pulumi-system\nkubectl delete -f pulumi/nginx-k8s-stack.yaml\n```\n\n## Maintainer\n\nM.-Leander Reimer (@lreimer), \u003cmario-leander.reimer@qaware.de\u003e\n\n## License\n\nThis software is provided under the MIT open source license, read the `LICENSE`\nfile for details.\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flreimer%2Fk8s-native-iac","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Flreimer%2Fk8s-native-iac","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flreimer%2Fk8s-native-iac/lists"}