Today, we're announcing the Azure Reference Platform for Kubernetes + Data Services configuration package release in Upbound Registry. The Upbound Platform Reference Architectures (AWS, GCP, Azure, Cloud-Native, and Multi-K8s) are foundations, intended to help accelerate understanding and application of Crossplane within your organization. We love to see how people build on these references, and encourage you to customize and publish your own configuration packages to the Upbound Registry.
Crossplane enables platform teams to offer simple and flexible self-service interfaces (via the Kubernetes API server) to provision any combination of API fronted resources, without sacrificing governance or control. The Azure Reference Platform for Kubernetes + Data Services is a great example of this. With this configuration, your platform team can offer a pair of resource kinds called "Cluster" and "PostgreSQLInstance" that allow your developers to provision the infrastructure they need in a self-service manner, while only having access to a limited set of configuration values.
With those limited values, we enable the requestor to provision a fully functional AKS cluster, with supporting infrastructure (e.g. Resource Group, Virtual Network, Subnet, and Azure DB) while the platform team maintains control of finer-grained attributes like Region, Network CIDR, and VM shapes. We also enforce Service Endpoint configuration to ensure the Azure DB instances are securely connected to the AKS nodes. As a bonus, we're using the Helm provider to include Prometheus in the provisioned cluster.
Note: Because Crossplane providers operate as Kubernetes controllers, the deployed infrastructure is continuously reconciled. If someone changes a value in the cloud provider portal, Crossplane will automatically revert it to our intended state.
The following manifests represent all that is required from a requestor. For Cluster, we allow node count, node size (This is transformed via a Composition from small/medium/large to predefined Azure VM types, the requestor cannot override those mappings), and Prometheus Helm chart version.
apiVersion: azure.platformref.crossplane.io/v1alpha1 kind: Cluster metadata: name: platform-ref-azure spec: id: platform-ref-azure parameters: nodes: count: 1 #1-100 size: small #small/medium/large services: operators: prometheus: version: "15.0.1" writeConnectionSecretToRef: name: platform-ref-azure-kubeconfig #Must be unique for each instance
For PostgreSQLInstance, we expose only provisioned storage size. We additionally require a reference to the AKS cluster ID to correlate the secure networking configuration. Notice there are no inputs required for network provisioning. Those details are abstracted from the requestor and entirely controlled by the platform team.
apiVersion: azure.platformref.crossplane.io/v1alpha1 kind: PostgreSQLInstance metadata: name: platform-ref-azure-db spec: parameters: storageGB: 5 #Minimum value is 5 clusterRef: id: platform-ref-azure #This field must match the cluster XR spec.id writeConnectionSecretToRef: name: platform-ref-azure-db-conn #Must be unique for each instance
Note: In the two sample manifests, you'll notice the 'writeConnectionSecretToRef' block. For resources that generate sensitive connection details, Crossplane will automatically write these to Kubernetes secrets. This block enables the requestor to specify a predictable name for future reference.
Using this Configuration, platform teams (and the application teams they support) can easily deploy Kubernetes clusters with securely connected database services to Azure Cloud, unlocking a lot of velocity and flexibility to deliver their software to multiple environments.
In the Kubernetes + Data Services Deployments on Azure platform reference architecture, we are offering requestors a semi-flexible self-service API (via the Kubernetes kubeapi). The platform team maintains control over the node sizes/mappings, regions, networking, and other supporting infrastructure configuration, while developers get a self-service experience that increases their deployment velocity. We encourage you to create an Upbound Cloud account and try it out for yourself with this quick start.