Deploy Secure EKS Clusters and Databases with Upbound and Crossplane on AWS
August 13, 2024
Read time: 8 mins
In today's fast-paced tech environment, the ability to rapidly provision and manage cloud infrastructure is a competitive advantage. For organizations leveraging AWS, creating internal cloud platforms with a self-service API can significantly enhance productivity and agility. The Upbound Platform Reference for AWS is a great starting point for building these internal platforms, offering your development teams a robust and user-friendly way to manage AWS resources. By using this reference platform, you can streamline your cloud operations, empower your developers with self-service capabilities, and ensure consistent, scalable infrastructure management across your organization.
In this blog, we'll explore the architecture of the Upbound Platform Reference for AWS and how it can streamline your cloud operations.
The GitHub repository for the AWS Reference Platform contains a reference AWS Platform Configuration for Crossplane. It's a great starting point for building internal cloud platforms with AWS and offering a self-service API to your internal development teams.
This platform offers APIs for setting up fully configured EKS clusters with secure networking, stateful cloud services (RDS) that can securely connect to the EKS clusters, an Observability Stack, and a GitOps System. All these components are built using cloud service tools from the Official Upbound AWS Provider. App deployments can securely access the necessary infrastructure through secrets distributed directly to the app namespace.
Overview
This reference platform outlines a specialized API for generating an EKS cluster (XCluster) that incorporates XRs from the specified configurations:
Learn more about Composite Resources in the Crossplane Docs.
Quickstart
Prerequisites
Before we can install the reference platform we should install the up
CLI. This is a utility that makes following this quickstart guide easier. Everything described here can also be done in a declarative approach - which we highly recommend for any production type use-case.
To install up
run this install script:
1
See up docs for more install options.
To intstall crossplane
CLI follow these Crossplane docs.
We need a running Crossplane control plane to install our instance. We are using Universal Crossplane (UXP). Ensure that your kubectl context points to the correct Kubernetes cluster or create a new kind cluster:
1
Finally install UXP into the upbound-system
namespace:
1
We will need Usages alpha feature for the correct deployment and eventual de-provisioning of this reference platform.
You can validate the install by inspecting all installed components:
1
Install the AWS Reference Platform
Now you can install this reference platform. It's packaged as a Crossplane configuration package so there is a single command to install it:
1
Validate the install by inspecting the provider and configuration packages:
1
After all Configurations are ready, you can check the status of associated Providers that were pulled as dependencies:
1
Check the marketplace for the latest version of this platform.
Configure the AWS provider
Before we can use the reference platform we need to configure it with AWS credentials:
1
See provider-aws docs for more detailed configuration options.
Using the AWS reference platform
🎉 Congratulations. You have just installed your first Crossplane-powered platform!
Application developers can now use the platform to request resources which then will be provisioned in AWS. This would usually be done by bundling a claim as part of the application deployment code, e.g. provisioning it together with the application helm chart. In our example here we simply create the claims directly:
Create a custom defined cluster:
1
Create a custom defined database:
1
NOTE: The database abstraction relies on the cluster claim to be ready - it uses the same network to have connectivity with the EKS cluster.
Alternatively, you can use a postgresql claim:
1
Now deploy the sample application:
1
Note: application has a strong dependency on mariadb type of the database.
You can verify the status by inspecting the claims, composites and managed resources:
1
To get nice representation of the Claim deployment status you can use the crossplane beta trace command:
1
To delete the provisioned resources you would simply delete the claims:
1
To uninstall the provider & platform configuration:
1
Customize for your Organization
So far we have used the existing reference platform but haven't made any changes. Let's change this and customize the platform by ensuring the EKS Cluster is deployed to Frankfurt (eu-central-1) and that clusters are limited to 10 nodes.
For the following examples we are using my-org
and my-platform
:
1
Pre-Requisites
First you need to create a free Upbound account to push your custom platform. Afterwards you can log in.
Make the changes
To make your changes clone this repository:
1
You can make arbitrary changes like extending the Composition or changing your custom platform API XRD. For example, you can change your XRD and Composition to serve your company's api group instead of upbound.io . Modify the composition and definition files according to this diff:
1
Now, you can create Configuration package that will encapsulate all your custom modifications.
Build and push your platform
To share your new platform you need to build and distribute this package.
To build the package use the up xpkg build
command:
1
Afterwards you can push it to the marketplace. It will be not automatically listed but the OCI repository will be publicly accessible.
1
Using your custom platform
Now to use your custom platform, you can pull the Configuration package from your repository:
1
For the alternative declarative installation approach see the example Configuration manifest. Please update to your org, platform and tag before applying.
🎉 Congratulations. You have just built and installed your first custom Crossplane-powered platform!
Set of encapsulated best practices
You might notice that the reference platform contains a set of highly opinionated practices that we believe are extremely useful in Crossplane Configuration management and maintenance.
Let’s review them one by one.
Configuration of Configurations pattern
Historically we maintained the reference platform as a single monorepo that contained all associated Compositions and XRDs in the same repository.
While getting more experience with Crossplane configuration development and maintenance we came up with the pattern that we can name as Configuration of Configurations.
The approach is pretty straightforward: we split the platform into a distinct set of Crossplane Configurations and collect them into a single higher-level configuration that we call ‘platform’.
The best illustration of this approach is the dependency list of the main `crossplane.yaml` of the reference platform.
As you can see, it mainly consists of other fine-grained configurations:
1
Each Configuration from the dependency list lives in a separate repository and has its own set of pipelines and independent lifecycle and versioning.
It enables us to test different parts of the platform like EKS cluster or Database in isolation, avoid huge blast radius, and evolve the platform and its pieces faster.
Strong versioning provides the reproducible platform build and explicit control of the underlying Configuration version. This way we minimize the ability of underlying side effects and bump the version of the included Configuration only after the associated testing happened in a context of scoped repository like the AWS EKS Configuration, AWS Network Configuration, AWS Database Configuration, or any other included in a higher level platform.
Renovate setup
We have quite an advanced Renovate setup that helps us keep track of all the dependencies of this reference platform.
It is especially useful in the context of the Configuration of Configurations pattern we discussed above.
Static linting and rendering
To enable fast development feedback and a consistent codebase we came up with two straightforward make targets:
- Build target and pipeline encapsulate proper xpkg packaging and publishing of Configuration to OCI registry
- Static yaml linting target and associated pipeline provide early feedback to the yaml structure and enable consistent formatting and catching simple yaml-related errors quickly
- Render target provides quick shortcut to crossplane cli rendering capabilities relevant to the specific repository setup so we don’t have to construct the rendering command manually
E2E Testing with Uptest
We use the Uptest e2e framework to enable automated e2e testing of our reference platforms and Configurations.
You can use uptest both locally and through the github action pipeline.
It provides a low code testing experience and will make sure that the examples under test are fully deployable in an actual cloud environment.
To learn more about uptest, check out the Crossplane Testing Patterns recording from the Level Up event that Upbound organized early this year.
Conclusion: Building with Crossplane and Upbound
In conclusion, the Upbound Platform Reference for AWS is an invaluable resource for any organization looking to build robust internal cloud platforms. By providing a self-service API to your development teams, you can significantly enhance their ability to manage and provision AWS resources efficiently.
This reference platform not only serves as a practical starting point but also exemplifies best practices in cloud infrastructure management.
By adopting the Upbound Reference Platform for AWS, you're equipping your teams with the tools they need to innovate faster and operate more autonomously. Empower your developers, streamline your cloud operations, and achieve greater scalability and consistency in your infrastructure.
To get started on your Crossplane AWS instance, check out our upcoming webinar this Thursday, August 15 at 8 am PT / 5 pm CET. Our experts will walk you through how to enable a quick setup and instant automations to spin up EKS clusters in AWS!