Upcoming Changes to Upbound Official Packages

January 15, 2025
Update 1/24/25 9:00AM EST – We understand how important it is for you to stay informed about policy changes and have ample time to prepare. Because our November announcement concerning updating access and support policies for Official Providers may not have reached everyone, we’re delaying the enforcement of the policy change described in this post until Tuesday, March 25th.
We hope this extension helps reduce any stress and gives you the time you need to update your provider configurations as outlined in this blog.
If you have any concerns or feedback, please don’t hesitate to reach out on the Upbound channel of the Crossplane community Slack. We value your perspective and want to ensure everyone feels supported through this transition. You can also read the Upbound docs for more details on how the new access policy will work starting March 25th. We’re here to help every step of the way.
On March 25, 2025, Upbound will roll out changes we announced in November 2024 that affect the access policy for Upbound Official Packages published on the Upbound Marketplace. Read this blog post to learn more about what's changing and to see a step-by-step walkthrough of what you should expect.
What's Changing
Upbound is rolling out new policies that impact users' ability to pull specific versions of Upbound official packages, starting with Upbound Official Providers. The Crossplane community will always be able to access the latest version of a given official package for free, including patch releases and security fixes. The prior versions of a package (those other than the latest) are available only for Upbound customers with active subscriptions.
To elaborate, Upbound official packages are OCI images with a package name and version number. Below is an example manifest for the Upbound Official Provider for AWS.
When Upbound publishes a new version of a package, it might be:
- A new major version, such as xpkg.upbound.io/upbound/provider-family-aws:v1.0.0
- A new minor version, such as xpkg.upbound.io/upbound/provider-family-aws:v1.19.0
- A new patch version, such as xpkg.upbound.io/upbound/provider-family-aws:v1.19.1
Upbound paid customers with active subscriptions can access all versions within the support window provided by Upbound (12 months of maintenance, followed by 6 months of access). That means you can pull and use all images according to their vMajor.Minor.Patch version tag.
Community members and users of the free Individual tier on Upbound can access only the latest version of a given official package. For convenience, we've introduced new major tags following the form of v0, v1, v2 and so forth as new major versions of packages are published. The major version tag will always point to the latest published version of a given package. If you're in this audience, here's what the Upbound Marketplace will look like for you:

While community users can technically pull an image according to the latest vMajor.Minor.Patch tag, this tag is subject to change as we release new versions of images. Therefore, using the vMajor tag is advised to avoid breakages when prior versions are no longer accessible.
Why Upbound is making this change
Our CEO, Bassam, explains why we're making this change in the original announcement. In short, we believe this approach will ensure the long-term sustainability of official packages while ensuring that the Crossplane community continues to have access to the same high-quality and secure releases.
What you need to do
If you're a Crossplane community member or Individual tier user on Upbound, use the new vMajor tag when pulling Upbound Official Providers. For an example using Azure, your package manifest should look like this:
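The two tagging styles described in this post, side by side, as an added example rather than the manifests from the original post. Resource names are illustrative, and the provider-family-azure package path and its v1 tag are assumptions.

```yaml
# Added example, not the original post's manifests.
---
# Full vMajor.Minor.Patch tag. Once a newer release is published, this tag is
# no longer "the latest", so pulling it requires an active Upbound
# subscription and a configured pull secret.
apiVersion: pkg.crossplane.io/v1
kind: Provider
metadata:
  name: provider-family-aws          # illustrative resource name
spec:
  package: xpkg.upbound.io/upbound/provider-family-aws:v1.19.1
---
# vMajor tag. It always points to the latest published version of the
# package, so it stays pullable for community and Individual tier users.
apiVersion: pkg.crossplane.io/v1
kind: Provider
metadata:
  name: provider-family-azure        # illustrative resource name
spec:
  # Package path and major version are assumed for this example.
  package: xpkg.upbound.io/upbound/provider-family-azure:v1
```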
If you're an Upbound paid customer running in our SaaS environment, you don't need to do anything–access is automatically configured so you can pull whichever images you need.
Customers not running in our SaaS environment must have created an organization account on Upbound in the Team, Enterprise or Business Critical tier. If you need assistance, reach out to your Upbound account representative.
If you're a paid customer running on open source Crossplane, UXP, or have self-hosted deployments of Upbound Spaces, you'll need to configure a pull secret on your control planes to pull any older version of an Official Provider.
If you’re on Crossplane, UXP v1.18 or later, UXP v1.16.4, or UXP v1.17.3, use the ImageConfig API. Otherwise, configure a pull secret for each provider pod.
- Log in to your Upbound org account (you can find the value by running up org list):
  up login --account=<your organization account>
- Create a robot and robot token using the up CLI:
  up robot create provider-pull-bot
  up robot token create provider-pull-bot provider-pull-token --output=-
- Save the Access ID value of the output to a variable named ID. Save the Token value to a variable named TOKEN:
  ID=<the ID outputted in the previous step>
  TOKEN=<the token outputted in the previous step>
- Create a pull secret on your control plane:
  kubectl -n crossplane-system create secret docker-registry up-provider-pull-secret --docker-server=xpkg.upbound.io --docker-username="$ID" --docker-password="$TOKEN"
- Create an ImageConfig resource and reference the pull secret you created earlier:
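An ImageConfig for this last step, followed by the per-provider fallback for control planes without the ImageConfig API. This is an added example, not the manifest from the original post. The resource names are hypothetical, and mapping "a pull secret for each provider pod" to the Provider's packagePullSecrets field is an assumption.

```yaml
# Added example, not the original post's manifest.
---
# Control planes with the ImageConfig API: one resource covers every package
# whose image reference starts with the given prefix.
apiVersion: pkg.crossplane.io/v1beta1
kind: ImageConfig
metadata:
  name: upbound-official-packages    # hypothetical name
spec:
  matchImages:
    - type: Prefix
      prefix: xpkg.upbound.io/upbound
  registry:
    authentication:
      pullSecretRef:
        # Secret created with kubectl in the crossplane-system namespace.
        name: up-provider-pull-secret
---
# Control planes without ImageConfig: reference the same secret on each
# Provider that pulls an older version (assumed reading of "configure a pull
# secret for each provider pod").
apiVersion: pkg.crossplane.io/v1
kind: Provider
metadata:
  name: provider-family-aws          # illustrative resource name
spec:
  package: xpkg.upbound.io/upbound/provider-family-aws:v1.19.0
  packagePullSecrets:
    - name: up-provider-pull-secret
```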
This ImageConfig matches all packages with the xpkg.upbound.io/upbound prefix and provides the package pull secret when the control plane needs to pull the provider image.
Learn more about our updated access, support, and maintenance policies in the Official Provider documentation. Read the pull secrets documentation to learn more about setting up pull secrets for Official Providers.
Continued access to older versions and support
If you need access to older versions of Official Providers but don't have a subscription to Upbound, you can sign up today and create a Team tier organization. Until February 3rd, enjoy a free introductory period for the Team tier. After February 3rd, we'll require having a credit card on file. Support for Official Providers is available for customers in the Enterprise or Business Critical tiers of Upbound. Contact Upbound if you want to learn more.