package/cluster/gke/composition.yaml

apiVersion: apiextensions.crossplane.io/v1
kind: Composition
metadata:
  name: xgke.gcp.platformref.upbound.io
  labels:
    provider: GCP
spec:
  writeConnectionSecretsToNamespace: upbound-system
  compositeTypeRef:
    apiVersion: gcp.platformref.upbound.io/v1alpha1
    kind: XGKE
  resources:
    - name: service-account
      base:
        apiVersion: cloudplatform.gcp.upbound.io/v1beta1
        kind: ServiceAccount
      patches:
        - fromFieldPath: spec.id
          toFieldPath: metadata.annotations[crossplane.io/external-name]
        - fromFieldPath: spec.id
          toFieldPath: spec.forProvider.displayName
        - type: ToCompositeFieldPath
          fromFieldPath: status.atProvider.email
          toFieldPath: status.gke.serviceAccount
          policy:
            fromFieldPath: Required
        - type: ToCompositeFieldPath
          fromFieldPath: status.atProvider.id
          toFieldPath: status.gke.project
          transforms:
            - type: string
              string:
                type: Regexp
                regexp:
                  match: projects\/(.+)\/serviceAccounts\/.*
                  group: 1
          policy:
            fromFieldPath: Required
    - name: service-account-key
      base:
        apiVersion: cloudplatform.gcp.upbound.io/v1beta1
        kind: ServiceAccountKey
        spec:
          forProvider:
            serviceAccountIdSelector:
              matchControllerRef: true
      patches:
        - fromFieldPath: metadata.uid
          toFieldPath: spec.writeConnectionSecretToRef.name
          transforms:
            - type: string
              string:
                fmt: "%s-sakey"
        - fromFieldPath: spec.writeConnectionSecretToRef.namespace
          toFieldPath: spec.writeConnectionSecretToRef.namespace
    - name: project-iam-member
      base:
        apiVersion: cloudplatform.gcp.upbound.io/v1beta1
        kind: ProjectIAMMember
        spec:
          forProvider:
            role: roles/container.admin
      patches:
        - fromFieldPath: spec.id
          toFieldPath: metadata.annotations[crossplane.io/external-name]
        - fromFieldPath: status.gke.serviceAccount
          toFieldPath: spec.forProvider.member
          transforms:
            - type: string
              string:
                fmt: "serviceAccount:%s"
          policy:
            fromFieldPath: Required
        - fromFieldPath: status.gke.project
          toFieldPath: spec.forProvider.project
          policy:
            fromFieldPath: Required
    - name: gke-cluster
      base:
        apiVersion: container.gcp.upbound.io/v1beta1
        kind: Cluster
        spec:
          forProvider:
            location: us-west2
            ipAllocationPolicy:
              - clusterSecondaryRangeName: pods
                servicesSecondaryRangeName: services
            enableIntranodeVisibility: true
            loggingService: logging.googleapis.com/kubernetes
            monitoringService: monitoring.googleapis.com/kubernetes
            initialNodeCount: 1
      patches:
        - fromFieldPath: metadata.uid
          toFieldPath: spec.writeConnectionSecretToRef.name
          transforms:
            - type: string
              string:
                fmt: "%s-gkecluster"
        - fromFieldPath: spec.writeConnectionSecretToRef.namespace
          toFieldPath: spec.writeConnectionSecretToRef.namespace
        # Create this cluster in the Network and Subnetwork referenced by network ID
        - fromFieldPath: spec.parameters.XNetworkSelector.matchLabels
          toFieldPath: spec.forProvider.networkSelector.matchLabels
        - fromFieldPath: spec.parameters.XNetworkSelector.matchLabels
          toFieldPath: spec.forProvider.subnetworkSelector.matchLabels
        - fromFieldPath: status.gke.serviceAccount
          toFieldPath: spec.forProvider.nodeConfig[0].serviceAccount
          policy:
            fromFieldPath: Required
      # The control plane supplies the 'kubeconfig' connection secret key, which
      # is required by the XR.
      connectionDetails:
        - fromConnectionSecretKey: kubeconfig
    # Each cluster has one node pool. Its nodes are spread evenly across the zones
    # in which the cluster exists.
    - name: node-pool
      base:
        apiVersion: container.gcp.upbound.io/v1beta1
        kind: NodePool
        spec:
          forProvider:
            location: us-west2
            initialNodeCount: 1
            clusterSelector:
              # Attach this node pool to the GKECluster created above.
              matchControllerRef: true
            autoscaling:
              - minNodeCount: 1
                maxNodeCount: 3
            nodeConfig:
              - diskSizeGb: 10
                imageType: COS_CONTAINERD
                machineType: e2-medium
                preemptible: true
                shieldedInstanceConfig:
                  - enableIntegrityMonitoring: true
                    enableSecureBoot: true
                metadata:
                  disable-legacy-endpoints: "true"
                oauthScopes:
                  - https://www.googleapis.com/auth/cloud-platform
            management:
              - autoRepair: true
                autoUpgrade: true
            maxPodsPerNode: 55
      patches:
        # Derive the node count and type of this node pool from the XR. Note that
        # the XR's node count is set to initial, min, and max.
        - fromFieldPath: spec.parameters.nodes.size
          toFieldPath: spec.forProvider.nodeConfig[0].machineType
          transforms:
            - type: map
              map:
                small: n1-standard-4
                medium: n1-standard-16
                large: n1-standard-32
        - fromFieldPath: spec.parameters.nodes.count
          toFieldPath: spec.forProvider.initialNodeCount
        - fromFieldPath: spec.parameters.nodes.count
          toFieldPath: spec.forProvider.autoscaling[0].minNodeCount
        - fromFieldPath: spec.parameters.nodes.count
          toFieldPath: spec.forProvider.autoscaling[0].maxNodeCount
        - fromFieldPath: status.gke.serviceAccount
          toFieldPath: spec.forProvider.nodeConfig[0].serviceAccount
          policy:
            fromFieldPath: Required
    - name: helm-provider-config
      base:
        apiVersion: helm.crossplane.io/v1beta1
        kind: ProviderConfig
        spec:
          credentials:
            source: Secret
            secretRef:
              key: kubeconfig
          identity:
            type: GoogleApplicationCredentials
            source: Secret
            secretRef:
              key: private_key
      patches:
        - fromFieldPath: spec.id
          toFieldPath: metadata.name
        - fromFieldPath: spec.writeConnectionSecretToRef.namespace
          toFieldPath: spec.credentials.secretRef.namespace
        # This ProviderConfig uses the above GKE Cluster kubeconfig as
        # its credentials secret.
        - fromFieldPath: metadata.uid
          toFieldPath: spec.credentials.secretRef.name
          transforms:
            - type: string
              string:
                fmt: "%s-gkecluster"
        - fromFieldPath: spec.writeConnectionSecretToRef.namespace
          toFieldPath: spec.identity.secretRef.namespace
        # This ProviderConfig uses the above ServiceAccount secret as
        # its credentials secret.
        - fromFieldPath: metadata.uid
          toFieldPath: spec.identity.secretRef.name
          transforms:
            - type: string
              string:
                fmt: "%s-sakey"
      readinessChecks:
        - type: None