Switch to new upbound devex

Author: kaessert

.github/workflows/ci.yaml

@@ -4,69 +4,46 @@ on:
   push:
     branches:
       - main
-      - release-*
-  workflow_dispatch: {}
+  pull_request: {}
+  workflow_dispatch:
+    inputs:
+      version:
+        description: Package version (e.g. v0.1.0)
+        required: false
 
 env:
-  DOCKER_BUILDX_VERSION: 'v0.8.2'
-
-  XPKG_ACCESS_ID: ${{ secrets.XPKG_ACCESS_ID }}
+  UP_API_TOKEN: ${{ secrets.UP_API_TOKEN }}
+  UP_ROBOT_ID: ${{ secrets.UP_ROBOT_ID }}
+  UP_ORG: ${{ secrets.UP_ORG }}
 
 jobs:
-  detect-noop:
-    runs-on: ubuntu-24.04
-    outputs:
-      noop: ${{ steps.noop.outputs.should_skip }}
-    steps:
-      - name: Detect No-op Changes
-        id: noop
-        uses: fkirc/skip-duplicate-actions@f75f66ce1886f00957d99748a42c724f4330bdcf # v5.3.1
-        with:
-          github_token: ${{ secrets.GITHUB_TOKEN }}
-          paths_ignore: '["**.md", "**.png", "**.jpg"]'
-          do_not_skip: '["workflow_dispatch", "schedule", "push"]'
-
-  publish-artifacts:
-    runs-on: ubuntu-24.04
-    needs: detect-noop
-    if: needs.detect-noop.outputs.noop != 'true'
-
+  deploy:
+    runs-on: ubuntu-latest
     steps:
-      - name: Setup Docker Buildx
-        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3
-        with:
-          version: ${{ env.DOCKER_BUILDX_VERSION }}
-          install: true
-
       - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
-        with:
-          submodules: true
-
-      - name: Fetch History
-        run: git fetch --prune --unshallow
+        id: checkout
+        uses: actions/checkout@v4
 
-      - name: Build Artifacts
-        run: make -j2 build.all
-        env:
-          # We're using docker buildx, which doesn't actually load the images it
-          # builds by default. Specifying --load does so.
-          BUILD_ARGS: "--load"
-
-      - name: Publish Artifacts to GitHub
-        uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4
+      - name: Install and login with up
+        if: env.UP_API_TOKEN != '' && env.UP_ORG != ''
+        uses: upbound/action-up@v1
         with:
-          name: output
-          path: _output/**
+          api-token: ${{ secrets.UP_API_TOKEN }}
+          organization: ${{ secrets.UP_ORG }}
 
-      - name: Login to Upbound
-        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
-        if: env.XPKG_ACCESS_ID != ''
+      # doesn't work with plain token when pushing otherwise
+      - name: Login to xpkg with robot
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3
         with:
           registry: xpkg.upbound.io
-          username: ${{ secrets.XPKG_ACCESS_ID }}
-          password: ${{ secrets.XPKG_TOKEN }}
+          username: ${{ env.UP_ROBOT_ID }}
+          password: ${{ env.UP_API_TOKEN }}
 
-      - name: Publish Artifacts
-        if: env.XPKG_ACCESS_ID != ''
-        run: make -j2 publish BRANCH_NAME=${GITHUB_REF##*/}
+      - name: Build and Push Upbound project
+        if: env.UP_API_TOKEN != ''
+        uses: upbound/action-up-project@v1
+        with:
+          push-project: true
+          tag: ${{ inputs.version || '' }}
+          # login-check does `up org list` which doesn't work with a robot-token
+          skip-login-check: true

.github/workflows/composition-tests.yaml

@@ -0,0 +1,26 @@
+name: Composition Tests
+
+on:
+  push:
+    branches:
+      - main
+  pull_request: {}
+
+jobs:
+  composition-tests:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        id: checkout
+        uses: actions/checkout@v4
+
+      - name: Install up
+        uses: upbound/action-up@v1
+        with:
+          skip-login: true
+
+      - name: Build project
+        run: up project build
+
+      - name: Run composition tests
+        run: up test run tests/*

.github/workflows/e2e.yaml

@@ -1,14 +1,54 @@
 name: End to End Testing
 
 on:
-  issue_comment:
-    types: [created]
+  # https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/
+  # pull_request_target is potentially dangerous target so we keep it strict
+  # under the label and benefit from secret propagation
+  pull_request_target:
+    types:
+      - synchronize
+      - labeled
+
+env:
+  UP_API_TOKEN: ${{ secrets.UP_E2E_API_TOKEN || secrets.UP_API_TOKEN }}
+  UP_ORG: ${{ secrets.UP_E2E_ORG || secrets.UP_ORG }}
+  UP_GROUP: ${{ secrets.UP_E2E_GROUP || secrets.UP_GROUP || 'default' }}
+  UP_ROBOT_ID: ${{ secrets.UP_E2E_ROBOT_ID || secrets.UP_ROBOT_ID }}
 
 jobs:
   e2e:
-    uses: upbound/official-providers-ci/.github/workflows/pr-comment-trigger.yml@main
-    with:
-      package-type: configuration
-    secrets:
-      UPTEST_CLOUD_CREDENTIALS: ${{ secrets.UPTEST_CLOUD_CREDENTIALS }}
-      UPTEST_DATASOURCE: ${{ secrets.UPTEST_DATASOURCE }}
+    if: contains(github.event.pull_request.labels.*.name, 'run-e2e-tests')
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        id: checkout
+        uses: actions/checkout@v4
+
+      - name: Install and login with up
+        if: env.UP_API_TOKEN != '' && env.UP_ORG != ''
+        uses: upbound/action-up@v1
+        with:
+          api-token: ${{ env.UP_API_TOKEN }}
+          organization: ${{ env.UP_ORG }}
+
+      # doesn't work with plain token when pushing otherwise
+      - name: Login to xpkg with robot
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3
+        with:
+          registry: xpkg.upbound.io
+          username: ${{ env.UP_ROBOT_ID }}
+          password: ${{ env.UP_API_TOKEN }}
+
+      - name: Build project
+        run: up project build
+
+      - name: Switch up context
+        run: up ctx ${{ env.UP_ORG }}/upbound-gcp-us-central-1/${{ env.UP_GROUP }}
+
+      - name: Download and install Upbound-enhanced Chainsaw(remove me later)
+        run: |
+          curl -L -o /usr/local/bin/chainsaw https://yurychainsaw.blob.core.windows.net/chainsaw/chainsaw
+          chmod +x /usr/local/bin/chainsaw
+
+      - name: Run e2e tests
+        run: up test run tests/* --e2e

.gitignore

@@ -1,12 +1,4 @@
-/.cache
-/.work
-/_output
-/results
-/.idea
-/.kclvm
-
-*.xpkg
-kubeconfig
-
-# generated by kcl
-apis/kcl/composition.yaml
+_output
+.venv
+.up
+tests/*/model

.gitmodules

@@ -1,31 +1,24 @@
 # AWS EKS Pod Identity Configuration
 
-At a high level, EKS Pod Identity allows you to use the AWS API to define permissions that specific Kubernetes service accounts should have in AWS:
+This repository contains an Upbound project, tailored for users establishing their initial control plane with [Upbound](https://cloud.upbound.io). This configuration deploys fully managed AWS EKS Pod Identity resources.
 
-## Configuration
-This configuration is for implementing AWS EKS Pod Identity, which involves creating the IAM Role and configuring the EKS PodIdentityAssociation.
+## Overview
 
-```bash
-apiVersion: pkg.crossplane.io/v1
-kind: Configuration
-metadata:
-  name: configuration-aws-eks-pod-identity
-spec:
-  package: xpkg.upbound.io/upbound/configuration-aws-eks-pod-identity:v0.1.0
-```
+The core components of a custom API in [Upbound Project](https://docs.upbound.io/learn/control-plane-project/) include:
 
-## The How
+- **CompositeResourceDefinition (XRD):** Defines the API's structure.
+- **Composition(s):** Configures the Functions Pipeline
+- **Embedded Function(s):** Encapsulates the Composition logic and implementation within a self-contained, reusable unit
 
-The following step is automatically completed when you install your EKS Cluster using our predefined configuration for AWS EKS - which is installed as dependency per default:
+In this specific configuration, the API contains:
 
-```bash
-apiVersion: pkg.crossplane.io/v1
-kind: Configuration
-metadata:
-  name: configuration-aws-eks
-spec:
-  package: xpkg.upbound.io/upbound/configuration-aws-eks:v0.12.0
-```
+- **an [AWS EKS Pod Identity](/apis/definition.yaml) custom resource type.**
+- **Composition:** Configured in [/apis/composition.yaml](/apis/composition.yaml)
+- **Embedded Function:** The Composition logic is encapsulated within [embedded function](/functions/eks-pod-identity/main.k)
+
+## How It Works
+
+At a high level, EKS Pod Identity allows you to use the AWS API to define permissions that specific Kubernetes service accounts should have in AWS:
 
 Setting up Pod Identity starts by installing an add-on:
 https://github.com/aws/eks-pod-identity-agent
@@ -45,7 +38,6 @@ eks-pod-identity-agent   2         2         2       2            2           <n
 ```
 
 ![pod-identity](images/s3-access-podidentity.png)
-https://github.com/awslabs/crossplane-on-eks
 
 ### EKS Pod Identity at a glance
 
@@ -72,10 +64,9 @@ Here, YourPodRole has the following trust policy:
 }
 ```
 
-Once you’ve run the commands to configure Pod Identity, any pod that runs under the pod-service-account service account magically has access to AWS resources, through temporary Security Token Service (STS) credentials:
+Once you've run the commands to configure Pod Identity, any pod that runs under the pod-service-account service account magically has access to AWS resources, through temporary Security Token Service (STS) credentials:
 
 ```bash
-
 $ kubectl apply -f - <<EOF
 apiVersion: v1
 kind: Pod
@@ -95,7 +86,6 @@ $ kubectl exec pod/pod-with-aws-access -- aws sts get-caller-identity
     "Account": "012345678901",
     "Arn": "arn:aws:sts::012345678901:assumed-role/YourPodRole/eks-cluster-pod-xxx"
 }
-
 ```
 
 For a given EKS cluster, you can easily see which pods have access to AWS resources using eks:ListPodIdentityAssociations:
@@ -133,3 +123,26 @@ aws eks describe-pod-identity-association \
     }
 }
 ```
+
+## Testing
+
+The configuration can be tested using:
+
+- `up composition render --xrd=apis/definition.yaml apis/composition.yaml examples/pod-identity-xr.yaml` to render the composition
+- `up test run tests/*` to run composition tests in `tests/test-eks-pod-identity/`
+- `up test run tests/* --e2e` to run end-to-end tests in `tests/e2etest-eks-pod-identity/`
+
+## Deployment
+
+- Execute `up project run`
+- Alternatively, install the Configuration from the [Upbound Marketplace](https://marketplace.upbound.io/configurations/upbound/configuration-aws-eks-pod-identity)
+- Check [examples](/examples/) for example XR(Composite Resource)
+
+## Next steps
+
+This repository serves as a foundational step. To enhance the configuration, consider:
+
+1. create new API definitions in this same repo
+2. editing the existing API definition to your needs
+
+To learn more about how to build APIs for your managed control planes in Upbound, read the guide on [Upbound's docs](https://docs.upbound.io/).

README.md

@@ -0,0 +1,16 @@
+apiVersion: apiextensions.crossplane.io/v1
+kind: Composition
+metadata:
+  name: xpodidentities.aws.platform.upbound.io
+spec:
+  compositeTypeRef:
+    apiVersion: aws.platform.upbound.io/v1alpha1
+    kind: XPodIdentity
+  mode: Pipeline
+  pipeline:
+  - functionRef:
+      name: upbound-configuration-aws-eks-pod-identityeks-pod-identity
+    step: eks-pod-identity
+  - functionRef:
+      name: crossplane-contrib-function-auto-ready
+    step: crossplane-contrib-function-auto-ready

apis/composition.yaml

@@ -6,7 +6,7 @@ metadata:
     provider: aws
 spec:
   defaultCompositionRef:
-    name: pat.xpodidentities.aws.platform.upbound.io
+    name: xpodidentities.aws.platform.upbound.io
   group: aws.platform.upbound.io
   names:
     kind: XPodIdentity