© 2025 Direct Cursus Technology L.L.C.
Integration with Crossplane

Written by
Yandex Cloud
Updated at May 5, 2025
  • Required paid resources
  • Get your cloud ready
  • Create the Managed Service for Kubernetes resources
  • Create Yandex Cloud resources using Crossplane
  • Delete the resources you created

Crossplane is an open-source Kubernetes add-on that helps you bring solutions from different providers into a single infrastructure and provide application developers access to this infrastructure through high-level APIs. With Crossplane, users can manage third-party services in the same way they manage Kubernetes resources.

To create a Yandex Compute Cloud VM using the Crossplane application installed in a Kubernetes cluster:

  1. Get your cloud ready.
  2. Create the Managed Service for Kubernetes resources.
  3. Create Yandex Cloud resources using Crossplane.

If you no longer need the resources you created, delete them.

Required paid resources

The support cost includes:

  • Fee for the Managed Service for Kubernetes cluster: using the master and outgoing traffic (see Managed Service for Kubernetes pricing).
  • Cluster nodes (VM) fee: using computing resources, operating system, and storage (see Compute Cloud pricing).
  • Fee for a public IP address assigned to cluster nodes (see Virtual Private Cloud pricing).
  • Fee for using the NAT gateway (see Virtual Private Cloud pricing).

Get your cloud ready

  1. If you do not have the Yandex Cloud CLI yet, install and initialize it.

    The folder specified when creating the CLI profile is used by default. To change the default folder, use the yc config set folder-id <folder_ID> command. You can specify a different folder using the --folder-name or --folder-id parameter.

  2. Install the jq JSON stream processor.

Create the Managed Service for Kubernetes resources

  1. Create a Kubernetes cluster and node group.

    Manually

    1. If you do not have a network yet, create one.

    2. If you do not have any subnets yet, create them in the availability zones where your Kubernetes cluster and node group will be created.

    3. Create service accounts:

      • Service account with the k8s.clusters.agent and vpc.publicAdmin roles for the folder where the Kubernetes cluster is created. This service account will be used to create the resources required for the Kubernetes cluster.
      • Service account with the container-registry.images.puller role. Nodes will pull the required Docker images from the registry on behalf of this account.

      Tip

      You can use the same service account to manage your Kubernetes cluster and its node groups.

    4. Create security groups for the Managed Service for Kubernetes cluster and its node groups.

      Warning

      The configuration of security groups determines the performance and availability of the cluster and the services and applications running in it.

    5. Create a Kubernetes cluster and a node group in any suitable configuration. When creating them, specify the security groups prepared earlier.

    Terraform

    1. If you do not have Terraform yet, install it.

    2. Get the authentication credentials. You can add them to environment variables or specify them later in the provider configuration file.

    3. Configure and initialize a provider. There is no need to create a provider configuration file manually; you can download it.

    4. Place the configuration file in a separate working directory and specify the parameter values. If you did not add the authentication credentials to environment variables, specify them in the configuration file.

    5. Download the k8s-cluster.tf cluster configuration file to the same working directory. This file describes:

      • Network.

      • Subnet.

      • Kubernetes cluster.

      • Service account required for the Managed Service for Kubernetes cluster and node group.

      • Security groups which contain rules required for the Managed Service for Kubernetes cluster and its node groups.

        Warning

        The configuration of security groups determines the performance and availability of the cluster and the services and applications running in it.

    6. Specify the following in the configuration file:

      • Folder ID.
      • Kubernetes version for the Kubernetes cluster and node groups.
      • Kubernetes cluster CIDR.
      • Name of the Managed Service for Kubernetes cluster service account.
    7. Check that the Terraform configuration files are correct using this command:

      terraform validate
      

      If there are any errors in the configuration files, Terraform will point them out.

    8. Create the required infrastructure:

      1. Run this command to view the planned changes:

        terraform plan
        

        If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.

      2. If everything looks correct, apply the changes:

        1. Run this command:

          terraform apply
          
        2. Confirm updating the resources.

        3. Wait for the operation to complete.

      All the required resources will be created in the specified folder. You can check resource availability and their settings in the management console.

  2. Install kubectl and configure it to work with the new cluster.

  3. Install Crossplane in the Kubernetes cluster.

  4. Set up a NAT gateway for the Kubernetes cluster node subnet.

Create Yandex Cloud resources using Crossplane

  1. Decide what resources you want to create using Crossplane. To get a list of available resources, run the following command:

    kubectl get crd | grep yandex-cloud.jet.crossplane.io
    
  2. Decide on the resource parameters. To see what parameters are available for a particular resource, run this command:

    kubectl describe crd <resource_name>
    
  3. Create the vm-instance-template.yml manifest template describing the network and subnet existing in the folder as well as the new crossplane-vm VM you are going to create with Crossplane:

    # Adding an existing network to the configuration
    apiVersion: vpc.yandex-cloud.jet.crossplane.io/v1alpha1
    kind: Network
    metadata:
      name: <name_of_existing_network>
      annotations:
        # Point the provider to the existing network
        crossplane.io/external-name: <ID_of_existing_network>
    spec:
      # Keep the existing network in the cloud when this object is deleted
      deletionPolicy: Orphan
      forProvider:
        name: <name_of_existing_network>
      providerConfigRef:
        name: default
    ---
    # Adding an existing subnet to the configuration
    apiVersion: vpc.yandex-cloud.jet.crossplane.io/v1alpha1
    kind: Subnet
    metadata:
      name: <name_of_existing_subnet>
      annotations:
        # Point the provider to the existing subnet
        crossplane.io/external-name: <ID_of_existing_subnet>
    spec:
      # Keep the existing subnet in the cloud when this object is deleted
      deletionPolicy: Orphan
      forProvider:
        name: <name_of_existing_subnet>
        networkIdRef:
          name: <name_of_existing_network>
        v4CidrBlocks:
          - <IPv4_CIDR_of_existing_subnet>
      providerConfigRef:
        name: default
    ---
    # Creating a VM instance
    apiVersion: compute.yandex-cloud.jet.crossplane.io/v1alpha1
    kind: Instance
    metadata:
      name: crossplane-vm
    spec:
      forProvider:
        name: crossplane-vm
        platformId: standard-v1
        zone: ru-central1-a
        resources:
          - cores: 2
            memory: 4
        bootDisk:
          - initializeParams:
              - imageId: fd80bm0rh4rkepi5ksdi
        networkInterface:
          - subnetIdRef:
              name: <name_of_existing_subnet>
            # Automatically provide a public IP address to the VM
            nat: true
        metadata:
          ssh-keys: "<public_SSH_key>"
      providerConfigRef:
        name: default
      # Write the credentials for connection to the VM into a secret
      writeConnectionSecretToRef:
        name: instance-conn
        namespace: default
    

    In the VM configuration section:

    • zone: ru-central1-a: Availability zone to deploy the VM in.
    • name: crossplane-vm: Name of the VM that will be created with Crossplane.
    • imageId: fd80bm0rh4rkepi5ksdi: ID of the VM's boot image. You can get it from the list of images. This example uses an Ubuntu 22.04 LTS image.

    For examples of how to configure Yandex Cloud resources, see the provider's GitHub repo.

  4. Apply the vm-instance-template.yml manifest:

    kubectl apply -f vm-instance-template.yml
    
  5. Check the state of the new resources:

    kubectl get network
    kubectl get subnet
    kubectl get instance
    
  6. Make sure the new crossplane-vm VM has appeared in the folder:

    yc compute instance list
    
  7. To retrieve the data needed to connect to the VM from the secret, run this command:

    kubectl get secret instance-conn -o json | jq -r '.data | map_values(@base64d)'
    

    Expected result:

    {
      "external_ip": "<public_IP_address>",
      "fqdn": "<full_domain_name>",
      "internal_ip": "<internal_IP_address>"
    }
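
A pre-apply review of the vm-instance-template.yml manifest from step 3, as an added example that is not part of the original tutorial or the provider's code. It assumes the manifest has already been converted to a JSON list of objects; `review_manifest`, the sample object names and the placeholder IDs are hypothetical.

```python
import json

EXTERNAL_NAME = "crossplane.io/external-name"

def review_manifest(docs):
    """Return (severity, object, message) tuples for a list of manifest documents."""
    findings = []
    for doc in docs:
        meta, spec = doc.get("metadata", {}), doc.get("spec", {})
        ref = f'{doc.get("kind", "?")}/{meta.get("name", "?")}'
        # external-name in the manifest means the object adopts a resource that
        # already exists. Crossplane's default deletionPolicy is Delete, so
        # without Orphan, deleting the object also deletes the cloud resource.
        adopted = EXTERNAL_NAME in meta.get("annotations", {})
        if adopted and spec.get("deletionPolicy", "Delete") != "Orphan":
            findings.append(("error", ref, "adopted resource lacks deletionPolicy: Orphan"))
        if doc.get("kind") != "Instance":
            continue
        params = spec.get("forProvider", {})
        # nat: true exposes the VM on a public address; surface it for review.
        for nic in params.get("networkInterface", []):
            if nic.get("nat") is True:
                findings.append(("warn", ref, "nat: true gives the VM a public IP"))
        # VM metadata should only ever carry the public half of the key pair.
        if "PRIVATE KEY" in params.get("metadata", {}).get("ssh-keys", ""):
            findings.append(("error", ref, "ssh-keys holds a private key, not a public one"))
    return findings

# Constructed sample: the tutorial's three objects as JSON, with deletionPolicy
# removed from the Subnet to show the failure case. All IDs are placeholders.
SAMPLE = json.loads("""[
 {"kind": "Network",
  "metadata": {"name": "net", "annotations": {"crossplane.io/external-name": "net-id-placeholder"}},
  "spec": {"deletionPolicy": "Orphan", "forProvider": {"name": "net"}}},
 {"kind": "Subnet",
  "metadata": {"name": "sub", "annotations": {"crossplane.io/external-name": "subnet-id-placeholder"}},
  "spec": {"forProvider": {"name": "sub"}}},
 {"kind": "Instance",
  "metadata": {"name": "crossplane-vm"},
  "spec": {"forProvider": {"name": "crossplane-vm",
           "networkInterface": [{"subnetIdRef": {"name": "sub"}, "nat": true}],
           "metadata": {"ssh-keys": "ssh-ed25519 AAAA-constructed-placeholder user@host"}}}}
]""")

if __name__ == "__main__":
    for severity, ref, message in review_manifest(SAMPLE):
        print(f"{severity:5} {ref}: {message}")
```

The check is meant for the manifest before it is applied: once Crossplane creates the VM, it sets the external-name annotation on the Instance as well, so running it against live objects would also flag resources that Crossplane itself created.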
    

Delete the resources you created

Some resources are not free of charge. To avoid paying for them, delete the resources you no longer need:

  1. Delete the crossplane-vm VM:

    kubectl delete instance crossplane-vm
    
  2. Delete the other resources:

    Manually

    1. Delete the Kubernetes cluster.
    2. Delete the subnets you created.
    3. Delete the route table.
    4. Delete the NAT gateway.
    5. Delete the networks.
    6. Delete the service accounts you created.

    Terraform

    1. In the terminal window, go to the directory containing the infrastructure plan.

      Warning

      Make sure the directory has no Terraform manifests with the resources you want to keep. Terraform deletes all resources that were created using the manifests in the current directory.

    2. Delete resources:

      1. Run this command:

        terraform destroy
        
      2. Confirm deleting the resources and wait for the operation to complete.

      All the resources described in the Terraform manifests will be deleted.
