Crossplane-云基础架构管理平台

背景

Crossplane（跨平面，意思是可以跨越多个 公有云平台） 是一个开源的 Kubernetes 插件，它允许平台团队组装来自多个供应商的基础设施，并向应用程序团队公开更高级别的自助服务 api，而不需要编写任何代码。

Crossplane 扩展您的 Kubernetes 集群，为您提供任何基础设施或托管服务的 crd。将这些细粒度资源组合成更高级别的抽象，这些抽象可以使用您喜欢的工具，也可以和已经集成到集群中的现有流程进行版本管理、管理、部署和使用。

同类产品：Terraform

Composition

一个composition组织一个或多个自定义资源，以响应由 ApplicationDefinition 或 InfrastructureDefinition 定义的自定义资源的创建或修改：

• 可以定义怎样组合应用和基础设施

• 可以定义多个资源，包括组合资源

• 可以定义应用资源间的依赖关系

apiVersion: apiextensions.crossplane.io/v1alpha1
kind: Composition
metadata:
  name: private-mysql-server
  labels:
    connectivity: private
spec:
  # This composition declares that its input values will be read 'from' a
  # resource of the specified kind, which must be defined by an
  # InfrastructureDefinition. The field name denotes the relationship with the
  # 'fromFieldPath' notation below.
  from:
    apiVersion: database.example.org/v1alpha1
    kind: MySQLInstance
  # This composition declares that its input values will be written 'to' the
  # below resources. The field name denotes the relationship with the
  # 'toFieldPath' notation below.
  to:
  - base:
      apiVersion: azure.crossplane.io/v1alpha3
      kind: ResourceGroup
      spec:
        location: West US
        providerConfigRef:
          name: example
        reclaimPolicy: Delete
    patches:
    - fromFieldPath: "spec.region"
      toFieldPath: "spec.forProvider.location"
      transforms:
      - type: map
        map:
          us-west: "West US"
          us-east: "East US"
  - base:
      apiVersion: database.azure.crossplane.io/v1beta1
      kind: MySQLServer
      spec:
        forProvider:
          administratorLogin: myadmin
          resourceGroupNameSelector:
            matchComposite: true
          location: West US
          sslEnforcement: Disabled
          version: "5.6"
          sku:
            tier: Basic
            capacity: 1
            family: Gen5
          storageProfile:
            storageMB: 20480
        writeConnectionSecretToRef:
          namespace: crossplane-system
        providerConfigRef:
          name: example
        reclaimPolicy: Delete
    patches:
    - fromFieldPath: "metadata.uid"
      toFieldPath: "spec.writeConnectionSecretToRef.name"
    - fromFieldPath: "spec.engineVersion"
      toFieldPath: "spec.forProvider.version"
    - fromFieldPath: "spec.storageGB"
      toFieldPath: "spec.forProvider.storageMB"
      transforms:
      - type: math
        math:
          multiply: 1024
    - fromFieldPath: "spec.region"
      toFieldPath: "spec.forProvider.location"
      transforms:
      - type: map
        map:
          us-west: "West US"
          us-east: "East US"
    # Specifies the (potentially sensitive) connection details that this 'to'
    # resource should expose to the 'from' resource. Names are unique across all
    # 'to' resources within this composition. Ignored by application resources.
    connectionDetails:
    - name: username
      fromConnectionSecretKey: username
    - name: password
      fromConnectionSecretKey: password
    - name: endpoint
      fromConnectionSecretKey: endpoint
  - base:
      apiVersion: database.azure.crossplane.io/v1alpha3
      kind: MySQLServerVirtualNetworkRule
      spec:
        serverNameSelector:
          matchComposite: true
        resourceGroupNameSelector:
          matchComposite: true
        properties:
          virtualNetworkSubnetIdRef:
            name: sample-subnet
        reclaimPolicy: Delete
        providerConfigRef:
          name: azure-provider

InfrastructureDefinition

一个表示基础设施的自定义CRD资源，由基础设施提供商实现。基础设施资源是集群范围的，并且只能组成其他集群范围的基础设施资源。基础设施资源包括由基础设施提供商实施的“原始”基础设施资源以及其他组合基础设施资源。

apiVersion: apiextensions.crossplane.io/v1alpha1
kind: InfrastructureDefinition
metadata:
  # InfrastructureDefinition names are subject to the constraints of Kubernetes
  # CustomResourceDefinition names. They must be of the form ..
  name: mysqlinstances.database.example.org
spec:
  # Any composition that intends to satisfy an infrastructure resource must
  # expose each of the named connection details exactly once in any of its
  # connectionDetails objects. The connection secret published by the defined
  # infrastructure resource will include only these connection details.
  connectionDetails:
  - username
  - password
  - endpoint
  # Defines the structural schema and GroupVersionKind of this infrastructure.
  # Only a single API version of the application may exist. Additional fields
  # will be injected to support composition machinery.
  crdSpecTemplate:
    group: database.example.org
    version: v1alpha1
    names:
      kind: MySQLInstance
      listKind: MySQLInstanceList
      plural: mysqlinstances
      singular: mysqlinstance
    validation:
      openAPIV3Schema:
        properties:
          engineVersion:
            type: string
          region:
            type: string
          storageGB:
            type: int
        type: object
  # An optional service account that will be used to reconcile MySQLInstance
  # resources. This allows the use of RBAC to restrict which resources a
  # MySQLInstance may be composed of. The specified service account must have
  # full access to MySQLInstance resources, and 'get' access to Component
  # resources.
  #
  # If the service account is omitted Crossplane will use its pod service
  # account to manage MySQLInstance resources. This implies that anyone with
  # sufficient RBAC permissions to create a Composition and to create a
  # MySQLInstance will be able to compose their MySQLInstance of any
  # infrastructure resource that Crossplane is able to create.
  serviceAccountRef:
    namespace: crossplane-system
    name: mysqlinstances.database.example.org
  # An optional default composition that will be set automatically for any
  # MySQLInstance custom resources that omit both their compositeSelector and
  # their compositeRef.
  defaultCompositionRef:
    name: cheap-rds
  # An optional forced composition that will be set automatically for any
  # MySQLInstance custom resource, overriding their compositeSelector and their
  # compositeRef. If defaultComposition and forceComposition are both set, the
  # forced composition wins.
  enforcedCompositionRef:
    name: mysqlinstances.database.example.org

ApplicationDefinition

ApplicationDefinition 定义了一种代表应用程序的新型自定义资源

apiVersion: apiextensions.crossplane.io/v1alpha1
kind: ApplicationDefinition
metadata:
  # ApplicationDefinition names are subject to the constraints of Kubernetes
  # CustomResourceDefinition names. They must be of the form ..
  name: wordpresses.apps.example.org
spec:
  # Defines the structural schema and GroupVersionKind of this application. Only
  # a single API version of the application may exist. Additional fields will be
  # injected to support composition machinery.
  crdSpecTemplate:
    group: apps.example.org
    version: v1alpha1
    names:
      kind: Wordpress
      listKind: WordpressList
      plural: wordpresses
      singular: wordpress
    validation:
      openAPIV3Schema:
        properties:
          administratorLogin:
            type: string
          storageSize:
            type: int
          storageType:
            type: string
        type: object
  # An optional service account that will be used to reconcile Wordpress
  # resources. This allows the use of RBAC to restrict which resources a
  # Wordpress application may be composed of. The specified service account must
  # have full access to Wordpress resources, and 'get' access to Component
  # resources.
  #
  # If the service account is omitted Crossplane will use its pod service
  # account to manage Wordpress resources. This implies that anyone with
  # sufficient RBAC permissions to create a Composition and to create a
  # Wordpress resource in a particular namespace will be able to compose their
  # Wordpress of any resource Crossplane is able to create. Crossplane will
  # refuse to create resources at the cluster scope or outside of the namespace
  # in which the Wordpress was created.
  serviceAccountRef:
    namespace: crossplane-system
    name: wordpresses.apps.example.org
  # An optional default composition that will be set automatically for any
  # Wordpress custom resources that omit both their compositeSelector and their
  # compositeRef.
  defaultCompositionRef:
    name: local-wordpress
  # An optional forced composition that will be set automatically for any
  # Wordpress custom resource, overriding their compositeSelector and their
  # compositeRef. If defaultComposition and forceComposition are both set, the
  # forced composition wins.
  enforcedCompositionRef:
    name: wordpresses.apps.example.org

通过执行A上面的pplicationdefinition，crossplane将自动创建一个CRD，这将允许用户使用上面自定义的应用资源：Wordpress

apiVersion: example.org/v1alpha1
kind: Wordpress
metadata:
  namespace: default
  name: coolblog
spec:
  # The schema for the following three fields is defined by the above
  # ApplicationDefinition.
  administratorLogin: admin
  storageSize: 2
  storageType: SSD
  # The below schema is automatically injected into the CustomResourceDefinition
  # that is created by the ApplicationDefinition that defines the Wordpress
  # resource.
  # Multiple compositions may potentially satisfy a particular kind of
  # application. Each application instance may influence which composition is
  # used via label selectors. This could be used, for example, to determine
  # whether a Wordpress application renders to a KubernetesApplication or to a
  # plain old Kubernetes Deployment.
  compositionSelector:
    matchLabels:
      compute: kubernetes
      database: mysql
  # The Wordpress author may explicitly select which composition should be used
  # by setting the compositionRef. In the majority of cases the author will
  # ignore this field and it will be set by a controller, similar to the
  # contemporary classRef field.
  compositionRef:
  - name: wordpress-kubernetes-mysql
  # Each application maintains an array of the resources they compose.
  # Composed resources are always in the same namespace as the application
  # resource. Any namespaced resource may be composed; composed resources
  # model their relationship with the application resource via their
  # controller reference. The application must maintain this array because
  # there is currently no user friendly, performant way to discover which
  # resources (of arbitrary kinds) are controlled by a particular resource per
  # https://github.com/kubernetes/kubernetes/issues/54498
  resourceRefs:
  - apiVersion: database.example.org/v1alpha1
    kind: MySQLInstanceRequirement
    name: coolblog-3jmdf
  - apiVersion: workload.crossplane.io/v1alpha1
    kind: KubernetesApplication
    name: coolblog-3mdm2

Provider

基础设施资源提供者，它是一组k8s 的CRD和controllers的组合，用于一对一的定义各个provider 提供的资源。官方提供的provider 有：

• AWS provider

• GCP provider

• Azure

• Alibaba

• ......
  provider 主要有两种资源组成，Provider 和 ProviderConfig

与Terraform集成

因为crossplane想做平台，如果所有的底层设施provider全部由自己来实现，那比较耗时。但是第三方基础设施肯定也不想给crossplane做嫁衣，因此现在crossplane面临的窘境就是provider太少了。

基于此，推出了Terrajet 的项目，该项目将让提供商开发人员生成 CRD 并使用封装 Terraform CLI 操作的通用运行时。这样我们就可以在几分钟内添加对资源的支持。