Skip to content

feat: auto-bootstrap plural on crossplane#3791

Open
zreigz wants to merge 9 commits into
masterfrom
lukasz/prod-4581-auto-bootstrap-plural-on-crossplane-created-eksaksgke
Open

feat: auto-bootstrap plural on crossplane#3791
zreigz wants to merge 9 commits into
masterfrom
lukasz/prod-4581-auto-bootstrap-plural-on-crossplane-created-eksaksgke

Conversation

@zreigz

@zreigz zreigz commented Jul 1, 2026

Copy link
Copy Markdown
Member

Adds PluralCrossplaneCluster, a new deployment-operator CRD and controller that registers Crossplane-managed Kubernetes clusters (EKS, GKE, AKS)

I mirrored the Crossplane EKS Cluster type locally instead of importing provider-aws, because that dependency pins k8s/controller-runtime versions that conflict with the deployment-operator’s module

Test Plan

Test environment: https://console.your-env.onplural.sh/

Checklist

  • I have added a meaningful title and summary to convey the impact of this PR to a user.
  • If required, I have updated the Plural documentation accordingly.
  • I have added tests to cover my changes.
  • I have deployed the agent to a test environment and verified that it works as expected (required only when changing agent code).

Plural Flow: console

@zreigz zreigz added the enhancement New feature or request label Jul 1, 2026
@linear

linear Bot commented Jul 1, 2026

Copy link
Copy Markdown

PROD-4581

@zreigz zreigz changed the title auto-bootstrap plural on crossplane wip: auto-bootstrap plural on crossplane Jul 1, 2026
@soffi-ai

soffi-ai Bot commented Jul 1, 2026

Copy link
Copy Markdown

Soffi AI Summary

This PR introduces a new PluralCrossplaneCluster CRD and reconciler in the deployment operator, enabling Plural Console to automatically bootstrap managed Kubernetes clusters that are provisioned via Crossplane. Rather than requiring manual cluster registration, the operator can now watch Crossplane-managed cluster resources (AWS EKS, Azure AKS, and GCP GKE) and automatically extract connection credentials and cluster metadata to register them with Console.

The motivation is to bridge the gap between Crossplane's infrastructure provisioning model and Plural's GitOps CD engine — clusters created via Crossplane CRDs (e.g., CompositeResourceClaim) should surface in Console automatically without additional user intervention.

Key additions:

  • New CRD PluralCrossplaneCluster (api/v1alpha1/pluralcrossplanecluster_types.go) — a custom resource that references a Crossplane cluster object and declares which cloud provider (AWS/AKS/GKE) provisioned it.
  • Provider-specific credential extractors (internal/crossplane/) — separate implementations for AWS EKS (aws_eks.go), Azure AKS (azure_aks.go), and GKE (gke_cluster.go) that know how to read Crossplane's output Secret and construct valid kubeconfig/cluster credentials for Console registration. AWS also includes STS-based cluster auth (aws_cluster_auth.go).
  • Reconciler (pluralcrossplanecluster_controller.go) — watches PluralCrossplaneCluster resources, resolves the referenced Crossplane cluster object, extracts credentials via the appropriate provider adapter, and registers the cluster with the Console API. Includes status condition tracking and owns a generated CRD manifest.
  • Scheme registration (internal/crossplane/scheme.go) — registers Crossplane runtime types so the controller can decode Crossplane-managed objects.
  • Sample manifests for all three providers and updated API docs.
  • Dependency additions: crossplane-runtime v1.20.10 and bumped go-openapi, docker/cli, and containerd/stargz-snapshotter versions in go.sum/go.mod.

Commits

Commit Summary
7d25dba Initial scaffolding of the PluralCrossplaneCluster CRD, types, and reconciler skeleton for auto-bootstrapping clusters created via Crossplane.
ac6a3c7 Added Azure AKS support — credential extractor that reads the Crossplane-managed AKS connection Secret and registers the cluster with Console.
b95ca68 Improved the AWS EKS provider implementation, including STS-based cluster auth and kubeconfig construction from Crossplane output Secrets.
cf7a114 Refactored and consolidated Crossplane type handling, scheme registration, and the shared cluster abstraction layer.
86971a6 Lint fixes across the new crossplane package.
aaee6d6 Added GKE support — credential extractor for Google Kubernetes Engine clusters provisioned via Crossplane.
f3f9882 Fixed mirrored/embedded Crossplane type definitions to correctly decode Crossplane composite resource objects without importing the full Crossplane CRD suite.
cdfb10b Updated API docs and added sample YAML manifests for PluralCrossplaneCluster (EKS, AKS, and GKE variants).
36a8f8c Merge from main to pick up upstream changes before the PR is finalized.

Deploy in Soffi


Updated: 2026-07-07 10:52 UTC

@socket-security

socket-security Bot commented Jul 1, 2026

Copy link
Copy Markdown

@socket-security

socket-security Bot commented Jul 1, 2026

Copy link
Copy Markdown

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn High
Obfuscated code: golang github.com/crossplane/crossplane-runtime is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: go/deployment-operator/go.modgolang/github.com/crossplane/[email protected]

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected].

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore golang/github.com/crossplane/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

@greptile-apps

greptile-apps Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Greptile Summary

This PR adds a new PluralCrossplaneCluster CRD and controller that auto-bootstraps a Plural-managed cluster from a Crossplane-provisioned one, targeting AWS EKS (both crossplane-contrib and upbound providers). Once the Crossplane cluster is ready, the controller syncs the cluster to the Console API and deploys the Plural agent via Helm into the target cluster.

  • Introduces PluralCrossplaneCluster type with full RBAC binding support, console token secret ref, and flexible agent Helm configuration.
  • Adds a crossplane package with provider dispatch, AWS EKS mirror types, connection secret resolution (including ClusterAuth-based fallback), and scheme registration.
  • Contains a reconciliation bug where the spec hash is persisted and the resource is marked Ready=True even when the Helm agent deployment returns an "in-progress" error, preventing the controller from ever retrying the install.

Confidence Score: 3/5

The controller can permanently skip deploying the Plural agent into the target cluster if Helm happens to be busy during the first reconciliation pass.

When deployAgent returns a Helm "in progress" error, the code falls through and writes Status.SHA + Status.ID and sets Ready=True. The next reconcile sees HasID() && !changed and exits early, so the agent install is never retried — the cluster appears bootstrapped in Console but the agent is absent. This affects the primary purpose of the controller.

go/deployment-operator/internal/controller/pluralcrossplanecluster_controller.go — specifically the Helm "in progress" fallthrough around line 143.

Important Files Changed

Filename Overview
go/deployment-operator/internal/controller/pluralcrossplanecluster_controller.go New controller for PluralCrossplaneCluster; contains a bug where the spec hash is persisted even when the Helm agent deployment returns an "in progress" error, preventing future reconciliation retries.
go/deployment-operator/internal/crossplane/cluster.go Well-structured ManagedCluster interface, connection secret resolution, and kubeconfig extraction utilities; logic is clean and tested.
go/deployment-operator/internal/crossplane/aws_eks.go Local mirror types for AWS EKS Crossplane clusters (crossplane-contrib and upbound v1beta1/v1beta2) with proper DeepCopy implementations; no issues found.
go/deployment-operator/internal/crossplane/aws_cluster_auth.go Hydrates connection secret config from a ClusterAuth resource when the cluster itself has none; unfiltered cluster-wide List could cause false matches at scale.
go/deployment-operator/internal/crossplane/provider.go Provider dispatch with explicit ErrUnsupportedProvider sentinel; extensible structure for future GKE/AKS support.
go/deployment-operator/internal/crossplane/scheme.go Registers all three AWS EKS GVKs (crossplane-contrib v1beta1, upbound v1beta1, upbound v1beta2) into a runtime Scheme; straightforward and tested.
go/deployment-operator/api/v1alpha1/pluralcrossplanecluster_types.go CRD type definitions and helper methods for PluralCrossplaneCluster; clean implementation with proper attribute conversion for Console API.
go/deployment-operator/cmd/agent/kubernetes.go Registers PluralCrossplaneClusterController with the manager; consistent with existing controller registration pattern in the file.
go/deployment-operator/cmd/agent/main.go Adds crossplane scheme to the global scheme via AddToScheme; minimal, correct change.

Reviews (1): Last reviewed commit: "plural crossplane cluster" | Re-trigger Greptile

Comment thread go/deployment-operator/internal/crossplane/aws_cluster_auth.go
@zreigz zreigz changed the title wip: auto-bootstrap plural on crossplane feat: auto-bootstrap plural on crossplane Jul 7, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

enhancement New feature or request

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant