Integrating RDS Services with Klutch
These instructions assume that the Klutch Control Plane Cluster has been set up.
1. Install AWS Providers (Connectivity Layer)
Klutch relies on Crossplane® Providers to manage AWS resources securely. Each provider requires IAM credentials stored as Kubernetes Secrets.
1.1 Configure Credentials for RDS
The RDS providers require an AWS Secret containing access keys and the default region.
- Create and Apply AWS Secret: Replace the placeholders in the YAML below with the correct AWS access credentials and region, then apply the file.
RDS Secret Manifest (rds-secret.yaml):
cat << 'EOF' > rds-secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: aws-rds-secret
  namespace: crossplane-system
type: Opaque
stringData:
  creds: |-
    [default]
    AWS_ACCESS_KEY_ID: #<AWS_ACCESS_KEY_ID>
    AWS_SECRET_ACCESS_KEY: #<AWS_SECRET_ACCESS_KEY>
    AWS_SESSION_TOKEN: #<AWS_SESSION_TOKEN> # Only required for SSO
  config: |-
    [default]
    AWS_DEFAULT_REGION: #<AWS_REGION> # Example: eu-central-1
EOF
kubectl apply -f rds-secret.yaml
- Install RDS Provider: Install the provider.
kubectl apply -f - <<EOF
apiVersion: pkg.crossplane.io/v1
kind: Provider
metadata:
  name: provider-aws-rds
spec:
  package: xpkg.upbound.io/upbound/provider-aws-rds:v1.23.2
EOF
Verification:
kubectl get provider -w
- Apply ProviderConfig: Create the configuration resource that links the providers to the secret.
kubectl apply -f - <<EOF
apiVersion: aws.upbound.io/v1beta1
kind: ProviderConfig
metadata:
  name: aws-rds-provider
spec:
  credentials:
    source: Secret
    secretRef:
      namespace: crossplane-system
      name: aws-rds-secret
      key: creds
EOF
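A pre-flight check for the rds-secret.yaml manifest from the first step, added here as an example (it is not part of the Klutch documentation or tooling). It confirms that the placeholders are gone, that the Secret's name, namespace and key match the ProviderConfig secretRef, and that the file is readable by its owner only; the helper name check_rds_secret is an assumption.

```shell
# Added example: pre-flight check for rds-secret.yaml before `kubectl apply`.
# check_rds_secret is a hypothetical helper, not part of Klutch or Crossplane.
# Returns 0 when the manifest looks ready, 1 otherwise; findings go to stderr.
check_rds_secret() {
  file=$1
  rc=0
  [ -f "$file" ] || { echo "not found: $file" >&2; return 1; }

  # 1. Placeholders such as <AWS_ACCESS_KEY_ID> must be replaced or their line
  #    removed. Only line numbers are reported so key material is never echoed.
  lines=$(grep -nE '<AWS_[A-Z_]+>' "$file" | cut -d: -f1 | tr '\n' ' ')
  if [ -n "$lines" ]; then
    echo "unreplaced placeholder(s) in $file on line(s): $lines" >&2
    rc=1
  fi

  # 2. Name, namespace and data key must match the ProviderConfig secretRef.
  for want in 'name: aws-rds-secret' 'namespace: crossplane-system' 'creds:'; do
    if ! grep -qE "^[[:space:]]+${want}([[:space:]]|\$)" "$file"; then
      echo "expected '${want}' not found in $file" >&2
      rc=1
    fi
  done

  # 3. The file holds AWS keys in plaintext: allow owner access only.
  mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
  case $mode in
    *00) ;;
    *) echo "$file has mode $mode; run: chmod 600 $file" >&2; rc=1 ;;
  esac

  return $rc
}

# Stand-alone use: sh check.sh rds-secret.yaml && kubectl apply -f rds-secret.yaml
if [ "$#" -gt 0 ]; then
  check_rds_secret "$1"
fi
```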
2. Deploy Provider Kubernetes
Klutch uses the Crossplane® Provider for Kubernetes to deploy and manage arbitrary Kubernetes objects.
If you have installed other data services previously (e.g. a9s data services), the required provider may already be installed in the cluster. Use the following command to check which providers are currently installed, and install the provider only if it is missing.
kubectl get providers
- Install the provider
kubectl apply -f https://raw.githubusercontent.com/anynines/klutchio/refs/heads/main/crossplane-api/deploy/provider-kubernetes.yaml
Verification:
kubectl get provider -w
Wait until provider-kubernetes is HEALTHY.
- Apply ProviderConfig
A ProviderConfig authorizes the connectivity layer to manage resources within this local Control Plane cluster, effectively treating it as the a8s automation backend. This uses InjectedIdentity for authentication.
kubectl apply -f https://raw.githubusercontent.com/anynines/klutchio/refs/heads/main/crossplane-api/deploy/config-in-cluster.yaml
Verification:
kubectl get providerconfigs.kubernetes.crossplane.io
3. Install Composition Functions
Klutch utilizes Crossplane® Composition Functions to process resource requests.
If you have installed other data services previously, some or all of the required functions may already be installed in the cluster. Use the following command to check which functions are currently installed and apply only the remaining ones.
kubectl get function
View and Apply Composition Functions Manifest
kubectl apply -f - <<EOF
apiVersion: pkg.crossplane.io/v1
kind: Function
metadata:
  name: function-patch-and-transform
spec:
  package: xpkg.upbound.io/crossplane-contrib/function-patch-and-transform:v0.9.1
---
apiVersion: pkg.crossplane.io/v1beta1
kind: Function
metadata:
  name: function-go-templating
spec:
  package: xpkg.upbound.io/crossplane-contrib/function-go-templating:v0.11.0
---
apiVersion: pkg.crossplane.io/v1beta1
kind: Function
metadata:
  name: function-auto-ready
spec:
  package: xpkg.upbound.io/crossplane-contrib/function-auto-ready:v0.5.1
---
apiVersion: pkg.crossplane.io/v1beta1
kind: Function
metadata:
  name: function-extra-resources
spec:
  package: xpkg.upbound.io/crossplane-contrib/function-extra-resources:v0.1.0
---
apiVersion: pkg.crossplane.io/v1beta1
kind: Function
metadata:
  name: function-render-rds-replicas
spec:
  package: public.ecr.aws/w5n9a2g2/anynines/klutch/function-render-rds-replicas:v0.1.0
EOF
Verification:
kubectl get function -w
Wait until the functions are HEALTHY.
4. Install Data Service Configurations
The AWS-RDS configuration package provides the Data Service Configurations, consisting of the APIs and Compositions for provisioning AWS RDS resources through Klutch.
To run the command below, you need the Crossplane CLI installed locally. If you haven't installed it yet, please follow the instructions in the Control Plane Cluster prerequisites.
crossplane xpkg install configuration public.ecr.aws/w5n9a2g2/anynines/klutch/aws:v1.0.0
Verification:
kubectl get configuration -w
Wait until the configuration is HEALTHY.
5. Install ServiceBinding Operator
Klutch uses the a8s Service Binding Controller to create connection credentials for your workloads. You must install it with the correct integration flags.
The Service Binding Controller requires specific CRDs to be present for each enabled integration. Enabling an integration without the corresponding CRD will cause the controller to fail.
- rds-postgresql: Required for Klutch RDS (always enabled in this guide).
- postgresql: Required for a8s Postgres (only enable if installed).
Run the following command to automatically detect the presence of a8s Postgres and install the controller with the correct configuration:
# Check if a8s Postgres CRD exists to determine integration mode
if kubectl get crd postgresqls.postgresql.anynines.com >/dev/null 2>&1; then
  echo "a8s Postgres detected. Enabling full integration."
  INTEGRATION_ARGS="postgresql\,rds-postgresql"
else
  echo "a8s Postgres not found. Enabling RDS-only integration."
  INTEGRATION_ARGS="rds-postgresql"
fi
helm repo add service-binding-controller \
  https://anynines-artifacts.s3.eu-central-1.amazonaws.com/charts/service-binding-controller
helm repo update
helm upgrade --install service-binding-controller \
  service-binding-controller/service-binding-controller \
  --version 0.1.0 \
  --namespace a8s-system \
  --create-namespace \
  --set controllerConfig.enable-integration="$INTEGRATION_ARGS"
Verification:
kubectl get pods -n a8s-system -l app.kubernetes.io/name=service-binding-controller
The pod should be Running.
6. Install AWS BRM Operator
The AWS BRM Operator enables advanced backup and restore capabilities for AWS RDS instances, including:
- Scheduled backups for AWS RDS instances
- Point-in-time restores and restores from specific backups
To install the AWS BRM Operator, follow these steps:
6.1 Install CRDs
First, install the required Custom Resource Definitions (CRDs):
helm repo add aws-brm-operator-crds https://anynines-artifacts.s3.eu-central-1.amazonaws.com/charts/aws-brm-operator-crds
helm upgrade --install aws-brm-operator-crds aws-brm-operator-crds/aws-brm-operator-crds --version 0.1.0
6.2 Install the Operator
Next, install the AWS BRM Operator itself:
helm repo add aws-brm-operator https://anynines-artifacts.s3.eu-central-1.amazonaws.com/charts/aws-brm-operator
helm upgrade --install aws-brm-operator aws-brm-operator/aws-brm-operator \
  --namespace crossplane-system \
  --create-namespace \
  --version 0.1.0
Verification:
kubectl get pods -n crossplane-system -l app.kubernetes.io/name=aws-brm-operator
The pod should be Running.
7. Publish Data Service API
The final step exposes the binding APIs for RDS to the App Clusters using APIServiceExportTemplates.
kubectl apply -f - <<EOF
# PostgresqlInstance Export
apiVersion: bind.anynines.com/v1alpha1
kind: APIServiceExportTemplate
metadata:
  name: rds-postgresqlinstances
  namespace: crossplane-system
spec:
  APIServiceSelector:
    group: rds.aws.anynines.com
    resource: postgresqlinstances
---
apiVersion: bind.anynines.com/v1alpha1
kind: APIServiceExportTemplate
metadata:
  name: rds-servicebindings
  namespace: crossplane-system
spec:
  APIServiceSelector:
    resource: servicebindings
    group: rds.aws.anynines.com
  permissionClaims:
    - group: ""
      resource: secrets
      version: v1
      selector: { owner: Provider }
EOF
Next Steps
The Control Plane is now fully configured with the necessary provisioning logic and exposed APIs for AWS RDS managed services.
If you want to add additional services to your catalog, you can configure:
- AWS S3 backend to add S3 managed cloud services.
- anynines backend to add a9s/a8s data services.
Otherwise, you can proceed to bind an App Cluster to the Control Plane to start consuming AWS RDS and other configured services.