Integrating S3 Services with Klutch
These instructions assume that the Klutch Control Plane Cluster has been set up.
1. Install AWS Providers (Connectivity Layer)
Klutch relies on Crossplane® Providers to manage AWS resources securely. Each provider requires IAM credentials stored as Kubernetes Secrets.
1.1 Configure Credentials for S3 and KMS
The S3 and KMS providers require an AWS Secret containing access keys and the default region.
- Create and Apply AWS Secret: Replace the placeholders in the YAML below with the correct AWS access credentials and region, then apply the file.
View S3/KMS Secret Manifest (s3-secret.yaml)

cat << 'EOF' > s3-secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: aws-s3-secret
  namespace: crossplane-system
type: Opaque
stringData:
  creds: |-
    [default]
    AWS_ACCESS_KEY_ID: <AWS_ACCESS_KEY_ID>
    AWS_SECRET_ACCESS_KEY: <AWS_SECRET_ACCESS_KEY>
    AWS_SESSION_TOKEN: <AWS_SESSION_TOKEN> # Only required for SSO
  config: |-
    [default]
    AWS_DEFAULT_REGION: <AWS_REGION> # Example: eu-central-1
EOF

kubectl apply -f s3-secret.yaml

- Install S3 and KMS Providers: Install the providers, which will automatically use the secret above for configuration.
kubectl apply -f - <<EOF
apiVersion: pkg.crossplane.io/v1
kind: Provider
metadata:
  name: provider-aws-s3
spec:
  package: xpkg.upbound.io/upbound/provider-aws-s3:v1.23.2
---
apiVersion: pkg.crossplane.io/v1
kind: Provider
metadata:
  name: provider-aws-kms
spec:
  package: xpkg.upbound.io/upbound/provider-aws-kms:v1.23.2
EOF

- Apply ProviderConfig: Create the configuration resource that links the providers to the secret.
kubectl apply -f - <<EOF
apiVersion: aws.upbound.io/v1beta1
kind: ProviderConfig
metadata:
  name: aws-s3-provider
spec:
  credentials:
    source: Secret
    secretRef:
      namespace: crossplane-system
      name: aws-s3-secret
      key: creds
EOF
1.2 Install IAM Provider
The IAM provider is required for managing user permissions associated with the storage resources. It is configured with a separate secret (recommended for policy isolation).
- Create and Apply IAM Secret: Replace the placeholders and apply the secret.
View IAM Secret Manifest (iam-secret.yaml)

cat << 'EOF' > iam-secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: aws-iam-secret
  namespace: crossplane-system
type: Opaque
stringData:
  creds: |-
    [default]
    AWS_ACCESS_KEY_ID: <AWS_ACCESS_KEY_ID>
    AWS_SECRET_ACCESS_KEY: <AWS_SECRET_ACCESS_KEY>
    AWS_SESSION_TOKEN: <AWS_SESSION_TOKEN> # Only required for SSO
  config: |-
    [default]
    AWS_DEFAULT_REGION: <AWS_REGION> # Example: eu-central-1
EOF

kubectl apply -f iam-secret.yaml

- Install IAM Provider:
kubectl apply -f - <<EOF
apiVersion: pkg.crossplane.io/v1
kind: Provider
metadata:
  name: provider-aws-iam
spec:
  package: xpkg.upbound.io/upbound/provider-aws-iam:v1.23.2
EOF

- Apply ProviderConfig: Create the configuration resource that links the IAM provider to its secret.
kubectl apply -f - <<EOF
apiVersion: aws.upbound.io/v1beta1
kind: ProviderConfig
metadata:
  name: aws-iam-provider
spec:
  credentials:
    source: Secret
    secretRef:
      namespace: crossplane-system
      name: aws-iam-secret
      key: creds
EOF

Verification:
kubectl get provider -w
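
A pre-flight check for the two credential manifests written in steps 1.1 and 1.2, run before `kubectl apply`. This is an added example, not part of the Klutch documentation; `check_secret_manifest` is a hypothetical helper name, and the namespace and key it checks are the ones the ProviderConfig manifests above reference.

```shell
#!/bin/sh
# Added example: pre-flight check for s3-secret.yaml / iam-secret.yaml.
# check_secret_manifest is a hypothetical helper name, not a Klutch command.
# The body runs in a subshell "( ... )", so `exit` only leaves the function.
check_secret_manifest() (
  file=$1; rc=0
  [ -f "$file" ] || { echo "$file: not found" >&2; exit 2; }

  # 1. Template placeholders must be replaced. An unused AWS_SESSION_TOKEN
  #    line has to be deleted, otherwise the literal "<AWS_SESSION_TOKEN>"
  #    is stored as the token. Only placeholder lines are printed, never keys.
  if grep -nE '^[[:space:]]*AWS_[A-Z_]+:[[:space:]]*<[A-Z_]+>' "$file" >&2; then
    echo "$file: unreplaced placeholder(s) listed above" >&2; rc=1
  fi

  # 2. The file holds access keys in clear text: owner-only permissions.
  mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
  case $mode in
    600|400) ;;
    *) echo "$file: mode $mode, expected 600 (run: chmod 600 $file)" >&2; rc=1 ;;
  esac

  # 3. The ProviderConfig secretRef expects namespace crossplane-system
  #    and the data key "creds".
  grep -qE '^[[:space:]]*namespace:[[:space:]]*crossplane-system[[:space:]]*$' "$file" ||
    { echo "$file: namespace is not crossplane-system" >&2; rc=1; }
  grep -qE '^[[:space:]]*creds:' "$file" ||
    { echo "$file: key \"creds\" (secretRef.key) is missing" >&2; rc=1; }

  exit "$rc"
)

# Usage: apply only when the check passes, then remove the clear-text copy.
#   check_secret_manifest s3-secret.yaml &&
#     kubectl apply -f s3-secret.yaml && rm -f s3-secret.yaml
```

Running `umask 077` before the `cat << 'EOF' > ...` step creates the manifest with owner-only permissions from the start, so the mode check passes without a separate `chmod`.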
2. Install Composition Functions
Klutch utilizes Crossplane® Composition Functions to process resource requests.
If you have installed other data services previously, some or all of the required functions may already be installed in the cluster. Use the following command to check which functions are currently installed and apply only the remaining ones.
kubectl get function
View and Apply Composition Functions Manifest
kubectl apply -f - <<EOF
apiVersion: pkg.crossplane.io/v1beta1
kind: Function
metadata:
  name: function-go-templating
spec:
  package: xpkg.upbound.io/crossplane-contrib/function-go-templating:v0.11.0
---
apiVersion: pkg.crossplane.io/v1beta1
kind: Function
metadata:
  name: function-auto-ready
spec:
  package: xpkg.upbound.io/crossplane-contrib/function-auto-ready:v0.5.1
---
apiVersion: pkg.crossplane.io/v1beta1
kind: Function
metadata:
  name: function-extra-resources
spec:
  package: xpkg.upbound.io/crossplane-contrib/function-extra-resources:v0.1.0
EOF
Verification:
kubectl get function -w
Wait until the functions are HEALTHY.
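
When some functions are already present from an earlier data service install, the sketch below reports which of the three still need to be applied and which are installed from a different package reference than the one listed in this section. It is an added example, not part of the Klutch documentation; `functions_to_apply` and `SAMPLE_INSTALLED` are hypothetical names, and the sample input is constructed.

```shell
#!/bin/sh
# Added example: compare installed Crossplane functions with the package
# references from section 2. Helper and variable names are hypothetical.

# name=package pairs copied from the manifest in section 2.
EXPECTED="function-go-templating=xpkg.upbound.io/crossplane-contrib/function-go-templating:v0.11.0
function-auto-ready=xpkg.upbound.io/crossplane-contrib/function-auto-ready:v0.5.1
function-extra-resources=xpkg.upbound.io/crossplane-contrib/function-extra-resources:v0.1.0"

# Constructed sample of "<name> <package>" lines, the shape produced by:
#   kubectl get function -o jsonpath='{range .items[*]}{.metadata.name}{" "}{.spec.package}{"\n"}{end}'
SAMPLE_INSTALLED="function-go-templating xpkg.upbound.io/crossplane-contrib/function-go-templating:v0.11.0
function-auto-ready xpkg.upbound.io/crossplane-contrib/function-auto-ready:v0.0.0-constructed
function-unrelated example.invalid/constructed/function-unrelated:v0.0.0"

# Reads installed "<name> <package>" lines on stdin, prints one status
# line per expected function: OK, MISMATCH or APPLY.
functions_to_apply() {
  # Word splitting turns the newline-separated list into space-separated
  # pairs, which keeps the awk -v value on a single line.
  awk -v expected="$(echo $EXPECTED)" '
    BEGIN {
      n = split(expected, pair, " ")
      for (i = 1; i <= n; i++) {
        split(pair[i], kv, "=")
        name[i] = kv[1]; want[kv[1]] = kv[2]
      }
    }
    NF >= 2 { have[$1] = $2 }
    END {
      for (i = 1; i <= n; i++) {
        f = name[i]
        if (!(f in have))            print "APPLY    " f " (not installed)"
        else if (have[f] != want[f]) print "MISMATCH " f " installed=" have[f] " expected=" want[f]
        else                         print "OK       " f
      }
    }'
}

# Usage against the constructed sample:
#   printf '%s\n' "$SAMPLE_INSTALLED" | functions_to_apply
```

A `MISMATCH` line means an earlier installation pulled a different package reference for that function; decide which version the cluster should run before applying the manifest above.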
3. Install Data Service Configurations
The objectstorage configuration package provides the Data Service Configurations, consisting of the APIs
and Compositions for provisioning S3 resources through Klutch.
To run the command below, you need the Crossplane CLI installed locally. If you haven't installed it yet, please follow the instructions in the Control Plane Cluster prerequisites.
crossplane xpkg install configuration public.ecr.aws/w5n9a2g2/anynines/klutch/objectstorage:v1.0.2
Verification:
kubectl get configuration -w
Wait until the configuration is HEALTHY.
4. Publish Data Service APIs
The final step exposes the ObjectStorageInstance and associated binding APIs to App Clusters using
APIServiceExportTemplates.
kubectl apply -f - <<EOF
apiVersion: bind.anynines.com/v1alpha1
kind: APIServiceExportTemplate
metadata:
  name: objectstorageinstances
  namespace: crossplane-system
spec:
  APIServiceSelector:
    group: anynines.com
    resource: objectstorageinstances
---
apiVersion: bind.anynines.com/v1alpha1
kind: APIServiceExportTemplate
metadata:
  name: objectstoragebindings
  namespace: crossplane-system
spec:
  APIServiceSelector:
    resource: objectstoragebindings
    group: anynines.com
  permissionClaims:
    - group: ""
      resource: secrets
      version: v1
      selector:
        owner: Provider
    - group: ""
      resource: configmaps
      version: v1
      selector:
        owner: Provider
EOF
Next Steps
The Control Plane is now fully configured with the necessary provisioning logic and exposed APIs for AWS S3 managed services.
If you want to add additional services to your catalog, you can configure:
- AWS RDS backend to add RDS managed cloud services.
- anynines backend to add a9s/a8s data services.
Otherwise, you can proceed to bind an App Cluster to the Control Plane to start consuming AWS S3 and other configured services.