Integrating RDS Services with Klutch

Prerequisite

These instructions assume that the Klutch Control Plane Cluster has been set up.

1. Install AWS Providers (Connectivity Layer)

Klutch relies on Crossplane® Providers to manage AWS resources securely. Each provider requires IAM credentials stored as Kubernetes Secrets.

1.1 Configure Credentials for RDS

The RDS providers require an AWS Secret containing access keys and the default region.

1. Create and Apply AWS Secret: Replace the placeholders in the YAML below with the correct AWS access credentials and region, then apply the file.

   View RDS Secret Manifest (rds-secret.yaml)

   cat << 'EOF' > rds-secret.yaml
   apiVersion: v1
   kind: Secret
   metadata:
     name: aws-rds-secret
     namespace: crossplane-system
   type: Opaque
   stringData:
     creds: |-
       [default]
       AWS_ACCESS_KEY_ID: #<AWS_ACCESS_KEY_ID>
       AWS_SECRET_ACCESS_KEY: #<AWS_SECRET_ACCESS_KEY>
       AWS_SESSION_TOKEN: #<AWS_SESSION_TOKEN> # Only required for SSO
     config: |-
       [default]
       AWS_DEFAULT_REGION: #<AWS_REGION> # Example: eu-central-1
   EOF

   kubectl apply -f rds-secret.yaml

2. Install RDS Provider: Install the provider.

   kubectl apply -f - <<EOF
   apiVersion: pkg.crossplane.io/v1
   kind: Provider
   metadata:
     name: provider-aws-rds
   spec:
     package: xpkg.upbound.io/upbound/provider-aws-rds:v1.23.2
   EOF

   Verification:

   kubectl get provider -w

3. Apply ProviderConfig: Create the configuration resource that links the providers to the secret.

   kubectl apply -f - <<EOF
   apiVersion: aws.upbound.io/v1beta1
   kind: ProviderConfig
   metadata:
     name: aws-rds-provider
   spec:
     credentials:
       source: Secret
       secretRef:
         namespace: crossplane-system
         name: aws-rds-secret
         key: creds
   EOF

2. Deploy Provider Kubernetes

Klutch utilizes Crossplane® Provider for Kubernetes to enables deployment and management of arbitrary Kubernetes objects.

info

If you have installed other data services previously (e.g. a9s data services), the required provider may already be installed in the cluster. Use the following command to check which providers are currently installed and apply only if it's missing.

  kubectl get providers

1. Install the provider

   kubectl apply -f https://raw.githubusercontent.com/anynines/klutchio/refs/heads/main/crossplane-api/deploy/provider-kubernetes.yaml

   Verification:

   kubectl get provider -w

   Wait until provider-kubernetes is HEALTHY.

2. Apply ProviderConfig

   A ProviderConfig authorizes the connectivity layer to manage resources within this local Control Plane cluster, effectively treating it as the a8s automation backend. This uses InjectedIdentity for authentication.

   kubectl apply -f https://raw.githubusercontent.com/anynines/klutchio/refs/heads/main/crossplane-api/deploy/config-in-cluster.yaml

   Verification:

   kubectl get providerconfigs.kubernetes.crossplane.io

3. Install Composition Functions

Klutch utilizes Crossplane® Composition Functions to process resource requests.

info

If you have installed other data services previously, some or all of the required functions may already be installed in the cluster. Use the following command to check which functions are currently installed and apply only the remaining ones.

  kubectl get function

View and Apply Composition Functions Manifest

kubectl apply -f - <<EOF
apiVersion: pkg.crossplane.io/v1
kind: Function
metadata:
  name: function-patch-and-transform
spec:
  package: xpkg.upbound.io/crossplane-contrib/function-patch-and-transform:v0.9.1
---
apiVersion: pkg.crossplane.io/v1beta1
kind: Function
metadata:
  name: function-go-templating
spec:
  package: xpkg.upbound.io/crossplane-contrib/function-go-templating:v0.11.0
---
apiVersion: pkg.crossplane.io/v1beta1
kind: Function
metadata:
  name: function-auto-ready
spec:
  package: xpkg.upbound.io/crossplane-contrib/function-auto-ready:v0.5.1
---
apiVersion: pkg.crossplane.io/v1beta1
kind: Function
metadata:
  name: function-extra-resources
spec:
  package: xpkg.upbound.io/crossplane-contrib/function-extra-resources:v0.1.0
---
apiVersion: pkg.crossplane.io/v1beta1
kind: Function
metadata:
  name: function-render-rds-replicas
spec:
  package: public.ecr.aws/w5n9a2g2/anynines/klutch/function-render-rds-replicas:v0.1.0
EOF

Verification:

kubectl get function -w

Wait until the functions are HEALTHY.

4. Install Data Service Configurations

The AWS-RDS configuration package provides the service the Data Service Configurations, consisting of the APIs and Compositions for provisioning AWS RDS resources through Klutch.

Prerequisite

To run the command below, you need the Crossplane CLI installed locally. If you haven't installed it yet, please follow the instructions in the Control Plane Cluster prerequisites.

crossplane xpkg install configuration public.ecr.aws/w5n9a2g2/anynines/klutch/aws:v1.0.0

Verification:

kubectl get configuration -w

Wait until the configuration is HEALTHY.

5. Install ServiceBinding Operator

Klutch uses the a8s Service Binding Controller to create connection credentials for your workloads. You must install it with the correct integration flags.

Critical Configuration

The Service Binding Controller requires specific CRDs to be present for each enabled integration. Enabling an integration without the corresponding CRD will cause the controller to fail.

• rds-postgresql: Required for Klutch RDS (always enabled in this guide).
• postgresql: Required for a8s Postgres (only enable if installed).

Run the following command to automatically detect the presence of a8s Postgres and install the controller with the correct configuration:

# Check if a8s Postgres CRD exists to determine integration mode
if kubectl get crd postgresqls.postgresql.anynines.com >/dev/null 2>&1; then
  echo "a8s Postgres detected. Enabling full integration."
  INTEGRATION_ARGS="postgresql\,rds-postgresql"
else
  echo "a8s Postgres not found. Enabling RDS-only integration."
  INTEGRATION_ARGS="rds-postgresql"
fi

helm repo add service-binding-controller \
  https://anynines-artifacts.s3.eu-central-1.amazonaws.com/charts/service-binding-controller
helm repo update

helm upgrade --install service-binding-controller \
  service-binding-controller/service-binding-controller \
  --version 0.1.0 \
  --namespace a8s-system \
  --create-namespace \
  --set controllerConfig.enable-integration="$INTEGRATION_ARGS"

Verification:

kubectl get pods -n a8s-system -l app.kubernetes.io/name=service-binding-controller

The pod should be Running.

6. Publish Data Service API

The final step exposes the binding APIs for RDS to the App Clusters using APIServiceExportTemplates.

kubectl apply -f - <<EOF
# PostgresqlInstance Export
apiVersion: bind.anynines.com/v1alpha1
kind: APIServiceExportTemplate
metadata:
  name: rds-postgresqlinstances
  namespace: crossplane-system
spec:
  APIServiceSelector:
    group: rds.aws.anynines.com
    resource:  postgresqlinstances
---
apiVersion: bind.anynines.com/v1alpha1
kind: APIServiceExportTemplate
metadata:
  name: rds-servicebindings
  namespace: crossplane-system
spec:
  APIServiceSelector:
    resource: servicebindings
    group: rds.aws.anynines.com
  permissionClaims:
    - group: ""
      resource: secrets
      version: v1
      selector: { owner: Provider }
EOF

Next Steps

The Control Plane is now fully configured with the necessary provisioning logic and exposed APIs for AWS RDS managed services.

If you want to add additional services to your catalog, you can configure:

• AWS S3 backend to add S3 managed cloud services.
• anynines backend to add a9s/a8s data services.

Otherwise, you can proceed to bind an App Cluster to the Control Plane to start consuming AWS RDS and other configured services.