# IaC — Crossplane

## Architecture

```
platform-gitops / management cluster                                  Cloud providers
──────────────────────────────────────────────────────────────────────
crossplane/providers/     → Provider CRDs installed                   GCP / AWS / Azure / IBM
crossplane/xrds/          → XRD: XGKECluster registered (defines the API)
crossplane/compositions/  → Composition: gke-cluster-gcp (implements the API)

<domain>-gitops / management cluster                                  Cloud
──────────────────────────────────────────────────────────────────────
crossplane/claims/prod/gke-main.yaml
    → Claim: GKECluster in payments-prod-infra
    → Composite (XR) created by Crossplane
    → GKE cluster provisioned in GCP
```
## Infra Namespace

One namespace per domain per environment, separate from the application namespaces:

```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: payments-prod-infra
  labels:
    project: payments
    env: prod
    purpose: infra
    team: team-payments
    backstage.io/domain: payments
    backstage.io/managed-by: crossplane
    argocd/app-set: crossplane-payments
```
## Claim Example

```yaml
# payments-gitops/crossplane/claims/prod/cloudsql-main.yaml
apiVersion: platform.myorg.io/v1alpha1
kind: CloudSQLInstance
metadata:
  name: cloudsql-main                 # {resourceType}-{name}
  namespace: payments-prod-infra      # {domain}-{env}-infra
  labels:
    project: payments
    env: prod
    resource-type: cloudsql
    provider: gcp
    team: team-payments
    backstage.io/system: gateway
    backstage.io/resource: gcp-payments-prod-cloudsql-main
    argocd/app: crossplane-payments-prod-cloudsql-main
    argocd/app-set: crossplane-payments
  annotations:
    platform.myorg/backstage-entity: gcp-payments-prod-cloudsql-main
    platform.myorg/ownership-level: system
spec:
  parameters:
    domain: payments
    env: prod
    project: payments-prod
    location: us-central1
    engine: POSTGRES_15
    tier: db-custom-2-7680
    availabilityType: REGIONAL
    backupRetentionDays: 30
    deletionPolicy: Orphan            # never auto-delete prod resources
  writeConnectionSecretToRef:
    name: gcp-payments-prod-cloudsql-main-conn
    namespace: payments-prod-infra
  compositionSelector:
    matchLabels:
      provider: gcp
      resource-type: cloudsql
```
## Ownership Levels

| Level | Claim carries | Use case |
|---|---|---|
| domain | Only backstage.io/domain | Cluster, VPC, KMS; shared by all systems |
| system | backstage.io/system | Shared database, message bus; shared within one system |
| component | backstage.io/system + the Component's dependsOn | Per-service queue, cache |
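A pre-merge guardrail that checks the conventions stated in the claim example and the ownership table above: the `{domain}-{env}-infra` namespace and `{resourceType}-{name}` patterns, labels agreeing with `spec.parameters`, a `backstage.io/system` label on system- and component-level claims, `deletionPolicy: Orphan` on prod, and the connection Secret staying in the claim's own infra namespace. This is an added example, not code from the platform repositories; `validate_claim` is a name chosen here, the claim is passed as a plain dict (the structure PyYAML's `safe_load` returns from the manifest), and both sample claims are constructed for the example.

```python
import copy

def validate_claim(claim: dict) -> list[str]:
    """Return the convention violations found; an empty list means the claim passes."""
    meta = claim.get("metadata", {})
    labels, spec = meta.get("labels", {}), claim.get("spec", {})
    params = spec.get("parameters", {})
    name, ns = meta.get("name", ""), meta.get("namespace", "")
    domain, env, rtype = params.get("domain"), params.get("env"), labels.get("resource-type")
    problems = []
    # {domain}-{env}-infra: infra objects live apart from application namespaces
    if ns != f"{domain}-{env}-infra":
        problems.append(f"namespace {ns!r} must be {domain}-{env}-infra")
    # {resourceType}-{name}
    if not rtype or not name.startswith(f"{rtype}-"):
        problems.append(f"name {name!r} must start with '{rtype}-'")
    # ArgoCD AppSets select on labels, so they must agree with spec.parameters
    if labels.get("project") != domain or labels.get("env") != env:
        problems.append("labels project/env must match parameters domain/env")
    # system- and component-level ownership needs a backstage.io/system label
    level = meta.get("annotations", {}).get("platform.myorg/ownership-level")
    if level in ("system", "component") and "backstage.io/system" not in labels:
        problems.append(f"{level}-level ownership requires a backstage.io/system label")
    # prod resources must survive deletion of the Claim
    if env == "prod" and params.get("deletionPolicy") != "Orphan":
        problems.append("prod claims must set deletionPolicy: Orphan")
    # the connection Secret stays in the claim's infra namespace, never an app namespace
    if spec.get("writeConnectionSecretToRef", {}).get("namespace") != ns:
        problems.append("connection Secret must be written to the claim's own namespace")
    return problems

# Constructed sample mirroring the cloudsql-main claim above (trimmed to the checked fields).
GOOD_CLAIM = {
    "metadata": {
        "name": "cloudsql-main", "namespace": "payments-prod-infra",
        "labels": {"project": "payments", "env": "prod", "resource-type": "cloudsql",
                   "backstage.io/system": "gateway", "argocd/app-set": "crossplane-payments"},
        "annotations": {"platform.myorg/ownership-level": "system"},
    },
    "spec": {
        "parameters": {"domain": "payments", "env": "prod", "deletionPolicy": "Orphan"},
        "writeConnectionSecretToRef": {"name": "gcp-payments-prod-cloudsql-main-conn",
                                       "namespace": "payments-prod-infra"},
    },
}

# Constructed counterexample: Secret pushed into an app namespace and a deletable prod resource.
BAD_CLAIM = copy.deepcopy(GOOD_CLAIM)
BAD_CLAIM["spec"]["parameters"]["deletionPolicy"] = "Delete"
BAD_CLAIM["spec"]["writeConnectionSecretToRef"]["namespace"] = "payments-prod"
```

Run it over every file under `crossplane/claims/` in CI and fail the merge on a non-empty result.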
## Supported Providers and Resource Types

| Type slug | Backstage spec.type | GCP | AWS | Azure | IBM |
|---|---|---|---|---|---|
| gke/eks/aks/iks | kubernetes-cluster | ✅ | ✅ | ✅ | ✅ |
| cloudsql/rds/postgres/cosmos | database | ✅ | ✅ | ✅ | ✅ |
| pubsub/sqs/servicebus/eventstreams | message-queue | ✅ | ✅ | ✅ | ✅ |
| gcs/s3/blobstorage/cos | object-storage | ✅ | ✅ | ✅ | ✅ |
| memorystore/elasticache/redis | cache | ✅ | ✅ | ✅ | — |
| bigquery/dynamodb | data-store | ✅ | ✅ | — | — |
| artifact-registry/ecr/acr | container-registry | ✅ | ✅ | ✅ | — |
| secretmanager/keyvault/secrets-manager | secret-store | ✅ | ✅ | ✅ | ✅ |
## Provider Configuration

```yaml
# platform-gitops/crossplane/providers/provider-gcp.yaml
apiVersion: pkg.crossplane.io/v1
kind: Provider
metadata:
  name: provider-gcp
  annotations:
    argocd.argoproj.io/sync-wave: "-10"   # before the Claims
spec:
  package: xpkg.upbound.io/upbound/provider-gcp:v0.41.0
---
apiVersion: gcp.upbound.io/v1beta1
kind: ProviderConfig
metadata:
  name: gcp-provider-config
spec:
  projectID: myorg-platform
  credentials:
    source: Secret
    secretRef:
      namespace: crossplane-system
      name: gcp-credentials
      key: credentials.json
```
## Sync Wave Order

- Wave -10: Providers + XRDs + Compositions → `crossplane-platform` AppSet
- Wave 0: Claims → `crossplane-<domain>` AppSets
- Wave 10: application workloads (optional) → domain ApplicationSets
## Crossplane vs Terraform

| Aspect | Terraform | Crossplane |
|---|---|---|
| Resource definition | .tf files + modules | XRD + Composition |
| Resource instance | terraform apply pipeline | Claim (Kubernetes object) |
| State | .tfstate in S3/GCS | etcd (Kubernetes) |
| Reconciliation | Pipeline on push | Continuous controller loop |
| Drift correction | terraform plan in CI | Crossplane selfHeal: true |
| Secret output | Terraform output | Kubernetes Secret in the infra namespace |