
Crossplane: How do providers work

Posted on Oct 17

Providers are the meat around Crossplane’s bones, and they are used to extend the capabilities of Crossplane. When Crossplane is installed, it doesn't have any capabilities to interact with external systems. A core Crossplane pod will only watch the following resources.

When you install a Provider, a new pod is created in Crossplane's installation namespace. This pod is a Kubernetes controller that watches the CRDs that are also installed as part of the provider package.

To find out what different kinds of providers are available, you can check the Upbound Marketplace and the crossplane-contrib repository. For this series, we are going to work with the following providers:

Those GCP providers are installed from the provider-family-gcp package. These provider-family packages are special packages that allow you to install only the provider packages you need instead of installing everything, which would mean 343 CRDs if you installed the provider-gcp package instead. Crossplane also states:

"On average, 30 CRDs are used from Provider packages."

Looking at the average number, you would still have ~313 CRDs in the cluster that aren't used 🤯.

Install the providers

After a little while, you should see the providers installed and in a healthy state.

Now that the providers are installed and ready, we need to set up the ProviderConfig, which configures the credentials the provider uses to interact with external systems, in this case Google Cloud. You can have multiple ProviderConfigs and reference them in managed resources using providerConfigRef. ProviderConfigs are cluster-scoped resources.

You can set up a ProviderConfig per tenant when you have a multi-tenant cluster. When creating compositions, you could patch the value of providerConfigRef in managed resources with the value of spec.claimRef.namespace, which points to the namespace where the XRC was created.

Every provider has its own individual settings available when it comes to ProviderConfig.
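The per-tenant pattern described above, as an added example that is not part of the original post. It assumes a Composition written in the resources (patch-and-transform) style and the upbound GCP provider; the tenant name, XBucket kind, secret name and project ID are hypothetical placeholders.

```yaml
# Added example, not from the original post. All names are hypothetical.
---
# One ProviderConfig per tenant, named exactly like the tenant's namespace.
apiVersion: gcp.upbound.io/v1beta1
kind: ProviderConfig
metadata:
  name: tenant-a                      # must equal the claim namespace
spec:
  projectID: <tenant-a-gcp-project>   # placeholder
  credentials:
    source: Secret
    secretRef:
      namespace: crossplane-system    # tenants get no access to this namespace
      name: tenant-a-gcp-creds        # hypothetical secret name
      key: creds
---
apiVersion: apiextensions.crossplane.io/v1
kind: Composition
metadata:
  name: xbuckets.example.org          # hypothetical
spec:
  compositeTypeRef:
    apiVersion: example.org/v1alpha1  # hypothetical XRD group/version
    kind: XBucket
  resources:
    - name: bucket
      base:
        apiVersion: storage.gcp.upbound.io/v1beta1
        kind: Bucket
        spec:
          forProvider:
            location: EU              # constructed sample value
      patches:
        # Select the ProviderConfig from the namespace the claim (XRC) lives in.
        - type: FromCompositeFieldPath
          fromFieldPath: spec.claimRef.namespace
          toFieldPath: spec.providerConfigRef.name
          policy:
            # Fail instead of skipping the patch when claimRef is not set,
            # so the Bucket is never created with another ProviderConfig.
            fromFieldPath: Required
```

Because the composite type does not expose providerConfigRef as a claim field, a tenant cannot point a claim at another tenant's credentials; the selection is derived only from the namespace the claim was created in.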
For the GCP provider, you can find all the available configuration options here and for the Terraform provider here. If you need to override controller-related settings, e.g. the ServiceAccount, you can use ControllerConfig for that.

In upcoming chapters, we will create resources in Google Cloud that involve creating a bucket, serviceaccount, iam-binding, and serviceaccountkey. Use the following to configure a new service account with the needed permissions in GCP:

Create a service account key:

Create a Kubernetes secret in the crossplane-system namespace that contains the previously created credentials:

Create a ProviderConfig that uses these credentials:

If you run this inside GKE, using Workload Identity for authentication is much better. You can find detailed instructions for it here.

You can also read the secret from the filesystem using fs. This might come in handy in cases where you are leveraging, for example, HashiCorp Vault with the Vault Agent sidecar to inject secrets into pods. Here is a quick example of how you would configure it without going into too much detail about how to work with Vault Agent Injector:

Now we can quickly test that everything is working by creating a Bucket resource:

After a little while, you should see the bucket resource ready and synced:

At this point, we are ready to start working with GCP using Crossplane. I will go through setting up the Terraform provider configs later in the series when it's time to start working with it.

Remember to delete the test bucket resource:

The next chapter quickly reviews available configuration options for managed resources.
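The three credential sources discussed above (Kubernetes Secret, filesystem via fs, and Workload Identity), side by side with a test Bucket, as an added example that is not the original post's own manifests. It assumes the upbound GCP provider's ProviderConfig API; the ProviderConfig names, secret name and key, file path, project ID and bucket name are placeholders.

```yaml
# Added example, not from the original post. Names, paths and IDs are placeholders.
---
# 1) Long-lived service account key stored in a Secret in crossplane-system.
apiVersion: gcp.upbound.io/v1beta1
kind: ProviderConfig
metadata:
  name: default
spec:
  projectID: <gcp-project-id>
  credentials:
    source: Secret
    secretRef:
      namespace: crossplane-system
      name: gcp-creds                    # hypothetical secret name
      key: creds                         # hypothetical key inside the secret
---
# 2) Key read from the provider pod's filesystem, e.g. written by Vault Agent.
apiVersion: gcp.upbound.io/v1beta1
kind: ProviderConfig
metadata:
  name: vault
spec:
  projectID: <gcp-project-id>
  credentials:
    source: Filesystem
    fs:
      path: /vault/secrets/gcp-creds.json  # hypothetical injected file
---
# 3) GKE Workload Identity: no key material stored in the cluster at all.
apiVersion: gcp.upbound.io/v1beta1
kind: ProviderConfig
metadata:
  name: workload-identity
spec:
  projectID: <gcp-project-id>
  credentials:
    source: InjectedIdentity
---
# Test resource: the managed resource names the ProviderConfig it should use.
apiVersion: storage.gcp.upbound.io/v1beta1
kind: Bucket
metadata:
  name: <globally-unique-bucket-name>
spec:
  forProvider:
    location: EU                         # constructed sample value
  providerConfigRef:
    name: default
```

Variants 1 and 2 both depend on an exported service account key that has to be rotated and protected; variant 3 removes that key from the cluster.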
Author: Joonas Venäläinen (polarsquad), DEV Community.



This post first appeared on VedVyas Articles, please read the original post: here
