Intro

Prerequisites

1. A Kubernetes cluster (On-Prem, AKS, EKS, GKE, Kind, etc.).
2. An AWS account (or other supported cloud provider).

Story Resources

1. GitHub Link: https://github.com/olafkfreund/crossplane-terraform-manifests/
2. GitHub Branch: crossplane

---

Install Crossplane (2025 Best Practices)

You can use any Kubernetes cluster for this demo. For local testing, Kind is recommended. For production, use a managed service (AKS, EKS, GKE, etc.).

1. Add the Crossplane Helm repo and install the latest version

kubectl create namespace crossplane-system
helm repo add crossplane-stable https://charts.crossplane.io/stable
helm repo update
helm install crossplane --namespace crossplane-system crossplane-stable/crossplane \
  --version 1.16.0 # (replace with latest if newer)

• Check for the latest version: https://artifacthub.io/packages/helm/crossplane/crossplane
• Confirm installation:

  kubectl get all -n crossplane-system
  

2. Install Crossplane CLI (optional, for local development)

curl -sL https://raw.githubusercontent.com/crossplane/crossplane/master/install.sh | sh

---

Install a Provider (AWS example)

1. Apply the official AWS provider package (v0.47.0 or newer):

   apiVersion: pkg.crossplane.io/v1
   kind: Provider
   metadata:
     name: provider-aws
   spec:
     package: xpkg.upbound.io/upbound/provider-aws:v0.47.0
   

   Apply with:

   kubectl apply -f aws-provider.yaml
   

   • Check provider status:

     kubectl get providers.pkg.crossplane.io
     

2. Configure AWS credentials securely:
   • Use IRSA (EKS), Workload Identity (GKE), or Azure AD Workload Identity (AKS) for production.
   • For local/dev, use a Kubernetes secret:

     AWS_PROFILE=default
     aws configure export-credentials --profile $AWS_PROFILE --format env > creds.env
     kubectl create secret generic aws-secret-creds -n crossplane-system --from-env-file=creds.env
     

3. Create a ProviderConfig:

   apiVersion: aws.upbound.io/v1beta1
   kind: ProviderConfig
   metadata:
     name: default
   spec:
     credentials:
    source: Secret
    secretRef:
      namespace: crossplane-system
      name: aws-secret-creds
      key: creds.env
   

---

Best Practices (2025)

• Use the latest Crossplane and provider versions (see ArtifactHub).
• Use managed identity for cloud credentials in production (avoid static secrets).
• Use Composition/Composite Resources for platform engineering and self-service.
• Use ProviderConfigUsage to scope credentials.
• Use RBAC and namespace isolation for multi-tenancy.
• Monitor Crossplane health with Prometheus/Grafana or Upbound Cloud.
• Use GitOps for all manifests (ArgoCD, Flux, etc.).

---

References

• Crossplane Docs
• Upbound Provider AWS
• Crossplane Helm Chart
• Production Patterns