Parent: #584
Priority: High
The PlatformCluster composition should create the Secrets Manager entry as part of cluster provisioning. Currently this is a manual step performed after the EKS cluster is ready.
The composition already has the cluster ARN, VPC ID, and region. Add a Secrets Manager Secret resource to the composition that creates {clusterName}/config with:
- server: the cluster ARN
- config: {"tlsClientConfig":{"insecure":false}} (TLS verification stays enabled)
- metadata: JSON with aws_region, aws_cluster_name, aws_vpc_id, the repo URLs, and other annotations
This eliminates the manual seeding step and makes spoke provisioning fully GitOps-driven:
- Add the cluster to fleet/kro-values/tenants/{tenant}/kro-clusters/values.yaml
- Add the fleet member to fleet/members/{name}/values.yaml
- Add the environment to overlays/environments/{env}/enabled-addons.yaml
- Commit and push: Crossplane provisions the cluster and seeds the secret, the ExternalSecret creates the ArgoCD cluster secret, and the addons deploy
Challenges:
- The Secrets Manager secret value is a JSON string whose config and metadata fields are themselves JSON-encoded strings, so composition patching may be complex (the nested JSON has to be escaped correctly rather than emitted as nested objects)
- The metadata JSON includes the repo URLs and basepath, which come from the hub cluster secret rather than from the composition
- The hub cluster needs to be handled differently: its seed secret is created by the Taskfile, not by the composition
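The nested-JSON challenge above is easiest to see with the value built end to end. The following is an added example, not code from the project or the composition: it builds the {clusterName}/config value with config and metadata as JSON-encoded strings, validates the result the way a consumer should (EKS ARN, TLS verification still enabled, required metadata present, no nested objects where strings are expected), and renders the ArgoCD cluster Secret shape that the ExternalSecret would produce. The sample cluster values are constructed, the metadata key names repo_url and basepath are assumptions (the issue only says "repo URLs" and "basepath"), and mapping metadata onto Secret annotations is an assumption about this project's ExternalSecret template.

```python
import json

# Constructed sample values for this example (not from the project).
SAMPLE_CLUSTER = {
    "cluster_name": "spoke-dev-1",
    "cluster_arn": "arn:aws:eks:us-east-1:123456789012:cluster/spoke-dev-1",
    "region": "us-east-1",
    "vpc_id": "vpc-0123456789abcdef0",
    "repo_url": "https://github.com/example-org/fleet.git",
    "basepath": "fleet",
}

REQUIRED_METADATA = ("aws_region", "aws_cluster_name", "aws_vpc_id")


def build_cluster_config_secret(cluster_name, cluster_arn, region, vpc_id,
                                repo_url, basepath, extra_metadata=None):
    """Return (secret_name, secret_string) for the {clusterName}/config entry.

    The outer value is JSON; "config" and "metadata" are JSON *strings* inside
    it, because the ArgoCD cluster Secret expects them as opaque string fields.
    The key names repo_url/basepath are assumptions, not the project's names.
    """
    metadata = {
        "aws_region": region,
        "aws_cluster_name": cluster_name,
        "aws_vpc_id": vpc_id,
        "repo_url": repo_url,
        "basepath": basepath,
    }
    metadata.update(extra_metadata or {})
    payload = {
        "server": cluster_arn,
        # TLS verification stays on; never flip this to true to "fix" a cert error.
        "config": json.dumps({"tlsClientConfig": {"insecure": False}}),
        "metadata": json.dumps(metadata),
    }
    return f"{cluster_name}/config", json.dumps(payload)


def validate_cluster_config_secret(secret_string):
    """Parse the double-encoded value and enforce its invariants before use.

    Returns (server, config_dict, metadata_dict); raises ValueError on any problem.
    """
    outer = json.loads(secret_string)
    for key in ("server", "config", "metadata"):
        if key not in outer:
            raise ValueError(f"missing top-level key {key!r}")
    server = outer["server"]
    if not (isinstance(server, str) and server.startswith("arn:") and ":eks:" in server):
        raise ValueError("server must be an EKS cluster ARN")
    # The common patching mistake: emitting config/metadata as nested objects
    # instead of JSON-encoded strings. ExternalSecret would then hand ArgoCD a
    # map where it expects a string.
    for key in ("config", "metadata"):
        if not isinstance(outer[key], str):
            raise ValueError(f"{key} must be a JSON-encoded string, not a nested object")
    config = json.loads(outer["config"])
    if config.get("tlsClientConfig", {}).get("insecure") is not False:
        raise ValueError("tlsClientConfig.insecure must be present and false")
    metadata = json.loads(outer["metadata"])
    missing = [k for k in REQUIRED_METADATA if k not in metadata]
    if missing:
        raise ValueError(f"metadata missing {missing}")
    return server, config, metadata


def render_argocd_cluster_secret(secret_string):
    """Show the Kubernetes Secret an ExternalSecret would render from the value.

    The shape follows ArgoCD's documented cluster-secret format (label
    argocd.argoproj.io/secret-type=cluster, stringData name/server/config).
    Copying the metadata keys into annotations is an assumption about this
    project's ExternalSecret template.
    """
    server, _config, metadata = validate_cluster_config_secret(secret_string)
    outer = json.loads(secret_string)
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {
            "name": f"cluster-{metadata['aws_cluster_name']}",
            "labels": {"argocd.argoproj.io/secret-type": "cluster"},
            "annotations": {k: str(v) for k, v in metadata.items()},
        },
        "stringData": {
            "name": metadata["aws_cluster_name"],
            "server": server,
            "config": outer["config"],  # passed through as the original JSON string
        },
    }


if __name__ == "__main__":
    name, value = build_cluster_config_secret(**SAMPLE_CLUSTER)
    print(name)
    print(value)
    print(json.dumps(render_argocd_cluster_secret(value), indent=2))
```

Whatever produces the value in the composition (a string.fmt transform, a function, or the Taskfile for the hub), the validator is the check worth running before the ExternalSecret consumes it: it rejects a value where config was patched in as a nested object, and it rejects any value where TLS verification has been switched off.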