<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: yelenary</title>
    <description>The latest articles on DEV Community by yelenary (@yelenary).</description>
    <link>https://dev.to/yelenary</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3245728%2Ff8cae4ce-0d7d-4e7a-840d-4109e15d3525.png</url>
      <title>DEV Community: yelenary</title>
      <link>https://dev.to/yelenary</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/yelenary"/>
    <language>en</language>
    <item>
      <title>Is CloudNativePG Ready to Replace RDS/Aurora for High-Traffic Databases?</title>
      <dc:creator>yelenary</dc:creator>
      <pubDate>Mon, 29 Jun 2026 01:27:56 +0000</pubDate>
      <link>https://dev.to/yelenary/is-cloudnativepg-ready-to-replace-rdsaurora-for-high-traffic-databases-4dng</link>
      <guid>https://dev.to/yelenary/is-cloudnativepg-ready-to-replace-rdsaurora-for-high-traffic-databases-4dng</guid>
      <description>&lt;p&gt;&lt;strong&gt;Is CloudNativePG Ready to Replace RDS/Aurora for High-Traffic Databases?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Short answer: Not for most teams. But for the right team, in the right conditions, it's a legitimate move.&lt;/p&gt;

&lt;p&gt;I spent time digging into CloudNativePG (CNPG) — the CNCF-backed Postgres operator for Kubernetes — to answer a question I keep hearing from platform engineers: "Can we drop RDS/Aurora and run Postgres on EKS ourselves?"&lt;/p&gt;

&lt;p&gt;Here's what I found, without the vendor spin.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;The Evidence Problem&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Before anything else: the public evidence base for CNPG at true high-traffic scale is thin.&lt;/p&gt;

&lt;p&gt;Named enterprise adopters exist — GEICO Tech, HSBC, EDB's BigAnimal, IBM Cloud Paks. HSBC presented a real migration story at KubeCon EU 2026. The strongest concrete number comes from Mirakl: 450 Postgres clusters, 31 TB of data, 3,650 CPUs — impressive fleet scale.&lt;/p&gt;

&lt;p&gt;But there is no published, independent benchmark of CNPG handling thousands of TPS on a single multi-TB database that explicitly migrated off Aurora or RDS. If you're evaluating this for a tier-1 OLTP workload, you're operating without a public proof point at that scale.&lt;/p&gt;

&lt;p&gt;That's not a dealbreaker. But it's a flag.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Where CNPG Actually Falls Short Today&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Failover is slower — and that's mostly Kubernetes, not CNPG&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Aurora Multi-AZ typically fails over in ~30 seconds. RDS Multi-AZ clusters: under 35 seconds, with zero data loss.&lt;/p&gt;

&lt;p&gt;The only public measured number for CNPG on node failure is a community report of 40–80 seconds — where the dominant term isn't CNPG's logic, it's Kubernetes' node-monitor-grace-period (40s on K8s 1.29–1.31, raised to 50s in 1.32+). After node detection, add EBS detach/reattach (20–90 seconds) before the new primary is writable.&lt;/p&gt;

&lt;p&gt;Pod-level failures are faster. But losing a node — the failure mode that actually keeps you up at night — is gated by K8s infrastructure, not the operator.&lt;/p&gt;

&lt;p&gt;RDS Proxy and Aurora also mask failover from clients by holding connections and re-routing. CNPG's PgBouncer Pooler doesn't queue connections across a failover the same way. Your clients see the blip.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;No automatic primary fencing — by design&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;CNPG explicitly chose not to auto-fence an isolated primary. In a network partition, CNPG prevents split-brain at rejoin time rather than force-shutting the isolated primary immediately (the Patroni model).&lt;/p&gt;

&lt;p&gt;With async replication, this is a real consistency risk. The mitigation is 3-node synchronous (quorum) replication across 3 AZs — which works, but adds write latency and means writes pause if a required standby goes unavailable.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Barman backup is mature, but you own it entirely&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;CNPG uses Barman Cloud for backups. It's solid. But there's a near-term migration required: the in-tree barmanObjectStore is deprecated as of CNPG 1.26 and removed in 1.28. New deployments need the plugin-barman-cloud sidecar architecture.&lt;/p&gt;

&lt;p&gt;Documented failure modes in the wild: stalled WAL archiving filling the PGDATA volume and causing crashloops. The XAmzContentSHA256Mismatch bug after a routine image bump is the kind of incident that reminds you who's on-call when AWS isn't managing your backups.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Where CNPG Genuinely Wins&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Cost at large scale — but the math is less obvious than it looks&lt;/p&gt;

&lt;p&gt;Aurora I/O billing can be brutal. A busy OLTP workload at ~50,000 I/O/s is over $25,000/month in I/O charges alone under Standard pricing. Aurora I/O-Optimized helps when I/O exceeds 25% of your Aurora bill — but that's still you paying the AWS premium.&lt;/p&gt;

&lt;p&gt;CNPG on EKS pays EC2 + EBS + S3. The savings are real. The catch: a senior engineer in Canada runs CAD 150k–250k/year fully loaded. Even a 0.25 FTE allocation for on-call, patching, upgrades, and restore drills is CAD 40–60k/year of fixed cost. At small/medium managed-DB spend, CNPG's infrastructure savings don't cover the labor. The crossover only happens when you're spending tens of thousands per month on RDS/Aurora — large fleets or I/O-heavy workloads — AND you already employ the expertise, making the marginal labor near-zero.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;The unexpected win: Debezium / CDC workloads&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;This is the one area where the "default to managed services" recommendation actually flips.&lt;/p&gt;

&lt;p&gt;Debezium depends on a logical replication slot surviving failover. Historically, on any self-managed HA Postgres, it didn't — which forced a full re-snapshot of a multi-TB database after every failover. Not acceptable at scale.&lt;/p&gt;

&lt;p&gt;Aurora is the weakest of the three here. Its shared-storage replication does not preserve logical slots across failover. You re-snapshot.&lt;/p&gt;

&lt;p&gt;CNPG ≥1.27 on PostgreSQL 17 natively synchronizes logical decoding slots across the HA cluster via synchronizeLogicalDecoding. Combined with CNPG's stable -rw service endpoint, Debezium reconnects after failover without re-snapshotting — the slot survives and the connection follows automatically. For a CDC-heavy shop, this is a legitimate reason to choose CNPG over Aurora.&lt;/p&gt;

&lt;p&gt;Caveat: this is feature-existence, not a published production benchmark at scale. Validate it before trusting it.&lt;/p&gt;

&lt;p&gt;Full Postgres control&lt;/p&gt;

&lt;p&gt;RDS/Aurora restrict extensions to an allow-list and withhold true superuser. CNPG gives you any extension, any version, on your schedule. For teams blocked by RDS extension limitations or needing newer Postgres majors immediately — this is real.&lt;/p&gt;

&lt;p&gt;GitOps-native operations&lt;/p&gt;

&lt;p&gt;CNPG was designed for Kubernetes from day one. Declarative cluster specs, immutable images with SBOM provenance, native Prometheus metrics, PGAudit support. If your team lives in GitOps, CNPG fits that model in a way RDS/Aurora never will.&lt;/p&gt;

&lt;h2&gt;
  
  
  The Honest Decision Framework
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;Stay on Aurora / RDS if:&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;You don't have ≥2 engineers with deep overlapping Postgres + Kubernetes + storage/CSI expertise (bus factor matters — losing one person shouldn't be an existential risk)&lt;br&gt;
Your managed-DB spend isn't large enough to justify the fixed operational overhead&lt;br&gt;
Your RTO requirements are tight and you haven't benchmarked CNPG under your actual write load&lt;br&gt;
You need compliance coverage you can point at (SOC, PCI, HIPAA eligibility) without building your own evidence chain&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Consider CNPG if — and only if — at least 3 of these are true:&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;You already employ the Postgres + Kubernetes + storage expertise (marginal labor ≈ zero)&lt;br&gt;
You're spending tens of thousands/month on managed DBs — fleet scale or I/O-heavy Aurora&lt;br&gt;
You have a hard requirement managed services can't meet: extension control, version control, multi-cloud portability, data sovereignty, or CDC/Debezium slot failover&lt;br&gt;
You can run 3 AZs with synchronous replication and accept the write-latency tradeoff&lt;br&gt;
You've completed the in-tree → plugin Barman migration and have tested PITR at your actual data size&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Before You Decide: Do This First&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;The public evidence gap is the biggest risk. Before any migration decision, run your own benchmark:&lt;/p&gt;

&lt;p&gt;Stand up a 3-node CNPG cluster on EKS across 3 AZs. Drive it at your real write TPS. Measure pod-kill failover, node-kill failover (tuned node-monitor-grace-period + EBS reattach), and AZ-loss — under both async and sync replication. Compare against your Aurora/RDS SLOs.&lt;/p&gt;

&lt;p&gt;If CNPG can't hit your RTO target under load, stop there. If it can, you have a data point nobody else seems to have published.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Bottom Line&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;CNPG is excellent software, backed by a serious community (CNCF Sandbox, Incubation applied for), and used in production at real enterprises. It is not vaporware.&lt;/p&gt;

&lt;p&gt;But for a single high-traffic, multi-TB production database: the managed-service default holds. Aurora absorbs the 3am pages. CNPG hands them back to you — along with full control, which is either a feature or a burden depending entirely on your team's depth.&lt;/p&gt;

&lt;p&gt;The clearest exception isn't a cost argument. It's CDC. If Debezium failing over without re-snapshotting is critical to your architecture, CNPG ≥1.27 on PG17 deserves a serious look.&lt;/p&gt;

&lt;p&gt;I'm a Senior Staff DevOps/Platform Engineer working with Kubernetes, AWS, and Postgres at scale. What's your team's experience with CNPG in production? Drop it in the comments — there's a real gap in public production data here.&lt;/p&gt;

&lt;h1&gt;
  
  
  CloudNativePG #Kubernetes #PostgreSQL #DevOps #PlatformEngineering #AWS #EKS #Aurora #SRE #DatabaseEngineering
&lt;/h1&gt;

</description>
      <category>aws</category>
      <category>database</category>
      <category>kubernetes</category>
      <category>postgres</category>
    </item>
    <item>
      <title>Overview of Crossplane and Crossplane-provider-aws</title>
      <dc:creator>yelenary</dc:creator>
      <pubDate>Fri, 13 Jun 2025 19:46:03 +0000</pubDate>
      <link>https://dev.to/yelenary/overview-of-crossplane-and-crossplane-provider-aws-baj</link>
      <guid>https://dev.to/yelenary/overview-of-crossplane-and-crossplane-provider-aws-baj</guid>
      <description>&lt;h2&gt;
  
  
  Overview
&lt;/h2&gt;

&lt;p&gt;Crossplane is an opensource project primarily developed and maintained by Upbound, a company focused on building tools for cloud-native infrastructure and application management. The project also has contributions from various individual developers and organizations within the cloud-native and Kubernetes community. &lt;/p&gt;

&lt;p&gt;Essentially, it is a Kubernetes-native control plane that enables declarative infrastructure and application management via Custom Resource Definitions (CRDs). Its power comes from the provider system, which enables Crossplane to interface with external APIs (e.g., AWS, GCP, Azure, etc.). &lt;/p&gt;

&lt;p&gt;This document describes how Crossplane and a Crossplane provider (e.g., provider-aws) are interconnected, their dependencies, and how data flows between components. &lt;/p&gt;

&lt;h2&gt;
  
  
  Dataflow diagram
&lt;/h2&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fb91pzhgvwba5f1fx6gcr.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fb91pzhgvwba5f1fx6gcr.png" alt="Crossplane dataflow diagram" width="800" height="427"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h3&gt;
  
  
  Dataflow Steps Explained:
&lt;/h3&gt;

&lt;h4&gt;
  
  
  &lt;em&gt;User → Kubernetes API&lt;/em&gt;
&lt;/h4&gt;

&lt;p&gt;The user creates or applies a resource (like a CompositeResourceClaim or ManagedResource) using kubectl or a GitOps tool to the Kubernetes API server.&lt;/p&gt;

&lt;h4&gt;
  
  
  &lt;em&gt;Kubernetes → Crossplane Core&lt;/em&gt;
&lt;/h4&gt;

&lt;p&gt;Crossplane’s controllers (running in the cluster) watch for these resources, reconcile their state, and orchestrate the desired infrastructure.&lt;/p&gt;

&lt;h4&gt;
  
  
  &lt;em&gt;Crossplane Core → Crossplane Provider&lt;/em&gt;
&lt;/h4&gt;

&lt;p&gt;Crossplane core delegates concrete provisioning tasks to a Crossplane Provider (e.g., Provider-AWS) via custom resources (e.g., RDSInstance, S3Bucket).&lt;/p&gt;

&lt;h4&gt;
  
  
  &lt;em&gt;Provider → AWS&lt;/em&gt;
&lt;/h4&gt;

&lt;p&gt;The provider translates these Kubernetes custom resources into AWS API calls (using AWS SDK) to create/update/delete actual cloud resources.&lt;/p&gt;

&lt;h4&gt;
  
  
  &lt;em&gt;AWS → Provider → Kubernetes&lt;/em&gt;
&lt;/h4&gt;

&lt;p&gt;The provider monitors AWS for the resource’s real state and updates the status of the corresponding Kubernetes custom resource, closing the reconciliation loop.&lt;/p&gt;

&lt;h2&gt;
  
  
  Main components and roles
&lt;/h2&gt;

&lt;h3&gt;
  
  
  Crossplane:
&lt;/h3&gt;

&lt;p&gt;*&lt;em&gt;Key Components *&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;*&lt;em&gt;1. Crossplane Core *&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Responsible for: &lt;/p&gt;

&lt;p&gt;Managing Provider, Configuration, and Composition resources. &lt;/p&gt;

&lt;p&gt;Bootstrapping and orchestrating the lifecycle of provider controllers via Provider and ProviderRevision resources. &lt;/p&gt;

&lt;p&gt;*&lt;em&gt;2. Provider *&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Custom resource of kind Provider (pkg.crossplane.io/v1). &lt;br&gt;
Triggers installation and deployment of the provider controller. &lt;/p&gt;

&lt;p&gt;Specifies the OCI image of a provider package (e.g., provider-aws:v0.50.0).&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;kubectl get provider.pkg 

NAME                  INSTALLED   HEALTHY   PACKAGE                                   AGE 

abc-provider   True        True      crossplane-contrib/provider-aws:v0.50.0   56d
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;





&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;apiVersion: pkg.crossplane.io/v1 
kind: Provider 
metadata: 
  annotations: 
    kustomize.toolkit.fluxcd.io/prune: disabled 
  labels: 
    app.kubernetes.io/instance: crossplane-provider 
    app.kubernetes.io/managed-by: Helm 
    app.kubernetes.io/name: crossplane-provider 
    helm.sh/chart: crossplane-provider-v0.10.0
    helm.toolkit.fluxcd.io/name: crossplane-provider 
  name: xxx-provider 
  namespace: crossplane-system 
spec: 
  package: crossplane-contrib/provider-aws:v0.50.0 
  runtimeConfigRef: 
    name: crossplane-provider-aws
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;*&lt;em&gt;3. ProviderRevision *&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Providerrevisions are typically not directly created or managed by users. Instead, theyare managed automatically when you install a Provider, upgrade Provider to a new version or Uninstall Provider &lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Created automatically by Crossplane when a Provider is applied. &lt;/li&gt;
&lt;li&gt;Represents an exact, immutable snapshot of a provider version. &lt;/li&gt;
&lt;li&gt;Crossplane manages only ACTIVE revision. &lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Responsible for: &lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Installing CRDs defined in the provider package. &lt;/li&gt;
&lt;li&gt;Running the controller logic for reconciling managed resources. &lt;/li&gt;
&lt;li&gt;Can be rolled back or rolled forward by changing the package version in the Provider. &lt;/li&gt;
&lt;li&gt;Only one ProviderRevision can be ACTIVE at a time per Provider. &lt;/li&gt;
&lt;li&gt;Old revisions are marked INACTIVE but retained for rollback if needed. &lt;/li&gt;
&lt;li&gt;Updating the package field in a Provider creates a new ProviderRevision. &lt;/li&gt;
&lt;li&gt;Deleting the Provider will uninstall the provider, delete the CRDs, and stop the controller
&lt;/li&gt;
&lt;/ul&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;kubectl get providerrevision   
NAME                               HEALTHY   REVISION   IMAGE                                     STATE      DEP-FOUND   DEP-INSTALLED   AGE
aws-provider-6c3fd1826792   True      3          crossplane-contrib/provider-aws:v0.50.0   Active                                 16d
aws-provider-b4eafc5192c9   False     2          crossplanecontrib/provider-aws:v0.46.0    Inactive                               29d

&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;*&lt;em&gt;4. ProviderConfig *&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Defines credentials and configuration needed by the provider to interact with external APIs. &lt;/p&gt;

&lt;p&gt;Consumed by ManagedResources (e.g., RDSInstance, Bucket) via providerConfigRef. &lt;/p&gt;

&lt;p&gt;Example:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;apiVersion: aws.crossplane.io/v1beta1 
kind: ProviderConfig 
metadata: 
  name: aws-provider 
spec: 
  credentials: 
    source: Secret 
    secretRef: 
      namespace: crossplane-system 
      name: aws-creds 
      key: creds 
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;*&lt;em&gt;5. DeploymentRuntimeConfig  *&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;An optional configuration resource that controls how provider controller pods (like crossplane-provider-aws) are deployed within the Kubernetes cluster. &lt;/p&gt;

&lt;p&gt;It belongs to the pkg.crossplane.io API group and is used in conjunction with a Provider or Configuration resource to customize runtime settings such as: &lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;resource limits (CPU/memory) &lt;/li&gt;
&lt;li&gt;environment variables &lt;/li&gt;
&lt;li&gt;volume mounts &lt;/li&gt;
&lt;li&gt;labels and annotations &lt;/li&gt;
&lt;li&gt;security contexts &lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;*&lt;em&gt;6. Managed Resources *&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Represent real infrastructure (e.g., Bucket, RDSInstance, Network) modeled as Kubernetes CRs. &lt;/p&gt;

&lt;p&gt;Managed by the provider controller. &lt;/p&gt;

&lt;p&gt;Always reference a ProviderConfig. &lt;/p&gt;

&lt;h2&gt;
  
  
  Crossplane-provider-aws
&lt;/h2&gt;

&lt;p&gt;After installing Crossplane, you install the AWS provider using a YAML manifest like:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;apiVersion: pkg.crossplane.io/v1 
kind: Provider 
metadata: 
  name: provider-aws 
spec: 
  package: xpkg.upbound.io/crossplane-contrib/provider-aws:v0.50.0 
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;This triggers Crossplane to: &lt;/p&gt;

&lt;p&gt;Install the provider-aws OCI package &lt;/p&gt;

&lt;p&gt;Crossplane fetches the image from Upbound’s OCI registry. &lt;/p&gt;

&lt;p&gt;It spins up a new Deployment (in-cluster controller) for the provider.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;kubectl get deployment -n crossplane-system 

NAME                               READY   UP-TO-DATE   AVAILABLE   AGE 

crossplane-provider-6c3fd1826792   1/1     1            1           16d 

crossplane                         1/1     1            1           618d 

crossplane-rbac-manager            1/1     1            1           618d 
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;The provider’s controller pod installs: &lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Deployment (1 per provider): runs provider-aws controller manager &lt;/li&gt;
&lt;li&gt;ProviderRevision object: tracks version and status &lt;/li&gt;
&lt;li&gt;CustomResourceDefinitions (CRDs) for all supported AWS services 
E.g., s3buckets.aws.crossplane.io, rdsinstances.database.aws.crossplane.io, etc. &lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;You can list all the CRDs installed with the provider by:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;kubectl get crds | grep aws.crossplane.io 
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h2&gt;
  
  
  Dependency Flow
&lt;/h2&gt;

&lt;ol&gt;
&lt;li&gt;Crossplane Core is installed: installs built-in CRDs (e.g., Provider, Composition). &lt;/li&gt;
&lt;li&gt;Provider resource is applied: triggers Crossplane to fetch the provider package from an OCI registry. &lt;/li&gt;
&lt;li&gt;ProviderRevision is created: immutable snapshot of the provider package. &lt;/li&gt;
&lt;li&gt;CRDs are installed by the revision (e.g., buckets.s3.aws.crossplane.io). &lt;/li&gt;
&lt;li&gt;Controller Deployment is spun up: runs reconciliation logic for those CRDs. &lt;/li&gt;
&lt;li&gt;User applies ProviderConfig: specifies cloud credentials. &lt;/li&gt;
&lt;li&gt;User creates ManagedResource: such as Bucket, VPC, RDSInstance. &lt;/li&gt;
&lt;li&gt;ManagedResource refers to ProviderConfig: to get credentials. &lt;/li&gt;
&lt;li&gt;Provider controller reconciles the ManagedResource, calls external cloud API to provision/update/destroy real-world resources. &lt;/li&gt;
&lt;/ol&gt;

</description>
      <category>crossplane</category>
      <category>crossplaneprovider</category>
    </item>
    <item>
      <title>Step-by-Step: Configuring Internal YUM Repo Access on RPM-Based Hosts</title>
      <dc:creator>yelenary</dc:creator>
      <pubDate>Thu, 05 Jun 2025 17:29:23 +0000</pubDate>
      <link>https://dev.to/yelenary/step-by-step-configuring-internal-yum-repo-access-on-rpm-based-hosts-4387</link>
      <guid>https://dev.to/yelenary/step-by-step-configuring-internal-yum-repo-access-on-rpm-based-hosts-4387</guid>
      <description>&lt;h4&gt;
  
  
  Background
&lt;/h4&gt;

&lt;p&gt;In modern enterprise environments it's common to host private packages in an internal YUM repository. This guide walks through configuring a &lt;strong&gt;Rocky Linux 8/9&lt;/strong&gt; (or other RPM-based) host to securely access and install packages from a private YUM repository hosted in &lt;strong&gt;Google Artifact Registry&lt;/strong&gt;.&lt;/p&gt;

&lt;h4&gt;
  
  
  ✅ Prerequisites
&lt;/h4&gt;

&lt;ul&gt;
&lt;li&gt;A host running &lt;strong&gt;Rocky Linux 8 or 9&lt;/strong&gt;
&lt;/li&gt;
&lt;li&gt;Access to a &lt;strong&gt;private YUM repo in Google Artifact Registry&lt;/strong&gt;
&lt;/li&gt;
&lt;li&gt;A &lt;strong&gt;service account JSON key&lt;/strong&gt; with the required permissions&lt;/li&gt;
&lt;li&gt;
&lt;code&gt;yum&lt;/code&gt; or &lt;code&gt;dnf&lt;/code&gt; installed&lt;/li&gt;
&lt;/ul&gt;

&lt;h4&gt;
  
  
  🛠 Step-by-Step Setup
&lt;/h4&gt;

&lt;h5&gt;
  
  
  🔹 Step 1: Import the GPG Key for Google Cloud RPM Packages
&lt;/h5&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="nb"&gt;sudo &lt;/span&gt;rpm &lt;span class="nt"&gt;--import&lt;/span&gt; https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h5&gt;
  
  
  🔹 Step 2: Add the Artifact Registry Plugin Repository
&lt;/h5&gt;

&lt;p&gt;Create a new repo file at /etc/yum.repos.d/artifact-registry-plugin.repo:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="nb"&gt;sudo tee&lt;/span&gt; /etc/yum.repos.d/artifact-registry-plugin.repo &lt;span class="o"&gt;&amp;lt;&amp;lt;&lt;/span&gt;&lt;span class="no"&gt;EOF&lt;/span&gt;&lt;span class="sh"&gt;
[ar-plugin]
name=Artifact Registry Plugin
baseurl=https://packages.cloud.google.com/yum/repos/dnf-plugin-artifact-registry-el9-stable
enabled=1
gpgcheck=1
&lt;/span&gt;&lt;span class="no"&gt;EOF
&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;📝 This enables your host to install the required plugin for accessing Google Artifact Registry.&lt;/p&gt;

&lt;h5&gt;
  
  
  🔹 Step 3: Update YUM and Install the Artifact Registry Plugin
&lt;/h5&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="nb"&gt;sudo &lt;/span&gt;yum makecache
&lt;span class="nb"&gt;sudo &lt;/span&gt;yum &lt;span class="nb"&gt;install &lt;/span&gt;dnf-plugin-artifact-registry
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h5&gt;
  
  
  🔹 Step 4: Configure the Artifact Registry Plugin Credentials
&lt;/h5&gt;

&lt;p&gt;Create or edit the file /etc/dnf/plugins/artifact-registry.conf:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="o"&gt;[&lt;/span&gt;main]
&lt;span class="nv"&gt;enabled&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;1
service_account_json &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="s2"&gt;"/path/to/your/service-account.json"&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;⚠️ Replace /path/to/your/service-account.json with the actual path to your GCP service account key file.&lt;/p&gt;

&lt;h5&gt;
  
  
  🔹 Step 5: Add Your Internal YUM Repository
&lt;/h5&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;Create the file /etc/yum.repos.d/yum-private.repo with the following content:
&lt;span class="nb"&gt;sudo tee&lt;/span&gt; /etc/yum.repos.d/yum-private.repo &lt;span class="o"&gt;&amp;lt;&amp;lt;&lt;/span&gt;&lt;span class="no"&gt;EOF&lt;/span&gt;&lt;span class="sh"&gt;
[yum-private]
name=Internal YUM Repo
baseurl=https://&amp;lt;region&amp;gt;-yum.pkg.dev/path/to/repo
enabled=1
repo_gpgcheck=0
gpgcheck=0
&lt;/span&gt;&lt;span class="no"&gt;EOF
&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;🔁 Replace  with your Google Cloud region (e.g., europe-west3) and /path/to/repo with your actual repository path inside Artifact Registry.&lt;/p&gt;

&lt;h5&gt;
  
  
  🔹 Step 6: Refresh the Package Cache
&lt;/h5&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="nb"&gt;sudo &lt;/span&gt;yum makecache
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;This ensures the repo metadata is up to date and packages are available to install.&lt;/p&gt;

&lt;h4&gt;
  
  
  ✅ Conclusion:
&lt;/h4&gt;

&lt;p&gt;You’ve now configured your RPM-based host to securely pull packages from a private YUM repository hosted in Google Artifact Registry. This is especially useful in production or enterprise environments where package access must be controlled, reproducible, and secure.&lt;/p&gt;

&lt;h4&gt;
  
  
  🧠 Bonus Tip
&lt;/h4&gt;

&lt;p&gt;To automate this process, consider:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;Writing an Ansible role or bash script&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Integrating this configuration into your Packer build if you're baking AMIs or VM images&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Managing the credentials via Vault or GCP Secret Manager for security&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;

</description>
      <category>yum</category>
      <category>rpm</category>
      <category>devops</category>
      <category>linux</category>
    </item>
  </channel>
</rss>
