feat(health): add crossplane and upbound health checks (#21479) (#22919)

Signed-off-by: Michael Crenshaw <[email protected]>
Signed-off-by: Alexandre Gaudreault <[email protected]>
Co-authored-by: Alexandre Gaudreault <[email protected]>

Author: crenshaw-dev

docs/operator-manual/health.md

@@ -168,7 +168,33 @@ To test the implemented custom health checks, run `go test -v ./util/lua/`.
 
 The [PR#1139](https://github.com/argoproj/argo-cd/pull/1139) is an example of Cert Manager CRDs custom health check.
 
-Please note that bundled health checks with wildcards are not supported.
+#### Wildcard Support for Built-in Health Checks
+
+You can use a single health check for multiple resources by using a wildcard in the group or kind directory names.
+
+The `_` character behaves like a `*` wildcard. For example, consider the following directory structure:
+
+```
+argo-cd
+|-- resource_customizations
+|    |-- _.group.io               # CRD group
+|    |    |-- _                   # Resource kind
+|    |    |    |-- health.lua     # Health check
+```
+
+Any resource with a group that ends with `.group.io` will use the health check in `health.lua`.
+
+Wildcard checks are only evaluated if there is no specific check for the resource.
+
+If multiple wildcard checks match, the first one in the directory structure is used.
+
+We use the [doublestar](https://github.com/bmatcuk/doublestar) glob library to match the wildcard checks. We currently
+only treat a path as a wildcard if it contains a `_` character, but this may change in the future.
+
+!!!important "Avoid Massive Scripts"
+
+    Avoid writing massive scripts to handle multiple resources. They'll get hard to read and maintain. Instead, just
+    duplicate the relevant parts in resource-specific scripts.
 
 ## Overriding Go-Based Health Checks
 

resource_customizations/_.crossplane.io/_/health.lua

@@ -0,0 +1,66 @@
+-- Health check copied from here: https://github.com/crossplane/docs/blob/bd701357e9d5eecf529a0b42f23a78850a6d1d87/content/master/guides/crossplane-with-argo-cd.md
+
+health_status = {
+  status = "Progressing",
+  message = "Provisioning ..."
+}
+
+local function contains (table, val)
+  for i, v in ipairs(table) do
+    if v == val then
+      return true
+    end
+  end
+  return false
+end
+
+local has_no_status = {
+  "Composition",
+  "CompositionRevision",
+  "DeploymentRuntimeConfig",
+  "ControllerConfig",
+  "ProviderConfig",
+  "ProviderConfigUsage"
+}
+if obj.status == nil or next(obj.status) == nil and contains(has_no_status, obj.kind) then
+    health_status.status = "Healthy"
+    health_status.message = "Resource is up-to-date."
+  return health_status
+end
+
+if obj.status == nil or next(obj.status) == nil or obj.status.conditions == nil then
+  if obj.kind == "ProviderConfig" and obj.status.users ~= nil then
+    health_status.status = "Healthy"
+    health_status.message = "Resource is in use."
+    return health_status
+  end
+  return health_status
+end
+
+for i, condition in ipairs(obj.status.conditions) do
+  if condition.type == "LastAsyncOperation" then
+    if condition.status == "False" then
+      health_status.status = "Degraded"
+      health_status.message = condition.message
+      return health_status
+    end
+  end
+
+  if condition.type == "Synced" then
+    if condition.status == "False" then
+      health_status.status = "Degraded"
+      health_status.message = condition.message
+      return health_status
+    end
+  end
+
+  if contains({"Ready", "Healthy", "Offered", "Established"}, condition.type) then
+    if condition.status == "True" then
+      health_status.status = "Healthy"
+      health_status.message = "Resource is up-to-date."
+      return health_status
+    end
+  end
+end
+
+return health_status

resource_customizations/_.crossplane.io/_/health_test.yaml

@@ -0,0 +1,5 @@
+tests:
+  - healthStatus:
+      status: Healthy
+      message: "Resource is up-to-date."
+    inputPath: testdata/composition_healthy.yaml

resource_customizations/_.crossplane.io/_/testdata/composition_healthy.yaml

@@ -0,0 +1,25 @@
+# Taken from here May 9, 2025: https://docs.crossplane.io/latest/concepts/compositions/
+apiVersion: apiextensions.crossplane.io/v1
+kind: Composition
+metadata:
+  name: example
+spec:
+  compositeTypeRef:
+    apiVersion: custom-api.example.org/v1alpha1
+    kind: AcmeBucket
+  mode: Pipeline
+  pipeline:
+    - step: patch-and-transform
+      functionRef:
+        name: function-patch-and-transform
+      input:
+        apiVersion: pt.fn.crossplane.io/v1beta1
+        kind: Resources
+        resources:
+          - name: storage-bucket
+            base:
+              apiVersion: s3.aws.upbound.io/v1beta1
+              kind: Bucket
+              spec:
+                forProvider:
+                  region: "us-east-2"

resource_customizations/_.upbound.io/_/health.lua

@@ -0,0 +1,63 @@
+-- Health check copied from here: https://github.com/crossplane/docs/blob/bd701357e9d5eecf529a0b42f23a78850a6d1d87/content/master/guides/crossplane-with-argo-cd.md
+
+health_status = {
+  status = "Progressing",
+  message = "Provisioning ..."
+}
+
+local function contains (table, val)
+  for i, v in ipairs(table) do
+    if v == val then
+      return true
+    end
+  end
+  return false
+end
+
+local has_no_status = {
+  "ProviderConfig",
+  "ProviderConfigUsage"
+}
+
+if obj.status == nil or next(obj.status) == nil and contains(has_no_status, obj.kind) then
+  health_status.status = "Healthy"
+  health_status.message = "Resource is up-to-date."
+  return health_status
+end
+
+if obj.status == nil or next(obj.status) == nil or obj.status.conditions == nil then
+  if obj.kind == "ProviderConfig" and obj.status.users ~= nil then
+    health_status.status = "Healthy"
+    health_status.message = "Resource is in use."
+    return health_status
+  end
+  return health_status
+end
+
+for i, condition in ipairs(obj.status.conditions) do
+  if condition.type == "LastAsyncOperation" then
+    if condition.status == "False" then
+      health_status.status = "Degraded"
+      health_status.message = condition.message
+      return health_status
+    end
+  end
+
+  if condition.type == "Synced" then
+    if condition.status == "False" then
+      health_status.status = "Degraded"
+      health_status.message = condition.message
+      return health_status
+    end
+  end
+
+  if condition.type == "Ready" then
+    if condition.status == "True" then
+      health_status.status = "Healthy"
+      health_status.message = "Resource is up-to-date."
+      return health_status
+    end
+  end
+end
+
+return health_status

resource_customizations/_.upbound.io/_/health_test.yaml

@@ -0,0 +1,5 @@
+tests:
+  - healthStatus:
+      status: Healthy
+      message: "Resource is up-to-date."
+    inputPath: testdata/providerconfig_healthy.yaml

resource_customizations/_.upbound.io/_/testdata/providerconfig_healthy.yaml

@@ -0,0 +1,10 @@
+apiVersion: aws.upbound.io/v1beta1
+kind: ProviderConfig
+metadata:
+  name: irsa-with-role-chaining
+spec:
+  credentials:
+    source: IRSA
+  assumeRoleChain:
+    - roleARN: <roleARN-1>
+    - roleARN: <roleARN-2>

resource_customizations/embed.go

@@ -6,5 +6,5 @@ import (
 
 // Embedded contains embedded resource customization
 //
-//go:embed *
+//go:embed all:*
 var Embedded embed.FS