This example demonstrates using function-python with Crossplane Operations to check SSL certificate expiry for websites referenced in Kubernetes Ingress resources.
operation.yaml- The Operation that checks certificate expiryfunctions.yaml- Function definition for local developmentingress.yaml- Sample Ingress resource to checkrbac.yaml- RBAC permissions for Operations to access Ingress resourcesREADME.md- This file
Since Operations are runtime-only (they can't be statically rendered), you can
test this example locally using the new crossplane alpha render op command.
-
Run the function in development mode:
hatch run development
-
In another terminal, render the operation:
crossplane alpha render op operation.yaml functions.yaml --required-resources . -r
The -r flag includes function results in the output, and
--required-resources . tells the command to use the ingress.yaml file in this
directory as the required resource.
The Operation:
- Reads the Ingress resource specified in
requirements.requiredResources - Extracts the hostname from the Ingress rules (
google.comin this example) - Fetches the SSL certificate for that hostname
- Calculates expiry information (days until expiration)
- Annotates the Ingress with certificate monitoring annotations
- Returns status information in the Operation's output field
This pattern is useful for:
- Certificate monitoring and alerting
- Compliance checking
- Automated certificate renewal workflows
- Integration with monitoring tools that read annotations
The operation function (operate()) demonstrates key Operations patterns:
- Required Resources: Accessing pre-populated resources via
request.get_required_resources(req, "ingress") - Resource Updates: Using
rsp.desired.resourcesto update existing resources - Operation Output: Using
rsp.output.update()for monitoring data - Server-side Apply: Crossplane applies the changes with force ownership