Define a Crossplane Composition with a pipeline function to provision an RDS instance plus a SecretsManager secret and expose connection details as a composite resource claim
Define a CompositeResourceDefinition (XRD) with a spec.versions entry that declares the composite resource schema including database engine, instance class, and a connectionSecretToRef field for the output secret
Create a Composition that references the XRD and specifies mode: Pipeline in the spec; add a pipeline step that uses the function-patch-and-transform function to map composite resource fields to the managed resource fields of an RDS DBInstance
Add a second pipeline step that uses a function to create an AWS SecretsManager Secret managed resource; use a patch to copy the RDS endpoint output from the DBInstance status into the Secret's stringData via a from-field-path patch
Configure the Composition's writeConnectionSecretsToNamespace to extract the RDS username, password, and endpoint from the managed resource's status.atProvider and write them as a Kubernetes Secret in the claim namespace
Add a readinessCheck block on the DBInstance managed resource that waits for status.atProvider.dbInstanceStatus to equal available before the composite resource reports Ready=True
Use a Usage resource or Composition-level dependencies to prevent deletion of the RDS instance while the Secret resource still exists, enforcing teardown order
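Added example, not part of the original page or any project's own code: a Pipeline-mode Composition covering the DBInstance step above (field mapping, readiness check, connection details). It assumes Crossplane v1.x with the crossplane-contrib provider-aws DBInstance kind; the XDatabase kind, the example.org group and the XR fields spec.engine and spec.instanceClass are hypothetical, and the region, username and storage values are constructed.

```yaml
# Added example: assumes Crossplane v1.x and crossplane-contrib provider-aws.
apiVersion: apiextensions.crossplane.io/v1
kind: Composition
metadata:
  name: xdatabase-aws                  # hypothetical
spec:
  compositeTypeRef:
    apiVersion: example.org/v1alpha1   # hypothetical XRD group/version
    kind: XDatabase                    # hypothetical
  mode: Pipeline    # classic spec.resources / spec.patchSets must not be set
  writeConnectionSecretsToNamespace: crossplane-system
  pipeline:
    - step: provision-rds
      functionRef:
        name: function-patch-and-transform
      input:
        apiVersion: pt.fn.crossplane.io/v1beta1
        kind: Resources
        resources:
          - name: rds-instance
            base:
              apiVersion: rds.aws.crossplane.io/v1alpha1
              kind: DBInstance
              spec:
                forProvider:
                  region: us-east-1          # constructed value
                  allocatedStorage: 20
                  masterUsername: appadmin   # constructed value
                  autogeneratePassword: true
                  masterUserPasswordSecretRef:
                    namespace: crossplane-system
                    key: password
                  storageEncrypted: true
                  publiclyAccessible: false
                  skipFinalSnapshot: true
                writeConnectionSecretToRef:
                  namespace: crossplane-system
            patches:
              # spec.engine and spec.instanceClass are hypothetical XR fields
              - {type: FromCompositeFieldPath, fromFieldPath: spec.engine, toFieldPath: spec.forProvider.engine}
              - {type: FromCompositeFieldPath, fromFieldPath: spec.instanceClass, toFieldPath: spec.forProvider.dbInstanceClass}
              # Per-XR secret names, derived from the XR UID, so instances never share a secret
              - {type: FromCompositeFieldPath, fromFieldPath: metadata.uid, toFieldPath: spec.forProvider.masterUserPasswordSecretRef.name, transforms: [{type: string, string: {type: Format, fmt: "%s-master"}}]}
              - {type: FromCompositeFieldPath, fromFieldPath: metadata.uid, toFieldPath: spec.writeConnectionSecretToRef.name, transforms: [{type: string, string: {type: Format, fmt: "%s-conn"}}]}
            readinessChecks:
              - {type: MatchString, fieldPath: status.atProvider.dbInstanceStatus, matchString: available}
            connectionDetails:
              - {name: username, type: FromConnectionSecretKey, fromConnectionSecretKey: username}
              - {name: password, type: FromConnectionSecretKey, fromConnectionSecretKey: password}
              - {name: endpoint, type: FromConnectionSecretKey, fromConnectionSecretKey: endpoint}
```

The connection keys stay empty until the provider has reconciled the DBInstance and written its own connection secret, so the composite's secret fills in over several reconcile loops rather than at creation.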
Known gotchas
Crossplane function pipelines process steps sequentially but managed resources are reconciled asynchronously; a patch that reads status.atProvider from a resource created in step one may not have data available until several reconciliation loops after the resource is created
The function-patch-and-transform function in pipeline mode uses a different patch syntax from the classic Composition patches field; mixing classic and pipeline mode fields in the same Composition causes the Composition to fail validation
Connection details written to the claim namespace require the Crossplane provider's service account to have permission to create Secrets in all possible claim namespaces; a missing RBAC permission silently prevents secret creation without surfacing an error on the composite resource itself