Merge pull request #21 from junior/5G-example

Extra seclist for VCN Native pod networking + Initial 5G NF Infra example

VERSION

@@ -1 +1 @@
-0.8.8
+0.8.9

defaults.tf

@@ -20,7 +20,7 @@
 ################################################################################
 locals {
  deploy_id = random_string.deploy_id.result
- deploy_tags = { "DeploymentID" = local.deploy_id, "AppName" = local.app_name, "Quickstart" = "terraform-oci-oke-quickstart" }
+ deploy_tags = { "DeploymentID" = local.deploy_id, "AppName" = local.app_name, "Quickstart" = "terraform-oci-oke-quickstart", "OKEclusterName" = "${local.app_name} (${local.deploy_id})" }
  oci_tag_values = {
  "freeformTags" = merge(var.tag_values.freeformTags, local.deploy_tags),
  "definedTags" = var.tag_values.definedTags

examples/5G-NF-Infra/README.md

@@ -0,0 +1,67 @@
+# Terraform Scripts for deploying the Unreal Pixel Streaming infrastructure on OCI OKE
+
+## Deploy Using the Terraform CLI
+
+### Clone the Module
+
+Clone the source code from suing the following command:
+
+```bash
+git clone github.com/oracle-quickstart/oke-unreal-pixel-streaming
+```
+
+```bash
+cd oke-unreal-pixel-streaming/deploy/terraform
+```
+
+### Updating Terraform variables
+
+```bash
+cp terraform.tfvars.example terraform.tfvars
+```
+
+Update the `terraform.tfvars` file with the required variables, including the OCI credentials information.
+
+Make sure that the information of the Instance Shape on each Node Pool are correct and you have enough quota to deploy the infrastructure, including the GPU nodes. This scripts defaults to `BM.GPU.A10.4`.
+
+### Running Terraform
+
+After specifying the required variables you can run the stack using the following commands:
+
+```bash
+terraform init
+```
+
+```bash
+terraform plan
+```
+
+```bash
+terraform apply
+```
+
+### Destroying the Stack
+
+```bash
+terraform destroy -refresh=false
+```
+
+> Note: The `-refresh=false` flag is required to prevent Terraform from attempting to refresh the state of the kubernetes API url, which will return `localhost` without the refresh-false.
+
+### Deploying the demo app
+
+After the infrastructure is deployed, you can deploy the demo app using the following commands:
+
+```bash
+kubectl create ns demo
+```
+
+```bash
+kubectl apply -f ../demo.yaml
+```
+
+> Note: Demo App uses Prebuilt images are included with this repo, along with a demo Pixel Streaming image. You can build your own images using the instructions [here](../README.md#pixel-streaming-build).
+
+## Questions
+
+If you have an issue or a question, please take a look at our [FAQs](./FAQs.md) or [open an issue](https://github.com/oracle-quickstart/oke-unreal-pixel-streaming/issues/new).

examples/5G-NF-Infra/VERSION

@@ -0,0 +1 @@
+0.0.3

examples/5G-NF-Infra/networking.tf

@@ -0,0 +1,250 @@
+# Copyright (c) 2022 Oracle and/or its affiliates. All rights reserved.
+# Licensed under the Universal Permissive License v 1.0 as shown at http://oss.oracle.com/licenses/upl.
+# 
+
+# Network locals
+locals {
+ vcn_cidr_blocks = split(",", var.vcn_cidr_blocks)
+ network_cidrs = {
+ VCN-MAIN-CIDR = local.vcn_cidr_blocks[0] # e.g.: "10.75.0.0/16" = 65536 usable IPs
+ VCN-NATIVE-POD-NETWORKING-REGIONAL-SUBNET-CIDR = cidrsubnet(local.vcn_cidr_blocks[0], 1, 1) # e.g.: "10.20.128.0/17" = 32766 usable IPs (10.20.128.0 - 10.20.255.255)
+ SUBNET-5GC-OAM-CIDR = cidrsubnet(local.vcn_cidr_blocks[0], 9, 128) # e.g.: "10.75.64.0/25" = 128 usable IPs
+ SUBNET-5GC-SIGNALLING-CIDR = cidrsubnet(local.vcn_cidr_blocks[0], 9, 129) # e.g.: "10.75.64.128/25" = 128 usable IPs
+ SUBNET-5G-RAN-CIDR = cidrsubnet(local.vcn_cidr_blocks[0], 11, 520) # e.g.: "10.75.65.0/27" = 32 usable IPs
+ SUBNET-LEGAL-INTERCEPT-CIDR = cidrsubnet(local.vcn_cidr_blocks[0], 11, 521) # e.g.: "10.75.65.32/27" = 32 usable IPs
+ SUBNET-5G-EPC-CIDR = cidrsubnet(local.vcn_cidr_blocks[0], 11, 522) # e.g.: "10.75.65.64/27" = 32 usable IPs
+ ALL-CIDR = "0.0.0.0/0"
+ }
+}
+
+# Extra Security Lists for the 5G NF
+locals {
+ extra_security_lists = [
+ {
+ security_list_name = "5gc_oam_security_list"
+ display_name = "5GC OAM Security List"
+ ingress_security_rules = concat(local.common_5g_security_list_ingress_rules, local.temp_all_vcn_security_list_ingress_rules)
+ egress_security_rules = concat(local.common_5g_security_list_egress_rules, local.temp_all_vcn_security_list_egress_rules)
+ },
+ {
+ security_list_name = "5gc_signalling_security_list"
+ display_name = "5GC Signalling (SBI) Security List"
+ ingress_security_rules = concat(local.common_5g_security_list_ingress_rules, local.temp_all_vcn_security_list_ingress_rules)
+ egress_security_rules = concat(local.common_5g_security_list_egress_rules, local.temp_all_vcn_security_list_egress_rules)
+ },
+ {
+ security_list_name = "5g_ran_security_list"
+ display_name = "5G RAN Security List"
+ ingress_security_rules = concat(local.common_5g_security_list_ingress_rules, local.temp_all_vcn_security_list_ingress_rules)
+ egress_security_rules = concat(local.common_5g_security_list_egress_rules, local.temp_all_vcn_security_list_egress_rules)
+ },
+ {
+ security_list_name = "legal_intercept_security_list"
+ display_name = "Legal Intercept Security List"
+ ingress_security_rules = concat(local.common_5g_security_list_ingress_rules, local.temp_all_vcn_security_list_ingress_rules)
+ egress_security_rules = concat(local.common_5g_security_list_egress_rules, local.temp_all_vcn_security_list_egress_rules)
+ },
+ {
+ security_list_name = "5g_epc_security_list"
+ display_name = "5G EPC Security List"
+ ingress_security_rules = concat(local.common_5g_security_list_ingress_rules, local.temp_all_vcn_security_list_ingress_rules)
+ egress_security_rules = concat(local.common_5g_security_list_egress_rules, local.temp_all_vcn_security_list_egress_rules)
+ }, {
+ security_list_name = "5g_for_pods_security_list"
+ display_name = "5G subnets x pods Security List"
+ ingress_security_rules = [{
+ description = "Allow 5GC OAM to pod communication"
+ source = lookup(local.network_cidrs, "SUBNET-5GC-OAM-CIDR")
+ source_type = "CIDR_BLOCK"
+ protocol = local.security_list_ports.all_protocols
+ stateless = false
+ tcp_options = { max = -1, min = -1, source_port_range = null }
+ udp_options = { max = -1, min = -1, source_port_range = null }
+ icmp_options = null
+ }, {
+ description = "Allow 5GC Signalling (SBI) to pod communication"
+ source = lookup(local.network_cidrs, "SUBNET-5GC-SIGNALLING-CIDR")
+ source_type = "CIDR_BLOCK"
+ protocol = local.security_list_ports.all_protocols
+ stateless = false
+ tcp_options = { max = -1, min = -1, source_port_range = null }
+ udp_options = { max = -1, min = -1, source_port_range = null }
+ icmp_options = null
+ }, {
+ description = "Allow 5G RAN to pod communication"
+ source = lookup(local.network_cidrs, "SUBNET-5G-RAN-CIDR ")
+ source_type = "CIDR_BLOCK"
+ protocol = local.security_list_ports.all_protocols
+ stateless = false
+ tcp_options = { max = -1, min = -1, source_port_range = null }
+ udp_options = { max = -1, min = -1, source_port_range = null }
+ icmp_options = null
+ }, {
+ description = "Allow 5G Legal Intercept to pod communication"
+ source = lookup(local.network_cidrs, "SUBNET-LEGAL-INTERCEPT-CIDR")
+ source_type = "CIDR_BLOCK"
+ protocol = local.security_list_ports.all_protocols
+ stateless = false
+ tcp_options = { max = -1, min = -1, source_port_range = null }
+ udp_options = { max = -1, min = -1, source_port_range = null }
+ icmp_options = null
+ }, {
+ description = "Allow 5G EPC to pod communication"
+ source = lookup(local.network_cidrs, "SUBNET-5G-EPC-CIDR ")
+ source_type = "CIDR_BLOCK"
+ protocol = local.security_list_ports.all_protocols
+ stateless = false
+ tcp_options = { max = -1, min = -1, source_port_range = null }
+ udp_options = { max = -1, min = -1, source_port_range = null }
+ icmp_options = null
+ }]
+ egress_security_rules = []
+ },
+ ]
+ common_5g_security_list_ingress_rules = [{
+ description = "Allow pods to communicate with 5G subnets"
+ source = lookup(local.network_cidrs, "VCN-NATIVE-POD-NETWORKING-REGIONAL-SUBNET-CIDR")
+ source_type = "CIDR_BLOCK"
+ protocol = local.security_list_ports.all_protocols
+ stateless = false
+ tcp_options = { max = -1, min = -1, source_port_range = null }
+ udp_options = { max = -1, min = -1, source_port_range = null }
+ icmp_options = null
+ }, {
+ description = "Path discovery"
+ source = lookup(local.network_cidrs, "ALL-CIDR")
+ source_type = "CIDR_BLOCK"
+ protocol = local.security_list_ports.icmp_protocol_number
+ stateless = false
+ tcp_options = { max = -1, min = -1, source_port_range = null }
+ udp_options = { max = -1, min = -1, source_port_range = null }
+ icmp_options = { type = "3", code = "4" }
+ }]
+ common_5g_security_list_egress_rules = [{
+ description = "Allow 5G subnets to communicate with pods"
+ destination = lookup(local.network_cidrs, "VCN-NATIVE-POD-NETWORKING-REGIONAL-SUBNET-CIDR")
+ destination_type = "CIDR_BLOCK"
+ protocol = local.security_list_ports.all_protocols
+ stateless = false
+ tcp_options = { max = -1, min = -1, source_port_range = null }
+ udp_options = { max = -1, min = -1, source_port_range = null }
+ icmp_options = null
+ }, {
+ description = "Path discovery"
+ destination = lookup(local.network_cidrs, "ALL-CIDR")
+ destination_type = "CIDR_BLOCK"
+ protocol = local.security_list_ports.icmp_protocol_number
+ stateless = false
+ tcp_options = { max = -1, min = -1, source_port_range = null }
+ udp_options = { max = -1, min = -1, source_port_range = null }
+ icmp_options = { type = "3", code = "4" }
+ }]
+ temp_all_vcn_security_list_ingress_rules = [{
+ description = "Allow all from VCN"
+ source = lookup(local.network_cidrs, "ALL-CIDR")
+ source_type = "CIDR_BLOCK"
+ protocol = local.security_list_ports.all_protocols
+ stateless = false
+ tcp_options = { max = -1, min = -1, source_port_range = null }
+ udp_options = { max = -1, min = -1, source_port_range = null }
+ icmp_options = null
+ }]
+ temp_all_vcn_security_list_egress_rules = [{
+ description = "Allow all to VCN"
+ destination = lookup(local.network_cidrs, "ALL-CIDR")
+ destination_type = "CIDR_BLOCK"
+ protocol = local.security_list_ports.all_protocols
+ stateless = false
+ tcp_options = { max = -1, min = -1, source_port_range = null }
+ udp_options = { max = -1, min = -1, source_port_range = null }
+ icmp_options = null
+ }]
+ security_list_ports = {
+ http_port_number = 80
+ https_port_number = 443
+ k8s_api_endpoint_port_number = 6443
+ k8s_api_endpoint_to_worker_port_number = 10250
+ k8s_worker_to_control_plane_port_number = 12250
+ ssh_port_number = 22
+ tcp_protocol_number = "6"
+ udp_protocol_number = "17"
+ icmp_protocol_number = "1"
+ all_protocols = "all"
+ }
+}
+
+# Extra Subnets for for the 5G NF
+locals {
+ extra_subnets = [
+ {
+ subnet_name = "5GC_OAM_subnet"
+ cidr_block = lookup(local.network_cidrs, "SUBNET-5GC-OAM-CIDR")
+ display_name = "5GC OAM subnet"
+ dns_label = "sn5gcoam"
+ prohibit_public_ip_on_vnic = true
+ prohibit_internet_ingress = true
+ route_table_id = null
+ alternative_route_table_name = "private"
+ dhcp_options_id = ""
+ security_list_ids = []
+ extra_security_list_names = ["5gc_oam_security_list"]
+ ipv6cidr_block = null
+ },
+ {
+ subnet_name = "5GC_Signalling_subnet"
+ cidr_block = lookup(local.network_cidrs, "SUBNET-5GC-SIGNALLING-CIDR")
+ display_name = "5GC Signalling (SBI) subnet"
+ dns_label = "sn5gcsig"
+ prohibit_public_ip_on_vnic = true
+ prohibit_internet_ingress = true
+ route_table_id = null
+ alternative_route_table_name = "private"
+ dhcp_options_id = ""
+ security_list_ids = []
+ extra_security_list_names = ["5gc_signalling_security_list"]
+ ipv6cidr_block = null
+ },
+ {
+ subnet_name = "5G_RAN_subnet"
+ cidr_block = lookup(local.network_cidrs, "SUBNET-5G-RAN-CIDR")
+ display_name = "5G RAN subnet"
+ dns_label = "sn5gran"
+ prohibit_public_ip_on_vnic = true
+ prohibit_internet_ingress = true
+ route_table_id = null
+ alternative_route_table_name = "private"
+ dhcp_options_id = ""
+ security_list_ids = []
+ extra_security_list_names = ["5g_ran_security_list"]
+ ipv6cidr_block = null
+ },
+ {
+ subnet_name = "Legal_Intercept_subnet"
+ cidr_block = lookup(local.network_cidrs, "SUBNET-LEGAL-INTERCEPT-CIDR")
+ display_name = "Legal Intercept subnet"
+ dns_label = "snlegalin"
+ prohibit_public_ip_on_vnic = true
+ prohibit_internet_ingress = true
+ route_table_id = null
+ alternative_route_table_name = "private"
+ dhcp_options_id = ""
+ security_list_ids = []
+ extra_security_list_names = ["legal_intercept_security_list"]
+ ipv6cidr_block = null
+ },
+ {
+ subnet_name = "5G_EPC_subnet"
+ cidr_block = lookup(local.network_cidrs, "SUBNET-5G-EPC-CIDR")
+ display_name = "5G EPC subnet"
+ dns_label = "sn5gcepc"
+ prohibit_public_ip_on_vnic = true
+ prohibit_internet_ingress = true
+ route_table_id = null
+ alternative_route_table_name = "private"
+ dhcp_options_id = ""
+ security_list_ids = []
+ extra_security_list_names = ["5g_epc_security_list"]
+ ipv6cidr_block = null
+ },
+ ]
+}

examples/5G-NF-Infra/oke.tf

@@ -0,0 +1,41 @@
+# Copyright (c) 2022, Oracle and/or its affiliates. All rights reserved.
+# Licensed under the Universal Permissive License v 1.0 as shown at http://oss.oracle.com/licenses/upl.
+# 
+
+################################################################################
+# OKE Cluster
+################################################################################
+module "oke-quickstart" {
+ source = "github.com/oracle-quickstart/terraform-oci-oke-quickstart?ref=0.8.9"
+
+ # Oracle Cloud Infrastructure Tenancy and Compartment OCID
+ tenancy_ocid = var.tenancy_ocid
+ compartment_ocid = var.compartment_ocid
+ region = var.region
+
+ # Note: Just few arguments are showing here to simplify the basic example. All other arguments are using default values.
+ # App Name to identify deployment. Used for naming resources.
+ app_name = "Dev 5G NF Example"
+
+ # Freeform Tags + Defined Tags. Tags are applied to all resources.
+ tag_values = { "freeformTags" = { "Environment" = "Development", "DeploymentType" = "5G example", "QuickstartExample" = "5G-NF-Infra" }, "definedTags" = {} }
+
+ # VCN for OKE arguments
+ vcn_cidr_blocks = var.vcn_cidr_blocks
+ extra_security_lists = local.extra_security_lists
+ extra_subnets = local.extra_subnets
+
+ # OKE Node Pool 1 arguments
+ node_pool_cni_type_1 = "OCI_VCN_IP_NATIVE" # Use "FLANNEL_OVERLAY" for overlay network or "OCI_VCN_IP_NATIVE" for VCN Native PODs Network. If the node pool 1 uses the OCI_VCN_IP_NATIVE, the cluster will also be configured with same cni
+ cluster_autoscaler_enabled = true
+ node_pool_name_1 = "pool1"
+ node_pool_initial_num_worker_nodes_1 = 5 # Minimum number of nodes in the node pool
+ node_pool_max_num_worker_nodes_1 = 10 # Maximum number of nodes in the node pool
+ node_pool_instance_shape_1 = var.node_pool_instance_shape_1
+ extra_security_list_name_for_nodes = "5g_for_pods_security_list"
+ extra_security_list_name_for_vcn_native_pod_networking = "5g_for_pods_security_list"
+
+ # Cluster Tools
+ # ingress_nginx_enabled = true
+ # cert_manager_enabled = true
+}