From 88d157466c5fcba150c22e61c1f2ec0a93aadb5b Mon Sep 17 00:00:00 2001 From: Ali Mukadam Date: Fri, 12 Jun 2020 16:39:52 +1000 Subject: [PATCH] Use individual modules from base module so we can reuse the operator module as platform operator (#9) * use individual modules so we can reuse the operator module; renamed the initial operator module in olcne to olcne to avoid confusing names Signed-off-by: Ali Mukadam * upgraded base module, set default options, added docs Signed-off-by: Ali Mukadam * added changes recommended in review by Avi Signed-off-by: Ali Mukadam * added changes recommended by Mark in review Signed-off-by: Ali Mukadam * updated changelog 
Signed-off-by: Ali Mukadam --- CHANGELOG.adoc | 11 + README.md | 290 +++++++++ docs/prerequisites.adoc | 119 ++++ docs/terraformoptions.adoc | 605 ++++++++++++++++++ locals.tf | 174 +---- main.tf | 168 ++--- modules/master/compute.tf | 34 +- modules/master/datasources.tf | 16 +- modules/master/locals.tf | 4 +- modules/master/scripts/master.template.sh | 3 +- modules/master/variables.tf | 72 ++- modules/network/datasources.tf | 17 +- modules/network/locals.tf | 14 +- modules/network/nsg.tf | 24 +- modules/network/outputs.tf | 26 +- modules/network/subnets.tf | 42 +- modules/network/variables.tf | 52 +- modules/olcne/certificate.tf | 49 ++ .../cloudinit/operator.template.yaml | 0 modules/olcne/datasources.tf | 11 + modules/{operator => olcne}/environment.tf | 18 +- modules/{operator => olcne}/helm.tf | 6 +- modules/{operator => olcne}/kata.tf | 6 +- modules/{operator => olcne}/kubeconfig.tf | 6 +- .../{operator => olcne}/kubernetes_module.tf | 14 +- modules/olcne/locals.tf | 21 + modules/{operator => olcne}/nginx.tf | 6 +- .../certificate.tf => olcne/operator.tf} | 285 ++++----- .../{operator => olcne}/resources/kata.yaml | 0 .../resources/nginxpatch.template.yaml | 0 .../scripts/configure_agent.template.sh | 0 .../scripts/configure_api.template.sh | 0 .../scripts/configure_kata.template.sh | 0 .../scripts/create_certificate.template.sh | 0 .../scripts/create_environment.template.sh | 0 .../create_kubernetes_module.template.sh | 4 +- .../scripts/download_private_key.template.sh | 0 .../scripts/get_kubeconfig.template.sh | 0 .../scripts/install_helm.template.sh | 0 .../install_kubernetes_module.template.sh | 0 .../scripts/install_nginx.template.sh | 5 - modules/olcne/scripts/operator.template.sh | 36 ++ modules/{operator => olcne}/variables.tf | 57 +- modules/operator/compute.tf | 63 -- modules/operator/datasources.tf | 66 -- modules/operator/instance_principal.tf | 30 - modules/operator/locals.tf | 21 - modules/operator/outputs.tf | 6 - 
modules/operator/scripts/operator.template.sh | 37 -- modules/worker/compute.tf | 36 +- modules/worker/datasources.tf | 21 +- modules/worker/locals.tf | 4 +- modules/worker/scripts/worker.template.sh | 3 +- modules/worker/variables.tf | 81 ++- outputs.tf | 5 +- terraform.tfvars.example | 47 +- variables.tf | 144 ++--- 57 files changed, 1757 insertions(+), 1002 deletions(-) create mode 100644 README.md create mode 100644 docs/prerequisites.adoc create mode 100644 docs/terraformoptions.adoc create mode 100644 modules/olcne/certificate.tf rename modules/{operator => olcne}/cloudinit/operator.template.yaml (100%) create mode 100644 modules/olcne/datasources.tf rename modules/{operator => olcne}/environment.tf (80%) rename modules/{operator => olcne}/helm.tf (81%) rename modules/{operator => olcne}/kata.tf (80%) rename modules/{operator => olcne}/kubeconfig.tf (80%) rename modules/{operator => olcne}/kubernetes_module.tf (83%) create mode 100644 modules/olcne/locals.tf rename modules/{operator => olcne}/nginx.tf (86%) rename modules/{operator/certificate.tf => olcne/operator.tf} (51%) rename modules/{operator => olcne}/resources/kata.yaml (100%) rename modules/{operator => olcne}/resources/nginxpatch.template.yaml (100%) rename modules/{operator => olcne}/scripts/configure_agent.template.sh (100%) rename modules/{operator => olcne}/scripts/configure_api.template.sh (100%) rename modules/{operator => olcne}/scripts/configure_kata.template.sh (100%) rename modules/{operator => olcne}/scripts/create_certificate.template.sh (100%) rename modules/{operator => olcne}/scripts/create_environment.template.sh (100%) rename modules/{operator => olcne}/scripts/create_kubernetes_module.template.sh (76%) rename modules/{operator => olcne}/scripts/download_private_key.template.sh (100%) rename modules/{operator => olcne}/scripts/get_kubeconfig.template.sh (100%) rename modules/{operator => olcne}/scripts/install_helm.template.sh (100%) rename modules/{operator => 
olcne}/scripts/install_kubernetes_module.template.sh (100%) rename modules/{operator => olcne}/scripts/install_nginx.template.sh (85%) create mode 100644 modules/olcne/scripts/operator.template.sh rename modules/{operator => olcne}/variables.tf (65%) delete mode 100644 modules/operator/compute.tf delete mode 100644 modules/operator/datasources.tf delete mode 100644 modules/operator/instance_principal.tf delete mode 100644 modules/operator/locals.tf delete mode 100644 modules/operator/outputs.tf delete mode 100644 modules/operator/scripts/operator.template.sh diff --git a/CHANGELOG.adoc b/CHANGELOG.adoc index 4d7e941..cd3d1be 100644 --- a/CHANGELOG.adoc +++ b/CHANGELOG.adoc @@ -7,6 +7,17 @@ All notable changes to this project are documented in this file. The format is based on {uri-changelog}[Keep a Changelog]. +== v0.1.1 (June 12, 2020) + +* Upgraded base module to 1.2.3 +* Use operator from base module as olcne operator +* Set default networking parameters and removed redundant variables +* Upgraded Oracle Linux version to 7.8 +* Added support for new regions (Hyderabad and Chuncheon) +* Added terraformoptions to documentation +* Added README.md for HashiCorp registry +* Removed default backend on nginxcontroller + == v0.1.0 (May 14, 2020) * First public release \ No newline at end of file diff --git a/README.md b/README.md new file mode 100644 index 0000000..b41a55e --- /dev/null +++ b/README.md 
@@ -0,0 +1,290 @@ +# Terraform for Oracle Linux Cloud Native Environment + +[uri-repo]: https://github.com/oracle-terraform-modules/terraform-oci-olcne + +[uri-docs]: https://github.com/oracle-terraform-modules/terraform-oci-olcne/blob/master/docs + +[uri-changelog]: https://github.com/oracle-terraform-modules/terraform-oci-olcne/blob/master/CHANGELOG.adoc +[uri-configuration]: https://github.com/oracle-terraform-modules/terraform-oci-olcne/blob/master/docs/configuration.adoc + +[uri-contribute]: https://github.com/oracle-terraform-modules/terraform-oci-olcne/blob/master/CONTRIBUTING.adoc +[uri-contributors]: https://github.com/oracle-terraform-modules/terraform-oci-olcne/blob/master/CONTRIBUTORS.adoc + +[uri-instructions]: https://github.com/oracle-terraform-modules/terraform-oci-olcne/blob/master/docs/instructions.adoc +[uri-license]: https://github.com/oracle-terraform-modules/terraform-oci-olcne/blob/master/LICENSE +[uri-canonical-license]: https://oss.oracle.com/licenses/upl/ +[uri-kubernetes]: https://kubernetes.io/ +[uri-networks-subnets-cidr]: https://erikberg.com/notes/networks.html +[uri-oci]: https://cloud.oracle.com/cloud-infrastructure +[uri-oci-bmshapes]:https://docs.cloud.oracle.com/en-us/iaas/Content/Compute/References/computeshapes.htm#bmshapes +[uri-oci-documentation]: https://docs.cloud.oracle.com/iaas/Content/home.htm +[uri-oci-key]: https://docs.cloud.oracle.com/en-us/iaas/Content/KeyManagement/Tasks/managingkeys.htm +[uri-oci-vault]: https://docs.cloud.oracle.com/en-us/iaas/Content/KeyManagement/Tasks/managingvaults.htm +[uri-oke]: https://docs.cloud.oracle.com/iaas/Content/ContEng/Concepts/contengoverview.htm +[uri-olcne]: https://docs.oracle.com/en/operating-systems/olcne/ +[uri-oracle]: https://www.oracle.com +[uri-prereqs]: https://github.com/oracle-terraform-modules/terraform-oci-olcne/blob/master/docs/prerequisites.adoc +[uri-quickstart]: https://github.com/oracle-terraform-modules/terraform-oci-olcne/blob/master/docs/quickstart.adoc 
+[uri-terraform]: https://www.terraform.io +[uri-terraform-cidrsubnet-deconstructed]: http://blog.itsjustcode.net/blog/2017/11/18/terraform-cidrsubnet-deconstructed/ +[uri-terraform-oci]: https://www.terraform.io/docs/providers/oci/index.html +[uri-terraform-oci-base]: https://github.com/oracle-terraform-modules/terraform-oci-base +[uri-terraform-oke]: https://github.com/oracle-terraform-modules/terraform-oci-oke +[uri-terraform-options]: https://github.com/oracle-terraform-modules/terraform-oci-olcne/blob/master/docs/terraformoptions.adoc +[uri-terraform-hashircorp-examples]: https://github.com/hashicorp/terraform-guides/tree/master/infrastructure-as-code/terraform-0.12-examples + +The [Terraform OCI OLCNE module][uri-repo] for [Oracle Cloud Infrastructure][uri-oci] provides a reusable and extensible Terraform module that provisions an [Oracle Linux Cloud Native Environment][uri-olcne] on OCI. It is developed as a tool for developers as a technical preview and simplifies the setup needed to quickly deploy using Oracle Cloud Infrastructure. + +This Technical Preview is not intended for production use, and has the following limitations: + +- OLCNE is currently supported on Bare Metal shapes only. You can use this module to install on Virtual Machine shapes, but you should be aware that while that may work, it is not a supported configuration. + +- Multi-master clusters are not supported. + +- The OLCNE nodes must opt out of OS Management Service to prevent RPM conflicts. + +If you are deploying a production Kubernetes cluster on OCI, you should consider using Oracle Cloud Infrastructure [Container Engine for Kubernetes (OKE)][uri-oke]. You can use [terraform-oci-oke][uri-terraform-oke] to provision an OKE cluster. + +## What this module will create + +This module will create the following resources: + +![Infrastructure](docs/images/infrastructure.png) + +1. Base module: + + * A VCN with internet, service and NAT gateways, and route tables. 
+ * A security list, subnet and a bastion host (using Oracle Autonomous Linux). + * A security list, subnet for the operator host + * An optional notification topic and subscription. + +2. Network module: + + * Network security groups for operator, master and worker nodes as well as a public load balancer. + * Separate subnets for operator, master, worker and load balancer. + +3. OLCNE module: + + * Performs installation of OLCNE on the master and worker nodes. + * An ingress controller of type `NodePort`. + * An optional Kata container runtime class. + +4. Master: + + * Single master node. Multi-master is not supported yet. + * Instance pools to manage the master nodes. + +5. Worker: + + * A configurable number of worker nodes. + * Instance pools to manage to worker nodes. + +6. Load balancer: + + * A public load balancer with automatic backend creation. + + +## Instructions + +To use this module to create an OLCNE environment: + +### Vault + +Create a vault to store the SSH keys securely. + +#### Create a key + +- In the OCI Console, create a vault by navigating to Security > Vault. See [Managing Vaults][uri-oci-vault] for more details. +- Click on the vault and click 'Create Key'. See [Managing Keys][uri-oci-key] for more details. + +#### Creating a secret for private ssh key + +- Click on Secrets and click 'Create Secret'. +- Select compartment where you want to create the secret, enter a name and description. +- Select the encryption key you created previously. +- Set the secret type template as `plain-text`. +- Paste the contents of your private SSH key in secret contents. +- After the secret is created, click on the secret name and note down the OCID of the secret as you will need it later. + +### Create the base infrastructure + +The base infrastructure consists of the bastion and the admin server. It reuses the [terraform-oci-base][uri-terraform-oci-base] module to create a VCN, a bastion host and an operator host with `instance_principal` enabled. 
+ +- Copy `terraform.tfvars.example`: + +```` +cp terraform.tfvars.example terraform.tfvars +```` + +- Edit `terraform.tfvars` and set the following parameters to the correct values for your environment: + +```` +api_fingerprint = "" +api_private_key_path = "" +compartment_id = "" +tenancy_id = "" +user_id = "" +ssh_private_key_path = "/path/to/ssh_private_key" +ssh_public_key_path = "/path/to/ssh_public_key" +```` + +- Run Terraform and create the base module: + +```` +terraform apply --target=module.base -auto-approve +```` + +- SSH to the bastion to check whether you can proceed: + +```` +ssh opc@xxx.xxx.xxx +```` + +If you are not able to ssh to the bastion host, you will not be able to proceed any further. + +### Complete the rest of the OLCNE infrastructure + +- Update your `terraform.tfvars` and enter the values for the `secret_id` and certificate information to create private CA certificates. + +```` +secret_id = "ocid1.vaultsecret....." +org_unit = "my org unit" +org = "my org" +city = "Sydney" +state = "NSW" +country = "au" +common_name = "common name" +```` + +- Run `terraform apply` again: + +```` +terraform apply -auto-approve +```` + +When complete, Terraform will output details of how to connect to the bastion, master and operator, for example: + +```` +Outputs: + +ssh_to_bastion = ssh -i /path/to/ssh/key opc@XXX.XXX.XXX.XXX +ssh_to_master = ssh -i /path/to/ssh/key -J opc@XXX.XXX.XXX.XXX opc@10.0.3.2 +ssh_to_operator = ssh -i /path/to/ssh/key -J opc@XXX.XXX.XXX.XXX opc@10.0.0.146 +```` + +You can SSH to the operator and access the cluster, for example: + +```` +[opc@cne-operator ~]$ kubectl get nodes +NAME STATUS ROLES AGE VERSION +cne-master Ready master 22m v1.17.4+1.0.1.el7 +cne-worker Ready 21m v1.17.4+1.0.1.el7 +cne-worker-550781 Ready 21m v1.17.4+1.0.1.el7 +cne-worker-585063 Ready 21m v1.17.4+1.0.1.el7 +```` + +### Controlling the cluster size + +#### Master nodes + +Only one master node is created in this release. 
+ +#### Worker nodes + +By default, three worker nodes are created. You can change this by setting _worker_size = 5_. + +### Using Kata Containers + +If you want to use Kata containers, you must: + +- Select one of the [Bare Metal shapes][uri-oci-bmshapes] for your worker nodes. +- Enable the creation of kata runtime class in `terraform.tfvars`. + +```` +create_kata_runtime = true +```` + +By default, the name of the kata runtime class is 'kata'. You can configure that with the _kata_runtime_class_name_ parameter. + +When deploying kata containers, set the runtimeClassName accordingly: + +```` +apiVersion: v1 +kind: Pod +metadata: + name: kata-nginx +spec: + runtimeClassName: kata + containers: + - name: nginx + image: nginx + ports: + - containerPort: 80 +```` + +### Testing a deployment + +- Print out the output to access the operator: + +```` +terraform output +ssh_to_operator = ssh -i ~/.ssh/id_rsa -J opc@XXX.XXX.XXX.XXX opc@10.0.0.146 +```` +- Copy the ssh_to_operator command and run: + +```` +ssh -i ~/.ssh/id_rsa -J opc@XXX.XXX.XXX.XXX +```` + +- Deploy an application + +```` +git clone https://github.com/hyder/okesamples/ +cd okesamples +kubectl apply -f ingresscontrollers/acme/ +```` + +- Edit the ingresses in `ingresscontrollers/nginx` and replace `www.acme.com` with a domain within your control + +- Create the ingresses: + +```` +kubectl apply -f ingresscontrollers/nginx/ +```` + +- Follow the steps towards the end of this article to {uri-medium-dns}[configure DNS in OCI] and use the domain you set in the ingress above. 
+ +## [Documentation][uri-docs] + +* [Pre-requisites][uri-prereqs] + +* [Terraform Options][uri-terraform-options] + +## Related Documentation, Blog +* [Oracle Cloud Infrastructure Documentation][uri-oci-documentation] +* [Oracle Linux Cloud Native Environment Documentation][uri-olcne] +* [Terraform OCI Provider Documentation][uri-terraform-oci] +* [Erik Berg on Networks, Subnets and CIDR][uri-networks-subnets-cidr] +* [Lisa Hagemann on Terraform cidrsubnet Deconstructed][uri-terraform-cidrsubnet-deconstructed] + +## Changelog + +View the [CHANGELOG][uri-changelog]. + +## Acknowledgement + +Code derived and adapted from [Terraform OKE Sample][uri-terraform-oke-sample] and Hashicorp's [Terraform 0.12 examples][uri-terraform-hashircorp-examples] + +## Contributors + +[Folks][uri-contributors] who contributed with explanations, code, feedback, ideas, testing etc. + +Learn how to [contribute][uri-contribute]. + + +## License + +Copyright (c) 2019 Oracle and/or its associates. All rights reserved. + +Licensed under the [Universal Permissive License 1.0][uri-license] as shown at +[https://oss.oracle.com/licenses/upl][uri-canonical-license]. \ No newline at end of file diff --git a/docs/prerequisites.adoc b/docs/prerequisites.adoc new file mode 100644 index 0000000..4adca1c --- /dev/null +++ b/docs/prerequisites.adoc 
@@ -0,0 +1,119 @@ += Pre-requisites + +:idprefix: +:idseparator: - +:sectlinks: +:sectnums: +:uri-repo: https://github.com/oracle-terraform-modules/terraform-oci-oke + +:uri-rel-file-base: link:{uri-repo}/blob/master +:uri-rel-tree-base: link:{uri-repo}/tree/master + +:uri-docs: {uri-rel-file-base}/docs + +:uri-instructions: {uri-docs}/instructions.adoc + +:uri-oci: https://cloud.oracle.com/cloud-infrastructure +:uri-oci-compartment: https://docs.cloud.oracle.com/iaas/Content/Identity/Tasks/managingcompartments.htm#two +:uri-oci-ocids: https://docs.cloud.oracle.com/iaas/Content/API/Concepts/apisigningkey.htm#five +:uri-oci-documentation: https://docs.cloud.oracle.com/iaas/Content/home.htm +:uri-oci-keys: https://docs.cloud.oracle.com/iaas/Content/API/Concepts/apisigningkey.htm#two +:uri-oci-keys-upload: https://docs.cloud.oracle.com/iaas/Content/API/Concepts/apisigningkey.htm#two +:uri-oci-kms: https://docs.cloud.oracle.com/iaas/Content/KeyManagement/Concepts/keyoverview.htm +:uri-oci-managing-keys: https://docs.cloud.oracle.com/iaas/Content/KeyManagement/Tasks/managingkeys.htm +:uri-oci-managing-vaults: https://docs.cloud.oracle.com/iaas/Content/KeyManagement/Tasks/managingvaults.htm +:uri-oci-oke-policy: https://docs.cloud.oracle.com/iaas/Content/ContEng/Concepts/contengpolicyconfig.htm#PolicyPrerequisitesService + +:uri-terraform: https://www.terraform.io +:uri-terraform-download: https://www.terraform.io/downloads.html + +This section will guide you through the pre-requisites before you can use this project. + +You can proceed to {uri-instructions}[creating the cluster] if you have already done these. + +. link:#identity-and-access-management-rights[Identity and Access Management Rights] +. link:#install-terraform[Install Terraform] +. link:#generate-api-keys[Generate API Keys] +. link:#upload-your-api-keys[Upload API Keys] +. link:#create-an-oci-compartment[Create an OCI Compartment] +. 
link:#obtain-the-necessary-ocids[Obtain the necessary OCIDs] + +== Identity and Access Management Rights + +The Terraform user must have the rights to: + +. manage dynamic groups +. manage policies in root tenancy + +== Install Terraform + +Start by installing Terraform and configuring your path. + +=== Download Terraform + +. Open your browser and navigate to the {uri-terraform-download}[Terraform download page]. You need version 0.12.16+. + +. Download the appropriate version for your operating system + +. Extract the the contents of compressed file and copy the terraform binary to a location that is in your path (see next section below) + +=== Configure path on Linux/macOS + +Open a terminal and type the following: + + +[source,bash] +---- +$ sudo mv /path/to/terraform /usr/local/bin +---- + +=== Configure path on Windows +Follow the steps below to configure your path on Windows: + +. Click on 'Start', type 'Control Panel' and open it +. Select System > Advanced System Settings > Environment Variables +. Select System variables > PATH and click 'Edit' +. Click New and paste the location of the directory where you have extracted the terraform.exe +. Close all open windows by clicking OK +. Open a new terminal and verify terraform has been properly installed + +=== Testing Terraform installation + +1. Open a terminal and test: + ++ +[source,bash] +---- +terraform -v +Terraform v0.12.4 +---- + +== Generate API keys + +Follow the documentation for generating keys on {uri-oci-keys}[OCI Documentation]. + +== Upload your API keys + +Follow the documentation for uploading your keys on {uri-oci-keys-upload}[OCI Documentation]. + +Note the fingerprint. + +== Create an OCI compartment + +Follow the documentation for {uri-oci-compartment}[creating a compartment]. + +== Obtain the necessary OCIDs + +The following OCIDs are required: + +. Compartment OCID +. Tenancy OCID +. 
User OCID + +Follow the documentation for obtaining the tenancy and user ids on {uri-oci-ocids}[OCI Documentation]. + +To obtain the compartment OCID: + +. Navigate to Identity > Compartments +. Click on your Compartment +. Locate OCID on the page and click on 'Copy' \ No newline at end of file diff --git a/docs/terraformoptions.adoc b/docs/terraformoptions.adoc new file mode 100644 index 0000000..e387632 --- /dev/null +++ b/docs/terraformoptions.adoc 
@@ -0,0 +1,605 @@ += Terraform Options +:idprefix: +:idseparator: - +:sectlinks: +:sectnums: +:uri-repo: https://github.com/oracle-terraform-modules/terraform-oci-olcne + +:uri-rel-file-base: link:{uri-repo}/blob/master +:uri-rel-tree-base: link:{uri-repo}/tree/master +:uri-calico: https://www.projectcalico.org/ +:uri-calico-policy: https://docs.projectcalico.org/v3.8/getting-started/kubernetes/installation/other +:uri-cert-manager: https://cert-manager.readthedocs.io/en/latest/ +:uri-docs: {uri-rel-file-base}/docs +:uri-helm: https://helm.sh/ +:uri-kubernetes-hpa: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ +:uri-metrics-server: https://github.com/kubernetes-incubator/metrics-server +:uri-oci-images: https://docs.cloud.oracle.com/iaas/images/ +:uri-oci-kms: https://docs.cloud.oracle.com/iaas/Content/KeyManagement/Concepts/keyoverview.htm +:uri-oci-loadbalancer-annotations: https://github.com/oracle/oci-cloud-controller-manager/blob/master/docs/load-balancer-annotations.md +:uri-oci-region: https://docs.cloud.oracle.com/iaas/Content/General/Concepts/regions.htm +:uri-terraform-cidrsubnet: https://www.terraform.io/docs/configuration/functions/cidrsubnet.html +:uri-timezones: https://en.wikipedia.org/wiki/List_of_tz_database_time_zones + +Configuration Terraform Options: + +. link:#provider[Provider] +. link:#general-oci[General OCI] +. link:#ssh-keys[SSH Keys] +. link:#oci-networking[OCI Networking] +. link:#bastion-host[Bastion Host] +. link:#operator-host[Operator Host] +. link:#availability-domains[Availability Domains] +. link:#tagging[tagging] +. link:#olcne-master-nodes[OLCNE Master Nodes] +. link:#olcne-worker-nodes[OLCNE Worker Nodes] +. link:#certificate[Certificate] +. link:#olcne[OLCNE] + +== Provider + +[stripes=odd,cols="1d,4d,3a,3a,3a", options=header,width="100%"] +|=== +|Parameter +|Description +|Values +|Default Value +|Required/Optional + + +|`api_fingerprint` +|ssl fingerprint of api public key. 
+| +|None +|*Required* + +|`api_private_key_path` +|path to api private key. +| +|None +|*Required* + +|`region` +|Region where to provision the OLCNE cluster. {uri-oci-region}[List of regions]. +| +|us-phoenix-1 +|*Required* + +|`tenancy_id` +|Tenancy id of the user. +| +|None +|*Required* + +|`user_id` +|User's id. +| +|None +|*Required* + +|=== + +== General OCI + +[stripes=odd,cols="1d,4d,3a,3a,3a", options=header,width="100%"] +|=== +|Parameter +|Description +|Values +|Default Value +|Required/Optional + +|`compartment_id` +|Compartment id where the OKE Cluster will be provisioned. +| +|None +|*Required* + +|`label_prefix` +|a string to be prepended to the name of resources. +| +| +|*Required* + +|=== + +== SSH Keys + +[stripes=odd,cols="1d,4d,3a,3a,3a", options=header,width="100%"] +|=== +|Parameter +|Description +|Values +|Default Value +|Required/Optional + +|`ssh_private_key_path` +|path to ssh private key. The same key will be used to access worker nodes using SSH. +| +|None +|*Required* + +|`ssh_public_key_path` +|path to ssh public key. The same key will be used to access worker nodes using SSH. +| +|None +|*Required* + +|=== + +== OCI Networking + +[stripes=odd,cols="1d,4d,3a,3a,3a", options=header,width="100%"] +|=== +|Parameter +|Description +|Values +|Default Value +|Required/Optional + +|`netnum` +|0-based index of the subnets when the VCN's CIDR is masked with the corresponding newbit value and specified in the form of a map. Used to define the boundaries of the subnets. The values of the map are used as the netnum parameter in the {uri-terraform-cidrsubnet}[cidrsubnet] Terraform function. CIDR blocks for workers and load balancer subnets must not overlap with the CIDR blocks for Kubernetes pods (specified with _pods_cidr_ parameter). +|e.g. 
+[source] +---- +netnum = { + bastion = 32 + int_lb = 16 + masters = 48 + operator = 33 + pub_lb = 17 + workers = 1 +} +---- +| +[source] +---- +netnum = { + bastion = 32 + int_lb = 16 + masters = 48 + operator = 33 + pub_lb = 17 + workers = 1 +} +---- +|Optional + +|`newbits` +|The difference between the VCN's netmask and the desired subnets' masks specified in the form of a map. The values of the map are used as the newbits parameter in the {uri-terraform-cidrsubnet}[cidrsubnet] Terraform function to calculate each subnet's mask. CIDR blocks for workers and load balancer subnets must not overlap with the CIDR blocks for Kubernetes pods (specified with _pods_cidr_ parameter). +|e.g. +[source] +---- +newbits = { + bastion = 13 + lb = 11 + masters = 12 + operator = 13 + workers = 2 +} +---- +| +[source] +---- +newbits = { + bastion = 13 + lb = 11 + masters = 12 + operator = 13 + workers = 2 +} +---- +|Optional + +|`vcn_cidr` +|The VCN's CIDR block. The CIDR block specified for the VCN must not overlap with the CIDR block specified for the Kubernetes services (specified with _services_cidr_ parameter). +| +|10.0.0.0/16 +|Optional + +|`vcn_dns_label` +|The internal DNS domain for resources created and prepended to "oraclevcn.com" which is the VCN-internal domain name. +| +| +|*Required* + +|`vcn_name` +|The name of the VCN that will be appended to the label_prefix. +| +|olcne +|*Required* + +|=== + +== Bastion Host + +[stripes=odd,cols="1d,4d,3a,3a,3a", options=header,width="100%"] +|=== +|Parameter +|Description +|Values +|Default Value +|Required/Optional + +|`bastion_access` +|CIDR block in the form of a string to which ssh access to the bastion must be restricted to. *_ANYWHERE_* is equivalent to 0.0.0.0/0 and allows ssh access from anywhere. +|XXX.XXX.XXX.XXX/YY +|ANYWHERE +|Optional + +|`bastion_image_id` +|Custom image id for the bastion host +|image_id or Autonomous. 
If the value is set to 'Autonomous', an Oracle Autonomous Linux Platform image will be used instead. If you want to use a custom image, set the image id instead. +|Autonomous +|Optional + +|`bastion_notification_enabled` +|Whether to enable ONS notification for the bastion host. +|true/false +|false +|Optional + +|`bastion_notification_endpoint` +|The subscription notification endpoint. Email address to be notified. Only email is currently supported although ONS can also support Slack, Pagerduty among others. +| +| +|Optional + +|`bastion_notification_protocol` +|The notification protocol used. +|EMAIL +|EMAIL +|Optional + +|`bastion_notification_topic` +|The name of the notification topic +| +|bastion +|Optional + +|`bastion_package_upgrade` +|Whether to also upgrade the packages on the bastion host. +|true/false +|true +|Optional + +|`bastion_shape` +|The shape of bastion instance. +| +|VM.Standard.E2.1 +|Optional + +|`bastion_timezone` +|The preferred timezone for the bastion host. {uri-timezones}[List of timezones]. +| +|Australia/Sydney +|*Required* + +|=== + +== Operator Host + +[stripes=odd,cols="1d,4d,3a,3a,3a", options=header,width="100%"] +|=== +|Parameter +|Description +|Values +|Default Value +|Required/Optional + +|`operator_image_id` +|Custom image id for the operator host +|image_id or Oracle. If the value is set to Oracle, an Oracle Platform image will be used instead. +|Oracle +|Optional + +|`operator_notification_enabled` +|Whether to enable ONS notification for the operator host. *Do not enable for now*. +|true/false +|false +|Optional + +|`operator_notification_endpoint` +|The subscription notification endpoint. Email address to be notified. Only email is currently supported although ONS can also support Slack, Pagerduty among others. +| +| +|Optional + +|`operator_notification_protocol` +|The notification protocol used. 
+|EMAIL +|EMAIL +|Optional + +|`operator_notification_topic` +|The name of the notification topic +| +|operator +|Optional + +|`operator_package_upgrade` +|Whether to also upgrade the packages for the operator host. +|true/false +|true +|Optional + +|`operator_shape` +|The shape of operator instance. *Required* +| +|VM.Standard.E2.1 +|Optional + +|`operator_timezone` +|The preferred timezone for the operator host. {uri-timezones}[List of timezones]. *Required* +|e.g. Australia/Sydney +|Australia/Sydney +|Optional + +|=== + +== Availability Domains + +[stripes=odd,cols="1d,4d,3a,3a,3a", options=header,width="100%"] +|=== +|Parameter +|Description +|Values +|Default Value +|Required/Optional + +|`availability_domains` +|The Availability Domain where to provision non-OKE resources e.g. bastion host. This is specified in the form of a map. +| e.g. +[source] +---- +availability_domains = { + bastion = 1 + operator = 1 +} +---- +| +[source] +---- + bastion = 1 + operator = 1 +---- +|Optional + +|=== + +== Tagging + +[stripes=odd,cols="1d,4d,3a,3a", options=header,width="100%"] +|=== +|Parameter +|Description +|Values +|Default Value +|Required/Optional + +|`tags` +|Tagging on the base module resources. This is specified in the form of a map of maps. +| e.g. 
+[source] +---- +tags = { + # vcn, bastion and operator tags are required + # add more tags in each as desired + vcn = { + # department = "finance" + environment = "dev" + } + bastion = { + department = "finance" + environment = "dev" + role = "bastion" + } + operator = { + department = "finance" + environment = "dev" + role = "operator" + } +} +---- +| +[source] +---- +tags = { + # vcn, bastion and operator tags are required + # add more tags in each as desired + vcn = { + environment = "dev" + } + bastion = { + environment = "dev" + role = "bastion" + } + operator = { + environment = "dev" + role = "operator" + } +} +---- +|Optional + +|=== + +== OLCNE Master Nodes + +[stripes=odd,cols="1d,3d,3a,3a,3a", options=header,width="100%"] +|=== +|Parameter +|Description +|Values +|Default Value +|Required/Optional + +|`master_image_id` +|image id to use for master nodes. Provide an image id or a platform Oracle Linux image will be used. +| +|Oracle Linux +|Optional + +|`master_package_upgrade` +|Whether to upgrade the master host packages after provisioning. it’s useful to set this to false during development so the master nodes are provisioned faster. +|true/false +|true +|Optional + +|`master_shape` +|shape of master instance. +|VM.Standard.E2.2 +|VM.Standard.E2.2 +|Optional + +|`master_size` +|number of master nodes to provision. Leave at 1 in this release. +|1 +|1 +|Optional + +|`master_timezone` +|the preferred timezone for the master nodes. +|Australia/Sydney +|Australia/Sydney +|Optional + +|=== + +== OLCNE Worker Nodes + +[stripes=odd,cols="1d,3d,3a,3a,3a", options=header,width="100%"] +|=== +|Parameter +|Description +|Values +|Default Value +|Required/Optional + +|`worker_image_id` +|image id to use for worker nodes. Provide an image id or a platform Oracle Linux image will be used. +| +|Oracle Linux +|Optional + +|`worker_package_upgrade` +|Whether to upgrade the worker host packages after provisioning. 
it’s useful to set this to false during development so the worker nodes are provisioned faster. +|true/false +|true +|Optional + +|`worker_shape` +|shape of worker instance. +|VM.Standard.E2.2 +|VM.Standard.E2.2 +|Optional + +|`worker_size` +|number of worker nodes to provision. +|3 +|3 +|Optional + +|`worker_timezone` +|the preferred timezone for the worker nodes. +|Australia/Sydney +|Australia/Sydney +|Optional + +|=== + +== Certififcate + +[stripes=odd,cols="1d,3d,3a,3a", options=header,width="100%"] +|=== +|Parameter +|Description +|Values +|Default Value +|Required/Optional + +|`org_unit` +| +| +| +|*Required* + +|`org` +| +| +| +|*Required* + +|`city` +| +| +| +|*Required* + +|`state` +| +| +| +|*Required* + +|`country` +|2 letter country code +| +| +|*Required* + +|`common_name` +| +| +| +|*Required* + +|=== + +== OLCNE + +[stripes=odd,cols="1d,3d,3a,3a,3a", options=header,width="100%"] +|=== +|Parameter +|Description +|Values +|Default Value +|Required/Optional + +|`secret_id` +|id of secret where the private ssh key is stored in encrypted format. +| +| +|*Required* + +|`environment_name` +|name of the environment. +|dev +|dev +|Optional + +|`cluster_name` +|name of the cluster. +| +|olcne +|Optional + +|`helm_version` +|version of helm client to install on operator +| +|3.1.1 +|Optional + +|`create_kata_runtime` +|whether to create kata runtime class +|true/false +|false +|Optional + +|`kata_runtime_class_name` +|the name of the kata runtime class +| +|kata +|Optional + +|=== \ No newline at end of file diff --git a/locals.tf b/locals.tf index 82574d3..d289de1 100644 --- a/locals.tf +++ b/locals.tf 
@@ -3,37 +3,38 @@ locals { - # base module parameters - oci_base_identity = { + oci_base_general = { + compartment_id = var.compartment_id + label_prefix = var.label_prefix + } + + oci_base_provider = { api_fingerprint = var.api_fingerprint api_private_key_path = var.api_private_key_path - compartment_id = var.compartment_id + region = var.region tenancy_id = var.tenancy_id user_id = var.user_id } + oci_base_vcn = { + internet_gateway_enabled = true + nat_gateway_enabled = true + service_gateway_enabled = true + tags = var.tags["vcn"] + vcn_cidr = var.vcn_cidr + vcn_dns_label = var.vcn_dns_label + vcn_name = var.vcn_name + } + oci_base_ssh_keys = { ssh_private_key_path = var.ssh_private_key_path ssh_public_key_path = var.ssh_public_key_path } - oci_base_general = { - label_prefix = var.label_prefix - region = var.region - } - - oci_base_vcn = { - nat_gateway_enabled = var.nat_gateway_enabled - service_gateway_enabled = var.service_gateway_enabled - vcn_cidr = var.vcn_cidr - vcn_dns_label = var.vcn_dns_label - vcn_name = var.vcn_name - } - oci_base_bastion = { - availability_domains = var.availability_domains["bastion"] + availability_domain = var.availability_domains["bastion"] bastion_access = var.bastion_access - bastion_enabled = var.bastion_enabled + bastion_enabled = true bastion_image_id = var.bastion_image_id bastion_shape = var.bastion_shape bastion_upgrade = var.bastion_package_upgrade 
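Review bot: `internet_gateway_enabled`, `nat_gateway_enabled` and `service_gateway_enabled` in `oci_base_vcn` are now hard-coded `true`, replacing the removed `var.nat_gateway_enabled`/`var.service_gateway_enabled` wiring, and `bastion_enabled` in `oci_base_bastion` is likewise fixed to `true`. If the root module still declares those variables they are now silently ignored, and a reader of the root `variables.tf` will assume they still take effect. Either drop the root variables in the same change or keep them wired, and in either case note the always-on gateways in docs/terraformoptions.adoc, since an internet gateway that cannot be disabled is a property of the deployment that operators want stated. The `locals` block continues in the next hunk.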
@@ -45,98 +46,27 @@ locals { notification_topic = var.bastion_notification_topic ssh_private_key_path = var.ssh_private_key_path ssh_public_key_path = var.ssh_public_key_path + tags = var.tags["bastion"] timezone = var.bastion_timezone } - oci_base_admin = { - availability_domains = var.availability_domains["admin"] - admin_enabled = var.admin_enabled - admin_image_id = var.admin_image_id - admin_shape = var.admin_shape - admin_upgrade = var.admin_package_upgrade - enable_instance_principal = var.admin_instance_principal - netnum = var.netnum["admin"] - newbits = var.newbits["admin"] - notification_enabled = var.admin_notification_enabled - notification_endpoint = var.admin_notification_endpoint - notification_protocol = var.admin_notification_protocol - notification_topic = var.admin_notification_topic + oci_base_operator = { + availability_domain = var.availability_domains["operator"] + operator_enabled = true + operator_image_id = var.operator_image_id + operator_shape = var.operator_shape + operator_upgrade = var.operator_package_upgrade + enable_instance_principal = true + netnum = var.netnum["operator"] + newbits = var.newbits["operator"] + notification_enabled = var.operator_notification_enabled + notification_endpoint = var.operator_notification_endpoint + notification_protocol = var.operator_notification_protocol + notification_topic = var.operator_notification_topic ssh_private_key_path = var.ssh_private_key_path ssh_public_key_path = var.ssh_public_key_path - timezone = var.admin_timezone - } - - # reusable module parameters - olcne_general = { - ad_names = module.base.ad_names - compartment_id = var.compartment_id - label_prefix = var.label_prefix - } - - olcne_bastion = { - bastion_public_ip = module.base.bastion_public_ip - ssh_private_key_path = var.ssh_private_key_path - } - - - # network module parameters - olcne_network_access = { - allow_master_ssh_access = var.allow_master_ssh_access - allow_worker_ssh_access = var.allow_worker_ssh_access - } - 
- olcne_network_vcn = { - ig_route_id = module.base.ig_route_id - is_service_gateway_enabled = var.service_gateway_enabled - nat_route_id = module.base.nat_route_id - netnum = var.netnum - newbits = var.newbits - vcn_cidr = var.vcn_cidr - vcn_id = module.base.vcn_id - } - - - # master module parameters - olcne_master = { - master_image_id = var.master_image_id - master_shape = var.master_shape - master_upgrade = var.master_package_upgrade - size = var.master_size - ssh_public_key_path = var.ssh_public_key_path - timezone = var.master_timezone - } - - olcne_master_network = { - nsg_ids = module.network.nsg_ids - subnet_id = lookup(module.network.subnet_ids, "masters") - subnet_label = module.network.master_subnet_dns_label - subnet_mask = cidrnetmask(cidrsubnet(var.vcn_cidr, var.newbits["masters"], var.netnum["masters"])) - } - - # operator module parameters - - oci_provider = { - api_fingerprint = var.api_fingerprint - api_private_key_path = var.api_private_key_path - home_region = module.base.home_region - region = var.region - tenancy_id = var.tenancy_id - user_id = var.user_id - } - - olcne_operator = { - operator_image_id = var.operator_image_id - operator_shape = var.operator_shape - operator_upgrade = var.operator_package_upgrade - ssh_private_key_path = var.ssh_private_key_path - ssh_public_key_path = var.ssh_public_key_path - timezone = var.operator_timezone - } - - olcne_operator_network = { - nsg_ids = module.network.nsg_ids - subnet_id = lookup(module.network.subnet_ids, "operator") - subnet_label = module.network.operator_subnet_dns_label + tags = var.tags["bastion"] + timezone = var.operator_timezone } olcne_masters = { 
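Review bot: `enable_instance_principal = true` in `oci_base_operator` makes enrolment of the operator host as an instance principal unconditional, where the removed `oci_base_admin` block took it from `var.admin_instance_principal`. The operator then holds an OCI identity whose permissions come from the dynamic group and policy the base module sets up (not visible in this diff); with the opt-out gone, that policy should be scoped to what the olcne module's scripts actually call, and the behaviour should be stated in docs/terraformoptions.adoc. If an opt-out is still wanted, keep it a variable with a `true` default, `enable_instance_principal = var.operator_instance_principal`. The enclosing `locals` block starts and ends outside this hunk.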
@@ -165,38 +95,4 @@ locals { create_kata_runtime = var.create_kata_runtime kata_runtime_class_name = var.kata_runtime_class_name } - - # worker module parameters - - olcne_worker = { - worker_image_id = var.worker_image_id - worker_shape = var.worker_shape - worker_upgrade = var.worker_package_upgrade - size = var.worker_size - ssh_public_key_path = var.ssh_public_key_path - timezone = var.worker_timezone - } - - olcne_worker_network = { - nsg_ids = module.network.nsg_ids - subnet_id = lookup(module.network.subnet_ids, "workers") - subnet_label = module.network.worker_subnet_dns_label - } - - # public load balancer module parameters - - olcne_pub_lb_network = { - nsg_ids = module.network.nsg_ids - subnet_id = lookup(module.network.subnet_ids, "pub_lb") - } - - olcne_lb_shapes = { - int_lb = var.int_lb_shape - pub_lb = var.public_lb_shape - } - - olcne_lb_workers = { - olcne_worker_ips = module.worker.worker_ip_list - worker_nodes_size = var.worker_size - } } diff --git a/main.tf b/main.tf index a27f243..33249bc 100644 --- a/main.tf +++ b/main.tf 
@@ -2,113 +2,91 @@ # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl terraform { - required_version = ">= 0.12.16" + required_version = ">= 0.12.24" } module "base" { source = "oracle-terraform-modules/base/oci" - version = "1.1.4" - - # identity - oci_base_identity = local.oci_base_identity + version = "1.2.3" # general oci parameters oci_base_general = local.oci_base_general + # identity + oci_base_provider = local.oci_base_provider + # vcn parameters oci_base_vcn = local.oci_base_vcn # bastion parameters oci_base_bastion = local.oci_base_bastion - # admin server parameters - oci_base_admin = local.oci_base_admin - - tagging = { - computetag = { - Environment = "dev" - } - networktag = { - Name = "network" - } - } + # operator server parameters + oci_base_operator = local.oci_base_operator + } module "network" { source = "./modules/network" - # general parameters - olcne_general = local.olcne_general - - # olcne networking parameters - olcne_network_vcn = local.olcne_network_vcn - - # olcne network access parameters - olcne_network_access = local.olcne_network_access + # general oci parameters + compartment_id = var.compartment_id + label_prefix = var.label_prefix + ad_names = module.base.ad_names + + # network parameters + ig_route_id = module.base.ig_route_id + nat_route_id = module.base.nat_route_id + netnum = var.netnum + newbits = var.newbits + vcn_id = module.base.vcn_id } module "master" { source = "./modules/master" - # general parameters - olcne_general = local.olcne_general - - # olcne master nodes parameters - olcne_master = local.olcne_master - - # olcne master network parameters - olcne_master_network = local.olcne_master_network -} - -module "operator" { - source = "./modules/operator" - - # home provider parameters - oci_provider = local.oci_provider - - # general parameters - olcne_general = local.olcne_general - - # bastion - olcne_bastion = local.olcne_bastion - - # olcne operator node 
parameters - olcne_operator = local.olcne_operator - - # olcne operator network parameters - olcne_operator_network = local.olcne_operator_network - - # list of master nodes - olcne_masters = local.olcne_masters - - # private CA Certificate - olcne_certificate = local.olcne_certificate - - # list of worker nodes - olcne_workers = local.olcne_workers - - # private key parameter to access other nodes - secret_id = var.secret_id - - # olcne environment - olcne_environment = local.olcne_environment - - helm_version = var.helm_version + # general oci parameters + compartment_id = var.compartment_id + label_prefix = var.label_prefix + ad_names = module.base.ad_names + + # networking parameters + nsg_id = module.network.nsg_ids["master"] + subnet_id = module.network.subnet_ids["masters"] + subnet_label = module.network.master_subnet_dns_label + + # master compute parameters + master_image_id = var.master_image_id + master_shape = var.master_shape + master_size = var.master_size + master_upgrade = var.master_package_upgrade + ssh_public_key = "" + ssh_public_key_path = var.ssh_public_key_path + timezone = var.master_timezone - loadbalancer_ip_address = module.loadbalancer.pub_lb_ip } module "worker" { source = "./modules/worker" - # general parameters - olcne_general = local.olcne_general - - # olcne worker nodes parameters - olcne_worker = local.olcne_worker - - # olcne worker network parameters - olcne_worker_network = local.olcne_worker_network + # general oci parameters + compartment_id = var.compartment_id + label_prefix = var.label_prefix + ad_names = module.base.ad_names + + # networking parameters + nsg_id = module.network.nsg_ids["worker"] + subnet_id = module.network.subnet_ids["workers"] + subnet_label = module.network.worker_subnet_dns_label + + # worker compute parameters + worker_image_id = var.worker_image_id + worker_shape = var.worker_shape + worker_size = var.worker_size + worker_upgrade = var.worker_package_upgrade + ssh_public_key = "" + 
ssh_public_key_path = var.ssh_public_key_path + timezone = var.worker_timezone # olcne public load balancer to attach to worker pool oci_loadbalancer_id = module.loadbalancer.pub_lb_id @@ -135,3 +113,39 @@ module "loadbalancer" { # workers ip addresses for backend resources olcne_workers = module.worker.worker_ip_list } + +# configuration +module "olcne" { + source = "./modules/olcne" + + # general oci parameters + compartment_id = var.compartment_id + label_prefix = var.label_prefix + region = var.region + + # bastion + bastion_public_ip = module.base.bastion_public_ip + ssh_private_key_path = var.ssh_private_key_path + + # operator + operator_ip = module.base.operator_private_ip + + # list of master nodes + olcne_masters = local.olcne_masters + + # private CA Certificate + olcne_certificate = local.olcne_certificate + + # list of worker nodes + olcne_workers = local.olcne_workers + + # private key parameter to access other nodes + secret_id = var.secret_id + + # olcne environment + olcne_environment = local.olcne_environment + + helm_version = var.helm_version + + loadbalancer_ip_address = module.loadbalancer.pub_lb_ip +} diff --git a/modules/master/compute.tf b/modules/master/compute.tf index c9f7d5d..6e507f0 100644 --- a/modules/master/compute.tf +++ b/modules/master/compute.tf 
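Review bot: `ssh_public_key = ""` is passed to both `module "master"` and `module "worker"` alongside `ssh_public_key_path`, but `modules/master/compute.tf` only ever reads `file(var.ssh_public_key_path)`, so the empty string is a dead input that suggests an alternative the module does not implement. Either remove the two lines together with `variable "ssh_public_key"` in `modules/master/variables.tf`, or make the module honour it, e.g. `ssh_authorized_keys = var.ssh_public_key != "" ? var.ssh_public_key : file(var.ssh_public_key_path)`. The worker module's variables and compute files are not in this diff, so I cannot tell whether it reads the value either.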
@@ -2,36 +2,36 @@ # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/ resource "oci_core_instance_configuration" "master" { - compartment_id = var.olcne_general.compartment_id + compartment_id = var.compartment_id - display_name = "${var.olcne_general.label_prefix}-master" + display_name = "${var.label_prefix}-master" instance_details { instance_type = "compute" launch_details { - compartment_id = var.olcne_general.compartment_id + compartment_id = var.compartment_id create_vnic_details { assign_public_ip = false - display_name = "${var.olcne_general.label_prefix}-master" + display_name = "${var.label_prefix}-master" hostname_label = "master" - nsg_ids = [lookup(var.olcne_master_network.nsg_ids, "master")] - subnet_id = var.olcne_master_network.subnet_id + nsg_ids = [var.nsg_id] + subnet_id = var.subnet_id } - display_name = "${var.olcne_general.label_prefix}-master" + display_name = "${var.label_prefix}-master" extended_metadata = { - subnet_id = var.olcne_master_network.subnet_id + subnet_id = var.subnet_id } metadata = { - ssh_authorized_keys = file(var.olcne_master.ssh_public_key_path) + ssh_authorized_keys = file(var.ssh_public_key_path) user_data = data.template_cloudinit_config.master.rendered } - shape = var.olcne_master.master_shape + shape = var.master_shape source_details { source_type = "image" image_id = local.master_image_id 
@@ -44,20 +44,24 @@ resource "oci_core_instance_configuration" "master" { } resource "oci_core_instance_pool" "master" { - compartment_id = var.olcne_general.compartment_id + compartment_id = var.compartment_id depends_on = [oci_core_instance_configuration.master] - display_name = "${var.olcne_general.label_prefix}-master" + display_name = "${var.label_prefix}-master" instance_configuration_id = oci_core_instance_configuration.master.id dynamic "placement_configurations" { iterator = ad_iterator - for_each = var.olcne_general.ad_names + for_each = var.ad_names content { availability_domain = ad_iterator.value - primary_subnet_id = var.olcne_master_network.subnet_id + primary_subnet_id = var.subnet_id } } - size = var.olcne_master.size + lifecycle { + ignore_changes = [display_name] + } + + size = var.master_size } diff --git a/modules/master/datasources.tf b/modules/master/datasources.tf index b49a7d4..4495c55 100644 --- a/modules/master/datasources.tf +++ b/modules/master/datasources.tf @@ -2,10 +2,10 @@ # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl data "oci_core_images" "master_images" { - compartment_id = var.olcne_general.compartment_id + compartment_id = var.compartment_id operating_system = "Oracle Linux" - operating_system_version = "7.7" - shape = var.olcne_master.master_shape + operating_system_version = "7.8" + shape = var.master_shape sort_by = "TIMECREATED" } @@ -18,8 +18,8 @@ data "template_file" "master_cloud_init_file" { vars = { master_sh_content = base64gzip(data.template_file.master_template.rendered) - master_upgrade = var.olcne_master.master_upgrade - timezone = var.olcne_master.timezone + master_upgrade = var.master_upgrade + timezone = var.timezone } } 
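Review bot: The new `lifecycle { ignore_changes = [display_name] }` on `oci_core_instance_pool.master` has no comment explaining why display-name drift on the pool is tolerated, while `oci_core_instance_configuration.master` in the previous hunk gets no such block, so a later `label_prefix` change will treat the two resources differently. Add a one-line reason above it, e.g. `# ignore display_name so a later label_prefix change does not touch the running pool (TODO confirm intent)`, or apply the same policy to both resources. `depends_on = [oci_core_instance_configuration.master]` is also implied by the `instance_configuration_id` reference and could go.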
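Review bot: With `operating_system_version` bumped to `"7.8"` and `sort_by = "TIMECREATED"`, `local.master_image_id` in modules/master/locals.tf resolves to whichever Oracle Linux 7.8 image is newest at apply time, so two applies can roll masters onto different base images with no change in the configuration. Make the ordering explicit with `sort_order = "DESC"` next to `sort_by`, and document in docs/terraformoptions.adoc that leaving `master_image_id` at its default selects the newest platform image and that production deployments should pin an image OCID. The equivalent lookup presumably exists for workers; its file is not in this diff.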
@@ -37,7 +37,7 @@ data "template_cloudinit_config" "master" { # Gets the list of master instances data "oci_core_instance_pool_instances" "master" { - compartment_id = var.olcne_general.compartment_id + compartment_id = var.compartment_id depends_on = [oci_core_instance_pool.master] instance_pool_id = oci_core_instance_pool.master.id } @@ -46,12 +46,12 @@ data "oci_core_instance_pool_instances" "master" { data "oci_core_instance" "master" { depends_on = [oci_core_instance_pool.master] instance_id = element(local.master_nodes_id_list, count.index) - count = var.olcne_master.size + count = var.master_size } # Gets a list of VNIC attachments on the primary master instance data "oci_core_vnic_attachments" "master_vnics_attachments" { - compartment_id = var.olcne_general.compartment_id + compartment_id = var.compartment_id depends_on = [oci_core_instance_pool.master] instance_id = element(local.master_nodes_id_list, 0) } diff --git a/modules/master/locals.tf b/modules/master/locals.tf index f4ac4df..bc8a054 100644 --- a/modules/master/locals.tf +++ b/modules/master/locals.tf @@ -2,7 +2,7 @@ # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl locals { - master_image_id = var.olcne_master.master_image_id == "Oracle" ? data.oci_core_images.master_images.images.0.id : var.olcne_master.master_image_id + master_image_id = var.master_image_id == "Oracle" ? data.oci_core_images.master_images.images.0.id : var.master_image_id unsorted_master_nodes_id_list = [ for instance in data.oci_core_instance_pool_instances.master.instances : @@ -13,7 +13,7 @@ locals { master_nodes_hostname_list = [ for instance in data.oci_core_instance.master : - "${instance.hostname_label}.${var.olcne_master_network.subnet_label}" + "${instance.hostname_label}.${var.subnet_label}" ] vnic_ids_list = [ diff --git a/modules/master/scripts/master.template.sh b/modules/master/scripts/master.template.sh index 49a7924..15d0197 100644 
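Review bot: `count = var.master_size` on `data "oci_core_instance" "master"` is combined with `element(local.master_nodes_id_list, count.index)`, and `element` wraps around, so if the pool currently holds fewer instances than `master_size` (a failed or still-launching member) the data source silently reads an earlier instance twice instead of failing, and `master_nodes_hostname_list` downstream gets a duplicate entry. Index directly, `instance_id = local.master_nodes_id_list[count.index]`, so a short list is an error at plan time rather than a hidden duplicate. The same pattern is presumably used in the worker module, which is not in this diff.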
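Review bot: `var.master_image_id == "Oracle"` makes the literal string `Oracle` the sentinel for "use the platform image", but docs/terraformoptions.adoc in this commit lists the default as `Oracle Linux` and only says to "provide an image id", so a user following the docs cannot tell which value triggers the lookup. Add `# the literal value "Oracle" selects the newest platform image from data.oci_core_images.master_images` above the line and state the exact sentinel in the docs. Note also that `images.0.id` raises an index error when the lookup returns nothing (for example a shape with no 7.8 image), which is the right outcome but deserves a comment so the error is understood.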
--- a/modules/master/scripts/master.template.sh +++ b/modules/master/scripts/master.template.sh @@ -8,8 +8,7 @@ yum update --security # enable olcne yum channels yum install -y oracle-olcne-release-el7 yum-config-manager --disable ol7_olcne -yum-config-manager --enable ol7_olcne11 ol7_kvm_utils ol7_addons ol7_latest -# ol7_UEKR5 +yum-config-manager --enable ol7_olcne11 ol7_kvm_utils ol7_addons ol7_latest ol7_UEKR5 # install oci cli pip3 install oci-cli diff --git a/modules/master/variables.tf b/modules/master/variables.tf index 708908c..7221912 100644 --- a/modules/master/variables.tf +++ b/modules/master/variables.tf 
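Review bot: Enabling `ol7_UEKR5` drops the commented-out `# ol7_UEKR5` that was the only record of it having been deliberately left out, and nothing now says why the UEK R5 channel is needed on masters. Add a reason on the line above, e.g. `# ol7_UEKR5: <reason the UEK R5 channel is required> (TODO confirm)`. While here, the unchanged `pip3 install oci-cli` below installs whatever version PyPI serves at provisioning time; pinning it (`pip3 install oci-cli==<version>`) keeps master builds reproducible and makes the CLI version part of the reviewed configuration.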
@@ -1,34 +1,58 @@ # Copyright 2020, Oracle Corporation and/or affiliates. # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl -# general +# general oci parameters +variable "compartment_id" { + type = string +} -variable "olcne_general" { - type = object({ - ad_names = list(string) - compartment_id = string - label_prefix = string - }) +variable "label_prefix" { + type = string } -# master +# region parameters +variable "ad_names" { + type = list(string) +} -variable "olcne_master" { - type = object({ - master_image_id = string - master_shape = string - master_upgrade = bool - size = number - ssh_public_key_path = string - timezone = string - }) +# networking parameters +variable "nsg_id" { + type = string } -variable "olcne_master_network" { - type = object({ - nsg_ids = map(string) - subnet_id = string - subnet_label = string - subnet_mask = string - }) +variable "subnet_id" { + type = string } + +variable "subnet_label" { + type = string +} + +# master compute parameters +variable "master_image_id" { + type = string +} + +variable "master_shape" { + type = string +} + +variable "master_size" { + type = number +} + +variable "master_upgrade" { + type = string +} + +variable "ssh_public_key" { + type = string +} + +variable "ssh_public_key_path" { + type = string +} + +variable "timezone" { + type = string +} \ No newline at end of file diff --git a/modules/network/datasources.tf b/modules/network/datasources.tf index 38003da..8c6ec89 100644 --- a/modules/network/datasources.tf +++ b/modules/network/datasources.tf 
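Review bot: `variable "master_upgrade"` is declared `type = string` although the removed `olcne_master` object typed it `bool`, main.tf passes `var.master_package_upgrade`, and docs/terraformoptions.adoc documents it as `true/false`; Terraform will coerce the bool to `"true"`/`"false"` silently, but a typo such as `"ture"` now passes validation and only fails inside the cloud-init template. Use `type = bool`. `variable "ssh_public_key"` is also declared but nothing in `modules/master/compute.tf` reads it (only `file(var.ssh_public_key_path)` is used), and none of the new variables carry a `description`, which the old object types at least documented implicitly by grouping.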
@@ -1,18 +1,9 @@ # Copyright 2020, Oracle Corporation and/or affiliates. # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl -data "oci_core_services" "all_oci_services" { - filter { - name = "name" - values = ["All .* Services In Oracle Services Network"] - regex = true - } - count = var.olcne_network_vcn.is_service_gateway_enabled == true ? 1 : 0 -} - data "oci_core_subnets" "olcne_subnets" { - compartment_id = var.olcne_general.compartment_id - vcn_id = var.olcne_network_vcn.vcn_id + compartment_id = var.compartment_id + vcn_id = var.vcn_id filter { name = "state" @@ -20,6 +11,6 @@ data "oci_core_subnets" "olcne_subnets" { } } -data "oci_core_vcn" "olcne_vcn" { - vcn_id = var.olcne_network_vcn.vcn_id +data "oci_core_vcn" "vcn" { + vcn_id = var.vcn_id } diff --git a/modules/network/locals.tf b/modules/network/locals.tf index f75ccb0..606faaf 100644 --- a/modules/network/locals.tf +++ b/modules/network/locals.tf 
@@ -3,12 +3,12 @@ locals { # subnet cidrs - used by subnets - bastion_subnet = cidrsubnet(var.olcne_network_vcn.vcn_cidr, var.olcne_network_vcn.newbits["bastion"], var.olcne_network_vcn.netnum["bastion"]) - int_lb_subnet = cidrsubnet(var.olcne_network_vcn.vcn_cidr, var.olcne_network_vcn.newbits["lb"], var.olcne_network_vcn.netnum["int_lb"]) - master_subnet = cidrsubnet(var.olcne_network_vcn.vcn_cidr, var.olcne_network_vcn.newbits["masters"], var.olcne_network_vcn.netnum["masters"]) - operator_subnet = cidrsubnet(var.olcne_network_vcn.vcn_cidr, var.olcne_network_vcn.newbits["operator"], var.olcne_network_vcn.netnum["operator"]) - pub_lb_subnet = cidrsubnet(var.olcne_network_vcn.vcn_cidr, var.olcne_network_vcn.newbits["lb"], var.olcne_network_vcn.netnum["pub_lb"]) - worker_subnet = cidrsubnet(var.olcne_network_vcn.vcn_cidr, var.olcne_network_vcn.newbits["workers"], var.olcne_network_vcn.netnum["workers"]) + bastion_subnet = cidrsubnet(data.oci_core_vcn.vcn.cidr_block, var.newbits["bastion"], var.netnum["bastion"]) + int_lb_subnet = cidrsubnet(data.oci_core_vcn.vcn.cidr_block, var.newbits["lb"], var.netnum["int_lb"]) + master_subnet = cidrsubnet(data.oci_core_vcn.vcn.cidr_block, var.newbits["masters"], var.netnum["masters"]) + operator_subnet = cidrsubnet(data.oci_core_vcn.vcn.cidr_block, var.newbits["operator"], var.netnum["operator"]) + pub_lb_subnet = cidrsubnet(data.oci_core_vcn.vcn.cidr_block, var.newbits["lb"], var.netnum["pub_lb"]) + worker_subnet = cidrsubnet(data.oci_core_vcn.vcn.cidr_block, var.newbits["workers"], var.netnum["workers"]) anywhere = "0.0.0.0/0" @@ -42,7 +42,7 @@ locals { { description = "Allow access to Platform API Server", protocol = local.tcp_protocol, port = 8091, - source = var.olcne_network_vcn.vcn_cidr + source = data.oci_core_vcn.vcn.cidr_block } ] diff --git a/modules/network/nsg.tf b/modules/network/nsg.tf index 6515a09..f2bb7b3 100644 --- a/modules/network/nsg.tf +++ b/modules/network/nsg.tf 
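Review bot: `operator_subnet` is still derived from `var.newbits["operator"]` and `var.netnum["operator"]` in this hunk, yet the same commit deletes `oci_core_subnet.operator` from `modules/network/subnets.tf`, so every caller must keep an `operator` key in both maps purely to satisfy a local nothing consumes. Either remove the `operator_subnet` line, or, if it is kept to feed NSG rule sources, add `# operator subnet is now created by the base module; kept only as an NSG rule source` so the coupling is visible.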
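Review bot: The rule `Allow access to Platform API Server` on port 8091 now takes its `source` from `data.oci_core_vcn.vcn.cidr_block`, i.e. the whole VCN including the public load-balancer subnet. If the Platform API Server is only called from the operator host, the source can be narrowed to `local.operator_subnet`, which this file still computes; if other nodes do need it, a comment naming them next to the rule would justify the VCN-wide source. The `locals` block holding this rule list starts and ends outside the hunk.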
@@ -3,9 +3,9 @@ # operator nsg and rule resource "oci_core_network_security_group" "operator" { - compartment_id = var.olcne_general.compartment_id - display_name = "${var.olcne_general.label_prefix}-operator" - vcn_id = var.olcne_network_vcn.vcn_id + compartment_id = var.compartment_id + display_name = "${var.label_prefix}-operator" + vcn_id = var.vcn_id } resource "oci_core_network_security_group_security_rule" "operator_internet" { @@ -49,9 +49,9 @@ resource "oci_core_network_security_group_security_rule" "operator" { # master nsg and rule resource "oci_core_network_security_group" "master" { - compartment_id = var.olcne_general.compartment_id - display_name = "${var.olcne_general.label_prefix}-master" - vcn_id = var.olcne_network_vcn.vcn_id + compartment_id = var.compartment_id + display_name = "${var.label_prefix}-master" + vcn_id = var.vcn_id } resource "oci_core_network_security_group_security_rule" "master_internet" { @@ -121,9 +121,9 @@ resource "oci_core_network_security_group_security_rule" "master_vrrp" { # worker nsg and rule resource "oci_core_network_security_group" "worker" { - compartment_id = var.olcne_general.compartment_id - display_name = "${var.olcne_general.label_prefix}-worker" - vcn_id = var.olcne_network_vcn.vcn_id + compartment_id = var.compartment_id + display_name = "${var.label_prefix}-worker" + vcn_id = var.vcn_id } resource "oci_core_network_security_group_security_rule" "worker_internet" { @@ -222,9 +222,9 @@ resource "oci_core_network_security_group_security_rule" "worker_udp_nodeport" { # public load balancer nsg and rule resource "oci_core_network_security_group" "pub_lb" { - compartment_id = var.olcne_general.compartment_id - display_name = "${var.olcne_general.label_prefix}-lb" - vcn_id = var.olcne_network_vcn.vcn_id + compartment_id = var.compartment_id + display_name = "${var.label_prefix}-lb" + vcn_id = var.vcn_id } resource "oci_core_network_security_group_security_rule" "pub_lb" { 
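Review bot: `oci_core_network_security_group.operator` and its `operator_internet`/`operator` rules are still created by this module, but the same commit removes the operator subnet from `modules/network/subnets.tf` and the `operator` key from `output "nsg_ids"` in `modules/network/outputs.tf`, so the NSG is created and never attached to anything. Delete it along with its rules, or, if the operator host provisioned by the base module is meant to carry these rules, keep the output and pass it through `oci_base_operator`. An unattached NSG left in the VCN invites someone to attach it later without reviewing its rules.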
diff --git a/modules/network/outputs.tf b/modules/network/outputs.tf index 8096bec..ab1c5a9 100644 --- a/modules/network/outputs.tf +++ b/modules/network/outputs.tf @@ -1,33 +1,27 @@ # Copyright 2020, Oracle Corporation and/or affiliates. # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl -output "subnet_ids" { - value = map( - "masters", join(",", oci_core_subnet.masters.*.id), - "workers", join(",", oci_core_subnet.workers.*.id), - "int_lb", join(",", oci_core_subnet.int_lb.*.id), - "pub_lb", join(",", oci_core_subnet.pub_lb.*.id), - "operator", join(",", oci_core_subnet.operator.*.id) - ) -} - output "nsg_ids" { value = map( "master", join(",", oci_core_network_security_group.master.*.id), - "operator", join(",", oci_core_network_security_group.operator.*.id), "pub_lb", join(",", oci_core_network_security_group.pub_lb.*.id), "worker", join(",", oci_core_network_security_group.worker.*.id), ) } -output "master_subnet_dns_label" { - value = "${oci_core_subnet.masters.dns_label}.${data.oci_core_vcn.olcne_vcn.dns_label}.oraclevcn.com" +output "subnet_ids" { + value = map( + "masters", join(",", oci_core_subnet.masters.*.id), + "workers", join(",", oci_core_subnet.workers.*.id), + "int_lb", join(",", oci_core_subnet.int_lb.*.id), + "pub_lb", join(",", oci_core_subnet.pub_lb.*.id), + ) } -output "operator_subnet_dns_label" { - value = "${oci_core_subnet.operator.dns_label}.${data.oci_core_vcn.olcne_vcn.dns_label}.oraclevcn.com" +output "master_subnet_dns_label" { + value = "${oci_core_subnet.masters.dns_label}.${data.oci_core_vcn.vcn.dns_label}.oraclevcn.com" } output "worker_subnet_dns_label" { - value = "${oci_core_subnet.workers.dns_label}.${data.oci_core_vcn.olcne_vcn.dns_label}.oraclevcn.com" + value = "${oci_core_subnet.workers.dns_label}.${data.oci_core_vcn.vcn.dns_label}.oraclevcn.com" } diff --git a/modules/network/subnets.tf b/modules/network/subnets.tf index bcc77df..f69dd8e 100644 
--- a/modules/network/subnets.tf +++ b/modules/network/subnets.tf 
@@ -3,50 +3,40 @@ resource "oci_core_subnet" "masters" { cidr_block = local.master_subnet - compartment_id = var.olcne_general.compartment_id - display_name = "${var.olcne_general.label_prefix}-masters" + compartment_id = var.compartment_id + display_name = "${var.label_prefix}-masters" dns_label = "masters" prohibit_public_ip_on_vnic = true - route_table_id = var.olcne_network_vcn.nat_route_id - vcn_id = var.olcne_network_vcn.vcn_id -} - -resource "oci_core_subnet" "operator" { - cidr_block = local.operator_subnet - compartment_id = var.olcne_general.compartment_id - display_name = "${var.olcne_general.label_prefix}-operator" - dns_label = "operator" - prohibit_public_ip_on_vnic = true - route_table_id = var.olcne_network_vcn.nat_route_id - vcn_id = var.olcne_network_vcn.vcn_id + route_table_id = var.nat_route_id + vcn_id = var.vcn_id } resource "oci_core_subnet" "workers" { cidr_block = local.worker_subnet - compartment_id = var.olcne_general.compartment_id - display_name = "${var.olcne_general.label_prefix}-workers" + compartment_id = var.compartment_id + display_name = "${var.label_prefix}-workers" dns_label = "workers" prohibit_public_ip_on_vnic = true - route_table_id = var.olcne_network_vcn.nat_route_id - vcn_id = var.olcne_network_vcn.vcn_id + route_table_id = var.nat_route_id + vcn_id = var.vcn_id } resource "oci_core_subnet" "int_lb" { cidr_block = local.int_lb_subnet - compartment_id = var.olcne_general.compartment_id - display_name = "${var.olcne_general.label_prefix}-int-lb" + compartment_id = var.compartment_id + display_name = "${var.label_prefix}-int-lb" dns_label = "intlb" prohibit_public_ip_on_vnic = true - route_table_id = var.olcne_network_vcn.nat_route_id - vcn_id = var.olcne_network_vcn.vcn_id + route_table_id = var.nat_route_id + vcn_id = var.vcn_id } resource "oci_core_subnet" "pub_lb" { cidr_block = local.pub_lb_subnet - compartment_id = var.olcne_general.compartment_id - display_name = "${var.olcne_general.label_prefix}-pub-lb" + 
compartment_id = var.compartment_id + display_name = "${var.label_prefix}-pub-lb" dns_label = "publb" prohibit_public_ip_on_vnic = false - route_table_id = var.olcne_network_vcn.ig_route_id - vcn_id = var.olcne_network_vcn.vcn_id + route_table_id = var.ig_route_id + vcn_id = var.vcn_id } diff --git a/modules/network/variables.tf b/modules/network/variables.tf index e1f7355..332138c 100644 --- a/modules/network/variables.tf +++ b/modules/network/variables.tf @@ -2,34 +2,36 @@ # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl # general oci parameters +variable "compartment_id" { + type = string +} + +variable "label_prefix" { + type = string +} -variable "olcne_general" { - type = object({ - ad_names = list(string) - compartment_id = string - label_prefix = string - }) +# region parameters +variable "ad_names" { + type = list(string) } # networking parameters +variable "ig_route_id" { + type = string +} + +variable "nat_route_id" { + type = string +} + +variable "netnum" { + type = map(number) +} + +variable "newbits" { + type = map(number) +} -variable "olcne_network_vcn" { - type = object({ - ig_route_id = string - is_service_gateway_enabled = bool - nat_route_id = string - netnum = map(number) - newbits = map(number) - vcn_cidr = string - vcn_id = string - }) -} - -# olcne node - -variable "olcne_network_access" { - type = object({ - allow_master_ssh_access = bool - allow_worker_ssh_access = bool - }) +variable "vcn_id" { + type = string } diff --git a/modules/olcne/certificate.tf b/modules/olcne/certificate.tf new file mode 100644 index 0000000..aea6a69 --- /dev/null +++ b/modules/olcne/certificate.tf 
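Review bot: `netnum` and `newbits` are typed `map(number)` but nothing states which keys they must carry; `modules/network/locals.tf` indexes them with `bastion`, `lb`, `masters`, `operator`, `workers`, `int_lb` and `pub_lb`, and a missing key only surfaces as an invalid-index error at plan time. Add a `description` to each listing the required keys, and consider one on the other new variables too, since the removed object types at least grouped them by purpose. The deleted `olcne_network_access` object (`allow_master_ssh_access`, `allow_worker_ssh_access`) has no replacement, so if the root module still exposes those inputs they are now silently ignored.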
@@ -0,0 +1,49 @@
+# Copyright 2020, Oracle Corporation and/or affiliates.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/
+
+data "template_file" "create_certificate" {
+ template = file("${path.module}/scripts/create_certificate.template.sh")
+
+ vars = {
+ org_unit = var.olcne_certificate.org_unit
+ org = var.olcne_certificate.org
+ city = var.olcne_certificate.city
+ state = var.olcne_certificate.state
+ country = var.olcne_certificate.country
+ common_name = var.olcne_certificate.common_name
+ operator_node = local.operator_node
+ master_nodes = join(",", sort(var.olcne_masters.olcne_master_nodes))
+ worker_nodes = join(",", sort(var.olcne_workers.olcne_worker_nodes))
+ scan_master_nodes = join(" ", sort(var.olcne_masters.olcne_master_nodes))
+ scan_worker_nodes = join(" ", sort(var.olcne_workers.olcne_worker_nodes))
+ }
+}
+
+resource null_resource "create_certificate" {
+ connection {
+ host = local.operator_private_ip
+ private_key = file(var.ssh_private_key_path)
+ timeout = "40m"
+ type = "ssh"
+ user = "opc"
+
+ bastion_host = var.bastion_public_ip
+ bastion_user = "opc"
+ bastion_private_key = file(var.ssh_private_key_path)
+ }
+
+ depends_on = [null_resource.download_private_key, null_resource.wait_for_worker, null_resource.wait_for_master]
+
+ provisioner "file" {
+ content = data.template_file.create_certificate.rendered
+ destination = "~/create_certificate.sh"
+ }
+
+ provisioner "remote-exec" {
+ inline = [
+ "chmod +x $HOME/create_certificate.sh",
+ "$HOME/create_certificate.sh",
+ # "rm -f $HOME/create_certificate.sh"
+ ]
+ }
+}
diff --git a/modules/operator/cloudinit/operator.template.yaml b/modules/olcne/cloudinit/operator.template.yaml
similarity index 100%
rename from modules/operator/cloudinit/operator.template.yaml
rename to modules/olcne/cloudinit/operator.template.yaml
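Review bot: `null_resource.create_certificate` has no `triggers`, so once it has run, later changes to `var.olcne_certificate` or to the master/worker node lists rendered into `data.template_file.create_certificate` will not re-execute the script, and the certificates on the operator silently go stale relative to the configuration. Either add `triggers = { script = data.template_file.create_certificate.rendered }` (accepting that this re-issues certificates on any change) or document the one-shot behaviour in a comment above the resource. The `rm -f $HOME/create_certificate.sh` line is commented out, so the rendered script, which carries the subject fields and the full node list, stays on the operator after provisioning; if that is for debugging, the comment should say so.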
diff --git a/modules/olcne/datasources.tf b/modules/olcne/datasources.tf
new file mode 100644
index 0000000..26cacdf
--- /dev/null
+++ b/modules/olcne/datasources.tf
@@ -0,0 +1,11 @@
+# Copyright 2020, Oracle Corporation and/or affiliates.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl
+
+data "template_file" "operator_template" {
+ template = file("${path.module}/scripts/operator.template.sh")
+}
+
+data "oci_core_instances" "operator" {
+ compartment_id = var.compartment_id
+ display_name = "${var.label_prefix}-operator"
+}
\ No newline at end of file
diff --git a/modules/operator/environment.tf b/modules/olcne/environment.tf
similarity index 80%
rename from modules/operator/environment.tf
rename to modules/olcne/environment.tf
index 468261d..08e9234 100644
--- a/modules/operator/environment.tf
+++ b/modules/olcne/environment.tf
@@ -8,14 +8,14 @@ data "template_file" "configure_api" { resource null_resource "configure_api" { connection { host = local.operator_private_ip - private_key = file(var.olcne_operator.ssh_private_key_path) + private_key = file(var.ssh_private_key_path) timeout = "40m" type = "ssh" user = "opc" - bastion_host = var.olcne_bastion.bastion_public_ip + bastion_host = var.bastion_public_ip bastion_user = "opc" - bastion_private_key = file(var.olcne_bastion.ssh_private_key_path) + bastion_private_key = file(var.ssh_private_key_path) } depends_on = [null_resource.create_certificate]
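Review bot: `data "oci_core_instances" "operator"` selects by `display_name` alone, and OCI list calls keep terminated instances visible for a while and do not make display names unique, so after the operator is replaced this lookup can return a terminated instance or more than one match. Add `state = "RUNNING"` to the data source, and wherever its result is indexed (presumably `modules/olcne/locals.tf`, not in this diff) treat more than one match as an error rather than taking the first. Note too that `module "olcne"` in main.tf already receives `operator_ip = module.base.operator_private_ip`, so if the module only needs the address this lookup may be redundant.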
@@ -41,14 +41,14 @@ data "template_file" "configure_agent" { resource null_resource "configure_agent" { connection { host = element(local.all_nodes, count.index) - private_key = file(var.olcne_operator.ssh_private_key_path) + private_key = file(var.ssh_private_key_path) timeout = "40m" type = "ssh" user = "opc" - bastion_host = var.olcne_bastion.bastion_public_ip + bastion_host = var.bastion_public_ip bastion_user = "opc" - bastion_private_key = file(var.olcne_bastion.ssh_private_key_path) + bastion_private_key = file(var.ssh_private_key_path) } depends_on = [null_resource.configure_api] @@ -79,14 +79,14 @@ data "template_file" "create_environment" { resource null_resource "create_environment" { connection { host = local.operator_private_ip - private_key = file(var.olcne_operator.ssh_private_key_path) + private_key = file(var.ssh_private_key_path) timeout = "40m" type = "ssh" user = "opc" - bastion_host = var.olcne_bastion.bastion_public_ip + bastion_host = var.bastion_public_ip bastion_user = "opc" - bastion_private_key = file(var.olcne_bastion.ssh_private_key_path) + bastion_private_key = file(var.ssh_private_key_path) } depends_on = [null_resource.configure_agent] diff --git a/modules/operator/helm.tf b/modules/olcne/helm.tf similarity index 81% rename from modules/operator/helm.tf rename to modules/olcne/helm.tf index c3e7b8d..0333aaf 100644 --- a/modules/operator/helm.tf +++ b/modules/olcne/helm.tf 
@@ -12,14 +12,14 @@ data "template_file" "install_helm" { resource null_resource "install_helm" { connection { host = local.operator_private_ip - private_key = file(var.olcne_operator.ssh_private_key_path) + private_key = file(var.ssh_private_key_path) timeout = "40m" type = "ssh" user = "opc" - bastion_host = var.olcne_bastion.bastion_public_ip + bastion_host = var.bastion_public_ip bastion_user = "opc" - bastion_private_key = file(var.olcne_bastion.ssh_private_key_path) + bastion_private_key = file(var.ssh_private_key_path) } depends_on = [null_resource.get_kubeconfig] diff --git a/modules/operator/kata.tf b/modules/olcne/kata.tf similarity index 80% rename from modules/operator/kata.tf rename to modules/olcne/kata.tf index 4e51ab3..d65327b 100644 --- a/modules/operator/kata.tf +++ b/modules/olcne/kata.tf @@ -9,14 +9,14 @@ data "template_file" "kata" { resource null_resource "create_kata_runtime" { connection { host = local.operator_private_ip - private_key = file(var.olcne_operator.ssh_private_key_path) + private_key = file(var.ssh_private_key_path) timeout = "40m" type = "ssh" user = "opc" - bastion_host = var.olcne_bastion.bastion_public_ip + bastion_host = var.bastion_public_ip bastion_user = "opc" - bastion_private_key = file(var.olcne_bastion.ssh_private_key_path) + bastion_private_key = file(var.ssh_private_key_path) } depends_on = [null_resource.get_kubeconfig] diff --git a/modules/operator/kubeconfig.tf b/modules/olcne/kubeconfig.tf similarity index 80% rename from modules/operator/kubeconfig.tf rename to modules/olcne/kubeconfig.tf index 86ead50..8398e1e 100644 --- a/modules/operator/kubeconfig.tf +++ b/modules/olcne/kubeconfig.tf 
@@ -10,14 +10,14 @@ data "template_file" "get_kubeconfig" { resource null_resource "get_kubeconfig" { connection { host = local.operator_private_ip - private_key = file(var.olcne_operator.ssh_private_key_path) + private_key = file(var.ssh_private_key_path) timeout = "40m" type = "ssh" user = "opc" - bastion_host = var.olcne_bastion.bastion_public_ip + bastion_host = var.bastion_public_ip bastion_user = "opc" - bastion_private_key = file(var.olcne_bastion.ssh_private_key_path) + bastion_private_key = file(var.ssh_private_key_path) } depends_on = [null_resource.install_kubernetes_module] diff --git a/modules/operator/kubernetes_module.tf b/modules/olcne/kubernetes_module.tf similarity index 83% rename from modules/operator/kubernetes_module.tf rename to modules/olcne/kubernetes_module.tf index 59f6de7..a6b3d0d 100644 --- a/modules/operator/kubernetes_module.tf +++ b/modules/olcne/kubernetes_module.tf @@ -7,7 +7,7 @@ data "template_file" "create_kubernetes_module" { vars = { environment = var.olcne_environment.environment_name cluster_name = var.olcne_environment.cluster_name - container_registry = lookup(var.container_registry_urls, var.oci_provider.region) + container_registry = lookup(var.container_registry_urls, var.region) master_vip = var.olcne_masters.primary_master_vip master_nodes_addresses = join(",", sort(local.master_nodes_addresses)) worker_nodes_addresses = join(",", sort(local.worker_nodes_addresses)) 
@@ -17,14 +17,14 @@ data "template_file" "create_kubernetes_module" { resource null_resource "create_kubernetes_module" { connection { host = local.operator_private_ip - private_key = file(var.olcne_operator.ssh_private_key_path) + private_key = file(var.ssh_private_key_path) timeout = "40m" type = "ssh" user = "opc" - bastion_host = var.olcne_bastion.bastion_public_ip + bastion_host = var.bastion_public_ip bastion_user = "opc" - bastion_private_key = file(var.olcne_bastion.ssh_private_key_path) + bastion_private_key = file(var.ssh_private_key_path) } depends_on = [null_resource.create_environment] @@ -54,14 +54,14 @@ data "template_file" "install_kubernetes_module" { resource null_resource "install_kubernetes_module" { connection { host = local.operator_private_ip - private_key = file(var.olcne_operator.ssh_private_key_path) + private_key = file(var.ssh_private_key_path) timeout = "40m" type = "ssh" user = "opc" - bastion_host = var.olcne_bastion.bastion_public_ip + bastion_host = var.bastion_public_ip bastion_user = "opc" - bastion_private_key = file(var.olcne_bastion.ssh_private_key_path) + bastion_private_key = file(var.ssh_private_key_path) } depends_on = [null_resource.create_kubernetes_module] diff --git a/modules/olcne/locals.tf b/modules/olcne/locals.tf new file mode 100644 index 0000000..a9c134d --- /dev/null +++ b/modules/olcne/locals.tf 
@@ -0,0 +1,21 @@ +# Copyright 2020, Oracle Corporation and/or affiliates. +# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl + +locals { + + operator_node = "${var.label_prefix}-operator.operator.olcne.oraclevcn.com" + + operator_private_ip = var.operator_ip + # join(",", data.oci_core_vnic.operator_vnic.*.private_ip_address) + + # to configure agent + all_nodes = concat(var.olcne_masters.olcne_master_nodes, var.olcne_workers.olcne_worker_nodes) + + # to create module + master_nodes_addresses = formatlist("%s:8090", var.olcne_masters.olcne_master_nodes) + + worker_nodes_addresses = formatlist("%s:8090", var.olcne_workers.olcne_worker_nodes) + + # to download ssh key + # policy_statement_secret = "Allow dynamic-group ${oci_identity_dynamic_group.operator_instance_principal.name} to read secret-bundles in compartment id ${var.olcne_general.compartment_id}" +} diff --git a/modules/operator/nginx.tf b/modules/olcne/nginx.tf similarity index 86% rename from modules/operator/nginx.tf rename to modules/olcne/nginx.tf index 99f9165..bcec2e6 100644 --- a/modules/operator/nginx.tf +++ b/modules/olcne/nginx.tf @@ -20,14 +20,14 @@ resource null_resource "install_nginxcontroller" { connection { host = local.operator_private_ip - private_key = file(var.olcne_operator.ssh_private_key_path) + private_key = file(var.ssh_private_key_path) timeout = "40m" type = "ssh" user = "opc" - bastion_host = var.olcne_bastion.bastion_public_ip + bastion_host = var.bastion_public_ip bastion_user = "opc" - bastion_private_key = file(var.olcne_bastion.ssh_private_key_path) + bastion_private_key = file(var.ssh_private_key_path) } depends_on = [null_resource.install_helm] diff --git a/modules/operator/certificate.tf b/modules/olcne/operator.tf similarity index 51% rename from modules/operator/certificate.tf rename to modules/olcne/operator.tf index 92a49bd..05a6f51 100644 --- a/modules/operator/certificate.tf +++ b/modules/olcne/operator.tf 
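Review bot: `operator_node` hard-codes the FQDN suffix `.operator.olcne.oraclevcn.com`, whereas the deleted `modules/operator/locals.tf` derived it from the instance `hostname_label` and the subnet DNS label; the value is passed to the `create_certificate` template as `operator_node`, so if the VCN or subnet DNS label differs from `olcne`/`operator` the name baked into the operator's certificate presumably no longer matches the node's real hostname. Pass the DNS labels (or the full hostname) in as variables instead of fixing them here. The commented-out `# join(",", data.oci_core_vnic.operator_vnic.*.private_ip_address)` and `# policy_statement_secret = ...` lines are dead code referencing resources this commit deletes; remove them or state in a comment why they are retained.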
@@ -1,155 +1,130 @@ -# Copyright 2020, Oracle Corporation and/or affiliates. -# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/ - -data "template_file" "create_certificate" { - template = file("${path.module}/scripts/create_certificate.template.sh") - - vars = { - org_unit = var.olcne_certificate.org_unit - org = var.olcne_certificate.org - city = var.olcne_certificate.city - state = var.olcne_certificate.state - country = var.olcne_certificate.country - common_name = var.olcne_certificate.common_name - operator_node = local.operator_node - master_nodes = join(",", sort(var.olcne_masters.olcne_master_nodes)) - worker_nodes = join(",", sort(var.olcne_workers.olcne_worker_nodes)) - scan_master_nodes = join(" ", sort(var.olcne_masters.olcne_master_nodes)) - scan_worker_nodes = join(" ", sort(var.olcne_workers.olcne_worker_nodes)) - } -} - -resource null_resource "wait_for_operator" { - connection { - host = local.operator_private_ip - private_key = file(var.olcne_operator.ssh_private_key_path) - timeout = "40m" - type = "ssh" - user = "opc" - - bastion_host = var.olcne_bastion.bastion_public_ip - bastion_user = "opc" - bastion_private_key = file(var.olcne_bastion.ssh_private_key_path) - } - - depends_on = [oci_identity_policy.use_secret] - - provisioner "remote-exec" { - inline = [ - "while [ ! -f /home/opc/operator.finish ]; do echo 'Waiting for operator node to be ready';sleep 10; done", - ] - } -} - -resource null_resource "wait_for_master" { - connection { - host = var.olcne_masters.olcne_master_nodes[count.index] - private_key = file(var.olcne_operator.ssh_private_key_path) - timeout = "40m" - type = "ssh" - user = "opc" - - bastion_host = var.olcne_bastion.bastion_public_ip - bastion_user = "opc" - bastion_private_key = file(var.olcne_bastion.ssh_private_key_path) - } - - depends_on = [oci_identity_policy.use_secret] - - provisioner "remote-exec" { - inline = [ - "while [ ! 
-f /home/opc/master.finish ]; do echo 'Waiting for master node to be ready';sleep 10; done", - ] - } - count = var.olcne_masters.master_nodes_size -} - -resource null_resource "wait_for_worker" { - connection { - host = var.olcne_workers.olcne_worker_nodes[count.index] - private_key = file(var.olcne_operator.ssh_private_key_path) - timeout = "40m" - type = "ssh" - user = "opc" - - bastion_host = var.olcne_bastion.bastion_public_ip - bastion_user = "opc" - bastion_private_key = file(var.olcne_bastion.ssh_private_key_path) - } - - depends_on = [oci_identity_policy.use_secret] - - provisioner "remote-exec" { - inline = [ - "while [ ! -f /home/opc/worker.finish ]; do echo 'Waiting for worker node to be ready';sleep 10; done", - ] - } - count = var.olcne_workers.worker_nodes_size -} - -data "template_file" "download_private_key" { - template = file("${path.module}/scripts/download_private_key.template.sh") - - vars = { - secret_id = var.secret_id - } -} - -resource null_resource "download_private_key" { - connection { - host = local.operator_private_ip - private_key = file(var.olcne_operator.ssh_private_key_path) - timeout = "40m" - type = "ssh" - user = "opc" - - bastion_host = var.olcne_bastion.bastion_public_ip - bastion_user = "opc" - bastion_private_key = file(var.olcne_bastion.ssh_private_key_path) - } - - depends_on = [null_resource.wait_for_operator] - - provisioner "file" { - content = data.template_file.download_private_key.rendered - destination = "~/get_key.sh" - } - - provisioner "remote-exec" { - inline = [ - "sleep 10", - "chmod +x $HOME/get_key.sh", - "$HOME/get_key.sh", - "chmod go-rw ~/.ssh/id_rsa", - ] - } -} - -resource null_resource "create_certificate" { - connection { - host = local.operator_private_ip - private_key = file(var.olcne_operator.ssh_private_key_path) - timeout = "40m" - type = "ssh" - user = "opc" - - bastion_host = var.olcne_bastion.bastion_public_ip - bastion_user = "opc" - bastion_private_key = 
file(var.olcne_bastion.ssh_private_key_path) - } - - depends_on = [null_resource.download_private_key, null_resource.wait_for_worker, null_resource.wait_for_master] - - provisioner "file" { - content = data.template_file.create_certificate.rendered - destination = "~/create_certificate.sh" - } - - provisioner "remote-exec" { - inline = [ - "chmod +x $HOME/create_certificate.sh", - "$HOME/create_certificate.sh", - # "rm -f $HOME/create_certificate.sh" - ] - } -} +# Copyright 2020, Oracle Corporation and/or affiliates. +# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/ + +resource null_resource "wait_for_operator" { + connection { + host = local.operator_private_ip + private_key = file(var.ssh_private_key_path) + timeout = "40m" + type = "ssh" + user = "opc" + + bastion_host = var.bastion_public_ip + bastion_user = "opc" + bastion_private_key = file(var.ssh_private_key_path) + } + provisioner "remote-exec" { + inline = [ + "while [ ! -f /home/opc/operator.finish ]; do echo 'Waiting for operator node to be ready';sleep 10; done", + ] + } +} + +resource null_resource "wait_for_master" { + connection { + host = var.olcne_masters.olcne_master_nodes[count.index] + private_key = file(var.ssh_private_key_path) + timeout = "40m" + type = "ssh" + user = "opc" + + bastion_host = var.bastion_public_ip + bastion_user = "opc" + bastion_private_key = file(var.ssh_private_key_path) + } + + provisioner "remote-exec" { + inline = [ + "while [ ! 
-f /home/opc/master.finish ]; do echo 'Waiting for master node to be ready';sleep 10; done", + ] + } + count = var.olcne_masters.master_nodes_size +} + +resource null_resource "wait_for_worker" { + connection { + host = var.olcne_workers.olcne_worker_nodes[count.index] + private_key = file(var.ssh_private_key_path) + timeout = "40m" + type = "ssh" + user = "opc" + + bastion_host = var.bastion_public_ip + bastion_user = "opc" + bastion_private_key = file(var.ssh_private_key_path) + } + + provisioner "remote-exec" { + inline = [ + "while [ ! -f /home/opc/worker.finish ]; do echo 'Waiting for worker node to be ready';sleep 10; done", + ] + } + count = var.olcne_workers.worker_nodes_size +} + +data "template_file" "download_private_key" { + template = file("${path.module}/scripts/download_private_key.template.sh") + + vars = { + secret_id = var.secret_id + } +} + +resource null_resource "prepare_operator" { + connection { + host = local.operator_private_ip + private_key = file(var.ssh_private_key_path) + timeout = "40m" + type = "ssh" + user = "opc" + + bastion_host = var.bastion_public_ip + bastion_user = "opc" + bastion_private_key = file(var.ssh_private_key_path) + } + + depends_on = [null_resource.wait_for_operator] + + provisioner "file" { + content = data.template_file.operator_template.rendered + destination = "~/prepare_operator.sh" + } + + provisioner "remote-exec" { + inline = [ + "sleep 10", + "chmod +x $HOME/prepare_operator.sh", + "$HOME/prepare_operator.sh" + ] + } +} + +resource null_resource "download_private_key" { + connection { + host = local.operator_private_ip + private_key = file(var.ssh_private_key_path) + timeout = "40m" + type = "ssh" + user = "opc" + + bastion_host = var.bastion_public_ip + bastion_user = "opc" + bastion_private_key = file(var.ssh_private_key_path) + } + + depends_on = [null_resource.prepare_operator] + + provisioner "file" { + content = data.template_file.download_private_key.rendered + destination = "~/get_key.sh" + } + + 
provisioner "remote-exec" { + inline = [ + "sleep 10", + "chmod +x $HOME/get_key.sh", + "$HOME/get_key.sh", + "chmod go-rw ~/.ssh/id_rsa", + ] + } +} \ No newline at end of file diff --git a/modules/operator/resources/kata.yaml b/modules/olcne/resources/kata.yaml similarity index 100% rename from modules/operator/resources/kata.yaml rename to modules/olcne/resources/kata.yaml diff --git a/modules/operator/resources/nginxpatch.template.yaml b/modules/olcne/resources/nginxpatch.template.yaml similarity index 100% rename from modules/operator/resources/nginxpatch.template.yaml rename to modules/olcne/resources/nginxpatch.template.yaml diff --git a/modules/operator/scripts/configure_agent.template.sh b/modules/olcne/scripts/configure_agent.template.sh similarity index 100% rename from modules/operator/scripts/configure_agent.template.sh rename to modules/olcne/scripts/configure_agent.template.sh diff --git a/modules/operator/scripts/configure_api.template.sh b/modules/olcne/scripts/configure_api.template.sh similarity index 100% rename from modules/operator/scripts/configure_api.template.sh rename to modules/olcne/scripts/configure_api.template.sh diff --git a/modules/operator/scripts/configure_kata.template.sh b/modules/olcne/scripts/configure_kata.template.sh similarity index 100% rename from modules/operator/scripts/configure_kata.template.sh rename to modules/olcne/scripts/configure_kata.template.sh diff --git a/modules/operator/scripts/create_certificate.template.sh b/modules/olcne/scripts/create_certificate.template.sh similarity index 100% rename from modules/operator/scripts/create_certificate.template.sh rename to modules/olcne/scripts/create_certificate.template.sh diff --git a/modules/operator/scripts/create_environment.template.sh b/modules/olcne/scripts/create_environment.template.sh similarity index 100% rename from modules/operator/scripts/create_environment.template.sh rename to modules/olcne/scripts/create_environment.template.sh 
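Review bot: In `download_private_key` the rendered `get_key.sh` writes the SSH private key first and `chmod go-rw ~/.ssh/id_rsa` tightens it only afterwards, so unless the script itself sets a restrictive umask (its body is not in this diff) there is a window in which the key is readable by other local users on the operator node; `umask 077` at the top of the script, or writing the file with `install -m 0600`, closes it. Neither `prepare_operator` nor `download_private_key` has a `triggers` block, so edits to `operator.template.sh` or a rotated `var.secret_id` will not re-run them on an existing deployment; `triggers = { script = sha256(data.template_file.operator_template.rendered) }` and `triggers = { secret = var.secret_id }` respectively would cover that. The two `"sleep 10"` entries are unexplained delays; a short comment on what they wait for would help the next maintainer.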
diff --git a/modules/operator/scripts/create_kubernetes_module.template.sh b/modules/olcne/scripts/create_kubernetes_module.template.sh similarity index 76% rename from modules/operator/scripts/create_kubernetes_module.template.sh rename to modules/olcne/scripts/create_kubernetes_module.template.sh index 3e16c0f..25993c0 100644 --- a/modules/operator/scripts/create_kubernetes_module.template.sh +++ b/modules/olcne/scripts/create_kubernetes_module.template.sh @@ -3,7 +3,7 @@ # Copyright 2020, Oracle Corporation and/or affiliates. # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl -echo "Creating cluster ${cluster_name} in environment ${environment}" +echo "Creating Kubernetes module ${cluster_name} in environment ${environment}" olcnectl --api-server 127.0.0.1:8091 module create --environment-name "${environment}" \ --module kubernetes --name "${cluster_name}" \ @@ -12,4 +12,4 @@ olcnectl --api-server 127.0.0.1:8091 module create --environment-name "${environ --master-nodes "${master_nodes_addresses}" \ --worker-nodes "${worker_nodes_addresses}" 2> /dev/null -echo "Cluster ${cluster_name} created in environment ${environment}" +echo "Kubernetes module ${cluster_name} created in environment ${environment}" diff --git a/modules/operator/scripts/download_private_key.template.sh b/modules/olcne/scripts/download_private_key.template.sh similarity index 100% rename from modules/operator/scripts/download_private_key.template.sh rename to modules/olcne/scripts/download_private_key.template.sh diff --git a/modules/operator/scripts/get_kubeconfig.template.sh b/modules/olcne/scripts/get_kubeconfig.template.sh similarity index 100% rename from modules/operator/scripts/get_kubeconfig.template.sh rename to modules/olcne/scripts/get_kubeconfig.template.sh 
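Review bot: The reworded `echo "Kubernetes module ${cluster_name} created in environment ${environment}"` is printed unconditionally, while the `olcnectl ... module create` command above it ends in `2> /dev/null` and its exit status is never checked, so a failed create is both reported as success and stripped of its error text. Remove the redirection and guard the message, e.g. append `|| { echo "module create failed" >&2; exit 1; }` to the olcnectl command. The same applies to the announcement message in the first hunk, which describes an action whose outcome is never verified.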
diff --git a/modules/operator/scripts/install_helm.template.sh b/modules/olcne/scripts/install_helm.template.sh similarity index 100% rename from modules/operator/scripts/install_helm.template.sh rename to modules/olcne/scripts/install_helm.template.sh diff --git a/modules/operator/scripts/install_kubernetes_module.template.sh b/modules/olcne/scripts/install_kubernetes_module.template.sh similarity index 100% rename from modules/operator/scripts/install_kubernetes_module.template.sh rename to modules/olcne/scripts/install_kubernetes_module.template.sh diff --git a/modules/operator/scripts/install_nginx.template.sh b/modules/olcne/scripts/install_nginx.template.sh similarity index 85% rename from modules/operator/scripts/install_nginx.template.sh rename to modules/olcne/scripts/install_nginx.template.sh index 00cb11c..c1cc16c 100644 --- a/modules/operator/scripts/install_nginx.template.sh +++ b/modules/olcne/scripts/install_nginx.template.sh @@ -24,11 +24,6 @@ helm install nginx stable/nginx-ingress \ --set controller.service.nodePorts.https=30443 \ --set controller.service.ports.http=30080 \ --set controller.service.ports.https=30443 \ ---set defaultBackend.enabled=true \ ---set defaultBackend.name=nginxdefaultbackend \ ---set defaultBackend.service.type=NodePort \ ---set defaultBackend.port=31080 \ ---set defaultBackend.service.type=NodePort \ --set rbac.create=true 2> /dev/null # patch to add nodeports for nginx health check diff --git a/modules/olcne/scripts/operator.template.sh b/modules/olcne/scripts/operator.template.sh new file mode 100644 index 0000000..476af0f --- /dev/null +++ b/modules/olcne/scripts/operator.template.sh 
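Review bot: The `helm install` whose trailing options this hunk trims still ends with `2> /dev/null` on the `--set rbac.create=true` line, so a failed or partial chart install is silent and the script continues to the nodeport patch. Drop the redirection or check the exit status before patching. The chart is referenced as `stable/nginx-ingress` in the hunk header; if no `--version` is given above the hunk, the install is unpinned and takes whatever the repository currently serves, which is worth fixing for reproducibility. The command starts outside the hunk.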
@@ -0,0 +1,36 @@ +#!/bin/bash + +# Copyright 2020, Oracle Corporation and/or affiliates. +# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl + +# enable olcne yum channels +sudo yum install -y oracle-olcne-release-el7 +sudo yum-config-manager --disable ol7_olcne +sudo yum-config-manager --enable ol7_olcne11 ol7_kvm_utils ol7_addons ol7_latest +# ol7_UEKR5 + +# install oci cli +sudo pip3 install oci-cli + +# enable chronyd +sudo yum install -y chrony +sudo systemctl enable --now chronyd + +# br_netfilter +sudo modprobe br_netfilter +sudo sh -c 'echo "br_netfilter" > /etc/modules-load.d/br_netfilter.conf' + +# set SELinux to Permissive +sudo sed -i 's/^SELINUX=enforcing/SELINUX=permissive/' /etc/selinux/config +sudo /usr/sbin/setenforce 0 + +# firewalld +sudo firewall-offline-cmd --add-port=8091/tcp + +sudo systemctl restart firewalld + +# install the Platform CLI, Platform API Server, and utilities +sudo yum install -y olcnectl olcne-api-server olcne-utils + +# enable olcne-api-server +sudo systemctl enable olcne-api-server.service \ No newline at end of file diff --git a/modules/operator/variables.tf b/modules/olcne/variables.tf similarity index 65% rename from modules/operator/variables.tf rename to modules/olcne/variables.tf index e82494f..7b47450 100644 --- a/modules/operator/variables.tf +++ b/modules/olcne/variables.tf 
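Review bot: The new script drops the `yum update --security` step that the deleted `modules/operator/scripts/operator.template.sh` ran first, so the operator node is no longer patched before the OLCNE packages are installed; if that moved to the base module's cloud-init, a comment should say so, otherwise restore it as `sudo yum update -y --security` (the `-y` is needed now that this runs non-interactively over remote-exec). `sudo pip3 install oci-cli` installs an unpinned package from PyPI as root; pinning a version, or using the RPM-packaged CLI from Oracle's yum channels, narrows the supply-chain exposure. There is also no `set -e`, so a failing step is ignored and the script still exits 0.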
@@ -1,57 +1,34 @@ # Copyright 2020, Oracle Corporation and/or affiliates. # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl -# provider +# general oci parameters +variable "compartment_id" { + type = string +} -variable "oci_provider" { - type = object({ - api_fingerprint = string - api_private_key_path = string - home_region = string - region = string - tenancy_id = string - user_id = string - }) +variable "label_prefix" { + type = string } -# general -variable "olcne_general" { - type = object({ - ad_names = list(string) - compartment_id = string - label_prefix = string - }) +variable "region" { + type = string } # bastion -variable "olcne_bastion" { - type = object({ - bastion_public_ip = string - ssh_private_key_path = string - }) +variable "bastion_public_ip" { + type = string } -# operator - -variable "olcne_operator" { - type = object({ - operator_image_id = string - operator_shape = string - operator_upgrade = bool - ssh_private_key_path = string - ssh_public_key_path = string - timezone = string - }) +variable "ssh_private_key_path" { + type = string } -variable "olcne_operator_network" { - type = object({ - nsg_ids = map(string) - subnet_id = string - subnet_label = string - }) +# operator +variable "operator_ip" { + type = string } + variable "olcne_masters" { type = object({ master_nodes_size = number @@ -102,6 +79,8 @@ variable "loadbalancer_ip_address" { variable "container_registry_urls" { description = "urls of container-registries" default = { + ap-chuncheon-1 = "container-registry-yny.oracle.com" + ap-hyderabad-1 = "container-registry-hyd.oracle.com" ap-sydney-1 = "container-registry-syd.oracle.com" ap-melbourne-1 = "container-registry-mel.oracle.com" ap-mumbai-1 = "container-registry-bom.oracle.com" diff --git a/modules/operator/compute.tf b/modules/operator/compute.tf deleted file mode 100644 index 2050f21..0000000 --- a/modules/operator/compute.tf +++ /dev/null 
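Review bot: None of the new flattened variables (`compartment_id`, `label_prefix`, `region`, `bastion_public_ip`, `ssh_private_key_path`, `operator_ip`) carries a `description`, although `container_registry_urls` further down the file shows the convention; since the module is now meant to be reused as a platform operator, callers need to know that `ssh_private_key_path` is used for both the bastion hop and the operator node and that `operator_ip` is the operator's private address reached through the bastion. Add one-line descriptions, e.g. `description = "path of the private key used for both the bastion and operator ssh connections"`. The `olcne_masters` definition continues past the end of the hunk.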
@@ -1,63 +0,0 @@ -# Copyright 2020, Oracle Corporation and/or affiliates. -# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/ - -resource "oci_core_instance_configuration" "operator" { - compartment_id = var.olcne_general.compartment_id - - display_name = "${var.olcne_general.label_prefix}-operator" - - instance_details { - instance_type = "compute" - - launch_details { - compartment_id = var.olcne_general.compartment_id - - create_vnic_details { - assign_public_ip = false - display_name = "${var.olcne_general.label_prefix}-operator" - hostname_label = "operator" - nsg_ids = [lookup(var.olcne_operator_network.nsg_ids, "operator")] - subnet_id = var.olcne_operator_network.subnet_id - } - - display_name = "${var.olcne_general.label_prefix}-operator" - - extended_metadata = { - subnet_id = var.olcne_operator_network.subnet_id - } - - metadata = { - ssh_authorized_keys = file(var.olcne_operator.ssh_public_key_path) - user_data = data.template_cloudinit_config.operator.rendered - } - - shape = var.olcne_operator.operator_shape - source_details { - source_type = "image" - image_id = local.operator_image_id - } - } - } - lifecycle { - ignore_changes = [instance_details[0].launch_details[0].source_details[0].image_id] - } -} - -resource "oci_core_instance_pool" "operator" { - compartment_id = var.olcne_general.compartment_id - depends_on = [oci_core_instance_configuration.operator] - display_name = "${var.olcne_general.label_prefix}-operator" - instance_configuration_id = oci_core_instance_configuration.operator.id - - dynamic "placement_configurations" { - iterator = ad_iterator - for_each = var.olcne_general.ad_names - - content { - availability_domain = ad_iterator.value - primary_subnet_id = var.olcne_operator_network.subnet_id - } - } - - size = 1 -} diff --git a/modules/operator/datasources.tf b/modules/operator/datasources.tf deleted file mode 100644 index 39391e7..0000000 
--- a/modules/operator/datasources.tf +++ /dev/null 
@@ -1,66 +0,0 @@ -# Copyright 2020, Oracle Corporation and/or affiliates. -# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl - -data "oci_core_images" "operator_images" { - compartment_id = var.olcne_general.compartment_id - operating_system = "Oracle Linux" - operating_system_version = "7.7" - shape = var.olcne_operator.operator_shape - sort_by = "TIMECREATED" -} - -data "template_file" "operator_template" { - template = file("${path.module}/scripts/operator.template.sh") -} - -data "template_file" "operator_cloud_init_file" { - template = file("${path.module}/cloudinit/operator.template.yaml") - - vars = { - operator_sh_content = base64gzip(data.template_file.operator_template.rendered) - operator_upgrade = var.olcne_operator.operator_upgrade - timezone = var.olcne_operator.timezone - } -} - -# cloud init for operator -data "template_cloudinit_config" "operator" { - gzip = true - base64_encode = true - - part { - filename = "operator.yaml" - content_type = "text/cloud-config" - content = data.template_file.operator_cloud_init_file.rendered - } -} - -# Gets the list of operator instances -data "oci_core_instance_pool_instances" "operator" { - compartment_id = var.olcne_general.compartment_id - instance_pool_id = oci_core_instance_pool.operator.id -} - -# filter the operator instance -data "oci_core_instance" "operator" { - instance_id = element(data.oci_core_instance_pool_instances.operator.instances, 0).id - depends_on = [oci_core_instance_pool.operator] -} - -# Gets a list of VNIC attachments on the operator instance -data "oci_core_vnic_attachments" "operator_vnics_attachments" { - compartment_id = var.olcne_general.compartment_id - instance_id = data.oci_core_instance.operator.id - depends_on = [oci_core_instance_pool.operator] -} - -# Gets the olcne of the first (default) VNIC on the operator instance -data "oci_core_vnic" "operator_vnic" { - vnic_id = 
lookup(data.oci_core_vnic_attachments.operator_vnics_attachments.vnic_attachments[0], "vnic_id") - depends_on = [oci_core_instance_pool.operator] -} - -# get the tenancy details -data "oci_identity_tenancy" "tenancy" { - tenancy_id = var.oci_provider.tenancy_id -} diff --git a/modules/operator/instance_principal.tf b/modules/operator/instance_principal.tf deleted file mode 100644 index e8a7fdf..0000000 --- a/modules/operator/instance_principal.tf +++ /dev/null @@ -1,30 +0,0 @@ -# Copyright 2020, Oracle Corporation and/or affiliates. -# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl - -# create a home region provider for identity operations -provider "oci" { - alias = "home" - fingerprint = var.oci_provider.api_fingerprint - private_key_path = var.oci_provider.api_private_key_path - region = var.oci_provider.home_region - tenancy_ocid = var.oci_provider.tenancy_id - user_ocid = var.oci_provider.user_id -} - -resource "oci_identity_dynamic_group" "operator_instance_principal" { - provider = oci.home - compartment_id = var.oci_provider.tenancy_id - depends_on = [oci_core_instance_pool.operator, data.oci_core_instance.operator] - description = "dynamic group to allow instances to call services for operator" - matching_rule = "ALL {instance.id = '${join(",", data.oci_core_instance.operator.*.id)}'}" - name = "${var.olcne_general.label_prefix}-operator-instance-principal" -} - -resource "oci_identity_policy" "use_secret" { - provider = oci.home - compartment_id = var.olcne_general.compartment_id - depends_on = [oci_identity_dynamic_group.operator_instance_principal] - description = "policy to allow dynamic group ${var.olcne_general.label_prefix}-operator-instance-principal to use secrets in vault" - name = "${var.olcne_general.label_prefix}-operator-use-secrets" - statements = [local.policy_statement_secret] -} 
diff --git a/modules/operator/locals.tf b/modules/operator/locals.tf deleted file mode 100644 index 0b27456..0000000 --- a/modules/operator/locals.tf +++ /dev/null @@ -1,21 +0,0 @@ -# Copyright 2020, Oracle Corporation and/or affiliates. -# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl - -locals { - operator_image_id = var.olcne_operator.operator_image_id == "Oracle" ? data.oci_core_images.operator_images.images.0.id : var.olcne_operator.operator_image_id - - operator_node = "${data.oci_core_instance.operator.hostname_label}.${var.olcne_operator_network.subnet_label}" - - operator_private_ip = join(",", data.oci_core_vnic.operator_vnic.*.private_ip_address) - - # to configure agent - all_nodes = concat(var.olcne_masters.olcne_master_nodes, var.olcne_workers.olcne_worker_nodes) - - # to create module - master_nodes_addresses = formatlist("%s:8090", var.olcne_masters.olcne_master_nodes) - - worker_nodes_addresses = formatlist("%s:8090", var.olcne_workers.olcne_worker_nodes) - - # to download ssh key - policy_statement_secret = "Allow dynamic-group ${oci_identity_dynamic_group.operator_instance_principal.name} to read secret-bundles in compartment id ${var.olcne_general.compartment_id}" -} diff --git a/modules/operator/outputs.tf b/modules/operator/outputs.tf deleted file mode 100644 index f2ebbb4..0000000 --- a/modules/operator/outputs.tf +++ /dev/null @@ -1,6 +0,0 @@ -# Copyright 2020, Oracle Corporation and/or affiliates. -# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl - -output "operator_private_ip" { - value = join(",", data.oci_core_vnic.operator_vnic.*.private_ip_address) -} diff --git a/modules/operator/scripts/operator.template.sh b/modules/operator/scripts/operator.template.sh deleted file mode 100644 index 5cc03d5..0000000 --- a/modules/operator/scripts/operator.template.sh +++ /dev/null 
@@ -1,37 +0,0 @@ -#!/bin/bash - -# Copyright 2020, Oracle Corporation and/or affiliates. -# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl - -yum update --security - -# enable olcne yum channels -yum install -y oracle-olcne-release-el7 -yum-config-manager --disable ol7_olcne -yum-config-manager --enable ol7_olcne11 ol7_kvm_utils ol7_addons ol7_latest -# ol7_UEKR5 - -# install oci cli -pip3 install oci-cli - -# enable chronyd -systemctl enable --now chronyd - -# br_netfilter -modprobe br_netfilter -sh -c 'echo "br_netfilter" > /etc/modules-load.d/br_netfilter.conf' - -# set SELinux to Permissive -sed -i 's/^SELINUX=enforcing/SELINUX=permissive/' /etc/selinux/config -/usr/sbin/setenforce 0 - -# firewalld -firewall-offline-cmd --add-port=8091/tcp - -systemctl restart firewalld - -# install the Platform CLI, Platform API Server, and utilities -yum install -y olcnectl olcne-api-server olcne-utils - -# enable olcne-api-server -systemctl enable olcne-api-server.service \ No newline at end of file diff --git a/modules/worker/compute.tf b/modules/worker/compute.tf index c4bd2d8..1ff7f38 100644 --- a/modules/worker/compute.tf +++ b/modules/worker/compute.tf 
@@ -2,36 +2,36 @@
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/
 resource "oci_core_instance_configuration" "worker" {
- compartment_id = var.olcne_general.compartment_id
+ compartment_id = var.compartment_id
- display_name = "${var.olcne_general.label_prefix}-worker"
+ display_name = "${var.label_prefix}-worker"
 instance_details {
 instance_type = "compute"
 launch_details {
- compartment_id = var.olcne_general.compartment_id
+ compartment_id = var.compartment_id
 create_vnic_details {
 assign_public_ip = false
- display_name = "${var.olcne_general.label_prefix}-worker"
+ display_name = "${var.label_prefix}-worker"
 hostname_label = "worker"
- nsg_ids = [lookup(var.olcne_worker_network.nsg_ids, "worker")]
- subnet_id = var.olcne_worker_network.subnet_id
+ nsg_ids = [var.nsg_id]
+ subnet_id = var.subnet_id
 }
- display_name = "${var.olcne_general.label_prefix}-worker"
+ display_name = "${var.label_prefix}-worker"
 extended_metadata = {
- subnet_id = var.olcne_worker_network.subnet_id
+ subnet_id = var.subnet_id
 }
 metadata = {
- ssh_authorized_keys = file(var.olcne_worker.ssh_public_key_path)
+ ssh_authorized_keys = file(var.ssh_public_key_path)
 user_data = data.template_cloudinit_config.worker.rendered
 }
- shape = var.olcne_worker.worker_shape
+ shape = var.worker_shape
 source_details {
 source_type = "image"
 image_id = local.worker_image_id
@@ -44,18 +44,18 @@ resource "oci_core_instance_configuration" "worker" {
 }
 resource "oci_core_instance_pool" "worker" {
- compartment_id = var.olcne_general.compartment_id
+ compartment_id = var.compartment_id
 depends_on = [oci_core_instance_configuration.worker]
- display_name = "${var.olcne_general.label_prefix}-worker"
+ display_name = "${var.label_prefix}-worker"
 instance_configuration_id = oci_core_instance_configuration.worker.id
 dynamic "placement_configurations" {
 iterator = ad_iterator
- for_each = var.olcne_general.ad_names
+ for_each = var.ad_names
 content {
 availability_domain = ad_iterator.value
- primary_subnet_id = var.olcne_worker_network.subnet_id
+ primary_subnet_id = var.subnet_id
 }
 }
@@ -65,12 +65,16 @@ resource "oci_core_instance_pool" "worker" {
 for_each = local.ingress_ports
 content {
- backend_set_name = "${var.olcne_general.label_prefix}-ic-${port_iterator.value}"
+ backend_set_name = "${var.label_prefix}-ic-${port_iterator.value}"
 load_balancer_id = var.oci_loadbalancer_id
 port = port_iterator.value
 vnic_selection = "PrimaryVnic"
 }
 }
- size = var.olcne_worker.size
+ lifecycle {
+ ignore_changes = [display_name]
+ }
+
+ size = var.worker_size
 }
diff --git a/modules/worker/datasources.tf b/modules/worker/datasources.tf
index a61285a..cdd454c 100644
--- a/modules/worker/datasources.tf
+++ b/modules/worker/datasources.tf
@@ -2,10 +2,10 @@
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl
 data "oci_core_images" "worker_images" {
- compartment_id = var.olcne_general.compartment_id
+ compartment_id = var.compartment_id
 operating_system = "Oracle Linux"
- operating_system_version = "7.7"
- shape = var.olcne_worker.worker_shape
+ operating_system_version = "7.8"
+ shape = var.worker_shape
 sort_by = "TIMECREATED"
 }
@@ -13,14 +13,13 @@ data "template_file" "worker_template" {
 template = file("${path.module}/scripts/worker.template.sh")
 }
-
 data "template_file" "worker_cloud_init_file" {
 template = file("${path.module}/cloudinit/worker.template.yaml")
 vars = {
 worker_sh_content = base64gzip(data.template_file.worker_template.rendered)
- worker_upgrade = var.olcne_worker.worker_upgrade
- timezone = var.olcne_worker.timezone
+ worker_upgrade = var.worker_upgrade
+ timezone = var.timezone
 }
 }
@@ -38,25 +37,25 @@ data "template_cloudinit_config" "worker" {
 # Gets the list of worker instances
 data "oci_core_instance_pool_instances" "worker" {
- compartment_id = var.olcne_general.compartment_id
+ compartment_id = var.compartment_id
 instance_pool_id = oci_core_instance_pool.worker.id
 }
 # filter the worker instances
 data "oci_core_instance" "worker" {
 instance_id = element(local.worker_nodes_id_list, count.index)
- count = var.olcne_worker.size
+ count = var.worker_size
 }
 # Gets a list of VNIC attachments on the worker instances
 data "oci_core_vnic_attachments" "workers_vnics_attachments" {
- compartment_id = var.olcne_general.compartment_id
+ compartment_id = var.compartment_id
 instance_id = element(local.worker_nodes_id_list, count.index)
- count = var.olcne_worker.size
+ count = var.worker_size
 }
 # get a list of vnics for workers
 data "oci_core_vnic" "workers_vnic" {
 vnic_id = element(local.worker_nodes_vnic_attachments_list, count.index)
- count = var.olcne_worker.size
+ count = var.worker_size
 }
diff --git a/modules/worker/locals.tf b/modules/worker/locals.tf
index d00d004..39e753a 100644
--- a/modules/worker/locals.tf
+++ b/modules/worker/locals.tf
@@ -2,7 +2,7 @@
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl
 locals {
- worker_image_id = var.olcne_worker.worker_image_id == "Oracle" ? data.oci_core_images.worker_images.images.0.id : var.olcne_worker.worker_image_id
+ worker_image_id = var.worker_image_id == "Oracle" ? data.oci_core_images.worker_images.images.0.id : var.worker_image_id
 worker_nodes_id_list = [
 for instance in data.oci_core_instance_pool_instances.worker.instances :
@@ -11,7 +11,7 @@ locals {
 worker_nodes_hostname_list = [
 for instance in data.oci_core_instance.worker :
- "${instance.hostname_label}.${var.olcne_worker_network.subnet_label}"
+ "${instance.hostname_label}.${var.subnet_label}"
 ]
 worker_nodes_vnic_attachments_list = [
diff --git a/modules/worker/scripts/worker.template.sh b/modules/worker/scripts/worker.template.sh
index 3cef158..fa63c89 100644
--- a/modules/worker/scripts/worker.template.sh
+++ b/modules/worker/scripts/worker.template.sh
@@ -8,8 +8,7 @@ yum update --security
 # enable olcne yum channels
 yum install -y oracle-olcne-release-el7
 yum-config-manager --disable ol7_olcne
-yum-config-manager --enable ol7_olcne11 ol7_kvm_utils ol7_addons ol7_latest
-# ol7_UEKR5
+yum-config-manager --enable ol7_olcne11 ol7_kvm_utils ol7_addons ol7_latest ol7_UEKR5
 # enable chronyd
 systemctl enable --now chronyd
diff --git a/modules/worker/variables.tf b/modules/worker/variables.tf
index 4948fe0..ebb3b22 100644
--- a/modules/worker/variables.tf
+++ b/modules/worker/variables.tf
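Review bot: `worker_image_id` still resolves the `"Oracle"` sentinel to `data.oci_core_images.worker_images.images.0.id`, and the data source in the datasources.tf hunk above sets only `sort_by = "TIMECREATED"` with no `sort_order`, so which image ends up at index 0 depends on the provider's default ordering, and the selected image changes silently whenever Oracle publishes a newer 7.8 build. That makes worker builds non-reproducible and means a plan run later may replace the instance configuration without any change to this repository. Consider setting `sort_order = "DESC"` explicitly and adding a comment on this local such as `# "Oracle" picks the newest matching platform image at plan time; pin an image OCID for reproducible production builds`.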
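Review bot: The newly enabled `ol7_UEKR5` channel replaces a line that was deliberately left commented out, but nothing in the script says why it is needed now, so a later reader cannot tell whether enabling it was intentional. A one-line comment above the `yum-config-manager --enable` call would settle it, e.g. `# ol7_UEKR5: UEK kernel channel — NOTE(review): confirm which olcne/kvm package requires it`. It is also worth recording that `yum update --security` at the top of the script runs before this channel is enabled, so any UEK kernel only arrives on a later `yum update` and takes effect only after a reboot.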
@@ -1,33 +1,60 @@
 # Copyright 2020, Oracle Corporation and/or affiliates.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl
-# general
-variable "olcne_general" {
- type = object({
- ad_names = list(string)
- compartment_id = string
- label_prefix = string
- })
-}
-
-# worker
-variable "olcne_worker" {
- type = object({
- worker_image_id = string
- worker_shape = string
- worker_upgrade = bool
- size = number
- ssh_public_key_path = string
- timezone = string
- })
-}
-
-variable "olcne_worker_network" {
- type = object({
- nsg_ids = map(string)
- subnet_id = string
- subnet_label = string
- })
+# general oci parameters
+variable "compartment_id" {
+ type = string
+}
+
+variable "label_prefix" {
+ type = string
+}
+
+# region parameters
+variable "ad_names" {
+ type = list(string)
+}
+
+# networking parameters
+variable "nsg_id" {
+ type = string
+}
+
+variable "subnet_id" {
+ type = string
+}
+
+variable "subnet_label" {
+ type = string
+}
+
+# worker compute parameters
+variable "worker_image_id" {
+ type = string
+}
+
+variable "worker_shape" {
+ type = string
+}
+
+variable "worker_size" {
+ type = number
+}
+
+variable "worker_upgrade" {
+ type = string
+}
+
+variable "ssh_public_key" {
+ type = string
+}
+
+variable "ssh_public_key_path" {
+ type = string
+}
+
+variable "timezone" {
+ type = string
 }
 variable "oci_loadbalancer_id" {
diff --git a/outputs.tf b/outputs.tf
index 1fe467b..221ba44 100644
--- a/outputs.tf
+++ b/outputs.tf
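Review bot: `worker_upgrade` is declared as `type = string`, but the object type it replaces had `worker_upgrade = bool`, and the only consumer visible here passes it into cloud-init template vars; loosening the type means a value like `"ture"` passes validation and is rendered into every worker's cloud-init, so keep `type = bool` (Terraform renders a bool as `true`/`false` in template vars, so the template itself is unaffected — worth a quick confirm). `ssh_public_key` is newly declared but nothing in the worker hunks visible here reads it, while compute.tf still uses `file(var.ssh_public_key_path)`; either drop the unused one or document which is authoritative. None of the new variables carry a `description`, unlike the root variables.tf; a one-liner each, e.g. `description = "number of worker nodes in the instance pool"` on `worker_size`, would keep the module self-describing.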
@@ -3,16 +3,15 @@
 output "ssh_to_bastion" {
 description = "ssh to bastion"
- value = module.base.ssh_to_bastion
+ value = "ssh -i ${var.ssh_private_key_path} -J opc@${module.base.bastion_public_ip}"
 }
 output "ssh_to_operator" {
 description = "ssh to operator"
- value = "ssh -i ${var.ssh_private_key_path} -J opc@${module.base.bastion_public_ip} opc@${module.operator.operator_private_ip}"
+ value = "ssh -i ${var.ssh_private_key_path} -J opc@${module.base.bastion_public_ip} opc@${module.base.operator_private_ip}"
 }
 output "ssh_to_master" {
 description = "ssh to primary master node"
 value = "ssh -i ${var.ssh_private_key_path} -J opc@${module.base.bastion_public_ip} opc@${module.master.master_vip}"
 }
-
diff --git a/terraform.tfvars.example b/terraform.tfvars.example
index 6106b3b..e9b433e 100644
--- a/terraform.tfvars.example
+++ b/terraform.tfvars.example
@@ -24,45 +24,36 @@ label_prefix = "dev"
 # networking
-nat_gateway_enabled = true
-
 netnum = {
- admin = 33
 bastion = 32
 int_lb = 16
- masters = 48
- operator = 18
+ masters = 48
+ operator = 33
 pub_lb = 17
 workers = 1
 }
 newbits = {
- admin = 13
 bastion = 13
 lb = 11
- masters = 12
+ masters = 12
 operator = 13
 workers = 2
 }
-service_gateway_enabled = true
-
 vcn_cidr = "10.0.0.0/16"
 vcn_dns_label = "olcne"
 vcn_name = "olcne"
-
 # bastion
 bastion_access = "ANYWHERE"
-bastion_enabled = true
-
 bastion_image_id = "Autonomous"
-bastion_notification_enabled = false
+bastion_notification_enabled = true
 bastion_notification_endpoint = ""
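Review bot: The new `ssh_to_bastion` value is a malformed command: `-J` consumes `opc@${module.base.bastion_public_ip}` as its ProxyJump argument, leaving ssh with no destination host, so the printed command exits with a usage error. The bastion is the destination here, not a jump host: `value = "ssh -i ${var.ssh_private_key_path} opc@${module.base.bastion_public_ip}"`. The other two outputs use `-J` correctly because they name a private host after the jump specification.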
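Review bot: The example now sets `bastion_notification_enabled = true` while leaving `bastion_notification_endpoint = ""`, so someone who copies it as-is presumably gets a failed or useless notification subscription; either keep `false` in the example or give a placeholder such as `bastion_notification_endpoint = "ops@example.com" # required when notifications are enabled`. Separately, the example's `netnum`/`newbits` entries are keyed `masters` while the `variable "netnum"` and `variable "newbits"` defaults in variables.tf use `master`; if the network module indexes `netnum["master"]`, the example's `masters = 48` is silently ignored and the default applies — worth confirming and aligning the key names.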
@@ -76,31 +67,26 @@ bastion_shape = "VM.Standard.E2.2"
 bastion_timezone = "Australia/Sydney"
-admin_enabled = false
-
-admin_image_id = "Oracle"
-
-admin_instance_principal = false
+operator_image_id = "Oracle"
-admin_notification_enabled = false
+operator_notification_enabled = false
-admin_notification_endpoint = ""
+operator_notification_endpoint = ""
-admin_notification_protocol = "EMAIL"
+operator_notification_protocol = "EMAIL"
-admin_notification_topic = ""
+operator_notification_topic = ""
-admin_package_upgrade = false
+operator_package_upgrade = false
-admin_shape = "VM.Standard.E2.2"
+operator_shape = "VM.Standard.E2.2"
-admin_timezone = "Australia/Sydney"
+operator_timezone = "Australia/Sydney"
 # availability_domains
 availability_domains = {
 bastion = 1
- admin = 1
 operator = 1
 }
@@ -117,15 +103,6 @@ master_size = 1
 master_timezone = "Australia/Sydney"
-# olcne operator
-operator_image_id = "Oracle"
-
-operator_package_upgrade = false
-
-operator_shape = "VM.Standard.E2.2"
-
-operator_timezone = "Australia/Sydney"
-
 # private key for operator
 secret_id = ""
diff --git a/variables.tf b/variables.tf
index 514deba..1a4cfc1 100644
--- a/variables.tf
+++ b/variables.tf
@@ -12,16 +12,6 @@ variable "api_private_key_path" {
 type = string
 }
-variable "compartment_id" {
- description = "compartment id"
- type = string
-}
-
-variable "disable_auto_retries" {
- default = false
- type = bool
-}
-
 variable "region" {
 # List of regions: https://docs.cloud.oracle.com/iaas/Content/General/Concepts/regions.htm#ServiceAvailabilityAcrossRegions
 description = "region"
@@ -38,6 +28,18 @@ variable "user_id" {
 type = string
 }
+# general oci parameters
+variable "compartment_id" {
+ description = "compartment id"
+ type = string
+}
+
+variable "label_prefix" {
+ description = "a string that will be prependend to all resources"
+ default = "dev"
+ type = string
+}
+
 # ssh keys
 variable "ssh_private_key_path" {
 description = "path to ssh private key"
@@ -49,26 +51,12 @@ variable "ssh_public_key_path" {
 type = string
 }
-# general oci parameters
-
-variable "label_prefix" {
- description = "a string that will be prependend to all resources"
- default = "dev"
- type = string
-}
-
 # networking parameters
-variable "nat_gateway_enabled" {
- description = "whether to create a nat gateway"
- default = true
- type = bool
-}
-
 variable "netnum" {
 description = "zero-based index of the subnet when the network is masked with the newbit."
 default = {
- admin = 33
+ operator = 33
 bastion = 32
 int_lb = 16
 master = 48
@@ -82,7 +70,7 @@ variable "netnum" {
 variable "newbits" {
 description = "new mask for the subnet within the virtual network. use as newbits parameter for cidrsubnet function"
 default = {
- admin = 13
+ operator = 13
 bastion = 13
 lb = 11
 master = 12
@@ -92,12 +80,6 @@ variable "newbits" {
 type = map
 }
-variable "service_gateway_enabled" {
- description = "whether to create a service gateway"
- default = true
- type = bool
-}
-
 variable "vcn_cidr" {
 description = "cidr block of VCN"
 default = "10.0.0.0/16"
@@ -123,12 +105,6 @@ variable "bastion_access" {
 type = string
 }
-variable "bastion_enabled" {
- description = "whether to create a bastion host"
- default = true
- type = bool
-}
-
 variable "bastion_image_id" {
 description = "image id to use for bastion."
 default = "Autonomous"
@@ -177,64 +153,58 @@ variable "bastion_timezone" {
 type = string
 }
-# admin server
+# operator server
-variable "admin_enabled" {
- description = "whether to create an admin server in a private subnet"
- default = false
- type = bool
-}
-
-variable "admin_image_id" {
- description = "image id to use for admin server. set either an image id or to Oracle. if value is set to Oracle, the default Oracle Linux platform image will be used."
+variable "operator_image_id" {
+ description = "image id to use for operator server. set either an image id or to Oracle. if value is set to Oracle, the default Oracle Linux platform image will be used."
 default = "Oracle"
 type = string
 }
-variable "admin_instance_principal" {
- description = "enable the admin server host to call OCI API services without requiring api key"
+variable "operator_instance_principal" {
+ description = "enable the operator server host to call OCI API services without requiring api key"
 default = true
 type = bool
 }
-variable "admin_notification_enabled" {
- description = "whether to enable notification on the admin host"
+variable "operator_notification_enabled" {
+ description = "whether to enable notification on the operator host"
 default = false
 type = bool
 }
-variable "admin_notification_endpoint" {
- description = "the subscription notification endpoint for the admin. email address to be notified."
+variable "operator_notification_endpoint" {
+ description = "the subscription notification endpoint for the operator. email address to be notified."
 default = ""
 type = string
 }
-variable "admin_notification_protocol" {
+variable "operator_notification_protocol" {
 description = "the notification protocol used."
 default = "EMAIL"
 type = string
 }
-variable "admin_notification_topic" {
+variable "operator_notification_topic" {
 description = "the name of the notification topic."
- default = "admin"
+ default = "operator"
 type = string
 }
-variable "admin_package_upgrade" {
+variable "operator_package_upgrade" {
 description = "whether to upgrade the bastion host packages after provisioning. it’s useful to set this to false during development so the bastion is provisioned faster."
 default = true
 type = bool
 }
-variable "admin_shape" {
- description = "shape of admin server instance"
+variable "operator_shape" {
+ description = "shape of operator server instance"
 default = "VM.Standard.E2.1"
 type = string
 }
-variable "admin_timezone" {
- description = "the preferred timezone for the admin host."
+variable "operator_timezone" {
+ description = "the preferred timezone for the operator host."
 default = "Australia/Sydney"
 type = string
 }
@@ -244,7 +214,6 @@ variable "availability_domains" {
 description = "Availability Domains where to provision specific resources"
 default = {
 bastion = 1
- admin = 1
 operator = 1
 }
 type = map
@@ -295,33 +264,8 @@ variable "master_timezone" {
 type = string
 }
-# olcne operator
-variable "operator_image_id" {
- description = "image id to use for operator node."
- default = "Oracle Linux"
- type = string
-}
-
-variable "operator_package_upgrade" {
- description = "whether to upgrade the operator host packages after provisioning. it’s useful to set this to false during development so the operator nodes are provisioned faster."
- default = true
- type = bool
-}
-
-variable "operator_shape" {
- description = "shape of operator instance"
- default = "VM.Standard.E2.2"
- type = string
-}
-
-variable "operator_timezone" {
- description = "the preferred timezone for the operator nodes."
- default = "Australia/Sydney"
- type = string
-}
-
 variable "secret_id" {
- description = "id of secret where the private ssh key is stored in encrypted format"
+ description = "id of OCI secret where the private ssh key is stored in encrypted format"
 type = string
 }
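Review bot: `operator_package_upgrade` is renamed but its description still reads "whether to upgrade the bastion host packages … so the bastion is provisioned faster", which is now plainly wrong for an operator variable; change it to `description = "whether to upgrade the operator host packages after provisioning. set to false during development so the operator is provisioned faster."`. In the same hunk `operator_instance_principal` keeps `default = true`, so every deployment grants the operator host OCI API access via a dynamic group unless the user opts out, yet the description only says it avoids an API key; state what the generated policy allows so users can judge the blast radius, e.g. `description = "create a dynamic group and IAM policy so the operator host can call OCI APIs as an instance principal (no API key stored on the host); see the module docs for the exact policy statements granted"`. The base module that creates the policy is outside this diff, so the grant should be confirmed before it is documented; the deleted operator locals.tf earlier in this patch had it reading secret-bundles across the whole compartment, which is wider than a single secret needs. This hunk begins on the previous line.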
@@ -432,3 +376,27 @@ variable "public_lb_shape" {
 default = "100Mbps"
 type = string
 }
+
+# tagging
+variable "tags" {
+ default = {
+ # vcn, bastion and operator tags are required
+ # add more tags in each as desired
+ vcn = {
+ # department = "finance"
+ environment = "dev"
+ }
+ bastion = {
+ # department = "finance"
+ environment = "dev"
+ role = "bastion"
+ }
+ operator = {
+ # department = "finance"
+ environment = "dev"
+ role = "operator"
+ }
+ }
+ description = "Tags to apply to different resources."
+ type = map(any)
+}
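Review bot: The comment inside `default` says the `vcn`, `bastion` and `operator` keys are required, but `type = map(any)` enforces nothing, so a user who overrides `tags` with a map lacking `operator` only finds out at apply time through an index error deep inside the module. An object type states that contract where Terraform can check it at plan time, and `map(string)` per entry also rejects non-string tag values up front; the file already uses typed constraints such as `list(string)`, so this stays within the Terraform version in use. The `default` block is unchanged.
```hcl
variable "tags" {
  description = "Tags to apply to different resources. The vcn, bastion and operator keys are required; each may carry any number of string tags."
  type = object({
    vcn      = map(string)
    bastion  = map(string)
    operator = map(string)
  })
  # … unchanged: default values …
}
```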