Merge pull request #37 from oracle-devrel/pe

pe

Author: RahulMR42

AIO.md

@@ -1,6 +1,7 @@
 All in One reference for samples - In Alphabetical (A to Z) order.
 -------
 
+- Access resource with Private IP from OCI Build runner - https://github.com/oracle-devrel/oci-devops-examples/tree/main/oci-build-examples/oci-devops-pa-with-private-oke
 - Build Caching - https://github.com/oracle-devrel/oci-devops-examples/tree/main/oci-build-examples/oci-build-caching
 - Build Native image with Graal VM Enterprise edition - https://github.com/oracle-devrel/oci-devops-examples/tree/main/oci-build-examples/oci_devops_build_with_graalenterprise
 - Build a micronaut restapi application with Graal VM Enterprise - https://github.com/oracle-devrel/oci-devops-examples/tree/main/oci-build-examples/oci_devops_graalee_micronaut
@@ -26,3 +27,4 @@ All in One reference for samples - In Alphabetical (A to Z) order.
 - Invoke deployment pipeline on a container image upload  - https://github.com/oracle-devrel/oci-devops-examples/blob/main/oci-deployment-examples/oci-devops-deploy-on-imageupload
 - OCI Policy management using terraform - https://github.com/oracle-devrel/oci-devops-examples/blob/main/oci-config-examples/oci_devops_policy_dg_terraform
 - Scanning code for vulnerabilities for Maven packages - https://github.com/oracle-devrel/oci-devops-examples/tree/main/oci-build-examples/oci-devops-vulnerability-audit-management
+

oci-build-examples/README.md

@@ -20,6 +20,15 @@ All about OCI devops build samples ..
 * [Build a native executable application with Graal VM Enterprise](./oci_devops_build_with_graalenterprise/)
 * [Build a micronaut restapi application with Graal VM Enterprise](./oci_devops_graalee_micronaut/)
 
+</details>
+
+<details>
+  <summary>Private resource access - click to expand</summary>
+
+* [Access OKE with Private endpoint from build runner](./oci-devops-pa-with-private-oke/)
+
+
+
 </details>
 
 

oci-build-examples/oci-devops-pa-with-private-oke/.gitignore

@@ -0,0 +1 @@
+.idea

oci-build-examples/oci-devops-pa-with-private-oke/README.md

@@ -0,0 +1,153 @@
+# Access resource with Private IP from OCI Build runner
+
+This sample shows how to access resources which are with private IP addresses from an OCI Build runner.
+
+## Accessing Private Virtual Network from Build runner
+
+- You can access self-hosted repositories (GitLab Server and Bitbucket Server) with private IP from the Managed Build stage. With the private access configuration, you can write commands in the build specification file to access the private endpoints in your Virtual Cloud Network (VCN). During the build, the service-managed build runner facilitates the connection from the build stage to your tenancy subnet. Using FastConnect or other IPSec VPN peering solutions, you can also create a connection to access your on-premises code repository from an OCI DevOps build runner.
+
+## Specific instruction to clone only this example.
+
+   ```
+   $ git init oci-devops-pa-with-private-oke
+   $ cd oci-devops-pa-with-private-oke
+   $ git remote add origin <url to this git repo>
+   $ git config core. sparsecheckout true
+   $ echo "oci-build-examples/oci-devops-pa-with-private-oke/*">>.git/info/sparse-checkout
+   $ git pull --depth=1 origin main
+
+   ```
+
+## Objectives
+
+- Create an [Container Engine for Kubernetes (OKE)](https://docs.oracle.com/en-us/iaas/Content/ContEng/home.htm)
+- Associate OCI DevOps Build runner via Private Access endpoints.
+- Test and validate the access
+
+
+## Procedure to use this illustration.
+
+###OCI Notifications
+- Create an OCI notification topic - https://docs.oracle.com/en-us/iaas/Content/Notification/Tasks/managingtopicsandsubscriptions.htm#createTopic
+
+### OCI Container Engine for Kubernetes (OKE)
+- Create  Container Engine for Kubernetes (OKE) Cluster using Quick workflow - https://docs.oracle.com/en-us/iaas/Content/ContEng/Tasks/contengcreatingclusterusingoke_topic-Using_the_Console_to_create_a_Quick_Cluster_with_Default_Settings.htm#create-quick-cluster
+
+![](images/oci-oke-wizzard.png)
+
+- Select `Private endpoints` and `Private workers`.
+
+![](images/oci-oke-private-cluster-details.png)
+
+
+- Make a note of OKE's Cluster Id.
+
+![](images/oci-oke-cluster-id.png)
+
+💡Specific note on the network setup
+- When you build OKE via wizard it will set up necessary VCN, subnet, gateways, route tables etc.
+- But if you are using custom workflow for OKE or connection for any other resources from build runner, ensure to set up NAT or Service gateway accordingly.
+- When using with a Private access endpoint, the Build runner instance is considered as a private instance in your VCN during the network setup. Using only an internet gateway does not allow egress to the internet from a private subnet. Therefore, the VCN must have a Network Address Translation (NAT) gateway or service gateway with routing rules to forward traffic configured in the routing table for the private access configuration to succeed in the Managed Build stage.
+
+### Validate VCN
+
+- As we have used the `Quick workflow`, it has created the VCN and necessary details.
+- From `OKE details` identify `VCN Name` and click on the link.
+
+![](images/oci-oke-vcn.png)
+
+- There will be 3 subnets, one for endpoint, one for the load balancer and another one for nodes.
+
+![](images/oci-vcn-subnets.png)
+
+- Check the `Route tables` and check the `Route Table` for private subnets. There will be a `NAT Gateway` for access to the internet and a `Service Gateway` to access the OCI services.
+
+![](images/oci-vcn-routerules.png)
+
+### OCI DevOps.
+
+- Create a DevOps project - https://docs.oracle.com/en-us/iaas/Content/devops/using/create_project.htm#create_a_project.
+  Associate with the notification topic.
+
+![](images/oci-devops-project.png)
+
+- Ensure to enable the logs for the DevOps project.
+
+![](images/oci-devops-logs.png)
+
+- Create an OCI code repo - https://docs.oracle.com/en-us/iaas/Content/devops/using/create_repo.htm#create_repo and push this content to the repo.
+
+![](images/oci-coderepo-files.png)
+
+- Create an OCI Build pipeline - https://docs.oracle.com/en-us/iaas/Content/devops/using/create_buildpipeline.htm
+
+![](images/oci-devops-buildpipeline.png)
+
+- Add the below parameters to the build pipeline with proper values.
+
+  - KUBECTL_VERSION - Version of the kubectl to be used - https://kubernetes.io/releases/,Example:1.24.0
+  - OCI_OKE_OCID - Cluster ID of the OKE, Example: ocid1.cluster.oc1.us-sanjose-1.xx
+  - OCI_REGION - OCI Region, Example: us-sanjose-1
+
+![](images/oci-build-paramters.png)
+
+
+- Use the `+` and add a `Managed Build` stage.
+
+![](images/oci-buildpipeline-addstages.png)
+
+![](images/oci-buildmanagedbuild-stage.png)
+
+- Provide a `Stage name` and `Stage description(Optional)`.
+
+![](images/oci-build-mb-1.png)
+
+- Click on `Connect to your tenancy subnet`
+- Select the VCN same as that of our private OKE.
+- Select oke-node subnet.
+
+![](images/oci-build-mb-2.png)
+
+- Click `Select` under `Primary code repository` and select the code repo of type `OCI Code Repository` created.
+
+![](images/oci-build-mb-3.png)
+
+- Click `Add`
+
+![](images/oci-build-mb-4.png)
+
+- Here the `Focus` is on accessing private IP-based resources from the build pipeline, to do so we are using sample kubectl actions, but the same can be extended as a full pipeline with other stages and connected to the deployment pipeline as well.
+
+### Let's test
+
+- Within the build pipeline, click `Start manual run` and start the pipeline.
+
+![](images/oci-build-manual-run.png)
+
+- Wait for all the steps to complete.
+
+- View the build execution logs and validate the access.
+
+![](images/oci-build-logs.png)
+
+References
+==========
+
+- Oracle Cloud Infrastructure DevOps - https://docs.oracle.com/en-us/iaas/Content/devops/using/home.htm
+
+
+Contributors
+===========
+
+- Author: [Rahul M R](https://github.com/RahulMR42).
+- Collaborators: NA
+- Last release: August 2022
+
+### Back to examples.
+----
+
+- 🍿 [Back to OCI DevOps Build sample](./../README.md)
+- 🏝️ [Back to OCI DevOps sample](./../../README.md)
+
+
+

oci-build-examples/oci-devops-pa-with-private-oke/build_spec.yaml

@@ -0,0 +1,56 @@
+version: 0.1
+component: build
+timeoutInSeconds: 6000
+runAs: root
+shell: bash
+env:
+  # these are local variables to the build config
+  variables:
+  # the value of a vaultVariable is the secret-id (in OCI ID format) stored in the OCI Vault service
+  # you can then access the value of that secret in your build_spec.yaml commands
+  vaultVariables:
+  #  EXAMPLE_SECRET: "YOUR-SECRET-OCID"
+  # exportedVariables are made available to use as parameters in sucessor Build Pipeline stages
+  # For this Build to run, the Build Pipeline needs to have a BUILDRUN_HASH parameter set
+  exportedVariables:
+  #Variable to export and use with in further stages.
+
+inputArtifacts:
+  - name: kubectl_cli
+    type: URL
+    url: https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/amd64/kubectl
+    location: ${OCI_PRIMARY_SOURCE_DIR}/kubectl
+
+
+steps:
+  - type: Command
+    timeoutInSeconds: 6000
+    name: "Access a Private OKE from Build runner"
+    command: |
+      cd ${OCI_PRIMARY_SOURCE_DIR}
+      oci ce cluster create-kubeconfig --cluster-id ${OCI_OKE_OCID} --file kube_config --region ${OCI_REGION} --token-version 2.0.0  --kube-endpoint PRIVATE_ENDPOINT
+      export KUBECONFIG=./kube_config
+      chmod +x kubectl
+      export PATH=${PATH}:${OCI_PRIMARY_SOURCE_DIR}
+      kubectl get nodes
+      echo "Applying SVC Config..."
+      kubectl apply -f sample_oke_svc.yaml
+      echo "Validate the SVC..."
+      kubectl describe svc sample-svc
+      echo "Delete the SVC..."
+      kubectl delete -f sample_oke_svc.yaml
+    onFailure:
+      - type: Command
+        command: |
+          echo "Handling Failure"
+          echo "Failure successfully handled"
+        timeoutInSeconds: 40
+        runAs: root
+
+
+#outputArtifacts:
+#  - name: sample
+#    type: DOCKER_IMAGE/BINARY
+#    # this location tag doesn't effect the tag used to deliver the container image
+#    # to the Container Registry
+#    location: