Merge branch 'main' into alexandruporcescu-patch-oci-data-integration-1

Author: alexandruporcescu

app-dev/devops-and-containers/devops/ansible-jenkins/README.md

@@ -18,5 +18,5 @@ can eventually be modified or forked.
 
 Although these limitations might not fit every use case, the code can be used as a reference and there are ways to lift them.
 
-[![Deploy to Oracle Cloud](https://oci-resourcemanager-plugin.plugins.oci.oraclecloud.com/latest/deploy-to-oracle-cloud.svg)](https://cloud.oracle.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-devrel/technology-engineering/raw/main/app-dev/devops/ansible-jenkins/ansible-jenkins-rm.zip)
+[![Deploy to Oracle Cloud](https://oci-resourcemanager-plugin.plugins.oci.oraclecloud.com/latest/deploy-to-oracle-cloud.svg)](https://cloud.oracle.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-devrel/technology-engineering/raw/main/app-dev/devops-and-containers/devops/ansible-jenkins/ansible-jenkins-rm.zip)
 

app-dev/devops-and-containers/functions/java-helloworld-with-local-dev-and-oci-functions/README.md

@@ -118,7 +118,6 @@ docker build -t fra.ocir.io/<YOUR OCI TENANCY NAMESPACE>/helloworld-java:1
 </pre>
 
 In the docker build command above replace the <code>region</code> if necessary and the <code>&lt;YOUR OCI TENANCY NAMESPACE&gt;</code> with yours.
-
 <p>
 
 After building let's do <code>docker login</code> and <code>docker push</code> to push the container to the OCIR repo:
@@ -130,6 +129,16 @@ docker login ams.ocir.io -u '&lt;YOUR OCI TENANCY NAMESPACE&gt;/oracleidentitycl
 docker push fra.ocir.io/&lt;YOUR OCI TENANCY NAMESPACE&gt;/helloworld-java:1
 </pre>
 
+<p>
+The same as above but using OCI cli to get the &lt;YOUR OCI TENANCY NAMESPACE&gt; which is especially handy in scripting:
+
+<pre>
+export namespace=$(oci os ns get | jq .data | tr -d '"')
+docker build -t fra.ocir.io/$namespace/helloworld-java:1 .
+docker push fra.ocir.io/$namespace/helloworld-java:1
+</pre>
+
+<p>
 The last step is to create the Function Application and the function deployment for it. This can be easily done using the Cloud UI. 
 
 <p>

app-dev/devops-and-containers/oke/README.md

@@ -51,6 +51,7 @@ Reviewed: 20.12.2023
 - [Selecting a cloud native microservice framework](https://louwersj.medium.com/selecting-a-cloud-native-microservice-framework-9974e9534da1)
 - [Deploying a spring boot microservice in K8s](https://techdozo.dev/deploying-a-restful-spring-boot-microservice-on-kubernetes/)
 - [Collection of Labs](https://oracle.github.io/cloudtestdrive/AppDev/cloud-native/livelabs/)
+- [OKE policies](./oke-policies/policies.md)
 
 # Reusable Assets Overview
 

app-dev/devops-and-containers/oke/oke-policies/policies.md

@@ -0,0 +1,164 @@
+## OKE Policies
+
+  
+
+### VCN NATIVE CNI
+
+When network compartment is not the same as OKE compartment AND OKE is using VCN\_NATIVE CNI
+
+[https://docs.oracle.com/en-us/iaas/Content/ContEng/Concepts/contengpodnetworking\_topic-OCI\_CNI\_plugin.htm](https://docs.oracle.com/en-us/iaas/Content/ContEng/Concepts/contengpodnetworking_topic-OCI_CNI_plugin.htm)  
+
+```
+Allow any-user to manage instances in compartment <compartment-ocid-of-nodepool> where all { request.principal.id = '<cluster-ocid>' }
+Allow any-user to use private-ips in compartment <compartment-ocid-of-network-resources> where all { request.principal.id = '<cluster-ocid>' }
+Allow any-user to use network-security-groups in compartment <compartment-ocid-of-network-resources> where all { request.principal.id = '<cluster-ocid>' }
+```
+
+  
+
+### USE IPv6 WITH VCN NATIVE CNI
+
+[https://docs.oracle.com/en-us/iaas/Content/ContEng/Concepts/contengpodnetworking\_topic-OCI\_CNI\_plugin.htm](https://docs.oracle.com/en-us/iaas/Content/ContEng/Concepts/contengpodnetworking_topic-OCI_CNI_plugin.htm)  
+
+[https://docs.oracle.com/en-us/iaas/Content/ContEng/Tasks/conteng\_ipv4-and-ipv6.htm](https://docs.oracle.com/en-us/iaas/Content/ContEng/Tasks/conteng_ipv4-and-ipv6.htm)  
+
+UNCLEAR: Maybe this policy is necessary for every IPv6 cluster
+
+```
+Allow any-user to use ipv6s in compartment <compartment-ocid-of-network-resources> where all { request.principal.id = '<cluster-ocid>' }
+```
+
+  
+
+### ENCRYPT BOOT VOLUME WITH KEY
+
+To encrypt OKE worker nodes boot volume with a key that is in a different compartment than the worker nodes
+
+[https://docs.oracle.com/en-us/iaas/Content/ContEng/Concepts/contengpolicyconfig.htm#contengpolicyconfig\_topic\_Create\_Policies\_for\_User\_Managed\_Encryption](https://docs.oracle.com/en-us/iaas/Content/ContEng/Concepts/contengpolicyconfig.htm#contengpolicyconfig_topic_Create_Policies_for_User_Managed_Encryption)  
+
+```
+Allow any-user to use key-delegates in <compartment-key> where ALL {request.principal.type='nodepool', target.key.id = '<key_OCID>'}
+Allow service blockstorage to use keys in compartment <compartment-key> where target.key.id = '<key_OCID>'
+Allow any-user to use key-delegates in compartment <compartment-key> where ALL {request.principal.type='nodepool', target.key.id = '<key_OCID>'}
+```
+
+  
+
+### ENCRYPT BLOCK VOLUME WITH KEY
+
+To enable encryption on block volumes with a key in a different compartment than the worker nodes
+
+[https://docs.oracle.com/en-us/iaas/Content/ContEng/Concepts/contengpolicyconfig.htm#contengpolicyconfig\_topic\_Create\_Policies\_for\_User\_Managed\_Encryption](https://docs.oracle.com/en-us/iaas/Content/ContEng/Concepts/contengpolicyconfig.htm#contengpolicyconfig_topic_Create_Policies_for_User_Managed_Encryption)  
+
+```
+Allow service blockstorage to use keys in compartment <compartment-key> where target.key.id = '<key-ocid>'
+Allow any-user to use key-delegates in compartment <compartment-key> where ALL {request.principal.type = 'cluster', target.key.id = '<key-ocid>'}
+```
+
+  
+
+### ENCRYPT FILE SYSTEM
+
+To enable in-transit/in-place encryption of FSS
+
+[https://docs.oracle.com/en-us/iaas/Content/ContEng/Concepts/contengpolicyconfig.htm#contengpolicyconfig\_topic\_Create\_Policies\_for\_User\_Managed\_Encryption](https://docs.oracle.com/en-us/iaas/Content/ContEng/Concepts/contengpolicyconfig.htm#contengpolicyconfig_topic_Create_Policies_for_User_Managed_Encryption)  
+
+```
+Dynamic Group
+ALL { resource.type='filesystem', resource.compartment.id = '<file_system_compartment_OCID>' }
+
+Allow dynamic-group <domain>/<dynamic-group-name> to use keys in compartment <key-compartment-name>
+Allow any-user to use key-delegates in compartment <compartment-key> where ALL {request.principal.type = 'cluster', target.key.id = '<key_OCID>'}
+```
+
+  
+
+### ENABLE CCM TO MANAGE NSGs FOR LBs and NLBs
+
+[https://docs.oracle.com/en-us/iaas/Content/ContEng/Tasks/contengconfiguringloadbalancersnetworkloadbalancers-subtopic.htm#contengcreatingloadbalancer\_topic-Specifying\_Load\_Balancer\_Security\_Rule\_Management\_Annotation](https://docs.oracle.com/en-us/iaas/Content/ContEng/Tasks/contengconfiguringloadbalancersnetworkloadbalancers-subtopic.htm#contengcreatingloadbalancer_topic-Specifying_Load_Balancer_Security_Rule_Management_Annotation)
+
+```
+ALLOW any-user to manage network-security-groups in compartment <compartment-name> where request.principal.type = 'cluster'
+ALLOW any-user to manage vcns in compartment <compartment-name> where request.principal.type = 'cluster'
+ALLOW any-user to manage virtual-network-family in compartment <compartment-name> where request.principal.type = 'cluster'
+```
+
+  
+
+### TAGGING RESOURCES DIFFERENT COMPARTMENT
+
+[https://docs.oracle.com/en-us/iaas/Content/ContEng/Tasks/contengtaggingclusterresources\_iam-tag-namespace-policy.htm#contengtaggingclusterresources\_iam-tag-namespace-policy](https://docs.oracle.com/en-us/iaas/Content/ContEng/Tasks/contengtaggingclusterresources_iam-tag-namespace-policy.htm#contengtaggingclusterresources_iam-tag-namespace-policy)
+
+```
+Allow any-user to use tag-namespace in compartment <compartment-ocid-tag-namespace> where all { request.principal.id = '<cluster-ocid>' }
+```
+
+  
+
+### USE MANAGED NODE POOL WITH CAPACITY RESERVATION
+
+[https://docs.oracle.com/en-us/iaas/Content/ContEng/Tasks/contengmakingcapacityreservations.htm#contengmakingcapacityreservations\_topic\_Using\_capacity\_reservations](https://docs.oracle.com/en-us/iaas/Content/ContEng/Tasks/contengmakingcapacityreservations.htm#contengmakingcapacityreservations_topic_Using_capacity_reservations)  
+
+```
+Allow service oke to use compute-capacity-reservations in compartment id <compartment_capacity>
+Allow any-user to use compute-capacity-reservations in tenancy where request.principal.type = 'nodepool'
+```
+
+  
+
+### USE RESERVED PUBLIC IP IN DIFFERENT COMPARTMENTS THAN OKE
+
+[https://docs.oracle.com/en-us/iaas/Content/ContEng/Tasks/contengconfiguringloadbalancersnetworkloadbalancers-subtopic.htm#contengcreatingloadbalancer\_topic\_Specifying\_Load\_Balancer\_Reserved\_IP](https://docs.oracle.com/en-us/iaas/Content/ContEng/Tasks/contengconfiguringloadbalancersnetworkloadbalancers-subtopic.htm#contengcreatingloadbalancer_topic_Specifying_Load_Balancer_Reserved_IP)  
+
+If it is a LB:
+
+```
+ALLOW any-user to read public-ips in tenancy where request.principal.type = 'cluster'
+ALLOW any-user to manage floating-ips in tenancy where request.principal.type = 'cluster'
+```
+
+  
+
+If it is a NLB:
+
+```
+ALLOW any-user to use private-ips in TENANCY where ALL {request.principal.type = 'cluster', request.principal.compartment.id = 'target.compartment.id'}
+ALLOW any-user to manage public-ips in TENANCY where ALL {request.principal.type = 'cluster', request.principal.compartment.id = 'target.compartment.id'}
+```
+
+  
+
+### ATTACH NSGs WHEN THEY ARE IN DIFFERENT COMPARTMENT THAN OKE
+
+[https://docs.oracle.com/en-us/iaas/Content/ContEng/Tasks/contengconfiguringloadbalancersnetworkloadbalancers-subtopic.htm#contengcreatingloadbalancer\_topic\_Specifying\_Load\_Balancer\_Network\_Security\_Group](https://docs.oracle.com/en-us/iaas/Content/ContEng/Tasks/contengconfiguringloadbalancersnetworkloadbalancers-subtopic.htm#contengcreatingloadbalancer_topic_Specifying_Load_Balancer_Network_Security_Group)  
+
+```
+Allow any-user to use network-security-groups in compartment <network-compartment-ocid> where all { request.principal.id = '<cluster-ocid>' }
+```
+
+### USE A STATICALLY PROVISIONED SNAPSHOT WHEN IT IS IN A DIFFERENT COMPARTMENT
+
+[https://docs.oracle.com/en-us/iaas/Content/ContEng/Tasks/contengcreatingpersistentvolumeclaim_topic-Provisioning_PVCs_on_BV.htm#contengcreatingpersistentvolumeclaim_topic-Provisioning_PVCs_on_BV-PV_From_Snapshot_CSI__section_volume-snapshot-prerequisites](https://docs.oracle.com/en-us/iaas/Content/ContEng/Tasks/contengcreatingpersistentvolumeclaim_topic-Provisioning_PVCs_on_BV.htm#contengcreatingpersistentvolumeclaim_topic-Provisioning_PVCs_on_BV-PV_From_Snapshot_CSI__section_volume-snapshot-prerequisites)
+
+```
+ALLOW any-user to manage volume-backups in compartment <compartment-name> where request.principal.type = 'cluster'
+ALLOW any-user to use volumes in compartment <compartment-name> where request.principal.type = 'cluster'
+```
+
+### PROVISION A PVC ON A NEW FILE SYSTEM USING THE CSI VOLUME PLUGIN
+
+[https://docs.oracle.com/en-us/iaas/Content/ContEng/Tasks/contengcreatingpersistentvolumeclaim_Provisioning_PVCs_on_FSS.htm#contengcreatingpersistentvolumeclaim_topic-Provisioning_PVCs_on_FSS-Using-CSI-Volume-Plugin](https://docs.oracle.com/en-us/iaas/Content/ContEng/Tasks/contengcreatingpersistentvolumeclaim_Provisioning_PVCs_on_FSS.htm#contengcreatingpersistentvolumeclaim_topic-Provisioning_PVCs_on_FSS-Using-CSI-Volume-Plugin)
+
+Cluster will need policies to create a new file system and to handle network resources:
+
+```
+ALLOW any-user to manage file-family in compartment <oke-compartment-name> where request.principal.type = 'cluster'
+ALLOW any-user to use virtual-network-family in compartment <oke-compartment-name> where request.principal.type = 'cluster'
+```
+
+If the compartment to which a node pool, worker node subnet, file system, or mount target belongs, is different to the compartment to which a cluster belongs, IAM policies must exist to enable the CSI volume plugin to access the appropriate location.
+
+```
+ALLOW any-user to manage file-family in TENANCY where request.principal.type = 'cluster'
+ALLOW any-user to use virtual-network-family in TENANCY where request.principal.type = 'cluster'
+```

cloud-infrastructure/virtualization-solutions/openshift-on-oci/openshift-solution-definition-document/LICENSE.txt

@@ -0,0 +1,35 @@
+Copyright (c) 2025 Oracle and/or its affiliates.
+
+The Universal Permissive License (UPL), Version 1.0
+
+Subject to the condition set forth below, permission is hereby granted to any
+person obtaining a copy of this software, associated documentation and/or data
+(collectively the "Software"), free of charge and under any and all copyright
+rights in the Software, and any and all patent rights owned or freely
+licensable by each licensor hereunder covering either (i) the unmodified
+Software as contributed to or provided by such licensor, or (ii) the Larger
+Works (as defined below), to deal in both
+
+(a) the Software, and
+(b) any piece of software and/or hardware listed in the lrgrwrks.txt file if
+one is included with the Software (each a "Larger Work" to which the Software
+is contributed by such licensors),
+
+without restriction, including without limitation the rights to copy, create
+derivative works of, display, perform, and distribute the Software and make,
+use, sell, offer for sale, import, export, have made, and have sold the
+Software and the Larger Work(s), and to sublicense the foregoing rights on
+either these or other terms.
+
+This license is subject to the following condition:
+The above copyright notice and either this complete permission notice or at
+a minimum a reference to the UPL must be included in all copies or
+substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

cloud-infrastructure/virtualization-solutions/openshift-on-oci/openshift-solution-definition-document/README.md

@@ -0,0 +1,32 @@
+# Red Hat OpenShift on Oracle Cloud Infrastructure: Solution Definition Document
+
+This repository provides a comprehensive guide for deploying the Red Hat OpenShift Container Platform on Oracle Cloud Infrastructure (OCI). It outlines a high-level solution definition, including deployment architecture and the migration process for containerized workloads from an existing OpenShift environment—whether on-premises or in another cloud. The document captures the current state architecture, requirements, and a prospective state, along with potential project scope and anticipated timelines for implementation. 
+
+Reviewed: 11.04.2025
+
+# When to use this asset?
+
+This document is a critical resource for individuals and organizations planning to deploy Red Hat OpenShift on Oracle Cloud Infrastructure. It is particularly useful for:
+
+- Migrating containerized applications to a newly deployed OpenShift environment on OCI.
+- Greenfield implementations of Red Hat OpenShift on OCI.
+
+# Instructions for Utilizing This Asset
+
+This document serves as a template for defining your Red Hat OpenShift project solution. It includes:
+
+- Example architecture diagrams that can be customized to reflect customer-specific requirements.
+- Guidance on defining project scope, timelines, and technical requirements.
+
+# Conclusion
+
+The Red Hat OpenShift platform on Oracle Cloud Infrastructure delivers a robust, scalable, and secure environment for containerized workloads. This Solution Definition Document is designed to serve as a definitive guide for your project. We encourage all stakeholders to provide feedback, ask questions, and contribute to ensure the success of the implementation.
+
+# License
+
+Copyright (c) 2025 Oracle and/or its affiliates.
+
+Licensed under the Universal Permissive License (UPL), Version 1.0.
+
+See [LICENSE](https://github.com/oracle-devrel/technology-engineering/blob/main/LICENSE) for more details.
+