oke-rm-1.1.2

Author: alcampag

app-dev/devops-and-containers/oke/oke-rm/README.md

@@ -16,13 +16,13 @@ This stack is used to create the initial network infrastructure for OKE. When co
 * By default, everything is private, but there is the possibility to create public subnets
 * Be careful when modifying the default values, as inputs are not validated
 
-[![Deploy to Oracle Cloud](https://oci-resourcemanager-plugin.plugins.oci.oraclecloud.com/latest/deploy-to-oracle-cloud.svg)](https://cloud.oracle.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-devrel/technology-engineering/releases/download/oke-rm-1.1.2/infra.zip)
+[![Deploy to Oracle Cloud](https://oci-resourcemanager-plugin.plugins.oci.oraclecloud.com/latest/deploy-to-oracle-cloud.svg)](https://cloud.oracle.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-devrel/technology-engineering/releases/download/oke-rm-1.1.3/infra.zip)
 
 ## Step 2: Create the OKE control plane
 
 This stack is used to create the OKE control plane ONLY.
 
-[![Deploy to Oracle Cloud](https://oci-resourcemanager-plugin.plugins.oci.oraclecloud.com/latest/deploy-to-oracle-cloud.svg)](https://cloud.oracle.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-devrel/technology-engineering/releases/download/oke-rm-1.1.2/oke.zip)
+[![Deploy to Oracle Cloud](https://oci-resourcemanager-plugin.plugins.oci.oraclecloud.com/latest/deploy-to-oracle-cloud.svg)](https://cloud.oracle.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-devrel/technology-engineering/releases/download/oke-rm-1.1.3/oke.zip)
 
 Also note that if the network infrastructure is located in a different compartment than the OKE cluster AND you are planning to use the OCI_VCN_NATIVE CNI,
 you must add these policies:

app-dev/devops-and-containers/oke/oke-rm/infra/infra.zip

@@ -3,7 +3,7 @@ terraform {
   required_providers {
     oci = {
       source  = "oracle/oci"
-      version = "7.4.0"
+      version = "7.7.0"
     }
     null = {
       source = "hashicorp/null"

app-dev/devops-and-containers/oke/oke-rm/infra/provider.tf

@@ -6,5 +6,20 @@ locals {
   enable_cert_manager = var.cluster_type == "enhanced" && var.enable_cert_manager
   enable_metrics_server = var.cluster_type == "enhanced" && var.enable_cert_manager && var.enable_metrics_server
   enable_cluster_autoscaler = var.cluster_type == "enhanced" && var.enable_cluster_autoscaler
-  create_autoscaler_policies = var.cluster_type == "enhanced"&& var.enable_cluster_autoscaler && var.create_autoscaler_policies
+  create_autoscaler_policies = var.cluster_type == "enhanced" && var.enable_cluster_autoscaler && var.create_autoscaler_policies
+}
+
+# OIDC
+locals {
+  oidc_discovery_enabled = var.cluster_type == "enhanced" && var.enable_oidc_discovery
+  oidc_authentication_enabled = var.cluster_type == "enhanced" && var.enable_oidc_authentication
+  oidc_token_authentication_config = {
+    client_id = var.oidc_client_id
+    issuer_url = var.oidc_issuer
+    username_claim = var.oidc_username_claim
+    username_prefix = var.oidc_username_prefix
+    groups_claim = var.oidc_groups_claim
+    groups_prefix = var.oidc_groups_prefix
+  }
+
 }

app-dev/devops-and-containers/oke/oke-rm/oke/locals.tf

@@ -37,7 +37,7 @@ locals {
 
 module "oke" {
   source  = "oracle-terraform-modules/oke/oci"
-  version = "5.2.4"
+  version = "5.3.1"
   compartment_id = var.oke_compartment_id
   # IAM - Policies
   create_iam_autoscaler_policy = "never"
@@ -68,7 +68,7 @@ module "oke" {
   create_vcn = false
   vcn_id = var.vcn_id
   # Network module - security
-  control_plane_allowed_cidrs = var.cp_allowed_cidr_list # ["0.0.0.0/0"]
+  control_plane_allowed_cidrs = var.cp_allowed_cidr_list
   control_plane_is_public = ! local.is_cp_subnet_private
   load_balancers = local.is_lb_subnet_private ? "internal" : "public"
   preferred_load_balancer = local.is_lb_subnet_private ? "internal" : "public"
@@ -84,6 +84,15 @@ module "oke" {
   use_signed_images  = false
   use_defined_tags = false
 
+  # OIDC
+  oidc_discovery_enabled = local.oidc_discovery_enabled
+  oidc_token_auth_enabled = local.oidc_authentication_enabled
+  oidc_token_authentication_config = local.oidc_token_authentication_config
+
+  cluster_freeform_tags = {
+    cluster = var.cluster_name
+  }
+
   # Bastion
   create_bastion = false
 
@@ -101,7 +110,7 @@ module "oke" {
 
   # Set this to true to enable in-transit encryption on all node pools by default
   # NOTE: in-transit encryption is supported only for paravirtualized attached block volumes (NOT boot volumes), hence you will need to create another StorageClass in the cluster as the default oci-bv StorageClass uses iSCSI
-  # Also note that Bare Metal instances do not support paravirtualized volumes, so do not enable this for node pools that require BM instances
+  # Also note that Bare Metal instances do not support paravirtualized volumes, so do not enable this in node pools that require BM instances
   worker_pv_transit_encryption = false
   # Enable encryption of volumes with a key managed by you, in your OCI Vault
   #worker_volume_kms_key_id = local.volume_kms_key_id
@@ -110,7 +119,7 @@ module "oke" {
   #max_pods_per_node = 31
 
   worker_disable_default_cloud_init = false # If set to true, will let you full control over the cloud init, set it when using ubuntu nodes or nodes with taints (can even be set individually at the node pool level)
-  worker_cloud_init = [{ content_type = "text/cloud-config", content = yamlencode(local.cloud_init_ol)}]         # Cloud init is different, depending if you are using Ubuntu or Oracle Linux nodes
+  worker_cloud_init = [{ content_type = "text/cloud-config", content = yamlencode(local.cloud_init_ol)}]         # Cloud init is different, depending if you are using Ubuntu or Oracle Linux nodes. You can also set taints with the cloud init
 
   # GLOBAL TAGS TO BE APPLIED ON ALL NODES
   # NOTE: tags will be applied to both the node pool and the nodes
@@ -125,34 +134,23 @@ module "oke" {
 
   worker_pools = {
 
-    # SYSTEM NODE POOL TO BE ENABLED FOR THE CLUSTER AUTOSCALER
-    np-system-ad1 = {
-      shape = "VM.Standard.E4.Flex"
-      size = 1
-      placement_ads = ["1"]
-      ocpus = 1
-      memory = 16
-      node_cycling_enabled = true
-      node_cycling_max_surge = "50%"
-      node_cycling_max_unavailable = "25%"
-      node_labels = {
-        role = "system"
-      }
-      create = false
-    }
-
     # SAMPLE NODE POOL, SET create = true TO PROVISION IT
     np-ad1 = {
       shape = "VM.Standard.E4.Flex"
       size = 1
+      kubernetes_version = var.kubernetes_version   # You can set this value as fixed, so that control plane and data plane are upgraded separately
       placement_ads = ["1"]                 # As best practice, one node pool should be associated only to one specific AD
-      ocpus = 2                             # No need to specify ocpus and memory if you are not using a Flex shape
+      ocpus = 1                             # No need to specify ocpus and memory if you are not using a Flex shape
+      memory = 16
+      #image_type = "custom"
       #image_id = ""                        # You can override global worker node parameters individually in the node pool
-      memory = 16                           # No need to specify ocpus and memory if you are not using a Flex shape
-      node_cycling_enabled = true           # Option to enable/disable node pool cycling through Terraform. NOT SUPPORTED WITH BARE METAL NODES!
+      node_cycling_enabled = false           # Option to enable/disable node pool cycling through Terraform. Only works with Enhanced clusters!
       node_cycling_max_surge = "50%"
       node_cycling_max_unavailable = "25%"
-      boot_volume_size = 100                # For Oracle Linux, make sure the oci-growfs command is specified in the cloud-init script. This module already implement this
+
+      node_cycling_mode = ["boot_volume"]   # Valid values are instance and boot_volume. Only works when (kubernetes_version, image_id, boot_volume_size, node_metadata, ssh_public_key, volume_kms_key_id) are modified. If you need to change something else, switch to instance
+                                            # NOTE: boot_volume mode seems to work only for Flannel clusters for now
+      boot_volume_size = 100                # For Oracle Linux, make sure the oci-growfs command is specified in the cloud-init script. This module already implements this
       freeform_tags = {                     # Nodes in the node pool will be tagged with these freeform tags
         "oke-cluster-name" = var.cluster_name
       }
@@ -161,6 +159,23 @@ module "oke" {
       create = false                          # Set it to true so that the node pool is created
     }
 
+    # SYSTEM NODE POOL TO BE ENABLED FOR THE CLUSTER AUTOSCALER
+    np-system-ad1 = {
+      shape = "VM.Standard.E4.Flex"
+      size = 1
+      placement_ads = ["1"]
+      ocpus = 1
+      memory = 16
+      node_cycling_enabled = true         # Only works with Enhanced clusters!
+      node_cycling_max_surge = "50%"
+      node_cycling_max_unavailable = "25%"
+      node_cycling_mode = ["boot_volume"]
+      node_labels = {
+        role = "system"
+      }
+      create = false
+    }
+
 
     # SAMPLE NODE POOL WITH A CLOUD INIT TO SET NODE TAINTS
     np-taints = {         # An example of a node pool using a custom cloud-init script to define taints at the node pool level
@@ -174,12 +189,13 @@ module "oke" {
       node_cycling_enabled = true
       node_cycling_max_surge = "50%"
       node_cycling_max_unavailable = "25%"
+      node_cycling_mode = ["boot_volume"]
       boot_volume_size = 100
-      ignore_initial_pool_size = false
       create = false
     }
 
 
+    # SAMPLE AUTOSCALED NODE POOL
     # This is a sample pool where autoscaling is enabled, note the freeform tag
     # REQUIREMENTS FOR ENABLING THE CLUSTER AUTOSCALER
     # - THE CLUSTER AUTOSCALER ADDON MUST BE ENABLED
@@ -196,13 +212,41 @@ module "oke" {
       node_cycling_enabled = true
       node_cycling_max_surge = "50%"
       node_cycling_max_unavailable = "25%"
+      node_cycling_mode = ["boot_volume"]
       boot_volume_size = 100
       ignore_initial_pool_size = true
       freeform_tags = {
         cluster_autoscaler = "enabled"
       }
       create = false
     }
+
+    # SAMPLE AUTOSCALED PREEMPTIBLE NODE POOL
+    # Often, to save money it makes sense to provision preemptible instances, as autoscaled node pools are already very dynamic
+    np-autoscaled-preemptible-ad1 = {
+      shape = "VM.Standard.E4.Flex"
+      size = 1
+      placement_ads = ["1"]
+      ocpus = 1
+      memory = 16
+      node_cycling_enabled = true
+      node_cycling_max_surge = "50%"
+      node_cycling_max_unavailable = "25%"
+      node_cycling_mode = ["boot_volume"]
+      boot_volume_size = 70
+      ignore_initial_pool_size = true
+      freeform_tags = {
+        cluster_autoscaler = "enabled"
+      }
+      preemptible_config = {
+        enable = true
+        is_preserve_boot_volume = false
+      }
+      create = false
+    }
+
+
+
   }
 
   providers = {

app-dev/devops-and-containers/oke/oke-rm/oke/oke.tf

@@ -0,0 +1,11 @@
+output "cluster_id" {
+  value = module.oke.cluster_id
+}
+
+output "worker_pools" {
+  value = module.oke.worker_pools
+}
+
+output "oidc_discovery_endpoint" {
+  value = module.oke.cluster_oidc_discovery_endpoint
+}

app-dev/devops-and-containers/oke/oke-rm/oke/oke.zip

@@ -3,13 +3,9 @@ terraform {
   required_providers {
     oci = {
       source  = "oracle/oci"
-      version = "7.4.0"
+      version = "7.7.0"
       configuration_aliases = [oci.home]
     }
-    helm = {
-      source  = "hashicorp/helm"
-      version = "~> 2.9.0"
-    }
   }
 }
 

app-dev/devops-and-containers/oke/oke-rm/oke/output.tf

@@ -56,6 +56,21 @@ variableGroups:
       - oke_vault_id
       - cluster_kms_key_id
 
+  - title: "OIDC"
+    visible:
+      eq:
+        - ${cluster_type}
+        - enhanced
+    variables:
+      - enable_oidc_discovery
+      - enable_oidc_authentication
+      - oidc_issuer
+      - oidc_client_id
+      - oidc_username_claim
+      - oidc_username_prefix
+      - oidc_groups_claim
+      - oidc_groups_prefix
+
 variables:
 
   region:
@@ -281,4 +296,81 @@ variables:
     description: "Key used to encrypt secrets located in etcd"
     dependsOn:
       compartmentId: ${oke_vault_compartment_id}
-      vaultId: ${oke_vault_id}
+      vaultId: ${oke_vault_id}
+
+# OIDC
+
+  enable_oidc_discovery:
+    title: "Enable OIDC Discovery"
+    description: "Enable OKE to act as an Identity Provider to exchange pod SeviceAccounts for access tokens"
+    type: boolean
+
+  enable_oidc_authentication:
+    title: "Enable OIDC Authentication"
+    description: "Enable OIDC authentication performed by an external OIDC Identity Provider"
+    type: boolean
+
+  oidc_issuer:
+    title: "OIDC Issuer URL"
+    description: "URL of the external Identity Provider token issuer. Control Plane MUST be able to reach it"
+    type: string
+    required: true
+    visible: ${enable_oidc_authentication}
+
+  oidc_client_id:
+    title: "OIDC Client Id"
+    description: "OIDC Client Id on the external Identity Provider"
+    type: string
+    required: true
+    visible: ${enable_oidc_authentication}
+
+  oidc_username_claim:
+    title: "OIDC username claim"
+    description: "Claim representing the username"
+    type: string
+    required: true
+    visible: ${enable_oidc_authentication}
+
+  oidc_username_prefix:
+    title: "OIDC username prefix"
+    description: "Prefix prepended to the username"
+    type: string
+    required: true
+    visible: ${enable_oidc_authentication}
+
+  oidc_groups_claim:
+    title: "OIDC groups claim"
+    description: "Claim representing the groups"
+    type: string
+    required: true
+    visible: ${enable_oidc_authentication}
+
+  oidc_groups_prefix:
+    title: "OIDC groups prefix"
+    description: "Prefix prepended to the groups"
+    type: string
+    required: true
+    visible: ${enable_oidc_authentication}
+
+
+# OUTPUT SECTION
+
+outputGroups:
+  - title: OKE
+    outputs:
+      - cluster_id
+      - worker_pools
+      - oidc_discovery_endpoint
+
+outputs:
+  cluster_id:
+    type: ocid
+    title: OKE Cluster OCID
+
+  worker_pools:
+    type: map
+    title: Worker Pools
+
+  oidc_discovery_endpoint:
+    type: link
+    title: OIDC Discovery Endpoint

app-dev/devops-and-containers/oke/oke-rm/oke/provider.tf

@@ -80,4 +80,35 @@ variable "oke_vault_id" {
 
 variable "cluster_kms_key_id" {
   default = null
+}
+
+# OIDC
+
+variable "enable_oidc_discovery" {
+  type = bool
+  default = false
+}
+
+variable "enable_oidc_authentication" {
+  type = bool
+  default = false
+}
+
+variable "oidc_issuer" {
+  default = null
+}
+variable "oidc_client_id" {
+  default = null
+}
+variable "oidc_username_claim" {
+  default = "sub"
+}
+variable "oidc_username_prefix" {
+  default = "oidc:"
+}
+variable "oidc_groups_claim" {
+  default = "groups"
+}
+variable "oidc_groups_prefix" {
+  default = "oidc:"
 }