diff --git a/app-dev/devops-and-containers/oke/oke-rm/README.md b/app-dev/devops-and-containers/oke/oke-rm/README.md index bec1af4f7..e698e5c97 100644 --- a/app-dev/devops-and-containers/oke/oke-rm/README.md +++ b/app-dev/devops-and-containers/oke/oke-rm/README.md @@ -16,13 +16,13 @@ This stack is used to create the initial network infrastructure for OKE. When co * By default, everything is private, but there is the possibility to create public subnets * Be careful when modifying the default values, as inputs are not validated -[![Deploy to Oracle Cloud](https://oci-resourcemanager-plugin.plugins.oci.oraclecloud.com/latest/deploy-to-oracle-cloud.svg)](https://cloud.oracle.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-devrel/technology-engineering/releases/download/oke-rm-1.1.2/infra.zip) +[![Deploy to Oracle Cloud](https://oci-resourcemanager-plugin.plugins.oci.oraclecloud.com/latest/deploy-to-oracle-cloud.svg)](https://cloud.oracle.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-devrel/technology-engineering/releases/download/oke-rm-1.1.3/infra.zip) ## Step 2: Create the OKE control plane This stack is used to create the OKE control plane ONLY. -[![Deploy to Oracle Cloud](https://oci-resourcemanager-plugin.plugins.oci.oraclecloud.com/latest/deploy-to-oracle-cloud.svg)](https://cloud.oracle.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-devrel/technology-engineering/releases/download/oke-rm-1.1.2/oke.zip) +[![Deploy to Oracle Cloud](https://oci-resourcemanager-plugin.plugins.oci.oraclecloud.com/latest/deploy-to-oracle-cloud.svg)](https://cloud.oracle.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-devrel/technology-engineering/releases/download/oke-rm-1.1.3/oke.zip) Also note that if the network infrastructure is located in a different compartment than the OKE cluster AND you are planning to use the OCI_VCN_NATIVE CNI, you must add these policies: 
diff --git a/app-dev/devops-and-containers/oke/oke-rm/infra/infra.zip b/app-dev/devops-and-containers/oke/oke-rm/infra/infra.zip index 3c70bb932..b9c7a6088 100644 Binary files a/app-dev/devops-and-containers/oke/oke-rm/infra/infra.zip and b/app-dev/devops-and-containers/oke/oke-rm/infra/infra.zip differ diff --git a/app-dev/devops-and-containers/oke/oke-rm/infra/provider.tf b/app-dev/devops-and-containers/oke/oke-rm/infra/provider.tf index 34d2ad9a5..c19cf34b9 100644 --- a/app-dev/devops-and-containers/oke/oke-rm/infra/provider.tf +++ b/app-dev/devops-and-containers/oke/oke-rm/infra/provider.tf @@ -3,7 +3,7 @@ terraform { required_providers { oci = { source = "oracle/oci" - version = "7.4.0" + version = "7.7.0" } null = { source = "hashicorp/null" diff --git a/app-dev/devops-and-containers/oke/oke-rm/oke/locals.tf b/app-dev/devops-and-containers/oke/oke-rm/oke/locals.tf index 90af7488c..1c107893d 100644 --- a/app-dev/devops-and-containers/oke/oke-rm/oke/locals.tf +++ b/app-dev/devops-and-containers/oke/oke-rm/oke/locals.tf 
@@ -6,5 +6,20 @@ locals { enable_cert_manager = var.cluster_type == "enhanced" && var.enable_cert_manager enable_metrics_server = var.cluster_type == "enhanced" && var.enable_cert_manager && var.enable_metrics_server enable_cluster_autoscaler = var.cluster_type == "enhanced" && var.enable_cluster_autoscaler - create_autoscaler_policies = var.cluster_type == "enhanced"&& var.enable_cluster_autoscaler && var.create_autoscaler_policies + create_autoscaler_policies = var.cluster_type == "enhanced" && var.enable_cluster_autoscaler && var.create_autoscaler_policies +} + +# OIDC +locals { + oidc_discovery_enabled = var.cluster_type == "enhanced" && var.enable_oidc_discovery + oidc_authentication_enabled = var.cluster_type == "enhanced" && var.enable_oidc_authentication + oidc_token_authentication_config = { + client_id = var.oidc_client_id + issuer_url = var.oidc_issuer + username_claim = var.oidc_username_claim + username_prefix = var.oidc_username_prefix + groups_claim = var.oidc_groups_claim + groups_prefix = var.oidc_groups_prefix + } + } \ No newline at end of file diff --git a/app-dev/devops-and-containers/oke/oke-rm/oke/oke.tf b/app-dev/devops-and-containers/oke/oke-rm/oke/oke.tf index bf75ce78e..d32acf506 100644 --- a/app-dev/devops-and-containers/oke/oke-rm/oke/oke.tf +++ b/app-dev/devops-and-containers/oke/oke-rm/oke/oke.tf @@ -37,7 +37,7 @@ locals { module "oke" { source = "oracle-terraform-modules/oke/oci" - version = "5.2.4" + version = "5.3.1" compartment_id = var.oke_compartment_id # IAM - Policies create_iam_autoscaler_policy = "never" 
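Review bot: The `username_prefix` and `groups_prefix` entries in the new `oidc_token_authentication_config` map deserve a why-comment, because their security role is not visible from the code: the prefix is what keeps identities federated from the external provider from colliding with the cluster's built-in `system:` users and groups, so an empty prefix is the usual misconfiguration here. Something like `# username_prefix/groups_prefix keep federated identities from colliding with built-in system: users and groups; keep them non-empty` above the map would cover it. The map is also built and handed to the module unconditionally, so with `enable_oidc_authentication = false` the null `var.oidc_issuer`/`var.oidc_client_id` still flow through; presumably the module ignores them while `oidc_authentication_enabled` is false, which is worth stating in a comment rather than leaving to the reader.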
@@ -68,7 +68,7 @@ module "oke" { create_vcn = false vcn_id = var.vcn_id # Network module - security - control_plane_allowed_cidrs = var.cp_allowed_cidr_list # ["0.0.0.0/0"] + control_plane_allowed_cidrs = var.cp_allowed_cidr_list control_plane_is_public = ! local.is_cp_subnet_private load_balancers = local.is_lb_subnet_private ? "internal" : "public" preferred_load_balancer = local.is_lb_subnet_private ? "internal" : "public" @@ -84,6 +84,15 @@ module "oke" { use_signed_images = false use_defined_tags = false + # OIDC + oidc_discovery_enabled = local.oidc_discovery_enabled + oidc_token_auth_enabled = local.oidc_authentication_enabled + oidc_token_authentication_config = local.oidc_token_authentication_config + + cluster_freeform_tags = { + cluster = var.cluster_name + } + # Bastion create_bastion = false @@ -101,7 +110,7 @@ module "oke" { # Set this to true to enable in-transit encryption on all node pools by default # NOTE: in-transit encryption is supported only for paravirtualized attached block volumes (NOT boot volumes), hence you will need to create another StorageClass in the cluster as the default oci-bv StorageClass uses iSCSI - # Also note that Bare Metal instances do not support paravirtualized volumes, so do not enable this for node pools that require BM instances + # Also note that Bare Metal instances do not support paravirtualized volumes, so do not enable this in node pools that require BM instances worker_pv_transit_encryption = false # Enable encryption of volumes with a key managed by you, in your OCI Vault #worker_volume_kms_key_id = local.volume_kms_key_id 
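Review bot: `control_plane_allowed_cidrs = var.cp_allowed_cidr_list` still accepts any value, including `0.0.0.0/0`, even when `control_plane_is_public` on the next line evaluates to true, and the README touched in this same commit states that inputs are not validated. A `validation` block on `cp_allowed_cidr_list` (declared outside this hunk) would fail the plan before the cluster exists, e.g. `condition = !contains(var.cp_allowed_cidr_list, "0.0.0.0/0")` with `error_message = "Do not expose the control plane to 0.0.0.0/0; list the operator CIDRs instead."`. If the wildcard must remain allowed for private control planes, the same condition combined with `local.is_cp_subnet_private` in a `check` block is the alternative, subject to the Terraform version the stack targets.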
@@ -110,7 +119,7 @@ module "oke" { #max_pods_per_node = 31 worker_disable_default_cloud_init = false # If set to true, will let you full control over the cloud init, set it when using ubuntu nodes or nodes with taints (can even be set individually at the node pool level) - worker_cloud_init = [{ content_type = "text/cloud-config", content = yamlencode(local.cloud_init_ol)}] # Cloud init is different, depending if you are using Ubuntu or Oracle Linux nodes + worker_cloud_init = [{ content_type = "text/cloud-config", content = yamlencode(local.cloud_init_ol)}] # Cloud init is different, depending if you are using Ubuntu or Oracle Linux nodes. You can also set taints with the cloud init # GLOBAL TAGS TO BE APPLIED ON ALL NODES # NOTE: tags will be applied to both the node pool and the nodes 
@@ -125,34 +134,23 @@ module "oke" { worker_pools = { - # SYSTEM NODE POOL TO BE ENABLED FOR THE CLUSTER AUTOSCALER - np-system-ad1 = { - shape = "VM.Standard.E4.Flex" - size = 1 - placement_ads = ["1"] - ocpus = 1 - memory = 16 - node_cycling_enabled = true - node_cycling_max_surge = "50%" - node_cycling_max_unavailable = "25%" - node_labels = { - role = "system" - } - create = false - } - # SAMPLE NODE POOL, SET create = true TO PROVISION IT np-ad1 = { shape = "VM.Standard.E4.Flex" size = 1 + kubernetes_version = var.kubernetes_version # You can set this value as fixed, so that control plane and data plane are upgraded separately placement_ads = ["1"] # As best practice, one node pool should be associated only to one specific AD - ocpus = 2 # No need to specify ocpus and memory if you are not using a Flex shape + ocpus = 1 # No need to specify ocpus and memory if you are not using a Flex shape + memory = 16 + #image_type = "custom" #image_id = "" # You can override global worker node parameters individually in the node pool - memory = 16 # No need to specify ocpus and memory if you are not using a Flex shape - node_cycling_enabled = true # Option to enable/disable node pool cycling through Terraform. NOT SUPPORTED WITH BARE METAL NODES! + node_cycling_enabled = false # Option to enable/disable node pool cycling through Terraform. Only works with Enhanced clusters! node_cycling_max_surge = "50%" node_cycling_max_unavailable = "25%" - boot_volume_size = 100 # For Oracle Linux, make sure the oci-growfs command is specified in the cloud-init script. This module already implement this + + node_cycling_mode = ["boot_volume"] # Valid values are instance and boot_volume. Only works when (kubernetes_version, image_id, boot_volume_size, node_metadata, ssh_public_key, volume_kms_key_id) are modified. 
If you need to change something else, switch to instance + # NOTE: boot_volume mode seems to work only for Flannel clusters for now + boot_volume_size = 100 # For Oracle Linux, make sure the oci-growfs command is specified in the cloud-init script. This module already implements this freeform_tags = { # Nodes in the node pool will be tagged with these freeform tags "oke-cluster-name" = var.cluster_name } @@ -161,6 +159,23 @@ module "oke" { create = false # Set it to true so that the node pool is created } + # SYSTEM NODE POOL TO BE ENABLED FOR THE CLUSTER AUTOSCALER + np-system-ad1 = { + shape = "VM.Standard.E4.Flex" + size = 1 + placement_ads = ["1"] + ocpus = 1 + memory = 16 + node_cycling_enabled = true # Only works with Enhanced clusters! + node_cycling_max_surge = "50%" + node_cycling_max_unavailable = "25%" + node_cycling_mode = ["boot_volume"] + node_labels = { + role = "system" + } + create = false + } + # SAMPLE NODE POOL WITH A CLOUD INIT TO SET NODE TAINTS np-taints = { # An example of a node pool using a custom cloud-init script to define taints at the node pool level @@ -174,12 +189,13 @@ module "oke" { node_cycling_enabled = true node_cycling_max_surge = "50%" node_cycling_max_unavailable = "25%" + node_cycling_mode = ["boot_volume"] boot_volume_size = 100 - ignore_initial_pool_size = false create = false } + # SAMPLE AUTOSCALED NODE POOL # This is a sample pool where autoscaling is enabled, note the freeform tag # REQUIREMENTS FOR ENABLING THE CLUSTER AUTOSCALER # - THE CLUSTER AUTOSCALER ADDON MUST BE ENABLED @@ -196,6 +212,7 @@ module "oke" { node_cycling_enabled = true node_cycling_max_surge = "50%" node_cycling_max_unavailable = "25%" + node_cycling_mode = ["boot_volume"] boot_volume_size = 100 ignore_initial_pool_size = true freeform_tags = { 
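Review bot: The comment on `node_cycling_mode` in np-ad1 ships a guess (`# NOTE: boot_volume mode seems to work only for Flannel clusters for now`) in a sample that users copy verbatim; either confirm the constraint and state it plainly, or record where it was observed, e.g. `# NOTE: boot_volume mode has only been verified on Flannel clusters so far`. The same `node_cycling_mode = ["boot_volume"]` line is repeated in np-system-ad1, np-taints and the autoscaled pool in this file; a single local would keep the four in step when the constraint changes.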
@@ -203,6 +220,33 @@ module "oke" { } create = false } + + # SAMPLE AUTOSCALED PREEMPTIBLE NODE POOL + # Often, to save money it makes sense to provision preemptible instances, as autoscaled node pools are already very dynamic + np-autoscaled-preemptible-ad1 = { + shape = "VM.Standard.E4.Flex" + size = 1 + placement_ads = ["1"] + ocpus = 1 + memory = 16 + node_cycling_enabled = true + node_cycling_max_surge = "50%" + node_cycling_max_unavailable = "25%" + node_cycling_mode = ["boot_volume"] + boot_volume_size = 70 + ignore_initial_pool_size = true + freeform_tags = { + cluster_autoscaler = "enabled" + } + preemptible_config = { + enable = true + is_preserve_boot_volume = false + } + create = false + } + + + } providers = { diff --git a/app-dev/devops-and-containers/oke/oke-rm/oke/oke.zip b/app-dev/devops-and-containers/oke/oke-rm/oke/oke.zip index 026c45bb8..4a36d7445 100644 Binary files a/app-dev/devops-and-containers/oke/oke-rm/oke/oke.zip and b/app-dev/devops-and-containers/oke/oke-rm/oke/oke.zip differ diff --git a/app-dev/devops-and-containers/oke/oke-rm/oke/output.tf b/app-dev/devops-and-containers/oke/oke-rm/oke/output.tf new file mode 100644 index 000000000..9bbe7e6db --- /dev/null +++ b/app-dev/devops-and-containers/oke/oke-rm/oke/output.tf @@ -0,0 +1,11 @@ +output "cluster_id" { + value = module.oke.cluster_id +} + +output "worker_pools" { + value = module.oke.worker_pools +} + +output "oidc_discovery_endpoint" { + value = module.oke.cluster_oidc_discovery_endpoint +} \ No newline at end of file diff --git a/app-dev/devops-and-containers/oke/oke-rm/oke/provider.tf b/app-dev/devops-and-containers/oke/oke-rm/oke/provider.tf index d2d690a12..91532e10c 100644 --- a/app-dev/devops-and-containers/oke/oke-rm/oke/provider.tf +++ b/app-dev/devops-and-containers/oke/oke-rm/oke/provider.tf 
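Review bot: `output "worker_pools"` exports the whole `module.oke.worker_pools` map, and Resource Manager renders stack outputs in the console; if that map carries anything beyond shape and size (cloud-init content, node metadata, SSH keys), the output should be declared `sensitive = true` or narrowed to the pool ids. The module's output shape is not visible in this diff, so confirm it against the 5.3.1 module before merging. A one-line `description` on each output, e.g. `description = "OCID of the OKE cluster"`, would also help, since the schema titles are otherwise the only documentation.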
@@ -3,13 +3,9 @@ terraform { required_providers { oci = { source = "oracle/oci" - version = "7.4.0" + version = "7.7.0" configuration_aliases = [oci.home] } - helm = { - source = "hashicorp/helm" - version = "~> 2.9.0" - } } } diff --git a/app-dev/devops-and-containers/oke/oke-rm/oke/schema.yaml b/app-dev/devops-and-containers/oke/oke-rm/oke/schema.yaml index e57e236af..29c5fa692 100644 --- a/app-dev/devops-and-containers/oke/oke-rm/oke/schema.yaml +++ b/app-dev/devops-and-containers/oke/oke-rm/oke/schema.yaml @@ -56,6 +56,21 @@ variableGroups: - oke_vault_id - cluster_kms_key_id + - title: "OIDC" + visible: + eq: + - ${cluster_type} + - enhanced + variables: + - enable_oidc_discovery + - enable_oidc_authentication + - oidc_issuer + - oidc_client_id + - oidc_username_claim + - oidc_username_prefix + - oidc_groups_claim + - oidc_groups_prefix + variables: region: 
@@ -281,4 +296,81 @@ variables: description: "Key used to encrypt secrets located in etcd" dependsOn: compartmentId: ${oke_vault_compartment_id} - vaultId: ${oke_vault_id} \ No newline at end of file + vaultId: ${oke_vault_id} + +# OIDC + + enable_oidc_discovery: + title: "Enable OIDC Discovery" + description: "Enable OKE to act as an Identity Provider to exchange pod SeviceAccounts for access tokens" + type: boolean + + enable_oidc_authentication: + title: "Enable OIDC Authentication" + description: "Enable OIDC authentication performed by an external OIDC Identity Provider" + type: boolean + + oidc_issuer: + title: "OIDC Issuer URL" + description: "URL of the external Identity Provider token issuer. Control Plane MUST be able to reach it" + type: string + required: true + visible: ${enable_oidc_authentication} + + oidc_client_id: + title: "OIDC Client Id" + description: "OIDC Client Id on the external Identity Provider" + type: string + required: true + visible: ${enable_oidc_authentication} + + oidc_username_claim: + title: "OIDC username claim" + description: "Claim representing the username" + type: string + required: true + visible: ${enable_oidc_authentication} + + oidc_username_prefix: + title: "OIDC username prefix" + description: "Prefix prepended to the username" + type: string + required: true + visible: ${enable_oidc_authentication} + + oidc_groups_claim: + title: "OIDC groups claim" + description: "Claim representing the groups" + type: string + required: true + visible: ${enable_oidc_authentication} + + oidc_groups_prefix: + title: "OIDC groups prefix" + description: "Prefix prepended to the groups" + type: string + required: true + visible: ${enable_oidc_authentication} + + +# OUTPUT SECTION + +outputGroups: + - title: OKE + outputs: + - cluster_id + - worker_pools + - oidc_discovery_endpoint + +outputs: + cluster_id: + type: ocid + title: OKE Cluster OCID + + worker_pools: + type: map + title: Worker Pools + + oidc_discovery_endpoint: + type: link 
+ title: OIDC Discovery Endpoint \ No newline at end of file diff --git a/app-dev/devops-and-containers/oke/oke-rm/oke/variable.tf b/app-dev/devops-and-containers/oke/oke-rm/oke/variable.tf index 61bdeb860..a2312dc78 100644 --- a/app-dev/devops-and-containers/oke/oke-rm/oke/variable.tf +++ b/app-dev/devops-and-containers/oke/oke-rm/oke/variable.tf @@ -80,4 +80,35 @@ variable "oke_vault_id" { variable "cluster_kms_key_id" { default = null +} + +# OIDC + +variable "enable_oidc_discovery" { + type = bool + default = false +} + +variable "enable_oidc_authentication" { + type = bool + default = false +} + +variable "oidc_issuer" { + default = null +} +variable "oidc_client_id" { + default = null +} +variable "oidc_username_claim" { + default = "sub" +} +variable "oidc_username_prefix" { + default = "oidc:" +} +variable "oidc_groups_claim" { + default = "groups" +} +variable "oidc_groups_prefix" { + default = "oidc:" } \ No newline at end of file
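Review bot: The `enable_oidc_discovery` description misspells ServiceAccounts (`SeviceAccounts`), and `oidc_issuer` omits the constraint users hit first: the Kubernetes OIDC authenticator only accepts an `https://` issuer, so `description: "HTTPS URL of the external Identity Provider token issuer. Control Plane MUST be able to reach it"` would save a failed apply. The `oidc_username_prefix`/`oidc_groups_prefix` descriptions could also say why the prefix exists, e.g. `description: "Prefix prepended to the username to avoid collisions with built-in system: users"`, since clearing the prefix is the usual mistake here.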
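Review bot: `oidc_issuer` and `oidc_client_id` are untyped with `default = null`, and nothing in Terraform rejects `enable_oidc_authentication = true` with either unset, or an `http://` issuer; the schema's `required: true` only applies when the stack is driven through Resource Manager, not to `terraform apply` from the unpacked zip. A type and a validation on the issuer catch the common case at plan time; the cross-variable check against the enable flag needs a `check` block or, on Terraform 1.9+, a validation that references the other variable. The `variable "oidc_issuer"` block is rewritten below; the remaining blocks in the hunk are unchanged.
```hcl
variable "oidc_issuer" {
  type    = string
  default = null
  # Kubernetes accepts only https:// issuers; can() turns the regex error on a null value into false.
  validation {
    condition     = var.oidc_issuer == null || can(regex("^https://", var.oidc_issuer))
    error_message = "oidc_issuer must be an https:// URL."
  }
}
```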