From a6e4131c5d27fe7846e2a225a9995bba844033b4 Mon Sep 17 00:00:00 2001
From: alcampag
Date: Fri, 4 Jul 2025 11:00:42 +0200
Subject: [PATCH 1/2] oke-rm-1.1.2
---
 .../oke/oke-rm/README.md | 4 +-
 .../oke/oke-rm/infra/infra.zip | Bin 22986 -> 22986 bytes
 .../oke/oke-rm/infra/provider.tf | 2 +-
 .../oke/oke-rm/oke/locals.tf | 17 +++-
 .../oke/oke-rm/oke/oke.tf | 94 +++++++++++++-----
 .../oke/oke-rm/oke/oke.zip | Bin 11979 -> 13511 bytes
 .../oke/oke-rm/oke/output.tf | 11 ++
 .../oke/oke-rm/oke/provider.tf | 6 +-
 .../oke/oke-rm/oke/schema.yaml | 94 +++++++++++++++++-
 .../oke/oke-rm/oke/variable.tf | 31 ++++++
 10 files changed, 224 insertions(+), 35 deletions(-)
 create mode 100644 app-dev/devops-and-containers/oke/oke-rm/oke/output.tf
diff --git a/app-dev/devops-and-containers/oke/oke-rm/README.md b/app-dev/devops-and-containers/oke/oke-rm/README.md
index bec1af4f7..e698e5c97 100644
--- a/app-dev/devops-and-containers/oke/oke-rm/README.md
+++ b/app-dev/devops-and-containers/oke/oke-rm/README.md
@@ -16,13 +16,13 @@ This stack is used to create the initial network infrastructure for OKE. When co
 * By default, everything is private, but there is the possibility to create public subnets
 * Be careful when modifying the default values, as inputs are not validated
-[![Deploy to Oracle Cloud](https://oci-resourcemanager-plugin.plugins.oci.oraclecloud.com/latest/deploy-to-oracle-cloud.svg)](https://cloud.oracle.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-devrel/technology-engineering/releases/download/oke-rm-1.1.2/infra.zip)
+[![Deploy to Oracle Cloud](https://oci-resourcemanager-plugin.plugins.oci.oraclecloud.com/latest/deploy-to-oracle-cloud.svg)](https://cloud.oracle.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-devrel/technology-engineering/releases/download/oke-rm-1.1.3/infra.zip)
 ## Step 2: Create the OKE control plane
 This stack is used to create the OKE control plane ONLY.
-[![Deploy to Oracle Cloud](https://oci-resourcemanager-plugin.plugins.oci.oraclecloud.com/latest/deploy-to-oracle-cloud.svg)](https://cloud.oracle.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-devrel/technology-engineering/releases/download/oke-rm-1.1.2/oke.zip)
+[![Deploy to Oracle Cloud](https://oci-resourcemanager-plugin.plugins.oci.oraclecloud.com/latest/deploy-to-oracle-cloud.svg)](https://cloud.oracle.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-devrel/technology-engineering/releases/download/oke-rm-1.1.3/oke.zip)
 Also note that if the network infrastructure is located in a different compartment than the OKE cluster AND you are planning to use the OCI_VCN_NATIVE CNI, you must add these policies:
diff --git a/app-dev/devops-and-containers/oke/oke-rm/infra/infra.zip b/app-dev/devops-and-containers/oke/oke-rm/infra/infra.zip index 3c70bb932fdde01ff294db989f9111914dbf016b..03df89b0d4e545e3af8dbe2291b9184b9212ebd0 100644 GIT binary patch delta 1752 zcmY*ZYfKbZ6rQ=WyEDt;IZK}4JDn5gzT8YxAu^?J){83|-HkQ=JY889$$Ns{#fTI=HPg5|SkZ$=Pjbfz2v6x886*vijb+2>hfP zVu>S@LAwcDoShq;r~`J{dtki63LSQqC7>L*S;fO4wQEvIystLUlTt0oZ7`aphp#m0 zsvS~c;?J576)aiH3L|_e_u$KI(cQRPV*0EVG)p|0eHvHHZHoIbLJTT&H(0VDB#}O# z&y!{E>Mt|T$!;+6P-<{-^Pjk)`Pjs*h7!aQPnKR}D&kB=F)CmaKQPTgEb*SPhq;u7 zzGyNwae1N|vBZ0}YoEO1+?0l?9b1ySAkCU0b3UsHJy*@mj1pCGTut-hIMJ55k7mhQ zt|Mr7OMM>q4@PjG&rJ6BS@#NLQJdou{hVmKlZVD!J#=R$bB}BKqW@tNPiDs>mUy!K z%?utlN)H=r1-NKqnTZ#Zz_ z-SC=QotZ}hh2EIfZ*;5g(5Unf_eRf1UB|)Shiq#HK3W^|LQ?iy@BjLA{pqVaE-v&I z77mNIX5QU9^U?j%m0ewrOqt<>AyJdo68?FYHx#z&LdOh56$13-uw`*DdC|zLqDA+3epuYS}veJlu%i2 z)svfGdb-3f_6TT!3R*%sI9hIwn;t_n@NIFY+=TvB0qe2Cw}B+^d$g#Gl@iu@%oyTf zr^mu5I0`yd4!Gyl!MMkQhB+x@ydnm+uqFv!RbgRz)f6~52jo;c(TbRfkT8>_q2P!* zYa*M6&w^T16g#Of8e_zilhMqephuGpCw)3N8Q}R0YBniSdiJz!pM?|5u#mUl04LKF zN5Lp>heW>wYh4*TZrD%V=r5gmC)V5C}L?dIGcs8qwbd34IdqqGJM71e?%f zlZ2cN`p_9O#D^NttMcobwZLRjB<#XXe z^>XCMk&s|b5IxL+-kL_FnI|EpS}${X9zIjKcC4U-cb4#QxK@i+xg`2lt%Jj7zJW{w aoC+7{$cdkR7RW%%sPixw7whX<=>Gv>lWoBO delta 1785 zcmb7EeM}Q)7{7b3AIG4z(DKovEik55XiGajlx=EOJ_`MSLV-eO3rv%h43Z&pE@Cu| zE^`|Rc2B@%a|@YZ&_$=~bnc4{6U`Kzg1`)uIr(GzXZ%4HK}jULJGi@ce=ONu-sJB0 zdw$Qy`##TmJ%V44;BXY*D(&~w2k8}=#Lpu3M^;x4VM!-J?7j+5L`Jpbo;AoVw}TL= zFp_>5)+W+Ii;yS!Baf}t5(GavC1rj%^1eX>SL1R81C#Ls7;eykN_ZA#RI@zE zxZj>q$hqB@a);nKrbLNW0aH{FFODeFOHqu)Ev;2x)w;xJ_L9IXWX1^$p8XXUaU|O( zM8vcEV3Q|3y3l(YHG+=G=(U_uPWw&Hnbf7;N8c zK6v8QO14XxbMNSN$S<1{N|%b?nj$Xkf48ykvjKf!LGAE+cXl1xy?5f|5&OCG?Kf{k zwuX<4oPXi>A?)xcqfhPmrDD#w?zVML+tQnt{TKRd4}#zR)l`eMw_ohn{n(`_F~8mP zWoO+h-}|n}9{0E&pur*e=-16vZ!FF%O+SCG=VANfL(k3OALZqo8l3#|r~PGtA6E9} zg@(mr0~6_Phm?FYa`W%^F$^Pc3=@XQ)d7ZbEo^SoFhjwW!S(&HRRIfIHgeTRGK$CI z`1%*D!#puiawB^B+u&Zg9KtpVVHljTInZeY%eF09^wj(46!?e4()jQB7h4DnWMV2s 
zjN#0c;CA3hMF`i$tW7PN51k}nphBM%ZNRvoXa8uW2JH~RqlyjY)eA$AGgrnjb;3Ih zwB-qUQPFWjr$tcXRzjPEN~S|cYoj~|#c;Or|9ZYCW<96cwW!|%MRo)6x&(tP(g-Vd zC2VslV7X2X$es*$?OvoH!QyB}6C^7da(L14I9PE6@Gl_j&_TD;iMr$AnzI!l1#O~* zu|yqw?oq-%mk#}`fDc`MWK3e2lqv^$m;^hkUP8B&EHYbFiTYHaulA#zX)I!(C{{gQ ztwXtLSf~!5_H>$QLxmdn&h0}bI@T^BGZmaQ7DQ&i!J1|y&tlOhH7;~F3!Jq9WL(c8 z*J_<;aXqAZ0!XH3k?Bq8bOZ~U*2A1<2Re|$qW(HND$9jabV3FHK4KzEH&`_@< z#tj%8Fy*nCCD3(!Y+_9o>#I>)9@rZEsN2FKrTG-hHds)}v!L+$(M$o0_IQo(N4ZY) zX(8Qttu{0KW=lv^MjiKHsJjRY(|Kl8tOK)6MA9SdV`c+Jy~Rpq0HXVjnQvKRB|+nn Irp8YEA6Y(0$^ZZW
diff --git a/app-dev/devops-and-containers/oke/oke-rm/infra/provider.tf b/app-dev/devops-and-containers/oke/oke-rm/infra/provider.tf
index 34d2ad9a5..c19cf34b9 100644
--- a/app-dev/devops-and-containers/oke/oke-rm/infra/provider.tf
+++ b/app-dev/devops-and-containers/oke/oke-rm/infra/provider.tf
@@ -3,7 +3,7 @@ terraform {
 required_providers {
 oci = {
 source = "oracle/oci"
- version = "7.4.0"
+ version = "7.7.0"
 }
 null = {
 source = "hashicorp/null"
diff --git a/app-dev/devops-and-containers/oke/oke-rm/oke/locals.tf b/app-dev/devops-and-containers/oke/oke-rm/oke/locals.tf
index 90af7488c..1c107893d 100644
--- a/app-dev/devops-and-containers/oke/oke-rm/oke/locals.tf
+++ b/app-dev/devops-and-containers/oke/oke-rm/oke/locals.tf
@@ -6,5 +6,20 @@ locals {
 enable_cert_manager = var.cluster_type == "enhanced" && var.enable_cert_manager
 enable_metrics_server = var.cluster_type == "enhanced" && var.enable_cert_manager && var.enable_metrics_server
 enable_cluster_autoscaler = var.cluster_type == "enhanced" && var.enable_cluster_autoscaler
- create_autoscaler_policies = var.cluster_type == "enhanced"&& var.enable_cluster_autoscaler && var.create_autoscaler_policies
+ create_autoscaler_policies = var.cluster_type == "enhanced" && var.enable_cluster_autoscaler && var.create_autoscaler_policies
+}
+
+# OIDC
+locals {
+ oidc_discovery_enabled = var.cluster_type == "enhanced" && var.enable_oidc_discovery
+ oidc_authentication_enabled = var.cluster_type == "enhanced" && var.enable_oidc_authentication
+ oidc_token_authentication_config = {
+ client_id = var.oidc_client_id
+ issuer_url = var.oidc_issuer
+ username_claim = var.oidc_username_claim
+ username_prefix = var.oidc_username_prefix
+ groups_claim = var.oidc_groups_claim
+ groups_prefix = var.oidc_groups_prefix
+ }
+
+}
\ No newline at end of file
diff --git a/app-dev/devops-and-containers/oke/oke-rm/oke/oke.tf b/app-dev/devops-and-containers/oke/oke-rm/oke/oke.tf
index bf75ce78e..d32acf506 100644
--- a/app-dev/devops-and-containers/oke/oke-rm/oke/oke.tf
+++ b/app-dev/devops-and-containers/oke/oke-rm/oke/oke.tf
@@ -37,7 +37,7 @@ locals {
 module "oke" {
 source = "oracle-terraform-modules/oke/oci"
- version = "5.2.4"
+ version = "5.3.1"
 compartment_id = var.oke_compartment_id
 # IAM - Policies
 create_iam_autoscaler_policy = "never"
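Review bot: `oidc_token_authentication_config` in the new `locals` block is built from `var.oidc_*` unconditionally, so the module receives an object whose `issuer_url` and `client_id` are null whenever OIDC authentication is off or the cluster is not enhanced; whether the module tolerates that cannot be seen here, so either confirm it or make the intent explicit with `oidc_token_authentication_config = local.oidc_authentication_enabled ? { ... } : null` if the module variable is nullable. The non-empty `username_prefix`/`groups_prefix` are the security-relevant part of this map and deserve a why-comment, e.g. `# prefixes keep identities from the external IdP from colliding with built-in Kubernetes users and groups (system:*)`. The two `locals` blocks could also be merged, and the stray blank `+` line before the closing brace dropped.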
@@ -68,7 +68,7 @@ module "oke" {
 create_vcn = false
 vcn_id = var.vcn_id
 # Network module - security
- control_plane_allowed_cidrs = var.cp_allowed_cidr_list # ["0.0.0.0/0"]
+ control_plane_allowed_cidrs = var.cp_allowed_cidr_list
 control_plane_is_public = ! local.is_cp_subnet_private
 load_balancers = local.is_lb_subnet_private ? "internal" : "public"
 preferred_load_balancer = local.is_lb_subnet_private ? "internal" : "public"
@@ -84,6 +84,15 @@ module "oke" {
 use_signed_images = false
 use_defined_tags = false
+ # OIDC
+ oidc_discovery_enabled = local.oidc_discovery_enabled
+ oidc_token_auth_enabled = local.oidc_authentication_enabled
+ oidc_token_authentication_config = local.oidc_token_authentication_config
+
+ cluster_freeform_tags = {
+ cluster = var.cluster_name
+ }
+
 # Bastion
 create_bastion = false
@@ -101,7 +110,7 @@ module "oke" {
 # Set this to true to enable in-transit encryption on all node pools by default
 # NOTE: in-transit encryption is supported only for paravirtualized attached block volumes (NOT boot volumes), hence you will need to create another StorageClass in the cluster as the default oci-bv StorageClass uses iSCSI
- # Also note that Bare Metal instances do not support paravirtualized volumes, so do not enable this for node pools that require BM instances
+ # Also note that Bare Metal instances do not support paravirtualized volumes, so do not enable this in node pools that require BM instances
 worker_pv_transit_encryption = false
 # Enable encryption of volumes with a key managed by you, in your OCI Vault
 #worker_volume_kms_key_id = local.volume_kms_key_id
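Review bot: In the `@@ -84` hunk the cluster is tagged with the key `cluster` (`cluster_freeform_tags = { cluster = var.cluster_name }`) while node pools elsewhere in this file tag nodes with `"oke-cluster-name" = var.cluster_name`; using one key for both lets tag-based IAM conditions and cost reports match cluster and nodes together, so `"oke-cluster-name" = var.cluster_name` here would be consistent. `oidc_token_auth_enabled` and the config object are forwarded directly, and nothing at this call site guards against enabling token auth while `oidc_issuer` or `oidc_client_id` still have their null defaults from variable.tf — the schema's `required: true` only applies in the Resource Manager form, not to a plain `terraform apply`. The `module "oke"` block begins and ends outside these hunks.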
@@ -110,7 +119,7 @@ module "oke" {
 #max_pods_per_node = 31
 worker_disable_default_cloud_init = false # If set to true, will let you full control over the cloud init, set it when using ubuntu nodes or nodes with taints (can even be set individually at the node pool level)
- worker_cloud_init = [{ content_type = "text/cloud-config", content = yamlencode(local.cloud_init_ol)}] # Cloud init is different, depending if you are using Ubuntu or Oracle Linux nodes
+ worker_cloud_init = [{ content_type = "text/cloud-config", content = yamlencode(local.cloud_init_ol)}] # Cloud init is different, depending if you are using Ubuntu or Oracle Linux nodes. You can also set taints with the cloud init
 # GLOBAL TAGS TO BE APPLIED ON ALL NODES
 # NOTE: tags will be applied to both the node pool and the nodes
@@ -125,34 +134,23 @@ module "oke" {
 worker_pools = {
- # SYSTEM NODE POOL TO BE ENABLED FOR THE CLUSTER AUTOSCALER
- np-system-ad1 = {
- shape = "VM.Standard.E4.Flex"
- size = 1
- placement_ads = ["1"]
- ocpus = 1
- memory = 16
- node_cycling_enabled = true
- node_cycling_max_surge = "50%"
- node_cycling_max_unavailable = "25%"
- node_labels = {
- role = "system"
- }
- create = false
- }
-
 # SAMPLE NODE POOL, SET create = true TO PROVISION IT
 np-ad1 = {
 shape = "VM.Standard.E4.Flex"
 size = 1
+ kubernetes_version = var.kubernetes_version # You can set this value as fixed, so that control plane and data plane are upgraded separately
 placement_ads = ["1"] # As best practice, one node pool should be associated only to one specific AD
- ocpus = 2 # No need to specify ocpus and memory if you are not using a Flex shape
+ ocpus = 1 # No need to specify ocpus and memory if you are not using a Flex shape
+ memory = 16
+ #image_type = "custom"
 #image_id = "" # You can override global worker node parameters individually in the node pool
- memory = 16 # No need to specify ocpus and memory if you are not using a Flex shape
- node_cycling_enabled = true # Option to enable/disable node pool cycling through Terraform. NOT SUPPORTED WITH BARE METAL NODES!
+ node_cycling_enabled = false # Option to enable/disable node pool cycling through Terraform. Only works with Enhanced clusters!
 node_cycling_max_surge = "50%"
 node_cycling_max_unavailable = "25%"
- boot_volume_size = 100 # For Oracle Linux, make sure the oci-growfs command is specified in the cloud-init script. This module already implement this
+
+ node_cycling_mode = ["boot_volume"] # Valid values are instance and boot_volume. Only works when (kubernetes_version, image_id, boot_volume_size, node_metadata, ssh_public_key, volume_kms_key_id) are modified.
If you need to change something else, switch to instance
+ # NOTE: boot_volume mode seems to work only for Flannel clusters for now
+ boot_volume_size = 100 # For Oracle Linux, make sure the oci-growfs command is specified in the cloud-init script. This module already implements this
 freeform_tags = { # Nodes in the node pool will be tagged with these freeform tags
 "oke-cluster-name" = var.cluster_name
 }
@@ -161,6 +159,23 @@ module "oke" {
 create = false # Set it to true so that the node pool is created
 }
+ # SYSTEM NODE POOL TO BE ENABLED FOR THE CLUSTER AUTOSCALER
+ np-system-ad1 = {
+ shape = "VM.Standard.E4.Flex"
+ size = 1
+ placement_ads = ["1"]
+ ocpus = 1
+ memory = 16
+ node_cycling_enabled = true # Only works with Enhanced clusters!
+ node_cycling_max_surge = "50%"
+ node_cycling_max_unavailable = "25%"
+ node_cycling_mode = ["boot_volume"]
+ node_labels = {
+ role = "system"
+ }
+ create = false
+ }
+ # SAMPLE NODE POOL WITH A CLOUD INIT TO SET NODE TAINTS
 np-taints = { # An example of a node pool using a custom cloud-init script to define taints at the node pool level
@@ -174,12 +189,13 @@ module "oke" {
 node_cycling_enabled = true
 node_cycling_max_surge = "50%"
 node_cycling_max_unavailable = "25%"
+ node_cycling_mode = ["boot_volume"]
 boot_volume_size = 100
- ignore_initial_pool_size = false
 create = false
 }
+ # SAMPLE AUTOSCALED NODE POOL
 # This is a sample pool where autoscaling is enabled, note the freeform tag
 # REQUIREMENTS FOR ENABLING THE CLUSTER AUTOSCALER
 # - THE CLUSTER AUTOSCALER ADDON MUST BE ENABLED
@@ -196,6 +212,7 @@ module "oke" {
 node_cycling_enabled = true
 node_cycling_max_surge = "50%"
 node_cycling_max_unavailable = "25%"
+ node_cycling_mode = ["boot_volume"]
 boot_volume_size = 100
 ignore_initial_pool_size = true
 freeform_tags = {
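Review bot: `node_cycling_mode = ["boot_volume"]` is hard-coded for np-ad1 in this hunk and repeated verbatim in the `@@ -161`, `@@ -174`, `@@ -196` and `@@ -203` hunks, yet the comment beside the first copy says boot_volume mode "seems to work only for Flannel clusters for now"; a single value such as `node_cycling_mode = local.node_cycling_mode` (defined once in locals.tf) would let a reader switch every pool to `instance` in one place and carry that caveat once. The same attribute line carries a ~200-character trailing comment listing the fields that trigger boot-volume cycling; putting it on its own `#` lines above the attribute keeps the diff and the file readable. Also `ocpus` for np-ad1 drops from 2 to 1 here without a note, which is easy to mistake for an accidental edit. The `worker_pools` map opens in this hunk and closes in the `@@ -203` hunk.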
@@ -203,6 +220,33 @@ module "oke" {
 }
 create = false
 }
+
+ # SAMPLE AUTOSCALED PREEMPTIBLE NODE POOL
+ # Often, to save money it makes sense to provision preemptible instances, as autoscaled node pools are already very dynamic
+ np-autoscaled-preemptible-ad1 = {
+ shape = "VM.Standard.E4.Flex"
+ size = 1
+ placement_ads = ["1"]
+ ocpus = 1
+ memory = 16
+ node_cycling_enabled = true
+ node_cycling_max_surge = "50%"
+ node_cycling_max_unavailable = "25%"
+ node_cycling_mode = ["boot_volume"]
+ boot_volume_size = 70
+ ignore_initial_pool_size = true
+ freeform_tags = {
+ cluster_autoscaler = "enabled"
+ }
+ preemptible_config = {
+ enable = true
+ is_preserve_boot_volume = false
+ }
+ create = false
+ }
+
+
+
 }
 providers = {
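Review bot: `np-autoscaled-preemptible-ad1` sets `boot_volume_size = 70` while every other pool in this file uses 100 and nothing explains the difference; if it is a deliberate cost choice a comment such as `boot_volume_size = 70 # smaller than the other pools on purpose; preemptible nodes are short-lived` stops it reading as a typo. The header comment could also tell whoever flips `create` to true what `preemptible_config.enable = true` implies: `# Preemptible nodes can be reclaimed by OCI at any time, so only schedule workloads that tolerate abrupt termination here (a taint set via cloud-init, as in np-taints, is one way to enforce that)`. The three blank `+` lines before the closing brace of `worker_pools` look like leftover whitespace.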
diff --git a/app-dev/devops-and-containers/oke/oke-rm/oke/oke.zip b/app-dev/devops-and-containers/oke/oke-rm/oke/oke.zip index 026c45bb81931fded138402c2907dfa78d14e8f4..b5720e8c550e25b533855d69b5151ab8dbbfe79e 100644 GIT binary patch delta 8344 zcmZ{p1yEeivhWvohv4oGL4yT%cMY)E;sJsM!eR*;0xa(C?(P;`LU4E206{;v_vPLE zZ@urF>eF>bdaP?|e$zun{nluz3NWy^0L16_mHS8(8XF24g(3*!S)O&JG!6pHb27vb z;m!Z1Ys6bY#E_gI_lTGfNz zIyZVmxtjyk_vBM(fvn&$R3shx`?VfwUF&`OSA{rR`9N_m_ZGKYG~#uu`oYKhxv%!A z6TC&&@{FM-LOqKdbfB}@!ETs{g1NX#SD=YPpz;fq6!MCc#qN}RAw zHvVXJYE^EEtyJEv4{oC%ZPDc`I!1#zkQDy8FE)MHsC^B`J6cnlM0mv0`$h{TxP&;& zgo9?6`+)RIVb^v7$FSCb*9iQAeyKK$Q?47YTLN?OI1mHI>k!y`&!J`}mh9m77w0RLGX1Y5elqB-X6ni!$`FKsHU{hY3i1 zSrEFK1Y4W)9FSrYv9F-&FWq9vG+^3L*zP>6-}S|>=GMw0GI@#k08|wa5Ch}{HjSVF zfD%~1^FItM(!W>tWi<>DNFc(@MCfP$gg=Y&XR$*4Hz3(4%;20TOHkgkyyy{qd&dQ7 z?8h?W%GmOT9L(GXM|Ud<_elF%JR5^HSvj>DxJoJ=Y^>;^jp(Xr!^b;eu4ZqDdH+!@ z=xbixz}oO(iwM_`kcLE7IxFDSk>svcrg~KIQ;b?!IER25)sz#if(xGl(+Ht8-SM+DSKE`R+t0wk%t-kVIW(NS9qEBz!Vz_;nWP zTKZ@>{nR+h2mRH!!4cVZt;?}uWzM2U0y@)jeDHy2pLELsQsuN$BEyqC@V?$=M<&yQ z@%9s?GAvujT<<0J&o#(8Zz?Y?b7~mFuTaB0x~_@chR+Dyc;dNYZ9}1meVrPrydDQM z1Ou-vH>|d>LnB$}Wg|*9Ui%8TUJO6)WYMr;bNnB=@^tzGoq-sa+C zSnmwA4GbF;4(0teml)5q)E1aL=5Q%ATL7*IpQZ>_pz;cVq%CdRp`|AKL6PO&%^((u!?Wm`@$Z368|j9^d#m=cQ8Tdfw3)esByXl30lY?_Cv<7*_tOa;o1z} zdjDes3$MU8pEyma(VoWW#-glW{cYgWvUl&#B#(q1&dIw~+HbsfeZGBo6<(Jfk%em= z4{sAwApWH)QWLRMo$daKIWBmC{cX^qDqKwL6N$Zrh`*a5cZeH^_n}i`qgDWQ)}e<} zJ96{&@<#YI{|5N*X)AT>lP>!5)9i@>hCaf2yQGGji|awP@K?4AQKT}DI?oI+%_eqd zq(|H=k3R*~I|FX`qG5_B;LY4=OqrAUwp7+Cec6MmkL=a{^6E`uMEPfW2P5jtAQxJc z1Z}!D78LvU*s*tu)(uVh$W(Vm;x^phGaEI<`NGC6Cn+1aP@XpoGLAi4U}H7 zLz;Mb5z-CC74V)r{CwWaTvEB+zC%kMFp4Vh0lgt67e;w|ZpudlTT0ns76x zK5Ykw4bGv^s;%!O=pHG0$8lPbJa)ma2hel$P?FeExei3^^CVm(%e7dhG<%l<{M=4F zZ{w4GO|h{1eBC3b01;j`1bjo_V-L~GuZ${;Fnn^4JgF(%&jCoVg zET2F{WbGmOIh+#$rK{R8zdv6gk#7rJaRt+%y|p2k3k*W3pqs0M`fUx@A&Y-j80GMm zMCDDk>U=h^Un-AwCf=#!L~|EGZQzTmrK9l`5*N7;A`dCYea3!e9H``Vo=Ar{*+`B^ 
zm*iGqAlInm%3y|gG-t&iI8!rdrQAY>G(jzyOWh0@wB6A#pny_vBaR}B9LFWWE~tuva(B=XxPq+P6uC2?n|%KF*1>b)(v$8j|R@C|_3?~9F~ac-b~ zQj_bw+b=`E<9PMA3nbvkV~U|HU#P)um3k0nUomLO;sVjMe5*pM4ENW?enp)(@0oMY z4Ej;(0`>x|o`%c9D;KRgO55orUeY}CE_HtmClf0|9TG3C#7pajGn^)=EsS>Irb$P{ zc}By=%S{uO8q4`+@UZWVy6J#Y!C(l8)-9po1f(1##N*cA`-xu&a|r%BkwuVFoTPO4 zKp3kq<7tt1g|F??PR|j>sFqk6KqHCX*Gef9A~J?WrvbI*9^FGyh6>O&>9BV*p%QRYj; z4eb(lvef9W;N7$E%{i?H9rOZlXxRf2sGL$1>IWInc0@0yzd}wJF_i4## zTk(UN?ntx2@Df1SF86Zf)WicVbRmNU$wLW2B3K+pIyT*iUy47)f&Pceqw5*aMiOCO^;`3=N;QA$c%oGnhAI|i1sQ$_cey~_~ z4vT6@Wc*CR3{dT>qjaF68tK();4$E|xlA^7Vh&%m(!w}y{gwCneN)sV(>sF|y#+_T zX0805o~jeJMy8?jkE+gC^5&r~L7SSouBtNohd`!fO%XTsZ$~S34}uM50Y`!j#YD60 zc_MVg;3vzLgto*Re7-3$qd9C(a#{;$yTlANNLIKiqh`@~z#jI^xBYeOT_wL0#+lNo zDSR4a7H@}PLLPjB>9>MMJg;2t04u+j9Q&RI?YMc$N|bqd;CcH%QPNQLRGSB?X&G*Z zT}5;KL^Fjo?Qh4I4@`O|~X zz(+^ZADkI2`GDT87V#FPSv{hGsfZhcEMe3JY;p5)AXEcZ^dkYA%aCpq3|}If>a=18 zGSkFIiJLsKp{vYQ!KUl)1um~AjTc8Pb=GaXMH)XI#;niP^AzD#8Wzn8Ip#8vcGt(3 zmav^x((mbwjrPyf>p-M$M2G3aEO|HCz)(^S#v{v$I~oj}MyC+#?eC{Gbx0Jyq~{B~ zT!d4y%|E}!2!f0S8TanD8Bb)8`EUOCbPt!1>RJly)3mo^HY*6qY70Hq8i0#Cu!=2k z^PxH6jU1N-)s0#NdvJsnxn{1XP9bsot?y}`r`$_C)vTC{L$J(h#6LzwQr1C*fz{YQ z%%d|_PgsyR?-B-xP#@3*W74RHH3B&L2(thl{QBho3hRa^T#G6=p;H2A9hjt8h<# zf@Vqe4viVnR74;T!<9nxiYNIn44?d(oQg@KF;;E(*7tIXUF7&WVsf7CN+O*i@}QL@ zh#oY|c{rBoINOOQY4TLR+Z>eHc6rEA37_S>m+?@dQfQM;->$EMakU(V21Z}`E^PG~ z`y;WhjbKjNd|wZg9TM?`t->Zdi7zr7BYYe>FKW_~nhzyzJzRTko5>xN75#|q1d*T5 zmYZL!%x_@PNy_*qW>x1F4=08XU~R%0<9-TXgYs<5Ot z->oG*nsWq3kcb{wrtn1}9X$0bLrmD5;tSbbqL#aikP=75ek*s{o4!RUTSuYVi;1zj zBJ*Ig)58xd8Kf<;=|l3KCD99Qd$XEMBK`^xdFfA`+loEQ0{Sq5p)KE3_OKVNuluoqx| z?B_Pgx%8cU0xcqn%pMGHKL~#~-H3eOtytQ4=cT9DFVDkW6-3?w%t`x0D|}$*a^JmVT3WuGPMr22 zlO_3Aqox#PD~sn*3Ys;^QgdP~nqqg&Bh9JoP$riT@1t(IFCO_7f5Yt=>1+?tO_9RE zVA^PO&F0jC{Mwh*T&dH3f9;-K%b1UH%?#MMwmCnUnbLtAAnn7tBObq+N-ih2#iQ@? 
zTICgg#D?thl+}avRUXEV4sAYi_Qn`uDLVEXP2T{|Gq*M6gg{Ps*A2j)*m<&shbxX>*ecrc32?RBr*VkTj-N431`!%U(gRX?YXu|3D4X8Y$CubdYkZ zH2FM0bSfIP-7@WXMa6?zn16daSnfE%PFDQ6T`KI+#cBmiEn1y>f3_7}>hkUPv0UnX zregaio~(>w|@1YhpfRO<=Njo zb{rKV)O@pETlndatZ&UTHcqUBbu%Tlt7X-TT&z;PD6}q${pHseS;B{kkoi znve)cGmO{z)>+5L%fqq%9D&kytXD9|Vz&)?s=Dm!7vhooqPK}R4^RJMTrHNqPET|I zK%Mp9jQelIePP&N1iUDJ81{eImT19uLm%+hg9M-eIJ$m#@A?5E%8CnqreU85OAz>3 zUi9bDP9$FrOv#Bm?Mhu=QeB0}Lo)vfBsp!YN_Szzk4W!=o=i-5^tMK2n6;`=CeOr% z4+xYzR|$b?UW)VWNU4$@t6zkc%%FkRla80Yi0i3=>yIPlee_)*4Hw0FbFwmNltn!z=;CRYJqnRbPv1imAYMO;!c#{dk_Ka!vFxC|-OqC1_?v0* zPFh$3**8_kwh>11xCd*K1EmRtRkM6$UFTxHM8Q!cqI)7;pfd+t)Em|>t7arPlEhVC zLmocHG*(?C4f`N5v~rn0xtN`Be$)TvhgG0q3KCs93qlfa!g#@)4GT^Baoqr~ThMNg zF_#%h!Lae5LmT-ultI#i<&c;lblbn?wWVUDeeii+{hx0@{&ThUJn+9f01{5df%0b# z{>)9{^Zke*IR`l4`Iaj1Szh$C{)*!QKeo@cv6u(O?vMcJV0Lfa z7YOxM2Ud$-PMm6_NSaj(uTQlalTTAe`vE1 zyp3YC5BlVOb$ocVTlxFVl^RnX1jY%sV3+R}<%S4#!Uu!c^Zmyf$()i7e2F1@-79$Rjf8<@96Tig1eN z<9WF!WiYcU{0_k*tjMm4w#9+0$A5^#{oMhN&b zTZ)NxGH|U{Ma&DF*&bzFHLdLSba}N=L>LmqQOwe4C^UMs3TZBRW+}{ZGoi^36R{s> z_YVDzxG2#u2|~!Mjgm5R?eMS<7EqD12C}y9fmgzy_?Cfc{{utl>bo4=*#&5tG=q5X zbeA~cOcVM|oxSJxW>gawwBn#%%{;=2FO{x7?FfmTXh`p ze=H1dlP;FQjZ+;(i|m~HZ&;tCFfV_mG`l_FUQXMnMMEau&wKjf%yh`DxLM2aI;F*wB(A7m8toPJ&$0 z4qz1%Ck1yxZXPD;rq!RgQ^Tu?1cX-zXX*uDTeHq)Jx>SCdD|N(i5afQ!5>0fFWQn^ zq~GBAcE6r8ltBH=RfOw`2jH`FXTVEQm4Kr=MyOh!n?ADn`aiXOCE1Ff{ZNN|uy4b4#H}q|!G&S&@b|}KX9&%5CL`w6yzn+T$`VYQUDkqJXXncj z3gW}to<+mj=65TPwx&d3_`>-|Pw0WeHAA>VKa&Ex=1e$va zAGD4C;j1MNz1Bv6h)31lm%N&7l6RCL8?1_-?cHh~}i_7?_ zUJicUU~2T&tg~>s(H9M(EAzuKQdq`!&Ye^%$7VAgJ~CHTZZjqxeVA$OE?G1P&6^P& zIkSC|WmmDqy$RpLEYV6gt_m?DI(=#+^tIt&L^9bcif!ZF?e@Ub4(Me|>xWJRyYRt2 z`0XgkKAG-`t4fw;$hsM7?7_U7`K$e~+2@kWO1{}h3{QtsDHp}e=ky;b@<#OFL>PDQ zSjQqM&mGVEaGthhfCWuf+o(-xXV6k_J9l8Y64O_N+$D0ncFu~Un<|bCGcx<|-x<;s zU~J?7ljvN#+oGV7d7ECBGUQoauHVEh#CsnRpaE&7?lv zJM)s9OgF=Do+uzW+ZsU7j&7vHb!M9oXtVWBVO^B7PX8wawufYHaegfpJvenwvZWB#D2pUUq50#Fw9MZm%j|(s2Q`w`R%& zf+I?GNs3?LzmT)u>jMl_w6`=OcJUVKsy>`O3_-zu75vpmErVDyr=>L 
zYrx$*L5o>;nc|A#_Pf@)IG%%_d`u)z(d$8=D+ZEig_SMvOXvl|6GT9Q2mn;k{C)U% zIa&CTkwEC_$Wi{BF8-W4UZOI+bR7SPk)_70*e-Bj_OCqXAnsUr$;L;h&zfLRf0vj8 zQOFTmpi&Ou%jm`lJ-o;7d%RAKuB&FHw+~+_4iOS!+ zPS5c~Cu9iJZtX2C^R1)$9=td@v+`<)U5;77&ucs{$54ld3tR@h1?t(6SFJCGipLRm zp5S+LICD zW8)PzHRqvCm+Rx30t`Zp?P>~O&l4`%x@Qq-VTK$dKCKZWv6KPcQ`NTAi?^C=K1=YXFjXdISHsc2YeLO0JWVVl~Eh#k5a)dI2By7 zJ=MH5a@+P+Q)wVv#ul`Q5X=7E=XFL23#+NSI2Tn|^4y0G307xi7t_W*k;8XK#>xJ4 z4wcHCiGqr^2dZ9QDt=0Er%zN@jBTl>)YQfwJN@jUl_tf}`T%#TB(D-|14Deq>;vG~ z+wd*pm}i{18qf|}b(&6WeT07Tq}t`C_50@|Y#aRFp7i1^FP`+1fgI(Z0X%CoC}>=m z|Bd59+!%#$UIMwQ3ja*+Wt4$=PKRJHRiQsy)BjJf5HiNZ$?;r|n{90Km=E+1eCnXYtI`_&ERV6EB|o(gJ`D f02yRpAboD(-$me_9UK6_etxgv0Dva8m%sl91`i?f delta 6973 zcmZ`;1z1!~+g@U6iKV+yYDqzs6cG@Ru0=|^yKCuOKwMH91f&}zL}HOHX+e-qDe3(2 z{px+c|NYKfbFOn{=6SA}d*+8kLyIj12C?rhL+VobG0ln zCfa>5LLXD)-{riTT8O9E&WLL)LIfigGgdUclGX2wP{P{7{QdCH27egVV}oITa%feM z&|!ndhbOatfwS~1?g}MrRE0?IxjlNEompjW;;rwzSr?mqfAXn?n1G`l8(X374}Y{A zponRjEFyZgUX667Ba7of6sbtl;87LDh|8(lsG6@GRX)GX7qc0qi_X{;o~9V*%z;AM z@!p7l&dX#`cT8Arb*|bZ8%h?VZUaEYvtc0JkSXnjUubH{GHzFP40rLt7^0 zf@mK0YBb6LiFOZP53yb_GG9{%tc#qxOEr4$doV<9A@uTblEfvw!e=509j7hdh56UY z{v1g)(MI`3JFtowzYKt?A|}?46awF6NNl3S?k5PRj?VeKVrTf7cv8`L#n58hSR-zfF6)~X8 z6A=afnmfq0Fr*$ndk$?v%35(ZzR9U)D^~OF7?6_JWi%w(9AHrWQbnu@R;QJwtXngu zV#)nH(abvoQ(R9O;OACQ#~pa?|7p6n!u960xnE2jfl=Zai$lL^%xmkT*EHOdpK!t< zkz$-&t=#NS$Rv{$fiN6*f&%GvTjn1lGU-enAB{`VVXqtI!NOsoTILuZ35nb&Ul*8e z`a0HMlnq(h&qQL9OkPk|aU;V+BNHbR&; zoNlMuyw=-e(i*J7c@7C@B+(_^JXa`Y2w9%x@q=RFf9~j#*up(?n_`zQ)k#H&Hx$-OqNhB?VM{MnK6>SOWCdKMbj0ZJVD7nos5SOF zGodJuZxK}Ok|E_!40|taCA`*omu(XD@#d6u>VcLN^kRA`b1-6tmi*;g+SHeocN1Ra z@Stz8Pu}BjHo?!HtcVYvdwyDk)is|DbQF1h$~wt$XSjVSXfCYNNVj6`mWHX|)LlD- z#tLIh!3sy#c2*Ff6Kyp=GtKG8JJbmw4@q&0WftH80VSP(_N-%u>YQQpjF`Exi#h+K z!WPfqgaY)^&TF{pf>=4un#P^nRY;R}-GRkpV&GhXqycG|a>9d?XVN{(3Z(Njv?f_z zzRu6Rk_I$M3*%%zmR1G&xxJ$n&(_WRHUN7{^xAy1?Aogj1kX9KGIJVh1G}pg*;>-aNLE=kGn$uEly+krCpqBQ%~XQdOzNHLlrh z(8bX5OYEl5;zn?_J4Na)Pzran3ts|2EOaRdhXg;CYS}q{)j!_L(?IF4ToF>y7!Na0 
zW456Jajj%bRz!BZT^hfP1J!6qO#ep&M!xLQPt#cY6V zv~a&#bLyuI`$|Xp3d~>b?oZis8G>`efJ3Q^>3dZ(l5wGX{Z*9mK(Y(5Q0W_8WiLk} zX{%7iN>vUo<~hiVx6medoqwd+DFU<1vz*T9e9Jf1U)>ki#-k-in+DB5D-W8l7JURh z`U>J|8!gzvn_q}ccHIR0|`-yg5085wsqaVECsKWiwtUfar}lY-UbW7sp#Kl zdgJL)@-soZ*>$DYBA(R8px~)Lf#6V)F2=4J({v7Jxzqdf944ag+$=g2zA>;v@kaAP zl!jta?&7pk!C2kW)4DZYc2G7UO@RNvhC$Gi5`{1o^hK3TvLt|?k6XbsR$W&E|B9ER zU`@`xzJ>a^?CVj*N8``yK(CZC=_5-Ovoe~Q$HA<-G3H(C@ESDoN|_IGGJASgELEix zRqsvDHfDxKH%fAx!qk^1ez?I3M_(w0-+Hr}<5@a>;W4TC1ZeIvy+8ig?0Q7=8kEsQ}e zc7?G9f})Zyfl`H#*dGRs)hKzQ==^4>jUB5c(v~y4vNP#80>j)03K5e}C%p<7 zV=E#ZwWiSX=)XV; z2eE(*c^XPTR^8mBqNHFP3Y2o6*&#`fScZ__L$D6<-pzHDc`x)thAB88*z*iT-Wv#D z#szYdyH21}_!H%~fKExwwaSwV1<1#+JC7=^(1VHNhj`YBg`7yJA6(&5eJ~3$32SXd z4uWEALiw1?qWWjVaWhd4S}J5{H+OMS3xK>lE6PpC3-el~QXkm&3w(#qK+jUusOrf@ z@vY*VH39xUtw#y$cm#c=f%Qfa+q))A3);#arF4+c8lcmDTx>)3k4hVxPpRiQXSb79 zeBPp`JQZv=&2_9t5(@q3=$ubI^J4j5GV7Mipm|`^$cH&&BQ(BN*@Q6hyJOqZnff?Z!kX80s6D~S z0XxX96A=YM+cwTP%=l`%P(R7c%=khRzRLhGnSiqdS^mz>mf5xJU;x{OQ!b8;`o-)5E9F0d>|xzJBgU5ev_x%{lhXNL<50H)C`R#xPdj z5i)E*CzjP;z+AFVc%hRBnJ3R)Qq^hR zTPDSDO;ppC zwwc_+Z#>u@CTE{5_LyhKpsp5Iu%YAdNfc+;ig6LJaIIP25t#?cp;4VB{WZ6B+lDS^nU6sl~BS zQX!IrZ)Q8dL4YgnXR+m45G66sBB(rGq&T&;seJDw5%Wd`-B>tsJ3PE73JwjfQWJ!+ zigeGPZ@U~%SUi{1N`R0>$ba1eXVFeg@d|aohg`5aPl$#K+tf1i8CAmJis9g?1{B_&+6F%ktEXLw`xGUuUn(zUUuR~gM9w`o~8pWT~2nDCR$ zNpf4f(%~a1+v-^n=~vm`+lUaQeZdgidTKH#oJ}Xjds3g~&Mtz33I&CMy}d8L+%wmm zv?c=Ms;QGFD-~aB@RZlnUqQgOXaH8BAMnEQy1D%D>B6tgD)mWE<@ihesKOsGh{(kq z+=-`jlh*5n$GcnN#Z)??`ebD&o~R z@y=X++1Q$pCmn}s=Zs&SfAAuoj(emfc%|8ArV^jM`DNEu3+3I7hl@ZPO+GsB-3HXy z<>baRq`mrp?qjS~09u7l)J{39BQIdnM<`QYiTA4}DuUBloYnv?DeR-kx%YrKDK94d z5K9I*w9d((yY7Ij70}Q>QOVo2Os@3QJmdJbfq9^w`fg!(*2e$q=(e~Y8C5vsafpdl zX=$TyqoM~?YBDCh;px-W)=As&nP%W*>*uzkHRkp{Q}ew$FTmATq>cU4tph(t+;LMn z?|#({j25oxRIGXG9_AQx!5OQ71dW@%&g@&@Z;2&<^4$3r4*=+3`$J;=Nn!0#3H`0Q zBBAB|clo^_tyQ7TLH$E^jWE(82pH)8UHLEds%A2QC}ZG-`8?LLYPpxhP50Sd)kv|6 zmk_pJ^rV^mgi%8c8Syg)PBeVnfbs3U;n&VLm$RQ(O7V)lv0engcoI?%SDPX#aRRqo 
z>y%=%B12B_JyiESRkpRnry39118QQOYH-@AIVW5&uma4Uy+LM;xz&-jwgn3hJ8l=8 z7n-+<&i;b+QUE7spm-#q?u6ww{wh668NU|Prz;en-v|A3cY$};BQ`Iz^T{QSm8h4$l`m; z*N4;4#SOG{W$oR0C`x}KxkmYoa5qt}?fSilB^pEdGsM498DSK~{TC|#LhJV?K@=13 zUj*zVbkT86h%n&H=&2XlB|qj?Lkguq(BK0-W_u9QItB%ZuGfr|HdAM1FOp5T^Y>&i zN06mFa2-zB zXTz#f@P*HUjBqPuSpinU`q1Cdp!1;sezy`LENGa#YIR@A+V*s-V?3m*qvS^9`sQHE zC;~=vD?+2mzp?s_5b4BAQTCDJqBS^0L8zXN00ZySH|qrv#S4KbVXx`FUc7a)ND-nS}gt*0oF0UuQEetwO;mk9A-c*qvrUefo)M(CI2l z-8H5}onK1Au7aSKCBz|hI3GfDlAnJIADzZV6U`U&wZtkqDtX(eYStUqU!tC#O7gkj z)B9fPO;+T~A#@{$7tmf-v#cAB-NLjGY1JG7dOBKaqH3y%l0mg}Km4VO1gv&7HTe5c zXXN>dgX)_+%Fh8Xe4Q3t76vj3Y1QL|K%#IoD1N`0BKZ9A2ZLDIh1U^2 zk%;#yRv$%}P`*Y_+uSfX&Uu)@QPXJ!DAMmMzEawvPgXt&eQHPJ_mv$r6}SSS)--#7^Bdd_WUMl|it1IM_2s$9-|!ASxK zt@+o-CX~XWaZ$A5<141R>DtmWYHH*!Jg>2Ll-MgMi@jzEwrt9AVte4CYk2dVGZ!=Igq*Q0Xm6Y zn?n~1_CnK{{lQ$OtBnKh+!7GuP;H6O%f%6Sby|4>mAAJO zlPL^9RrgRiNKHM{zI2DHhI@$?fh_Mnzt0eM6+=LfVu95k>Z7(GDc#eqVX^@Zab+hw zbv(B@Sg%rY-nN*z)Bb2v63_fJuPE4GtnV6Pa2wnPp|qitgk;yG{q%U-noqx&biD9h zi3m1o@zwMVv9{&As0F3#L#xK`0mA8Y@Y=nBEPD9PE7qqQUu${jTlv$KjP$ES47DBI zqCe$VyyKJ=A&>0hpEbP~NldYZ^jti;~ z%P-=s1&FmP@3Y>oi-xbNW#~S6@j*m0iH4COFX87i9K7lj-eGRK(8uYdK^!ZmV^K+Y z>Ad(G`u#W`vHYUwBi}A~B_-fDml(oeCTmx|BuDTJw$x@^%3U%20`KFkCao(_dL}l( za^2mS-A0b59Mq&hC6v1V+%qvg%KQH8)kl9$8KED-wqI*F02j!n-U; zuaro!>O?+Nv#psAm7#V)An#kI247NA}jtDvh&V5qSzHFx`53)|aQpe`69sw^;Y*7ubK# z^e!P3Et*@NX$yz5|0{*RpX{Vi0i&scP_QB^05k1F1l^ZkMSaI$oD!B9&jMGaq(_kr zsPDVEC16Q-b6O~18pg!V;KcbnTN0ip2_P?;uu0M+dvuj5cH*;oe4j%dg?DANXWStR z?5~PM3&Ip&#P!x@eclsX4vxizDi#>KhZ$o<1Wx5vbv8&OoXpBB_(dyn4VOFm z&RijpMzrIv9=F0WhI+Nl^1PCP@4MKR#pP7Pq@9-IBKx_#ukS33|sS{~52dA-b}c``a=HIXeg zC>?kOou}3qCBtQUfzfOsn@3U^R1VHv=%Qk5hsr)Ut-YqMfzq*;^Cuqo=Kz-qpXO0T zhRFv8;&xM-8{_X3M_8;ZtsHyY&Wn}w>olm8?#zoOMQA#by}=D})%`i)_XlS=_KR4{ zxTh-z=zllS?BM^NXlq0(80QZX*asFP{(VfLs)&M0g7)v@5CjE}9NK+3!i1*=|9(;E z{by?*!NkkQ_ctbbDU^6o+V{jM|2~rdDDLn7xZVdX-~bTbxNL$z0LtGP{+ZKa{KYUC z7l7cyqagcxLj)clHQFWx0C7vj{6CxUQ=?~60sshn2AcoX#(OS8Z(8_g41d$bd%tLIbO6L6Kjad 
z-{~a*`oEo>-=1$-?+3;CNZ{|W(fjj~_^aoSYzSUK#{cCPwfqqxNRW%_9}@+<|9b!c Pg!f4q2mn~J|9<;FU*CPa
diff --git a/app-dev/devops-and-containers/oke/oke-rm/oke/output.tf b/app-dev/devops-and-containers/oke/oke-rm/oke/output.tf
new file mode 100644
index 000000000..9bbe7e6db
--- /dev/null
+++ b/app-dev/devops-and-containers/oke/oke-rm/oke/output.tf
@@ -0,0 +1,11 @@
+output "cluster_id" {
+ value = module.oke.cluster_id
+}
+
+output "worker_pools" {
+ value = module.oke.worker_pools
+}
+
+output "oidc_discovery_endpoint" {
+ value = module.oke.cluster_oidc_discovery_endpoint
+}
\ No newline at end of file
diff --git a/app-dev/devops-and-containers/oke/oke-rm/oke/provider.tf b/app-dev/devops-and-containers/oke/oke-rm/oke/provider.tf
index d2d690a12..91532e10c 100644
--- a/app-dev/devops-and-containers/oke/oke-rm/oke/provider.tf
+++ b/app-dev/devops-and-containers/oke/oke-rm/oke/provider.tf
@@ -3,13 +3,9 @@ terraform {
 required_providers {
 oci = {
 source = "oracle/oci"
- version = "7.4.0"
+ version = "7.7.0"
 configuration_aliases = [oci.home]
 }
- helm = {
- source = "hashicorp/helm"
- version = "~> 2.9.0"
- }
 }
 }
diff --git a/app-dev/devops-and-containers/oke/oke-rm/oke/schema.yaml b/app-dev/devops-and-containers/oke/oke-rm/oke/schema.yaml
index e57e236af..29c5fa692 100644
--- a/app-dev/devops-and-containers/oke/oke-rm/oke/schema.yaml
+++ b/app-dev/devops-and-containers/oke/oke-rm/oke/schema.yaml
@@ -56,6 +56,21 @@ variableGroups:
 - oke_vault_id
 - cluster_kms_key_id
+ - title: "OIDC"
+ visible:
+ eq:
+ - ${cluster_type}
+ - enhanced
+ variables:
+ - enable_oidc_discovery
+ - enable_oidc_authentication
+ - oidc_issuer
+ - oidc_client_id
+ - oidc_username_claim
+ - oidc_username_prefix
+ - oidc_groups_claim
+ - oidc_groups_prefix
+
 variables:
 region:
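Review bot: None of the three `output` blocks in the new output.tf has a `description`, so neither `terraform output` nor the stack's output page says what `worker_pools` holds or when `oidc_discovery_endpoint` is populated; e.g. `description = "Cluster OIDC discovery endpoint; only meaningful when enable_oidc_discovery is true"`. `worker_pools` re-exports the module's whole worker_pools object as a stack output — if that object carries per-pool node metadata (this stack passes `worker_cloud_init` globally, and the object's contents are not visible here) it becomes part of the state and of the Resource Manager output view, so it is worth checking what the module includes before exposing it wholesale. The file also ends without a trailing newline.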
@@ -281,4 +296,81 @@ variables:
 description: "Key used to encrypt secrets located in etcd"
 dependsOn:
 compartmentId: ${oke_vault_compartment_id}
- vaultId: ${oke_vault_id}
\ No newline at end of file
+ vaultId: ${oke_vault_id}
+
+# OIDC
+
+ enable_oidc_discovery:
+ title: "Enable OIDC Discovery"
+ description: "Enable OKE to act as an Identity Provider to exchange pod SeviceAccounts for access tokens"
+ type: boolean
+
+ enable_oidc_authentication:
+ title: "Enable OIDC Authentication"
+ description: "Enable OIDC authentication performed by an external OIDC Identity Provider"
+ type: boolean
+
+ oidc_issuer:
+ title: "OIDC Issuer URL"
+ description: "URL of the external Identity Provider token issuer. Control Plane MUST be able to reach it"
+ type: string
+ required: true
+ visible: ${enable_oidc_authentication}
+
+ oidc_client_id:
+ title: "OIDC Client Id"
+ description: "OIDC Client Id on the external Identity Provider"
+ type: string
+ required: true
+ visible: ${enable_oidc_authentication}
+
+ oidc_username_claim:
+ title: "OIDC username claim"
+ description: "Claim representing the username"
+ type: string
+ required: true
+ visible: ${enable_oidc_authentication}
+
+ oidc_username_prefix:
+ title: "OIDC username prefix"
+ description: "Prefix prepended to the username"
+ type: string
+ required: true
+ visible: ${enable_oidc_authentication}
+
+ oidc_groups_claim:
+ title: "OIDC groups claim"
+ description: "Claim representing the groups"
+ type: string
+ required: true
+ visible: ${enable_oidc_authentication}
+
+ oidc_groups_prefix:
+ title: "OIDC groups prefix"
+ description: "Prefix prepended to the groups"
+ type: string
+ required: true
+ visible: ${enable_oidc_authentication}
+
+
+# OUTPUT SECTION
+
+outputGroups:
+ - title: OKE
+ outputs:
+ - cluster_id
+ - worker_pools
+ - oidc_discovery_endpoint
+
+outputs:
+ cluster_id:
+ type: ocid
+ title: OKE Cluster OCID
+
+ worker_pools:
+ type: map
+ title: Worker Pools
+
+ oidc_discovery_endpoint:
+ type: link
+ title: OIDC Discovery Endpoint
\ No newline at end of file
diff --git a/app-dev/devops-and-containers/oke/oke-rm/oke/variable.tf b/app-dev/devops-and-containers/oke/oke-rm/oke/variable.tf
index 61bdeb860..a2312dc78 100644
--- a/app-dev/devops-and-containers/oke/oke-rm/oke/variable.tf
+++ b/app-dev/devops-and-containers/oke/oke-rm/oke/variable.tf
@@ -80,4 +80,35 @@ variable "oke_vault_id" {
 variable "cluster_kms_key_id" {
 default = null
+}
+
+# OIDC
+
+variable "enable_oidc_discovery" {
+ type = bool
+ default = false
+}
+
+variable "enable_oidc_authentication" {
+ type = bool
+ default = false
+}
+
+variable "oidc_issuer" {
+ default = null
+}
+variable "oidc_client_id" {
+ default = null
+}
+variable "oidc_username_claim" {
+ default = "sub"
+}
+variable "oidc_username_prefix" {
+ default = "oidc:"
+}
+variable "oidc_groups_claim" {
+ default = "groups"
+}
+variable "oidc_groups_prefix" {
+ default = "oidc:"
 }
\ No newline at end of file
From e7368ba71ff2b612e8ecb0ea18003b74cc5d6c87 Mon Sep 17 00:00:00 2001
From: alcampag
Date: Fri, 4 Jul 2025 11:08:45 +0200
Subject: [PATCH 2/2] oke-rm-1.1.3
---
 .../oke/oke-rm/infra/infra.zip | Bin 22986 -> 22986 bytes
 .../oke/oke-rm/oke/oke.zip | Bin 13511 -> 13511 bytes
 2 files changed, 0 insertions(+), 0 deletions(-)
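Review bot: The `enable_oidc_discovery` description in the `@@ -281` schema hunk misspells `SeviceAccounts`; it is user-facing form text, so `ServiceAccounts`. `oidc_issuer` is a free `type: string`, but Kubernetes only accepts an `https://` issuer URL, so a form-level `pattern: "^https://.+"` would reject a bad value before the stack is applied. `oidc_username_prefix` and `oidc_groups_prefix` are `required: true`, yet their descriptions do not say that the prefix is what keeps identities from the external IdP from colliding with built-in Kubernetes users and groups, which is the reason not to clear it; one sentence in each description would do.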
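Review bot: The new `oidc_issuer` and `oidc_client_id` variables in the `@@ -80` hunk have neither a `type` nor a `validation` block, so an `http://` issuer or an empty string passes `terraform plan` and is only rejected when the cluster is created. A typed declaration whose validation tolerates the null default, as below, catches that early; the same shape (non-empty when set) fits `oidc_client_id`. All eight new variables also lack a `description`, although the schema hunk already carries that text. The hunk runs to the end of variable.tf, which still has no trailing newline.

```hcl
variable "oidc_issuer" {
  type        = string
  default     = null
  description = "Issuer URL of the external OIDC Identity Provider; must be reachable from the control plane and use https"
  validation {
    condition     = var.oidc_issuer == null || can(regex("^https://", var.oidc_issuer))
    error_message = "oidc_issuer must be an https:// URL."
  }
}
```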
diff --git a/app-dev/devops-and-containers/oke/oke-rm/infra/infra.zip b/app-dev/devops-and-containers/oke/oke-rm/infra/infra.zip index 03df89b0d4e545e3af8dbe2291b9184b9212ebd0..b9c7a60882a2f709f026dc24a894d871ee558a33 100644 GIT binary patch delta 952 zcmX|E>3S`nguNWz$?)*&j8nwz*9=b#61=Rs@w%VTLzJMO}EK zmiBa$bP-`-ME^Ju^oIxnNxP^nil8irx{(OxdcNQLyytn(cg`eJPcrq8 z$hvo=h$b#!xV#%VNtu=ClKfoLzKTk*SQd>}L8*N7~$tPtF32 z>wc&Afj(1U?j`O2%R_bny=5l64@h`v7ubR9L2cU04(2k&$IhFaiiX_7YRtKc4;h65 zdn5KKv$L0lNkwDKCg7nii#@S!|Idc(E0Ji52}Gk~d^Otaw;g$uA|3eR3{U zG|!gjUGTBt@^^|KT_pl)%qG~PBKA0!uvHaTl^PpSe^d0`#RciD4&j4a4@;Yl@{Pf z)J5O*D2Y{~%xlw(8C1w#B;try#s*yRMrc&PPj8rJ1vG_>=*$q&TkoPfIk;6Hrc@56 z7N1}9I9G+`nWaeijHnI>m=EjeoROE``Jxmv!R1eqn8(RAf0VxDA>~idyqS|@fe1ab zU?Q+r?L#Oe;YE&w+bu?%XpqQUh>?ak^+>X{5avcdRTW`hV>?-_oJ=*=)07pCV4QBO zCU9NP}Ne3Q>c2j=|_hnfv2sF7Uv<9b}k`yWB^iNX*S<4V; zPEe1FlZoa4Rj-4kB|)tfoV;C~FDJN2+JMh39W=g?(|FiNgPU+YoTOkSCkuZ$={F+M zDruH&R^e3HT0U8pe6FusxMi+2NO!lw6N%HaDo%E;7cmuaQGYdrXq;@doDM`wG3b$K zx)wJ*e!935^PUR%rZX|^7PY=z@}2JWl;fi(E61o>y6`;s8a=bZts0&ymfwXA_uEW= E0c>wo7ytkO delta 1032 zcmYk4Ur19?9LMj@y_xC$y4j!Wc3qRzYP;Ii(%~@FXq#?x)6}`F%%~8p9;DZzgscZc z=?fZ>=0i_D_=f|&L=Qa#p;-@-5hPSZQJM(#P$Am&dhh5w{m$p}`^VwTP~8mG4e<2* zalMX|3}MRO4KZk@T=jdhb-#jfQ=b-&nICH5v_%cOv65>>r&o{bwoLjxhf6m~`8B?# z_NFVjU8)|$U`(K<-NT&boDQm$(onunje9T~u+i+j>#UY{%{{2@)=h7F+S2h!?95omvttIVa4O!~Sn@>8$ud8XDcpo&vk>WW3rb^AHrv49!>%G_(%YDk+_T8q0j@4i z&g7t}?lgI7Rmix&W2sIew`>sNt)wkip$X@1OvWYFy_3OTr&n$xk)L}M)s~2`Pk06c zZlC-#92OHIS+gtZ$NoGOnUJg(*yj!g4?G@>)=OkQUrAZ553~233@&>`bTmk0#HHYV z(Jo)D_}U<_9R&<33Vql(A(5y16g@8G;n4|+?cL9ywRlSnA5c`hF-k5T#Bk#&V)Q9w zqjV2mG+Oa8BCv0K493bttT$O9Mg=k?Dk*pTb{R>ey%17!I}r~lR0s%o-7K+x4l#HY z@S-p&k?ay#b&&ZI%qCBh&Qc|@wTf3JRE7moT!ypZIC1zf751Y)7Nz|@x&QKGE|J|lZI+ksWtWy#HP=0=A% zq~DEXYtFqsf-S-Cw_jqveTVsN3-6_fSNt#7j(hZ*HJha}e|r_f`Y&*+&w zgM~lxcKxV#>v?$j=4)@my)*SrylfGknPNEap3bwW)v|s0*OeBib`^N4_5^MF%G)e8 zGh$9*1nQ9{kul z>(B46U#>o>YO*>g+qC=WmuIh!M;-0_Ah)A;!u}&FRlTp*UJJG_vEDr^&c{$SoaM4~ 
zVYTVL88s^`LxuRGVvfG3e{?lv&y1K|cQ0_6=@oA`-H==nvruEzzVvNh$|An6?mWTY z;CkrFm+xV}zb;$d>QEsn-)3ccI4N}V>Z`M(C&ubTC~ji230Pv8|8@3W4_=p7EBEdD z^g8-W_wlTU`4<=czjO0D$Auit`kI|7ukR%9s}54H*SMS?@2hrwd-u!A-TSTUUrE;P zEID8sn3vh&b+zx5QD`}jo|b9M{mn7?%J)vDSU5Ii-ri?lQ2mPWZF1C)ZCh_I3yV5y z{KYM}#hQmFut4QY)SCZCJU*V6XsiG2ylBJI_0M#R4xirp{)I-sxW@5|l0 zz44FZiCe`V&m~IkT7Tfnn(W07-Hi9Y@>f%+`)?oM&Cap(-_qTcd<+ahx(o~f-pni_ z3>-iRO11B#%(!5w_TJ3R4xCx=yzqxZV6!5JEG+GBfj)!6L9tGLS z0YE-GP(G2DVe)-N4KSb6NRCAs=)}o<3Nn-3jSQK73QVptvYDJm5CiGW z>B4`w>+>$xsl+}LTNUP(iwI)rqSc-idu|AkCU>p#z{Ti@R?*Piw2^nLT9^$jm)tE!qWIVilpJ>jmG z*ttZ7b@%Uln&=&}Wwz_hdPkiQ$KSip?w+g9nDFIq!NebjKmW7v`N{e+HvHLXwac=s z%mP`#hi)v{n$fubUSO&6yq~>?Z#-OZYhvlb=EvW&KE1zwIehYK&Q~nu9Ph*~&t5N| zEvkN~`hl6#KcUGlOxJCX^8b6`?VGGB!=qDT1by<4yuJD(>C?hzA)YoFg`$hQ>%%91 zOe%U==B#~V$C$BI1F+B{ek$825 zr#tlQy0H8_*RqWXttX^DI81!D=W6~pB~yWw%YXekwLbr%zTE28{jS~riqr2aJ8WM1 z=i}2!Ym57TzVn>>XQ9vjTGN>^_w|-NfBWyvYIn!yPNG z6x5zC+S^;9KKUUF=d#@2{|>xe$-bpO^Wp7ld9$N3P0wGD_7!|*VBm6a;)U#u|Adu~ z+9yl=d&}Q>Xxjc++fVT7f8V!QSyC!V<&5awqVT%viu~iB*cG$SAGK~zeX)<}^5%8D zZPI7|tg@f^L*eg#h5&DNj!>Or2P^p)7=m;efP7{a5e5z*1f|-4ie_A}R0~PqllKb# zg{5^>J{4vtdvZ3fz~%^^NKo1b=L1RR-5d~h(?+RoXjaIYyho2~vWSTsGXn#|myTtjWo6nOv+d$5NvN^!Z19 w{mDo4<(NNeF-%^_tudL`KzQ;oJvrvp+6)tAWuYFFV`9*oY_4xKd9#TK0B|(#JOBUy