added support for Cardiff, secret name to be customized.. (#232)

hyder · web-flow · commit 28cdcbe693c3 · 2020-11-03T21:17:42.000+11:00
* added support for Cardiff, secret name to be customized, IAM requirements already linked to OKE documentation

* updated IAM
diff --git a/docs/prerequisites.adoc b/docs/prerequisites.adoc
@@ -41,10 +41,13 @@ You can proceed to {uri-instructions}[creating the cluster] if you have already
 
 == Identity and Access Management Rights
 
-The Terraform user must have the rights to:
+The Terraform user must have the permission to:
 
 . manage dynamic groups
 . manage policies in root tenancy
+. manage cluster-family in compartment
+. manage virtual-network-family in compartment
+. manage instance-family in compartment
 
 == Install Terraform
 
@@ -86,7 +89,7 @@ Follow the steps below to configure your path on Windows:
 [source,bash]
 ----
 terraform -v
-Terraform v0.12.4
+Terraform v0.12.24
 ----
 
 == Generate API keys
diff --git a/docs/quickstart.adoc b/docs/quickstart.adoc
@@ -116,7 +116,7 @@ provider "oci" {
 ----
 module "oke" {
   source  = "oracle-terraform-modules/oke/oci"
-  version = "2.2.2"
+  version = "2.3.2"
   # insert the 9 required variables here
 }
 ----
@@ -145,8 +145,8 @@ module "oke" {
   bastion_shape                         =   var.bastion_shape
   bastion_timezone                      =   var.bastion_timezone
 
-  admin_shape                           =   var.admin_shape
-  admin_timezone                        =   var.admin_timezone
+  operator_shape                           =   var.operator_shape
+  operator_timezone                        =   var.operator_timezone
 
   # add additional parameters for availability_domains, oke etc as you need
 
diff --git a/locals.tf b/locals.tf
@@ -123,9 +123,10 @@ locals {
   oke_ocir = {
     email_address = var.email_address
     ocir_urls     = var.ocir_urls
+    secret_id     = var.secret_id
+    secret_name   = var.secret_name
     tenancy_name  = var.tenancy_name
     username      = var.username
-    secret_id     = var.secret_id
   }
 
   calico = {
diff --git a/modules/oke/k8stools.tf b/modules/oke/k8stools.tf
@@ -0,0 +1,99 @@
+# Copyright 2017, 2019, Oracle Corporation and/or affiliates.  All rights reserved.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl
+
+# kubectl
+data "template_file" "install_kubectl" {
+  template = file("${path.module}/scripts/install_kubectl.template.sh")
+}
+
+resource "null_resource" "install_kubectl_operator" {
+  connection {
+    host        = var.oke_operator.operator_private_ip
+    private_key = file(var.oke_ssh_keys.ssh_private_key_path)
+    timeout     = "40m"
+    type        = "ssh"
+    user        = "opc"
+
+    bastion_host        = var.oke_operator.bastion_public_ip
+    bastion_user        = "opc"
+    bastion_private_key = file(var.oke_ssh_keys.ssh_private_key_path)
+  }
+
+  provisioner "file" {
+    content     = data.template_file.install_kubectl.rendered
+    destination = "~/install_kubectl.sh"
+  }
+
+  provisioner "remote-exec" {
+    inline = [
+      "chmod +x $HOME/install_kubectl.sh",
+      "bash $HOME/install_kubectl.sh",
+      "rm -f $HOME/install_kubectl.sh"
+    ]
+  }
+
+  count = var.oke_operator.bastion_enabled == true && var.oke_operator.operator_enabled == true ? 1 : 0
+}
+
+# wait for 1. operator being ready 2. kubectl is installed (the script will create the .kube directory)
+resource null_resource "wait_for_operator" {
+  connection {
+    host        = var.oke_operator.operator_private_ip
+    private_key = file(var.oke_ssh_keys.ssh_private_key_path)
+    timeout     = "40m"
+    type        = "ssh"
+    user        = "opc"
+
+    bastion_host        = var.oke_operator.bastion_public_ip
+    bastion_user        = "opc"
+    bastion_private_key = file(var.oke_ssh_keys.ssh_private_key_path)
+  }
+
+  depends_on = [null_resource.install_kubectl_operator]
+
+  provisioner "remote-exec" {
+    inline = [
+      "while [ ! -f /home/opc/operator.finish ]; do sleep 10; done",
+    ]
+  }
+
+  count = var.oke_operator.bastion_enabled == true && var.oke_operator.operator_enabled == true ? 1 : 0
+}
+
+# helm
+data "template_file" "install_helm" {
+  template = file("${path.module}/scripts/install_helm.template.sh")
+
+  count = var.oke_operator.operator_enabled == true ? 1 : 0
+}
+
+resource null_resource "install_helm_operator" {
+  connection {
+    host        = var.oke_operator.operator_private_ip
+    private_key = file(var.oke_ssh_keys.ssh_private_key_path)
+    timeout     = "40m"
+    type        = "ssh"
+    user        = "opc"
+
+    bastion_host        = var.oke_operator.bastion_public_ip
+    bastion_user        = "opc"
+    bastion_private_key = file(var.oke_ssh_keys.ssh_private_key_path)
+  }
+
+  depends_on = [null_resource.install_kubectl_operator, null_resource.write_kubeconfig_on_operator]
+
+  provisioner "file" {
+    content     = data.template_file.install_helm[0].rendered
+    destination = "~/install_helm.sh"
+  }
+
+  provisioner "remote-exec" {
+    inline = [
+      "chmod +x $HOME/install_helm.sh",
+      "bash $HOME/install_helm.sh",
+      "rm -f $HOME/install_helm.sh"
+    ]
+  }
+
+  count = var.oke_operator.bastion_enabled == true && var.oke_operator.operator_enabled == true ? 1 : 0
+}
diff --git a/modules/oke/kubeconfig.tf b/modules/oke/kubeconfig.tf
@@ -25,64 +25,6 @@ resource "local_file" "kube_config_file" {
   filename   = "${path.root}/generated/kubeconfig"
 }
 
-data "template_file" "install_kubectl" {
-  template = file("${path.module}/scripts/install_kubectl.template.sh")
-}
-
-resource "null_resource" "install_kubectl_operator" {
-  connection {
-    host        = var.oke_operator.operator_private_ip
-    private_key = file(var.oke_ssh_keys.ssh_private_key_path)
-    timeout     = "40m"
-    type        = "ssh"
-    user        = "opc"
-
-    bastion_host        = var.oke_operator.bastion_public_ip
-    bastion_user        = "opc"
-    bastion_private_key = file(var.oke_ssh_keys.ssh_private_key_path)
-  }
-
-  provisioner "file" {
-    content     = data.template_file.install_kubectl.rendered
-    destination = "~/install_kubectl.sh"
-  }
-
-  provisioner "remote-exec" {
-    inline = [
-      "chmod +x $HOME/install_kubectl.sh",
-      "bash $HOME/install_kubectl.sh",
-      "rm -f $HOME/install_kubectl.sh"
-    ]
-  }
-
-  count = var.oke_operator.bastion_enabled == true && var.oke_operator.operator_enabled == true ? 1 : 0
-}
-
-# wait for 1. operator being ready 2. kubectl is installed (the script will create the .kube directory)
-resource null_resource "wait_for_operator" {
-  connection {
-    host        = var.oke_operator.operator_private_ip
-    private_key = file(var.oke_ssh_keys.ssh_private_key_path)
-    timeout     = "40m"
-    type        = "ssh"
-    user        = "opc"
-
-    bastion_host        = var.oke_operator.bastion_public_ip
-    bastion_user        = "opc"
-    bastion_private_key = file(var.oke_ssh_keys.ssh_private_key_path)
-  }
-
-  depends_on = [null_resource.install_kubectl_operator]
-
-  provisioner "remote-exec" {
-    inline = [
-      "while [ ! -f /home/opc/operator.finish ]; do sleep 10; done",
-    ]
-  }
-
-  count = var.oke_operator.bastion_enabled == true && var.oke_operator.operator_enabled == true ? 1 : 0
-}
-
 data "template_file" "generate_kubeconfig" {
   template = file("${path.module}/scripts/generate_kubeconfig.template.sh")
 
diff --git a/modules/oke/kubernetestools.tf b/modules/oke/kubernetestools.tf
diff --git a/modules/oke/scripts/secret.py b/modules/oke/scripts/secret.py
@@ -9,9 +9,10 @@
           
 compartment_id  = '${compartment_id}'
 region          = '${region}'
-secret_id       = '${secret_id}'
 email_address   = '${email_address}'
 region_registry = '${region_registry}'
+secret_id       = '${secret_id}'
+secret_name     = '${secret_name}'
 tenancy_name    = '${tenancy_name}'
 username        = '${username}'
 
@@ -34,10 +35,10 @@ def read_secret_value(secret_client, secret_id):
 try:
     secret_content = read_secret_value(secret_client, secret_id=secret_id)
     secret_content = re.escape(secret_content)
-    delsecret = "kubectl -n default delete secret ocirsecret"
+    delsecret = "kubectl -n default delete secret ${secret_name}"
     os.system(delsecret)
 
-    crtsecret = ("kubectl create secret docker-registry ocirsecret -n default --docker-server=${region_registry} --docker-username=${tenancy_name}/${username} --docker-email=${email_address} --docker-password=%s" % secret_content)
+    crtsecret = ("kubectl create secret docker-registry ${secret_name} -n default --docker-server=${region_registry} --docker-username=${tenancy_name}/${username} --docker-email=${email_address} --docker-password=%s" % secret_content)
 
     subprocess.call(["/bin/bash" , "-c" , crtsecret])
  
diff --git a/modules/oke/secrets.tf b/modules/oke/secrets.tf
@@ -7,9 +7,11 @@
    vars = {
      compartment_id  = var.compartment_id
      region          = var.region
-     secret_id       = var.oke_ocir.secret_id
+
      email_address   = var.oke_ocir.email_address
      region_registry = var.oke_ocir.ocir_urls[var.region]
+     secret_id       = var.oke_ocir.secret_id
+     secret_name     = var.oke_ocir.secret_name
      tenancy_name    = var.oke_ocir.tenancy_name
      username        = var.oke_ocir.username
 
diff --git a/modules/oke/variables.tf b/modules/oke/variables.tf
@@ -73,9 +73,10 @@ variable "lbs" {
 # ocir
 variable "oke_ocir" {
   type = object({
-    secret_id     = string
     email_address = string
-    ocir_urls     = map(string)
+    ocir_urls     = map(string)    
+    secret_id     = string
+    secret_name   = string
     tenancy_name  = string
     username      = string
   })
diff --git a/terraform.tfvars.example b/terraform.tfvars.example
@@ -168,9 +168,11 @@ public_lb_ports = [80, 443]
 waf_enabled = false
 
 # ocir
+email_address = ""
+
 secret_id = "none"
 
-email_address = ""
+secret_name = "ocirsecret"
 
 tenancy_name = ""
 
@@ -196,4 +198,4 @@ service_account_name = "kubeconfigsa"
 
 service_account_namespace = "kube-system"
 
-service_account_cluster_role_binding = ""
+service_account_cluster_role_binding = "cluster-admin"
diff --git a/variables.tf b/variables.tf
@@ -104,7 +104,7 @@ variable "vcn_name" {
 # bastion
 variable "bastion_access" {
   default     = "ANYWHERE"
-  description = "The cidr from where the bastion can be sshed into. default is ANYWHERE and equivalent to 0.0.0.0/0."
+  description = "The cidr from where the bastion can be ssh'ed into. default is ANYWHERE and equivalent to 0.0.0.0/0."
   type        = string
 }
 
@@ -282,9 +282,9 @@ variable "kubernetes_version" {
 
 variable "node_pools" {
   default = {
-    np1 = {shape="VM.Standard.E3.Flex",ocpus=2,node_pool_size=2,boot_volume_size=150}
-    np2 = {shape="VM.Standard.E2.2",node_pool_size=2,boot_volume_size=150}
-    np3 = {shape="VM.Standard.E2.2",node_pool_size=1}
+    np1 = { shape = "VM.Standard.E3.Flex", ocpus = 2, node_pool_size = 2, boot_volume_size = 150 }
+    np2 = { shape = "VM.Standard.E2.2", node_pool_size = 2, boot_volume_size = 150 }
+    np3 = { shape = "VM.Standard.E2.2", node_pool_size = 1 }
   }
   description = "Tuple of node pools. Each key maps to a node pool. Each value is a tuple of shape (string),ocpus(number) , node_pool_size(number) and boot_volume_size(number)"
   type        = map(any)
@@ -374,11 +374,6 @@ variable "public_lb_ports" {
 }
 
 # ocir
-variable "secret_id" {
-  description = "OCID of Oracle Vault Secret"
-  type        =  string
-  default     = "none"
-}
 
 variable "email_address" {
   default     = "none"
@@ -406,6 +401,7 @@ variable "ocir_urls" {
     me-dubai-1     = "dxb.ocir.io"
     me-jeddah-1    = "jed.ocir.io"
     sa-saopaulo-1  = "gru.ocir.io"
+    uk-cardiff-1   = "cwl.ocir.io"
     uk-london-1    = "lhr.ocir.io"
     us-ashburn-1   = "iad.ocir.io"
     us-phoenix-1   = "phx.ocir.io"
@@ -414,6 +410,18 @@ variable "ocir_urls" {
   type = map(string)
 }
 
+variable "secret_id" {
+  description = "OCID of Oracle Vault Secret"
+  type        = string
+  default     = "none"
+}
+
+variable "secret_name" {
+  description = "Secret name in Kubernetes that will hold the authentication token"
+  type        = string
+  default     = "ocirsecret"
+}
+
 variable "tenancy_name" {
   default     = "none"
   description = "The tenancy name to use when creating the ocir secret."
@@ -481,6 +489,7 @@ variable "service_account_namespace" {
 
 variable "service_account_cluster_role_binding" {
   description = "cluster role binding name"
+  default     = "cluster-admin"
   type        = string
 }
 
