Base module to 2.0.0 (#255)

* updated default kubernetes version to v1.18.10, fixed deprecated interpolation-only expressions

* updated base module to 2.0.0

* added support for vertical pod autoscaler

* updated and simplified calico installation

Author: hyder

CHANGELOG.adoc

@@ -7,6 +7,9 @@ All notable changes to this project are documented in this file.
 
 The format is based on {uri-changelog}[Keep a Changelog].
 
+= 2.3.3 (October 30, 2020)
+* Upgraded base module to 1.3.3 to temporarily disable OSMS as fix for #225
+
 == 2.3.2 (August 19, 2020)
 * Unable to install kube in operator (#197)
 * node_pool_image_id value should be "none" in case no custom image is used. In previous versions, this was in upper case (#207)

docs/configuration.adoc

@@ -50,7 +50,7 @@
 . link:#configure-oci-parameters[Configure OCI parameters]
 . link:#configure-oci-networking-parameters[Configure OCI Networking parameters]
 . link:#configure-bastion-host-parameters[Configure Bastion Host parameters]
-. link:#configure-operator-host-parameters[Configure Admin Host parameters]
+. link:#configure-operator-host-parameters[Configure Operator Host parameters]
 . link:#configure-oke-parameters[Configure OKE parameters]
 . link:#configure-oke-node-pool-parameters[Configure OKE Node Pool parameters]
 . link:#configure-oke-load-balancer-parameters[Configure OKE Load Balancer parameters]

docs/dependencies.adoc

@@ -28,24 +28,30 @@ The following table documents the {uri-terraform-options}[Terraform Options] dep
 
 |create_service_account
 |Creates a service account that can be used for CI/CD. 
-|bastion_enabled = true, admin_enabled = true, admin_instance_principal = true
+|bastion_enabled = true, operator_enabled = true, admin_instance_principal = true
 
 |calico_enabled
 |Installs calico as network policy engine
-|bastion_enabled = true, admin_enabled = true, admin_instance_principal = true
+|bastion_enabled = true, operator_enabled = true, admin_instance_principal = true
 
 |metricserver_enabled
 |Installs Kubernetes metrics server for Horizontal Pod Autoscaling
-|bastion_enabled = true, admin_enabled = true, admin_instance_principal = true
+|bastion_enabled = true, operator_enabled = true, admin_instance_principal = true
 
 |node_pools_to_drain
 |Drains existing node pools before upgrading
-|bastion_enabled = true, admin_enabled = true, admin_instance_principal = true
+|bastion_enabled = true, operator_enabled = true, admin_instance_principal = true
 
 |ocir secret
 |Whether to create an authentication secret for OCIR
-|bastion_enabled = true, admin_enabled = true, admin_instance_principal = true, secret_id = secret ocid
+|bastion_enabled = true, operator_enabled = true, admin_instance_principal = true, secret_id = secret ocid
 
 |use_encryption
 |Uses OCI KMS to encrypt data in OKE's underlying etcd
-|bastion_enabled = true, admin_enabled = true, admin_instance_principal = true
+|bastion_enabled = true, operator_enabled = true, admin_instance_principal = true
+
+|vpa
+|Installs Kubernetes Vertical Pod Autoscaler
+|bastion_enabled = true, operator_enabled = true, admin_instance_principal = true, metricserver_enabled = true
+
+|===

docs/instructions.adoc

@@ -49,6 +49,7 @@
 :uri-metricserver: https://kubernetes.io/docs/tasks/debug-application-cluster/resource-metrics-pipeline/#metrics-server
 :uri-k8s-dashboard: http://localhost:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/
 :uri-psp: https://docs.cloud.oracle.com/en-us/iaas/Content/ContEng/Tasks/contengusingpspswithoke.htm#Using_Pod_Security_Polices_with_Container_Engine_for_Kubernetes
+:uri-kubernetes-vpa: https://github.com/kubernetes/autoscaler/tree/master/vertical-pod-autoscaler
 
 . link:#assumptions[Assumptions]
 . link:#kms-integration[KMS Integration]
@@ -65,6 +66,7 @@
 . link:#creating-a-secret-for-ocir[Creating a Secret for OCIR]
 . link:#installing-calico[Installing Calico]
 . link:#installing-kubernetes-metrics-server[Installing Kubernetes Metrics Server]
+. link:#installing-vertical-pod-autoscaler[Installing Vertical Pod Autoscaler]
 . link:#scaling-the-number-of-node-pools[Scaling the number of node pools]
 . link:#accessing-the-kubernetes-dashboard[Accessing the Kubernetes dashboard]
 . link:#destroying-the-cluster[Destroying the cluster]
@@ -247,6 +249,17 @@ Calico enables network policy in Kubernetes clusters. To install calico set the
 
 {uri-metricserver}[Kubernetes Metrics Server] can be installed by setting the parameter *metricserver_enabled = true* in terraform.tfvars. By default, the latest version is installed in kube-system namespace. This is required if you need to use Horizontal Pod Autoscaling.
 
+=== Installing Vertical Pod Autoscaler
+
+{uri-kubernetes-vpa}[Vertical Pod Autoscaler] can be installed by configuring the `vpa` parameter:
+
+`vpa = {
+  enabled = true,
+  version = 0.8
+}`
+
+NOTE: Installing the Vertical Pod Autoscaler also requires installing the Metrics Server, so you need to enable that too.
+
 === Scaling the node pools
 
 There are 2 ways you can scale the node pools:

docs/terraformoptions.adoc

@@ -8,10 +8,11 @@
 :uri-rel-file-base: link:{uri-repo}/blob/master
 :uri-rel-tree-base: link:{uri-repo}/tree/master
 :uri-calico: https://www.projectcalico.org/
-:uri-calico-policy: https://docs.projectcalico.org/v3.8/getting-started/kubernetes/installation/other
+:uri-calico-policy: https://docs.projectcalico.org/getting-started/kubernetes/flannel/flannel
 :uri-cert-manager: https://cert-manager.readthedocs.io/en/latest/
 :uri-docs: {uri-rel-file-base}/docs
 :uri-kubernetes-hpa: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/
+:uri-kubernetes-vpa: https://github.com/kubernetes/autoscaler/tree/master/vertical-pod-autoscaler
 :uri-metrics-server: https://github.com/kubernetes-incubator/metrics-server
 :uri-oci-images: https://docs.cloud.oracle.com/iaas/images/
 :uri-oci-kms: https://docs.cloud.oracle.com/iaas/Content/KeyManagement/Concepts/keyoverview.htm
@@ -29,7 +30,7 @@ Configuration Terraform Options:
 . link:#general-oci[General OCI]
 . link:#oci-networking[OCI Networking]
 . link:#bastion-host[Bastion Host]
-. link:#operator-host[Admin Host]
+. link:#operator-host[Operator Host]
 . link:#oke[OKE]
 . link:#oke-load-balancers[OKE Load Balancers]
 . link:#ocir[OCIR]
@@ -244,7 +245,13 @@ newbits = {
 |`bastion_shape`
 |The shape of bastion instance. *Required*
 |
-|VM.Standard.E2.1
+|`bastion_shape = {
+  # shape = "VM.Standard.E2.2"
+  shape            = "VM.Standard.E3.Flex",
+  ocpus            = 1,
+  memory           = 4,
+  boot_volume_size = 50
+}`
 
 |`bastion_timezone`
 |The preferred timezone for the bastion host. {uri-timezones}[List of timezones]. *Required*
@@ -253,7 +260,7 @@ newbits = {
 
 |===
 
-== Admin Host
+== Operator Host
 
 [stripes=odd,cols="1d,4d,3a,3a", options=header,width="100%"] 
 |===
@@ -305,7 +312,13 @@ newbits = {
 |`operator_shape`
 |The shape of operator instance. *Required*
 |
-|
+|`operator_shape = {
+  # shape = "VM.Standard.E2.2"
+  shape            = "VM.Standard.E3.Flex",
+  ocpus            = 1,
+  memory           = 4,
+  boot_volume_size = 50
+}`
 
 |`operator_timezone`
 |The preferred timezone for the operator host. {uri-timezones}[List of timezones]. *Required*
@@ -462,7 +475,7 @@ a|The number, shape of node pools and node_pool_size to create. Each key and tup
 * node_pool_size defines the number of worker nodes in each nodepool
 * boot_volume_size defines the custom boot volume size in GBs for the worker nodes.
 
-If an empty nodepool like np3 = {} is specified, then a nodepool will default values: 
+If an empty nodepool like np3 = {} is specified, then a nodepool will have the following default values: 
 
 * shape=VM.Standard.E3.Flex
 * ocpus=1
@@ -520,7 +533,7 @@ node_pools = {
 |`node_pool_os_version`
 |The corresponding version of the Operating System image to use to provision the worker nodes.
 |
-|7.8
+|7.9
 
 |`pods_cidr`
 |The CIDR for the Kubernetes POD network for flannel networking. CIDR blocks for pods must not overlap with the CIDR blocks for workers and load balancer subnets (calculated using vcn_cidr, newbits and subnets parameters).
@@ -621,11 +634,6 @@ Refer to {uri-topology}[topology] for more thorough examples.
 |Values
 |Default
 
-|`calico_version`
-|Version of {uri-calico}[Calico] to install.
-|
-|3.12
-
 |`calico_enabled`
 |Whether to install {uri-calico}[Calico] as {uri-calico-policy}[pod network policy].
 |true/false
@@ -645,6 +653,17 @@ Refer to {uri-topology}[topology] for more thorough examples.
 |Whether to install {uri-metrics-server}[Kubernetes Metrics Server]. *Required* for {uri-kubernetes-hpa}[Horizontal Pod Autoscaling].
 |true/false
 |false
+
+|`vpa`
+|Whether to install {uri-kubernetes-vpa}[Vertical Pod Autoscaler] and the version to install. *Requires*  {uri-metrics-server}[Kubernetes Metrics Server].
+|`vpa = {
+  enabled = true,
+  version = 0.8
+}`
+|`vpa = {
+  enabled = false,
+  version = 0.8
+}`
 |===
 
 == KMS integration

locals.tf

@@ -129,11 +129,6 @@ locals {
     username      = var.username
   }
 
-  calico = {
-    calico_enabled = var.calico_enabled
-    calico_version = var.calico_version
-  }
-
   oke_kms = {
     use_encryption = var.use_encryption
     key_id         = var.existing_key_id

main.tf

@@ -3,7 +3,7 @@
 
 module "base" {
   source  = "oracle-terraform-modules/base/oci"
-  version = "2.0.0-RC1"
+  version = "2.0.0"
 
   # general oci parameters
   oci_base_general = local.oci_base_general
@@ -103,10 +103,11 @@ module "oke" {
   oke_ocir = local.oke_ocir
 
   # calico parameters
-  calico = local.calico
+  calico_enabled = var.calico_enabled
 
   # metric server
   metricserver_enabled = var.metricserver_enabled
+  vpa                  = var.vpa
 
   # service account
   service_account = local.service_account

modules/oke/calico.tf

@@ -4,14 +4,7 @@
 data "template_file" "calico_enabled" {
   template = file("${path.module}/scripts/install_calico.template.sh")
 
-  vars = {
-    calico_version     = var.calico.calico_version
-    number_of_nodes    = local.total_nodes
-    pod_cidr           = var.oke_cluster.cluster_options_kubernetes_network_config_pods_cidr
-    number_of_replicas = min(20, max((local.total_nodes) / 200, 3))
-  }
-
-  count = var.calico.calico_enabled == true ? 1 : 0
+  count = var.calico_enabled == true ? 1 : 0
 }
 
 resource null_resource "calico_enabled" {
@@ -42,5 +35,5 @@ resource null_resource "calico_enabled" {
     ]
   }
 
-  count = var.oke_operator.bastion_enabled == true && var.oke_operator.operator_enabled == true && var.calico.calico_enabled == true ? 1 : 0
+  count = var.oke_operator.bastion_enabled == true && var.oke_operator.operator_enabled == true && var.calico_enabled == true ? 1 : 0
 }

modules/oke/metricserver.tf

@@ -4,6 +4,11 @@
 data "template_file" "metricserver_enabled" {
   template = file("${path.module}/scripts/install_metricserver.template.sh")
 
+  vars = {
+    vpa_enabled = var.vpa.enabled
+    vpa_version = var.vpa.version
+  }
+
   count = var.metricserver_enabled == true ? 1 : 0
 }
 

modules/oke/scripts/install_calico.template.sh

@@ -2,21 +2,10 @@
 # Copyright 2017, 2019, Oracle Corporation and/or affiliates.  All rights reserved.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl
 
-mkdir calico
+echo "Installing calico for network policy"
 
-cd calico
+mkdir calico && cd calico > /dev/null 2>&1
 
-curl https://docs.projectcalico.org/v${calico_version}/manifests/calico-policy-only.yaml -O
+curl https://docs.projectcalico.org/manifests/canal.yaml -O > /dev/null 2>&1
 
-sed -i -e "s?192.168.0.0/16?${pod_cidr}?g" calico-policy-only.yaml
-
-sleep 10
-
-if [ ${number_of_nodes} -gt 50 ]; then
-  echo "More than 50 nodes detected. Setting the typha service name"
-  sed -i -e 's/typha_service_name:\s"none"/typha_service_name: calico-typha/g' calico-policy-only.yaml
-  kubectl apply -f calico-policy-only.yaml
-  kubectl -n kube-system scale --current-replicas=1 --replicas=${number_of_replicas} deployment/calico-typha
-else
-  kubectl apply -f calico-policy-only.yaml
-fi
+kubectl apply -f canal.yaml > /dev/null 2>&1