Secondary VNIC for IP/CN, compatible defaults for block volume/AD (#635)

* Secondary VNIC for IP/CN, compatible defaults for block volume/AD

Signed-off-by: Devon Crouse <[email protected]>

* Consistent worker image lookup and variables

Signed-off-by: Devon Crouse <[email protected]>

---------

Signed-off-by: Devon Crouse <[email protected]>

Author: devoncrouse

docs/terraformoptions.adoc

@@ -799,25 +799,25 @@ node_pools = {
 }
 |{}
 
-|node_pool_image_id
-|The OCID of custom image to use when provisioning worker nodes. When no OCID is specified, the worker nodes will use the node_pool_os and node_pool_os_version to identify an image to provision the worker nodes.
+|worker_image_id
+|The OCID of custom image to use when provisioning worker nodes. When no OCID is specified, the worker nodes will use the worker_image_os and worker_image_os_version to identify an image to provision the worker nodes.
 |
 |"none"
 
-|node_pool_image_type
-|Whether to use a Platform, OKE or custom image. When custom is set, the node_pool_image_id *must* be specified. Using an OKE image minimizes the time it takes to provision worker nodes at runtime when compared to platform images and custom images. OKE images are optimized for use as worker node base images, with all the necessary configurations and required software. The use of OKE images reduces worker node provisioning time by more than half when compared to platform images. OKE images are provided by Oracle and built on top of platform images.
+|worker_image_type
+|Whether to use a Platform, OKE or custom image. When custom is set, the worker_image_id *must* be specified. Using an OKE image minimizes the time it takes to provision worker nodes at runtime when compared to platform images and custom images. OKE images are optimized for use as worker node base images, with all the necessary configurations and required software. The use of OKE images reduces worker node provisioning time by more than half when compared to platform images. OKE images are provided by Oracle and built on top of platform images.
 | "custom","oke","platform"
 |"oke"
 
-|node_pool_os
+|worker_image_os
 |The name of the Operating System image to use to provision the worker nodes.
 |
 |Oracle Linux
 
-|node_pool_os_version
+|worker_image_os_version
 |The corresponding version of the Operating System image to use to provision the worker nodes.
 |
-|7.9
+|8
 
 |cloudinit_nodepool_common
 |cloud-init common for all nodepools when no specific script mentioned for nodepool in cloudinit_nodepool.

locals.tf

@@ -12,6 +12,4 @@ locals {
   validate_drg_input = var.create_drg && (var.drg_id != null) ? tobool("[ERROR]: create_drg variable can not be true if drg_id is provided.]") : true
 
   worker_pool_subnet_id = coalesce(var.worker_pool_subnet_id, lookup(module.network.subnet_ids, "workers", ""))
-  worker_image_id       = length(var.worker_pool_image_id) > 0 ? var.worker_pool_image_id : var.node_pool_image_id != "none" ? var.node_pool_image_id : ""
-  worker_image_type     = length(var.worker_pool_image_type) > 0 ? var.worker_pool_image_type : var.node_pool_image_type != "none" ? var.node_pool_image_type : ""
 }

main.tf

@@ -268,10 +268,10 @@ module "oke" {
   max_pods_per_node               = var.max_pods_per_node
   node_pools                      = var.node_pools
   node_pool_name_prefix           = var.node_pool_name_prefix
-  node_pool_image_id              = var.node_pool_image_id
-  node_pool_image_type            = var.node_pool_image_type
-  node_pool_os                    = var.node_pool_os
-  node_pool_os_version            = var.node_pool_os_version
+  node_pool_image_id              = var.worker_image_id
+  node_pool_image_type            = var.worker_image_type
+  node_pool_os                    = var.worker_image_os
+  node_pool_os_version            = var.worker_image_os_version
   node_pool_timezone              = var.node_pool_timezone
   enable_pv_encryption_in_transit = var.enable_pv_encryption_in_transit
   use_node_pool_volume_encryption = var.use_node_pool_volume_encryption

modules/workerpools/README.md

@@ -41,7 +41,7 @@ Many parameters to a worker pool can be defined at multiple levels, taken in pri
 label_prefix                   = ""
 worker_pool_enabled           = true
 worker_pool_size              = 0
-worker_pool_image_id          = "ocid1.image..." # Required here and/or on group
+worker_image_id          = "ocid1.image..." # Required here and/or on group
 worker_pool_mode              = "node-pool"
 worker_pool_shape             = "VM.Standard.E4.Flex"
 worker_pool_ocpus             = 2

modules/workerpools/clusternetworks.tf

@@ -6,27 +6,30 @@ resource "oci_core_cluster_network" "workers" {
   # Create an OCI Cluster Network resource for each enabled entry of the worker_pools map with that mode.
   for_each       = local.enabled_cluster_networks
   compartment_id = each.value.compartment_id
-  display_name   = "${each.value.label_prefix}-${each.key}"
+  display_name   = each.key
   defined_tags   = merge(local.defined_tags, contains(keys(each.value), "defined_tags") ? each.value.defined_tags : {})
   freeform_tags  = merge(local.freeform_tags, contains(keys(each.value), "freeform_tags") ? each.value.freeform_tags : { worker_pool = each.key })
 
   instance_pools {
     instance_configuration_id = oci_core_instance_configuration.workers[each.key].id
-    display_name              = join("-", compact([lookup(each.value, "label_prefix", var.label_prefix), each.key]))
+    display_name              = each.key
     size                      = each.value.size
     defined_tags              = merge(coalesce(local.defined_tags, {}), contains(keys(each.value), "defined_tags") ? each.value.defined_tags : {})
     freeform_tags             = merge(coalesce(local.freeform_tags, {}), contains(keys(each.value), "freeform_tags") ? each.value.freeform_tags : { worker_pool = each.key })
   }
 
   placement_configuration {
-    # Define the configured availability domain for placement, bounded to a single value
-    # The configured AD number e.g. 2 is converted into a tenancy/compartment-specific name
-    availability_domain = lookup(local.ad_number_to_name, (
-      contains(keys(each.value), "placement_ads")
-      ? element(tolist(setintersection(each.value.placement_ads, local.ad_numbers)), 1)
-      : element(local.ad_numbers, 1)
-    ), local.first_ad_name)
-    primary_subnet_id = each.value.subnet_id
+    availability_domain = element(each.value.availability_domains, 1)
+    primary_subnet_id   = each.value.subnet_id
+
+    dynamic "secondary_vnic_subnets" {
+      for_each = lookup(each.value, "secondary_vnics", {})
+      iterator = vnic
+      content {
+        display_name = vnic.key
+        subnet_id    = lookup(vnic.value, "subnet_id", each.value.subnet_id)
+      }
+    }
   }
 
   lifecycle {
@@ -35,10 +38,16 @@ resource "oci_core_cluster_network" "workers" {
       instance_pools["display_name"], instance_pools["defined_tags"], instance_pools["freeform_tags"],
       placement_configuration["availability_domain"],
     ]
+
     precondition {
       condition     = var.cni_type == "flannel"
       error_message = "Cluster Networks require a cluster with `cni_type = flannel`."
     }
+
+    precondition {
+      condition = coalesce(each.value.image_id, "none") != "none"
+      error_message = "Missing image_id for pool ${each.key}. Check provided value for image_id if image_type is 'custom', or image_os/image_os_version if image_type is 'oke' or 'platform'."
+    }
   }
 
   depends_on = [

modules/workerpools/datasources.tf

@@ -15,8 +15,3 @@ data "oci_containerengine_node_pool_option" "np_options" {
 data "oci_containerengine_cluster_kube_config" "kube_config" {
   cluster_id = var.cluster_id
 }
-
-data "oci_core_image" "worker_images" {
-  count    = length(local.enabled_worker_pool_image_ids)
-  image_id = local.enabled_worker_pool_image_ids[count.index]
-}

modules/workerpools/instanceconfig.tf

@@ -5,13 +5,17 @@ resource "oci_core_instance_configuration" "workers" {
   # Create an OCI Instance Configuration resource for each enabled entry of the worker_pools map with a mode that uses one.
   for_each       = local.enabled_instance_configs
   compartment_id = each.value.compartment_id
-  display_name   = "${each.value.label_prefix}-${each.key}"
+  display_name   = each.key
 
   instance_details {
     instance_type = "compute"
 
+
+
     launch_details {
-      compartment_id = each.value.compartment_id
+      availability_domain = element(each.value.availability_domains, 1)
+      compartment_id      = each.value.compartment_id
+
       defined_tags = merge(
         local.defined_tags,
         lookup(each.value, "defined_tags", {}),
@@ -61,19 +65,47 @@ resource "oci_core_instance_configuration" "workers" {
         source_type             = "image"
       }
 
-      is_pv_encryption_in_transit_enabled = var.enable_pv_encryption_in_transit
+      is_pv_encryption_in_transit_enabled = each.value.pv_encryption
     }
 
-    block_volumes {
-      attach_details {
-        type                                = var.block_volume_type
-        is_pv_encryption_in_transit_enabled = var.block_volume_type == "paravirtualized" && var.enable_pv_encryption_in_transit
+    dynamic "block_volumes" {
+      for_each = each.value.availability_domains
+      iterator = ad
+      content {
+        attach_details {
+          type                                = each.value.block_volume_type
+          is_pv_encryption_in_transit_enabled = each.value.pv_encryption
+        }
+
+        create_details {
+          availability_domain = ad.value
+          compartment_id      = each.value.compartment_id
+          display_name        = each.key
+          kms_key_id          = var.volume_kms_key_id
+        }
       }
+    }
+
+    dynamic "secondary_vnics" {
+      for_each = lookup(each.value, "secondary_vnics", {})
+      iterator = vnic
 
-      create_details {
-        display_name   = "${each.value.label_prefix}-${each.key}"
-        kms_key_id     = var.volume_kms_key_id
-        compartment_id = each.value.compartment_id
+      content {
+        display_name = vnic.key
+        nic_index    = lookup(vnic.value, "nic_index", null)
+
+        create_vnic_details {
+          assign_private_dns_record = lookup(vnic.value, "assign_private_dns_record", null)
+          assign_public_ip          = lookup(vnic.value, "assign_public_ip", null)
+          display_name              = vnic.key
+          defined_tags              = lookup(vnic.value, "defined_tags", null)
+          freeform_tags             = lookup(vnic.value, "freeform_tags", null)
+          hostname_label            = lookup(vnic.value, "hostname_label", null)
+          nsg_ids                   = lookup(vnic.value, "nsg_ids", null)
+          private_ip                = lookup(vnic.value, "private_ip", null)
+          skip_source_dest_check    = lookup(vnic.value, "skip_source_dest_check", null)
+          subnet_id                 = lookup(vnic.value, "subnet_id", each.value.subnet_id)
+        }
       }
     }
   }

modules/workerpools/instancepools.tf

@@ -6,24 +6,28 @@ resource "oci_core_instance_pool" "workers" {
   # Create an OCI Instance Pool resource for each enabled entry of the worker_pools map with that mode.
   for_each                  = local.enabled_instance_pools
   compartment_id            = each.value.compartment_id
-  display_name              = "${each.value.label_prefix}-${each.key}"
+  display_name              = each.key
   size                      = each.value.size
   instance_configuration_id = oci_core_instance_configuration.workers[each.key].id
   defined_tags              = merge(local.defined_tags, contains(keys(each.value), "defined_tags") ? each.value.defined_tags : {})
   freeform_tags             = merge(local.freeform_tags, contains(keys(each.value), "freeform_tags") ? each.value.freeform_tags : { worker_pool = each.key })
 
   dynamic "placement_configurations" {
-    # Define each configured availability domain for placement, with bounds on # available
-    # Configured AD numbers e.g. [1,2,3] are converted into tenancy/compartment-specific names
-    iterator = ad_number
-    for_each = (contains(keys(each.value), "placement_ads")
-      ? tolist(setintersection(each.value.placement_ads, local.ad_numbers))
-      : local.ad_numbers
-    )
+    for_each = each.value.availability_domains
+    iterator = ad
 
     content {
-      availability_domain = lookup(local.ad_number_to_name, ad_number.value, local.first_ad_name)
+      availability_domain = ad.value
       primary_subnet_id   = each.value.subnet_id
+
+      dynamic "secondary_vnic_subnets" {
+        for_each = lookup(each.value, "secondary_vnics", {})
+        iterator = vnic
+        content {
+          display_name = vnic.key
+          subnet_id    = lookup(vnic.value, "subnet_id", each.value.subnet_id)
+        }
+      }
     }
   }
 
@@ -32,10 +36,16 @@ resource "oci_core_instance_pool" "workers" {
       display_name, defined_tags, freeform_tags,
       placement_configurations,
     ]
+
     precondition {
       condition     = var.cni_type == "flannel"
       error_message = "Instance Pools require a cluster with `cni_type = flannel`."
     }
+
+    precondition {
+      condition = coalesce(each.value.image_id, "none") != "none"
+      error_message = "Missing image_id for pool ${each.key}. Check provided value for image_id if image_type is 'custom', or image_os/image_os_version if image_type is 'oke' or 'platform'."
+    }
   }
 
   dynamic "load_balancers" {

modules/workerpools/locals.tf

@@ -8,7 +8,6 @@ locals {
   ad_number_to_name = local.ads != null ? {
     for ad in local.ads : parseint(substr(ad.name, -1, -1), 10) => ad.name
   } : { -1 : "" } # Fallback handles failure when unavailable but not required
-  first_ad_name = local.ad_number_to_name[1]
 
   k8s_version_length = length(var.kubernetes_version)
   k8s_version_only   = substr(var.kubernetes_version, 1, local.k8s_version_length)
@@ -23,9 +22,7 @@ locals {
   freeform_tags = merge(coalesce(var.freeform_tags, {}), { "role" = "worker" })
 
   # OKE managed node pool images
-  node_pool_images = try(data.oci_containerengine_node_pool_option.np_options.sources, [{
-    source_type = "IMAGE"
-  }])
+  node_pool_images = try(data.oci_containerengine_node_pool_option.np_options.sources, [])
 
   # Parse platform/operating system information from node pool image names
   parsed_images = {
@@ -51,44 +48,55 @@ locals {
   }
 
   worker_pools_default = {
-    mode             = var.mode
-    size             = var.size
-    shape            = var.shape
-    image_id         = var.image_id
-    image_type       = var.image_type
-    os               = var.os
-    os_version       = var.os_version
-    boot_volume_size = var.boot_volume_size
-    memory           = var.memory
-    ocpus            = var.ocpus
-    compartment_id   = local.worker_compartment_id
-    subnet_id        = var.subnet_id
-    pod_subnet_id    = var.pod_subnet_id
-    pod_nsgs         = var.pod_nsg_ids
-    worker_nsgs      = var.worker_nsg_ids
-    assign_public_ip = var.assign_public_ip
-    label_prefix     = var.label_prefix # TODO Deprecate
-    node_labels      = {}
+    mode              = var.mode
+    size              = var.size
+    shape             = var.shape
+    image_id          = var.image_id
+    image_type        = var.image_type
+    os                = var.os
+    os_version        = var.os_version
+    boot_volume_size  = var.boot_volume_size
+    memory            = var.memory
+    ocpus             = var.ocpus
+    compartment_id    = local.worker_compartment_id
+    placement_ads     = local.ad_numbers
+    block_volume_type = var.block_volume_type
+    pv_encryption     = var.enable_pv_encryption_in_transit
+    subnet_id         = var.subnet_id
+    pod_subnet_id     = var.pod_subnet_id
+    pod_nsgs          = var.pod_nsg_ids
+    worker_nsgs       = var.worker_nsg_ids
+    assign_public_ip  = var.assign_public_ip
+    node_labels       = {}
   }
 
   # Filter worker_pools map variable for enabled entries
-  worker_pools_enabled = {
+  worker_pools_enabled = { for x, y in { # Final dynamic configuration for pool requirements
+    # Merge desired pool configuration onto defaults
     for k, v in var.worker_pools : k => merge(local.worker_pools_default, v) if lookup(v, "enabled", var.enabled)
+    } : x => merge(y, {
+      # Translate configured + available  AD numbers e.g. 2 into a tenancy/compartment-specific name
+      availability_domains = compact([for ad_number in tolist(setintersection(y.placement_ads, local.ad_numbers)) :
+        lookup(local.ad_number_to_name, ad_number, null)
+      ])
+      block_volume_type = y.mode == "cluster-network" ? "iscsi" : var.block_volume_type
+      pv_encryption     = var.enable_pv_encryption_in_transit && y.block_volume_type == "paravirtualized" && y.mode != "cluster-network"
+      image_id = (y.image_type == "custom" ? y.image_id : element(tolist(setintersection([
+        lookup(local.image_ids, y.image_type, null),
+        length(regexall("GPU", y.shape)) > 0 ? local.image_ids.gpu : local.image_ids.nongpu,
+        length(regexall("A1", y.shape)) > 0 ? local.image_ids.aarch64 : local.image_ids.x86_64,
+        [for parsed_image_id, iv in local.parsed_images : parsed_image_id
+          if length(regexall(iv.os, y.os)) > 0 && trimprefix(iv.os_version, y.os_version) != iv.os_version
+        ],
+      ]...)), 0))
+    })
   }
 
   worker_compartments = distinct(compact([for k, v in local.worker_pools_enabled : lookup(v, "compartment_id", "")]))
 
   # Number of nodes expected from enabled worker pools
   expected_node_count = length(local.worker_pools_enabled) == 0 ? 0 : sum([for k, v in local.worker_pools_enabled : lookup(v, "size", 0)])
 
-  # Filter worker_pools map variable for entries with image_id defined, returning a distinct list
-  enabled_worker_pool_image_ids = distinct([
-    for v in local.worker_pools_enabled : v.image_id if contains(keys(v), "image_id")
-  ])
-
-  # Intermediate worker image result from data source
-  enabled_worker_pool_images = data.oci_core_image.worker_images
-
   # Filter enabled worker_pool map entries for node pools
   enabled_node_pools = {
     for k, v in local.worker_pools_enabled : k => v if lookup(v, "mode", "") == "node-pool"