added support for out-of-place upgrade (#184)

* added support for out-of-place upgrade

* code formatting, updated example var file and docs

* added ability to enable PSP, fixed documentation bug

Author: hyder

README.adoc

@@ -36,7 +36,7 @@
 :uri-terraform-options: {uri-docs}/terraformoptions.adoc
 :uri-terraform-hashircorp-examples: https://github.com/hashicorp/terraform-guides/tree/master/infrastructure-as-code/terraform-0.12-examples
 :uri-topology: {uri-docs}/topology.adoc
-
+:uri-upgrade: {uri-docs}/upgrade.adoc
 
 {uri-oke}[Oracle Container Engine] (OKE) is {uri-oracle}[Oracle]'s managed {uri-kubernetes}[Kubernetes] service on {uri-oci}[Oracle Cloud Infrastructure (OCI)].
 
@@ -56,6 +56,8 @@ This {uri-repo}[Terraform OKE Installer] for {uri-oci}[Oracle Cloud Infrastructu
 
 * {uri-terraform-options}[Terraform Options]
 
+* {uri-upgrade}[Upgrading OKE]
+
 * {uri-terraform-dependencies}[Feature Dependencies]
 
 == Related Documentation, Blog

docs/configuration.adoc

@@ -78,7 +78,6 @@ Enter the values for the following parameters in the terraform.tfvars file:
 
 * api_fingerprint
 * api_private_key_path
-* compartment_name
 * compartment_id
 * tenancy_id
 * user_id
@@ -147,7 +146,7 @@ The bastion host parameters concern whether you want to enable the bastion.
 
 === Configure operator host parameters
 
-The operator host parameters concern whether you want to enable the bastion. 1 parameter to keep in mind here is the operator_instance_principal. Be aware that if this is enabled, it gives API access to the operator host without authentication.
+The operator host parameters concern whether you want to enable the operator host. 1 parameter to keep in mind here is the operator_instance_principal. Be aware that if this is enabled, it gives API access to the operator host without authentication.
 
 Read {uri-instructions}#enabling-instance_principal-on-the-operator-host[more] about {uri-oci-instance-principal}[instance_principal].
 

docs/dependencies.adoc

@@ -38,10 +38,14 @@ The following table documents the {uri-terraform-options}[Terraform Options] dep
 |Installs Kubernetes metrics server for Horizontal Pod Autoscaling
 |bastion_enabled = true, admin_enabled = true, admin_instance_principal = true
 
+|node_pools_to_drain
+|Drains existing node pools before upgrading
+|bastion_enabled = true, admin_enabled = true, admin_instance_principal = true
+
 |ocir secret
 |Whether to create an authentication secret for OCIR
 |bastion_enabled = true, admin_enabled = true, admin_instance_principal = true, secret_id = secret ocid
 
 |use_encryption
 |Uses OCI KMS to encrypt data in OKE's underlying etcd
-|bastion_enabled = true, admin_enabled = true, admin_instance_principal = true
+|bastion_enabled = true, admin_enabled = true, admin_instance_principal = true

docs/instructions.adoc

@@ -49,6 +49,7 @@
 :uri-helm: https://helm.sh/
 :uri-metricserver: https://kubernetes.io/docs/tasks/debug-application-cluster/resource-metrics-pipeline/#metrics-server
 :uri-k8s-dashboard: http://localhost:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/
+:uri-psp: https://docs.cloud.oracle.com/en-us/iaas/Content/ContEng/Tasks/contengusingpspswithoke.htm#Using_Pod_Security_Polices_with_Container_Engine_for_Kubernetes
 
 . link:#assumptions[Assumptions]
 . link:#kms-integration[KMS Integration]
@@ -71,6 +72,7 @@
 . link:#destroying-the-cluster[Destroying the cluster]
 . link:#creating-a-service-account-for-cicd-tools[Creating a service account for CI/CD tools]
 . link:#enabling-waf[Monitor and Protect your application using OCI WAF]
+. link:#enabling-podsecuritypolicy[Enabling PodSecurityPolicy Admissions Controller]
 
 === Assumptions
 
@@ -87,7 +89,7 @@ If you wish to use {uri-oci-kms}[OCI KMS] to encrypt Kubernetes secrets, the fol
 ** {uri-oci-manage-dynamic-groups}[manage dynamic groups]
 ** {uri-oci-manage-policies}[manage policies in root tenancy]
 * link:#adding-the-bastion-host[bastion must be enabled]
-* link:#enabling-instance_principal-on-the-bastion-host[bastion instance_principal must be enabled]
+* link:#enabling-instance_principal-on-the-operator-host[operator instance_principal must be enabled]
 * use_encryption must be set to _true_
 * existing_key_id must be provided
 
@@ -301,7 +303,6 @@ service_account_name = "kubeconfigsa"
 service_account_namespace = "kube-system"
 
 service_account_cluster_role_binding = ""
-````
 ----
 
 === Enabling WAF
@@ -325,3 +326,17 @@ N.B.
 . It is good and recommended practice to monitor and protect your application using WAF.
 . WAF protection currently only works if you use a public load balancer as a front end to your services. This means that services deployed as NodePort services are currently *not protected* by WAF.
 ****
+
+=== Enabling PodSecurityPolicy
+
+If you would like to enable the PodSecurityPolicy Admission Controller, set 
+
+[source]
+admission_controller_options = {
+  PodSecurityPolicy = true
+}
+
+Ensure you also read {uri-psp}[the documentation] before enabling it. 
+
+****
+N.B. This field is updatable. You can set to `true` and `false` and run terraform apply again.

docs/quickstart.adoc

@@ -54,12 +54,11 @@ cp terraform.tfvars.example terraform.tfvars
 +
 ----
 provider "oci" {
-  tenancy_ocid         = var.tenancy_id
-  user_ocid            = var.user_id
   fingerprint          = var.api_fingerprint
   private_key_path     = var.api_private_key_path
   region               = var.region
-  disable_auto_retries = var.disable_auto_retries
+  tenancy_ocid         = var.tenancy_id
+  user_ocid            = var.user_id
 }
 ----
 
@@ -68,7 +67,6 @@ provider "oci" {
 * api_fingerprint
 * api_private_key_path
 * compartment_id
-* compartment_name
 * tenancy_id
 * user_id
 
@@ -95,19 +93,18 @@ terraform plan
 terraform apply
 ----
 
-=== Provisioning using the Hashicorp registry module
+=== Provisioning using the HashiCorp registry module
 
 . In your project root, create a provider.tf file and add the following:
 
 +
 ----
 provider "oci" {
-  tenancy_ocid         = var.tenancy_id
-  user_ocid            = var.user_id
   fingerprint          = var.api_fingerprint
   private_key_path     = var.api_private_key_path
   region               = var.region
-  disable_auto_retries = var.disable_auto_retries
+  tenancy_ocid         = var.tenancy_id
+  user_ocid            = var.user_id
 }
 ----
 
@@ -119,8 +116,8 @@ provider "oci" {
 ----
 module "oke" {
   source  = "oracle-terraform-modules/oke/oci"
-  version = "2.1.5"
-  # insert the 23 required variables here
+  version = "2.2.2"
+  # insert the 9 required variables here
 }
 ----