Skip to content

fix: Added Missing parts in OCP DA #780

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 21 commits into from
Sep 9, 2025
Merged

fix: Added Missing parts in OCP DA #780

Show file tree
Hide file tree
Changes from 17 commits
Commits
Show all changes
21 commits
Select commit Hold shift + click to select a range
a4cb785
Testing
Aug 22, 2025
cc3566e
fix: Updated terraform version
Aug 22, 2025
e11604f
Merge branch 'main' into gaps-ocp
arya-girish-k Aug 22, 2025
4dfc29c
Updated permission description
Sep 1, 2025
597b4f5
Merge branch 'main' into gaps-ocp
vkuma17 Sep 2, 2025
30ad5eb
addressed epx issues
vkuma17 Sep 2, 2025
4812ac2
Merge branch 'gaps-ocp' of github.com:terraform-ibm-modules/terraform…
vkuma17 Sep 2, 2025
d680c81
addressed epx issues
vkuma17 Sep 3, 2025
d28bde3
changed permissions
vkuma17 Sep 3, 2025
227d3a6
Update variables.tf
vkuma17 Sep 3, 2025
1d65a60
Update variables.tf
vkuma17 Sep 3, 2025
2859e9e
modified sm permission
vkuma17 Sep 4, 2025
fafc0c6
Update ibm_catalog.json
vkuma17 Sep 5, 2025
94ef69d
Merge branch 'main' into gaps-ocp
vkuma17 Sep 5, 2025
7436405
Merge branch 'main' into gaps-ocp
vkuma17 Sep 8, 2025
0500090
Update ibm_catalog.json
vkuma17 Sep 8, 2025
5f377d7
Update ibm_catalog.json
vkuma17 Sep 8, 2025
a954aeb
Merge branch 'main' into gaps-ocp
vkuma17 Sep 9, 2025
e86b611
Update ibm_catalog.json
vkuma17 Sep 9, 2025
64cc5bf
SKIP UPGRADE TEST
vkuma17 Sep 9, 2025
12bec55
Merge branch 'main' into gaps-ocp
vkuma17 Sep 9, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
45 changes: 19 additions & 26 deletions ibm_catalog.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -106,7 +106,7 @@
"role_crns": [
"crn:v1:bluemix:public:iam::::role:Editor"
],
"service_name": "iam-access-groups",
"service_name": "iam-groups",
"notes": "[Optional] Required for managing IAM access groups."
},
{
Expand Down Expand Up @@ -139,7 +139,7 @@
"crn:v1:bluemix:public:iam::::role:Editor"
],
"service_name": "cloud-object-storage",
"notes": "Required to manage Object storage bucket for the cluster internal registry."
"notes": "Required to manage Object storage for the cluster internal registry."
},
{
"service_name": "containers-kubernetes",
Expand All @@ -158,24 +158,24 @@
},
{
"role_crns": [
"crn:v1:bluemix:public:iam::::role:Administrator",
"crn:v1:bluemix:public:iam::::role:Editor",
"crn:v1:bluemix:public:iam::::serviceRole:Manager"
],
"service_name": "secrets-manager",
"notes": "[Optional] Required when enabling the Secrets Manager integration."
},
{
"role_crns": [
"crn:v1:bluemix:public:iam::::serviceRole:Manager",
"crn:v1:bluemix:public:iam::::role:Administrator"
"crn:v1:bluemix:public:iam::::role:Editor",
"crn:v1:bluemix:public:iam::::serviceRole:Manager"
],
"service_name": "sysdig-monitor",
"notes": "[Optional] Required to create an instance of Cloud Monitoring."
},
{
"role_crns": [
"crn:v1:bluemix:public:iam::::serviceRole:Manager",
"crn:v1:bluemix:public:iam::::role:Editor"
"crn:v1:bluemix:public:iam::::role:Editor",
"crn:v1:bluemix:public:iam::::serviceRole:Manager"
],
"service_name": "logs",
"notes": "[Optional] Required to create an instance of Cloud logs."
Expand All @@ -195,17 +195,10 @@
],
"notes": "[Optional] Required when enabling the Activity Tracker Event Routing."
},
{
"service_name": "metrics-router",
"role_crns": [
"crn:v1:bluemix:public:iam::::role:Administrator"
],
"notes": "[Optional] Required to enable metrics routing to the Cloud Monitoring."
},
{
"role_crns": [
"crn:v1:bluemix:public:iam::::serviceRole:Manager",
"crn:v1:bluemix:public:iam::::role:Administrator"
"crn:v1:bluemix:public:iam::::role:Editor"
],
"service_name": "event-notifications",
"notes": "[Optional] Required when enabling the Event Notifications integration."
Expand Down Expand Up @@ -249,7 +242,7 @@
"required": true
},
{
"key": "ocp_version",
"key": "openshift_version",
"required": true,
"default_value": "4.18",
"options": [
Expand Down Expand Up @@ -518,7 +511,7 @@
]
},
{
"key": "disable_public_endpoint",
"key": "allow_public_access_to_cluster",
"required": true
},
{
Expand Down Expand Up @@ -688,7 +681,7 @@
]
},
{
"key": "disable_outbound_traffic_protection"
"key": "allow_outbound_traffic"
},
{
"key": "verify_worker_network_readiness"
Expand Down Expand Up @@ -1131,30 +1124,30 @@
"crn:v1:bluemix:public:iam::::serviceRole:Manager",
"crn:v1:bluemix:public:iam::::role:Administrator"
],
"notes": "Required to reset the cluster API key, create and edit the OpenShift cluster, and manage all related resources."
"notes": "Required to create and manage the Openshift cluster."
},
{
"service_name": "iam-identity",
"role_crns": [
"crn:v1:bluemix:public:iam::::role:Administrator",
"crn:v1:bluemix:public:iam-identity::::serviceRole:UserApiKeyCreator"
],
"notes": "Required to create the cluster API key needed by the OpenShift cluster on IBM Cloud and for managing and operating resources within the IBM Cloud environment."
"notes": "Required to create the containers-kubernetes-key for the OpenShift cluster."
},
{
"service_name": "is.vpc",
"role_crns": [
"crn:v1:bluemix:public:iam::::role:Editor"
],
"notes": "Required for creating Virtual Private Cloud (VPC)."
"notes": "Required to create VPC."
},
{
"service_name": "cloud-object-storage",
"role_crns": [
"crn:v1:bluemix:public:iam::::serviceRole:Manager",
"crn:v1:bluemix:public:iam::::role:Editor"
],
"notes": "Required for creating the OpenShift cluster's internal registry storage bucket."
"notes": "Required to manage Object storage for the cluster internal registry."
},
{
"role_crns": [
Expand All @@ -1178,7 +1171,7 @@
"url": "https://raw.githubusercontent.com/terraform-ibm-modules/terraform-ibm-base-ocp-vpc/refs/heads/main/reference-architecture/deployable-architecture-ocp-cluster-qs.svg",
"type": "image/svg+xml"
},
"description": "This deployable architecture enables deployment of a <b>Red Hat OpenShift cluster</b> within an IBM Cloud Virtual Private Cloud (VPC). It provisions the OpenShift cluster and its foundational VPC infrastructure with a limited set of essential options for rapid and streamlined setup. Additionally, the deployment creates an <b>Object Storage bucket</b> that serves as the internal container image registry for the OpenShift cluster. Thus, it helps ensure seamless storage integration.<br><br>Users can select from predefined cluster sizes — <b>mini (default), small, medium, and large.</b> Each size determines the number of availability zones, worker nodes per zone, and the <b>machine type</b> (worker node flavor). [Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-base-ocp-vpc/blob/main/solutions/quickstart/DA_docs.md).<br><br>By default, the architecture provisions a <b>two-zone VPC</b>, forming the foundation for the OpenShift cluster. The cluster comprises a single worker pool distributed across these zones, with <b>two worker nodes per zone</b> in the mini configuration.<br><br>This streamlined architecture balances ease of use with flexibility, enabling rapid OpenShift cluster deployments with the infrastructure, integrated storage services, and right-sized compute resources of IBM Cloud."
"description": "This deployable architecture enables deployment of a <b>Red Hat OpenShift cluster</b> within an IBM Cloud Virtual Private Cloud (VPC). It provisions the OpenShift cluster and its foundational VPC infrastructure with a limited set of essential options for rapid and streamlined setup. Additionally, the deployment creates an <b>Object Storage bucket</b> that serves as the internal container image registry for the OpenShift cluster. Thus, it helps ensure seamless storage integration.<br><br>Users can select from predefined cluster sizes — <b>mini (default), small, medium, and large.</b> The chosen size determines the <b>machine type</b> of the worker nodes, <b>the number of availability zones</b> the cluster spans, and <b>number of worker nodes</b> deployed in each zone. To get more information on this, refer [here](https://github.com/terraform-ibm-modules/terraform-ibm-base-ocp-vpc/blob/main/solutions/quickstart/DA_docs.md).<br><br>By default, the architecture provisions a <b>two-zone VPC</b>, forming the foundation for the OpenShift cluster. The cluster comprises a single worker pool distributed across these zones, with <b>two worker nodes per zone</b> in the mini configuration.<br><br>This streamlined architecture balances ease of use with flexibility, enabling rapid OpenShift cluster deployments with the infrastructure, integrated storage services, and right-sized compute resources of IBM Cloud."
}
]
},
Expand Down Expand Up @@ -1266,7 +1259,7 @@
"key": "cluster_name"
},
{
"key": "ocp_version",
"key": "openshift_version",
"default_value": "4.18",
"required": true,
"options": [
Expand Down Expand Up @@ -1329,10 +1322,10 @@
}
},
{
"key": "disable_public_endpoint"
"key": "allow_public_access_to_cluster"
},
{
"key": "disable_outbound_traffic_protection"
"key": "allow_outbound_traffic"
}
],
"dependency_version_2": true,
Expand Down
8 changes: 4 additions & 4 deletions solutions/fully-configurable/main.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -195,7 +195,7 @@ locals {
# Managing the ODF version accordingly, as it changes with each OCP version.
addons = lookup(var.addons, "openshift-data-foundation", null) != null ? lookup(var.addons["openshift-data-foundation"], "version", null) == null ? { for key, value in var.addons :
key => value != null ? {
version = lookup(value, "version", null) == null && key == "openshift-data-foundation" ? "${var.ocp_version}.0" : lookup(value, "version", null)
version = lookup(value, "version", null) == null && key == "openshift-data-foundation" ? "${var.openshift_version}.0" : lookup(value, "version", null)
parameters_json = lookup(value, "parameters_json", null)
} : null } : var.addons : var.addons
}
Expand All @@ -211,7 +211,7 @@ module "ocp_base" {
existing_cos_id = var.existing_cos_instance_crn
vpc_id = local.existing_vpc_id
vpc_subnets = local.vpc_subnets
ocp_version = var.ocp_version
ocp_version = var.openshift_version
worker_pools = local.worker_pools
access_tags = var.access_tags
ocp_entitlement = var.ocp_entitlement
Expand All @@ -224,8 +224,8 @@ module "ocp_base" {
cbr_rules = var.cbr_rules
cluster_ready_when = var.cluster_ready_when
custom_security_group_ids = var.custom_security_group_ids
disable_outbound_traffic_protection = var.disable_outbound_traffic_protection
disable_public_endpoint = var.disable_public_endpoint
disable_outbound_traffic_protection = var.allow_outbound_traffic
disable_public_endpoint = !var.allow_public_access_to_cluster
enable_ocp_console = var.enable_ocp_console
ignore_worker_pool_size_changes = var.ignore_worker_pool_size_changes
kms_config = local.kms_config
Expand Down
20 changes: 10 additions & 10 deletions solutions/fully-configurable/variables.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -67,7 +67,7 @@ variable "cluster_name" {
default = "openshift"
}

variable "ocp_version" {
variable "openshift_version" {
type = string
description = "Version of the OpenShift cluster to provision."
default = null
Expand Down Expand Up @@ -266,10 +266,16 @@ variable "use_private_endpoint" {
default = true
}

variable "disable_public_endpoint" {
variable "allow_public_access_to_cluster" {
type = bool
description = "Whether access to the public service endpoint is disabled when the cluster is created. Does not affect existing clusters. You can't disable a public endpoint on an existing cluster, so you can't convert a public cluster to a private cluster. To change a public endpoint to private, create another cluster with this input set to `true`. Warning: Set this field to `false` if you want to retain public access to the cluster. Once the cluster is created, this cannot be changed."
default = true
description = "Set to true to allow public access to master node of the cluster by enabling public endpoint."
default = false
}

variable "allow_outbound_traffic" {
type = bool
description = "Set to true to allow public outbound access from the cluster workers."
default = false
}

variable "cluster_config_endpoint_type" {
Expand All @@ -279,12 +285,6 @@ variable "cluster_config_endpoint_type" {
nullable = false
}

variable "disable_outbound_traffic_protection" {
type = bool
description = "Whether to allow public outbound access from the cluster workers. This is only applicable for OCP 4.15 and later."
default = false
}

variable "verify_worker_network_readiness" {
type = bool
description = "By setting this to true, a script runs kubectl commands to verify that all worker nodes can communicate successfully with the master. If the runtime does not have access to the kube cluster to run kubectl commands, set this value to false."
Expand Down
2 changes: 1 addition & 1 deletion solutions/fully-configurable/version.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ terraform {
required_providers {
ibm = {
source = "IBM-Cloud/ibm"
version = "1.81.0"
version = "1.81.1"
}
helm = {
source = "hashicorp/helm"
Expand Down
6 changes: 3 additions & 3 deletions solutions/quickstart/main.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -135,14 +135,14 @@ module "ocp_base" {
cluster_name = local.cluster_name
resource_group_id = module.resource_group.resource_group_id
region = var.region
ocp_version = var.ocp_version
ocp_version = var.openshift_version
ocp_entitlement = var.ocp_entitlement
vpc_id = module.vpc.vpc_id
vpc_subnets = local.cluster_vpc_subnets
worker_pools = local.worker_pools
disable_outbound_traffic_protection = var.disable_outbound_traffic_protection
disable_outbound_traffic_protection = var.allow_outbound_traffic
access_tags = var.access_tags
disable_public_endpoint = var.disable_public_endpoint
disable_public_endpoint = !var.allow_public_access_to_cluster
use_private_endpoint = true
cluster_config_endpoint_type = "default"
}
12 changes: 6 additions & 6 deletions solutions/quickstart/variables.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -47,7 +47,7 @@ variable "region" {
default = "us-south"
}

variable "ocp_version" {
variable "openshift_version" {
type = string
description = "Version of the OpenShift cluster to provision."
default = null
Expand Down Expand Up @@ -91,14 +91,14 @@ variable "size" {
default = "mini"
}

variable "disable_public_endpoint" {
variable "allow_public_access_to_cluster" {
type = bool
description = "Disables the public endpoint, which allows internet access to the cluster, during creation only."
default = false
description = "Set to true to allow public access to master node of the cluster by enabling public endpoint."
default = true
}

variable "disable_outbound_traffic_protection" {
variable "allow_outbound_traffic" {
type = bool
description = "Whether to allow public outbound access from the cluster workers. This is only applicable for OCP 4.15 and later. [Learn more](https://cloud.ibm.com/docs/openshift?topic=openshift-sbd-allow-outbound)."
description = "Set to true to allow public outbound access from the cluster workers."
default = true
}
2 changes: 1 addition & 1 deletion solutions/quickstart/version.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ terraform {
required_providers {
ibm = {
source = "IBM-Cloud/ibm"
version = "1.80.3"
version = "1.81.1"
}
}
}