├── .github ├── ISSUE_TEMPLATE.md ├── ISSUE_TEMPLATE │ ├── Bug_Report.md │ ├── Feature_Request.md │ └── Question.md └── workflows │ └── mdbook.yaml ├── .gitignore ├── CONTRIBUTING.md ├── LICENSE ├── Makefile ├── README.md ├── THIRD_PARTY_LICENSES.txt ├── data-common.tf ├── data-images.tf ├── docs ├── book.toml ├── clusterautoscaler.adoc ├── footer.md ├── src │ ├── SUMMARY.md │ ├── codingconventions.md │ ├── css │ │ ├── general.css │ │ └── mdbook-admonish.css │ ├── dependencies.md │ ├── gs │ │ ├── gs.md │ │ ├── intro.md │ │ └── prerequisites.md │ ├── guide │ │ ├── bastion.md │ │ ├── bastion_ssh.md │ │ ├── cluster.md │ │ ├── cluster_addons.md │ │ ├── cluster_oidc_authentication.md │ │ ├── cluster_oidc_discovery.md │ │ ├── configuration.md │ │ ├── deploy.md │ │ ├── extensions.md │ │ ├── extensions_cluster_autoscaler.md │ │ ├── extensions_monitoring.md │ │ ├── extensions_networking.md │ │ ├── identity.md │ │ ├── identity_policies.md │ │ ├── identity_tags.md │ │ ├── loadbalancers.md │ │ ├── network.md │ │ ├── network_nsgs.md │ │ ├── network_subnets.md │ │ ├── oci_integrations.md │ │ ├── operator.md │ │ ├── operator_cloudinit.md │ │ ├── operator_identity.md │ │ ├── operator_ssh.md │ │ ├── releases.md │ │ ├── rms_cluster.md │ │ ├── rms_clusternetwork.md │ │ ├── rms_instance.md │ │ ├── rms_instancepool.md │ │ ├── rms_network.md │ │ ├── rms_nodepool.md │ │ ├── rms_virtualnodepool.md │ │ ├── ssh.md │ │ ├── storage.md │ │ ├── terraform.md │ │ ├── tfoke.drawio │ │ ├── topology.md │ │ ├── ug.md │ │ ├── upgrade.md │ │ ├── workers.md │ │ ├── workers_cloudinit.md │ │ ├── workers_drain.md │ │ ├── workers_image.md │ │ ├── workers_mode.md │ │ ├── workers_mode_clusternetwork.md │ │ ├── workers_mode_computecluster.md │ │ ├── workers_mode_instance.md │ │ ├── workers_mode_instancepool.md │ │ ├── workers_mode_nodepool.md │ │ ├── workers_mode_virtualnodepool.md │ │ ├── workers_network.md │ │ ├── workers_node_cycle.md │ │ ├── workers_scaling.md │ │ └── workers_storage.md │ ├── images │ │ 
├── bastion-large.svg │ │ ├── bastion.png │ │ ├── bastion.svg │ │ ├── defaultmad-large.svg │ │ ├── defaultmad.png │ │ ├── defaultmad.svg │ │ ├── defaultsad-large.svg │ │ ├── defaultsad.png │ │ ├── defaultsad.svg │ │ ├── loadbalancers-large.svg │ │ ├── loadbalancers.svg │ │ ├── mixedarch.png │ │ ├── mixedworkload.png │ │ ├── networking-large.svg │ │ ├── networking.png │ │ ├── networking.svg │ │ ├── np311.png │ │ ├── np312.png │ │ ├── np351.png │ │ ├── oidc-discovery.png │ │ ├── privatecluster-large.svg │ │ ├── privatecluster.png │ │ ├── privatecluster.svg │ │ ├── privatelbs.png │ │ ├── privateworkers-large.svg │ │ ├── privateworkers.png │ │ ├── privateworkers.svg │ │ ├── publiccluster-large.svg │ │ ├── publiccluster.png │ │ ├── publiccluster.svg │ │ ├── publicworkers-large.svg │ │ ├── publicworkers.png │ │ └── publicworkers.svg │ ├── inputs_root.md │ ├── inputs_submodule.md │ ├── intro.md │ ├── outputs.md │ ├── resources.md │ └── support.md ├── tfdocs-all.yml ├── tfdocs-inputs.yml ├── tfdocs-outputs.yml ├── tfdocs-resources.yml └── theme │ ├── index.hbs │ ├── pagetoc.css │ └── pagetoc.js ├── examples ├── bastion │ └── vars-bastion.auto.tfvars ├── cluster-addons │ └── vars-cluster-addons.auto.tfvars ├── cluster │ ├── vars-cluster-basic.auto.tfvars │ ├── vars-cluster-enhanced.auto.tfvars │ ├── vars-cluster-oidc-auth-multiple.auto.tfvars │ ├── vars-cluster-oidc-auth-single.auto.tfvars │ └── vars-cluster-oidc-discovery.auto.tfvars ├── extensions │ ├── vars-extensions-calico.auto.tfvars │ ├── vars-extensions-cilium.auto.tfvars │ ├── vars-extensions-cluster-autoscaler.auto.tfvars │ ├── vars-extensions-dcgm-exporter.auto.tfvars │ ├── vars-extensions-gatekeeper.auto.tfvars │ ├── vars-extensions-metrics-server.auto.tfvars │ ├── vars-extensions-mpi-operator.auto.tfvars │ ├── vars-extensions-multus.auto.tfvars │ ├── vars-extensions-prometheus.auto.tfvars │ ├── vars-extensions-rdma-cni.auto.tfvars │ ├── vars-extensions-service-account.auto.tfvars │ ├── 
vars-extensions-sriov-cni.auto.tfvars │ ├── vars-extensions-sriov-device.auto.tfvars │ └── vars-extensions-whereabouts.auto.tfvars ├── iam │ ├── vars-iam-policies.auto.tfvars │ └── vars-iam-tags.auto.tfvars ├── istio-mc │ ├── README.md │ ├── c1.tf │ ├── c2.tf │ ├── contexts.tf │ ├── docs │ │ └── assets │ │ │ └── multi-primary multi-networks.png │ ├── istio.tf │ ├── locals.tf │ ├── outputs.tf │ ├── providers.tf │ ├── resources │ │ └── istio.template.yaml │ ├── scripts │ │ ├── cloud-init.sh │ │ ├── generate_kubeconfig.template.sh │ │ ├── istioctl.template.sh │ │ ├── kubeconfig_set_credentials.template.sh │ │ ├── set_alias.template.sh │ │ └── token_helper.template.sh │ ├── templates.tf │ ├── terraform.tfvars.example │ ├── variables.tf │ └── versions.tf ├── network │ ├── vars-network-drg-create.auto.tfvars.example │ ├── vars-network-nsgs-create.auto.tfvars │ ├── vars-network-nsgs-existing.auto.tfvars │ ├── vars-network-subnets-create-cidr-ipv4-and-ipv6.tfvars │ ├── vars-network-subnets-create-cidr.auto.tfvars │ ├── vars-network-subnets-create-force.auto.tfvars │ ├── vars-network-subnets-create.auto.tfvars │ ├── vars-network-subnets-existing.auto.tfvars │ └── vars-network.auto.tfvars ├── operator │ ├── vars-operator-cloudinit.auto.tfvars │ └── vars-operator.auto.tfvars ├── profiles │ ├── cluster-workers-only │ │ ├── main.tf │ │ ├── variables.tf │ │ └── versions.tf │ ├── network-cluster-workers │ │ ├── main.tf │ │ ├── variables.tf │ │ └── versions.tf │ ├── network-only │ │ ├── main.tf │ │ ├── variables.tf │ │ └── versions.tf │ └── workers-only │ │ ├── main.tf │ │ ├── variables.tf │ │ └── versions.tf ├── provider-basic.tf ├── provider.tf ├── rms │ ├── oke-cluster-only │ │ ├── data.tf │ │ ├── main.tf │ │ ├── output.tf │ │ ├── provider.tf │ │ ├── schema.yaml │ │ ├── variables-cluster.tf │ │ ├── variables-extensions.tf │ │ ├── variables-iam.tf │ │ ├── variables-network.tf │ │ ├── variables-operator.tf │ │ └── versions.tf │ ├── oke-network-only │ │ ├── data.tf │ │ ├── main.tf 
│ │ ├── output.tf │ │ ├── provider.tf │ │ ├── schema.yaml │ │ ├── variables-bastion.tf │ │ ├── variables-iam.tf │ │ ├── variables-network.tf │ │ ├── variables-subnets.tf │ │ └── versions.tf │ └── oke-workers-only │ │ ├── data.tf │ │ ├── main.tf │ │ ├── output.tf │ │ ├── provider.tf │ │ ├── schema.yaml │ │ ├── variables.tf │ │ └── versions.tf ├── utilities │ ├── vars-utilities-drain.auto.tfvars │ ├── vars-utilities-ocir.auto.tfvars │ └── vars-utilities-serviceaccount.auto.tfvars ├── vars-common.auto.tfvars ├── vars-provider.auto.tfvars └── workers │ ├── vars-workers-advanced.auto.tfvars │ ├── vars-workers-agent.auto.tfvars │ ├── vars-workers-autoscaling.auto.tfvars │ ├── vars-workers-basic.auto.tfvars │ ├── vars-workers-cloudinit-global.auto.tfvars │ ├── vars-workers-cloudinit-pool.auto.tfvars │ ├── vars-workers-clusternetwork.auto.tfvars │ ├── vars-workers-computecluster.auto.tfvars │ ├── vars-workers-drain.auto.tfvars │ ├── vars-workers-instance.auto.tfvars │ ├── vars-workers-instancepool.auto.tfvars │ ├── vars-workers-network-nsgs.auto.tfvars │ ├── vars-workers-network-subnets.auto.tfvars │ ├── vars-workers-network-vnics.auto.tfvars │ ├── vars-workers-node-cycling.auto.tfvars │ ├── vars-workers-nodepool.auto.tfvars │ ├── vars-workers-virtualnodepool.auto.tfvars │ └── vars-workers.auto.tfvars ├── migration.tf ├── module-bastion.tf ├── module-cluster-addons.tf ├── module-cluster.tf ├── module-extensions.tf ├── module-iam.tf ├── module-network.tf ├── module-operator.tf ├── module-utilities.tf ├── module-workers.tf ├── modules ├── bastion │ ├── cloudinit.tf │ ├── compute.tf │ ├── variables.tf │ └── versions.tf ├── cluster-addons │ ├── addons.tf │ ├── delete_addons.tf │ ├── outputs.tf │ ├── variables.tf │ └── versions.tf ├── cluster │ ├── cluster.tf │ ├── outputs.tf │ ├── variables.tf │ └── versions.tf ├── extensions │ ├── autoscaler.tf │ ├── cilium.tf │ ├── dcgm_exporter.tf │ ├── gatekeeper.tf │ ├── locals.tf │ ├── metricserver.tf │ ├── mpi_operator.tf │ ├── 
multus.tf │ ├── prometheus.tf │ ├── rdma_cni_plugin.tf │ ├── service_account.tf │ ├── sriov_cni_plugin.tf │ ├── sriov_device_plugin.tf │ ├── variables.tf │ ├── versions.tf │ └── whereabouts.tf ├── iam │ ├── await.tf │ ├── group-autoscaling.tf │ ├── group-cluster.tf │ ├── group-operator.tf │ ├── group-workers.tf │ ├── outputs.tf │ ├── policy.tf │ ├── tagging.tf │ ├── variables.tf │ └── versions.tf ├── network │ ├── datasources.tf │ ├── drgs.tf │ ├── locals.tf │ ├── nsg-bastion.tf │ ├── nsg-controlplane.tf │ ├── nsg-fss.tf │ ├── nsg-loadbalancers-int.tf │ ├── nsg-loadbalancers-pub.tf │ ├── nsg-operator.tf │ ├── nsg-pods.tf │ ├── nsg-workers.tf │ ├── rules.tf │ ├── subnets.tf │ ├── variables.tf │ └── versions.tf ├── operator │ ├── cloudinit.tf │ ├── compute.tf │ ├── variables.tf │ └── versions.tf ├── utilities │ ├── drain.tf │ ├── nodeready.tf │ ├── ocir.tf │ ├── resources │ │ └── await_node_readiness.tpl.sh │ ├── variables.tf │ └── versions.tf └── workers │ ├── README.md │ ├── cloudinit-oke.sh │ ├── cloudinit.tf │ ├── clusternetworks.tf │ ├── computecluster.tf │ ├── data-faultdomains.tf │ ├── data-shapes.tf │ ├── instance.tf │ ├── instanceconfig.tf │ ├── instancepools.tf │ ├── locals.tf │ ├── nodepools.tf │ ├── outputs.tf │ ├── variables.tf │ ├── versions.tf │ └── virtualnodepools.tf ├── variables-bastion.tf ├── variables-cluster-addons.tf ├── variables-cluster.tf ├── variables-common.tf ├── variables-extensions.tf ├── variables-iam.tf ├── variables-network.tf ├── variables-operator.tf ├── variables-utilities.tf ├── variables-workers.tf └── versions.tf /.github/ISSUE_TEMPLATE.md: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/Feature_Request.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: 🚀 Feature Request 3 | about: I have a suggestion (and might want to implement myself 
🙂)! 4 | labels: enhancement 5 | --- 6 | 7 | 8 | 9 | ### Community Note 10 | 11 | * Please vote on this issue by adding a 👍 [reaction](https://blog.github.com/2016-03-10-add-reactions-to-pull-requests-issues-and-comments/) to the original issue to help the community and maintainers prioritize this request 12 | * Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request 13 | * If you are interested in working on this issue or have submitted a pull request, please leave a comment 14 | 15 | 16 | 17 | ### Description 18 | 19 | 20 | 21 | ### New or Affected Resource(s) 22 | 23 | 24 | 25 | 26 | ### Potential Terraform Configuration 27 | 28 | 29 | 30 | ```hcl 31 | # Copy-paste any Terraform configurations for how the requested feature may be used. 32 | ``` 33 | 34 | ### References 35 | 36 | 42 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/Question.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: 💬 Question 3 | about: Questions regarding the Terraform Oracle Cloud Infrastructure OKE module 4 | labels: question 5 | --- 6 | 7 | This Github template is intended for questions regarding the Terraform **Oracle Cloud Infrastructure** OKE module. 
8 | 9 | If you have a support request or question related to core Terraform functionality or the OCI provider, please submit them to one of these resources: 10 | 11 | * [Terraform OCI provider](https://github.com/terraform-providers/terraform-provider-oci) 12 | * [Terraform community resources](https://www.terraform.io/docs/extend/community/index.html) 13 | * [HashiCorp support](https://support.hashicorp.com) (Terraform Enterprise customers) -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Local .terraform directories 2 | **/.terraform/* 3 | 4 | provider.tf 5 | 6 | # .tfstate files 7 | *.tfstate 8 | *.tfstate.* 9 | 10 | # .tfvars files 11 | *.tfvars 12 | 13 | generated/** 14 | 15 | # visual code 16 | **/.vscode/* 17 | **/.metals* 18 | 19 | .terraform.lock.hcl 20 | 21 | # Generated documentation 22 | docs/book 23 | -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | # Contributing 2 | 3 | Oracle welcomes contributions to this repository from anyone. 4 | 5 | If you want to submit a pull request to fix a bug or enhance an existing feature, please first open an issue and link to that issue when you submit your pull request. 6 | 7 | If you have any questions about a possible submission, feel free to open an issue too. 8 | 9 | ## Contributing to the terraform-oci-oke repository 10 | 11 | Pull requests can be made under [The Oracle Contributor Agreement](https://oca.opensource.oracle.com/). 12 | 13 | For pull requests to be accepted, the bottom of your commit message must have the following line using your name and e-mail address as it appears in the OCA Signatories list. 
14 | 15 | ``` 16 | Signed-off-by: Your Name 17 | ``` 18 | 19 | This can be automatically added to pull requests by committing with: 20 | 21 | ``` 22 | git commit --signoff 23 | ``` 24 | 25 | Only pull requests from committers that can be verified as having 26 | signed the OCA can be accepted. 27 | 28 | ### Pull request process 29 | 30 | 1. Fork this repository 31 | 1. Create a branch in your fork to implement the changes. We recommend using the issue number as part of your branch name, e.g. `1234-fixes` 32 | 1. Ensure that any documentation is updated with the changes that are required by your fix. 33 | 1. Ensure that any samples are updated if the base image has been changed. 34 | 1. Submit the pull request. *Do not leave the pull request blank*. Explain exactly what your changes are meant to do and provide simple steps on how to validate your changes. Ensure that you reference the issue you created as well. We will assign the pull request to 2-3 people for review before it is merged. 35 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Copyright (c) 2019 Oracle and/or its affiliates. 
2 | 3 | The Universal Permissive License (UPL), Version 1.0 4 | 5 | Subject to the condition set forth below, permission is hereby granted to any 6 | person obtaining a copy of this software, associated documentation and/or data 7 | (collectively the "Software"), free of charge and under any and all copyright 8 | rights in the Software, and any and all patent rights owned or freely 9 | licensable by each licensor hereunder covering either (i) the unmodified 10 | Software as contributed to or provided by such licensor, or (ii) the Larger 11 | Works (as defined below), to deal in both 12 | 13 | (a) the Software, and 14 | (b) any piece of software and/or hardware listed in the lrgrwrks.txt file if 15 | one is included with the Software (each a "Larger Work" to which the Software 16 | is contributed by such licensors), 17 | 18 | without restriction, including without limitation the rights to copy, create 19 | derivative works of, display, perform, and distribute the Software and make, 20 | use, sell, offer for sale, import, export, have made, and have sold the 21 | Software and the Larger Work(s), and to sublicense the foregoing rights on 22 | either these or other terms. 23 | 24 | This license is subject to the following condition: 25 | The above copyright notice and either this complete permission notice or at 26 | a minimum a reference to the UPL must be included in all copies or 27 | substantial portions of the Software. 28 | 29 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 30 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 31 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 32 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 33 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 34 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 35 | SOFTWARE. 
-------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Terraform OKE for Oracle Cloud Infrastructure 2 | 3 | [![Documentation](https://github.com/oracle-terraform-modules/terraform-oci-oke/actions/workflows/mdbook.yaml/badge.svg?branch=5.x-mdbook&status=Documentation)](https://oracle-terraform-modules.github.io/terraform-oci-oke/) 4 | 5 | Documentation for this module is available at: 6 | 7 | - [Terraform OKE Module](https://oracle-terraform-modules.github.io/terraform-oci-oke/) 8 | 9 | This project implements a reusable Terraform module for [Oracle Cloud Infrastructure (OCI)](https://cloud.oracle.com/cloud-infrastructure) to provision an [OCI Kubernetes Engine (OKE)](https://docs.cloud.oracle.com/iaas/Content/ContEng/Concepts/contengoverview.htm) cluster with supporting infrastructure. 10 | 11 | 12 | ## Further Documentation 13 | 14 | - [Terraform OCI Provider](https://www.terraform.io/docs/providers/oci/index.html) 15 | - [Oracle Cloud Infrastructure](https://docs.cloud.oracle.com/iaas/Content/home.htm) 16 | - [OCI Kubernetes Engine](https://docs.cloud.oracle.com/iaas/Content/ContEng/Concepts/contengoverview.htm) 17 | 18 | ## Acknowledgement 19 | 20 | Code derived and adapted from [Terraform OKE Sample](https://github.com/terraform-providers/terraform-provider-oci/tree/master/examples/container_engine) and Hashicorp’s [Terraform 0.12 examples](https://github.com/hashicorp/terraform-guides/tree/master/infrastructure-as-code/terraform-0.12-examples). 21 | 22 | ## Contributing 23 | 24 | Learn how to [contribute](./CONTRIBUTING.md). 25 | 26 | ## License 27 | Copyright (c) 2017, 2024 Oracle Corporation and/or its affiliates. Licensed under the [Universal Permissive License 1.0](./LICENSE) as shown at [https://oss.oracle.com/licenses/upl](https://oss.oracle.com/licenses/upl/). 
28 | -------------------------------------------------------------------------------- /data-common.tf: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2022, 2023 Oracle Corporation and/or its affiliates. 2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl 3 | 4 | locals { 5 | state_id = coalesce(var.state_id, random_string.state_id.id) 6 | } 7 | 8 | resource "random_string" "state_id" { 9 | length = 6 10 | lower = true 11 | numeric = false 12 | special = false 13 | upper = false 14 | } 15 | 16 | output "state_id" { 17 | value = local.state_id 18 | } 19 | -------------------------------------------------------------------------------- /docs/book.toml: -------------------------------------------------------------------------------- 1 | [book] 2 | authors = ["The Terraform OCI OKE Module contributors"] 3 | language = "en" 4 | multilingual = false 5 | src = "src" 6 | title = "Terraform OCI module for OKE" 7 | 8 | [output.html] 9 | curly-quotes = false 10 | git-repository-url = "https://github.com/oracle-terraform-modules/terraform-oci-oke" 11 | additional-css = ["./src/css/mdbook-admonish.css", "theme/pagetoc.css"] 12 | additional-js = ["theme/pagetoc.js"] 13 | default-theme = "light" 14 | 15 | [output.html.playground] 16 | editable = true 17 | 18 | [preprocessor.admonish] 19 | command = "mdbook-admonish" 20 | assets_version = "3.0.2" # do not edit: managed by `mdbook-admonish install` 21 | 22 | [preprocessor.toc] 23 | max-level = 3 24 | 25 | [preprocessor.pagetoc] 26 | 27 | [preprocessor.variables] 28 | use_env = true 29 | -------------------------------------------------------------------------------- /docs/footer.md: -------------------------------------------------------------------------------- 1 | 2 | >Copyright © 2019, 2023 Oracle Corporation and/or its affiliates.
Licensed under the [Universal Permissive License v1.0](https://github.com/oracle-terraform-modules/terraform-oci-oke/blob/main/LICENSE) as shown at https://oss.oracle.com/licenses/upl. -------------------------------------------------------------------------------- /docs/src/guide/bastion.md: -------------------------------------------------------------------------------- 1 | # Bastion 2 | 3 | The bastion instance provides a single public SSH entrypoint into the VCN, from which resources in private subnets can be reached. Using it is recommended because it limits the number of resources that need a public IP and therefore the cluster's public exposure. 4 | 5 | The bastion host parameters concern: 6 | 1. whether to enable the bastion 7 | 2. from where the bastion may be accessed (restrict this to the source address ranges that actually need SSH access) 8 | 3. the remaining bastion host settings, e.g. shape, image id, etc. 9 | 10 | ## Image 11 | 12 | The OS image for the created bastion instance. 13 | 14 | **Recommended:** [Oracle Autonomous Linux 8.x](https://docs.oracle.com/en-us/iaas/images/autonomous-linux-8x) 15 | 16 | ## Example usage 17 | ```javascript 18 | {{#include ../../../examples/bastion/vars-bastion.auto.tfvars:4:}} 19 | ``` 20 | -------------------------------------------------------------------------------- /docs/src/guide/bastion_ssh.md: -------------------------------------------------------------------------------- 1 | # Bastion: SSH 2 | 3 | Command usage for `ssh` through the created bastion to the operator host is included in the module's output: 4 | ```shell 5 | $ terraform output 6 | cluster = { 7 | "bastion_public_ip" = "138.0.0.1" 8 | "ssh_to_operator" = "ssh -J opc@138.0.0.1 opc@10.0.0.16" 9 | ... 
10 | } 11 | 12 | $ ssh -J opc@138.0.0.1 opc@10.0.0.16 kubectl get nodes 13 | NAME STATUS ROLES AGE VERSION 14 | 10.1.48.175 Ready node 7d10h v1.25.6 15 | 10.1.50.102 Ready node 3h12m v1.25.6 16 | 10.1.52.76 Ready node 7d10h v1.25.6 17 | 10.1.54.237 Ready node 5h41m v1.25.6 18 | 10.1.58.74 Ready node 5h22m v1.25.4 19 | 10.1.62.90 Ready node 3h12m v1.25.6 20 | 21 | $ ssh -J opc@138.0.0.1 opc@10.1.54.237 systemctl status kubelet 22 | ● kubelet.service - Kubernetes Kubelet 23 | Active: active (running) since Tue 2023-03-28 01:48:08 UTC; 5h 48min ago 24 | ... 25 | ``` 26 | -------------------------------------------------------------------------------- /docs/src/guide/cluster.md: -------------------------------------------------------------------------------- 1 | # Cluster 2 | 3 | See also: 4 | * [Creating a Kubernetes Cluster](https://docs.oracle.com/en-us/iaas/Content/ContEng/Tasks/contengcreatingclusterusingoke.htm) 5 | 6 | The OKE parameters concern mainly the following: 7 | * whether you want your OKE control plane to be public or private 8 | * whether to assign a public IP address to the API endpoint for public access 9 | * whether you want to deploy public or private worker nodes 10 | * whether you want to allow NodePort or ssh access to the worker nodes 11 | * Kubernetes options such as dashboard, networking 12 | * number of node pools and their respective size of the cluster 13 | * services and pods cidr blocks 14 | * whether to use encryption 15 | * whether you want to enable [dual-stack](https://docs.oracle.com/en-us/iaas/Content/ContEng/Tasks/conteng_ipv4-and-ipv6.htm): IPv4 & IPv6 16 | 17 | ```admonish notice 18 | If you need to change the default services and pods' CIDRs, note the following: 19 | * The CIDR block you specify for the VCN *must not* overlap with the CIDR block you specify for the Kubernetes services. 
20 | * The CIDR blocks you specify for pods running in the cluster *must not* overlap with CIDR blocks you specify for worker node and load balancer subnets. 21 | ``` 22 | 23 | ## Example usage 24 | 25 | Basic cluster with defaults: 26 | ```javascript 27 | {{#include ../../../examples/cluster/vars-cluster-basic.auto.tfvars:4:}} 28 | ``` 29 | 30 | Enhanced cluster with extra configuration: 31 | ```javascript 32 | {{#include ../../../examples/cluster/vars-cluster-enhanced.auto.tfvars:4:}} 33 | ``` 34 | -------------------------------------------------------------------------------- /docs/src/guide/cluster_addons.md: -------------------------------------------------------------------------------- 1 | # Cluster Add-ons 2 | 3 | With this module you can manage both essential and optional add-ons on **enhanced** OKE clusters. 4 | 5 | This module provides the option to remove [Essential addons](https://docs.oracle.com/en-us/iaas/Content/ContEng/Tasks/contengintroducingclusteraddons.htm#contengintroducingclusteraddons__section-essential-addons) and to manage both essential and [optional addons](https://docs.oracle.com/en-us/iaas/Content/ContEng/Tasks/contengintroducingclusteraddons.htm#contengintroducingclusteraddons__section-optional-addons). 6 | 7 | Cluster add-on removal (using the `cluster_addons_to_remove` variable) requires the creation of the operator host. 8 | 9 | To list the available cluster add-ons for a specific Kubernetes version, run the following oci-cli command, substituting the cluster's Kubernetes version: 10 | 11 | ``` 12 | oci ce addon-option list --kubernetes-version <kubernetes-version> 13 | ``` 14 | 15 | **Note**: For the cluster autoscaler you should choose **only one** of the options: 16 | - the stand-alone cluster-autoscaler deployment, using the [extension module](./extensions_cluster_autoscaler.md) 17 | - the cluster-autoscaler add-on 18 | 19 | When customizing the configuration of an existing add-on, set the flag `override_existing=true`. It defaults to `false` when not specified. 
20 | 21 | ## Example usage 22 | ```javascript 23 | {{#include ../../../examples/cluster-addons/vars-cluster-addons.auto.tfvars:4:}} 24 | ``` 25 | 26 | ## Reference 27 | * [OKE Cluster Add-ons Documentation](https://docs.oracle.com/en-us/iaas/Content/ContEng/Tasks/contengconfiguringclusteraddons.htm) 28 | -------------------------------------------------------------------------------- /docs/src/guide/cluster_oidc_discovery.md: -------------------------------------------------------------------------------- 1 | # OpenID Connect Discovery 2 | 3 | With OKE OIDC Discovery, it is possible to validate Kubernetes pods running on OKE clusters with third-party STS (Security Token Service) issuers, whether on-premises or in cloud service providers (CSPs) such as Amazon Web Services (AWS) and Google Cloud Platform (GCP), and authorize them to access non-OCI resources. OKE OIDC Discovery enables this integration. 4 | 5 | ## Prerequisites 6 | 7 | Note the following points when using OIDC Discovery: 8 | 9 | - The cluster must be an enhanced cluster. OIDC Discovery is not supported for basic clusters. 10 | - The cluster must be running Kubernetes version 1.21 (or later). 11 | 12 | ## Configuration 13 | 14 | When you enable OIDC discovery for an OKE cluster, OKE provides an OpenID Connect issuer endpoint. This endpoint serves the OIDC discovery document and the JSON web key set (JWKS), which contain the public key necessary for token validation. These resources enable third-party IdP to validate tokens issued for pods in the OKE cluster, allowing those pods to access non-OCI resources. 
15 | 16 | [ ![](../images/oidc-discovery.png) ](../images/oidc-discovery.png) 17 | *Figure 1: OIDC Discovery* 18 | 19 | To enable OKE OIDC Discovery, set the following variable: 20 | 21 | ``` 22 | open_id_connect_discovery_enabled = true 23 | ``` 24 | 25 | The OpenID Connect issuer endpoint is available in the output: 26 | 27 | ``` 28 | cluster_oidc_discovery_endpoint 29 | ``` 30 | 31 | ## Example usage 32 | 33 | OIDC Discovery setup using Kubernetes API server flags 34 | 35 | ```javascript 36 | {{#include ../../../examples/cluster/vars-cluster-oidc-discovery.auto.tfvars:4:}} 37 | ``` 38 | 39 | ## Reference 40 | * [OKE OpenID Discovery](https://docs.oracle.com/en-us/iaas/Content/ContEng/Tasks/contengOpenIDConnect-Discovery.htm) 41 | * [OKE Cluster Terraform resource](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/containerengine_cluster) 42 | * [OKE Pods access AWS resources](https://umashankar-s.medium.com/multicloud-use-case-oke-apps-pods-accessing-aws-resources-using-openid-disovery-8e147500656f) 43 | -------------------------------------------------------------------------------- /docs/src/guide/configuration.md: -------------------------------------------------------------------------------- 1 | # Configuration 2 | 3 | This section assumes you have completed all the [Prerequisites](../gs/prerequisites.md). 4 | 5 | ## Identity 6 | 7 | Enter the values for the following parameters in the terraform.tfvars file (this file will contain credentials, including the path to your API signing private key, so keep it out of version control; this repository's `.gitignore` already excludes `*.tfvars`): 8 | 9 | * api_fingerprint 10 | * api_private_key_path 11 | * compartment_id 12 | * tenancy_id 13 | * user_id 14 | 15 | For example: 16 | 17 | ```properties 18 | api_fingerprint = "1a:bc:23:45:6d:78:e9:f0:gh:ij:kl:m1:23:no:4p:5q" 19 | ``` 20 | 21 | Alternatively, you can also supply these as Terraform environment variables by prefixing the variable name with `TF_VAR_`, e.g. 
22 | 23 | ```shell 24 | export TF_VAR_api_fingerprint="1a:bc:23:45:6d:78:e9:f0:gh:ij:kl:m1:23:no:4p:5q" 25 | ``` 26 | 27 | ## OCI parameters 28 | 29 | The 3 OCI parameters here mainly concern: 30 | 31 | * `compartment_id`: the compartment in which all the resources will be created 32 | * `home_region`: the tenancy's home region, which may differ from the region where the cluster is deployed 33 | * `region`: the region where you want the OKE cluster deployed 34 | 35 | For example: 36 | 37 | ```properties 38 | compartment_id = "ocid1.compartment...." 39 | home_region = "us-phoenix-1" 40 | region = "ap-sydney-1" 41 | ``` 42 | 43 | Both region values are required, as in the example above: 44 | 45 | * home_region: the tenancy's home region. This may be different from the region where you want to create OKE. 46 | * region: the actual region where you want to create the OKE cluster. 47 | 48 | The list of regions can be found [here](https://docs.cloud.oracle.com/iaas/Content/General/Concepts/regions.htm). 49 | -------------------------------------------------------------------------------- /docs/src/guide/deploy.md: -------------------------------------------------------------------------------- 1 | # Deploy the OKE Terraform Module 2 | 3 | ## Prerequisites 4 | * [Required Keys and OCIDs](https://docs.cloud.oracle.com/iaas/Content/API/Concepts/apisigningkey.htm) 5 | * [Required IAM policies](https://docs.cloud.oracle.com/iaas/Content/ContEng/Concepts/contengpolicyconfig.htm#PolicyPrerequisitesService) 6 | * `git`, `ssh` client to run locally 7 | * Terraform `>= 1.2.0` to run locally 8 | 9 | ## Provisioning from an OCI Resource Manager Stack 10 | 11 | ### Network 12 | {{#include ./rms_network.md}} 13 | 14 | ### Cluster 15 | {{#include ./rms_cluster.md}} 16 | 17 | ### Node Pool 18 | {{#include ./rms_nodepool.md}} 19 | 20 | ### Virtual Node Pool 21 | {{#include ./rms_virtualnodepool.md}} 22 | 23 | ### Instance 24 | {{#include ./rms_instance.md}} 25 | 26 | ### Instance Pool 27 | {{#include ./rms_instancepool.md}} 28 | 29 | ### Cluster Network 30 | {{#include 
./rms_clusternetwork.md}} 31 | -------------------------------------------------------------------------------- /docs/src/guide/extensions.md: -------------------------------------------------------------------------------- 1 | # Extensions 2 | 3 | **** 4 | **WARNING:** The following options are provided as a reference for evaluation only, and may install software to the cluster that is not supported by or sourced from Oracle. These features should be enabled with caution as their operation is not guaranteed! 5 | **** 6 | 7 | ## Gatekeeper 8 | 9 | ### Usage 10 | ```javascript 11 | {{#include ../../../examples/extensions/vars-extensions-gatekeeper.auto.tfvars:4:}} 12 | ``` 13 | 14 | ### References 15 | * [Gatekeeper](https://open-policy-agent.github.io/gatekeeper) 16 | * [open-policy-agent/gatekeeper](https://github.com/open-policy-agent/gatekeeper) 17 | 18 | **** 19 | 20 | ## MPI Operator 21 | 22 | ### Usage 23 | ```javascript 24 | {{#include ../../../examples/extensions/vars-extensions-mpi-operator.auto.tfvars:4:}} 25 | ``` 26 | 27 | ### References 28 | * [kubeflow/mpi-operator](https://github.com/kubeflow/mpi-operator) 29 | 30 | **** 31 | -------------------------------------------------------------------------------- /docs/src/guide/extensions_monitoring.md: -------------------------------------------------------------------------------- 1 | # Extensions: Monitoring 2 | 3 | **** 4 | **WARNING:** The following options are provided as a reference for evaluation only, and may install software to the cluster that is not supported by or sourced from Oracle. These features should be enabled with caution as their operation is not guaranteed! 
5 | **** 6 | 7 | ## Metrics Server 8 | 9 | ### Usage 10 | ```javascript 11 | {{#include ../../../examples/extensions/vars-extensions-metrics-server.auto.tfvars:4:}} 12 | ``` 13 | 14 | ### References 15 | * [kubernetes-sigs/metrics-server](https://github.com/kubernetes-sigs/metrics-server) 16 | 17 | **** 18 | 19 | ## Prometheus 20 | 21 | ### Usage 22 | ```javascript 23 | {{#include ../../../examples/extensions/vars-extensions-prometheus.auto.tfvars:4:}} 24 | ``` 25 | 26 | ### References 27 | * [prometheus.io](https://prometheus.io) 28 | * [prometheus-community/kube-prometheus-stack](https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack) 29 | 30 | **** 31 | 32 | ## DCGM Exporter 33 | 34 | ### Usage 35 | ```javascript 36 | {{#include ../../../examples/extensions/vars-extensions-dcgm-exporter.auto.tfvars:4:}} 37 | ``` 38 | 39 | ### References 40 | * [NVIDIA/dcgm-exporter](https://github.com/NVIDIA/dcgm-exporter) 41 | 42 | **** 43 | -------------------------------------------------------------------------------- /docs/src/guide/identity.md: -------------------------------------------------------------------------------- 1 | # Identity 2 | 3 | Optional creation of Identity Dynamic Groups, Policies, and Tags. 
4 | -------------------------------------------------------------------------------- /docs/src/guide/identity_policies.md: -------------------------------------------------------------------------------- 1 | # Identity: Policies 2 | 3 | ## Usage 4 | 5 | ```javascript 6 | {{#include ../../../examples/iam/vars-iam-policies.auto.tfvars:4:}} 7 | ``` 8 | 9 | ## References 10 | 11 | * [Managing Dynamic Groups](https://docs.cloud.oracle.com/iaas/Content/Identity/Tasks/managingdynamicgroups.htm) 12 | * [Managing Policies](https://docs.cloud.oracle.com/iaas/Content/Identity/Tasks/managingpolicies.htm) 13 | * [Policy Configuration for Cluster Creation and Deployment](https://docs.oracle.com/en-us/iaas/Content/ContEng/Concepts/contengpolicyconfig.htm) 14 | * [About Access Control and OCI Kubernetes Engine](https://docs.oracle.com/en-us/iaas/Content/ContEng/Concepts/contengaboutaccesscontrol.htm) 15 | * [KMS](https://docs.cloud.oracle.com/iaas/Content/KeyManagement/Concepts/keyoverview.htm) 16 | -------------------------------------------------------------------------------- /docs/src/guide/identity_tags.md: -------------------------------------------------------------------------------- 1 | # Identity: Tags 2 | 3 | ## Usage 4 | 5 | ```javascript 6 | {{#include ../../../examples/iam/vars-iam-tags.auto.tfvars:4:}} 7 | ``` 8 | 9 | ## References 10 | 11 | * [Tagging Overview](https://docs.oracle.com/en-us/iaas/Content/Tagging/Concepts/taggingoverview.htm) 12 | * [Managing Tags and Tag Namespaces](https://docs.oracle.com/en-us/iaas/Content/Tagging/Tasks/managingtagsandtagnamespaces.htm#workdefined) 13 | -------------------------------------------------------------------------------- /docs/src/guide/loadbalancers.md: -------------------------------------------------------------------------------- 1 | # Load Balancers 2 | 3 | ## Using Dynamic and Flexible Load Balancers 4 | 5 | When you create a service of type LoadBalancer, by default, an OCI Load Balancer with dynamic shape 
100Mbps will be created. 6 | 7 | You can override this shape by using the [OCI Load Balancer Annotations](https://github.com/oracle/oci-cloud-controller-manager/blob/master/docs/load-balancer-annotations.md). To keep using the dynamic shape but change the available total bandwidth to 400Mbps, use the following annotation on your LoadBalancer service: 8 | ```json 9 | service.beta.kubernetes.io/oci-load-balancer-shape: "400Mbps" 10 | ``` 11 | 12 | Configure a `flexible` shape with minimum and maximum bandwidth: 13 | ```json 14 | service.beta.kubernetes.io/oci-load-balancer-shape: "flexible" 15 | service.beta.kubernetes.io/oci-load-balancer-shape-flex-min: 50 16 | service.beta.kubernetes.io/oci-load-balancer-shape-flex-max: 200 17 | ``` 18 | 19 | ## References 20 | 21 | * [Load Balancer Annotations](https://github.com/oracle/oci-cloud-controller-manager/blob/master/docs/load-balancer-annotations.md) 22 | * [Specifying Alternative Load Balancer Shapes](https://docs.oracle.com/en-us/iaas/Content/ContEng/Tasks/contengcreatingloadbalancer.htm#Specifyi) 23 | * [Flexible Load Balancers](https://medium.com/@lmukadam/creating-flexible-oci-load-balancers-with-oke-bd98e0318976) 24 | -------------------------------------------------------------------------------- /docs/src/guide/network.md: -------------------------------------------------------------------------------- 1 | # Network 2 | 3 | Optional creation of VCN subnets, Network Security Groups, NSG Rules, and more. 
4 | 5 | ## Examples 6 | 7 | ### Create Minimal Network Resources 8 | 9 | **TODO**: ../../../examples/network/vars-network-only-minimal.auto.tfvars 10 | 11 | ```javascript 12 | {{#include ../../../examples/network/vars-network.auto.tfvars:4:15:}} 13 | ``` 14 | 15 | ### Create Common Network Resources 16 | 17 | ```javascript 18 | {{#include ../../../examples/network/vars-network.auto.tfvars:4:}} 19 | ``` 20 | 21 | ## References 22 | 23 | * [Terraform VCN Module](https://github.com/oracle-terraform-modules/terraform-oci-vcn) 24 | * [VCNs and Subnets](https://docs.oracle.com/en-us/iaas/Content/Network/Tasks/VCNs.htm) 25 | * [OCI Networking Overview](https://docs.oracle.com/en-us/iaas/Content/Network/Concepts/overview.htm) 26 | * [Internet Gateways](https://docs.oracle.com/en-us/iaas/Content/Network/Tasks/managingIGs.htm) 27 | * [NAT Gateways](https://docs.oracle.com/en-us/iaas/Content/Network/Tasks/NATgateway.htm) 28 | -------------------------------------------------------------------------------- /docs/src/guide/network_nsgs.md: -------------------------------------------------------------------------------- 1 | # Network Security Groups 2 | 3 | Network Security Groups (NSGs) are used to permit network access between the resources created by the module, namely: 4 | * Bastion 5 | * Operator 6 | * Control plane (`cp`) 7 | * Workers 8 | * Pods 9 | * Internal load balancers (`int_lb`) 10 | * Public load balancers (`pub_lb`) 11 | 12 | ## Create new NSGs 13 | ```javascript 14 | {{#include ../../../examples/network/vars-network-nsgs-create.auto.tfvars:4:}} 15 | ``` 16 | 17 | ## Use existing NSGs 18 | ```javascript 19 | {{#include ../../../examples/network/vars-network-nsgs-existing.auto.tfvars:4:}} 20 | ``` 21 | 22 | ## References 23 | 24 | * [OCI Networking Overview](https://docs.oracle.com/en-us/iaas/Content/Network/Concepts/overview.htm) 25 | * [Security Rule Configuration in Network Security 
Groups](https://docs.oracle.com/en-us/iaas/Content/ContEng/Concepts/contengnetworkconfig.htm#securitylistconfig) 26 | -------------------------------------------------------------------------------- /docs/src/guide/network_subnets.md: -------------------------------------------------------------------------------- 1 | # Subnets 2 | 3 | Subnets are created for core components managed within the module, namely: 4 | * Bastion 5 | * Operator 6 | * Control plane (`cp`) 7 | * Workers 8 | * Pods 9 | * Internal load balancers (`int_lb`) 10 | * Public load balancers (`pub_lb`) 11 | 12 | ## Create new subnets (automatic) 13 | 14 | ```javascript 15 | {{#include ../../../examples/network/vars-network-subnets-create.auto.tfvars:4:}} 16 | ``` 17 | 18 | ## Create new subnets (forced) 19 | 20 | ```javascript 21 | {{#include ../../../examples/network/vars-network-subnets-create-force.auto.tfvars:4:}} 22 | ``` 23 | 24 | ## Create new subnets (CIDR notation) 25 | 26 | ```javascript 27 | {{#include ../../../examples/network/vars-network-subnets-create-cidr.auto.tfvars:4:}} 28 | ``` 29 | 30 | ## Create new subnets with IPv4 and IPv6 (CIDR notation) 31 | 32 | ```javascript 33 | {{#include ../../../examples/network/vars-network-subnets-create-cidr-ipv4-and-ipv6.tfvars:4:}} 34 | ``` 35 | 36 | ## Use existing subnets 37 | 38 | ```javascript 39 | {{#include ../../../examples/network/vars-network-subnets-existing.auto.tfvars:4:}} 40 | ``` 41 | 42 | ## References 43 | 44 | * [OCI Networking Overview](https://docs.oracle.com/en-us/iaas/Content/Network/Concepts/overview.htm) 45 | * [VCNs and Subnets](https://docs.oracle.com/en-us/iaas/Content/Network/Tasks/VCNs.htm) 46 | * Terraform [cidrsubnets](https://developer.hashicorp.com/terraform/language/functions/cidrsubnets) function 47 | -------------------------------------------------------------------------------- /docs/src/guide/operator.md: -------------------------------------------------------------------------------- 1 | # Operator 2 | 3 | 
The operator instance provides an optional environment within the VCN from which the OKE cluster can be managed. 4 | 5 | The operator host parameters concern: 6 | 1. whether you want to enable the operator 7 | 1. from where you can access the operator 8 | 1. the parameters of the operator host, e.g. shape, image id, etc. 9 | 10 | ### Example usage 11 | ```javascript 12 | {{#include ../../../examples/operator/vars-operator.auto.tfvars:4:}} 13 | ``` 14 | -------------------------------------------------------------------------------- /docs/src/guide/operator_cloudinit.md: -------------------------------------------------------------------------------- 1 | # Operator: Cloud-Init 2 | 3 | Custom actions may be configured on instance startup in a number of ways depending on the use-case and preferences. 4 | 5 | See also: 6 | * [`template_cloudinit_config`](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/cloudinit_config.html) 7 | * [User data formats](https://cloudinit.readthedocs.io/en/latest/explanation/format.html#mime-multi-part-archive) 8 | * [Module reference](https://cloudinit.readthedocs.io/en/latest/reference/modules.html) 9 | 10 | Cloud init configuration applied to the operator host: 11 | ```javascript 12 | {{#include ../../../examples/operator/vars-operator-cloudinit.auto.tfvars:4:}} 13 | ``` 14 | -------------------------------------------------------------------------------- /docs/src/guide/operator_ssh.md: -------------------------------------------------------------------------------- 1 | # Operator: SSH 2 | 3 | Command usage for `ssh` through the created bastion to the operator host is included in the module's output: 4 | ```shell 5 | $ terraform output 6 | cluster = { 7 | "bastion_public_ip" = "138.0.0.1" 8 | "ssh_to_operator" = "ssh -J opc@138.0.0.1 opc@10.0.0.16" 9 | ... 
10 | } 11 | 12 | $ ssh -J opc@138.0.0.1 opc@10.0.0.16 kubectl get nodes 13 | NAME STATUS ROLES AGE VERSION 14 | 10.1.48.175 Ready node 7d10h v1.25.6 15 | 10.1.50.102 Ready node 3h12m v1.25.6 16 | 10.1.52.76 Ready node 7d10h v1.25.6 17 | 10.1.54.237 Ready node 5h41m v1.25.6 18 | 10.1.58.74 Ready node 5h22m v1.25.4 19 | 10.1.62.90 Ready node 3h12m v1.25.6 20 | ``` 21 | -------------------------------------------------------------------------------- /docs/src/guide/releases.md: -------------------------------------------------------------------------------- 1 | # Version 5.x 2 | 3 | ## Summary 4 | * Improved config flexibility, e.g.: 5 | * All resources in same tfstate 6 | * Identity resources only/enabled individually 7 | * Network resources only/enabled individually 8 | * Cluster with existing network VCN/subnets/NSGs 9 | * Cluster & isolated NSGs with existing network VCN/subnets 10 | * Workers with existing cluster/network 11 | * Workers with tag-based group/policy for Cluster Autoscaler, ... 
12 | * Operator with existing cluster & group/policy for cluster access 13 | * **Workers:** resource type configuration (Self-Managed, Virtual) 14 | * `mode="node-pool"` 15 | * ***New*** `mode="virtual-node-pool"` 16 | * ***New*** `mode="instance"` 17 | * ***New*** `mode="instance-pool"` 18 | * ***New*** `mode="cluster-network"` 19 | * **Workers:** merge/override global & pool-specific for most inputs 20 | * **Network:** Referential NSG security rule definitions 21 | * Sub-module refactor 22 | * `iam`: Dynamic groups, policies, defined tags 23 | * `network`: VCN, subnets, NSGs, DRGs 24 | * `bastion`: Bastion host for external VCN access 25 | * `cluster`: OKE managed Kubernetes cluster 26 | * `workers`: Compute pools for cluster workloads with configurable resource types 27 | * `operator`: Operator instance with access to the OKE cluster endpoint 28 | * `utilities`: Additional automation for cluster operations performed by the module 29 | * `extensions`: Optional cluster software for evaluation 30 | 31 | ## Status 32 | 33 | `Pre-release / Beta` 34 | 35 | Core features of the module are working. 36 | 37 | Some features under `utilities` need re-implementation/testing: 38 | * OCIR 39 | * Worker pool `drain` 40 | 41 | Documentation in progress. 42 | 43 | ## Breaking changes 44 | * Input variables 45 | * **Pending** 46 | 47 | ## Migration 48 | **Pending** 49 | 50 | # Version 4.x 51 | 52 | ## Summary 53 | * ...? 54 | 55 | ## Status 56 | 57 | `Released` 58 | 59 | This is the latest supported version of the module. 
60 | 61 | ## Migration 62 | **Pending** 63 | 64 | # Version 3.x 65 | ## Summary 66 | 67 | ## Status 68 | `Maintenance` 69 | 70 | ## Migration 71 | **Pending** 72 | 73 | # Version 2.x 74 | ## Status 75 | `Maintenance` 76 | 77 | # Version 1.x 78 | ## Status 79 | `Unsupported` 80 | -------------------------------------------------------------------------------- /docs/src/guide/rms_cluster.md: -------------------------------------------------------------------------------- 1 | [![Deploy to Oracle Cloud](https://oci-resourcemanager-plugin.plugins.oci.oraclecloud.com/latest/deploy-to-oracle-cloud.svg)](https://cloud.oracle.com/resourcemanager/stacks/create?zipUrl=https://objectstorage.ap-osaka-1.oraclecloud.com/p/Q6OAh5KR9V1vjHZpj0o_ZjI0nzcpejV5xYG_qwrv1F5Vx8EH6JlXtjiqjj3Bilow/n/hpc_limited_availability/b/tfoke/o/oke-cluster-only.zip&zipUrlVariables={"cluster_name":"oke-cluster","create_vcn":false,"create_nsgs":false,"create_bastion":false,"worker_subnet_create":"Never","control_plane_subnet_create":"Never","operator_subnet_create":"Never","bastion_subnet_create":"Never","pod_subnet_create":"Never","int_lb_subnet_create":"Never","pub_lb_subnet_create":"Never"}) 2 | 3 |

4 | An OKE-managed Kubernetes cluster. 5 |

6 | 7 | The following resources may be created depending on provided configuration: 8 | * core_network_security_group 9 | * core_network_security_group_security_rule 10 | * core_instance (operator) 11 | * containerengine_cluster 12 | -------------------------------------------------------------------------------- /docs/src/guide/rms_clusternetwork.md: -------------------------------------------------------------------------------- 1 | [![Deploy to Oracle Cloud](https://oci-resourcemanager-plugin.plugins.oci.oraclecloud.com/latest/deploy-to-oracle-cloud.svg)](https://cloud.oracle.com/resourcemanager/stacks/create?zipUrl=https://objectstorage.ap-osaka-1.oraclecloud.com/p/Q6OAh5KR9V1vjHZpj0o_ZjI0nzcpejV5xYG_qwrv1F5Vx8EH6JlXtjiqjj3Bilow/n/hpc_limited_availability/b/tfoke/o/oke-workers-only.zip&zipUrlVariables={"worker_pool_mode":"Cluster%20Network","worker_pool_name":"oke-cluster-network","worker_shape":"BM.GPU.B4.8","worker_boot_volume_size":"200"}) 2 | 3 |

4 | A self-managed HPC Cluster Network. 5 | 6 | Configured with `mode = "cluster-network"` on a `worker_pools` entry, or with `worker_pool_mode = "cluster-network"` to use as the default for all pools unless otherwise specified. 7 |

8 | 9 | The following resources may be created depending on provided configuration: 10 | * identity_dynamic_group (workers) 11 | * identity_policy (JoinCluster) 12 | * core_instance_configuration 13 | * core_cluster_network 14 | -------------------------------------------------------------------------------- /docs/src/guide/rms_instance.md: -------------------------------------------------------------------------------- 1 | [![Deploy to Oracle Cloud](https://oci-resourcemanager-plugin.plugins.oci.oraclecloud.com/latest/deploy-to-oracle-cloud.svg)](https://cloud.oracle.com/resourcemanager/stacks/create?zipUrl=https://objectstorage.ap-osaka-1.oraclecloud.com/p/Q6OAh5KR9V1vjHZpj0o_ZjI0nzcpejV5xYG_qwrv1F5Vx8EH6JlXtjiqjj3Bilow/n/hpc_limited_availability/b/tfoke/o/oke-workers-only.zip&zipUrlVariables={"worker_pool_mode":"Instances","worker_pool_name":"oke-instances"}) 2 | 3 |

4 | A set of self-managed Compute Instances for custom user-provisioned worker nodes not managed by an OCI pool, but individually by Terraform. 5 | 6 | Configured with `mode = "instance"` on a `worker_pools` entry, or with `worker_pool_mode = "instance"` to use as the default for all pools unless otherwise specified. 7 |

8 | 9 | The following resources may be created depending on provided configuration: 10 | * identity_dynamic_group (workers) 11 | * identity_policy (JoinCluster) 12 | * core_instance 13 | -------------------------------------------------------------------------------- /docs/src/guide/rms_instancepool.md: -------------------------------------------------------------------------------- 1 | [![Deploy to Oracle Cloud](https://oci-resourcemanager-plugin.plugins.oci.oraclecloud.com/latest/deploy-to-oracle-cloud.svg)](https://cloud.oracle.com/resourcemanager/stacks/create?zipUrl=https://objectstorage.ap-osaka-1.oraclecloud.com/p/Q6OAh5KR9V1vjHZpj0o_ZjI0nzcpejV5xYG_qwrv1F5Vx8EH6JlXtjiqjj3Bilow/n/hpc_limited_availability/b/tfoke/o/oke-workers-only.zip&zipUrlVariables={"worker_pool_mode":"Instance%20Pool","worker_pool_name":"oke-instance-pool"}) 2 | 3 |

4 | A self-managed Compute Instance Pool for custom user-provisioned worker nodes. 5 | 6 | Configured with `mode = "instance-pool"` on a `worker_pools` entry, or with `worker_pool_mode = "instance-pool"` to use as the default for all pools unless otherwise specified. 7 |

8 | 9 | The following resources may be created depending on provided configuration: 10 | * identity_dynamic_group (workers) 11 | * identity_policy (JoinCluster) 12 | * core_instance_configuration 13 | * core_instance_pool 14 | -------------------------------------------------------------------------------- /docs/src/guide/rms_network.md: -------------------------------------------------------------------------------- 1 | [![Deploy to Oracle Cloud](https://oci-resourcemanager-plugin.plugins.oci.oraclecloud.com/latest/deploy-to-oracle-cloud.svg)](https://cloud.oracle.com/resourcemanager/stacks/create?zipUrl=https://objectstorage.ap-osaka-1.oraclecloud.com/p/Q6OAh5KR9V1vjHZpj0o_ZjI0nzcpejV5xYG_qwrv1F5Vx8EH6JlXtjiqjj3Bilow/n/hpc_limited_availability/b/tfoke/o/oke-network-only.zip) 2 | 3 |

4 | Network resources configured for an OKE cluster. 5 |

6 | 7 | The following resources may be created depending on provided configuration: 8 | * core_vcn 9 | * core_nat_gateway 10 | * core_internet_gateway 11 | * core_subnet 12 | * core_instance (bastion) 13 | -------------------------------------------------------------------------------- /docs/src/guide/rms_nodepool.md: -------------------------------------------------------------------------------- 1 | [![Deploy to Oracle Cloud](https://oci-resourcemanager-plugin.plugins.oci.oraclecloud.com/latest/deploy-to-oracle-cloud.svg)](https://cloud.oracle.com/resourcemanager/stacks/create?zipUrl=https://objectstorage.ap-osaka-1.oraclecloud.com/p/Q6OAh5KR9V1vjHZpj0o_ZjI0nzcpejV5xYG_qwrv1F5Vx8EH6JlXtjiqjj3Bilow/n/hpc_limited_availability/b/tfoke/o/oke-workers-only.zip&zipUrlVariables={"worker_pool_mode":"Node%20Pool","worker_pool_name":"oke-node-pool"}) 2 | 3 |

4 | A standard OKE-managed pool of worker nodes with enhanced feature support. 5 | 6 | Configured with `mode = "node-pool"` on a `worker_pools` entry, or with `worker_pool_mode = "node-pool"` to use as the default for all pools unless otherwise specified. 7 |

8 | 9 | You can set the `image_type` attribute to one of the following values: 10 | - `oke` (default) 11 | - `platform` 12 | - `custom`. 13 | 14 | When the `image_type` is equal to `oke` or `platform` there is a high risk for the node-pool image to be updated on subsequent `terraform apply` executions because the module is using a [datasource](https://registry.terraform.io/providers/oracle/oci/latest/docs/data-sources/containerengine_node_pool_option) to fetch the latest images available. 15 | 16 | To avoid this situation, you can set the `image_type` to `custom` and the `image_id` to the OCID of the image you want to use for the node-pool. 17 | 18 | The following resources may be created depending on provided configuration: 19 | * containerengine_node_pool 20 | -------------------------------------------------------------------------------- /docs/src/guide/rms_virtualnodepool.md: -------------------------------------------------------------------------------- 1 | [![Deploy to Oracle Cloud](https://oci-resourcemanager-plugin.plugins.oci.oraclecloud.com/latest/deploy-to-oracle-cloud.svg)](https://cloud.oracle.com/resourcemanager/stacks/create?zipUrl=https://objectstorage.ap-osaka-1.oraclecloud.com/p/Q6OAh5KR9V1vjHZpj0o_ZjI0nzcpejV5xYG_qwrv1F5Vx8EH6JlXtjiqjj3Bilow/n/hpc_limited_availability/b/tfoke/o/oke-workers-only.zip&zipUrlVariables={"worker_pool_mode":"Virtual%20Node%20Pool","worker_pool_name":"oke-virtual-node-pool"}) 2 | 3 |

4 | An OKE-managed Virtual Node Pool. 5 | 6 | Configured with `mode = "virtual-node-pool"` on a `worker_pools` entry, or with `worker_pool_mode = "virtual-node-pool"` to use as the default for all pools unless otherwise specified. 7 |

8 | 9 | The following resources may be created depending on provided configuration: 10 | * containerengine_virtual_node_pool 11 | -------------------------------------------------------------------------------- /docs/src/guide/ssh.md: -------------------------------------------------------------------------------- 1 | # SSH 2 | 3 | See also: 4 | * [Connecting to Your Linux Instance Using SSH](https://docs.oracle.com/en-us/iaas/Content/GSG/Tasks/testingconnection.htm#connecting) 5 | * [Log In to a VM Using SSH](https://docs.oracle.com/en/cloud/cloud-at-customer/occ-get-started/log-vm-using-ssh.html) 6 | 7 | ## Configure SSH 8 | 9 | SSH keys must be configured for access to instances through the bastion host: 10 | ```properties 11 | ssh_private_key_path = "~/.ssh/id_rsa" 12 | ssh_public_key_path = "~/.ssh/id_rsa.pub" 13 | ``` 14 | 15 | Private keys may also be managed by the SSH agent: 16 | ```shell 17 | ssh-add -L # show current keys 18 | chmod 600 ~/.ssh/id_rsa # ensure correct permissions on the private key 19 | ssh-add # add private key 20 | ssh -J opc@bastion opc@target # `-i ` not needed 21 | ``` 22 | 23 | **TODO:** Add content 24 | -------------------------------------------------------------------------------- /docs/src/guide/storage.md: -------------------------------------------------------------------------------- 1 | # Storage 2 | 3 | ## PVCs 4 | 5 | ## Local 6 | 7 | ## File Storage Service (FSS) 8 | 9 | **NOTE:** Pending validation for 5.x, CSI 10 | 11 | **Resources:** 12 | * [oci_file_storage_export](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/file_storage_export) 13 | * [oci_file_storage_export_set](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/file_storage_export_set) 14 | * [oci_file_storage_file_system](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/file_storage_file_system) 15 | * 
[oci_file_storage_mount_target](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/file_storage_mount_target) 16 | 17 | The File Storage service instance will be created in a separate subnet with access configured using a network security group. 18 | 19 | You can then review the following documentation for creating a persistent volume claim and persistent volume using File Storage. 20 | 21 | Refer to [Provisioning PVCs on the File Storage Service](https://docs.oracle.com/en-us/iaas/Content/ContEng/Tasks/contengcreatingpersistentvolumeclaim_Provisioning_PVCs_on_FSS.htm) for more information. 22 | 23 | **CAUTION:** Running `terraform destroy` will remove the file system storage created using Terraform. Ensure you have taken any necessary backups beforehand. 24 | -------------------------------------------------------------------------------- /docs/src/guide/ug.md: -------------------------------------------------------------------------------- 1 | # User Guide 2 | 3 | {{#include ../SUMMARY.md:6:42:}} 4 | -------------------------------------------------------------------------------- /docs/src/guide/workers.md: -------------------------------------------------------------------------------- 1 | # Workers 2 | 3 | The `worker_pools` input defines worker node configuration for the cluster. 4 | 5 | Many of the global configuration values below may be overridden on each pool definition or omitted for defaults, with the `worker_` or `worker_pool_` variable prefix removed, e.g. `worker_image_id` overridden with `image_id`. 
6 | 7 | For example: 8 | ```javascript 9 | {{#include ../../../examples/workers/vars-workers-basic.auto.tfvars:4:}} 10 | ``` 11 | -------------------------------------------------------------------------------- /docs/src/guide/workers_cloudinit.md: -------------------------------------------------------------------------------- 1 | # Workers: Cloud-Init 2 | 3 | Custom actions may be configured on instance startup in a number of ways depending on the use-case and preferences. 4 | 5 | See also: 6 | * [`template_cloudinit_config`](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/cloudinit_config.html) 7 | * [User data formats](https://cloudinit.readthedocs.io/en/latest/explanation/format.html#mime-multi-part-archive) 8 | * [Module reference](https://cloudinit.readthedocs.io/en/latest/reference/modules.html) 9 | 10 | ## Global 11 | 12 | Cloud init configuration applied to all workers: 13 | ```javascript 14 | {{#include ../../../examples/workers/vars-workers-cloudinit-global.auto.tfvars:4:}} 15 | ``` 16 | 17 | ## Pool-specific 18 | 19 | Cloud init configuration applied to a specific worker pool: 20 | ```javascript 21 | {{#include ../../../examples/workers/vars-workers-cloudinit-pool.auto.tfvars:4:}} 22 | ``` 23 | 24 | ## Default Cloud-Init Disabled 25 | 26 | When providing a custom script that calls OKE initialization: 27 | ```properties 28 | worker_disable_default_cloud_init = true 29 | ``` 30 | -------------------------------------------------------------------------------- /docs/src/guide/workers_image.md: -------------------------------------------------------------------------------- 1 | # Workers: Image 2 | 3 | The operating system image for worker nodes may be defined both globally and on each worker pool. 
4 | 5 | **Recommended base images:** 6 | * [OKE Oracle Linux 7](https://docs.oracle.com/en-us/iaas/images/oke-worker-node-oracle-linux-7.x) 7 | * [OKE Oracle Linux 8](https://docs.oracle.com/en-us/iaas/images/oke-worker-node-oracle-linux-8.x) 8 | -------------------------------------------------------------------------------- /docs/src/guide/workers_mode.md: -------------------------------------------------------------------------------- 1 | # Workers: Mode 2 | 3 | The `mode` parameter controls the type of resources provisioned in OCI for OKE worker nodes. 4 | -------------------------------------------------------------------------------- /docs/src/guide/workers_mode_clusternetwork.md: -------------------------------------------------------------------------------- 1 | # Workers / Mode: Cluster Network 2 | 3 | {{#include ./rms_clusternetwork.md}} 4 | 5 | ## Usage 6 | 7 | ```javascript 8 | {{#include ../../../examples/workers/vars-workers-clusternetwork.auto.tfvars:4:}} 9 | ``` 10 | 11 | Instance agent configuration: 12 | ```javascript 13 | {{#include ../../../examples/workers/vars-workers-agent.auto.tfvars:4:}} 14 | ``` 15 | 16 | ## References 17 | * [Cluster Networks with Instance Pools](https://docs.oracle.com/en-us/iaas/Content/Compute/Tasks/managingclusternetworks.htm#Managing_Cluster_Networks) 18 | * [Large Clusters, Lowest Latency: Cluster Networking on Oracle Cloud Infrastructure](https://blogs.oracle.com/cloud-infrastructure/post/large-clusters-lowest-latency-cluster-networking-on-oracle-cloud-infrastructure) 19 | * [First principles: Building a high-performance network in the public cloud](https://blogs.oracle.com/cloud-infrastructure/post/building-high-performance-network-in-the-cloud) 20 | * [Running Applications on Oracle Cloud Using Cluster Networking](https://blogs.oracle.com/cloud-infrastructure/post/running-applications-on-oracle-cloud-using-cluster-networking) 21 | -------------------------------------------------------------------------------- 
/docs/src/guide/workers_mode_computecluster.md: -------------------------------------------------------------------------------- 1 | # Workers / Mode: Compute Clusters 2 | 3 |

4 | 5 | Create self-managed HPC Compute Clusters. 6 | 7 | A compute cluster is a group of high performance computing (HPC), GPU, or optimized instances that are connected with a high-bandwidth, ultra low-latency network. 8 | 9 | [Supported shapes](https://docs.oracle.com/en-us/iaas/Content/Compute/Tasks/compute-clusters.htm#compute-cluster-shapes): 10 | * BM.GPU.A100-v2.8 11 | * BM.GPU.H100.8 12 | * BM.GPU4.8 13 | * BM.HPC2.36 14 | * BM.Optimized3.36 15 | 16 | Configured with `mode = "compute-cluster"` on a `worker_pools` entry, or with `worker_pool_mode = "compute-cluster"` to use as the default for all pools unless otherwise specified. 17 |

18 | 19 | Compute clusters shared by multiple worker groups must be created using the variable `worker_compute_clusters` and should be referenced by the key in the `compute_cluster` attribute of the worker group. 20 | If `worker_compute_clusters` is not specified, the module will create one compute cluster for each worker group. 21 | 22 | ## Usage 23 | 24 | ```javascript 25 | {{#include ../../../examples/workers/vars-workers-computecluster.auto.tfvars:4:}} 26 | ``` 27 | 28 | Instance agent configuration: 29 | ```javascript 30 | {{#include ../../../examples/workers/vars-workers-agent.auto.tfvars:4:}} 31 | ``` 32 | 33 | ## References 34 | * [Compute Clusters](https://docs.oracle.com/en-us/iaas/Content/Compute/Tasks/compute-clusters.htm) 35 | * [Large Clusters, Lowest Latency: Cluster Networking on Oracle Cloud Infrastructure](https://blogs.oracle.com/cloud-infrastructure/post/large-clusters-lowest-latency-cluster-networking-on-oracle-cloud-infrastructure) 36 | * [First principles: Building a high-performance network in the public cloud](https://blogs.oracle.com/cloud-infrastructure/post/building-high-performance-network-in-the-cloud) 37 | * [Running Applications on Oracle Cloud Using Cluster Networking](https://blogs.oracle.com/cloud-infrastructure/post/running-applications-on-oracle-cloud-using-cluster-networking) 38 | -------------------------------------------------------------------------------- /docs/src/guide/workers_mode_instance.md: -------------------------------------------------------------------------------- 1 | # Workers / Mode: Instance 2 | 3 | {{#include ./rms_instance.md}} 4 | 5 | ## Usage 6 | 7 | ```javascript 8 | {{#include ../../../examples/workers/vars-workers-instance.auto.tfvars:4:}} 9 | ``` 10 | 11 | Instance agent configuration: 12 | ```javascript 13 | {{#include ../../../examples/workers/vars-workers-agent.auto.tfvars:4:}} 14 | ``` 15 | 16 | ## References 17 | * [Creating an 
Instance](https://docs.oracle.com/en-us/iaas/Content/Compute/Tasks/launchinginstance.htm) 18 | -------------------------------------------------------------------------------- /docs/src/guide/workers_mode_instancepool.md: -------------------------------------------------------------------------------- 1 | # Workers / Mode: Instance Pool 2 | 3 | {{#include ./rms_instancepool.md}} 4 | 5 | ## Usage 6 | 7 | ```javascript 8 | {{#include ../../../examples/workers/vars-workers-instancepool.auto.tfvars:4:}} 9 | ``` 10 | 11 | Instance agent configuration: 12 | ```javascript 13 | {{#include ../../../examples/workers/vars-workers-agent.auto.tfvars:4:}} 14 | ``` 15 | 16 | ## References 17 | * [Using Instance Configurations and Instance Pools](https://docs.oracle.com/en-us/iaas/Content/Compute/Concepts/instancemanagement.htm) 18 | -------------------------------------------------------------------------------- /docs/src/guide/workers_mode_nodepool.md: -------------------------------------------------------------------------------- 1 | # Workers / Mode: Node Pool 2 | 3 | {{#include ./rms_nodepool.md}} 4 | 5 | ## Usage 6 | 7 | ```javascript 8 | {{#include ../../../examples/workers/vars-workers-nodepool.auto.tfvars:4:}} 9 | ``` 10 | 11 | ## References 12 | * [oci_containerengine_node_pool](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/containerengine_node_pool) 13 | * [Modifying Node Pool and Worker Node Properties](https://docs.oracle.com/en-us/iaas/Content/ContEng/Tasks/contengmodifyingnodepool.htm) 14 | * [Adding and Removing Node Pools](https://docs.oracle.com/en-us/iaas/Content/ContEng/Tasks/contengscalingclusters.htm) 15 | -------------------------------------------------------------------------------- /docs/src/guide/workers_mode_virtualnodepool.md: -------------------------------------------------------------------------------- 1 | # Workers / Mode: Virtual Node Pool 2 | 3 | {{#include ./rms_virtualnodepool.md}} 4 | 5 | ## Usage 6 | 7 | 
```javascript 8 | {{#include ../../../examples/workers/vars-workers-virtualnodepool.auto.tfvars:4:}} 9 | ``` 10 | 11 | ## References 12 | * [containerengine_virtual_node_pool](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/containerengine_virtual_node_pool) 13 | * [Working with Virtual Nodes](https://docs.oracle.com/en-us/iaas/Content/ContEng/Tasks/contengworkingwithvirtualnodes.htm) 14 | -------------------------------------------------------------------------------- /docs/src/guide/workers_network.md: -------------------------------------------------------------------------------- 1 | # Workers: Network 2 | 3 | ## Subnets 4 | ```javascript 5 | {{#include ../../../examples/workers/vars-workers-network-subnets.auto.tfvars:4:}} 6 | ``` 7 | 8 | ## Network Security Groups 9 | ```javascript 10 | {{#include ../../../examples/workers/vars-workers-network-nsgs.auto.tfvars:4:}} 11 | ``` 12 | 13 | ## Secondary VNICs 14 | On pools with a self-managed `mode`: 15 | ```javascript 16 | {{#include ../../../examples/workers/vars-workers-network-vnics.auto.tfvars:4:}} 17 | ``` 18 | -------------------------------------------------------------------------------- /docs/src/guide/workers_scaling.md: -------------------------------------------------------------------------------- 1 | # Workers: Scaling 2 | 3 | There are two easy ways to add worker nodes to a cluster: 4 | * Add entries to `worker_pools`. 5 | * Increase the `size` of a `worker_pools` entry. 6 | 7 | Worker pools can be added and removed, and their size and boot volume size can be updated. After each change, run `terraform apply`. 8 | 9 | Scaling changes to the number and size of pools take effect immediately after changing the parameters and running `terraform apply`. Changes to the boot volume size only take effect on nodes created _after_ the change is completed; existing nodes keep their current boot volume size. 10 | 11 | ## Autoscaling 12 | 13 | See [Extensions/Cluster Autoscaler](../guide/extensions_cluster_autoscaler.md). 
14 | 15 | ## Examples 16 | 17 | -------------------------------------------------------------------------------- /docs/src/guide/workers_storage.md: -------------------------------------------------------------------------------- 1 | # Workers: Storage 2 | 3 | **TODO** 4 | -------------------------------------------------------------------------------- /docs/src/images/bastion.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/oracle-terraform-modules/terraform-oci-oke/1d24463695e7f6cc2e4a09882b55581bd1e69946/docs/src/images/bastion.png -------------------------------------------------------------------------------- /docs/src/images/defaultmad.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/oracle-terraform-modules/terraform-oci-oke/1d24463695e7f6cc2e4a09882b55581bd1e69946/docs/src/images/defaultmad.png -------------------------------------------------------------------------------- /docs/src/images/defaultsad.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/oracle-terraform-modules/terraform-oci-oke/1d24463695e7f6cc2e4a09882b55581bd1e69946/docs/src/images/defaultsad.png -------------------------------------------------------------------------------- /docs/src/images/mixedarch.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/oracle-terraform-modules/terraform-oci-oke/1d24463695e7f6cc2e4a09882b55581bd1e69946/docs/src/images/mixedarch.png -------------------------------------------------------------------------------- /docs/src/images/mixedworkload.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/oracle-terraform-modules/terraform-oci-oke/1d24463695e7f6cc2e4a09882b55581bd1e69946/docs/src/images/mixedworkload.png 
-------------------------------------------------------------------------------- /docs/src/images/networking.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/oracle-terraform-modules/terraform-oci-oke/1d24463695e7f6cc2e4a09882b55581bd1e69946/docs/src/images/networking.png -------------------------------------------------------------------------------- /docs/src/images/np311.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/oracle-terraform-modules/terraform-oci-oke/1d24463695e7f6cc2e4a09882b55581bd1e69946/docs/src/images/np311.png -------------------------------------------------------------------------------- /docs/src/images/np312.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/oracle-terraform-modules/terraform-oci-oke/1d24463695e7f6cc2e4a09882b55581bd1e69946/docs/src/images/np312.png -------------------------------------------------------------------------------- /docs/src/images/np351.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/oracle-terraform-modules/terraform-oci-oke/1d24463695e7f6cc2e4a09882b55581bd1e69946/docs/src/images/np351.png -------------------------------------------------------------------------------- /docs/src/images/oidc-discovery.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/oracle-terraform-modules/terraform-oci-oke/1d24463695e7f6cc2e4a09882b55581bd1e69946/docs/src/images/oidc-discovery.png -------------------------------------------------------------------------------- /docs/src/images/privatecluster.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/oracle-terraform-modules/terraform-oci-oke/1d24463695e7f6cc2e4a09882b55581bd1e69946/docs/src/images/privatecluster.png -------------------------------------------------------------------------------- /docs/src/images/privatelbs.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/oracle-terraform-modules/terraform-oci-oke/1d24463695e7f6cc2e4a09882b55581bd1e69946/docs/src/images/privatelbs.png -------------------------------------------------------------------------------- /docs/src/images/privateworkers.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/oracle-terraform-modules/terraform-oci-oke/1d24463695e7f6cc2e4a09882b55581bd1e69946/docs/src/images/privateworkers.png -------------------------------------------------------------------------------- /docs/src/images/publiccluster.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/oracle-terraform-modules/terraform-oci-oke/1d24463695e7f6cc2e4a09882b55581bd1e69946/docs/src/images/publiccluster.png -------------------------------------------------------------------------------- /docs/src/images/publicworkers.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/oracle-terraform-modules/terraform-oci-oke/1d24463695e7f6cc2e4a09882b55581bd1e69946/docs/src/images/publicworkers.png -------------------------------------------------------------------------------- /docs/src/intro.md: -------------------------------------------------------------------------------- 1 | # Reference 2 | -------------------------------------------------------------------------------- /docs/src/support.md: -------------------------------------------------------------------------------- 1 | # Support 2 | 3 | ## [Report an 
issue](https://github.com/oracle-terraform-modules/terraform-oci-oke/issues/new/choose) 4 | -------------------------------------------------------------------------------- /docs/tfdocs-all.yml: -------------------------------------------------------------------------------- 1 | sections: 2 | show: [all] 3 | 4 | output: 5 | file: "./README.md" 6 | mode: inject 7 | 8 | sort: 9 | enabled: true 10 | by: type 11 | 12 | settings: 13 | hide-empty: true 14 | indent: 2 15 | -------------------------------------------------------------------------------- /docs/tfdocs-inputs.yml: -------------------------------------------------------------------------------- 1 | sections: 2 | show: ["inputs"] 3 | 4 | content: |- 5 | | Name | Description | Type | Default | Required | 6 | |------|-------------|------|---------|:--------:| 7 | {{- range .Module.Inputs }} 8 | | {{ anchorNameMarkdown "input" .Name -}} 9 | | {{ tostring .Description | sanitizeMarkdownTbl -}} 10 | | {{ printf " " }}{{ printf "%s" (tostring .Type | sanitizeMarkdownTbl) -}} 11 | | {{ printf " " }}{{ printf "%s" (.GetValue | sanitizeMarkdownTbl) -}} 12 | | {{ printf " " }}{{ ternary .Required "yes" "no" -}} | 13 | {{- end }} 14 | 15 | sort: 16 | enabled: true 17 | by: type 18 | 19 | settings: 20 | hide-empty: true 21 | indent: 2 22 | -------------------------------------------------------------------------------- /docs/tfdocs-outputs.yml: -------------------------------------------------------------------------------- 1 | sections: 2 | show: ["outputs"] 3 | 4 | content: |- 5 | {{- range .Module.Outputs }} 6 | * **`{{ .Name }}`**   {{ .Description -}} 7 | {{- end }} 8 | -------------------------------------------------------------------------------- /docs/tfdocs-resources.yml: -------------------------------------------------------------------------------- 1 | sections: 2 | show: ["resources"] 3 | 4 | content: |- 5 | {{- range .Module.Resources }} 6 | {{- $isResource := and $.Config.Sections.Resources ( eq "resource" 
(printf "%s" .GetMode)) }} 7 | {{- $isDataResource := and $.Config.Sections.DataSources ( eq "data source" (printf "%s" .GetMode)) }} 8 | {{- if or $isResource $isDataResource }} 9 | {{- $fullspec := ternary .URL (printf "[%s](%s)" .Spec .URL) .Spec }} 10 | * {{ $fullspec }} 11 | {{- end }} 12 | {{- end }} 13 | -------------------------------------------------------------------------------- /docs/theme/pagetoc.css: -------------------------------------------------------------------------------- 1 | @media only screen and (max-width:1439px) { 2 | .sidetoc { 3 | display: none; 4 | } 5 | } 6 | 7 | @media only screen and (min-width:1440px) { 8 | main { 9 | position: relative; 10 | } 11 | .sidetoc { 12 | margin-left: auto; 13 | margin-right: auto; 14 | left: calc(100% + (var(--content-max-width))/4 - 140px); 15 | position: absolute; 16 | } 17 | .pagetoc { 18 | position: fixed; 19 | width: 200px; 20 | height: calc(100vh - var(--menu-bar-height) - 0.67em * 4); 21 | overflow: auto; 22 | } 23 | .pagetoc a { 24 | border-left: 1px solid var(--sidebar-bg); 25 | color: var(--fg) !important; 26 | display: block; 27 | padding-bottom: 5px; 28 | padding-top: 5px; 29 | padding-left: 10px; 30 | text-align: left; 31 | text-decoration: none; 32 | } 33 | .pagetoc a:hover, 34 | .pagetoc a.active { 35 | background: var(--sidebar-bg); 36 | color: var(--sidebar-fg) !important; 37 | } 38 | .pagetoc .active { 39 | background: var(--sidebar-bg); 40 | color: var(--sidebar-fg); 41 | } 42 | .pagetoc .pagetoc-H2 { 43 | padding-left: 20px; 44 | } 45 | .pagetoc .pagetoc-H3 { 46 | padding-left: 40px; 47 | } 48 | .pagetoc .pagetoc-H4 { 49 | padding-left: 60px; 50 | } 51 | .pagetoc .pagetoc-H5 { 52 | display: none; 53 | } 54 | .pagetoc .pagetoc-H6 { 55 | display: none; 56 | } 57 | } 58 | -------------------------------------------------------------------------------- /docs/theme/pagetoc.js: -------------------------------------------------------------------------------- 1 | // Un-active everything when 
you click it. NOTE(review): addEventHandler is not a DOM method (EventTarget exposes addEventListener), and the .pagetoc links are only appended in the load handler below, so this top-level loop normally finds no children and no click handler is ever attached; the load/scroll handler is what marks entries active. 2 | Array.prototype.forEach.call(document.getElementsByClassName("pagetoc")[0].children, function(el) { 3 | el.addEventHandler("click", function() { 4 | Array.prototype.forEach.call(document.getElementsByClassName("pagetoc")[0].children, function(el) { 5 | el.classList.remove("active"); 6 | }); 7 | el.classList.add("active"); 8 | }); 9 | }); 10 | 11 | var updateFunction = function() { 12 | 13 | var id; 14 | var elements = document.getElementsByClassName("header"); 15 | Array.prototype.forEach.call(elements, function(el) { 16 | if (window.pageYOffset >= el.offsetTop) { 17 | id = el; 18 | } 19 | }); 20 | 21 | Array.prototype.forEach.call(document.getElementsByClassName("pagetoc")[0].children, function(el) { 22 | el.classList.remove("active"); 23 | }); 24 | if (!id) return; 25 | Array.prototype.forEach.call(document.getElementsByClassName("pagetoc")[0].children, function(el) { 26 | if (id.href.localeCompare(el.href) == 0) { 27 | el.classList.add("active"); 28 | } 29 | }); 30 | }; 31 | 32 | // Populate sidebar on load 33 | window.addEventListener('load', function() { 34 | var pagetoc = document.getElementsByClassName("pagetoc")[0]; 35 | var elements = document.getElementsByClassName("header"); 36 | Array.prototype.forEach.call(elements, function (el) { 37 | var link = document.createElement("a"); 38 | link.appendChild(document.createTextNode(el.text)); 39 | link.href = el.href; 40 | link.classList.add("pagetoc-" + el.parentElement.tagName); 41 | pagetoc.appendChild(link); 42 | }); 43 | updateFunction.call(); 44 | }); 45 | 46 | 47 | 48 | // Handle active elements on scroll 49 | window.addEventListener("scroll", updateFunction); 50 | -------------------------------------------------------------------------------- /examples/bastion/vars-bastion.auto.tfvars: -------------------------------------------------------------------------------- 1 | # Copyright 2017, 2023 Oracle Corporation and/or affiliates. 
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl 3 | 4 | create_bastion = true # *true/false 5 | bastion_allowed_cidrs = [] # e.g. ["0.0.0.0/0"] to allow traffic from all sources; for a public bastion, prefer listing only known administrative source ranges 6 | bastion_availability_domain = null # Defaults to first available 7 | bastion_image_id = null # Ignored when bastion_image_type = "platform" 8 | bastion_image_os = "Oracle Linux" # Ignored when bastion_image_type = "custom" 9 | bastion_image_os_version = "8" # Ignored when bastion_image_type = "custom" 10 | bastion_image_type = "platform" # platform/custom 11 | bastion_nsg_ids = [] # Combined with created NSG when enabled in var.nsgs 12 | bastion_public_ip = null # Ignored when create_bastion = true 13 | bastion_type = "public" # *public/private 14 | bastion_upgrade = false # true/*false 15 | bastion_user = "opc" 16 | 17 | bastion_shape = { 18 | shape = "VM.Standard.E4.Flex", 19 | ocpus = 1, 20 | memory = 4, 21 | boot_volume_size = 50 22 | } 23 | -------------------------------------------------------------------------------- /examples/cluster-addons/vars-cluster-addons.auto.tfvars: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2017, 2024 Oracle Corporation and/or its affiliates. 2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl 3 | 4 | cluster_addons = { 5 | "CertManager" = { 6 | remove_addon_resources_on_delete = true 7 | override_existing = true # Default is false if not specified 8 | # The list of supported configurations for the cluster addons is here: https://docs.oracle.com/en-us/iaas/Content/ContEng/Tasks/contengconfiguringclusteraddons-configurationarguments.htm#contengconfiguringclusteraddons-configurationarguments_CertificateManager 9 | configurations = [ 10 | { 11 | key = "numOfReplicas" 12 | value = "1" 13 | } 14 | ] 15 | } 16 | # The NvidiaGpuPlugin is disabled by default. 
To enable it, add the following block to the cluster_addons variable 17 | "NvidiaGpuPlugin" = { 18 | remove_addon_resources_on_delete = true 19 | }, 20 | # Prevent Flannel pods from being scheduled by using a non-existent label as the nodeSelector 21 | "Flannel" = { 22 | remove_addon_resources_on_delete = true 23 | override_existing = true # Override the existing configuration with this one if the Flannel addon is already enabled 24 | configurations = [ 25 | { 26 | key = "nodeSelectors" 27 | value = "{\"addon\":\"no-schedule\"}" 28 | } 29 | ], 30 | }, 31 | # Prevent Kube-Proxy pods from being scheduled by using a non-existent label as the nodeSelector 32 | "KubeProxy" = { 33 | remove_addon_resources_on_delete = true 34 | override_existing = true # Override the existing configuration with this one if the KubeProxy addon is already enabled 35 | configurations = [ 36 | { 37 | key = "nodeSelectors" 38 | value = "{\"addon\":\"no-schedule\"}" 39 | } 40 | ], 41 | } 42 | } 43 | 44 | cluster_addons_to_remove = { 45 | Flannel = { 46 | remove_k8s_resources = true 47 | } 48 | } -------------------------------------------------------------------------------- /examples/cluster/vars-cluster-basic.auto.tfvars: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2017, 2025 Oracle Corporation and/or its affiliates. 2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl 3 | 4 | cluster_name = "oke-example" 5 | kubernetes_version = "v1.32.1" 6 | -------------------------------------------------------------------------------- /examples/cluster/vars-cluster-enhanced.auto.tfvars: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2017, 2025 Oracle Corporation and/or its affiliates. 
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl 3 | 4 | create_cluster = true // *true/false 5 | cluster_dns = null 6 | cluster_kms_key_id = null 7 | cluster_name = "oke" 8 | cluster_type = "enhanced" // *basic/enhanced 9 | cni_type = "flannel" // *flannel/npn 10 | assign_public_ip_to_control_plane = true // true/*false 11 | image_signing_keys = [] 12 | kubernetes_version = "v1.32.1" 13 | pods_cidr = "10.244.0.0/16" 14 | services_cidr = "10.96.0.0/16" 15 | use_signed_images = false // true/*false 16 | enable_ipv6 = false //true/*false 17 | -------------------------------------------------------------------------------- /examples/cluster/vars-cluster-oidc-auth-multiple.auto.tfvars: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2017, 2025 Oracle Corporation and/or its affiliates. 2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl 3 | 4 | create_cluster = true // *true/false 5 | cluster_dns = null 6 | cluster_kms_key_id = null 7 | cluster_name = "oke" 8 | cluster_type = "enhanced" // *basic/enhanced 9 | cni_type = "flannel" // *flannel/npn 10 | assign_public_ip_to_control_plane = true // true/*false 11 | image_signing_keys = [] 12 | kubernetes_version = "v1.32.1" 13 | pods_cidr = "10.244.0.0/16" 14 | services_cidr = "10.96.0.0/16" 15 | use_signed_images = false // true/*false 16 | 17 | # Enable OIDC token authentication for Github Actions using API server configuration file 18 | open_id_connect_token_auth_enabled = true 19 | open_id_connect_token_authentication_config = { 20 | configuration_file = base64encode(yamlencode( 21 | { 22 | "apiVersion" = "apiserver.config.k8s.io/v1beta1" 23 | "kind" = "AuthenticationConfiguration" 24 | "jwt" = [ 25 | { 26 | "issuer" = { 27 | "url" = "https://token.actions.githubusercontent.com", 28 | "audiences" = [ 29 | "oke-kubernetes-cluster" # Must match the audience 
in the GitHub Actions workflow. 30 | ], 31 | "audienceMatchPolicy" = "MatchAny" 32 | } 33 | "claimMappings" = { 34 | "username" = { 35 | "claim" = "sub" 36 | "prefix" = "" 37 | } 38 | } 39 | "claimValidationRules" = [ 40 | { 41 | "claim" = "repository" 42 | "requiredValue" = "GITHUB_ACCOUNT/GITHUB_REPOSITORY" 43 | }, 44 | { 45 | "claim" = "workflow" 46 | "requiredValue" = "oke-oidc" # Must match the workflow name. 47 | }, 48 | { 49 | "claim" = "ref" 50 | "requiredValue" = "refs/heads/main" 51 | }, 52 | ] 53 | } 54 | ] 55 | } 56 | )) 57 | } 58 | -------------------------------------------------------------------------------- /examples/cluster/vars-cluster-oidc-auth-single.auto.tfvars: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2017, 2025 Oracle Corporation and/or its affiliates. 2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl 3 | 4 | create_cluster = true // *true/false 5 | cluster_dns = null 6 | cluster_kms_key_id = null 7 | cluster_name = "oke" 8 | cluster_type = "enhanced" // *basic/enhanced 9 | cni_type = "flannel" // *flannel/npn 10 | assign_public_ip_to_control_plane = true // true/*false 11 | image_signing_keys = [] 12 | kubernetes_version = "v1.32.1" 13 | pods_cidr = "10.244.0.0/16" 14 | services_cidr = "10.96.0.0/16" 15 | use_signed_images = false // true/*false 16 | 17 | # Enable OIDC token authentication for Github Actions using API server flags 18 | oidc_token_auth_enabled = true 19 | oidc_token_authentication_config = { 20 | client_id = "oke-kubernetes-cluster" # Must match the audience in the GitHub Actions workflow. 21 | issuer_url = "https://token.actions.githubusercontent.com", 22 | username_claim = "sub" 23 | required_claims = [ 24 | { 25 | key = "repository", 26 | value = "GITHUB_ACCOUNT/GITHUB_REPOSITORY" 27 | }, 28 | { 29 | key = "workflow", 30 | value = "oke-oidc" # Must match the workflow name. 
31 | }, 32 | { 33 | key = "ref" 34 | value = "refs/heads/main" 35 | } 36 | ], 37 | } 38 | 39 | -------------------------------------------------------------------------------- /examples/cluster/vars-cluster-oidc-discovery.auto.tfvars: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2017, 2025 Oracle Corporation and/or its affiliates. 2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl 3 | 4 | create_cluster = true // *true/false 5 | cluster_dns = null 6 | cluster_kms_key_id = null 7 | cluster_name = "oke" 8 | cluster_type = "enhanced" // *basic/enhanced 9 | cni_type = "flannel" // *flannel/npn 10 | assign_public_ip_to_control_plane = true // true/*false 11 | image_signing_keys = [] 12 | kubernetes_version = "v1.32.1" 13 | pods_cidr = "10.244.0.0/16" 14 | services_cidr = "10.96.0.0/16" 15 | use_signed_images = false // true/*false 16 | 17 | # Enable OIDC discovery 18 | oidc_discovery_enabled = true 19 | -------------------------------------------------------------------------------- /examples/extensions/vars-extensions-calico.auto.tfvars: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2017, 2023 Oracle Corporation and/or its affiliates. 
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl 3 | 4 | calico_install = true 5 | calico_version = "3.24.1" 6 | calico_mode = "policy-only" 7 | calico_mtu = 0 // determined automatically by default 8 | calico_url = "" // determined automatically by default 9 | calico_apiserver_install = false 10 | calico_typha_install = false 11 | calico_typha_replicas = 0 12 | calico_staging_dir = "/tmp/calico_install" 13 | -------------------------------------------------------------------------------- /examples/extensions/vars-extensions-cilium.auto.tfvars: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2017, 2024 Oracle Corporation and/or its affiliates. 2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl 3 | 4 | cilium_install = true 5 | cilium_reapply = false 6 | cilium_namespace = "kube-system" 7 | cilium_helm_version = "1.16.3" 8 | cilium_helm_values = {} 9 | cilium_helm_values_files = [] 10 | -------------------------------------------------------------------------------- /examples/extensions/vars-extensions-cluster-autoscaler.auto.tfvars: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2017, 2023 Oracle Corporation and/or its affiliates. 
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl 3 | 4 | cluster_autoscaler_install = true 5 | cluster_autoscaler_namespace = "kube-system" 6 | cluster_autoscaler_helm_version = "9.24.0" 7 | cluster_autoscaler_helm_values = {} 8 | cluster_autoscaler_helm_values_files = [] 9 | -------------------------------------------------------------------------------- /examples/extensions/vars-extensions-dcgm-exporter.auto.tfvars: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2017, 2023 Oracle Corporation and/or its affiliates. 2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl 3 | 4 | dcgm_exporter_install = true 5 | dcgm_exporter_reapply = false 6 | dcgm_exporter_namespace = "metrics" 7 | dcgm_exporter_helm_version = "3.1.5" 8 | dcgm_exporter_helm_values = {} 9 | dcgm_exporter_helm_values_files = [] 10 | -------------------------------------------------------------------------------- /examples/extensions/vars-extensions-gatekeeper.auto.tfvars: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2017, 2023 Oracle Corporation and/or its affiliates. 2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl 3 | 4 | gatekeeper_install = true 5 | gatekeeper_namespace = "kube-system" 6 | gatekeeper_helm_version = "3.11.0" 7 | gatekeeper_helm_values = {} 8 | gatekeeper_helm_values_files = [] 9 | -------------------------------------------------------------------------------- /examples/extensions/vars-extensions-metrics-server.auto.tfvars: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2023 Oracle Corporation and/or its affiliates. 
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl 3 | 4 | metrics_server_install = true 5 | metrics_server_namespace = "metrics" 6 | metrics_server_daemonset_url = null // determined automatically for version by default 7 | metrics_server_version = "master" 8 | -------------------------------------------------------------------------------- /examples/extensions/vars-extensions-mpi-operator.auto.tfvars: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2023 Oracle Corporation and/or its affiliates. 2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl 3 | 4 | mpi_operator_install = true 5 | mpi_operator_namespace = "default" 6 | mpi_operator_deployment = null // determined automatically for version by default 7 | mpi_operator_version = "0.4.0" 8 | -------------------------------------------------------------------------------- /examples/extensions/vars-extensions-multus.auto.tfvars: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2023 Oracle Corporation and/or its affiliates. 2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl 3 | 4 | multus_install = true 5 | multus_namespace = "network" 6 | multus_daemonset_url = null // determined automatically for version by default 7 | multus_version = "3.9.3" 8 | -------------------------------------------------------------------------------- /examples/extensions/vars-extensions-prometheus.auto.tfvars: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2017, 2023 Oracle Corporation and/or its affiliates. 
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl 3 | 4 | prometheus_install = true 5 | prometheus_reapply = false 6 | prometheus_namespace = "metrics" 7 | prometheus_helm_version = "45.2.0" 8 | prometheus_helm_values = {} 9 | prometheus_helm_values_files = [] 10 | -------------------------------------------------------------------------------- /examples/extensions/vars-extensions-rdma-cni.auto.tfvars: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2017, 2023 Oracle Corporation and/or its affiliates. 2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl 3 | 4 | rdma_cni_plugin_install = true 5 | rdma_cni_plugin_namespace = "network" 6 | rdma_cni_plugin_daemonset_url = null // determined automatically for version by default 7 | rdma_cni_plugin_version = "master" 8 | -------------------------------------------------------------------------------- /examples/extensions/vars-extensions-service-account.auto.tfvars: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2024 Oracle Corporation and/or its affiliates. 2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl 3 | 4 | create_service_account = true 5 | service_accounts = { 6 | # Example to create a cluster role binding using a cluster role. cluster-admin is used here for illustration only; in practice bind the least-privileged role the workload needs. 7 | example_cluster_role_binding = { 8 | sa_name = "sa1" 9 | sa_namespace = "kube-system" 10 | sa_cluster_role = "cluster-admin" 11 | sa_cluster_role_binding = "sa1-crb" 12 | } 13 | # Example to create a role binding using a cluster role. 14 | example_role_binding = { 15 | sa_name = "sa2" 16 | sa_namespace = "default" 17 | sa_cluster_role = "cluster-admin" 18 | sa_role_binding = "sa1-rb" 19 | } 20 | # Example to create a role binding using a role; the role must already exist within the namespace. Keys in service_accounts must be unique, so each example needs its own key. 
21 | example_role_binding = { 22 | sa_name = "sa3" 23 | sa_namespace = "kube-system" 24 | sa_role = "system:controller:token-cleaner" 25 | sa_role_binding = "sa3-rb" 26 | } 27 | } -------------------------------------------------------------------------------- /examples/extensions/vars-extensions-sriov-cni.auto.tfvars: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2017, 2023 Oracle Corporation and/or its affiliates. 2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl 3 | 4 | sriov_cni_plugin_install = true 5 | sriov_cni_plugin_namespace = "network" 6 | sriov_cni_plugin_daemonset_url = null // determined automatically for version by default 7 | sriov_cni_plugin_version = "master" 8 | -------------------------------------------------------------------------------- /examples/extensions/vars-extensions-sriov-device.auto.tfvars: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2023 Oracle Corporation and/or its affiliates. 2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl 3 | 4 | sriov_device_plugin_install = true 5 | sriov_device_plugin_namespace = "network" 6 | sriov_device_plugin_daemonset_url = null // determined automatically for version by default 7 | sriov_device_plugin_version = "master" 8 | -------------------------------------------------------------------------------- /examples/extensions/vars-extensions-whereabouts.auto.tfvars: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2023 Oracle Corporation and/or its affiliates. 
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl 3 | 4 | whereabouts_install = true 5 | whereabouts_namespace = "network" 6 | whereabouts_daemonset_url = null // determined automatically for version by default 7 | whereabouts_version = "master" 8 | -------------------------------------------------------------------------------- /examples/iam/vars-iam-policies.auto.tfvars: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2017, 2023 Oracle Corporation and/or its affiliates. 2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl 3 | 4 | create_iam_autoscaler_policy = "auto" // never/*auto/always 5 | create_iam_kms_policy = "auto" // never/*auto/always 6 | create_iam_operator_policy = "auto" // never/*auto/always 7 | create_iam_worker_policy = "auto" // never/*auto/always 8 | -------------------------------------------------------------------------------- /examples/iam/vars-iam-tags.auto.tfvars: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2017, 2023 Oracle Corporation and/or its affiliates. 
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl 3 | 4 | create_iam_tag_namespace = false // true/*false 5 | create_iam_defined_tags = false // true/*false 6 | tag_namespace = "oke" 7 | use_defined_tags = false // true/*false 8 | -------------------------------------------------------------------------------- /examples/istio-mc/docs/assets/multi-primary multi-networks.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/oracle-terraform-modules/terraform-oci-oke/1d24463695e7f6cc2e4a09882b55581bd1e69946/examples/istio-mc/docs/assets/multi-primary multi-networks.png -------------------------------------------------------------------------------- /examples/istio-mc/istio.tf: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2024 Oracle Corporation and/or its affiliates. 2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl 3 | 4 | locals { 5 | istio_c1 = templatefile("${path.module}/resources/istio.template.yaml", 6 | { 7 | mesh_id = var.istio_mesh_id 8 | cluster = "c1" 9 | mesh_network = "c1" 10 | pub_nsg_id = one(element([module.c1[*].pub_lb_nsg_id], 0)) 11 | int_lb_subnet_id = one(element([module.c1[*].int_lb_subnet_id], 0)) 12 | int_nsg_id = one(element([module.c1[*].int_lb_nsg_id], 0)) 13 | } 14 | ) 15 | 16 | istio_c2 = templatefile("${path.module}/resources/istio.template.yaml", 17 | { 18 | mesh_id = var.istio_mesh_id 19 | cluster = "c2" 20 | mesh_network = "c2" 21 | pub_nsg_id = one(element([module.c2[*].pub_lb_nsg_id], 0)) 22 | int_lb_subnet_id = one(element([module.c2[*].int_lb_subnet_id], 0)) 23 | int_nsg_id = one(element([module.c2[*].int_lb_nsg_id], 0)) 24 | } 25 | ) 26 | } 27 | 28 | resource "null_resource" "istio" { 29 | depends_on = [module.c1, module.c2] 30 | 31 | connection { 32 | host = local.operator_ip 33 | private_key = 
file(var.ssh_private_key_path)
    timeout     = "40m"
    type        = "ssh"
    user        = "opc"

    # Reached through the bastion; the same local key file is used for both hops.
    bastion_host        = local.bastion_ip
    bastion_user        = "opc"
    bastion_private_key = file(var.ssh_private_key_path)
    # NOTE(review): neither host_key nor bastion_host_key is set, so the provisioner does not
    # verify the SSH host keys of the bastion or the operator host and the upload relies on the
    # network path alone. If the instances' host keys are available to the example, set them here; confirm.
  }

  # Upload the two rendered Istio manifests (local.istio_c1 / local.istio_c2) to the operator host.
  # NOTE(review): this null_resource declares no triggers, so the uploads happen once on create and a
  # later change to the rendered templates will not re-upload them — confirm that is intended.
  provisioner "file" {
    content     = local.istio_c1
    destination = "/home/opc/c1.yaml"
  }

  provisioner "file" {
    content     = local.istio_c2
    destination = "/home/opc/c2.yaml"
  }
}
--------------------------------------------------------------------------------
/examples/istio-mc/outputs.tf:
--------------------------------------------------------------------------------
# Copyright (c) 2024 Oracle Corporation and/or its affiliates.
# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl

# Only c1's operator is exposed; c2 has no operator output in this example.
output "ssh_to_operator" {
  description = "convenient command to ssh to the Admin operator host"
  value       = one(element([module.c1[*].ssh_to_operator], 0))
}
--------------------------------------------------------------------------------
/examples/istio-mc/providers.tf:
--------------------------------------------------------------------------------
# Copyright (c) 2024 Oracle Corporation and/or its affiliates.
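# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl

# Three aliased oci providers for the multi-cluster example: "home" for tenancy-level resources,
# "c1"/"c2" for the per-cluster regions. All three share one API key. local.regions is defined
# elsewhere in the example and is assumed to map the short region names used in var.clusters
# to OCI region identifiers — confirm against the locals.
provider "oci" {
  fingerprint      = var.api_fingerprint
  private_key_path = var.api_private_key_path
  region           = lookup(local.regions, var.home_region)
  tenancy_ocid     = var.tenancy_id
  user_ocid        = var.user_id
  alias            = "home"
  # Tags the platform writes on create; ignored so they do not show up as drift.
  ignore_defined_tags = ["Oracle-Tags.CreatedBy", "Oracle-Tags.CreatedOn"]
}

provider "oci" {
  fingerprint      = var.api_fingerprint
  private_key_path = var.api_private_key_path
  region           = lookup(local.regions, lookup(lookup(var.clusters, "c1"), "region"))
  tenancy_ocid     = var.tenancy_id
  user_ocid        = var.user_id
  alias            = "c1"
  ignore_defined_tags = ["Oracle-Tags.CreatedBy", "Oracle-Tags.CreatedOn"]
}

provider "oci" {
  fingerprint      = var.api_fingerprint
  private_key_path = var.api_private_key_path
  region           = lookup(local.regions, lookup(lookup(var.clusters, "c2"), "region"))
  tenancy_ocid     = var.tenancy_id
  user_ocid        = var.user_id
  alias            = "c2"
  ignore_defined_tags = ["Oracle-Tags.CreatedBy", "Oracle-Tags.CreatedOn"]
}
--------------------------------------------------------------------------------
/examples/istio-mc/scripts/cloud-init.sh:
--------------------------------------------------------------------------------
#!/bin/sh
# Worker-node cloud-init for the istio-mc example: load a set of netfilter/iptables kernel modules
# (presumably the ones Istio's sidecar traffic redirection needs), grow the boot volume, then run
# the OKE node-init script served by the instance metadata service and mark the node done.

modprobe br_netfilter
modprobe nf_nat
modprobe xt_REDIRECT
modprobe xt_owner
modprobe iptable_nat
modprobe iptable_mangle
modprobe iptable_filter

/usr/libexec/oci-growfs -y

timedatectl set-timezone Australia/Sydney

# Fetch the OKE init script from IMDS (the v2 endpoint requires the "Authorization: Bearer Oracle"
# header). The original wrapped this whole pipeline in single quotes, which makes the shell look
# for a command literally named "curl --fail ... >/var/run/oke-init.sh": the download never ran,
# an empty script was "executed" and the node was marked done without ever joining the cluster.
# Abort — and do not touch oke.done — if the fetch fails.
curl --fail -H "Authorization: Bearer Oracle" -L0 http://169.254.169.254/opc/v2/instance/metadata/oke_init_script -o /var/run/oke-init.b64 || {
  echo "cloud-init: failed to fetch oke_init_script from instance metadata" >&2
  exit 1
}
base64 --decode /var/run/oke-init.b64 >/var/run/oke-init.sh

bash -x /var/run/oke-init.sh

touch /var/log/oke.done
--------------------------------------------------------------------------------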
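/examples/istio-mc/scripts/generate_kubeconfig.template.sh:
--------------------------------------------------------------------------------
#!/usr/bin/bash
# Copyright (c) 2023 Oracle Corporation and/or its affiliates.
# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl

# Rendered by templatefile() in templates.tf: ${cluster_id}, ${region} and ${endpoint} are filled in
# by Terraform, while $HOME has no braces, survives templating and is expanded by the shell on the
# operator host. Merges this cluster's entry (token-version 2.0.0 auth) into the user's kubeconfig.
oci ce cluster create-kubeconfig --cluster-id ${cluster_id} --file "$HOME/.kube/config" --region ${region} --token-version 2.0.0 --kube-endpoint ${endpoint}
--------------------------------------------------------------------------------
/examples/istio-mc/scripts/istioctl.template.sh:
--------------------------------------------------------------------------------
#!/usr/bin/bash
# Copyright (c) 2024 Oracle Corporation and/or its affiliates.
# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl

# ${version} is rendered by Terraform from var.istio_version (templates.tf).
echo "Installing istioctl"
# The original line read `curl -L curl -L https://istio.io/downloadIstio`, which asks curl to fetch a
# URL literally named "curl" (which cannot resolve) before the real one. --fail keeps an HTTP error
# page from being piped into sh. The installer is still executed as downloaded, without any
# integrity check, so ISTIO_VERSION is the only thing pinning what gets installed; TARGET_ARCH is
# hard-coded to x86_64 (the example's VM.Standard.E4.Flex nodes are x86).
curl --fail -sSL https://istio.io/downloadIstio | ISTIO_VERSION=${version} TARGET_ARCH=x86_64 sh -
--------------------------------------------------------------------------------
/examples/istio-mc/scripts/kubeconfig_set_credentials.template.sh:
--------------------------------------------------------------------------------
#!/usr/bin/bash
# Copyright (c) 2023 Oracle Corporation and/or its affiliates.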
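# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl

# Rendered by templatefile() from templates.tf with cluster_id, cluster_id_11 (the last 11 characters
# of the cluster OCID, used to make the user name unique) and region. Registers an exec credential
# plugin: kubectl will run token_helper.sh with exactly these arguments, so the --exec-arg order here
# and the positional parameters read in token_helper.template.sh must be kept in step.
kubectl config set-credentials "user-${cluster_id_11}" --exec-command="$HOME/bin/token_helper.sh" \
  --exec-arg="ce" \
  --exec-arg="cluster" \
  --exec-arg="generate-token" \
  --exec-arg="--cluster-id" \
  --exec-arg="${cluster_id}" \
  --exec-arg="--region" \
  --exec-arg="${region}"
--------------------------------------------------------------------------------
/examples/istio-mc/scripts/set_alias.template.sh:
--------------------------------------------------------------------------------
#!/usr/bin/bash
# Copyright (c) 2023 Oracle Corporation and/or its affiliates.
# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl

# Short kubectx alias (the cluster key, c1/c2) for the kubeconfig context, which is presumably
# named "context-" plus the same 11-character OCID suffix by create-kubeconfig.
kubectx ${cluster}=context-${cluster_id_11}
--------------------------------------------------------------------------------
/examples/istio-mc/scripts/token_helper.template.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Copyright 2024 Oracle Corporation and/or affiliates.
# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl

# kubectl exec credential helper with a short on-disk cache.
# Rendered with templatefile(..., {}), so no dollar-brace interpolation sequence may appear in this file.
# kubectl invokes it with the --exec-arg list from kubeconfig_set_credentials.template.sh:
#   ce cluster generate-token --cluster-id <id> --region <region>
# hence $5 is the cluster OCID and $7 the region.
CLUSTER=$5
REGION=$7

TOKEN_FILE="$HOME/.kube/TOKEN-$CLUSTER"

# Re-generate when there is no cached token or it is older than 240s. 240s is assumed to be below
# the lifetime of the token oci returns — confirm against the OKE token expiry.
if ! test -f "$TOKEN_FILE" || test $(( $(date +%s) - $(stat -L -c %Y "$TOKEN_FILE") )) -gt 240; then
  # The file holds a bearer token for the cluster: create it owner-only. The original used
  # umask 022, which left the token world-readable to every local account on the operator host.
  umask 077
  # Write to a temp file and rename it into place only on success, so a failed oci call cannot
  # leave an empty but fresh-looking cache that is then served for the next 240s. The rename also
  # replaces any earlier world-readable copy of the file.
  TMP_FILE=$(mktemp "$TOKEN_FILE.XXXXXX") || exit 1
  if oci ce cluster generate-token --cluster-id "$CLUSTER" --region "$REGION" > "$TMP_FILE"; then
    mv -f "$TMP_FILE" "$TOKEN_FILE"
  else
    rm -f "$TMP_FILE"
    exit 1
  fi
fi

cat "$TOKEN_FILE"
--------------------------------------------------------------------------------
/examples/istio-mc/templates.tf:
--------------------------------------------------------------------------------
# Copyright (c) 2024 Oracle Corporation and/or its affiliates.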
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl 3 | 4 | locals { 5 | 6 | all_cluster_ids = merge( 7 | { c1 = one(element([module.c1[*].cluster_id], 0)) }, 8 | { c2 = one(element([module.c2[*].cluster_id], 0)) } 9 | ) 10 | 11 | kubeconfig_templates = { 12 | for cluster_name, cluster_id in local.all_cluster_ids : 13 | cluster_name => templatefile("${path.module}/scripts/generate_kubeconfig.template.sh", 14 | { 15 | cluster_id = cluster_id 16 | endpoint = var.oke_control_plane == "public" ? "PUBLIC_ENDPOINT" : "PRIVATE_ENDPOINT" 17 | region = lookup(local.regions, lookup(lookup(var.clusters, cluster_name), "region")) 18 | } 19 | ) 20 | } 21 | 22 | set_credentials_templates = { 23 | for cluster_name, cluster_id in local.all_cluster_ids : 24 | cluster_name => templatefile("${path.module}/scripts/kubeconfig_set_credentials.template.sh", 25 | { 26 | cluster_id = cluster_id 27 | cluster_id_11 = substr(cluster_id, (length(cluster_id) - 11), length(cluster_id)) 28 | region = lookup(local.regions, lookup(lookup(var.clusters, cluster_name), "region")) 29 | } 30 | ) 31 | } 32 | 33 | set_alias_templates = { 34 | for cluster_name, cluster_id in local.all_cluster_ids : 35 | cluster_name => templatefile("${path.module}/scripts/set_alias.template.sh", 36 | { 37 | cluster = cluster_name 38 | cluster_id_11 = substr(cluster_id, (length(cluster_id) - 11), length(cluster_id)) 39 | } 40 | ) 41 | } 42 | 43 | token_helper_template = templatefile("${path.module}/scripts/token_helper.template.sh", {}) 44 | 45 | istioctl_template = templatefile("${path.module}/scripts/istioctl.template.sh", { 46 | version = var.istio_version 47 | }) 48 | } 49 | -------------------------------------------------------------------------------- /examples/istio-mc/terraform.tfvars.example: -------------------------------------------------------------------------------- 1 | # provider 2 | api_fingerprint = "" 3 | 4 | api_private_key_path = 
"~/.oci/oci_rsa.pem" 5 | 6 | home_region = "ashburn" # Use short form e.g. ashburn from location column https://docs.oracle.com/en-us/iaas/Content/General/Concepts/regions.htm 7 | 8 | tenancy_id = "ocid1.tenancy.oc1.." 9 | 10 | user_id = "ocid1.user.oc1.." 11 | 12 | compartment_id = "ocid1.compartment.oc1.." 13 | 14 | # ssh 15 | ssh_private_key_path = "~/.ssh/id_rsa" 16 | ssh_public_key_path = "~/.ssh/id_rsa.pub" 17 | 18 | # clusters 19 | ## For regions, # Use short form e.g. ashburn from location column https://docs.oracle.com/en-us/iaas/Content/General/Concepts/regions.htm 20 | ## VCN, Pods and services clusters must not overlap with each other and with those of other clusters. 21 | clusters = { 22 | c1 = { region = "sydney", vcn = "10.1.0.0/16", pods = "10.201.0.0/16", services = "10.101.0.0/16", enabled = true } 23 | c2 = { region = "melbourne", vcn = "10.2.0.0/16", pods = "10.202.0.0/16", services = "10.102.0.0/16", enabled = true } 24 | } 25 | 26 | kubernetes_version = "v1.32.1" 27 | 28 | cluster_type = "basic" 29 | 30 | oke_control_plane = "private" 31 | 32 | nodepools = { 33 | np1 = { 34 | shape = "VM.Standard.E4.Flex", 35 | ocpus = 2, 36 | memory = 64, 37 | size = 2, 38 | boot_volume_size = 150, 39 | } 40 | } 41 | -------------------------------------------------------------------------------- /examples/istio-mc/versions.tf: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2024 Oracle Corporation and/or its affiliates. 
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl 3 | 4 | #Terraform and provider version to use 5 | terraform { 6 | required_providers { 7 | oci = { 8 | source = "oracle/oci" 9 | } 10 | } 11 | required_version = ">= 1.0.0" 12 | } 13 | -------------------------------------------------------------------------------- /examples/network/vars-network-drg-create.auto.tfvars.example: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2017, 2024 Oracle Corporation and/or its affiliates. 2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl 3 | 4 | # to reuse an existing drg, set to false 5 | create_drg = true 6 | 7 | drg_display_name = "drg" 8 | 9 | # to reuse an existing drg, provide the drg ocid 10 | drg_id = null 11 | 12 | # 13 | remote_peering_connections = { 14 | # unpeered rpc 15 | rpc1 = {} 16 | 17 | # peered rpc 18 | rpc2 : { 19 | "rpc_acceptor_id" : "ocid1.remotepeeringconnection.oc1.aaaaaa" 20 | "rpc_acceptor_region" : "us-ashburn-1" 21 | } 22 | } -------------------------------------------------------------------------------- /examples/network/vars-network-nsgs-create.auto.tfvars: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2017, 2023 Oracle Corporation and/or its affiliates. 2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl 3 | 4 | nsgs = { 5 | bastion = {} 6 | operator = {} 7 | cp = {} 8 | int_lb = {} 9 | pub_lb = {} 10 | workers = {} 11 | pods = {} 12 | } 13 | -------------------------------------------------------------------------------- /examples/network/vars-network-nsgs-existing.auto.tfvars: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2023 Oracle Corporation and/or its affiliates. 
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl 3 | 4 | nsgs = { 5 | bastion = { id = "ocid1.networksecuritygroup..." } 6 | operator = { id = "ocid1.networksecuritygroup..." } 7 | cp = { id = "ocid1.networksecuritygroup..." } 8 | int_lb = { id = "ocid1.networksecuritygroup..." } 9 | pub_lb = { id = "ocid1.networksecuritygroup..." } 10 | workers = { id = "ocid1.networksecuritygroup..." } 11 | pods = { id = "ocid1.networksecuritygroup..." } 12 | } 13 | -------------------------------------------------------------------------------- /examples/network/vars-network-subnets-create-cidr-ipv4-and-ipv6.tfvars: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2017, 2023 Oracle Corporation and/or its affiliates. 2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl 3 | 4 | subnets = { 5 | bastion = { cidr = "10.0.0.0/29", ipv6_cidr = "8, 0" } 6 | operator = { cidr = "10.0.0.64/29", ipv6_cidr = "8, 1" } 7 | cp = { cidr = "10.0.0.8/29", ipv6_cidr = "8, 2" } 8 | int_lb = { cidr = "10.0.0.32/27", ipv6_cidr = "8, 3" } 9 | pub_lb = { cidr = "10.0.128.0/27", ipv6_cidr = "8, 4" } 10 | workers = { cidr = "10.0.144.0/20", ipv6_cidr = "2603:c020:8010:f002::/64" } 11 | pods = { cidr = "10.0.64.0/18", ipv6_cidr = "2603:c020:8010:f003::/64" } 12 | } 13 | -------------------------------------------------------------------------------- /examples/network/vars-network-subnets-create-cidr.auto.tfvars: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2017, 2023 Oracle Corporation and/or its affiliates. 
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl 3 | 4 | subnets = { 5 | bastion = { cidr = "10.0.0.0/29" } 6 | operator = { cidr = "10.0.0.64/29" } 7 | cp = { cidr = "10.0.0.8/29" } 8 | int_lb = { cidr = "10.0.0.32/27" } 9 | pub_lb = { cidr = "10.0.128.0/27" } 10 | workers = { cidr = "10.0.144.0/20" } 11 | pods = { cidr = "10.0.64.0/18" } 12 | } 13 | -------------------------------------------------------------------------------- /examples/network/vars-network-subnets-create-force.auto.tfvars: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2017, 2023 Oracle Corporation and/or its affiliates. 2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl 3 | 4 | subnets = { 5 | bastion = { 6 | create = "always", 7 | netnum = 0, 8 | newbits = 13 9 | } 10 | 11 | operator = { 12 | create = "always", 13 | netnum = 1, 14 | newbits = 13 15 | } 16 | 17 | cp = { 18 | create = "always", 19 | netnum = 2, 20 | newbits = 13 21 | } 22 | 23 | int_lb = { 24 | create = "always", 25 | netnum = 16, 26 | newbits = 11 27 | } 28 | 29 | pub_lb = { 30 | create = "always", 31 | netnum = 17, 32 | newbits = 11 33 | } 34 | 35 | workers = { 36 | create = "always", 37 | netnum = 1, 38 | newbits = 2 39 | } 40 | } 41 | -------------------------------------------------------------------------------- /examples/network/vars-network-subnets-create.auto.tfvars: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2017, 2023 Oracle Corporation and/or its affiliates. 
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl 3 | 4 | subnets = { 5 | bastion = { newbits = 13 } 6 | operator = { newbits = 13 } 7 | cp = { newbits = 13 } 8 | int_lb = { newbits = 11 } 9 | pub_lb = { newbits = 11 } 10 | workers = { newbits = 2 } 11 | pods = { newbits = 2 } 12 | } 13 | -------------------------------------------------------------------------------- /examples/network/vars-network-subnets-existing.auto.tfvars: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2017, 2023 Oracle Corporation and/or its affiliates. 2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl 3 | 4 | subnets = { 5 | operator = { id = "ocid1.subnet..." } 6 | cp = { id = "ocid1.subnet..." } 7 | int_lb = { id = "ocid1.subnet..." } 8 | pub_lb = { id = "ocid1.subnet..." } 9 | workers = { id = "ocid1.subnet..." } 10 | pods = { id = "ocid1.subnet..." } 11 | } 12 | -------------------------------------------------------------------------------- /examples/operator/vars-operator-cloudinit.auto.tfvars: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2017, 2023 Oracle Corporation and/or its affiliates. 
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl 3 | 4 | operator_cloud_init = [ 5 | { 6 | content = <<-EOT 7 | runcmd: 8 | - echo "Operator cloud_init using cloud-config" 9 | EOT 10 | content_type = "text/cloud-config", 11 | }, 12 | { 13 | content = "/path/to/file" 14 | content_type = "text/cloud-boothook", 15 | }, 16 | { 17 | content = "" 18 | content_type = "text/x-shellscript", 19 | }, 20 | ] 21 | -------------------------------------------------------------------------------- /examples/operator/vars-operator.auto.tfvars: -------------------------------------------------------------------------------- 1 | # Copyright 2017, 2021 Oracle Corporation and/or affiliates. 2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl 3 | 4 | create_operator = true # *true/false 5 | operator_availability_domain = null 6 | operator_cloud_init = [] 7 | operator_image_id = null # Ignored when operator_image_type = "platform" 8 | operator_image_os = "Oracle Linux" # Ignored when operator_image_type = "custom" 9 | operator_image_os_version = "8" # Ignored when operator_image_type = "custom" 10 | operator_image_type = "platform" 11 | operator_nsg_ids = [] 12 | operator_private_ip = null 13 | operator_pv_transit_encryption = false # true/*false 14 | operator_upgrade = false # true/*false 15 | operator_user = "opc" 16 | operator_volume_kms_key_id = null 17 | 18 | operator_shape = { 19 | shape = "VM.Standard.E4.Flex", 20 | ocpus = 1, 21 | memory = 4, 22 | boot_volume_size = 50 23 | } 24 | -------------------------------------------------------------------------------- /examples/profiles/cluster-workers-only/main.tf: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2023 Oracle Corporation and/or its affiliates. 
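# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl

# "cluster-workers-only" profile: reuse an existing VCN, subnets, NSGs and bastion; create the
# operator, the cluster and one worker pool.
provider "oci" {
  config_file_profile = var.config_file_profile
  tenancy_ocid        = var.tenancy_id
  region              = var.region
}

module "cluster_workers_only" {
  source         = "../../../"
  providers      = { oci.home = oci }
  tenancy_id     = var.tenancy_id
  compartment_id = var.compartment_id
  # var.ssh_public_key_path is a filesystem path (see this profile's variables.tf and
  # terraform.tfvars.example), so it belongs to the root module's ssh_public_key_path input.
  # The original passed it as ssh_public_key, i.e. as if the path string were the key material
  # itself; profiles/workers-only/main.tf already uses ssh_public_key_path.
  ssh_public_key_path = var.ssh_public_key_path

  # Existing network: var.vcn_id and var.bastion_public_ip must be declared in this profile's variables.tf.
  create_vcn = false // *true/false; vcn_id required if false
  vcn_id     = var.vcn_id
  subnets    = var.subnets
  nsgs       = var.nsgs

  create_bastion    = false // *true/false
  bastion_public_ip = var.bastion_public_ip

  create_operator = true       // *true/false
  create_cluster  = true       // *true/false
  cluster_type    = "enhanced" // *basic/enhanced
  cni_type        = "flannel"  // *flannel/npn

  worker_pool_size = 1
  worker_pools = {
    oke-pool = {}
  }
}
--------------------------------------------------------------------------------
/examples/profiles/cluster-workers-only/variables.tf:
--------------------------------------------------------------------------------
# Copyright (c) 2023 Oracle Corporation and/or its affiliates.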
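# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl

variable "tenancy_id" { type = string }
variable "compartment_id" { type = string }
variable "region" { type = string }
# main.tf passes var.vcn_id and var.bastion_public_ip to the module (the profile reuses an existing
# VCN and bastion) but the original variables.tf did not declare them, so the profile failed with an
# undeclared input variable error. Declared as required strings, as in profiles/workers-only/variables.tf.
variable "vcn_id" { type = string }
variable "bastion_public_ip" { type = string }

variable "config_file_profile" {
  default = "DEFAULT"
  type    = string
}

# Path to the SSH public key file; passed through to the module as ssh_public_key_path.
variable "ssh_public_key_path" {
  default = null
  type    = string
}

# Subnets keyed like the module's subnets input: each entry references an existing subnet by id
# or describes one to create.
variable "subnets" {
  type = map(object({
    create    = optional(string)
    id        = optional(string)
    newbits   = optional(string)
    netnum    = optional(string)
    cidr      = optional(string)
    dns_label = optional(string)
  }))
}

# NSGs keyed like the module's nsgs input.
variable "nsgs" {
  type = map(object({
    create = optional(string)
    id     = optional(string)
  }))
}
--------------------------------------------------------------------------------
/examples/profiles/cluster-workers-only/versions.tf:
--------------------------------------------------------------------------------
# Copyright (c) 2017, 2023 Oracle Corporation and/or its affiliates.
# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl

# optional() object attributes in variables.tf need Terraform >= 1.3.
terraform {
  required_version = ">= 1.3.0"

  required_providers {
    oci = {
      source  = "oracle/oci"
      version = ">= 4.119.0"
    }
  }
}
--------------------------------------------------------------------------------
/examples/profiles/network-cluster-workers/main.tf:
--------------------------------------------------------------------------------
# Copyright (c) 2023 Oracle Corporation and/or its affiliates.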
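# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl

# "network-cluster-workers" profile: the module defaults (create_vcn/create_bastion/create_operator/
# create_cluster all default to true) create everything; only one worker pool is configured here.
provider "oci" {
  config_file_profile = var.config_file_profile
  tenancy_ocid        = var.tenancy_id
  region              = var.region
}

module "network_cluster_workers" {
  source         = "../../../"
  providers      = { oci.home = oci }
  tenancy_id     = var.tenancy_id
  compartment_id = var.compartment_id
  # var.ssh_public_key_path is a filesystem path (variables.tf), so it belongs to the root module's
  # ssh_public_key_path input. The original passed it as ssh_public_key, i.e. as if the path string
  # were the key material itself; profiles/workers-only/main.tf already uses ssh_public_key_path.
  ssh_public_key_path = var.ssh_public_key_path

  worker_pool_size = 1
  worker_pools = {
    oke-pool = {}
  }
}
--------------------------------------------------------------------------------
/examples/profiles/network-cluster-workers/variables.tf:
--------------------------------------------------------------------------------
# Copyright (c) 2023 Oracle Corporation and/or its affiliates.
# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl

variable "tenancy_id" { type = string }
variable "compartment_id" { type = string }
variable "region" { type = string }

variable "config_file_profile" {
  default = "DEFAULT"
  type    = string
}

# Path to the SSH public key file; passed through to the module as ssh_public_key_path.
variable "ssh_public_key_path" {
  default = null
  type    = string
}
--------------------------------------------------------------------------------
/examples/profiles/network-cluster-workers/versions.tf:
--------------------------------------------------------------------------------
# Copyright (c) 2017, 2023 Oracle Corporation and/or its affiliates.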
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl 3 | 4 | terraform { 5 | required_version = ">= 1.3.0" 6 | 7 | required_providers { 8 | oci = { 9 | source = "oracle/oci" 10 | version = ">= 4.119.0" 11 | } 12 | } 13 | } 14 | -------------------------------------------------------------------------------- /examples/profiles/network-only/main.tf: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2023 Oracle Corporation and/or its affiliates. 2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl 3 | 4 | provider "oci" { 5 | config_file_profile = var.config_file_profile 6 | tenancy_ocid = var.tenancy_id 7 | region = var.region 8 | } 9 | 10 | module "network_only" { 11 | source = "../../../" 12 | providers = { oci.home = oci } 13 | tenancy_id = var.tenancy_id 14 | compartment_id = var.compartment_id 15 | 16 | create_bastion = false // *true/false 17 | create_cluster = false // *true/false 18 | create_operator = false // *true/false 19 | 20 | # Force creation of NSGs with associated components disabled 21 | nsgs = { 22 | bastion = { create = "always" } 23 | operator = { create = "always" } 24 | cp = { create = "always" } 25 | int_lb = { create = "always" } 26 | pub_lb = { create = "always" } 27 | workers = { create = "always" } 28 | pods = { create = "always" } 29 | } 30 | 31 | # Force creation of subnets with associated components disabled 32 | subnets = { 33 | bastion = { 34 | create = "always", 35 | newbits = 13 36 | } 37 | 38 | operator = { 39 | create = "always", 40 | newbits = 13 41 | } 42 | 43 | cp = { 44 | create = "always", 45 | newbits = 13 46 | } 47 | 48 | int_lb = { 49 | create = "always", 50 | newbits = 11 51 | } 52 | 53 | pub_lb = { 54 | create = "always", 55 | newbits = 11 56 | } 57 | 58 | workers = { 59 | create = "always", 60 | newbits = 4 61 | } 62 | 63 | pods = { 64 | create = "always", 65 | 
newbits = 2 66 | } 67 | } 68 | } 69 | -------------------------------------------------------------------------------- /examples/profiles/network-only/variables.tf: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2023 Oracle Corporation and/or its affiliates. 2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl 3 | 4 | variable "tenancy_id" { type = string } 5 | variable "compartment_id" { type = string } 6 | variable "region" { type = string } 7 | 8 | variable "config_file_profile" { 9 | default = "DEFAULT" 10 | type = string 11 | } 12 | 13 | variable "ssh_public_key_path" { 14 | default = null 15 | type = string 16 | } 17 | -------------------------------------------------------------------------------- /examples/profiles/network-only/versions.tf: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2017, 2023 Oracle Corporation and/or its affiliates. 2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl 3 | 4 | terraform { 5 | required_version = ">= 1.3.0" 6 | 7 | required_providers { 8 | oci = { 9 | source = "oracle/oci" 10 | version = ">= 4.119.0" 11 | } 12 | } 13 | } 14 | -------------------------------------------------------------------------------- /examples/profiles/workers-only/main.tf: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2023 Oracle Corporation and/or its affiliates. 
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl 3 | 4 | provider "oci" { 5 | config_file_profile = var.config_file_profile 6 | tenancy_ocid = var.tenancy_id 7 | region = var.region 8 | } 9 | 10 | module "workers_only" { 11 | source = "../../../" 12 | providers = { oci.home = oci } 13 | tenancy_id = var.tenancy_id 14 | compartment_id = var.compartment_id 15 | vcn_id = var.vcn_id 16 | bastion_public_ip = var.bastion_public_ip 17 | cluster_id = var.cluster_id 18 | operator_private_ip = var.operator_private_ip 19 | ssh_public_key_path = var.ssh_public_key_path 20 | 21 | create_vcn = false 22 | create_bastion = false 23 | create_cluster = false 24 | create_operator = false 25 | 26 | subnets = { 27 | workers = { id = var.worker_subnet_id } 28 | } 29 | 30 | nsgs = {} 31 | worker_nsg_ids = var.worker_nsg_ids 32 | 33 | worker_pool_size = 1 34 | worker_pools = { 35 | oke-pool = {} 36 | } 37 | } 38 | -------------------------------------------------------------------------------- /examples/profiles/workers-only/variables.tf: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2023 Oracle Corporation and/or its affiliates. 
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl 3 | 4 | variable "tenancy_id" { type = string } 5 | variable "compartment_id" { type = string } 6 | variable "region" { type = string } 7 | variable "vcn_id" { type = string } 8 | variable "bastion_public_ip" { type = string } 9 | variable "cluster_id" { type = string } 10 | variable "worker_subnet_id" { type = string } 11 | 12 | variable "config_file_profile" { 13 | default = "DEFAULT" 14 | type = string 15 | } 16 | 17 | variable "operator_private_ip" { 18 | default = null 19 | type = string 20 | } 21 | 22 | variable "worker_nsg_ids" { 23 | default = [] 24 | type = list(string) 25 | } 26 | 27 | variable "ssh_public_key_path" { 28 | default = null 29 | type = string 30 | } 31 | -------------------------------------------------------------------------------- /examples/profiles/workers-only/versions.tf: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2017, 2023 Oracle Corporation and/or its affiliates. 2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl 3 | 4 | terraform { 5 | required_version = ">= 1.3.0" 6 | 7 | required_providers { 8 | oci = { 9 | source = "oracle/oci" 10 | version = ">= 4.119.0" 11 | } 12 | } 13 | } 14 | -------------------------------------------------------------------------------- /examples/provider-basic.tf: -------------------------------------------------------------------------------- 1 | # Copyright 2017, 2023 Oracle Corporation and/or affiliates. 2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl 3 | 4 | provider "oci" { 5 | alias = "home" 6 | region = "us-ashburn-1" 7 | tenancy_ocid = "ocid1.tenancy..." 8 | } 9 | 10 | provider "oci" { 11 | region = "ap-osaka-1" 12 | tenancy_ocid = "ocid1.tenancy..." 
13 | } 14 | -------------------------------------------------------------------------------- /examples/provider.tf: -------------------------------------------------------------------------------- 1 | # Copyright 2017, 2023 Oracle Corporation and/or affiliates. 2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl 3 | 4 | # Provider configurations for resource + home regions w/ some automatically derived values 5 | 6 | # tflint-ignore: terraform_required_providers 7 | provider "oci" { 8 | config_file_profile = var.config_file_profile 9 | fingerprint = var.api_fingerprint 10 | private_key = local.api_private_key 11 | private_key_password = var.api_private_key_password 12 | region = var.region 13 | tenancy_ocid = local.tenancy_id 14 | user_ocid = local.user_id 15 | } 16 | 17 | # tflint-ignore: terraform_required_providers 18 | provider "oci" { 19 | alias = "home" 20 | config_file_profile = var.config_file_profile 21 | fingerprint = var.api_fingerprint 22 | private_key = local.api_private_key 23 | private_key_password = var.api_private_key_password 24 | region = local.home_region 25 | tenancy_ocid = local.tenancy_id 26 | user_ocid = local.user_id 27 | } 28 | -------------------------------------------------------------------------------- /examples/rms/oke-cluster-only/data.tf: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2023 Oracle Corporation and/or its affiliates. 
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl 3 | 4 | variable "ssh_public_key" { 5 | default = null 6 | type = string 7 | } 8 | variable "ssh_kms_vault_id" { 9 | default = null 10 | type = string 11 | } 12 | variable "ssh_kms_secret_id" { 13 | default = null 14 | type = string 15 | } 16 | 17 | data "oci_identity_region_subscriptions" "home" { 18 | tenancy_id = var.tenancy_ocid 19 | filter { 20 | name = "is_home_region" 21 | values = [true] 22 | } 23 | } 24 | 25 | data "oci_secrets_secretbundle" "ssh_key" { 26 | secret_id = var.ssh_kms_secret_id 27 | } 28 | 29 | locals { 30 | ssh_public_key = try(base64decode(var.ssh_public_key), var.ssh_public_key) 31 | ssh_key_bundle = sensitive(one(data.oci_secrets_secretbundle.ssh_key.secret_bundle_content)) 32 | ssh_key_bundle_content = sensitive(lookup(local.ssh_key_bundle, "content", null)) 33 | } 34 | -------------------------------------------------------------------------------- /examples/rms/oke-cluster-only/output.tf: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2023 Oracle Corporation and/or its affiliates. 
# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl

# Outputs of the oke-cluster-only Resource Manager stack. Everything here is shown in the
# apply output and in the Resource Manager job log, so only non-secret values belong here
# unless an output is marked `sensitive`.

# Terraform
output "state_id" { value = module.oke.state_id }

# Identity
output "dynamic_group_ids" { value = module.oke.dynamic_group_ids }
output "policy_statements" { value = module.oke.policy_statements }

# Cluster
output "cluster_id" { value = module.oke.cluster_id }
output "cluster_endpoints" { value = module.oke.cluster_endpoints }
# NOTE(review): neither of the next two outputs is marked `sensitive`, so they are printed in full.
# The CA certificate is public material, and an OKE kubeconfig normally carries an exec credential
# plugin rather than a static token — confirm that against the module's cluster_kubeconfig output
# before relying on it; add `sensitive = true` if the kubeconfig ever embeds a token.
output "cluster_kubeconfig" { value = module.oke.cluster_kubeconfig }
output "cluster_ca_cert" { value = module.oke.cluster_ca_cert }

# Network
output "vcn_id" { value = module.oke.vcn_id }
output "bastion_public_ip" { value = module.oke.bastion_public_ip }
output "bastion_ssh_command" { value = module.oke.ssh_to_bastion }
# Vault secret OCID holding the SSH key (an identifier, not the key itself).
output "bastion_ssh_secret_id" { value = var.ssh_kms_secret_id }

# Operator
output "operator_id" { value = module.oke.operator_id }
output "operator_private_ip" { value = module.oke.operator_private_ip }
output "operator_ssh_command" { value = module.oke.ssh_to_operator }
output "operator_ssh_secret_id" { value = var.ssh_kms_secret_id }
output "operator_subnet_id" { value = module.oke.operator_subnet_id }
# Echoes the caller-supplied value from variables-network.tf, not a module-created resource.
output "operator_nsg_id" { value = var.operator_nsg_id }

# Cluster network (control-plane and load-balancer subnets / NSG)
output "control_plane_subnet_id" { value = module.oke.control_plane_subnet_id }
# Echoes the caller-supplied value from variables-network.tf, not a module-created resource.
output "control_plane_nsg_id" { value = var.control_plane_nsg_id }
output "int_lb_subnet_id" { value = module.oke.int_lb_subnet_id }
output "pub_lb_subnet_id" { value = module.oke.pub_lb_subnet_id }

--------------------------------------------------------------------------------
/examples/rms/oke-cluster-only/provider.tf:
--------------------------------------------------------------------------------
# Copyright (c) 2022, 2023 Oracle Corporation and/or its affiliates.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl 3 | 4 | provider "oci" { 5 | alias = "home" 6 | region = one(data.oci_identity_region_subscriptions.home.region_subscriptions[*].region_name) 7 | tenancy_ocid = var.tenancy_ocid 8 | user_ocid = var.current_user_ocid 9 | } 10 | 11 | provider "oci" { 12 | region = var.region 13 | tenancy_ocid = var.tenancy_ocid 14 | user_ocid = var.current_user_ocid 15 | retry_duration_seconds = 1800 16 | } 17 | -------------------------------------------------------------------------------- /examples/rms/oke-cluster-only/variables-cluster.tf: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2023 Oracle Corporation and/or its affiliates. 2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl 3 | 4 | # General 5 | 6 | variable "output_detail" { default = false } 7 | variable "timezone" { default = "Etc/UTC" } 8 | 9 | # Cluster 10 | 11 | variable "cluster_type" { 12 | description = "The cluster type. See Working with Enhanced Clusters and Basic Clusters for more information. NOTE: An Enhanced cluster is required for self-managed worker pools (mode != Node Pool)." 
13 | type = string 14 | } 15 | variable "cluster_name" { 16 | default = null 17 | type = string 18 | } 19 | variable "cni_type" { type = string } 20 | variable "pods_cidr" { 21 | default = "10.244.0.0/16" 22 | type = string 23 | } 24 | variable "services_cidr" { 25 | default = "10.96.0.0/16" 26 | type = string 27 | } 28 | variable "kubernetes_version" { default = "v1.32.1" } 29 | 30 | variable "cluster_kms_vault_id" { 31 | default = null 32 | type = string 33 | } 34 | variable "cluster_kms_key_id" { 35 | default = "" 36 | type = string 37 | } 38 | 39 | variable "use_signed_images" { 40 | default = false 41 | type = bool 42 | } 43 | variable "image_signing_keys" { 44 | default = [] 45 | type = set(string) 46 | } 47 | 48 | variable "load_balancers" { 49 | default = "Public" 50 | type = string 51 | } 52 | variable "preferred_load_balancer" { 53 | default = "Public" 54 | type = string 55 | } 56 | 57 | variable "cluster_tags" { 58 | default = {} 59 | type = map(any) 60 | } 61 | 62 | # Oracle Container Image Registry (OCIR) 63 | 64 | variable "ocir_email_address" { 65 | default = null 66 | type = string 67 | } 68 | variable "ocir_secret_name" { default = "ocirsecret" } 69 | variable "ocir_secret_namespace" { default = "default" } 70 | variable "ocir_username" { 71 | default = null 72 | type = string 73 | } 74 | variable "ocir_kms_vault_id" { 75 | default = null 76 | type = string 77 | } 78 | variable "ocir_kms_secret_id" { 79 | default = null 80 | type = string 81 | } 82 | -------------------------------------------------------------------------------- /examples/rms/oke-cluster-only/variables-iam.tf: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2023 Oracle Corporation and/or its affiliates. 
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl 3 | 4 | variable "tenancy_ocid" { 5 | default = null 6 | type = string 7 | } 8 | 9 | variable "current_user_ocid" { 10 | default = null 11 | type = string 12 | } 13 | 14 | variable "compartment_ocid" { 15 | default = null 16 | type = string 17 | } 18 | 19 | variable "region" { 20 | default = null 21 | type = string 22 | } 23 | 24 | variable "create_iam_autoscaler_policy" { 25 | default = "Auto" 26 | type = string 27 | } 28 | 29 | variable "create_iam_kms_policy" { 30 | default = "Auto" 31 | type = string 32 | } 33 | 34 | variable "create_iam_operator_policy" { 35 | default = "Auto" 36 | type = string 37 | } 38 | 39 | variable "create_iam_worker_policy" { 40 | default = "Auto" 41 | type = string 42 | } 43 | 44 | variable "create_iam_resources" { default = false } 45 | variable "create_iam_tag_namespace" { default = false } 46 | variable "create_iam_defined_tags" { default = false } 47 | variable "use_defined_tags" { 48 | default = false 49 | description = "Add existing tags in the configured namespace to created resources when applicable." 50 | type = bool 51 | } 52 | 53 | variable "tag_namespace" { 54 | default = "oke" 55 | description = "Tag namespace containing standard tags for resources created by the module: [state_id, role, pool, cluster_autoscaler]." 
56 | type = string 57 | } 58 | 59 | variable "freeform_tags" { 60 | default = { 61 | cluster = {} 62 | persistent_volume = {} 63 | service_lb = {} 64 | workers = {} 65 | bastion = {} 66 | operator = {} 67 | vcn = {} 68 | } 69 | type = any 70 | } 71 | 72 | variable "defined_tags" { 73 | default = { 74 | cluster = {} 75 | persistent_volume = {} 76 | service_lb = {} 77 | workers = {} 78 | bastion = {} 79 | operator = {} 80 | vcn = {} 81 | } 82 | type = any 83 | } 84 | -------------------------------------------------------------------------------- /examples/rms/oke-cluster-only/variables-network.tf: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2023 Oracle Corporation and/or its affiliates. 2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl 3 | 4 | variable "vcn_id" { type = string } 5 | variable "ig_route_table_id" { 6 | default = null 7 | type = string 8 | } 9 | variable "service_gateway_id" { 10 | default = null 11 | type = string 12 | } 13 | variable "nat_gateway_id" { 14 | default = null 15 | type = string 16 | } 17 | variable "assign_dns" { default = true } 18 | variable "control_plane_is_public" { default = false } 19 | variable "control_plane_nsg_id" { default = "" } 20 | variable "operator_nsg_id" { default = "" } 21 | 22 | variable "control_plane_subnet_id" { 23 | type = string 24 | } 25 | variable "int_lb_subnet_id" { 26 | type = string 27 | default = null 28 | } 29 | variable "operator_subnet_id" { 30 | type = string 31 | default = null 32 | } 33 | variable "pub_lb_subnet_id" { 34 | type = string 35 | default = null 36 | } 37 | 38 | variable "bastion_public_ip" { 39 | default = null 40 | type = string 41 | } 42 | -------------------------------------------------------------------------------- /examples/rms/oke-cluster-only/variables-operator.tf: -------------------------------------------------------------------------------- 1 | # Copyright (c) 
2023 Oracle Corporation and/or its affiliates. 2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl 3 | 4 | variable "create_operator" { default = true } 5 | variable "operator_install_helm" { default = true } 6 | variable "operator_install_k9s" { default = false } 7 | variable "operator_install_kubectx" { default = true } 8 | variable "operator_pv_transit_encryption" { default = false } 9 | variable "operator_upgrade" { default = false } 10 | variable "operator_availability_domain" { 11 | default = null 12 | type = string 13 | } 14 | variable "operator_cloud_init" { 15 | default = [] 16 | type = list(map(string)) 17 | } 18 | 19 | variable "operator_user" { default = "opc" } 20 | variable "operator_image_id" { 21 | default = null 22 | type = string 23 | } 24 | variable "operator_image_os" { default = "Oracle Linux" } 25 | variable "operator_image_os_version" { default = "8" } 26 | variable "operator_image_type" { 27 | default = "Platform" 28 | type = string 29 | validation { 30 | condition = contains(["custom", "platform"], lower(var.operator_image_type)) 31 | error_message = "Accepted values are custom or platform" 32 | } 33 | } 34 | variable "operator_shape" { 35 | default = { 36 | shape = "VM.Standard.E4.Flex", 37 | ocpus = 1, 38 | memory = 4, 39 | boot_volume_size = 50 40 | } 41 | type = map(any) 42 | } 43 | variable "operator_volume_kms_vault_id" { 44 | default = null 45 | type = string 46 | } 47 | variable "operator_volume_kms_key_id" { 48 | default = null 49 | type = string 50 | } 51 | variable "operator_private_ip" { 52 | default = null 53 | type = string 54 | } 55 | variable "operator_tags" { 56 | default = {} 57 | type = map(any) 58 | } 59 | -------------------------------------------------------------------------------- /examples/rms/oke-cluster-only/versions.tf: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2022, 2023 Oracle Corporation and/or 
its affiliates. 2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl 3 | 4 | terraform { 5 | experiments = [module_variable_optional_attrs] 6 | required_version = ">= 1.2.0" 7 | 8 | required_providers { 9 | oci = { 10 | configuration_aliases = [oci.home] 11 | source = "oracle/oci" 12 | version = ">= 4.119.0" 13 | } 14 | } 15 | } 16 | 17 | -------------------------------------------------------------------------------- /examples/rms/oke-network-only/data.tf: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2023 Oracle Corporation and/or its affiliates. 2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl 3 | 4 | variable "ssh_public_key" { 5 | default = null 6 | type = string 7 | } 8 | variable "ssh_kms_vault_id" { 9 | default = null 10 | type = string 11 | } 12 | variable "ssh_kms_secret_id" { 13 | default = null 14 | type = string 15 | } 16 | 17 | data "oci_identity_region_subscriptions" "home" { 18 | tenancy_id = var.tenancy_ocid 19 | filter { 20 | name = "is_home_region" 21 | values = [true] 22 | } 23 | } 24 | 25 | data "oci_secrets_secretbundle" "ssh_key" { 26 | secret_id = var.ssh_kms_secret_id 27 | } 28 | 29 | locals { 30 | ssh_public_key = try(base64decode(var.ssh_public_key), var.ssh_public_key) 31 | ssh_key_bundle = sensitive(one(data.oci_secrets_secretbundle.ssh_key.secret_bundle_content)) 32 | ssh_key_bundle_content = sensitive(lookup(local.ssh_key_bundle, "content", null)) 33 | } 34 | -------------------------------------------------------------------------------- /examples/rms/oke-network-only/output.tf: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2023 Oracle Corporation and/or its affiliates. 
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl 3 | 4 | # Terraform 5 | output "state_id" { value = module.oke.state_id } 6 | 7 | # Network 8 | output "vcn_id" { value = module.oke.vcn_id } 9 | output "drg_id" { value = module.oke.drg_id } 10 | output "ig_route_table_id" { value = module.oke.ig_route_table_id } 11 | output "nat_route_table_id" { value = module.oke.nat_route_table_id } 12 | 13 | # Bastion 14 | output "bastion_id" { value = module.oke.bastion_id } 15 | output "bastion_public_ip" { value = module.oke.bastion_public_ip } 16 | output "bastion_subnet_id" { value = module.oke.bastion_subnet_id } 17 | output "bastion_subnet_cidr" { value = module.oke.bastion_subnet_cidr } 18 | output "bastion_nsg_id" { value = module.oke.bastion_nsg_id } 19 | output "bastion_ssh_command" { value = module.oke.ssh_to_bastion } 20 | output "bastion_ssh_secret_id" { value = var.ssh_kms_secret_id } 21 | 22 | # Operator 23 | output "operator_subnet_id" { value = module.oke.operator_subnet_id } 24 | output "operator_subnet_cidr" { value = module.oke.operator_subnet_cidr } 25 | output "operator_nsg_id" { value = module.oke.operator_nsg_id } 26 | 27 | # Cluster 28 | output "control_plane_subnet_id" { value = module.oke.control_plane_subnet_id } 29 | output "control_plane_subnet_cidr" { value = module.oke.control_plane_subnet_cidr } 30 | output "control_plane_nsg_id" { value = module.oke.control_plane_nsg_id } 31 | output "int_lb_subnet_id" { value = module.oke.int_lb_subnet_id } 32 | output "pub_lb_subnet_id" { value = module.oke.pub_lb_subnet_id } 33 | output "int_lb_nsg_id" { value = module.oke.int_lb_nsg_id } 34 | output "int_lb_subnet_cidr" { value = module.oke.int_lb_subnet_cidr } 35 | output "pub_lb_nsg_id" { value = module.oke.pub_lb_nsg_id } 36 | output "pub_lb_subnet_cidr" { value = module.oke.pub_lb_subnet_cidr } 37 | 38 | # Workers 39 | output "worker_subnet_id" { value = module.oke.worker_subnet_id } 40 | 
output "worker_subnet_cidr" { value = module.oke.worker_subnet_cidr } 41 | output "worker_nsg_id" { value = module.oke.worker_nsg_id } 42 | output "pod_subnet_id" { value = module.oke.pod_subnet_id } 43 | output "pod_subnet_cidr" { value = module.oke.pod_subnet_cidr } 44 | output "pod_nsg_id" { value = module.oke.pod_nsg_id } 45 | -------------------------------------------------------------------------------- /examples/rms/oke-network-only/provider.tf: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2022, 2023 Oracle Corporation and/or its affiliates. 2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl 3 | 4 | provider "oci" { 5 | alias = "home" 6 | region = one(data.oci_identity_region_subscriptions.home.region_subscriptions[*].region_name) 7 | tenancy_ocid = var.tenancy_ocid 8 | user_ocid = var.current_user_ocid 9 | } 10 | 11 | provider "oci" { 12 | region = var.region 13 | tenancy_ocid = var.tenancy_ocid 14 | user_ocid = var.current_user_ocid 15 | retry_duration_seconds = 1800 16 | } 17 | -------------------------------------------------------------------------------- /examples/rms/oke-network-only/variables-bastion.tf: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2023 Oracle Corporation and/or its affiliates. 
# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl

variable "create_bastion" { default = true }
variable "bastion_is_public" { default = true }
variable "bastion_upgrade" { default = false }

# Source range permitted to reach the bastion. The default admits every IPv4 source, and with
# bastion_is_public = true above the example bastion is reachable from the whole Internet unless
# the stack user narrows this value (a single CIDR string here, not a list). Presumably it feeds
# the bastion NSG / security rule inside the module — confirm there.
variable "bastion_allowed_cidrs" {
  default = "0.0.0.0/0"
  type    = string
}

variable "bastion_availability_domain" {
  default = null
  type    = string
}

variable "bastion_user" {
  default = "opc"
  type    = string
}

variable "bastion_image_id" {
  default = null
  type    = string
}

variable "bastion_image_type" {
  default = "platform"
  type    = string
  # Case-insensitive: the operator example defaults to "Platform" and passes the same check.
  validation {
    condition     = contains(["custom", "platform"], lower(var.bastion_image_type))
    error_message = "Accepted values are custom or platform"
  }
}

variable "bastion_image_os" {
  default = "Oracle Autonomous Linux"
  type    = string
}

variable "bastion_image_os_version" {
  default = "8.7"
  type    = string
}

variable "bastion_shape" {
  default = {
    shape            = "VM.Standard.E4.Flex",
    ocpus            = 1,
    memory           = 4,
    boot_volume_size = 50
  }
  type = map(any)
}

variable "bastion_tags" {
  default = {}
  type    = map(any)
}

--------------------------------------------------------------------------------
/examples/rms/oke-network-only/variables-iam.tf:
--------------------------------------------------------------------------------
# Copyright (c) 2023 Oracle Corporation and/or its affiliates.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl 3 | 4 | variable "tenancy_ocid" { 5 | default = null 6 | type = string 7 | } 8 | 9 | variable "current_user_ocid" { 10 | default = null 11 | type = string 12 | } 13 | 14 | variable "compartment_ocid" { 15 | default = null 16 | type = string 17 | } 18 | 19 | variable "region" { 20 | default = null 21 | type = string 22 | } 23 | 24 | variable "api_fingerprint" { 25 | default = null 26 | type = string 27 | } 28 | 29 | variable "create_iam_tag_namespace" { default = false } 30 | variable "create_iam_defined_tags" { default = false } 31 | variable "use_defined_tags" { 32 | default = false 33 | description = "Add existing tags in the configured namespace to created resources when applicable." 34 | type = bool 35 | } 36 | 37 | variable "tag_namespace" { 38 | default = "oke" 39 | description = "Tag namespace containing standard tags for resources created by the module: [state_id, role, pool, cluster_autoscaler]." 40 | type = string 41 | } 42 | 43 | variable "freeform_tags" { 44 | default = { 45 | cluster = {} 46 | persistent_volume = {} 47 | service_lb = {} 48 | workers = {} 49 | bastion = {} 50 | operator = {} 51 | vcn = {} 52 | } 53 | type = any 54 | } 55 | 56 | variable "defined_tags" { 57 | default = { 58 | cluster = {} 59 | persistent_volume = {} 60 | service_lb = {} 61 | workers = {} 62 | bastion = {} 63 | operator = {} 64 | vcn = {} 65 | } 66 | type = any 67 | } 68 | -------------------------------------------------------------------------------- /examples/rms/oke-network-only/variables-subnets.tf: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2023 Oracle Corporation and/or its affiliates. 
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl 3 | 4 | variable "bastion_subnet_create" { default = true } 5 | variable "control_plane_subnet_create" { default = true } 6 | variable "int_lb_subnet_create" { default = true } 7 | variable "operator_subnet_create" { default = true } 8 | variable "pod_subnet_create" { default = true } 9 | variable "pub_lb_subnet_create" { default = true } 10 | variable "worker_subnet_create" { default = true } 11 | 12 | variable "bastion_subnet_newbits" { default = 13 } 13 | variable "control_plane_subnet_newbits" { default = 13 } 14 | variable "int_lb_subnet_newbits" { default = 11 } 15 | variable "operator_subnet_newbits" { default = 13 } 16 | variable "pod_subnet_newbits" { default = 2 } 17 | variable "pub_lb_subnet_newbits" { default = 11 } 18 | variable "worker_subnet_newbits" { default = 2 } 19 | 20 | variable "bastion_subnet_id" { 21 | type = string 22 | default = null 23 | } 24 | variable "control_plane_subnet_id" { 25 | type = string 26 | default = null 27 | } 28 | variable "int_lb_subnet_id" { 29 | type = string 30 | default = null 31 | } 32 | variable "operator_subnet_id" { 33 | type = string 34 | default = null 35 | } 36 | variable "pod_subnet_id" { 37 | type = string 38 | default = null 39 | } 40 | variable "pub_lb_subnet_id" { 41 | type = string 42 | default = null 43 | } 44 | variable "worker_subnet_id" { 45 | type = string 46 | default = null 47 | } 48 | -------------------------------------------------------------------------------- /examples/rms/oke-network-only/versions.tf: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2022, 2023 Oracle Corporation and/or its affiliates. 
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl 3 | 4 | terraform { 5 | experiments = [module_variable_optional_attrs] 6 | required_version = ">= 1.2.0" 7 | 8 | required_providers { 9 | oci = { 10 | configuration_aliases = [oci.home] 11 | source = "oracle/oci" 12 | version = ">= 4.119.0" 13 | } 14 | } 15 | } 16 | 17 | -------------------------------------------------------------------------------- /examples/rms/oke-workers-only/data.tf: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2023 Oracle Corporation and/or its affiliates. 2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl 3 | 4 | variable "ssh_public_key" { 5 | default = null 6 | type = string 7 | } 8 | variable "ssh_kms_vault_id" { 9 | default = null 10 | type = string 11 | } 12 | variable "ssh_kms_secret_id" { 13 | default = null 14 | type = string 15 | } 16 | 17 | data "oci_identity_region_subscriptions" "home" { 18 | tenancy_id = var.tenancy_ocid 19 | filter { 20 | name = "is_home_region" 21 | values = [true] 22 | } 23 | } 24 | 25 | data "oci_secrets_secretbundle" "ssh_key" { 26 | secret_id = var.ssh_kms_secret_id 27 | } 28 | 29 | locals { 30 | ssh_public_key = try(base64decode(var.ssh_public_key), var.ssh_public_key) 31 | ssh_key_bundle = sensitive(one(data.oci_secrets_secretbundle.ssh_key.secret_bundle_content)) 32 | ssh_key_bundle_content = sensitive(lookup(local.ssh_key_bundle, "content", null)) 33 | } 34 | -------------------------------------------------------------------------------- /examples/rms/oke-workers-only/output.tf: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2023 Oracle Corporation and/or its affiliates. 
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl 3 | 4 | # Terraform 5 | output "state_id" { value = module.oke.state_id } 6 | 7 | # Network 8 | output "worker_subnet_id" { value = var.worker_subnet_id } 9 | output "worker_nsg_id" { value = var.worker_nsg_id } 10 | 11 | # Identity 12 | output "dynamic_group_ids" { value = module.oke.dynamic_group_ids } 13 | output "policy_statements" { value = module.oke.policy_statements } 14 | output "create_iam_autoscaler_policy" { value = var.create_iam_autoscaler_policy } 15 | output "create_iam_worker_policy" { value = var.create_iam_worker_policy } 16 | 17 | # Cluster 18 | output "cluster_id" { value = var.cluster_id } 19 | output "apiserver_private_host" { value = module.oke.apiserver_private_host } 20 | 21 | # Workers 22 | output "worker_pool_name" { value = var.worker_pool_name } 23 | output "worker_pool_mode" { value = var.worker_pool_mode } 24 | output "worker_shape" { value = var.worker_shape } 25 | output "worker_pool_size" { value = var.worker_pool_size } 26 | output "worker_image_id" { value = local.worker_image_id } 27 | output "autoscale" { value = var.autoscale } 28 | 29 | output "worker_pool_ids" { 30 | value = concat( 31 | values(coalesce(module.oke.worker_pool_ids, {})), 32 | values(coalesce(module.oke.worker_instance_ids, {})), 33 | ) 34 | } 35 | -------------------------------------------------------------------------------- /examples/rms/oke-workers-only/provider.tf: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2022, 2023 Oracle Corporation and/or its affiliates. 
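# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl

# Home-region alias for tenancy-scoped resources; the region name comes from the
# is_home_region subscription lookup in data.tf.
provider "oci" {
  alias        = "home"
  region       = one(data.oci_identity_region_subscriptions.home.region_subscriptions[*].region_name)
  tenancy_ocid = var.tenancy_ocid
  user_ocid    = var.current_user_ocid
}

# Resource-region provider (no API key material here: Resource Manager supplies the identity).
provider "oci" {
  region                 = var.region
  tenancy_ocid           = var.tenancy_ocid
  user_ocid              = var.current_user_ocid
  retry_duration_seconds = 1800
}

--------------------------------------------------------------------------------
/examples/rms/oke-workers-only/versions.tf:
--------------------------------------------------------------------------------
# Copyright (c) 2022, 2023 Oracle Corporation and/or its affiliates.
# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl

terraform {
  # The module_variable_optional_attrs experiment concluded in Terraform 1.3 (optional() object
  # attributes are built in from then on) and 1.3+ refuses a terraform block that still opts in
  # to it, so the former `experiments = [module_variable_optional_attrs]` line together with
  # ">= 1.2.0" only ever worked on 1.2.x. Require 1.3 instead, as examples/profiles/workers-only/
  # versions.tf already does. The oke-cluster-only and oke-network-only siblings still carry the
  # same opt-in.
  required_version = ">= 1.3.0"

  required_providers {
    oci = {
      configuration_aliases = [oci.home]
      source                = "oracle/oci"
      version               = ">= 4.119.0"
    }
  }
}

--------------------------------------------------------------------------------
/examples/utilities/vars-utilities-drain.auto.tfvars:
--------------------------------------------------------------------------------
# Copyright (c) 2017, 2023 Oracle Corporation and/or its affiliates.
# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl
--------------------------------------------------------------------------------
/examples/utilities/vars-utilities-ocir.auto.tfvars:
--------------------------------------------------------------------------------
# Copyright (c) 2017, 2023 Oracle Corporation and/or its affiliates.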
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl 3 | 4 | email_address = "" 5 | secret_id = "none" 6 | secret_name = "ocirsecret" 7 | secret_namespace = "default" 8 | username = "" 9 | create_service_account = false # true/*false 10 | service_account_name = "" 11 | service_account_namespace = "" 12 | service_account_cluster_role_binding = "" 13 | -------------------------------------------------------------------------------- /examples/utilities/vars-utilities-serviceaccount.auto.tfvars: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2017, 2023 Oracle Corporation and/or its affiliates. 2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl 3 | 4 | create_service_account = false # true/*false 5 | service_account_name = "" 6 | service_account_namespace = "" 7 | service_account_cluster_role_binding = "" 8 | -------------------------------------------------------------------------------- /examples/vars-common.auto.tfvars: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2017, 2023 Oracle Corporation and/or its affiliates. 2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl 3 | 4 | output_detail = false 5 | timezone = "Etc/UTC" 6 | ssh_public_key_path = "~/path/to/key.pub" 7 | ssh_public_key = < /dev/null"] 56 | } 57 | } -------------------------------------------------------------------------------- /modules/bastion/variables.tf: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2017, 2023 Oracle Corporation and/or its affiliates. 
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl 3 | 4 | # Common 5 | variable "compartment_id" { type = string } 6 | variable "state_id" { type = string } 7 | 8 | # Bastion 9 | variable "await_cloudinit" { type = string } 10 | variable "assign_dns" { type = bool } 11 | variable "availability_domain" { type = string } 12 | variable "bastion_image_os_version" { type = string } 13 | variable "image_id" { type = string } 14 | variable "is_public" { type = bool } 15 | variable "nsg_ids" { type = list(string) } 16 | variable "shape" { type = map(any) } 17 | variable "ssh_private_key" { 18 | type = string 19 | sensitive = true 20 | } 21 | variable "ssh_public_key" { type = string } 22 | variable "subnet_id" { type = string } 23 | variable "timezone" { type = string } 24 | variable "upgrade" { type = bool } 25 | variable "user" { type = string } 26 | 27 | # Tags 28 | variable "defined_tags" { type = map(string) } 29 | variable "freeform_tags" { type = map(string) } 30 | variable "tag_namespace" { type = string } 31 | variable "use_defined_tags" { type = bool } -------------------------------------------------------------------------------- /modules/bastion/versions.tf: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2017, 2023 Oracle Corporation and/or its affiliates. 
# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl

terraform {
  required_version = ">= 1.2.0"

  required_providers {
    cloudinit = {
      source  = "hashicorp/cloudinit"
      version = ">= 2.2.0"
    }

    null = {
      source  = "hashicorp/null"
      version = ">= 3.2.1"
    }

    oci = {
      source  = "oracle/oci"
      version = ">= 4.119.0"
    }
  }
}

--------------------------------------------------------------------------------
/modules/cluster-addons/delete_addons.tf:
--------------------------------------------------------------------------------
# Copyright (c) 2017, 2024 Oracle Corporation and/or its affiliates.
# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl

# Disables OKE cluster addons by running the OCI CLI on the operator host over SSH.
locals {
  # format() template: %s <- addon name, %s <- cluster OCID, %t <- remove_k8s_resources (a bool).
  remove_addon_command = "oci ce cluster disable-addon --addon-name %s --cluster-id %s --is-remove-existing-add-on %t --force"
  # Per-addon defaults, overridden by whatever the caller puts in cluster_addons_to_remove.
  remove_addons_defaults = {
    custom_commands      = []
    remove_k8s_resources = true
  }
  remove_addons_with_defaults = { for addon_name, addon_value in var.cluster_addons_to_remove :
    addon_name => merge(local.remove_addons_defaults, addon_value)
  }
}

# One removal per addon name; nothing is created when the operator host is disabled.
resource "null_resource" "remove_addons" {
  for_each   = var.operator_enabled ? local.remove_addons_with_defaults : {}
  depends_on = [oci_containerengine_addon.primary_addon, oci_containerengine_addon.secondary_addon]

  # Two-hop SSH (bastion, then operator); the same private key authenticates both hops.
  connection {
    bastion_host        = var.bastion_host
    bastion_user        = var.bastion_user
    bastion_private_key = var.ssh_private_key
    host                = var.operator_host
    user                = var.operator_user
    private_key         = var.ssh_private_key
    timeout             = "40m"
    type                = "ssh"
  }

  # The addon name (each.key) is interpolated into a shell command line executed on the operator
  # host. It is gated by the precondition below, which admits only names present in
  # local.supported_addons (declared elsewhere in this module), so the template never receives a
  # free-form string. custom_commands, by contrast, are executed verbatim as supplied by the caller
  # of this module and are not validated here.
  provisioner "remote-exec" {
    inline = concat(
      [
        "echo 'Removing ${each.key} addon'",
        format(local.remove_addon_command, each.key, var.cluster_id, lookup(each.value, "remove_k8s_resources"))
      ],
      lookup(each.value, "custom_commands")
    )
  }

  lifecycle {
    # Checked before the resource is created, so an unsupported name fails the plan/apply
    # instead of reaching the remote-exec provisioner.
    precondition {
      condition     = contains(local.supported_addons, each.key)
      error_message = <<-EOT
        The addon ${each.key} is not supported.
        The list of supported addons is: ${join(", ", local.supported_addons)}.
      EOT
    }
  }
}
--------------------------------------------------------------------------------
/modules/cluster-addons/outputs.tf:
--------------------------------------------------------------------------------
# Copyright (c) 2017, 2024 Oracle Corporation and/or its affiliates.
# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl

# Addon names the control plane reports as available for this cluster/version.
output "supported_addons" {
  value = data.oci_containerengine_addon_options.k8s_addon_options.addon_options
}

--------------------------------------------------------------------------------
/modules/cluster-addons/variables.tf:
--------------------------------------------------------------------------------
# Copyright (c) 2017, 2024 Oracle Corporation and/or its affiliates.
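2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl
3 |
4 | # General variables
5 | variable "cluster_id" { type = string }
# `any`: the shape of these maps is validated by the locals that consume them, not here.
6 | variable "cluster_addons" { type = any }
7 | variable "cluster_addons_to_remove" { type = any }
8 | variable "kubernetes_version" { type = string }
9 |
10 | # Variables required to access the operator host
11 | variable "bastion_host" { type = string }
12 | variable "bastion_user" { type = string }
13 | variable "operator_enabled" { type = bool }
14 | variable "operator_host" { type = string }
15 | variable "operator_user" { type = string }
# Marked sensitive so the key is redacted from plan/apply output, matching the operator and
# utilities modules; it is only used in SSH connection blocks.
16 | variable "ssh_private_key" {
  type      = string
  sensitive = true
}
17 |
18 |
-------------------------------------------------------------------------------- /modules/cluster-addons/versions.tf: --------------------------------------------------------------------------------
1 | # Copyright (c) 2017, 2024 Oracle Corporation and/or its affiliates.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl
3 |
4 | terraform {
5 |   required_version = ">= 1.2.0"
6 |
7 |   required_providers {
8 |     oci = {
9 |       source  = "oracle/oci"
10 |       version = ">= 6.37.0"
11 |     }
12 |   }
13 | }
14 |
-------------------------------------------------------------------------------- /modules/cluster/outputs.tf: --------------------------------------------------------------------------------
1 | # Copyright (c) 2017, 2023 Oracle Corporation and/or its affiliates.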
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl
3 |
4 | output "cluster_id" {
5 |   value = oci_containerengine_cluster.k8s_cluster.id
6 | }
7 |
# endpoints is a list on the provider resource; one() collapses it to its single element (null if empty).
8 | output "endpoints" {
9 |   value = one(oci_containerengine_cluster.k8s_cluster.endpoints)
10 | }
11 |
12 | output "oidc_discovery_endpoint" {
13 |   value = oci_containerengine_cluster.k8s_cluster.open_id_connect_discovery_endpoint
14 | }
-------------------------------------------------------------------------------- /modules/cluster/variables.tf: --------------------------------------------------------------------------------
1 | # Copyright (c) 2017, 2023 Oracle Corporation and/or its affiliates.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl
3 |
4 | # Common
5 | variable "compartment_id" { type = string }
6 | variable "state_id" { type = string }
7 |
8 | # Cluster
9 | variable "cluster_kms_key_id" { type = string }
10 | variable "cluster_name" { type = string }
11 | variable "cluster_type" { type = string }
12 | variable "cni_type" { type = string }
13 | variable "enable_ipv6" { type = bool }
14 | variable "control_plane_is_public" { type = bool }
15 | variable "control_plane_nsg_ids" { type = set(string) }
16 | variable "assign_public_ip_to_control_plane" { type = bool }
17 | variable "control_plane_subnet_id" { type = string }
18 | variable "image_signing_keys" { type = set(string) }
19 | variable "kubernetes_version" { type = string }
20 | variable "pods_cidr" { type = string }
21 | variable "service_lb_subnet_id" { type = string }
22 | variable "services_cidr" { type = string }
23 | variable "tag_namespace" { type = string }
# NOTE(review): declared as string here but as bool in the iam and operator modules — confirm the root module passes a compatible value.
24 | variable "use_defined_tags" { type = string }
25 | variable "use_signed_images" { type = bool }
26 | variable "vcn_id" { type = string }
27 |
28 | # Tagging
29 | variable "cluster_defined_tags" { type = map(string) }
30 | variable "cluster_freeform_tags" { type =
    map(string) }
31 | variable "persistent_volume_defined_tags" { type = map(string) }
32 | variable "persistent_volume_freeform_tags" { type = map(string) }
33 | variable "service_lb_defined_tags" { type = map(string) }
34 | variable "service_lb_freeform_tags" { type = map(string) }
35 |
36 | # OIDC
37 | variable "oidc_discovery_enabled" { type = bool }
38 | variable "oidc_token_auth_enabled" { type = bool }
# `any`: the OIDC configuration shape is validated by the consuming resource, not here.
39 | variable "oidc_token_authentication_config" { type = any }
-------------------------------------------------------------------------------- /modules/cluster/versions.tf: --------------------------------------------------------------------------------
1 | # Copyright (c) 2017, 2024 Oracle Corporation and/or its affiliates.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl
3 |
4 | terraform {
5 |   required_version = ">= 1.2.0"
6 |
7 |   required_providers {
8 |     oci = {
9 |       source  = "oracle/oci"
10 |       version = ">= 6.37.0"
11 |     }
12 |   }
13 | }
14 |
-------------------------------------------------------------------------------- /modules/extensions/locals.tf: --------------------------------------------------------------------------------
1 | # Copyright (c) 2023 Oracle Corporation and/or its affiliates.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl
3 |
# Shared command templates for the extension installers; %s placeholders are filled with format().
4 | locals {
    # Manifests are staged under the operator user's home directory before being applied.
5 |   yaml_manifest_path = "/home/${var.operator_user}/yaml"
    # pipefail so a failing command inside a pipeline is not masked by a later command's exit status.
6 |   kubectl = "set -o pipefail; kubectl"
7 |   helm    = "set -o pipefail; helm"
8 |   kubectl_apply_ns_file        = "${local.kubectl} apply -n %s -f %s"
9 |   kubectl_apply_file           = "${local.kubectl} apply -f %s"
10 |   kubectl_apply_server_file    = "${local.kubectl} apply --force-conflicts=true --server-side -f %s"
11 |   kubectl_apply_server_ns_file = "${local.kubectl} apply -n %s --force-conflicts=true --server-side -f %s"
    # Idempotent namespace creation: render with a client-side dry run, then apply the result.
12 |   kubectl_create_missing_ns = "${local.kubectl} create ns %s --dry-run=client -o yaml | kubectl apply -f -"
13 |   selector_linux = { "kubernetes.io/os" = "linux" }
    # Wraps a command so its output is also written to the journal under the given syslog tag.
14 |   output_log = "bash -c \"%s | tee >(systemd-cat -t %s -p info)\""
    # Placeholders: release, chart, repo, version, namespace, values file. CRDs are skipped (--skip-crds).
15 |   helm_upgrade_install = "${local.helm} upgrade --install %s %s --repo %s --version %s --namespace %s --create-namespace --skip-crds -f %s"
16 | }
17 |
-------------------------------------------------------------------------------- /modules/extensions/mpi_operator.tf: --------------------------------------------------------------------------------
1 | # Copyright (c) 2023 Oracle Corporation and/or its affiliates.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl
3 |
4 | locals {
    # Upstream release manifests, selected by var.mpi_operator_version.
5 |   mpi_operator_url = "https://raw.githubusercontent.com/kubeflow/mpi-operator/v${var.mpi_operator_version}/deploy/v2beta1"
    # An explicit var.mpi_operator_deployment_url takes precedence over the derived URL.
6 |   mpi_operator_deployment_url = coalesce(
7 |     var.mpi_operator_deployment_url,
8 |     "${local.mpi_operator_url}/mpi-operator.yaml"
9 |   )
10 |   mpi_operator_manifest_path = join("/", [local.yaml_manifest_path, "mpi-operator.manifest.yaml"])
    # data.http has count 0/1, so one() yields the value, or null when the extension is disabled.
11 |   mpi_operator_manifest_status_code = one(data.http.mpi_operator[*].status_code)
    # Marked sensitive — presumably to keep the full manifest body out of plan output.
12 |   mpi_operator_manifest_content = sensitive(one(data.http.mpi_operator[*].response_body))
13 | }
14 |
# NOTE(review): the manifest is applied exactly as fetched; only the HTTP status is checked below.
# Pinning an expected checksum of the manifest (and failing the precondition on mismatch) would
# detect a tampered download or a moved tag between the reviewed and the deployed content.
15 | data "http" "mpi_operator" {
16 |   count = var.mpi_operator_install ? 1 : 0
17 |   url   = local.mpi_operator_deployment_url
18 | }
19 |
20 | resource "null_resource" "mpi_operator" {
21 |   count = var.mpi_operator_install ? 1 : 0
22 |
    # Re-runs the provisioners when the URL or the manifest content changes (md5 is change detection, not integrity).
23 |   triggers = {
24 |     mpi_operator_deployment_url = local.mpi_operator_deployment_url
25 |     mpi_operator_deployment_md5 = md5(local.mpi_operator_manifest_content)
26 |   }
27 |
    # SSH to the operator host through the bastion; the same private key is used for both hops.
28 |   connection {
29 |     bastion_host        = var.bastion_host
30 |     bastion_user        = var.bastion_user
31 |     bastion_private_key = var.ssh_private_key
32 |     host                = var.operator_host
33 |     user                = var.operator_user
34 |     private_key         = var.ssh_private_key
35 |     timeout             = "40m"
36 |     type                = "ssh"
37 |   }
38 |
39 |   provisioner "remote-exec" {
40 |     inline = ["mkdir -p ${local.yaml_manifest_path}"]
41 |   }
42 |
    # Upload the fetched manifest, then apply it with kubectl.
43 |   provisioner "file" {
44 |     content     = local.mpi_operator_manifest_content
45 |     destination = local.mpi_operator_manifest_path
46 |   }
47 |
48 |   provisioner "remote-exec" {
49 |     inline = [
50 |       format(local.kubectl_apply_file, local.mpi_operator_manifest_path),
51 |     ]
52 |   }
53 |
54 |   lifecycle {
      # Fails plan/apply when the manifest fetch did not return HTTP 200.
      # NOTE(review): Terraform does not display a condition error_message that refers to sensitive
      # values; keep the sensitive manifest content out of this message or the URL and status are hidden too.
55 |     precondition {
56 |       condition     = local.mpi_operator_manifest_status_code == 200
57 |       error_message = <<-EOT
58 |         Error retrieving MPI Operator manifest
59 |         URL: ${local.mpi_operator_deployment_url}
60 |         Status code:
${local.mpi_operator_manifest_status_code} 61 | Response: ${local.mpi_operator_manifest_content} 62 | EOT 63 | } 64 | } 65 | } 66 | -------------------------------------------------------------------------------- /modules/extensions/multus.tf: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2023 Oracle Corporation and/or its affiliates. 2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl 3 | 4 | locals { 5 | multus_url = "https://raw.githubusercontent.com/k8snetworkplumbingwg/multus-cni" 6 | multus_daemonset_url = coalesce( 7 | var.multus_daemonset_url, 8 | "${local.multus_url}/v${var.multus_version}/deployments/multus-daemonset.yml" 9 | ) 10 | multus_manifest_path = join("/", [local.yaml_manifest_path, "multus.manifest.yaml"]) 11 | multus_manifest_status_code = one(data.http.multus[*].status_code) 12 | multus_manifest_content = sensitive(one(data.http.multus[*].response_body)) 13 | } 14 | 15 | data "http" "multus" { 16 | count = var.multus_install ? 1 : 0 17 | url = local.multus_daemonset_url 18 | } 19 | 20 | resource "null_resource" "multus" { 21 | count = var.multus_install ? 
1 : 0 22 | 23 | triggers = { 24 | multus_daemonset_url = local.multus_daemonset_url 25 | multus_daemonset_md5 = md5(local.multus_manifest_content) 26 | } 27 | 28 | connection { 29 | bastion_host = var.bastion_host 30 | bastion_user = var.bastion_user 31 | bastion_private_key = var.ssh_private_key 32 | host = var.operator_host 33 | user = var.operator_user 34 | private_key = var.ssh_private_key 35 | timeout = "40m" 36 | type = "ssh" 37 | } 38 | 39 | provisioner "remote-exec" { 40 | inline = ["mkdir -p ${local.yaml_manifest_path}"] 41 | } 42 | 43 | provisioner "file" { 44 | content = local.multus_manifest_content 45 | destination = local.multus_manifest_path 46 | } 47 | 48 | provisioner "remote-exec" { 49 | inline = [ 50 | format(local.kubectl_apply_file, local.multus_manifest_path), 51 | ] 52 | } 53 | 54 | lifecycle { 55 | precondition { 56 | condition = local.multus_manifest_status_code == 200 57 | error_message = <<-EOT 58 | Error retrieving Multus Daemonset manifest 59 | Status code: ${local.multus_manifest_status_code} 60 | Response: ${local.multus_manifest_content} 61 | EOT 62 | } 63 | } 64 | } 65 | -------------------------------------------------------------------------------- /modules/extensions/versions.tf: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2017, 2023 Oracle Corporation and/or its affiliates. 
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl
3 |
4 | terraform {
5 |   required_version = ">= 1.2.0"
6 |
7 |   required_providers {
8 |     helm = {
9 |       source  = "hashicorp/helm"
10 |       version = ">= 2.9.0"
11 |     }
12 |
13 |     http = {
14 |       source  = "hashicorp/http"
15 |       version = ">= 3.2.1"
16 |     }
17 |
18 |     null = {
19 |       source  = "hashicorp/null"
20 |       version = ">= 3.2.1"
21 |     }
22 |   }
23 | }
24 |
-------------------------------------------------------------------------------- /modules/iam/await.tf: --------------------------------------------------------------------------------
# Fixed delay after IAM resources are created — presumably so policies and the tag namespace
# have propagated before dependants use them (TODO confirm). Created only when something was created.
# NOTE(review): time_sleep needs the hashicorp/time provider, which modules/iam/versions.tf does not
# declare or version-constrain; it is resolved implicitly.
1 | resource "time_sleep" "await_iam_resources" {
2 |   count = anytrue([
3 |     local.has_policy_statements,
4 |     local.create_iam_tag_namespace,
5 |   ]) ? 1 : 0
6 |   create_duration  = "30s"
7 |   destroy_duration = "0s"
8 | }
9 |
-------------------------------------------------------------------------------- /modules/iam/group-cluster.tf: --------------------------------------------------------------------------------
1 | # Copyright (c) 2022, 2023 Oracle Corporation and/or its affiliates.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl
3 |
4 | locals {
5 |   cluster_group_name = format("oke-cluster-%v", var.state_id)
    # Dynamic-group rule: OKE cluster resources in the compartment, narrowed to this state_id via a
    # defined tag when use_defined_tags is set (compact() drops the null entry otherwise).
6 |   cluster_rule = format("ALL {%v}", join(", ", compact([
7 |     "resource.type = 'cluster'",
8 |     format("resource.compartment.id = '%v'", var.compartment_id),
9 |     var.use_defined_tags ? format("tag.%v.state_id.value='%v'",
10 |       var.tag_namespace, var.state_id) : null,
11 |   ])))
12 |
13 |   # Cluster secrets encryption using OCI Key Management System (KMS)
    # Statements are emitted only when a KMS key id is configured (null or "none" means no key).
14 |   cluster_policy_statements = coalesce(var.cluster_kms_key_id, "none") != "none" ?
    tolist([format(
15 |     "Allow dynamic-group %v to use keys in compartment id %v where target.key.id = '%v'",
16 |     local.cluster_group_name, var.compartment_id, var.cluster_kms_key_id,
17 |   ), format("Allow dynamic-group %v to read instance-images in compartment id %v",
18 |     local.cluster_group_name, var.compartment_id)
19 |   ]) : []
    # NOTE(review): the instance-images read grant is also gated on the KMS key being set; confirm that coupling is intended.
20 | }
21 |
# Dynamic groups live in the tenancy (root compartment) and are created through the `oci.home`
# provider alias (IAM is a home-region service — presumably why the alias is required).
22 | resource "oci_identity_dynamic_group" "cluster" {
23 |   provider       = oci.home
24 |   count          = var.create_iam_resources && var.create_iam_kms_policy ? 1 : 0
25 |   compartment_id = var.tenancy_id # dynamic groups exist in root compartment (tenancy)
26 |   description    = format("Dynamic group with cluster for OKE Terraform state %v", var.state_id)
27 |   matching_rule  = local.cluster_rule
28 |   name           = local.cluster_group_name
29 |   defined_tags   = local.defined_tags
30 |   freeform_tags  = local.freeform_tags
31 |   lifecycle {
      # Tag changes made outside Terraform are tolerated.
32 |     ignore_changes = [defined_tags, freeform_tags]
33 |   }
34 | }
35 |
-------------------------------------------------------------------------------- /modules/iam/group-operator.tf: --------------------------------------------------------------------------------
1 | # Copyright (c) 2022, 2023 Oracle Corporation and/or its affiliates.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl
3 |
4 | locals {
5 |   operator_group_name = format("oke-operator-%v", var.state_id)
    # Membership rule for the operator dynamic group: tag-based when defined tags are in use,
    # otherwise every instance in the compartment.
6 |   operator_group_rules = var.use_defined_tags ?
    format("ALL {%v}", join(", ", [
7 |     format("tag.%v.role.value='operator'", var.tag_namespace),
8 |     format("tag.%v.state_id.value='%v'", var.tag_namespace, var.state_id),
9 |   ])) : "ALL {instance.compartment.id = '${var.compartment_id}'}"
    # NOTE(review): without defined tags the fallback rule matches EVERY compute instance in the
    # compartment, and cluster_manage_statement below grants that group MANAGE on clusters, so any
    # instance in the compartment — not only the operator — holds that privilege. Prefer the
    # tag-based rule, or a compartment dedicated to the operator, when this policy is created.
10 |
11 |   cluster_manage_statement = format(
12 |     "Allow dynamic-group %v to MANAGE clusters in compartment id %v",
13 |     local.operator_group_name, var.compartment_id,
14 |   )
15 |
16 |   # TODO support keys defined at worker group level
    # %v placeholders: compartment id, then key id (filled in below).
17 |   operator_kms_volume_templates = [
18 |     "Allow service blockstorage to USE keys in compartment id %v where target.key.id = '%v'",
19 |     "Allow dynamic-group ${local.operator_group_name} to USE key-delegates in compartment id %v where target.key.id = '%v'"
20 |   ]
21 |
22 |   # Block volume encryption using OCI Key Management System (KMS)
    # Emitted only when a KMS key id is configured (null or "none" means no key).
23 |   operator_kms_volume_statements = coalesce(var.operator_volume_kms_key_id, "none") != "none" ? tolist([
24 |     for statement in local.operator_kms_volume_templates :
25 |     format(statement, var.compartment_id, var.operator_volume_kms_key_id)
26 |   ]) : []
27 |
28 |   operator_policy_statements = var.create_iam_operator_policy ? concat(
29 |     [local.cluster_manage_statement],
30 |     local.operator_kms_volume_statements,
31 |   ) : []
32 | }
33 |
34 | resource "oci_identity_dynamic_group" "operator" {
35 |   provider = oci.home
36 |   count    = var.create_iam_resources && var.create_iam_operator_policy ?
    1 : 0
37 |   compartment_id = var.tenancy_id # dynamic groups exist in root compartment (tenancy)
38 |   description    = format("Dynamic group of operator instance(s) for OKE Terraform state %v", var.state_id)
39 |   matching_rule  = local.operator_group_rules
40 |   name           = local.operator_group_name
41 |   defined_tags   = local.defined_tags
42 |   freeform_tags  = local.freeform_tags
43 |   lifecycle {
      # Tag changes made outside Terraform are tolerated.
44 |     ignore_changes = [defined_tags, freeform_tags]
45 |   }
46 | }
47 |
-------------------------------------------------------------------------------- /modules/iam/outputs.tf: --------------------------------------------------------------------------------
1 | # Copyright (c) 2022, 2023 Oracle Corporation and/or its affiliates.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl
3 |
# one() over each [*] splat yields the group's id, or null when that group was not created; compact() drops the nulls.
4 | output "dynamic_group_ids" {
5 |   description = "Cluster IAM dynamic group IDs"
6 |   value = local.has_policy_statements ? compact([
7 |     one(oci_identity_dynamic_group.cluster[*].id),
8 |     one(oci_identity_dynamic_group.workers[*].id),
9 |     one(oci_identity_dynamic_group.autoscaling[*].id),
10 |     one(oci_identity_dynamic_group.operator[*].id),
11 |   ]) : null
12 | }
13 |
14 | output "policy_statements" {
15 |   description = "Cluster IAM policy statements"
16 |   value       = local.has_policy_statements ? local.policy_statements : null
17 | }
18 |
-------------------------------------------------------------------------------- /modules/iam/policy.tf: --------------------------------------------------------------------------------
1 | # Copyright (c) 2022, 2023 Oracle Corporation and/or its affiliates.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl
3 |
4 | locals {
    # All statements from the per-group files, flattened, with empty entries and duplicates removed.
5 |   policy_statements = distinct(compact(flatten([
6 |     local.cluster_policy_statements,
7 |     local.worker_policy_statements,
8 |     local.operator_policy_statements,
9 |     local.autoscaler_policy_statements,
10 |   ])))
11 |
    # create_iam_resources is the master switch; at least one per-policy flag must also be set.
12 |   has_policy_statements = var.create_iam_resources && anytrue([
13 |     var.create_iam_autoscaler_policy,
14 |     var.create_iam_kms_policy,
15 |     var.create_iam_operator_policy,
16 |     var.create_iam_worker_policy,
17 |   ])
18 | }
19 |
20 | resource "oci_identity_policy" "cluster" {
21 |   provider       = oci.home
22 |   count          = local.has_policy_statements ? 1 : 0
23 |   compartment_id = var.compartment_id
24 |   description    = format("Policies for OKE Terraform state %v", var.state_id)
25 |   name           = var.policy_name
26 |   statements     = local.policy_statements
27 |   defined_tags   = local.defined_tags
28 |   freeform_tags  = local.freeform_tags
29 |   lifecycle {
30 |     ignore_changes = [defined_tags, freeform_tags]
31 |   }
32 | }
33 |
# Lets the cluster principal use IPv6 addresses in the network compartment (falling back to var.compartment_id).
34 | resource "oci_identity_policy" "cluster_ipv6" {
35 |   provider       = oci.home
36 |   count          = var.enable_ipv6 && var.create_iam_resources ? 1 : 0
37 |   compartment_id = var.network_compartment_id != null ? var.network_compartment_id : var.compartment_id
38 |   description    = format("Policies for OKE Terraform state %v", var.state_id)
    # NOTE(review): same name as oci_identity_policy.cluster. When network_compartment_id is null
    # both policies land in var.compartment_id with identical names, which OCI is expected to
    # reject (policy names are unique within a compartment); a distinct name such as
    # "<policy_name>-ipv6" would avoid the clash.
39 |   name           = var.policy_name
    # NOTE(review): the statement is given an OCID but uses "in compartment %s" rather than the
    # "in compartment id %v" form used by every other statement in this module — confirm OCI
    # accepts an OCID in that position.
40 |   statements     = [format("Allow any-user to use ipv6s in compartment %s where all { request.principal.type = 'cluster' }", var.network_compartment_id != null ?
    var.network_compartment_id : var.compartment_id )]
41 |   defined_tags  = local.defined_tags
42 |   freeform_tags = local.freeform_tags
43 |   lifecycle {
44 |     ignore_changes = [defined_tags, freeform_tags]
45 |   }
46 | }
-------------------------------------------------------------------------------- /modules/iam/variables.tf: --------------------------------------------------------------------------------
1 | # Copyright (c) 2022, 2023 Oracle Corporation and/or its affiliates.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl
3 |
4 | # Common
5 | variable "cluster_id" { type = string }
6 | variable "compartment_id" { type = string }
# Compartment holding the VCN; may be null, in which case policy.tf falls back to compartment_id.
7 | variable "network_compartment_id" { type = string }
8 | variable "state_id" { type = string }
# Root compartment: dynamic groups are created here.
9 | variable "tenancy_id" { type = string }
10 | variable "worker_compartments" { type = list(string) }
11 | variable "enable_ipv6" { type = bool }
12 | # Tags
13 | variable "create_iam_defined_tags" { type = bool }
14 | variable "create_iam_tag_namespace" { type = bool }
15 | variable "defined_tags" { type = map(string) }
16 | variable "freeform_tags" { type = map(string) }
17 | variable "tag_namespace" { type = string }
18 | variable "use_defined_tags" { type = bool }
19 |
20 | # Policy
21 | variable "autoscaler_compartments" { type = list(string) }
# Master switch: the per-policy flags below only take effect when this is true (see policy.tf).
22 | variable "create_iam_resources" { type = bool }
23 | variable "create_iam_autoscaler_policy" { type = bool }
24 | variable "create_iam_kms_policy" { type = bool }
25 | variable "create_iam_operator_policy" { type = bool }
26 | variable "create_iam_worker_policy" { type = bool }
27 | variable "policy_name" { type = string }
28 |
29 | # KMS
# group-cluster.tf and group-operator.tf treat null or "none" as "no key" and emit no KMS statements.
30 | variable "cluster_kms_key_id" { type = string }
31 | variable "operator_volume_kms_key_id" { type = string }
32 | variable "worker_volume_kms_key_id" { type = string }
33 |
-------------------------------------------------------------------------------- /modules/iam/versions.tf:
--------------------------------------------------------------------------------
# NOTE(review): stray duplicate header — the file carries two copyright notices.
1 | // Copyright (c) 2024 Oracle and/or its affiliates
2 |
3 | # Copyright (c) 2017, 2024 Oracle Corporation and/or its affiliates.
4 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl
5 |
6 | terraform {
7 |   required_version = ">= 1.2.0"
8 |
9 |   required_providers {
10 |     oci = {
        # Callers must pass an `oci.home` aliased provider; the IAM resources are created through it.
11 |       configuration_aliases = [oci.home]
12 |       source                = "oracle/oci"
13 |       version               = ">= 4.119.0"
14 |     }
    # NOTE(review): await.tf uses time_sleep, but no hashicorp/time provider is declared or version-constrained here.
15 |   }
16 | }
-------------------------------------------------------------------------------- /modules/network/datasources.tf: --------------------------------------------------------------------------------
1 | # Copyright (c) 2017, 2023 Oracle Corporation and/or its affiliates.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl
3 |
# Looks up the "All ... Services In Oracle Services Network" entry; its CIDR label is exposed as local.osn in locals.tf.
4 | data "oci_core_services" "all_oci_services" {
5 |   filter {
6 |     name   = "name"
7 |     values = ["All .* Services In Oracle Services Network"]
8 |     regex  = true
9 |   }
10 | }
11 |
# WAF edge subnets, fetched only when WAF is enabled (consumed by rules outside this view, presumably).
12 | data "oci_waas_edge_subnets" "waf_cidr_blocks" {
13 |   count = var.enable_waf ? 1 : 0
14 | }
15 |
-------------------------------------------------------------------------------- /modules/network/drgs.tf: --------------------------------------------------------------------------------
1 | # Copyright (c) 2017, 2023 Oracle Corporation and/or its affiliates.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl
3 |
4 | locals {
    # Attachments whose `create` flag (default true) is set; a null input yields an empty map.
5 |   drg_attachments = (var.drg_attachments == null ? {}
6 |     : { for k, v in var.drg_attachments : k => v if tobool(lookup(v, "create", true)) }
7 |   )
8 | }
9 |
10 | // Create a DRG if any attachments are defined
11 | resource "oci_core_drg" "oke" {
12 |   count = length(local.drg_attachments) > 0 ?
    1 : 0
13 |   compartment_id = var.compartment_id
14 |   display_name   = "oke-${var.state_id}"
15 |   defined_tags   = var.defined_tags
16 |   freeform_tags  = var.freeform_tags
17 |   lifecycle {
18 |     ignore_changes = [freeform_tags, defined_tags]
19 |   }
20 | }
21 |
22 | // Attach the current VCN to the DRG
23 | resource "oci_core_drg_attachment" "oke" {
24 |   count        = length(local.drg_attachments) > 0 && length(oci_core_drg.oke[*]) > 0 ? 1 : 0
25 |   drg_id       = one(oci_core_drg.oke[*].id)
26 |   display_name = "drg-oke-${var.state_id}"
27 |   defined_tags  = var.defined_tags
28 |   freeform_tags = var.freeform_tags
29 |
30 |   network_details {
31 |     id   = var.vcn_id
32 |     type = "VCN"
33 |   }
34 |
35 |   lifecycle {
36 |     ignore_changes = [freeform_tags, defined_tags]
37 |   }
38 | }
39 |
40 | // Attach configured VCNs to the DRG
# Each entry joins another VCN to this DRG; what traffic may cross is governed by route and
# security rules outside this view.
41 | resource "oci_core_drg_attachment" "extra" {
42 |   for_each     = local.drg_attachments
43 |   drg_id       = one(oci_core_drg.oke[*].id)
44 |   display_name = format("%v-%v", each.key, var.state_id)
45 |   defined_tags  = var.defined_tags
46 |   freeform_tags = var.freeform_tags
47 |
48 |   network_details {
49 |     id   = lookup(each.value, "vcn_id")
50 |     type = "VCN"
51 |   }
52 |
53 |   lifecycle {
      # Validates the whole map rather than each.value, so one malformed entry fails every attachment.
54 |     precondition {
55 |       condition     = alltrue([for k, v in local.drg_attachments : contains(keys(v), "vcn_id")])
56 |       error_message = "DRG attachments must specify a 'vcn_id'."
57 |     }
58 |     ignore_changes = [freeform_tags, defined_tags]
59 |   }
60 | }
61 |
-------------------------------------------------------------------------------- /modules/network/locals.tf: --------------------------------------------------------------------------------
1 | # Copyright (c) 2017, 2023 Oracle Corporation and/or its affiliates.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl
3 |
# Constants shared by the network security rules in this module.
4 | locals {
5 |   # Port numbers
    # Sentinel meaning "any port"; how it is expanded into rules is outside this view.
6 |   all_ports               = -1
7 |   apiserver_port          = 6443
8 |   fss_nfs_portmapper_port = 111
9 |   fss_nfs_port_min        = 2048
10 |   fss_nfs_port_max        = 2050
11 |   health_check_port       = 10256
12 |   kubelet_api_port        = 10250
13 |   oke_port                = 12250
14 |   node_port_min           = 30000
15 |   node_port_max           = 32767
16 |   ssh_port                = 22
17 |
18 |   # Protocols
19 |   # See https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml
20 |   all_protocols   = "all"
21 |   icmp_protocol   = 1
22 |   icmpv6_protocol = 58
23 |   tcp_protocol    = 6
24 |   udp_protocol    = 17
25 |
26 |
    # Unrestricted CIDRs: any rule built on these is reachable from, or reaches, every address.
27 |   anywhere      = "0.0.0.0/0"
28 |   anywhere_ipv6 = "::/0"
    # OCI security-rule source/destination types.
29 |   rule_type_nsg     = "NETWORK_SECURITY_GROUP"
30 |   rule_type_cidr    = "CIDR_BLOCK"
31 |   rule_type_service = "SERVICE_CIDR_BLOCK"
32 |
33 |   # Oracle Services Network (OSN)
    # CIDR label of the single entry matched by data.oci_core_services.all_oci_services.
34 |   osn = one(data.oci_core_services.all_oci_services.services[*].cidr_block)
35 | }
36 |
-------------------------------------------------------------------------------- /modules/network/versions.tf: --------------------------------------------------------------------------------
1 | # Copyright (c) 2017, 2024 Oracle Corporation and/or its affiliates.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl
3 |
4 | terraform {
5 |   required_version = ">= 1.2.0"
6 |
7 |   required_providers {
8 |     oci = {
9 |       source  = "oracle/oci"
10 |       version = ">= 4.119.0"
11 |     }
12 |   }
13 | }
14 |
-------------------------------------------------------------------------------- /modules/operator/variables.tf: --------------------------------------------------------------------------------
1 | # Copyright (c) 2019, 2023 Oracle Corporation and/or its affiliates.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl
3 |
4 | # Common
5 | variable "compartment_id" { type = string }
6 | variable "state_id" { type = string }
7 |
8 | # Bastion (to await cloud-init completion)
9 | variable "bastion_host" { type = string }
10 | variable "bastion_user" { type = string }
11 |
12 | # Operator
# String rather than bool; the accepted values are defined outside this view.
13 | variable "await_cloudinit" { type = string }
14 | variable "assign_dns" { type = bool }
15 | variable "availability_domain" { type = string }
16 | variable "cloud_init" { type = list(map(string)) }
17 | variable "image_id" { type = string }
18 | variable "install_cilium" { type = bool }
19 | variable "install_oci_cli_from_repo" { type = bool }
20 | variable "install_helm" { type = bool }
21 | variable "install_helm_from_repo" { type = bool }
22 | variable "install_istioctl" { type = bool }
23 | variable "install_k8sgpt" { type = bool }
24 | variable "install_k9s" { type = bool }
# The only variable in this file with a default.
25 | variable "install_kubectl_from_repo" {
26 |   type    = bool
27 |   default = true
28 | }
29 | variable "install_kubectx" { type = bool }
30 | variable "install_stern" { type = bool }
# NOTE(review): not marked sensitive; if the kubeconfig ever carries static credentials they
# will show in plan output (OKE kubeconfigs typically use exec-based auth — confirm).
31 | variable "kubeconfig" { type = string }
32 | variable "kubernetes_version" { type = string }
33 | variable "nsg_ids" { type = list(string) }
34 | variable "operator_image_os_version" { type = string }
35 | variable "pv_transit_encryption" { type = bool }
36 | variable "shape" { type = map(any) }
# Redacted from plan/apply output; the cluster-addons module declares the same variable without `sensitive`.
37 | variable "ssh_private_key" {
38 |   type      = string
39 |   sensitive = true
40 | }
41 | variable "ssh_public_key" { type = string }
42 | variable "subnet_id" { type = string }
43 | variable "timezone" { type = string }
44 | variable "upgrade" { type = bool }
45 | variable "user" { type = string }
46 | variable "volume_kms_key_id" { type = string }
47 |
48 | # Tags
49 | variable "defined_tags" { type = map(string) }
50 | variable "freeform_tags" { type = map(string) }
51 | variable "tag_namespace" { type = string }
52 | variable
"use_defined_tags" { type = bool } -------------------------------------------------------------------------------- /modules/operator/versions.tf: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2017, 2024 Oracle Corporation and/or its affiliates. 2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl 3 | 4 | terraform { 5 | required_version = ">= 1.2.0" 6 | 7 | required_providers { 8 | cloudinit = { 9 | source = "hashicorp/cloudinit" 10 | version = ">= 2.2.0" 11 | } 12 | 13 | null = { 14 | source = "hashicorp/null" 15 | version = ">= 3.2.1" 16 | } 17 | 18 | oci = { 19 | source = "oracle/oci" 20 | version = ">= 4.119.0" 21 | } 22 | } 23 | } 24 | -------------------------------------------------------------------------------- /modules/utilities/drain.tf: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2017, 2023 Oracle Corporation and/or its affiliates. 2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl 3 | 4 | locals { 5 | drain_enabled = var.expected_drain_count > 0 6 | drain_pools = (local.drain_enabled 7 | ? tolist([for k, v in var.worker_pools : k if tobool(lookup(v, "drain", false))]) : [] 8 | ) 9 | 10 | drain_commands = formatlist( 11 | format( 12 | "kubectl drain %v %v %v %v", 13 | format("--timeout=%vs", var.worker_drain_timeout_seconds), 14 | format("--ignore-daemonsets=%v", var.worker_drain_ignore_daemonsets), 15 | format("--delete-emptydir-data=%v", var.worker_drain_delete_local_data), 16 | "-l oke.oraclecloud.com/pool.name=%v" # interpolation deferred to formatlist 17 | ), 18 | local.drain_pools 19 | ) 20 | } 21 | 22 | resource "null_resource" "drain_workers" { 23 | count = local.drain_enabled ? 
    1 : 0
24 |   triggers = {
      # Sorted so reordering pools in the input does not re-trigger a drain.
25 |     drain_pools    = jsonencode(sort(local.drain_pools))
26 |     drain_commands = jsonencode(local.drain_commands)
27 |   }
28 |
    # SSH to the operator host through the bastion; the same private key is used for both hops.
29 |   connection {
30 |     bastion_host        = var.bastion_host
31 |     bastion_user        = var.bastion_user
32 |     bastion_private_key = var.ssh_private_key
33 |     host                = var.operator_host
34 |     user                = var.operator_user
35 |     private_key         = var.ssh_private_key
36 |     timeout             = "40m"
37 |     type                = "ssh"
38 |   }
39 |
    # NOTE(review): if expected_drain_count > 0 while no pool sets drain = true, inline is an
    # empty list — confirm how the caller derives expected_drain_count.
40 |   provisioner "remote-exec" {
41 |     inline = local.drain_commands
42 |   }
43 | }
44 |
-------------------------------------------------------------------------------- /modules/utilities/nodeready.tf: --------------------------------------------------------------------------------
1 | # Copyright (c) 2017, 2023 Oracle Corporation and/or its affiliates.
2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl
3 |
4 | locals {
5 |   node_ready_script = "/home/${var.operator_user}/await_node_ready.sh"
    # Renders resources/await_node_readiness.tpl.sh with the readiness mode and expected node count.
6 |   node_ready_template = templatefile("${path.module}/resources/await_node_readiness.tpl.sh",
7 |     {
8 |       await_node_readiness = var.await_node_readiness
9 |       expected_node_count  = var.expected_node_count
10 |     }
11 |   )
12 | }
13 |
# Uploads and runs the wait script on the operator host; skipped when readiness waiting is "none"
# or no nodes are expected.
14 | resource "null_resource" "await_node_readiness" {
15 |   count = var.await_node_readiness != "none" && var.expected_node_count > 0 ?
1 : 0 16 | triggers = { expected_node_count = var.expected_node_count } 17 | 18 | connection { 19 | bastion_host = var.bastion_host 20 | bastion_user = var.bastion_user 21 | bastion_private_key = var.ssh_private_key 22 | host = var.operator_host 23 | user = var.operator_user 24 | private_key = var.ssh_private_key 25 | timeout = "40m" 26 | type = "ssh" 27 | } 28 | 29 | provisioner "file" { 30 | content = local.node_ready_template 31 | destination = local.node_ready_script 32 | } 33 | 34 | provisioner "remote-exec" { 35 | inline = ["bash ${local.node_ready_script}"] 36 | } 37 | } 38 | -------------------------------------------------------------------------------- /modules/utilities/resources/await_node_readiness.tpl.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | # Copyright (c) 2017, 2023 Oracle Corporation and/or its affiliates. 3 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl 4 | # shellcheck disable=SC1083,SC2309,SC2154,SC2157,SC2034 # Ignore templated/escaped/unused file variables 5 | export ALL_FILE=~/all_node.active ONE_FILE=~/one_node.active 6 | 7 | function clean_node_active() { 8 | rm -f "$${ALL_FILE}" "$${ONE_FILE}" 9 | } 10 | 11 | function get_actual_node_count() ( 12 | (kubectl get --no-headers nodes | grep -v NotReady | awk '{print $1}' | wc -l) 2>/dev/null || echo '0' 13 | ) 14 | 15 | function wait_for_active() { 16 | clean_node_active 17 | 18 | while true; do 19 | local actual_node_count 20 | actual_node_count=$(get_actual_node_count) 21 | if [[ $${actual_node_count} -ge ${expected_node_count} ]]; then touch all_node.active; fi 22 | if [[ $${actual_node_count} -ge 1 ]]; then touch one_node.active; fi 23 | 24 | if [[ -f "$${ONE_FILE}" ]] && [[ "${await_node_readiness}" == 'one' ]]; then 25 | echo "$(date): Ready with $${actual_node_count} node(s)" >&2 26 | break 27 | fi 28 | 29 | if [[ -f "$${ALL_FILE}" ]] && [[ 
"${await_node_readiness}" == 'all' ]]; then 30 | echo "$(date): Ready with $${actual_node_count} node(s)" >&2 31 | break 32 | fi 33 | 34 | echo "$(date): Waiting for ${await_node_readiness} of ${expected_node_count} node(s) to become ready ($${actual_node_count} found)" >&2 35 | sleep 30 36 | done 37 | } 38 | 39 | if [[ ${expected_node_count} -ge 1 ]]; then time wait_for_active; fi -------------------------------------------------------------------------------- /modules/utilities/variables.tf: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2017, 2023 Oracle Corporation and/or its affiliates. 2 | # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl 3 | 4 | # Common 5 | variable "region" { type = string } 6 | variable "worker_pools" { type = any } 7 | 8 | # Connection 9 | variable "bastion_host" { type = string } 10 | variable "bastion_user" { type = string } 11 | variable "operator_host" { type = string } 12 | variable "operator_user" { type = string } 13 | variable "ssh_private_key" { 14 | type = string 15 | sensitive = true 16 | } 17 | 18 | # OCIR 19 | variable "ocir_email_address" { type = string } 20 | variable "ocir_secret_id" { type = string } 21 | variable "ocir_secret_name" { type = string } 22 | variable "ocir_secret_namespace" { type = string } 23 | variable "ocir_username" { type = string } 24 | 25 | # Node readiness check, drain 26 | variable "await_node_readiness" { type = string } 27 | variable "expected_drain_count" { type = number } 28 | variable "expected_node_count" { type = number } 29 | variable "worker_drain_ignore_daemonsets" { type = bool } 30 | variable "worker_drain_delete_local_data" { type = bool } 31 | variable "worker_drain_timeout_seconds" { type = number } 32 | -------------------------------------------------------------------------------- /modules/utilities/versions.tf: 
--------------------------------------------------------------------------------
# Copyright (c) 2017, 2023 Oracle Corporation and/or its affiliates.
# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl

# Provider requirements for the utilities sub-module.
terraform {
  required_version = ">= 1.2.0"

  required_providers {
    # NOTE(review): the workers sub-module and the root module on this page require
    # oci ">= 6.37.0"; confirm this lower bound is intentional.
    oci = {
      version = ">= 4.119.0"
      source  = "oracle/oci"
    }

    null = {
      version = ">= 3.2.1"
      source  = "hashicorp/null"
    }
  }
}
--------------------------------------------------------------------------------
/modules/workers/README.md:
--------------------------------------------------------------------------------
# Worker pools

This sub-module supports different modes of OKE worker node management with advanced configuration.

## Usage

Refer to the [Workers](https://oracle-terraform-modules.github.io/terraform-oci-oke/guide/workers.html) section of the user guide.
--------------------------------------------------------------------------------
/modules/workers/clusternetworks.tf:
--------------------------------------------------------------------------------
# Copyright (c) 2022, 2023 Oracle Corporation and/or its affiliates.
# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl

# One OCI Cluster Network per entry of local.enabled_cluster_networks
# (the worker_pools entries whose mode selects this resource).
resource "oci_core_cluster_network" "workers" {
  for_each = local.enabled_cluster_networks

  display_name   = each.key
  compartment_id = each.value.compartment_id
  freeform_tags  = each.value.freeform_tags
  defined_tags   = each.value.defined_tags

  # Bare metal first boot (hardware configuration) can take a long time.
  timeouts {
    create = "2h"
  }

  # The instance configuration for the pool is created elsewhere in this module
  # and keyed by the same pool name.
  instance_pools {
    display_name              = each.key
    size                      = each.value.size
    instance_configuration_id = oci_core_instance_configuration.workers[each.key].id
    freeform_tags             = each.value.freeform_tags
    defined_tags              = each.value.defined_tags
  }

  placement_configuration {
    # element() wraps around, so with a single AD this yields that AD; with two or
    # more it yields the second. TODO(review): confirm index 1 rather than 0 is intended.
    availability_domain = element(each.value.availability_domains, 1)
    primary_subnet_id   = each.value.subnet_id

    # Optional secondary VNICs; a VNIC without its own subnet_id uses the pool's subnet.
    dynamic "secondary_vnic_subnets" {
      iterator = vnic
      for_each = lookup(each.value, "secondary_vnics", {})
      content {
        subnet_id    = lookup(vnic.value, "subnet_id", each.value.subnet_id)
        display_name = vnic.key
      }
    }
  }

  lifecycle {
    # Drift in names and tags (top level and on the embedded pool) does not produce a diff.
    ignore_changes = [
      display_name,
      defined_tags,
      freeform_tags,
      instance_pools[0].defined_tags,
      instance_pools[0].freeform_tags,
    ]

    precondition {
      condition     = each.value.autoscale == false
      error_message = "Cluster Networks do not support cluster autoscaler management."
    }

    precondition {
      condition     = coalesce(each.value.image_id, "none") != "none"
      error_message = "Missing image_id for pool ${each.key}. Check provided value for image_id if image_type is 'custom', or image_os/image_os_version if image_type is 'oke' or 'platform'."
    }
  }
}
--------------------------------------------------------------------------------
/modules/workers/data-faultdomains.tf:
--------------------------------------------------------------------------------
# Copyright (c) 2023 Oracle Corporation and/or its affiliates.
# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl

# Fault domains for each availability domain in var.ad_numbers_to_names
# (presumably AD number => AD name; the map values are used as the AD).
data "oci_identity_fault_domains" "all" {
  for_each            = var.ad_numbers_to_names
  compartment_id      = var.compartment_id
  availability_domain = each.value
}
--------------------------------------------------------------------------------
/modules/workers/data-shapes.tf:
--------------------------------------------------------------------------------
# Copyright (c) 2023 Oracle Corporation and/or its affiliates.
# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl

# All compute shapes visible in the compartment.
data "oci_core_shapes" "oke" {
  compartment_id = var.compartment_id
}

locals {
  # shape name => list of shape objects carrying that name (grouping form "...");
  # entries without a "name" attribute are dropped.
  shapes_by_name = {
    for s in data.oci_core_shapes.oke.shapes :
    lookup(s, "name") => s...
    if contains(keys(s), "name")
  }

  # shape name => merged platform_config_options across the objects of that shape;
  # only the 'type' value, consistent across them, is needed downstream.
  platform_config_by_shape = {
    for name, group in local.shapes_by_name :
    name => merge(lookup(merge(group...), "platform_config_options", [])...)
  }
}
--------------------------------------------------------------------------------
/modules/workers/outputs.tf:
--------------------------------------------------------------------------------
# Copyright (c) 2022, 2023 Oracle Corporation and/or its affiliates.
# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl

# Pools (every mode other than 'instance') and standalone instances are exposed separately.
output "worker_pools" {
  value       = local.worker_pools_output
  description = "Created worker pools (mode != 'instance')"
}

output "worker_instances" {
  value       = local.worker_instances
  description = "Created worker pools (mode == 'instance')"
}

output "worker_pool_ids" {
  value       = local.worker_pool_ids
  description = "Created worker pool IDs"
}

output "worker_pool_ips" {
  value       = local.worker_pool_ips
  description = "Created worker instance private IPs by pool for available modes ('node-pool', 'instance')."
}

# Counts consumed by the readiness/drain utilities and the autoscaler extension.
output "worker_count_expected" {
  value       = local.expected_node_count
  description = "# of nodes expected from created worker pools"
}

output "worker_drain_expected" {
  value       = local.expected_drain_count
  description = "# of nodes expected to be draining in worker pools"
}

output "worker_pool_autoscale_expected" {
  value       = local.expected_autoscale_worker_pools
  description = "# of worker pools expected with autoscale enabled from created worker pools"
}
--------------------------------------------------------------------------------
/modules/workers/versions.tf:
--------------------------------------------------------------------------------
# Copyright (c) 2017, 2023 Oracle Corporation and/or its affiliates.
# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl

# Provider requirements for the workers sub-module.
terraform {
  required_version = ">= 1.2.0"

  required_providers {
    oci = {
      version = ">= 6.37.0"
      source  = "oracle/oci"
    }

    cloudinit = {
      version = ">= 2.2.0"
      source  = "hashicorp/cloudinit"
    }
  }
}

--------------------------------------------------------------------------------
/variables-cluster-addons.tf:
--------------------------------------------------------------------------------
# Copyright (c) 2017, 2024 Oracle Corporation and/or its affiliates.
# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl

# Addons to enable; the structure is free-form (type any) and documented per addon elsewhere.
variable "cluster_addons" {
  type        = any
  default     = {}
  description = "Map with cluster addons that should be enabled. See ClusterAddon documentation for the supported configuration of each addon."
}

# Addons present in the cluster but not managed here that should be removed;
# removal runs through oci-cli on the operator host.
variable "cluster_addons_to_remove" {
  type        = any
  default     = {}
  description = "Map with cluster addons not created by Terraform that should be removed. This operation is performed using oci-cli and requires the operator host to be deployed."
}
--------------------------------------------------------------------------------
/versions.tf:
--------------------------------------------------------------------------------
# Copyright (c) 2017, 2023 Oracle Corporation and/or its affiliates.
# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl

# Root module requirements. The oci provider additionally declares the
# configuration alias "oci.home" (presumably a home-region configuration).
terraform {
  required_version = ">= 1.3.0"

  required_providers {
    oci = {
      configuration_aliases = [oci.home]
      version               = ">= 6.37.0"
      source                = "oracle/oci"
    }

    helm = {
      version = ">= 2.9.0"
      source  = "hashicorp/helm"
    }

    cloudinit = {
      version = ">= 2.2.0"
      source  = "hashicorp/cloudinit"
    }

    null = {
      version = ">= 3.2.1"
      source  = "hashicorp/null"
    }

    random = {
      version = ">= 3.4.3"
      source  = "hashicorp/random"
    }

    time = {
      version = ">= 0.9.1"
      source  = "hashicorp/time"
    }
  }
}
--------------------------------------------------------------------------------