oracle-terraform-modules
diff --git a/‎.gitignore‎
Lines changed: 14 additions & 0 deletions b/‎.gitignore‎
Lines changed: 14 additions & 0 deletions
diff --git a/‎CHANGELOG.adoc‎
Lines changed: 12 additions & 0 deletions b/‎CHANGELOG.adoc‎
Lines changed: 12 additions & 0 deletions
diff --git a/‎CONTRIBUTING.adoc‎
Lines changed: 47 additions & 0 deletions b/‎CONTRIBUTING.adoc‎
Lines changed: 47 additions & 0 deletions
diff --git a/‎CONTRIBUTORS.adoc‎
Lines changed: 8 additions & 0 deletions b/‎CONTRIBUTORS.adoc‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎LICENSE‎
Lines changed: 35 additions & 0 deletions b/‎LICENSE‎
Lines changed: 35 additions & 0 deletions
diff --git a/‎README.adoc‎
Lines changed: 268 additions & 0 deletions b/‎README.adoc‎
Lines changed: 268 additions & 0 deletions
diff --git a/‎docs/images/infrastructure.png‎
90.2 KB b/‎docs/images/infrastructure.png‎
90.2 KB
@@ -0,0 +1,14 @@
+#  Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# .tfvars files
+*.tfvars
+
+generated/**
+
+# visual code
+ **/.vscode/*
@@ -0,0 +1,12 @@
+= CHANGELOG
+:idprefix:
+:idseparator: *
+
+:uri-changelog: http://keepachangelog.com/
+All notable changes to this project are documented in this file.
+
+The format is based on {uri-changelog}[Keep a Changelog].
+
+== v0.1.0 (May 14, 2020)
+
+* First public release
@@ -0,0 +1,47 @@
+= CONTRIBUTING
+
+:uri-oracle-oca: https://www.oracle.com/technetwork/community/oca-486395.html
+
+Oracle welcomes contributions to this repository from anyone.
+
+If you want to submit a pull request to fix a bug or enhance an existing
+feature, please first open an issue and link to that issue when you
+submit your pull request.
+
+If you have any questions about a possible submission, feel free to open
+an issue too.
+
+== Contributing to the terraform-oci-oke repository
+
+Pull requests can be made under
+{uri-oracle-oca}[The Oracle Contributor Agreement](OCA).
+
+For pull requests to be accepted, the bottom of your commit message must have
+the following line using your name and e-mail address as it appears in the
+OCA Signatories list.
+
+----
+Signed-off-by: Your Name <you@example.org>
+----
+
+This can be automatically added to pull requests by committing with:
+
+----
+  git commit --signoff
+----
+
+Only pull requests from committers that can be verified as having
+signed the OCA can be accepted.
+
+=== Pull request process
+
+. Fork this repository
+. Create a branch in your fork to implement the changes. We recommend using
+the issue number as part of your branch name, e.g. `1234-fixes`
+. Ensure that any documentation is updated with the changes that are required
+by your fix.
+. Ensure that any samples are updated if the base image has been changed.
+. Submit the pull request. *Do not leave the pull request blank*. Explain exactly
+what your changes are meant to do and provide simple steps on how to validate
+your changes. Ensure that you reference the issue you created as well.
+We will assign the pull request to 2-3 people for review before it is merged.
@@ -0,0 +1,8 @@
+== GitHub userids of contributors
+
+OWNERS # have admin access and can merge code to master:
+
+- @hyder
+- @markxnelson
+
+CONTRIBUTORS
@@ -0,0 +1,35 @@
+Copyright (c) 2020 Oracle and/or its affiliates. 
+
+The Universal Permissive License (UPL), Version 1.0
+
+Subject to the condition set forth below, permission is hereby granted to any
+person obtaining a copy of this software, associated documentation and/or data
+(collectively the "Software"), free of charge and under any and all copyright
+rights in the Software, and any and all patent rights owned or freely
+licensable by each licensor hereunder covering either (i) the unmodified
+Software as contributed to or provided by such licensor, or (ii) the Larger
+Works (as defined below), to deal in both
+
+(a) the Software, and
+(b) any piece of software and/or hardware listed in the lrgrwrks.txt file if
+one is included with the Software (each a "Larger Work" to which the Software
+is contributed by such licensors),
+
+without restriction, including without limitation the rights to copy, create
+derivative works of, display, perform, and distribute the Software and make,
+use, sell, offer for sale, import, export, have made, and have sold the
+Software and the Larger Work(s), and to sublicense the foregoing rights on
+either these or other terms.
+
+This license is subject to the following condition:
+The above copyright notice and either this complete permission notice or at
+a minimum a reference to the UPL must be included in all copies or
+substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
@@ -0,0 +1,268 @@
+= Terraform for Oracle Linux Cloud Native Environment
+
+:idprefix:
+:idseparator: -
+:sectlinks:
+
+:uri-repo: https://github.com/oracle-terraform-modules/terraform-oci-olcne
+
+:uri-rel-file-base: link:{uri-repo}/blob/master
+:uri-rel-tree-base: link:{uri-repo}/tree/master
+
+:uri-docs: {uri-rel-file-base}/docs
+:uri-changelog: {uri-rel-file-base}/CHANGELOG.adoc
+:uri-oci: https://cloud.oracle.com/cloud-infrastructure
+:uri-olcne: https://docs.oracle.com/en/operating-systems/olcne/
+:uri-terraform-oke: https://github.com/oracle-terraform-modules/terraform-oci-oke
+:uri-oke: https://www.oracle.com/cloud/compute/container-engine-kubernetes.html
+:uri-oci-key: https://docs.cloud.oracle.com/en-us/iaas/Content/KeyManagement/Tasks/managingkeys.htm
+:uri-oci-bmshapes: https://docs.cloud.oracle.com/en-us/iaas/Content/Compute/References/computeshapes.htm#bmshapes
+:uri-oci-vault: https://docs.cloud.oracle.com/en-us/iaas/Content/KeyManagement/Tasks/managingvaults.htm
+:uri-terraform-oci-base: https://github.com/oracle-terraform-modules/terraform-oci-base
+:uri-docs: {uri-rel-file-base}/docs
+:uri-medium-dns: https://medium.com/oracledevs/loadbalancer-service-oracle-container-engine-oke-and-oci-dns-d7b1f7b4f9bd
+
+
+__Current version: 0.1__
+
+The {uri-repo}[Terraform OCI OLCNE module] for {uri-oci}[Oracle Cloud Infrastructure] (OCI) provides a reusable and extensible Terraform module that provisions {uri-olcne}[Oracle Linux Cloud Native Environment] on OCI. It is developed as a tool for developers as a technical preview.  It simplifies the setup needed to quickly deploy using Oracle Cloud compute infrastructure.
+
+This _Technical Preview_ is not intended for production use, and has the following limitations:
+
+* OLCNE is currently supported on Bare Metal shapes only.  You can use this module to install on Virtual Machine shapes,
+  but you should be aware that while that may work, it is not a supported configuration.
+* Multi-master clusters are not supported. 
+* The OLCNE nodes must opt out of OS Management Service to prevent RPM conflicts.
+
+If you are deploying a production Kubernetes cluster on OCI, you should consider using {uri-oke}[Oracle Cloud Infrastructure
+Container Engine for Kubernetes] (OKE). You can use {uri-terraform-oke}[terraform-oci-oke] to provision an OKE cluster.
+
+
+== What this module will create
+
+This module will create the following resources:
+
+image::docs/images/infrastructure.png[align="Infrastructure"]
+
+. Base module:
+
+** A VCN with internet, service and NAT gateways, and route tables.
+** A security list, subnet and a bastion host (using Oracle Autonomous Linux).
+** An optional notification topic and subscription.
+
+. Network module:
+
+** Network security groups for operator, master and worker nodes as well as a public load balancer.
+** Separate subnets for operator, master, worker and load balancer.
+
+. Operator module:
+
+** An operator node to perform installation of OLCNE on the master and worker nodes.
+** An ingress controller of type `NodePort`.
+** An optional Kata container runtime class.
+
+. Master:
+
+** Single master node. Multi-master is not supported yet.
+** Instance pools to manage the master nodes.
+
+. Worker:
+
+** A configurable number of worker nodes.
+** Instance pools to manage to worker nodes.
+
+. Load balancer:
+
+* A public load balancer with automatic backend creation.
+
+
+= Instructions
+
+To use this module to create an OLCNE environment:
+
+== Vault
+
+Create a vault to store the SSH keys securely.
+
+=== Create a key
+
+. In the OCI Console, create a vault by navigating to Security > Vault. See {uri-oci-vault}[Managing Vaults] for more details.
+. Click on the vault and click 'Create Key'. See {uri-oci-key}[Managing Keys] for more details.
+
+=== Creating a secret for private ssh key
+
+. Click on Secrets and click 'Create Secret'.
+. Select compartment where you want to create the secret, enter a name and description.
+. Select the encryption key you created previously.
+. Set the secret type template as `plain-text`.
+. Paste the contents of your private SSH key in secret contents.
+. After the secret is created, click on the secret name and note down the OCID of the secret as you will need it later.
+
+== Create the base infrastructure
+
+The base infrastructure consists of the bastion and the admin server. It reuses the {uri-terraform-oci-base}[terraform-oci-base] module to create a VCN, a bastion host and an admin host with `instance_principal` enabled. You only need the bastion host; the `admin_host` is not needed.
+
+. Copy `terraform.tfvars.example`:
+
++
+----
+cp terraform.tfvars.example terraform.tfvars
+----
+
+. Edit `terraform.tfvars` and set the following parameters to the correct values for your environment:
+
++
+----
+api_fingerprint = ""
+api_private_key_path = ""
+compartment_id = ""
+tenancy_id = ""
+user_id = ""
+ssh_private_key_path = "/path/to/ssh_private_key"
+ssh_public_key_path = "/path/to/ssh_public_key"
+----
+
+. In terraform.tfvars, enable only the bastion host:
+
++
+----
+bastion_enabled = true
+admin_enabled = false
+admin_instance_principal = false
+----
+
+. Run Terraform and create the base module:
+
++
+----
+terraform apply --target=module.base -auto-approve
+----
+
+. SSH to the bastion to check whether you can proceed:
+
++
+----
+ssh opc@xxx.xxx.xxx
+----
+
+If you are not able to ssh to the bastion host, you will not be able to proceed any further.
+
+== Complete the rest of the OLCNE infrastructure
+
+. Update your `terraform.tfvars` and enter the values for the `secret_id` and certificate information to create private CA certificates.
+
++
+----
+secret_id = "ocid1.vaultsecret....."
+org_unit = "my org unit"
+org = "my org"
+city = "Sydney"
+state = "NSW"
+country = "au"
+common_name = "common name"
+----
+
+. Run `terraform apply` again:
+
++
+----
+terraform apply -auto-approve
+----
+
+When complete, Terraform will output details of how to connect to the bastion, master and operator, for example:
+
+----
+Outputs:
+
+ssh_to_bastion = ssh -i /path/to/ssh/key opc@123.45.67.209
+ssh_to_master = ssh -i /path/to/ssh/key -J opc@123.45.67.209 opc@10.0.3.2
+ssh_to_operator = ssh -i /path/to/ssh/key -J opc@123.45.67.209 opc@10.0.0.146
+----
+
+You can SSH to the operator and access the cluster, for example: 
+
+----
+[opc@cne-operator ~]$ kubectl get nodes
+NAME                STATUS   ROLES    AGE   VERSION
+cne-master          Ready    master   22m   v1.17.4+1.0.1.el7
+cne-worker          Ready    <none>   21m   v1.17.4+1.0.1.el7
+cne-worker-550781   Ready    <none>   21m   v1.17.4+1.0.1.el7
+cne-worker-585063   Ready    <none>   21m   v1.17.4+1.0.1.el7
+----
+
+== Controlling the cluster size
+
+=== Master nodes
+
+Only one master node is created. 
+
+=== Worker nodes
+
+By default, three worker nodes are created. You can change this by setting _worker_size = 5_.
+
+== Using Kata Containers
+
+If you want to use Kata containers, you must:
+
+. Select one of the {uri-oci-bmshapes}[Bare Metal shapes] for your worker nodes.
+. Enable the creation of kata runtime class in `terraform.tfvars`.
+
++
+----
+create_kata_runtime = true
+----
+
+By default, the name of the kata runtime class is 'kata'. You can configure that with the _kata_runtime_class_name_ parameter.
+
+When deploying kata containers, set the runtimeClassName accordingly:
+
+----
+apiVersion: v1
+kind: Pod
+metadata:
+  name: kata-nginx
+spec:
+  runtimeClassName: kata
+  containers:
+    - name: nginx
+      image: nginx
+      ports:
+      - containerPort: 80
+----
+
+== Testing a deployment
+
+. Print out the output to access the operator:
+
++
+----
+terraform output
+ssh_to_operator = ssh -i ~/.ssh/id_rsa -J opc@XXX.XXX.XXX.XXX opc@10.0.0.146
+----
+
+. Copy the ssh_to_operator command and run:
+
++
+----
+ssh -i ~/.ssh/id_rsa -J opc@XXX.XXX.XXX.XXX 
+----
+
+. Deploy an application
+
++
+----
+git clone https://github.com/hyder/okesamples/
+cd okesamples
+kubectl apply -f  ingresscontrollers/acme/
+----
+
+. Edit the ingresses in `ingresscontrollers/nginx` and replace `www.acme.com` with a domain within your control
+
+. Create the ingresses:
+
++
+----
+kubectl apply -f  ingresscontrollers/nginx/
+----
+
+. Follow the steps towards the end of this article to {uri-medium-dns}[configure DNS in OCI] and use the domain you set in the ingress above.