Merge pull request #2609 from oracle-devrel/oke-rm

oke-rm-1.3.2

Author: martatolosa

app-dev/devops-and-containers/oke/oke-rm/README.md

@@ -17,13 +17,13 @@ This stack is used to create the initial network infrastructure for OKE. When co
 * You can apply this stack even on an existing VCN, so that only the NSGs for OKE will be created
 * The default CNI is the VCN Native CNI, and it is the recommended one
 
-[![Deploy to Oracle Cloud](https://oci-resourcemanager-plugin.plugins.oci.oraclecloud.com/latest/deploy-to-oracle-cloud.svg)](https://cloud.oracle.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-devrel/technology-engineering/releases/download/oke-rm-1.3.1/infra.zip)
+[![Deploy to Oracle Cloud](https://oci-resourcemanager-plugin.plugins.oci.oraclecloud.com/latest/deploy-to-oracle-cloud.svg)](https://cloud.oracle.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-devrel/technology-engineering/releases/download/oke-rm-1.3.2/infra.zip)
 
 ## Step 2: Create the OKE control plane
 
 This stack is used to create the OKE control plane ONLY.
 
-[![Deploy to Oracle Cloud](https://oci-resourcemanager-plugin.plugins.oci.oraclecloud.com/latest/deploy-to-oracle-cloud.svg)](https://cloud.oracle.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-devrel/technology-engineering/releases/download/oke-rm-1.3.1/oke.zip)
+[![Deploy to Oracle Cloud](https://oci-resourcemanager-plugin.plugins.oci.oraclecloud.com/latest/deploy-to-oracle-cloud.svg)](https://cloud.oracle.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-devrel/technology-engineering/releases/download/oke-rm-1.3.2/oke.zip)
 
 Also note that if the network infrastructure is located in a different compartment than the OKE cluster AND you are planning to use the OCI_VCN_NATIVE CNI,
 you must add these policies:

app-dev/devops-and-containers/oke/oke-rm/images/architecture.png

@@ -56,6 +56,12 @@ module "network" {
   db_subnet_name      = var.db_subnet_name
   db_service_list     = local.db_service_list
   separate_db_nsg     = var.separate_db_nsg
+  # MESSAGING
+  create_msg_subnet    = var.create_msg_subnet
+  msg_subnet_cidr      = local.subnets.cidr.msg
+  msg_subnet_dns_label = local.subnets.dns.msg
+  msg_subnet_name      = var.msg_subnet_name
+  create_streaming_nsg = var.create_streaming_nsg
   # GATEWAYS
   create_gateways         = var.create_gateways
   create_internet_gateway = var.create_internet_gateway

app-dev/devops-and-containers/oke/oke-rm/infra/infra.zip

@@ -48,7 +48,7 @@ resource "oci_core_network_security_group_security_rule" "postgres_db_egress" {
   destination_type          = "NETWORK_SECURITY_GROUP"
   destination               = local.create_app_db_nsg ? local.app_nsg.nsg_db[local.postgres_service].id : local.app_nsg.nsg_id
   stateless                 = true
-  description               = "Allow communication from applications to pods"
+  description               = "Allow communication from postgres to applications"
   tcp_options {
     source_port_range {
       max = 5432

app-dev/devops-and-containers/oke/oke-rm/infra/main.tf

@@ -101,3 +101,16 @@ resource "oci_core_dhcp_options" "db_dhcp" {
   }
   count = local.create_db_subnet ? 1 : 0
 }
+
+resource "oci_core_dhcp_options" "msg_dhcp" {
+  compartment_id = var.network_compartment_id
+  vcn_id         = local.vcn_id
+  display_name   = var.msg_subnet_name
+  freeform_tags  = var.tag_value.freeformTags
+  defined_tags   = var.tag_value.definedTags
+  options {
+    type        = "DomainNameServer"
+    server_type = "VcnLocalPlusInternet"
+  }
+  count = local.create_msg_subnet ? 1 : 0
+}

app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/db-nsg.tf

@@ -25,13 +25,14 @@ locals {
   create_db_subnet  = var.create_db_subnet && var.create_vcn && length(var.db_service_list) > 0
   create_app_db_nsg = length(var.db_service_list) > 0 && var.separate_db_nsg
 
+  create_msg_subnet = var.create_msg_subnet && var.create_vcn
 
   tcp_protocol       = "6"
   icmp_protocol      = "1"
   udp_protocol       = "17"
   postgres_service   = "postgres"
   cache_service      = "cache"
   oracledb_service   = "oracledb"
-  mysql_service = "mysql"
+  mysql_service      = "mysql"
   service_cidr_block = lookup(data.oci_core_services.all_oci_services.services[0], "cidr_block")
 }

app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/dhcp.tf

@@ -404,3 +404,73 @@ resource "oci_core_network_security_group_security_rule" "mysql_x_pod_ingress" {
   }
   count = local.is_npn && !var.separate_db_nsg && local.create_db_nsg && contains(var.db_service_list, local.mysql_service) ? 1 : 0
 }
+
+# OCI Streaming
+
+resource "oci_core_network_security_group_security_rule" "streaming_kafka_pod_ingress" {
+  direction                 = "EGRESS"
+  network_security_group_id = oci_core_network_security_group.pod_nsg.0.id
+  protocol                  = local.tcp_protocol
+  destination_type          = "NETWORK_SECURITY_GROUP"
+  destination               = oci_core_network_security_group.streaming.0.id
+  stateless                 = true
+  description               = "Allow communication from pods to OCI Streaming Kafka API"
+  tcp_options {
+    destination_port_range {
+      max = 9092
+      min = 9092
+    }
+  }
+  count = local.is_npn && var.create_streaming_nsg ? 1 : 0
+}
+
+resource "oci_core_network_security_group_security_rule" "streaming_kafka_pod_egress" {
+  direction                 = "INGRESS"
+  network_security_group_id = oci_core_network_security_group.pod_nsg.0.id
+  protocol                  = local.tcp_protocol
+  source_type               = "NETWORK_SECURITY_GROUP"
+  source                    = oci_core_network_security_group.streaming.0.id
+  stateless                 = true
+  description               = "Allow communication from OCI Streaming Kafka API to pods"
+  tcp_options {
+    source_port_range {
+      max = 9092
+      min = 9092
+    }
+  }
+  count = local.is_npn && var.create_streaming_nsg ? 1 : 0
+}
+
+resource "oci_core_network_security_group_security_rule" "streaming_rest_pod_ingress" {
+  direction                 = "EGRESS"
+  network_security_group_id = oci_core_network_security_group.pod_nsg.0.id
+  protocol                  = local.tcp_protocol
+  destination_type          = "NETWORK_SECURITY_GROUP"
+  destination               = oci_core_network_security_group.streaming.0.id
+  stateless                 = true
+  description               = "Allow communication from pods to OCI Streaming REST API (SDK)"
+  tcp_options {
+    destination_port_range {
+      max = 443
+      min = 443
+    }
+  }
+  count = local.is_npn && var.create_streaming_nsg ? 1 : 0
+}
+
+resource "oci_core_network_security_group_security_rule" "streaming_rest_pod_egress" {
+  direction                 = "INGRESS"
+  network_security_group_id = oci_core_network_security_group.pod_nsg.0.id
+  protocol                  = local.tcp_protocol
+  source_type               = "NETWORK_SECURITY_GROUP"
+  source                    = oci_core_network_security_group.streaming.0.id
+  stateless                 = true
+  description               = "Allow communication from OCI Streaming REST API (SDK) to pods"
+  tcp_options {
+    source_port_range {
+      max = 443
+      min = 443
+    }
+  }
+  count = local.is_npn && var.create_streaming_nsg ? 1 : 0
+}

app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/local.tf

@@ -221,4 +221,19 @@ resource "oci_core_route_table" "db_route_table" {
     description       = "Route for all internal OCI services in the region"
   }
   count = local.create_db_subnet ? 1 : 0
+}
+
+resource "oci_core_route_table" "msg_route_table" {
+  compartment_id = var.network_compartment_id
+  vcn_id         = local.vcn_id
+  display_name   = var.msg_subnet_name
+  freeform_tags  = var.tag_value.freeformTags
+  defined_tags   = var.tag_value.definedTags
+  route_rules {
+    network_entity_id = local.service_gateway_id
+    destination_type  = "SERVICE_CIDR_BLOCK"
+    destination       = local.service_cidr_block
+    description       = "Route for all internal OCI services in the region"
+  }
+  count = local.create_msg_subnet ? 1 : 0
 }

app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/pod-nsg.tf

@@ -462,3 +462,60 @@ resource "oci_core_security_list" "db_sl" {
 
   count = local.create_db_subnet ? 1 : 0
 }
+
+resource "oci_core_security_list" "msg_sl" {
+  compartment_id = var.network_compartment_id
+  vcn_id         = local.vcn_id
+  display_name   = var.msg_subnet_name
+  freeform_tags  = var.tag_value.freeformTags
+  defined_tags   = var.tag_value.definedTags
+
+  # Ingress rules and their corresponding egress
+  ingress_security_rules {
+    description = "Required to enable Path MTU Discovery to work, and non-OCI communication"
+    icmp_options {
+      code = "4"
+      type = "3"
+    }
+    protocol    = local.icmp_protocol
+    source      = "0.0.0.0/0"
+    source_type = "CIDR_BLOCK"
+    stateless   = "true"
+  }
+
+  egress_security_rules {
+    description = "Required to enable Path MTU Discovery responses to work, and non-OCI communication"
+    icmp_options {
+      code = "4"
+      type = "3"
+    }
+    protocol         = local.icmp_protocol
+    destination      = "0.0.0.0/0"
+    destination_type = "CIDR_BLOCK"
+    stateless        = "true"
+  }
+
+  ingress_security_rules {
+    description = "Required to allow application within VCN to fail fast"
+    icmp_options {
+      type = "3"
+    }
+    protocol    = local.icmp_protocol
+    source      = oci_core_vcn.spoke_vcn[0].cidr_block
+    source_type = "CIDR_BLOCK"
+    stateless   = "true"
+  }
+
+  egress_security_rules {
+    description = "Required to allow application within VCN responses to fail fast"
+    icmp_options {
+      type = "3"
+    }
+    protocol         = local.icmp_protocol
+    destination      = oci_core_vcn.spoke_vcn[0].cidr_block
+    destination_type = "CIDR_BLOCK"
+    stateless        = "true"
+  }
+
+  count = local.create_msg_subnet ? 1 : 0
+}