Merge pull request #2828 from oracle-devrel/oke-gitops

oke-gitops update

Author: martatolosa

app-dev/devops-and-containers/oke/oke-gitops/flux-solution.md

@@ -55,6 +55,23 @@ Open the created OCI DevOps project and confirm:
 4. OKE environment exists and points to the expected cluster.
 
 ### 3. Run Mirror Build Pipeline
+Before running build pipeline `mirror-gitops-agent`, create these Kubernetes prerequisites in the target cluster:
+
+1. Namespace `flux-system`.
+2. Image pull secret `ocirsecret` in namespace `flux-system` with OCIR credentials.
+
+Example:
+
+```bash
+kubectl create namespace flux-system
+kubectl create secret docker-registry ocirsecret \
+  --namespace flux-system \
+  --docker-server=<region-key>.ocir.io \
+  --docker-username='<tenancy-namespace>/<identity-domain/<username>' \
+  --docker-password='<auth-token>' \
+  --docker-email='<email>'
+```
+
 Run build pipeline `mirror-gitops-agent`:
 
 1. Trigger pipeline run on `main`.

app-dev/devops-and-containers/oke/oke-gitops/main.tf

@@ -1,43 +1,42 @@
 module "devops" {
-  source = "./modules/devops"
-  compartment_id = var.devops_compartment_id # Both DevOps project and OCIR will be here
-  region = var.region
-  tenancy_id = var.tenancy_ocid
-  create_notification_topic = var.create_notification_topic
-  notification_topic_id = var.notification_topic_id
-  notification_topic_name = var.notification_topic_name
-  notification_topic_description = var.notification_topic_description
-  devops_project_name = var.devops_project_name
-  devops_project_description = var.devops_project_description
-  devops_log_group_name = var.devops_log_group_name
-  devops_log_group_description = var.devops_log_group_description
+  source                              = "./modules/devops"
+  compartment_id                      = var.devops_compartment_id # Both DevOps project and OCIR will be here
+  region                              = var.region
+  tenancy_id                          = var.tenancy_ocid
+  create_notification_topic           = var.create_notification_topic
+  notification_topic_id               = var.notification_topic_id
+  notification_topic_name             = var.notification_topic_name
+  notification_topic_description      = var.notification_topic_description
+  devops_project_name                 = var.devops_project_name
+  devops_project_description          = var.devops_project_description
+  devops_log_group_name               = var.devops_log_group_name
+  devops_log_group_description        = var.devops_log_group_description
   devops_log_retention_period_in_days = var.devops_log_retention_period_in_days
-  gitops_agent = var.gitops_agent
+  gitops_agent                        = var.gitops_agent
 
-  git_username = local.git_username
-  git_password = var.auth_token
+  git_username          = local.git_username
+  git_password          = var.auth_token
   ocir_repo_path_prefix = var.ocir_repo_path_prefix
-  flux_agent_chart_version = var.flux_agent_chart_version
 
   # OKE ENVIRONMENT
-  oke_cluster_id = var.oke_cluster_id
-  oke_environment_name = var.oke_environment_name
+  oke_cluster_id              = var.oke_cluster_id
+  oke_environment_name        = var.oke_environment_name
   oke_environment_description = var.oke_environment_description
-  is_oke_cluster_private = var.is_oke_cluster_private
-  oke_worker_subnet_id = var.oke_worker_subnet_id
-  oke_worker_nsg_id = var.oke_worker_nsg_id
+  is_oke_cluster_private      = var.is_oke_cluster_private
+  oke_worker_subnet_id        = var.oke_worker_subnet_id
+  oke_worker_nsg_id           = var.oke_worker_nsg_id
 }
 
 module "iam" {
-  source = "./modules/iam"
-  tenancy_id = var.tenancy_ocid
-  compartment_id = var.devops_compartment_id
+  source                 = "./modules/iam"
+  compartment_id         = var.devops_compartment_id
+  iam_domain_id          = var.devops_iam_domain_id
+  kms_compartment_id     = var.kms_compartment_id
   network_compartment_id = var.network_compartment_id
-  oke_compartment_id = var.oke_compartment_id
-  devops_policy_name = var.devops_policy_name
-  domain_name = var.identity_domain_name
-  dynamic_group_name = var.devops_dynamic_group_name
+  oke_compartment_id     = var.oke_compartment_id
+  devops_policy_name     = var.devops_policy_name
+  dynamic_group_name     = var.devops_dynamic_group_name
   is_oke_cluster_private = var.is_oke_cluster_private
-  count = var.create_iam ? 1 : 0
-  providers = {oci = oci.home}
+  count                  = var.create_iam ? 1 : 0
+  providers              = { oci = oci.home }
 }

app-dev/devops-and-containers/oke/oke-gitops/modules/devops/artifact.tf

@@ -1,7 +1,7 @@
-resource oci_devops_deploy_artifact flux_operator_chart {
+resource "oci_devops_deploy_artifact" "flux_operator_chart" {
   argument_substitution_mode = "NONE"
   deploy_artifact_source {
-    chart_url = "oci://${local.region_key}.ocir.io/${local.namespace}/${var.ocir_repo_path_prefix}/helm/flux-operator"
+    chart_url                   = "oci://${local.region_key}.ocir.io/${local.namespace}/${var.ocir_repo_path_prefix}/charts/flux-operator"
     deploy_artifact_source_type = "HELM_CHART"
     deploy_artifact_version     = "$${chart_version}"
     helm_verification_key_source {
@@ -11,17 +11,17 @@ resource oci_devops_deploy_artifact flux_operator_chart {
   deploy_artifact_type = "HELM_CHART"
   description          = "Location to the internal flux-operator chart generated by the build pipeline"
   display_name         = "flux-operator-chart"
-  project_id = oci_devops_project.devops_project.id
+  project_id           = oci_devops_project.devops_project.id
 }
 
-resource oci_devops_deploy_artifact flux_operator_values {
+resource "oci_devops_deploy_artifact" "flux_operator_values" {
   argument_substitution_mode = "SUBSTITUTE_PLACEHOLDERS"
   deploy_artifact_source {
-    base64encoded_content = filebase64("${path.root}/templates/flux-operator-values.yaml")
+    base64encoded_content       = filebase64("${path.root}/templates/flux-operator-values.yaml")
     deploy_artifact_source_type = "INLINE"
   }
   deploy_artifact_type = "GENERIC_FILE"
   description          = "Values of the flux-operator Helm Chart"
   display_name         = "flux-operator-chart-values"
-  project_id = oci_devops_project.devops_project.id
+  project_id           = oci_devops_project.devops_project.id
 }

app-dev/devops-and-containers/oke/oke-gitops/modules/devops/build_pipeline.tf

@@ -1,7 +1,7 @@
 resource "oci_devops_build_pipeline" "mirror_gitops_agent" {
-  project_id = oci_devops_project.devops_project.id
+  project_id   = oci_devops_project.devops_project.id
   display_name = "mirror-gitops-agent"
-  description = "Pipeline to mirror the public Helm Chart of the GitOps Agent into OCIR"
+  description  = "Pipeline to mirror the public Helm Chart of the GitOps Agent into OCIR"
 }
 
 resource "oci_devops_build_pipeline_stage" "mirror_gitops_agent_stage" {
@@ -15,17 +15,17 @@ resource "oci_devops_build_pipeline_stage" "mirror_gitops_agent_stage" {
   build_source_collection {
     items {
       connection_type = "DEVOPS_CODE_REPOSITORY"
-      branch = "main"
-      name = "pipelines"
-      repository_id = oci_devops_repository.devops_pipelines_repo_flux.0.id
-      repository_url = oci_devops_repository.devops_pipelines_repo_flux.0.http_url
+      branch          = "main"
+      name            = "pipelines"
+      repository_id   = oci_devops_repository.devops_pipelines_repo_flux.0.id
+      repository_url  = oci_devops_repository.devops_pipelines_repo_flux.0.http_url
     }
   }
-  build_spec_file = "mirror_flux_operator.yaml"
-  display_name = "Mirror GitOps Agent Helm Chart"
-  description = "Stage to import a public Helm Chart into the tenancy Oracle Container Registry"
-  primary_build_source = "pipelines"
-  image = "OL8_X86_64_STANDARD_10"
+  build_spec_file                    = "mirror_flux_operator.yaml"
+  display_name                       = "Mirror GitOps Agent Helm Chart"
+  description                        = "Stage to import a public Helm Chart into the tenancy Oracle Container Registry"
+  primary_build_source               = "pipelines"
+  image                              = "OL8_X86_64_STANDARD_10"
   stage_execution_timeout_in_seconds = 36000
 }
 
@@ -37,8 +37,8 @@ resource "oci_devops_build_pipeline_stage" "trigger_helm_deploy" {
       id = oci_devops_build_pipeline_stage.mirror_gitops_agent_stage.id
     }
   }
-  deploy_pipeline_id = oci_devops_deploy_pipeline.deploy_pipeline_helm.id
-  description = "Trigger CD pipeline to deploy on OKE"
-  display_name = "Trigger Helm Deployment pipeline"
+  deploy_pipeline_id             = oci_devops_deploy_pipeline.deploy_pipeline_helm.id
+  description                    = "Trigger CD pipeline to deploy on OKE"
+  display_name                   = "Trigger Helm Deployment pipeline"
   is_pass_all_parameters_enabled = true
 }

app-dev/devops-and-containers/oke/oke-gitops/modules/devops/deployment.tf

@@ -1,33 +1,33 @@
 
 resource "oci_devops_deploy_pipeline" "deploy_pipeline_helm" {
-  project_id = oci_devops_project.devops_project.id
+  project_id   = oci_devops_project.devops_project.id
   display_name = "helm-install-pipeline"
-  description = "Deployment pipeline to install Helm charts on a OKE cluster"
+  description  = "Deployment pipeline to install Helm charts on a OKE cluster"
 }
 
 
 
-resource oci_devops_deploy_stage deploy_helm_stage {
-  are_hooks_enabled = true
+resource "oci_devops_deploy_stage" "deploy_helm_stage" {
+  are_hooks_enabled  = true
   deploy_pipeline_id = oci_devops_deploy_pipeline.deploy_pipeline_helm.id
   deploy_stage_predecessor_collection {
     items {
       id = oci_devops_deploy_pipeline.deploy_pipeline_helm.id
     }
   }
-  deploy_stage_type = "OKE_HELM_CHART_DEPLOYMENT"
-  description  = "Install the Helm chart on the specified OKE environment"
-  display_name = "deploy-helm"
-  helm_chart_deploy_artifact_id = oci_devops_deploy_artifact.flux_operator_chart.id
-  max_history = 5
-  namespace = "$${namespace}"
+  deploy_stage_type                 = "OKE_HELM_CHART_DEPLOYMENT"
+  description                       = "Install the Helm chart on the specified OKE environment"
+  display_name                      = "deploy-helm"
+  helm_chart_deploy_artifact_id     = oci_devops_deploy_artifact.flux_operator_chart.id
+  max_history                       = 5
+  namespace                         = "$${namespace}"
   oke_cluster_deploy_environment_id = var.is_oke_cluster_private ? oci_devops_deploy_environment.oke_environment_private.0.id : oci_devops_deploy_environment.oke_environment_public.0.id
-  purpose      = "EXECUTE_HELM_UPGRADE"
-  release_name = "$${chart_name}"
+  purpose                           = "EXECUTE_HELM_UPGRADE"
+  release_name                      = "$${chart_name}"
   rollback_policy {
     policy_type = "AUTOMATED_STAGE_ROLLBACK_POLICY"
   }
-  should_skip_crds = false
-  timeout_in_seconds = "300"
+  should_skip_crds    = false
+  timeout_in_seconds  = "300"
   values_artifact_ids = [oci_devops_deploy_artifact.flux_operator_values.id]
 }

app-dev/devops-and-containers/oke/oke-gitops/modules/devops/environment.tf

@@ -1,22 +1,22 @@
 resource "oci_devops_deploy_environment" "oke_environment_private" {
   deploy_environment_type = "OKE_CLUSTER"
   project_id              = oci_devops_project.devops_project.id
-  cluster_id = var.oke_cluster_id
-  display_name = var.oke_environment_name
-  description = var.oke_environment_description
+  cluster_id              = var.oke_cluster_id
+  display_name            = var.oke_environment_name
+  description             = var.oke_environment_description
   network_channel {
     network_channel_type = "PRIVATE_ENDPOINT_CHANNEL"
     subnet_id            = var.oke_worker_subnet_id
-    nsg_ids = var.oke_worker_nsg_id != null ? [var.oke_worker_nsg_id] : []
+    nsg_ids              = var.oke_worker_nsg_id != null ? [var.oke_worker_nsg_id] : []
   }
   count = var.is_oke_cluster_private ? 1 : 0
 }
 
 resource "oci_devops_deploy_environment" "oke_environment_public" {
   deploy_environment_type = "OKE_CLUSTER"
   project_id              = oci_devops_project.devops_project.id
-  cluster_id = var.oke_cluster_id
-  display_name = var.oke_environment_name
-  description = var.oke_environment_description
-  count = var.is_oke_cluster_private ? 0 : 1
+  cluster_id              = var.oke_cluster_id
+  display_name            = var.oke_environment_name
+  description             = var.oke_environment_description
+  count                   = var.is_oke_cluster_private ? 0 : 1
 }

app-dev/devops-and-containers/oke/oke-gitops/modules/devops/local.tf

@@ -1,5 +1,5 @@
 locals {
-  region_key = lower([for s in data.oci_identity_region_subscriptions.oci_region_subscriptions.region_subscriptions : s if s.region_name == var.region][0].region_key)
-  namespace = data.oci_artifacts_container_configuration.ocir_config.namespace
+  region_key     = lower([for s in data.oci_identity_region_subscriptions.oci_region_subscriptions.region_subscriptions : s if s.region_name == var.region][0].region_key)
+  namespace      = data.oci_artifacts_container_configuration.ocir_config.namespace
   base_repo_path = "repos/${var.gitops_agent}"
 }

app-dev/devops-and-containers/oke/oke-gitops/modules/devops/project.tf

@@ -1,23 +1,23 @@
 resource "oci_ons_notification_topic" "devops_notification_topic" {
   compartment_id = var.compartment_id
   name           = var.notification_topic_name
-  description = var.notification_topic_description
-  count = var.create_notification_topic ? 1 : 0
+  description    = var.notification_topic_description
+  count          = var.create_notification_topic ? 1 : 0
 }
 
 resource "oci_devops_project" "devops_project" {
   compartment_id = var.compartment_id
   name           = var.devops_project_name
-  description = var.devops_project_description
+  description    = var.devops_project_description
   notification_config {
-    topic_id = var.create_notification_topic? oci_ons_notification_topic.devops_notification_topic.0.id : var.notification_topic_id
+    topic_id = var.create_notification_topic ? oci_ons_notification_topic.devops_notification_topic.0.id : var.notification_topic_id
   }
 }
 
 resource "oci_logging_log_group" "devops_log_group" {
   compartment_id = var.compartment_id
   display_name   = var.devops_log_group_name
-  description = var.devops_log_group_description
+  description    = var.devops_log_group_description
 }
 
 resource "oci_logging_log" "devops_log" {