Merge pull request #2569 from oracle-devrel/oke-rm

Oke rm 1.3.0

Author: martatolosa

app-dev/devops-and-containers/oke/oke-rm/README.md

@@ -17,13 +17,13 @@ This stack is used to create the initial network infrastructure for OKE. When co
 * You can apply this stack even on an existing VCN, so that only the NSGs for OKE will be created
 * The default CNI is the VCN Native CNI, and it is the recommended one
 
-[![Deploy to Oracle Cloud](https://oci-resourcemanager-plugin.plugins.oci.oraclecloud.com/latest/deploy-to-oracle-cloud.svg)](https://cloud.oracle.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-devrel/technology-engineering/releases/download/oke-rm-1.2.1/infra.zip)
+[![Deploy to Oracle Cloud](https://oci-resourcemanager-plugin.plugins.oci.oraclecloud.com/latest/deploy-to-oracle-cloud.svg)](https://cloud.oracle.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-devrel/technology-engineering/releases/download/oke-rm-1.3.0/infra.zip)
 
 ## Step 2: Create the OKE control plane
 
 This stack is used to create the OKE control plane ONLY.
 
-[![Deploy to Oracle Cloud](https://oci-resourcemanager-plugin.plugins.oci.oraclecloud.com/latest/deploy-to-oracle-cloud.svg)](https://cloud.oracle.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-devrel/technology-engineering/releases/download/oke-rm-1.2.1/oke.zip)
+[![Deploy to Oracle Cloud](https://oci-resourcemanager-plugin.plugins.oci.oraclecloud.com/latest/deploy-to-oracle-cloud.svg)](https://cloud.oracle.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-devrel/technology-engineering/releases/download/oke-rm-1.3.0/oke.zip)
 
 Also note that if the network infrastructure is located in a different compartment than the OKE cluster AND you are planning to use the OCI_VCN_NATIVE CNI,
 you must add these policies:

app-dev/devops-and-containers/oke/oke-rm/images/architecture.png

@@ -2,22 +2,27 @@ locals {
   # VCN_NATIVE_CNI internally it is mapped as npn
   cni             = var.cni_type == "vcn_native" ? "npn" : var.cni_type
   vcn_cidr_blocks = [var.vcn_cidr_block]
+  tag_value       = var.tag_value == null ? { "freeformTags" = {}, "definedTags" = {} } : var.tag_value
   subnets = {
     cidr = {
-      pod         = var.create_vcn ? cidrsubnet(var.vcn_cidr_block, 1, 0) : null     # e.g., "10.1.0.0/17"
-      worker      = var.create_vcn ? cidrsubnet(var.vcn_cidr_block, 3, 4) : null     # e.g., "10.1.128.0/19"
-      lb_external = var.create_vcn ? cidrsubnet(var.vcn_cidr_block, 8, 160) : null   # e.g., "10.1.160.0/24"
-      lb_internal = var.create_vcn ? cidrsubnet(var.vcn_cidr_block, 8, 161) : null   # e.g., "10.1.161.0/24"
-      fss         = var.create_vcn ? cidrsubnet(var.vcn_cidr_block, 8, 162) : null   # e.g., "10.1.162.0/24"
-      bastion     = var.create_vcn ? cidrsubnet(var.vcn_cidr_block, 13, 5216) : null # e.g., "10.1.163.0/29"
-      cp          = var.create_vcn ? cidrsubnet(var.vcn_cidr_block, 13, 5217) : null # e.g., "10.1.163.8/29"
+      pod         = var.create_vcn ? cidrsubnet(var.vcn_cidr_block, 1, 0) : null     # e.g., "10.0.0.0/17"
+      worker      = var.create_vcn ? cidrsubnet(var.vcn_cidr_block, 3, 4) : null     # e.g., "10.0.128.0/19"
+      lb_external = var.create_vcn ? cidrsubnet(var.vcn_cidr_block, 8, 160) : null   # e.g., "10.0.160.0/24"
+      lb_internal = var.create_vcn ? cidrsubnet(var.vcn_cidr_block, 8, 161) : null   # e.g., "10.0.161.0/24"
+      fss         = var.create_vcn ? cidrsubnet(var.vcn_cidr_block, 8, 162) : null   # e.g., "10.0.162.0/24"
+      db          = var.create_vcn ? cidrsubnet(var.vcn_cidr_block, 8, 164) : null   # e.g., "10.0.164.0/24"
+      msg         = var.create_vcn ? cidrsubnet(var.vcn_cidr_block, 8, 165) : null   # e.g., "10.0.165.0/24"
+      bastion     = var.create_vcn ? cidrsubnet(var.vcn_cidr_block, 13, 5216) : null # e.g., "10.0.163.0/29"
+      cp          = var.create_vcn ? cidrsubnet(var.vcn_cidr_block, 13, 5217) : null # e.g., "10.0.163.8/29"
     }
     dns = {
       pod         = "pod"
       worker      = "worker"
       lb_external = "lbext"
       lb_internal = "lbint"
       fss         = "fss"
+      db          = "db"
+      msg         = "msg"
       bastion     = "bastion"
       cp          = "cp"
     }

app-dev/devops-and-containers/oke/oke-rm/infra/infra.zip

@@ -31,11 +31,13 @@ module "network" {
   worker_subnet_cidr      = local.subnets.cidr.worker
   worker_subnet_dns_label = local.subnets.dns.worker
   worker_subnet_name      = var.worker_subnet_name
+  allow_worker_nat_egress = var.allow_worker_nat_egress
   # POD SUBNET
   create_pod_subnet    = var.create_pod_subnet
   pod_subnet_cidr      = local.subnets.cidr.pod
   pod_subnet_dns_label = local.subnets.dns.pod
   pod_subnet_name      = var.pod_subnet_name
+  allow_pod_nat_egress = var.allow_pod_nat_egress
   # BASTION SUBNET
   create_bastion_subnet    = var.create_bastion_subnet
   bastion_subnet_cidr      = local.subnets.cidr.bastion
@@ -47,6 +49,13 @@ module "network" {
   fss_subnet_cidr      = local.subnets.cidr.fss
   fss_subnet_dns_label = local.subnets.dns.fss
   fss_subnet_name      = var.fss_subnet_name
+  # DB SUBNET
+  create_db_subnet    = var.create_db_subnet
+  db_subnet_cidr      = local.subnets.cidr.db
+  db_subnet_dns_label = local.subnets.dns.db
+  db_subnet_name      = var.db_subnet_name
+  db_service_list     = var.db_service_list
+  separate_db_nsg     = var.separate_db_nsg
   # GATEWAYS
   create_gateways         = var.create_gateways
   create_internet_gateway = var.create_internet_gateway
@@ -61,4 +70,6 @@ module "network" {
   drg_name              = var.drg_name
   create_drg_attachment = var.create_drg_attachment
   peer_vcns             = var.peer_vcns
+  # Tagging
+  tag_value = local.tag_value
 }

app-dev/devops-and-containers/oke/oke-rm/infra/local.tf

@@ -2,6 +2,8 @@ resource "oci_core_network_security_group" "cp_nsg" {
   compartment_id = var.network_compartment_id
   vcn_id         = local.vcn_id
   display_name   = "cp"
+  freeform_tags  = var.tag_value.freeformTags
+  defined_tags   = var.tag_value.definedTags
 }
 
 # Worker nodes to control plane - Kubelet communication (port 12250)

app-dev/devops-and-containers/oke/oke-rm/infra/main.tf

@@ -0,0 +1,131 @@
+locals {
+  create_db_nsg = local.create_db_subnet || ! var.create_vcn
+  app_nsg_lookup = {
+    npn = {
+      nsg_id = local.is_npn ? oci_core_network_security_group.pod_nsg.0.id : null
+      nsg_db = oci_core_network_security_group.pod_db
+    }
+    flannel = {
+      nsg_id = oci_core_network_security_group.worker_nsg.id
+      nsg_db = oci_core_network_security_group.worker_db
+    }
+  }
+  app_nsg = local.is_npn ? local.app_nsg_lookup.npn : local.app_nsg_lookup.flannel
+}
+
+resource "oci_core_network_security_group" "db" {
+  for_each       = local.create_db_nsg ? toset(var.db_service_list) : []
+  compartment_id = var.network_compartment_id
+  vcn_id         = local.vcn_id
+  freeform_tags  = var.tag_value.freeformTags
+  defined_tags   = var.tag_value.definedTags
+  display_name   = each.value
+}
+
+# POSTGRES
+
+resource "oci_core_network_security_group_security_rule" "postgres_db_ingress" {
+  direction                 = "INGRESS"
+  network_security_group_id = oci_core_network_security_group.db[local.postgres_service].id
+  protocol                  = local.tcp_protocol
+  source_type               = "NETWORK_SECURITY_GROUP"
+  source                    = local.create_app_db_nsg ? local.app_nsg.nsg_db[local.postgres_service].id : local.app_nsg.nsg_id
+  stateless                 = true
+  description               = "Allow communication from applications to postgres"
+  tcp_options {
+    destination_port_range {
+      max = 5432
+      min = 5432
+    }
+  }
+  count = local.create_db_nsg && contains(var.db_service_list, local.postgres_service) ? 1 : 0
+}
+
+resource "oci_core_network_security_group_security_rule" "postgres_db_egress" {
+  direction                 = "EGRESS"
+  network_security_group_id = oci_core_network_security_group.db[local.postgres_service].id
+  protocol                  = local.tcp_protocol
+  destination_type          = "NETWORK_SECURITY_GROUP"
+  destination               = local.create_app_db_nsg ? local.app_nsg.nsg_db[local.postgres_service].id : local.app_nsg.nsg_id
+  stateless                 = true
+  description               = "Allow communication from applications to pods"
+  tcp_options {
+    source_port_range {
+      max = 5432
+      min = 5432
+    }
+  }
+  count = local.create_db_nsg && contains(var.db_service_list, local.postgres_service) ? 1 : 0
+}
+
+# OCI Cache
+
+resource "oci_core_network_security_group_security_rule" "cache_db_ingress" {
+  direction                 = "INGRESS"
+  network_security_group_id = oci_core_network_security_group.db[local.cache_service].id
+  protocol                  = local.tcp_protocol
+  source_type               = "NETWORK_SECURITY_GROUP"
+  source                    = local.create_app_db_nsg ? local.app_nsg.nsg_db[local.cache_service].id : local.app_nsg.nsg_id
+  stateless                 = true
+  description               = "Allow communication from pods to oci cache"
+  tcp_options {
+    destination_port_range {
+      max = 6379
+      min = 6379
+    }
+  }
+  count = local.create_db_nsg && contains(var.db_service_list, local.cache_service) ? 1 : 0
+}
+
+resource "oci_core_network_security_group_security_rule" "cache_db_egress" {
+  direction                 = "EGRESS"
+  network_security_group_id = oci_core_network_security_group.db[local.cache_service].id
+  protocol                  = local.tcp_protocol
+  destination_type          = "NETWORK_SECURITY_GROUP"
+  destination               = local.create_app_db_nsg ? local.app_nsg.nsg_db[local.cache_service].id : local.app_nsg.nsg_id
+  stateless                 = true
+  description               = "Allow communication from oci cache to pods"
+  tcp_options {
+    source_port_range {
+      max = 6379
+      min = 6379
+    }
+  }
+  count = local.create_db_nsg && contains(var.db_service_list, local.cache_service) ? 1 : 0
+}
+
+# Oracle Database
+
+resource "oci_core_network_security_group_security_rule" "oracle_db_ingress" {
+  direction                 = "INGRESS"
+  network_security_group_id = oci_core_network_security_group.db[local.oracledb_service].id
+  protocol                  = local.tcp_protocol
+  source_type               = "NETWORK_SECURITY_GROUP"
+  source                    = local.create_app_db_nsg ? local.app_nsg.nsg_db[local.oracledb_service].id : local.app_nsg.nsg_id
+  stateless                 = true
+  description               = "Allow communication from pods to oracle database"
+  tcp_options {
+    destination_port_range {
+      max = 1522
+      min = 1521
+    }
+  }
+  count = local.create_db_nsg && contains(var.db_service_list, local.oracledb_service) ? 1 : 0
+}
+
+resource "oci_core_network_security_group_security_rule" "oracle_db_egress" {
+  direction                 = "EGRESS"
+  network_security_group_id = oci_core_network_security_group.db[local.oracledb_service].id
+  protocol                  = local.tcp_protocol
+  destination_type          = "NETWORK_SECURITY_GROUP"
+  destination               = local.create_app_db_nsg ? local.app_nsg.nsg_db[local.oracledb_service].id : local.app_nsg.nsg_id
+  stateless                 = true
+  description               = "Allow communication from oracle database to pods"
+  tcp_options {
+    source_port_range {
+      max = 1522
+      min = 1521
+    }
+  }
+  count = local.create_db_nsg && contains(var.db_service_list, local.oracledb_service) ? 1 : 0
+}

app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/cp-nsg.tf

@@ -2,6 +2,8 @@ resource "oci_core_dhcp_options" "external_lb_dhcp" {
   compartment_id = var.network_compartment_id
   vcn_id         = local.vcn_id
   display_name   = var.external_lb_subnet_name
+  freeform_tags  = var.tag_value.freeformTags
+  defined_tags   = var.tag_value.definedTags
   options {
     type        = "DomainNameServer"
     server_type = "VcnLocalPlusInternet"
@@ -13,6 +15,8 @@ resource "oci_core_dhcp_options" "internal_lb_dhcp" {
   compartment_id = var.network_compartment_id
   vcn_id         = local.vcn_id
   display_name   = var.internal_lb_subnet_name
+  freeform_tags  = var.tag_value.freeformTags
+  defined_tags   = var.tag_value.definedTags
   options {
     type        = "DomainNameServer"
     server_type = "VcnLocalPlusInternet"
@@ -24,6 +28,8 @@ resource "oci_core_dhcp_options" "oke_cp_dhcp" {
   compartment_id = var.network_compartment_id
   vcn_id         = local.vcn_id
   display_name   = var.cp_subnet_name
+  freeform_tags  = var.tag_value.freeformTags
+  defined_tags   = var.tag_value.definedTags
   options {
     type        = "DomainNameServer"
     server_type = "VcnLocalPlusInternet"
@@ -35,6 +41,8 @@ resource "oci_core_dhcp_options" "worker_dhcp" {
   compartment_id = var.network_compartment_id
   vcn_id         = local.vcn_id
   display_name   = var.worker_subnet_name
+  freeform_tags  = var.tag_value.freeformTags
+  defined_tags   = var.tag_value.definedTags
   options {
     type        = "DomainNameServer"
     server_type = "VcnLocalPlusInternet"
@@ -46,6 +54,8 @@ resource "oci_core_dhcp_options" "pods_dhcp" {
   compartment_id = var.network_compartment_id
   vcn_id         = local.vcn_id
   display_name   = var.pod_subnet_name
+  freeform_tags  = var.tag_value.freeformTags
+  defined_tags   = var.tag_value.definedTags
   options {
     type        = "DomainNameServer"
     server_type = "VcnLocalPlusInternet"
@@ -57,6 +67,8 @@ resource "oci_core_dhcp_options" "bastion_dhcp" {
   compartment_id = var.network_compartment_id
   vcn_id         = local.vcn_id
   display_name   = var.bastion_subnet_name
+  freeform_tags  = var.tag_value.freeformTags
+  defined_tags   = var.tag_value.definedTags
   options {
     type        = "DomainNameServer"
     server_type = "VcnLocalPlusInternet"
@@ -68,9 +80,24 @@ resource "oci_core_dhcp_options" "fss_dhcp" {
   compartment_id = var.network_compartment_id
   vcn_id         = local.vcn_id
   display_name   = var.fss_subnet_name
+  freeform_tags  = var.tag_value.freeformTags
+  defined_tags   = var.tag_value.definedTags
   options {
     type        = "DomainNameServer"
     server_type = "VcnLocalPlusInternet"
   }
   count = local.create_fss_subnet ? 1 : 0
 }
+
+resource "oci_core_dhcp_options" "db_dhcp" {
+  compartment_id = var.network_compartment_id
+  vcn_id         = local.vcn_id
+  display_name   = var.db_subnet_name
+  freeform_tags  = var.tag_value.freeformTags
+  defined_tags   = var.tag_value.definedTags
+  options {
+    type        = "DomainNameServer"
+    server_type = "VcnLocalPlusInternet"
+  }
+  count = local.create_db_subnet ? 1 : 0
+}

app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/db-nsg.tf

@@ -1,13 +1,17 @@
 resource "oci_core_drg" "vcn_drg" {
   compartment_id = var.network_compartment_id
   display_name   = var.drg_name
+  freeform_tags  = var.tag_value.freeformTags
+  defined_tags   = var.tag_value.definedTags
 
   count = local.create_drg ? 1 : 0
 }
 
 resource "oci_core_drg_attachment" "oke_drg_attachment" {
-  drg_id       = local.drg_id
-  display_name = var.vcn_name
+  drg_id        = local.drg_id
+  display_name  = var.vcn_name
+  freeform_tags = var.tag_value.freeformTags
+  defined_tags  = var.tag_value.definedTags
 
   network_details {
     id   = local.vcn_id

app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/dhcp.tf

@@ -2,6 +2,8 @@ resource "oci_core_network_security_group" "fss_nsg" {
   compartment_id = var.network_compartment_id
   vcn_id         = local.vcn_id
   display_name   = "fss"
+  freeform_tags  = var.tag_value.freeformTags
+  defined_tags   = var.tag_value.definedTags
 }
 
 # NFS Portmapper - UDP (port 111)