From 2c7037a41cc4bea47e648e2f622d22bae2db9f40 Mon Sep 17 00:00:00 2001 From: Ali Mukadam Date: Tue, 10 Dec 2024 01:04:11 +1100 Subject: [PATCH] feat: added stern, update istio-mc examples module (#967) * feat: added stern, update istio-mc examples module Signed-off-by: Ali * chore: formatting of istio examples fix: set default install_stern value to false Signed-off-by: Ali --------- Signed-off-by: Ali --- examples/istio-mc/c1.tf | 61 +++++++++++++++------- examples/istio-mc/c2.tf | 58 +++++++++++++------- examples/istio-mc/istio.tf | 40 +++++++------- examples/istio-mc/locals.tf | 2 +- examples/istio-mc/outputs.tf | 2 +- examples/istio-mc/providers.tf | 6 +-- examples/istio-mc/terraform.tfvars.example | 2 +- examples/istio-mc/variables.tf | 2 +- module-operator.tf | 1 + modules/operator/cloudinit.tf | 18 +++++++ modules/operator/variables.tf | 1 + variables-operator.tf | 6 +++ 12 files changed, 133 insertions(+), 66 deletions(-) diff --git a/examples/istio-mc/c1.tf b/examples/istio-mc/c1.tf index 9b229ead..d85f06f9 100644 --- a/examples/istio-mc/c1.tf +++ b/examples/istio-mc/c1.tf @@ -4,13 +4,13 @@ module "c1" { source = "oracle-terraform-modules/oke/oci" - version = "5.1.1" + version = "5.2.2" count = lookup(lookup(var.clusters, "c1"), "enabled") ? 1 : 0 home_region = lookup(local.regions, var.home_region) - - region = lookup(local.regions, lookup(lookup(var.clusters, "c1"), "region")) + + region = lookup(local.regions, lookup(lookup(var.clusters, "c1"), "region")) tenancy_id = var.tenancy_id @@ -23,7 +23,7 @@ module "c1" { # networking create_drg = var.oke_control_plane == "private" ? true : false - drg_display_name = "c1" + drg_display_name = "c1-drg" remote_peering_connections = var.oke_control_plane == "private" ? { for k, v in var.clusters : "rpc-to-${k}" => {} if k != "c1" 
@@ -51,7 +51,6 @@ module "c1" { int_lb = { newbits = 11, netnum = 16, dns_label = "ilb" } pub_lb = { newbits = 11, netnum = 17, dns_label = "plb" } workers = { newbits = 2, netnum = 1, dns_label = "workers" } - pods = { newbits = 2, netnum = 2, dns_label = "pods" } } # bastion host 
@@ -78,32 +77,54 @@ module "c1" { # node pools - allow_worker_ssh_access = true - kubeproxy_mode = "iptables" - worker_pool_mode = "node-pool" - worker_pools = var.nodepools - worker_cloud_init = local.worker_cloud_init - worker_image_type = "oke" + allow_worker_ssh_access = true + kubeproxy_mode = "iptables" + worker_pool_mode = "node-pool" + worker_pools = var.nodepools + worker_cloud_init = local.worker_cloud_init + worker_image_type = "oke" # oke load balancers load_balancers = "both" preferred_load_balancer = "public" - allow_rules_internal_lb = { + allow_rules_internal_lb = merge({ for p in local.service_mesh_ports : - - format("Allow ingress to port %v", p) => { - protocol = local.tcp_protocol, port = p, source = lookup(lookup(var.clusters, "c2"), "vcn"), source_type = local.rule_type_cidr, + format("Allow ingress to port %v from cluster c2 for Istio", p) => { + protocol = local.tcp_protocol, port = p, source = lookup(lookup(var.clusters, "c2"), "vcn"), + source_type = local.rule_type_cidr, } - } - - allow_rules_public_lb = { + }, + { + for c in var.clusters : format("Allow TCP ingress from cluster %v for Cilium clustermesh", lookup(c, "name")) => { + protocol = local.tcp_protocol, port = 2379, source = lookup(c, "vcn"), source_type = local.rule_type_cidr, + } if lookup(c, "name") != "c1" + }, + { + for c in var.clusters : + format("Allow UDP ingress from cluster %v for cross-cluster DNS lookup via NLB for Coherence WKA", lookup(c, "name")) + => { + protocol = local.udp_protocol, port = 53, source = lookup(c, "vcn"), source_type = local.rule_type_cidr, + } if lookup(c, "name") != "c1" + }, + ) + + allow_rules_public_lb = merge({ for p in local.public_lb_allowed_ports : - format("Allow ingress to port %v", p) => { protocol = local.tcp_protocol, port = p, source = "0.0.0.0/0", source_type = local.rule_type_cidr, } - } + }, + ) + + allow_rules_workers = merge( + { + for c in var.clusters : + format("Allow UDP ingress to workers from cluster %v for default 
VXLAN", lookup(c, "name")) => { + protocol = local.udp_protocol, port = 8472, source = lookup(c, "vcn"), source_type = local.rule_type_cidr, + } if lookup(c, "name") != "c1" + }, + ) user_id = var.user_id diff --git a/examples/istio-mc/c2.tf b/examples/istio-mc/c2.tf index ba2f288d..bf09e082 100644 --- a/examples/istio-mc/c2.tf +++ b/examples/istio-mc/c2.tf @@ -4,13 +4,13 @@ module "c2" { source = "oracle-terraform-modules/oke/oci" - version = "5.1.1" + version = "5.2.2" count = lookup(lookup(var.clusters, "c2"), "enabled") ? 1 : 0 home_region = lookup(local.regions, var.home_region) - - region = lookup(local.regions, lookup(lookup(var.clusters, "c2"), "region")) + + region = lookup(local.regions, lookup(lookup(var.clusters, "c2"), "region")) tenancy_id = var.tenancy_id @@ -49,7 +49,6 @@ module "c2" { int_lb = { newbits = 11, netnum = 16, dns_label = "ilb" } pub_lb = { newbits = 11, netnum = 17, dns_label = "plb" } workers = { newbits = 2, netnum = 1, dns_label = "workers" } - pods = { newbits = 2, netnum = 2, dns_label = "pods" } } # bastion host 
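Review bot: The new `allow_rules_internal_lb` and `allow_rules_workers` entries admit TCP 2379, UDP 53 and UDP 8472 from each peer cluster's entire VCN CIDR, and their descriptions name Cilium clustermesh and Coherence WKA, neither of which appears anywhere else in this diff (the cluster keeps `kubeproxy_mode = "iptables"` and the `pods` subnet is dropped in the earlier hunk); if these rules were carried over from another example, keep only those the Istio mesh needs, otherwise make each description name its actual consumer so the exposure is reviewable. The Istio rule label also differs between the clusters (`"Allow ingress to port %v from cluster c2 for Istio"` here versus `"Allow ingress to port %v from cluster c1"` in c2.tf), and the three rule maps are duplicated in c2.tf with only the cluster name changed, so a single local keyed by cluster name would keep them in step. `local.udp_protocol` is referenced but not introduced in the locals.tf hunk, so confirm it is already defined. `allow_rules_public_lb = merge({ ... },)` wraps a single map and can be the map alone. The same points apply to the corresponding hunk of c2.tf.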
@@ -76,32 +75,53 @@ module "c2" { # node pools - kubeproxy_mode = "iptables" - worker_pool_mode = "node-pool" - worker_pools = var.nodepools - worker_cloud_init = local.worker_cloud_init - worker_image_type = "oke" + kubeproxy_mode = "iptables" + worker_pool_mode = "node-pool" + worker_pools = var.nodepools + worker_cloud_init = local.worker_cloud_init + worker_image_type = "oke" # oke load balancers load_balancers = "both" preferred_load_balancer = "public" - allow_rules_internal_lb = { + allow_rules_internal_lb = merge({ for p in local.service_mesh_ports : - - format("Allow ingress to port %v", p) => { - protocol = local.tcp_protocol, port = p, source = lookup(lookup(var.clusters, "c1"), "vcn"), source_type = local.rule_type_cidr, + format("Allow ingress to port %v from cluster c1", p) => { + protocol = local.tcp_protocol, port = p, source = lookup(lookup(var.clusters, "c1"), "vcn"), + source_type = local.rule_type_cidr, } - } - - allow_rules_public_lb = { - + }, + { + for c in var.clusters : format("Allow TCP ingress from cluster %v for Cilium clustermesh", lookup(c, "name")) => { + protocol = local.tcp_protocol, port = 2379, source = lookup(c, "vcn"), source_type = local.rule_type_cidr, + } if lookup(c, "name") != "c2" + }, + { + for c in var.clusters : + format("Allow UDP ingress from cluster %v for cross-cluster DNS lookup via NLB for Coherence WKA", lookup(c, "name")) + => { + protocol = local.udp_protocol, port = 53, source = lookup(c, "vcn"), source_type = local.rule_type_cidr, + } if lookup(c, "name") != "c2" + }, + ) + + allow_rules_public_lb = merge({ for p in local.public_lb_allowed_ports : - format("Allow ingress to port %v", p) => { protocol = local.tcp_protocol, port = p, source = "0.0.0.0/0", source_type = local.rule_type_cidr, } - } + }, + ) + + allow_rules_workers = merge( + { + for c in var.clusters : + format("Allow UDP ingress to workers from cluster %v for default VXLAN", lookup(c, "name")) => { + protocol = local.udp_protocol, port = 8472, 
source = lookup(c, "vcn"), source_type = local.rule_type_cidr + } if lookup(c, "name") != "c2" + }, + ) user_id = var.user_id diff --git a/examples/istio-mc/istio.tf b/examples/istio-mc/istio.tf index 6f83476d..a5aff087 100644 --- a/examples/istio-mc/istio.tf +++ b/examples/istio-mc/istio.tf @@ -2,27 +2,27 @@ # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl locals { - istio_c1 = templatefile("${path.module}/resources/istio.template.yaml", - { - mesh_id = var.istio_mesh_id - cluster = "c1" - mesh_network = "c1" - pub_nsg_id = one(element([module.c1[*].pub_lb_nsg_id], 0)) - int_lb_subnet_id = one(element([module.c1[*].int_lb_subnet_id], 0)) - int_nsg_id = one(element([module.c1[*].int_lb_nsg_id], 0)) - } - ) + istio_c1 = templatefile("${path.module}/resources/istio.template.yaml", + { + mesh_id = var.istio_mesh_id + cluster = "c1" + mesh_network = "c1" + pub_nsg_id = one(element([module.c1[*].pub_lb_nsg_id], 0)) + int_lb_subnet_id = one(element([module.c1[*].int_lb_subnet_id], 0)) + int_nsg_id = one(element([module.c1[*].int_lb_nsg_id], 0)) + } + ) - istio_c2 = templatefile("${path.module}/resources/istio.template.yaml", - { - mesh_id = var.istio_mesh_id - cluster = "c2" - mesh_network = "c2" - pub_nsg_id = one(element([module.c2[*].pub_lb_nsg_id], 0)) - int_lb_subnet_id = one(element([module.c2[*].int_lb_subnet_id], 0)) - int_nsg_id = one(element([module.c2[*].int_lb_nsg_id], 0)) - } - ) + istio_c2 = templatefile("${path.module}/resources/istio.template.yaml", + { + mesh_id = var.istio_mesh_id + cluster = "c2" + mesh_network = "c2" + pub_nsg_id = one(element([module.c2[*].pub_lb_nsg_id], 0)) + int_lb_subnet_id = one(element([module.c2[*].int_lb_subnet_id], 0)) + int_nsg_id = one(element([module.c2[*].int_lb_nsg_id], 0)) + } + ) } resource "null_resource" "istio" { diff --git a/examples/istio-mc/locals.tf b/examples/istio-mc/locals.tf index 22e9a483..5ee9d9e3 100644 --- a/examples/istio-mc/locals.tf 
+++ b/examples/istio-mc/locals.tf @@ -20,7 +20,7 @@ locals { bastion_ip = one(element([module.c1[*].bastion_public_ip], 0)) operator_ip = one(element([module.c1[*].operator_private_ip], 0)) - + # TODO: check when is 15021 required for public public_lb_allowed_ports = [80, 443, 15021] diff --git a/examples/istio-mc/outputs.tf b/examples/istio-mc/outputs.tf index 3cf40878..68e4dd0a 100644 --- a/examples/istio-mc/outputs.tf +++ b/examples/istio-mc/outputs.tf @@ -3,5 +3,5 @@ output "ssh_to_operator" { description = "convenient command to ssh to the Admin operator host" - value = one(element([module.c1[*].ssh_to_operator],0)) + value = one(element([module.c1[*].ssh_to_operator], 0)) } \ No newline at end of file diff --git a/examples/istio-mc/providers.tf b/examples/istio-mc/providers.tf index d690651a..3da303d2 100644 --- a/examples/istio-mc/providers.tf +++ b/examples/istio-mc/providers.tf @@ -4,7 +4,7 @@ provider "oci" { fingerprint = var.api_fingerprint private_key_path = var.api_private_key_path - region = lookup(local.regions,var.home_region) + region = lookup(local.regions, var.home_region) tenancy_ocid = var.tenancy_id user_ocid = var.user_id alias = "home" @@ -14,7 +14,7 @@ provider "oci" { provider "oci" { fingerprint = var.api_fingerprint private_key_path = var.api_private_key_path - region = lookup(local.regions,lookup(lookup(var.clusters,"c1"),"region")) + region = lookup(local.regions, lookup(lookup(var.clusters, "c1"), "region")) tenancy_ocid = var.tenancy_id user_ocid = var.user_id alias = "c1" @@ -24,7 +24,7 @@ provider "oci" { provider "oci" { fingerprint = var.api_fingerprint private_key_path = var.api_private_key_path - region = lookup(local.regions,lookup(lookup(var.clusters,"c2"),"region")) + region = lookup(local.regions, lookup(lookup(var.clusters, "c2"), "region")) tenancy_ocid = var.tenancy_id user_ocid = var.user_id alias = "c2" 
diff --git a/examples/istio-mc/terraform.tfvars.example b/examples/istio-mc/terraform.tfvars.example index 4d70a6de..363bbc36 100755 --- a/examples/istio-mc/terraform.tfvars.example +++ b/examples/istio-mc/terraform.tfvars.example @@ -1,4 +1,4 @@ -# provider + # provider api_fingerprint = "" api_private_key_path = "~/.oci/oci_rsa.pem" diff --git a/examples/istio-mc/variables.tf b/examples/istio-mc/variables.tf index 4cd77aff..0ed7d8cb 100644 --- a/examples/istio-mc/variables.tf +++ b/examples/istio-mc/variables.tf @@ -61,7 +61,7 @@ variable "clusters" { } variable "kubernetes_version" { - default = "v1.28.2" + default = "v1.30.1" description = "The version of Kubernetes to use." type = string } diff --git a/module-operator.tf b/module-operator.tf index cb4d12de..89a30111 100644 --- a/module-operator.tf +++ b/module-operator.tf @@ -64,6 +64,7 @@ module "operator" { install_k9s = var.operator_install_k9s install_kubectx = var.operator_install_kubectx install_kubectl_from_repo = var.operator_install_kubectl_from_repo + install_stern = var.operator_install_stern kubeconfig = yamlencode(local.kubeconfig_private) kubernetes_version = var.kubernetes_version nsg_ids = compact(flatten([var.operator_nsg_ids, try(module.network.operator_nsg_id, null)])) diff --git a/modules/operator/cloudinit.tf b/modules/operator/cloudinit.tf index 2e269d86..33ad6df4 100644 --- a/modules/operator/cloudinit.tf +++ b/modules/operator/cloudinit.tf @@ -32,6 +32,7 @@ data "cloudinit_config" "operator" { "git", "jq", "python3-oci-cli", + "golang", var.install_helm ? "helm" : null, var.install_istioctl ? "istio-istioctl" : null, var.install_kubectl_from_repo ? "kubectl": null, 
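Review bot: In the modules/operator/cloudinit.tf package-list hunk, `"golang"` is added unconditionally while the neighbouring tool entries (`helm`, `istio-istioctl`, `kubectl`) are each gated on their install flag; since the Go toolchain is only needed to build stern, gate it the same way: `var.install_stern ? "golang" : null,`. As written, every operator host gets a compiler installed even though `operator_install_stern` defaults to false, which widens the host's installed software for no benefit.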
@@ -193,6 +194,23 @@ data "cloudinit_config" "operator" { } } + # stern installation + dynamic "part" { + for_each = var.install_kubectx ? [1] : [] + content { + content_type = "text/cloud-config" + content = jsonencode({ + runcmd = [ + "go install github.com/stern/stern@v1.30", + "mv $HOME/go/bin/stern /usr/local/bin/", + "ln -s /usr/local/bin/stern /usr/bin/stern" + ] + }) + filename = "20-stern.yml" + merge_type = local.default_cloud_init_merge_type + } + } + # Write user bashrc to filesystem part { content_type = "text/cloud-config" diff --git a/modules/operator/variables.tf b/modules/operator/variables.tf index c503c13b..f4b7663f 100644 --- a/modules/operator/variables.tf +++ b/modules/operator/variables.tf @@ -23,6 +23,7 @@ variable "install_kubectl_from_repo" { default = true } variable "install_kubectx" { type = bool } +variable "install_stern" { type = bool } variable "kubeconfig" { type = string } variable "kubernetes_version" { type = string } variable "nsg_ids" { type = list(string) } diff --git a/variables-operator.tf b/variables-operator.tf index d65cc615..f2e47585 100644 --- a/variables-operator.tf +++ b/variables-operator.tf @@ -89,6 +89,12 @@ variable "operator_install_kubectx" { type = bool } +variable "operator_install_stern" { + default = false + description = "Whether to install stern on the created operator host. NOTE: Provided only as a convenience and not supported by or sourced from Oracle - use at your own risk." + type = bool +} + variable "operator_shape" { default = { shape = "VM.Standard.E4.Flex",
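Review bot: The new stern part is gated on the wrong flag: its `for_each = var.install_kubectx ? [1] : []` means stern is built whenever kubectx is enabled and never when only the new `install_stern` variable is set; it should read `for_each = var.install_stern ? [1] : []`. The `go install github.com/stern/stern@v1.30` step is a minor-version query, so it resolves to whatever v1.30.x patch is newest at boot time and fetches and compiles source from the public module proxy on the operator host; if a reproducible install is intended, pin a full tag (`@v1.30.<patch>`, with the patch chosen by the maintainer). The following `mv $HOME/go/bin/stern /usr/local/bin/` relies on `HOME` being set in cloud-init's runcmd environment; `mv $(go env GOPATH)/bin/stern /usr/local/bin/` would not depend on that. The `data "cloudinit_config" "operator"` block this part belongs to starts and ends outside the hunk.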