feat: add terraform for oci oke

terraform to provision an OKE cluster on OCI

Author: BobyMCbobs

terraform/oci-oke-cluster/data.tf

@@ -0,0 +1,18 @@
+data "oci_identity_availability_domains" "availability_domains" {
+  #Required
+  compartment_id = var.tenancy_ocid
+}
+
+data "oci_core_images" "node_pool_images" {
+  compartment_id           = var.compartment_ocid
+  operating_system         = "Oracle Linux"
+  operating_system_version = "8"
+  shape                    = var.node_shape
+  sort_by                  = "TIMECREATED"
+  sort_order               = "DESC"
+}
+
+data "oci_containerengine_cluster_kube_config" "cluster_kube_config" {
+  #Required
+  cluster_id = oci_containerengine_cluster.cluster.id
+}

terraform/oci-oke-cluster/locals.tf

@@ -0,0 +1,5 @@
+locals {
+  common_labels = {
+    "TalosCluster" = var.cluster_name
+  }
+}

terraform/oci-oke-cluster/main.tf

@@ -0,0 +1,82 @@
+resource "oci_containerengine_cluster" "cluster" {
+  #Required
+  compartment_id     = var.compartment_ocid
+  kubernetes_version = var.cluster_kubernetes_version
+  name               = var.cluster_name
+  vcn_id             = oci_core_vcn.vcn.id
+
+  endpoint_config {
+
+    #Optional
+    is_public_ip_enabled = true
+    nsg_ids              = [oci_core_network_security_group.network_security_group.id]
+    subnet_id            = oci_core_subnet.subnet.id
+  }
+  options {
+
+    #Optional
+    add_ons {
+
+      #Optional
+      is_kubernetes_dashboard_enabled = false
+      is_tiller_enabled               = false
+    }
+    admission_controller_options {
+
+      #Optional
+      is_pod_security_policy_enabled = false
+    }
+    kubernetes_network_config {
+
+      #Optional
+      pods_cidr     = var.pod_subnet_block
+      services_cidr = var.service_subnet_block
+    }
+    persistent_volume_config {
+
+      #Optional
+      freeform_tags = local.common_labels
+    }
+    service_lb_config {
+
+      #Optional
+      freeform_tags = local.common_labels
+    }
+    service_lb_subnet_ids = [oci_core_subnet.subnet.id]
+  }
+  type = "ENHANCED_CLUSTER"
+}
+
+resource "oci_containerengine_node_pool" "node_pool" {
+  #Required
+  cluster_id     = oci_containerengine_cluster.cluster.id
+  compartment_id = var.compartment_ocid
+  name           = "${var.cluster_name}-primary"
+  node_shape     = var.node_shape
+
+  #Optional
+  freeform_tags      = local.common_labels
+  kubernetes_version = var.cluster_kubernetes_version
+  node_config_details {
+    #Required
+    placement_configs {
+      #Required
+      availability_domain = data.oci_identity_availability_domains.availability_domains.availability_domains[0].name
+      subnet_id           = oci_core_subnet.node_subnet.id
+    }
+    size = var.node_pool_count
+
+    freeform_tags = local.common_labels
+    nsg_ids       = [oci_core_network_security_group.network_security_group.id]
+  }
+  node_shape_config {
+    #Optional
+    memory_in_gbs = var.node_memory_in_gbs
+    ocpus         = var.node_ocpus
+  }
+  node_source_details {
+    #Required
+    image_id    = data.oci_core_images.node_pool_images.images[0].id
+    source_type = "IMAGE"
+  }
+}

terraform/oci-oke-cluster/network.tf

@@ -0,0 +1,108 @@
+resource "oci_core_vcn" "vcn" {
+  #Required
+  compartment_id = var.compartment_ocid
+
+  #Optional
+  cidr_blocks    = var.cidr_blocks
+  display_name   = "${var.cluster_name}-vcn"
+  freeform_tags  = local.common_labels
+  is_ipv6enabled = true
+}
+resource "oci_core_subnet" "subnet" {
+  #Required
+  cidr_block                 = var.subnet_block
+  compartment_id             = var.compartment_ocid
+  vcn_id                     = oci_core_vcn.vcn.id
+  prohibit_internet_ingress  = false
+  prohibit_public_ip_on_vnic = false
+
+  #Optional
+  display_name      = "${var.cluster_name}-subnet"
+  freeform_tags     = local.common_labels
+  security_list_ids = [oci_core_security_list.security_list.id]
+  route_table_id    = oci_core_route_table.route_table.id
+}
+resource "oci_core_subnet" "node_subnet" {
+  #Required
+  cidr_block                 = var.node_subnet_block
+  compartment_id             = var.compartment_ocid
+  vcn_id                     = oci_core_vcn.vcn.id
+  prohibit_internet_ingress  = false
+  prohibit_public_ip_on_vnic = false
+
+  #Optional
+  display_name      = "${var.cluster_name}-subnet"
+  freeform_tags     = local.common_labels
+  security_list_ids = [oci_core_security_list.security_list.id]
+  route_table_id    = oci_core_route_table.route_table.id
+}
+resource "oci_core_route_table" "route_table" {
+  #Required
+  compartment_id = var.compartment_ocid
+  vcn_id         = oci_core_vcn.vcn.id
+
+  #Optional
+  display_name  = "${var.cluster_name}-route-table"
+  freeform_tags = local.common_labels
+  route_rules {
+    #Required
+    network_entity_id = oci_core_internet_gateway.internet_gateway.id
+
+    #Optional
+    destination_type = "CIDR_BLOCK"
+    destination      = "0.0.0.0/0"
+  }
+}
+
+resource "oci_core_internet_gateway" "internet_gateway" {
+  #Required
+  compartment_id = var.compartment_ocid
+  vcn_id         = oci_core_vcn.vcn.id
+
+  #Optional
+  enabled       = true
+  display_name  = "${var.cluster_name}-internet-gateway"
+  freeform_tags = local.common_labels
+}
+
+resource "oci_core_network_security_group" "network_security_group" {
+  #Required
+  compartment_id = var.compartment_ocid
+  vcn_id         = oci_core_vcn.vcn.id
+
+  #Optional
+  display_name  = "${var.cluster_name}-security-group"
+  freeform_tags = local.common_labels
+}
+resource "oci_core_network_security_group_security_rule" "allow_all" {
+  network_security_group_id = oci_core_network_security_group.network_security_group.id
+  destination_type          = "CIDR_BLOCK"
+  destination               = "0.0.0.0/0"
+  protocol                  = "all"
+  direction                 = "EGRESS"
+  stateless                 = false
+}
+
+resource "oci_core_security_list" "security_list" {
+  #Required
+  compartment_id = var.compartment_ocid
+  vcn_id         = oci_core_vcn.vcn.id
+
+  #Optional
+  display_name = "${var.cluster_name}-security-list"
+  egress_security_rules {
+    #Required
+    destination = "0.0.0.0/0"
+    protocol    = "all"
+
+    stateless = true
+  }
+  freeform_tags = local.common_labels
+  ingress_security_rules {
+    #Required
+    source   = "0.0.0.0/0"
+    protocol = "all"
+
+    stateless = true
+  }
+}

terraform/oci-oke-cluster/output.tf

@@ -0,0 +1,4 @@
+output "kubeconfig" {
+  value     = data.oci_containerengine_cluster_kube_config.cluster_kube_config.content
+  sensitive = true
+}

terraform/oci-oke-cluster/variables.tf

@@ -0,0 +1,70 @@
+variable "compartment_ocid" {
+  type      = string
+  sensitive = true
+}
+variable "tenancy_ocid" {
+  type      = string
+  sensitive = true
+}
+variable "user_ocid" {
+  type      = string
+  sensitive = true
+}
+variable "fingerprint" {
+  type      = string
+  sensitive = true
+}
+variable "private_key_path" {
+  type      = string
+  default   = "~/.oci/oci_main_terraform.pem"
+  sensitive = true
+}
+variable "region" {
+  description = "the OCI region where resources will be created"
+  type        = string
+  default     = null
+}
+variable "cluster_name" {
+  type    = string
+  default = "cncfoke"
+}
+variable "cluster_kubernetes_version" {
+  type    = string
+  default = "v1.30.1"
+}
+variable "cidr_blocks" {
+  type    = set(string)
+  default = ["10.0.0.0/16"]
+}
+variable "subnet_block" {
+  type    = string
+  default = "10.0.0.0/24"
+}
+variable "pod_subnet_block" {
+  type    = string
+  default = "10.32.0.0/12"
+}
+variable "service_subnet_block" {
+  type    = string
+  default = "10.200.0.0/21"
+}
+variable "node_subnet_block" {
+  type    = string
+  default = "10.0.7.0/24"
+}
+variable "node_shape" {
+  type    = string
+  default = "VM.Standard.A1.Flex"
+}
+variable "node_memory_in_gbs" {
+  type    = number
+  default = 128
+}
+variable "node_ocpus" {
+  type    = number
+  default = 8
+}
+variable "node_pool_count" {
+  type    = number
+  default = 3
+}

terraform/oci-oke-cluster/versions.tf

@@ -0,0 +1,17 @@
+terraform {
+  required_providers {
+    oci = {
+      source  = "oracle/oci"
+      version = "6.7.0" # TODO include version in project root providers
+    }
+  }
+  required_version = ">= 1.2"
+}
+
+provider "oci" {
+  tenancy_ocid     = var.tenancy_ocid
+  user_ocid        = var.user_ocid
+  private_key_path = var.private_key_path
+  fingerprint      = var.fingerprint
+  region           = var.region
+}