feat: added support for Thanos and Cluster API

Signed-off-by: Ali Mukadam <ali.mukadam@oracle.com>

Author: hyder

admin.tf

@@ -95,3 +95,13 @@ module "admin" {
     oci.home = oci.home
   }
 }
+
+resource "oci_objectstorage_bucket" "thanos_admin" {
+  compartment_id = var.compartment_id
+  name           = "${lookup(var.admin_region, "admin_name")}-${lookup(var.thanos, "bucket_name", "thanos")}"
+  namespace      = lookup(var.thanos, "bucket_namespace")
+
+  provider = oci.sydney
+
+  count = lookup(var.thanos, "enabled", "false") ? 1 : 0
+}

docs/src/SUMMARY.md

@@ -16,4 +16,7 @@
   - [Control plane](./advanced/controlplane.md)
   - [Data plane](./advanced/dataplane.md)
   - [DNS](./advanced/dns.md)
+  - [Observability]()
+    - [Prometheus]()
+    - [Thanos](./advanced/thanos.md)
 - [Terraform Options](./terraformoptions.md)

docs/src/advanced/dataplane.md

@@ -1,11 +1,11 @@
 # Data plane
 
-The data plane is where the workload are run. This is usually done as part of the service mesh (Istio). 
+The data plane is where the workloads are run. This is usually done as part of the service mesh (Istio). 
 
 Istio usually has an ingress gateway that allows incoming traffic into the mesh.
 
 On OCI, the service mesh is front-ended by an OCI Load Balancer and Istio's ingress gateway.
-the ingress gateway is front-ended by an OCI Load Balancer. As such a number of configuration options are possible depending on the use case:
+As such a number of configuration options are possible depending on the use case:
 
 1. access: the control plane can be made public or private. By default, it is public.
 2. shape: the load balancer shape can be configured including the bandwidth, security posture

docs/src/advanced/thanos.md

@@ -0,0 +1,62 @@
+# Thanos
+
+Verrazzano includes Thanos, an open source CNCF-projet that provides the following features:
+
+- Global Query across multiple clusters
+- Cheap, long time metrics storage using Object Storage
+- Downsampling and compaction
+- A Prometheus-compatible API
+
+## Configuring Thanos
+
+Configure the following parameters to use Thanos:
+
+``` yaml, editable
+prometheus            = true
+
+prometheus_operator   = true
+
+thanos = {
+  bucket           = "vzthanos"
+  bucket_namespace = "<replace-me>" 
+  enabled          = "true"
+  integration      = "sidecar"
+  storage_gateway  = "true"
+}  
+```
+
+When the above is configured, they will be generated and added to the Custom Resource of each Verrazzano instance.
+
+## Configuring OCI Authentication
+
+### User principal
+
+1. For each cluster, use the following to configure your user principal authentication for Thanos:
+
+``` yaml, editable
+{{#include ../../../modules/verrazzano/resources/thanos-storage.yaml.example:4:}}
+```
+2. Save the file as storage.yaml
+
+```admonish important
+If you are using multiple clusters and your clusters are in different regions, ensure:
+
+1. each cluster has its own storage configuration
+2. you replace the region value in the region parameter above
+```
+
+### Instance principal
+
+TODO
+
+## Create the secret
+
+Before enabling Thanos, ensure the following secret is created:
+
+``` bash
+
+kubectl create namespace verrazzano-monitoring
+kubectl create secret generic objstore-config -n verrazzano-monitoring --from-file=objstore.yml=storage.yaml
+```
+
+You can now enable Thanos.

main.tf

@@ -31,6 +31,8 @@ module "clusters" {
 
   nodepools = var.nodepools
 
+  thanos = var.thanos
+
   providers = {
     oci.home         = oci.home,
     oci.johannesburg = oci.johannesburg,
@@ -92,13 +94,14 @@ module "verrazzano" {
   verrazzano_control_plane = var.verrazzano_control_plane
   verrazzano_data_plane    = var.verrazzano_data_plane
   verrazzano_load_balancer = var.verrazzano_load_balancer
-  cluster_ids              = merge({ "admin" = module.admin.cluster_id }, module.clusters.cluster_ids)
-  int_nsg_ids              = merge({ "admin" = lookup(module.admin.nsg_ids, "int_lb") }, module.clusters.int_nsg_ids)
-  int_lb_subnet_ids        = merge({ "admin" = lookup(module.admin.subnet_ids, "int_lb") }, module.clusters.int_lb_subnet_ids)
-  pub_nsg_ids              = merge({ "admin" = lookup(module.admin.nsg_ids, "pub_lb") }, module.clusters.pub_nsg_ids)
+  cluster_ids              = merge({ lookup(var.admin_region, "admin_name", "admin") = module.admin.cluster_id }, module.clusters.cluster_ids)
+  int_nsg_ids              = merge({ lookup(var.admin_region, "admin_name", "admin") = lookup(module.admin.nsg_ids, "int_lb") }, module.clusters.int_nsg_ids)
+  int_lb_subnet_ids        = merge({ lookup(var.admin_region, "admin_name", "admin") = lookup(module.admin.subnet_ids, "int_lb") }, module.clusters.int_lb_subnet_ids)
+  pub_nsg_ids              = merge({ lookup(var.admin_region, "admin_name", "admin") = lookup(module.admin.nsg_ids, "pub_lb") }, module.clusters.pub_nsg_ids)
 
   # verrazzano components
   argocd                = var.argocd
+  cluster_api           = var.cluster_api
   coherence             = var.coherence
   configure_dns         = var.configure_dns
   console               = var.console
@@ -112,6 +115,7 @@ module "verrazzano" {
   prometheus            = var.prometheus
   prometheus_operator   = var.prometheus_operator
   rancher               = var.rancher
+  thanos                = var.thanos
   velero                = var.velero
   weblogic_operator     = var.weblogic_operator
 

modules/clusters/australia.tf

@@ -87,6 +87,16 @@ module "melbourne" {
 
 }
 
+resource "oci_objectstorage_bucket" "thanos_melbourne" {
+  compartment_id = var.compartment_id
+  name           = "mel-${lookup(var.thanos, "bucket_name", "thanos")}"
+  namespace      = lookup(var.thanos, "bucket_namespace")
+
+  provider = oci.melbourne
+
+  count = tobool(lookup(var.clusters, "melbourne")) && lookup(var.thanos, "enabled", "false") ? 1 : 0
+}
+
 module "sydney" {
   source  = "oracle-terraform-modules/oke/oci"
   version = "4.5.9"
@@ -152,9 +162,9 @@ module "sydney" {
 
 
   # node pools
-  kubeproxy_mode = "ipvs"  
-  node_pools = local.managed_nodepools
-  cloudinit_nodepool_common = var.cloudinit_nodepool_common  
+  kubeproxy_mode            = "ipvs"
+  node_pools                = local.managed_nodepools
+  cloudinit_nodepool_common = var.cloudinit_nodepool_common
 
   node_pool_image_type = "oke"
 

modules/clusters/outputs.tf

@@ -143,7 +143,7 @@ output "int_lb_subnet_ids" {
     # "jeddah"       = coalesce(lookup(module.jeddah[0].subnet_ids,"int_lb"))
     # "jerusalem"    = coalesce(lookup(module.jerusalem[0].subnet_ids,"int_lb"))
     "melbourne"    = coalesce(lookup(module.melbourne[0].subnet_ids,"int_lb"))
-    "sydney"       = coalesce(lookup(module.sydney[0].subnet_ids,"int_lb"))
+    # "sydney"       = coalesce(lookup(module.sydney[0].subnet_ids,"int_lb"))
     # "santiago"     = coalesce(lookup(module.santiago[0].subnet_ids,"int_lb"))
     # "saupaulo"     = coalesce(lookup(module.saupaulo[0].subnet_ids,"int_lb"))
     # "vinhedo"      = coalesce(lookup(module.vinhedo[0].subnet_ids,"int_lb"))

modules/clusters/variables.tf

@@ -61,4 +61,8 @@ variable "nodepools" {
 
 variable "cloudinit_nodepool_common" {
   type        = string
+}
+
+variable "thanos" {
+  type        = map(string)
 }

modules/verrazzano/install_vz.tf

@@ -16,12 +16,12 @@ resource "null_resource" "install_vz_admin" {
 
   provisioner "file" {
     content     = local.vz_admin_template
-    destination = "/home/opc/vz/clusters/vz_admin.yaml"
+    destination = "/home/opc/vz/clusters/vz_${local.admin_region_name}.yaml"
   }
 
   provisioner "file" {
     content     = local.install_admin_script
-    destination = "/home/opc/vz/clusters/install_vz_cluster_admin.sh"
+    destination = "/home/opc/vz/clusters/install_vz_cluster_${local.admin_region_name}.sh"
   }
 
   provisioner "file" {

modules/verrazzano/resources/thanos-storage.yaml.example

@@ -0,0 +1,13 @@
+type: OCI
+config:
+  provider: "raw"
+  bucket: "thanos"
+  compartment_ocid: "ocid1.compartment.oc1....."
+  region: "us-ashburn-1"
+  tenancy_ocid: "ocid1.tenancy.oc1....."
+  user_ocid: "ocid1.user.oc1....."
+  fingerprint: "12:d3:4c:..."
+  privatekey: |
+    -----BEGIN RSA PRIVATE KEY-----
+    ...
+    -----END RSA PRIVATE KEY-----