feat: upgrade oke module to 5.x branch

Added DRG and bucket for Thanos for each enabled region.
Separated each region into their respective files. Updated docs.

Signed-off-by: Ali Mukadam <ali.mukadam@oracle.com>

Author: hyder

README.md

@@ -1,10 +1,9 @@
 [uri-changelog]: https://github.com/oracle-terraform-modules/terraform-oci-verrazzano/blob/main/docs/CHANGELOG.md
 [uri-docs]: https://github.com/oracle-terraform-modules/terraform-oci-verrazzano/blob/main/docs/content/docs
-[uri-multi-cluster]: https://github.com/oracle-terraform-modules/terraform-oci-verrazzano/blob/main/docs/content/docs/3.-multi-cluster.md
-[uri-single-cluster-dev]: https://github.com/oracle-terraform-modules/terraform-oci-verrazzano/blob/main/docs/content/docs/1.-single-cluster-dev.md
-[uri-single-cluster-prod]: https://github.com/oracle-terraform-modules/terraform-oci-verrazzano/blob/main/docs/content/docs/2.-single-cluster-prod.md
+[uri-single-cluster-dev]: https://github.com/oracle-terraform-modules/terraform-oci-verrazzano/blob/main/docs/src/single/dev.md
+[uri-single-cluster-prod]: https://github.com/oracle-terraform-modules/terraform-oci-verrazzano/blob/main/docs/src/single/production.md
 [uri-terraform-oci-oke]: https://github.com/oracle-terraform-modules/terraform-oci-oke
-[uri-terraform-options]: https://github.com/oracle-terraform-modules/terraform-oci-verrazzano/blob/main/docs/content/docs/5.-terraform-options.md
+[uri-terraform-options]: https://github.com/oracle-terraform-modules/terraform-oci-verrazzano/blob/main/docs/src/terraformoptions.md
 [uri-verrazzano]: https://verrazzano.io
 [uri-verrazzano-medium]: https://medium.com/verrazzano
 [uri-verrazzano-slack]: https://bit.ly/3gOeRJn
@@ -18,7 +17,6 @@ This module automates the installation of [Verrazzano Container Platform][uri-ve
 
 * [Create a single cluster with dev profile][uri-single-cluster-dev]
 * [Create a single cluster with production profile][uri-single-cluster-prod]
-* [Create a multi-cluster][uri-multi-cluster]
 * [Terraform Options][uri-terraform-options]
 
 

admin.tf

@@ -1,9 +1,35 @@
 # Copyright (c) 2023 Oracle Corporation and/or its affiliates.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl
 
+locals {
+  all_ports = -1
+
+  # keep as reference
+  # apiserver_port          = 6443
+
+  # Protocols
+  # See https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml
+  all_protocols = "all"
+  icmp_protocol = 1
+  tcp_protocol  = 6
+  udp_protocol  = 17
+
+  anywhere          = "0.0.0.0/0"
+  rule_type_nsg     = "NETWORK_SECURITY_GROUP"
+  rule_type_cidr    = "CIDR_BLOCK"
+  rule_type_service = "SERVICE_CIDR_BLOCK"
+
+  service_mesh_ports = [80, 443, 15012, 15017, 15021, 15443]
+
+  # Todo verify if we need 15021 open for public
+  public_lb_allowed_ports = [80, 443, 15021]
+}
+
 module "admin" {
-  source  = "oracle-terraform-modules/oke/oci"
-  version = "4.5.9"
+  # source  = "oracle-terraform-modules/oke/oci"
+  # version = "4.5.9"
+
+  source = "github.com/oracle-terraform-modules/terraform-oci-oke?ref=5.x&depth=1"
 
   home_region = local.admin_region
   region      = local.admin_region
@@ -12,28 +38,21 @@ module "admin" {
 
   # general oci parameters
   compartment_id = var.compartment_id
-  label_prefix   = var.label_prefix
 
   # ssh keys
   ssh_private_key_path = var.ssh_private_key_path
   ssh_public_key_path  = var.ssh_public_key_path
 
   # networking
-  create_drg       = true
+  # create_drg       = true
   drg_display_name = lookup(var.admin_region, "admin_name")
 
-  # admin is always connected to everybody
-  remote_peering_connections = {
-    for k, v in var.managed_clusters : "rpc-to-${k}" => {} if tobool(v)
-  }
-
-
   internet_gateway_route_rules = [
     for c in keys(var.managed_clusters) :
     {
       destination       = lookup(lookup(var.cidrs, c), "vcn")
       destination_type  = "CIDR_BLOCK"
-      network_entity_id = "drg"
+      network_entity_id = module.admin_drg.drg_id
       description       = "Routing to allow ssh to ${title(c)}"
     } if tobool(lookup(var.managed_clusters, c))
   ]
@@ -43,7 +62,7 @@ module "admin" {
     {
       destination       = lookup(lookup(var.cidrs, c), "vcn")
       destination_type  = "CIDR_BLOCK"
-      network_entity_id = "drg"
+      network_entity_id = module.admin_drg.drg_id
       description       = "Routing to allow connectivity to ${title(c)} cluster"
     } if tobool(lookup(var.managed_clusters, c))
   ]
@@ -52,41 +71,68 @@ module "admin" {
   vcn_dns_label = lookup(var.admin_region, "admin_name")
   vcn_name      = lookup(var.admin_region, "admin_name")
 
-
+  #subnets
+  subnets = {
+    bastion  = { newbits = 13, dns_label = "bastion" }
+    operator = { newbits = 13, dns_label = "operator" }
+    cp       = { newbits = 13, dns_label = "cp" }
+    int_lb   = { newbits = 11, dns_label = "ilb" }
+    pub_lb   = { newbits = 11, dns_label = "plb" }
+    workers  = { newbits = 2, dns_label = "workers" }
+    pods     = { newbits = 2, dns_label = "pods" }
+  }
   # bastion host
-  create_bastion_host = true
-  upgrade_bastion     = false
+  create_bastion        = true
+  bastion_upgrade       = false
+  bastion_allowed_cidrs = ["0.0.0.0/0"]
+
 
   # operator host
-  create_operator                    = true
-  upgrade_operator                   = false
-  enable_operator_instance_principal = true
+  create_operator            = true
+  operator_upgrade           = false
+  create_iam_operator_policy = "auto"
 
   # oke cluster options
   cluster_name                = lookup(var.admin_region, "admin_name")
   cni_type                    = var.preferred_cni
-  control_plane_type          = var.oke_control_plane
-  control_plane_allowed_cidrs = ["0.0.0.0/0"]
+  control_plane_is_public     = var.oke_control_plane == "public"
+  control_plane_allowed_cidrs = [local.anywhere]
   kubernetes_version          = var.kubernetes_version
   pods_cidr                   = lookup(var.admin_region, "pods")
   services_cidr               = lookup(var.admin_region, "services")
 
 
   # node pools
-  kubeproxy_mode = "ipvs"
-  node_pools     = var.nodepools
+  kubeproxy_mode   = "ipvs"
+  worker_pool_mode = "node-pool"
+
+  worker_pools = var.nodepools
 
-  cloudinit_nodepool_common = var.cloudinit_nodepool_common
+  worker_cloud_init = var.worker_cloud_init
 
-  node_pool_image_type = "oke"
+  worker_image_type = "oke"
 
   # oke load balancers
-  load_balancers            = "both"
-  preferred_load_balancer   = "public"
-  internal_lb_allowed_cidrs = ["0.0.0.0/0"]
-  internal_lb_allowed_ports = var.connectivity_mode == "mesh" ? [80, 443, 15012, 15017, 15021, 15443] : [80, 443]
-  public_lb_allowed_cidrs   = ["0.0.0.0/0"]
-  public_lb_allowed_ports   = [80, 443, 15021]
+  load_balancers          = "both"
+  preferred_load_balancer = "public"
+
+  allow_rules_internal_lb = {
+    for p in local.service_mesh_ports :
+
+    format("Allow ingress to port %v", p) => {
+      protocol = local.tcp_protocol, port = p, source = "10.0.0.0/16", source_type = local.rule_type_cidr,
+    }
+  }
+  # internal_lb_allowed_ports = var.connectivity_mode == "mesh" ? [80, 443, 15012, 15017, 15021, 15443] : [80, 443]
+  # TODO: allow configuration of source cidr
+  allow_rules_public_lb = {
+
+    for p in local.public_lb_allowed_ports :
+
+    format("Allow ingress to port %v", p) => {
+      protocol = local.tcp_protocol, port = p, source = "10.0.0.0/16", source_type = local.rule_type_cidr,
+    }
+  }
 
   user_id = var.user_id
 
@@ -105,3 +151,37 @@ resource "oci_objectstorage_bucket" "thanos_admin" {
 
   count = tobool(lookup(var.thanos, "enabled", "false")) ? 1 : 0
 }
+
+
+module "admin_drg" {
+  source  = "oracle-terraform-modules/drg/oci"
+  version = "1.0.5"
+
+  # general oci parameters
+  compartment_id = var.compartment_id
+  label_prefix   = var.label_prefix
+
+  # drg parameters
+  drg_display_name = "${lookup(var.admin_region, "admin_name")}-drg"
+
+  drg_vcn_attachments = {
+    drg = {
+      vcn_id                    = module.admin.vcn_id
+      vcn_transit_routing_rt_id = null
+      drg_route_table_id        = null
+    }
+  }
+
+  # var.drg_id can either contain an existing DRG ID or be null. 
+  drg_id = null
+
+  # admin is always connected to everybody
+  remote_peering_connections = {
+    for k, v in var.managed_clusters : "rpc-to-${k}" => {} if tobool(v)
+  }
+
+  # count = var.create_drg || var.drg_id != null ? 1 : 0
+  providers = {
+    oci = oci.sydney
+  }
+}

docs/src/multi/pri-ep.md

@@ -125,40 +125,42 @@ Do not remove those that you are not using.
 ```terraform,editable
 output "cluster_ids" {
   value = {
-    # "johannesburg" = join(",", module.johannesburg[*].cluster_id)
-    # "chuncheon"    = join(",", module.chuncheon[*].cluster_id)
-    # "hyderabad"    = join(",", module.hyderabad[*].cluster_id)
-    # "mumbai"       = join(",", module.mumbai[*].cluster_id)
-    # "osaka"        = join(",", module.osaka[*].cluster_id)
-    # "seoul"        = join(",", module.seoul[*].cluster_id)
-    # "singapore"    = join(",", module.singapore[*].cluster_id)
-    # "tokyo"        = join(",", module.tokyo[*].cluster_id)
-    # "amsterdam"    = join(",", module.amsterdam[*].cluster_id)
-    # "frankfurt"    = join(",", module.frankfurt[*].cluster_id)
-    # "london"       = join(",", module.london[*].cluster_id)
-    # "madrid"       = join(",", module.madrid[*].cluster_id)
-    # "marseille"    = join(",", module.marseille[*].cluster_id)
-    # "milan"        = join(",", module.milan[*].cluster_id)
-    # "newport"      = join(",", module.newport[*].cluster_id)
-    # "paris"        = join(",", module.paris[*].cluster_id)
-    # "stockholm"    = join(",", module.stockholm[*].cluster_id)
-    # "zurich"       = join(",", module.zurich[*].cluster_id)
-    # "abudhabi"     = join(",", module.abudhabi[*].cluster_id)
-    # "dubai"        = join(",", module.dubai[*].cluster_id)
-    # "jeddah"       = join(",", module.jeddah[*].cluster_id)
-    # "jerusalem"    = join(",", module.jerusalem[*].cluster_id)
-    #"melbourne"    = join(",", module.melbourne[*].cluster_id)
-    # "sydney"       = join(",", module.sydney[*].cluster_id)
-    # "santiago"     = join(",", module.santiago[*].cluster_id)
-    # "saupaulo"     = join(",", module.saupaulo[*].cluster_id)
-    # "vinhedo"      = join(",", module.vinhedo[*].cluster_id)
-    # "ashburn"      = join(",", module.ashburn[*].cluster_id)
-    # "chicago"      = join(",", module.chicago[*].cluster_id)
-    # "montreal"     = join(",", module.montreal[*].cluster_id)
-    "phoenix"      = join(",", module.phoenix[*].cluster_id)
-    # "queretaro"    = join(",", module.queretaro[*].cluster_id)
-    # "sanjose"      = join(",", module.sanjose[*].cluster_id)
-    # "toronto"      = join(",", module.toronto[*].cluster_id)
+    # "johannesburg" = one(module.johannesburg[*].cluster_id)
+    # "chuncheon"    = one(module.chuncheon[*].cluster_id)
+    # "hyderabad"    = one(module.hyderabad[*].cluster_id)
+    # "mumbai"       = one(module.mumbai[*].cluster_id)
+    # "osaka"        = one(module.osaka[*].cluster_id)
+    # "seoul"        = one(module.seoul[*].cluster_id)
+    # "singapore"    = one(module.singapore[*].cluster_id)
+    # "tokyo"        = one(module.tokyo[*].cluster_id)
+    # "amsterdam"    = one(module.amsterdam[*].cluster_id)
+    # "frankfurt"    = one(module.frankfurt[*].cluster_id)
+    # "london"       = one(module.london[*].cluster_id)
+    # "madrid"       = one(module.madrid[*].cluster_id)
+    # "marseille"    = one(module.marseille[*].cluster_id)
+    # "milan"        = one(module.milan[*].cluster_id)
+    # "newport"      = one(module.newport[*].cluster_id)
+    # "paris"        = one(module.paris[*].cluster_id)
+    # "stockholm"    = one(module.stockholm[*].cluster_id)
+    # "zurich"       = one(module.zurich[*].cluster_id)
+    # "abudhabi"     = one(module.abudhabi[*].cluster_id)
+    # "dubai"        = one(module.dubai[*].cluster_id)
+    # "jeddah"       = one(module.jeddah[*].cluster_id)
+    # "jerusalem"    = one(module.jerusalem[*].cluster_id)
+    # "melbourne"    = one(module.melbourne[*].cluster_id)
+    # "sydney"       = one(module.sydney[*].cluster_id)
+    "melbourne" = one(module.melbourne[*].cluster_id)
+    # "sydney"    = one(module.sydney[*].cluster_id)
+    # "santiago"     = one(module.santiago[*].cluster_id)
+    # "saupaulo"     = one(module.saupaulo[*].cluster_id)
+    # "vinhedo"      = one(module.vinhedo[*].cluster_id)
+    # "ashburn"      = one(module.ashburn[*].cluster_id)
+    # "chicago"      = one(module.chicago[*].cluster_id)
+    # "montreal"     = one(module.montreal[*].cluster_id)
+    # "phoenix"      = one(module.phoenix[*].cluster_id)
+    # "queretaro"    = one(module.queretaro[*].cluster_id)
+    # "sanjose"      = one(module.sanjose[*].cluster_id)
+    # "toronto"      = one(module.toronto[*].cluster_id)
   }
 }
 ```
@@ -344,7 +346,7 @@ done
   - fingerprint
   - and the private key
 
-```
+```bash,editable
 cd /home/opc/vz/clusters
 for cluster in admin phoenix; do
   kubectx $cluster

docs/src/multi/pub-ep.md

@@ -124,40 +124,42 @@ Do not remove those that you are not using.
 ```terraform,editable
 output "cluster_ids" {
   value = {
-    # "johannesburg" = join(",", module.johannesburg[*].cluster_id)
-    # "chuncheon"    = join(",", module.chuncheon[*].cluster_id)
-    # "hyderabad"    = join(",", module.hyderabad[*].cluster_id)
-    # "mumbai"       = join(",", module.mumbai[*].cluster_id)
-    # "osaka"        = join(",", module.osaka[*].cluster_id)
-    # "seoul"        = join(",", module.seoul[*].cluster_id)
-    # "singapore"    = join(",", module.singapore[*].cluster_id)
-    # "tokyo"        = join(",", module.tokyo[*].cluster_id)
-    # "amsterdam"    = join(",", module.amsterdam[*].cluster_id)
-    # "frankfurt"    = join(",", module.frankfurt[*].cluster_id)
-    # "london"       = join(",", module.london[*].cluster_id)
-    # "madrid"       = join(",", module.madrid[*].cluster_id)
-    # "marseille"    = join(",", module.marseille[*].cluster_id)
-    # "milan"        = join(",", module.milan[*].cluster_id)
-    # "newport"      = join(",", module.newport[*].cluster_id)
-    # "paris"        = join(",", module.paris[*].cluster_id)
-    # "stockholm"    = join(",", module.stockholm[*].cluster_id)
-    # "zurich"       = join(",", module.zurich[*].cluster_id)
-    # "abudhabi"     = join(",", module.abudhabi[*].cluster_id)
-    # "dubai"        = join(",", module.dubai[*].cluster_id)
-    # "jeddah"       = join(",", module.jeddah[*].cluster_id)
-    # "jerusalem"    = join(",", module.jerusalem[*].cluster_id)
-    #"melbourne"    = join(",", module.melbourne[*].cluster_id)
-    # "sydney"       = join(",", module.sydney[*].cluster_id)
-    # "santiago"     = join(",", module.santiago[*].cluster_id)
-    # "saupaulo"     = join(",", module.saupaulo[*].cluster_id)
-    # "vinhedo"      = join(",", module.vinhedo[*].cluster_id)
-    # "ashburn"      = join(",", module.ashburn[*].cluster_id)
-    # "chicago"      = join(",", module.chicago[*].cluster_id)
-    # "montreal"     = join(",", module.montreal[*].cluster_id)
-    "phoenix"      = join(",", module.phoenix[*].cluster_id)
-    # "queretaro"    = join(",", module.queretaro[*].cluster_id)
-    # "sanjose"      = join(",", module.sanjose[*].cluster_id)
-    # "toronto"      = join(",", module.toronto[*].cluster_id)
+    # "johannesburg" = one(module.johannesburg[*].cluster_id)
+    # "chuncheon"    = one(module.chuncheon[*].cluster_id)
+    # "hyderabad"    = one(module.hyderabad[*].cluster_id)
+    # "mumbai"       = one(module.mumbai[*].cluster_id)
+    # "osaka"        = one(module.osaka[*].cluster_id)
+    # "seoul"        = one(module.seoul[*].cluster_id)
+    # "singapore"    = one(module.singapore[*].cluster_id)
+    # "tokyo"        = one(module.tokyo[*].cluster_id)
+    # "amsterdam"    = one(module.amsterdam[*].cluster_id)
+    # "frankfurt"    = one(module.frankfurt[*].cluster_id)
+    # "london"       = one(module.london[*].cluster_id)
+    # "madrid"       = one(module.madrid[*].cluster_id)
+    # "marseille"    = one(module.marseille[*].cluster_id)
+    # "milan"        = one(module.milan[*].cluster_id)
+    # "newport"      = one(module.newport[*].cluster_id)
+    # "paris"        = one(module.paris[*].cluster_id)
+    # "stockholm"    = one(module.stockholm[*].cluster_id)
+    # "zurich"       = one(module.zurich[*].cluster_id)
+    # "abudhabi"     = one(module.abudhabi[*].cluster_id)
+    # "dubai"        = one(module.dubai[*].cluster_id)
+    # "jeddah"       = one(module.jeddah[*].cluster_id)
+    # "jerusalem"    = one(module.jerusalem[*].cluster_id)
+    # "melbourne"    = one(module.melbourne[*].cluster_id)
+    # "sydney"       = one(module.sydney[*].cluster_id)
+    "melbourne" = one(module.melbourne[*].cluster_id)
+    # "sydney"    = one(module.sydney[*].cluster_id)
+    # "santiago"     = one(module.santiago[*].cluster_id)
+    # "saupaulo"     = one(module.saupaulo[*].cluster_id)
+    # "vinhedo"      = one(module.vinhedo[*].cluster_id)
+    # "ashburn"      = one(module.ashburn[*].cluster_id)
+    # "chicago"      = one(module.chicago[*].cluster_id)
+    # "montreal"     = one(module.montreal[*].cluster_id)
+    # "phoenix"      = one(module.phoenix[*].cluster_id)
+    # "queretaro"    = one(module.queretaro[*].cluster_id)
+    # "sanjose"      = one(module.sanjose[*].cluster_id)
+    # "toronto"      = one(module.toronto[*].cluster_id)
   }
 }
 ```
@@ -328,7 +330,7 @@ done
   - fingerprint
   - and the private key
 
-```
+```bash,editable
 cd /home/opc/vz/clusters
 for cluster in admin phoenix; do
   kubectx $cluster