
Merge pull request #4 from oracle-quickstart/bugfix/autoscaler-nsg
bugfix + update
streamnsight authored Mar 16, 2023
2 parents 30f5ac3 + d436603 commit cf0e1f9
Showing 5 changed files with 38 additions and 15 deletions.
3 changes: 2 additions & 1 deletion helm_cert_manager.tf
Expand Up @@ -30,6 +30,7 @@ resource "helm_release" "cert_manager" {
}
depends_on = [
data.oci_containerengine_cluster_kube_config.oke,
oci_containerengine_cluster.oci_oke_cluster
oci_containerengine_cluster.oci_oke_cluster,
oci_containerengine_node_pool.oci_oke_node_pool,
]
}
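Review bot: The added `oci_containerengine_node_pool.oci_oke_node_pool` entry in `depends_on` carries no explanation of why this release must wait for the node pool rather than only the cluster, and the matching list in the metrics-server release is cut off by its hunk, so it is not visible whether both charts now follow the same rule. A one-line comment above the list, e.g. `# wait for worker nodes, presumably so the chart's pods can be scheduled — TODO confirm`, would record the intent. The `helm_release` resource starts above the hunk.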
4 changes: 2 additions & 2 deletions helm_metrics.tf
Expand Up @@ -15,8 +15,8 @@ resource "helm_release" "metrics_server" {
wait = false

set {
name = "replicas"
value = "3"
name = "addonResizer.enabled"
value = "true"
}
depends_on = [
data.oci_containerengine_cluster_kube_config.oke,
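Review bot: The new `addonResizer.enabled` value only has an effect if the chart version selected by the `version` argument, which sits above the hunk, ships the addon-resizer; Helm does not reject unknown value keys unless the chart carries a values schema, so with an older chart the key would be accepted silently and the explicit `replicas = "3"` that was removed would no longer be applied either. Confirm the chart version is pinned to one that supports the resizer, and consider a comment on the `set` block such as `# addon-resizer sizes metrics-server by node count, replacing the fixed replica count`. The `depends_on` list and the rest of the resource continue past the hunk.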
12 changes: 10 additions & 2 deletions k8s_autoscaler.tf
Expand Up @@ -17,7 +17,7 @@ locals {
k8s_minor_version = regex("^\\d+", replace(local.kubernetes_version, "v1.", ""))
}

resource "kubernetes_service_account" "cluster_autoscaler_sa" {
resource "kubernetes_service_account_v1" "cluster_autoscaler_sa" {
count = local.cluster_autoscaler_enabled ? 1 : 0

metadata {
Expand Down Expand Up @@ -48,7 +48,7 @@ resource "kubernetes_secret" "cluster_autoscaler_sa_token" {
type = "kubernetes.io/service-account-token"

depends_on = [
kubernetes_service_account.cluster_autoscaler_sa,
kubernetes_service_account_v1.cluster_autoscaler_sa,
oci_containerengine_node_pool.oci_oke_node_pool]
}

Expand Down Expand Up @@ -304,6 +304,14 @@ resource "kubernetes_deployment" "cluster_autoscaler_deployment" {
oci_containerengine_node_pool.oci_oke_node_pool,
helm_release.metrics_server
]

lifecycle {
ignore_changes = [
spec[0].template[0].spec[0].container[0].env
]
}


}

resource "kubernetes_pod_disruption_budget_v1" "core_dns_pod_disruption_budget" {
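Review bot: The `lifecycle { ignore_changes = [spec[0].template[0].spec[0].container[0].env] }` added in the last hunk also suppresses changes that this module itself makes to the autoscaler container's environment, so a later edit to those env values in the deployment resource (whose body starts above the hunk) plans as a no-op and the running pod keeps its old configuration; a comment naming what rewrites `env` out of band, e.g. `# env is modified outside Terraform after deploy (TODO: name the actor); do not reconcile it`, would let a maintainer judge whether the blanket ignore is still needed. Switching the resource type to `kubernetes_service_account_v1` in the first hunk (and its reference in the second) changes the resource addresses, so on an existing state the service account, and the token `kubernetes_secret` that depends on it, are planned for replacement unless the state entries are migrated to the new addresses (for example by `terraform import` under the new type); the commit description does not mention this. The two consecutive blank lines before the closing `}` are stray.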
32 changes: 24 additions & 8 deletions policies.tf
@@ -1,7 +1,7 @@
## Copyright © 2022, Oracle and/or its affiliates.
## All rights reserved. The Universal Permissive License (UPL), Version 1.0 as shown at http://oss.oracle.com/licenses/upl

# Cluster dynamic group policy needed for nodes to access the encryption key if it was defined
# Policy needed for nodes to access the encryption key if it was defined
resource "oci_identity_policy" "oke_key_access_policy" {
count = (var.enable_secret_encryption && var.secrets_key_id != null) || (var.enable_image_validation && var.image_validation_key_id != null) ? 1 : 0
#Required
Expand All @@ -13,6 +13,22 @@ resource "oci_identity_policy" "oke_key_access_policy" {
var.enable_image_validation && var.image_validation_key_id != null ? "Allow any-user to use keys in tenancy where ALL {request.principal.type = 'cluster', target.key.id='${var.image_validation_key_id}'}" : ""
])
}
locals {
nsg_name = "cluster_${random_string.deploy_id.result}"
}

resource "oci_identity_network_source" "node_pool_network_source" {
provider = oci.home_region
#Required
compartment_id = var.tenancy_ocid
description = "NSG for ${local.nsg_name} autoscaler"
name = local.nsg_name

virtual_source_list {
vcn_id = var.use_existing_vcn ? var.vcn_id : oci_core_vcn.oke_vcn[0].id
ip_ranges = local.node_pool_subnets_cidrs
}
}

resource "oci_identity_policy" "autoscaler_policy" {
count = (var.np1_enable_autoscaler || var.np2_enable_autoscaler || var.np3_enable_autoscaler) ? 1 : 0
Expand All @@ -22,12 +38,12 @@ resource "oci_identity_policy" "autoscaler_policy" {
name = "cluster_autoscaler_${random_string.deploy_id.result}"
provider = oci.home_region
statements = compact([
"Allow any-user to manage cluster-node-pools in compartment id ${var.cluster_compartment_id} where ALL {request.principal.type = 'cluster', request.principal.id = ${oci_containerengine_cluster.oci_oke_cluster.id}}",
"Allow any-user to manage instance-family in compartment id ${var.cluster_compartment_id} where ALL {request.principal.type = 'cluster', request.principal.id = ${oci_containerengine_cluster.oci_oke_cluster.id}}",
"Allow any-user to use subnets in compartment id ${var.vcn_compartment_id} where ALL {request.principal.type = 'cluster', request.principal.id = ${oci_containerengine_cluster.oci_oke_cluster.id}}",
"Allow any-user to read virtual-network-family in compartment id ${var.vcn_compartment_id} where ALL {request.principal.type = 'cluster', request.principal.id = ${oci_containerengine_cluster.oci_oke_cluster.id}}",
"Allow any-user to use vnics in compartment id ${var.vcn_compartment_id} where ALL {request.principal.type = 'cluster', request.principal.id = ${oci_containerengine_cluster.oci_oke_cluster.id}}",
"Allow any-user to inspect compartments in compartment id ${var.cluster_compartment_id} where ALL {request.principal.type = 'cluster', request.principal.id = ${oci_containerengine_cluster.oci_oke_cluster.id}}",
"Allow any-user to inspect compartments in compartment id ${var.vcn_compartment_id} where ALL {request.principal.type = 'cluster', request.principal.id = ${oci_containerengine_cluster.oci_oke_cluster.id}}"
"Allow any-user to manage cluster-node-pools in compartment id ${var.cluster_compartment_id} where ALL {request.networkSource.name='${local.nsg_name}'}",
"Allow any-user to manage instance-family in compartment id ${var.cluster_compartment_id} where ALL {request.networkSource.name='${local.nsg_name}'}",
"Allow any-user to use subnets in compartment id ${var.vcn_compartment_id} where ALL {request.networkSource.name='${local.nsg_name}'}",
"Allow any-user to read virtual-network-family in compartment id ${var.vcn_compartment_id} where ALL {request.networkSource.name='${local.nsg_name}'}",
"Allow any-user to use vnics in compartment id ${var.vcn_compartment_id} where ALL {request.networkSource.name='${local.nsg_name}'}",
"Allow any-user to inspect compartments in compartment id ${var.cluster_compartment_id} where ALL {request.networkSource.name='${local.nsg_name}'}",
"Allow any-user to inspect compartments in compartment id ${var.vcn_compartment_id} where ALL {request.networkSource.name='${local.nsg_name}'}",
])
}
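Review bot: The rewritten statements in the last hunk drop every principal condition, so `Allow any-user to manage instance-family in compartment id ${var.cluster_compartment_id} where ALL {request.networkSource.name='${local.nsg_name}'}` grants manage on instances and node pools in the compartment to any principal `any-user` matches whose call arrives from the node-pool subnet CIDRs listed in `ip_ranges` — every workload on every node in those subnets and any non-OKE host placed there, not just the autoscaler. If the old `request.principal.type = 'cluster'` clause was what denied the autoscaler (its pods presumably do not run as the cluster's resource principal), the narrower fix is a subject condition that does match it — a dynamic group over the node-pool instances, or workload-identity conditions where the cluster supports them — with the network source kept as an additional clause inside the same `ALL { … }` rather than as the only one. The new `oci_identity_network_source` is created unconditionally while `autoscaler_policy` is gated by `count`, and the statements reference it only by name through `local.nsg_name`, so nothing orders the policy after the network source and disabling the autoscaler leaves a stray network source; giving the network source the same `count` and referencing `oci_identity_network_source.node_pool_network_source[0].name` from the statements fixes both. It is also described as an NSG (`description = "NSG for ${local.nsg_name} autoscaler"`) although it is an IAM network source, not a core NSG; `description = "IAM network source for the ${local.nsg_name} autoscaler policy"` is less misleading. `autoscaler_policy` begins in the previous hunk and lines 18–21 of the new file are not shown.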
2 changes: 0 additions & 2 deletions schema.yaml
Expand Up @@ -272,8 +272,6 @@ variables:
- "v1.25.4"
- "v1.24.1"
- "v1.23.4"
- "v1.22.5"
- "v1.21.5"
required: true
default: "v1.25.4"
description: The Kubernetes version for the cluster.
