diff --git a/terraform/oci-oke-cluster/data.tf b/terraform/oci-oke-cluster/data.tf
new file mode 100644
index 0000000..97e3f5d
--- /dev/null
+++ b/terraform/oci-oke-cluster/data.tf
@@ -0,0 +1,22 @@
+data "oci_identity_compartment" "this" {
+ id = var.compartment_ocid
+}
+
+data "oci_identity_availability_domains" "availability_domains" {
+ #Required
+ compartment_id = var.tenancy_ocid
+}
+
+data "oci_core_images" "node_pool_images" {
+ compartment_id = var.compartment_ocid
+ operating_system = "Oracle Linux"
+ operating_system_version = "8"
+ shape = var.node_shape
+ sort_by = "TIMECREATED"
+ sort_order = "DESC"
+}
+
+data "oci_containerengine_cluster_kube_config" "cluster_kube_config" {
+ #Required
+ cluster_id = oci_containerengine_cluster.cluster.id
+}
diff --git a/terraform/oci-oke-cluster/locals.tf b/terraform/oci-oke-cluster/locals.tf
new file mode 100644
index 0000000..7e7373c
--- /dev/null
+++ b/terraform/oci-oke-cluster/locals.tf
@@ -0,0 +1,5 @@
+locals {
+ common_labels = {
+ "TalosCluster" = var.cluster_name
+ }
+}
diff --git a/terraform/oci-oke-cluster/main.tf b/terraform/oci-oke-cluster/main.tf
new file mode 100644
index 0000000..95de8f1
--- /dev/null
+++ b/terraform/oci-oke-cluster/main.tf
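Review bot: The `oci_core_images` query in data.tf is consumed as `images[0]` (in main.tf), so every apply silently selects whatever Oracle Linux 8 image is newest at that moment; node images are therefore not pinned, a plan can roll the whole node pool without any change in this repository, and the `[0]` index errors out if the query returns nothing (for example a shape with no image in the target region). Consider adding a `variable "node_image_id"` with `default = null` and selecting with `image_id = coalesce(var.node_image_id, data.oci_core_images.node_pool_images.images[0].id)` so production deployments can pin a reviewed image while the latest image remains the default. The `oci_identity_compartment.this` data source is not referenced by any file in this diff and appears to be dead; if it is kept, a comment stating what it is for would help. A short header comment on `node_pool_images` noting that it deliberately tracks the newest image would also make the intent explicit.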
@@ -0,0 +1,82 @@
+resource "oci_containerengine_cluster" "cluster" {
+ #Required
+ compartment_id = var.compartment_ocid
+ kubernetes_version = var.cluster_kubernetes_version
+ name = var.cluster_name
+ vcn_id = oci_core_vcn.vcn.id
+
+ endpoint_config {
+
+ #Optional
+ is_public_ip_enabled = true
+ nsg_ids = [oci_core_network_security_group.network_security_group.id]
+ subnet_id = oci_core_subnet.subnet.id
+ }
+ options {
+
+ #Optional
+ add_ons {
+
+ #Optional
+ is_kubernetes_dashboard_enabled = false
+ is_tiller_enabled = false
+ }
+ admission_controller_options {
+
+ #Optional
+ is_pod_security_policy_enabled = false
+ }
+ kubernetes_network_config {
+
+ #Optional
+ pods_cidr = var.pod_subnet_block
+ services_cidr = var.service_subnet_block
+ }
+ persistent_volume_config {
+
+ #Optional
+ freeform_tags = local.common_labels
+ }
+ service_lb_config {
+
+ #Optional
+ freeform_tags = local.common_labels
+ }
+ service_lb_subnet_ids = [oci_core_subnet.subnet.id]
+ }
+ type = "ENHANCED_CLUSTER"
+}
+
+resource "oci_containerengine_node_pool" "node_pool" {
+ #Required
+ cluster_id = oci_containerengine_cluster.cluster.id
+ compartment_id = var.compartment_ocid
+ name = "${var.cluster_name}-primary"
+ node_shape = var.node_shape
+
+ #Optional
+ freeform_tags = local.common_labels
+ kubernetes_version = var.cluster_kubernetes_version
+ node_config_details {
+ #Required
+ placement_configs {
+ #Required
+ availability_domain = data.oci_identity_availability_domains.availability_domains.availability_domains[0].name
+ subnet_id = oci_core_subnet.node_subnet.id
+ }
+ size = var.node_pool_count
+
+ freeform_tags = local.common_labels
+ nsg_ids = [oci_core_network_security_group.network_security_group.id]
+ }
+ node_shape_config {
+ #Optional
+ memory_in_gbs = var.node_memory_in_gbs
+ ocpus = var.node_ocpus
+ }
+ node_source_details {
+ #Required
+ image_id = lookup(data.oci_core_images.node_pool_images.images[0], "id")
+ source_type = "IMAGE"
+ }
+}
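Review bot: `is_public_ip_enabled = true` in `endpoint_config` exposes the Kubernetes API server on a public address, and nothing in this hunk narrows who can reach it: the only NSG attached (`network_security_group`) carries a single EGRESS rule in network.tf, and the endpoint subnet's security list admits all protocols from `0.0.0.0/0`. The public endpoint should be an explicit choice, e.g. `is_public_ip_enabled = var.enable_public_endpoint` with a `default = false`, and when it is enabled an ingress NSG rule limited to TCP/6443 from an administrator CIDR should be attached via `nsg_ids`. Note also that `is_pod_security_policy_enabled = false` is inert on a `v1.30.1` cluster (PodSecurityPolicy was removed from Kubernetes in 1.25); a comment pointing to Pod Security Admission namespace labels as the replacement would save the next reader a search. Finally, `placement_configs` uses only `availability_domains[0]`, so all `node_pool_count` nodes land in one AD; if that is deliberate for the A1.Flex shape, say so in a comment.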
diff --git a/terraform/oci-oke-cluster/network.tf b/terraform/oci-oke-cluster/network.tf
new file mode 100644
index 0000000..32a82d3
--- /dev/null
+++ b/terraform/oci-oke-cluster/network.tf
@@ -0,0 +1,108 @@
+resource "oci_core_vcn" "vcn" {
+ #Required
+ compartment_id = var.compartment_ocid
+
+ #Optional
+ cidr_blocks = var.cidr_blocks
+ display_name = "${var.cluster_name}-vcn"
+ freeform_tags = local.common_labels
+ is_ipv6enabled = true
+}
+resource "oci_core_subnet" "subnet" {
+ #Required
+ cidr_block = var.subnet_block
+ compartment_id = var.compartment_ocid
+ vcn_id = oci_core_vcn.vcn.id
+ prohibit_internet_ingress = false
+ prohibit_public_ip_on_vnic = false
+
+ #Optional
+ display_name = "${var.cluster_name}-subnet"
+ freeform_tags = local.common_labels
+ security_list_ids = [oci_core_security_list.security_list.id]
+ route_table_id = oci_core_route_table.route_table.id
+}
+resource "oci_core_subnet" "node_subnet" {
+ #Required
+ cidr_block = var.node_subnet_block
+ compartment_id = var.compartment_ocid
+ vcn_id = oci_core_vcn.vcn.id
+ prohibit_internet_ingress = false
+ prohibit_public_ip_on_vnic = false
+
+ #Optional
+ display_name = "${var.cluster_name}-subnet"
+ freeform_tags = local.common_labels
+ security_list_ids = [oci_core_security_list.security_list.id]
+ route_table_id = oci_core_route_table.route_table.id
+}
+resource "oci_core_route_table" "route_table" {
+ #Required
+ compartment_id = var.compartment_ocid
+ vcn_id = oci_core_vcn.vcn.id
+
+ #Optional
+ display_name = "${var.cluster_name}-route-table"
+ freeform_tags = local.common_labels
+ route_rules {
+ #Required
+ network_entity_id = oci_core_internet_gateway.internet_gateway.id
+
+ #Optional
+ destination_type = "CIDR_BLOCK"
+ destination = "0.0.0.0/0"
+ }
+}
+
+resource "oci_core_internet_gateway" "internet_gateway" {
+ #Required
+ compartment_id = var.compartment_ocid
+ vcn_id = oci_core_vcn.vcn.id
+
+ #Optional
+ enabled = true
+ display_name = "${var.cluster_name}-internet-gateway"
+ freeform_tags = local.common_labels
+}
+
+resource "oci_core_network_security_group" "network_security_group" {
+ #Required
+ compartment_id = var.compartment_ocid
+ vcn_id = oci_core_vcn.vcn.id
+
+ #Optional
+ display_name = "${var.cluster_name}-security-group"
+ freeform_tags = local.common_labels
+}
+resource "oci_core_network_security_group_security_rule" "allow_all" {
+ network_security_group_id = oci_core_network_security_group.network_security_group.id
+ destination_type = "CIDR_BLOCK"
+ destination = "0.0.0.0/0"
+ protocol = "all"
+ direction = "EGRESS"
+ stateless = false
+}
+
+resource "oci_core_security_list" "security_list" {
+ #Required
+ compartment_id = var.compartment_ocid
+ vcn_id = oci_core_vcn.vcn.id
+
+ #Optional
+ display_name = "${var.cluster_name}-security-list"
+ egress_security_rules {
+ #Required
+ destination = "0.0.0.0/0"
+ protocol = "all"
+
+ stateless = true
+ }
+ freeform_tags = local.common_labels
+ ingress_security_rules {
+ #Required
+ source = "0.0.0.0/0"
+ protocol = "all"
+
+ stateless = true
+ }
+}
diff --git a/terraform/oci-oke-cluster/output.tf b/terraform/oci-oke-cluster/output.tf
new file mode 100644
index 0000000..f2f2ae2
--- /dev/null
+++ b/terraform/oci-oke-cluster/output.tf
@@ -0,0 +1,4 @@
+output "kubeconfig" {
+ value = data.oci_containerengine_cluster_kube_config.cluster_kube_config.content
+ sensitive = true
+}
diff --git a/terraform/oci-oke-cluster/variables.tf b/terraform/oci-oke-cluster/variables.tf
new file mode 100644
index 0000000..7417ef0
--- /dev/null
+++ b/terraform/oci-oke-cluster/variables.tf
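Review bot: The `security_list` resource at the end of this hunk allows ingress from `source = "0.0.0.0/0"` with `protocol = "all"`, and it is attached to both `subnet` (the API endpoint and load-balancer subnet) and `node_subnet`; combined with `prohibit_internet_ingress = false`, `prohibit_public_ip_on_vnic = false` and the default route to `internet_gateway`, every worker node and the control-plane endpoint are reachable from the internet on every port. The NSG does not compensate: `allow_all` is the only rule on `network_security_group` and it is `direction = "EGRESS"`, so no ingress filtering exists anywhere in this module. Split this into two security lists, one for the endpoint subnet that admits only TCP/6443 from an administrator CIDR (plus load-balancer health traffic), and one for the node subnet that admits traffic only from the VCN CIDR and the endpoint subnet, or at minimum make the source a variable rather than a hard-coded `0.0.0.0/0`. Separately, `node_subnet` reuses `display_name = "${var.cluster_name}-subnet"` from `subnet`, which looks like a copy-paste slip; `display_name = "${var.cluster_name}-node-subnet"` would keep the two distinguishable in the console and in audit logs. `is_ipv6enabled = true` on the VCN with no IPv6 rules or prefixes anywhere in the diff also deserves a comment saying whether it is intentional.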
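Review bot: `sensitive = true` on the `kubeconfig` output only redacts it from plan and apply output; the value is still written in cleartext to the Terraform state alongside the `cluster_kube_config` data source result, so whoever can read the state can read the kubeconfig. Add a `description` that records this, for example `description = "Admin kubeconfig for the cluster; stored unencrypted in state, so the state backend must be encrypted and access-restricted"`, and make sure the root module that consumes this output uses a remote backend with encryption and restricted IAM access rather than local state.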
@@ -0,0 +1,68 @@
+variable "compartment_ocid" {
+ sensitive = true
+}
+variable "tenancy_ocid" {
+ sensitive = true
+}
+variable "user_ocid" {
+ sensitive = true
+}
+variable "fingerprint" {
+ sensitive = true
+}
+variable "private_key_path" {
+ default = "~/.oci/oci_main_terraform.pem"
+ sensitive = true
+}
+variable "instance_availability_domain" {
+ default = null
+}
+variable "region" {
+ description = "the OCI region where resources will be created"
+ type = string
+ default = null
+}
+variable "cluster_name" {
+ type = string
+ default = "cncfoke"
+}
+variable "cluster_kubernetes_version" {
+ type = string
+ default = "v1.30.1"
+}
+variable "cidr_blocks" {
+ type = set(string)
+ default = ["10.0.0.0/16"]
+}
+variable "subnet_block" {
+ type = string
+ default = "10.0.0.0/24"
+}
+variable "pod_subnet_block" {
+ type = string
+ default = "10.32.0.0/12"
+}
+variable "service_subnet_block" {
+ type = string
+ default = "10.200.0.0/21"
+}
+variable "node_subnet_block" {
+ type = string
+ default = "10.0.7.0/24"
+}
+variable "node_shape" {
+ type = string
+ default = "VM.Standard.A1.Flex"
+}
+variable "node_memory_in_gbs" {
+ type = number
+ default = 128
+}
+variable "node_ocpus" {
+ type = number
+ default = 8
+}
+variable "node_pool_count" {
+ type = number
+ default = 3
+}
diff --git a/terraform/oci-oke-cluster/versions.tf b/terraform/oci-oke-cluster/versions.tf
new file mode 100644
index 0000000..c056b79
--- /dev/null
+++ b/terraform/oci-oke-cluster/versions.tf
@@ -0,0 +1,17 @@
+terraform {
+ required_providers {
+ oci = {
+ source = "oracle/oci"
+ version = "6.7.0" # TODO include version in project root providers
+ }
+ }
+ required_version = ">= 1.2"
+}
+
+provider "oci" {
+ tenancy_ocid = var.tenancy_ocid
+ user_ocid = var.user_ocid
+ private_key_path = var.private_key_path
+ fingerprint = var.fingerprint
+ region = var.region
+}
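Review bot: The first six variables (`compartment_ocid` through `instance_availability_domain`) declare no `type` and no `description`, unlike `region` and the rest of the file, so a wrong value type is only caught when the provider rejects it and a reader has no hint what each OCID refers to; add `type = string` and a one-line `description` to each for consistency with `region`. `instance_availability_domain` is not referenced by any file in this diff and looks like a leftover that should be removed or documented. The `private_key_path` default of `~/.oci/oci_main_terraform.pem` bakes one developer's local layout into the module; a `description` stating that the file is the API signing key for `user_ocid` and that CI must override it would make the expectation explicit.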
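Review bot: The `provider "oci"` block hard-wires API-key authentication: `tenancy_ocid`, `user_ocid` and `fingerprint` have no defaults in variables.tf, so a plan cannot run without a long-lived user key even on an OCI-hosted CI runner where instance or resource principals would avoid distributing a private key. Consider routing the auth method through a variable on the provider's `auth` argument (instance-principal or resource-principal modes exist for that purpose) and making the four API-key inputs optional with `default = null`, so the key-based path stays the default for laptops but is not the only path. The exact `version = "6.7.0"` pin with its TODO is fine for now, but a short comment saying that the dependency lock file is the real pin and this constraint should widen to `~> 6.7` once it moves to the root providers block would record the intent.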