feat: added stern, update istio-mc examples module (#967)

* feat: added stern, update istio-mc examples module

Signed-off-by: Ali <[email protected]>

* chore: formatting of istio examples
fix: set default install_stern value to false

Signed-off-by: Ali <[email protected]>

---------

Signed-off-by: Ali <[email protected]>

Author: hyder

examples/istio-mc/c1.tf

@@ -4,13 +4,13 @@
 module "c1" {
 
   source  = "oracle-terraform-modules/oke/oci"
-  version = "5.1.1"
+  version = "5.2.2"
 
   count = lookup(lookup(var.clusters, "c1"), "enabled") ? 1 : 0
 
   home_region = lookup(local.regions, var.home_region)
-  
-  region      = lookup(local.regions, lookup(lookup(var.clusters, "c1"), "region"))
+
+  region = lookup(local.regions, lookup(lookup(var.clusters, "c1"), "region"))
 
   tenancy_id = var.tenancy_id
 
@@ -23,7 +23,7 @@ module "c1" {
 
   # networking
   create_drg       = var.oke_control_plane == "private" ? true : false
-  drg_display_name = "c1"
+  drg_display_name = "c1-drg"
 
   remote_peering_connections = var.oke_control_plane == "private" ? {
     for k, v in var.clusters : "rpc-to-${k}" => {} if k != "c1"
@@ -51,7 +51,6 @@ module "c1" {
     int_lb   = { newbits = 11, netnum = 16, dns_label = "ilb" }
     pub_lb   = { newbits = 11, netnum = 17, dns_label = "plb" }
     workers  = { newbits = 2, netnum = 1, dns_label = "workers" }
-    pods     = { newbits = 2, netnum = 2, dns_label = "pods" }
   }
 
   # bastion host
@@ -78,32 +77,54 @@ module "c1" {
 
 
   # node pools
-  allow_worker_ssh_access           = true
-  kubeproxy_mode                    = "iptables"
-  worker_pool_mode                  = "node-pool"
-  worker_pools                      = var.nodepools
-  worker_cloud_init                 = local.worker_cloud_init
-  worker_image_type                 = "oke"
+  allow_worker_ssh_access = true
+  kubeproxy_mode          = "iptables"
+  worker_pool_mode        = "node-pool"
+  worker_pools            = var.nodepools
+  worker_cloud_init       = local.worker_cloud_init
+  worker_image_type       = "oke"
 
   # oke load balancers
   load_balancers          = "both"
   preferred_load_balancer = "public"
 
-  allow_rules_internal_lb = {
+  allow_rules_internal_lb = merge({
     for p in local.service_mesh_ports :
-
-    format("Allow ingress to port %v", p) => {
-      protocol = local.tcp_protocol, port = p, source = lookup(lookup(var.clusters, "c2"), "vcn"), source_type = local.rule_type_cidr,
+    format("Allow ingress to port %v from cluster c2 for Istio", p) => {
+      protocol    = local.tcp_protocol, port = p, source = lookup(lookup(var.clusters, "c2"), "vcn"),
+      source_type = local.rule_type_cidr,
     }
-  }
-
-  allow_rules_public_lb = {
+    },
+    {
+      for c in var.clusters : format("Allow TCP ingress from cluster %v for Cilium clustermesh", lookup(c, "name")) => {
+        protocol = local.tcp_protocol, port = 2379, source = lookup(c, "vcn"), source_type = local.rule_type_cidr,
+      } if lookup(c, "name") != "c1"
+    },
+    {
+      for c in var.clusters :
+      format("Allow UDP ingress from cluster %v for cross-cluster DNS lookup via NLB for Coherence WKA", lookup(c, "name"))
+      => {
+        protocol = local.udp_protocol, port = 53, source = lookup(c, "vcn"), source_type = local.rule_type_cidr,
+      } if lookup(c, "name") != "c1"
+    },
+  )
+
+  allow_rules_public_lb = merge({
     for p in local.public_lb_allowed_ports :
-
     format("Allow ingress to port %v", p) => {
       protocol = local.tcp_protocol, port = p, source = "0.0.0.0/0", source_type = local.rule_type_cidr,
     }
-  }
+    },
+  )
+
+  allow_rules_workers = merge(
+    {
+      for c in var.clusters :
+      format("Allow UDP ingress to workers from cluster %v for default VXLAN", lookup(c, "name")) => {
+        protocol = local.udp_protocol, port = 8472, source = lookup(c, "vcn"), source_type = local.rule_type_cidr,
+      } if lookup(c, "name") != "c1"
+    },
+  )
 
   user_id = var.user_id
 

examples/istio-mc/c2.tf

@@ -4,13 +4,13 @@
 module "c2" {
 
   source  = "oracle-terraform-modules/oke/oci"
-  version = "5.1.1"
+  version = "5.2.2"
 
   count = lookup(lookup(var.clusters, "c2"), "enabled") ? 1 : 0
 
   home_region = lookup(local.regions, var.home_region)
-  
-  region      = lookup(local.regions, lookup(lookup(var.clusters, "c2"), "region"))
+
+  region = lookup(local.regions, lookup(lookup(var.clusters, "c2"), "region"))
 
   tenancy_id = var.tenancy_id
 
@@ -49,7 +49,6 @@ module "c2" {
     int_lb  = { newbits = 11, netnum = 16, dns_label = "ilb" }
     pub_lb  = { newbits = 11, netnum = 17, dns_label = "plb" }
     workers = { newbits = 2, netnum = 1, dns_label = "workers" }
-    pods    = { newbits = 2, netnum = 2, dns_label = "pods" }
   }
 
   # bastion host
@@ -76,32 +75,53 @@ module "c2" {
 
 
   # node pools
-  kubeproxy_mode                    = "iptables"
-  worker_pool_mode                  = "node-pool"
-  worker_pools                      = var.nodepools
-  worker_cloud_init                 = local.worker_cloud_init
-  worker_image_type                 = "oke"
+  kubeproxy_mode    = "iptables"
+  worker_pool_mode  = "node-pool"
+  worker_pools      = var.nodepools
+  worker_cloud_init = local.worker_cloud_init
+  worker_image_type = "oke"
 
   # oke load balancers
   load_balancers          = "both"
   preferred_load_balancer = "public"
 
-  allow_rules_internal_lb = {
+  allow_rules_internal_lb = merge({
     for p in local.service_mesh_ports :
-
-    format("Allow ingress to port %v", p) => {
-      protocol = local.tcp_protocol, port = p, source = lookup(lookup(var.clusters, "c1"), "vcn"), source_type = local.rule_type_cidr,
+    format("Allow ingress to port %v  from cluster c1", p) => {
+      protocol    = local.tcp_protocol, port = p, source = lookup(lookup(var.clusters, "c1"), "vcn"),
+      source_type = local.rule_type_cidr,
     }
-  }
-
-  allow_rules_public_lb = {
-
+    },
+    {
+      for c in var.clusters : format("Allow TCP ingress from cluster %v for Cilium clustermesh", lookup(c, "name")) => {
+        protocol = local.tcp_protocol, port = 2379, source = lookup(c, "vcn"), source_type = local.rule_type_cidr,
+      } if lookup(c, "name") != "c2"
+    },
+    {
+      for c in var.clusters :
+      format("Allow UDP ingress from cluster %v for cross-cluster DNS lookup via NLB for Coherence WKA", lookup(c, "name"))
+      => {
+        protocol = local.udp_protocol, port = 53, source = lookup(c, "vcn"), source_type = local.rule_type_cidr,
+      } if lookup(c, "name") != "c2"
+    },
+  )
+
+  allow_rules_public_lb = merge({
     for p in local.public_lb_allowed_ports :
-
     format("Allow ingress to port %v", p) => {
       protocol = local.tcp_protocol, port = p, source = "0.0.0.0/0", source_type = local.rule_type_cidr,
     }
-  }
+    },
+  )
+
+  allow_rules_workers = merge(
+    {
+      for c in var.clusters :
+      format("Allow UDP ingress to workers from cluster %v for default VXLAN", lookup(c, "name")) => {
+        protocol = local.udp_protocol, port = 8472, source = lookup(c, "vcn"), source_type = local.rule_type_cidr
+      } if lookup(c, "name") != "c2"
+    },
+  )
 
   user_id = var.user_id
 

examples/istio-mc/istio.tf

@@ -2,27 +2,27 @@
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl
 
 locals {
-    istio_c1 = templatefile("${path.module}/resources/istio.template.yaml",
-      {
-        mesh_id          = var.istio_mesh_id
-        cluster          = "c1"
-        mesh_network     = "c1"
-        pub_nsg_id       = one(element([module.c1[*].pub_lb_nsg_id], 0))
-        int_lb_subnet_id = one(element([module.c1[*].int_lb_subnet_id], 0))
-        int_nsg_id       = one(element([module.c1[*].int_lb_nsg_id], 0))
-      }
-    )
+  istio_c1 = templatefile("${path.module}/resources/istio.template.yaml",
+    {
+      mesh_id          = var.istio_mesh_id
+      cluster          = "c1"
+      mesh_network     = "c1"
+      pub_nsg_id       = one(element([module.c1[*].pub_lb_nsg_id], 0))
+      int_lb_subnet_id = one(element([module.c1[*].int_lb_subnet_id], 0))
+      int_nsg_id       = one(element([module.c1[*].int_lb_nsg_id], 0))
+    }
+  )
 
-    istio_c2 = templatefile("${path.module}/resources/istio.template.yaml",
-      {
-        mesh_id          = var.istio_mesh_id
-        cluster          = "c2"
-        mesh_network     = "c2"
-        pub_nsg_id       = one(element([module.c2[*].pub_lb_nsg_id], 0))
-        int_lb_subnet_id = one(element([module.c2[*].int_lb_subnet_id], 0))
-        int_nsg_id       = one(element([module.c2[*].int_lb_nsg_id], 0))
-      }
-    )
+  istio_c2 = templatefile("${path.module}/resources/istio.template.yaml",
+    {
+      mesh_id          = var.istio_mesh_id
+      cluster          = "c2"
+      mesh_network     = "c2"
+      pub_nsg_id       = one(element([module.c2[*].pub_lb_nsg_id], 0))
+      int_lb_subnet_id = one(element([module.c2[*].int_lb_subnet_id], 0))
+      int_nsg_id       = one(element([module.c2[*].int_lb_nsg_id], 0))
+    }
+  )
 }
 
 resource "null_resource" "istio" {

examples/istio-mc/locals.tf

@@ -20,7 +20,7 @@ locals {
   bastion_ip = one(element([module.c1[*].bastion_public_ip], 0))
 
   operator_ip = one(element([module.c1[*].operator_private_ip], 0))
-  
+
   # TODO: check when is 15021 required for public
   public_lb_allowed_ports = [80, 443, 15021]
 

examples/istio-mc/outputs.tf

@@ -3,5 +3,5 @@
 
 output "ssh_to_operator" {
   description = "convenient command to ssh to the Admin operator host"
-  value       = one(element([module.c1[*].ssh_to_operator],0))
+  value       = one(element([module.c1[*].ssh_to_operator], 0))
 }

examples/istio-mc/providers.tf

@@ -4,7 +4,7 @@
 provider "oci" {
   fingerprint         = var.api_fingerprint
   private_key_path    = var.api_private_key_path
-  region              = lookup(local.regions,var.home_region)
+  region              = lookup(local.regions, var.home_region)
   tenancy_ocid        = var.tenancy_id
   user_ocid           = var.user_id
   alias               = "home"
@@ -14,7 +14,7 @@ provider "oci" {
 provider "oci" {
   fingerprint         = var.api_fingerprint
   private_key_path    = var.api_private_key_path
-  region              = lookup(local.regions,lookup(lookup(var.clusters,"c1"),"region"))
+  region              = lookup(local.regions, lookup(lookup(var.clusters, "c1"), "region"))
   tenancy_ocid        = var.tenancy_id
   user_ocid           = var.user_id
   alias               = "c1"
@@ -24,7 +24,7 @@ provider "oci" {
 provider "oci" {
   fingerprint         = var.api_fingerprint
   private_key_path    = var.api_private_key_path
-  region              = lookup(local.regions,lookup(lookup(var.clusters,"c2"),"region"))
+  region              = lookup(local.regions, lookup(lookup(var.clusters, "c2"), "region"))
   tenancy_ocid        = var.tenancy_id
   user_ocid           = var.user_id
   alias               = "c2"

examples/istio-mc/terraform.tfvars.example

@@ -1,4 +1,4 @@
-# provider
+    # provider
 api_fingerprint = ""
 
 api_private_key_path = "~/.oci/oci_rsa.pem"

examples/istio-mc/variables.tf

@@ -61,7 +61,7 @@ variable "clusters" {
 }
 
 variable "kubernetes_version" {
-  default     = "v1.28.2"
+  default     = "v1.30.1"
   description = "The version of Kubernetes to use."
   type        = string
 }

module-operator.tf

@@ -64,6 +64,7 @@ module "operator" {
   install_k9s               = var.operator_install_k9s
   install_kubectx           = var.operator_install_kubectx
   install_kubectl_from_repo = var.operator_install_kubectl_from_repo
+  install_stern             = var.operator_install_stern
   kubeconfig                = yamlencode(local.kubeconfig_private)
   kubernetes_version        = var.kubernetes_version
   nsg_ids                   = compact(flatten([var.operator_nsg_ids, try(module.network.operator_nsg_id, null)]))

modules/operator/cloudinit.tf

@@ -32,6 +32,7 @@ data "cloudinit_config" "operator" {
         "git",
         "jq",
         "python3-oci-cli",
+        "golang",
         var.install_helm ? "helm" : null,
         var.install_istioctl ? "istio-istioctl" : null,
         var.install_kubectl_from_repo ? "kubectl": null,
@@ -193,6 +194,23 @@ data "cloudinit_config" "operator" {
     }
   }
 
+  # stern installation
+  dynamic "part" {
+    for_each = var.install_kubectx ? [1] : []
+    content {
+      content_type = "text/cloud-config"
+      content = jsonencode({
+        runcmd = [
+          "go install github.com/stern/[email protected]",
+          "mv $HOME/go/bin/stern /usr/local/bin/",
+          "ln -s /usr/local/bin/stern /usr/bin/stern"
+        ]
+      })
+      filename   = "20-stern.yml"
+      merge_type = local.default_cloud_init_merge_type
+    }
+  }
+
   # Write user bashrc to filesystem
   part {
     content_type = "text/cloud-config"

modules/operator/variables.tf

@@ -23,6 +23,7 @@ variable "install_kubectl_from_repo" {
   default = true
 }
 variable "install_kubectx" { type = bool }
+variable "install_stern" { type = bool }
 variable "kubeconfig" { type = string }
 variable "kubernetes_version" { type = string }
 variable "nsg_ids" { type = list(string) }

variables-operator.tf

@@ -89,6 +89,12 @@ variable "operator_install_kubectx" {
   type        = bool
 }
 
+variable "operator_install_stern" {
+  default = false
+  description = "Whether to install stern on the created operator host. NOTE: Provided only as a convenience and not supported by or sourced from Oracle - use at your own risk."
+  type = bool
+}
+
 variable "operator_shape" {
   default = {
     shape            = "VM.Standard.E4.Flex",