Merge branch 'karthicgit-master'

CHANGELOG.adoc

@@ -7,6 +7,10 @@ All notable changes to this project are documented in this file.
 
 The format is based on {uri-changelog}[Keep a Changelog].
 
+== 2.2.0 (May 4, 2020)
+* Use OCI Secret in Vault to retrieve Auth Token for creating Kubernetes secret for OCIR. This allows reuse of existing Auth Tokens (#153)
+* Added Montreal as supported region (#160)
+
 == 2.1.6 (April 13, 2020)
 * Fixed issue with admin host ordering of oci-cli installation, instance_principal creation and kubeconfig generation (#143)
 * Upgraded base module to 1.1.3 to be able to detect when admin instance_principal is ready

docs/configuration.adoc

@@ -24,6 +24,7 @@
 :uri-metrics-server: https://github.com/kubernetes-incubator/metrics-server
 :uri-networks-subnets-cidr: https://erikberg.com/notes/networks.html
 :uri-oci-authtoken: https://docs.cloud.oracle.com/iaas/Content/Registry/Tasks/registrygettingauthtoken.htm
+:uri-oci-secret: https://docs.cloud.oracle.com/en-us/iaas/Content/KeyManagement/Tasks/managingsecrets.htm
 :uri-oci: https://cloud.oracle.com/cloud-infrastructure
 :uri-oci-documentation: https://docs.cloud.oracle.com/iaas/Content/home.htm
 :uri-oci-instance-principal: https://docs.cloud.oracle.com/iaas/Content/Identity/Tasks/callingservicesfrominstances.htm
@@ -188,7 +189,7 @@ Refer to {uri-topology}[topology] for more thorough examples.
 
 === Configure OCIR parameters
 
-The {uri-oci-ocir}[OCIR] parameters control the creation of an {uri-oci-authtoken}[Auth Token] for the user in OCI. The Auth Token is then subsequently used to create a Kubernetes secret, which can then be used as an imagePullSecrets in a deployment.
+The {uri-oci-authtoken}#[Auth Token] must first be manually created and stored in {uri-oci-secret}#[OCI Secret in Vault]. It will subsequently be used to create a Kubernetes secret, which can then be used as an imagePullSecrets in a deployment. If you do not need to use private OCIR repositories, then leave the *secret_id* parameter empty. Refer to the {uri-instructions}#creating-a-secret-for-ocir[instructions] for how to create the Auth Token and the Secret in Vault.
 
 The secret is created in the kube-system namespace. To copy it to your namespace, use the following command:
 

docs/dependencies.adoc

@@ -40,7 +40,7 @@ The following table documents the {uri-terraform-options}[Terraform Options] dep
 
 |ocir secret
 |Whether to create an authentication secret for OCIR
-|bastion_enabled = true, admin_enabled = true, admin_instance_principal = true, create_auth_token = true
+|bastion_enabled = true, admin_enabled = true, admin_instance_principal = true, secret_id = secret ocid
 
 |use_encryption
 |Uses OCI KMS to encrypt data in OKE's underlying etcd

docs/instructions.adoc

@@ -28,6 +28,8 @@
 :uri-oci-manage-dynamic-groups: https://docs.cloud.oracle.com/iaas/Content/Identity/Tasks/managingdynamicgroups.htm
 :uri-oci-manage-policies: https://docs.cloud.oracle.com/iaas/Content/Identity/Tasks/managingpolicies.htm
 :uri-oci-ocir: https://docs.cloud.oracle.com/iaas/Content/Registry/Concepts/registryoverview.htm
+:uri-oci-secret: https://docs.cloud.oracle.com/en-us/iaas/Content/KeyManagement/Tasks/managingsecrets.htm
+:uri-oci-authtoken: https://docs.cloud.oracle.com/iaas/Content/Registry/Tasks/registrygettingauthtoken.htm
 :uri-oke: https://docs.cloud.oracle.com/iaas/Content/ContEng/Concepts/contengoverview.htm
 :uri-oracle: https://www.oracle.com
 :uri-prereqs: {uri-docs}/prerequisites.adoc
@@ -55,7 +57,7 @@
 .. link:#disabling-instance_principal-on-the-admin-host[Disabling instance_principal on the admin host]
 .. link:#recommendations-for-using-instance_principal[Recommendations for using instance_principal]
 . link:#interacting-with-the-oke-cluster[Interacting with the OKE Cluster locally]
-. link:#creating-an-auth-token-for-ocir[Creating an auth token for OCIR]
+. link:#creating-a-secret-for-ocir[Creating a Secret for OCIR]
 . link:#installing-helm[Installing helm]
 . link:#installing-calico[Installing Calico]
 . link:#installing-kubernetes-metrics-server[Installing Kubernetes Metrics Server]
@@ -218,9 +220,18 @@ export KUBECONFIG=generated/kubeconfig
 *Ensure you install the same kubectl version as the OKE Kubernetes version for compatibility.*
 ****
 
-=== Creating an auth token for OCIR
+=== Creating a Secret for OCIR
 
-{uri-oci-ocir}[Oracle Cloud Infrastructure Registry] is a highly available private container registry service for storing and sharing container images within the same regions as the OKE Cluster. To pull images from OCIR, set the parameter *create_auth_token = true* in terraform.tfvars. Refer to {uri-terraform-options}#ocir[OCIR parameters] for other parameters to be set.
+{uri-oci-ocir}[Oracle Cloud Infrastructure Registry] is a highly available private container registry service for storing and sharing container images within the same regions as the OKE Cluster. Use the following rules to determine if you need to create a Kubernetes Secret for OCIR:
+
+* If your container repository is public, you do not need to create a secret. 
+* If your container repository is private, you need to create a secret before OKE can pull your images from the private repository. 
+
+If you plan on creating a Kubernetes Secret for OCIR, you must first {uri-oci-authtoken}[create an Auth Token]. Copy and temporarily save the value of the Auth Token.
+
+You must then {uri-oci-secret}[create a Secret in OCI Vault to store] the value of the Auth Token in it. 
+
+Finally, assign the Secret OCID to *secret_id* in terraform.tfvars. Refer to {uri-terraform-options}#ocir[OCIR parameters] for other parameters to be set.
 
 === Installing helm
 

docs/terraformoptions.adoc

@@ -510,23 +510,24 @@ Refer to {uri-topology}[topology] for more thorough examples.
 |Values
 |Default
 
-|create_auth_token
-|Whether to create an Auth Token. The Auth Token is then subsequently used to create a Kubernetes secret, which can then be used as an imagePullSecrets in a deployment.
-|true/false
-|false
+|secret_id
+|The id of the Secret in Vault where the Auth Token is stored.
+|
+|null
+
 
 |email_address
-|The email address to be used when creating the Docker secret. *Required* if _create_auth_token_ is set to *true*.
+|The email address to be used when creating the Docker secret. *Required* if secret_id is set.
 |
 |None
 
 |tenancy_name
-|The *_name_* of the tenancy to be used when creating the Docker secret.  This is different from tenancy_id. *Required* if _create_auth_token_ is set to *true*.
+|The *_name_* of the tenancy to be used when creating the Docker secret.  This is different from tenancy_id. *Required* if secret_id is set.
 |
 |None
 
 |username
-|The username that can login to the selected tenancy. This is different from tenancy_id. *Required* if _create_auth_token_ is set to *true*.
+|The username that can login to the selected tenancy. This is different from tenancy_id. *Required* if secret_id is set.
 |
 |None
 
@@ -637,4 +638,4 @@ Refer to {uri-topology}[topology] for more thorough examples.
 |
 |
 
-|===
+|===

locals.tf

@@ -72,10 +72,10 @@ locals {
     api_fingerprint      = var.api_fingerprint
     api_private_key_path = var.api_private_key_path
     compartment_id       = var.compartment_id
-    create_auth_token    = var.create_auth_token
     home_region          = module.base.home_region
     tenancy_id           = var.tenancy_id
     user_id              = var.user_id
+
   }
 
   oke_general = {
@@ -138,13 +138,11 @@ locals {
   }
 
   oke_ocir = {
-    auth_token        = module.auth.ocirtoken
-    create_auth_token = var.create_auth_token
     email_address     = var.email_address
-    ocirtoken_id      = module.auth.ocirtoken_id
     ocir_urls         = var.ocir_urls
     tenancy_name      = var.tenancy_name
     username          = var.username
+    secret_id         = var.secret_id
   }
 
   helm = {

main.tf

@@ -48,13 +48,6 @@ module "policies" {
   cluster_id = module.oke.cluster_id
 }
 
-module "auth" {
-  source = "./modules/auth"
-
-  # ocir parameters
-  ocir = local.ocir
-}
-
 # additional networking for oke
 module "network" {
   source = "./modules/okenetwork"
@@ -114,4 +107,5 @@ module "oke" {
 
   # service account
   service_account = local.service_account
+
 }

modules/oke/scripts/secret.py

@@ -0,0 +1,46 @@
+#!/usr/bin/python3
+# Copyright 2017, 2019, Oracle Corporation and/or affiliates.  All rights reserved.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl
+# Derived and adapted from https://www.ateam-oracle.com/secure-way-of-managing-secrets-in-oci
+
+import os,sys,base64,subprocess,re
+
+import oci
+
+compartment_id  = '${compartment_id}'
+region          = '${region}'
+secret_id       = '${secret_id}'
+email_address   = '${email_address}'
+region_registry = '${region_registry}'
+tenancy_name    = '${tenancy_name}'
+username        = '${username}'
+
+signer = oci.auth.signers.InstancePrincipalsSecurityTokenSigner()
+
+identity_client = oci.identity.IdentityClient(config={}, signer=signer)
+
+secret_client = oci.secrets.SecretsClient(config={'region': region}, signer=signer)
+
+def read_secret_value(secret_client, secret_id):
+    response = secret_client.get_secret_bundle(secret_id)
+
+    base64_Secret_content = response.data.secret_bundle_content.content
+    base64_secret_bytes = base64_Secret_content.encode('ascii')
+    base64_message_bytes = base64.b64decode(base64_secret_bytes)
+    secret_content = base64_message_bytes.decode('ascii')
+
+    return secret_content
+
+try:
+    secret_content = read_secret_value(secret_client, secret_id=secret_id)
+    secret_content = re.escape(secret_content)
+    delsecret = "kubectl -n default delete secret ocirsecret"
+    os.system(delsecret)
+
+    crtsecret = ("kubectl create secret docker-registry ocirsecret -n default --docker-server=${region_registry} --docker-username=${tenancy_name}/${username} --docker-email=${email_address} --docker-password=%s" % secret_content)
+
+    subprocess.call(["/bin/bash" , "-c" , crtsecret])
+
+except Exception as e:
+    print(e.message)
+    print("Please check Secret OCID assigned to secret_id variable")

modules/oke/secrets.tf

@@ -0,0 +1,53 @@
+# # Copyright 2017, 2019, Oracle Corporation and/or affiliates.  All rights reserved.
+# # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl
+
+ data "template_file" "secret" {
+   template = file("${path.module}/scripts/secret.py")
+
+   vars = {
+     compartment_id  = var.oke_identity.compartment_id
+     region          = var.oke_general.region
+     secret_id       = var.oke_ocir.secret_id
+     email_address   = var.oke_ocir.email_address
+     region_registry = var.oke_ocir.ocir_urls[var.oke_general.region]
+     tenancy_name    = var.oke_ocir.tenancy_name
+     username        = var.oke_ocir.username
+
+   }
+   count = var.oke_admin.admin_enabled == true && var.oke_admin.admin_instance_principal == true && var.oke_ocir.secret_id != null ? 1 : 0
+ }
+
+ resource null_resource "secret" {
+   triggers = {
+    secret_id = var.oke_ocir.secret_id
+  }
+   connection {
+     host        = var.oke_admin.admin_private_ip
+     private_key = file(var.oke_ssh_keys.ssh_private_key_path)
+     timeout     = "40m"
+     type        = "ssh"
+     user        = "opc"
+
+     bastion_host        = var.oke_admin.bastion_public_ip
+     bastion_user        = "opc"
+     bastion_private_key = file(var.oke_ssh_keys.ssh_private_key_path)
+   }
+
+   depends_on = [null_resource.write_kubeconfig_on_admin]
+
+   provisioner "file" {
+     content     = data.template_file.secret[0].rendered
+     destination = "~/secret.py"
+   }
+
+   provisioner "remote-exec" {
+     inline = [
+       "chmod +x $HOME/secret.py",
+       "$HOME/secret.py",
+       "sleep 10",
+       "rm -f $HOME/secret.py"
+     ]
+   }
+
+   count = var.oke_admin.admin_enabled == true && var.oke_admin.admin_instance_principal == true && var.oke_ocir.secret_id != null ? 1 : 0
+ }