From ed499795fd0ad55d28f4a946bfb64b1e127cefaa Mon Sep 17 00:00:00 2001 From: Karthic Ravindran Date: Sat, 25 Apr 2020 20:34:29 +0530 Subject: [PATCH 1/7] Changes for Oracle Vault Secret Signed-off-by: Karthic Ravindran --- docs/dependencies.adoc | 2 +- docs/instructions.adoc | 2 +- docs/terraformoptions.adoc | 14 +++---- locals.tf | 6 +-- main.tf | 8 +--- modules/auth/authtoken.tf | 9 ----- modules/auth/outputs.tf | 10 ----- modules/auth/provider.tf | 12 ------ modules/auth/variables.tf | 14 ------- modules/oke/ocir.tf | 73 ----------------------------------- modules/oke/scripts/secret.py | 43 +++++++++++++++++++++ modules/oke/secrets.tf | 53 +++++++++++++++++++++++++ modules/oke/serviceaccount.tf | 2 +- modules/oke/variables.tf | 6 +-- outputs.tf | 10 ++--- terraform.tfvars.example | 3 +- variables.tf | 9 +++-- 17 files changed, 124 insertions(+), 152 deletions(-) delete mode 100644 modules/auth/authtoken.tf delete mode 100644 modules/auth/outputs.tf delete mode 100644 modules/auth/provider.tf delete mode 100644 modules/auth/variables.tf delete mode 100644 modules/oke/ocir.tf create mode 100644 modules/oke/scripts/secret.py create mode 100644 modules/oke/secrets.tf diff --git a/docs/dependencies.adoc b/docs/dependencies.adoc index d4012760..ff344647 100644 --- a/docs/dependencies.adoc +++ b/docs/dependencies.adoc @@ -40,7 +40,7 @@ The following table documents the {uri-terraform-options}[Terraform Options] dep |ocir secret |Whether to create an authentication secret for OCIR -|bastion_enabled = true, admin_enabled = true, admin_instance_principal = true, create_auth_token = true +|bastion_enabled = true, admin_enabled = true, admin_instance_principal = true, secret_id = secret ocid |use_encryption |Uses OCI KMS to encrypt data in OKE's underlying etcd diff --git a/docs/instructions.adoc b/docs/instructions.adoc index 6d4f89f3..856ca07b 100644 --- a/docs/instructions.adoc +++ b/docs/instructions.adoc 
@@ -220,7 +220,7 @@ export KUBECONFIG=generated/kubeconfig === Creating an auth token for OCIR -{uri-oci-ocir}[Oracle Cloud Infrastructure Registry] is a highly available private container registry service for storing and sharing container images within the same regions as the OKE Cluster. To pull images from OCIR, set the parameter *create_auth_token = true* in terraform.tfvars. Refer to {uri-terraform-options}#ocir[OCIR parameters] for other parameters to be set. +{uri-oci-ocir}[Oracle Cloud Infrastructure Registry] is a highly available private container registry service for storing and sharing container images within the same regions as the OKE Cluster. To pull images from OCIR, set the parameter *secret_id = * in terraform.tfvars. Refer to {uri-terraform-options}#ocir[OCIR parameters] for other parameters to be set. === Installing helm diff --git a/docs/terraformoptions.adoc b/docs/terraformoptions.adoc index ba9d249b..3cae2d08 100644 --- a/docs/terraformoptions.adoc +++ b/docs/terraformoptions.adoc 
@@ -510,23 +510,23 @@ Refer to {uri-topology}[topology] for more thorough examples. |Values |Default -|create_auth_token -|Whether to create an Auth Token. The Auth Token is then subsequently used to create a Kubernetes secret, which can then be used as an imagePullSecrets in a deployment. -|true/false -|false +|secret_id +|The Auth Token is stored in Oracle Vault Secret and then subsequently used to create a Kubernetes secret, which can then be used as an imagePullSecrets in a deployment. +|secret ocid + |email_address -|The email address to be used when creating the Docker secret. *Required* if _create_auth_token_ is set to *true*. +|The email address to be used when creating the Docker secret. *Required* if secret_id is set. | |None |tenancy_name -|The *_name_* of the tenancy to be used when creating the Docker secret. This is different from tenancy_id. *Required* if _create_auth_token_ is set to *true*. +|The *_name_* of the tenancy to be used when creating the Docker secret. This is different from tenancy_id. *Required* if secret_id is set. | |None |username -|The username that can login to the selected tenancy. This is different from tenancy_id. *Required* if _create_auth_token_ is set to *true*. +|The username that can login to the selected tenancy. This is different from tenancy_id. *Required* if secret_id is set. | |None diff --git a/locals.tf b/locals.tf index 4ea69398..868bce56 100644 --- a/locals.tf +++ b/locals.tf @@ -72,10 +72,10 @@ locals { api_fingerprint = var.api_fingerprint api_private_key_path = var.api_private_key_path compartment_id = var.compartment_id - create_auth_token = var.create_auth_token home_region = module.base.home_region tenancy_id = var.tenancy_id user_id = var.user_id + } oke_general = { 
@@ -138,13 +138,11 @@ locals { } oke_ocir = { - auth_token = module.auth.ocirtoken - create_auth_token = var.create_auth_token email_address = var.email_address - ocirtoken_id = module.auth.ocirtoken_id ocir_urls = var.ocir_urls tenancy_name = var.tenancy_name username = var.username + secret_id = var.secret_id } helm = { diff --git a/main.tf b/main.tf index 03ba01c6..b8a9e767 100644 --- a/main.tf +++ b/main.tf @@ -48,13 +48,6 @@ module "policies" { cluster_id = module.oke.cluster_id } -module "auth" { - source = "./modules/auth" - - # ocir parameters - ocir = local.ocir -} - # additional networking for oke module "network" { source = "./modules/okenetwork" @@ -114,4 +107,5 @@ module "oke" { # service account service_account = local.service_account + } diff --git a/modules/auth/authtoken.tf b/modules/auth/authtoken.tf deleted file mode 100644 index 4e477faa..00000000 --- a/modules/auth/authtoken.tf +++ /dev/null @@ -1,9 +0,0 @@ -# Copyright 2017, 2019, Oracle Corporation and/or affiliates. All rights reserved. -# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl - -resource "oci_identity_auth_token" "ocirtoken" { - provider = oci.home - description = "ocir auth token" - user_id = var.ocir.user_id - count = var.ocir.create_auth_token == true ? 1 : 0 -} diff --git a/modules/auth/outputs.tf b/modules/auth/outputs.tf deleted file mode 100644 index 6b01597a..00000000 --- a/modules/auth/outputs.tf +++ /dev/null @@ -1,10 +0,0 @@ -# Copyright 2017, 2019 Oracle Corporation and/or affiliates. All rights reserved. -# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl - -output "ocirtoken" { - value = var.ocir.create_auth_token == true ? element(oci_identity_auth_token.ocirtoken.*.token, 0) : "none" -} - -output "ocirtoken_id" { - value = var.ocir.create_auth_token == true ? element(oci_identity_auth_token.ocirtoken.*.id, 0) : "none" -} 
diff --git a/modules/auth/provider.tf b/modules/auth/provider.tf deleted file mode 100644 index 0df41649..00000000 --- a/modules/auth/provider.tf +++ /dev/null @@ -1,12 +0,0 @@ -# Copyright 2017, 2019, Oracle Corporation and/or affiliates. All rights reserved. -# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl - -# create a home region provider for identity operations -provider "oci" { - alias = "home" - fingerprint = var.ocir.api_fingerprint - private_key_path = var.ocir.api_private_key_path - region = var.ocir.home_region - tenancy_ocid = var.ocir.tenancy_id - user_ocid = var.ocir.user_id -} diff --git a/modules/auth/variables.tf b/modules/auth/variables.tf deleted file mode 100644 index 2d7dad7f..00000000 --- a/modules/auth/variables.tf +++ /dev/null @@ -1,14 +0,0 @@ -# Copyright 2017, 2019, Oracle Corporation and/or affiliates. All rights reserved. -# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl - -variable "ocir" { - type = object({ - api_fingerprint = string - api_private_key_path = string - compartment_id = string - create_auth_token = bool - home_region = string - tenancy_id = string - user_id = string - }) -} diff --git a/modules/oke/ocir.tf b/modules/oke/ocir.tf deleted file mode 100644 index 16d514b2..00000000 --- a/modules/oke/ocir.tf +++ /dev/null 
@@ -1,73 +0,0 @@ -# Copyright 2017, 2019, Oracle Corporation and/or affiliates. All rights reserved. -# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl -data "template_file" "create_ocir_script" { - template = file("${path.module}/scripts/create_ocir_secret.template.sh") - - vars = { - authtoken = var.oke_ocir.auth_token - email_address = var.oke_ocir.email_address - region_registry = var.oke_ocir.ocir_urls[var.oke_general.region] - tenancy_name = var.oke_ocir.tenancy_name - username = var.oke_ocir.username - } - - count = var.oke_ocir.create_auth_token == true ? 1 : 0 -} - -resource null_resource "create_ocir_secret" { - triggers = { - ocirtoken = var.oke_ocir.ocirtoken_id - } - - connection { - host = var.oke_admin.admin_private_ip - private_key = file(var.oke_ssh_keys.ssh_private_key_path) - timeout = "40m" - type = "ssh" - user = "opc" - - bastion_host = var.oke_admin.bastion_public_ip - bastion_user = "opc" - bastion_private_key = file(var.oke_ssh_keys.ssh_private_key_path) - } - - depends_on = [null_resource.install_kubectl_admin, null_resource.write_kubeconfig_on_admin] - - provisioner "file" { - content = data.template_file.create_ocir_script[0].rendered - destination = "~/create_ocir_secret.sh" - } - - provisioner "remote-exec" { - inline = [ - "chmod +x $HOME/create_ocir_secret.sh", - "$HOME/create_ocir_secret.sh", - ] - } - - count = var.oke_admin.bastion_enabled == true && var.oke_admin.admin_enabled == true && var.oke_ocir.create_auth_token == true ? 
1 : 0 -} - -resource null_resource "delete_ocir_script" { - connection { - host = var.oke_admin.admin_private_ip - private_key = file(var.oke_ssh_keys.ssh_private_key_path) - timeout = "40m" - type = "ssh" - user = "opc" - - bastion_host = var.oke_admin.bastion_public_ip - bastion_user = "opc" - bastion_private_key = file(var.oke_ssh_keys.ssh_private_key_path) - } - - depends_on = [null_resource.create_ocir_secret] - - provisioner "remote-exec" { - inline = [ - "rm -f $HOME/create_ocir_secret.sh", - ] - } - - count = var.oke_admin.bastion_enabled == true && var.oke_admin.admin_enabled == true && var.oke_ocir.create_auth_token == true ? 1 : 0 -} diff --git a/modules/oke/scripts/secret.py b/modules/oke/scripts/secret.py new file mode 100644 index 00000000..04d68eba --- /dev/null +++ b/modules/oke/scripts/secret.py 
@@ -0,0 +1,43 @@
+#!/usr/bin/python3
+# Copyright 2017, 2019, Oracle Corporation and/or affiliates. All rights reserved.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl
+
+import os,sys,base64,subprocess,re
+
+import oci
+
+compartment_id = '${compartment_id}'
+region = '${region}'
+secret_id = '${secret_id}'
+email_address = '${email_address}'
+region_registry = '${region_registry}'
+tenancy_name = '${tenancy_name}'
+username = '${username}'
+
+signer = oci.auth.signers.InstancePrincipalsSecurityTokenSigner()
+
+identity_client = oci.identity.IdentityClient(config={}, signer=signer)
+
+secret_client = oci.secrets.SecretsClient(config={'region': region}, signer=signer)
+
+def read_secret_value(secret_client, secret_id):
+ response = secret_client.get_secret_bundle(secret_id)
+
+ base64_Secret_content = response.data.secret_bundle_content.content
+ base64_secret_bytes = base64_Secret_content.encode('ascii')
+ base64_message_bytes = base64.b64decode(base64_secret_bytes)
+ secret_content = base64_message_bytes.decode('ascii')
+
+ return secret_content
+
+
+secret_content = read_secret_value(secret_client, secret_id=secret_id)
+secret_content = re.escape(secret_content)
+
+
+command = "kubectl -n default delete secret ocirsecret"
+os.system(command)
+
+command1 = ("kubectl create secret docker-registry ocirsecret -n default --docker-server=${region_registry} --docker-username=${tenancy_name}/${username} --docker-email=${email_address} --docker-password=%s" % secret_content)
+
+subprocess.call(["/bin/bash" , "-c" , command1])
diff --git a/modules/oke/secrets.tf b/modules/oke/secrets.tf
new file mode 100644
index 00000000..609b0c4c
--- /dev/null
+++ b/modules/oke/secrets.tf
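Review bot: `re.escape` on `secret_content = re.escape(secret_content)` is regex escaping, not shell quoting; since Python 3.7 it leaves `;`, `'`, `"`, `` ` ``, `<` and `>` untouched, so an auth token containing any of them breaks or alters the `bash -c` command built in `command1`, and for the characters it does escape the unquoted argument only works because bash strips the backslashes again. The shell is not needed at all: build the argv list and hand it to subprocess directly, which also lets `check_call` surface a failed `kubectl create` instead of the ignored return codes of `os.system(command)` and `subprocess.call`. Even then the token is passed in kubectl's argv, which any local user on the admin host can read from /proc; if that matters, write a 0600 dockerconfigjson file and use `kubectl create secret generic ocirsecret --type=kubernetes.io/dockerconfigjson --from-file=.dockerconfigjson=<path>`. `identity_client`, `compartment_id` and `sys` are unused and can be dropped.
```python
# … unchanged: template variables, signer, clients, read_secret_value …

secret_content = read_secret_value(secret_client, secret_id=secret_id)

# argv list, no shell: the token is never parsed by bash, so no escaping is needed.
# delete stays best-effort (it fails when the secret does not exist yet)
subprocess.call(["kubectl", "-n", "default", "delete", "secret", "ocirsecret"])
subprocess.check_call([
    "kubectl", "create", "secret", "docker-registry", "ocirsecret",
    "-n", "default",
    "--docker-server=${region_registry}",
    "--docker-username=${tenancy_name}/${username}",
    "--docker-email=${email_address}",
    "--docker-password=" + secret_content,
])
```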
@@ -0,0 +1,53 @@
+# # Copyright 2017, 2019, Oracle Corporation and/or affiliates. All rights reserved.
+# # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl
+
+ data "template_file" "secret" {
+ template = file("${path.module}/scripts/secret.py")
+
+ vars = {
+ compartment_id = var.oke_identity.compartment_id
+ region = var.oke_general.region
+ secret_id = var.oke_ocir.secret_id
+ email_address = var.oke_ocir.email_address
+ region_registry = var.oke_ocir.ocir_urls[var.oke_general.region]
+ tenancy_name = var.oke_ocir.tenancy_name
+ username = var.oke_ocir.username
+
+ }
+ count = var.oke_admin.admin_enabled == true && var.oke_admin.admin_instance_principal == true && var.oke_ocir.secret_id != null ? 1 : 0
+ }
+
+ resource null_resource "secret" {
+ triggers = {
+ secret_id = var.oke_ocir.secret_id
+ }
+ connection {
+ host = var.oke_admin.admin_private_ip
+ private_key = file(var.oke_ssh_keys.ssh_private_key_path)
+ timeout = "40m"
+ type = "ssh"
+ user = "opc"
+
+ bastion_host = var.oke_admin.bastion_public_ip
+ bastion_user = "opc"
+ bastion_private_key = file(var.oke_ssh_keys.ssh_private_key_path)
+ }
+
+ depends_on = [null_resource.write_kubeconfig_on_admin]
+
+ provisioner "file" {
+ content = data.template_file.secret[0].rendered
+ destination = "~/secret.py"
+ }
+
+ provisioner "remote-exec" {
+ inline = [
+ "chmod +x $HOME/secret.py",
+ "$HOME/secret.py",
+ "sleep 10",
+ "rm -f $HOME/secret.py"
+ ]
+ }
+
+ count = var.oke_admin.admin_enabled == true && var.oke_admin.admin_instance_principal == true && var.oke_ocir.secret_id != null ? 1 : 0
+ }
diff --git a/modules/oke/serviceaccount.tf b/modules/oke/serviceaccount.tf
index 79621602..6adf4c4f 100644
--- a/modules/oke/serviceaccount.tf
+++ b/modules/oke/serviceaccount.tf
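Review bot: Both `count` expressions gate on `var.oke_ocir.secret_id != null`, but the shipped `terraform.tfvars.example` in this same commit sets `secret_id = ""` and the docs tell users to leave the parameter empty, so an empty string still creates both resources and runs `secret.py` against an empty OCID; use `count = var.oke_admin.admin_enabled == true && var.oke_admin.admin_instance_principal == true && var.oke_ocir.secret_id != null && var.oke_ocir.secret_id != "" ? 1 : 0` in both places (or normalise `""` to `null` in locals.tf). The connection block unconditionally goes through `var.oke_admin.bastion_public_ip`, yet unlike the deleted ocir.tf the condition no longer checks `bastion_enabled`, so with the bastion disabled the provisioner would presumably stall until the 40m timeout rather than be skipped. The `triggers` map only holds the secret OCID, so uploading a rotated token as a new version of the same secret will presumably not re-run the provisioner; a comment such as `# rotation under the same OCID does not re-trigger this resource; taint it or add a version-specific trigger` would save the next maintainer a surprise.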
@@ -37,7 +37,7 @@ resource null_resource "create_service_account" { inline = [ "chmod +x $HOME/create_service_account.sh", "$HOME/create_service_account.sh", - # "rm -f $HOME/create_service_account.sh" + "rm -f $HOME/create_service_account.sh" ] } diff --git a/modules/oke/variables.tf b/modules/oke/variables.tf index 145f7469..515095c1 100644 --- a/modules/oke/variables.tf +++ b/modules/oke/variables.tf @@ -78,16 +78,15 @@ variable "lbs" { # ocir variable "oke_ocir" { type = object({ - auth_token = string - create_auth_token = bool + secret_id = string email_address = string - ocirtoken_id = string ocir_urls = map(string) tenancy_name = string username = string }) } + # helm variable "helm" { type = object({ @@ -120,3 +119,4 @@ variable "service_account" { service_account_cluster_role_binding = string }) } + diff --git a/outputs.tf b/outputs.tf index d949ec4e..9e3ad1b5 100644 --- a/outputs.tf +++ b/outputs.tf @@ -50,8 +50,8 @@ output "kubeconfig" { value = "export KUBECONFIG=generated/kubeconfig" } -output "ocirtoken" { - description = "authentication token for ocir" - sensitive = true - value = module.auth.ocirtoken -} +# output "ocirtoken" { +# description = "authentication token for ocir" +# sensitive = true +# value = module.auth.ocirtoken +# } diff --git a/terraform.tfvars.example b/terraform.tfvars.example index 6674b91a..dd105fc6 100644 --- a/terraform.tfvars.example +++ b/terraform.tfvars.example @@ -139,7 +139,8 @@ lb_subnet_type = "public" preferred_lb_subnets = "public" # ocir -create_auth_token = false + +secret_id = "" email_address = "" diff --git a/variables.tf b/variables.tf index 54de1d38..4de4a545 100644 --- a/variables.tf +++ b/variables.tf 
@@ -346,10 +346,10 @@ variable "preferred_lb_subnets" { # ocir -variable "create_auth_token" { - description = "whether to create an auth token to use with OCIR" - default = false - type = bool +variable "secret_id" { + description = "OCID of Oracle Vault Secret" + type = string + default = null } variable "email_address" { @@ -459,3 +459,4 @@ variable "service_account_cluster_role_binding" { description = "cluster role binding name" type = string } + From ab4b26f819438a3a05383ae2efeb9fcfaaa53260 Mon Sep 17 00:00:00 2001 From: Karthic Ravindran Date: Sun, 26 Apr 2020 12:40:32 +0530 Subject: [PATCH 2/7] deleted ocir secret bash script --- modules/oke/scripts/create_ocir_secret.template.sh | 6 ------ 1 file changed, 6 deletions(-) delete mode 100644 modules/oke/scripts/create_ocir_secret.template.sh diff --git a/modules/oke/scripts/create_ocir_secret.template.sh b/modules/oke/scripts/create_ocir_secret.template.sh deleted file mode 100644 index 45ad8a83..00000000 --- a/modules/oke/scripts/create_ocir_secret.template.sh +++ /dev/null @@ -1,6 +0,0 @@ -#!/bin/bash -# Copyright 2017, 2019, Oracle Corporation and/or affiliates. All rights reserved. -# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl - -kubectl -n default delete secret ocirsecret -kubectl create secret docker-registry ocirsecret -n default --docker-server=${region_registry} --docker-username=${tenancy_name}/${username} --docker-email=${email_address} --docker-password='${authtoken}' From 27831e345f7a2315c75aec5b172c4c5036b8cc5d Mon Sep 17 00:00:00 2001 From: Karthic Ravindran Date: Sun, 26 Apr 2020 12:44:45 +0530 Subject: [PATCH 3/7] changed variable name from command to delsecret and crtsecret. --- modules/oke/scripts/secret.py | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/modules/oke/scripts/secret.py b/modules/oke/scripts/secret.py index 04d68eba..fcb7690b 100644 --- a/modules/oke/scripts/secret.py 
+++ b/modules/oke/scripts/secret.py @@ -35,9 +35,9 @@ def read_secret_value(secret_client, secret_id): secret_content = re.escape(secret_content) -command = "kubectl -n default delete secret ocirsecret" -os.system(command) +delsecret = "kubectl -n default delete secret ocirsecret" +os.system(delsecret) -command1 = ("kubectl create secret docker-registry ocirsecret -n default --docker-server=${region_registry} --docker-username=${tenancy_name}/${username} --docker-email=${email_address} --docker-password=%s" % secret_content) +crtsecret = ("kubectl create secret docker-registry ocirsecret -n default --docker-server=${region_registry} --docker-username=${tenancy_name}/${username} --docker-email=${email_address} --docker-password=%s" % secret_content) -subprocess.call(["/bin/bash" , "-c" , command1]) +subprocess.call(["/bin/bash" , "-c" , crtsecret]) From 491b09b4e186ba55e9b94f35a3f765e2cc015f28 Mon Sep 17 00:00:00 2001 From: Karthic Ravindran Date: Sun, 26 Apr 2020 13:03:24 +0530 Subject: [PATCH 4/7] Secret_id column corrected --- docs/terraformoptions.adoc | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/docs/terraformoptions.adoc b/docs/terraformoptions.adoc index 3cae2d08..223dfff2 100644 --- a/docs/terraformoptions.adoc +++ b/docs/terraformoptions.adoc @@ -512,7 +512,8 @@ Refer to {uri-topology}[topology] for more thorough examples. |secret_id |The Auth Token is stored in Oracle Vault Secret and then subsequently used to create a Kubernetes secret, which can then be used as an imagePullSecrets in a deployment. -|secret ocid +|Secret ocid +|null |email_address @@ -637,4 +638,4 @@ Refer to {uri-topology}[topology] for more thorough examples. | | -|=== \ No newline at end of file +|=== From 45d47f814c16e0b0960e2eb5e960f058c7252ff5 Mon Sep 17 00:00:00 2001 From: Karthic Ravindran Date: Tue, 28 Apr 2020 10:44:27 +0530 Subject: [PATCH 5/7] montreal OCIR,Doc changes and Exception handling 
Signed-off-by: Karthic Ravindran --- docs/configuration.adoc | 3 ++- docs/instructions.adoc | 8 +++++--- modules/oke/scripts/secret.py | 19 +++++++++++-------- variables.tf | 1 + 4 files changed, 19 insertions(+), 12 deletions(-) diff --git a/docs/configuration.adoc b/docs/configuration.adoc index 69637ac2..d2844438 100644 --- a/docs/configuration.adoc +++ b/docs/configuration.adoc @@ -24,6 +24,7 @@ :uri-metrics-server: https://github.com/kubernetes-incubator/metrics-server :uri-networks-subnets-cidr: https://erikberg.com/notes/networks.html :uri-oci-authtoken: https://docs.cloud.oracle.com/iaas/Content/Registry/Tasks/registrygettingauthtoken.htm +:uri-oci-secret: https://docs.cloud.oracle.com/en-us/iaas/Content/KeyManagement/Tasks/managingsecrets.htm :uri-oci: https://cloud.oracle.com/cloud-infrastructure :uri-oci-documentation: https://docs.cloud.oracle.com/iaas/Content/home.htm :uri-oci-instance-principal: https://docs.cloud.oracle.com/iaas/Content/Identity/Tasks/callingservicesfrominstances.htm @@ -188,7 +189,7 @@ Refer to {uri-topology}[topology] for more thorough examples. === Configure OCIR parameters -The {uri-oci-ocir}[OCIR] parameters control the creation of an {uri-oci-authtoken}[Auth Token] for the user in OCI. The Auth Token is then subsequently used to create a Kubernetes secret, which can then be used as an imagePullSecrets in a deployment. +The {uri-oci-ocir}[OCIR] parameters is used to create a Kubernetes secret to pull image from OCIR. The {uri-oci-authtoken}#[Auth Token] needs to be manually created and stored in {uri-oci-secret}#[Oracle Vault Secret] then subsequently used to create a Kubernetes secret, which can then be used as an imagePullSecrets in a deployment.If you dont want to use OCIR then leave the *secret_id* parameter empty. The secret is created in the kube-system namespace. To copy it to your namespace, use the following command: diff --git a/docs/instructions.adoc b/docs/instructions.adoc index 856ca07b..7bc2cf77 100644 
--- a/docs/instructions.adoc +++ b/docs/instructions.adoc @@ -28,6 +28,8 @@ :uri-oci-manage-dynamic-groups: https://docs.cloud.oracle.com/iaas/Content/Identity/Tasks/managingdynamicgroups.htm :uri-oci-manage-policies: https://docs.cloud.oracle.com/iaas/Content/Identity/Tasks/managingpolicies.htm :uri-oci-ocir: https://docs.cloud.oracle.com/iaas/Content/Registry/Concepts/registryoverview.htm +:uri-oci-secret: https://docs.cloud.oracle.com/en-us/iaas/Content/KeyManagement/Tasks/managingsecrets.htm +:uri-oci-authtoken: https://docs.cloud.oracle.com/iaas/Content/Registry/Tasks/registrygettingauthtoken.htm :uri-oke: https://docs.cloud.oracle.com/iaas/Content/ContEng/Concepts/contengoverview.htm :uri-oracle: https://www.oracle.com :uri-prereqs: {uri-docs}/prerequisites.adoc @@ -55,7 +57,7 @@ .. link:#disabling-instance_principal-on-the-admin-host[Disabling instance_principal on the admin host] .. link:#recommendations-for-using-instance_principal[Recommendations for using instance_principal] . link:#interacting-with-the-oke-cluster[Interacting with the OKE Cluster locally] -. link:#creating-an-auth-token-for-ocir[Creating an auth token for OCIR] +. link:#creating-secret-for-ocir[Creating Secret for OCIR] . link:#installing-helm[Installing helm] . link:#installing-calico[Installing Calico] . link:#installing-kubernetes-metrics-server[Installing Kubernetes Metrics Server] 
@@ -218,9 +220,9 @@ export KUBECONFIG=generated/kubeconfig *Ensure you install the same kubectl version as the OKE Kubernetes version for compatibility.* **** -=== Creating an auth token for OCIR +=== Creating Secret for OCIR -{uri-oci-ocir}[Oracle Cloud Infrastructure Registry] is a highly available private container registry service for storing and sharing container images within the same regions as the OKE Cluster. To pull images from OCIR, set the parameter *secret_id = * in terraform.tfvars. Refer to {uri-terraform-options}#ocir[OCIR parameters] for other parameters to be set. +{uri-oci-ocir}[Oracle Cloud Infrastructure Registry] is a highly available private container registry service for storing and sharing container images within the same regions as the OKE Cluster. To pull images from OCIR, you need to create a a {uri-oci-authtoken}[authtoken] .You will store that securely in {uri-oci-secret}[Oracle Vault Secret]. Assign the Secret OCID to *secret_id* in terraform.tfvars. Refer to {uri-terraform-options}#ocir[OCIR parameters] for other parameters to be set. === Installing helm diff --git a/modules/oke/scripts/secret.py b/modules/oke/scripts/secret.py index fcb7690b..b1ea13e5 100644 --- a/modules/oke/scripts/secret.py +++ b/modules/oke/scripts/secret.py 
@@ -30,14 +30,17 @@ def read_secret_value(secret_client, secret_id): return secret_content +try: + secret_content = read_secret_value(secret_client, secret_id=secret_id) + secret_content = re.escape(secret_content) + delsecret = "kubectl -n default delete secret ocirsecret" + os.system(delsecret) -secret_content = read_secret_value(secret_client, secret_id=secret_id) -secret_content = re.escape(secret_content) + crtsecret = ("kubectl create secret docker-registry ocirsecret -n default --docker-server=${region_registry} --docker-username=${tenancy_name}/${username} --docker-email=${email_address} --docker-password=%s" % secret_content) + subprocess.call(["/bin/bash" , "-c" , crtsecret]) + +except Exception as e: + print(e.message) + print("Please check Secret OCID assigned to secret_id variable") -delsecret = "kubectl -n default delete secret ocirsecret" -os.system(delsecret) - -crtsecret = ("kubectl create secret docker-registry ocirsecret -n default --docker-server=${region_registry} --docker-username=${tenancy_name}/${username} --docker-email=${email_address} --docker-password=%s" % secret_content) - -subprocess.call(["/bin/bash" , "-c" , crtsecret]) diff --git a/variables.tf b/variables.tf index 4de4a545..fb3450fa 100644 --- a/variables.tf +++ b/variables.tf @@ -368,6 +368,7 @@ variable "ocir_urls" { ap-seoul-1 = "icn.ocir.io" ap-tokyo-1 = "nrt.ocir.io" ca-toronto-1 = "yyz.ocir.io" + ca-montreal-1 = "yul.ocir.io" eu-amsterdam-1 = "ams.ocir.io" eu-frankfurt-1 = "fra.ocir.io" eu-zurich-1 = "zrh.ocir.io" From 1786a9bbd7c72aa1f697d8bcbf01e194c265c31d Mon Sep 17 00:00:00 2001 From: Karthic Ravindran Date: Tue, 28 Apr 2020 10:53:12 +0530 Subject: [PATCH 6/7] configuration doc changes Signed-off-by: Karthic Ravindran --- docs/configuration.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuration.adoc b/docs/configuration.adoc index d2844438..fab804fe 100644 --- a/docs/configuration.adoc +++ b/docs/configuration.adoc 
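Review bot: `print(e.message)` in the new `except Exception as e:` handler raises `AttributeError` on Python 3 (the file's shebang is `/usr/bin/python3`, and `BaseException` has no `message`), so the original error is masked, and because the handler then falls off the end of the script it exits 0 and the `remote-exec` provisioner treats a missing OCIR secret as success. Change the handler to `print(e, file=sys.stderr)`, `print("Please check Secret OCID assigned to secret_id variable", file=sys.stderr)` and `sys.exit(1)`. The `try` also wraps the kubectl calls, whose `subprocess.call` return code is never checked, so a failed `kubectl create` stays silent; `subprocess.check_call` would route that failure through the same handler, though the OCID hint would then be misleading for that case.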
@@ -189,7 +189,7 @@ Refer to {uri-topology}[topology] for more thorough examples. === Configure OCIR parameters -The {uri-oci-ocir}[OCIR] parameters is used to create a Kubernetes secret to pull image from OCIR. The {uri-oci-authtoken}#[Auth Token] needs to be manually created and stored in {uri-oci-secret}#[Oracle Vault Secret] then subsequently used to create a Kubernetes secret, which can then be used as an imagePullSecrets in a deployment.If you dont want to use OCIR then leave the *secret_id* parameter empty. +The {uri-oci-authtoken}#[Auth Token] needs to be manually created and stored in {uri-oci-secret}#[Oracle Vault Secret] then subsequently used to create a Kubernetes secret, which can then be used as an imagePullSecrets in a deployment.If you dont want to use OCIR then leave the *secret_id* parameter empty. The secret is created in the kube-system namespace. To copy it to your namespace, use the following command: From f81f00cb372eb90abb7573d74356c392c40ca3e9 Mon Sep 17 00:00:00 2001 From: Ali Mukadam Date: Mon, 4 May 2020 11:41:29 +1000 Subject: [PATCH 7/7] updated documentation, added link to Oracle A-Team blog Signed-off-by: Ali Mukadam --- CHANGELOG.adoc | 4 ++++ docs/configuration.adoc | 2 +- docs/instructions.adoc | 15 ++++++++++++--- docs/terraformoptions.adoc | 4 ++-- modules/oke/scripts/secret.py | 2 +- variables.tf | 2 +- 6 files changed, 21 insertions(+), 8 deletions(-) diff --git a/CHANGELOG.adoc b/CHANGELOG.adoc index ae3f599e..e4a97054 100644 --- a/CHANGELOG.adoc +++ b/CHANGELOG.adoc 
@@ -7,6 +7,10 @@ All notable changes to this project are documented in this file. The format is based on {uri-changelog}[Keep a Changelog]. +== 2.2.0 (May 4, 2020) +* Use OCI Secret in Vault to retrieve Auth Token for creating Kubernetes secret for OCIR. This allows reuse of existing Auth Tokens (#153) +* Added Montreal as supported region (#160) + == 2.1.6 (April 13, 2020) * Fixed issue with admin host ordering of oci-cli installation, instance_principal creation and kubeconfig generation (#143) * Upgraded base module to 1.1.3 to be able to detect when admin instance_principal is ready diff --git a/docs/configuration.adoc b/docs/configuration.adoc index fab804fe..4a1bf266 100644 --- a/docs/configuration.adoc +++ b/docs/configuration.adoc @@ -189,7 +189,7 @@ Refer to {uri-topology}[topology] for more thorough examples. === Configure OCIR parameters -The {uri-oci-authtoken}#[Auth Token] needs to be manually created and stored in {uri-oci-secret}#[Oracle Vault Secret] then subsequently used to create a Kubernetes secret, which can then be used as an imagePullSecrets in a deployment.If you dont want to use OCIR then leave the *secret_id* parameter empty. +The {uri-oci-authtoken}#[Auth Token] must first be manually created and stored in {uri-oci-secret}#[OCI Secret in Vault]. It will subsequently be used to create a Kubernetes secret, which can then be used as an imagePullSecrets in a deployment. If you do not need to use private OCIR repositories, then leave the *secret_id* parameter empty. Refer to the {uri-instructions}#creating-a-secret-for-ocir[instructions] for how to create the Auth Token and the Secret in Vault. The secret is created in the kube-system namespace. To copy it to your namespace, use the following command: diff --git a/docs/instructions.adoc b/docs/instructions.adoc index 7bc2cf77..4d516ca2 100644 --- a/docs/instructions.adoc +++ b/docs/instructions.adoc 
@@ -57,7 +57,7 @@ .. link:#disabling-instance_principal-on-the-admin-host[Disabling instance_principal on the admin host] .. link:#recommendations-for-using-instance_principal[Recommendations for using instance_principal] . link:#interacting-with-the-oke-cluster[Interacting with the OKE Cluster locally] -. link:#creating-secret-for-ocir[Creating Secret for OCIR] +. link:#creating-a-secret-for-ocir[Creating a Secret for OCIR] . link:#installing-helm[Installing helm] . link:#installing-calico[Installing Calico] . link:#installing-kubernetes-metrics-server[Installing Kubernetes Metrics Server] 
@@ -220,9 +220,18 @@ export KUBECONFIG=generated/kubeconfig *Ensure you install the same kubectl version as the OKE Kubernetes version for compatibility.* **** -=== Creating Secret for OCIR +=== Creating a Secret for OCIR -{uri-oci-ocir}[Oracle Cloud Infrastructure Registry] is a highly available private container registry service for storing and sharing container images within the same regions as the OKE Cluster. To pull images from OCIR, you need to create a a {uri-oci-authtoken}[authtoken] .You will store that securely in {uri-oci-secret}[Oracle Vault Secret]. Assign the Secret OCID to *secret_id* in terraform.tfvars. Refer to {uri-terraform-options}#ocir[OCIR parameters] for other parameters to be set. +{uri-oci-ocir}[Oracle Cloud Infrastructure Registry] is a highly available private container registry service for storing and sharing container images within the same regions as the OKE Cluster. Use the following rules to determine if you need to create a Kubernetes Secret for OCIR: + +* If your container repository is public, you do not need to create a secret. +* If your container repository is private, you need to create a secret before OKE can pull your images from the private repository. + +If you plan on creating a Kubernetes Secret for OCIR, you must first {uri-oci-authtoken}[create an Auth Token]. Copy and temporarily save the value of the Auth Token. + +You must then {uri-oci-secret}[create a Secret in OCI Vault to store] the value of the Auth Token in it. + +Finally, assign the Secret OCID to *secret_id* in terraform.tfvars. Refer to {uri-terraform-options}#ocir[OCIR parameters] for other parameters to be set. === Installing helm diff --git a/docs/terraformoptions.adoc b/docs/terraformoptions.adoc index 223dfff2..b4e2b7c9 100644 --- a/docs/terraformoptions.adoc +++ b/docs/terraformoptions.adoc 
@@ -511,8 +511,8 @@ Refer to {uri-topology}[topology] for more thorough examples. |Default |secret_id -|The Auth Token is stored in Oracle Vault Secret and then subsequently used to create a Kubernetes secret, which can then be used as an imagePullSecrets in a deployment. -|Secret ocid +|The id of the Secret in Vault where the Auth Token is stored. +| |null diff --git a/modules/oke/scripts/secret.py b/modules/oke/scripts/secret.py index b1ea13e5..ad191b9a 100644 --- a/modules/oke/scripts/secret.py +++ b/modules/oke/scripts/secret.py @@ -1,6 +1,7 @@ #!/usr/bin/python3 # Copyright 2017, 2019, Oracle Corporation and/or affiliates. All rights reserved. # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl +# Derived and adapted from https://www.ateam-oracle.com/secure-way-of-managing-secrets-in-oci import os,sys,base64,subprocess,re @@ -43,4 +44,3 @@ def read_secret_value(secret_client, secret_id): except Exception as e: print(e.message) print("Please check Secret OCID assigned to secret_id variable") - diff --git a/variables.tf b/variables.tf index fb3450fa..7c4eaf22 100644 --- a/variables.tf +++ b/variables.tf @@ -367,8 +367,8 @@ variable "ocir_urls" { ap-osaka-1 = "kix.ocir.io" ap-seoul-1 = "icn.ocir.io" ap-tokyo-1 = "nrt.ocir.io" - ca-toronto-1 = "yyz.ocir.io" ca-montreal-1 = "yul.ocir.io" + ca-toronto-1 = "yyz.ocir.io" eu-amsterdam-1 = "ams.ocir.io" eu-frankfurt-1 = "fra.ocir.io" eu-zurich-1 = "zrh.ocir.io"