With Public Endpoints
Use this configuration when you want the API endpoints of your OKE clusters to be public.
Create the clusters
- Copy terraform.tfvars.example to terraform.tfvars:
cp terraform.tfvars.example terraform.tfvars
Provider
-
Provide values for the following input variables in terraform.tfvars:
api_fingerprintapi_private_key_pathtenancy_iduser_idcompartment_idssh_public_key_pathssh_private_key_path
-
Set your tenancy's home region using
home_regionin terraform.tfvars e.g.
home_region = "us-ashburn-1"
Admin Cluster
-
Set the Admin region for where you want to place the Verrazzano Admin cluster. This should be the region name only e.g.
Sydney. This should not be the region identifierap-sydney-1e.g.admin_region = { admin_name = "admin" region = "Sydney" # must match the provider's region in step 4 vcn_cidr = "10.0.0.0/16" pods = "10.200.0.0/16" services = "10.100.0.0/16" }
If you change the CIDR values above, it is your responsibility to ensure they do not overlap:
- with each other
- with other clusters' CIDRs
- with existing network in your environment if you are establishing connectivity
- Change the provider of the Admin cluster to its corresponding alias. The aliases can be found in providers.tf e.g. if you want to place your Admin cluster in Ashburn, you must change the provider from
oci.sydneytooci.ashburn. This should be configured inadmin.tfin the root module e.g.
providers = {
oci = oci.ashburn
oci.home = oci.home
}
Managed Clusters
- To create managed clusters in your preferred regions, set your preferred regions' values to
truee.g.ashburn=truein theclustersparameter. Leave those that you do not use tofalsee.g.
clusters = {
# Africa
johannesburg = false
# Asia
chuncheon = false
hyderabad = false
mumbai = false
osaka = false
seoul = false
singapore = false
tokyo = false
# Europe
amsterdam = false
frankfurt = false
london = false
madrid = false
marseille = false
milan = false
newport = false
paris = false
stockholm = false
zurich = false
# Middle East
abudhabi = false
dubai = false
jeddah = false
jerusalem = false
# Oceania
melbourne = false
sydney = false
# South America
santiago = false
saupaulo = false
vinhedo = false
# North America
ashburn = false
chicago = false
montreal = false
phoenix = true
queretaro = false
sanjose = false
toronto = false
}
- For the managed clusters you enable, uncomment them in
modules\clusters\outputs.tfforcluster_ids,int_nsg_idsandpub_nsg_ids. For the clusters that you do not use, leave them commented e.g.
output "cluster_ids" {
value = {
# "johannesburg" = one(module.johannesburg[*].cluster_id)
# "chuncheon" = one(module.chuncheon[*].cluster_id)
# "hyderabad" = one(module.hyderabad[*].cluster_id)
# "mumbai" = one(module.mumbai[*].cluster_id)
# "osaka" = one(module.osaka[*].cluster_id)
# "seoul" = one(module.seoul[*].cluster_id)
# "singapore" = one(module.singapore[*].cluster_id)
# "tokyo" = one(module.tokyo[*].cluster_id)
# "amsterdam" = one(module.amsterdam[*].cluster_id)
# "frankfurt" = one(module.frankfurt[*].cluster_id)
# "london" = one(module.london[*].cluster_id)
# "madrid" = one(module.madrid[*].cluster_id)
# "marseille" = one(module.marseille[*].cluster_id)
# "milan" = one(module.milan[*].cluster_id)
# "newport" = one(module.newport[*].cluster_id)
# "paris" = one(module.paris[*].cluster_id)
# "stockholm" = one(module.stockholm[*].cluster_id)
# "zurich" = one(module.zurich[*].cluster_id)
# "abudhabi" = one(module.abudhabi[*].cluster_id)
# "dubai" = one(module.dubai[*].cluster_id)
# "jeddah" = one(module.jeddah[*].cluster_id)
# "jerusalem" = one(module.jerusalem[*].cluster_id)
# "melbourne" = one(module.melbourne[*].cluster_id)
# "sydney" = one(module.sydney[*].cluster_id)
"melbourne" = one(module.melbourne[*].cluster_id)
# "sydney" = one(module.sydney[*].cluster_id)
# "santiago" = one(module.santiago[*].cluster_id)
# "saupaulo" = one(module.saupaulo[*].cluster_id)
# "vinhedo" = one(module.vinhedo[*].cluster_id)
# "ashburn" = one(module.ashburn[*].cluster_id)
# "chicago" = one(module.chicago[*].cluster_id)
# "montreal" = one(module.montreal[*].cluster_id)
# "phoenix" = one(module.phoenix[*].cluster_id)
# "queretaro" = one(module.queretaro[*].cluster_id)
# "sanjose" = one(module.sanjose[*].cluster_id)
# "toronto" = one(module.toronto[*].cluster_id)
}
}
In the outputs.tf, you must uncomment only the regions where you are running the managed clusters, not your the region where your admin cluster is running.
Only uncomment the admin region in outputs if you happen to also run a managed cluster in the same region as your admin cluster.
- Uncomment the respective clusters that you have enabled. The clusters are created in either {country, continent,region}.tf. e.g. Ashburn will be found in
usa.tfundermodules\clusters. Leave the clusters that you do not use as commented.
We pre-create aliased providers. But in doing so, Terraform then wants to check all configured regions and this can take some time. Instead, we want Terraform apply to happen as quickly as possible. That's why the need to comment/uncomment. We will look for a way to improve this in the future.
- Configure the API endpoints for public access in terraform.tfvars:
oke_control_plane = "public"
- When initially creating the clusters, configure the following input variables to be
false:
get_kubeconfigs = false
install_verrazzano = false
- Create the clusters by running Terraform:
terraform init
terraform plan
terraform apply
- After Terraform has finished the apply operation, it will output a convenient SSH command you can copy. This command will allow you to ssh to the operator host.
Set up kubeconfig
You will now generate the installation script.
- Configure the following input variables:
get_kubeconfigs = true
install_verrazzano = true
- Configure the Verrazzano profile:
verrazzano_profile = "prod"
Regardless of what you set the profile value to be, the profile of managed servers will always be managed-cluster.
-
If you need to use your own DNS, you need to configure DNS before you run Terraform and the installation scripts. Else, the installation scripts will use nip.io.
-
If you want to configure additional Verrazzano components, you can still do so now.
-
Run Terraform again:
terraform init
terraform plan
terraform apply
Running terraform apply again will configure access to the clusters, give them a friendly name and upload the installation scripts to the operator host.
- ssh to the operator host using the convenience command printed by Terraform.
ssh -i /path/to/ssh_private_key -J opc@xyz.xyz.xyz.xyz opc@abc.abc.abc.abc"
- Verify you can reach the clusters e.g.
for cluster in admin phoenix ; do
kubectx $cluster
kubectl get nodes
done
Each cluster's context are renamed to a friendlier format, usually the name of the region except for the Admin cluster which is "admin".
To change context to your desired cluster, use the kubectx command e.g.
kubectx phoenix
- You should be able to see something like the following:
✔ Switched to context "admin".
NAME STATUS ROLES AGE VERSION
10.0.123.29 Ready node 91m v1.24.1
✔ Switched to context "phoenix".
NAME STATUS ROLES AGE VERSION
10.31.101.163 Ready node 89m v1.24.1
10.31.84.171 Ready node 89m v1.24.1
Install Verrrazzano
You will now install Verrazzano in all clusters and register the managed clusters with the Admin cluster.
- Install the Verrazzano Platform Operator:
cd /home/opc/vz/operator
for cluster in admin phoenix ; do
bash install_vz_operator_$cluster.sh
done
- Check if the operator has installed successfully in all clusters:
for cluster in admin phoenix; do
bash check_vz_operator_$cluster.sh
done
- Obtain the manifest for DNS. Follow the instructions to configure a secret for DNS.
cd /home/opc/vz/oci
bash get_oci_secret.sh
echo >> oci.yaml
- Create the secret in each cluster:
for cluster in admin phoenix ; do
bash create_oci_secret_$cluster.sh
done
- If you are using Thanos, configure your secret for OCI Object Storage now. For each enabled cluster, a storage file is created. Edit them and enter the following and create a secret:
- compartment_ocid
- region
- tenancy_ocid
- user_ocid
- fingerprint
- and the private key
cd /home/opc/vz/clusters
for cluster in admin phoenix; do
kubectx $cluster
kubectl create namespace verrazzano-monitoring
kubectl create secret generic objstore-config -n verrazzano-monitoring --from-file=objstore.yml=thanos_${cluster}_storage.yaml
done
- Install the Verrazzano Admin cluster:
cd /home/opc/vz/clusters
bash install_vz_cluster_admin.sh
The Admin cluster has more components to install and takes longer, so we install it separately. This allows us to install the managed clusters in parallel.
- While the Admin cluster is being installed in the background, you can install the managed clusters in parallel:
cd /home/opc/vz/clusters
for cluster in phoenix ; do
bash install_vz_cluster_$cluster.sh
done
- Wait for Verrazzano to be installed in all clusters:
# check managed clusters' status
bash vz_status.sh
# Admin cluster takes longer, check separately
kubectx admin
kubectl wait --timeout=20m --for=condition=InstallComplete verrazzano/admin
- Create the certificates secrets for each managed cluster:
cd /home/opc/vz/certs
for cluster in phoenix; do
bash create_cert_secret_$cluster.sh
done
- Create the ConfigMap for the API Server:
cd /home/opc/vz/cm
bash create_api_cm.sh
- Create the Verrazzano managed cluster objects for each managed cluster:
cd /home/opc/vz/clusters
for cluster in phoenix; do
bash create_vmc_$cluster.sh
done
- Register all the managed clusters:
for cluster in phoenix; do
bash register_vmc_$cluster.sh
done