oracle-terraform-modules / terraform-oci-oke

The Terraform OKE Module Installer for Oracle Cloud Infrastructure provides a Terraform module that provisions the necessary resources for Oracle Container Engine.

Home Page: https://oracle-terraform-modules.github.io/terraform-oci-oke/

License: Universal Permissive License v1.0

HCL 98.25% Shell 0.89% Makefile 0.86%
oci terraform oke kubernetes oracle

terraform-oci-oke's Introduction

Terraform OKE for Oracle Cloud Infrastructure

Documentation

Documentation for this module is available at:

This project implements a reusable Terraform module for Oracle Cloud Infrastructure (OCI) to provision an Oracle Container Engine for Kubernetes (OKE) cluster with supporting infrastructure.

Further Documentation

Acknowledgement

Code derived and adapted from Terraform OKE Sample and Hashicorp’s Terraform 0.12 examples.

Contributing

Learn how to contribute.

License

Copyright (c) 2017, 2023 Oracle Corporation and/or its affiliates. Licensed under the Universal Permissive License 1.0 as shown at https://oss.oracle.com/licenses/upl.

terraform-oci-oke's People

Contributors

12345ieee, cawilliamson, chrisbulgaria, chrizkim, davidsnahm, denismakogon, devoncrouse, gotsysdba, hyder, karthicgit, karthicgit-zz, ksn2510, kumar-dhanagopal, markxnelson, netsirk, noeldcosta, ooraini, pradeep-rout, robo-cap, rodrigc, rppala90, satyamkapoor, saurabhuja, sg60, slok, snafuz, syedthameem85, thpham, und3f, valireds

terraform-oci-oke's Issues

Upgrade default version of helm to 3.1.1

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

New or Affected Resource(s)

variable "helm_version" {
  description = "version of helm to install"
  default     = "3.1.1"
  type        = string
}

Potential Terraform Configuration

# Copy-paste any Terraform configurations for how the requested feature may be used. 

References

calico not getting installed

I get the following error after enabling calico

calico_version = "3.9"

install_calico = true

==========Error=============
module.oke.null_resource.install_calico[0] (remote-exec): unable to recognize "calico-policy-only.yaml": Get http://localhost:8080/api?timeout=32s: dial tcp 127.0.0.1:8080: connect: connection refused
==========Error=============

I do not see calico; here is the get pods output.

NAMESPACE     NAME                                    READY   STATUS    RESTARTS   AGE
kube-system   kube-dns-autoscaler-7c97bb6dfb-w9tpd    1/1     Running   0          24m
kube-system   kube-dns-bdb5cb4bd-9rfdk                3/3     Running   0          17m
kube-system   kube-dns-bdb5cb4bd-gjg75                3/3     Running   0          17m
kube-system   kube-dns-bdb5cb4bd-t9nml                3/3     Running   0          24m
kube-system   kube-flannel-ds-2hzcr                   1/1     Running   1          17m
kube-system   kube-flannel-ds-bscwq                   1/1     Running   1          17m
kube-system   kube-flannel-ds-tntk4                   1/1     Running   1          17m
kube-system   kube-proxy-58s86                        1/1     Running   0          17m
kube-system   kube-proxy-cx86z                        1/1     Running   0          17m
kube-system   kube-proxy-dblh4                        1/1     Running   0          17m
kube-system   kubernetes-dashboard-768d48d6c9-xfjjr   1/1     Running   0          24m
kube-system   proxymux-client-10.0.64.2               1/1     Running   0          17m
kube-system   proxymux-client-10.0.64.3               1/1     Running   0          17m
kube-system   proxymux-client-10.0.64.4               1/1     Running   0          17m

Invalid index error

I cloned this repo this morn, set the variables in tfvars, and got a few Invalid index errors when I ran terraform plan.

My TF version is 0.12.13.

I hadn't seen these errors last week with the same repo and TF version! What might the issue be?

Error: Invalid index

  on modules\oke\nodepools.tf line 26, in resource "oci_containerengine_node_pool" "nodepools":
  26:   node_image_id = var.node_pools.node_pool_image_id == "NONE" ? data.oci_core_images.latest_images[count.index].images[0].id : var.node_pools.node_pool_image_id
    |----------------
    | count.index is 0
    | data.oci_core_images.latest_images is tuple with 1 element

The given key does not identify an element in this collection value.


Error: Invalid index

  on modules\policies\locals.tf line 10, in locals:
  10:   policy_statement = "Allow dynamic-group ${oci_identity_dynamic_group.oke-kms-cluster[0].name} to use keys in compartment ${var.oci_identity.compartment_name} where target.key.id = '${var.oke_kms.key_id}'"
    |----------------
    | oci_identity_dynamic_group.oke-kms-cluster is empty tuple

The given key does not identify an element in this collection value.


Error: Invalid index

  on modules\base\bastion\outputs.tf line 9, in output "bastion_instance_principal_group_name":
   9:   value = oci_identity_dynamic_group.bastion_instance_principal[0].name
    |----------------
    | oci_identity_dynamic_group.bastion_instance_principal is empty tuple

The given key does not identify an element in this collection value.

Unable to do terraform plan or it is not supporting latest terraform version or something missing in instructions

This is my terraform version:
Terraform v0.12.23

  • provider.local v1.4.0
  • provider.null v2.1.2
  • provider.oci v3.67.0
  • provider.template v2.1.2
  1. copied terraform.tfvars.example to terraform.tfvars. Filled all mandatory details in terraform.tfvars
  2. terraform init
  3. terraform plan, which results in below error message-
    module.policies.data.oci_identity_regions.home_region: Refreshing state...
    module.base.data.oci_identity_regions.home_region: Refreshing state...

Error: Invalid index

  on .terraform/modules/base/oracle-terraform-modules-terraform-oci-base-963da7b/modules/admin/instance_principal.tf line 42, in resource "oci_identity_policy" "admin_instance_principal":
  42: statements = ["Allow dynamic-group ${oci_identity_dynamic_group.admin_instance_principal[0].name} to manage all-resources in compartment id ${data.oci_identity_compartments.compartments_id.compartments.0.id}"]
    |----------------
    | data.oci_identity_compartments.compartments_id.compartments is empty list of object

The given key does not identify an element in this collection value.


Error: Invalid index

  on .terraform/modules/base/oracle-terraform-modules-terraform-oci-base-963da7b/modules/bastion/ons.tf line 61, in resource "oci_identity_policy" "bastion_notification":
  61: statements = ["Allow dynamic-group ${oci_identity_dynamic_group.bastion_notification[0].name} to use ons-topic in compartment id ${data.oci_identity_compartments.compartments_id[0].compartments.0.id} where request.permission='ONS_TOPIC_PUBLISH'"]
    |----------------
    | data.oci_identity_compartments.compartments_id[0].compartments is empty list of object

The given key does not identify an element in this collection value.

Terraform Version and Provider Version

Affected Resource(s)

Terraform Configuration Files

# Copy-paste your Terraform configurations here - for large Terraform configs,
# please use a service like Dropbox and share a link to the ZIP file. 
# Please remove any sensitive information from configuration files before sharing them. 

Debug Output

Panic Output

Expected Behavior

Actual Behavior

Steps to Reproduce

  1. terraform apply

Important Factoids

References

Add vcn_id to output variables

Description

When you consume this module in your terraform script by referencing it like this:

module "oke" {
  source  = "oracle-terraform-modules/oke/oci"
  version = "2.1.4"
  # insert the 23 required variables here
}

you do not have access to the vcn_id created by the oracle-terraform-modules/base/oci module. This makes it hard to add new resources to the same VCN.
Adding vcn_id to output variables will help anybody who needs to augment OKE deployment with additional resources provisioned in the same VCN (e.g. autonomous database).

New or Affected Resource(s)

The feature can be implemented by adding the following code to outputs.tf:

output "vcn_id" {
  description = "VCN OCID"
  value       = module.base.vcn_id
}

Potential Terraform Configuration

The parent module can then access the vcn_id value like this:

vcn_id = module.oke.vcn_id 

References

[Bug] Helm is needed when it shouldn't be

In your latest commit you seem to have broken the helm dependency.

I have no intentions of using Helm and am using the default of install_helm=false but the binary itself is now needed since the ~/.helm dir needs to exist in order for your TF code to execute.

one issue when execute terraform init script

[opc@console-1 oke-terraform]$ terraform init
Initializing modules...

  • auth in modules/auth
  • base in modules/base
  • base.bastion in modules/base/bastion
  • base.vcn in modules/base/vcn
  • network in modules/okenetwork
  • oke in modules/oke

There are some problems with the configuration, described below.

The Terraform configuration must be valid before initialization so that
Terraform can determine which modules and providers need to be installed.

Error: Missing key/value separator

on modules/okenetwork/security.tf line 57, in resource "oci_core_security_list" "workers_seclist":
51:
52:
53:
54:
55:
57: tcp_options {

Expected an equals sign ("=") to mark the beginning of the attribute value.

Assigned enable_instance_principal as false, still trying to create dynamic group.

Team,

I have assigned enable_instance_principal as false and use_encryption as false in terraform.tfvars, still it is trying to create dynamic policy

few lines from terraform.tfvars

create_bastion = true
bastion_access = "ANYWHERE"
enable_instance_principal = false
use_encryption = false

Error: Invalid index

on modules/policies/locals.tf line 10, in locals:
10: policy_statement = "Allow dynamic-group ${oci_identity_dynamic_group.oke-kms-cluster[0].name} to use keys in compartment ${var.oci_identity.compartment_name} where target.key.id = '${var.oke_kms.key_id}'"
|----------------
| oci_identity_dynamic_group.oke-kms-cluster is empty tuple

The given key does not identify an element in this collection value.

Error: Invalid index

on modules/base/bastion/outputs.tf line 9, in output "bastion_instance_principal_group_name":
9: value = oci_identity_dynamic_group.bastion_instance_principal[0].name
|----------------
| oci_identity_dynamic_group.bastion_instance_principal is empty tuple

The given key does not identify an element in this collection value.

[Feature Request] Docker Application with simple UI

I feel most of the people who just want to spin up a kubernetes cluster using terraform would like to have a UI, where they can input all the OCI values and terraform will run and display the results.
So a simple web application with fields from the tfvars file which will be filled by the user, and on clicking create, terraform init, plan and apply will run and the results or the logs will be output to the user.
The user will just run the docker-image and they will run the application locally, fill in the fields and the OKE cluster gets created. It will also eliminate any errors related to missing tfvars variables by the user.

Update base module to use the latest with Autonomous Linux for bastion

Description

The base module has been updated to use Autonomous Linux for bastion host. Upgrade the base module to use it. oracle-terraform-modules/terraform-oci-base#28

References

Use base module published on hashicorp's registry

Description

Now that the base module has been published on hashicorp's registry, we should point the base module to that instead of github.

New or Affected Resource(s)

module "base" {
  source            = "oracle-terraform-modules/base/oci"
  version           = "1.1.1"
  oci_base_identity = var.oci_base_identity
  oci_base_general  = var.oci_base_general
  oci_base_vcn      = var.oci_base_vcn
  oci_base_bastion  = var.oci_base_bastion
  oci_base_admin    = var.oci_base_admin
}

Potential Terraform Configuration

# Copy-paste any Terraform configurations for how the requested feature may be used. 

References

Issue with bastion creation


Error: Invalid index

on .terraform/modules/base/modules/bastion/datasources.tf line 40, in data "template_cloudinit_config" "bastion":
40: content = data.template_file.autonomous_cloud_init_file[0].rendered
|----------------
| data.template_file.autonomous_cloud_init_file is empty tuple

Add option to enable admission controller/pod security policy

Description

Pod security policy is now supported on OKE: https://docs.cloud.oracle.com/en-us/iaas/Content/ContEng/Tasks/contengusingpspswithoke.htm.

To do:

  1. Add an option to enable the admission controller and pod security policy
  2. Research whether this is mutually exclusive wrt using calico

New or Affected Resource(s)

Potential Terraform Configuration

# Copy-paste any Terraform configurations for how the requested feature may be used. 

References

Update KMS policy

Description

The resource types for kms has changed to keys. Need to update the policy statement so that OKE can use KMS.

New or Affected Resource(s)

oci_identity_policy.oke-kms

Potential Terraform Configuration

# Copy-paste any Terraform configurations for how the requested feature may be used. 

References

Update links in README.md for OKE module in hashicorp registry

Description

New or Affected Resource(s)

Potential Terraform Configuration

# Copy-paste any Terraform configurations for how the requested feature may be used. 

References

Document IAM Requirements

Description

Document all OCI IAM requirements:

  1. on a separate page
  2. in the form of a table

Things to document:

  1. Dynamic group
  2. Policies
  3. Notifications
  4. OKE
  5. KMS
  6. ...

Also, review the above in the light of these policy changes: https://docs.cloud.oracle.com/en-us/iaas/Content/ContEng/Concepts/contengpolicyconfig.htm

Create ServiceAccount to allow CI/CD tools to authenticate to OKE

Description

Until recently, CI/CD tools have been using the default secret token to authenticate to OKE for deployment purposes. Now that OKE uses Kubeconfig v2, this approach will not work anymore.

Solution: create a service account that CI/CD tools can use to authenticate for deployment purposes.
https://docs.cloud.oracle.com/iaas/Content/ContEng/Tasks/contengaddingserviceaccttoken.htm

References

Verify any use of deprecated APIs

Description

In Kubernetes 1.16, some APIs have been deprecated. Verify whether these are used anywhere and adjust accordingly.

See https://kubernetes.io/blog/2019/07/18/api-deprecations-in-1-16/

New or Affected Resource(s)

Potential Terraform Configuration

# Copy-paste any Terraform configurations for how the requested feature may be used. 

References

admin does not have kube config causing other issues

The admin node does not have a kube config file, which is causing several other issues pertaining to installing additional tools such as calico and metrics server.

see issue #109

[opc@admin .kube]$ ls -ltra
total 4
drwxrwxr-x. 2 opc opc 6 Dec 13 08:50 .
drwx------. 8 opc opc 4096 Dec 13 08:51 ..
[opc@admin .kube]$

OKE service CIDR and Pod CIDR selection

Can we use the same pods_cidr (10.244.0.0/16) and services_cidr (10.96.0.0/16) while creating OKE clusters for multiple environments, keeping the same VCN CIDR (10.0.0.0/16)? Will there be any conflict in any of the services?

Update Kubernetes available versions in Terraform options doc

https://github.com/oracle-terraform-modules/terraform-oci-oke/blob/master/docs/terraformoptions.adoc#oke

[Feature Request] Automatically generate SSH keys

It seems odd to me (and certainly not in keeping with other cloud providers) that SSH keys would need to be provided in the form of static files to spin up a k8s cluster.

If the keys cannot be generated in the cloud itself then it would make sense (in my opinion) to generate them using the tls_private_key terraform resource so they can be stored along with everything else in the TF statefile (and Consul if required.)

/home/opc/generate_kubeconfig.sh: line 5: oci: command not found

...
module.oke.local_file.kube_config_file: Creation complete after 0s [id=0073ab2f827a123dada44eff4abfda89e673ebd5]
module.oke.null_resource.write_kubeconfig_on_admin[0]: Provisioning with 'remote-exec'...
module.oke.null_resource.write_kubeconfig_on_admin[0] (remote-exec): Connecting to remote host via SSH...
module.oke.null_resource.write_kubeconfig_on_admin[0] (remote-exec): Host: 10.0.1.10
module.oke.null_resource.write_kubeconfig_on_admin[0] (remote-exec): User: opc
module.oke.null_resource.write_kubeconfig_on_admin[0] (remote-exec): Password: false
module.oke.null_resource.write_kubeconfig_on_admin[0] (remote-exec): Private key: true
module.oke.null_resource.write_kubeconfig_on_admin[0] (remote-exec): Certificate: false
module.oke.null_resource.write_kubeconfig_on_admin[0] (remote-exec): SSH Agent: true
module.oke.null_resource.write_kubeconfig_on_admin[0] (remote-exec): Checking Host Key: false
module.oke.null_resource.write_kubeconfig_on_admin[0] (remote-exec): Using configured bastion host...
module.oke.null_resource.write_kubeconfig_on_admin[0] (remote-exec): Host: 132.145.98.142
module.oke.null_resource.write_kubeconfig_on_admin[0] (remote-exec): User: opc
module.oke.null_resource.write_kubeconfig_on_admin[0] (remote-exec): Password: false
module.oke.null_resource.write_kubeconfig_on_admin[0] (remote-exec): Private key: true
module.oke.null_resource.write_kubeconfig_on_admin[0] (remote-exec): Certificate: false
module.oke.null_resource.write_kubeconfig_on_admin[0] (remote-exec): SSH Agent: true
module.oke.null_resource.write_kubeconfig_on_admin[0] (remote-exec): Checking Host Key: false
module.oke.oci_containerengine_node_pool.nodepools[0]: Creation complete after 1s [id=ocid1.nodepool.oc1.ca-toronto-1.aaaaaaaaafrdcmrvgjrwcn3bgmydmzrrg42daobtheztoyrugnrgeztggjrw]
module.oke.data.oci_containerengine_node_pools.all_node_pools: Refreshing state...
module.oke.null_resource.write_kubeconfig_on_admin[0] (remote-exec): Connected!
module.oke.null_resource.write_kubeconfig_on_admin[0] (remote-exec): /home/opc/generate_kubeconfig.sh: line 5: oci: command not found
module.oke.null_resource.write_kubeconfig_on_admin[0]: Creation complete after 2s [id=3895753161101986324]
module.oke.null_resource.create_service_account[0]: Creating...
module.oke.null_resource.create_service_account[0]: Provisioning with 'file'...
module.oke.null_resource.create_service_account[0]: Provisioning with 'remote-exec'...
module.oke.null_resource.create_service_account[0] (remote-exec): Connecting to remote host via SSH...
module.oke.null_resource.create_service_account[0] (remote-exec): Host: 10.0.1.10
module.oke.null_resource.create_service_account[0] (remote-exec): User: opc
module.oke.null_resource.create_service_account[0] (remote-exec): Password: false
module.oke.null_resource.create_service_account[0] (remote-exec): Private key: true
module.oke.null_resource.create_service_account[0] (remote-exec): Certificate: false
module.oke.null_resource.create_service_account[0] (remote-exec): SSH Agent: true
module.oke.null_resource.create_service_account[0] (remote-exec): Checking Host Key: false
module.oke.null_resource.create_service_account[0] (remote-exec): Using configured bastion host...
module.oke.null_resource.create_service_account[0] (remote-exec): Host: 132.145.98.142
module.oke.null_resource.create_service_account[0] (remote-exec): User: opc
module.oke.null_resource.create_service_account[0] (remote-exec): Password: false
module.oke.null_resource.create_service_account[0] (remote-exec): Private key: true
module.oke.null_resource.create_service_account[0] (remote-exec): Certificate: false
module.oke.null_resource.create_service_account[0] (remote-exec): SSH Agent: true
module.oke.null_resource.create_service_account[0] (remote-exec): Checking Host Key: false
module.oke.null_resource.create_service_account[0] (remote-exec): Connected!
module.oke.null_resource.create_service_account[0] (remote-exec): The connection to the server localhost:8080 was refused - did you specify the right host or port?
module.oke.null_resource.create_service_account[0] (remote-exec): The connection to the server localhost:8080 was refused - did you specify the right host or port?

Error: error executing "/tmp/terraform_1823839862.sh": Process exited with status 1

ludovicdessemon@ludovicdessemon-mac terraform-oci-oke %

Special character when running terraform with bastion host

module.oke.null_resource.install_kubectl_bastion (remote-exec): Connected!
module.base.oci_identity_policy.instance_principal: Creation complete after 1s (ID: ocid1.policy.oc1..aaaaaaaauur7c5xmfg4vpbhdmwprqkpkblom6lyoajhpbe3lyvrrvy7zfuaq)
module.oke.null_resource.install_kubectl_bastion (remote-exec): /home/opc/install_kubectl.sh: line 4: $'\r': command not found
module.oke.null_resource.install_kubectl_bastion (remote-exec): /home/opc/install_kubectl.sh: line 15: syntax error: unexpected end of file
module.oke.oci_containerengine_cluster.k8s_cluster: Still creating... (2m0s elapsed)
module.oke.null_resource.install_kubectl_bastion: Still creating... (10s elapsed)
module.oke.oci_containerengine_cluster.k8s_cluster: Still creating... (2m10s elapsed)
module.oke.null_resource.install_kubectl_bastion: Still creating... (20s elapsed)
module.oke.oci_containerengine_cluster.k8s_cluster: Still creating... (2m20s elapsed)
module.oke.null_resource.install_kubectl_bastion: Still creating... (30s elapsed)
module.oke.oci_containerengine_cluster.k8s_cluster: Still creating... (2m30s elapsed)
module.oke.null_resource.install_kubectl_bastion: Still creating... (40s elapsed)

Issue with applying keyvault for Encrypting Kubernetes Secrets

Followed the https://docs.cloud.oracle.com/iaas/Content/ContEng/Tasks/contengencryptingdata.htm

Created dynamic group and policies as per above link

Below attributes are set as per documentation.

use_encryption = true

existing_key_id = "ocid1.keyxxxxxxxxxxxxxxxxxxxxxxxx"

==================
Error: Unsupported attribute

on modules/policies/locals.tf line 10, in locals:
10: policy_statement = (var.oke_kms.use_encryption == true) ? "Allow dynamic-group ${oci_identity_dynamic_group.oke-kms-cluster[0].name} to use keys in compartment ${var.oci_identity.compartment_name} where target.key.id = '${var.oke_kms.key_id}'" : ""
|----------------
| var.oci_identity is object with 5 attributes

This object does not have an attribute named "compartment_name".

Add an internal admin host

Description

Add an internal admin host instead of using the bastion host for installing stuff on the cluster.

New or Affected Resource(s)

  • in base module, add a 3rd submodule for the admin host. create security list, subnet, compute. publish the private ip of admin host in base.

  • enable instance_principal on admin host.

  • this is required to support #98

  • do all other cluster operations e.g. metricserver, calico installations from adminhost. terraform code must be updated to use adminhost instead of bastion

Add support for new regions

Description

5 new regions are now available. Add support for OCIR.

New or Affected Resource(s)

variable "ocir_urls" {
  description = "urls of ocir"
  default = {
    ap-sydney-1    = "syd.ocir.io"
    ap-melbourne-1 = "mel.ocir.io"
    ap-mumbai-1    = "bom.ocir.io"
    ap-osaka-1     = "kix.ocir.io"
    ap-seoul-1     = "icn.ocir.io"
    ap-tokyo-1     = "nrt.ocir.io"
    ca-toronto-1   = "yyz.ocir.io"
    eu-amsterdam-1 = "ams.ocir.io"
    eu-frankfurt-1 = "fra.ocir.io"
    eu-zurich-1    = "zrh.ocir.io"
    me-jeddah-1    = "jed.ocir.io"
    sa-saopaulo-1  = "gru.ocir.io"
    uk-london-1    = "lhr.ocir.io"
    us-ashburn-1   = "iad.ocir.io"
    us-phoenix-1   = "phx.ocir.io"
  }
  type = map(string)
}

Potential Terraform Configuration

# Copy-paste any Terraform configurations for how the requested feature may be used. 

References

Disable Kubernetes dashboard

Description

As recommended here: https://docs.cloud.oracle.com/iaas/Content/Security/Reference/oke_security.htm#DisablingtheKubernetesDashboardAddon

New or Affected Resource(s)

variable "dashboard_enabled" {
  description = "whether to enable kubernetes dashboard"
  default     = false
  type        = bool
}

Potential Terraform Configuration

# Copy-paste any Terraform configurations for how the requested feature may be used. 

References

Remove quotes for quoted references

Description

Quoted references are now deprecated. Remove them where necessary

data.oci_core_images.oracle_images returns empty tuple

Terraform Version and Provider Version

0.12.16

Affected Resource(s)

autonomous_image_id = lookup(data.oci_core_app_catalog_subscriptions.autonomous_linux[0].app_catalog_subscriptions[0], "listing_resource_id")
oracle_image_id = data.oci_core_images.oracle_images[0].images.0.id

Terraform Configuration Files

bastion/locals.tf


Actual Behavior

Error: Invalid index

on modules\base\bastion\locals.tf line 13, in locals:
13: oracle_image_id = data.oci_core_images.oracle_images[0].images.0.id

data.oci_core_images.oracle_images is empty tuple
The given key does not identify an element in this collection value.

Steps to Reproduce

  1. terraform plan


Issue while installing calico - remote-exec error

module.oke.null_resource.install_calico[0] (remote-exec): unable to recognize "calico-policy-only.yaml": Get http://localhost:8080/api?timeout=32s: dial tcp 127.0.0.1:8080: connect: connection refused
module.oke.null_resource.install_calico[0]: Creation complete after 14s [id=310330431674851063]

Error: error executing "/tmp/terraform_812903520.sh": Process exited with status 1

Error: error executing "/tmp/terraform_1105940682.sh": Process exited with status 1


Use compartment id instead of name to write policy statement


Description

In the following policy statement in modules/policies/locals.tf:

policy_statement = "Allow dynamic-group ${oci_identity_dynamic_group.oke-kms-cluster[0].name} to use keys in compartment ${var.oci_identity.compartment_name} where target.key.id = '${var.oke_kms.key_id}'"

... consider using the compartment id instead of the name. That way, we can remove the need for users to enter the compartment name in tfvars. Similar to the implementation in https://github.com/oracle-terraform-modules/terraform-oci-base/blob/master/modules/bastion/iam.tf

support for kubeconfig v2


Description

As OKE will be moving to Kubeconfig v2, we need to support this.

Remove provider.tf to make this project a reusable module from the registry


Python script Failure for oci connect from bastion node

The "is_worker_active" resource is able to log in to the bastion successfully after creation but fails at the remote_exec step mentioned below:

resource null_resource "is_worker_active" {
  ................
  provisioner "remote-exec" {
    inline = [
      "chmod +x $HOME/is_worker_active.py",
      "while [ ! -f $HOME/node.active ]; do $HOME/is_worker_active.py; sleep 10; done",
    ]
  }

  count = "1"
}

The failure says:
ServiceError:
{
"code": "NotAuthorizedOrNotFound",
"message": "Authorization failed or requested resource not found.",
"opc-request-id": "7989A2AF3D324AE58BB7E991CEC19D8B/34FEA76D72131B65E6833EF2E40764CC/335199A4F1B9BC0F9CD5BE38F7DCEA1E",
"status": 404
}

Anything needed at the bastion host for this to succeed? kubectl works fine from the bastion for the 'opc' user.

issue with metrics server install


Issue with the following script
https://github.com/oracle-terraform-modules/terraform-oci-oke/blob/master/modules/oke/scripts/install_metricserver.template.sh

replace the following line

kubectl create -f deploy/1.8+/

with

kubectl create -f deploy/kubernetes/

as the dependent github folder has changed
https://github.com/kubernetes-sigs/metrics-server/tree/master/deploy/kubernetes

WAF Integration for Public Load balancers


Description

Configure public load balancer ingress rules to accept connections only from the WAF cidr ranges as listed in https://docs.cloud.oracle.com/en-us/iaas/Content/WAF/Concepts/gettingstarted.htm

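One way the restriction requested above could be expressed, as an added example that is not the module's own code: a security list for the public load balancer subnet whose ingress rules are generated from a list of WAF source ranges, so the load balancer is not reachable directly when WAF is in front of it. All variable and resource names are assumptions, and the CIDR values are constructed placeholders, not the ranges from the WAF documentation.

```hcl
# Added example. Names below are hypothetical, not taken from terraform-oci-oke.
variable "compartment_id" { type = string }
variable "vcn_id" { type = string }

variable "waf_enabled" {
  description = "whether public load balancers sit behind OCI WAF"
  type        = bool
  default     = true
}

variable "waf_cidrs" {
  description = "WAF source ranges, copied from the OCI WAF documentation"
  type        = list(string)
  # Constructed placeholders (RFC 5737 documentation ranges), NOT real WAF ranges.
  default = ["192.0.2.0/24", "198.51.100.0/24"]
}

locals {
  # Behind WAF: accept traffic only from the WAF ranges.
  # Without WAF: the load balancer has to accept traffic from anywhere.
  pub_lb_sources = var.waf_enabled ? var.waf_cidrs : ["0.0.0.0/0"]
}

resource "oci_core_security_list" "pub_lb" {
  compartment_id = var.compartment_id
  vcn_id         = var.vcn_id
  display_name   = "pub-lb"

  # One stateful HTTPS ingress rule per allowed source range.
  dynamic "ingress_security_rules" {
    for_each = local.pub_lb_sources

    content {
      protocol  = "6" # TCP
      source    = ingress_security_rules.value
      stateless = false

      tcp_options {
        min = 443
        max = 443
      }
    }
  }
}
```

Keeping the ranges in a variable means a change to the published WAF ranges is a tfvars update followed by `terraform plan`, and the plan output shows exactly which ingress rules are added or dropped.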

How can we add a regional subnet w/ this module, into an existing vcn?

Hi, I have a simple question:

Is it possible within this module to use existing resources when creating an infrastructure? The main use case is to be able to add a regional subnet into an existing vcn?

The module works great out of the box, but I am trying to understand how granular I can get with controlling which resources to create and which resources not to create when using the module.

In .tfvars/vars files, I did not see any options to determine any existing vcn, but rather the name etc of the vcns to be created. This works great out of the box, but not when you already have existing resources and want to utilize those.

Is this possible? If not, is there any suggestion on how we can get around this?

Incorrect documentation regarding tools and configuration in bastion


The topology documentation mentions tools and configuration installed on the bastion. This is no longer so as they are now installed on the admin server.


[Bug] OCI provided values overwritten by this module

This module appears to ignore any and all values set on the OCI provider before this module is executed and overwrites them with local variables.

This means that in order to use this module in an existing script you have to set up the OCI provider twice - once before the module (to perform other OCI tasks) and then again within the module - for example:

  • api_fingerprint (or as OCI refers to it - fingerprint)
  • private_key_path
  • tenancy_ocid
  • user_ocid

oci_ons_notification_topic.bastion_notification is empty tuple

fresh install
setting bastion_enabled = false

Error: Invalid index

on .terraform\modules\base\modules\bastion\datasources.tf line 69, in data "oci_ons_notification_topic" "bastion_notification":
69: topic_id = oci_ons_notification_topic.bastion_notification[0].topic_id
|----------------
| oci_ons_notification_topic.bastion_notification is empty tuple

The given key does not identify an element in this collection value.
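Both "empty tuple" reports on this page (data.oci_core_images.oracle_images and oci_ons_notification_topic.bastion_notification) show the same failure: `[0]` is applied to something whose `count` evaluated to 0. The following added example, which is not the module's own code, shows two ways to guard such a reference; `bastion_enabled` and the resource addresses come from the report above, every other name is an assumption.

```hcl
# Added example. Only bastion_enabled and the resource addresses appear on the page.
variable "bastion_enabled" {
  type    = bool
  default = false
}

variable "compartment_id" { type = string }

# Exists only when the bastion is enabled, so Terraform treats it as a
# tuple of zero or one element.
resource "oci_ons_notification_topic" "bastion_notification" {
  count          = var.bastion_enabled ? 1 : 0
  compartment_id = var.compartment_id
  name           = "bastion-notification" # hypothetical topic name
}

# Guard 1: anything that indexes [0] carries the same count condition,
# so it is not evaluated at all when the bastion is disabled.
data "oci_ons_notification_topic" "bastion_notification" {
  count    = var.bastion_enabled ? 1 : 0
  topic_id = oci_ons_notification_topic.bastion_notification[0].topic_id
}

locals {
  # Guard 2: where a single value is needed regardless, test the length
  # first and fall back to null instead of indexing an empty tuple.
  bastion_topic_id = (
    length(oci_ons_notification_topic.bastion_notification) > 0
    ? oci_ons_notification_topic.bastion_notification[0].topic_id
    : null
  )
}

output "bastion_topic_id" {
  value = local.bastion_topic_id
}
```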

should not continue the bastion notification setup if no bastion


[Bug] Kubeconfig contains unnecessary context

When using the terraform provider on an OKE cluster using the generated Kubeconfig file I am informed of the following issue:

x509: certificate signed by unknown authority

It looks like the CA data being provided in the kubeconfig file is invalid / incorrect and thus I am unable to connect to the k8s API endpoint over HTTPS.

Update: After further analysis it seems that the problem originates from the usage of contexts. This can be worked around by specifying config_context = "context-[first-part-of-cluster-url]" but this is rather cumbersome and doesn't really seem necessary.

Would it be possible to use well documented default contexts for k8s in future Kubeconfig files, since using contexts is a bit redundant when you have one file per cluster anyway?

Add support for Helm v3


Description

Add support for Helm v3, disable tiller, remove jetstack and incubator repos - use hub instead

New or Affected Resource(s)

install_helm.template.sh
null_resource.install_helm_bastion
template_file.install_helm

node_image_id in oci_containerengine_node_pool deprecated


Description

New or Affected Resource(s)

oci_containerengine_node_pool still uses node_image_id. This argument is deprecated. The new argument to use is

node_source_details {
#Required
image_id = "${oci_core_image.test_image.id}"
source_type = "${var.node_pool_node_source_details_source_type}"
}


Document feature dependencies


Description

Some features have dependencies, e.g. to install calico, the bastion host, the admin server and the instance_principal need to be enabled on the admin server. However, these are not well documented and sometimes lead to errors during execution.

We need to document dependencies in instructions and terraform options pages.

References

#110

create_service_account


Terraform Version and Provider Version

Terraform v0.12.23

Affected Resource(s)

data "template_file" "create_service_account"
resource null_resource "create_service_account"
scripts/create_service_account.template.sh

Debug Output

Github Gist: https://gist.github.com/redscaresu/8fccaaff9666194e698e3c28615953f7

Expected Behavior

run create_service_account.sh successfully

Actual Behavior

The script create_service_account.sh is successfully copied to the admin server; however, it does not run and errors out. Commenting out the script in its entirety results in the successful completion of the terraform apply; however, when the script is not uncommented the following error is received:

Error: error executing "/tmp/terraform_156019056.sh": Process exited with status 1

If I ssh to the admin host and run the script manually I receive the following error.

[xxxx@admin ~]$ ./create_service_account.sh
The connection to the server localhost:8080 was refused - did you specify the right host or port?
The connection to the server localhost:8080 was refused - did you specify the right host or port?

Steps to Reproduce

  1. terraform apply

TLS handshake timeout for API call to OKE service

I'm running into a strange issue, which I'm discussing with @hyder. It appears to be an issue with the service or tenancy, not the TF code per se. I'm posting here just in case any of the other contributors/users have seen this issue -- either when using this repo or any other.

I cloned this repo, set the variables, and tried applying the configuration....

The bastion & network resources were created alright.

But the k8s cluster resources weren't created. Here's the error:

Error: Post https://containerengine.us-phoenix-1.oraclecloud.com/20180222/clusters: net/http: TLS handshake timeout
  on modules/oke/cluster.tf line 4, in resource "oci_containerengine_cluster" "k8s_cluster":
   4: resource "oci_containerengine_cluster" "k8s_cluster" {

Ali and I suspected a proxy issue initially. But then why would the API request to the OKE service alone time out when the calls to the other services work fine? I get the same error when I change the region to Ashburn.
