Deploy a highly available and secure Kubernetes cluster and virtual cloud network on OCI (Oracle Cloud Infrastructure) with Terraform

Eric Hsieh
4 min read · Aug 2, 2022


The microservices architecture is a popular design pattern. Many cloud companies already provide infrastructure on which users can quickly build a dedicated network environment, instances and computing power. You can choose any of several providers for your first hands-on cloud workload, such as AWS, Azure, Google Cloud and Oracle Cloud. Today we will use Terraform to automatically create an isolated virtual network environment and a Kubernetes cluster. Let’s go!

I will split the whole flow into two sections. The first part focuses on using Terraform to create the network and the Kubernetes cluster; the second part will cover how to use GitHub Actions to deploy your first API service.

Before you try this code, you have to apply for an OCI account. You can find more instructions here. After you get the free-tier account and log in successfully, you also need to install some tools in your local development environment.

Follow the steps below to set up your environment:

1. Log in to the OCI console and download your personal key.

Add a new API key for local client use.
Download your personal private/public PEM key; we will use it later.
Copy the configuration content into your local OCI config file (~/.oci/config).

Don’t forget to store your private/public key in your local ssh path, for example “~/.ssh/oci_private.pem” and “~/.ssh/oci_public.pem”. Terraform will use these keys to invoke the OCI API. The private key should be readable only by your own user; the OCI CLI warns if the key file permissions are too open.

2. Prepare your ssh key with the command “ssh-keygen -t rsa -b 4096”. It generates an RSA key pair for your ssh remote connections. The default private key path is “~/.ssh/id_rsa” and the public key is “~/.ssh/id_rsa.pub”.

Create your ssh key

3. Install the OCI CLI tools on your local device. You can refer here to install them. Paste the content from the previous step into “~/.oci/config” once the install script completes.

Update the private key path to the key downloaded in step 1

4. Install Terraform on your local device. If you use a Mac as your development platform, you can use Homebrew to install Terraform; for the detailed install script, refer here.

5. Clone the demo repository from https://github.com/Eric6986/oci-oke-demonstration. The Terraform code automatically creates the resources used in this architecture: the cluster, the bastion, the network and everything else. Terraform reads local environment variables whose names start with “TF_VAR_” and substitutes them for the script variables. I also prepared a shell script in the repository named “tf_vars_setting.sh” to help you set those environment variables. Once you have updated your OCI configuration file in ~/.oci/config, the script automatically retrieves the necessary values and sets the TF variables from them.

Use the -h parameter to see how to use it.

If you don’t want to use the default values for the variables, use the -f, -c and -p parameters to set them.

  1. -f: The shell script reads the default OCI configuration file from “~/.oci/config”. If your OCI config file is in another path, pass it with -f {your OCI configuration file path}.
  2. -p: If your ssh public key is not at ~/.ssh/id_rsa.pub, pass your actual key path with -p {your public key path}.
  3. -c: If you did not create a new compartment, the root compartment ID is the same as your tenancy ID. If you created a new compartment in OCI, follow the steps below to get your compartment ID from the OCI console, or pass -c {your specific compartment ID} to override the variable.
Use the OCI console to get the compartment.
Retrieve your compartment ID

6. Run the Terraform commands; you can observe the progress of the Terraform script and see which resources will be created. Once all resources are created, some commands will be printed in the console. Typically you run terraform init, terraform plan and terraform apply to create all resources. Read the README for more detail on the deployment steps.

Resource creation completed.

7. Follow the console output to open a private ssh tunnel from your local device to the OKE private API endpoint. It updates your Kubernetes access endpoint to 127.0.0.1:6443 in $HOME/.kube/config.

Use the output commands to set up your local ssh tunnel and Kubernetes config
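As an added example (not the repository’s tf_vars_setting.sh and not the author’s code), here is a small pre-flight script in the spirit of steps 1, 3 and 5: it reads the [DEFAULT] profile from the OCI config file, refuses to continue if the API signing key is missing or readable by other users, and emits the TF_VAR_* exports, defaulting the compartment to the tenancy (root compartment) as step 5 describes. The TF_VAR_* names, the function names and the fixture values are assumptions; the script builds a fake config in a temp directory so it can be dry-run offline.

```shell
#!/usr/bin/env bash
# Pre-flight check before `terraform init/plan/apply`: read the [DEFAULT] profile of the
# OCI CLI config, stop if the API signing key is missing or readable by group/other,
# then emit TF_VAR_* exports. Added example, not the repo's tf_vars_setting.sh; the
# TF_VAR_* names are assumptions, match them to the variables your .tf files declare.

# Print the value of key $2 from the [DEFAULT] profile of OCI config file $1.
oci_cfg_get() {
  sed -n "/^\[DEFAULT\]/,/^\[/{s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p;}" "$1" | head -n 1
}

# Expand a leading "~/" the way the OCI CLI does for key_file.
expand_tilde() {
  case "$1" in "~/"*) printf '%s\n' "$HOME/${1#\~/}" ;; *) printf '%s\n' "$1" ;; esac
}

# 0 only if $1 is a regular file with no group/other bits (mode 600 or 400); the
# ls -l mode column is POSIX, so this works on GNU and BSD userlands alike.
key_perms_ok() {
  [ -f "$1" ] || return 1
  case "$(ls -ld "$1" | cut -c5-10)" in ------) return 0 ;; *) return 1 ;; esac
}

# Usage: tf_vars_from_config CONFIG SSH_PUBKEY [COMPARTMENT_OCID]
# Without a compartment it falls back to the tenancy (root compartment) OCID.
tf_vars_from_config() {
  local cfg="$1" pub="$2" f key
  for f in tenancy user fingerprint region key_file; do
    [ -n "$(oci_cfg_get "$cfg" "$f")" ] || { echo "missing '$f' in $cfg" >&2; return 1; }
  done
  key=$(expand_tilde "$(oci_cfg_get "$cfg" key_file)")
  key_perms_ok "$key" || { echo "$key missing or too permissive; run chmod 600" >&2; return 1; }
  [ -f "$pub" ] || { echo "ssh public key $pub not found" >&2; return 1; }
  printf 'export TF_VAR_tenancy_ocid=%s\n' "$(oci_cfg_get "$cfg" tenancy)"
  printf 'export TF_VAR_user_ocid=%s\n' "$(oci_cfg_get "$cfg" user)"
  printf 'export TF_VAR_fingerprint=%s\n' "$(oci_cfg_get "$cfg" fingerprint)"
  printf 'export TF_VAR_region=%s\n' "$(oci_cfg_get "$cfg" region)"
  printf 'export TF_VAR_private_key_path=%s\n' "$key"
  printf 'export TF_VAR_compartment_ocid=%s\n' "${3:-$(oci_cfg_get "$cfg" tenancy)}"
  printf 'export TF_VAR_ssh_public_key="%s"\n' "$(cat "$pub")"
}
# Constructed fixture (fake OCIDs and keys, not real credentials) for an offline dry run.
make_demo_fixture() {
  local d; d=$(mktemp -d)
  printf 'FAKE KEY, not a credential\n' > "$d/oci_private.pem" && chmod 600 "$d/oci_private.pem"
  echo "ssh-rsa AAAAfake demo@example" > "$d/id_rsa.pub"
  printf '[DEFAULT]\nuser=ocid1.user.oc1..exampleuser\nfingerprint=aa:bb:cc:dd\ntenancy=ocid1.tenancy.oc1..exampletenancy\nregion=ap-tokyo-1\nkey_file=%s\n' "$d/oci_private.pem" > "$d/config"
  printf '%s\n' "$d"
}
demo=$(make_demo_fixture) && tf_vars_from_config "$demo/config" "$demo/id_rsa.pub"
```

To use it against a real setup, run `eval "$(tf_vars_from_config ~/.oci/config ~/.ssh/id_rsa.pub)"` in the shell where you will run terraform; a non-zero exit means a field or key is missing or the key permissions need tightening.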

Congratulations! We have completed the Kubernetes virtual network setup on OCI; the settings are almost the same as what the console wizard produces when it builds your cluster. I suggest you also study the detailed network settings in the Terraform script. I will describe the Kubernetes pod, service and ingress deployment concepts in more detail on the next page!

Reference A: https://docs.oracle.com/en-us/iaas/Content/ContEng/Tasks/contengsettingupbastion.htm

Reference B: https://www.ateam-oracle.com/post/using-oci-bastion-service-to-manage-private-oke-kubernetes-clusters


Principal Solution Engineer at Oracle. I like to share the actual cloud knowledge and case. Keep moving forward!