From 337882b6f18d0fbb07be2f24afdcdecee4abb390 Mon Sep 17 00:00:00 2001 From: paliwalparitosh Date: Mon, 13 Jan 2025 22:39:13 +0530 Subject: [PATCH] feature: OKE infra and service discovery --- charts/logan/templates/discovery-cronjob.yaml | 36 ++++++-- charts/logan/values.yaml | 60 +++++--------- docs/FAQ.md | 23 ++++++ terraform/modules/helm/helm-inputs.tf | 36 ++++---- terraform/modules/helm/helm-outputs.tf | 4 +- terraform/modules/helm/helm.tf | 42 +++++----- terraform/modules/helm/mushop_values.yaml | 61 -------------- terraform/modules/iam/iam-inputs.tf | 10 +++ terraform/modules/iam/iam.tf | 82 ++++++++++++++++--- terraform/modules/livelab/inputs.tf | 12 --- terraform/modules/livelab/livelab.tf | 13 --- terraform/modules/livelab/outputs.tf | 10 --- terraform/modules/livelab/provider.tf | 12 --- terraform/modules/main/main-inputs.tf | 12 +++ terraform/modules/main/main.tf | 17 ++-- terraform/oke/schema.yaml | 34 +++++++- terraform/oke/stack-inputs.tf | 16 +++- terraform/oke/stack.tf | 4 +- terraform/oke/version.auto.tfvars | 2 +- util/build_stack.sh | 31 ++----- 20 files changed, 278 insertions(+), 239 deletions(-) delete mode 100644 terraform/modules/helm/mushop_values.yaml delete mode 100644 terraform/modules/livelab/inputs.tf delete mode 100644 terraform/modules/livelab/livelab.tf delete mode 100644 terraform/modules/livelab/outputs.tf delete mode 100644 terraform/modules/livelab/provider.tf diff --git a/charts/logan/templates/discovery-cronjob.yaml b/charts/logan/templates/discovery-cronjob.yaml index 85969fc..5b6444f 100644 --- a/charts/logan/templates/discovery-cronjob.yaml +++ b/charts/logan/templates/discovery-cronjob.yaml 
@@ -12,12 +12,13 @@ metadata: spec: schedule: {{ .Values.k8sDiscovery.objects.cronSchedule | quote }} startingDeadlineSeconds: 120 - concurrencyPolicy: Replace + concurrencyPolicy: Forbid successfulJobsHistoryLimit: {{ .Values.k8sDiscovery.objects.successfulJobsHistoryLimit }} failedJobsHistoryLimit: {{ .Values.k8sDiscovery.objects.failedJobsHistoryLimit }} jobTemplate: spec: backoffLimit: {{ .Values.k8sDiscovery.objects.backoffLimit }} + activeDeadlineSeconds: 600 template: spec: restartPolicy: {{ .Values.k8sDiscovery.objects.restartPolicy }} @@ -83,10 +84,6 @@ spec: - --oci_domain - {{ .Values.ociDomain }} {{- end }} - {{- if .Values.k8sDiscovery.objects.discoveryMode }} - - --discovery - - {{ .Values.k8sDiscovery.objects.discoveryMode }} - {{- end }} {{- if .Values.k8sDiscovery.objects.log_format }} - --log_format - {{ .Values.k8sDiscovery.objects.log_format }} 
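Review bot: `activeDeadlineSeconds: 600` is hard-coded in the job template while the wait it bounds, `k8sDiscovery.infra.stack_operation_timeout`, is user-configurable in values.yaml (default 300); a user who raises that timeout past roughly 600 seconds will have the pod killed by the job deadline before the stack wait returns, and with `backoffLimit` now 0 there is no retry. Either template it from values, e.g. `activeDeadlineSeconds: {{ .Values.k8sDiscovery.objects.activeDeadlineSeconds | default 600 }}` with a matching commented entry in values.yaml, or state the relationship in a comment next to the line so the two limits are changed together. The move to `concurrencyPolicy: Forbid` looks right for a job that applies a Resource Manager stack, since overlapping runs would race on the same stack; a one-line comment saying so would spare the next reader the archaeology.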
@@ -107,6 +104,33 @@ spec: {{- if .Values.k8sDiscovery.objects.collect_warning_events_only }} - --collect_warning_events_only {{- end }} + {{- /* Infra Discovery */}} + {{- if eq .Values.k8sDiscovery.infra.enable_service_log true }} + - --enable_service_log + {{- if eq .Values.k8sDiscovery.infra.probe_all_compartments true }} + {{- if .Values.k8sDiscovery.infra.tenancy_ocid }} + - --probe_all_compartments + - --tenancy_ocid + - {{ .Values.k8sDiscovery.infra.tenancy_ocid | quote }} + {{- else -}} + {{- required "tenancy ocid must be set when probe_all_compartments is set as true" .Values.k8sDiscovery.infra.tenancy_ocid }} + {{- end }} + {{- end }} + {{- if .Values.k8sDiscovery.infra.oci_tags_base64 }} + - --oci_tags_base64 + - {{ .Values.k8sDiscovery.infra.oci_tags_base64 }} + {{- end }} + {{- if .Values.k8sDiscovery.infra.rms_template_base64_encoded }} + - --rms_template_base64_encoded + - {{ .Values.k8sDiscovery.infra.rms_template_base64_encoded }} + {{- else }} + {{- required "rms_template_base64_encoded is required" .Values.k8sDiscovery.infra.rms_template_base64_encoded }} + {{- end }} + {{- if .Values.k8sDiscovery.infra.stack_operation_timeout }} + - --stack_operation_timeout + - {{ .Values.k8sDiscovery.infra.stack_operation_timeout | quote }} + {{- end }} + {{- end }} {{- /* optional kubernetes cluster configuration */}} {{- if .Values.k8sDiscovery.kubeClientOptions.kubernetes_url }} - --kubernetes_url @@ -150,4 +174,4 @@ spec: sources: - secret: name: {{ $resourceNamePrefix }}-oci-config - {{- end }} + {{- end }} \ No newline at end of file diff --git a/charts/logan/values.yaml b/charts/logan/values.yaml index 8da87c0..7e3870a 100644 --- a/charts/logan/values.yaml +++ b/charts/logan/values.yaml 
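Review bot: `- {{ .Values.k8sDiscovery.infra.oci_tags_base64 }}` and `- {{ .Values.k8sDiscovery.infra.rms_template_base64_encoded }}` are emitted as plain YAML scalars while the neighbouring `tenancy_ocid` and `stack_operation_timeout` arguments go through `| quote`; a base64 value consisting only of digits, or shaped like `1e10`, would be retyped by the YAML parser and the container would receive a mangled argument, so add `| quote` to both for the same reason it was added to the others. `{{- if eq .Values.k8sDiscovery.infra.enable_service_log true }}` and the `probe_all_compartments` check below it compare against a bool literal, which can error in Go templates when the value arrives as the string "true" (a values file with `"true"`, or `--set-string`); the rest of this template uses the bare `{{- if .Values… }}` form (see `collect_warning_events_only` just above), and these two should match it. The `required` messages in the else branches make the failure modes explicit, which is good.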
@@ -647,45 +647,6 @@ fluentd: # In case of container log (/var/log/containers/*.log), exclude the corresponding log path in "genericContainerLogs" section. customFluentdConf: | - # -- Configuration for collecting Kubernetes Object information. - # Supported objects are Node, Pod, Namespace, Event, DaemonSet, ReplicaSet, Deployment, StatefulSet, Job, CronJob - kubernetesObjects: - #metadata: - #"Client Host Region": "America" - #"Environment": "Production" - #"Third Key": "Third Value" - #ociLALogGroupID: - objectsList: - nodes: - #api_version: v1 - api_endpoint: "" - pods: - api_endpoint: "" - namespaces: - api_endpoint: "" - services: - api_endpoint: "" - events: - api_endpoint: "" - persistent_volumes: - api_endpoint: "" - persistent_volume_claims: - api_endpoint: "" - daemon_sets: - api_endpoint: apis/apps - replica_sets: - api_endpoint: apis/apps - deployments: - api_endpoint: apis/apps - stateful_sets: - api_endpoint: apis/apps - jobs: - api_endpoint: apis/batch - cron_jobs: - api_endpoint: apis/batch - endpoint_slices: - api_endpoint: apis/discovery.k8s.io - # k8sDiscovery: defines properties that affect kubernetes objects discovery k8sDiscovery: # objects: defines inputs for K8s objects discovery 
@@ -720,8 +681,25 @@ k8sDiscovery: # Default: All logs are collected and sent to OCI logging analytics for processing collect_warning_events_only: false # backoffLimit: Specify the number of retries before considering a Job as failed - backoffLimit: 2 - # kubernetes: kubernetes cluster related inputs for kubernetes disocvery job + backoffLimit: 0 + infra: + # Enable Logs collection for OKE's OCI infra components - LB, OKE Cluster control plane, Subnet logs etc + # Not supported for Non OKE clusters + enable_service_log: false + # Discovers OKE Node Pools in all compartments of tenant + # when false, Node Pools present in OKE's compartment are discovered + probe_all_compartments: false + # tenancy ocid - must be provided if probe_all_compartments is set as true + tenancy_ocid: + # Base64 encoded string of OCI freeform and defined tags + # expected/example format: {"definedTags":{"Oracle-Recommended-Tags.ResourceOwner":"testOwner","Oracle-Recommended-Tags.ResourceUsage":"testUsage","test.key":"testOwner"},"freeformTags":{"project":"logan","test_number":"1"}} + oci_tags_base64: + # This is a helper stack which is used to enable service logs collection by creating a Service connector and Enable Logging for discovered OCI service components + # [Users are usually not expected to alter this] + rms_template_base64_encoded: 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 + # Maximum amount of time (in seconds) the job should wait while checking the status of stack APPLY operation. Default: 300 + stack_operation_timeout: 300 + # kubernetes: kubernetes cluster related inputs for kubernetes discovery job kubeClientOptions: # kubernetes_url: Kubernetes API server URL. kubernetes_url: diff --git a/docs/FAQ.md b/docs/FAQ.md index d329cba..834de5d 100644 --- a/docs/FAQ.md +++ b/docs/FAQ.md 
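Review bot: `rms_template_base64_encoded` holds an opaque base64 blob that, per the comment above it, the discovery job applies as a Resource Manager stack creating a Service Connector and enabling logging, yet the values file gives no way to tell what the blob contains or where it was generated from. Add a comment naming the template's source location in the repository and the version it was encoded from, so a reviewer can diff the decoded content against it, and consider pinning a digest of the blob in the chart so an edited override is noticed rather than silently applied. `tenancy_ocid:` and `oci_tags_base64:` left bare parse as null, which works because the template guards both with `if`, but `tenancy_ocid: null` states the intent explicitly.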
@@ -606,3 +606,26 @@ oci-onm-logan: awsStsRoleArn: s3Bucket: ``` + + +### Service Logs Collection + +#### How to Collect Logs for Node Pools in Different Compartments than the OKE Cluster's Compartment? +By default, the discovery job only collects information from node pools that are in the same compartment as the OKE cluster. + +To enable node pool discovery across all compartments in the tenancy, customers can set the following property in the Helm chart: + +```yaml +oci-onm-logan.k8sDiscovery.infra.probe_all_compartments = true +``` + +#### Policies Required + +In addition to the configuration above, a few additional policies must be added. Validate if the following policy statements are sufficient: + +```plaintext +Allow dynamic-group ${OKE_DYNAMIC_GROUP} to inspect compartments in tenancy +Allow dynamic-group ${OKE_DYNAMIC_GROUP} to read cluster-node-pools in tenancy +``` + +**TODO**: Confirm if these policy statements are adequate or if further policies are required. \ No newline at end of file diff --git a/terraform/modules/helm/helm-inputs.tf b/terraform/modules/helm/helm-inputs.tf index 0b1097a..7a94e29 100644 --- a/terraform/modules/helm/helm-inputs.tf +++ b/terraform/modules/helm/helm-inputs.tf 
@@ -94,35 +94,41 @@ variable "opt_deploy_metric_server" { } #### -## livelab +## OCI Client Config #### -# Option to deploy mushop specific values.yaml (inputs) -variable "deploy_mushop_config" { - type = bool - default = false -} - -# Service Account to be used when working on livelab cluster -variable "livelab_service_account" { +# OCI domain +variable "oci_domain" { type = string - default = "" + default = null } #### -## OCI Client Config +## Discovery Configuration #### -# OCI domain -variable "oci_domain" { - type = string - default = null +# Enable service logs collection for OKE infra components +variable "enable_service_log" { + type = bool + default = false +} + +# OCI Tags +variable "tags" { + type = object({ freeformTags = map(string), definedTags = map(string) }) + default = { "freeformTags" = {}, "definedTags" = {} } } #### ## Others #### +variable "LOGAN_ENDPOINT" { + description = "Logging Analytics Endpoint." + type = string + default = null +} + # Save data resources in local_file for debug purposes variable "debug" { type = bool diff --git a/terraform/modules/helm/helm-outputs.tf b/terraform/modules/helm/helm-outputs.tf index ccfdeb7..1277fec 100644 --- a/terraform/modules/helm/helm-outputs.tf +++ b/terraform/modules/helm/helm-outputs.tf 
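Review bot: `variable "LOGAN_ENDPOINT"` accepts any string, and per helm.tf in this patch its value becomes both `ociLAEndpoint` and the fluentd output plugin endpoint, i.e. where log data is sent; a `validation` block that rejects anything but an `https://` URL stops a typo in this dev-only override from downgrading transport or pointing collection at an unintended host. The new `enable_service_log` and `tags` variables also lack a `description`, unlike `LOGAN_ENDPOINT`; one line each would do, e.g. `description = "Enable service log collection for OKE infra components."`. The upper-case name `LOGAN_ENDPOINT` also breaks the snake_case used by every other variable in this file; if it must stay for parity with the stack schema, a comment saying so would help.
```hcl
variable "LOGAN_ENDPOINT" {
  description = "Logging Analytics Endpoint."
  type        = string
  default     = null

  # Dev-only override; refuse plain-text or malformed endpoints before they reach helm.
  validation {
    condition     = var.LOGAN_ENDPOINT == null || can(regex("^https://", var.LOGAN_ENDPOINT))
    error_message = "LOGAN_ENDPOINT must be an https:// URL."
  }
}
```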
@@ -14,7 +14,9 @@ locals { "--set oci-onm-logan.ociLANamespace=${var.oci_la_namespace}", "--set oci-onm-logan.ociLAClusterEntityID=${var.oci_la_cluster_entity_ocid}", "--set oci-onm-mgmt-agent.deployMetricServer=${var.opt_deploy_metric_server}", - "--set oci-onm-mgmt-agent.mgmtagent.installKeyFileContent=${var.mgmt_agent_install_key_content}" + "--set oci-onm-mgmt-agent.mgmtagent.installKeyFileContent=${var.mgmt_agent_install_key_content}", + "--set oci-onm-logan.k8sDiscovery.infra.enable_service_log=${var.enable_service_log}", + "--set oci-onm-logan.k8sDiscovery.infra.oci_tags_base64=${base64encode(jsonencode(var.tags))}" ]) cmd_3_layer_1 = var.oci_domain == null ? local.cmd_3_layer_0 : "${local.cmd_3_layer_0} --set oci-onm-logan.ociDomain=${var.oci_domain}" diff --git a/terraform/modules/helm/helm.tf b/terraform/modules/helm/helm.tf index bf35a51..f775ac4 100644 --- a/terraform/modules/helm/helm.tf +++ b/terraform/modules/helm/helm.tf @@ -13,7 +13,10 @@ locals { kubernetes_cluster_name = var.kubernetes_cluster_name - helm_inputs = { + # freeformTags_as_String = "join(",", [for key, value in var.tags.freeformTags : "\"${key}\" = \"${value}\""])" + # tags_as_string = "{${join(",", [for key, value in var.tags : "\"${key}\" = \"${value}\""])}}" + + helm_inputs_base = { # global "global.namespace" = var.kubernetes_namespace "global.kubernetesClusterID" = var.kubernetes_cluster_id 
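Review bot: The two commented-out locals `# freeformTags_as_String = …` and `# tags_as_string = …` added above `helm_inputs_base` are dead code that also contradicts the `base64encode(jsonencode(var.tags))` approach used in the `# discovery` block of this file and in helm-outputs.tf; drop them. If the encoding choice needs explaining, a one-line comment does it better, e.g. `# tags are passed as base64(JSON) because "," and "=" are separators in helm --set values`.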
@@ -25,10 +28,21 @@ locals { "oci-onm-logan.fluentd.baseDir" = var.fluentd_base_dir_path "oci-onm-logan.ociLAClusterEntityID" = var.oci_la_cluster_entity_ocid + # discovery + "oci-onm-logan.k8sDiscovery.infra.enable_service_log" = var.enable_service_log + "oci-onm-logan.k8sDiscovery.infra.oci_tags_base64" = base64encode(jsonencode(var.tags)) + # Note - we do not support probe all compartment input via stack + # oci-onm-mgmt-agent "oci-onm-mgmt-agent.mgmtagent.installKeyFileContent" = var.mgmt_agent_install_key_content "oci-onm-mgmt-agent.deployMetricServer" = var.opt_deploy_metric_server } + + helm_input_domain = var.oci_domain == null ? {} : { "oci-onm-logan.ociDomain" = var.oci_domain } + discovery_la_endpoint = var.LOGAN_ENDPOINT == null ? {} : { "oci-onm-logan.ociLAEndpoint" = "${var.LOGAN_ENDPOINT}" } + fluentd_la_endpoint = var.LOGAN_ENDPOINT == null ? {} : { "oci-onm-logan.fluentd.ociLoggingAnalyticsOutputPlugin.endpoint" = "${var.LOGAN_ENDPOINT}" } + + helm_inputs = merge(local.helm_inputs_base, local.helm_input_domain, local.discovery_la_endpoint, local.fluentd_la_endpoint) } # Create helm release @@ -42,8 +56,6 @@ resource "helm_release" "oci-kubernetes-monitoring" { cleanup_on_fail = true atomic = true - values = var.deploy_mushop_config ? ["${file("${path.module}/mushop_values.yaml")}"] : null - dynamic "set" { for_each = local.helm_inputs content { @@ -52,13 +64,13 @@ resource "helm_release" "oci-kubernetes-monitoring" { } } - dynamic "set" { - for_each = var.oci_domain == null ? {} : { "oci-onm-logan.ociDomain" = var.oci_domain } - content { - name = set.key - value = set.value - } - } + # To be released in future; if required + # Run Helm Apply every time terraform apply job is executed + # Check if this will pick up the latest helm chart as well + # set { + # name = "HelmApplyOnEveryTerraformApply" + # value = timestamp() + # } count = var.install_helm_chart ? 1 : 0 } 
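Review bot: `"${var.LOGAN_ENDPOINT}"` in `discovery_la_endpoint` and `fluentd_la_endpoint` wraps a single string variable in interpolation for no effect; `terraform fmt` and tflint flag it, and `var.LOGAN_ENDPOINT` reads the same way `var.oci_domain` is used on the line above. Further down, the `@@ -52` hunk in this file replaces the removed `dynamic "set"` block with a commented-out `set { name = "HelmApplyOnEveryTerraformApply" … timestamp() }`; commented-out code belongs in an issue rather than in the resource body. The `# Note - we do not support probe all compartment input via stack` comment would be more useful stating why (presumably because the stack exposes no `tenancy_ocid` input for the chart), so the next reader does not wire it up blindly.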
@@ -73,8 +85,6 @@ data "helm_template" "oci-kubernetes-monitoring" { version = local.version dependency_update = true - values = var.deploy_mushop_config ? ["${file("${path.module}/mushop_values.yaml")}"] : null - dynamic "set" { for_each = local.helm_inputs content { @@ -83,14 +93,6 @@ data "helm_template" "oci-kubernetes-monitoring" { } } - dynamic "set" { - for_each = var.oci_domain == null ? {} : { "oci-onm-logan.ociDomain" = var.oci_domain } - content { - name = set.key - value = set.value - } - } - count = var.generate_helm_template ? 1 : 0 } diff --git a/terraform/modules/helm/mushop_values.yaml b/terraform/modules/helm/mushop_values.yaml deleted file mode 100644 index 9be4643..0000000 --- a/terraform/modules/helm/mushop_values.yaml +++ /dev/null 
@@ -1,61 +0,0 @@ -# Copyright (c) 2023, 2024, Oracle and/or its affiliates. -# Licensed under the Universal Permissive License v1.0 as shown at https://oss.oracle.com/licenses/upl. -oci-onm-common: - fluentd: - customLogs: - mushop-orders: - path: /var/log/containers/mushop-orders-*.log - ociLALogSourceName: "mushop-orders-app" - multilineStartRegExp: /^\d{4}-\d{2}-\d{2}\s*\d{2}:\d{2}:\d{2}.\d{3}/ - isContainerLog: true - mushop-api: - path: /var/log/containers/mushop-api-*.log - ociLALogSourceName: "mushop api logs" - multilineStartRegExp: /^::\w{4}:\d{2}.\d{3}.\d{1}.\d{1}\s*-\s*-\s*\[\d{2}\/\w{3}\/\d{4}:\d{2}:\d{2}:\d{2}\s*\+\d{4}\]/ - isContainerLog: true - mushop-assets: - path: /var/log/containers/mushop-assets-*.log - ociLALogSourceName: "mushop-assets logs" - isContainerLog: true - mushop-carts: - path: /var/log/containers/mushop-carts-*.log - ociLALogSourceName: "mushop-carts logs" - multilineStartRegExp: /^\w+\s*\d{2}\,\s*\d{4}\s\d{1,2}:\d{2}:\d{2}/ - isContainerLog: true - mushop-catalogue: - path: /var/log/containers/mushop-catalogue-*.log - ociLALogSourceName: "mushop-catalogue logs" - isContainerLog: true - mushop-edge: - path: /var/log/containers/mushop-edge-*.log - ociLALogSourceName: "mushop-edge logs" - isContainerLog: true - mushop-nats: - path: /var/log/containers/mushop-nats-*.log - ociLALogSourceName: "mushop-nats logs" - isContainerLog: true - mushop-payment: - path: /var/log/containers/mushop-payment-*.log - ociLALogSourceName: "mushop-payment logs" - isContainerLog: true - mushop-session: - path: /var/log/containers/mushop-session-*.log - ociLALogSourceName: "mushop-session logs" - multilineStartRegExp: /^\d+:\w\s*\d{2}\s*\w{3}\s*\d{4}\s*\d{2}:\d{2}:\d{2}.\d{3}/ - isContainerLog: true - mushop-storefront: - path: /var/log/containers/mushop-storefront-*.log - ociLALogSourceName: "mushop-storefront logs" - isContainerLog: true - mushop-user: - path: /var/log/containers/mushop-user-*.log - ociLALogSourceName: "mushop-user logs" - 
isContainerLog: true - mushop-utils: - path: /var/log/containers/mushop-utils-*.log - ociLALogSourceName: "mushop-utils-ingress-nginx-controller logs" - isContainerLog: true - wordpress-access: - path: /var/log/containers/wordpress-*.log - ociLALogSourceName: "WordPress Access Logs" - isContainerLog: true \ No newline at end of file diff --git a/terraform/modules/iam/iam-inputs.tf b/terraform/modules/iam/iam-inputs.tf index 4c1661d..dba1509 100644 --- a/terraform/modules/iam/iam-inputs.tf +++ b/terraform/modules/iam/iam-inputs.tf @@ -21,6 +21,16 @@ variable "oke_cluster_ocid" { type = string } +# OCI Logging Analytics LogGroup OCID +variable "oci_la_log_group_ocid" { + type = string +} + +# Create policies for service logs discovery +variable "create_service_discovery_policies" { + type = string +} + # Save data resources in local_file for debug purposes variable "debug" { type = bool diff --git a/terraform/modules/iam/iam.tf b/terraform/modules/iam/iam.tf index 343c0ad..5eeea43 100644 --- a/terraform/modules/iam/iam.tf +++ b/terraform/modules/iam/iam.tf 
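Review bot: `variable "create_service_discovery_policies"` is declared `type = string`, but main.tf in this patch passes it `var.enable_service_log`, a bool, and iam.tf uses it directly as the condition in `var.create_service_discovery_policies ? … : []`; declare it `type = bool` so any value other than true/false is rejected at plan time instead of failing inside the conditional. `variable "oci_la_log_group_ocid"` is declared with no default and no `description`, and none of the iam.tf hunks in this patch read it; either use it or drop it, and in either case give both new variables a one-line `description` as the surrounding variables have comments.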
@@ -9,20 +9,77 @@ locals { dynamic_group_desc = "Auto generated by Resource Manager Stack - oci-kubernetes-monitoring. Required for monitoring OKE Cluster - ${var.oke_cluster_ocid}" instances_in_compartment_rule = ["ALL {instance.compartment.id = '${var.oke_compartment_ocid}'}"] management_agent_rule = ["ALL {resource.type='managementagent', resource.compartment.id='${var.oci_onm_compartment_ocid}'}"] - dynamic_group_matching_rules = concat(local.instances_in_compartment_rule, local.management_agent_rule) + service_connector_rule = [] #["ALL {resource.type='serviceconnector', resource.compartment.id='${var.oci_onm_compartment_ocid}'}"] + dynamic_group_matching_rules = concat(local.instances_in_compartment_rule, local.management_agent_rule, local.service_connector_rule) complied_dynamic_group_rules = "ANY {${join(",", local.dynamic_group_matching_rules)}}" defined_namespaces = join(",", [for namespace in module.tag_namespaces.namespaces : "target.tag-namespace.name='${namespace}'"]) - tags_policy_where_clause = length(var.tags.definedTags) == 0 ? "" : " where any {${local.defined_namespaces}}" + tags_policy_where_clause = length(var.tags.definedTags) == 0 ? "" : "where any {${local.defined_namespaces}}" # Policy - policy_name = "oci-kubernetes-monitoring-${local.cluster_ocid_md5}" - policy_scope = var.root_compartment_ocid == var.oci_onm_compartment_ocid ? "tenancy" : "compartment id ${var.oci_onm_compartment_ocid}" - policy_desc = "Auto generated by Resource Manager Stack - oci-kubernetes-monitoring. Allows Fluentd and MgmtAgent Pods running inside Kubernetes Cluster to send the data to OCI Logging Analytics and OCI Monitoring respectively." 
- mgmt_agent_stmt = ["Allow dynamic-group ${local.dynamic_group_name} to use METRICS in ${local.policy_scope} WHERE target.metrics.namespace = 'mgmtagent_kubernetes_metrics'"] - fluentd_agent_stmt = ["Allow dynamic-group ${local.dynamic_group_name} to {LOG_ANALYTICS_LOG_GROUP_UPLOAD_LOGS} in ${local.policy_scope}"] - discovery_api_stmt = ["Allow dynamic-group ${local.dynamic_group_name} to {LOG_ANALYTICS_DISCOVERY_UPLOAD} in tenancy"] - tag_namespace_stmt = ["Allow dynamic-group ${local.dynamic_group_name} to use tag-namespaces in tenancy${local.tags_policy_where_clause}"] - compiled_policy_statements = concat(local.fluentd_agent_stmt, local.mgmt_agent_stmt, local.tag_namespace_stmt, local.discovery_api_stmt) + policy_name = "oci-kubernetes-monitoring-${local.cluster_ocid_md5}" + policy_desc = "Auto generated by Resource Manager Stack - oci-kubernetes-monitoring. Allows Fluentd and MgmtAgent Pods running inside Kubernetes Cluster to send the data to OCI Logging Analytics and OCI Monitoring respectively." + + onm_compartment_scope = var.root_compartment_ocid == var.oci_onm_compartment_ocid ? "tenancy" : "compartment id ${var.oci_onm_compartment_ocid}" + oke_compartment_scope = var.root_compartment_ocid == var.oke_compartment_ocid ? 
"tenancy" : "compartment id ${var.oke_compartment_ocid}" + + # Conditions: https://docs.oracle.com/en-us/iaas/Content/Identity/policysyntax/conditions.htm#top + # https://docs.public.oneportal.content.oci.oraclecloud.com/en-us/iaas/Content/Identity/policyreference/policyreference_topic-General_Variables_for_All_Requests.htm + # service_connector_where_clause = "where all {request.principal.type='serviceconnector', target.resource.compartment.id='${local.onm_compartment_scope}'}" + + policy_stmts = { + metric_upload = ["Allow dynamic-group ${local.dynamic_group_name} to use METRICS in ${local.onm_compartment_scope} WHERE target.metrics.namespace = 'mgmtagent_kubernetes_metrics'"], + log_upload = ["Allow dynamic-group ${local.dynamic_group_name} to {LOG_ANALYTICS_LOG_GROUP_UPLOAD_LOGS} in ${local.onm_compartment_scope}"], + discovery_api = ["Allow dynamic-group ${local.dynamic_group_name} to {LOG_ANALYTICS_DISCOVERY_UPLOAD} in tenancy"], + tag_namespace = ["Allow dynamic-group ${local.dynamic_group_name} to use tag-namespaces in tenancy ${local.tags_policy_where_clause}"] + infra_discovery_stmt = [ + # Allows log analytics service to query OKE infra resources + "Allow service loganalytics to {VCN_READ,SUBNET_READ,LOAD_BALANCER_READ} in ${local.oke_compartment_scope}", + # "Allow dynamic-group ${local.dynamic_group_name} to inspect compartments in tenancy", + # https://docs.oracle.com/en-us/iaas/Content/Identity/Reference/contengpolicyreference.htm + "Allow dynamic-group ${local.dynamic_group_name} to read clusters in tenancy where target.cluster.id=${var.oke_cluster_ocid}", + "Allow dynamic-group ${local.dynamic_group_name} to read cluster-node-pools in ${local.oke_compartment_scope}", + # https://docs.oracle.com/en-us/iaas/Content/Identity/Reference/corepolicyreference.htm + # Note: Customers will need to create additional policies to support VCN and subnets in non-OKE compartments + "Allow dynamic-group ${local.dynamic_group_name} to inspect vcns in 
${local.oke_compartment_scope}", + "Allow dynamic-group ${local.dynamic_group_name} to inspect subnets in ${local.oke_compartment_scope}", + "Allow dynamic-group ${local.dynamic_group_name} to read load-balancers in ${local.oke_compartment_scope}" + ], + # Note: + # In Order to read data from an existing log-group (which can we part of any compartment), + # We must allow read access in, at least, both ONM and OKE compartments + # Compartment of Logging LogGroup is not known at the time of policy creation via stack + # We assume that Logging Log Groups are only created in either OKE or ONM compartments + service_discovery_stmt = var.create_service_discovery_policies ? distinct([ + # Required to trigger service discovery + "Allow dynamic-group ${local.dynamic_group_name} to read loganalytics-entity in ${local.onm_compartment_scope}", + + # Required to create logging log-group + "Allow dynamic-group ${local.dynamic_group_name} to manage log-groups in ${local.onm_compartment_scope}", + # Use is sufficient in case log-group us already created and part of OKE compartment + "Allow dynamic-group ${local.dynamic_group_name} to use log-groups in ${local.oke_compartment_scope}", + + # Required for RMS resources + "Allow dynamic-group ${local.dynamic_group_name} to manage orm-stacks in ${local.onm_compartment_scope}", + "Allow dynamic-group ${local.dynamic_group_name} to manage orm-jobs in ${local.onm_compartment_scope}", + + # Required to create enable logging + "Allow dynamic-group ${local.dynamic_group_name} to {SUBNET_UPDATE} in ${local.onm_compartment_scope}", + "Allow dynamic-group ${local.dynamic_group_name} to {SUBNET_UPDATE} in ${local.oke_compartment_scope}", + "Allow dynamic-group ${local.dynamic_group_name} to use load-balancers in ${local.onm_compartment_scope}", + "Allow dynamic-group ${local.dynamic_group_name} to use load-balancers in ${local.oke_compartment_scope}", + + # Required to create service connector + "Allow dynamic-group ${local.dynamic_group_name} 
to manage serviceconnectors in ${local.onm_compartment_scope}", + "Allow dynamic-group ${local.dynamic_group_name} to read log-content in ${local.onm_compartment_scope}", + "Allow dynamic-group ${local.dynamic_group_name} to read log-content in ${local.oke_compartment_scope}", + + # Required configure service connector + # https://docs.oracle.com/en-us/iaas/Content/Identity/Reference/lbpolicyreference.htm + "Allow any-user to {LOG_ANALYTICS_LOG_GROUP_UPLOAD_LOGS} in ${local.onm_compartment_scope} where all {request.principal.type='serviceconnector', request.principal.compartment.id='${var.oci_onm_compartment_ocid}'}" + ]) : [] + } + + combined_policy_statements = distinct(flatten([for policy, stmt in local.policy_stmts : stmt])) } # https://docs.oracle.com/en-us/iaas/api/#/en/identity/20160918/DynamicGroup/ @@ -46,7 +103,7 @@ resource "oci_identity_policy" "oke_monitoring_policy" { name = local.policy_name description = local.policy_desc compartment_id = var.root_compartment_ocid - statements = local.compiled_policy_statements + statements = local.combined_policy_statements #tags defined_tags = var.tags.definedTags @@ -63,5 +120,4 @@ resource "oci_identity_policy" "oke_monitoring_policy" { module "tag_namespaces" { source = "./parse_namespaces" definedTags = var.tags.definedTags -} - +} \ No newline at end of file diff --git a/terraform/modules/livelab/inputs.tf b/terraform/modules/livelab/inputs.tf deleted file mode 100644 index 856e421..0000000 --- a/terraform/modules/livelab/inputs.tf +++ /dev/null @@ -1,12 +0,0 @@ -# Copyright (c) 2023, 2024, Oracle and/or its affiliates. -# Licensed under the Universal Permissive License v1.0 as shown at https://oss.oracle.com/licenses/upl. - -# OCID of user running the marketplace app / Resource Manager stack -variable "current_user_ocid" { - type = string -} - -variable "debug" { - type = bool - default = false -} \ No newline at end of file 
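Review bot: The new statement `… to read clusters in tenancy where target.cluster.id=${var.oke_cluster_ocid}` leaves the OCID unquoted, whereas every other condition value in this file (`instance.compartment.id = '${var.oke_compartment_ocid}'`, and the `request.principal.compartment.id='…'` clause added further down) is single-quoted as OCI policy syntax requires; write it as `"Allow dynamic-group ${local.dynamic_group_name} to read clusters in tenancy where target.cluster.id='${var.oke_cluster_ocid}'"` or expect the policy create to be rejected. The `service_discovery_stmt` grants (`manage orm-stacks`, `manage orm-jobs`, `manage serviceconnectors`, `manage log-groups`, `{SUBNET_UPDATE}`) are issued in `onm_compartment_scope`, which becomes `tenancy` when the ONM compartment is the root compartment, and the dynamic group still matches every instance in the OKE compartment via `instances_in_compartment_rule`, not only this cluster's nodes; that widening deserves a comment here, a sentence in the `enable_service_log` description, and where the job's needs are known, the specific permission set instead of `manage`, as the file already does for `{SUBNET_UPDATE}` and `{LOG_ANALYTICS_DISCOVERY_UPLOAD}`. `infra_discovery_stmt` is not gated by `var.create_service_discovery_policies`, so the `inspect vcns`/`inspect subnets`/`read load-balancers` grants and the `Allow service loganalytics …` statement are created even when service log collection is off; if they exist only for this feature, gate them the same way. The `service_connector_rule = [] #[…]` line and the commented `service_connector_where_clause` are dead code, and the comments have two typos ("which can we part" → "which can be part", "log-group us already" → "log-group is already").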
diff --git a/terraform/modules/livelab/livelab.tf b/terraform/modules/livelab/livelab.tf deleted file mode 100644 index e3c73e3..0000000 --- a/terraform/modules/livelab/livelab.tf +++ /dev/null @@ -1,13 +0,0 @@ -# Copyright (c) 2023, 2024, Oracle and/or its affiliates. -# Licensed under the Universal Permissive License v1.0 as shown at https://oss.oracle.com/licenses/upl. - -locals { - oci_username = data.oci_identity_user.livelab_user.name - livelab_res_num = trimprefix(trimsuffix(lower(local.oci_username), "-user"), "ll") - livelab_reservationId = "resr${local.livelab_res_num}" - livelab_fluentd_base_dir_path = "/var/log/${local.livelab_reservationId}" -} - -data "oci_identity_user" "livelab_user" { - user_id = var.current_user_ocid -} \ No newline at end of file diff --git a/terraform/modules/livelab/outputs.tf b/terraform/modules/livelab/outputs.tf deleted file mode 100644 index aacb036..0000000 --- a/terraform/modules/livelab/outputs.tf +++ /dev/null @@ -1,10 +0,0 @@ -# Copyright (c) 2023, 2024, Oracle and/or its affiliates. -# Licensed under the Universal Permissive License v1.0 as shown at https://oss.oracle.com/licenses/upl. - -output "service_account" { - value = local.livelab_reservationId -} - -output "fluentd_base_dir_path" { - value = local.livelab_fluentd_base_dir_path -} \ No newline at end of file diff --git a/terraform/modules/livelab/provider.tf b/terraform/modules/livelab/provider.tf deleted file mode 100644 index 72a223c..0000000 --- a/terraform/modules/livelab/provider.tf +++ /dev/null @@ -1,12 +0,0 @@ -# Copyright (c) 2023, 2024, Oracle and/or its affiliates. -# Licensed under the Universal Permissive License v1.0 as shown at https://oss.oracle.com/licenses/upl. - -terraform { - required_version = ">= 1.2" - required_providers { - oci = { - source = "oracle/oci" - version = "~> 5.46" - } - } -} \ No newline at end of file diff --git a/terraform/modules/main/main-inputs.tf b/terraform/modules/main/main-inputs.tf index d1e1345..5e75564 100644 
--- a/terraform/modules/main/main-inputs.tf +++ b/terraform/modules/main/main-inputs.tf @@ -166,10 +166,22 @@ variable "log_group_ocid" { type = string } +# Enable service logs collection for OKE infra components +variable "enable_service_log" { + type = bool + default = false +} + #### ## Developer Options #### +variable "LOGAN_ENDPOINT" { + description = "Logging Analytics Endpoint." + type = string + default = null +} + # Save data resources in local_file for debug purposes variable "debug" { type = bool diff --git a/terraform/modules/main/main.tf b/terraform/modules/main/main.tf index 68a4491..22325ff 100644 --- a/terraform/modules/main/main.tf +++ b/terraform/modules/main/main.tf @@ -59,11 +59,13 @@ module "iam" { source = "../iam" count = local.module_controls_enable_iam_module ? 1 : 0 - root_compartment_ocid = var.tenancy_ocid - oci_onm_compartment_ocid = var.oci_onm_compartment_ocid - oke_compartment_ocid = var.oke_compartment_ocid - oke_cluster_ocid = var.oke_cluster_ocid - tags = var.tags + root_compartment_ocid = var.tenancy_ocid + oci_onm_compartment_ocid = var.oci_onm_compartment_ocid + oke_compartment_ocid = var.oke_compartment_ocid + oke_cluster_ocid = var.oke_cluster_ocid + create_service_discovery_policies = var.enable_service_log + oci_la_log_group_ocid = module.logan[0].log_group_ocid + tags = var.tags providers = { oci = oci.home_region @@ -112,8 +114,6 @@ module "helm_release" { generate_helm_template = var.toggle_generate_helm_template debug = var.debug - deploy_mushop_config = false #var.livelab_switch - # helm command local_helm_chart = local.local_helm_path helm_chart_version = var.helm_chart_version @@ -129,6 +129,9 @@ module "helm_release" { opt_deploy_metric_server = var.opt_deploy_metric_server fluentd_base_dir_path = var.fluentd_base_dir_path oci_domain = var.oci_domain + enable_service_log = var.enable_service_log + LOGAN_ENDPOINT = var.LOGAN_ENDPOINT + tags = var.tags } # Import Kubernetes Dashboards 
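Review bot: `oci_la_log_group_ocid = module.logan[0].log_group_ocid` hard-indexes a module instance; the iam module is itself gated by `local.module_controls_enable_iam_module`, and if `module.logan` can be instantiated with `count = 0` under some `stack_deployment_option` (its count expression is not in this patch) the plan fails on the index rather than with a readable error. `one(module.logan[*].log_group_ocid)` avoids the hard index, though the iam variable would then need to tolerate a null value. `create_service_discovery_policies = var.enable_service_log` passes a bool into an input declared `type = string` in iam-inputs.tf; fixing that declaration to `bool` makes this line type-clean.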
diff --git a/terraform/oke/schema.yaml b/terraform/oke/schema.yaml index 2d1bef8..f870cf4 100644 --- a/terraform/oke/schema.yaml +++ b/terraform/oke/schema.yaml @@ -33,10 +33,15 @@ variableGroups: - ${toggle_use_local_helm_chart} visible: false + - title: Dev configuration [ DO NOT USE IN PRODUCTION ] + variables: + - ${CLIENT_HOST_OVERRIDES} + - ${LOGAN_ENDPOINT} + visible: false + # These variables are utilized for QA validation and testing. They are not meant to be used in production. - title: "hidden dev inputs" variables: - - ${CLIENT_HOST_OVERRIDES} - ${debug} visible: false @@ -65,6 +70,7 @@ variableGroups: variables: - ${show_advanced_options} - ${stack_deployment_option} + - ${enable_service_log} - ${opt_deploy_metric_server} - ${helm_chart_version} - ${fluentd_base_dir_path} @@ -75,6 +81,22 @@ variableGroups: variables: + #### [Section] + ## Dev configuration [ DO NOT USE IN PRODUCTION ] + #### + + # Override terraform provider endpoint + CLIENT_HOST_OVERRIDES: + type: string + title: CLIENT_HOST_OVERRIDES [ Do not use in Production ] + # default: add default values here for env override + + # Override logan endpoint for discovery and fluentd collection + LOGAN_ENDPOINT: + type: string + title: Logging Analytics Endpoint. [ Do not use in Production ] + # default: add default values here for env override + #### [Section] ## Select an OKE cluster deployed in this region to start monitoring #### @@ -248,6 +270,16 @@ variables: and: - ${show_advanced_options} + # Option to enable/disable service logs collection for OKE infra components + enable_service_log: + type: boolean + title: Enable service logs collection + description: Clear this check box if do not want to collect logs from OKE infra components + default: false + visible: + and: + - ${show_advanced_options} + helm_chart_version: type: string maxLength: 15 diff --git a/terraform/oke/stack-inputs.tf b/terraform/oke/stack-inputs.tf index b6f2a29..d4eb2f5 100644 --- a/terraform/oke/stack-inputs.tf 
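Review bot: The `enable_service_log` description, `Clear this check box if do not want to collect logs from OKE infra components`, is missing a word and, more importantly, does not tell the user that checking the box also adds IAM policy statements for the cluster's dynamic group (Resource Manager, Service Connector, Logging, subnet update, per iam.tf in this patch) and lets the discovery job create those OCI resources. Suggested text: `description: Clear this check box if you do not want to collect logs from OKE infra components. Enabling it adds IAM policy statements (Resource Manager, Service Connector, Logging) for the cluster's dynamic group and creates those resources in the ONM compartment.`. The `Dev configuration [ DO NOT USE IN PRODUCTION ]` group is hidden with `visible: false`, but `CLIENT_HOST_OVERRIDES` and `LOGAN_ENDPOINT` carry no `pattern`; constraining `LOGAN_ENDPOINT` to an `https://` URL here matches the validation that belongs on the Terraform variable.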
+++ b/terraform/oke/stack-inputs.tf @@ -198,6 +198,12 @@ variable "stack_deployment_option" { default = "Full" } +# Enable service logs collection for OKE infra components +variable "enable_service_log" { + type = bool + default = false +} + # Helm Chart version to deploy variable "helm_chart_version" { type = string @@ -241,13 +247,19 @@ variable "template_id" { variable "toggle_use_local_helm_chart" { type = string - default = false + default = true # #DO-NOT-MERGE: change to false before merging to master } # Ref - https://confluence.oci.oraclecorp.com/display/TERSI/FAQs#FAQs-Q.HowdoItestonPre-ProdenvironmentORHowdoImakeTerraformproviderpointtocustomControlPlane(CP)endpoint variable "CLIENT_HOST_OVERRIDES" { - description = "The client host overrides for the terraform provider with Object Storage endpoint overridden." + description = "The client host overrides for the terraform provider." + type = string + default = null +} + +variable "LOGAN_ENDPOINT" { + description = "Logging Analytics Endpoint." type = string default = null } diff --git a/terraform/oke/stack.tf b/terraform/oke/stack.tf index 11c8cef..25b0bd9 100644 --- a/terraform/oke/stack.tf +++ b/terraform/oke/stack.tf @@ -131,6 +131,8 @@ module "main" { path_to_local_onm_helm_chart = "${path.module}/charts/oci-onm/" oci_domain = local.oci_domain toggle_use_local_helm_chart = var.toggle_use_local_helm_chart + enable_service_log = var.enable_service_log + LOGAN_ENDPOINT = var.LOGAN_ENDPOINT # As two sets of OCI providers are required in child module (main), we must pass all providers explicitly # Ref - https://developer.hashicorp.com/terraform/language/modules/develop/providers#passing-providers-explicitly @@ -142,4 +144,4 @@ module "main" { } depends_on = [time_sleep.wait] -} +} \ No newline at end of file diff --git a/terraform/oke/version.auto.tfvars b/terraform/oke/version.auto.tfvars index d514ce9..6fe185b 100644 --- a/terraform/oke/version.auto.tfvars +++ b/terraform/oke/version.auto.tfvars 
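Review bot: `default = true # #DO-NOT-MERGE: change to false before merging to master` on `toggle_use_local_helm_chart` is still in the patch, so a stack built from this commit deploys the bundled local chart instead of the released one; revert it to `default = false` before merge. A build-time grep for `DO-NOT-MERGE` in util/build_stack.sh would catch this class of slip mechanically. The variable also remains `type = string` with a boolean default; `type = bool` would let Terraform reject anything but true/false.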
@@ -4,4 +4,4 @@ # The "template_id" is only to identity the version of template in a particular production region. # This version does not control the version of the template to be used by the stack. # TODO: This must be incremented with every release of stack to OCI RMS template. -template_id = "0008" \ No newline at end of file +template_id = "2.2.0" \ No newline at end of file diff --git a/util/build_stack.sh b/util/build_stack.sh index 2c5ad90..d3a9a32 100755 --- a/util/build_stack.sh +++ b/util/build_stack.sh @@ -28,7 +28,7 @@ function abspath { pwd } -# define directoriews +# define dir UTIL_DIR=$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" &>/dev/null && pwd) ROOT_DIR="$UTIL_DIR/.." ROOT_DIR=$(abspath "$ROOT_DIR") # Convert to absolute path @@ -47,29 +47,25 @@ MODULES_SYMLINK="$STACK_BUILD_PATH/modules" # Usage Instructions usage=" -$(basename "$0") [-h][-n name][-l][-d][-s][-b] -- program to build OCI RMS stack zip file using oracle-quickstart/oci-kubernetes-monitoring repo. +$(basename "$0") [-h][-n name][-d][-s][-b] -- program to build OCI RMS stack zip file using oracle-quickstart/oci-kubernetes-monitoring repo. where: -h show this help text -n name of output zip file without extention (Optional) - -l flag to generate livelab build; otherwise oke build is generated -d flag to generate dev build; contains local helm chart -s flag to turn-off output; only final build file path is printed to stdout -b flag to generate additional base64 string of stack The zip artifacts shall be stored at - - $RELEASE_PATH" + $RELEASE_PATH" # Parse inputs -while getopts "hn:ldsb" option; do +while getopts "hn:dsb" option; do case $option in h) # display Help echo "$usage" exit ;; - l) #livelab-build - LIVE_LAB_BUILD=true - ;; n) release_name=$OPTARG ;; 
@@ -95,11 +91,7 @@ done # Decide on final zip name if test -z "${release_name}"; then - if [ -n "$LIVE_LAB_BUILD" ]; then - PREFIX="livelab"; - else - PREFIX="oke"; - fi + PREFIX="oke"; if [ -n "$INCLUDE_LOCAL_HELM" ]; then HELM_MODE="local-helm" @@ -108,6 +100,8 @@ if test -z "${release_name}"; then fi BRANCH=$(git symbolic-ref --short HEAD) + # replace / in branch names; required for zip step further + BRANCH=$(echo "$BRANCH" | sed 's/\//_/g') COMMIT_HASH_SHORT=$(git rev-parse --short HEAD) COMMIT_COUNT=$(git rev-list --count HEAD) @@ -124,9 +118,6 @@ if [ -n "$INCLUDE_LOCAL_HELM" ]; then else log "\t-d option NOT passed - local helm-chart files will NOT be part of stack zip" fi -if [ -n "$LIVE_LAB_BUILD" ]; then - log "\t-l option passed - livelab specific zip will be created" -fi # Start log "\nBuilding -\n" @@ -155,7 +146,7 @@ log "Created git archive - $BUILD_ZIP" # Unzip the temp.zip file unzip -d "$BUILD_DIR" "$BUILD_ZIP" >/dev/null || error_and_exit "ERROR: unzip -d $BUILD_DIR $BUILD_ZIP" log "Unzipped git archive - $BUILD_DIR" - + # Remove the helm-chart symlink rm "$HELM_SYMLINK" || error_and_exit "ERROR: rm $HELM_SYMLINK" log "Removed helm-chart symlink - $HELM_SYMLINK" @@ -177,12 +168,6 @@ log "Copied terraform modules at - $STACK_BUILD_PATH" # Switch back to stack dir cd "$STACK_BUILD_PATH" || error_and_exit "ERROR: cd $STACK_BUILD_PATH" -# Update livelab switch input to true -if [ -n "$LIVE_LAB_BUILD" ]; then - sed "s/false/true/g" -i livelab_switch.tf || error_and_exit "ERROR: sed \"s/false/true/g\" -i livelab_switch.tf" - log "Enabled livelab switch in $STACK_BUILD_PATH/livelab_switch.tf" -fi - # Create final stack zip zip -r "${RELEASE_ZIP}" . >/dev/null || error_and_exit "ERROR: zip -r ${RELEASE_ZIP} ."
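Review bot: `BRANCH=$(echo "$BRANCH" | sed 's/\//_/g')` spawns two processes for a substitution bash can do natively; `BRANCH=${BRANCH//\//_}` does the same and avoids the quoting of `/` inside the sed pattern. The comment above it, `# replace / in branch names; required for zip step further`, would be clearer as `# replace "/" in branch names so the value is usable in the zip file name below`. The preceding `git symbolic-ref --short HEAD` (unchanged by this hunk) presumably fails on a detached HEAD and leaves `BRANCH` empty, so the substitution then runs on an empty string; whether that is handled depends on the `if test -z "${release_name}"` block, which starts outside the hunk.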
