Merge pull request #4 from oracle-quickstart/bugfix/autoscaler-nsg

streamnsight · web-flow · commit cf0e1f93f392 · 2023-03-16T11:52:26.000-07:00
bugfix + update
diff --git a/helm_cert_manager.tf b/helm_cert_manager.tf
@@ -30,6 +30,7 @@ resource "helm_release" "cert_manager" {
   }
   depends_on = [
     data.oci_containerengine_cluster_kube_config.oke,
-    oci_containerengine_cluster.oci_oke_cluster
+    oci_containerengine_cluster.oci_oke_cluster,
+    oci_containerengine_node_pool.oci_oke_node_pool,
   ]
 }
diff --git a/helm_metrics.tf b/helm_metrics.tf
@@ -15,8 +15,8 @@ resource "helm_release" "metrics_server" {
   wait       = false
 
   set {
-    name  = "replicas"
-    value = "3"
+    name  = "addonResizer.enabled"
+    value = "true"
   }
   depends_on = [
     data.oci_containerengine_cluster_kube_config.oke,
diff --git a/k8s_autoscaler.tf b/k8s_autoscaler.tf
@@ -17,7 +17,7 @@ locals {
   k8s_minor_version                                   = regex("^\\d+", replace(local.kubernetes_version, "v1.", ""))
 }
 
-resource "kubernetes_service_account" "cluster_autoscaler_sa" {
+resource "kubernetes_service_account_v1" "cluster_autoscaler_sa" {
   count = local.cluster_autoscaler_enabled ? 1 : 0
 
   metadata {
@@ -48,7 +48,7 @@ resource "kubernetes_secret" "cluster_autoscaler_sa_token" {
   type = "kubernetes.io/service-account-token"
 
   depends_on = [
-    kubernetes_service_account.cluster_autoscaler_sa,
+    kubernetes_service_account_v1.cluster_autoscaler_sa,
   oci_containerengine_node_pool.oci_oke_node_pool]
 }
 
@@ -304,6 +304,14 @@ resource "kubernetes_deployment" "cluster_autoscaler_deployment" {
     oci_containerengine_node_pool.oci_oke_node_pool,
     helm_release.metrics_server
   ]
+
+  lifecycle {
+    ignore_changes = [
+      spec[0].template[0].spec[0].container[0].env
+    ]
+  }
+
+
 }
 
 resource "kubernetes_pod_disruption_budget_v1" "core_dns_pod_disruption_budget" {
diff --git a/policies.tf b/policies.tf
@@ -1,7 +1,7 @@
 ## Copyright © 2022, Oracle and/or its affiliates. 
 ## All rights reserved. The Universal Permissive License (UPL), Version 1.0 as shown at http://oss.oracle.com/licenses/upl
 
-# Cluster dynamic group policy needed for nodes to access the encryption key if it was defined
+# Policy needed for nodes to access the encryption key if it was defined
 resource "oci_identity_policy" "oke_key_access_policy" {
   count = (var.enable_secret_encryption && var.secrets_key_id != null) || (var.enable_image_validation && var.image_validation_key_id != null) ? 1 : 0
   #Required
@@ -13,6 +13,22 @@ resource "oci_identity_policy" "oke_key_access_policy" {
     var.enable_image_validation && var.image_validation_key_id != null ? "Allow any-user to use keys in tenancy where ALL {request.principal.type = 'cluster', target.key.id='${var.image_validation_key_id}'}" : ""
   ])
 }
+locals {
+  nsg_name = "cluster_${random_string.deploy_id.result}"
+}
+
+resource "oci_identity_network_source" "node_pool_network_source" {
+  provider       = oci.home_region
+  #Required
+  compartment_id = var.tenancy_ocid
+  description    = "NSG for ${local.nsg_name} autoscaler"
+  name           = local.nsg_name
+
+  virtual_source_list {
+    vcn_id    = var.use_existing_vcn ? var.vcn_id : oci_core_vcn.oke_vcn[0].id
+    ip_ranges = local.node_pool_subnets_cidrs
+  }
+}
 
 resource "oci_identity_policy" "autoscaler_policy" {
   count = (var.np1_enable_autoscaler || var.np2_enable_autoscaler || var.np3_enable_autoscaler) ? 1 : 0
@@ -22,12 +38,12 @@ resource "oci_identity_policy" "autoscaler_policy" {
   name           = "cluster_autoscaler_${random_string.deploy_id.result}"
   provider       = oci.home_region
   statements = compact([
-    "Allow any-user to manage cluster-node-pools in compartment id ${var.cluster_compartment_id} where ALL {request.principal.type = 'cluster', request.principal.id = ${oci_containerengine_cluster.oci_oke_cluster.id}}",
-    "Allow any-user to manage instance-family in compartment id ${var.cluster_compartment_id} where ALL {request.principal.type = 'cluster', request.principal.id = ${oci_containerengine_cluster.oci_oke_cluster.id}}",
-    "Allow any-user to use subnets in compartment id ${var.vcn_compartment_id} where ALL {request.principal.type = 'cluster', request.principal.id = ${oci_containerengine_cluster.oci_oke_cluster.id}}",
-    "Allow any-user to read virtual-network-family in compartment id ${var.vcn_compartment_id} where ALL {request.principal.type = 'cluster', request.principal.id = ${oci_containerengine_cluster.oci_oke_cluster.id}}",
-    "Allow any-user to use vnics in compartment id ${var.vcn_compartment_id} where ALL {request.principal.type = 'cluster', request.principal.id = ${oci_containerengine_cluster.oci_oke_cluster.id}}",
-    "Allow any-user to inspect compartments in compartment id ${var.cluster_compartment_id} where ALL {request.principal.type = 'cluster', request.principal.id = ${oci_containerengine_cluster.oci_oke_cluster.id}}",
-    "Allow any-user to inspect compartments in compartment id ${var.vcn_compartment_id} where ALL {request.principal.type = 'cluster', request.principal.id = ${oci_containerengine_cluster.oci_oke_cluster.id}}"
+    "Allow any-user to manage cluster-node-pools in compartment id ${var.cluster_compartment_id} where ALL {request.networkSource.name='${local.nsg_name}'}",
+    "Allow any-user to manage instance-family in compartment id ${var.cluster_compartment_id}  where ALL {request.networkSource.name='${local.nsg_name}'}",
+    "Allow any-user to use subnets in compartment id ${var.vcn_compartment_id} where ALL {request.networkSource.name='${local.nsg_name}'}",
+    "Allow any-user to read virtual-network-family in compartment id ${var.vcn_compartment_id} where ALL {request.networkSource.name='${local.nsg_name}'}",
+    "Allow any-user to use vnics in compartment id ${var.vcn_compartment_id} where ALL {request.networkSource.name='${local.nsg_name}'}",
+    "Allow any-user to inspect compartments in compartment id ${var.cluster_compartment_id} where ALL {request.networkSource.name='${local.nsg_name}'}",
+    "Allow any-user to inspect compartments in compartment id ${var.vcn_compartment_id} where ALL {request.networkSource.name='${local.nsg_name}'}",
   ])
 }
diff --git a/schema.yaml b/schema.yaml
@@ -272,8 +272,6 @@ variables:
     - "v1.25.4"
     - "v1.24.1"
     - "v1.23.4"
-    - "v1.22.5"
-    - "v1.21.5"
     required: true
     default: "v1.25.4"
     description: The Kubernetes version for the cluster.

Original file line number	Diff line number	Diff line change
`@@ -30,6 +30,7 @@ resource "helm_release" "cert_manager" {`
`30`	`30`	`}`
`31`	`31`	`depends_on = [`
`32`	`32`	`data.oci_containerengine_cluster_kube_config.oke,`
`33`		`- oci_containerengine_cluster.oci_oke_cluster`
	`33`	`+ oci_containerengine_cluster.oci_oke_cluster,`
	`34`	`+ oci_containerengine_node_pool.oci_oke_node_pool,`
`34`	`35`	`]`
`35`	`36`	`}`