added nginx and cert-manager

Author: dranicu

datasources.tf

@@ -19,3 +19,19 @@ data "oci_identity_availability_domains" "ads" {
   compartment_id = var.tenancy_ocid
 }
 
+data "oci_load_balancer_load_balancers" "lbs" {
+
+  compartment_id = coalesce(var.compartment_id, var.compartment_ocid)
+
+  filter {
+    name   = "freeform_tags.state_id"
+    values = [local.state_id]
+  }
+
+  filter {
+    name   = "freeform_tags.application"
+    values = ["nginx"]
+  }
+
+  depends_on = [module.nginx]
+}

helm-deployments.tf

@@ -50,3 +50,92 @@ module "argo-workflows" {
   depends_on = [module.oke]
 }
 
+module "nginx" {
+  count  = var.deploy_nginx ? 1 : 0
+  source = "./helm-module"
+
+  bastion_host    = module.oke.bastion_public_ip
+  bastion_user    = var.bastion_user
+  operator_host   = module.oke.operator_private_ip
+  operator_user   = var.bastion_user
+  ssh_private_key = tls_private_key.stack_key.private_key_openssh
+
+  deploy_from_operator = local.deploy_from_operator
+  deploy_from_local    = local.deploy_from_local
+
+  deployment_name     = "ingress-nginx"
+  helm_chart_name     = "ingress-nginx"
+  namespace           = "nginx"
+  helm_repository_url = "https://kubernetes.github.io/ingress-nginx"
+
+  pre_deployment_commands  = []
+  post_deployment_commands = []
+
+  helm_template_values_override = templatefile(
+    "${path.root}/helm-values-templates/nginx-values.yaml.tpl",
+    {
+      min_bw        = 100,
+      max_bw        = 100,
+      pub_lb_nsg_id = module.oke.pub_lb_nsg_id
+      state_id      = local.state_id
+    }
+  )
+  helm_user_values_override = try(base64decode(var.nginx_user_values_override), var.nginx_user_values_override)
+
+  kube_config = one(data.oci_containerengine_cluster_kube_config.kube_config.*.content)
+  depends_on  = [module.oke]
+}
+
+module "cert-manager" {
+  count  = var.deploy_cert_manager ? 1 : 0
+  source = "./helm-module"
+
+  bastion_host    = module.oke.bastion_public_ip
+  bastion_user    = var.bastion_user
+  operator_host   = module.oke.operator_private_ip
+  operator_user   = var.bastion_user
+  ssh_private_key = tls_private_key.stack_key.private_key_openssh
+
+  deploy_from_operator = local.deploy_from_operator
+  deploy_from_local    = local.deploy_from_local
+
+  deployment_name     = "cert-manager"
+  helm_chart_name     = "cert-manager"
+  namespace           = "cert-manager"
+  helm_repository_url = "https://charts.jetstack.io"
+
+  pre_deployment_commands = []
+  post_deployment_commands = [
+    "cat <<'EOF' | kubectl apply -f -",
+    "apiVersion: cert-manager.io/v1",
+    "kind: ClusterIssuer",
+    "metadata:",
+    "  name: le-clusterissuer",
+    "spec:",
+    "  acme:",
+    "    # You must replace this email address with your own.",
+    "    # Let's Encrypt will use this to contact you about expiring",
+    "    # certificates, and issues related to your account.",
+    "    email: [email protected]",
+    "    server: https://acme-staging-v02.api.letsencrypt.org/directory",
+    "    privateKeySecretRef:",
+    "      # Secret resource that will be used to store the account's private key.",
+    "      name: le-clusterissuer-secret",
+    "    # Add a single challenge solver, HTTP01 using nginx",
+    "    solvers:",
+    "    - http01:",
+    "        ingress:",
+    "          ingressClassName: nginx",
+    "EOF"
+  ]
+
+  helm_template_values_override = templatefile(
+    "${path.root}/helm-values-templates/cert-manager-values.yaml.tpl",
+    {}
+  )
+  helm_user_values_override = try(base64decode(var.cert_manager_user_values_override), var.cert_manager_user_values_override)
+
+  kube_config = one(data.oci_containerengine_cluster_kube_config.kube_config.*.content)
+
+  depends_on = [module.oke]
+}

helm-values-templates/argo-workflows-values.yaml.tpl

@@ -1,3 +1,10 @@
 # List of all argo-workflow helm values https://github.com/argoproj/argo-helm/blob/main/charts/argo-workflows/values.yaml
 crds:
-  install: true
+  install: true
+
+server:
+  ingress:
+    enabled: true
+    ingressClassName: nginx
+    annotations:
+      cert-manager.io/cluster-issuer: "le-clusterissuer"

helm-values-templates/cert-manager-values.yaml.tpl

@@ -0,0 +1,2 @@
+crds:
+  enabled: true

helm-values-templates/nginx-values.yaml.tpl

@@ -0,0 +1,13 @@
+controller:
+  service:
+    targetPorts:
+      http: http
+      https: https
+    annotations:
+      oci.oraclecloud.com/load-balancer-type: "lb"
+      service.beta.kubernetes.io/oci-load-balancer-shape: "flexible"
+      service.beta.kubernetes.io/oci-load-balancer-shape-flex-min: "${min_bw}"
+      service.beta.kubernetes.io/oci-load-balancer-shape-flex-max: "${max_bw}"
+      service.beta.kubernetes.io/oci-load-balancer-security-list-management-mode: "None"
+      oci.oraclecloud.com/oci-network-security-groups: "${pub_lb_nsg_id}"
+      oci.oraclecloud.com/initial-freeform-tags-override: '{"state_id": "${state_id}", "application": "nginx", "role": "service_lb"}'

main.tf

@@ -137,3 +137,10 @@ output "operator" {
 output "ssh_to_operator" {
   value = "%{if var.create_operator_and_bastion}${module.oke.ssh_to_operator}%{else}bastion and operator hosts not created.%{endif}"
 }
+
+output "argo_url" {
+  value = (var.deploy_nginx && var.deploy_argo_workflows && length(coalesce(data.oci_load_balancer_load_balancers.lbs.load_balancers, [])) > 0 ?
+    "https://argo.${data.oci_load_balancer_load_balancers.lbs.load_balancers[0].ip_addresses[0]}.io" :
+    ""
+  )
+}

schema.yaml

@@ -101,6 +101,11 @@ variableGroups:
     visible: true
     variables:
       - deploy_argo_workflows
+      - argo_workflows_values_override
+      - deploy_nginx
+      - nginx_user_values_override
+      - deploy_cert_manager
+      - cert_manager_user_values_override
 
 variables:
   create_iam_resources:
@@ -344,6 +349,32 @@ variables:
     title: Helm | Argo Workflows helm chart values override
     description: Override the values for the <a href="https://github.com/argoproj/argo-helm/blob/main/charts/argo-workflows/values.yaml">Argo Workflows Helm chart</a> .
     visible: ${deploy_argo_workflows}
+  
+  deploy_nginx:
+    type: boolean
+    default: true
+    title: Helm | Deploy Nginx ingress controller
+    description: Nginx ingress controller is used to expose the OKE services to the user.
+    visible: true
+
+  nginx_user_values_override:
+    type: file
+    title: Helm | Nginx Ingress Controller helm chart values override
+    description: Override the values for the <a href="https://github.com/kubernetes/ingress-nginx/blob/main/charts/ingress-nginx/README.md">Nginx Ingress Controller Helm chart</a> .
+    visible: ${deploy_nginx}
+  
+  deploy_cert_manager:
+    type: boolean
+    default: true
+    title: Helm | Deploy Cert-Manager
+    description: Cert-manager is used to generate TLS certificates for the ingress resources.
+    visible: true
+
+  cert_manager_user_values_override:
+    type: file
+    title: Helm | Cert-Manager helm chart values override
+    description: Override the values for the <a href="https://artifacthub.io/packages/helm/cert-manager/cert-manager">Cert-Manager chart</a> .
+    visible: ${deploy_cert_manager}
 
 outputs:
   bastion:

variables.tf

@@ -440,6 +440,7 @@ variable "simple_np_boot_volume_size" {
   description = "The boot volume size for the nodes in the non-GPU kubernetes nodepool."
 }
 
+### Helm chart deployments
 variable "deploy_argo_workflows" {
   type        = bool
   default     = true
@@ -450,4 +451,28 @@ variable "argo_workflows_user_values_override" {
   type        = string
   default     = ""
   description = "User provided values to override the Argo Workflows helm chart defaults and those generated by Terraform using the templates."
+}
+
+variable "deploy_nginx" {
+  type        = bool
+  default     = true
+  description = "Controls the deployment of the nginx helm chart."
+}
+
+variable "nginx_user_values_override" {
+  type        = string
+  default     = ""
+  description = "User provided values to override the Nginx helm chart defaults and those generated by Terraform using the templates."
+}
+
+variable "deploy_cert_manager" {
+  type        = bool
+  default     = true
+  description = "Controls the deployment of the cert-manager helm chart."
+}
+
+variable "cert_manager_user_values_override" {
+  type        = string
+  default     = ""
+  description = "User provided values to override the Cert-Manager helm chart defaults and those generated by Terraform using the templates."
 }