
Commit c03b9d5 (1 parent: 047c046)

Add network diagrams and restructure README.

10 files changed: +431 −396 lines

README.md

Lines changed: 26 additions & 396 deletions
Large diffs are not rendered by default.

docs/cluster-access.md

Lines changed: 123 additions & 0 deletions
# Accessing the Cluster

## Access the cluster using kubectl, continuous build pipelines, or other clients
If you've chosen to configure a _public_ Load Balancer for your Kubernetes Master(s) (i.e. `control_plane_subnet_access=public`, or `control_plane_subnet_access=private` _and_ `k8s_master_lb_access=public`), you can interact with your cluster using kubectl, continuous build pipelines, or any other client over the Internet. A working kubeconfig can be found in the `./generated` folder, or generated on the fly using the `kubeconfig` Terraform output variable.
```bash
# warning: 0.0.0.0/0 is wide open. Consider limiting HTTPS ingress to a smaller set of IPs.
$ terraform plan -var master_https_ingress=0.0.0.0/0
$ terraform apply -var master_https_ingress=0.0.0.0/0
# consider closing access off again using terraform apply -var master_https_ingress=10.0.0.0/16
```
```bash
$ export KUBECONFIG=`pwd`/generated/kubeconfig
$ kubectl cluster-info
$ kubectl get nodes
```
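As a quick sanity check once kubectl can reach the API, you can schedule and remove a throwaway pod (a minimal sketch; the pod name and the busybox image are arbitrary placeholders, not part of this project):

```bash
# Hypothetical smoke test: run a short-lived busybox pod and confirm it lands on a worker node.
$ kubectl run smoke-test --image=busybox --restart=Never --command -- sleep 60
$ kubectl get pod smoke-test -o wide
$ kubectl delete pod smoke-test
```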
If you've chosen to configure a strictly _private_ cluster (i.e. `control_plane_subnet_access=private` _and_ `k8s_master_lb_access=private`), access to the cluster will be limited to the NAT instance(s), similar to how you would use a bastion host, e.g.
```bash
$ terraform plan -var public_subnet_ssh_ingress=0.0.0.0/0
$ terraform apply -var public_subnet_ssh_ingress=0.0.0.0/0
$ terraform output ssh_private_key > generated/instances_id_rsa
$ chmod 600 generated/instances_id_rsa
$ scp -i generated/instances_id_rsa generated/instances_id_rsa opc@NAT_INSTANCE_PUBLIC_IP:/home/opc/
$ ssh -i generated/instances_id_rsa opc@NAT_INSTANCE_PUBLIC_IP
nat$ ssh -i /home/opc/instances_id_rsa opc@K8SMASTER_INSTANCE_PRIVATE_IP
master$ kubectl cluster-info
master$ kubectl get nodes
```
Note: for easier access, consider setting up an SSH tunnel between your local host and a NAT instance.
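For example, a minimal sketch of such a tunnel, assuming the placeholder addresses from the block above and that the master's API server listens on port 443 (as in the generated kubeconfig):

```bash
# Forward a local port through the NAT instance to the private master's API endpoint.
# NAT_INSTANCE_PUBLIC_IP and K8SMASTER_INSTANCE_PRIVATE_IP are placeholders, as above.
$ ssh -i generated/instances_id_rsa -N -L 6443:K8SMASTER_INSTANCE_PRIVATE_IP:443 opc@NAT_INSTANCE_PUBLIC_IP &
# Point kubectl at the forwarded port, e.g. by editing the server address in
# generated/kubeconfig to https://localhost:6443 (TLS certificate names permitting).
```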
## Access the cluster using Kubernetes Dashboard

Assuming `kubectl` has access to the Kubernetes Master Load Balancer, you can use `kubectl proxy` to access the Dashboard:
```bash
kubectl proxy &
open http://localhost:8001/ui
```
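On hosts without the macOS `open` command, browse to the URL directly or use an equivalent opener (a sketch; assumes a Linux desktop where `xdg-open` is available):

```bash
kubectl proxy &
xdg-open http://localhost:8001/ui
```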
## Verifying your cluster
If you've chosen to configure a public cluster, you can do a quick and automated verification of your cluster from your local machine by running the `cluster-check.sh` script located in the `scripts` directory. Note that this script requires your `KUBECONFIG` environment variable to be set (see above), and SSH and HTTPS access to be open to etcd and worker nodes.
To temporarily open SSH and HTTPS access for `cluster-check.sh`, add the following to your `terraform.tfvars` file:
```bash
# warning: 0.0.0.0/0 is wide open. remember to undo this.
etcd_ssh_ingress = "0.0.0.0/0"
master_ssh_ingress = "0.0.0.0/0"
worker_ssh_ingress = "0.0.0.0/0"
master_https_ingress = "0.0.0.0/0"
worker_nodeport_ingress = "0.0.0.0/0"
```
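After editing `terraform.tfvars`, apply the change before running the check (and remember to revert these ingress settings when you're done):

```bash
$ terraform plan
$ terraform apply
```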
```bash
$ scripts/cluster-check.sh
```
```
[cluster-check.sh] Running some basic checks on Kubernetes cluster....
[cluster-check.sh] Checking ssh connectivity to each node...
[cluster-check.sh] Checking whether instance bootstrap has completed on each node...
[cluster-check.sh] Checking Flannel's etcd key from each node...
[cluster-check.sh] Checking whether expected system services are running on each node...
[cluster-check.sh] Checking status of /healthz endpoint at each k8s master node...
[cluster-check.sh] Checking status of /healthz endpoint at the LB...
[cluster-check.sh] Running 'kubectl get nodes' a number of times through the master LB...

The Kubernetes cluster is up and appears to be healthy.
Kubernetes master is running at https://129.146.22.175:443
KubeDNS is running at https://129.146.22.175:443/api/v1/proxy/namespaces/kube-system/services/kube-dns
kubernetes-dashboard is running at https://129.146.22.175:443/ui
```
## SSH into OCI Instances

If you've chosen to launch your control plane instances in _public_ subnets (i.e. `control_plane_subnet_access=public`), you can open SSH access to your etcd, master, and worker nodes by adding the following to your `terraform.tfvars` file:
```bash
# warning: 0.0.0.0/0 is wide open. remember to undo this.
etcd_ssh_ingress = "0.0.0.0/0"
master_ssh_ingress = "0.0.0.0/0"
worker_ssh_ingress = "0.0.0.0/0"
```
```bash
# Create a local SSH private key file for logging into OCI instances
$ terraform output ssh_private_key > generated/instances_id_rsa
$ chmod 600 generated/instances_id_rsa
# Retrieve the public IPs for the etcd nodes
$ terraform output etcd_public_ips
# Log in as user opc on the Oracle Linux (OEL) OS
$ ssh -i `pwd`/generated/instances_id_rsa opc@ETCD_INSTANCE_PUBLIC_IP
# Retrieve the public IPs for the k8s masters
$ terraform output master_public_ips
$ ssh -i `pwd`/generated/instances_id_rsa opc@K8SMASTER_INSTANCE_PUBLIC_IP
# Retrieve the public IPs for the k8s workers
$ terraform output worker_public_ips
$ ssh -i `pwd`/generated/instances_id_rsa opc@K8SWORKER_INSTANCE_PUBLIC_IP
```
If you've chosen to launch your control plane instances in _private_ subnets (i.e. `control_plane_subnet_access=private`), you'll first need to SSH into a NAT instance, and from there to a worker, master, or etcd node:
```bash
$ terraform plan -var public_subnet_ssh_ingress=0.0.0.0/0
$ terraform apply -var public_subnet_ssh_ingress=0.0.0.0/0
$ terraform output ssh_private_key > generated/instances_id_rsa
$ chmod 600 generated/instances_id_rsa
$ terraform output nat_instance_public_ips
$ scp -i generated/instances_id_rsa generated/instances_id_rsa opc@NAT_INSTANCE_PUBLIC_IP:/home/opc/
$ ssh -i generated/instances_id_rsa opc@NAT_INSTANCE_PUBLIC_IP
nat$ ssh -i /home/opc/instances_id_rsa opc@PRIVATE_IP
```

docs/examples.md

Lines changed: 130 additions & 0 deletions
# Example Operations

## Deploying a new cluster using terraform apply
Override any of the input variables in your `terraform.tfvars` file and run the plan and apply commands:
```bash
# verify what will change
$ terraform plan

# deploy the cluster
$ terraform apply
```
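For reference, a hypothetical `terraform.tfvars` snippet using the worker/master count variables described in the sections below (the values shown are placeholders, not recommended defaults):

```bash
# Hypothetical terraform.tfvars overrides; adjust to your own capacity needs.
k8sMasterAd1Count = "1"
k8sWorkerAd1Count = "2"
k8sWorkerAd2Count = "2"
```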
## Scaling k8s workers (in or out) using terraform apply

To scale workers in or out, adjust the `k8sWorkerAd1Count`, `k8sWorkerAd2Count`, or `k8sWorkerAd3Count` input variables in `terraform.tfvars` and run the plan and apply commands:
```bash
# verify changes
$ terraform plan

# scale workers (use -target=module.instances-k8sworker-adX to only target workers in a particular AD)
$ terraform apply
```
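For example, to limit the apply to the workers in a single AD, as the comment above suggests (AD1 shown; substitute the module for your AD):

```bash
# Only touch the AD1 worker module during this apply.
$ terraform apply -target=module.instances-k8sworker-ad1
```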
When scaling worker nodes _up_, you will need to wait for the node initialization to finish asynchronously before the new nodes appear in `kubectl get nodes`.
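One way to watch for the new workers to register and become Ready (standard kubectl; nothing project-specific assumed):

```bash
# Watch node status until the new workers show up and report Ready.
$ kubectl get nodes -w
```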
When scaling worker nodes _down_, the `instances/k8sworker` module's `user_data` code will take care of running `kubectl drain` and `kubectl delete node` on the nodes being terminated.
## Scaling k8s masters (in or out) using terraform apply

To scale the masters in or out, adjust the `k8sMasterAd1Count`, `k8sMasterAd2Count`, or `k8sMasterAd3Count` input variables in `terraform.tfvars` and run the plan and apply commands:
```bash
# verify changes
$ terraform plan

# scale master nodes
$ terraform apply
```
Similar to the initial deployment, you will need to wait for the node initialization to finish asynchronously.
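One rough way to confirm a master is serving traffic again is to hit the `/healthz` endpoint that `cluster-check.sh` also probes (the address below is a placeholder; `-k` skips certificate verification for a quick check):

```bash
# Placeholder address; use your master LB public IP or a master node's address.
$ curl -k https://MASTER_LB_PUBLIC_IP:443/healthz
```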
## Scaling etcd nodes (in or out) using terraform apply

Scaling the etcd nodes in or out after the initial deployment is not currently supported. Terminating all the nodes in the etcd cluster will result in data loss.
## Replacing worker nodes using terraform taint

We can use `terraform taint` to mark worker instances in a particular AD as "tainted", which will cause them to be destroyed and recreated on the next apply. This can be a useful strategy for reverting local changes or regenerating a misbehaving worker.
```bash
# taint all workers in AD1
terraform taint -module=instances-k8sworker-ad1 oci_core_instance.TFInstanceK8sWorker
# optionally taint workers in AD2 and AD3 or do so in a subsequent apply
# terraform taint -module=instances-k8sworker-ad2 oci_core_instance.TFInstanceK8sWorker
# terraform taint -module=instances-k8sworker-ad3 oci_core_instance.TFInstanceK8sWorker

# preview changes
$ terraform plan

# replace workers
$ terraform apply
```
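If you taint the wrong resource, Terraform also provides an `untaint` command; the module-scoped form below mirrors the taint syntax above (verify the exact flags against your Terraform version's documentation):

```bash
# Clear an accidental taint before applying.
terraform untaint -module=instances-k8sworker-ad1 oci_core_instance.TFInstanceK8sWorker
```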
## Replacing masters using terraform taint

We can also use `terraform taint` to mark master instances in a particular AD as "tainted", which will cause them to be destroyed and recreated on the next apply. This can be a useful strategy for reverting local changes or regenerating a misbehaving master.
```bash
# taint all masters in AD1
terraform taint -module=instances-k8smaster-ad1 oci_core_instance.TFInstanceK8sMaster
# optionally taint masters in AD2 and AD3 or do so in a subsequent apply
# terraform taint -module=instances-k8smaster-ad2 oci_core_instance.TFInstanceK8sMaster
# terraform taint -module=instances-k8smaster-ad3 oci_core_instance.TFInstanceK8sMaster

# preview changes
$ terraform plan

# replace masters
$ terraform apply
```
## Upgrading cluster using the k8s_ver input variable

One way to upgrade your cluster is by incrementally changing the value of the `k8s_ver` input variable, first on your master nodes and then on your worker nodes.
```bash
# preview upgrade of all workers in AD1 to K8s 1.7.5
$ terraform plan -var k8s_ver=1.7.5 -target=module.instances-k8sworker-ad1

# perform upgrade/replace workers
$ terraform apply -var k8s_ver=1.7.5 -target=module.instances-k8sworker-ad1
```
The above apply will:

1. drain all worker nodes in AD1, shifting their workloads to your nodes in AD2 and AD3
2. destroy all worker nodes in AD1
3. re-create the worker nodes in AD1 using Kubernetes 1.7.5
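After the apply finishes and the replacement nodes register, you can confirm the kubelet version each node reports (standard kubectl output includes a VERSION column):

```bash
# The VERSION column should show v1.7.5 for the replaced AD1 workers.
$ kubectl get nodes
```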
If you have more than one worker in an AD, you can upgrade worker nodes individually using the subscript operator:
```bash
# preview upgrade of a single worker in AD1 to K8s 1.7.5
$ terraform plan -var k8s_ver=1.7.5 -target=module.instances-k8sworker-ad1.oci_core_instance.TFInstanceK8sWorker[1]

# perform upgrade/replace of the worker
$ terraform apply -var k8s_ver=1.7.5 -target=module.instances-k8sworker-ad1.oci_core_instance.TFInstanceK8sWorker[1]
```
Be sure to smoke test this approach on a stand-by cluster to weed out pitfalls and to ensure the scripts are compatible with the version of Kubernetes you are upgrading to. We have not tested versions of Kubernetes other than the current default.
## Replacing etcd cluster members using terraform taint

Replacing etcd cluster members after the initial deployment is not currently supported.
## Deleting a cluster using terraform destroy

```bash
$ terraform destroy
```
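Before committing to the destroy, you can preview exactly which resources will be removed (standard Terraform workflow, nothing repo-specific):

```bash
# Show the full set of resources terraform destroy would delete.
$ terraform plan -destroy
```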

docs/images/arch.jpg

[Binary image diffs not rendered (−6.39 KB; 104 KB)]
