OCI¶
OCI provider requires you to input privateKey, keyFingerprint, tenancyOcid, userOcid, and compartmentOcid.
Compute and DNS example¶
providers:
oci:
- name: oci-1
privateKey: private_key
keyFingerprint: fingerprint_placeholder
tenancyOcid: tenancy_ocid
userOcid: user_ocid
compartmentOcid: compartment_ocid
Create OCI credentials¶
Prerequisites¶
- Install OCI CLI by following this guide.
- Configure OCI CLI by following this guide.
Creating OCI credentials for Claudie¶
-
Export your tenant id:
export tenancy_ocid="ocid"Find your tenant id
You can find it under
Identity & Securitytab andCompartmentsoption. -
Create OCI compartment where Claudie deploys its resources:
{ oci iam compartment create --name claudie-compartment --description claudie-compartment --compartment-id $tenancy_ocid } -
Create the claudie user:
oci iam user create --name claudie-user --compartment-id $tenancy_ocid --description claudie-user --email <email address> -
Create a group that will hold permissions for the user:
oci iam group create --name claudie-group --compartment-id $tenancy_ocid --description claudie-group -
Generate policy file with necessary permissions:
{ cat > policy.txt <<EOF [ "Allow group claudie-group to manage instance-family in compartment claudie-compartment", "Allow group claudie-group to manage volume-family in compartment claudie-compartment", "Allow group claudie-group to manage virtual-network-family in tenancy", "Allow group claudie-group to manage dns-zones in compartment claudie-compartment", "Allow group claudie-group to manage dns-records in compartment claudie-compartment" ] EOF } -
Create a policy with required permissions:
oci iam policy create --name claudie-policy --statements file://policy.txt --compartment-id $tenancy_ocid --description claudie-policy -
Declare
user_ocidandgroup_ocid:{ group_ocid=$(oci iam group list | jq -r '.data[] | select(.name == "claudie-group") | .id') user_ocid=$(oci iam user list | jq -r '.data[] | select(.name == "claudie-user") | .id') } -
Attach claudie-user to claudie-group:
oci iam group add-user --group-id $group_ocid --user-id $user_ocid -
Generate key pair for claudie-user and enter
N/Afor no passphrase:oci setup keys --key-name claudie-user --output-dir . -
Upload the public key to use for the claudie-user:
oci iam user api-key upload --user-id $user_ocid --key-file claudie-user_public.pem -
You can either manually perform this step or use the following script with the provided template to safely replace the credentials field with your generated credentials:
{ compartment_ocid=$(oci iam compartment list | jq -r '.data[] | select(.name == "claudie-compartment") | .id') fingerprint=$(oci iam user api-key list --user-id $user_ocid | jq -r '.data[0].fingerprint') yq '.providers.oci[0].privateKey = load_str("claudie-user.pem")' template.yaml > oci.yaml sed -i "s/fingerprint_placeholder/$fingerprint/g" oci.yaml sed -i "s/tenancy_ocid/$tenancy_ocid/g" oci.yaml sed -i "s/user_ocid/$user_ocid/g" oci.yaml sed -i "s/compartment_ocid/$compartment_ocid/g" oci.yaml }
DNS setup¶
If you wish to use OCI as your DNS provider where Claudie creates DNS records pointing to Claudie managed clusters, you will need to create a public DNS zone by following this guide.
OCI is not my domain registrar
You cannot buy a domain from Oracle at this time so you can update nameservers of your OCI hosted zone by following this guide on changing nameservers. However, if you prefer not to use the entire domain, an alternative option is to delegate a subdomain to OCI.
IAM policies required by Claudie¶
"Allow group <GROUP_NAME> to manage instance-family in compartment <COMPARTMENT_NAME>"
"Allow group <GROUP_NAME> to manage volume-family in compartment <COMPARTMENT_NAME>"
"Allow group <GROUP_NAME> to manage virtual-network-family in tenancy"
"Allow group <GROUP_NAME> to manage dns-zones in compartment <COMPARTMENT_NAME>",
"Allow group <GROUP_NAME> to manage dns-records in compartment <COMPARTMENT_NAME>",
Input manifest examples¶
Single provider, multi region cluster example¶
name: OCIExampleManifest
providers:
oci:
- name: oci-1
# Private key to the user account.
privateKey: |
-----BEGIN RSA PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCj2/askJSLosad
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCj2/askJSLosad
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCj2/askJSLosad
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCj2/askJSLosad
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCj2/askJSLosad
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCj2/askJSLosad
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCj2/askJSLosad
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCj2/askJSLosad
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCj2/askJSLosad
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCj2/askJSLosad
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCj2/askJSLosad
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCj2/askJSLosad
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCj2/askJSLosad
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCj2/askJSLosad
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCj2/askJSLosad
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCj2/askJSLosad
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCj2/askJSLosad
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCj2/askJSLosad
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCj2/askJSLosad
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCj2/askJSLosad
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCj2/askJSLosad
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCj2/askJSLosad
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCj2/askJSLosad
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCj2/askJSLosad
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCj2/==
-----END RSA PRIVATE KEY-----
# Fingerprint of the key pair.
keyFingerprint: ab:cd:3f:34:33:22:32:34:54:54:45:76:76:78:98:aa
# OCID of the tenancy.
tenancyOcid: ocid2.tenancy.oc2..aaaaaaaayrsfvlvxc34o060kfdygsds21nske76ksjkko21lpsdfsfsgbrtghs
# OCID of the user.
userOcid: ocid2.user.oc2..aaaaaaaaaanyrsfvlvxc34o060kfdygsds21nske76ksjkko21lpsdfsf
# OCID of the compartment.
compartmentOcid: ocid2.compartment.oc2..aaaaaaaaa2rsfvlvxc34o060kfdygsds21nske76ksjkko21lpsdfsf
nodePools:
dynamic:
- name: control-oci
providerSpec:
# Name of the provider instance.
name: oci-1
# Region of the nodepool.
region: eu-milan-1
# Availability domain of the nodepool.
zone: hsVQ:EU-MILAN-1-AD-1
count: 1
# VM shape name.
serverType: VM.Standard2.2
# OCID of the image.
# Make sure to update it according to the region.
image: ocid1.image.oc1.eu-frankfurt-1.aaaaaaaavvsjwcjstxt4sb25na65yx6i34bzdy5oess3pkgwyfa4hxmzpqeq
- name: compute-1-oci
providerSpec:
# Name of the provider instance.
name: oci-1
# Region of the nodepool.
region: eu-frankfurt-1
# Availability domain of the nodepool.
zone: hsVQ:EU-FRANKFURT-1-AD-1
count: 2
# VM shape name.
serverType: VM.Standard2.1
# OCID of the image.
# Make sure to update it according to the region.
image: ocid1.image.oc1.eu-frankfurt-1.aaaaaaaavvsjwcjstxt4sb25na65yx6i34bzdy5oess3pkgwyfa4hxmzpqeq
storageDiskSize: 50
- name: compute-2-oci
providerSpec:
# Name of the provider instance.
name: oci-1
# Region of the nodepool.
region: eu-frankfurt-1
# Availability domain of the nodepool.
zone: hsVQ:EU-FRANKFURT-1-AD-2
count: 2
# VM shape name.
serverType: VM.Standard2.1
# OCID of the image.
# Make sure to update it according to the region.
image: ocid1.image.oc1.eu-frankfurt-1.aaaaaaaavvsjwcjstxt4sb25na65yx6i34bzdy5oess3pkgwyfa4hxmzpqeq
storageDiskSize: 50
kubernetes:
clusters:
- name: oci-cluster
version: v1.24.0
network: 192.168.2.0/24
pools:
control:
- control-oci
compute:
- compute-1-oci
- compute-2-oci
Multi provider, multi region clusters example¶
name: OCIExampleManifest
providers:
oci:
- name: oci-1
# Private key to the user account.
privateKey: |
-----BEGIN RSA PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCj2/askJSLosad
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCj2/askJSLosad
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCj2/askJSLosad
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCj2/askJSLosad
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCj2/askJSLosad
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCj2/askJSLosad
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCj2/askJSLosad
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCj2/askJSLosad
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCj2/askJSLosad
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCj2/askJSLosad
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCj2/askJSLosad
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCj2/askJSLosad
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCj2/askJSLosad
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCj2/askJSLosad
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCj2/askJSLosad
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCj2/askJSLosad
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCj2/askJSLosad
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCj2/askJSLosad
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCj2/askJSLosad
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCj2/askJSLosad
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCj2/askJSLosad
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCj2/askJSLosad
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCj2/askJSLosad
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCj2/askJSLosad
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCj2/==
-----END RSA PRIVATE KEY-----
# Fingerprint of the key pair.
keyFingerprint: ab:cd:3f:34:33:22:32:34:54:54:45:76:76:78:98:aa
# OCID of the tenancy.
tenancyOcid: ocid2.tenancy.oc2..aaaaaaaayrsfvlvxc34o060kfdygsds21nske76ksjkko21lpsdfsfsgbrtghs
# OCID of the user.
userOcid: ocid2.user.oc2..aaaaaaaaaanyrsfvlvxc34o060kfdygsds21nske76ksjkko21lpsdfsf
# OCID of the compartment.
compartmentOcid: ocid2.compartment.oc2..aaaaaaaaa2rsfvlvxc34o060kfdygsds21nske76ksjkko21lpsdfsf
- name: oci-2
# Private key to the user account.
privateKey: |
-----BEGIN RSA PRIVATE KEY-----
IUBJNINoisdncNIUBNNpniuniupNPIUNuipbnPIUNPIUBSNUPIbnui/OUINNPOIn
IUBJNINoisdncNIUBNNpniuniupNPIUNuipbnPIUNPIUBSNUPIbnui/OUINNPOIn
IUBJNINoisdncNIUBNNpniuniupNPIUNuipbnPIUNPIUBSNUPIbnui/OUINNPOIn
IUBJNINoisdncNIUBNNpniuniupNPIUNuipbnPIUNPIUBSNUPIbnui/OUINNPOIn
IUBJNINoisdncNIUBNNpniuniupNPIUNuipbnPIUNPIUBSNUPIbnui/OUINNPOIn
IUBJNINoisdncNIUBNNpniuniupNPIUNuipbnPIUNPIUBSNUPIbnui/OUINNPOIn
IUBJNINoisdncNIUBNNpniuniupNPIUNuipbnPIUNPIUBSNUPIbnui/OUINNPOIn
IUBJNINoisdncNIUBNNpniuniupNPIUNuipbnPIUNPIUBSNUPIbnui/OUINNPOIn
IUBJNINoisdncNIUBNNpniuniupNPIUNuipbnPIUNPIUBSNUPIbnui/OUINNPOIn
IUBJNINoisdncNIUBNNpniuniupNPIUNuipbnPIUNPIUBSNUPIbnui/OUINNPOIn
IUBJNINoisdncNIUBNNpniuniupNPIUNuipbnPIUNPIUBSNUPIbnui/OUINNPOIn
IUBJNINoisdncNIUBNNpniuniupNPIUNuipbnPIUNPIUBSNUPIbnui/OUINNPOIn
IUBJNINoisdncNIUBNNpniuniupNPIUNuipbnPIUNPIUBSNUPIbnui/OUINNPOIn
IUBJNINoisdncNIUBNNpniuniupNPIUNuipbnPIUNPIUBSNUPIbnui/OUINNPOIn
IUBJNINoisdncNIUBNNpniuniupNPIUNuipbnPIUNPIUBSNUPIbnui/OUINNPOIn
IUBJNINoisdncNIUBNNpniuniupNPIUNuipbnPIUNPIUBSNUPIbnui/OUINNPOIn
IUBJNINoisdncNIUBNNpniuniupNPIUNuipbnPIUNPIUBSNUPIbnui/OUINNPOIn
IUBJNINoisdncNIUBNNpniuniupNPIUNuipbnPIUNPIUBSNUPIbnui/OUINNPOIn
IUBJNINoisdncNIUBNNpniuniupNPIUNuipbnPIUNPIUBSNUPIbnui/OUINNPOIn
IUBJNINoisdncNIUBNNpniuniupNPIUNuipbnPIUNPIUBSNUPIbnui/OUINNPOIn
IUBJNINoisdncNIUBNNpniuniupNPIUNuipbnPIUNPIUBSNUPIbnui/OUINNPOIn
IUBJNINoisdncNIUBNNpniuniupNPIUNuipbnPIUNPIUBSNUPIbnui/OUINNPOIn
IUBJNINoisdncNIUBNNpniuniupNPIUNuipbnPIUNPIUBSNUPIbnui/OUINNPOIn
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCj2/==
-----END RSA PRIVATE KEY-----
# Fingerprint of the key pair.
keyFingerprint: 34:54:54:45:76:76:78:98:aa:ab:cd:3f:34:33:22:32
# OCID of the tenancy.
tenancyOcid: ocid2.tenancy.oc2..aaaaaaaayreragzafbdrfedbfdagagrgregagrrgaregfdgvrehdfsfsgbrtghs
# OCID of the user.
userOcid: ocid2.user.oc2..aaaaaaaaaanyrsfvlvxc3argaehgaergaregraregaregarsdfsfrgreg2ds
# OCID of the compartment.
compartmentOcid: ocid2.compartment.oc2..aaaaaaaaa2rsfvlvxc3argaregaregraegzfgragfksjkko21lpsdfsf
nodePools:
dynamic:
- name: control-oci-1
providerSpec:
# Name of the provider instance.
name: oci-1
# Region of the nodepool.
region: eu-milan-1
# Availability domain of the nodepool.
zone: hsVQ:EU-MILAN-1-AD-1
count: 1
# VM shape name.
serverType: VM.Standard2.2
# OCID of the image.
# Make sure to update it according to the region.
image: ocid1.image.oc1.eu-frankfurt-1.aaaaaaaavvsjwcjstxt4sb25na65yx6i34bzdy5oess3pkgwyfa4hxmzpqeq
- name: control-oci-2
providerSpec:
# Name of the provider instance.
name: oci-2
# Region of the nodepool.
region: eu-frankfurt-1
# Availability domain of the nodepool.
zone: hsVQ:EU-FRANKFURT-1-AD-3
count: 2
# VM shape name.
serverType: VM.Standard2.1
# OCID of the image.
# Make sure to update it according to the region.
image: ocid1.image.oc1.eu-frankfurt-1.aaaaaaaavvsjwcjstxt4sb25na65yx6i34bzdy5oess3pkgwyfa4hxmzpqeq
- name: compute-oci-1
providerSpec:
# Name of the provider instance.
name: oci-1
# Region of the nodepool.
region: eu-frankfurt-1
# Availability domain of the nodepool.
zone: hsVQ:EU-FRANKFURT-1-AD-1
count: 2
# VM shape name.
serverType: VM.Standard2.1
# OCID of the image.
# Make sure to update it according to the region.
image: ocid1.image.oc1.eu-frankfurt-1.aaaaaaaavvsjwcjstxt4sb25na65yx6i34bzdy5oess3pkgwyfa4hxmzpqeq
storageDiskSize: 50
- name: compute-oci-2
providerSpec:
# Name of the provider instance.
name: oci-2
# Region of the nodepool.
region: eu-milan-1
# Availability domain of the nodepool.
zone: hsVQ:EU-MILAN-1-AD-1
count: 2
# VM shape name.
serverType: VM.Standard2.1
# OCID of the image.
# Make sure to update it according to the region..
image: ocid1.image.oc1.eu-frankfurt-1.aaaaaaaavvsjwcjstxt4sb25na65yx6i34bzdy5oess3pkgwyfa4hxmzpqeq
storageDiskSize: 50
kubernetes:
clusters:
- name: oci-cluster
version: v1.24.0
network: 192.168.2.0/24
pools:
control:
- control-oci-1
- control-oci-2
compute:
- compute-oci-1
- compute-oci-2