From 6321522b2a5d9c80115f85e59778cc5d1e8f5e5d Mon Sep 17 00:00:00 2001 From: Paritosh Paliwal Date: Thu, 14 Mar 2024 16:45:25 +0530 Subject: [PATCH] Bug-Fix: Discovery policy placement & scope updated (#69) * policy scope bug fix --- .gitignore | 3 ++ terraform/modules/helm/helm.tf | 4 ++- terraform/modules/helm/outputs.tf | 31 +++++++++++++++++ terraform/modules/iam/iam.tf | 36 +++++++------------- terraform/oke/main.tf | 9 +++-- terraform/oke/outputs.tf | 55 +++---------------------------- 6 files changed, 56 insertions(+), 82 deletions(-) diff --git a/.gitignore b/.gitignore index 958b220a..7903a784 100644 --- a/.gitignore +++ b/.gitignore @@ -62,6 +62,9 @@ charts/tests/ charts/**/Chart.lock charts/**/charts/ +# RM Schema Validation +meta-schema.yaml + # zip artifacts releases/ diff --git a/terraform/modules/helm/helm.tf b/terraform/modules/helm/helm.tf index f0b0f3e4..a2b2b9be 100644 --- a/terraform/modules/helm/helm.tf +++ b/terraform/modules/helm/helm.tf @@ -5,9 +5,11 @@ locals { helm_repo_url = "https://oracle-quickstart.github.io/oci-kubernetes-monitoring" helm_repo_chart = "oci-onm" + k8s_namespace = var.deploy_mushop_config ? "livelab-test" : var.kubernetes_namespace + helm_inputs = { # global - "global.namespace" = var.deploy_mushop_config ? "livelab-test" : var.kubernetes_namespace + "global.namespace" = local.k8s_namespace "global.kubernetesClusterID" = var.oke_cluster_ocid "global.kubernetesClusterName" = var.oke_cluster_name diff --git a/terraform/modules/helm/outputs.tf b/terraform/modules/helm/outputs.tf index de072787..00e8298a 100644 --- a/terraform/modules/helm/outputs.tf +++ b/terraform/modules/helm/outputs.tf 
@@ -1,4 +1,35 @@ +locals { + cmd_1_helm_repo_add = "helm repo add oci-onm https://oracle-quickstart.github.io/oci-kubernetes-monitoring" + cmd_2_helm_repo_update = "helm repo update" + + helm_install_opt_entity_id = var.oke_cluster_entity_ocid == "DEFAULT" ? "" : "--set oci-onm-logan.ociLAClusterEntityID=${var.oke_cluster_entity_ocid}" + + cmd_3_helm_install = join(" ", [ + "helm install oci-kubernetes-monitoring oci-onm/oci-onm", + "--set global.namespace=${local.k8s_namespace}", + "--set global.kubernetesClusterID=${var.oke_cluster_ocid}", + "--set global.kubernetesClusterName=${var.oke_cluster_name}", + "--set oci-onm-logan.ociLALogGroupID=${var.oci_la_logGroup_id}", + "--set oci-onm-logan.ociLANamespace=${var.oci_la_namespace}", + local.helm_install_opt_entity_id, + "--set oci-onm-mgmt-agent.deployMetricServer=${var.opt_deploy_metric_server}", + "--set oci-onm-mgmt-agent.mgmtagent.installKeyFileContent=${var.mgmt_agent_install_key_content}" + ]) +} + # Helm release artifacts for local testing and validation. output "helm_template" { value = var.generate_helm_template ? data.helm_template.oci-kubernetes-monitoring[0].manifest : null +} + +output "cmd_1_helm_repo_add" { + value = local.cmd_1_helm_repo_add +} + +output "cmd_2_helm_repo_update" { + value = local.cmd_2_helm_repo_update +} + +output "cmd_3_helm_install" { + value = local.cmd_3_helm_install } \ No newline at end of file diff --git a/terraform/modules/iam/iam.tf b/terraform/modules/iam/iam.tf index e92ec1e9..ba2594a1 100644 --- a/terraform/modules/iam/iam.tf +++ b/terraform/modules/iam/iam.tf 
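Review bot: `cmd_3_helm_install` interpolates `var.mgmt_agent_install_key_content` into a plain string that `output "cmd_3_helm_install"` exports without `sensitive = true`, so the agent install key is written to state and printed at apply time wherever the root module re-exports it, which the terraform/oke/outputs.tf hunk in this same patch does. Unless the variable is already declared sensitive elsewhere (not visible in this diff), add `sensitive = true` to that output here and to the matching root output, or build the command around a key file the operator supplies rather than the key text itself. `cmd_1_helm_repo_add` also repeats the repository URL that helm.tf in the same module already defines as `local.helm_repo_url`; `cmd_1_helm_repo_add = "helm repo add oci-onm ${local.helm_repo_url}"` keeps the two from drifting. The `--set` values are unquoted, so any whitespace or shell metacharacter in the key content or cluster name would break the pasted command; whether those values can contain such characters is not shown here.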
@@ -2,13 +2,10 @@ # Licensed under the Universal Permissive License v1.0 as shown at https://oss.oracle.com/licenses/upl. locals { - # Compartments - oci_onm_compartment_name = data.oci_identity_compartment.oci_onm_compartment.name - oke_compartment_name = data.oci_identity_compartment.oke_compartment.name + cluster_ocid_md5 = md5(var.oke_cluster_ocid) # Dynmaic Group - uuid_dynamic_group = md5(var.oke_cluster_ocid) - dynamic_group_name = "oci-kubernetes-monitoring-${local.uuid_dynamic_group}" + dynamic_group_name = "oci-kubernetes-monitoring-${local.cluster_ocid_md5}" dynamic_group_desc = "Auto generated by Resource Manager Stack - oci-kubernetes-monitoring. Required for monitoring OKE Cluster - ${var.oke_cluster_ocid}" instances_in_compartment_rule = ["ALL {instance.compartment.id = '${var.oke_compartment_ocid}'}"] management_agent_rule = ["ALL {resource.type='managementagent', resource.compartment.id='${var.oci_onm_compartment_ocid}'}"] 
@@ -16,24 +13,13 @@ locals { complied_dynamic_group_rules = "ANY {${join(",", local.dynamic_group_matching_rules)}}" # Policy - uuid_policy = md5("${local.dynamic_group_name}${local.oci_onm_compartment_name}") - policy_name = "oci-kubernetes-monitoring-${local.uuid_policy}" - policy_desc = "Auto generated by Resource Manager Stack - oci-kubernetes-monitoring. Allows Fluentd and MgmtAgent Pods running inside Kubernetes Cluster to send the data to OCI Logging Analytics and OCI Monitoring respectively." - policy_scope = var.root_compartment_ocid == var.oci_onm_compartment_ocid ? "tenancy" : "compartment ${local.oci_onm_compartment_name}" - mgmt_agent_policy = ["Allow dynamic-group ${local.dynamic_group_name} to use METRICS in ${local.policy_scope} WHERE target.metrics.namespace = 'mgmtagent_kubernetes_metrics'"] - fluentd_agent_policy = ["Allow dynamic-group ${local.dynamic_group_name} to {LOG_ANALYTICS_LOG_GROUP_UPLOAD_LOGS} in ${local.policy_scope}"] - discovery_api_policy = ["Allow dynamic-group ${local.dynamic_group_name} to {LOG_ANALYTICS_DISCOVERY_UPLOAD} in ${local.policy_scope}"] - policy_statements = concat(local.fluentd_agent_policy, local.mgmt_agent_policy, local.discovery_api_policy) -} - -# Logging Analytics Compartment -data "oci_identity_compartment" "oci_onm_compartment" { - id = var.oci_onm_compartment_ocid -} - -# OKE Compartment -data "oci_identity_compartment" "oke_compartment" { - id = var.oke_compartment_ocid + policy_name = "oci-kubernetes-monitoring-${local.cluster_ocid_md5}" + policy_scope = var.root_compartment_ocid == var.oci_onm_compartment_ocid ? "tenancy" : "compartment id ${var.oci_onm_compartment_ocid}" + policy_desc = "Auto generated by Resource Manager Stack - oci-kubernetes-monitoring. Allows Fluentd and MgmtAgent Pods running inside Kubernetes Cluster to send the data to OCI Logging Analytics and OCI Monitoring respectively." 
+ mgmt_agent_stmt = ["Allow dynamic-group ${local.dynamic_group_name} to use METRICS in ${local.policy_scope} WHERE target.metrics.namespace = 'mgmtagent_kubernetes_metrics'"] + fluentd_agent_stmt = ["Allow dynamic-group ${local.dynamic_group_name} to {LOG_ANALYTICS_LOG_GROUP_UPLOAD_LOGS} in ${local.policy_scope}"] + discovery_api_stmt = ["Allow dynamic-group ${local.dynamic_group_name} to {LOG_ANALYTICS_DISCOVERY_UPLOAD} in tenancy"] + compiled_policy_statements = concat(local.fluentd_agent_stmt, local.mgmt_agent_stmt, local.discovery_api_stmt) } # Dynmaic Group @@ -49,8 +35,8 @@ resource "oci_identity_dynamic_group" "oke_dynamic_group" { resource "oci_identity_policy" "oke_monitoring_policy" { name = local.policy_name description = local.policy_desc - compartment_id = var.oci_onm_compartment_ocid - statements = local.policy_statements + compartment_id = var.root_compartment_ocid + statements = local.compiled_policy_statements #provider = oci.home_region depends_on = [oci_identity_dynamic_group.oke_dynamic_group] diff --git a/terraform/oke/main.tf b/terraform/oke/main.tf index fb757b62..62e0667b 100644 --- a/terraform/oke/main.tf +++ b/terraform/oke/main.tf @@ -18,8 +18,7 @@ locals { module_controls_enable_iam_module = alltrue([var.toggle_iam_module, var.opt_create_dynamicGroup_and_policies, !var.livelab_switch]) module_controls_enable_logan_module = alltrue([var.toggle_logan_module]) module_controls_enable_mgmt_agent_module = alltrue([var.toggle_mgmt_agent_module]) - module_controls_enable_helm_module = alltrue([var.toggle_helm_module, local.deploy_helm, - local.module_controls_enable_mgmt_agent_module, local.module_controls_enable_logan_module]) + module_controls_enable_helm_module = alltrue([var.toggle_helm_module, local.module_controls_enable_mgmt_agent_module, local.module_controls_enable_logan_module]) } // Only execute for livelab stack 
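Review bot: `discovery_api_stmt` hard-codes `in tenancy` while the two neighbouring statements use `local.policy_scope`, so a stack deployed against a single compartment still grants LOG_ANALYTICS_DISCOVERY_UPLOAD tenancy-wide, and nothing in the file says this is deliberate, which invites a later reader to "fix" it back to `local.policy_scope`. Add a comment on that line stating the reason, e.g. `# Discovery upload is deliberately granted in tenancy, not local.policy_scope: <REASON>` with the actual reason filled in. Separately, `policy_name` now hashes only the cluster OCID (the removed `uuid_policy` also folded in the compartment name) and the next hunk moves the policy into the root compartment, so as far as I can tell two stacks monitoring the same cluster into different compartments would now try to create two policies with the same name in the same compartment; consider folding `var.oci_onm_compartment_ocid` back into the hash. The `locals` block starts before this hunk.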
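Review bot: Creating `oke_monitoring_policy` in `var.root_compartment_ocid` means the principal running the stack now needs permission to manage policies in the tenancy root rather than only in the monitoring compartment, and a run that previously succeeded with compartment-scoped rights will fail at this resource without an obvious hint. The description of `root_compartment_ocid` (or the README) should state that requirement, and a short comment above `compartment_id`, e.g. `# Policy must live in the root compartment because one statement is tenancy-scoped`, would explain the placement to the next reader. The resource block continues outside the hunk.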
@@ -78,7 +77,7 @@ module "helm_release" { source = "./modules/helm" helm_abs_path = abspath("./charts/oci-onm") use_local_helm_chart = var.toggle_use_local_helm_chart - install_helm = var.toggle_install_helm + install_helm = local.deploy_helm && var.toggle_install_helm generate_helm_template = var.toggle_generate_helm_template oke_compartment_ocid = var.oke_compartment_ocid oke_cluster_ocid = var.oke_cluster_ocid @@ -101,6 +100,6 @@ module "import_kubernetes_dashbords" { source = "./modules/dashboards" compartment_ocid = var.oci_onm_compartment_ocid - count = local.module_controls_enable_dashboards_module ? 1 : 0 - depends_on = [ module.helm_release ] + count = local.module_controls_enable_dashboards_module ? 1 : 0 + depends_on = [module.helm_release] } \ No newline at end of file diff --git a/terraform/oke/outputs.tf b/terraform/oke/outputs.tf index 58fecd0b..682e8092 100644 --- a/terraform/oke/outputs.tf +++ b/terraform/oke/outputs.tf 
@@ -1,69 +1,22 @@ # Copyright (c) 2023, Oracle and/or its affiliates. # Licensed under the Universal Permissive License v1.0 as shown at https://oss.oracle.com/licenses/upl. -locals { - # generate_helm_output evaluates to true in production - generate_helm_output = alltrue([local.module_controls_enable_mgmt_agent_module, local.module_controls_enable_logan_module]) - - output_helm_external_values = local.generate_helm_output ? yamlencode({ - "global" = { - "kubernetesClusterID" = var.oke_cluster_ocid - "kubernetesClusterName" = local.oke_cluster_name - } - "oci-onm-logan" = { - "ociLANamespace" = module.loggingAnalytics[0].oci_la_namespace - "ociLALogGroupID" = module.loggingAnalytics[0].oci_la_logGroup_ocid - "ociLAClusterEntityID" = var.oke_cluster_entity_ocid == "DEFAULT" ? null : var.oke_cluster_entity_ocid - } - "oci-onm-mgmt-agent" = { - "mgmtagent" = { - "installKeyFileContent" = module.management_agent[0].mgmt_agent_install_key_content - } - } - }) : null - - - cmd_1_helm_repo_add = "helm repo add oci-onm https://oracle-quickstart.github.io/oci-kubernetes-monitoring" - - cmd_2_helm_repo_update = "helm repo update" - - helm_install_opt_entity_id = var.oke_cluster_entity_ocid == "DEFAULT" ? "" : "--set oci-onm-logan.ociLAClusterEntityID=${var.oke_cluster_entity_ocid}" - - cmd_3_helm_install = local.generate_helm_output ? 
join(" ", [ - "helm install oci-kubernetes-monitoring oci-onm/oci-onm", - "--set global.kubernetesClusterID=${var.oke_cluster_ocid}", - "--set global.kubernetesClusterName=${local.oke_cluster_name}", - "--set oci-onm-logan.ociLALogGroupID=${module.loggingAnalytics[0].oci_la_logGroup_ocid}", - "--set oci-onm-logan.ociLANamespace=${module.loggingAnalytics[0].oci_la_namespace}", - local.helm_install_opt_entity_id, - "--set oci-onm-mgmt-agent.mgmtagent.installKeyFileContent=${module.management_agent[0].mgmt_agent_install_key_content}" - ]) : null -} - ### -# helm outputs +# Module outputs ### output "cmd_1_helm_repo_add" { - value = local.generate_helm_output ? local.cmd_1_helm_repo_add : null + value = local.module_controls_enable_helm_module ? module.helm_release[0].cmd_1_helm_repo_add : null } output "cmd_2_helm_repo_update" { - value = local.generate_helm_output ? local.cmd_2_helm_repo_update : null + value = local.module_controls_enable_helm_module ? module.helm_release[0].cmd_2_helm_repo_update : null } output "cmd_3_helm_install" { - value = local.generate_helm_output ? local.cmd_3_helm_install : null + value = local.module_controls_enable_helm_module ? module.helm_release[0].cmd_3_helm_install : null } -/* output "external_values_yaml" { - value = local.output_helm_external_values -} */ - -### -# Module outputs -### - output "oke_cluster_name" { value = local.oke_cluster_name }
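Review bot: The three `cmd_*` outputs repeat the same guard `local.module_controls_enable_helm_module ? module.helm_release[0].X : null`, which couples each output to how the module's `count` is derived and must be kept in sync if that local changes. If the stack's required Terraform version allows it, `value = one(module.helm_release[*].cmd_1_helm_repo_add)` expresses the same "value or null when the module is absent" in one step per output and cannot drift from the `count` expression. A one-line comment above the block noting that these are null unless the helm module is enabled would also help, since the old `generate_helm_output` local that documented this was removed.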