Merge pull request #113 from oci-landing-zones/oke

Add OKE Workload Extension

Author: hrvolapeter

CODEOWNERS

@@ -1,5 +1,6 @@
 /workload-extensions/ocvs/ @hrvolapeter
 /workload-extensions/ebs/ @rphibbert
+/workload-extensions/oke/ @paolajuarezgomez
 /addons/oci-hub-models/ @vavardan @paalonso
 /addons/oci-sovereign-controls/ @vavardan @hrvolapeter @paolajuarezgomez
 /addons/oci-lz-subnetting/ @paolajuarezgomez @paalonso

commons/images/icon_oke.jpg

@@ -0,0 +1,65 @@
+# Firewalls and RT updates <!-- omit from toc -->
+
+## **Routing**
+
+In all of our OCI Landing Zone models, we recommend implementing a Hub-and-Spoke network architecture. This approach enables you to deploy a firewall in the hub for traffic inspection, ensuring enhanced security. To save time in the design phase with our customers, we have included four hub models. You can choose to use either our OCI native firewall or a third-party solution, such as Fortinet or Palo Alto. Explore the four models [here](https://github.com/oci-landing-zones/oci-landing-zone-operating-entities/tree/master/addons/oci-hub-models).
+
+In this case we have selected model A that is equipped with two OCI Network Firewalls - a next-generation managed network firewall and an intrusion detection and prevention service. The first firewall is dedicated to inbound traffic, while the second is responsible for outbound and East-West traffic control and inspection.
+
+Model A offer two options: a **Light Version** (No Cost), where a virtual machine (VM) is deployed with a load balancer, and a **Complete Version** (With Cost), which includes the deployment of a firewalls.
+
+The next Diagram shows the routing included in the [ONE-OE Hub A Deployment (Light Version - No Cost)](https://github.com/oci-landing-zones/oci-landing-zone-operating-entities/blob/master/addons/oci-hub-models/hub_b/readme.md):
+<img src="../../content/Routing_ONE-OE_HubA.png" width="1000" height="auto">
+
+The next Diagram shows  rounting included in the OKE Ext LZ:
+<img src="../../content/Routing_OKE_ext.png" width="1000" height="auto">
+
+The next steps are to add the firewall and update the corresponding routes. To accomplish this, we need to follow the steps outlined in the [Hub A Deployment (Light Version - No Cost)](https://github.com/oci-landing-zones/oci-landing-zone-operating-entities/blob/master/addons/oci-hub-models/hub_a/readme.md)
+
+For demo purposes, we will deploy a dummy VM instead of a firewall. If needed, the steps to deploy the firewall are also provided on the previous page
+
+**a.** Deploy a dummy FW VM for the DMZ and INTERNAL FWs following these steps [How to create a dummy FW VM](https://github.com/oci-landing-zones/oci-landing-zone-operating-entities/blob/master/commons/content/howto_create_dummy_fw_vm.md)
+
+<img src="../../content/Instances.png" width="1000" height="auto">
+
+**b.** Identify the Private IP OCID of your firewalls following these [steps](https://github.com/oci-landing-zones/oci-landing-zone-operating-entities/blob/master/commons/content/howto_identify_private_ip_ocid_vm_vnic.md)
+
+**c.**
+You can find a generic JSON file for HUB A checking our [hub models asset](https://github.com/oci-landing-zones/oci-landing-zone-operating-entities/tree/master/addons/oci-hub-models/hub_a).
+For this OKE LZ EXT we provided a [customized Json file](../oci_oke_lz_ext_open_lz_post_hub_a_network_light.auto.tfvars.json).
+
+- Replace the "**DMZ FW PRIVATE IP OCID**" with the OCID of the Public DMZ Firewall Private IP OCID identified in the previous steps.
+- Replace the "**INT FW PRIVATE IP OCID**" with the OCID of the Private Internal Firewall Private IP OCID identified in the previous steps.
+- Replace the "**OCID VCN OKE PROD**" with the OCID for the Prod VCN.
+- Replace the "**OCID VCN OKE PREPROD**" with the OCID for the PreProd VCN.
+- Replace the "**OCID VCN OKE MGT**" with the OCID for the MGT VCN.
+
+You can use the find & replace of the IDE of your choice.
+
+**d.** Edit the ORM stack (STEP1) and replace the original Network JSON configuration file with the new **oci_oke_lz_ext_open_lz_post_hub_a_network_light.auto.tfvars** updated file.
+
+**e.** Run Plan & Apply to populate the new changes.
+
+This is the diagram that show the Network after adding the post STEP1 configuration:
+
+<img src="../../content/PostSTEP1.png" width="1000" height="auto">
+
+Now that the spokes are attached to the hub, you can update their routing by adding a rule to the DRG.
+
+**f.** Edit the ORM stack (STEP2) and replace the original Network JSON configuration file with the new **oci_oke_lz_ext_network_npn_post.auto.tfvars** updated file.
+
+**g.** Run Plan & Apply to populate the new changes.
+
+This is the diagram that show the final Network configuration:
+
+<img src="../../content/Final_Routing.png" width="1000" height="auto">
+
+&nbsp;
+
+# License <!-- omit from toc -->
+
+Copyright (c) 2025 Oracle and/or its affiliates.
+
+Licensed under the Universal Permissive License (UPL), Version 1.0.
+
+See [LICENSE](/LICENSE) for more details.

workload-extensions/oke/multi-stack/1_oke_extension/1.1_Network_post_updates/readme.md

@@ -0,0 +1,63 @@
+# STEP2. ORM OKE LZ EXT Deployment Steps <!-- omit from toc -->
+
+If you deployed the 'Core LZ' in the initial operation using ORM and following the ONE-OE LZ model with the output feature enabled, deploying and running a LZ extension will be straightforward and require no additional changes.
+
+When you press the provided magic button, a new ORM stack is created. Follow these steps:
+1. Accept terms, wait for the configuration to load.
+2. Set the working directory to “rms-facade”.
+3. Set the stack name you prefer.
+4. Set the terraform version to 1.5.x. Click Next.
+5. In our example, we include OKE LZ extension required JSON files stored in our open Landing Zone GitHub repository. Click next.
+6. Add the dependencies file created in OP1 as an output. We selected the **ocibucket** option, specifying our bucket name along with the compartments and network files
+7. Un-check run apply. Click Create.
+
+<img src="../content/ORMOKE.png" width="1000" height="auto">
+
+For standardization purposes and better control over the JSON files, we recommend following the same approach used in OP1 by uploading your own files to your OCI bucket.
+
+# Upload your customized OKE LZ EXT JSON files
+
+Click on each file to download it, and make any necessary changes if required.
+
+* IAM: 
+oci_oke_lz_ext_iam.auto.tfvars.json
+* Network: 
+oci_oke_lz_ext_network.auto.tfvars.json
+
+<img src="../content/UploadBucket.png" width="1000" height="auto">
+
+Upload the files to your new bucket or drag and drop them directly.
+
+<img src="../content/UploadObjects.png" width="1000" height="auto">
+
+<img src="../content/UploadBucketOKE.png" width="1000" height="auto">
+
+You can now view the uploaded files in your bucket, giving you full control over them.
+
+&nbsp; 
+# Update the ORM with your own JSON links
+
+In the configuration variables page:
+
+1. Review the region selected for the deployment.
+2.  Set the configuration source to OCI bucket.
+3.  Enter the name of the bucket created in the previous step.
+4.  Remove the default files in the Configuration Files section and upload the four new updated files to the bucket.
+5.  Add the dependencies file created in OP1 as an output. We selected the **ocibucket** option, specifying our bucket name along with the compartments and network files, Click next.
+6.  Un-check run apply. Click Create.
+
+<img src="../content/ORMUpdatedOKE.png" width="1000" height="auto">
+
+
+First, execute a plan job (1) to review all the resources that Terraform will create. Once verified, proceed to run the apply job (2) to initiate the deployment.
+
+<img src="../content/ORMJobsOKE.png" width="500" height="auto">
+
+
+# License <!-- omit from toc -->
+
+Copyright (c) 2025 Oracle and/or its affiliates.
+
+Licensed under the Universal Permissive License (UPL), Version 1.0.
+
+See [LICENSE](/LICENSE) for more details.

workload-extensions/oke/multi-stack/1_oke_extension/ORM_OKE-LZ-EXT_deployment_steps.md

@@ -0,0 +1,95 @@
+# STEP1. ORM ONE-OE Deployment Steps <!-- omit from toc -->
+
+
+## **Using Output and Dependencies features with ORM**
+
+Our Landing Zone extensions are designed to integrate seamlessly with our core Landing Zone models, such as ONE-OE or Multi-OE. We onboard a LZ extension as an additional operation performed after the initial deployment of the core Landing Zone.
+
+When you press the provided magic button, a new ORM stack is created. Follow these steps:
+1. Accept terms, wait for the configuration to load.
+2. Set the working directory to “rms-facade”.
+3. Set the stack name you prefer.
+4. Set the terraform version to 1.5.x. Click Next.
+5. In our example, we include the required JSON files stored in our open Landing Zone GitHub repository. Running it as-is will deploy the ONE-OE Landing Zone in your tenancy. However, if you want to use the **Dependencies** and **Output** features, some minor modifications will be necessary. Click next.
+6. Un-check run apply. Click Create.
+
+<img src="../content/MagicButton.png" width="1000" height="auto">
+
+To minimize customizations and leverage the provided extension templates, we highly recommend using the output feature. This feature automatically generates a file containing key-resource pairs, simplifying subsequent operational deployments.
+
+To store the Json files in a OCI bucket follow the next steps:
+
+# Create your own OCI Bucket <!-- omit from toc -->
+
+1. **Main Menu-> Storage -> Buckets**
+2. **Create a new Bucket**.
+
+<img src="../content/Bucket.png" width="1000" height="auto">
+
+&nbsp; 
+# Upload your customized JSON files
+
+Click on each file to download it, and make any necessary changes if required.
+
+* IAM: 
+[oci_open_lz_one-oe_iam.auto.tfvars.json](https://github.com/oci-landing-zones/oci-landing-zone-operating-entities/blob/v2.2.0-oneoe_v2/blueprints/one-oe/runtime/one-stack/oci_open_lz_one-oe_iam.auto.tfvars.json)
+* Security:
+[oci_open_lz_one-oe_security_cisl1.auto.tfvars.json](https://github.com/oci-landing-zones/oci-landing-zone-operating-entities/blob/v2.2.0-oneoe_v2/blueprints/one-oe/runtime/one-stack/oci_open_lz_one-oe_security_cisl1.auto.tfvars.json)
+* Network: 
+[oci_open_lz_hub_a_network_light.auto.tfvars.json](https://github.com/oci-landing-zones/oci-landing-zone-operating-entities/blob/v2.2.0-oneoe_v2/blueprints/one-oe/runtime/one-stack/oci_open_lz_hub_a_network_light.auto.tfvars.json)
+* Observability:
+[oci_open_lz_one-oe_observability_cisl1.auto.tfvars.json](https://github.com/oci-landing-zones/oci-landing-zone-operating-entities/blob/v2.2.0-oneoe_v2/blueprints/one-oe/runtime/one-stack/oci_open_lz_one-oe_observability_cisl1.auto.tfvars.json)
+
+<img src="../content/UploadBucket.png" width="1000" height="auto">
+
+Upload the files to your new bucket or drag and drop them directly.
+
+<img src="../content/UploadObjects.png" width="1000" height="auto">
+
+You can now view the uploaded files in your bucket, giving you full control over them.
+
+<img src="../content/BucketFiles.png" width="1000" height="auto">
+
+
+&nbsp; 
+# Update the ORM with your own JSON links
+
+In the configuration variables page:
+
+1. Review the region selected for the deployment.
+2. Set the configuration source to OCI bucket.
+3. Enter the name of the bucket created in the previous step.
+4. Remove the default files in the Configuration Files section and upload the four new updated files to the bucket.
+5. In the Output Files section, click 'Save Output' and specify a folder where the output files will be saved.
+6. Click next.
+7. Un-check run apply. Click Create.
+
+<img src="../content/ORMUpdated.png" width="1000" height="auto">
+
+
+First, execute a plan job (1) to review all the resources that Terraform will create. Once verified, proceed to run the apply job (2) to initiate the deployment.
+
+<img src="../content/ORMJobs.png" width="500" height="auto">
+
+After deployment, you can visit your bucket to check the new files created using the output option.
+
+<img src="../content/output.png" width="1000" height="auto">
+
+Example of compartment_output.json
+
+```
+{"compartments":
+{
+"CMP-LANDINGZONE-P-KEY":{"id":"ocid1.compartment.oc1..xxx"},"CMP-LZP-NETWORK-KEY":{"id":"ocid1.compartment.oc1..xxx"},"CMP-LZP-P-NETWORK-KEY":{"id":"ocid1.compartment.oc1..xxx"},"CMP-LZP-P-PLATFORM-KEY":{"id":"ocid1.compartment.oc1..xxx"},"CMP-LZP-P-PROJ1-APP-KEY":{"id":"ocid1.compartment.oc1..xxx"},"CMP-LZP-P-PROJ1-DB-KEY":{"id":"ocid1.compartment.oc1..xxx"},"CMP-LZP-P-PROJ1-INFRA-KEY":{"id":"ocid1.compartment.oc1..xxx"},"CMP-LZP-P-PROJ1-KEY":{"id":"ocid1.compartment.oc1..xxx"},"CMP-LZP-P-PROJECTS-KEY":{"id":"ocid1.compartment.oc1..xxx"},"CMP-LZP-P-SECURITY-KEY":{"id":"ocid1.compartment.oc1..xxx"},"CMP-LZP-PLATFORM-KEY":{"id":"ocid1.compartment.oc1..xxx"},"CMP-LZP-PP-NETWORK-KEY":{"id":"ocid1.compartment.oc1..xxx"},"CMP-LZP-PP-PLATFORM-KEY":{"id":"ocid1.compartment.oc1..xxx"},"CMP-LZP-PP-PROJ1-APP-KEY":{"id":"ocid1.compartment.oc1..xxx"},"CMP-LZP-PP-PROJ1-DB-KEY":{"id":"ocid1.compartment.oc1..xxx"},"CMP-LZP-PP-PROJ1-INFRA-KEY":{"id":"ocid1.compartment.oc1..xxx"},"CMP-LZP-PP-PROJ1-KEY":{"id":"ocid1.compartment.oc1..xxx"},"CMP-LZP-PP-PROJECTS-KEY":{"id":"ocid1.compartment.oc1..xxx"},"CMP-LZP-PP-SECURITY-KEY":{"id":"ocid1.compartment.oc1..xxx"},"CMP-LZP-PREPROD-KEY":{"id":"ocid1.compartment.oc1..xxx"},
+"CMP-LZP-PROD-KEY":{"id":"ocid1.compartment.oc1..xxx"},"CMP-LZP-SECURITY-KEY":{"id":"ocid1.compartment.oc1..xxx"}
+}
+}
+```
+
+# License <!-- omit from toc -->
+
+Copyright (c) 2025 Oracle and/or its affiliates.
+
+Licensed under the Universal Permissive License (UPL), Version 1.0.
+
+See [LICENSE](/LICENSE) for more details.