Add IPv6 support

Author: robo-cap

docs/src/guide/cluster.md

@@ -12,6 +12,7 @@ The OKE parameters concern mainly the following:
 * number of node pools and their respective size of the cluster
 * services and pods cidr blocks
 * whether to use encryption
+* whether you want to enable [dual-stack](https://docs.oracle.com/en-us/iaas/Content/ContEng/Tasks/conteng_ipv4-and-ipv6.htm): IPv4 & IPv6 
 
 ```admonish notice
  If you need to change the default services and pods' CIDRs, note the following:

docs/src/guide/network_subnets.md

@@ -27,6 +27,12 @@ Subnets are created for core components managed within the module, namely:
 {{#include ../../../examples/network/vars-network-subnets-create-cidr.auto.tfvars:4:}}
 ```
 
+## Create new subnets with IPv4 and IPv6 (CIDR notation)
+
+```javascript
+{{#include ../../../examples/network/vars-network-subnets-create-cidr-ipv4-and-ipv6.tfvars:4:}}
+```
+
 ## Use existing subnets
 
 ```javascript

examples/cluster-addons/vars-cluster-addons.auto.tfvars

@@ -4,12 +4,12 @@
 cluster_addons = {
   "CertManager" = {
     remove_addon_resources_on_delete = true
-    override_existing = true           # Default is false if not specified
+    override_existing                = true # Default is false if not specified
     # The list of supported configurations for the cluster addons is here: https://docs.oracle.com/en-us/iaas/Content/ContEng/Tasks/contengconfiguringclusteraddons-configurationarguments.htm#contengconfiguringclusteraddons-configurationarguments_CertificateManager
     configurations = [
       {
-        key          = "numOfReplicas"
-        value        = "1"
+        key   = "numOfReplicas"
+        value = "1"
       }
     ]
   }
@@ -20,7 +20,7 @@ cluster_addons = {
   # Prevent Flannel pods from being scheduled using a non-existing label as nodeSelector
   "Flannel" = {
     remove_addon_resources_on_delete = true
-    override_existing = true # Override the existing configuration with this one, if Flannel addon in already enabled
+    override_existing                = true # Override the existing configuration with this one, if Flannel addon in already enabled
     configurations = [
       {
         key   = "nodeSelectors"
@@ -31,7 +31,7 @@ cluster_addons = {
   # Prevent Kube-Proxy pods from being scheduled using a non-existing label as nodeSelector
   "KubeProxy" = {
     remove_addon_resources_on_delete = true
-    override_existing = true # Override the existing configuration with this one, if KubeProxy addon in already enabled
+    override_existing                = true # Override the existing configuration with this one, if KubeProxy addon in already enabled
     configurations = [
       {
         key   = "nodeSelectors"

examples/cluster/vars-cluster-basic.auto.tfvars

@@ -1,5 +1,5 @@
-# Copyright (c) 2017, 2023 Oracle Corporation and/or its affiliates.
+# Copyright (c) 2017, 2025 Oracle Corporation and/or its affiliates.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl
 
 cluster_name       = "oke-example"
-kubernetes_version = "v1.31.1"
+kubernetes_version = "v1.32.1"

examples/cluster/vars-cluster-enhanced.auto.tfvars

@@ -1,4 +1,4 @@
-# Copyright (c) 2017, 2023 Oracle Corporation and/or its affiliates.
+# Copyright (c) 2017, 2025 Oracle Corporation and/or its affiliates.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl
 
 create_cluster                    = true // *true/false
@@ -7,9 +7,10 @@ cluster_kms_key_id                = null
 cluster_name                      = "oke"
 cluster_type                      = "enhanced" // *basic/enhanced
 cni_type                          = "flannel"  // *flannel/npn
-assign_public_ip_to_control_plane = true // true/*false
+assign_public_ip_to_control_plane = true       // true/*false
 image_signing_keys                = []
-kubernetes_version                = "v1.31.1"
+kubernetes_version                = "v1.32.1"
 pods_cidr                         = "10.244.0.0/16"
 services_cidr                     = "10.96.0.0/16"
 use_signed_images                 = false // true/*false
+enable_ipv6                       = false //true/*false

examples/cluster/vars-cluster-oidc-auth-multiple.auto.tfvars

@@ -0,0 +1,57 @@
+# Copyright (c) 2017, 2025 Oracle Corporation and/or its affiliates.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl
+
+create_cluster                    = true // *true/false
+cluster_dns                       = null
+cluster_kms_key_id                = null
+cluster_name                      = "oke"
+cluster_type                      = "enhanced" // *basic/enhanced
+cni_type                          = "flannel"  // *flannel/npn
+assign_public_ip_to_control_plane = true       // true/*false
+image_signing_keys                = []
+kubernetes_version                = "v1.32.1"
+pods_cidr                         = "10.244.0.0/16"
+services_cidr                     = "10.96.0.0/16"
+use_signed_images                 = false // true/*false
+
+# Enable OIDC token authentication for Github Actions using API server configuration file
+open_id_connect_token_auth_enabled = true
+open_id_connect_token_authentication_config = {
+  configuration_file = base64encode(yamlencode(
+    {
+      "apiVersion" = "apiserver.config.k8s.io/v1beta1"
+      "kind"       = "AuthenticationConfiguration"
+      "jwt" = [
+        {
+          "issuer" = {
+            "url" = "https://token.actions.githubusercontent.com",
+            "audiences" = [
+              "oke-kubernetes-cluster" # Must match the audience in the GitHub Actions workflow.
+            ],
+            "audienceMatchPolicy" = "MatchAny"
+          }
+          "claimMappings" = {
+            "username" = {
+              "claim"  = "sub"
+              "prefix" = ""
+            }
+          }
+          "claimValidationRules" = [
+            {
+              "claim"         = "repository"
+              "requiredValue" = "GITHUB_ACCOUNT/GITHUB_REPOSITORY"
+            },
+            {
+              "claim"         = "workflow"
+              "requiredValue" = "oke-oidc" # Must match the workflow name.
+            },
+            {
+              "claim"         = "ref"
+              "requiredValue" = "refs/heads/main"
+            },
+          ]
+        }
+      ]
+    }
+  ))
+}

examples/cluster/vars-cluster-oidc-auth-single.auto.tfvars

@@ -0,0 +1,38 @@
+# Copyright (c) 2017, 2025 Oracle Corporation and/or its affiliates.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl
+
+create_cluster                    = true // *true/false
+cluster_dns                       = null
+cluster_kms_key_id                = null
+cluster_name                      = "oke"
+cluster_type                      = "enhanced" // *basic/enhanced
+cni_type                          = "flannel"  // *flannel/npn
+assign_public_ip_to_control_plane = true       // true/*false
+image_signing_keys                = []
+kubernetes_version                = "v1.32.1"
+pods_cidr                         = "10.244.0.0/16"
+services_cidr                     = "10.96.0.0/16"
+use_signed_images                 = false // true/*false
+
+# Enable OIDC token authentication for Github Actions using API server flags
+oidc_token_auth_enabled = true
+oidc_token_authentication_config = {
+  client_id      = "oke-kubernetes-cluster" # Must match the audience in the GitHub Actions workflow.
+  issuer_url     = "https://token.actions.githubusercontent.com",
+  username_claim = "sub"
+  required_claims = [
+    {
+      key   = "repository",
+      value = "GITHUB_ACCOUNT/GITHUB_REPOSITORY"
+    },
+    {
+      key   = "workflow",
+      value = "oke-oidc" # Must match the workflow name.
+    },
+    {
+      key   = "ref"
+      value = "refs/heads/main"
+    }
+  ],
+}
+

examples/cluster/vars-cluster-oidc-discovery.auto.tfvars

@@ -0,0 +1,18 @@
+# Copyright (c) 2017, 2025 Oracle Corporation and/or its affiliates.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl
+
+create_cluster                    = true // *true/false
+cluster_dns                       = null
+cluster_kms_key_id                = null
+cluster_name                      = "oke"
+cluster_type                      = "enhanced" // *basic/enhanced
+cni_type                          = "flannel"  // *flannel/npn
+assign_public_ip_to_control_plane = true       // true/*false
+image_signing_keys                = []
+kubernetes_version                = "v1.32.1"
+pods_cidr                         = "10.244.0.0/16"
+services_cidr                     = "10.96.0.0/16"
+use_signed_images                 = false // true/*false
+
+# Enable OIDC discovery
+oidc_discovery_enabled = true

examples/extensions/vars-extensions-service-account.auto.tfvars

@@ -2,26 +2,26 @@
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl
 
 create_service_account = true
-service_accounts       = {
+service_accounts = {
   # Example to create a cluster role binding using a cluster role.
   example_cluster_role_binding = {
-    sa_name = "sa1"
-    sa_namespace = "kube-system"
-    sa_cluster_role = "cluster-admin"
+    sa_name                 = "sa1"
+    sa_namespace            = "kube-system"
+    sa_cluster_role         = "cluster-admin"
     sa_cluster_role_binding = "sa1-crb"
   }
   # Example to create a role binding using a cluster role.
   example_role_binding = {
-    sa_name = "sa2"
-    sa_namespace = "default"
+    sa_name         = "sa2"
+    sa_namespace    = "default"
     sa_cluster_role = "cluster-admin"
     sa_role_binding = "sa1-rb"
   }
   # Example to create a role binding using a role, the role needs to exist within the namespace.
   example_role_binding = {
-    sa_name = "sa3"
-    sa_namespace = "kube-system"
-    sa_role = "system:controller:token-cleaner"
+    sa_name         = "sa3"
+    sa_namespace    = "kube-system"
+    sa_role         = "system:controller:token-cleaner"
     sa_role_binding = "sa3-rb"
   }
 }

examples/istio-mc/README.md

@@ -51,7 +51,7 @@ clusters = {
 5. Configure additional parameters if necessary:
 
 ```
-kubernetes_version = "v1.28.2"
+kubernetes_version = "v1.32.1"
 
 cluster_type = "basic"
 

examples/istio-mc/terraform.tfvars.example

@@ -23,7 +23,7 @@ clusters = {
   c2 = { region = "melbourne", vcn = "10.2.0.0/16", pods = "10.202.0.0/16", services = "10.102.0.0/16", enabled = true }
 }
 
-kubernetes_version = "v1.28.2"
+kubernetes_version = "v1.32.1"
 
 cluster_type = "basic"
 

examples/istio-mc/variables.tf

@@ -61,7 +61,7 @@ variable "clusters" {
 }
 
 variable "kubernetes_version" {
-  default     = "v1.30.1"
+  default     = "v1.32.1"
   description = "The version of Kubernetes to use."
   type        = string
 }

examples/network/vars-network-subnets-create-cidr-ipv4-and-ipv6.tfvars

@@ -0,0 +1,12 @@
+# Copyright (c) 2017, 2023 Oracle Corporation and/or its affiliates.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl
+
+subnets = {
+  bastion  = { cidr = "10.0.0.0/29", ipv6_cidr = "8, 0" }
+  operator = { cidr = "10.0.0.64/29", ipv6_cidr = "8, 1" }
+  cp       = { cidr = "10.0.0.8/29", ipv6_cidr = "8, 2" }
+  int_lb   = { cidr = "10.0.0.32/27", ipv6_cidr = "8, 3" }
+  pub_lb   = { cidr = "10.0.128.0/27", ipv6_cidr = "8, 4" }
+  workers  = { cidr = "10.0.144.0/20", ipv6_cidr = "2603:c020:8010:f002::/64" }
+  pods     = { cidr = "10.0.64.0/18", ipv6_cidr = "2603:c020:8010:f003::/64" }
+}

examples/network/vars-network.auto.tfvars

@@ -74,7 +74,8 @@ drg_display_name = "drg"
 drg_id           = null
 
 # Routing
-ig_route_table_id = null # Optional ID of existing internet gateway route table
+ig_route_table_id   = null # Optional ID of existing internet gateway route table
+internet_gateway_id = null # Optional ID of existing internet gateway
 internet_gateway_route_rules = [
   #   {
   #     destination       = "192.168.0.0/16" # Route Rule Destination CIDR
@@ -84,6 +85,9 @@ internet_gateway_route_rules = [
   #   },
 ]
 
+igw_ngw_mixed_route_id = null # Optional ID of existing mixed route table NAT GW for IPv4 and Internet GW for IPv6
+
+nat_gateway_id           = null # Optional ID of existing NAT gateway
 nat_gateway_public_ip_id = "none"
 nat_route_table_id       = null # Optional ID of existing NAT gateway route table
 nat_gateway_route_rules = [

examples/rms/oke-cluster-only/variables-cluster.tf

@@ -25,7 +25,7 @@ variable "services_cidr" {
   default = "10.96.0.0/16"
   type    = string
 }
-variable "kubernetes_version" { default = "v1.26.2" }
+variable "kubernetes_version" { default = "v1.32.1" }
 
 variable "cluster_kms_vault_id" {
   default = null

examples/rms/oke-workers-only/variables.tf

@@ -32,7 +32,7 @@ variable "cluster_id" {
 }
 variable "cni_type" { default = "Flannel" }
 variable "kubernetes_version" {
-  default = "v1.26.2"
+  default = "v1.32.1"
   type    = string
 }
 

examples/workers/vars-workers-instance.auto.tfvars

@@ -18,6 +18,6 @@ worker_pools = {
     description = "Self-managed Instance With Bursting",
     mode        = "instance",
     size        = 1,
-    burst       = "BASELINE_1_8",   # Valid values BASELINE_1_8,BASELINE_1_2
+    burst       = "BASELINE_1_8", # Valid values BASELINE_1_8,BASELINE_1_2
   },
 }

examples/workers/vars-workers-instancepool.auto.tfvars

@@ -18,19 +18,19 @@ worker_pools = {
     description = "Self-managed Instance Pool With Bursting",
     mode        = "instance-pool",
     size        = 1,
-    burst       = "BASELINE_1_8",   # Valid values BASELINE_1_8,BASELINE_1_2
+    burst       = "BASELINE_1_8", # Valid values BASELINE_1_8,BASELINE_1_2
   },
   oke-vm-instance-pool-with-block-volume = {
-    description = "Self-managed Instance Pool with block volume",
-    mode        = "instance-pool",
-    size        = 1,
-    disable_block_volume = false,
+    description              = "Self-managed Instance Pool with block volume",
+    mode                     = "instance-pool",
+    size                     = 1,
+    disable_block_volume     = false,
     block_volume_size_in_gbs = 60,
   },
   oke-vm-instance-pool-without-block-volume = {
-    description = "Self-managed Instance Pool without block volume",
-    mode        = "instance-pool",
-    size        = 1,
+    description          = "Self-managed Instance Pool without block volume",
+    mode                 = "instance-pool",
+    size                 = 1,
     disable_block_volume = true,
   },
 }

module-cluster.tf

@@ -60,6 +60,7 @@ module "cluster" {
   vcn_id                            = local.vcn_id
   cni_type                          = var.cni_type
   control_plane_is_public           = var.control_plane_is_public
+  enable_ipv6                       = var.enable_ipv6
   assign_public_ip_to_control_plane = var.assign_public_ip_to_control_plane
   control_plane_nsg_ids             = compact(flatten([var.control_plane_nsg_ids, try(module.network.control_plane_nsg_id, null)]))
   control_plane_subnet_id           = try(module.network.control_plane_subnet_id, "") # safe destroy; validated in submodule
@@ -70,6 +71,7 @@ module "cluster" {
     : try(module.network.int_lb_subnet_id, "")
   )
 
+
   # Cluster
   cluster_kms_key_id = var.cluster_kms_key_id
   cluster_name       = local.cluster_name