feat: Added fss storage module. (#491)

* feat: Add FSS provisioning

* FSS Storage module added

* enable_fss changed to create_fss

* changed enable_fss to create_fss in main.tf

* added worker nsg for fss

* FSS nsg rules moved to network module

* formatting and removing create_fss variable

Co-authored-by: Karthic Ravindran <karthic.ravindran@oracle.com>

Author: hyder

docs/codingconventions.adoc

@@ -85,7 +85,7 @@ Links that are used multiple times must be defined in the header using the `:uri
 
 - Use `snake_case` when naming Terraform files, variables and resources
 - If you need a new .tf file for better clarity, use this naming scheme: `<resources_group>`: e.g. `subnets.tf`, `nsgs.tf`
-- If your variable is controlling a behaviour, use imperative style to name it: e.g. `create_internet_gateway`, `use_encryption`
+- If your variable is controlling a behaviour, use imperative style to name it: e.g. `create_internet_gateway`, `use_cluster_encryption`
 
 === Variable blocks
 

docs/configuration.adoc

@@ -259,7 +259,7 @@ create_bastion_host = true
 OKE Variables:-
 
 ----
-use_encryption = true
+use_cluster_encryption = true
 cluster_kms_key_id = <cluster_kms_key_id>
 use_node_pool_volume_encryption = true
 node_pool_volume_kms_key_id = <node_pool_volume_kms_key_id>

docs/dependencies.adoc

@@ -46,7 +46,7 @@ The following table documents the {uri-terraform-options}[Terraform Options] dep
 |Whether to create an authentication secret for OCIR
 |create_bastion_host = true, create_operator = true, enable_operator_instance_principal = true, secret_id = secret ocid
 
-|use_encryption
+|use_cluster_encryption
 |Uses OCI KMS to encrypt data in OKE's underlying etcd
 |create_bastion_host = true, create_operator = true, enable_operator_instance_principal = true
 

docs/instructions.adoc

@@ -24,6 +24,7 @@
 :uri-networks-subnets-cidr: https://erikberg.com/notes/networks.html
 :uri-oci: https://cloud.oracle.com/cloud-infrastructure
 :uri-oci-documentation: https://docs.cloud.oracle.com/iaas/Content/home.htm
+:uri-oci-fss-pvc: https://docs.oracle.com/en-us/iaas/Content/ContEng/Tasks/contengcreatingpersistentvolumeclaim.htm#Provisioning_Persistent_Volume_Claims_on_the_FileStorageService
 :uri-oci-instance-principal: https://docs.cloud.oracle.com/iaas/Content/Identity/Tasks/callingservicesfrominstances.htm
 :uri-oci-kms: https://docs.cloud.oracle.com/iaas/Content/KeyManagement/Concepts/keyoverview.htm
 :uri-oci-loadbalancer-annotations: https://github.com/oracle/oci-cloud-controller-manager/blob/master/docs/load-balancer-annotations.md
@@ -74,7 +75,7 @@ If you wish to use {uri-oci-kms}[OCI KMS] to encrypt Kubernetes secrets, the fol
 * link:#adding-the-bastion-host[bastion must be enabled]
 * link:#enabling-instance_principal-on-the-operator-host[operator instance_principal must be enabled]
 
-* use_encryption must be set to _true_
+* use_cluster_encryption must be set to _true_
 * cluster_kms_key_id must be provided
 
 If you wish to use {uri-oci-kms}[OCI KMS] to encrypt OKE nodepool boot/block volume, the following is required:
@@ -461,3 +462,22 @@ Review the following documentation and articles on creating load balancers of di
 * {uri-oci-load-balancers}[Specifying Alternative Load Balancer Shapes]
 
 * {uri-oci-oke-flexible-loadbalancers}[Creating flexible OCI Load Balancers with OKE]
+
+== Provisioning PVCs on the File Storage Service
+
+. Set `create_fss` to true in terraform.tfvars
+
++
+----
+create_fss = false
+----
+
++
+It will create the File Storage service instance on a separate subnet with the network security group configured.
+
++
+You can then review the following documentation for creating persistent volume claim and persistent volume using file storage
+
+* {uri-oci-fss-pvc}[Provisioning PV and PVC using FSS]
+
+CAUTION: Running terraform destroy will remove the filesystem storage created using terraform. Ensure you have taken the necessary backup if needed.

docs/terraformoptions.adoc

@@ -611,13 +611,13 @@ EOT
 |Values
 |Default
 
-|use_encryption
+|use_cluster_encryption
 |Whether to use {uri-oci-kms}[OCI KMS] to encrypt secrets.
 |true/false
 |false
 
 |cluster_kms_key_id
-|The id of the OCI KMS key to be used as the master encryption key for encrypting Kubernetes' etcd . *Required* if _use_encryption_ is set to *true*
+|The id of the OCI KMS key to be used as the master encryption key for encrypting Kubernetes' etcd . *Required* if _use_cluster_encryption_ is set to *true*
 |`ocid1.key.oc1....`
 |
 
@@ -712,6 +712,37 @@ node_pools = {
 
 |===
 
+== File Storage
+
+[stripes=odd,cols="1m,4d,2m,2m", options=header,width="100%"] 
+|===
+|Parameter
+|Description
+|Values
+|Default
+
+|create_fss
+|Whether to create File storage or not.
+|true/false
+|false
+
+|fss_mount_path
+|File storage mount path to be associated.
+|/oke_fss
+|/oke_fss
+
+|max_fs_stat_bytes
+|Maximum tbytes, fbytes, and abytes, values reported by NFS FSSTAT calls through any associated mount targets.
+|23843202333
+|23843202333
+
+|max_fs_stat_files
+|Maximum tfiles, ffiles, and afiles values reported by NFS FSSTAT.
+|223442
+|223442
+|===
+
+
 == Upgrade cluster
 
 [stripes=odd,cols="1m,4d,2m,2m", options=header,width="100%"] 

main.tf

@@ -191,6 +191,9 @@ module "network" {
   # waf integration
   enable_waf = var.enable_waf
 
+  # fss integration
+  create_fss = var.create_fss
+
   depends_on = [
     module.vcn
   ]
@@ -221,7 +224,7 @@ module "oke" {
   cluster_options_kubernetes_network_config_services_cidr = var.services_cidr
   cluster_subnets                                         = module.network.subnet_ids
   vcn_id                                                  = module.vcn.vcn_id
-  use_encryption                                          = var.use_encryption
+  use_cluster_encryption                                  = var.use_cluster_encryption
   cluster_kms_key_id                                      = var.cluster_kms_key_id
   use_signed_images                                       = var.use_signed_images
   image_signing_keys                                      = var.image_signing_keys
@@ -244,6 +247,7 @@ module "oke" {
   # worker nsgs
   worker_nsgs = concat(var.worker_nsgs, [module.network.worker_nsg_id])
 
+
   # freeform_tags
   freeform_tags = var.freeform_tags["oke"]
 
@@ -256,6 +260,35 @@ module "oke" {
   }
 }
 
+#fss
+module "storage" {
+  source = "./modules/storage"
+
+  # general oci parameters
+  tenancy_id          = var.tenancy_id
+  compartment_id      = var.compartment_id
+  availability_domain = var.availability_domains["fss"]
+  label_prefix        = var.label_prefix
+
+  # FSS network information
+  subnets      = var.subnets
+  vcn_id       = module.vcn.vcn_id
+  nat_route_id = module.vcn.nat_route_id
+
+  fss_mount_path = var.fss_mount_path
+
+  # Export set configuration
+  max_fs_stat_bytes = var.max_fs_stat_bytes
+  max_fs_stat_files = var.max_fs_stat_files
+
+  providers = {
+    oci.home = oci.home
+  }
+
+  count = var.create_fss == true ? 1 : 0
+
+}
+
 # extensions to oke
 module "extensions" {
   source = "./modules/extensions"
@@ -292,7 +325,7 @@ module "extensions" {
   # oke cluster parameters
   cluster_id                   = module.oke.cluster_id
   pods_cidr                    = var.pods_cidr
-  use_encryption               = var.use_encryption
+  use_cluster_encryption       = var.use_cluster_encryption
   cluster_kms_key_id           = var.cluster_kms_key_id
   cluster_kms_dynamic_group_id = module.oke.cluster_kms_dynamic_group_id
 

modules/extensions/iam.tf

@@ -18,7 +18,7 @@ resource "oci_identity_policy" "operator_instance_principal_dynamic_group" {
   description    = "policy to allow operator host to manage dynamic group"
   name           = var.label_prefix == "none" ? "operator-instance-principal-dynamic-group-${substr(uuid(), 0, 8)}" : "${var.label_prefix}-operator-instance-principal-dynamic-group-${substr(uuid(), 0, 8)}"
   statements     = ["Allow dynamic-group ${var.operator_dynamic_group} to use dynamic-groups in tenancy"]
-  count          = (var.use_encryption == true && var.create_bastion_host == true && var.enable_operator_instance_principal == true) ? 1 : 0
+  count          = (var.use_cluster_encryption == true && var.create_bastion_host == true && var.enable_operator_instance_principal == true) ? 1 : 0
 }
 
 # 30s delay to allow policies to take effect globally
@@ -57,5 +57,5 @@ resource "null_resource" "update_dynamic_group" {
     ]
   }
 
-  count = (var.use_encryption == true && var.create_bastion_host == true && var.bastion_state == "RUNNING" && var.enable_operator_instance_principal == true) ? 1 : 0
+  count = (var.use_cluster_encryption == true && var.create_bastion_host == true && var.bastion_state == "RUNNING" && var.enable_operator_instance_principal == true) ? 1 : 0
 }

modules/extensions/locals.tf

@@ -27,5 +27,5 @@ locals {
 
   post_provisioning_ops = var.create_bastion_host == true && var.bastion_state == "RUNNING" && var.create_operator == true && var.operator_state == "RUNNING" && var.enable_operator_instance_principal == true ? true : false
 
-  dynamic_group_rule_this_cluster = (var.use_encryption == true) ? "ALL {resource.type = 'cluster', resource.id = '${var.cluster_id}'}" : "null"
+  dynamic_group_rule_this_cluster = (var.use_cluster_encryption == true) ? "ALL {resource.type = 'cluster', resource.id = '${var.cluster_id}'}" : "null"
 }

modules/extensions/templates.tf

@@ -100,7 +100,7 @@ locals {
 
   update_dynamic_group_template = templatefile("${path.module}/scripts/update_dynamic_group.template.sh",
     {
-      dynamic_group_id   = var.use_encryption == true ? var.cluster_kms_dynamic_group_id : "null"
+      dynamic_group_id   = var.use_cluster_encryption == true ? var.cluster_kms_dynamic_group_id : "null"
       dynamic_group_rule = local.dynamic_group_rule_this_cluster
       home_region        = data.oci_identity_regions.home_region.regions[0].name
     }

modules/extensions/variables.tf

@@ -54,7 +54,7 @@ variable "cluster_id" {}
 variable "pods_cidr" {}
 
 # encryption
-variable "use_encryption" {
+variable "use_cluster_encryption" {
   type = bool
 }