|
1 | | -# Using Private clusters |
| 1 | +# Using private clusters |
| 2 | + |
| 3 | +> Note: This section has to be used only if the CAPOCI manages the workload cluster VCN. If externally managed VCN is |
| 4 | +> used, this section is not applicable. |
| 5 | +
|
| 6 | +## Example Spec for private cluster |
| 7 | + |
| 8 | +CAPOCI supports private clusters where the Kubernetes API Server Endpoint is a private IP Address |
| 9 | +and is accessible only within the VCN or peered VCNs. In order to use private clusters, the control plane |
| 10 | +endpoint subnet has to be marked as private. An example spec is given below. |
| 11 | + |
| 12 | +```yaml |
| 13 | +apiVersion: infrastructure.cluster.x-k8s.io/v1beta1 |
| 14 | +kind: OCICluster |
| 15 | +metadata: |
| 16 | + labels: |
| 17 | + cluster.x-k8s.io/cluster-name: "${CLUSTER_NAME}" |
| 18 | + name: "${CLUSTER_NAME}" |
| 19 | +spec: |
| 20 | + compartmentId: "${OCI_COMPARTMENT_ID}" |
| 21 | + networkSpec: |
| 22 | + vcn: |
| 23 | + subnets: |
| 24 | + - cidr: 10.1.0.8/29 |
| 25 | + name: control-plane-endpoint |
| 26 | + role: control-plane-endpoint |
| 27 | + type: private |
| 28 | + - cidr: 10.1.0.0/29 |
| 29 | + name: control-plane |
| 30 | + role: control-plane |
| 31 | + type: private |
| 32 | + - cidr: 10.1.0.32/27 |
| 33 | + name: service-lb |
| 34 | + role: service-lb |
| 35 | + type: public |
| 36 | + - cidr: 10.1.64.0/20 |
| 37 | + name: worker |
| 38 | + role: worker |
| 39 | + type: private |
| 40 | +``` |
| 41 | +
|
| 42 | +## Example spec for VCN Peering using Dynamic Routing Gateway (Local) |
| 43 | +
|
| 44 | +While using private clusters, the management cluster needs to talk to the workload cluster. If the |
| 45 | +management cluster and workload cluster are in separate VCN, the VCN peering can be used to connect the management |
| 46 | +and workload cluster VCNS. CAPOCI supports peering of the workload cluster VCN with another VCN in the same region using |
| 47 | +[Dynamic Routing Gateway][drg]. |
| 48 | +
|
| 49 | +In case of local VCN peering, a DRG OCID has to be provided and CAPOCI will attach the workload cluster VCN to the |
| 50 | +provided DRG. The recommendation is to attach the management cluster VCN also to the same DRG so that the VCNs are |
| 51 | +peered to each other. For more details see [Local VCN Peering using Local Peering Gateways][drg-local]. |
| 52 | +
|
| 53 | +An example template for this `cluster-template-local-vcn-peering.yaml` can be found in the Assets section under the |
| 54 | + [CAPOCI release page][capi-latest-release]. |
| 55 | + |
| 56 | +In order to use the template, the following Cluster API parameters have to be set in addition to the common parameters |
| 57 | +explained in the [Workload Cluster Parameters table][common]. |
| 58 | + |
| 59 | +| Parameter | Default Value | Description | |
| 60 | +|-----------|---------------|-----------------------------------------------------------------| |
| 61 | +| `DRG_ID` | | OCID of the DRG to which the worklaod cluster will be attached. | |
| 62 | + |
| 63 | + |
| 64 | +## Example spec for VCN Peering using Dynamic Routing Gateway (Remote) |
| 65 | + |
| 66 | +If the management cluster and workload cluster are in different OCI regions, then DRG can still be used. In this case, |
| 67 | +in addition to VCN attachment, [Remote Peering Connection (RPC) ][drg-rpc] has to be used. |
| 68 | + |
| 69 | +In case of remote VCN peering, a DRG will be created by CAPOCI, and the workload cluster VCN will be attached to the |
| 70 | +DRG. In addition, a remote DRG has to be provided. CAPOCI will create RPC in the local and remote VCN and |
| 71 | +connection will be established between the RPCs. |
| 72 | + |
| 73 | +An example template for this `cluster-template-remote-vcn-peering.yaml` can be found in the Assets section under the |
| 74 | +[CAPOCI release page][capi-latest-release]. |
| 75 | + |
| 76 | +In order to use the template, the following Cluster API parameters have to be set in addition to the common parameters |
| 77 | +explained in the [Workload Cluster Parameters table][common]. Typically, the peer DRG refers to the DRG to |
| 78 | +which the management cluster VCN is attached. |
| 79 | + |
| 80 | +| Parameter | Default Value | Description | |
| 81 | +|--------------------|---------------|-------------------------------------------------------------| |
| 82 | +| `PEER_DRG_ID` | | OCID of the peer DRG to which the local DRG will be peered. | |
| 83 | +| `PEER_REGION_NAME` | | The region to which the peer DRG belongs. | |
| 84 | + |
| 85 | +[common]: ../gs/create-workload-cluster.md#workload-cluster-parameters |
| 86 | +[drg]: https://docs.oracle.com/en-us/iaas/Content/Network/Tasks/managingDRGs.htm |
| 87 | +[drg-local]: https://docs.oracle.com/en-us/iaas/Content/Network/Tasks/localVCNpeering.htm |
| 88 | +[drg-rpc]: https://docs.oracle.com/en-us/iaas/Content/Network/Tasks/scenario_e.htm |
| 89 | +[capi-latest-release]: https://github.com/oracle/cluster-api-provider-oci/releases/latest |
0 commit comments