All notable changes to this project are documented in this file.
The format is based on Keep a Changelog.
-
feat: Support existing VCN in other compartment by @chrisbulgaria in #564
-
fix: Add missing NSG rules for VCN-Native Pod Networking by @devoncrouse in #563
-
fix: error referencing pod nsgs by @hyder in #567
-
fix: added lifecycle meta-argument on default security list by @hyder in #565
-
fix: handle pod nsg id/ids issue by @hyder in #570
-
feat: Added option to specify ADs in node pools by @12345ieee in #520
-
feat: added tagging using defined tags #560 by @valireds in #562
-
fix: Check for existing element in freeform and defined tags by @hyder in #574
-
fix: handle placement_ads for 1 AD regions. by @hyder in #581
-
create_policies variable to turn off any potential policy creation tempt (#325) by @slmjy in #442
-
fix: cloudinit changes to allow user to pass custom script by @karthicgit in #502
-
Optional VCN by @nlamirault in #467
-
fix: remove freeform tags iam.tf by @karthicgit in #523
-
feat: upgraded default Kubernetes version to v1.23.4 by @hyder in #526
-
feat: renamed kms_key_id to cluster_kms_key_id to avoid confusion. by @hyder in #487
-
feat: Added fss storage module. by @karthicgit in #491
-
fix: Added additional rule to workers nsg to allow ssh by @hyder in #498
-
removed null resource for localkubeconfig and helm by @karthicgit in #500
-
feat: upgrade VCN module to 3.4.0 by @snafuz in #486
-
changed provider to oracle/oci by @hyder in #506
-
feat: added OPA Gatekeeper by @karthicgit in #439
-
updated the operator version to 3.0.1 from 3.0.0 to disable OSMS by @KSN2510 in #444
-
feat: added support for new OCI regions: Milan, Stockholm, Abu Dhabi and Vinhedo by @snafuz in #441
-
feat: upgraded olcne package so we can have latest version of kubectl by @hyder in #446
-
others: added example for automated Verrazzano installation. Closes #435 by @hyder in https://github.com/oracle-terraform-modules/terraform-oci-oke/pull/437/files
-
feat: enhancements to token_helper for kubectl. Closes #429 by @hyder in #432
-
fix: Created bin directory in /home/opc before moving token_helper script there. by @hyder in #437
-
Set minimum version to Terraform 1.0.0
-
Removed base module and use vcn, bastion and operator modules directly
-
Renamed and standardized all control variables
-
Removed deprecated template provider dependencies
-
Made bastion and operator modules conditional
-
Removed identity parameters in between modules to improve reusability
-
Renamed okenetwork submodule to network
-
Created a new submodule (extensions) and moved all scripts and extra things there
-
Moved dynamic group and policy for kms into oke module
-
Added a 30s delay between policy creation for kms and cluster creation to allow for global propagation
-
Added a home provider in oke module for dynamic group and policy creation
-
Changed from security list to NSGs for better flexibility and security (#398)
-
Changed default Kubernetes version to v1.20.11 and removed v1.16.8, v1.17.9 from docs.
-
Added support for GPU and ARM shapes (#302)
-
VCN module upgraded to VCN 3.0.0. This allows supporting multiple cidr blocks (#360)
-
Bastion and operator sub-modules upgraded to 3.0.0 (#183)
-
kubeconfig on operator always uses PRIVATE_ENDPOINT (#358)
-
Documented providers in quickstart (#355)
-
Renamed tags to freeform_tags in line with other modules (#364)
-
Added validation on some variables (#370)
-
Added OCI Bastion Service as option to access operator or control plane
-
Added support for reserved public IP address for NAT gateway (#311)
-
Added LPGs for hub and spoke deployment model (#295)
-
Allow access to operator via OCI Bastion service (#352)
-
Added support for using NSGs for cluster endpoint (#343)
-
Added option to disable worker node access to Internet. Users can only pull images from OCIR (#331)
-
Added ability to specify api and private ssh keys using heredoc format with a variable (#375)
-
Added home region to update dynamic group script for cases when actual region is different from tenancy home region (#347)
-
Added 1 missing rule for operator to access control plane (#349)
-
Added security list for OCI Bastion service to access the control plane (#408)
-
Updated topology diagrams to show correct traffic flow (#412)
-
Changed bastion type to STANDARD to avoid destruction (#409)
-
Support for using reserved public IP address for NAT Gateway (#311) with new parameter nat_gateway_public_ip_id
-
Support for GPU and ARM Shapes (#302 )
-
Conditional checks for WAF CIDR block data source
-
Added faster kubectl script (Thanks @joelezell-conga, @rgmccaw, Richard Exley)
-
Added support for VCN native endpoint for Kubernetes
-
Added a subnet for control plane (#270)
-
Added 2 parameters (cluster_access and cluster_source) to control access to Kubernetes API endpoint (#270)
-
-
Added support for initial node labels (#265)
-
Node labels can now be specified in node pools
-
-
Added support for enforcing use of signed images from registry (#274)
-
Added ability to specify node_pool_os_version (#281)
-
Added cluster_id and nodepool_ids for improved reusability (Thanks @yasn77)
-
Updated permissions required in documentation (#292)
-
Made node pool image updatable (#286)
-
Changed deprecated map function (#283)
-
Changed base module version to 2.2.1. This allows controlling the state of the bastion (RUNNING or STOPPED), choosing between Oracle Linux 7.X or 8 for the operator host as well as supporting custom route rules on the NAT gateway route table (#279). Custom route rules will make hybrid deployment easier to manage.
-
Reworked the subnet boundaries for bastion and operator hosts (#270)
-
Updated and simplified OKE security lists to support VCN native endpoints (#270)
-
All port numbers and stateless are now in integer and boolean formats respectively (#270)
-
Updated default Kubernetes version to v 1.19.7
-
Updated documentation and topology diagrams
-
Fixed incorrect namespace issue when creating secret for OCIR (#267)
-
Narrow permissions for kubeconfig file
-
Added documentation for using flexible load balancer (#256)
-
Added ability to specify node_pool_os_version (#266)
-
Added egress as bugfix for issue #261
-
Allowed traffic from VCN to reach internal load balancer (#261) *Added ignore node pool image id to lifecycle_ignore change so the node pool is not destroyed
-
Added ability to specify node_pool_os_version (#266)
-
Used oci_containerengine_node_pool_option to look up images for node pool (#258)
-
Updated default kubernetes version to v1.19.7, fixed deprecated interpolation-only expressions
-
Updated description for tenancy id
-
Added support for Terraform 0.13 (#245 )
-
Added support for Flex shapes (#216)
-
Added support for custom boot volume size for node pool (#202)
-
Added support for custom memory for node pool (#234)
-
Added support for Cardiff (#230), Dubai (#220), San Jose (#219), and Santiago (#219) regions
-
Added dynamically generated suffix to dynamic group name to prevent dynamic group creation from failing (#231)
-
Added support for Vertical Pod Autoscaling (#254)
-
Allowed secret name for OCIR to be configurable (#218)
-
Changes in terraform.tfvars.example file to reflect added support for custom boot volume size and memory
-
OSMS disabled on operator to enable helm installation from yum olcne repo (#224)
-
Updated IAM requirements documentation (#108)
-
Upgrade base module to 2.0.0 (#252)
-
Updated default Kubernetes module to 1.18.10
-
Updated and simplified Calico installation (#253)
-
Unable to install kube in operator (#197)
-
node_pool_image_id value should be "none" in case no custom image is used. In previous versions, this was in upper case (#207)
-
Missing security rule when workers are in public mode (#183)
-
Updated docs for terraform options and for resetting nodepool_drain (#190)
-
Upgraded base module to 1.3.0 (#191)
-
Removed nat_gateway_enabled variable. Determination of whether the NAT gateway is needed is now done automatically (#192)
-
Removed "LATEST" from acceptable values for kubernetes_version so that upgrade can be performed (#193)
-
Internal load balancer subnet uses wrong routing table (#194)
-
Added option to enable admission controllers and PodSecurityPolicy (#150)
-
Added ability to upgrade OKE cluster and worker nodes using out-of-place method (#178)
-
Changed node pools specification from list to map so the specific node pool is deleted when removed from the variable (#179)
-
Made minimum worker node pool to 1 to allow experimentation on free tier ( #180 )
-
Made label_prefix optional (#181)
-
Added trigger for check_worker_node_active (#182)
-
Removed disable_auto_retries in quick start guide (#185)
-
Upgraded base module to 1.2.2 (#165)
-
Renamed all admin to operators
-
Standardized features with _enabled
-
Improved tagging
-
Use OCI Secret in Vault to retrieve Auth Token for creating Kubernetes secret for OCIR. This allows reuse of existing Auth Tokens (#153)
-
Added Montreal as supported region (#160)
-
Fixed issue with admin host ordering of oci-cli installation, instance_principal creation and kubeconfig generation (#143)
-
Upgraded base module to 1.1.3 to be able to detect when admin instance_principal is ready
-
Removed unnecessary token variable version and expiration
-
removed provider.tf so module can be used from hashicorp registry, added instructions for using this repo and hashicorp module (#130)
-
fixed incorrect part about bastion host and tools in topology (#141)
-
upgraded default helm version on admin host to 3.1.1 (#134)
-
fixed broken links in README.md (#132)
-
updated documentation in topology to use netnum instead of previous variable name
-
base module now points to the published base module on hashicorp registry
-
updated descriptions in variables, outputs and formatting to publish to hashicorp registry
-
added readme in markdown to publish to hashicorp registry
-
removed unused kms variables and module
-
updated documentation to indicated required values
-
Install latest version of kubectl into admin host (#119)
-
Added OCIR support for new regions (#122)
-
Changed nodepools image specs from node_image_id to node_source_details (#124)
-
Base module now pointing directly to https://github.com/oracle-terraform-modules/terraform-oci-base v1.1.0
-
Local copy of base module removed
-
Disabled Kubernetes dashboard by default (#117)
-
fixed issue with compartment id when using KMS #112
-
added ServiceAccount for CI/CD #113
-
Use compartment id instead of compartment name for policies #86
-
Updated available list of Kubernetes versions in Terraform options #90
-
Added admin host for operations instead of using the bastion server. This is required because of changing to kubeconfig v2 #91
-
Installed Python3, oci-cli on admin host. oci-cli will require Python3 after January 2020 #91
-
Switched all operations from bastion to admin host #91
-
Switched from kubeconfig v1 to v2, generated by oci-cli instead of uploading #98
-
Helm upgraded to version 3.0.0 #100
-
incubator and jetstack helm repos removed as they can now be searched from helm hub #100
-
tiller disabled and option to enable it is removed #100
-
Fixed bug for empty tuple in data.oci_core_images.oracle_images when use_autonomous=true #103
-
Set minimum version of Terraform to 0.12.16
-
Helm upgraded to version 3.0.0 #100
-
incubator and jetstack helm repos removed as they can now be searched from helm hub #100
-
tiller disabled and option to enable it is removed #100
-
Fixed bug for empty tuple in data.oci_core_images.oracle_images when use_autonomous=true #103
-
Set minimum version of Terraform to 0.12.16
-
Added admin host for operations instead of using the bastion server #91
-
Installed Python3, oci-cli #91
-
Switched from kubeconfig v1 to v2, generated by oci-cli instead of uploading #98
-
Switched all operations from bastion to admin host #91
-
Use compartment id instead of compartment name for policies #86
-
Updated available list of Kubernetes versions in Terraform options #90
-
Added integration with OCI KMS for encrypting K8s secrets
-
Added outputs for instance_principal dynamic group, enabled update_dynamic_group.sh
-
Updated documentation for KMS
-
New module for KMS usage policies
-
Networking
-
Worker and load balancer subnets now use regional subnets
-
Simplified network topology for both multi and single AD regions
-
-
Bastion
-
Changed default bastion shape to the smaller (and cheaper) VM.Standard.E2.1
-
-
Worker nodes
-
Added ability to support mixed Kubernetes workloads by choosing different shapes for each node pool
-
-
In order to use private load balancers, the necessary oci load balancer annotations must be used.
-
Bastion
-
Added ability to restrict access to bastion host to a CIDR block
-
Bash aliases for kubectl (k) and helm (h)
-
Generated script (tesseract.sh) to ssh to the bastion **Optional addition and initialization of incubator and jetstack repos on the bastion
-
-
Networking
-
Separate and simplified security lists for public and private workers
-
Added private subnets for internal load balancers
-
Improved subnet defaults:
-
Avoid potential overlapping subnets when creating or scaling large clusters to maximum cluster size
-
Bastion: maximum of 5
-
Load Balancers: maximum of 29 per subnet
-
Worker subnets: maximum of 16380 IPv4 addresses per subnet
-
-
Ability to choose load balancer types (public or internal)
-
Improved load balancer selection algorithm. There’s no need to toggle the load balancer code for single AD regions anymore
-
Added ability to specify preferred AD pair for load balancers in 3*AD regions
-
Minimum of 3 worker nodes per subnet to ensure adequate number of fault domains in single AD regions
-
Service Gateway routing is now automatically added when service gateway is enabled. Worker nodes can now use the service gateway to access Object Storage, Streaming and other OCI Services without manual configuration of routing and security lists
-
-
Worker nodes
-
Added ability to specify image OCID or choose OS version for worker nodes
-
*Improved documentation
===Changes * Completed upgrade of Terraform code to 0.12 * Documentation uses asciidoc * instance_principal is now disabled by default on the bastion * helm upgraded to version 2.14.3