K8s IaC (#204)

* ConfigManagement for k8s IaC
* Workload Principles for Image Push
* k8s image push using buildkit

Author: gotsysdba

.github/workflows/pytest.yml

@@ -50,7 +50,6 @@ jobs:
         run: |
           cd src/
           python -m pip install --upgrade pip wheel setuptools
-          pip install torch==2.7.0+cpu -f https://download.pytorch.org/whl/cpu/torch
           pip install -e ".[all-test]"
 
       - name: Run All Tests

.gitignore

@@ -46,8 +46,8 @@ __pycache__/
 **/.terraform*
 **/terraform.tfstate*
 **/*.pem
-opentofu/**/generated/*.*
-opentofu/**/generated/kubeconfig
+opentofu/**/stage/*.*
+opentofu/**/stage/kubeconfig
 
 ##############################################################################
 # Helm

helm/charts/server/templates/deployment.yaml

@@ -52,10 +52,10 @@ spec:
             httpGet:
               path: {{ include "getPath" . }}v1/liveness
               port: server-port
-            initialDelaySeconds: 15
+            initialDelaySeconds: 30
             periodSeconds: 30
-            timeoutSeconds: 15
-            failureThreshold: 6
+            timeoutSeconds: 30
+            failureThreshold: 10
           readinessProbe:
             httpGet:
               path: {{ include "getPath" . }}v1/readiness

opentofu/README.md

@@ -1 +1,8 @@
-zip -r ai-optimizer-stack.zip . -x "terraform*" ".terraform*" "*/terraform*" "*/.terraform*" "generated/*.*"
+# Packaging Stack
+
+The IaC is packaged and attached to each release using GitHub Actions.  Below is the manual procedure:
+
+1. Zip the Iac with Archives
+    ```bash
+    zip -r ai-optimizer-stack.zip . -x "terraform*" ".terraform*" "*/terraform*" "*/.terraform*" "generated/*.*"
+    ```

opentofu/cfgmgt/apply.py

@@ -0,0 +1,135 @@
+"""
+Copyright (c) 2025, Oracle and/or its affiliates.
+Licensed under the Universal Permissive License v1.0 as shown at http://oss.oracle.com/licenses/upl.
+"""
+# spell-checker:ignore kubeconfig
+
+import subprocess
+import argparse
+import os
+import sys
+import time
+
+# --- Constants ---
+HELM_NAME = "ai-optimizer"
+HELM_REPO = "https://oracle-samples.github.io/ai-optimizer/helm"
+STAGE_PATH = os.path.join(os.path.dirname(__file__), "stage")
+os.environ["KUBECONFIG"] = os.path.join(STAGE_PATH, "kubeconfig")
+
+
+# --- Utility Functions ---
+def run_cmd(cmd, capture_output=True):
+    """Generic subprocess execution"""
+    try:
+        result = subprocess.run(
+            cmd,
+            stdout=subprocess.PIPE if capture_output else None,
+            stderr=subprocess.PIPE if capture_output else None,
+            text=True,
+            check=False,
+        )
+        stdout = result.stdout.strip() if result.stdout else ""
+        stderr = result.stderr.strip() if result.stderr else ""
+        return stdout, stderr, result.returncode
+    except subprocess.SubprocessError as e:
+        return "", str(e), 1
+
+
+def retry(func, retries=3, delay=10):
+    """Retry a function with given arguments on failure."""
+    for attempt in range(1, retries + 1):
+        print(f"🔁 Attempt {attempt}/{retries}")
+        if func():
+            return True
+        if attempt < retries:
+            print(f"⏳ Retrying in {delay} seconds...")
+            time.sleep(delay)
+    print("🚨 Maximum retries reached. Exiting.")
+    sys.exit(1)
+
+
+# --- Core Functionalities ---
+def helm_repo_add_if_missing():
+    """Add/Update Helm Repo"""
+    print(f"➕ Adding Helm repo '{HELM_NAME}'...")
+    _, stderr, rc = run_cmd(["helm", "repo", "add", HELM_NAME, HELM_REPO], capture_output=False)
+    if rc != 0:
+        print(f"❌ Failed to add repo:\n{stderr}")
+        sys.exit(1)
+
+    print("⬆️ Checking for Helm updates...")
+    _, stderr, rc = run_cmd(["helm", "repo", "update"], capture_output=False)
+    if rc != 0:
+        print(f"❌ Failed to update repos:\n{stderr}")
+        sys.exit(1)
+    print(f"✅ Repo '{HELM_NAME}' added and updated.\n")
+
+
+def apply_helm_chart_inner(release_name, namespace):
+    """Apply Helm Chart"""
+    values_path = os.path.join(STAGE_PATH, "helm-values.yaml")
+    if not os.path.isfile(values_path):
+        print(f"⚠️ Values file not found: {values_path}")
+        return False
+
+    helm_repo_add_if_missing()
+
+    cmd = [
+        "helm",
+        "upgrade",
+        "--install",
+        release_name,
+        f"{HELM_NAME}/{HELM_NAME}",
+        "--namespace",
+        namespace,
+        "--values",
+        values_path,
+    ]
+
+    print(f"🚀 Applying Helm chart '{HELM_NAME}' to namespace '{namespace}'...")
+    stdout, stderr, rc = run_cmd(cmd)
+    if rc == 0:
+        print("✅ Helm chart applied:")
+        print(f"Apply Helm Chart: {stdout}")
+        return True
+    else:
+        print(f"❌ Failed to apply Helm chart:\n{stderr}")
+        return False
+
+
+def apply_helm_chart(release_name, namespace):
+    """Retry Enabled Add/Update Helm Chart"""
+    retry(lambda: apply_helm_chart_inner(release_name, namespace))
+
+
+def apply_manifest_inner():
+    """Apply Manifest"""
+    manifest_path = os.path.join(STAGE_PATH, "k8s-manifest.yaml")
+    if not os.path.isfile(manifest_path):
+        print(f"⚠️ Manifest not found: {manifest_path}")
+        return False
+
+    print("🚀 Applying Kubernetes manifest: k8s-manifest.yaml")
+    _, stderr, rc = run_cmd(["kubectl", "apply", "-f", manifest_path], capture_output=False)
+    if rc == 0:
+        print("✅ Manifest applied.\n")
+        return True
+    else:
+        print(f"❌ Failed to apply manifest:\n{stderr}")
+        return False
+
+
+def apply_manifest():
+    """Retry Enabled Add/Update Manifest"""
+    retry(apply_manifest_inner)
+
+
+# --- Entry Point ---
+if __name__ == "__main__":
+    parser = argparse.ArgumentParser(description="Apply a Helm chart and a Kubernetes manifest.")
+    parser.add_argument("release_name", help="Helm release name")
+    parser.add_argument("namespace", help="Kubernetes namespace")
+    args = parser.parse_args()
+
+    apply_manifest()
+    apply_helm_chart(args.release_name, args.namespace)

opentofu/generated/.gitkeep renamed to opentofu/cfgmgt/stage/.gitkeep

@@ -0,0 +1,74 @@
+# Copyright (c) 2024, 2025, Oracle and/or its affiliates.
+# All rights reserved. The Universal Permissive License (UPL), Version 1.0 as shown at http://oss.oracle.com/licenses/upl
+# spell-checker: disable
+
+locals {
+  helm_values = templatefile("${path.module}/templates/helm_values.yaml", {
+    label                    = var.label_prefix
+    repository_server        = local.repository_server
+    repository_client        = local.repository_client
+    oci_tenancy              = var.tenancy_id
+    oci_region               = var.region
+    adb_ocid                 = var.adb_id
+    adb_name                 = lower(var.adb_name)
+    k8s_node_pool_gpu_deploy = var.k8s_node_pool_gpu_deploy
+    lb_ip                    = var.lb.ip_address_details[0].ip_address
+  })
+
+  k8s_manifest = templatefile("${path.module}/templates/k8s_manifest.yaml", {
+    label             = var.label_prefix
+    repository_host   = local.repository_host
+    repository_server = local.repository_server
+    repository_client = local.repository_client
+    compartment_ocid  = var.lb.compartment_id
+    lb_ocid           = var.lb.id
+    lb_subnet_ocid    = var.public_subnet_id
+    lb_ip_ocid        = var.lb.ip_address_details[0].ip_address
+    lb_nsgs           = var.lb_nsg_id
+    lb_min_shape      = var.lb.shape_details[0].minimum_bandwidth_in_mbps
+    lb_max_shape      = var.lb.shape_details[0].maximum_bandwidth_in_mbps
+    adb_name          = lower(var.adb_name)
+    adb_password      = var.adb_password
+    adb_service       = format("%s_TP", var.adb_name)
+    api_key           = random_string.api_key.result
+  })
+}
+
+resource "local_sensitive_file" "kubeconfig" {
+  content         = data.oci_containerengine_cluster_kube_config.default_cluster_kube_config.content
+  filename        = "${path.root}/cfgmgt/stage/kubeconfig"
+  file_permission = 0600
+}
+
+resource "local_sensitive_file" "helm_values" {
+  content         = local.helm_values
+  filename        = "${path.root}/cfgmgt/stage/helm-values.yaml"
+  file_permission = 0600
+}
+
+resource "local_sensitive_file" "k8s_manifest" {
+  content         = local.k8s_manifest
+  filename        = "${path.root}/cfgmgt/stage/k8s-manifest.yaml"
+  file_permission = 0600
+}
+
+resource "null_resource" "apply" {
+  triggers = {
+    always_run = "${timestamp()}"
+  }
+  provisioner "local-exec" {
+    command = <<EOT
+      python3 ${path.root}/cfgmgt/apply.py ${var.label_prefix} ${var.label_prefix}
+    EOT
+  }
+  depends_on = [
+    local_sensitive_file.kubeconfig,
+    local_sensitive_file.helm_values,
+    local_sensitive_file.k8s_manifest,
+    oci_containerengine_node_pool.default_node_pool_details,
+    oci_containerengine_node_pool.gpu_node_pool_details,
+    oci_containerengine_addon.oraoper_addon,
+    oci_containerengine_addon.certmgr_addon,
+    oci_containerengine_addon.ingress_addon
+  ]
+}

opentofu/modules/kubernetes/cfgmgt.tf

@@ -17,10 +17,9 @@ resource "oci_identity_policy" "workers_policies" {
   name           = format("%s-workers-policy", var.label_prefix)
   description    = format("%s - K8s Workers", var.label_prefix)
   statements = [
+    # Workload Principles specific to oracle-database-operator-system Namespace
     format("allow any-user to manage autonomous-database-family in compartment id %s where all {request.principal.type = 'workload', request.principal.namespace = 'oracle-database-operator-system', request.principal.service_account = 'default', request.principal.cluster_id = '%s'}", var.compartment_id, oci_containerengine_cluster.default_cluster.id),
-    format("allow any-user to read objectstorage-namespaces in compartment id %s where all {request.principal.type = 'workload', request.principal.service_account = 'default', request.principal.cluster_id = '%s'}", var.compartment_id, oci_containerengine_cluster.default_cluster.id),
-    format("allow any-user to inspect buckets in compartment id %s where all {request.principal.type = 'workload', request.principal.service_account = 'default', request.principal.cluster_id = '%s'}", var.compartment_id, oci_containerengine_cluster.default_cluster.id),
-    format("allow any-user to read objects in compartment id %s where all {request.principal.type = 'workload', request.principal.service_account = 'default', request.principal.cluster_id = '%s'}", var.compartment_id, oci_containerengine_cluster.default_cluster.id),
+    # Workload Principles specific to native-ingress-controller-system Namespace
     format("allow any-user to manage load-balancers in compartment id %s where all {request.principal.type = 'workload', request.principal.namespace = 'native-ingress-controller-system', request.principal.service_account = 'oci-native-ingress-controller', request.principal.cluster_id = '%s'}", var.compartment_id, oci_containerengine_cluster.default_cluster.id),
     format("allow any-user to use virtual-network-family in compartment id %s where all {request.principal.type = 'workload', request.principal.namespace = 'native-ingress-controller-system', request.principal.service_account = 'oci-native-ingress-controller', request.principal.cluster_id = '%s'}", var.compartment_id, oci_containerengine_cluster.default_cluster.id),
     format("allow any-user to manage cabundles in compartment id %s where all {request.principal.type = 'workload', request.principal.namespace = 'native-ingress-controller-system', request.principal.service_account = 'oci-native-ingress-controller', request.principal.cluster_id = '%s'}", var.compartment_id, oci_containerengine_cluster.default_cluster.id),
@@ -37,6 +36,12 @@ resource "oci_identity_policy" "workers_policies" {
     format("allow any-user to manage waf-family in compartment id %s where all {request.principal.type = 'workload', request.principal.namespace = 'native-ingress-controller-system', request.principal.service_account = 'oci-native-ingress-controller', request.principal.cluster_id = '%s'}", var.compartment_id, oci_containerengine_cluster.default_cluster.id),
     format("allow any-user to read cluster-family in compartment id %s where all {request.principal.type = 'workload', request.principal.namespace = 'native-ingress-controller-system', request.principal.service_account = 'oci-native-ingress-controller', request.principal.cluster_id = '%s'}", var.compartment_id, oci_containerengine_cluster.default_cluster.id),
     format("allow any-user to use tag-namespaces in compartment id %s where all {request.principal.type = 'workload', request.principal.namespace = 'native-ingress-controller-system', request.principal.service_account = 'oci-native-ingress-controller', request.principal.cluster_id = '%s'}", var.compartment_id, oci_containerengine_cluster.default_cluster.id),
+    # Workload Principles specific to Custom Namespace
+    format("allow any-user to read objectstorage-namespaces in compartment id %s where all {request.principal.type = 'workload', request.principal.namespace = '%s', request.principal.cluster_id = '%s'}", var.compartment_id, var.label_prefix, oci_containerengine_cluster.default_cluster.id),
+    format("allow any-user to inspect buckets in compartment id %s where all {request.principal.type = 'workload', request.principal.namespace = '%s', request.principal.cluster_id = '%s'}", var.compartment_id, var.label_prefix, oci_containerengine_cluster.default_cluster.id),
+    format("allow any-user to read objects in compartment id %s where all {request.principal.type = 'workload', request.principal.namespace = '%s', request.principal.cluster_id = '%s'}", var.compartment_id, var.label_prefix, oci_containerengine_cluster.default_cluster.id),
+    format("allow any-user to manage repos in compartment id %s where all {request.principal.type = 'workload', request.principal.namespace = '%s', request.principal.cluster_id = '%s'}", var.compartment_id, var.label_prefix, oci_containerengine_cluster.default_cluster.id),
+    # Instance Principles
     format("allow dynamic-group %s to use generative-ai-family in compartment id %s", oci_identity_dynamic_group.workers_dynamic_group.name, var.compartment_id),
     format("allow dynamic-group %s to manage repos in compartment id %s", oci_identity_dynamic_group.workers_dynamic_group.name, var.compartment_id),
   ]

opentofu/modules/kubernetes/iam.tf

@@ -11,36 +11,10 @@ locals {
     local.region_map,
     var.region
   )
-
-  server_repository = lower(format("%s.ocir.io/%s/%s", local.image_region, data.oci_objectstorage_namespace.objectstorage_namespace.namespace, oci_artifacts_container_repository.server_repository.display_name))
-  client_repository = lower(format("%s.ocir.io/%s/%s", local.image_region, data.oci_objectstorage_namespace.objectstorage_namespace.namespace, oci_artifacts_container_repository.client_repository.display_name))
+  repository_host   = lower(format("%s.ocir.io", local.image_region))
+  repository_server = lower(format("%s/%s/%s", local.repository_host, data.oci_objectstorage_namespace.objectstorage_namespace.namespace, oci_artifacts_container_repository.repository_server.display_name))
+  repository_client = lower(format("%s/%s/%s", local.repository_host, data.oci_objectstorage_namespace.objectstorage_namespace.namespace, oci_artifacts_container_repository.repository_client.display_name))
   k8s_cluster_name  = format("%s-k8s", var.label_prefix)
-  helm_values = templatefile("${path.module}/templates/helm_values.yaml", {
-    label                    = var.label_prefix
-    server_repository        = local.server_repository
-    client_repository        = local.client_repository
-    oci_tenancy              = var.tenancy_id
-    oci_region               = var.region
-    adb_ocid                 = var.adb_id
-    adb_name                 = lower(var.adb_name)
-    k8s_node_pool_gpu_deploy = var.k8s_node_pool_gpu_deploy
-    lb_ip                    = var.lb.ip_address_details[0].ip_address
-  })
-
-  k8s_manifest = templatefile("${path.module}/templates/k8s_manifest.yaml", {
-    label            = var.label_prefix
-    compartment_ocid = var.lb.compartment_id
-    lb_ocid          = var.lb.id
-    lb_subnet_ocid   = var.public_subnet_id
-    lb_ip_ocid       = var.lb.ip_address_details[0].ip_address
-    lb_nsgs          = var.lb_nsg_id
-    lb_min_shape     = var.lb.shape_details[0].minimum_bandwidth_in_mbps
-    lb_max_shape     = var.lb.shape_details[0].maximum_bandwidth_in_mbps
-    adb_name         = lower(var.adb_name)
-    adb_password     = var.adb_password
-    adb_service      = format("%s_TP", var.adb_name)
-    api_key          = random_string.api_key.result
-  })
 
   oke_worker_images = try({
     for k, v in data.oci_containerengine_node_pool_option.images.sources : v.image_id => merge(

opentofu/modules/kubernetes/locals.tf

@@ -9,38 +9,20 @@ resource "random_string" "api_key" {
 }
 
 // oci_artifacts_container_repository
-resource "oci_artifacts_container_repository" "server_repository" {
+resource "oci_artifacts_container_repository" "repository_server" {
   compartment_id = var.compartment_id
   display_name   = lower(format("%s/server", var.label_prefix))
   is_immutable   = false
   is_public      = false
 }
 
-resource "oci_artifacts_container_repository" "client_repository" {
+resource "oci_artifacts_container_repository" "repository_client" {
   compartment_id = var.compartment_id
   display_name   = lower(format("%s/client", var.label_prefix))
   is_immutable   = false
   is_public      = false
 }
 
-resource "local_sensitive_file" "kubeconfig" {
-  content         = data.oci_containerengine_cluster_kube_config.default_cluster_kube_config.content
-  filename        = "${path.root}/generated/kubeconfig"
-  file_permission = 0600
-}
-
-resource "local_sensitive_file" "helm_values" {
-  content         = local.helm_values
-  filename        = "${path.root}/generated/${var.label_prefix}-values.yaml"
-  file_permission = 0600
-}
-
-resource "local_sensitive_file" "k8s_manifest" {
-  content         = local.k8s_manifest
-  filename        = "${path.root}/generated/${var.label_prefix}-manifest.yaml"
-  file_permission = 0600
-}
-
 // Cluster
 resource "oci_containerengine_cluster" "default_cluster" {
   compartment_id     = var.compartment_id