This gist provides all the OCI CLI calls needed to prepare the network resources in an OCI compartment so that an OKE cluster instance can then be created.
Export the OCID of the root compartment:
export ROOT_COMPARTMENT_ID=ocid1.tenancy.oc1..aaaaaaaaot
Create a new OKE policy in the root compartment of your tenancy:
oci iam policy create --name oke-service --compartment-id $ROOT_COMPARTMENT_ID --statements '[ "allow service OKE to manage all-resources in tenancy"]' --description 'policy for granting rights on OKE to manage cluster resources'
List all policies to verify that the policy was created:
oci iam policy list --compartment-id $ROOT_COMPARTMENT_ID --all
Now create a dedicated compartment for all OKE resources:
oci iam compartment create --compartment-id $ROOT_COMPARTMENT_ID --name oke-compartment --description "Compartment for OCI resources created for OKE Cluster"
From here on, work in oke-compartment; set COMPARTMENT_ID to the identifier returned by the previous command:
export COMPARTMENT_ID=ocid1.compartment.oc1..aaaaaaaaheaww5zcb
Create the Virtual Cloud Network:
oci network vcn create --compartment-id $COMPARTMENT_ID --cidr-block '10.0.0.0/16' --display-name oke-vcn --dns-label oke1
Use the OCID returned by the previous command to set the environment variable VCN_ID:
export VCN_ID=ocid1.vcn.oc1.iad.aaaaaaaadzp2obutldz2
The VCN in which you want to create and deploy clusters must have an internet gateway. The internet gateway must be specified as the target for the destination CIDR block 0.0.0.0/0 in a route rule in a route table.
oci network internet-gateway create --compartment-id $COMPARTMENT_ID --vcn-id $VCN_ID --is-enabled true --display-name internet-gateway-oke
Also export the OCID returned by this command as INTERNET_GATEWAY_ID:
export INTERNET_GATEWAY_ID=ocid1.internetgateway.oc1.iad.aaaaaaaavm
Create the route table in the VCN:
oci network route-table create --compartment-id $COMPARTMENT_ID --vcn-id $VCN_ID --display-name routing-table-oke --route-rules '[{"cidrBlock":"0.0.0.0/0","networkEntityId":"'$INTERNET_GATEWAY_ID'"}]'
Export the OCID of the route table like this:
export ROUTE_TABLE_OCID=ocid1.routetable.oc1.iad.aaaaaaaaqpm7i2kgps4
Create the DHCP options:
oci network dhcp-options create --compartment-id $COMPARTMENT_ID --vcn-id $VCN_ID --options '[{"type": "DomainNameServer", "customDnsServers": [], "serverType": "VcnLocalPlusInternet"}]'
Create two security lists, named workers and loadbalancers (the names themselves are arbitrary). Note that the workers list as given below admits TCP port 22 from 0.0.0.0/0; narrow that source range if the worker nodes do not need SSH access from the internet:
oci network security-list create --compartment-id $COMPARTMENT_ID --vcn-id $VCN_ID --display-name workers --ingress-security-rules '[
{
"icmp-options": null,
"is-stateless": true,
"protocol": "all",
"source": "10.0.10.0/24",
"source-type": "CIDR_BLOCK",
"tcp-options": null,
"udp-options": null
},
{
"icmp-options": null,
"is-stateless": true,
"protocol": "all",
"source": "10.0.11.0/24",
"source-type": "CIDR_BLOCK",
"tcp-options": null,
"udp-options": null
},
{
"icmp-options": null,
"is-stateless": true,
"protocol": "all",
"source": "10.0.12.0/24",
"source-type": "CIDR_BLOCK",
"tcp-options": null,
"udp-options": null
},
{
"icmp-options": {
"code": 4,
"type": 3
},
"is-stateless": false,
"protocol": "1",
"source": "0.0.0.0/0",
"source-type": "CIDR_BLOCK",
"tcp-options": null,
"udp-options": null
},
{
"icmp-options": null,
"is-stateless": false,
"protocol": "6",
"source": "130.35.0.0/16",
"source-type": "CIDR_BLOCK",
"tcp-options": {
"destination-port-range": {
"max": 22,
"min": 22
},
"source-port-range": null
},
"udp-options": null
},
{
"icmp-options": null,
"is-stateless": false,
"protocol": "6",
"source": "138.1.0.0/17",
"source-type": "CIDR_BLOCK",
"tcp-options": {
"destination-port-range": {
"max": 22,
"min": 22
},
"source-port-range": null
},
"udp-options": null
},
{
"icmp-options": null,
"is-stateless": false,
"protocol": "6",
"source": "0.0.0.0/0",
"source-type": "CIDR_BLOCK",
"tcp-options": {
"destination-port-range": {
"max": 22,
"min": 22
},
"source-port-range": null
},
"udp-options": null
},
{
"icmp-options": null,
"is-stateless": false,
"protocol": "6",
"source": "0.0.0.0/0",
"source-type": "CIDR_BLOCK",
"tcp-options": {
"destination-port-range": {
"max": 32767,
"min": 30000
},
"source-port-range": null
},
"udp-options": null
}
]' --egress-security-rules '[{
"destination": "10.0.10.0/24",
"destination-type": "CIDR_BLOCK",
"icmp-options": null,
"is-stateless": true,
"protocol": "all",
"tcp-options": null,
"udp-options": null
},
{
"destination": "10.0.11.0/24",
"destination-type": "CIDR_BLOCK",
"icmp-options": null,
"is-stateless": true,
"protocol": "all",
"tcp-options": null,
"udp-options": null
},
{
"destination": "10.0.12.0/24",
"destination-type": "CIDR_BLOCK",
"icmp-options": null,
"is-stateless": true,
"protocol": "all",
"tcp-options": null,
"udp-options": null
},
{
"destination": "0.0.0.0/0",
"destination-type": "CIDR_BLOCK",
"icmp-options": null,
"is-stateless": false,
"protocol": "all",
"tcp-options": null,
"udp-options": null
}]'
oci network security-list create --compartment-id $COMPARTMENT_ID --vcn-id $VCN_ID --display-name loadbalancers --ingress-security-rules '[{
"icmp-options": null,
"is-stateless": true,
"protocol": "6",
"source": "0.0.0.0/0",
"source-type": "CIDR_BLOCK",
"tcp-options": null,
"udp-options": null
} ]' --egress-security-rules '[{
"destination": "0.0.0.0/0",
"destination-type": "CIDR_BLOCK",
"icmp-options": null,
"is-stateless": true,
"protocol": "6",
"tcp-options": null,
"udp-options": null
}]'
Export the OCIDs for the two security lists:
export WORKERS_SECURITY_LIST_OCID=ocid1.securitylist.oc1.iad.aaaaaaaa6jn
export LOADBALANCERS_SECURITY_LIST_OCID=ocid1.securitylist.oc1.iad.aaaa
List the availability domains:
oci iam availability-domain list --compartment-id $COMPARTMENT_ID
Using the availability domains returned by the previous command, create the subnets (one command per subnet; the security list OCID must be passed as a quoted JSON string):
oci network subnet create --compartment-id $COMPARTMENT_ID --vcn-id $VCN_ID --display-name workers-1 --availability-domain <OCID AD-1> --cidr-block 10.0.10.0/24 --route-table-id $ROUTE_TABLE_OCID --security-list-ids '["'$WORKERS_SECURITY_LIST_OCID'"]'
oci network subnet create --compartment-id $COMPARTMENT_ID --vcn-id $VCN_ID --display-name workers-2 --availability-domain <OCID AD-2> --cidr-block 10.0.11.0/24 --route-table-id $ROUTE_TABLE_OCID --security-list-ids '["'$WORKERS_SECURITY_LIST_OCID'"]'
oci network subnet create --compartment-id $COMPARTMENT_ID --vcn-id $VCN_ID --display-name workers-3 --availability-domain <OCID AD-3> --cidr-block 10.0.12.0/24 --route-table-id $ROUTE_TABLE_OCID --security-list-ids '["'$WORKERS_SECURITY_LIST_OCID'"]'
oci network subnet create --compartment-id $COMPARTMENT_ID --vcn-id $VCN_ID --display-name loadbalancers-1 --availability-domain <OCID AD-1> --cidr-block 10.0.20.0/24 --route-table-id $ROUTE_TABLE_OCID --security-list-ids '["'$LOADBALANCERS_SECURITY_LIST_OCID'"]'
oci network subnet create --compartment-id $COMPARTMENT_ID --vcn-id $VCN_ID --display-name loadbalancers-2 --availability-domain <OCID AD-2> --cidr-block 10.0.21.0/24 --route-table-id $ROUTE_TABLE_OCID --security-list-ids '["'$LOADBALANCERS_SECURITY_LIST_OCID'"]'
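The steps above hand-paste each returned OCID into JSON-valued arguments, which is where quoting errors creep in (a bare OCID inside [...] is not valid JSON). The helpers below are an added example, not part of the original gist; they assume the variables exported in the steps above and the OCI CLI's default pretty-printed JSON output.

```shell
#!/bin/sh
# Added helpers (not from the original gist) for feeding OCIDs into the
# JSON-valued arguments of the OCI CLI: each OCID must be a quoted string.

# json_str_array v1 v2 ... -> ["v1","v2"]   (the --security-list-ids value)
json_str_array() {
  out='['
  sep=''
  for v in "$@"; do
    out="${out}${sep}\"${v}\""
    sep=','
  done
  printf '%s]' "$out"
}

# route_rule_json CIDR GATEWAY_OCID -> the --route-rules value for one rule
route_rule_json() {
  printf '[{"cidrBlock":"%s","networkEntityId":"%s"}]' "$1" "$2"
}

# ocid_of: extract the "id" of the created resource from the OCI CLI's JSON
# response on stdin, without needing jq. Assumes the CLI's default
# pretty-printed output, where "id": "ocid1...." sits on its own line.
ocid_of() {
  sed -n 's/.*"id": *"\(ocid1\.[^"]*\)".*/\1/p' | head -n 1
}

# require_ocid NAME VALUE: fail fast when a variable still holds a
# placeholder such as <OCID AD-1> instead of a real identifier.
require_ocid() {
  case "$2" in
    ocid1.*) return 0 ;;
    *) printf '%s is not an OCID: %s\n' "$1" "$2" >&2; return 1 ;;
  esac
}

# Usage with the variables exported in the steps above (assumed to be set):
#   require_ocid INTERNET_GATEWAY_ID "$INTERNET_GATEWAY_ID" || exit 1
#   oci network route-table create ... \
#     --route-rules "$(route_rule_json 0.0.0.0/0 "$INTERNET_GATEWAY_ID")"
#   oci network subnet create ... \
#     --security-list-ids "$(json_str_array "$WORKERS_SECURITY_LIST_OCID")"
#   VCN_ID=$(oci network vcn create ... | ocid_of)
```

The OCI CLI can also return the same field directly with --query 'data.id' --raw-output, which avoids the sed step entirely.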