Added - Support for OIDC Discovery in OKE

Author: Mark Mudimba

examples/container_engine/oidc_discovery/main.tf

@@ -0,0 +1,229 @@
+// Copyright (c) 2017, 2024, Oracle and/or its affiliates. All rights reserved.
+// Licensed under the Mozilla Public License v2.0
+
+variable "tenancy_ocid" {
+}
+
+variable "user_ocid" {
+}
+
+variable "compartment_ocid" {
+}
+
+variable "region" {
+  default = "us-ashburn-1"
+}
+
+variable "kms_vault_id" {
+}
+
+variable "compartment_id" {
+}
+
+variable "cluster_cluster_pod_network_options_cni_type" {
+  default = "OCI_VCN_IP_NATIVE"
+}
+
+variable "cluster_defined_tags_value" {
+  default = "value"
+}
+
+variable "cluster_endpoint_config_is_public_ip_enabled" {
+  default = false
+}
+
+variable "cluster_endpoint_config_nsg_ids" {
+  default = []
+}
+
+variable "cluster_freeform_tags" {
+  default = { "Department" = "Finance" }
+}
+
+variable "cluster_image_policy_config_is_policy_enabled" {
+  default = false
+}
+
+variable "cluster_kubernetes_version" {
+  default = "v1.30.1"
+}
+
+variable "cluster_name" {
+  default = "oidc-discovery-example"
+}
+
+variable "cluster_options_add_ons_is_kubernetes_dashboard_enabled" {
+  default = false
+}
+
+variable "cluster_options_add_ons_is_tiller_enabled" {
+  default = false
+}
+
+variable "cluster_options_admission_controller_options_is_pod_security_policy_enabled" {
+  default = false
+}
+
+variable "cluster_options_open_id_connect_discovery_is_open_id_connect_discovery_enabled" {
+  default = false
+}
+
+variable "cluster_options_kubernetes_network_config_pods_cidr" {
+  default = "10.1.0.0/16"
+}
+
+variable "cluster_options_kubernetes_network_config_services_cidr" {
+  default = "10.2.0.0/16"
+}
+
+variable "cluster_options_persistent_volume_config_defined_tags_value" {
+  default = "value"
+}
+
+variable "cluster_options_persistent_volume_config_freeform_tags" {
+  default = { "Department" = "Finance" }
+}
+
+variable "cluster_options_service_lb_config_defined_tags_value" {
+  default = "value"
+}
+
+variable "cluster_options_service_lb_config_freeform_tags" {
+  default = { "Department" = "Finance" }
+}
+
+variable "cluster_options_service_lb_subnet_ids" {
+  default = []
+}
+
+variable "cluster_state" {
+  default = []
+}
+
+// enhanced cluster is required for OIDC Discovery to be enabled
+variable "cluster_type" {
+  default = "ENHANCED_CLUSTER"
+}
+
+
+
+provider "oci" {
+  region           = var.region
+  auth = "SecurityToken"
+  config_file_profile = "terraform-federation-test"
+}
+
+variable defined_tag_namespace_name {
+  default = "test"
+}
+
+resource "oci_core_vcn" "test_vcn" {
+  cidr_block     = "10.0.0.0/16"
+  compartment_id = var.compartment_ocid
+  display_name   = "tfVcnForClusters"
+}
+
+resource "oci_core_internet_gateway" "test_ig" {
+  compartment_id = var.compartment_ocid
+  display_name   = "tfClusterInternetGateway"
+  vcn_id         = oci_core_vcn.test_vcn.id
+}
+
+resource "oci_identity_tag_namespace" "tag-namespace1" {
+  #Required
+  compartment_id = var.tenancy_ocid
+  description = "example tag namespace"
+  name = var.defined_tag_namespace_name != "" ? var.defined_tag_namespace_name : "example-tag-namespace-all"
+
+  is_retired = false
+}
+
+resource "oci_core_route_table" "test_route_table" {
+  compartment_id = var.compartment_ocid
+  vcn_id         = oci_core_vcn.test_vcn.id
+  display_name   = "tfClustersRouteTable"
+
+  route_rules {
+    destination       = "0.0.0.0/0"
+    destination_type  = "CIDR_BLOCK"
+    network_entity_id = oci_core_internet_gateway.test_ig.id
+  }
+}
+
+data "oci_identity_availability_domains" "test_availability_domains" {
+  compartment_id = var.tenancy_ocid
+}
+
+data "oci_identity_availability_domain" "ad1" {
+  compartment_id = var.tenancy_ocid
+  ad_number      = 1
+}
+
+data "oci_identity_availability_domain" "ad2" {
+  compartment_id = var.tenancy_ocid
+  ad_number      = 2
+}
+
+resource "oci_core_subnet" "clusterSubnet_2" {
+  #Required
+  availability_domain = data.oci_identity_availability_domain.ad2.name
+  cidr_block          = "10.0.21.0/24"
+  compartment_id      = var.compartment_ocid
+  vcn_id              = oci_core_vcn.test_vcn.id
+  display_name        = "tfSubNet1ForClusters"
+
+
+  # Provider code tries to maintain compatibility with old versions.
+  security_list_ids = [oci_core_vcn.test_vcn.default_security_list_id]
+  route_table_id    = oci_core_route_table.test_route_table.id
+}
+
+resource "oci_containerengine_cluster" "test_cluster" {
+  #Required
+  compartment_id     = var.compartment_ocid
+  kubernetes_version = var.cluster_kubernetes_version
+  name               = "tfTestCluster"
+  vcn_id             = oci_core_vcn.test_vcn.id
+  type               = var.cluster_type
+
+  #Optional
+  #   defined_tags = map(oci_identity_tag_namespace.tag-namespace1.name.oci_identity_tag.tag1.name, var.cluster_defined_tags_value)
+
+  freeform_tags = var.cluster_freeform_tags
+
+  options {
+
+    #Optional
+    add_ons {
+
+      #Optional
+      is_kubernetes_dashboard_enabled = var.cluster_options_add_ons_is_kubernetes_dashboard_enabled
+      is_tiller_enabled               = var.cluster_options_add_ons_is_tiller_enabled
+    }
+    admission_controller_options {
+
+      #Optional
+      is_pod_security_policy_enabled = var.cluster_options_admission_controller_options_is_pod_security_policy_enabled
+    }
+    kubernetes_network_config {
+
+      #Optional
+      pods_cidr     = var.cluster_options_kubernetes_network_config_pods_cidr
+      services_cidr = var.cluster_options_kubernetes_network_config_services_cidr
+    }
+
+    open_id_connect_discovery {
+      #Optional
+      is_open_id_connect_discovery_enabled = var.cluster_options_open_id_connect_discovery_is_open_id_connect_discovery_enabled
+    }
+  }
+}
+
+data "oci_containerengine_clusters" "test_clusters" {
+  #Required
+  compartment_id = var.compartment_id
+
+  #Optional
+  name  = var.cluster_name
+  state = var.cluster_state
+}

internal/integrationtest/containerengine_cluster_test.go

@@ -63,7 +63,7 @@ var (
 		"kubernetes_version":          acctest.Representation{RepType: acctest.Required, Create: `${data.oci_containerengine_cluster_option.test_cluster_option.kubernetes_versions[length(data.oci_containerengine_cluster_option.test_cluster_option.kubernetes_versions)-2]}`, Update: `${data.oci_containerengine_cluster_option.test_cluster_option.kubernetes_versions[length(data.oci_containerengine_cluster_option.test_cluster_option.kubernetes_versions)-1]}`},
 		"name":                        acctest.Representation{RepType: acctest.Required, Create: `name`, Update: `name2`},
 		"vcn_id":                      acctest.Representation{RepType: acctest.Required, Create: `${oci_core_vcn.test_vcn.id}`},
-		"cluster_pod_network_options": acctest.RepresentationGroup{RepType: acctest.Optional, Group: clusterClusterPodNetworkOptionsRepresentation},
+		"cluster_pod_network_options": acctest.RepresentationGroup{RepType: acctest.Optional, Group: ContainerengineClusterClusterPodNetworkOptionsRepresentation},
 		"defined_tags":                acctest.Representation{RepType: acctest.Optional, Create: `${map("${oci_identity_tag_namespace.tag-namespace1.name}.${oci_identity_tag.tag1.name}", "value")}`, Update: `${map("${oci_identity_tag_namespace.tag-namespace1.name}.${oci_identity_tag.tag1.name}", "updatedValue")}`},
 		"endpoint_config":             acctest.RepresentationGroup{RepType: acctest.Optional, Group: ContainerengineClusterEndpointConfigRepresentation},
 		"freeform_tags":               acctest.Representation{RepType: acctest.Optional, Create: map[string]string{"Department": "Finance"}, Update: map[string]string{"Department": "Accounting"}},
@@ -72,7 +72,7 @@ var (
 		"type":                        acctest.Representation{RepType: acctest.Optional, Create: `ENHANCED_CLUSTER`, Update: `ENHANCED_CLUSTER`},
 		"options":                     acctest.RepresentationGroup{RepType: acctest.Optional, Group: ContainerengineClusterOptionsRepresentation},
 	}
-	clusterClusterPodNetworkOptionsRepresentation = map[string]interface{}{
+	ContainerengineClusterClusterPodNetworkOptionsRepresentation = map[string]interface{}{
 		"cni_type": acctest.Representation{RepType: acctest.Required, Create: `OCI_VCN_IP_NATIVE`},
 	}
 	ContainerengineClusterEndpointConfigRepresentation = map[string]interface{}{
@@ -84,9 +84,11 @@ var (
 		"key_details":       acctest.RepresentationGroup{RepType: acctest.Optional, Group: ContainerengineClusterImagePolicyConfigKeyDetailsRepresentation},
 	}
 	ContainerengineClusterOptionsRepresentation = map[string]interface{}{
-		"add_ons":                   acctest.RepresentationGroup{RepType: acctest.Optional, Group: ContainerengineClusterOptionsAddOnsRepresentation},
-		"kubernetes_network_config": acctest.RepresentationGroup{RepType: acctest.Optional, Group: ContainerengineClusterOptionsKubernetesNetworkConfigRepresentation},
+		"add_ons":                                     acctest.RepresentationGroup{RepType: acctest.Optional, Group: ContainerengineClusterOptionsAddOnsRepresentation},
+		"admission_controller_options":                acctest.RepresentationGroup{RepType: acctest.Optional, Group: ContainerengineClusterOptionsAdmissionControllerOptionsRepresentation},
+		"kubernetes_network_config":                   acctest.RepresentationGroup{RepType: acctest.Optional, Group: ContainerengineClusterOptionsKubernetesNetworkConfigRepresentation},
 		"open_id_connect_token_authentication_config": acctest.RepresentationGroup{RepType: acctest.Optional, Group: ContainerengineClusterOptionsOpenIdConnectTokenAuthenticationConfigRepresentation},
+		"open_id_connect_discovery":                   acctest.RepresentationGroup{RepType: acctest.Optional, Group: ContainerengineClusterOptionsOpenIdConnectDiscoveryRepresentation},
 		"persistent_volume_config":                    acctest.RepresentationGroup{RepType: acctest.Optional, Group: ContainerengineClusterOptionsPersistentVolumeConfigRepresentation},
 		"service_lb_config":                           acctest.RepresentationGroup{RepType: acctest.Optional, Group: ContainerengineClusterOptionsServiceLbConfigRepresentation},
 		"service_lb_subnet_ids":                       acctest.Representation{RepType: acctest.Optional, Create: []string{`${oci_core_subnet.clusterSubnet_1.id}`, `${oci_core_subnet.clusterSubnet_2.id}`}},
@@ -98,6 +100,9 @@ var (
 		"is_kubernetes_dashboard_enabled": acctest.Representation{RepType: acctest.Optional, Create: `true`},
 		"is_tiller_enabled":               acctest.Representation{RepType: acctest.Optional, Create: `true`},
 	}
+	ContainerengineClusterOptionsAdmissionControllerOptionsRepresentation = map[string]interface{}{
+		"is_pod_security_policy_enabled": acctest.Representation{RepType: acctest.Optional, Create: `false`, Update: `false`},
+	}
 	ContainerengineClusterOptionsKubernetesNetworkConfigRepresentation = map[string]interface{}{
 		"pods_cidr":     acctest.Representation{RepType: acctest.Optional, Create: `10.1.0.0/16`},
 		"services_cidr": acctest.Representation{RepType: acctest.Optional, Create: `10.2.0.0/16`},
@@ -114,6 +119,9 @@ var (
 		"username_claim":                  acctest.Representation{RepType: acctest.Optional, Create: `sub`},
 		"username_prefix":                 acctest.Representation{RepType: acctest.Optional, Create: `oidc:`},
 	}
+	ContainerengineClusterOptionsOpenIdConnectDiscoveryRepresentation = map[string]interface{}{
+		"is_open_id_connect_discovery_enabled": acctest.Representation{RepType: acctest.Optional, Create: `false`, Update: `true`},
+	}
 	ContainerengineClusterOptionsPersistentVolumeConfigRepresentation = map[string]interface{}{
 		"defined_tags":  acctest.Representation{RepType: acctest.Optional, Create: `${map("${oci_identity_tag_namespace.tag-namespace1.name}.${oci_identity_tag.tag1.name}", "value")}`, Update: `${map("${oci_identity_tag_namespace.tag-namespace1.name}.${oci_identity_tag.tag1.name}", "updatedValue")}`},
 		"freeform_tags": acctest.Representation{RepType: acctest.Optional, Create: map[string]string{"Department": "Finance"}, Update: map[string]string{"Department": "Accounting"}},
@@ -201,8 +209,6 @@ func TestContainerengineClusterResource_basic(t *testing.T) {
 				resource.TestCheckResourceAttr(resourceName, "options.0.add_ons.#", "1"),
 				resource.TestCheckResourceAttr(resourceName, "options.0.add_ons.0.is_kubernetes_dashboard_enabled", "true"),
 				resource.TestCheckResourceAttr(resourceName, "options.0.add_ons.0.is_tiller_enabled", "true"),
-				resource.TestCheckResourceAttr(resourceName, "options.0.admission_controller_options.#", "1"),
-				resource.TestCheckResourceAttr(resourceName, "options.0.admission_controller_options.0.is_pod_security_policy_enabled", "false"),
 				resource.TestCheckResourceAttr(resourceName, "options.0.kubernetes_network_config.#", "1"),
 				resource.TestCheckResourceAttr(resourceName, "options.0.kubernetes_network_config.0.pods_cidr", "10.1.0.0/16"),
 				resource.TestCheckResourceAttr(resourceName, "options.0.kubernetes_network_config.0.services_cidr", "10.2.0.0/16"),
@@ -219,6 +225,9 @@ func TestContainerengineClusterResource_basic(t *testing.T) {
 				resource.TestCheckResourceAttr(resourceName, "options.0.open_id_connect_token_authentication_config.0.signing_algorithms.#", "1"),
 				resource.TestCheckResourceAttr(resourceName, "options.0.open_id_connect_token_authentication_config.0.username_claim", "RS256"),
 				resource.TestCheckResourceAttr(resourceName, "options.0.open_id_connect_token_authentication_config.0.username_prefix", "oidc:"),
+				resource.TestCheckResourceAttr(resourceName, "options.0.admission_controller_options.0.is_pod_security_policy_enabled", "false"),
+				resource.TestCheckResourceAttr(resourceName, "options.0.open_id_connect_discovery.#", "1"),
+				resource.TestCheckResourceAttr(resourceName, "options.0.open_id_connect_discovery.0.is_open_id_connect_discovery_enabled", "false"),
 				resource.TestCheckResourceAttr(resourceName, "options.0.persistent_volume_config.#", "1"),
 				resource.TestCheckResourceAttr(resourceName, "options.0.persistent_volume_config.0.freeform_tags.%", "1"),
 				resource.TestCheckResourceAttr(resourceName, "options.0.service_lb_config.#", "1"),
@@ -263,12 +272,13 @@ func TestContainerengineClusterResource_basic(t *testing.T) {
 				resource.TestCheckResourceAttr(resourceName, "options.0.add_ons.#", "1"),
 				resource.TestCheckResourceAttr(resourceName, "options.0.add_ons.0.is_kubernetes_dashboard_enabled", "true"),
 				resource.TestCheckResourceAttr(resourceName, "options.0.add_ons.0.is_tiller_enabled", "true"),
-				resource.TestCheckResourceAttr(resourceName, "options.0.admission_controller_options.#", "1"),
-				resource.TestCheckResourceAttr(resourceName, "options.0.admission_controller_options.0.is_pod_security_policy_enabled", "false"),
 				resource.TestCheckResourceAttr(resourceName, "options.0.kubernetes_network_config.#", "1"),
 				resource.TestCheckResourceAttr(resourceName, "options.0.kubernetes_network_config.0.pods_cidr", "10.1.0.0/16"),
 				resource.TestCheckResourceAttr(resourceName, "options.0.kubernetes_network_config.0.services_cidr", "10.2.0.0/16"),
 				resource.TestCheckResourceAttr(resourceName, "options.0.open_id_connect_token_authentication_config.#", "0"),
+				resource.TestCheckResourceAttr(resourceName, "options.0.admission_controller_options.0.is_pod_security_policy_enabled", "false"),
+				resource.TestCheckResourceAttr(resourceName, "options.0.open_id_connect_discovery.#", "1"),
+				resource.TestCheckResourceAttr(resourceName, "options.0.open_id_connect_discovery.0.is_open_id_connect_discovery_enabled", "true"),
 				resource.TestCheckResourceAttr(resourceName, "options.0.persistent_volume_config.#", "1"),
 				resource.TestCheckResourceAttr(resourceName, "options.0.persistent_volume_config.0.freeform_tags.%", "1"),
 				resource.TestCheckResourceAttr(resourceName, "options.0.service_lb_config.#", "1"),
@@ -317,8 +327,6 @@ func TestContainerengineClusterResource_basic(t *testing.T) {
 				resource.TestCheckResourceAttr(datasourceName, "clusters.0.options.0.add_ons.#", "1"),
 				resource.TestCheckResourceAttr(datasourceName, "clusters.0.options.0.add_ons.0.is_kubernetes_dashboard_enabled", "true"),
 				resource.TestCheckResourceAttr(datasourceName, "clusters.0.options.0.add_ons.0.is_tiller_enabled", "true"),
-				resource.TestCheckResourceAttr(datasourceName, "clusters.0.options.0.admission_controller_options.#", "1"),
-				resource.TestCheckResourceAttr(datasourceName, "clusters.0.options.0.admission_controller_options.0.is_pod_security_policy_enabled", "false"),
 				resource.TestCheckResourceAttr(datasourceName, "clusters.0.options.0.kubernetes_network_config.#", "1"),
 				resource.TestCheckResourceAttr(datasourceName, "clusters.0.options.0.kubernetes_network_config.0.pods_cidr", "10.1.0.0/16"),
 				resource.TestCheckResourceAttr(datasourceName, "clusters.0.options.0.kubernetes_network_config.0.services_cidr", "10.2.0.0/16"),
@@ -335,6 +343,9 @@ func TestContainerengineClusterResource_basic(t *testing.T) {
 				resource.TestCheckResourceAttr(datasourceName, "clusters.0.options.0.open_id_connect_token_authentication_config.0.signing_algorithms.#", "1"),
 				resource.TestCheckResourceAttr(datasourceName, "clusters.0.options.0.open_id_connect_token_authentication_config.0.username_claim", "usernameClaim2"),
 				resource.TestCheckResourceAttr(datasourceName, "clusters.0.options.0.open_id_connect_token_authentication_config.0.username_prefix", "usernamePrefix2"),
+				resource.TestCheckResourceAttr(resourceName, "options.0.admission_controller_options.0.is_pod_security_policy_enabled", "false"),
+				resource.TestCheckResourceAttr(datasourceName, "clusters.0.options.0.open_id_connect_discovery.#", "1"),
+				resource.TestCheckResourceAttr(datasourceName, "clusters.0.options.0.open_id_connect_discovery.0.is_open_id_connect_discovery_enabled", "true"),
 				resource.TestCheckResourceAttr(datasourceName, "clusters.0.options.0.persistent_volume_config.#", "1"),
 				resource.TestCheckResourceAttr(datasourceName, "clusters.0.options.0.persistent_volume_config.0.freeform_tags.%", "1"),
 				resource.TestCheckResourceAttr(datasourceName, "clusters.0.options.0.service_lb_config.#", "1"),