oracle-quickstart / oci-kubernetes-monitoring

Kubernetes Monitoring with OCI Observability & Management Platform
https://www.oracle.com/manageability/logging-analytics/
Universal Permissive License v1.0

How to use this code with private endpoints #43

Open rhegde2 opened 1 year ago

rhegde2 commented 1 year ago

Hi, we tried to deploy it against an OKE cluster running on a private endpoint. We can't create a public endpoint because of our company policies.

So, Resource manager stack is failing with the below error:

Error: Kubernetes cluster unreachable: Get "https://<PRIVATE_IP>:6443/version": dial tcp <PRIVATE_IP>:6443: i/o timeout

We tried creating a reachable IP, with no luck.

Kindly suggest.

santhoshkvuda commented 1 year ago

Private endpoint support for installation through Resource Manager is not yet available; it will come in upcoming releases. You may try the Helm chart based installation as an alternative.

rhegde2 commented 1 year ago

Hi @santhoshkvuda, thanks a lot for your input.

Any tentative date for the upcoming release?

consiahras commented 1 year ago

One more thing to add: even if you create an oci_resourcemanager_private_endpoint and then use it in your Helm configuration, for example like:

resource "oci_resourcemanager_private_endpoint" "rms_pe" {
  compartment_id = var.compartment_ocid
  display_name   = var.display_name
  description    = var.description
  vcn_id         = var.vcn_id
  subnet_id      = var.subnet_id
}

and then get the reachable IP from the data source:

data "oci_resourcemanager_private_endpoint_reachable_ip" "rms_pe_reachable_ip_address" {
  private_endpoint_id = oci_resourcemanager_private_endpoint.rms_pe.id
  private_ip          = "<OKE_API_endpoint>"
}
provider "helm" {
  kubernetes {
    host                   = "https://${data.oci_resourcemanager_private_endpoint_reachable_ip.rms_pe_reachable_ip_address.ip_address}:6443"
    cluster_ca_certificate = local.cluster_ca_certificate
    exec {
      api_version = "client.authentication.k8s.io/v1beta1"
      args        = ["ce", "cluster", "generate-token", "--cluster-id", local.cluster_id, "--region", local.cluster_region]
      command     = "oci"
    }
  }
}

you are able to reach the cluster, but OKE is still unreachable, with the error:

Error: Kubernetes cluster unreachable: Get "https://<REACHABLE_IP>:6443/version": x509: certificate is valid for ...... 168.254.5.1, 127.0.0.1, not <REACHABLE_IP>
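The x509 error above is the client refusing the API server's certificate because the address being dialled (the private endpoint's reachable IP) is not among the certificate's subject alternative names; only the cluster's own private IP, the service IP and 127.0.0.1 are. The script below is an added example, not code from this repository, that parses a Go-style x509 hostname-mismatch message and applies the same matching rules Go's verifier uses (an IP literal must equal an IP SAN exactly; a DNS name may match a single-label leftmost wildcard), so you can see at a glance whether a given endpoint address can ever pass verification. The sample error string is constructed for illustration and does not reproduce the reporter's real addresses.

```python
import ipaddress
import re

# Go's x509.HostnameError is rendered as:
#   "x509: certificate is valid for <san>, <san>, ..., not <host>"
# This is the text the Terraform helm/kubernetes providers surface in the issue above.
_ERR_RE = re.compile(r"x509: certificate is valid for (?P<sans>.+?), not (?P<host>\S+)$")

# Constructed sample error in the shape seen in this issue (addresses are made up).
SAMPLE_ERROR = (
    'Error: Kubernetes cluster unreachable: Get "https://10.0.20.5:6443/version": '
    "x509: certificate is valid for 10.0.10.3, 168.254.5.1, 127.0.0.1, not 10.0.20.5"
)


def parse_hostname_error(msg: str):
    """Return (requested_host, [san, ...]) from a Go x509 hostname-mismatch message."""
    m = _ERR_RE.search(msg)
    if not m:
        raise ValueError("not a Go x509 hostname-mismatch error")
    sans = [s.strip() for s in m.group("sans").split(",") if s.strip()]
    return m.group("host"), sans


def _as_ip(text: str):
    """Parse an IP literal (IPv6 may be bracketed); return None for DNS names."""
    try:
        return ipaddress.ip_address(text.strip("[]"))
    except ValueError:
        return None


def san_covers(host: str, san: str) -> bool:
    """Decide whether one SAN entry covers the requested host, following Go's rules:
    - an IP host matches only an IP SAN with the identical address (never a DNS SAN)
    - a DNS host matches a dNSName case-insensitively, label by label
    - '*' is honoured only as the entire leftmost label and matches exactly one label
    """
    host_ip, san_ip = _as_ip(host), _as_ip(san)
    if host_ip is not None or san_ip is not None:
        return host_ip is not None and san_ip is not None and host_ip == san_ip
    h = host.lower().rstrip(".").split(".")
    s = san.lower().rstrip(".").split(".")
    if len(h) != len(s):
        return False
    for i, (hl, sl) in enumerate(zip(h, s)):
        if sl == "*" and i == 0:
            continue
        if hl != sl:
            return False
    return True


def diagnose(msg: str) -> dict:
    """Explain a hostname-mismatch error: which SANs exist, and whether the dialled
    address could ever be accepted. A False 'covered' means the endpoint address itself
    is wrong for this certificate; the remedy is to reach the API server through an
    address or name the certificate lists, not to disable TLS verification."""
    host, sans = parse_hostname_error(msg)
    covered = any(san_covers(host, san) for san in sans)
    return {
        "requested": host,
        "sans": sans,
        "ip_sans": [s for s in sans if _as_ip(s) is not None],
        "covered": covered,
    }


if __name__ == "__main__":
    report = diagnose(SAMPLE_ERROR)
    print(f"dialled {report['requested']}; certificate covers {report['sans']}")
    print("verification can succeed" if report["covered"] else
          "this address will never pass verification: dial a listed SAN instead")
```

Running it against the constructed sample reports that 10.0.20.5 is not covered, which is exactly the situation in this thread: the reachable IP that Resource Manager hands you is a NAT-style address on the RMS side, so the OKE API server's certificate cannot list it, and the client correctly rejects the connection.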

Tyson1986 commented 6 months ago

I believe this article describes the fix: https://docs.oracle.com/en/learn/logging-for-private-oke-cluster/index.html. It didn't work for me, but I believe that is due to my private endpoint setup issues. In general it seems to be the fix for your problem.