Updated Terraform, Linted, Standardised

Author: gotsysdba

docs/content/advanced/microservices.md

@@ -61,6 +61,17 @@ You will need to build the {{< short_app_ref >}} container images and stage them
     podman push <server_repository>:latest
     ```
 
+### Namespace
+
+Create a Kubernetes namespace to logically isolate the {{< short_app_ref >}} resources.  For demonstration purposes, the `ai-optimizer` namespace will be created and used throughout this documentation.
+
+```yaml
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: ai-optimizer
+```
+
 ### Ingress
 
 To access the {{< short_app_ref >}} GUI and API Server, you can either use a port-forward or an Ingress service.  For demonstration purposes, the [OCI Native Ingress Controller](https://docs.oracle.com/en-us/iaas/Content/ContEng/Tasks/contengsettingupnativeingresscontroller.htm), which was enabled on the **OKE** cluster as part of the **IaC**, will be used to for public Ingress access.
@@ -81,30 +92,25 @@ These will be output as part of the **IaC** but can be removed from the code if
 
 1. Create a `native_ingress.yaml`:
     ```yaml
-    apiVersion: v1
-    kind: Namespace
-    metadata:
-      name: hologram
-    ---
     apiVersion: "ingress.oraclecloud.com/v1beta1"
     kind: IngressClassParameters
     metadata:
       name: native-ic-params
       namespace: ai-optimizer
     spec:
-      compartmentId: <compartment_ocid>
+      compartmentId: <lb_compartment_ocid>
       subnetId: <lb_subnet_ocid>
       loadBalancerName: "ai-optimizer-lb"
       reservedPublicAddressId: <lb_reserved_ip_ocid>
       isPrivate: false
-      maxBandwidthMbps: 1250
+      maxBandwidthMbps: 100
       minBandwidthMbps: 10
     ---
     apiVersion: networking.k8s.io/v1
     kind: IngressClass
     metadata:
       name: native-ic
-      namespace: hologram
+      namespace: ai-optimizer
       annotations:
         ingressclass.kubernetes.io/is-default-class: "true"
         oci-native-ingress.oraclecloud.com/network-security-group-ids: <lb_nsg_ocid>
@@ -114,7 +120,7 @@ These will be output as part of the **IaC** but can be removed from the code if
       controller: oci.oraclecloud.com/native-ingress-controller
       parameters:
         scope: Namespace
-        namespace: hologram
+        namespace: ai-optimizer
         apiGroup: ingress.oraclecloud.com
         kind: IngressClassParameters
         name: native-ic-params
@@ -125,20 +131,13 @@ These will be output as part of the **IaC** but can be removed from the code if
 The {{< short_app_ref >}} can be deployed using the [Helm](https://helm.sh/) chart provided with the source:
 [{{< short_app_ref >}} Helm Chart](https://github.com/oracle-samples/ai-optimizer/tree/main/helm).  A list of all values can be found in [values_summary.md](https://github.com/oracle-samples/ai-optimizer/tree/main/helm/values_summary.md).
 
-If you deployed a GPU node pool as part of the **IaC**, you can deploy Ollama and enable a Large Language and Embedding Model out-of-the-box.
-
-1. Create the `ai-optimizer` namespace:
-    
-    ```bash
-    kubectl create namespace ai-optimizer
-    ```
+If you deployed a GPU node pool as part of the **IaC**, [Ollama](https://ollama.com/) will be deployed automatically and a Large Language and Embedding Model will be available out-of-the-box.
 
 1. Create a secret to hold the API Key:
 
     ```bash
-    kubectl create secret generic api-key \
-      --from-literal=apiKey=$(openssl rand -hex 32) \
-      --namespace=ai-optimizer
+    kubectl -n ai-optimizer create secret generic api-key \
+      --from-literal=apiKey=$(openssl rand -hex 32)
     ```
 
 1. Create a secret to hold the Database Authentication:
@@ -149,11 +148,10 @@ If you deployed a GPU node pool as part of the **IaC**, you can deploy Ollama an
     - `<adb_service>` - The Service Name (i.e. ADBDB_TP)
 
     ```bash
-    kubectl create secret generic db-authn \
+    kubectl -n ai-optimizer create secret generic db-authn \
       --from-literal=username='ADMIN' \
       --from-literal=password='<adb_password>' \
-      --from-literal=service='<adb_service>' \
-      --namespace=ai-optimizer
+      --from-literal=service='<adb_service>'
     ```
 
     These will be output as part of the **IaC**.
@@ -172,7 +170,7 @@ If you deployed a GPU node pool as part of the **IaC**, you can deploy Ollama an
 
     These will be output as part of the **IaC**.
 
-    {{< icon "star" >}} If using the **IaC** for **OCI**, it is not required to specify an ImagePullSecret as the cluster nodes are configured with the [Image Credential Provider for OKE](https://github.com/oracle-devrel/oke-credential-provider-for-ocir).
+    {{< icon "star" >}} If using the **IaC** for **OCI**, it is not required to specify an ImagePullSecret as the cluster nodes are configured with the [Image Credential Provider for OKE](https://github.com/oracle-devrel/oke-credential-provider-for-ocir).  It may take up to 5 minutes for the policy allowing for the image pull to be recognized.
 
     ```yaml
     global:
@@ -185,6 +183,7 @@ If you deployed a GPU node pool as part of the **IaC**, you can deploy Ollama an
       image:
         repository: <server_repository>
         tag: "latest"
+      imagePullPolicy: Always
 
       ingress:
         enabled: true
@@ -198,20 +197,33 @@ If you deployed a GPU node pool as part of the **IaC**, you can deploy Ollama an
         http:
           type: "NodePort"
 
+      # -- Oracle Cloud Infrastructure Configuration
+      oci:
+        tenancy: "<tenancy_ocid>"
+        region: "<oci_region>"
+
       # -- Oracle Autonomous Database Configuration
       adb:
         enabled: true
         ocid: "<adb_ocid>"
         mtls:
-          enabled: false
+          enabled: true
         authN:
           secretName: "db-authn"
+          usernameKey: "username"
+          passwordKey: "password"
+          serviceKey: "service"
+
+      models:
+        ollama:
+          enabled: false
 
     client:
       enabled: true
       image:
         repository: <client_repository>
         tag: "latest"
+      imagePullPolicy: Always
 
       ingress:
         enabled: true
@@ -229,10 +241,10 @@ If you deployed a GPU node pool as part of the **IaC**, you can deploy Ollama an
         disableTestbed: "false"
         disableApi: "false"
         disableTools: "false"
-        disableDbCfg: "true"
+        disableDbCfg: "false"
         disableModelCfg: "false"
-        disableOciCfg: "true"
-        disableSettings: "true"
+        disableOciCfg: "false"
+        disableSettings: "false"
 
     ollama:
       enabled: true
@@ -250,8 +262,8 @@ If you deployed a GPU node pool as part of the **IaC**, you can deploy Ollama an
 
     ```bash
     helm upgrade \
-      --install ai-optimizer . \
       --namespace ai-optimizer \
+      --install ai-optimizer . \
       -f values.yaml
     ```
 

helm/charts/server/templates/adb.yaml

@@ -33,16 +33,17 @@ metadata:
   labels: 
     {{- include "app.labels" . | nindent 4 }}
 spec:
+  action: "Sync"
   details:
-    autonomousDatabaseOCID: {{ .Values.adb.ocid }}
+    id: {{ .Values.adb.ocid }}
     adminPassword:
       k8sSecret:
         name: place-holder
-    wallet:
-      name: {{ include "app.fullname" . }}-adb-tns-admin-{{ .Release.Revision }}
-      password:
-        k8sSecret:
-          name: {{ include "app.fullname" . }}-adb-wallet-pass-{{ .Release.Revision }}
+  wallet:
+    name: {{ include "app.fullname" . }}-adb-tns-admin-{{ .Release.Revision }}
+    password:
+      k8sSecret:
+        name: {{ include "app.fullname" . }}-adb-wallet-pass-{{ .Release.Revision }}
   {{- if .Values.oci.region }}
   ociConfig: 
     configMapName: {{ include "app.fullname" . }}-oci-cred

opentofu/iam.tf

@@ -6,7 +6,6 @@
 locals {
   compartment_ocid = var.compartment_ocid != "" ? var.compartment_ocid : var.tenancy_ocid
   label_prefix     = var.label_prefix != "" ? lower(var.label_prefix) : lower(random_pet.label.id)
-  identity_tag_key = format("%s.%s", oci_identity_tag_namespace.tag_namespace.name, oci_identity_tag.identity_tag.name)
 }
 
 // Autonomous Database

opentofu/locals.tf

@@ -74,7 +74,6 @@ resource "oci_database_autonomous_database" "default_adb" {
   license_model                        = var.adb_license_model
   is_mtls_connection_required          = true
   whitelisted_ips                      = local.adb_whitelist_cidrs
-  defined_tags                         = { (local.identity_tag_key) = local.label_prefix }
 }
 
 // Virtual Machine
@@ -113,7 +112,6 @@ module "kubernetes" {
   compartment_id                 = local.compartment_ocid
   vcn_id                         = module.network.vcn_ocid
   region                         = var.region
-  dynamic_group                  = oci_identity_dynamic_group.resource_dynamic_group.name
   lb                             = oci_load_balancer_load_balancer.lb
   adb_id                         = oci_database_autonomous_database.default_adb.id
   adb_name                       = local.adb_name
@@ -132,7 +130,6 @@ module "kubernetes" {
   public_subnet_id               = module.network.public_subnet_ocid
   private_subnet_id              = module.network.private_subnet_ocid
   lb_nsg_id                      = oci_core_network_security_group.lb.id
-  identity_tag_key               = local.identity_tag_key
   providers = {
     oci.home_region = oci.home_region
   }

opentofu/main.tf

@@ -2,6 +2,16 @@
 # All rights reserved. The Universal Permissive License (UPL), Version 1.0 as shown at http://oss.oracle.com/licenses/upl
 # spell-checker: disable
 
+resource "oci_identity_dynamic_group" "workers_dynamic_group" {
+  compartment_id = var.tenancy_id
+  name           = format("%s-worker-dyngrp", var.label_prefix)
+  description    = format("%s Workers Dynamic Group", var.label_prefix)
+  matching_rule = format(
+    "ALL {instance.compartment.id = '%s', tag.Oracle-Tags.CreatedBy.value = '%s'}",
+  var.compartment_id, oci_containerengine_node_pool.default_node_pool_details.id)
+  provider = oci.home_region
+}
+
 resource "oci_identity_policy" "workers_policies" {
   compartment_id = var.tenancy_id
   name           = format("%s-workers-policy", var.label_prefix)
@@ -27,7 +37,8 @@ resource "oci_identity_policy" "workers_policies" {
     format("allow any-user to manage waf-family in compartment id %s where all {request.principal.type = 'workload', request.principal.namespace = 'native-ingress-controller-system', request.principal.service_account = 'oci-native-ingress-controller', request.principal.cluster_id = '%s'}", var.compartment_id, oci_containerengine_cluster.default_cluster.id),
     format("allow any-user to read cluster-family in compartment id %s where all {request.principal.type = 'workload', request.principal.namespace = 'native-ingress-controller-system', request.principal.service_account = 'oci-native-ingress-controller', request.principal.cluster_id = '%s'}", var.compartment_id, oci_containerengine_cluster.default_cluster.id),
     format("allow any-user to use tag-namespaces in compartment id %s where all {request.principal.type = 'workload', request.principal.namespace = 'native-ingress-controller-system', request.principal.service_account = 'oci-native-ingress-controller', request.principal.cluster_id = '%s'}", var.compartment_id, oci_containerengine_cluster.default_cluster.id),
-    format("allow dynamic-group %s to manage repos in compartment id %s", var.dynamic_group, var.compartment_id),
+    format("allow dynamic-group %s to use generative-ai-family in compartment id %s", oci_identity_dynamic_group.workers_dynamic_group.name, var.compartment_id),
+    format("allow dynamic-group %s to manage repos in compartment id %s", oci_identity_dynamic_group.workers_dynamic_group.name, var.compartment_id),
   ]
   provider = oci.home_region
 }

opentofu/modules/kubernetes/iam.tf

@@ -84,7 +84,6 @@ resource "oci_containerengine_cluster" "default_cluster" {
     }
     service_lb_subnet_ids = [var.public_subnet_id]
   }
-  defined_tags = { (var.identity_tag_key) = var.label_prefix }
   freeform_tags = {
     "clusterName" = local.k8s_cluster_name
   }
@@ -146,8 +145,6 @@ resource "oci_containerengine_node_pool" "default_node_pool_details" {
     }
     size    = var.k8s_cpu_node_pool_size
     nsg_ids = [oci_core_network_security_group.k8s_workers.id]
-    // Used for Instance Principles
-    defined_tags = { (var.identity_tag_key) = var.label_prefix }
   }
   node_eviction_node_pool_settings {
     eviction_grace_duration              = "PT5M"
@@ -176,6 +173,7 @@ resource "oci_containerengine_node_pool" "default_node_pool_details" {
 }
 
 resource "oci_containerengine_node_pool" "gpu_node_pool_details" {
+  count              = var.k8s_node_pool_gpu_deploy ? 1 : 0
   cluster_id         = oci_containerengine_cluster.default_cluster.id
   compartment_id     = var.compartment_id
   kubernetes_version = format("v%s", var.k8s_version)
@@ -198,8 +196,6 @@ resource "oci_containerengine_node_pool" "gpu_node_pool_details" {
     }
     size    = var.k8s_gpu_node_pool_size
     nsg_ids = [oci_core_network_security_group.k8s_workers.id]
-    // Used for Instance Principles
-    defined_tags = { (var.identity_tag_key) = var.label_prefix }
   }
   node_eviction_node_pool_settings {
     eviction_grace_duration              = "PT5M"

opentofu/modules/kubernetes/main.tf

@@ -47,10 +47,6 @@ variable "label_prefix" {
   type = string
 }
 
-variable "dynamic_group" {
-  type = string
-}
-
 variable "adb_id" {
   type = string
 }
@@ -105,7 +101,3 @@ variable "k8s_api_endpoint_allowed_cidrs" {
   type    = string
   default = ""
 }
-
-variable "identity_tag_key" {
-  type = string
-}

opentofu/modules/kubernetes/variables.tf

@@ -28,17 +28,16 @@ RUN microdnf -y update && \
     install -d -m 0700 -o $RUNUSER -g $RUNUSER /app/.oci
 
 COPY pyproject.toml /opt/package/pyproject.toml
-COPY --chown=$RUNUSER:$RUNUSER . /app
+# Use the virtual environment for pip installations (Client Specific)
+RUN source /opt/.venv/bin/activate && \
+    pip install "/opt/package[client]"
 
 ##################################################
 # Clint Application
 ##################################################
 FROM optimizer_base AS client
 
-# Use the virtual environment for pip installations (Client Specific)
-RUN source /opt/.venv/bin/activate && \
-    pip install "/opt/package[client]"
-
+COPY --chown=$RUNUSER:$RUNUSER . /app
 RUN rm -rf /app/server /app/.oci /app/launch_server.py
 
 # Set user and working directory

src/client/Dockerfile

@@ -110,7 +110,7 @@ async def main() -> None:
     if "server_client" not in state:
         state.server_client = client.Client(
             server=state.server,
-            settings=state["server_settings"],
+            settings=state.server_settings,
             timeout=10,
         )
     server_client: client.Client = state.server_client