Cluster Deployment

Standalone example single-<region>.tfvars

```hcl
workspace_name     = "primary"
dr                 = ""
region             = "<your-region>"
cluster_name       = "logscale-prod"

# Security allowlists (examples) - replace with your real office/VPN IPs
public_lb_cidrs             = ["YOUR.PUBLIC.IP/32"]
control_plane_allowed_cidrs = ["YOUR.PUBLIC.IP/32"]
```

Deployment steps:

| Step | Module | Purpose |
|------|--------|---------|
| 1 | module.oci-core | VCN, subnets, NSGs |
| 2 | module.oci-logscale-storage | Object Storage bucket, S3-compatible credentials |
| 3 | module.oci-bastion | Bastion Service (optional, when provision_bastion=true) |
| 4 | module.oke | OKE cluster and node pools |
| 5 | module.pre-install | Namespace, encryption key secret |
| 6 | module.logscale.module.crds | CRDs (cert-manager, strimzi, humio-operator) |
| 7 | module.logscale | LogScale application stack (nginx-ingress, operators, HumioCluster) |
| 8 | module.cert-manager-oci-webhook | DNS-01 certificate webhook (when HTTP-01 blocked) |

Commands:

```shell
# Select the workspace (terraform init already completed in Section 3.3)
terraform workspace select primary

# 1. Core networking (VCN, subnets, NSGs)
terraform apply -var-file=single-<region>.tfvars \
  -target="module.oci-core"

# 2. Object Storage bucket and S3-compatible credentials
terraform apply -var-file=single-<region>.tfvars \
  -target="module.oci-logscale-storage"

# 3. Bastion Service (optional - skip if endpoint_public_access=true)
terraform apply -var-file=single-<region>.tfvars \
  -target="module.oci-bastion"

# 4. OKE cluster and node pools
terraform apply -var-file=single-<region>.tfvars \
  -target="module.oke"

# --- Kubernetes API access required from this point ---
# If using bastion: start tunnel in a separate terminal
#   LOCAL_PORT=16443 ./scripts/setup-bastion-tunnel.sh --workspace primary kubectl
#   export K8S_API="https://127.0.0.1:16443"
#   Add -var="kubernetes_api_host=$K8S_API" to all commands below
# If endpoint_public_access=true: no tunnel or extra var needed

# 5. Pre-install module (namespace + encryption key secret)
terraform apply -var-file=single-<region>.tfvars \
  -target="module.pre-install"

# 6. CRDs (cert-manager, strimzi, humio-operator CRDs must exist before LogScale resources)
terraform apply -var-file=single-<region>.tfvars \
  -target="module.logscale.module.crds"

# 7. LogScale application stack
terraform apply -var-file=single-<region>.tfvars \
  -target="module.logscale"

# 8. DNS-01 webhook (REQUIRED when HTTP-01 is likely blocked by public_lb_cidrs)
terraform apply -var-file=single-<region>.tfvars \
  -target="module.cert-manager-oci-webhook"

# Final: full apply to ensure all resources are in sync
terraform apply -var-file=single-<region>.tfvars
```

Verify:

```shell
terraform output
# Key outputs: storage_bucket_name, storage_encryption_key_value (sensitive)
# Check OKE cluster
kubectl --context <cluster_name> get nodes
# Check LogScale pods
kubectl --context <cluster_name> -n logging get pods
```

Certificate issuance requirements:

  • When public_lb_cidrs restricts load balancer access (recommended for security), Let's Encrypt HTTP-01 validation is blocked, because the validation servers cannot reach the ingress over HTTP

  • You must apply module.cert-manager-oci-webhook to enable DNS-01 validation

  • Set cert_dns01_provider = "oci" and cert_dns01_webhook_enabled = true in your tfvars

  • Without the webhook, the global FQDN certificate will remain in READY: False state
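A preflight check for the allowlist and certificate settings above, added here as an example (not part of the guide or the project's scripts): it rejects a tfvars whose allowlists are empty or open to the world, and enforces the pairing this section describes between a restricted public_lb_cidrs and the DNS-01 webhook settings. It assumes one `key = value` per line as in the example file; the two sample tfvars it writes are constructed.

```shell
# Constructed preflight for a single-<region>.tfvars (added example, not from the guide):
# reject allowlists open to the world, and enforce the guide's pairing of a restricted
# public_lb_cidrs (which blocks HTTP-01) with the DNS-01 webhook settings.

# Print the items of a list variable, one per line:  key = ["a", "b"]  ->  a  b
tfvars_list() { # $1=tfvars file, $2=variable name
  awk -v k="$2" '$1 == k && $2 == "=" {
      sub(/^[^=]*=[[:space:]]*\[/, ""); sub(/\].*$/, ""); n = split($0, a, ",")
      for (i = 1; i <= n; i++) { gsub(/[[:space:]"]/, "", a[i]); if (a[i] != "") print a[i] } }' "$1"
}
# Print a scalar value with quotes stripped:  key = "oci"  ->  oci
tfvars_scalar() { # $1=tfvars file, $2=variable name
  awk -v k="$2" '$1 == k && $2 == "=" { v = $3; gsub(/"/, "", v); print v; exit }' "$1"
}
# Returns 0 when the list is non-empty and no entry is an any-address prefix (/0)
allowlist_ok() { # $1=tfvars file, $2=variable name
  al_count=0
  for cidr in $(tfvars_list "$1" "$2"); do
    al_count=$((al_count + 1)); case "$cidr" in */0) return 1 ;; esac
  done
  [ "$al_count" -gt 0 ]
}
# Returns 0 when cert_dns01_provider = "oci" and cert_dns01_webhook_enabled = true
dns01_ok() { # $1=tfvars file
  [ "$(tfvars_scalar "$1" cert_dns01_provider)" = "oci" ] && [ "$(tfvars_scalar "$1" cert_dns01_webhook_enabled)" = "true" ]
}
# Runs every check; prints "preflight ok" and returns 0 only when all of them pass
preflight() { # $1=tfvars file
  for v in public_lb_cidrs control_plane_allowed_cidrs; do
    allowlist_ok "$1" "$v" || { echo "FAIL: $v must be non-empty and contain no /0 prefix"; return 1; }
  done
  dns01_ok "$1" || { echo "FAIL: need cert_dns01_provider = \"oci\" and cert_dns01_webhook_enabled = true"; return 1; }
  echo "preflight ok"
}
# Constructed sample tfvars: one that follows the guide, one that opens the load
# balancer to the world and omits the DNS-01 webhook settings.
TFV_GOOD=$(mktemp); TFV_BAD=$(mktemp)
cat > "$TFV_GOOD" <<'EOF'
public_lb_cidrs             = ["203.0.113.10/32", "198.51.100.0/24"]
control_plane_allowed_cidrs = ["203.0.113.10/32"]
cert_dns01_provider         = "oci"
cert_dns01_webhook_enabled  = true
EOF
cat > "$TFV_BAD" <<'EOF'
public_lb_cidrs             = ["0.0.0.0/0"]
control_plane_allowed_cidrs = ["203.0.113.10/32"]
EOF
preflight "$TFV_GOOD"                                   # prints: preflight ok
preflight "$TFV_BAD" || echo "rejected with exit status $?"
```

Run it against your real tfvars (`preflight single-<region>.tfvars`) before step 1; a non-zero exit names the first setting that violates the requirements above.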