Create an OCI DevOps project, set up permissions and code repository for microservices

Introduction

This is part three of a six-part tutorial series that shows you how to deploy a temporary set of resources on an OKE cluster. The series uses Golang microservices that demonstrate the OCI SDK, OCI CLI, Resource Manager, OCI DevOps and Helm to deploy and destroy Apache Airflow.

Objective

In this tutorial, you will learn how to create an OCI DevOps project and set up permissions and a code repository for microservices.

Prerequisites

Task 1: Create dynamic groups and policies

  1. Create dynamic groups needed for DevOps services. For more information, see dynamic groups.

    • Create the following dynamic groups using these matching rules:

      Dynamic group              Matching rule
      DevOpsDynamicGroup         Any {resource.type = 'devopsdeploypipeline', resource.type = 'devopsbuildpipeline', resource.type = 'devopsrepository', resource.type = 'devopsconnection'}
      DeployDynamicGroup         All {resource.type = 'devopsdeploypipeline'}
      BuildPipelineDynamicGroup  ALL {resource.type = 'devopsbuildpipeline'}
      ConnectionDynamicGroup     ALL {resource.type = 'devopsconnection'}
  2. Create a user group for your DevOps users. For more information, see user groups.

    • Create a group named: oci-devops-users.

    • Add the user you used to set up your OCI CLI. This user will be used to interact with OCI from the microservice “go-microservice”, which calls OCI resources to trigger build pipelines and kubeconfig creation.

    • In this tutorial, we use the user “devmaster”, added to the “oci-devops-users” group.

  3. Create policies for DevOps services. For more information, see IAM Policies.

    • Create a policy named: OCILabDeployPolicy.

      Allow dynamic-group DeployDynamicGroup to manage all-resources in compartment oci-resource-manager-lab
      Allow dynamic-group BuildPipelineDynamicGroup to use devops-family in compartment oci-resource-manager-lab
      Allow dynamic-group BuildPipelineDynamicGroup to manage repos in compartment oci-resource-manager-lab
      Allow dynamic-group BuildPipelineDynamicGroup to manage all-artifacts in compartment oci-resource-manager-lab
      
    • Create a policy named: OCILabBuildPolicy.

      Allow dynamic-group BuildPipelineDynamicGroup to manage repos in compartment oci-resource-manager-lab  
      Allow dynamic-group BuildPipelineDynamicGroup to read secret-family in tenancy
      Allow dynamic-group BuildPipelineDynamicGroup to manage devops-family in compartment oci-resource-manager-lab
      Allow dynamic-group BuildPipelineDynamicGroup to manage all-artifacts in tenancy
      Allow dynamic-group BuildPipelineDynamicGroup to use ons-topics in compartment oci-resource-manager-lab
      Allow dynamic-group BuildPipelineDynamicGroup to read cluster-node-pools in compartment oci-resource-manager-lab
      Allow dynamic-group BuildPipelineDynamicGroup to use clusters in compartment oci-resource-manager-lab
      Allow dynamic-group BuildPipelineDynamicGroup to manage virtual-network-family in tenancy
      Allow group oci-devops-users to manage devops-family in compartment oci-resource-manager-lab
      Allow group oci-devops-users to manage repos in compartment oci-resource-manager-lab
      
    • Create a policy named: ConnectionsPolicy.

      Allow dynamic-group ConnectionDynamicGroup to read secret-family in compartment oci-resource-manager-lab
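
Several of the statements above grant tenancy-wide or all-resources access, which is worth reviewing against least privilege before the policies are created. The lint below is an added example, not part of the original tutorial; the function names, finding codes and the sample statements (adapted from the policies above) are assumptions of this example.

```sh
#!/bin/sh
# Added example: least-privilege lint for OCI IAM policy statements.
# Reads one statement per line on stdin, prints "<line>:<CODE>:<statement>".
lint_policy() {
  n=0
  while IFS= read -r stmt; do
    n=$((n + 1))
    # Lower-case and collapse whitespace for matching; report the original.
    lower=$(printf '%s\n' "$stmt" | tr '[:upper:]' '[:lower:]' |
      sed 's/[[:space:]][[:space:]]*/ /g; s/^ //; s/ $//')
    [ -n "$lower" ] || continue
    # Expected shape: Allow <subject> to <verb> <resource-type> in <location>
    parsed=$(printf '%s\n' "$lower" |
      sed -n 's/^allow .* to \([a-z]*\) \([a-z-]*\) in \(.*\)$/\1|\2|\3/p')
    if [ -z "$parsed" ]; then
      echo "$n:UNPARSED:$stmt"
      continue
    fi
    verb=${parsed%%|*}; rest=${parsed#*|}
    rtype=${rest%%|*}; loc=${rest#*|}
    case "$loc" in
      tenancy | tenancy\ *) scope=tenancy ;;
      compartment\ *) scope=compartment ;;
      *) scope=unknown; echo "$n:NO_LOCATION_KEYWORD:$stmt" ;;
    esac
    if [ "$rtype" = all-resources ]; then
      echo "$n:ALL_RESOURCES:$stmt"
    fi
    if [ "$scope" = tenancy ] && [ "$verb" = manage ]; then
      echo "$n:TENANCY_MANAGE:$stmt"
    fi
    if [ "$scope" = tenancy ] && [ "$rtype" = secret-family ]; then
      echo "$n:TENANCY_SECRETS:$stmt"
    fi
  done
  return 0
}

# Constructed sample, adapted from the policy statements in this tutorial.
sample_policy() {
  cat <<'EOF'
Allow dynamic-group DeployDynamicGroup to manage all-resources in oci-resource-manager-lab
Allow dynamic-group BuildPipelineDynamicGroup to read secret-family in tenancy
Allow dynamic-group BuildPipelineDynamicGroup to manage virtual-network-family in tenancy
Allow group oci-devops-users to manage repos in compartment oci-resource-manager-lab
EOF
}

sample_policy | lint_policy
```

Each finding is a prompt to check whether the grant can be narrowed to the lab compartment or to a lower verb, not a verdict that the statement is wrong.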
      

Task 2: Set up the Vault and Registry

  1. Create the following OCI Registry for Docker images and Helm charts. For more information, see OCI Registry.

    Repo Name
    go-login (private)
    go-microservice (private)
    airflow-helm/airflow (private)
    helm-go-login/chart-go-login (private)
    helm-go-microservices/chart-go-microservice (private)

    • Take note of your registry namespace; it will be required later.

  2. Create an auth token for your user so that you can pull and push Helm charts on the OCI Registry.

    Note: We already provided the IAM policy for group oci-devops-users to manage repos in compartment oci-resource-manager-lab. Make sure you use a user that belongs to the group oci-devops-users.

    • Go to your user page on the Oracle Cloud console.

    • Create an auth token and take note of it. The token is shown only once. We will safely store this token in the vault for future use in the DevOps build pipeline.

  3. Create a vault and store the auth token and other secrets. For more information, see OCI Vault.

    • After creation is completed, click on the vault and create the master encryption keys.

    • Click on secrets and add the following secrets.

      Secret Name   Value
      OCIRUser      registrynamespace/username
      OCIRToken     auth_token_you_just_created

    Tip: You need to get the namespace from your OCI registry repo.

Task 3: Prepare the OCI DevOps project

  1. A notification topic is needed for any OCI DevOps project, so we must create it first. To create a notification topic, click here.

  2. Create a new DevOps Project. To create a DevOps project, click here.

    Note: Remember to click Enable log in order to run build pipelines.

  3. Create and set up the code repository for microservices. There are two microservices we will use for this tutorial.

    Repo Name          Info
    go-login           Golang project to generate a JWT token
    go-microservice    Golang code to call resources on OCI using SDK

    • The code is ready and available for download in the steps below.

    • Go to DevOps service home page, select Developer Services, and then select Projects.

    • Select the DevOps project you created earlier and click Code Repositories.

    • Click Create repository and create the repo for go-login.

    Note: Repeat Step 3 and create the go-microservice repository.

  4. Set up Git credentials on your bastion jump-box. You need to set up the SSH configuration file on your bastion virtual machine to be able to clone Git repositories. Go to your bastion jump-box shell and proceed with the instructions below.

    • Check if your keys are there (you created them during OCI CLI setup).

      ls -lrt ~/.oci
      

      Note: You should have the keys if you’ve completed the previous steps in this tutorial series. If you don’t have them, follow the instructions to set up your OCI CLI.

    • Create the file ~/.ssh/config with the following contents, setting your user name and key location.

      Host devops.scmservice.*.oci.oraclecloud.com
      User your_devops_user@your_tenant_name
      IdentityFile ~/.oci/oci_api_key.pem
      PubkeyAcceptedKeyTypes=+ssh-rsa
      
    • Restrict the permissions on your ~/.ssh/config.

      chmod 600 ~/.ssh/config
      

  5. Populate your OCI repository with the lab go-login code.

    • Get the URL from the repository you created by clicking on the “clone” option.

    • Get the go-login-package.zip file and unzip it inside your OCI go-login cloned repository location.
      You must replace the string YOUR_SSH_CLONE_URL with the URL you got from the clone option in the previous step.

      cd $HOME
      git clone <YOUR_SSH_CLONE_URL>
      cd go-login  
      wget https://docs.us.oracle.com/en/learn/resource-manager-airflow-oke-part3/files/go-login-package.zip
      unzip go-login-package.zip
      rm go-login-package.zip
      git add .
      git commit -m "initial load" 
      git push 
      

      This will upload go-login code to your own repository in OCI.

  6. Populate your OCI repository with the lab go-microservice code.

    • Get the URL from the repository you created by clicking on the “clone” option.

    • Get the go-microservice-package.zip file and unzip it inside your OCI go-microservice cloned repository location.
      You must replace the string YOUR_SSH_CLONE_URL with the URL you got from the clone option in the previous step.

      cd $HOME
      git clone <YOUR_SSH_CLONE_URL>
      cd go-microservice  
      wget https://docs.us.oracle.com/en/learn/resource-manager-airflow-oke-part3/files/go-microservice-package.zip
      unzip go-microservice-package.zip
      rm go-microservice-package.zip
      git add .
      git commit -m "initial load" 
      git push 
      

      This will upload go-microservice code to your own repository in OCI.
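
Step 4 reuses the OCI API signing key as the Git SSH identity, so both ~/.ssh/config and the key it names should be accessible only by their owner. The audit below is an added example, not part of the original tutorial; the function names and output format are assumptions of this example.

```sh
#!/bin/sh
# Added example: audit an ssh client config and the private keys it names.
# Prints "LOOSE:<path>:<mode>" or "MISSING:<path>" for each problem found.

# True when group and other have no permission bits (ls mode chars 5-10).
is_private() {
  [ "$(ls -ldL "$1" | cut -c5-10)" = "------" ]
}

audit_ssh_config() {
  cfg=$1
  home=${2:-$HOME}   # base directory used to expand a leading "~/"
  {
    printf '%s\n' "$cfg"
    # Collect IdentityFile values (separator may be whitespace or "=").
    # Simplification: only the IdentityFile/identityfile spellings are matched.
    sed -n -e 's/[[:space:]]*$//' \
      -e 's/^[[:space:]]*[Ii]dentity[Ff]ile[[:space:]=][[:space:]=]*//p' "$cfg"
  } | while IFS= read -r path; do
    # Replace a leading "~/" (two characters) with the home directory.
    case "$path" in "~/"*) path="$home/${path#??}" ;; esac
    if [ ! -e "$path" ]; then
      echo "MISSING:$path"
    elif ! is_private "$path"; then
      echo "LOOSE:$path:$(ls -ldL "$path" | cut -c1-10)"
    fi
  done
  return 0
}

# Audit the current user's config when one exists.
if [ -f "$HOME/.ssh/config" ]; then
  audit_ssh_config "$HOME/.ssh/config"
fi
```

No output means the config and every key it references are private to the owner, which is what chmod 600 in step 4 establishes for the config file.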

Next Step

To proceed to the next tutorial in this learning path, click here.

Acknowledgments
