Six Virtual Developer Meetups
Cloud Native Application Development on Oracle Cloud Platform
Recordings are on YouTube: bit.ly/real-utube
http://bit.ly/real-oci
Wednesday July 8th – Cloud Operations
Monitoring | Vault | Infrastructure as Code | Terraform | Resource Manager | Logging
Hear
See
Do
Native Application Development
Touring
Oracle Cloud
services
for cloud native
application
development
Introduction
Demonstration
Guided Handson Labs
Q&A
All sessions are recorded and will be available for replay
http://bit.ly/real-oci
Preparation for the
Katacoda Hands-On Labs
• Arrange access to Oracle Cloud Infrastructure
Tenancy
• Existing or new OCI Cloud Trial
• Existing OCI tenancy
• Go to http://bit.ly/real-oci
home of the REAL Katacoda scenarios for OCI
• Run First Scenario to prepare the OCI tenancy
for REAL Katacoda OCI Scenarios
• Provision an OCI compartment and some
resources
• Prepare auth token, key pair and config file
for using the OCI CLI in other scenarios
Go http://bit.ly/real-oci
Cloud Trial as Registered Webinar Attendee
• Sign up for Cloud Trial with the same email address as used for webinar registration
• Use a company email address (not gmail or hotmail); do not use an address already used for an Oracle Cloud Trial
• Do not use credit card – because email is whitelisted (as of tomorrow, June 11th)
• You will get
• $500 credits on (discounted) Oracle cloud services
• Access to always Free Tier
cloud.oracle.com/tryit
The Prepared Tenancy
Compartment – lab-compartment
VCN
vcn-lab
API Gateway
lab-apigw
Stream
lab-stream
Public Subnet-
vcn-lab
Private Subnet-
vcn-lab
IGW
Dynamic Group
lab-apigw-
dynamic-group
policies
Security
Group
Tag Namespace
lab-tags
[Diagram: OCI services for cloud native application development – OKE (Managed Kubernetes), Functions, API Gateway, Digital Assistant, Object Storage, NoSQL Database, Streaming, Health Check, Monitoring, Alarms, Notifications, Container, ID & Access Management, Compartments, API/Service, Tagging, Search, Resource Manager, Logging, Compute, Events, OCIR, Alarming, Telemetry/Monitoring, Healthcheck, Vault]
Focus on
• Monitoring
• Healthcheck
• Metrics Collection, Reporting and Exploring
• Alarms (& Notifications)
• Logging
• Audit
• Vault – Management of Keys and Secrets
• OCI SDK for TypeScript/JavaScript/Node
• Infrastructure as Code
• OCI Terraform Provider
• Resource Manager
Vault
Telemetry/
Monitoring
Healthcheck
Notifications
Logging
Alarming
Resource
Manager
Part 5 of the REAL Webinars on Oracle Cloud Native Application Development - Cloud Operations on OCI (July 2020)
Monitoring
• Aggregated Metrics
• Analyze number and performance of actions
• Alarms
• Trigger notification when condition is observed
• Notifications
• Send email or call WebHook, Slack, PagerDuty or Function
• Triggered by Alarm or by direct API call
Monitoring – Health Checks
• Verify through the eyes of an external client whether endpoints are available and respond quickly and well
• Periodic or Adhoc call to an endpoint
• HTTP(S) or Ping
• Specify Headers
• Specify Interval (30 secs minimum)
• From selected Vantage Points
• 3rd party clouds, geographic location
• Health Check results can be inspected
through Service Explorer and analyzed by Alarms
Healthcheck on “healthprobe” script that tries to connect to Database when HTTP invoked
Monitoring – Health Checks –
as crude function scheduler
• OCI does not currently have a way to schedule jobs
• Health Checks are scheduled HTTP(S) requests
• Available intervals: 30 secs, 1, 5, 10 and 15 minutes
Oracle Cloud Infrastructure
API Gateway
/fn
Function
hello
API deployment
/hello
OCI Monitoring
Healthcheck
Check Hello
Health Checks on (hot) Functions
• Health Checks can regularly check on Functions
• And in doing so keep them ‘hot’
API Gateway
/hello1
/hello2
Function
hello1
OCI Monitoring
Healthcheck
Check Hello1
Function
hello2
OCI Monitoring
Healthcheck
Check Hello2
5 min
15
min
Scenario: Alarms on Health Checks on
Functions
API Gateway
/hello1
/hello2
Function
hello1
OCI Monitoring
Healthcheck
Check Hello1
Function
hello2
OCI Monitoring
Healthcheck
Check Hello2
5 min
15
min
metrics
Alarm on
HTTP.TotalDuration
metrics
Alarm on
HTTP.TotalDuration
Notification
Topic
Logging
• Currently in Preview
• All OCI Log Files are collected
and retained
• At least 90 days
• Log Files can be combined and
searched
• Similar to Elastic Search
Audit
• All OCI REST API calls are recorded in audit logs
• Each action on an OCI resource is described by an Audit Event
(which is a CNCF Cloud Event):
• What
• On Which Resource and in which OCI context
• Through which service
• When
• Who
• Request
• Result
• Audit Logs can be explored
• A bulk export of audit details can be requested from
Oracle
• Retention time (default) 90 days
• Can be extended up to 365 days
• Note: Audit logs of OCI API calls can be used as a developer tool to check whether calls were made and which ones
Audit Log
Message
Why and What a Katacoda Scenario
for Healthchecks Metrics Monitoring, Alarms and
Notifications
• In order to ensure successful operation of cloud native
applications – production, collection and analysis of metrics is
needed (technical as well as custom functional metrics)
• Automated interpretation of critical metrics resulting in
automated notifications and/or actions is desired
• Check health of endpoints and resources – to make sure they
can handle real workloads – from real user’s vantage point
• Perform actions on OCI and collect corresponding metrics
• Explore metrics
• Define Alarm, have it publish to Notification Topic & send email
• Raise alarm with exception activities
• Publish, Explore, Alarm Custom (functional?) Metrics
Vault – Manage Keys and Secrets
• Vault
• Imports or generates and manages Keys
• Encrypts and Decrypts data using the Keys
• Vault succeeds/includes OCI Key Management Service
Share Very Private Details in quite Public Way
Very Private
Details
Encrypt
using Key
Hand over (in insecure way)
Have Vault decrypt very private details (and make great use of them)
Decrypted, readable text
is available in
component that has
access to OCI Key API
Vault – Manage Keys and Secrets
• Vault
• Imports or generates and manages Keys
• Encrypts and Decrypts data using the Keys
• Vault succeeds/includes OCI Key Management Service
• Secrets
• Secrets can be credentials such as passwords,
certificates, SSH keys, or authentication tokens
for third-party cloud services that you use
with Oracle Cloud Infrastructure services
• Or anything that you want safely stored and
accessible in a central location
• Secret management includes expiry date,
version control, access management
Vault
• Vault can be default (free) or virtual private
• A virtual private vault ($$$) is an isolated partition on a hardware security
module (HSM) that ensures the security and integrity of the encryption keys
and secrets that are
stored in the vault.
• Default Vaults
share partitions on
the HSM with
other vaults.
OCI SDK for TypeScript | JavaScript | Node
• Open source NPM module oci-sdk
• Source on GitHub
• Require the libraries needed
• Configure AuthenticationProvider
• Create Service Client
and Invoke operations
OCI REST APIs
Resource
Resource
Resource
API/Service
Virtual
Machine Database
System
Buckets
Object
Storage DBaaS
Compute
Vault
OCI CLI SDK Terraform
Provider
Resource Principal
• Define a Dynamic Group
• Define Rules to select Resources that are
to be included in the group
• Define Policies to grant privileges to members of the group
• When a Function is in a Dynamic Group, it inherits the privileges and
becomes “Resource Principal enabled”
• a series of environment variables is available from within the RP enabled function:
• OCI_RESOURCE_PRINCIPAL_RPST: the path to a file containing the Remote
Principal Session Token (RPST) - formatted as a JWT and with claims that identify
the tenancy and compartment that the function resides within
• OCI_RESOURCE_PRINCIPAL_PRIVATE_PEM : the path to a private key that we'll also
use to sign our request
Dynamic
Group
Rule
Policy
Function as Resource Principal that reads
secrets within a compartment
OCI REST APIs
Resource
Vault
Secrets
Function
Dynamic
Group
Rule
Policy
pem rpst
Secret
Why and What a Katacoda Scenario
for Vault, Keys, Secrets and Resource Principal
• Vault is a fairly new, widely usable service on OCI
• Any application that requires strong encryption & decryption
capabilities can benefit from Vault
• Secrets are essential in all but the most trivial applications;
Vault manages secrets in a convenient, safe manner
• Credentials for databases and (3rd party) services can be safely
managed outside code and configuration files
• Create a Vault (of type Default)
• Generate a Key and do some Encryption & Decryption
• Store a Secret
• Retrieve the Secret – through OCI CLI and from a Node app
• Using the OCI SDK for TypeScript | Node | JavaScript
• Create Resource Principal enabled Function that reads a secret
Infra as Code
Resource definitions
• Tool (editor, generator) Support
• Reuse (modules/libraries)
• Version Control (compare/merge)
• Declarative language for describing
resources in a structured way
(evolving along with the resources
supported by the platform)
Infra as Code
Resource definitions
Variables/Config Settings
“engine”
Cloud Resources
• No manual changes
• Automated (triggered, executed)
• Fairly quick
• Consistent (once correct, always correct)
• Plus:
• Detect Drift
• Patch existing resources
• Recover/fail over failed resource
• Tool (editor, generator) Support
• Reuse (modules/libraries)
• Version Control (compare/merge)
• Declarative language for describing
resources in a structured way
(evolving along with the resources
supported by the platform)
Infra as Code:
Terraform on OCI
Resource definitions
Variables/Config Settings
Terraform
plus OCI
Provider
Oracle Cloud
Infrastructure
Resources
OCI config and
Private Key
Buckets
Environment Variables
Namespace, Compartment Id, Bucket Name
Run in Plan, Apply
and Destroy mode
OCI Resource Manager,
Stacks and Jobs
• Stacks are Terraform configurations
• Uploaded to OCI
• Custom Stacks (user defined) and
Sample Solution Stacks (Oracle defined)
• Such as Autonomous Database, Compute Instance, …
• Stacks can easily be edited, exported, shared, …
• Use schema.yaml to define variable details – conditions, defaults, LOVs
• A Stack is configured – all its input variables are set
• Jobs can be run on a Stack: to plan, apply and destroy
• Jobs retain logs of Terraform activity
• Resource Manager manages stacks and jobs
• Support for Remote Exec(ute) to execute script(s) on a remote host
such as on a VM that has been provisioned
Why and What a Katacoda Scenario for Automation:
Infra as Code – Terraform Provider & Resource Manager
• Automation is a crucial part of cloud native applications and of
true agile DevOps
• We want to treat both applications and platform/infra resources
in the same code centric way (development, versioning,
pipelines)
• OCI Resources can be created and synchronized from
declarative code based descriptions: Terraform templates
• Prepare a Terraform environment with OCI provider and
configuration for your OCI Tenancy
• Create a simple Terraform configuration and use it to create,
manage and finally destroy resources
• Use Terraform to create and invoke a Function
• Get introduced to OCI Resource Manager, Jobs and Stacks
Q&A
and
Live Handson
Ask your questions
in the Zoom Q&A
Window
Get your Cloud
Trial:
We will stay
online for the
next hour to help
you out with
handson
challenges http://bit.ly/real-oci
cloud.oracle.com/tryit
Recordings are on YouTube: bit.ly/real-utube
OCI REST APIs
Resource
Buckets
Object
Storage
Function
Dynamic
Group
Rule
Policy
pem rpst

Part 5 of the REAL Webinars on Oracle Cloud Native Application Development - Cloud Operations on OCI (July 2020)

  • 1. Six Virtual Developer Meetups Cloud Native Application Development on Oracle Cloud Platform Recordings are on YouTube: bit.ly/real-utube http://bit.ly/real-oci Wednesday July 8th – Cloud Operations Monitoring | Vault | Infrastructure as Code | Terraform | Resource Manager | Logging
  • 3. Touring Oracle Cloud services for cloud native application development Introduction Demonstration Guided Handson Labs Q&A All sessions are recorded and will be available for replay
  • 5. Preparation for the Katacoda Hands-On Labs • Arrange access to Oracle Cloud Infrastructure Tenancy • Existing or new OCI Cloud Trial • Existing OCI tenancy • Go to http://bit.ly/real-oci home of the REAL Katacoda scenarios for OCI • Run First Scenario to prepare the OCI tenancy for REAL Katacoda OCI Scenarios • Provision an OCI compartment and some resources • Prepare auth token, key pair and config file for using the OCI CLI in other scenarios Go http://bit.ly/real-oci
  • 6. Cloud Trial as Registered Webinar Attendee • Signup for Cloud Trial with same email address as used for webinar registration • Use a company email address (not gmail or hotmail); do not use an address already used for an Oracle Cloud Trial • Do not use credit card – because email is whitelisted (as of tomorrow, June 11th) • You will get • $500 credits on (discounted) Oacle cloud services • Access to always Free Tier cloud.oracle.com/tryit
  • 7. The Prepared Tenancy Compartment – lab-compartment VCN vcn-lab API Gateway lab-apigw Stream lab-stream Public Subnet- vcn-lab Private Subnet- vcn-lab IGW Dynamic Group lab-apigw- dynamic-group policies Security Group Tag Namespace lab-tags
  • 8. OKE – Managed Kubernetes Functions API Gate way Digital Assistant Object Storage NoSQL Database Streaming Health Check Monitoring Alarms Notifi- cations Container Container ID & Access Management Compartments API/ServiceTagging Search Resource Manager Logging Compute Events OCIR Notifications AlarmingLogging Telemetry/ MonitoringHealthcheck Streaming Object Storage Vault
  • 9. OKE – Managed Kubernetes Functions API Gate way Digital Assistant Object Storage NoSQL Database Streaming Health Check Monitoring Alarms Notifi- cations Container Container ID & Access Management Compartments API/ServiceTagging SearchResource Manager Logging Compute Events OCIR Notifications Alarming Logging Telemetry/ Monitoring Healthcheck Streaming Object Storage Vault
  • 10. Focus on • Monitoring • Healthcheck • Metrics Collection, Reporting and Exploring • Alarms (& Notifications) • Logging • Audit • Vault – Management of Keys and Secrets • OCI SDK for TypeScript/JavaScript/Node • Infrastructure as Code • OCI Terraform Provider • Resource Manager Vault Telemetry/ Monitoring Healthcheck Notifications Logging Alarming Resource Manager
  • 14. Monitoring • Aggregated Metrics • Analyze number and performance of actions • Alarms • Trigger notification when condition is observed • Notifications • Send email or call WebHook, Slack, PagerDuty or Function • Triggered by Alarm or by direct API call
  • 15. Monitoring – Health Checks • Verify through the eyes of an external client if endpoints are available and respond quick and well • Periodic or Adhoc call to an endpoint • HTTP(S) or Ping • Specify Headers • Specify Interval (30 secs minimum) • From selected Vantage Points • 3rd party clouds, geographic location • Health Check results can be inspected through Service Explorer and analyzed by Alarms
  • 19. Monitoring – Health Checks – as crude function scheduler • OCI does not currently have a way to schedule jobs • Health Checks are scheduled HTTP(S) requests • Available intervals: 30 secs, 1, 5, 10 and 15 minutes Oracle Cloud Infrastructure API Gateway /fn Function hello API deployment /hello OCI Monitoring Healthcheck Check Hello
  • 20. Health Checks on (hot) Functions • Health Checks can regularly check on Functions • And in doing so keep them ‘hot’ API Gateway /hello1 /hello2 Function hello1 OCI Monitoring Healthcheck Check Hello1 Function hello2 OCI Monitoring Healthcheck Check Hello2 5 min 15 min
  • 21. Scenario: Alarms on Health Checks on Functions API Gateway /hello1 /hello2 Function hello1 OCI Monitoring Healthcheck Check Hello1 Function hello2 OCI Monitoring Healthcheck Check Hello2 5 min 15 min metrics Alarm on HTTP.TotalDuration metrics Alarm on HTTP.TotalDuration Notification Topic
  • 22. Logging • Currently in Preview • All OCI Log Files are collected and retained • At least 90 days • Log Files can be combined and searched • Similar to Elastic Search
  • 25. Audit • All OCI REST API calls are recorded in audit logs • Each action on an OCI resource is described by an Audit Event (which is a CNCF Cloud Event): • What • On Which Resource and in which OCI context • Through which service • When • Who • Request • Result • Audit Logs can be explored • A bulk export of audit details can be requested from Oracle • Retention time (default) 90 days • Can be extended up to 365 days • Note: Audit logs of OCI API calls can be used as a developer tool of if and what calls were made
  • 28. Why and What a Katacoda Scenario for Healthchecks Metrics Monitoring, Alarms and Notifications • In order to ensure successful operation of cloud native applications – production, collection and analysis of metrics is needed (technical as well as custom functional metrics) • Automated interpretation of critical metrics resulting in automated notifications and/or actions is desired • Check health of endpoints and resources – to make sure they can handle real workloads – from real user’s vantage point • Perform actions on OCI and collect corresponding metrics • Explore metrics • Define Alarm, have it publish to Notification Topic & send email • Raise alarm with exception activities • Publish, Explore, Alarm Custom (functional?) Metrics
  • 30. Vault – Manage Keys and Secrets • Vault • Imports or generates and manages Keys • Encrypts and Decrypts data using the Keys • Vault succeeds/includes OCI Key Management Service
  • 31. Share Very Private Details in quite Public Way Very Private Details Encrypt using Key Hand over (in insecure way) Have Vault decrypt very private details (and make great is of them) Decrypted, readable text is available in component that has access to OCI Key API
  • 32. Vault – Manage Keys and Secrets • Vault • Imports or generates and manages Keys • Encrypts and Decrypts data using the Keys • Vault succeeds/includes OCI Key Management Service • Secrets • Secrets can be credentials such as passwords, certificates, SSH keys, or authentication tokens for third-party cloud services that you use with Oracle Cloud Infrastructure services • Or anything that you want safely stored and accessible in a central location • Secret management includes expiry date, version control, access management
  • 33. Vault • Vault can be default (free) or virtual private • A virtual private vault ($$$) is an isolated partition on a hardware security module (HSM) that ensures the security and integrity of the encryption keys and secrets that are stored in the vault. • Default Vaults share partitions on the HSM with other vaults.
  • 34. OCI SDK for TypeScript | JavaScript | Node • Open source NPM module oci-sdk • Source on GitHub • Require the libraries needed • Configure AuthenticationProvider • Create Service Client and Invoke operations OCI REST APIs Resource Resource Resource API/Service Virtual Machine Database System Buckets Object Storage DBaaS Compute Vault OCI CLI SDK Terraform Provider
  • 35. Resource Principal • Define a Dynamic Group • Define Rules to select Resources that are to be included in the group • Define Policies to grant privileges to members of the group • When a Function is in a Dynamic Group, it inherits the privileges and becomes “Resource Principal enabled” • a series of environment variables is available from within the RP enabled function: • OCI_RESOURCE_PRINCIPAL_RPST: the path to a file containing the Remote Principal Session Token (RPST) - formatted as a JWT and with claims that identify the tenancy and compartment that the function resides within • OCI_RESOURCE_PRINCIPAL_PRIVATE_PEM : the path to a private key that we'll also use to sign our request Dynamic Group Rule Policy
  • 36. Function as Resource Principal that reads secrets within a compartment OCI REST APIs Resource Vault Secrets Function Dynamic Group Rule Policy pem rpst Secret
  • 37. Why and What a Katacoda Scenario for Vault, Keys, Secrets and Resource Principal • Vault is a fairly new, widely usable service on OCI • Any application that requires strong encryption & decryption capabilities can benefit from Vault • Secrets are essential in all but the most trivial applications; Vault manages secrets in a convenient, safe manner • Credentials for databases and (3rd party) services can be safely managed outside code and configuration files • Create a Vault (of type Default) • Generate a Key and do some Encryption & Decryption • Store a Secret • Retrieve the Secret – through OCI CLI and from a Node app • Using the OCI SDK for TypeScript | Node | JavaScript • Create Resource Principal enabled Function that reads a secret
  • 38. Infra as Code Resource definitions • Tool (editor, generator) Support • Reuse (modules/libraries) • Version Control (compare/merge) • Declarative language for describing resources in a structured way (evolving along with the resources supported by the platform)
  • 39. Infra as Code Resource definitions Variables/Config Settings “engine” Cloud Resources • No manual changes • Automated (triggered, executed) • Fairly quick • Consistent (once correct, always correct) • Plus: • Detect Drift • Patch existing resources • Recover/fail over failed resource • Tool (editor, generator) Support • Reuse (modules/libraries) • Version Control (compare/merge) • Declarative language for describing resources in a structured way (evolving along with the resources supported by the platform)
  • 40. Infra as Code: Terraform on OCI Resource definitions Variables/Config Settings Terraform plus OCI Provider Oracle Cloud Infrastructure Resources OCI config and Private Key Buckets Environment Variables Namespace, Compartment Id, Bucket Name Run in Plan, Apply and Destroy mode
  • 41. OCI Resource Manager, Stacks and Jobs • Stacks are Terraform configurations • Uploaded to OCI • Custom Stacks (user defined) and Sample Solution Stacks (Oracle defined) • Such as Autonomous Database, Compute Instance, … • Stacks can easily be edited, exported, shared, … • Use schema.yaml to define variable details – conditions, defaults, LOVs • A Stack is configured – all its input variables are set • Jobs can be run on a Stack: to plan, apply and destroy • Jobs retain logs of Terraform activity • Resource Manager manages stacks and jobs • Support for Remote Exec(ute) to execute script(s) on a remote host such as on a VM that has been provisioned
  • 42. Why and What a Katacoda Scenario for Automation: Infra as Code – Terraform Provider & Resource Manager • Automation is a crucial part of cloud native applications and of true agile DevOps • We want to treat both applications and platform/infra resources in the same code centric way (development, versioning, pipelines) • OCI Resources can be created and synchronized from declarative code based descriptions: Terraform templates • Prepare a Terraform environment with OCI provider and configuration for your OCI Tenancy • Create a simple Terraform configuration and use it to create, manage and finally destroy resources • Use Terraform to create and invoke a Function • Get introduced to OCI Resource Manager, Jobs and Stacks
  • 43. Q&A and Live Handson Ask your questions in the Zoom Q&A Window Get your Cloud Trial: We will stay online for the next hour to help you out with handson challenges http://bit.ly/real-oci cloud.oracle.com/tryit Recordings are on YouTube: bit.ly/real-utube

Editor's Notes

  • #37: https://github.com/oracle/oci-typescript-sdk https://www.npmjs.com/package/oci-sdk
  • #38: When RP auth is enabled for a function, there will be a series of environment variables available from within the function. We're concerned with two of those variables to help us sign our request, the first of which is OCI_RESOURCE_PRINCIPAL_RPST, which contains the path on the machine to a file containing the Remote Principal Session Token (RPST). This token is formatted as a JWT and contains claims that identify the tenancy and compartment that the function resides within. We'll ultimately parse the RPST to retrieve those claims and use the RPST to sign the request later on, but for now, just read the token into a variable. The second variable is OCI_RESOURCE_PRINCIPAL_PRIVATE_PEM, and it contains the path to a private key that we'll also use to sign our request. https://blogs.oracle.com/developers/resource-principal-auth-with-nodejs-for-easy-oci-rest-api-access-from-your-oracle-functions
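
The Resource Principal slides and the note on them describe reading the RPST from the path in OCI_RESOURCE_PRINCIPAL_RPST and parsing its JWT claims. The Node sketch below is an added example, not code from the deck or from Oracle: it decodes the claims, rejects an expired token and returns only non-secret metadata. The claim names `res_tenant` and `res_compartment`, the helper names and the sample OCIDs are assumptions; the sample token is constructed.

```javascript
const fs = require('fs');
const os = require('os');
const path = require('path');

// Decode (not verify) the claims segment of a JWT-formatted RPST.
// The claims are used only to scope later requests, never as proof of identity.
function decodeClaims(jwt) {
  const parts = jwt.trim().split('.');
  if (parts.length !== 3) throw new Error('RPST is not a three-part JWT');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Read the token file named by OCI_RESOURCE_PRINCIPAL_RPST and return
// metadata that is safe to log; the token and key contents are never returned.
function loadResourcePrincipal(env = process.env, nowSec = Math.floor(Date.now() / 1000)) {
  const rpstPath = env.OCI_RESOURCE_PRINCIPAL_RPST;
  const pemPath = env.OCI_RESOURCE_PRINCIPAL_PRIVATE_PEM;
  if (!rpstPath || !pemPath) throw new Error('function is not Resource Principal enabled');
  const claims = decodeClaims(fs.readFileSync(rpstPath, 'utf8'));
  // A session token is short-lived: fail closed instead of signing with a stale one.
  if (typeof claims.exp !== 'number' || claims.exp <= nowSec) {
    throw new Error('RPST expired; re-read the token file');
  }
  return {
    tenancyId: claims.res_tenant,          // assumed claim name
    compartmentId: claims.res_compartment, // assumed claim name
    expiresInSec: claims.exp - nowSec,
    privateKeyPath: pemPath,               // the path only, not the key material
  };
}

// Constructed sample: writes a fake RPST to a temp file and returns an env
// object shaped like the one an RP-enabled function would see.
function makeSampleEnv(exp) {
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  const payload = {
    res_tenant: 'ocid1.tenancy.oc1..exampletenancy',
    res_compartment: 'ocid1.compartment.oc1..examplecompartment',
    exp,
  };
  const token = [b64({ alg: 'RS256' }), b64(payload), 'constructed-signature'].join('.');
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'rpst-'));
  const rpstFile = path.join(dir, 'rpst');
  fs.writeFileSync(rpstFile, token, { mode: 0o600 });
  return {
    OCI_RESOURCE_PRINCIPAL_RPST: rpstFile,
    OCI_RESOURCE_PRINCIPAL_PRIVATE_PEM: path.join(dir, 'private.pem'),
  };
}
```

Decoding the payload does not validate the signature; the OCI service that receives the signed request performs that check.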