diff --git a/docs-source/spring/content/infrastructure/database/_index.md b/docs-source/spring/content/infrastructure/database/_index.md new file mode 100644 index 000000000..54b770638 --- /dev/null +++ b/docs-source/spring/content/infrastructure/database/_index.md 
@@ -0,0 +1,110 @@ +--- +title: "Database" +description: "Database Options and Configuration" +keywords: "database spring springboot microservices oracle" + +--- +The Oracle Backend for Spring Boot and Microservices uses the Oracle Database as a persistent data store for metadata and the Spring Cloud Config Server. This documentation will refer to this database as the **Metadata Database**. + +> **NOTE:** Oracle recommends that you install an addition Container Database (CDB) and Pluggable Databases (PDBs) for your production applications inline with the Database-Per-Service pattern. This document will refer to these databases as the [**Application Database**](#application-databases). + +By default, the Oracle Autonomous Database - Serverless (ADB-S) is used for the **Metadata Database**, however, there are other options including Bring Your Own (BYO). + +The following chart presents the options for the Metadata Database, based on the installation type: + +| Installation | ADB-S | BYO ADB-S | BYO BaseDB | BYO Containerized | BYO External | +|---------------|-------|------------|------------|-------------------|--------------| +| OCI Community | x | | | | | +| OCI Standard | x | x | x | | x | +| Custom | x | x | x | x | x | + +> For **custom installations**, including on-premises, it is the responsibility of the user to ensure network access controls to provide both operational access and security. The Oracle Cloud Infrastructure (OCI) [Networking](../networking) setup can be used as a general template. + +# Bring Your Own Database - Standard Edition + +If you select the **Standard Edition** during installation, you can use a pre-created Oracle Database for the Oracle Backend for Spring Boot and Microservices **Metadata Database**. 
+ +The following are the minimum requirements for a BYO Oracle Database: + +* Version: 19c+ +* Bring Your Own Network with access to the Database Listener +* Database User with appropriate privileges (see below) + +## Database User Privileges + +The database user for the the Oracle Backend for Spring Boot and Microservices **Metadata Database** is used to create other users and allow them to proxy through this user for database access. While the `SYSTEM` or `ADMIN` (for ADB-S) will work, they are over-privileged and should not be used in production environments. + +It is recommended to create a user, in this example, named `OBAAS` with a default tablespace of `DATA`: + +```sql +CREATE USER OBAAS IDENTIFIED BY "Welcome_12345"; +ALTER USER OBAAS QUOTA UNLIMITED ON DATA; +GRANT ALTER USER TO OBAAS; +GRANT CREATE USER TO OBAAS; +GRANT CONNECT TO OBAAS WITH ADMIN OPTION; +GRANT CREATE SESSION TO OBAAS WITH ADMIN OPTION; +GRANT RESOURCE TO OBAAS WITH ADMIN OPTION; +GRANT SELECT ON DBA_USERS TO OBAAS; +GRANT CREATE ANY INDEX TO OBAAS; +GRANT ALTER ANY TABLE TO OBAAS; +GRANT COMMENT ANY TABLE TO OBAAS; +GRANT CREATE ANY TABLE TO OBAAS; +GRANT INSERT ANY TABLE TO OBAAS; +GRANT SELECT ANY TABLE TO OBAAS; +GRANT UPDATE ANY TABLE TO OBAAS; +GRANT CREATE ANY SEQUENCE TO OBAAS; +GRANT SELECT ANY SEQUENCE TO OBAAS; +GRANT CREATE ANY TRIGGER TO OBAAS; +-- Additional AQ perms +GRANT AQ_USER_ROLE TO OBAAS WITH ADMIN OPTION; +GRANT EXECUTE ON DBMS_AQ TO OBAAS WITH GRANT OPTION; +GRANT EXECUTE ON DBMS_AQADM TO OBAAS WITH GRANT OPTION; +GRANT EXECUTE ON DBMS_AQIN TO OBAAS WITH GRANT OPTION; +GRANT EXECUTE ON DBMS_AQJMS TO OBAAS WITH GRANT OPTION; +GRANT EXECUTE ON DBMS_AQJMS_INTERNAL TO OBAAS WITH GRANT OPTION; +-- Additional for PARSE +GRANT SODA_APP TO OBAAS WITH ADMIN OPTION; +GRANT CREATE TABLE TO OBAAS WITH ADMIN OPTION; +``` + +## Configuration + +1. 
During the configuration of the Oracle Backend for Spring Boot and Microservices, ensure that the **Edition** is set to **Standard**: + + ![Standard Edition](../images/standard_edition.png "Standard Edition") + +1. Enable and Configure *Bring Your Own Virtual Network* + +1. Tick the "Bring Your Own Database" checkbox and, depending on the *Bring Your Own Database - Type*, provide the appropriate values. + +### Autonomous Database - Serverless (ADB-S) + + - `BYO ADB-S Compartment` : The compartment of the existing ADB-S. + - `Bring Your Own Database - Autonomous Database` : The ADB-S name (this will automatically translate the name to an OCID). + - `Bring Your Own Database - Username` : The existing database user with the appropriate privileges. + - `Bring Your Own Database - Password` : The password for the existing database user. + + ![Bring Your Own Database - ADB-S](./images/byo-db-adb-s.png "Bring Your Own Database - ADB-S") + +### Other + + - `Bring Your Own Database - Connect String` : The connect string for the database (PDB) in Long Format. + - `Bring Your Own Database - Username` : The existing database user with the appropriate privileges. + - `Bring Your Own Database - Password` : The password for the existing database user. + + ![Bring Your Own Database - Other](./images/byo-db-other.png "Bring Your Own Database - Other") + + The *Connect String* should be in Long Format, for example: + ```bash + (DESCRIPTION=(ADDRESS=(host=oracle://somedb.example.com)(protocol=TCP)(port=1521)) + (CONNECT_DATA=(SERVICE_NAME=orclpdb))) + ``` + +# Application Databases + +Oracle recommends that additional pluggable databases are used for your applications, following the database-per-service microservice pattern. However, the **Metadata Database** can be used, especially for development purposes, with a schema-per-service model. 
+ +The [Oracle Database Operator for Kubernetes](https://github.com/oracle/oracle-database-operator) is provided with the Oracle Backend for Spring Boot and Microservices and can be used: +* Bind to additional ADB-S +* Bind to an OCI BaseDB and create PDBs +* Create a Single Instance Container Database in the Kubernetes Cluster \ No newline at end of file diff --git a/docs-source/spring/content/infrastructure/database/images/byo-db-adb-s.png b/docs-source/spring/content/infrastructure/database/images/byo-db-adb-s.png new file mode 100644 index 000000000..5a7eedb04 Binary files /dev/null and b/docs-source/spring/content/infrastructure/database/images/byo-db-adb-s.png differ diff --git a/docs-source/spring/content/infrastructure/database/images/byo-db-other.png b/docs-source/spring/content/infrastructure/database/images/byo-db-other.png new file mode 100644 index 000000000..041bde170 Binary files /dev/null and b/docs-source/spring/content/infrastructure/database/images/byo-db-other.png differ diff --git a/docs-source/spring/content/infrastructure/images/standard_edition.png b/docs-source/spring/content/infrastructure/images/standard_edition.png new file mode 100644 index 000000000..8405262b9 Binary files /dev/null and b/docs-source/spring/content/infrastructure/images/standard_edition.png differ diff --git a/docs-source/spring/content/infrastructure/networking/_index.md b/docs-source/spring/content/infrastructure/networking/_index.md new file mode 100644 index 000000000..b5f73534f --- /dev/null +++ b/docs-source/spring/content/infrastructure/networking/_index.md 
@@ -0,0 +1,131 @@ +--- +title: "Networking" +description: "Networking Options and Configuration" +keywords: "network spring springboot microservices oracle" +--- +The Oracle Backend for Spring Boot and Microservices has specific networking requirements to ensure resource communication while providing security through isolation and networking rules. + +The **standard installation** will provision a new Virtual Cloud Network (VCN) with the required subnets and all networking rules to get you started using the Oracle Backend for Spring Boot and Microservices quickly. To use an existing VCN, please follow the [Bring Your Own VCN](#bring-your-own-oci-vcn) instructions. + +> For **custom installations**, including On-Premises, it is the responsibility of the customer to ensure network access controls to provide both operational access and security. The Oracle Cloud Infrastructure (OCI) **standard installation** setup can be used as a general template. + +# Network Infrastructure Overview + +![OCI Network Infrastructure](images/network_infra.png "OCI Network Infrastructure") + +## OCI Network Infrastructure + +All infrastructure resources are split between two subnets: one public and one private subnet with access restricted by Network Security Groups (Firewalls). All access is blocked by default with specific IP and port opened, as documented below, for proper operation. + +> Note minimum CIDRs are based on an Oracle Cloud Infrastructure (OCI) deployments. Other cloud vendors reserve usable IPs within a CIDR reducing the usable IPs that can be used by the infrastructure. + +### Public Subnet + +The public subnet allows external access to the Oracle Backend for Spring Boot and Microservices resources. Ingress/Egress to the public subnet and from the Internet is provided by an Internet Gateway. + +At a minimum, the public subnet requires two usable IP Addresses. In OCI this equates to a 30-bit network identifier (`/30`). 
+ +ICMP traffic is allowed between the public and private Subnets for resource discovery. + +> **NOTE**: Resources within the public subnet are not inherently accessible from the internet. The public subnet *allows* the resources in it to obtain a public IP address, however assigning a public IP is not required. When a public IP is not assigned to the resource, it is only accessible from within the subnet itself. All access to resources in the public subnet are restricted by configurable Network Security Groups (Firewalls). + +#### Load Balancer + +An external Load Balancer is used in conjunction with Ingress resources to expose Services to the internet. Ingress to the Load Balancer should be restricted by CIDR and ports (default: `0.0.0.0/0`; `80`,`443`). All TLS communications terminate at the LoadBalancer. For more information on the certificate for TLS, please see [OCI Load Balancer TLS Certificate Setup](#oci-loadbalancer-tls-certificate-setup). + +#### Kubernetes API Endpoint + +The Kubernetes API Endpoint, within the Control Plane, is used to manage the Kubernetes Cluster as well as providing access to Kubernetes services that are not exposed to the Load Balancer via Port Forwarding. Ingress to the Endpoint is restricted to port `6443` and should be further restricted by CIDR (default: `0.0.0.0/0`). + +In Oracle Cloud Infrastructure (OCI), the Oracle Kubernetes Engine (OKE) Control Plane is allowed egress to OCI services via port `443`. Access to these services are required for the OKE Managed Control Plane. + +### Private Subnet + +The private subnet isolates its resources from direct external access by prohibiting the allocation of public IP address to those resources. Ingress to resources in the private subnet is restricted to the Load Balancer and Kubernetes API Endpoint via specific Network Security Group (Firewall) rules. 
Optionally, a Bastion Service, within the Private subnet, can provide additional non-restricted access to the resources in the private subnet. + +Egress to the Internet is provided by a NAT Gateway, while Egress to other Cloud Services (such as a Container Repository) is provided by a Service Gateway. + +The CIDR of the Private Subnet is dependent on the number of Kubernetes Work Nodes and other resources, such as databases. It is recommended to specify a CIDR providing at least six usable IP Addresses. In OCI, this equates to a 29-bit network identifier (`/29`). + +ICMP traffic is allowed between the public and private subnets for resource discovery. + +#### Kubernetes Worker Nodes + +The worker nodes are allowed to communicate with other worker nodes on all ports. + +#### Worker Nodes and Load Balancer + +The Worker Nodes and Load Balancer are allowed to communicate on port `10256` for Health Check/Availability purposes and ports `30000-32767` for forwarding external internet access to exposed services. + +#### Worker Nodes and Kubernetes API Endpoint + +Worker Nodes are allowed to communicate with the API Endpoint on port `6443`. + +#### Worker Nodes and Control Plane + +The Kubernetes Control Plane is allowed to communicate to Worker Nodes on all ports. The Worker Nodes are allowed to communicate with the Control Plane on port `12250`. + +#### Oracle Database + +It is recommended to place the Oracle Databases inside the Private Subnet. Worker Nodes and the Oracle Database will be allowed to communicate freely within the Private Subnet. + +When using the Oracle Autonomous Database (ADB), it can either be placed in the Private Subnet with a *Private Endpoint*, or outside the Virtual Cloud Network with *Secured Access*. When the ADB is configured for *Secured Access*, access is allowed from the Virtual Cloud Network and additional, configurable IPs. 
+ +# Bring Your Own OCI VCN + +Using the **Standard Edition** you can use a pre-created VCN for the Oracle Backend for Spring Boot and Microservices resources. + +The following are minimum requirements for a BYO VCN: + +* *Public Subnet* + * Minimum CIDR: `/30` + * Route Table: + * Internet Gateway to `0.0.0.0/0` +* *Private Subnet* + * Minimum CIDR: `/29` + * Route Table: + * Service Gateway to "All `` Services in the Oracle Services Network" + * NAT Gateway to `0.0.0.0/0` + +## Configuration + +During the configuration of the Oracle Backend for Spring Boot and Microservices, ensure that the **Edition** is set to **Standard**: + +![Standard Edition](../images/standard_edition.png "Standard Edition") + +Tick the "Bring Your Own Virtual Network" checkbox and fill in the appropriate values for the VCN Compartment/Name, Public Subnet Compartment/Name, and Private Subnet Compartment/Name: + + - `Virtual Cloud Network Compartment` : The compartment of the existing VCN. + - `Virtual Cloud Network (VCN)` : The VCN name. + - `Private Subnet Compartment` : The compartment of the existing Private Subnet in the VCN. + - `Private Subnet` : The Private Subnet name (this will automatically translate the name to an OCID). + - `Public Subnet Compartment` : The compartment of the existing Public Subnet in the VCN. + - `Public Subnet` : The Public Subnet name (this will automatically translate the name to an OCID). + +![BYO VCN](images/byo_vcn.png "BYO VCN") + +# OCI LoadBalancer TLS Certificate Setup + +In OCI, example self-signed certificates are used for TLS communication to the Load Balancer. The self-signed certificates should be replaced with certificates signed by a publicly trusted certificate authority (CA). + +## Setup + +1. Ensure your Domain Name System (DNS) entry points to the public IP address associated with the `service/ingress-nginx-controller` in the `ingress-nginx` namespace: + + ![LoadBalancer IP](images/lb_ip.png "LoadBalancer IP") + +2. 
Obtain a new TLS certificate. In a production environment, the most common scenario is to use a public certificate that has been signed by a certificate authority. + +3. Create a new Kubernetes secret in the `ingress-nginx` namespace. For example: + + ```bash + kubectl -n ingress-nginx create secret tls my-tls-cert --key new-tls.key --cert new-tls.crt + ``` + +4. Modify the service definition to reference the new Kubernetes secret by changing the `service.beta.kubernetes.io/oci-load-balancer-tls-secret` annotation in the service configuration. For example: + + ```bash + kubectl patch service ingress-nginx-controller -n ingress-nginx \ + -p '{"metadata":{"annotations":{"service.beta.kubernetes.io/oci-load-balancer-tls-secret":"my-tls-cert"}}}' \ + --type=merge + ``` \ No newline at end of file diff --git a/docs-source/spring/content/infrastructure/networking/images/byo_vcn.png b/docs-source/spring/content/infrastructure/networking/images/byo_vcn.png new file mode 100644 index 000000000..d322c2867 Binary files /dev/null and b/docs-source/spring/content/infrastructure/networking/images/byo_vcn.png differ diff --git a/docs-source/spring/content/infrastructure/networking/images/lb_ip.png b/docs-source/spring/content/infrastructure/networking/images/lb_ip.png new file mode 100644 index 000000000..47d8d56b7 Binary files /dev/null and b/docs-source/spring/content/infrastructure/networking/images/lb_ip.png differ diff --git a/docs-source/spring/content/infrastructure/networking/images/network_infra.png b/docs-source/spring/content/infrastructure/networking/images/network_infra.png new file mode 100644 index 000000000..22817f9fa Binary files /dev/null and b/docs-source/spring/content/infrastructure/networking/images/network_infra.png differ diff --git a/docs-source/spring/content/setup/_index.md b/docs-source/spring/content/setup/_index.md index 7d9339eb8..c02b2f496 100644 --- a/docs-source/spring/content/setup/_index.md +++ b/docs-source/spring/content/setup/_index.md 
@@ -36,6 +36,12 @@ resources: - name: oci-stack-apply-logs src: "oci-stack-apply-logs.png" title: "Create Stack Apply Logs" + - name: oci-stack-additional-options + src: "oci-stack-additional-options.png" + title: "Create Stack Additional Options - Standard Edition" + - name: oci-stack-oke-options + src: "oci-stack-oke-options.png" + title: "Create Stack OKE Options" - name: oci-stack-outputs src: "oci-stack-outputs.png" title: "Create Stack Outputs" @@ -45,6 +51,9 @@ resources: - name: oci-stack-db-options src: "oci-stack-db-options.png" title: "Database Options" + - name: oci-stack-byodb-options + src: "oci-stack-byodb-options.png" + title: "Bring your Own Database Options - Standard Edition" - name: oci-stack-parse-options src: "oci-stack-parse-options.png" title: "Parse Server Options" @@ -60,24 +69,22 @@ resources: - name: oci-stack-passwords src: "oci-stack-passwords.png" title: "Administrator Passwords" - - name: oci-stack-control-plane - src: "oci-stack-control-plane.png" - title: "OKE Control Plane Access" - - name: oci-stack-node-pool - src: "oci-stack-node-pool.png" - title: "Node Pool Information" - name: oci-stack-lb-options src: "oci-stack-lb-options.png" title: "Load Balancer Options" - name: oci-stack-vault-options src: "oci-stack-vault-options.png" - title: "HashiCorp Vault Options" + title: "HashiCorp Vault Options - Standard Edition" - name: azn-stack-app-info src: "azn-stack-app-info.png" title: "Access Information" - name: oci-stack-app-info src: "oci-stack-app-information.png" title: "Detailed Access Information" + - name: oci-stack-network-options + src: "oci-stack-network-options.png" + title: "Network Options - Standard Edition" + --- Oracle Backend for Spring Boot and Microservices is available in the [OCI Marketplace](https://cloudmarketplace.oracle.com/marketplace/en_US/listing/138899911). 
@@ -168,56 +175,62 @@ To set up the OCI environment, process these steps: - `Compartment` : Select the compartment where you want to install Oracle Backend for Spring Boot and Microservices. - `Application Name` (optional) : A random pet name that will be used as the application name if left empty. - `Edition` : Select between *COMMUNITY* and *STANDARD* Edition. - - *COMMUNTIY* - for developers for quick start to testing Spring Boot Microservices with an integrated backend. Teams can start with the deployment and scale up as processing demand grows. Community support only. - - *STANDARD* - focused for pre-prod and production environments with an emphasis on deployment, scaling, and high availability. Oracle support is included with a Oracle Database support agreement. All features for developers are the same so start here if you’re porting an existing Spring Boot application stack and expect to get into production soon. - - - {{< img name="oci-stack-app-name" size="large" lazy=false >}} - - -1. If you check the checkbox *Set Administrator Passwords* in the **Administrator Passwords** section you have the option to fill in the following passwords (if not they are autogenerated): + - *COMMUNITY* - for developers for quick start to testing Spring Boot Microservices with an integrated backend. Teams can start with the deployment and scale up as processing demand grows. Community support only. + - *STANDARD* - focused for pre-prod and production environments with an emphasis on deployment, scaling, and high availability. Oracle support is included with a Oracle Database support agreement. All features for developers are the same so start here if you’re porting an existing Spring Boot application stack and expect to get into production soon. This edition allows for additional Bring Your Own (BYO) capabilities. - - `APISIX Administrator Password` (optional) : Leave blank to auto-generate. - - `Grafana Administrator Password` (optional) : Leave blank to auto-generate. 
- - `ORACTL Administrator Password` optional) : Leave blank to auto-generate. This is the password for the `obaas-admin` user. - - `ORACTL User Password` (optional) : Leave blank to auto-generate. This is the password for the `obaas-user` user. + | Edition | Parse Platform | BYO Network | BYO Database | Production Vault | Registry Scanning | + |-----------|----------------|--------------|------------------|------------------| ------------------| + | Community | x | | | | | + | Standard | x | x | x | x | x | - {{< img name="oci-stack-passwords" size="large" lazy=false >}} + {{< img name="oci-stack-app-name" size="large" lazy=false >}} 1. If you check the checkbox *Enable Parse Platform* in the **Parse Server** section a Parse Server will be installed. Fill in the following for the Parse Server: - `Application ID` (optional) : Leave blank to auto-generate. - `Server Master Key` (optional) : Leave blank to auto-generate. - - `Enable Parse S3 Storage` : Check the checkbox to enable Parse Server S3 Adaptor and create a S3 compatible Object Storage Bucket. - `Dashboard Username` : The user name of the user to whom access to the dashboard is granted. - `Dashboard Password` (optional) : The password of the dashboard user (a minimum of 12 characters). Leave blank to auto-generate. + - `Enable Parse S3 Storage` : Check the checkbox to enable Parse Server S3 Adaptor and create a S3 compatible Object Storage Bucket. {{< img name="oci-stack-parse-options" size="large" lazy=false >}} -1. If you check the checkbox *Public Control Plane* in the **Public Control Plane Options**, you are enabling access from the `public` to the Control Plane: - - - `Public Control Plane` : This option allows access to the OKE Control Plane from the internet (public IP). If not selected, access can only be from a private virtual cloud network (VCN). - - `Control Plane Access Control` : Enter the CIDR block you want to give access to the Control Plane. Default (and not recommended) is `0.0.0.0/0`. +1. 
If you check the checkbox *Set Administrator Passwords* in the **Administrator Passwords** section you have the option to fill in the following passwords (if not they are autogenerated): - > **NOTE:** Oracle recommends that you set `Control Plane Access Control` to be as restrictive as possible + - `APISIX Administrator Password` (optional) : Leave blank to auto-generate. + - `Grafana Administrator Password` (optional) : Leave blank to auto-generate. + - `ORACTL Administrator Password` optional) : Leave blank to auto-generate. This is the password for the `obaas-admin` user. + - `ORACTL User Password` (optional) : Leave blank to auto-generate. This is the password for the `obaas-user` user. - - {{< img name="oci-stack-control-plane" size="large" lazy=false >}} - + + {{< img name="oci-stack-passwords" size="large" lazy=false >}} + + +1. (*Standard Edition Only*) If you check the checkbox *Bring Your Own Virtual Cloud Network* in the **Network Options** section you can use an existing Virtual Cloud Network. This is required to Bring Your Own Database (*Standard Edition Only*). + + + {{< img name="oci-stack-network-options" size="large" lazy=false >}} + -1. In the **Node Pool** section, fill in the following for the OKE Node Pools: + > For more information on the network requirements and topology of the Oracle Backend for Spring Boot and Microservices including the options for *Bring Your Own Virtual Cloud Network*, please see the [Networking](../infrastructure/networking) documentation. +1. In the **Kubernetes Cluster Options** section, fill in the following for the OKE Cluster Options: + + - `Public API Endpoint?` : This option allows access to the OKE Control Plane API Endpoint from the internet (public IP). If not selected, access can only be from a private virtual cloud network (VCN). + - `API Endpoint Access Control` : Enter the CIDR block you want to give access to the Control Plane API. Default (and not recommended) is `0.0.0.0/0`. 
- `Node Pool Workers` : The number of Kubernetes worker nodes (virtual machines) attached to the OKE cluster. - `Node Pool Worker Shape` : The shape of the node pool workers. - `Node Workers OCPU` : The initial number of Oracle Compute Units (OCPUs) for the node pool workers. - - {{< img name="oci-stack-node-pool" size="large" lazy=false >}} - + > **NOTE:** Oracle recommends that you set `API Endpoint Access Control` to be as restrictive as possible + + + {{< img name="oci-stack-oke-options" size="large" lazy=false >}} + 1. In the **Load Balancers Options** section, fill in the following for the Load Balancers options: 
@@ -234,7 +247,35 @@ To set up the OCI environment, process these steps: {{< img name="oci-stack-lb-options" size="large" lazy=false >}} -1. If you check the checkbox *Enable Vault in Production Mode* in the section **Vault Options** you will be installing HashiCorp in **Production** mode otherwise the HashiCorp Vault be installed in **Development** mode. +1. In the **Database Options** section, you can modify the following Database options. + + - `Autonomous Database Compute Model` : Choose either ECPU (default) or OCPU compute model for the ADB. + - `Autonomous Database Network Access` : Choose the Autonomous Database network access. Choose between *SECURE_ACCESS* and *PRIVATE_ENDPOINT_ACCESS*. **NOTE:** This option currently cannot be changed later. + - *SECURE_ACCESS* - Accessible from outside the Kubernetes Cluster. Requires mTLS and can be restricted by IP or CIDR addresses. + - *PRIVATE_ENDPOINT_ACCESS* - Accessible only from inside the Kubernetes Cluster or via a Bastion service. Requires mTLS. + - `ADB Access Control` : Comma separated list of CIDR blocks from which the ADB can be accessed. This only applies if *SECURE_ACCESS* was chosen. Default (and not recommended) is `0.0.0.0/0`. + - `Autonomous Database CPU Core Count` : Choose how many CPU cores will be elastically allocated. + - `Allow Autonomous Database CPU Auto Scaling` : Enable auto scaling for the ADB CPU core count (x3 ADB CPU). + - `Autonomous Database Data Storage Size` : Choose ADB Database Data Storage Size in gigabytes (ECPU) or terabytes (OCPU). + - `Allow Autonomous Database Storage Auto Scaling` : Allow the ADB storage to automatically scale. + - `Autonomous Database License Model` : The Autonomous Database license model. + - `Create an Object Storage Bucket for ADB` : Create a Object Storage bucket, with the appropriate access policies, for the ADB. + + > **NOTE:** Oracle recommends that you restrict by IP or CIDR addresses to be as restrictive as possible. 
+ + + {{< img name="oci-stack-db-options" size="large" lazy=false >}} + + +1. (*Standard Edition Only*) If *Bring Your Own Virtual Cloud Network* has been selected in the **Network Options** section, then you have the option to *Bring Your Own Database* in the section **Database Options**. + + + {{< img name="oci-stack-byodb-options" size="large" lazy=false >}} + + + > For more information on the *Bring Your Own Database* option for the Oracle Backend for Spring Boot and Microservices including the required values, please review the [Database](../infrastructure/database) documentation. + +1. (*Standard Edition Only*) If you check the checkbox *Enable Vault in Production Mode* in the section **Vault Options** you will be installing HashiCorp in **Production** mode otherwise the HashiCorp Vault be installed in **Development** mode. Fill in the following Vault options. You have the option of creating a new OCI Vault or using an existing OCI Vault. The OCI Vault is only used in **Production** mode to auto-unseal the HashiCorp Vault (see documentation ...) Fill in the following information if you want to use an existing OCI Vault: 
@@ -250,21 +291,10 @@ To set up the OCI environment, process these steps: **Never** run a **Development** mode HashiCorp Vault Server in a production environment. It is insecure and will lose data on every restart (since it stores data in-memory). It is only intended for development or experimentation. {{< /hint >}} -1. In the **Database Options** section, you can modify the following Database options. - - - `Autonomous Database Network Access` : Choose the Autonomous Database network access. Choose between *SECURE_ACCESS* and *PRIVATE_ENDPOINT_ACCESS*. **NOTE:** This option currently cannot be changed later. - - *SECURE_ACCESS* - Accessible from outside the Kubernetes Cluster. Requires mTLS and can be restricted by IP or CIDR addresses. - - *PRIVATE_ENDPOINT* - Accessible only from inside the Kubernetes Cluster or via a Bastion service. Requires mTLS. - - `ADB Access Control` : Comma separated list of CIDR blocks from which the ADB can be accessed. This only applies if *SECURE_ACCESS* was chosen. Default (and not recommended) is `0.0.0.0/0`. - - `Autonomous Database ECPU Core Count` : Choose how many ECPU cores will be elastically allocated. - - `Allow Autonomous Database OCPU Auto Scaling` : Enable auto scaling for the ADB ECPU core count (x3 ADB ECPU). - - `Autonomous Database Data Storage Size` : Choose ADB Database Data Storage Size in gigabytes. - - `Autonomous Database License Model` : The Autonomous Database license model. - - > **NOTE:** Oracle recommends that you restrict by IP or CIDR addresses to be as restrictive as possible. +1. (*Standard Edition Only*) If you check the checkbox *Enable Container Registry Vulnerability Scanning* in the section **Additional Options** you will enable the automatic Vulnerability Scanning on images stored in the Oracle Container Registry. - {{< img name="oci-stack-db-options" size="large" lazy=false >}} + {{< img name="oci-stack-additional-options" size="large" lazy=false >}} 1. 
Now you can review the stack configuration and save the changes. Oracle recommends that you do not check the **Run apply** option. This gives you the opportunity to run the "plan" first and check for issues. Click **Create** @@ -317,7 +347,7 @@ To set up the local machine, process these steps: 1. Set up cluster access. - To access a cluster, use the `kubectl` command-line interface that is installed (see the [Kubernetes access](./cluster-access)) locally. + To access a cluster, use the `kubectl` command-line interface that is installed (see the [Kubernetes access](../cluster-access)) locally. If you have not already done so, do the following: 1. Install the `kubectl` command-line interface (see the [kubectl documentation](https://kubernetes.io/docs/tasks/tools/install-kubectl/)). @@ -346,7 +376,7 @@ To set up the local machine, process these steps: 1. Install the Oracle Backend for Spring Boot and Microservices command-line. - The Oracle Backend for Spring Boot and Microservices command-line interface, `oractl`, is available for Linux and Mac systems. Download the binary that you want from the [Releases](https://github.com/oracle/microservices-datadriven/releases/tag/OBAAS-1.0.0) page and add it to your PATH environment variable. You can rename the binary to remove the suffix. + The Oracle Backend for Spring Boot and Microservices command-line interface, `oractl`, is available for Linux and Mac systems. Download the binary that you want from the [Releases](https://github.com/oracle/microservices-datadriven/releases/tag/OBAAS-1.1.1) page and add it to your PATH environment variable. You can rename the binary to remove the suffix. If your environment is a Linux or Mac machine, run `chmod +x` on the downloaded binary. Also, if your environment is a Mac, run the following command. Otherwise, you get a security warning and the CLI does not work: 
diff --git a/docs-source/spring/content/setup/oci-stack-additional-options.png b/docs-source/spring/content/setup/oci-stack-additional-options.png new file mode 100644 index 000000000..25992d0dc Binary files /dev/null and b/docs-source/spring/content/setup/oci-stack-additional-options.png differ diff --git a/docs-source/spring/content/setup/oci-stack-byodb-options.png b/docs-source/spring/content/setup/oci-stack-byodb-options.png new file mode 100644 index 000000000..844e71031 Binary files /dev/null and b/docs-source/spring/content/setup/oci-stack-byodb-options.png differ diff --git a/docs-source/spring/content/setup/oci-stack-control-plane.png b/docs-source/spring/content/setup/oci-stack-control-plane.png deleted file mode 100644 index 967fe49ac..000000000 Binary files a/docs-source/spring/content/setup/oci-stack-control-plane.png and /dev/null differ diff --git a/docs-source/spring/content/setup/oci-stack-db-options.png b/docs-source/spring/content/setup/oci-stack-db-options.png index 9214bef2c..fa33bbf3b 100644 Binary files a/docs-source/spring/content/setup/oci-stack-db-options.png and b/docs-source/spring/content/setup/oci-stack-db-options.png differ diff --git a/docs-source/spring/content/setup/oci-stack-network-options.png b/docs-source/spring/content/setup/oci-stack-network-options.png new file mode 100644 index 000000000..973702857 Binary files /dev/null and b/docs-source/spring/content/setup/oci-stack-network-options.png differ diff --git a/docs-source/spring/content/setup/oci-stack-node-pool.png b/docs-source/spring/content/setup/oci-stack-node-pool.png deleted file mode 100644 index c26fd8e18..000000000 Binary files a/docs-source/spring/content/setup/oci-stack-node-pool.png and /dev/null differ 
diff --git a/docs-source/spring/content/setup/oci-stack-oke-options.png b/docs-source/spring/content/setup/oci-stack-oke-options.png new file mode 100644 index 000000000..e5d202046 Binary files /dev/null and b/docs-source/spring/content/setup/oci-stack-oke-options.png differ diff --git a/docs-source/spring/content/setup/oci-stack-parse-options.png b/docs-source/spring/content/setup/oci-stack-parse-options.png index 828526b6f..e7fed6f3a 100644 Binary files a/docs-source/spring/content/setup/oci-stack-parse-options.png and b/docs-source/spring/content/setup/oci-stack-parse-options.png differ diff --git a/docs-source/spring/data/menu/main.yaml b/docs-source/spring/data/menu/main.yaml index ae7ec7a68..8218186a7 100644 --- a/docs-source/spring/data/menu/main.yaml +++ b/docs-source/spring/data/menu/main.yaml @@ -64,7 +64,13 @@ main: - name: "Wallet" ref: "/starters/wallet" - name: "AQ/JMS" - ref: "/starters/aqjms" + ref: "/starters/aqjms" + - name: Infrastructure + sub: + - name: "Networking" + ref: "/infrastructure/networking" + - name: "Database" + ref: "/infrastructure/database" - name: Database Access ref: "/database" - name: Kubernetes Access
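Review bot: In the `Database User Privileges` block of the new docs-source/spring/content/infrastructure/database/_index.md, the grant set contradicts the paragraph just above it that calls `SYSTEM`/`ADMIN` over-privileged: `SELECT ANY TABLE`, `INSERT ANY TABLE`, `UPDATE ANY TABLE`, `ALTER ANY TABLE`, `CREATE ANY TABLE`, `CREATE ANY TRIGGER` and `ALTER USER` are database-wide system privileges that reach every schema in the PDB, not only the schemas `OBAAS` creates, and `CREATE ANY TRIGGER` together with `ALTER USER` (which permits password resets on existing accounts) is a well-known escalation route, so the `OBAAS` account as written is roughly as powerful as the accounts the text advises against. Please either justify each `ANY` privilege with the backend feature that needs it or scope the grants to the schemas the proxy users will own, and add a sentence on `WITH ADMIN OPTION` on `CONNECT`, `RESOURCE`, `CREATE SESSION`, `AQ_USER_ROLE` and `SODA_APP`, since that lets this account re-grant those roles to any user. Smaller items in the same hunk: `CREATE USER OBAAS IDENTIFIED BY "Welcome_12345";` ships a literal password that will be copied verbatim, so use a placeholder and point at the password policy; the connect string example `(ADDRESS=(host=oracle://somedb.example.com)(protocol=TCP)(port=1521))` will not resolve because `host=` takes a bare hostname, not a URL scheme, and the fence is tagged `bash` for what is a TNS descriptor; and the prose has "install an addition Container Database" (additional), "inline with the Database-Per-Service pattern" (in line with) and "the the Oracle Backend".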
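Review bot: In the new docs-source/spring/content/infrastructure/networking/_index.md, the sentence "All TLS communications terminate at the LoadBalancer" should be followed by the consequence a reader needs: the hop from the Load Balancer to the worker NodePorts `30000-32767` is then plaintext inside the private subnet, and the Network Security Group rules are the only control on it. In the `Private Subnet` section, "a Bastion Service ... can provide additional non-restricted access" reads as if the bastion bypasses access control; OCI Bastion sessions are themselves authorised and time-limited, so say "operator access" or similar and note that it should be restricted to named principals. The CIDR arithmetic also needs checking: OCI reserves three addresses in every subnet (the first two and the last), so a `/30` yields one usable address rather than two and a `/29` yields five rather than six; please verify against the OCI subnet documentation and the OKE minimums before publishing "Minimum CIDR: `/30`". Smaller items: the route-table bullet `Service Gateway to "All `` Services in the Oracle Services Network"` has empty backticks where a region code or placeholder was meant; "Kubernetes Work Nodes" should be "Worker Nodes"; and "ICMP traffic is allowed between the public and private subnets for resource discovery" appears in both subnet sections, so keep one copy.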
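Review bot: In the `@@ -168,56 +175,62 @@` hunk of docs-source/spring/content/setup/_index.md, the new `API Endpoint Access Control` bullet says the default `0.0.0.0/0` is "not recommended" but gives no guidance on what to enter; since the Networking page added in this same PR describes the API endpoint as the path to services not exposed through the Load Balancer, recommend the operator's egress CIDR(s) explicitly rather than leaving the reader with only the unsafe default. Two carried-over typos are still in the added lines: "Oracle support is included with a Oracle Database support agreement" (an Oracle) and `` `ORACTL Administrator Password` optional) `` is missing its opening parenthesis. The new edition table's separator row has a stray space in `| ------------------|`, which renders in most engines but is worth aligning with the other columns.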
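Review bot: In the `@@ -234,7 +247,35 @@` hunk of docs-source/spring/content/setup/_index.md, marking `Enable Vault in Production Mode` as "(*Standard Edition Only*)" means Community Edition always gets a Development-mode HashiCorp Vault, and the hint a few lines later says never to run that in production; state that consequence plainly in the Community Edition bullet and in the edition table so nobody deploys Community into production on the assumption that Vault can be switched later. The same paragraph still ends with "(see documentation ...)", a dangling reference that should become a link or be removed. The `Autonomous Database Network Access` note "This option currently cannot be changed later" is the kind of one-way decision that belongs in the security-relevant bullets above the image, not buried mid-list; consider moving it next to the `ADB Access Control` recommendation.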
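Review bot: In the `@@ -250,21 +291,10 @@` hunk of docs-source/spring/content/setup/_index.md, the added line "enable the automatic Vulnerability Scanning on images stored in the Oracle Container Registry" names the wrong product: the scanning option applies to the tenancy's OCI Container Registry (OCIR), whereas "Oracle Container Registry" is Oracle's public image registry at container-registry.oracle.com. Please say OCI Container Registry (OCIR) and, since this is a Standard-only control, add a sentence on what the scan results feed into (where a user sees them and whether a vulnerable image is blocked or merely reported), because as written the bullet promises a control without describing its effect.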
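Review bot: In the docs-source/spring/data/menu/main.yaml hunk, the line `ref: "/starters/aqjms"` is removed and re-added with no visible change, i.e. a whitespace-only edit; drop it from the diff so the hunk contains only the new `Infrastructure` menu entry, which keeps blame history on that line intact.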