- Cloud Native Fundamentals
- Oracle Functions Overview
- Oracle Functions Core Concept
- Oracle Functions - Use cases, References
- API Gateway
- Resource Manager Overview
- Advanced Terraform
- OCI Streaming Services
- Oracle Kubernetes Engine (OKE)
- Creating OKE Cluster
- Accessing OKE Cluster using kubectl
- OCI Service Broker
- OCI API, SDK, CLI
- Key Management Overview
- IAM Overview
- IAM Mangement - Compartments
- IAM Mangement - Policies
- IAM Mangement - Tags
- Testing Cloud Native Applications
- OCI Registry Service
- Managing Repos in OCIR
- Pulling an image from OCIR for Kubernetes
- Image Retention Policies
- Monitoring Service Overview
- Events - Overview and Key Features
- Events - Core concepts
- Events - Use cases, Reference Arch
Cloud Native Fundamentals
Cloud Native vs Traditional Arch
- Stateful vs Statelsss
- Service Orchestration vs Service Chroreography
- Dealing with failures
CAP Theorem
Distributed Database system
- reliable network
- zero latency
- infinite bandwidth
- secure network
- no change in topology
- one admin
- zero transport cost
- homogenrous network
Cloud Native Building Blocks
- Microservices
- service oriented arch
- Loosly coupled services
- organized around business capabilties
Defence in Depth Approach
- source code - track, audit, in repo
- Container image - include only bare minimum needed
- Container Registry - use private registry, vulnerability scanning (twistlock)
- pods - image from approved registry, use pod security policies, host ports, networking
- Cluster/Orchestrator - secure access, Enable RBAC, Enable Audit logs
- Containers
- Functions
Service Communication Patterns
- External Communication - to/from external services
-
Internal Communication - service to service (within cluster)
-
Sync vs Async Comm Protocols
- HTTP, HTTPv2, WebSocket, gRPC
Messaing Protcols
- MQTT (Message Que Telemetry Transport)
-
AMQP (Advance Message Queuing Protocol)
- Pub/Sub
-
Idempotency - multiple lines but single effect. message can process more than once
- Serialization
- JSON - readable, large memory footprint
- Protobuf - binary format, schema defined in .proto files
Oracle Functions Overview
fnproject.io
- Function as a Service
- Oracle Cloud integrated
- Container Native
- Opensource Engine
- Multi tenant
-
Secure
- run only when triggered
-
pay for code execution only
- Function Development kit - FDK - Python, Java,Go, node.js, ruby
Oracle Functions Core Concept
- grouped into applications
-
built as a docker image and pushed to a specified docker registry
- invoke on cli, SDK, HTTP Req, other OCI services
- docker will be pulled and run; after some idle perioed container will be removed.
- Also time based functions
- define policy for permissions
Function Metrics
- FunctionExecutionDuration
- FunctionInvocationCount
- FunctionResponseCount
Oracle Functions - Use cases, References
- Glue Cloud Services, Event Driven
- Web, Mobile, IoT backends
- Realtime file, stream process
- DevOps, Batch process
API Gateway
- single gateway to multiple API services
- Routing
- Rate limiting
- Cross region resource sharing (CORS)
- Metrics
Use cases
- RESTful API for functions
- Custom Development
- SaaS services
Resource Manager Overview
- Terraform as a service
- Stack - a set of OCI resources you want to create in a compartment
- job - a request to take a terraform action on a stack (plan, apply, destroy)
Advanced Terraform
- stores the state of managed ifnra from the last time terraform was run
- use this state to create plans and make changes to your infra terraform.tfstate
Terraform Local State File
- stored locally on local machine in JSON format
- small and individual team
- not to scale for large teams
- require a more mono-repo pattern
Terraform Remote State File
- write state to remote data store
-
can manage by large team
- use target flag to create only that resource
Terraform Modules
Terraform provisioners
- ansible, che, puppet, shell
Instance Principal Config
OCI Streaming Services
- logs, web/IoT/mobile data
- 99.95% SLA
- message - 64 bit encoded record or array of bytes
- key - and identifier
- stream - an append only log of messages
- topic - message category
- partitions - topic broken into partitions
- producer - create message
- consumer - subscribe and read
- consumer group - a group
Design Considerations
- retention max 7 days
- max message size 1 MB
- each partition 1000Emit API call per second, 5 Read API call per second
- each partition max total write rate 1 MB per second, read rate 2 MB per second
- each tenancy has a limit of 5 partitions
Oracle Kubernetes Engine (OKE)
- your own/DIY
- pre-built but managed by user
- managed service
Terraform Kubernetes Installation for OCI
Creating OKE Cluster
- monthly 3 cluster oer OCI regions, with 1000 nodes
- pay as you go model got only 1 cluster
Accessing OKE Cluster using kubectl
- need oci cli
- then setup kubeconfig in oci cli
- create serviceaccount with clusteradmin role to access dashboard
- use token to login
OCI Service Broker
- software to implement the Open service broker API
- enable cloud service lifecycle through devops tools (provision,bind,deprovision)
- specific to cloud vendor
- CI/CD -> OCI Registry -> OKE CLuster <- Service broker <- OCI Cloud services
OCI API, SDK, CLI
Diff ways to access OCI
- GUI Console
- REST API - References and end points
- Terraform
- SDK- custom solutions based on java, python, ruby, go; need OCI account, user ID, key paid
- ANsible
- CLI - required keys and OCID. oci setup to configure, bash or pip install oci
- Resource Manager
Key Management Overview
- managed service to encrypt data
- FIPS 140-2, Security level 3
- create keys, disable keys, re-enable keys with key vault
- rotate keys to meet your security governance and regulatory compliance needs; store in version
-
with IAM users and groups
- vaults - logical entities to store keys
- seperate compartment for keys
- users/groups need access to keys
Design Considerations
- regional service, repicate keys across 3 AD
- block volumes and object storage are integrated with key managedment
- rotaing key will not re-encrypt data that was previously encrypted with old key version; only when customer modify data
- no import or export of keys
- cannot delete keys, bud disabe. delete key vault
- schedule vault deletion - 7-30 days
- cannot recover once deleted
pricing on vault - per hour
IAM Overview
OCID - Oracle Cloud ID
Instance principal - for instance to make api calls
Authentication
- authenticate principal by
- username /password
- API Signining Key
- Auth Tokens - no expire
Autherization
- specified various actions an authenticated
IAM Mangement - Compartments
- sub compartments upto six level deep
- atleast one policy to access it
- subcompartments inherits access permisions from compartments higher up its hierarchy
Compartment Quotas
- similar to service limit but set by administrator using policies
- set, unset, zero
IAM Mangement - Policies
Verbs
- inspect - ability to list
- read - inspect + get user specified metadata
- use - read + ability to work with existing resources
- manage - include all permission for resource
Aggregated - all-resource, database-family, instance-family etc Individual - individual resource
Permissions
- VOLUME_INSPECT, READ, VOLUME_WRITE,
API Operation
- ListVolume, GetVolume,CreateVolume
Common Policies
IAM Mangement - Tags
Tag Namespace - a container for set of tag keys with tag key definitions
Testing Cloud Native Applications
- mock - for testing
- fake - with working implementation
- stub - some data returns
Building block of testing
- unit tests
- service test/component level
- user interface tests
OCI Registry Service
Oracle Cloud Infrastructure Registry - OCIR
- Fully managed
- HA Docker v2 registry
- private or public repo
-
full integration with OKE
- OCI Registry is FREE
- Only charges for OCI resources
Managing Repos in OCIR
- need proper permissions by policies
- users need username and auth token beore being able to push/pull image
- docker login
.ocir.io
Pulling an image from OCIR for Kubernetes
- create a secret and use it as
imagePullSecret
Image Retention Policies
- not tagged for a certain period
- not pulled for a certain period
-
not given particular tag
- Hourly process to reomve image
- policies to retain/remove images
Monitoring Service Overview
- monitor cloud resources
- supports metrics and alarms
- compite, VCN, LB, block, object storage, notification, streaming
-
health, capacity, performance
- email or pagerduty
-
metric query language (MQL)
-
metric is a measurement related to health, capacity or performance of a given resource
-
metric stream - aggregated data of multiple metric data
- internval 01,5,60 min etc
- dimension - name-value pairs
- Grouping - groupBy() aggregates results by groups
- statistics - count, max, mean, rat, min, sum , percetile
Alarms & States
- Firing - alarm triggered
- Reset - alarm not detecting the metric firing, metric no longer being emitted
- Suppress - avoid publishing messages during the specified time range eg maintenance
metric + alarm + topic
Events - Overview and Key Features
- fully managed event-routing platform
-
using CNCF’s
cloudevent(opensource) standard -
integration with oracle functons, streaming, notification
- Events - a structured and schematized message that denotes a change in resource
- Rule - the object where a user defines which event they care about and trgigger an actions an actions if it occurs
- Actions - the user-defined response to when an event occurs eg: triggering a functions or wrtingin to a stream, send notificaiton etc
Events - Core concepts
name & compartment -> trigger condition -> Action
-
max rules limit 50 / tenancy (can request more)
- user defined response to a rule being matched
- multiple actions can