How to use Oracle OCI with Juju

Juju already has knowledge of the OCI cloud (Oracle Cloud Infrastructure), which means adding your Oracle account to Juju is quick and easy.

Contents:

• Understand and prepare your OCI account
• Gather information about your OCI cloud
  • SSL keypair and fingerprint
  • OCI identifiers (OCIDs)
    • User OCID
    • Tenancy OCID
    • Compartment OCID
  • Provide the public SSL key to Oracle
• Add credentials
  • Use the interactive method
  • Define a YAML file
  • Confirm that you’ve added the credentials correctly
• Bootstrap a controller

Understand and prepare your OCI account

The instructions on this page refer to certain OCI concepts. Familiarise yourself with them by reading Oracle’s Concepts page. The key concepts for us here are “Tenancy”, “Compartment”, and “OCID”.

Your Tenancy can be designed according to how you intend to use your OCI account but there is no hard requirement to perform any configuration changes to it in order to use it with Juju. However, for enterprise rollouts you will most certainly need to do this for both organisational and security reasons.

To organise your Tenancy and its associated compartments read Oracle’s Setting up your Tenancy page.

Gather information about your OCI cloud

The following bits of information need to be gathered:

• SSL keypair and fingerprint
• Oracle Cloud Identifiers (OCIDs)

SSL keypair and fingerprint

An SSL keypair (private and public keys) needs to be generated on your local system. It will be used to contact Oracle’s API. A “fingerprint” of the private key will be needed to identify that key. The below list of Linux-based commands accomplish all this. For a full explanation of them, in addition to what to do on a non-Linux system, see Oracle’s Required Keys and OCIDs page.

mkdir ~/.oci
openssl genrsa -out ~/.oci/oci_ssl_key_private.pem -aes128 2048
chmod go-rwx ~/.oci/oci_ssl_key_private.pem
openssl rsa -pubout -in ~/.oci/oci_ssl_key_private.pem -out ~/.oci/oci_ssl_key_public.pem
openssl rsa -pubout -outform DER -in ~/.oci/oci_ssl_key_private.pem | openssl md5 -c

The first openssl invocation will create an encrypted private key and will therefore prompt you for a passphrase. You will need this for later. Omit option -aes128 to disable encryption.

The last command will output the fingerprint of the private key.

The private key is now in ~/.oci/oci_ssl_key_private.pem and the public key is in ~/.oci/oci_ssl_key_public.pem.

We’ll later make reference to the private key, the fingerprint, and the passphrase using these variables, respectively:

$SSL_PRIVATE_KEY $SSL_PRIVATE_KEY_FINGERPRINT $SSL_PRIVATE_KEY_PASSPHRASE

OCI identifiers (OCIDs)

OCIDs are required for the following objects:

• user
• tenancy
• compartment

They are all gathered through the Oracle Cloud Console.

User OCID

The User OCID is found by clicking in the top-left menu and choosing ‘Identity’ and then sub-menu ‘Users’. Here, we’ll assign this value to a variable so we can refer to it later:

OCID_USER=ocid1.user.oc1..aaaaaaaaizcm5ljvk624qa4ue1i8vx043brrs27656sztwqy5twrplckzghq

Tenancy OCID

The Tenancy OCID is found similarly but in the sub-menu ‘Compartments’. Again, we’ll assign this to a variable:

OCID_TENANCY=ocid1.tenancy.oc1..aaaaaaaanoslu5x9e50gvq3mdilr5lzjz4imiwj3ale4s3qyivi5liw6hcia

Compartment OCID

The Compartment OCID is found on the same page:

OCID_COMPARTMENT=ocid1.tenancy.oc1..aaaaaaaanoslu5x9e50gvq3mdilr5lzjz4imiwj3ale4s3qyivi5liw6hcia

In this example, for the Compartment OCID, we decided to use the compartment provided to us by default (the root Compartment). Notice how it’s the same as the Tenancy OCID.

Provide the SSL key to Oracle

In order for the SSL keypair to be of any use the public key must be placed on the remote end.

Within the ‘Users’ sub-menu, click on the user’s email address, and then on ‘Add Public Key’. Paste in the key generated earlier (stored in file ~/.oci/oci_ssl_key_public.pem) and click the ‘Add’ button.

Add credentials

In order to access Oracle OCI, you will need to add credentials to Juju. This can be done in one of two ways (as shown below):

• Use the interactive method
• Define a YAML file

Use the interactive method

Once you gathered the information from the previous sessions, credentials can be added interactively with the command juju add-credential oracle.

Define a YAML file

A YAML-formatted file mycreds.yaml, can be used to store credential information for any cloud. The file in this example would be based on the following:

credentials:
  oracle:
    $CREDENTIAL_NAME:
      auth-type: httpsig
      fingerprint: $SSL_PRIVATE_KEY_FINGERPRINT
      key: |
        $SSL_PRIVATE_KEY
      region: $CLOUD_REGION
      pass-phrase: $SSL_PRIVATE_KEY_PASSPHRASE
      tenancy: $OCID_TENANCY
      user: $OCID_USER

• $SSL_PRIVATE_KEY_PASSPHRASE is placed within double-quotes. If the key was not encrypted just use “”.
• $CLOUD_REGION is an Oracle region (juju regions oracle).
• $CREDENTIAL_NAME is an arbitrary label.

See section Adding credentials from a file for guidance on what such a file can look like.

This information is then added to Juju by referencing the file with the add-credential command:

juju add-credential oracle -f mycreds.yaml

Confirm that you’ve added the credentials correctly

To view the credentials that Juju knows about, use the credentials command and inspect both remote and locally stored credentials:

juju credentials
juju credentials --local

Bootstrap a controller

You are now ready to create a Juju controller for cloud ‘oracle’ (replace the variable with your own value):

juju bootstrap --config compartment-id=$OCID_COMPARTMENT oracle oracle-controller

Above, the name given to the new controller is ‘oracle-controller’. OCI will provision an instance to run the controller on.

You can optionally change the definition of cloud ‘oracle’ to avoid having to specify the compartment like this. See General cloud management for guidance.

For a detailed explanation and examples of the bootstrap command see the Creating a controller page.

Last updated 5 months ago.