How can I delete a pod via a Oracle Function?

Question

I have a cluster with some deployments / services / etc... inside an OKE, which I usually connect to via kubectl from my pc.

The question is: is it possible to delete a pod inside that cluster from a Oracle Function? What I want to do is build a CI/CD chain, triggering my function via a Gateway to execute my "ci-function", and this part works well.

I'm writing my functions in Go using oci-go-sdk , but here is the problem:

I can obtain the Kubeconfig file of my cluster with:

   resp, err := client.CreateKubeconfig(ctx, containerengine.CreateKubeconfigRequest{

  ClusterId: &cID,

  })

But this Kubeconfig file contains:

- name: user-**********
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      args:
      - ce
      - cluster
      - generate-token
      - --cluster-id
      - ocid1.cluster.oc1.*************************
      - --region
      - eu-frankfurt-1
      command: oci
      env: []

which need oci installed inside the function env, which I am not able to install.

Also, oci-cli used there is opensource, here is the interesting part that generate the token used here: https://github.com/oracle/oci-cli/blob/cf04fa4f08238cb1ee4287f0354603ba92e60647/services/container_engine/src/oci_cli_co… But I wasn't able to recreate this part and use it inside kubeconfig directly.

Someone know any way to do this?

Thanks in advance

Answer 1

You should be able to use the Go SDK to update the Cluster and NodePool inside your OCI Function as mentioned in https://docs.cloud.oracle.com/en-us/iaas/Content/API/SDKDocs/gosdk.htm

Alternatively, you should also be able to spin up an HTTP client inside your Go code in your OCI Function and call OKE’s UpdateCluster and UpdateNodePool REST APIs, see e.g. https://docs.cloud.oracle.com/en-us/iaas/api/#/en/containerengine/20180222/NodePool/UpdateNodePool

Answer 2

I think that you've already figured this out but the best way to interact with other OCI services within your Function is to authenticate to that service using the Function's "Resource Principal". This is an identity given to your Function such that you can write policies to allow it to interact with other OCI resources. This saves you handling any credentials yourself since an ephemeral API key representing this identity is passed into your Function by the service.

To interact with a Kubernetes cluster you need a kubeconfig and as you can see this can be generated by the OKE API.

The returned kubeconfig uses ephemeral time based tokens to authenticated to the cluster and as you can see for interactive use cases there is an implementation of this token generation in the OCI CLI.

Unfortunately there is no implementation of this method in the SDKs so you need to one of the following.

• Copy the code from the CLI which generates the token into your function code, translating into your chosen language if necessary then pass this generated token into your kubeconfig instead

• Keep the configuration which execs the OCI CLI to get the token, install the OCI CLI and make the OCI CLI generate the token using the resource principal

Since you said you'd tried the first approach and not succeeded and since the first approach is somewhat fiddly I'll present how you'd achieve the second method.

To install the OCI CLI you need to take control of your docker build process so you can modify the contents of the generated function image. Each FDK has an "implicit" Dockerfile. You can find the boilerplate for these in the Fn CLI and you can then place that Dockerfile in your function directory and change the function type in func.yaml to "docker". There's a blog post about how to extract the implicit dockerfile here https://constructive-laziness.blogspot.com/2020/05/the-case-of-vanishing-dockerfile.html Now you can add to the Dockerfile steps to install the OCI CLI based on the instructions here: https://docs.cloud.oracle.com/en-us/iaas/Content/API/SDKDocs/climanualinst.htm Since the FDK base images for Go are alpine based the process may need some modifications to accomodate that.

To make the OCI CLI use the resource principal you need to set an environment variable OCI_CLI_AUTH to resource_principal This can be done in an ENV line in the last stage of your Dockerfile

You'll also need to make sure you have your functions in a dynamic group and an appropriate policy in place for your function per the docs here https://docs.cloud.oracle.com/en-us/iaas/Content/Functions/Tasks/functionsaccessingociresources.htm?Highlight=functions%20resource%20principal

(Disclaimer, I work for Oracle on the Functions team and the advice above is correct to the best of my knowledge but does not constitute official support)