- Cloud Native Fundamentals
- Oracle Functions Overview
- Oracle Functions Core Concept
- Oracle Functions - Use cases, References
- API Gateway
- Resource Manager Overview
- Advanced Terraform
- OCI Streaming Services
- Oracle Kubernetes Engine (OKE)
- Creating OKE Cluster
- Accessing OKE Cluster using kubectl
- OCI Service Broker
- OCI API, SDK, CLI
- Key Management Overview
- IAM Overview
- IAM Management - Compartments
- IAM Management - Policies
- IAM Management - Tags
- Testing Cloud Native Applications
- OCI Registry Service
- Managing Repos in OCIR
- Pulling an image from OCIR for Kubernetes
- Image Retention Policies
- Monitoring Service Overview
- Events - Overview and Key Features
- Events - Core concepts
- Events - Use cases, Reference Arch
Cloud Native Fundamentals
Cloud Native vs Traditional Arch
- Stateful vs Stateless
- Service Orchestration vs Service Choreography
- Dealing with failures
CAP Theorem
Distributed Database system
- reliable network
- zero latency
- infinite bandwidth
- secure network
- no change in topology
- one admin
- zero transport cost
- homogeneous network
Cloud Native Building Blocks
- Microservices
- service oriented arch
- Loosely coupled services
- organized around business capabilities
Defence in Depth Approach
- source code - track, audit, in repo
- Container image - include only bare minimum needed
- Container Registry - use private registry, vulnerability scanning (twistlock)
- pods - image from approved registry, use pod security policies, host ports, networking
- Cluster/Orchestrator - secure access, Enable RBAC, Enable Audit logs
- Containers
- Functions
Service Communication Patterns
External Communication - to/from external services
Internal Communication - service to service (within cluster)
Sync vs Async Comm Protocols
HTTP, HTTPv2, WebSocket, gRPC
Messaging Protocols
MQTT (Message Queue Telemetry Transport)
AMQP (Advanced Message Queuing Protocol)
Pub/Sub
Idempotency - multiple deliveries but a single effect; a message can be processed more than once
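An added example (not from the course notes) of what "processed more than once, single effect" means in code: an at-least-once delivery redelivers message m1, and only the consumer that records processed message IDs applies it once. The message shape, the ledger and the sample delivery are all constructed for the illustration.

```python
"""Idempotent consumer: a redelivered message must not change state twice."""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass(frozen=True)
class Message:
    message_id: str   # assigned by the producer; stable across redeliveries
    account: str
    amount: int


@dataclass
class Ledger:
    balances: Dict[str, int] = field(default_factory=dict)
    processed_ids: Set[str] = field(default_factory=set)  # dedup store; durable in production

    def apply(self, msg: Message) -> bool:
        """Apply the message once; return False if its id was already seen."""
        if msg.message_id in self.processed_ids:
            return False
        self.balances[msg.account] = self.balances.get(msg.account, 0) + msg.amount
        self.processed_ids.add(msg.message_id)
        return True


def process_naively(messages: List[Message]) -> Dict[str, int]:
    """At-least-once delivery without deduplication: duplicates are double-counted."""
    balances: Dict[str, int] = {}
    for m in messages:
        balances[m.account] = balances.get(m.account, 0) + m.amount
    return balances


def process_idempotently(messages: List[Message]) -> Dict[str, int]:
    """Same delivery, but each message id takes effect exactly once."""
    ledger = Ledger()
    for m in messages:
        ledger.apply(m)
    return ledger.balances


# Constructed sample delivery: m1 is redelivered after a lost acknowledgement
SAMPLE_DELIVERY = [
    Message("m1", "acct-A", 100),
    Message("m2", "acct-B", 50),
    Message("m1", "acct-A", 100),
]
```

In a real consumer the dedup record and the state change should be committed together (one transaction, or the id stored alongside the updated row), otherwise a crash between the two reintroduces the double effect.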
Serialization
- JSON - readable, large memory footprint
- Protobuf - binary format, schema defined in .proto files
Oracle Functions Overview
fnproject.io
Function as a Service
Oracle Cloud integrated
Container Native
Opensource Engine
Multi tenant
Secure
run only when triggered
pay for code execution only
Function Development Kit - FDK - Python, Java, Go, Node.js, Ruby
Oracle Functions Core Concept
grouped into applications
built as a docker image and pushed to a specified docker registry
invoke on cli, SDK, HTTP Req, other OCI services
docker image will be pulled and run; after some idle period the container will be removed.
Also time based functions
define policy for permissions
Function Metrics
- FunctionExecutionDuration
- FunctionInvocationCount
- FunctionResponseCount
Oracle Functions - Use cases, References
- Glue Cloud Services, Event Driven
- Web, Mobile, IoT backends
- Realtime file, stream process
- DevOps, Batch process
API Gateway
- single gateway to multiple API services
- Routing
- Rate limiting
- Cross region resource sharing (CORS)
- Metrics
Use cases
- RESTful API for functions
- Custom Development
- SaaS services
Resource Manager Overview
- Terraform as a service
- Stack - a set of OCI resources you want to create in a compartment
- job - a request to take a terraform action on a stack (plan, apply, destroy)
Advanced Terraform
- stores the state of managed infra from the last time terraform was run
- uses this state to create plans and make changes to your infra; kept in terraform.tfstate
Terraform Local State File
- stored locally on local machine in JSON format
- small and individual team
- not to scale for large teams
- require a more mono-repo pattern
Terraform Remote State File
write state to remote data store
can manage by large team
use target flag to create only that resource
Terraform Modules
Terraform provisioners
- ansible, chef, puppet, shell
Instance Principal Config
OCI Streaming Services
- logs, web/IoT/mobile data
- 99.95% SLA
- message - base64-encoded record or array of bytes
- key - an identifier
- stream - an append only log of messages
- topic - message category
- partitions - topic broken into partitions
- producer - create message
- consumer - subscribe and read
- consumer group - a group of consumers
Design Considerations
- retention max 7 days
- max message size 1 MB
- each partition 1000 Emit API calls per second, 5 Read API calls per second
- each partition max total write rate 1 MB per second, read rate 2 MB per second
- each tenancy has a limit of 5 partitions
Oracle Kubernetes Engine (OKE)
- your own/DIY
- pre-built but managed by user
- managed service
Terraform Kubernetes Installation for OCI
Creating OKE Cluster
- monthly 3 clusters per OCI region, with 1000 nodes
- pay as you go model gets only 1 cluster
Accessing OKE Cluster using kubectl
need oci cli
then setup kubeconfig in oci cli
create serviceaccount with clusteradmin role to access dashboard
use token to login
OCI Service Broker
- software to implement the Open service broker API
- enable cloud service lifecycle through devops tools (provision,bind,deprovision)
- specific to cloud vendor
- CI/CD -> OCI Registry -> OKE Cluster <- Service broker <- OCI Cloud services
OCI API, SDK, CLI
Diff ways to access OCI
- GUI Console
- REST API - References and end points
- Terraform
- SDK - custom solutions based on java, python, ruby, go; need OCI account, user ID, key pair
- Ansible
- CLI - required keys and OCID. oci setup to configure, bash or pip install oci
- Resource Manager
Key Management Overview
managed service to encrypt data
FIPS 140-2, Security level 3
create keys, disable keys, re-enable keys with key vault
rotate keys to meet your security governance and regulatory compliance needs; store in version
with IAM users and groups
vaults - logical entities to store keys
separate compartment for keys
users/groups need access to keys
Design Considerations
- regional service, replicate keys across 3 AD
- block volumes and object storage are integrated with key management
- rotating key will not re-encrypt data that was previously encrypted with old key version; only when customer modifies data
- no import or export of keys
- cannot delete keys, but can disable them; delete the key vault instead
- schedule vault deletion - 7-30 days
- cannot recover once deleted
pricing on vault - per hour
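An added example (not OCI Vault code) that models the behaviour in the design considerations above: rotation creates a new key version, records encrypted earlier stay readable under their old version (rotation does not re-encrypt them), and a version can be disabled and re-enabled rather than deleted. The cipher here is a toy HMAC-SHA256 counter-mode stream with an HMAC tag, chosen only so the example runs offline without third-party libraries; the vault class, blob layout and the demo walkthrough are all assumptions of this example.

```python
"""Toy versioned key vault illustrating key rotation semantics."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Set

TAG_LEN = 32
HEADER_LEN = 2 + 16  # version (2 bytes) || nonce (16 bytes)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive keystream as HMAC-SHA256(key, nonce || counter) blocks (toy PRF-CTR)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


@dataclass
class Vault:
    versions: Dict[int, bytes] = field(default_factory=dict)  # version -> key material
    disabled: Set[int] = field(default_factory=set)
    current: int = 0  # version used for new encryptions

    def rotate(self) -> int:
        """Create a new key version and make it current; older versions are kept."""
        self.current += 1
        self.versions[self.current] = secrets.token_bytes(32)
        return self.current

    def disable(self, version: int) -> None:
        self.disabled.add(version)

    def enable(self, version: int) -> None:
        self.disabled.discard(version)

    @staticmethod
    def version_of(blob: bytes) -> int:
        return int.from_bytes(blob[:2], "big")

    def encrypt(self, plaintext: bytes) -> bytes:
        """Return version || nonce || ciphertext || tag, bound to the current version."""
        key = self.versions[self.current]
        nonce = secrets.token_bytes(16)
        header = self.current.to_bytes(2, "big") + nonce
        ct = _xor(plaintext, _keystream(key, nonce, len(plaintext)))
        tag = hmac.new(key, header + ct, hashlib.sha256).digest()
        return header + ct + tag

    def decrypt(self, blob: bytes) -> bytes:
        """Use the key version recorded in the blob; refuse disabled versions."""
        version = self.version_of(blob)
        if version in self.disabled:
            raise PermissionError(f"key version {version} is disabled")
        key = self.versions[version]
        header, ct, tag = blob[:HEADER_LEN], blob[HEADER_LEN:-TAG_LEN], blob[-TAG_LEN:]
        expected = hmac.new(key, header + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("integrity check failed")
        return _xor(ct, _keystream(key, header[2:], len(ct)))


def rotation_demo() -> dict:
    """Walk through create -> encrypt -> rotate -> encrypt -> disable -> re-enable."""
    before, after = b"record written before rotation", b"record written after rotation"
    vault = Vault()
    vault.rotate()                      # version 1: key creation
    old_blob = vault.encrypt(before)
    vault.rotate()                      # version 2: rotation; old_blob is untouched
    new_blob = vault.encrypt(after)
    result = {
        "old_version": vault.version_of(old_blob),
        "new_version": vault.version_of(new_blob),
        "old_readable_after_rotation": vault.decrypt(old_blob) == before,
        "new_readable": vault.decrypt(new_blob) == after,
    }
    vault.disable(1)
    try:
        vault.decrypt(old_blob)
        result["old_readable_after_disable"] = True
    except PermissionError:
        result["old_readable_after_disable"] = False
    vault.enable(1)
    result["old_readable_after_reenable"] = vault.decrypt(old_blob) == before
    return result
```

The practical consequence for a defender: after a rotation, data encrypted under version 1 is still protected only by version 1, so "rotate the key" alone does not retire a suspected-compromised version; the data has to be rewritten, and disabling the old version breaks reads of anything not yet rewritten.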
IAM Overview
OCID - Oracle Cloud ID
Instance principal - for instance to make api calls
Authentication
- authenticate principal by
- username /password
- API Signing Key
- Auth Tokens - no expire
Authorization
- specified various actions an authenticated
IAM Mangement - Compartments
- sub compartments up to six levels deep
- at least one policy to access it
- subcompartments inherit access permissions from compartments higher up the hierarchy
Compartment Quotas
- similar to service limit but set by administrator using policies
- set, unset, zero
IAM Mangement - Policies
Verbs
- inspect - ability to list
- read - inspect + get user specified metadata
- use - read + ability to work with existing resources
- manage - include all permission for resource
Aggregated - all-resources, database-family, instance-family etc
Individual - individual resource
Permissions
- VOLUME_INSPECT, READ, VOLUME_WRITE,
API Operation
- ListVolume, GetVolume,CreateVolume
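An added example (not OCI's IAM engine) that evaluates policy statements the way the verb ladder above implies: inspect < read < use < manage, an aggregate resource type covers its member types, and a statement on a parent compartment also applies to its sub-compartments (the inheritance rule from the Compartments section). The statement grammar is the "Allow group ... to <verb> <resource-type> in compartment ..." form; the API-to-minimum-verb table, the volume-family membership, the compartment tree and the sample policies are assumptions constructed for this example.

```python
"""Evaluate group/verb/resource/compartment policy statements against API operations."""
import re
from typing import Dict, List, Optional, Set, Tuple

VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

# Aggregate resource types; None means "matches every resource type".
# volume-family membership here is an assumption of this example.
FAMILIES: Dict[str, Optional[Set[str]]] = {
    "all-resources": None,
    "volume-family": {"volumes", "volume-attachments", "volume-backups"},
}

# Illustrative assumption: API operation -> (resource type, minimum verb)
API_REQUIREMENTS: Dict[str, Tuple[str, str]] = {
    "ListVolumes": ("volumes", "inspect"),
    "GetVolume": ("volumes", "read"),
    "CreateVolume": ("volumes", "manage"),
}

# Constructed compartment tree: child -> parent (None = directly under the tenancy)
PARENT: Dict[str, Optional[str]] = {"Prod": None, "Prod-App": "Prod", "Dev": None}

STATEMENT = re.compile(
    r"^Allow group (?P<group>\S+) to (?P<verb>inspect|read|use|manage) "
    r"(?P<resource>\S+) in (?:compartment (?P<compartment>\S+)|tenancy)$",
    re.IGNORECASE,
)


def parse_statement(text: str) -> dict:
    """Parse one policy statement; raise on anything outside the supported grammar."""
    m = STATEMENT.match(text.strip())
    if not m:
        raise ValueError(f"unsupported statement: {text!r}")
    return {
        "group": m.group("group"),
        "verb": m.group("verb").lower(),
        "resource": m.group("resource").lower(),
        "compartment": m.group("compartment"),  # None when scoped to the whole tenancy
    }


def resource_matches(granted: str, required: str) -> bool:
    """An exact type matches itself; an aggregate matches its members."""
    if granted == required:
        return True
    if granted not in FAMILIES:
        return False
    members = FAMILIES[granted]
    return members is None or required in members


def compartment_chain(compartment: str) -> List[str]:
    """The compartment and all of its ancestors, walking up toward the tenancy."""
    chain: List[str] = []
    current: Optional[str] = compartment
    while current is not None:
        chain.append(current)
        current = PARENT[current]
    return chain


def is_allowed(policies: List[str], group: str, operation: str, compartment: str) -> bool:
    """True if some statement grants `group` at least the verb `operation` needs there."""
    resource, min_verb = API_REQUIREMENTS[operation]
    ancestors = compartment_chain(compartment)
    for stmt in map(parse_statement, policies):
        if stmt["group"] != group or not resource_matches(stmt["resource"], resource):
            continue
        in_scope = stmt["compartment"] is None or stmt["compartment"] in ancestors
        if in_scope and VERB_RANK[stmt["verb"]] >= VERB_RANK[min_verb]:
            return True
    return False


# Constructed policies for the walkthrough
POLICIES = [
    "Allow group Auditors to inspect volumes in compartment Prod",
    "Allow group Operators to use volume-family in compartment Prod",
    "Allow group Admins to manage all-resources in tenancy",
]
```

The useful check for least privilege is the negative cases: Auditors can list volumes in Prod but cannot read one, and Operators get use (not manage), so CreateVolume is refused even though the family grant looks broad.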
Common Policies
IAM Mangement - Tags
Tag Namespace - a container for set of tag keys with tag key definitions
Testing Cloud Native Applications
- mock - for testing
- fake - with working implementation
- stub - some data returns
Building block of testing
- unit tests
- service test/component level
- user interface tests
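An added example (using Python's unittest.mock, not any tool from the course) showing the three test doubles listed above standing in for the same dependency. The code under test is a constructed admission gate that asks a vulnerability scanner about an image and refuses images with critical findings; the scanner interface, the findings table and the image names are assumptions of this example.

```python
"""Stub vs fake vs mock, each replacing a vulnerability scanner under test."""
from typing import Dict, List
from unittest.mock import Mock


def admission_gate(image: str, scanner) -> bool:
    """Allow the image only if the scanner reports no CRITICAL finding.

    An image the scanner has never seen is refused (fail closed).
    """
    try:
        findings = scanner.scan(image)
    except LookupError:
        return False
    return not any(f["severity"] == "CRITICAL" for f in findings)


class StubScanner:
    """Stub: returns canned data whatever the input."""

    def scan(self, image: str) -> List[Dict[str, str]]:
        return [{"id": "STUB-1", "severity": "CRITICAL"}]


class FakeScanner:
    """Fake: a working in-memory implementation over a constructed findings table."""

    def __init__(self) -> None:
        self._db: Dict[str, List[Dict[str, str]]] = {
            "app:1.0": [{"id": "FAKE-1", "severity": "HIGH"}],
            "app:2.0": [{"id": "FAKE-2", "severity": "CRITICAL"}],
        }

    def scan(self, image: str) -> List[Dict[str, str]]:
        if image not in self._db:
            raise LookupError(f"{image} has never been scanned")
        return self._db[image]


def run_with_stub() -> bool:
    """The stub forces the critical-finding path regardless of image name."""
    return admission_gate("anything:latest", StubScanner())


def run_with_fake() -> Dict[str, bool]:
    """The fake behaves like a real scanner, including the unknown-image case."""
    fake = FakeScanner()
    return {image: admission_gate(image, fake) for image in ("app:1.0", "app:2.0", "app:3.0")}


def run_with_mock():
    """The mock records the interaction so the test can verify it, then returns the verdict."""
    scanner = Mock()
    scanner.scan.return_value = []
    allowed = admission_gate("app:9.9", scanner)
    scanner.scan.assert_called_once_with("app:9.9")  # verifies the gate actually scanned
    return allowed, scanner.scan.call_count
```

The mock is the only double that can prove the gate consulted the scanner at all; a stub or fake that returns "no findings" would also pass a gate that skipped the scan entirely.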
OCI Registry Service
Oracle Cloud Infrastructure Registry - OCIR
Fully managed
HA Docker v2 registry
private or public repo
full integration with OKE
OCI Registry is FREE
Only charges for OCI resources
Managing Repos in OCIR
- need proper permissions by policies
- users need username and auth token before being able to push/pull image
- docker login
.ocir.io
Pulling an image from OCIR for Kubernetes
- create a secret and use it as imagePullSecret
Image Retention Policies
not tagged for a certain period
not pulled for a certain period
not given particular tag
Hourly process to remove image
policies to retain/remove images
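An added example (not OCIR's own retention process) of the hourly sweep described above: an image is kept when any retention criterion applies (tagged within N days, pulled within N days, or carrying a retained tag) and selected for removal when none does. Reading the three conditions as "keep if any applies" is an assumption of this example, as are the image records, digests and policy values, all constructed here.

```python
"""Select images for removal under a retention policy."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Set


@dataclass
class Image:
    repo: str
    digest: str
    tags: Set[str]
    last_tagged_at: Optional[datetime]  # None: never tagged
    last_pulled_at: Optional[datetime]  # None: never pulled


@dataclass
class RetentionPolicy:
    keep_if_tagged_within_days: Optional[int] = None  # None: criterion not used
    keep_if_pulled_within_days: Optional[int] = None
    keep_tags: Set[str] = field(default_factory=set)


def _within(ts: Optional[datetime], days: Optional[int], now: datetime) -> bool:
    return ts is not None and days is not None and now - ts <= timedelta(days=days)


def is_retained(image: Image, policy: RetentionPolicy, now: datetime) -> bool:
    """Keep the image if any criterion holds."""
    if _within(image.last_tagged_at, policy.keep_if_tagged_within_days, now):
        return True
    if _within(image.last_pulled_at, policy.keep_if_pulled_within_days, now):
        return True
    return bool(image.tags & policy.keep_tags)


def select_for_removal(images: List[Image], policy: RetentionPolicy, now: datetime) -> List[str]:
    """Digests of images matching no retention criterion, in a stable order."""
    return sorted(img.digest for img in images if not is_retained(img, policy, now))


# Constructed sweep time and image records (digests are placeholders, not real hashes)
NOW = datetime(2024, 1, 31, tzinfo=timezone.utc)


def _days_ago(n: int) -> datetime:
    return NOW - timedelta(days=n)


SAMPLE_IMAGES = [
    Image("app", "sha256:constructed-a", {"v1.0"}, _days_ago(40), _days_ago(2)),   # pulled recently
    Image("app", "sha256:constructed-b", set(), None, _days_ago(60)),              # untagged, stale
    Image("app", "sha256:constructed-c", {"release"}, _days_ago(90), None),        # retained tag
    Image("app", "sha256:constructed-d", {"v0.9"}, _days_ago(10), None),           # tagged recently
    Image("app", "sha256:constructed-e", {"old"}, _days_ago(100), _days_ago(100)), # stale all round
]

SAMPLE_POLICY = RetentionPolicy(keep_if_tagged_within_days=30,
                                keep_if_pulled_within_days=30,
                                keep_tags={"release"})


def hourly_sweep() -> List[str]:
    """What one run of the removal process would delete for the constructed data."""
    return select_for_removal(SAMPLE_IMAGES, SAMPLE_POLICY, NOW)
```

Before enabling such a policy on a repo, dry-run it the way hourly_sweep does and review the list: a release image that is deployed but never re-pulled (nodes cache it) can look stale to the pull criterion, which is why the retained-tag criterion exists.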
Monitoring Service Overview
monitor cloud resources
supports metrics and alarms
compute, VCN, LB, block, object storage, notification, streaming
health, capacity, performance
email or pagerduty
metric query language (MQL)
metric is a measurement related to health, capacity or performance of a given resource
metric stream - aggregation of multiple metric data points
interval 1, 5, 60 min etc
dimension - name-value pairs
Grouping - groupBy() aggregates results by groups
statistics - count, max, mean, rate, min, sum, percentile
Alarms & States
- Firing - alarm triggered
- Reset - alarm not detecting the metric firing, metric no longer being emitted
- Suppress - avoid publishing messages during the specified time range eg maintenance
metric + alarm + topic
Events - Overview and Key Features
fully managed event-routing platform
using CNCF's CloudEvents (open source) standard
integration with Oracle Functions, Streaming, Notifications
Events - a structured and schematized message that denotes a change in resource
Rule - the object where a user defines which event they care about and which action to trigger if it occurs
Actions - the user-defined response to when an event occurs, eg: triggering a function, writing to a stream, sending a notification etc
Events - Core concepts
name & compartment -> trigger condition -> Action
max rules limit 50 / tenancy (can request more)
user defined response to a rule being matched
multiple actions can