TP Devops OCI Pro

Uploaded by

Meriem ABBOUD

Unauthorized reproduction or distribution prohibited. Copyright© 2024, Oracle University and/or its affiliates.

Oracle Cloud Infrastructure DevOps Professional

Activity Guide

S1106012GC10

Learn more from Oracle University at education.oracle.com

Copyright © 2023, Oracle and/or its affiliates.

Disclaimer

This document contains proprietary information and is protected by copyright and other intellectual property laws. The document may not be modified or altered in any way. Except where your use constitutes "fair use" under copyright law, you may not use, share, download, upload, copy, print, display, perform, reproduce, publish, license, post, transmit, or distribute this document in whole or in part without the express authorization of Oracle.

The information contained in this document is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing.

Restricted Rights Notice

If this documentation is delivered to the United States Government or anyone using the documentation on behalf of the United States Government, the following notice is applicable:

U.S. GOVERNMENT END USERS: Oracle programs (including any operating system, integrated software, any programs embedded, installed or activated on delivered hardware, and modifications of such programs) and Oracle computer documentation or other Oracle data delivered to or accessed by U.S. Government end users are "commercial computer software" or "commercial computer software documentation" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, the use, reproduction, duplication, release, display, disclosure, modification, preparation of derivative works, and/or adaptation of i) Oracle programs (including any operating system, integrated software, any programs embedded, installed or activated on delivered hardware, and modifications of such programs), ii) Oracle computer documentation and/or iii) other Oracle data, is subject to the rights and limitations specified in the license contained in the applicable contract. The terms governing the U.S. Government's use of Oracle cloud services are defined by the applicable contract for such services. No other rights are granted to the U.S. Government.

Trademark Notice

Oracle®, Java, MySQL, and NetSuite are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.

Intel and Intel Inside are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. AMD, Epyc, and the AMD logo are trademarks or registered trademarks of Advanced Micro Devices. UNIX is a registered trademark of The Open Group.

Third-Party Content, Products, and Services Disclaimer

This documentation may provide access to or information about content, products, and services from third parties. Oracle Corporation and its affiliates are not responsible for and expressly disclaim all warranties of any kind with respect to third-party content, products, and services unless otherwise set forth in an applicable agreement between you and Oracle. Oracle Corporation and its affiliates will not be responsible for any loss, costs, or damages incurred due to your access to or use of third-party content, products, or services, except as set forth in an applicable agreement between you and Oracle.

1111142023

Table of Contents

Configuration Management and Infrastructure as Code: Leverage Ansible Collection to Provision and Manage Resources in Oracle Cloud
  Get Started
  Install the Oracle Cloud Infrastructure Ansible Collection
  Launch and Terminate a Compute Instance Using Ansible Playbook
  Purge Instructions

Configuration Management and Infrastructure as Code: Deploy a Web App to Multiple Compute Instances
  Get Started
  Set Up the Lab Environment
  Configure Ansible Resources and Playbook
  Execute Ansible Playbook to Install and Configure Apache Hosts
  Purge Instructions

Configuration Management and Infrastructure as Code: Create a Reusable VCN Configuration with Terraform
  Get Started
  Initialize Your Terraform Script
  Create and Destroy a VCN Using Terraform
  Create and Destroy a VCN Using Resource Manager
  Purge Instructions

Configuration Management and Infrastructure as Code: Replicate an Existing Load Balancer Using Terraform Configuration Scripts and OCI Resource Manager
  Get Started
  Set Up the Lab Environment
  Generate Terraform Script with Resource Manager
  Edit Auto-Generated Terraform Script
  Provision Infrastructure Based on the Auto-Generated Terraform Configuration
  Purge Instructions

Configuration Management and Infrastructure as Code: Create a Custom Stack to Deploy a HA Load Balanced Simple Web Application
  Get Started
  Create SSH Keys Using Cloud Shell

  Create Custom Resource Manager Stack
  Plan & Apply Jobs
  Destroy Job
  Purge Instructions

Microservice and Container Orchestration: Create Docker Image for a Web Application Using Dockerfile
  Get Started
  Access the Dockerfile
  Build the Docker Image
  Run Your Docker Image as a Container
  Access the Web Application Running Within the Container
  Delete the Docker Container

Microservices and Container Orchestration: Manage OCIR and Push and Pull Images Using Docker CLI
  Get Started
  Create an Auth Token
  Create a New Container Repository
  Sign In to OCIR from the Cloud Shell
  Tag the Docker Image
  Push the Tagged Docker Image to OCIR Repository
  Verify if the Image Has Been Pushed
  Pull the Image from OCIR Repository

Microservices and Orchestration: Set Up OKE Cluster Access
  Get Started
  Set Up the kubeconfig File
  Run kubectl Commands Against Kubernetes Clusters
  Purge Instructions

Microservice and Container Orchestration: Deploy a Sample Web Application on an OKE Cluster Using kubectl
  Get Started
  Create a Kubernetes (OKE) Secret
  Add the Secret and the Image Path to the Deployment Manifest
  Deploy the Sample Web Application to OKE Cluster
  Verify if the Sample Web Application Is Accessible
  Clean Up the Resources Deployed Within OKE Cluster

Continuous Integration and Continuous Delivery: Work with Code Repositories in OCI DevOps Project
  Get Started
  Create a Personal Access Token in GitHub
  Create Keys and Vault Secrets
  Create a DevOps Project
  Create an External Connection
  Mirror Your GitHub Repository
  Create an OCI Code Repository in Your DevOps Project
  Clone OCI Code Repository in Your Cloud Shell Session
  Perform Basic Git Operations on the Code Repository

Continuous Integration and Continuous Delivery: Create an Artifact Registry and Set Up Artifacts and Environments in a DevOps Project
  Get Started
  Create a Repository to Store and Manage Artifacts
  Add Container Image Repository Artifact to Store Docker Images
  Create a Reference to Kubernetes Manifest
  Create a DevOps Environment

Continuous Integration and Continuous Delivery: Automate Web App Deployment to an OKE Cluster Using OCI DevOps CI CD Pipeline
  Get Started
  Prepare the Kubernetes Deployment Manifest for Automated Deployment
  Create DevOps Build Pipeline and Build Stages
  Create DevOps Deployment Pipeline and Deploy Stage
  Create a Trigger Deployment Stage in Build Pipeline
  Automate Sample Web Application Deployment to OKE Cluster
  View the Artifacts Generated as Part of the Automated Build

Monitoring - Notification: Configure Alarms with Notifications and Create Monitoring Queries
  Get Started
  Validate Build Run and Deployment
  Configure Notifications
  Monitor Build Execution Time
  Monitor Build Success
  Monitor Deployment Failure
  Create Monitoring Queries

  Purge Resources

Logging Services: Manage DevOps Project Log Using OCI Console
  Get Started
  Configure Logs for DevOps Project
  Run the Build
  Search Your Logs
  Purge Instructions

Event Service: Define Rules that Trigger a Specific Action When a DevOps Event Occurs
  Get Started
  Configure a Notification
  Create an Event Rule
  Validate Event Rule by Running a Build
  Purge Instructions

Continuous Integration and Continuous Delivery: Deploy a Sample Web Application to an OKE Cluster Using Helm Chart Deployment in OCI DevOps
  Get Started
  Create a DevOps Project and Manage Code Repositories
  Create OCI Repositories for Container Image and Helm Chart
  Set Up Artifacts and Environments for Your DevOps Project
  Create DevOps Build Pipeline and Build Stages
  Create DevOps Deployment Pipeline and Deploy Stage
  Create a Trigger Deployment Stage in Build Pipeline
  Set Up the kubeconfig File and Create a Kubernetes Namespace
  Automate Sample Web Application Deployment to OKE Cluster Using Helm Chart
  View the Artifacts Generated as Part of the Automated Build
  Purge Instructions

DevSecOps: Generate a Key Using OCI Vault Service to Perform Cryptographic Operations
  Get Started
  Prepare for Master Encryption Key
  Create Master Encryption Key
  Prepare for Encryption and Decryption
  Perform Encryption
  Perform Decryption
  Rotate the Master Encryption Key
  Purge Instructions

DevSecOps: Scan Container Image for Vulnerabilities
  Get Started
  Create an Auth Token
  Create a New Container Repository
  Enable Image Scanning
  Sign In to OCIR from the Cloud Shell
  Pull the Docker Image
  Tag the Docker Image
  Push the Tagged Docker Image to OCIR
  Verify If the Image Has Been Pushed
  View Scan Results
  View Vulnerability Reports
  View Container Image Scans
  Export a Vulnerability Report
  Purge Instructions

DevSecOps: Sign and Verify Container Image in OCIR
  Get Started
  Create an Auth Token
  Create a Container Registry
  Pull a Sample Image from Docker Hub
  Tag and Push the Image to Container Registry
  Create a Master Encryption Key in OCI Vault
  Create an Image Signature using the OCI CLI
  View Signed Image and Verify Image Signature
  Purge Instructions

Lab 01-1 Practices

Configuration Management and Infrastructure as Code: Leverage Ansible Collection to Provision and Manage Resources in Oracle Cloud

Estimated time: 30 minutes

Get Started

Overview

Oracle Cloud Infrastructure Ansible Collection provides an easy way to provision and manage resources in Oracle Cloud using Ansible. Ansible playbooks automate configuration, deployment, and orchestration tasks. Ansible playbooks use a declarative language (YAML) that allows you to describe infrastructure configuration, deployment policy, and the orchestration of complex process steps. The basic Ansible setup is very easy, and the Oracle-provided example playbooks in Git are a good base for starting your infrastructure automation project. Oracle provides example Ansible playbooks for Compute, Block Volumes, Database, File Storage, IAM, Load Balancer, Private Subnets with VPN, Delete Objects, and so on. In this lab, you will learn how easy it is to bring Ansible and Oracle Cloud Infrastructure together.

In this lab, you'll:

a. Install the Oracle Cloud Infrastructure Ansible Collection
b. Launch and terminate a compute instance using Ansible Playbook

For more information on OCI Ansible Collection, see the OCI Ansible Collection Documentation.


Prerequisites

• You must have an Oracle Cloud Infrastructure account.
• You must have basic knowledge of Linux commands.
• You must have the necessary credentials and OCID information:
  − Image OCID to be used if this lab is being practiced in the us-ashburn-1 region:
    ocid1.image.oc1.iad.aaaaaaaa33a3lofqhzh5wvpi34fnsqiwdwaytjls52pksm7r5kinnp6ew3na
  − Region-wise image OCID list:
    https://docs.oracle.com/en-us/iaas/images/image/3baec0b4-4bac-4cb0-ac1d-621846621396/


Install the Oracle Cloud Infrastructure Ansible Collection

You will install the OCI Ansible collection from Ansible Galaxy.

Tasks

1. Sign in to your Oracle Cloud Infrastructure (OCI) account.

2. Open the Cloud Shell from the Developer tools listed in the OCI console header.

Note: The OCI CLI running in the Cloud Shell will execute commands against the region
selected in the Console's region selection menu when the Cloud Shell was started.

3. Install the OCI Ansible collection from Ansible Galaxy.

$ ansible-galaxy collection install oracle.oci

4. Test the installation.

$ ansible localhost -m oracle.oci.oci_object_storage_namespace_facts

On successful execution, this command will return your object storage namespace.

For example,

localhost | SUCCESS => {
    "changed": false,
    "namespace": "oracletenancy"
}

5. Clone the GitHub repository on Cloud Shell.

$ git clone https://github.com/ou-developers/launch_compute_instance

6. Switch to the cloned repository.

$ ls
$ cd launch_compute_instance


Launch and Terminate a Compute Instance Using Ansible Playbook

You will learn how to use an Ansible playbook to automate launching a compute instance and
connecting to it using SSH.

Tasks

1. Open Code Editor from the Developer tools listed in the OCI console header.

2. The tool bar is on the left side of the Code Editor window. Click the Explorer (top) icon
from the left side menu within the Code Editor window.

Browse to the launch_compute_instance directory to view the various files you have
in the directory, including sample.yaml, setup.yaml, and teardown.yaml.

• The sample.yaml file is the main playbook, which consists of the tasks required to
set up a compute instance using Infrastructure as Code (IaC).

• The setup.yaml file contains tasks to perform pre-checks for environment
variables and to set up the other networking resources required for the launch of the
compute instance. This is imported in the sample.yaml file at the start.

• The teardown.yaml file contains tasks to terminate all the resources created in
this lab. The sample.yaml file imports the teardown.yaml file and executes it
as part of the play towards the end.


3. Now switch to the Cloud Shell window. Set the environment variables.

a. Set Image OCID

$ export SAMPLE_IMAGE_OCID=<IMAGE_OCID>

Where,
• The <IMAGE_OCID> is the OCID of the image originally used to launch the instance.

For example,

$ export SAMPLE_IMAGE_OCID=ocid1.image.oc1.iad.aaaaaaaa33a3lofqhzh5wvpi34fnsqiwdwaytjls52pksm7r5kinnp6ew3na

Note: For the <IMAGE_OCID>, use the image OCID that is provided in the example if
the region you are working in is us-ashburn-1. If you are working in a different
region, then use the image OCID for that region (see the region-wise image OCID list
under Prerequisites).

b. Set Compartment OCID

$ export SAMPLE_COMPARTMENT_OCID=<COMPARTMENT_OCID>

Where,
• The <COMPARTMENT_OCID> is the OCID of the compartment containing the instance
you want to use as the basis for the image.

Replace the <COMPARTMENT_OCID> with the OCID of the compartment assigned to
you.

To get the OCID for the compartment where the compute instance is to be launched:

a) In the Console, open the navigation menu and click Identity & Security.
Under Identity, click Compartments.

b) A list of the compartments in your tenancy is displayed.

c) A shortened version of the OCID is displayed next to each compartment.

d) Search for your <assigned compartment> and click the shortened OCID
string to view the entire value in a pop-up. Click Copy to copy and save the
OCID.

For example,
$ export SAMPLE_COMPARTMENT_OCID=ocid1.compartment.oc1..xxxxxxxxycxxxxxx0347034703470347000000o3hx2exkz5pzi6kt4xxxxxx


c. Set Availability Domain name

$ export SAMPLE_AD_NAME=<SAMPLE_AD_NAME>

Where,
• The <SAMPLE_AD_NAME> is the availability domain in your tenancy that you want the
instance to be hosted in.

To get the availability domain names in your tenancy where the compute instance is to be
launched:

a) Open the navigation menu and click Compute. Under Compute, click
Instances.

b) Click Create instance.

c) Locate the Placement section on the page, and under the Availability
domain, copy the complete name from any one of the availability domains
listed. Refer to the screenshot given below.

d) Set the SAMPLE_AD_NAME environment variable to the name copied above.

For example,

$ export SAMPLE_AD_NAME=yQUJ:US-ASHBURN-AD-1

4. Check if the environment variables are set.

$ echo $SAMPLE_IMAGE_OCID
$ echo $SAMPLE_COMPARTMENT_OCID
$ echo $SAMPLE_AD_NAME

The output of these commands will return the OCIDs and name set in the previous step.


5. When you execute the ansible-playbook command, the infrastructure is created; key
generation, network configuration, firewall rule setup, instance creation, etc. are all
automated.

Run the following command:

$ ansible-playbook sample.yaml

After a few minutes, the complete infrastructure for an OCI compute instance is created, and
the playbook connects to the instance using SSH and shows the response on the screen.

Note: Since the teardown.yaml file is called within the sample.yaml file, the termination of
the resources will take place immediately.

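The echo check in step 4 only shows that the variables hold something; it does not catch an OCID that wrapped across lines when copied, a leftover <IMAGE_OCID> placeholder, or values pasted into the wrong variable. The following pre-flight check is an added example, not part of the lab repository: the function and file names are hypothetical, the OCID layout follows the OCI documentation, and the availability domain pattern is an assumption generalized from the yQUJ:US-ASHBURN-AD-1 example above.

```shell
#!/bin/sh
# Added example: pre-flight check for the three variables exported in step 3.
# OCID layout (OCI documentation):
#   ocid1.<resource-type>.<realm>.[region][.future-use].<unique-id>

# ocid_field VALUE N -> print the Nth dot-separated field of an OCID.
ocid_field() {
  printf '%s\n' "$1" | cut -d. -f"$2"
}

# is_ocid VALUE TYPE -> succeed only if VALUE is a well-formed OCID of TYPE.
# The body runs in a subshell so the IFS and locale changes do not leak out.
is_ocid() (
  LC_ALL=C
  value=$1
  want=$2
  case "$value" in
    # empty, wrapped across lines, still a <PLACEHOLDER>, or ends in a dot
    '' | *[!a-z0-9._-]* | *.) exit 1 ;;
  esac
  IFS=.
  set -- $value                 # split on dots; an empty region field is kept
  [ "$#" -eq 5 ] || [ "$#" -eq 6 ] || exit 1
  [ "$1" = ocid1 ] && [ "$2" = "$want" ] && [ -n "$3" ]
)

# is_ad_name VALUE -> succeed if VALUE looks like <prefix>:<REGION>-AD-<n>.
# Assumption: pattern generalized from the lab's example value.
is_ad_name() (
  LC_ALL=C
  case "$1" in
    *[!A-Za-z0-9:-]*) exit 1 ;;
    ?*:?*-AD-[0-9]) exit 0 ;;
  esac
  exit 1
)

# check_lab_env -> 0 when all three variables are plausible, 1 otherwise.
# Problems go to stderr, one line per variable.
check_lab_env() {
  lab_env_rc=0
  if ! is_ocid "${SAMPLE_IMAGE_OCID:-}" image; then
    echo "SAMPLE_IMAGE_OCID: unset or not an image OCID" >&2
    lab_env_rc=1
  fi
  # The root compartment's OCID is the tenancy OCID, so accept both types.
  if ! is_ocid "${SAMPLE_COMPARTMENT_OCID:-}" compartment &&
     ! is_ocid "${SAMPLE_COMPARTMENT_OCID:-}" tenancy; then
    echo "SAMPLE_COMPARTMENT_OCID: unset or not a compartment OCID" >&2
    lab_env_rc=1
  fi
  if ! is_ad_name "${SAMPLE_AD_NAME:-}"; then
    echo "SAMPLE_AD_NAME: unset or not an availability domain name" >&2
    lab_env_rc=1
  fi
  if [ "$lab_env_rc" -eq 0 ]; then
    # Image OCIDs are region-specific: show the region key for a manual check.
    echo "image OCID region key: $(ocid_field "$SAMPLE_IMAGE_OCID" 4)" \
         "(must match the region Cloud Shell was started in)"
  fi
  return "$lab_env_rc"
}

# Usage in Cloud Shell (file name is hypothetical):
#   . ./check_lab_env.sh && check_lab_env && ansible-playbook sample.yaml
```

With the lab's example values, the reported region key is iad, which is the key the us-ashburn-1 image OCID carries.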

View the Provisioned Compute Instance

You can also view the compute instance that was provisioned by the Ansible playbook.

a. Open the navigation menu. Under Compute, click Instances and select your
<assigned compartment> from List scope on the left menu.

You will see the compute instance provisioned by the Ansible playbook with the name
my_test_instance in Terminating/Terminated state.

Congratulations! You were able to install the OCI Ansible collection to launch and later
terminate a compute instance using the Ansible playbook.


Purge Instructions

Unset the Exported Variables

1. In the Cloud Shell, run the following commands:

$ unset SAMPLE_IMAGE_OCID
$ unset SAMPLE_COMPARTMENT_OCID
$ unset SAMPLE_AD_NAME


Configuration Management and Infrastructure as Code:
Deploy a Web App to Multiple Compute Instances

Lab 02-1 Practices

Estimated Time: 30 minutes

Get Started

Overview

Ansible Playbooks automate configuration, deployment, and orchestration tasks. Ansible
Playbooks use a declarative language (YAML) that allows you to describe infrastructure
configuration, deployment policy, and the orchestration of complex process
steps. OCI provides a set of example playbooks for you to use.

In this lab, you will learn how to install and configure an Apache webserver using an Ansible
Playbook. Additionally, you will learn how to spin up the Apache application and deploy it
to two compute instances.

In this lab, you’ll:

a. Set up the lab environment.

b. Configure Ansible resources and playbook.

c. Execute Ansible playbook to install and configure Apache hosts.

For more information on OCI Ansible Collection, see the OCI Ansible Collection
Documentation.

Assumptions

• You are signed in to your Oracle Cloud Infrastructure (OCI) account using your
credentials.
• You are familiar with basic Linux commands.
• This lab assumes you’re working in the Ashburn region. The resource naming
convention (iad) used in this lab is according to Ashburn.
If you’re working in a different region, change the resource names accordingly. For
example, for Phoenix, use phx.


Set Up the Lab Environment

You will create a VCN with two compute instances in a public subnet and an SSH key pair to
establish secure client/server connections via SSH to running instances in the cloud.

Create a VCN

1. Open the navigation menu, click Networking, and then click Virtual Cloud Networks.

2. Select your <assigned compartment> from List scope on the left menu.

3. Click Start VCN Wizard.

a. Select Create VCN with Internet Connectivity, and then click Start VCN Wizard.

b. Enter the following values in the form:

• VCN Name: IAD-DOP-LAB02-1-VCN-01
• Compartment: Select your <assigned compartment>.
• Configure VCN and Subnets: Leave the CIDR blocks as their defaults.
• Accept the defaults for all other fields.

4. Click Next.

5. Review the list of resources that the wizard will create for you. Notice that the wizard will
set up security list rules and route table rules to enable basic access for the VCN.

6. Click Create to create the components.

7. After the components are created, click View Virtual Cloud Network.

8. On the left menu under Resources, click Security Lists to view the VCN’s security lists.

9. Click the Default Security List for IAD-DOP-LAB02-1-VCN-01 to view its details. By
default, you land on the Ingress Rules page.

10. Click Add Ingress Rules.

11. Enter the following values in the form to enable traffic from any source IP address
(represented as 0.0.0.0/0) to destination port 80 only (TCP protocol):
• Stateless: Deselect the box (this is a stateful rule).
• Source Type: Select CIDR.
• Source CIDR: 0.0.0.0/0
• IP Protocol: Select TCP
• Source Port Range: All
• Destination Port Range: 80

12. Click Add Ingress Rules.

Create SSH Keys in Cloud Shell

You will create an SSH key pair to connect to your environment.

1. Open Cloud Shell.

2. Once the Cloud Shell session is initiated, create the .ssh directory and then move to it
(skip the mkdir command if the directory already exists).
$ mkdir ~/.ssh
$ cd ~/.ssh

3. Create a new public and private key pair.
$ ssh-keygen -b 2048 -o -t rsa -f key-lab02-<userID>

Where,
key-lab02-<userID> is the key name. Replace <userID> with your user ID. You will
use this key name to connect to the compute instances you create.

For example,
$ ssh-keygen -b 2048 -o -t rsa -f key-lab02-user22

4. Press Enter twice on your keyboard to skip entering the passphrase.

Note: A passphrase is an additional layer of security. It protects your private
key from being used by someone who doesn’t know the passphrase.

5. List the two key files (public and private key) that you just created.

$ ls

You will observe two files listed in the output. One is the private key (key-lab02-user22),
and the other is the public key (key-lab02-user22.pub). Your files will
have your user ID in place of user22.

Note: You must never share the private key with anyone.

6. Run the following command to view the contents of the public key:
$ cat key-lab02-<userID>.pub


For example,
$ cat key-lab02-user22.pub

The output is a single long line: the key type (ssh-rsa), the base64-encoded public key,
and a comment of the form user@host.

7. Copy the contents of the public key and save it to your notepad. Later, when pasting the
key into the compute instance, make sure you remove any extra lines/characters that
may have been added while copying.

Create Compute Instances

1. Open the navigation menu and click Compute. Under Compute, click Instances.

2. Click Create instance and enter the following details:

a. Name: IAD-DOP-LAB02-1-VM-01

b. Create in compartment: Select your <assigned compartment>.

c. Placement: Select AD1

d. Image and Shape:

1) Image: Oracle Linux 8.x (latest version)

2) Click Change shape.

Select Ampere in Shape series and select the VM.Standard.A1.Flex shape name
with 1 OCPU and change Amount of memory (GB) to 2 GB. Click Select
shape.


e. In the Networking section:

1) Primary network: Select existing virtual cloud network option

2) Virtual cloud network in <assigned compartment>: Select your existing VCN, that
is, IAD-DOP-LAB02-1-VCN-01.

3) Subnet: Choose Select existing subnet option.

4) Subnet in <assigned compartment>: Select your existing public subnet, that is,
Public Subnet-IAD-DOP-LAB02-1-VCN-01.

5) Check the Assign a public IPv4 address option.

f. Under Add SSH keys: Select Paste public keys and paste the contents of the public key
key-lab02-user22.pub that you copied to your notepad earlier.

g. In the Boot volume section, leave all options as default.

3. Click Create.

4. Repeat steps 1 to 3 to create a second instance named IAD-DOP-LAB02-1-VM-02.

5. Wait for both the instances to transition to the RUNNING state.


Configure Ansible Resources and Playbook

You will set up Ansible clients to install and configure the web server.

Tasks

1. Within Cloud Shell, clone the GitHub repository to access the Ansible Playbook and the
host file to install and configure the Apache webserver.

$ cd ~
$ git clone https://github.com/ou-developers/devops-lab02-ansible.git

2. Navigate to the cloned directory.

$ cd ~/devops-lab02-ansible

3. Open Code Editor. The tool bar is on the left side of the Code Editor window. Click
the Explorer (top) icon from the left-side menu within the Code Editor window.

Browse to the cloned Git directory to view the various files you have in the directory
including index.html, hosts.yaml, and playbook.yaml for configuring Apache
webserver.

4. The hosts.yaml file contains a list of hosts which Ansible will be interacting with. In the
hosts.yaml file, you will add the Public IP Addresses of the compute instances you
created earlier.

a. Open the hosts.yaml file for editing by clicking it.

b. Replace the <public-ip-vm1> and <public-ip-vm2> placeholders in the file with
the public IP addresses of the compute instances you created earlier.

Note: YAML files are sensitive to code indentation. Make sure you follow the indentation
properly.


c. To get the Public IP Address for compute instances:

1) Open the navigation menu and click Compute. Under Compute, click Instances.

2) Copy the Public IP Address from the instance table for both the instances.
• IAD-DOP-LAB02-1-VM-01
• IAD-DOP-LAB02-1-VM-02

Your hosts.yaml file will look like this:

Note: You must insert a colon (:) at the end of each IP.

5. Save the changes by clicking File and Save.


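Before the playbook is run against the edited inventory, the points called out above and in the SSH key section (placeholders replaced, a colon after each IP, clean indentation, a private key nobody else can read) can be checked mechanically. This is an added example, not part of the devops-lab02-ansible repository: the function and file names are hypothetical, and the checks assume host entries are indented IPv4 addresses used as YAML mapping keys, as the notes above describe.

```shell
#!/bin/sh
# Added example: checks to run before `ansible-playbook -i hosts.yaml ...`.

# inventory_problems FILE -> print one line per problem; no output means OK.
# The body runs in a subshell so its variables do not leak into the caller.
inventory_problems() (
  LC_ALL=C
  file=$1
  if [ ! -r "$file" ]; then
    echo "cannot read inventory: $file"
    exit 0
  fi
  tab=$(printf '\t')

  # Placeholders shipped in the repository file that were never replaced.
  grep -n '<public-ip-vm[0-9]*>' "$file" |
    sed 's/^\([0-9]*\):.*/line \1: placeholder not replaced/'

  # YAML forbids tab characters in indentation.
  grep -n "^ *$tab" "$file" |
    sed 's/^\([0-9]*\):.*/line \1: tab used for indentation/'

  # A host entry is a mapping key, so a bare IPv4 address needs a colon.
  grep -nE '^ +[0-9]{1,3}(\.[0-9]{1,3}){3} *$' "$file" |
    sed 's/^\([0-9]*\):.*/line \1: host entry has no trailing colon/'

  # The lab targets exactly two instances.
  hosts=$(grep -cE '^ +[0-9]{1,3}(\.[0-9]{1,3}){3}: *$' "$file" || true)
  [ "$hosts" -eq 2 ] || echo "expected 2 host entries, found $hosts"
)

# key_is_private FILE -> succeed if FILE is a regular file that grants no
# access to group or others (ssh refuses private keys that others can read).
key_is_private() {
  [ -f "$1" ] || return 1
  [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# preflight_lab02 INVENTORY KEY -> 0 when both checks pass, 1 otherwise.
preflight_lab02() {
  problems=$(inventory_problems "$1")
  if [ -n "$problems" ]; then
    printf '%s\n' "$problems" >&2
    return 1
  fi
  if ! key_is_private "$2"; then
    echo "$2: missing, or accessible by group/others (chmod 600)" >&2
    return 1
  fi
  return 0
}

# Run the checks when called with two arguments, for example:
#   sh preflight_lab02.sh hosts.yaml "$HOME/.ssh/key-lab02-user22"
if [ "$#" -eq 2 ]; then
  preflight_lab02 "$1" "$2" || exit 1
fi
```

Pass the key path with $HOME rather than a quoted "~", because the shell does not expand a tilde inside double quotes.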


Execute Ansible Playbook to Install and Configure Apache Hosts

You will review the Ansible Playbook code piece by piece and will execute it to install and
configure the Apache webserver in the two compute instances you created earlier in this lab.

Tasks

1. Open the playbook.yaml file in the Code Editor and review the code.

The code snippet should look like this:

Where,
• name tag at the beginning of the playbook specifies the play name.
• hosts tag specifies the lists of hosts. The hosts tag is mandatory. It tells Ansible on
which hosts to run the listed tasks.
• remote_user tag specifies the user used to log in to the target hosts.
• become: true denotes the privilege escalation to sudo.
• tasks field contains the names and list of tasks to be performed. Tasks are the
actions to be performed on the hosts.

Your code has four tasks:

1) Ensure Apache is at the latest version.

This task uses the ansible.builtin.yum module, which installs, removes,
upgrades, and downgrades packages using yum.

• name tag specifies the rpm to be installed. Here httpd will be installed.

• state tag specifies the rpm version to be installed. latest denotes that the
latest available httpd version will be installed.

2) Ensure Apache is running.

This task uses the ansible.builtin.service module, which controls services
on remote hosts.
• name tag specifies the service to be controlled. It’s httpd in this case.
• state tag specifies the state in which the service should be. started
ensures that the HTTP service is running.

3) Copying file with playbook.

This task uses the ansible.builtin.copy module, which is used to copy a
file.
• src tag specifies the source file ~/devops-lab02-ansible/index.html.
• dest tag specifies the destination directory /var/www/html.
• owner tag specifies the user ownership for the copied file. Here the owner is
user apache.
• group tag specifies the group ownership for the copied file. Here the group
owner is apache.
• mode tag specifies the permissions 0644 for the copied file.

4) Permit traffic in default zone for http service.

This task uses the ansible.posix.firewalld module, which is used to
add or remove services and ports in firewall rules.


• service tag specifies the service to be added or removed from firewall.
Here http is to be added.
• permanent tag specifies if the service configuration will be persistent across
reboots. Set it to true to make the http service rule persistent.
• state tag specifies the service state. Set it to enabled to enable the http
service.
• immediate tag applies the configuration immediately if the value is set to
true.

2. To launch a terminal panel in Code Editor, right-click the devops-lab02-ansible
directory and click Open in terminal.

3. Close the code editor and in the Cloud Shell, execute the Ansible Playbook:

$ ansible-playbook -i hosts.yaml playbook.yaml --key-file "~/.ssh/key-lab02-<userID>"

Replace <userID> with your user ID.
For example,
$ ansible-playbook -i hosts.yaml playbook.yaml --key-file "~/.ssh/key-lab02-user22"

4. After the playbook execution completes, both compute instances will have Apache installed
with incoming HTTP traffic allowed by the firewall.

The output should look like this (IP addresses have been censored):

5. To test whether the web server is running, enter the Public IP Addresses of the two
Ansible clients (IAD-DOP-LAB02-1-VM-01 and IAD-DOP-LAB02-1-VM-02) into a
Web browser’s address bar and press Enter.

You will see a webpage that looks like this:


Purge Instructions

There are no purge instructions for this practice.

The resources created in this Lab must be retained as they will be used in the
Configuration Management and Infrastructure as Code: Replicate an existing Load
Balancer using terraform configuration scripts and OCI Resource manager (Lab 04-1) Lab.


Configuration Management and Infrastructure as Code:
Create a Reusable VCN Configuration with Terraform

Lab 03-1 Practices

Estimated time: 30 minutes

Get Started

Overview

There are multiple ways to create a VCN and subnet in the Oracle Cloud Console. Particularly if
you want to launch several VCNs with the same configuration, it’s beneficial to use Terraform
or Resource Manager to streamline and automate that process. Terraform can manage low-level
components such as compute, storage, and networking resources, as well as high-level
components such as DNS entries and SaaS features.

You’ll launch and destroy a VCN and subnet by creating Terraform automation scripts and
issuing commands in Code Editor. Thereafter, you’ll download those Terraform scripts and
create a stack by uploading them into Oracle Cloud Infrastructure Resource Manager. You’ll
then use that service to launch and destroy the same VCN and subnet.

In this lab, you’ll:

a. Initialize your Terraform script.

b. Create and destroy a VCN using Terraform.

c. Create and destroy a VCN using Resource Manager.

For more information on Terraform Provider, see the OCI Terraform Provider
Documentation and for OCI Resource Manager, see the OCI Resource Manager
Documentation.


Assumptions

• You are signed in to your Oracle Cloud Infrastructure (OCI) account using your
credentials.
• You are familiar with basic Linux commands.
• This lab assumes you’re working in the Ashburn region. The resource naming
convention (iad) used in this lab is according to Ashburn.
If you’re working in a different region, change the resource names accordingly. For
example, for Phoenix, use phx.


Initialize Your Terraform Script

You’ll review and initialize your Terraform script.

Tasks

1. Click the Cloud Shell icon at the right of the OCI Console header.

Note: The OCI CLI running in the Cloud Shell will execute commands against the region
selected in the Console's region selection menu when the Cloud Shell was started.

2. Within Cloud Shell, clone the GitHub repository to access the Terraform scripts to launch
and destroy a VCN and subnet.
$ cd ~
$ git clone https://github.com/ou-developers/devops-lab03-terraform.git

3. Navigate to the cloned directory.

$ cd devops-lab03-terraform/

4. Open Code Editor. Code Editor allows you to view the files and source code present in
the home directory within the Cloud Shell terminal.

The tool bar is on the left side of the Code Editor window. Click the Explorer (top) icon
from the left-side menu within the Code Editor window.

5. Browse to the cloned Git directory devops-lab03-terraform to view the various files
you have in the directory including vcn.tf, terraform.tfvars, and
variables.tf files.

Review the vcn.tf file that contains code to configure OCI Terraform.

6. Right-click the devops-lab03-terraform folder from the left menu in Code Editor and
open a new terminal by clicking Open in Terminal.

7. A new terminal opens in the split window as shown:

8. Initialize this directory for Terraform by running the following command in the new
terminal window.
$ terraform init

9. Use ls -a and you should see that Terraform has created a hidden directory and file.


Create and Destroy a VCN Using Terraform

Terraform uses providers to interface between the Terraform engine and the supported cloud
platform. The Oracle Cloud Infrastructure (OCI) Terraform provider is a component that
connects Terraform to the OCI services that you want to manage.

You’ll create a Terraform script that will launch a VCN and subnet. You’ll then alter your script
and create two additional files that will apply a compartment OCID variable to your Terraform
script.

Tasks

Edit Your Terraform Script

1. Open Code Editor and edit the vcn.tf file in the cloned directory devops-lab03-terraform
as follows:

a. Uncomment the VCN declaration code block by deleting the # at the start of the
following lines as marked using the arrows.


b. Your code block should look like this:

Note: Replace <your_assigned_compartment_ocid> with your assigned
compartment OCID.

To get your Compartment OCID:

1) Navigate to Identity & Security, and click Compartments.

2) Find your compartment name, hover the cursor over the OCID, and click
Copy. Make sure you save the Compartment OCID in a notepad for later
use.

This snippet declares a resource block of type oci_core_vcn. The label that
Terraform uses for this resource is example_vcn.

c. In the terminal within code editor, run the below command,


an
(ri

$ terraform plan
E
AN

The plan shows that Terraform would create a VCN. Because most of the parameters are unspecified, Terraform lists their values as “(known after apply).” You’ll see the compartment_id reflected in the plan.

Note: You can ignore the “-out option to save this plan” warning for this
lab.

Note that terraform plan parses your Terraform configuration and creates an
execution plan for the associated stack, while terraform apply applies the
execution plan to create (or modify) your resources.

d. In the vcn.tf file, add a display name and CIDR block to the code by uncommenting the lines highlighted using arrows (delete the # character at the start of each line).

Note that we want to set the cidr_blocks parameter, rather than cidr_block
(which is deprecated). The region code IAD is used below, for the US East (Ashburn)
region.

e. After uncommenting the code block, it’ll look like this.


f. Save the changes and run terraform plan again in the Code Editor terminal window.

$ terraform plan

You should see the display name IAD-DOP-LAB03-1-VCN-01 and CIDR block 10.0.0.0/16 reflected in Terraform’s plan.

g. Now add a subnet to this VCN by deleting the start and end delimiters for multiline comments /*..*/ from the given code block in the vcn.tf file as highlighted using arrows. Replace <your_assigned_compartment_ocid> with your assigned compartment OCID.


Note the line where you set the vcn_id. Here you reference the OCID of the previously declared VCN, using the name given to Terraform: example_vcn. This dependency makes Terraform provision the VCN and wait for OCI to return the OCID. After the OCID is returned, Terraform provisions the subnet.

After editing the code block, it will look like this,



h. Run terraform plan in the code editor window:


$ terraform plan

You will notice that Terraform has updated the plan to create the subnet IAD-DOP-LAB03-1-SNT-01.

Add Variables

1. Before moving on, there are a few ways to improve the existing code. Notice that the subnet
and VCN both need the compartment OCID. We can factor this out into a variable.

2. In the code editor window, review the variables.tf file in the cloned directory devops-
lab03-terraform.

variables.tf is the file where all variables are declared.

Notice the variable compartment_id of type string is declared.

3. Open the vcn.tf file in Code Editor and replace all instances of the compartment OCID with var.compartment_id as follows:

4. Save your changes in vcn.tf

5. If you were to run terraform plan or apply now, Terraform would see a variable and
provide you a prompt to input the compartment OCID. Instead, you’ll provide the variable
value in a dedicated file.

6. In the Code Editor, edit the file named terraform.tfvars available in the cloned directory devops-lab03-terraform.

Terraform will automatically load values provided in a file with this name. Add the value for
the compartment ID in this file.

Note: Replace <your_assigned_compartment_ocid> with the Compartment OCID you saved earlier.

After editing the code block, it will look like this,

Be sure to save the file.

7. Run terraform plan in the Code Editor window:


$ terraform plan

You’ll see the same output as before.
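
The files this section builds up, written out as an added example (it is not the lab's own listing). The subnet label example_subnet, the subnet CIDR 10.0.1.0/24, and the validation block are assumptions added here; the resource types, the example_vcn label, the display names, the VCN CIDR, and the variable name come from the steps above. It assumes the OCI provider configuration the lab already relies on.

```hcl
# variables.tf: the input is declared without a default, so Terraform must be
# given a value (from terraform.tfvars here) before it can plan.
variable "compartment_id" {
  type        = string
  description = "OCID of the compartment that will hold the VCN and subnet"

  # Added check (not in the lab): fail at plan time if the placeholder was
  # left in place or a non-compartment OCID was pasted.
  validation {
    condition     = can(regex("^ocid1\\.(compartment|tenancy)\\.", var.compartment_id))
    error_message = "The compartment_id value must be a compartment (or tenancy root) OCID."
  }
}

# terraform.tfvars is a separate file holding one assignment, shown here as a
# comment so this listing stays valid as a single .tf file:
#   compartment_id = "<your_assigned_compartment_ocid>"

# vcn.tf
resource "oci_core_vcn" "example_vcn" {
  compartment_id = var.compartment_id
  display_name   = "IAD-DOP-LAB03-1-VCN-01"
  cidr_blocks    = ["10.0.0.0/16"] # list form; cidr_block on the VCN is deprecated
}

resource "oci_core_subnet" "example_subnet" { # label is an assumption
  compartment_id = var.compartment_id
  # Referencing the VCN's id creates the implicit dependency: the subnet is
  # provisioned only after OCI returns the VCN OCID.
  vcn_id       = oci_core_vcn.example_vcn.id
  display_name = "IAD-DOP-LAB03-1-SNT-01"
  cidr_block   = "10.0.1.0/24" # assumed value; must sit inside the VCN range
}
```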



Provision the VCN



1. Run terraform apply in the Code Editor terminal window and confirm that you want to make the changes by entering yes at the prompt.

$ terraform apply

Note: On successful execution of the terraform apply command, you’ll see the following message:

Apply complete! Resources: 2 added, 0 changed, 0 destroyed.

2. Verify that the VCN was provisioned by navigating back to the OCI Console.

a. Open the navigation menu, click Networking, and then click Virtual Cloud Network.

b. Ensure you have selected your assigned compartment.

You should see your VCN. Click on your VCN IAD-DOP-LAB03-1-VCN-01 to see the
details. You should see its subnet IAD-DOP-LAB03-1-SNT-01 listed.

Terminate the VCN

1. Navigate back to the Code Editor terminal and run terraform destroy.

$ terraform destroy

2. Enter yes to confirm. You should see the VCN terminate. Refresh your browser if needed.

Note: On successful execution of the terraform destroy command, you’ll see the following message:

Destroy complete! Resources: 2 destroyed.

Create and Destroy a VCN Using Resource Manager

You can better manage the infrastructure provisioned through Terraform by migrating to
Resource Manager instead of running Terraform locally in Cloud Shell or Code Editor. In this
section, we will reuse the Terraform code but replace the CLI with Resource Manager.

Tasks

1. Create a folder terraform_vcn on your local machine. Download the vcn.tf, terraform.tfvars, and variables.tf files from Code Editor and move them to the terraform_vcn folder on your local machine.

To download from Code Editor, right-click the file name in the Explorer panel and select Download.

Create a Stack

1. Click the Navigation Menu in the upper-left corner and navigate to Developer Services. Under Resource Manager, click Stacks.

2. Click Create stack.


a. The first page of the form is for stack information.

1) For the origin of the Terraform configuration, keep My configuration selected.

2) Stack configuration: Upload the terraform_vcn folder present in your local machine.

3) Custom providers: Leave Use custom Terraform providers unchecked.

4) Name: IOD-DOP-LAB03-1-STK-01

5) Description: This stack is created for Lab03.

6) Ensure that your assigned compartment is selected.

7) Click Next.

b. The second page is for variables.

1) Because you uploaded a terraform.tfvars file, Resource Manager will auto-populate the variable for compartment OCID.

2) Click Next.

c. The third page is for review.

1) Keep Run apply deselected.

2) Click Create. This will take you to the stack’s details page.

Run a Plan Job

1. The stack itself is only a bookkeeping resource; no infrastructure is provisioned yet. From the stack’s page, click Plan. A form will pop up.

a. Name the job RM-Plan-01.

b. Click Plan again at the bottom to submit a job for Resource Manager to run terraform plan. This will take you to the job’s details page.

2. Wait for the job to complete, and then view the logs. They should match what you saw when you ran Terraform in Code Editor.

Run an Apply Job



1. Go back to the stack’s details page (use the breadcrumbs), and click Apply. A form will pop up.

a. Name the job RM-Apply-01.

b. Under Apply job plan resolution, select the plan job we ran, that is RM-Plan-01 (instead of “Automatically approve”). This makes it execute based on the previous plan, instead of running a new one.

c. Click Apply to submit a job for Resource Manager to run terraform apply. This will take you to the job’s details page.

2. Wait for the job to finish. View the logs and confirm that it was successful.

View the VCN



1. Navigate to VCNs in the Console through the navigation menu under Networking and
Virtual Cloud Networks.

2. You should see the VCN listed in the table with the name IAD-DOP-LAB03-1-VCN-01.
Click its name to go to its Details page.

3. You should see the subnet listed with the name IAD-DOP-LAB03-1-SNT-01.

Run a Destroy Job

1. Go back to the stack’s details page in Resource Manager.

2. Click Destroy. Click Destroy again on the menu that pops up.

3. Wait for the job to finish. View the logs to see that it was completed successfully.

4. Verify the termination of the VCN by navigating back to the OCI Console.

a. Open the navigation menu, click Networking, and then click Virtual Cloud Network.

b. Ensure you have selected your assigned compartment.

c. You will see that your VCN IAD-DOP-LAB03-1-VCN-01 has been deleted by the destroy job.

5. In the Console, open the navigation menu and click Developer Services. Under Resource Manager, select Stacks.

6. For the stack IOD-DOP-LAB03-1-STK-01, click the three dots on the right to open the Actions menu. Select Delete and then click Delete to confirm.

Congratulations! You’ve now created a Terraform configuration for a VCN, created and destroyed the VCN through Terraform running locally in Cloud Shell/Code Editor, and created and destroyed the VCN through managed Terraform in Resource Manager.

Purge Instructions

There is no purge instruction for this lab.

Lab 04-1

Configuration Management and Infrastructure as Code: Replicate an Existing Load Balancer Using Terraform Configuration Scripts and OCI Resource Manager

Estimated Time: 45 minutes

Get Started

Overview

Resource Manager’s resource discovery allows you to generate Terraform based on existing infrastructure. This allows use cases such as manually provisioning infrastructure during a development cycle, then moving to Terraform for a deployment cycle. It also enables use cases such as migrating environments between regions or replicating environments for different purposes (for example, development, QA, or production).

In this lab, you’ll first manually provision a Load Balancer, add backend servers to it, and verify if the webpage hosted on the backend servers is accessible using Load Balancer’s Public IP Address. Then, you’ll use Resource Manager to generate Terraform configuration for the Load Balancer. Finally, you’ll use that Terraform configuration to replicate the Load Balancer.

In this lab, you’ll:


a. Set up the lab environment.

b. Generate Terraform configuration using Resource Manager.

c. Edit the auto-generated Terraform configuration.

d. Provision infrastructure using the auto-generated Terraform configuration.

For more information on Terraform Provider, see the OCI Terraform Provider Documentation and for OCI Resource Manager, see the OCI Resource Manager Documentation.

Prerequisites

• You must have completed the Configuration Management and Infrastructure as Code:
Deploy a web app to multiple compute instances (Lab02-1) lab.

Assumptions

• You are signed in to your Oracle Cloud Infrastructure (OCI) account using your credentials.

• You have the following resources available in your assigned compartment:
− Virtual Cloud Network: IAD-DOP-LAB02-1-VCN-01
− Compute Instances: IAD-DOP-LAB02-1-VM-01 and IAD-DOP-LAB02-1-VM-02

• You are familiar with basic Linux commands.

• This lab assumes you’re working in the Ashburn region. The resource naming convention (iad) used in this lab is according to Ashburn.
If you’re working in a different region, change the resource names accordingly. For example, for Phoenix, use phx.

Set Up the Lab Environment

You will manually create a Load Balancer, add backend servers to it and verify if the webpage
hosted on the backend servers is accessible using Load Balancer’s Public IP Address.

Provision a Load Balancer

1. Open the navigation menu, click Networking, and then click Load Balancers.

2. Select your <assigned compartment> from List scope on the left menu.

3. Click Create Load Balancer. Select Load Balancer as the Load Balancer Type and then click Create Load Balancer towards the bottom of the window.

4. In the Add Details section:

a. Load Balancer Name: IAD-DOP-LAB04-1-LB-01

b. Choose Visibility type: Select Public.

c. Assign a public IP address: Select Ephemeral IP Address.

d. Under Bandwidth Shapes: Select Flexible shapes. Choose 10Mbps as both the minimum and maximum bandwidth.

e. Leave Enable IPv6 Address Assignment box deselected.

f. Under Choose Networking section:

1) Virtual cloud network in <assigned compartment>: Select your existing VCN, that is, IAD-DOP-LAB02-1-VCN-01.

2) Subnet in <assigned compartment>: Select your existing public subnet, that is, Public Subnet-IAD-DOP-LAB02-1-VCN-01 (regional).

3) Leave Use network security groups to control traffic box deselected.

g. Click Next.

5. In the Choose Backends section:

a. Specify a Load Balancing Policy: Select Weighted Round Robin.

b. Under Select Backend Servers, click Add Backends.

c. Select the servers created in the Configuration Management and Infrastructure as Code: Deploy a web app to multiple compute instances (Lab02-1) Lab as backends and click Add Selected Backends:
• IAD-DOP-LAB02-1-VM-01
• IAD-DOP-LAB02-1-VM-02

d. Specify Health Check Policy: Leave the values as default.

e. Leave Use SSL option deselected.

f. Click Next.

6. In the Configure Listener section:

a. Listener Name: IAD-DOP-LAB04-1-LST-01

b. Specify the type of traffic your listener handles: Select HTTP

c. Specify the port your listener monitors for ingress traffic: 80

d. Click Next.

7. In the Manage Logging section:

a. Disable Error Logs

b. Disable Access Logs

8. Click Submit.

9. Once the Load Balancer is in Active state, copy its Public IP Address.

Launch a Web browser, paste the copied IP address in the address bar and press Enter.

You will see a webpage that looks like this:

This verifies that the load balancer is routing traffic to the backend servers.

Generate Terraform Script with Resource Manager

You will create a stack in Resource Manager based on your assigned compartment. You’ll use
this stack to generate a Terraform configuration that describes the compartment's resources
(Load Balancer). Finally, you’ll update the Terraform file to use it to replicate the Load
Balancer.

Create a Stack from Existing Infrastructure

1. Open the navigation menu and click Developer Services. Under Resource Manager, click Stacks.

2. Select your <assigned compartment> from List scope on the left menu.

3. Click Create stack.

a. Under Choose the origin of the Terraform configuration, select Existing compartment.

b. In the Stack configuration section:

1) Select your <assigned compartment>

2) Select the region you are working in.

For example, us-ashburn-1.

3) Under Terraform provider services, click Selected option.

4) For Services, select load_balancer.

c. Make sure that the Use custom Terraform provider option under Custom providers is not selected.

d. Enter a name for the stack: IAD-DOP-LAB04-1-STK-01

e. Add a description: This stack is created from manual LB for Lab04.

f. Ensure that your <assigned compartment> is selected under Create in compartment.

g. Click Next to progress from Stack information to Configure variables. There will be no variables to configure.

h. Click Next to progress from Configure variables to Review. Confirm that the only service listed for Terraform provider services is load_balancer.

i. Click Create.

4. Wait for the stack to finish creating. It will query Load Balancer service in your assigned
compartment.

Download Terraform Configuration

1. You are on the Stack details page of your Stack IAD-DOP-LAB04-1-STK-01.

2. Under the Stack information tab, click the download link for the Terraform configuration to download the configuration on your local machine.

3. This will download a .ZIP file containing three files. Extract the .ZIP file.

Note: For Mac users, use the command-line utility. For example,
% unzip filename.zip -d terraform-lb

4. There will be three files in the extracted folder:

• load_balancer.tf
• provider.tf
• vars.tf

5. Open load_balancer.tf. Scroll through the code and identify different resource creation blocks.

The Load Balancer’s Terraform configuration should look like this:

resource oci_load_balancer_load_balancer export_IAD-DOP-LAB04-1-LB-01 {
  compartment_id = var.compartment_ocid
  defined_tags = {
    "Oracle-Tags.CreatedBy" = "prateek_devops"
    "Oracle-Tags.CreatedOn" = "2022-11-10T09:48:38.235Z"
  }
  display_name = "IAD-DOP-LAB04-1-LB-01"
  freeform_tags = {
  }
  ip_mode = "IPV4"
  is_private = "false"
  network_security_group_ids = [
  ]
  #reserved_ips = <<Optional value not found in discovery>>
  shape = "flexible"
  shape_details {
    maximum_bandwidth_in_mbps = "10"
    minimum_bandwidth_in_mbps = "10"
  }
  subnet_ids = [
    "ocid1.subnet.oc1.iad.aaaaaaaagzgdcge7ccqmjaiwyxxxxxxw65wmyy7lgr3sdfhjysmjmz4xxxxx",
  ]
}
...

Edit Auto-Generated Terraform Script

Before you can reupload the Terraform configuration generated by resource discovery, there
are a few fields that you need to edit.

Tasks

1. In the load_balancer.tf file, find the resource block of type oci_load_balancer_load_balancer.

2. Locate display_name and change its value to IAD-DOP-LAB04-1-LB-02. This is the name for the new load balancer to be provisioned.

The file should look like this:

3. Save the load_balancer.tf file.

Provision Infrastructure Based on the Auto-Generated Terraform Configuration

You will provision the Load Balancer from your Terraform configuration.

Create a New Stack from the Terraform configuration

1. Open the navigation menu and click Developer Services. Under Resource Manager, click Stacks.

2. Select your <assigned compartment> from List scope on the left menu.

3. Click Create stack.

a. Under Choose the origin of the Terraform configuration, select My configuration.

b. In the Stack configuration section, select Folder as the source, and upload the extracted folder containing vars.tf, provider.tf, and load_balancer.tf.

c. Make sure that the Use custom Terraform provider option under Custom providers is not selected.

d. Enter a name for the stack: IAD-DOP-LAB04-1-STK-02

e. Add a description: This stack will replicate an existing load balancer with backend sets for Lab04.

f. Ensure that your <assigned compartment> is selected under Create in compartment.

g. Click Next to progress from Stack information to Configure variables. Verify the values for the following auto-populated variables:

1) compartment_ocid: The OCID of your <assigned compartment>.

2) region: The region you’re working in. Here we have assumed us-ashburn-1.

h. Click Next to progress from Configure variables to Review. Check the Run apply box.

i. Click Create. This will take you to the stack’s details page.

4. After the Apply job finishes executing, open the navigation menu, click Networking, and then click Load Balancers.

5. You will notice a new load balancer has been provisioned by the name IAD-DOP-LAB04-1-LB-02.

6. Once the Load Balancer is in Active state, copy its Public IP Address.

Launch a Web browser, paste the copied IP address in the address bar and hit Enter.

You will see a webpage that looks like this:

Congratulations! You created a Load Balancer manually and added backend servers to it. You then created a Terraform configuration stack for this load balancer using Resource Manager. Further, you reused the Terraform configuration stack to replicate the existing Load Balancer.

Purge Instructions

Purge Instructions for Stacks

1. Open the navigation menu and click Developer Services. Under Resource Manager, click
Stacks to go to the list of available stacks.

2. Select your <assigned compartment> from List scope on the left menu.

3. Click the name of the first stack you created IAD-DOP-LAB04-1-STK-01 to go to its details page.

a. Click Destroy.

b. Wait for the destroy job to finish. Then click Stack details in the breadcrumbs menu to go back.

c. Click More actions, then click Delete stack. Click Delete to confirm. This will take you back to the list of available stacks.

d. Open the navigation menu, click Networking, and then click Load Balancers. You will notice that the Load Balancer IAD-DOP-LAB04-1-LB-01 has been terminated.

4. Click the name of the second stack you created IAD-DOP-LAB04-1-STK-02 to go to its details page.

a. Click Destroy.

b. Wait for the destroy job to finish. Then click Stack details in the breadcrumbs menu to go back.

c. Click More actions, then click Delete stack. Click Delete to confirm. This will take you back to the table of stacks.

d. Open the navigation menu, click Networking, and then click Load Balancers. You will notice that the Load Balancer IAD-DOP-LAB04-1-LB-02 has been terminated.

Purge Instructions for Compute Instances



1. Open the navigation menu and click Compute. Under Compute, click Instances.

2. Select your <assigned compartment> from the List scope on the left menu.

3. For each of the instances IAD-DOP-LAB02-1-VM-01 and IAD-DOP-LAB02-1-VM-02, click the three dots on the right to open the Actions menu.

4. Click Terminate and select Permanently delete the attached boot volume.

5. Click Terminate instance.

Purge Instructions for Virtual Cloud Network

1. Open the navigation menu, click Networking, and then click Virtual Cloud Networks.

2. Select your <assigned compartment> from List scope on the left menu.

3. From the list of VCNs, select IAD-DOP-LAB02-1-VCN-01.

4. Click Delete.

a. Keep Search compartments for resources associated with this VCN selected.

b. Select Specific Compartments.

c. Select your <assigned compartment>

d. Click Scan.

e. Once the scan completes, click Delete All to terminate the VCN and related resources.

Lab 05-1 Practices


Configuration Management and Infrastructure as Code: Create a Custom Stack to Deploy a HA Load Balanced Simple Web Application

Estimated time: 45 minutes

Get Started

Overview

The Oracle Cloud Infrastructure (OCI) Resource Manager is a fully managed service that lets you provision infrastructure resources on OCI using Terraform. You can bring in your Terraform template definition and easily create and manage your infrastructure resources. This allows you to automate provisioning and management of OCI resources such as Compute, Networking, Storage, IAM, and so on using infrastructure-as-code.

In this lab, you’ll:


• Generate SSH keys using Cloud Shell.
• Create custom Resource Manager stack.
• Plan and Apply jobs.
• Destroy job.

For more information on OCI Resource Manager, see the OCI Resource Manager Documentation.

Prerequisites

• You must have an Oracle Cloud Infrastructure account.


• Download the GitHub code (.zip) from the following link:
https://github.com/ou-developers/orm-lbcs-demo/archive/refs/heads/main.zip
• You have basic know-how of Linux commands.

Assumptions

You will replace the <userID> placeholder with your user ID.

Create SSH Keys Using Cloud Shell

Cloud Shell is a small virtual machine running a bash shell which you access from within the OCI Console. In addition to a preauthenticated OCI CLI (Command Line Interface) set to the Console tenancy home page region, Cloud Shell comes preinstalled with current versions of many useful tools and utilities such as Git, Java, Python, kubectl, terraform, Docker engine, and so on.

Task

1. Sign in to your Oracle Cloud Infrastructure (OCI) account.

2. Open Cloud Shell.

3. Once the Cloud Shell session is initiated, move to the .ssh directory.
$ cd ~/.ssh

4. Create new public and private keys.
$ ssh-keygen -b 2048 -o -t rsa -f key-lab05-<userID>

Where,
key-lab05-<userID> is the keyname. Replace <userID> with your user ID. You will use this keyname to connect to any compute instances you create.

For example,
$ ssh-keygen -b 2048 -o -t rsa -f key-lab05-user22

5. Press Enter twice on your keyboard to skip entering the passphrase.

Note: A passphrase is an additional layer of security. It protects your private key from being used by someone who doesn’t know the passphrase.

6. List the two key files (public and private key) that you just created.
$ ls

In the output, two files are listed, a private key: key-lab05-user22 and a public key: key-lab05-user22.pub. You will see these two files with your user ID in place of user22.

You must keep the private key safe and never share it with anyone.

7. Run the following command to view the contents of the public key:
$ cat key-lab05-<userID>.pub

For example,
$ cat key-lab05-user22.pub

You will see a random string like the one below as the output:

ssh-rsa
XXXXB3NzaC1yc2EAAAADAQABAAABAQCdQ9+4JM9GxCWPIDGFjO1tk4jkumO2zbhA1Za
ePxEGKwSFDEw/De7HU6wRh+Jbutkw9tOzlUr8FgAGNRgyWgaHbj5YX0h+LXWlrIiTtB
FpZkMYlMwJUAFTmMwWy12rGYeUD/Ba+KVlEYaMT1XY0DCa+SFyq48uWQwgQns8654Uy
cwFzFsXvZvA1i48Mk63vuSTAw15vGLXXXXXX0jegHOhMGrNMRuE4eMKSECP+CDFFgKb
2oCzFz8KwywFuDciHAbMZru5qkiFGomeBvClDEU2BfMOV7k69kfivoxHHlnwxwgJulM
eXrMLsE1/osZcy5s2Eon3WmxJqo1wKYX5M5Z1 mahendra_E@3c15a0xxxxxx

8. Copy the contents of the public key and save it to your notepad. Later, when pasting the
key into the compute instance, make sure you remove any hard returns that may have
been added when copying.
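
The two cautions in this section (hard returns in the copied public key, and keeping the private key safe) can be checked mechanically. The shell functions below are an added example, not part of the lab guide; the function names and the sample key are constructed for illustration, and the sample is not a usable key.

```shell
#!/bin/sh
# Added example, not part of the lab guide. Function names and the sample
# key are constructed for illustration; the sample is not a usable key.
LC_ALL=C; export LC_ALL

# Re-join a public key that picked up hard returns when it was copied from
# the terminal, and print it as the single "type blob [comment]" line that a
# paste field or an authorized_keys file expects.
# Exit codes: 1 = too few fields, 2 = not an ssh-rsa key, 3 = blob length is
# not a multiple of 4 (truncated copy, or a comment made only of base64
# characters that could not be told apart from the blob).
normalize_rsa_pubkey() {
    tr -d '\r' | awk '
        { for (i = 1; i <= NF; i++) tok[++n] = $i }
        END {
            if (n < 2) exit 1
            b64 = "^[A-Za-z0-9+/=]+$"
            blob = ""; comment = ""
            for (i = 2; i <= n; i++) {
                # Pieces of the wrapped blob are pure base64; the first token
                # that is not starts the comment.
                if (comment == "" && tok[i] ~ b64) blob = blob tok[i]
                else comment = (comment == "" ? tok[i] : comment " " tok[i])
            }
            # Every ssh-rsa blob begins with the length-prefixed string
            # "ssh-rsa", which base64-encodes to this fixed prefix.
            if (tok[1] != "ssh-rsa" || index(blob, "AAAAB3NzaC1yc2E") != 1) exit 2
            if (length(blob) % 4 != 0) exit 3
            printf "%s %s%s\n", tok[1], blob, (comment == "" ? "" : " " comment)
        }'
}

# Succeed only if the file exists and grants nothing to group or other.
# ssh-keygen creates private keys this way, and ssh refuses to use a private
# key whose permissions are wider.
private_key_is_locked_down() {
    [ -f "$1" ] || return 1
    perms=$(ls -ld -- "$1" | awk '{print $1}')
    case $perms in
        -???------*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Constructed sample: one key as it might look after a wrapped copy/paste.
SAMPLE_WRAPPED_KEY='ssh-rsa
AAAAB3NzaC1yc2EAAAADAQABAAABAQCc
onstructedSAMPLEkeyMATERIAL0123+
abcdEFGH user22@cloudshell'

# Prints the key on one line, ready to paste.
printf '%s\n' "$SAMPLE_WRAPPED_KEY" | normalize_rsa_pubkey

# In Cloud Shell the permission check would be run against the lab key, e.g.:
#   private_key_is_locked_down ~/.ssh/key-lab05-user22 || chmod 600 ~/.ssh/key-lab05-user22
```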



Create Custom Resource Manager Stack

A Stack represents the definitions for a collection of OCI resources within a specific
compartment.

You’re going to configure a new stack in your assigned compartment and name it "HA Load
Balanced Simple Web App". As the stack's name suggests, the configuration files define a load
balancer, network, and compute resources to deploy the target architecture along with an HTTP
server.

Tasks

1. Download HA Load Balanced Simple Web App and save it to your local machine.

2. In the Console, open the navigation menu and click Developer Services. Under Resource
Manager, select Stacks.

3. Select your <assigned compartment> from List scope on the left menu.

4. Click Create Stack.

5. Select My Configuration. Under Stack configuration, select .Zip file.

6. Click Browse and select the orm-lbcs-demo-main.zip file from your local machine to
upload.

7. Make sure that the Use custom Terraform provider option under Custom providers is
not selected.

8. Under Working directory, enter the following details in the form:
• Name: IAD-DOP-LAB05-1-STK-01
• Description: Provisions a primary load balancer and a failover
load balancer into public subnets distributing load across 2
compute instances hosting a simple web app application.
• Create in Compartment: Select your <assigned compartment>.
• Terraform Version: Select 1.0.x

9. Click Next to configure variables for the infrastructure resources that this stack creates
when you run the apply job for this execution plan.

You will notice the variable values are auto-populated with the following details:

• Select a Flex Load Balancer with Minimum and Maximum Bandwidth: 10Mbps for
both minimum and maximum bandwidth
• Select Compute Shape: VM.Standard.A1.Flex
• Select Availability Domain: 1
• SSH Key Configuration: Select Paste ssh keys and paste the public key
key-lab05-<userID>.pub contents copied earlier in your notepad.
• Virtual Cloud Network Configuration:
− Enter your VCN Name: VCN01
− Enter your CIDR Block: 10.0.0.0/16
− Enter your Subnet Name: Subnet

10. Click Next. Verify your configuration variables.

11. Leave the Run apply deselected and click Create.

12. Review the newly configured stack details.




Plan & Apply Jobs

Jobs perform actions against the Terraform configuration files associated with a stack. You
can perform three actions: Plan, Apply and Destroy.

Since Terraform command execution is not atomic, it is crucial to prevent any race conditions
or state corruption from occurring due to parallel execution. To prevent this from happening,
the Resource Manager ensures only one job can run against a stack at a given time against a
single state file.

You can completely manage the stack's configuration (that is, update, delete, add tags, edit
variables), and download the zip archive containing the latest Terraform configuration from
the Stack details page.

Tasks

Run a Plan Job

1. The stack itself is only a bookkeeping resource; no infrastructure is provisioned yet. From
the stack’s page, click Plan. A form will pop up.

a. Name the job RM-Plan-01.

b. Click Plan again at the bottom to submit a job for Resource Manager to run
terraform plan. This will take you to the job’s details page.

2. Wait for the job to complete, and then view the logs. They should match what you saw when
you ran Terraform in Code Editor.

Run an Apply Job

1. Go back to the stack’s details page (use the breadcrumbs) and click Apply. A form will pop
up.

a. Name the job RM-Apply-01.

b. Under Apply job plan resolution, select the plan job we ran, that is RM-Plan-01
(instead of “Automatically approve”). This makes it execute based on the previous plan,
instead of running a new one.

c. Click Apply to submit a job for Resource Manager to run terraform apply. This will
take you to the job’s details page.

2. Wait for the job to finish. View the logs and confirm that it was successful.

Note: Once the window closes, notice the job's state appears as Accepted - which
indicates that the platform is spinning up resources needed for executing the command,
followed by In Progress and then finally either Succeeded or Failed.

3. Once the apply job succeeds, you can check that the resources have been
provisioned by reading the Terraform output contained within the logs.

View the Provisioned Resources

1. You can also view the provisioned resources by navigating to the services page.

a. Open the navigation menu. Under Compute, click Instances and select your
<assigned compartment> from List scope on the left menu.

You will see the two instances provisioned by the apply job with the names
IAD-DOP-LAB05-1-VM-01 and IAD-DOP-LAB05-1-VM-02.

b. Open the navigation menu. Under Networking, click Virtual Cloud Networks and
select your <assigned compartment> from List scope on the left menu.

You will see the VCN IAD-DOP-LAB05-1-VCN-01 provisioned by the apply job. Click
IAD-DOP-LAB05-1-VCN-01 to see resources created under this VCN.

c. Open the navigation menu. Under Networking, click Load Balancers and select your
<assigned compartment> from List scope on the left menu.

You will see the Load Balancer IAD-DOP-LAB05-1-LB-01 provisioned by the apply
job. The Health Status of the Load Balancer will need a few minutes to get into OK
status.

2. As the Load Balancer changes state to Active, copy its Public IP Address and paste it
into the address bar in a web browser.

You will reach the sample webpage. The webpage body displays the
private IP Address of the web server you are connected to. If you refresh the webpage a
few times, the web server IP changes, indicating that the Load Balancer is balancing the
traffic between the two web servers.

3. You can also see the Load Balancer in action using Cloud Shell. Run the following
command:
$ for counter in {1..10}; do curl http://<LBPublicIPAddress>/; done

Here, replace <LBPublicIPAddress> with the IP Address you copied in the previous
step, for example,
$ for counter in {1..10}; do curl http://129.X.X.47/; done

You will notice the curl requests are served alternately by two backend servers. Observe
the different private IPs of the web server the page is being fetched from.

4. Let’s test the SSH connection to the backend web servers using the private key
key-lab05-<userID> available in the Cloud Shell.

a. Open Cloud Shell and move to the ~/.ssh directory.
$ cd ~/.ssh

b. Run the following command to connect to the “IAD-DOP-LAB05-1-VM-01” compute
instance:
$ ssh -i key-lab05-<userID> opc@<InstancePublicIPAddress>

Where,
• -i is the flag used to specify the private key.
• key-lab05-<userID> is the private key file name.
• opc is the default username used to log in to Linux instances on OCI.
• Replace the <InstancePublicIPAddress> with the public IP of the
“IAD-DOP-LAB05-1-VM-01” from the Compute Instance page.

For example,
$ ssh -i key-lab05-user22 opc@140.x.10.x

When prompted, type ‘yes’ and you should be able to SSH into the
“IAD-DOP-LAB05-1-VM-01” compute instance.

c. To come out of the SSH session, type exit.
$ exit

You can repeat the above steps to test SSH connection for the “IAD-DOP-LAB05-1-VM-02”
compute instance.



Destroy Job

You have successfully applied the Resource Manager Stack configuration to provision OCI
resources. Let's now revisit the Stack details page and use the destroy job to tear it all down.

Tasks

1. In the Console, open the navigation menu and click Developer Services. Under Resource
Manager, select Stacks.

2. Select your <assigned compartment> from List scope on the left menu.

3. On the Stacks page, click the stack you created, IAD-DOP-LAB05-1-STK-01.

4. On the Stack details page, click Destroy to initiate a destroy job.

5. Provide job name as RM-Destroy-01. Click Destroy.

Note: Once the window closes, notice the job's state appears as Accepted - which
indicates that the platform is deleting resources needed for executing the command,
followed by In Progress and then finally either Succeeded or Failed.

6. Once the destroy job succeeds, you can verify the resources provisioned by the apply job
are deleted.

7. You can also check the resources are no longer available by navigating to the services
page.

a. Open the navigation menu. Under Compute, click Instances and select your
<assigned compartment> from List scope on the left menu.

You will see the two instances IAD-DOP-LAB05-1-VM-01 and IAD-DOP-LAB05-1-VM-02
have been terminated by the Destroy job.

b. Open the navigation menu. Under Networking, click Virtual Cloud Networks and
select your <assigned compartment> from List scope on the left menu.

You will see the VCN IAD-DOP-LAB05-1-VCN-01 has been deleted by the destroy
job.

c. Open the navigation menu. Under Networking, click Load Balancers and select your
<assigned compartment> from List scope on the left menu.

You will see the Load Balancer IAD-DOP-LAB05-1-LB-01 has been deleted by the
destroy job.

Congratulations! You have successfully provisioned a high availability load balanced sample
application using the Resource Manager Stack configuration and executed the destroy job to
terminate the OCI resources provisioned by the apply job.



Purge Instructions

Purge instructions for Resource Manager Stack

1. In the Console, open the navigation menu and click Developer Services. Under Resource
Manager, select Stacks.

2. For the stack IAD-DOP-LAB05-1-STK-01, click the three dots on the right to open the
Actions menu. Select Delete and then click Delete to confirm.

Microservice and Container Orchestration: Create Docker Image for a Web Application Using Dockerfile

Lab 06-1 Practices

Estimated Time: 30 minutes

Get Started

Overview

There are certain ways for creating, running, and deploying applications in containers using
Docker. A Docker image contains application code, libraries, tools, dependencies, and other files
needed to make that application run.

In this lab, you will create a Docker image using a Dockerfile, which will further be used to build a
container that can run on the Docker platform.

In this lab, you’ll:

a. Access the Dockerfile.
b. Build the Docker image.
c. Run your Docker image as a container.
d. Access the web application running within the container.
e. Delete the Docker container.

For more information on Docker, see the OCI Docker Documentation.

Assumptions

• You are signed in to your Oracle Cloud Infrastructure (OCI) account using your
credentials.
• You have access to the Git repository link that contains the Dockerfile.
• You will replace the <userID> placeholder with your user ID.


Access the Dockerfile

Access the Dockerfile needed to generate the Docker image by cloning a Git repository.

Tasks

1. Open Cloud Shell.

2. Within Cloud Shell, clone the GitHub repository to access the sample Dockerfile, which is a
simple Nginx HelloWorld application that you will use to build the Docker image.
$ cd ~
$ git clone https://github.com/ou-developers/docker-helloworld-demo

3. Navigate to the cloned directory.
$ cd docker-helloworld-demo/

4. Open Code Editor. Code Editor allows you to view the files and source code present in the
home directory within the Cloud Shell terminal.

The tool bar is on the left side of the Code Editor window. Click the Explorer (top) icon from
the left-side menu within the Code Editor window.

Browse to the cloned Git directory “docker-helloworld-demo” to view the various files
you have in the directory, including application code and the Dockerfile for creating the sample
Nginx application.


Build the Docker Image

You’re using Cloud Shell as your development environment which comes preinstalled with
Docker.

Tasks

1. Check the Docker version using the following command in Cloud Shell. It will return a string
with the Docker version installed.
$ docker -v

For example, Docker version 19.03.11-ol, build 9bb540d

2. Check for existing Docker images in the Cloud Shell.
$ docker images

It will return an empty response because there are no docker images at present.

3. Create a docker image for the sample Web Application using the docker build
command. This command needs Dockerfile as one of its parameters.
$ docker build -t oci_sample_webapp_<userID>:<tag> .

For example,
$ docker build -t oci_sample_webapp_user22:1.0 .

Where,
• -t is the switch used to specify the image name.
• Enter an image name using this format: oci_sample_webapp_<userID>.
Replace <userID> with your user ID.
For example, oci_sample_webapp_user22.
• A tag is used to give the image a version. In this lab, you will use 1.0 as tag.
• You are currently in the cloned directory which contains the Dockerfile. Use “.” as the
relative path at the end of the command.

4. Upon successful build of a Docker image, verify the image in the local repository using the
following command:
$ docker images

You’ll see two entries in the output. One is the base image “nginx”, and the other is the
custom Docker image for the Web Application “oci_sample_webapp_<userID>”.


Run Your Docker Image as a Container

Your Docker image holds the application that you want Docker to run as a container.

Tasks

1. Use the docker run command to spin up a container based on the image created.
$ docker run -d --name webapp-<userID> -p 80:80/tcp oci_sample_webapp_<userID>:<tag>

Where,
• -d flag is used to run the container in the background and print CONTAINER_ID.
• --name flag is used to assign a name to the container.
• -p flag is used to publish container port 80 to the host machine port 80.
• Replace <userID> with your user ID.

For example,
$ docker run -d --name webapp-user22 -p 80:80/tcp oci_sample_webapp_user22:1.0

Note: This command returns the CONTAINER_ID of the container started in the
background.

2. Check the container that is currently running using the docker ps command.
$ docker ps

You will see a container running with the name webapp-<userID> and a corresponding
CONTAINER_ID.


Access the Web Application Running Within the Container

Verify whether you can access the web application that is running in your container. Once you
have verified, stop the running container.

Tasks

1. Use the curl command to connect to the local host on port 80 to access the web
application.
$ curl -k http://127.0.0.1:80

The output must display the webpage code. This confirms that your web application is up
and running.

2. Get the CONTAINER_ID and copy it on a notepad to use it in your next step.
$ docker ps -a

3. Stop the running container.
$ docker stop <CONTAINER_ID>

For example,
$ docker stop ffab54628f8f

4. Use the curl command to connect to the localhost on port 80 to access the web application.
$ curl -k http://127.0.0.1:80

Output: curl: (7) Failed to connect to 127.0.0.1 port 80 after 0 ms: Connection refused

This time the output will return the above-mentioned error, because the container running the
application is no longer active.


Delete the Docker Container

Clean up your resources by removing the container used in this lab.

Tasks

1. Check the status of all the containers in the system.
$ docker ps -a

The status for the container must show exited which means the container is stopped.

2. Delete the existing container using the rm flag.
$ docker rm webapp-<userID>

For example,
$ docker rm webapp-user22

Output: webapp-user22

Note: On successful deletion it’ll return the container name.

3. Verify if the container is deleted.
$ docker ps -a

The container entry should be gone.

Important Note: Do not delete the Docker image created in this lab, because it will be used
as an artifact in the upcoming labs.

Congratulations! You have successfully built and containerized a docker image.


Microservices and Container Orchestration: Manage OCIR and Push and Pull Images Using Docker CLI

Lab 07-1 Practices

Estimated Time: 30 minutes

Get Started

Overview

The development to production workflow can be made simpler with the help of an Oracle-managed
registry. For developers, Container Registry makes it simple to store, share, and
manage container images (such as Docker images).

In this lab, you will create a Container Registry and will also perform some basic operations
such as pushing and pulling a Docker image.

In this lab, you’ll:

a. Create an Auth Token.
b. Create a new Container Repository.
c. Sign in to Oracle Cloud Infrastructure Registry (OCIR) from the Cloud Shell.
d. Tag the Docker image.
e. Push the tagged Docker image to OCIR Repository.
f. Verify if the image has been pushed.
g. Pull the image from OCIR Repository.

For more information on Oracle Cloud Infrastructure Registry (OCIR), see the OCI Container
Registry Documentation.

Prerequisites

• You must complete the following lab to use the same Docker image
“oci_sample_webapp_<userID>” to perform tasks for this practice:
− Microservice and Container Orchestration: Create Docker image for a web
application using Dockerfile (Lab06-1).

Assumptions

• You are signed in to your Oracle Cloud Infrastructure account using your credentials.
• You will replace the <userID> placeholder with your user ID.
• You will replace the <tenancy-namespace> and <username> values from the info
given in the Profile menu.

Create an Auth Token

Create an auth token to use with Oracle Cloud Infrastructure Registry (OCIR).

Tasks

1. In the top-right corner of the OCI Console, open the Profile menu, and then click User
Settings.

2. On the Auth Tokens page, click Generate Token.

Note: Each user can only have two auth tokens at a time.

3. Enter IAD-DOP-LAB07-1-AT-01 as a friendly description for the auth token.

4. Click Generate Token. The new auth token is displayed. Here’s a sample of what an auth
token looks like: R5kwpS-xxxxx((]51r]]. It’ll be different in your case.

Note: Copy the auth token to a notepad because you won't see the auth token again in
the Console. You’ll need this auth token later in this and other labs.

For example,
R5kwpS-xxxxx((]51r]]

5. Click Close.

Create a New Container Repository

Create an empty repository in a compartment and give it a name that's unique across all
compartments in the tenancy. Having created the new repository, you can push an image to
the repository using the Docker CLI.

Tasks

1. Check if you can access Oracle Cloud Infrastructure Registry (OCIR):

a. In the Console, open the navigation menu and click Developer Services. Under
Containers & Artifacts, click Container Registry.

b. Select your <assigned compartment> from List scope on the left menu.

c. Review the repositories that already exist. This lab assumes that no repositories have
been created yet.

2. Click Create Repository.

3. Select your <assigned compartment> to create a new repository.

4. Enter a name for the new repository:
<region-key>-dop-lab07-1-ocir-1/oci_sample_webapp_<userID>

Where,
• <region-key> is the key for the Oracle Cloud Infrastructure Registry region you're
using. For example, iad is the region key for US EAST (Ashburn) region. See the
Availability by Region topic in the Oracle Cloud Infrastructure documentation.
• Replace <userID> with your user ID.

For example, iad-dop-lab07-1-ocir-1/oci_sample_webapp_user22

5. Select the Private option to limit access to the new repository.

6. Click Create Repository.

Sign In to OCIR from the Cloud Shell

Once you have generated the auth token and created a new repository, sign in to Oracle Cloud
Infrastructure Registry (OCIR) from Docker CLI in the Cloud Shell.

Tasks

1. Open Cloud Shell.

Note: The OCI CLI running in the Cloud Shell will execute commands against the region
selected in the Console's region selection menu when the Cloud Shell was started.

2. In the Cloud Shell, log in to OCIR by entering:
$ docker login <region-key>.ocir.io

For example,
$ docker login iad.ocir.io

3. When prompted, enter your username in the format given below.
<tenancy-namespace>/<username>

Replace the <tenancy-namespace> and <username> values from the information
given in the Profile menu.

Here, <tenancy-namespace> is the auto-generated Object Storage namespace string of
the tenancy in which to create repositories (as shown on the Tenancy Information page).
For the username, use the username as shown in the Profile menu. For
example, ansh81vru1zp/mahendra@acme.com or outenancy29/99239886-lab.user16.

Note that for some older tenancies, the namespace string might be the same as the
tenancy name in all lower-case letters (for example, acme-dev).

If your tenancy is federated with Oracle Identity Cloud Service, use the format
<tenancy-namespace>/oracleidentitycloudservice/<username>.

Enter the auth token IAD-DOP-LAB07-1-AT-01 (random string) you copied earlier as the
password.

For example,
R5kwpS-xxxxx((]51r]]

Note: When you enter or paste the password, you’ll not see masked characters. Press
Enter on your keyboard to continue and you should see the “Login Succeeded”
message on the screen.

Tag the Docker Image
Unauthorized reproduction or distribution prohibited. Copyright© 2024, Oracle University and/or its affiliates.

A tag identifies the Oracle Cloud Infrastructure Registry (OCIR) region, tenancy, and repository
to which you want to push the image.

This task requires the Docker image oci_sample_webapp_<userID>:<tag>, which you


created earlier in the lab on Microservice and Container Orchestration: Create Docker image for

se
a web application using Dockerfile (Lab06-1).

en
lic
Tasks

bl e
ra
1. In the Cloud Shell, run the following command to attach a tag to the image that you're

sfe
going to push to OCIR repository:

an
$ docker tag oci_sample_webapp_user22:1.0
<region-key>.ocir.io/<tenancy-namespace>/<repo-name>:<tag>

Where,
• <region-key> is the key for the Oracle Cloud Infrastructure Registry region you're using. For example, iad is the region key for US EAST (Ashburn) region. See the Availability by Region topic in the Oracle Cloud Infrastructure documentation.
• ocir.io is the Oracle Cloud Infrastructure Registry name.
• <tenancy-namespace> is the auto-generated Object Storage namespace string of the tenancy (as shown on the Tenancy Information page) to which you want to push the image, for example, oracletenancy.
• <repo-name> is the name of the target repository to which you want to push the image (for example, iad-dop-lab07-1-ocir-1/oci_sample_webapp_user22).
• <tag> is an image tag you want to give the image in Oracle Cloud Infrastructure Registry (for example, latest).

For example,

$ docker tag oci_sample_webapp_user22:1.0 iad.ocir.io/oracletenancy/iad-dop-lab07-1-ocir-1/oci_sample_webapp_user22:latest

2. Verify that the new image with the tag is listed.

$ docker images

Note: Although two tagged images will be shown (1.0 and latest), both are based on
the same base image with the same IMAGE_ID.

Push the Tagged Docker Image to OCIR Repository

After assigning a tag to the image, you use the Docker CLI to push it to Oracle Cloud
Infrastructure Registry repository.

Tasks

1. In the Cloud Shell, run the following command to push the tagged Docker image to OCIR repository:

$ docker push <region-key>.ocir.io/<tenancy-namespace>/<repo-name>:<tag>

For example,

$ docker push iad.ocir.io/oracletenancy/iad-dop-lab07-1-ocir-1/oci_sample_webapp_user22:latest

You will see the layers of the image pushed in turn, followed by the sha256 digest and the size of the image printed on the screen.

Verify if the Image Has Been Pushed

Verify if the image has been pushed successfully to the OCIR repository.

Tasks

1. Go back to the OCIR Service page and select your <assigned compartment> from List scope on the left menu.

2. You’ll see the private repository iad-dop-lab07-1-ocir-1/oci_sample_webapp_<userID> that you created.

3. Click the name of the repository that contains the image you just pushed from the dropdown menu under label Repositories and images. You’ll see:

• An image with the tag latest.
• A summary page that shows you the details about the repository, including who created it and when, its size, and whether it's a public or a private repository.

4. Click the image tag latest from the dropdown menu.

On the Summary page, you’ll see the image size, when it was pushed and by which user, image sha256 digest, and the number of times the image has been pulled.

Pull the Image from OCIR Repository

Perform the pull operation after deleting the existing images from the local Docker repository. You will pull the same image that was previously pushed to the OCIR repository.

Tasks

1. Delete the existing images from the local docker repository.

a. In the Cloud Shell, list all the images.

$ docker images

b. Run docker rmi command to delete the tagged image and the original image you created earlier.

$ docker rmi oci_sample_webapp_user22:1.0

Output: Untagged: oci_sample_webapp_user22:1.0

$ docker rmi iad.ocir.io/oracletenancy/iad-dop-lab07-1-ocir-1/oci_sample_webapp_user22:latest

This command will first untag the image and delete the image by deleting all the associated layers.

2. Verify if the images are deleted.

$ docker images

3. Switch to the OCI Console. From the OCIR page, select the repository and the image tag that needs to be pulled.

4. Click the Actions menu on the image summary page and select Copy pull command from the drop-down list. The command you copy includes the fully qualified path to the image's location in Container Registry in the following format:

<region-key>.ocir.io/<tenancy-namespace>/<repo-name>:<tag>

5. Execute the copied command in the Cloud Shell to pull the image to the local repository.

For example,
$ docker pull iad.ocir.io/oracletenancy/iad-dop-lab07-1-ocir-1/oci_sample_webapp_user22:latest

6. Verify the pulled image from OCIR repository.

$ docker images

You should see the pulled image listed within the local repository.
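
The <region-key>.ocir.io/<tenancy-namespace>/<repo-name>:<tag> format used by the tag, push and pull commands can be checked before anything is pushed, and the sha256 digest reported on push can be used to refer to exactly that image instead of the movable latest tag. The following shell functions are an added example, not part of the lab guide; the function names are hypothetical and the name rules follow Docker's image reference grammar.

```shell
#!/bin/sh
# Added example: validate an OCIR image reference and build its
# digest-pinned form. Function names are hypothetical.

# One path component of an image name in Docker's reference grammar:
# lower-case alphanumerics separated by ".", "_", "__" or runs of "-".
COMPONENT='[a-z0-9]+((\.|_|__|-+)[a-z0-9]+)*'

# parse_ocir_ref REF
# Prints "<region-key> <tenancy-namespace> <repo-name> <tag>" and returns 0,
# or returns 1 if REF is not <region-key>.ocir.io/<namespace>/<repo>[:<tag>].
parse_ocir_ref() (
  ref=$1
  host=${ref%%/*}                          # text before the first "/"
  rest=${ref#*/}                           # text after the first "/"
  [ "$host" != "$ref" ] || exit 1          # no "/" at all
  case $host in
    *.ocir.io) region=${host%.ocir.io} ;;
    *) exit 1 ;;                           # not an OCIR registry host
  esac
  namespace=${rest%%/*}
  path=${rest#*/}
  [ "$namespace" != "$rest" ] || exit 1    # repository name missing
  case $path in
    *:*) tag=${path##*:}; repo=${path%:*} ;;
    *)   tag=latest; repo=$path ;;         # Docker assumes "latest" when no tag is given
  esac
  printf '%s\n' "$region" | grep -Eq '^[a-z0-9]+(-[a-z0-9]+)*$' || exit 1
  # Rejects upper case and unreplaced placeholders such as <userID>.
  printf '%s\n' "$namespace/$repo" | grep -Eq "^$COMPONENT(/$COMPONENT)*\$" || exit 1
  printf '%s\n' "$tag" | grep -Eq '^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$' || exit 1
  printf '%s %s %s %s\n' "$region" "$namespace" "$repo" "$tag"
)

# pin_to_digest REF DIGEST
# Replaces the tag in REF with DIGEST, the "sha256:..." value printed by
# docker push and shown on the image Summary page in the console.
pin_to_digest() (
  parse_ocir_ref "$1" >/dev/null || exit 1
  printf '%s\n' "$2" | grep -Eq '^sha256:[0-9a-f]{64}$' || exit 1
  printf '%s@%s\n' "${1%:*}" "$2"
)

# Usage:
#   ref=iad.ocir.io/oracletenancy/iad-dop-lab07-1-ocir-1/oci_sample_webapp_user22:latest
#   parse_ocir_ref "$ref" && docker push "$ref"
#   docker pull "$(pin_to_digest "$ref" "sha256:<64 hex digits from the push output>")"
```

A reference pinned with @sha256:... always resolves to the image that was pushed, even if latest is later moved to another image.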

Important Note: Do not delete any artifacts and resources created in this lab because they will be required in the upcoming labs.

Congratulations! You have successfully pushed and pulled an image from the OCIR repository.

Microservices and Orchestration: Set Up OKE Cluster Access

Lab 08-1 Practices

Estimated Time: 45 minutes

Get Started

Overview

A Kubernetes cluster is a group of nodes (machines running applications). Each node can be a
physical machine or a virtual machine.

You need to set up access to your Kubernetes cluster to deploy your application. The kubectl command-line client is a versatile way to interact with a Kubernetes cluster, including managing multiple clusters.

In this lab, you’ll:

a. Set up the kubeconfig file.
b. Run kubectl commands against Kubernetes cluster.

For more information on OCI Container Engine for Kubernetes (OKE), see the OCI Container Engine Documentation.

Assumptions

• You are signed in to your Oracle Cloud Infrastructure (OCI) account using your credentials.
• A pre-created OKE cluster <EventID>-OCI-ELS-DEVOPS-OKE is available in the root compartment. <EventID> can be fetched from the Lab tab available in the course page.
Example: If your User Name is 99241291-lab.user02, then EventID is 99241291. The pre-created OKE cluster will be named as 99241291-OU-DEVELOPER-OKE.
• You will replace the <userID> placeholder with your user ID.

Set Up the kubeconfig File

To access a cluster using kubectl, you must set up a Kubernetes configuration file
(commonly known as the kubeconfig file) for the cluster. The kubeconfig file provides the
necessary details to access the cluster.

Tasks

1. In the Console, open the navigation menu and click Developer Services. Under Containers and Artifacts, click Kubernetes Clusters (OKE).

2. Select root compartment from List Scope on the left menu.

In the table listing Clusters, click the cluster <EventID>-OCI-ELS-DEVOPS-OKE to access using kubectl. The Cluster details page shows information on the cluster.

Note: <EventID> can be fetched from the Lab tab available in the course page.

3. Click Access Cluster to display the Access Your Cluster window.

4. Click Cloud Shell Access and copy the command to access the kubeconfig for your cluster via the VCN-Native public endpoint and paste it on notepad.


5. Launch Cloud Shell and run the copied command. On successful execution, it will return a new config written to kubeconfig file.

For example,

$ oci ce cluster create-kubeconfig --cluster-id ocid1.cluster.oc1.iad.xxxxxaaaziwdigokvlwhuaeslgxi6tdk473xqgodcboc6nlgecsyudoxxxxx --file $HOME/.kube/config --region us-ashburn-1 --token-version 2.0.0 --kube-endpoint PUBLIC_ENDPOINT

Note: This is just a representation of the command. Do not use this command to connect with the cluster that’s created for this lab.


Run kubectl Commands Against Kubernetes Clusters

Having set up the kubeconfig file, you can start using kubectl to access the cluster by
creating a sample deployment in OKE cluster.

Tasks

1. Verify that kubectl can connect to the cluster.

$ kubectl get nodes

This will return the IP addresses of three worker nodes set up within this OKE cluster.

2. Create namespace in your Kubernetes cluster to manage your resources.

$ kubectl create ns ns-<userID>

Where,
• ns-<userID> - is a unique namespace for your group of resources within a cluster.
• Replace <userID> with your user ID.

For example,

$ kubectl create ns ns-user22

3. View the cluster information.

$ kubectl cluster-info

It dumps relevant information regarding clusters for debugging and diagnosis.


4. Create a sample deployment in OKE cluster.

$ kubectl create deployment deploy-<userID> --image=iad.ocir.io/ocuocictrng5/httpd:latest -n ns-<userID>

This command will return deployment.apps/deploy-<userID> created.

Where,
• kubectl create deployment - is used to create a pod with a single running container.
• deploy-<userID> - is a name for your deployment.
• image=iad.ocir.io/ocuocictrng5/httpd:latest
• -n ns-<userID> - is the namespace where your Kubernetes objects are created.

For example,

$ kubectl create deployment deploy-user22 --image=iad.ocir.io/ocuocictrng5/httpd:latest -n ns-user22

5. Expose your deployment using service of type load balancer by using the following command.

$ kubectl expose deployment deploy-<userID> --type=LoadBalancer --name=svc-<userID> --port=80 --target-port=80 -n ns-<userID>

Where,
• deploy-<userID> - is a name for your deployment.
• --type=LoadBalancer - exposes the service externally using an OCI load balancer.
• svc-<userID> - is the name for your service.
• --port=80 --target-port=80 - is used to expose the application running within the cluster on port 80.
• ns-<userID> - is the namespace where your Kubernetes objects are created.

For example,

$ kubectl expose deployment deploy-user22 --type=LoadBalancer --name=svc-user22 --port=80 --target-port=80 -n ns-user22

This command will return svc-<userID> exposed.


6. View all the deployments in your namespace.

$ kubectl get deploy -n ns-<userID>

The output of this command will be a row with the deployment name and the READY column set to 1/1. The AGE column shows how long ago the deployment was created.

7. View all the pods in your namespace.

$ kubectl get pods -n ns-<userID>

The output of this command will be a row with the pod name and the READY column set to 1/1. The AGE column shows how long ago the pod was created.

8. View all the services in your namespace.

$ kubectl get svc -n ns-<userID>

The output of this command is a row with service name and type set to Load Balancer. It shows you the details of CLUSTER-IP and EXTERNAL-IP.

9. Copy the IP address listed under the EXTERNAL-IP column and paste it in a browser to access your httpd application that is deployed within OKE cluster.

The webpage will display:
“It Works!”

10. Check the number of instances of pods running in your deployment.

$ kubectl get replicaset -n ns-<userID>

The output of this command should display the replicaset name. The DESIRED and CURRENT columns specify the number of replicas running. The AGE column shows how long ago the replica set was created.

11. Scale the deployment up to three replicas so that Kubernetes can start new pods to scale up your service.

$ kubectl scale --replicas=3 deployment/deploy-<userID> -n ns-<userID>

On successful execution, this command will return “deployment.apps/deploy-<userID> scaled”.

12. Check if you have three replicas running.

$ kubectl get replicaset -n ns-<userID>

This shows that the Load Balancer service will now balance the incoming requests among these three pods (replicaset).


13. View all the resources running in your namespace.

$ kubectl get all -n ns-<userID>

This command shows you all the pods, services, deployments, and replicaset running in your namespace within the OKE cluster.

Notice that the pod count has changed to three after the previous scale-up instruction.

14. View the pod logs. The kubectl logs command lets you inspect the logs for a particular pod.

$ kubectl logs <podname> -n ns-<userID>

Where,

<podname> - is the complete pod name to be used from the output of kubectl get all -n ns-<userID> command. For example, pod/deploy-user22-cd95b4455-f8plr.

15. Delete your deployment.

$ kubectl delete deploy deploy-<userID> -n ns-<userID>

On successful execution, this command will display “deployment.apps deploy-<userID> deleted”.

16. Delete your service object.

$ kubectl delete svc svc-<userID> -n ns-<userID>

On successful execution, this command will display “service svc-<userID> deleted”.

17. Run the following command and you’ll not find any resources in your namespace.

$ kubectl get all -n ns-<userID>

Output: No resources found in ns-<userID> namespace.

18. Because all the resources are deleted, if you go back to your browser and hit refresh on the IP address you pasted earlier, the page will no longer respond.

Important Note: Do not delete the namespace and entry created in the kubeconfig file in this lab, because they will be required in the upcoming labs.

Congratulations! You have successfully deployed a sample web application to the OKE cluster.

Purge Instructions

There are no purge instructions for this practice.

Microservice and Container Orchestration: Deploy a Sample Web Application on an OKE Cluster Using kubectl

Lab 09-1 Practices

Estimated Time: 45 minutes

Get Started

Overview

In this practice, you will create a named secret which contains your Oracle Cloud Infrastructure (OCI) credentials and add them to a deployment manifest. You will then use this manifest to deploy a sample Web application to an OKE cluster and later verify if the application is accessible.

In this lab, you will:

a. Create a Kubernetes (OKE) secret.
b. Add the secret and the image path to the deployment manifest.
c. Deploy the sample Web Application to OKE cluster.
d. Verify if the sample Web Application is accessible.
e. Clean up the resources deployed within OKE cluster.

For more information on OCI Container Engine for Kubernetes (OKE), see the OCI Container Engine Documentation.

Prerequisites

You will use the existing Docker image, OCIR repository, Auth token and Kubernetes namespace from the previous labs to perform tasks for this practice:
• Microservice and Container Orchestration: Create Docker image for a web application using Dockerfile (Lab06-1)
• Microservices and Container Orchestration: Create and work with OCIR repository (Lab07-1)
• Microservices and Container Orchestration: Set up cluster access (Lab08-1)

Assumptions

• You are signed into your Oracle Cloud Infrastructure (OCI) account using your credentials.
• A pre-created OKE cluster <EventID>-OCI-ELS-DEVOPS-OKE is available in the root compartment. <EventID> can be fetched from the Lab tab available in the course page.
Example: If your User Name is 99241291-lab.user02, then EventID is 99241291. The pre-created OKE cluster will be named as 99241291-OU-DEVELOPER-OKE.
• You will replace the <userID> placeholder with your user ID.

Create a Kubernetes (OKE) Secret

To enable Kubernetes to pull an image from OCIR repository when deploying an application,
you need to create a Kubernetes secret. The secret contains all the login details you would
provide while logging in to OCIR using the docker login command, including your auth
token.

Tasks

1. Open Cloud Shell.

2. Run the following command to create a secret:

$ kubectl create secret docker-registry <name-of-secret>-<userID> --docker-server=<region-key>.ocir.io --docker-username='<tenancy-name>/<oci-username>' --docker-password='<oci-auth-token>' --docker-email='<email-address>' -n ns-<userID>

Where,
• <name-of-secret>-<userID>: A unique name for the secret, for example, ocir-secret-user22. Replace <userID> with your user ID.
• <region-key>: The <region-key> is the key for the Oracle Cloud Infrastructure Registry region you're using; for example, iad is the region key for US EAST (Ashburn) region. See the Availability by Region topic in the Oracle Cloud Infrastructure documentation.
• ocir.io is the Oracle Cloud Infrastructure Registry name.
• <tenancy-namespace> is the auto-generated Object Storage namespace string of the tenancy (as shown on the Tenancy Information page) to which you want to push the image. For example, oracletenancy.
• <oci-auth-token>: Use the auth token (random string) created in the earlier lab for IAD-DOP-LAB07-1-AT-01, which was saved in your notepad.
For example, R5kwpS-xxxxx((]51r]].
Note: If you do not have an auth token, create a new one by referring to Microservices and Container Orchestration: Create and work with OCIR repository (Lab07-1).
• <email-address>: Your email address.

For example,

$ kubectl create secret docker-registry ocir-secret-user22 --docker-server=iad.ocir.io --docker-username='oracletenancy/user22' --docker-password='R5kwpS-xxxxx((]51r]]' --docker-email='user22@oracle.com' -n ns-user22

You will see this confirmation message “secret/ocir-secret-user22 created” for secret creation on the screen.

3. Run the following command to verify if the secret has been created:
$ kubectl get secrets -n ns-<userID>

For example,

$ kubectl get secrets -n ns-user22

You will see the secret details displayed with the name, age, and other attributes.
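
The kubectl create secret docker-registry command above carries the auth token in --docker-password, so the token ends up in the shell history and is visible in the process list while kubectl runs. The following is an added example, not part of the lab guide, that builds a secret of the same kubernetes.io/dockerconfigjson type and hands it to kubectl on standard input; the function names are hypothetical and the usage comment reuses the lab's sample names.

```shell
#!/bin/sh
# Added example: create the OCIR image pull secret without placing the auth
# token on a command line. Function names are hypothetical.

# json_escape STRING: escape backslashes and double quotes for a JSON string.
json_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# dockerconfigjson SERVER USERNAME TOKEN
# Prints the registry credential document that
# "kubectl create secret docker-registry" generates (without the e-mail field).
dockerconfigjson() (
  auth=$(printf '%s:%s' "$2" "$3" | base64 | tr -d '\n')
  printf '{"auths":{"%s":{"username":"%s","password":"%s","auth":"%s"}}}' \
    "$(json_escape "$1")" "$(json_escape "$2")" "$(json_escape "$3")" "$auth"
)

# pull_secret_manifest NAME NAMESPACE SERVER USERNAME TOKEN
# Prints a Secret manifest of type kubernetes.io/dockerconfigjson.
pull_secret_manifest() (
  cfg=$(dockerconfigjson "$3" "$4" "$5" | base64 | tr -d '\n')
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
  namespace: $2
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: $cfg
EOF
)

# create_pull_secret NAME NAMESPACE SERVER USERNAME
# Reads the token from the terminal with echo switched off and pipes the
# manifest to kubectl, so the token is never an argument of any process
# (printf is a shell builtin in bash and dash).
create_pull_secret() (
  trap 'stty echo' EXIT INT TERM
  printf 'Auth token: ' >&2
  stty -echo
  IFS= read -r token
  stty echo
  printf '\n' >&2
  pull_secret_manifest "$1" "$2" "$3" "$4" "$token" | kubectl apply -f -
)

# Usage, with the sample names from this lab:
#   create_pull_secret ocir-secret-user22 ns-user22 iad.ocir.io 'oracletenancy/user22'
```

The stored value is base64-encoded, not encrypted, at the API level: kubectl get secret -o yaml returns it to anyone with read access to secrets in the namespace.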

Add the Secret and the Image Path to the Deployment Manifest

After the secret is created, you are required to include the name of the secret (<name-of-secret>-<userID>) and the full path of the image (iad-dop-lab07-1-ocir-1/oci_sample_webapp_<userID>:latest) pushed to OCIR repository in the deployment manifest, which is used for deploying the sample web application to an OKE cluster.

Note: You pushed the image to OCIR repository in Microservices and Container Orchestration: Create and work with OCIR repository (Lab07-1). That’s the image you’ll be using in this task.

Tasks

1. Open Code Editor. Code Editor allows you to edit files and source codes present in the cloned Git directory within the Cloud Shell.

The Tool Bar is on the left side of the Code Editor window. Click the Explorer (top) icon from the left side menu within the code editor window.

a. Within the Code Editor window, navigate to the cloned Git directory named docker-helloworld-demo, which is present in the user’s home directory.

b. Browse to the file HelloWorld-lb.yaml in the cloned Git directory and replace the placeholders with relevant values in the Deployment section:


1) name: helloworld-deployment-<userID>

2) namespace: ns-<userID>

3) image: <region-key>.ocir.io/<tenancy-namespace>/<repo-name>:<tag>

Where,
• <region-key>: The <region-key> is the key for the Oracle Cloud Infrastructure Registry region you're using. For example, iad is the region key for US EAST (Ashburn) region. See the Availability by Region topic in the Oracle Cloud Infrastructure documentation.
• <tenancy-namespace>: The auto-generated Object Storage namespace string of the tenancy (as shown on the Tenancy Information page) to which you want to push the image. For example, oracletenancy.
• <repo-name>:<tag>: The repository name ‘iad-dop-lab07-1-ocir-1/oci_sample_webapp_<userID>:latest’ used to tag and push the image.

4) replace <secret-name> with ocir-secret-<userID>

a) name : ocir-secret-<userID>

c. Also, replace the placeholders in the Service section:

1) name: helloworld-service-<userID>

2) namespace: ns-<userID>

The file will look similar after you’ve made all the changes:


Click Save from the File menu and exit the Code Editor.
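
Leftover placeholders, a namespace that differs from the one holding the pull secret, or a mistyped secret name only show up after deployment as pods that cannot pull the image. The following check is an added example, not part of the lab guide: the function names are hypothetical, and sample_manifest is a constructed manifest containing the fields edited above (labels, container name and port are assumptions), not a copy of the lab's HelloWorld-lb.yaml.

```shell
#!/bin/sh
# Added example: pre-flight check of the edited deployment manifest.
# Function names are hypothetical; sample_manifest is constructed and is
# not the lab's HelloWorld-lb.yaml.

# sample_manifest USERID: a manifest with the fields the steps above edit.
sample_manifest() {
  cat <<EOF
apiVersion: apps/v1
kind: Deployment
metadata:
  name: helloworld-deployment-$1
  namespace: ns-$1
spec:
  replicas: 1
  selector:
    matchLabels:
      app: helloworld
  template:
    metadata:
      labels:
        app: helloworld
    spec:
      containers:
      - name: helloworld
        image: iad.ocir.io/oracletenancy/iad-dop-lab07-1-ocir-1/oci_sample_webapp_$1:latest
      imagePullSecrets:
      - name: ocir-secret-$1
---
apiVersion: v1
kind: Service
metadata:
  name: helloworld-service-$1
  namespace: ns-$1
spec:
  type: LoadBalancer
  selector:
    app: helloworld
  ports:
  - port: 80
EOF
}

# check_manifest FILE USERID
# Prints one line per problem and returns 1 if any were found.
check_manifest() (
  file=$1 user=$2 rc=0
  fail() { printf '%s\n' "$1"; rc=1; }

  # 1. No <placeholder> may survive the edit.
  left=$(grep -nE '<[A-Za-z-]+>' "$file" | head -n 1 || true)
  [ -z "$left" ] || fail "unreplaced placeholder at line $left"

  # 2. Every namespace: line must be ns-<userID>; the pull secret is only
  #    usable by pods in the namespace it was created in.
  bad=$(grep -E '^[[:space:]]*namespace:' "$file" |
        grep -vE "^[[:space:]]*namespace:[[:space:]]*ns-$user[[:space:]]*\$" || true)
  [ -z "$bad" ] || fail "namespace is not ns-$user"

  # 3. The image must be a tagged reference on an OCIR host.
  grep -Eq '^[[:space:]]*(- )?image:[[:space:]]*[a-z0-9-]+\.ocir\.io/[^[:space:]]+:[^[:space:]/]+$' "$file" ||
    fail "image is not a tagged <region-key>.ocir.io reference"

  # 4. imagePullSecrets must name the secret created earlier.
  secret=$(awk '/^ *imagePullSecrets:/ {f=1; next}
                f && /name:/ {print $NF; exit}' "$file")
  [ "$secret" = "ocir-secret-$user" ] ||
    fail "imagePullSecrets does not reference ocir-secret-$user"

  exit "$rc"
)

# Usage:
#   check_manifest ~/docker-helloworld-demo/HelloWorld-lb.yaml user22 &&
#     kubectl create -f ~/docker-helloworld-demo/HelloWorld-lb.yaml
```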

Deploy the Sample Web Application to OKE Cluster

After making changes to manifest, you are ready to deploy the application to the OKE cluster.

Tasks

1. Open Cloud Shell and change to the docker-helloworld-demo directory.

$ cd ~/docker-helloworld-demo

2. Run the following command:

$ kubectl create -f HelloWorld-lb.yaml

A confirmation of deployment and service creation will be displayed.

Note: The HelloWorld Service Load Balancer is implemented as an OCI Load Balancer with a backend set to route incoming traffic to the cluster nodes.

The OKE service creates new Load Balancer in the root compartment. You can see the new Load Balancer in the OCI Console by navigating to the Load Balancers page under Networking by selecting the root compartment from the List Scope menu from the left menu.

You will be working on a shared tenancy and might spot multiple entries. Choose the one that is created recently.

Make a note of overall health and public IP address for the Load Balancer.

Verify if the Sample Web Application Is Accessible

Your deployment should now be running on an OKE cluster node.

Tasks

1. Open Cloud Shell and run the command:

$ kubectl get services -n ns-<userID>

For example,

$ kubectl get services -n ns-user22

Note: The status of the EXTERNAL-IP column will show <pending> initially. Re-run the command at some interval until the IP is allotted.

You’ll observe details of the services running on cluster nodes. You’ll also observe HelloWorld-Service Load Balancer details such as External/Public IP and Port Number.

2. Launch an Internet Browser and enter the HelloWorld-Service Load Balancer’s External/Public IP into the browser’s address bar to access the deployed application. The load balancer routes the request to available nodes in the cluster.


In this lab, you’ll see one node as the replica count is set to 1 in the Kubernetes manifest.

Once the request reaches the node, you’ll see the following webpage:

Now comes the fun part! Let’s pretend your sample web application has suddenly gained popularity and you are now required to allocate more resources to it.

The OKE cluster is running on a single node pool with three worker nodes, thus you can easily scale your deployment.

a. To scale up twice as much and run an additional pod for your current single pod deployment, run the command:

$ kubectl -n ns-<userID> scale --replicas=2 deployment/<deploymentname>

For example,
$ kubectl -n ns-user22 scale --replicas=2 deployment/helloworld-deployment-user22

You will see a confirmation for deployment scaling on screen.

b. Further, to see pod and deployment details, run the command:

$ kubectl get all -n ns-<userID>

For example,

$ kubectl get all -n ns-user22

Here, you will observe an additional row for the new pod that has spawned. You can identify the new pod by comparing the Container ID or the value in Age column of the output.

Also, the Deployment row shows ‘2/2’ in the READY column, indicating the deployment is now hosted on two pods.

If you refresh the webpage a few times, you will observe the two Container IDs alternately serving your request. This is because the traffic can reach any of these pods via the OCI Load Balancer.


Clean Up the Resources Deployed Within OKE Cluster

Clean up the resources deployed within OKE cluster.

Tasks

1. To delete the sample web application and all other resources you created on the cluster, run the following command:

$ kubectl delete -f HelloWorld-lb.yaml -n ns-<userID>

For example,
$ kubectl delete -f HelloWorld-lb.yaml -n ns-user22

2. To confirm the resources are cleared, run the command:

$ kubectl get all -n ns-<userID>

For example,
$ kubectl get all -n ns-user22

You will observe that no resources are found in the namespace.

Important Note: Do not delete the namespace and entry created in the kubeconfig file in this lab, because they will be required in the upcoming labs.

Congratulations! You have successfully deployed a sample web application to the OKE cluster.

Continuous Integration and Continuous Delivery: Work with Code Repositories in OCI DevOps Project

Lab 10-1 Practices

Estimated Time: 45 minutes

Get Started

Overview

There are many ways you can work with Git in the DevOps service. You can use GitHub,
GitLab, or Bitbucket or create an OCI Code repository inside your project and upload artifacts.

In this lab, you’ll create a sample repository and integrate your GitHub repository with OCI DevOps service. You’ll also learn to test and validate your integration.

In this lab, you’ll:

a. Create a Personal Access Token in GitHub.
b. Create a Key and Vaults secret in OCI.
c. Create a DevOps project.
d. Create an External Connection.
e. Mirror your GitHub repository.
f. Create an OCI Code Repository in your DevOps project.
g. Clone OCI Code Repository in your Cloud shell session.
h. Perform basic Git operations on the Code Repository.

For more information on Code repositories in OCI DevOps project, see the OCI Code Repositories Documentation.

Prerequisites

• You need to have a GitHub account.

Assumptions
• A pre-created OCI Vault OCI-ELS-DEVOPS-VAULT-1 is available in the root compartment.
• This lab assumes you’re working in the Ashburn region. The resource naming convention (iad) used in this lab is according to Ashburn.
  If you’re working in a different region, change the resource names accordingly. For example, for Phoenix, use phx.
• You will replace the <userID> placeholder with your user ID.

Create a Personal Access Token in GitHub

You’ll learn to fork a GitHub repository and create a Personal access token in your GitHub
account.

Tasks

1. Sign in to your GitHub account and go to the https://github.com/ou-developers/docker-helloworld-demo repository.

2. In the top-right corner, click Fork and then click Create fork at the bottom of the Create a new fork page.
   Note: By default, forks use the same name as their upstream repository.

3. In your GitHub account, click your profile icon in the top-right corner, and then go to Settings.

4. Navigate to Developer settings and find Personal access tokens > Token (classic) on the left menu, and then click Generate new token > Generate new token (classic) for general use.

5. On the New personal access token (classic) page:
   a. Provide a name as OCI-DevOps-ELS-LAB in Note.
   b. Set the token Expiration to 30 days.
   c. In the Select scopes section, select repo (Full control of private repositories) as your scope.

6. Click Generate token and make a note of it in a notepad. You’ll need this token later when you create secrets. Here’s an example of what a token looks like:
   ghp_YnDABCDEPQRxzGZXXXXduoAZgrPemTj1xxXxx
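
Before the token is stored as a Vault secret, it is worth confirming that it carries only the repo scope and the 30-day expiry chosen in step 5. The following is an added example, not part of the lab guide: it reads the x-oauth-scopes and github-authentication-token-expiration response headers that GitHub returns for a classic token. The function names, the GITHUB_PAT variable, and the sample responses are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the lab guide. Function names and the GITHUB_PAT
# variable are assumptions. Live use from Cloud Shell (bash), keeping the
# token out of the shell history:
#   read -rs GITHUB_PAT
#   curl -sI -H "Authorization: token $GITHUB_PAT" https://api.github.com/user \
#     | check_pat_headers

MAX_DAYS=30            # step 5b: Expiration is set to 30 days
EXPECTED_SCOPES=repo   # step 5c: only the repo scope is selected

# header_value NAME: print the value of HTTP header NAME (case-insensitive)
# from the header block on stdin; prints nothing if the header is absent.
header_value() {
  awk -v name="$1" '
    BEGIN { FS = ":"; name = tolower(name) }
    tolower($1) == name {
      sub(/^[^:]*:[ \t]*/, "")   # strip "Name: "
      sub(/[ \t\r]+$/, "")       # strip trailing blanks and the CR of CRLF
      print
      exit
    }'
}

# days_until EXPIRY NOW_EPOCH: whole days from NOW_EPOCH until EXPIRY.
# Uses GNU date; returns 1 if EXPIRY cannot be parsed.
days_until() {
  local exp_epoch
  exp_epoch=$(date -u -d "$1" +%s 2>/dev/null) || return 1
  echo $(( (exp_epoch - $2) / 86400 ))
}

# check_pat_headers [NOW_EPOCH]: read response headers on stdin.
# Returns 0 when the token has exactly the expected scope and expires within
# MAX_DAYS; returns 1 and prints the reason otherwise.
check_pat_headers() {
  local headers scopes expiry days now rc
  now=${1:-$(date +%s)}
  rc=0
  headers=$(cat)
  scopes=$(printf '%s\n' "$headers" | header_value x-oauth-scopes | tr -d ' ')
  expiry=$(printf '%s\n' "$headers" | header_value github-authentication-token-expiration)

  if [ "$scopes" != "$EXPECTED_SCOPES" ]; then
    echo "FAIL scopes: expected '$EXPECTED_SCOPES', got '${scopes:-none}'"
    rc=1
  fi
  if [ -z "$expiry" ]; then
    # GitHub omits the expiration header for tokens that never expire.
    echo "FAIL expiry: token has no expiration date"
    rc=1
  elif days=$(days_until "$expiry" "$now"); then
    if [ "$days" -gt "$MAX_DAYS" ]; then
      echo "FAIL expiry: $days days left, more than $MAX_DAYS"
      rc=1
    fi
  else
    echo "WARN expiry: could not parse '$expiry'"
  fi
  return "$rc"
}

# Constructed sample responses (not captured from a real account).
sample_ok() {
  printf 'HTTP/2 200\r\nx-oauth-scopes: repo\r\ngithub-authentication-token-expiration: 2024-07-01 10:00:00 UTC\r\n\r\n'
}
sample_overscoped_no_expiry() {
  printf 'HTTP/2 200\r\nX-OAuth-Scopes: repo, workflow, admin:org\r\n\r\n'
}
```
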


Create Keys and Vault Secrets

You’ll use an existing Vault that is available in the root compartment to create keys and secrets
required to connect to an external repository.

Tasks

1. Sign in to your Oracle Cloud Infrastructure (OCI) account.

2. Open the navigation menu. Click Identity & Security and then select Vault.

3. Select root compartment from List Scope on the left menu.

4. From the list of available vaults, click OCI-ELS-DEVOPS-VAULT-1.

5. On the vault Details page, click Create Key to create a Master Encryption key.

6. Enter the following values for your key:
   • Create in Compartment: Select your <assigned compartment>.
   • Protection Mode: HSM
   • Name: iad-dop-lab10-1-vk-01
   • Leave everything else to default values and click Create Key. It will take about a minute to create the master encryption key. The keys will go through the Creating state to the Active state.

7. On the Vault details page, select your <assigned compartment> from List scope on the left menu. You’ll see the key “iad-dop-lab10-1-vk-01” that you created, which is in Enabled state.

8. Now, in the Resources section on the left menu of the Vault details page, click Secrets.

9. Click Create secret and enter the following values for your secret:
   • Compartment: Select your <assigned compartment>.
   • Name: iad-dop-lab10-1-vs-01-<userID>
     For example, iad-dop-lab10-1-vs-01-user22.
   • Description: Secret to pull GitHub repositories.
   • Encryption Key: iad-dop-lab10-1-vk-01
   • Secret Type Template: Plain-Text
   • Secret Contents: Add the personal access token you created in your GitHub account and copied into a notepad in the previous task.
     For example, ghp_YnDABCDEPQRxzGZXXXXduoAZgrPemTj1xxXxx
   • Click the Create Secret button at the bottom to create the secret. It will take a few minutes to create the Vault Secret. The secret will go through the Creating state to the Enabled state.


Create a DevOps Project

You’ll create a topic and DevOps project.

Tasks

1. In the Console, open the navigation menu and click Developer Services. Under Application Integration, click Notifications.

2. Select your <assigned compartment> from List scope on the left menu. The page gets updated to display only the resources in that compartment.

3. Click Topics under the notification in the left menu. You need this topic when you create your DevOps project. This topic will help you to send messages to its subscriptions.

4. Click Create Topic at the top of the topic list.

5. In the Create Topic page, configure your topic and click Create.
   • Name: iad-dop-lab10-1-nt-01-<userID>. It must be unique across the tenancy; validation is case-sensitive.
   • Description: This topic is for my DevOps lab.

6. Open the navigation menu and click Developer Services. Under DevOps, click Projects.

7. On the DevOps Projects page, select your <assigned compartment> from List scope on the left menu.

8. Click Create devops project.
   • Name: IAD-DOP-LAB10-1-DP-01-<userID>
   • Description: This project is for working with OCI DevOps CI/CD.
   • To set up project notifications, click Select Topic.
     − In the Select topic window, select the option “Select topic by name”.
     − In the compartment field, select your <assigned compartment>.
     − In the Topic field, select the topic that you created earlier, iad-dop-lab10-1-nt-01-<userID>.
       For example, iad-dop-lab10-1-nt-01-user22. Project notifications keep you informed of important events and the latest project status.
     − Click Select Topic at the bottom.
   • Click Create devops project.

9. You can use the OCI logging service to record the output the pipeline generates when it runs. This will mean that the build logs are available for use in other tooling. On the page of your newly created project, click Enable Log, which takes you to the log management page.

   In the Logs table, toggle to enable the log. This opens the Enable Log window. Leave all the options as default and click Enable Log at the bottom. The logs will go through the Creating state to the Active state. You have successfully created a DevOps project.


Create an External Connection

You’ll create a connection to external repositories, such as GitHub.

Tasks

1. Open the navigation menu and click Developer Services. Under DevOps, click Projects.

2. Select the project IAD-DOP-LAB10-1-DP-01-<userID> and go to External Connections on the left menu.

3. Click Create external connection. Create an external connection by entering these values.
   • Name: IAD-DOP-LAB10-1-EC-01
   • Description: Connecting to GitHub.
   • Select a type of external connection: GitHub
   • In the Vault Secret section, under Vault in <compartment_name>, click Change Compartment and select the root compartment.
   • Select the OCI-ELS-DEVOPS-VAULT-1 Vault from the drop-down list.
   • Under the Secret in <assigned compartment> field, select the secret value iad-dop-lab10-1-vs-01-<userID> within your compartment that contains your Personal access token (PAT) to connect to GitHub.

4. Click Create. The connection to the selected external repository is successfully created and active.

You can now mirror a code repository from GitHub.


Mirror Your GitHub Repository

You’ll learn to mirror repositories to and from external sources.

Tasks

1. Navigate to your DevOps project IAD-DOP-LAB10-1-DP-01-<userID> using the breadcrumb.

2. Click Code Repositories on the left menu of your project page.

3. Click Mirror Repository to mirror code repository from GitHub. Fill in the details as given below:
   • Connection: Select IAD-DOP-LAB10-1-EC-01 from the drop-down list. This is the external connection you created earlier.
   • Repository: Select the docker-helloworld-demo repository, which you forked earlier, from the drop-down list.
   • Mirroring Schedule: Select Custom from the drop-down list and set the minutes field to 1.
   • Name: IAD-DOP-LAB10-1-MR-01
   • Description: This is mirroring GitHub repository.
   • Click Mirror repository at the bottom.

   After a while, the mirrored repository will be available in OCI Code Repository.

4. Check if your files are getting updated from your Git Repository.
   a. Sign in to your GitHub account and navigate to the forked repository docker-helloworld-demo.
   b. Click Add File and select Create a New File. This opens a new file.
   c. Give a name to your file, for example, Mirror_test.txt.
      Add a line in the file: This is a test file to check if mirroring is happening in the OCI Code Repository.
   d. Scroll down the page and click Commit New File.
   e. Switch to the OCI Console and go to your Mirrored Code Repository (IAD-DOP-LAB10-1-MR-01). You’ll see a message “Mirroring is in Progress” at the top of the page.
   f. Click Files in the left menu. After one minute, scan through the files and check if Mirror_test.txt is present in that branch.

5. Clean up your mirrored repo.
   a. Click Code Repositories on the left menu of your project page and locate your mirrored repository IAD-DOP-LAB10-1-MR-01.
   b. Click the three dots on the right to open the Actions menu. Select Delete.
   c. Type the repository name in the provided field to confirm the Delete action and then click Delete.


Create an OCI Code Repository in Your DevOps Project

You’ll learn to create a code repository inside your DevOps project, which is very similar to
your Git repository.

Tasks

1. Navigate to your DevOps project IAD-DOP-LAB10-1-DP-01-<userID>.

2. Click Code Repositories on the left menu of your project page.

3. Click Create Repository. Enter the following details:
   • Repository name: IAD-DOP-LAB10-1-CR-01
   • Description: This code repository will be cloned with Git.
   • Default branch: main

4. Click Create Repository. An empty code repository is created with the main branch.

You can perform the following actions on the repository: access your files, access all the commits pertaining to the code repository you just created, compare file changes, perform branch actions as in GitHub, view Git tags, and monitor the status of all the operations.


Clone OCI Code Repository in Your Cloud Shell Session

You’ll clone the code repository to create a local copy on your cloud shell session, add or
remove files, commit changes, and work on different branches by using Git operations. You
can use two methods to clone: HTTPS and SSH keys. In this lab, you’ll use HTTPS.

Tasks

1. Navigate to your DevOps project IAD-DOP-LAB10-1-DP-01-<userID>.

2. Click Code Repositories on the left menu of your project page.

3. Click IAD-DOP-LAB10-1-CR-01 and click Clone in the Code Repository details page.

4. In the Clone window, to the right of the Clone with HTTPS field, click Copy to get the path to access the repository using Git. Save this information in a notepad.

5. Open Cloud Shell. In the Cloud Shell, navigate to the home directory and copy-paste the URL to clone the public repository.
   a. Go to home directory.
      $ cd ~
   b. Clone by copy-pasting the URL.
      $ git clone <paste the HTTPS URL copied in the Clone page.>
      Sample code:
      $ git clone https://devops.scmservice.us-ashburn-1.oci.oraclecloud.com/namespaces/oracletenancy/projects/IAD-DOP-LAB10-1-DP-01-<userID>/repositories/IAD-DOP-LAB10-1-CR-01
   c. You must provide your username: <tenancy-namespace>/<username>. For example, oracletenancy/user22.
   d. Your password is your auth token. When you enter or paste the password, you’ll not see masked characters. Press Enter on your keyboard to continue.
      Note: You need an Auth Token to clone the repository using HTTPS. Use the auth token created in the earlier lab (IAD-DOP-LAB07-1-AT-1) that is saved in your notepad. If you don’t have it, then create a new one by referring to the lab Microservices and Container Orchestration: Create and work with OCIR repository (Lab07-1).

6. Switch to your recently cloned directory and you’ll see that there are no files.
   $ cd ~/IAD-DOP-LAB10-1-CR-01
   $ ls

7. You can now add the files from your existing docker-helloworld-demo directory to the IAD-DOP-LAB10-1-CR-01 directory you just cloned.
   $ cd ~/docker-helloworld-demo
   $ cp * ~/IAD-DOP-LAB10-1-CR-01

8. Navigate to the cloned directory (IAD-DOP-LAB10-1-CR-01) in Cloud Shell. You should see all the files copied.
   $ cd ~/IAD-DOP-LAB10-1-CR-01
   $ ls

9. Now check the current configuration of Git in your IAD-DOP-LAB10-1-CR-01 directory with the following command:
   $ git remote -v
   Check if the configuration for the remote repository is pointing to your OCI Code Repository. For example,
   origin https://devops.scmservice.us-ashburn-1.oci.oraclecloud.com/namespaces/oracletenancy/projects/IAD-DOP-LAB10-1-DP-01-<userID>/repositories/IAD-DOP-LAB10-1-CR-01 (fetch)
   origin https://devops.scmservice.us-ashburn-1.oci.oraclecloud.com/namespaces/oracletenancy/projects/IAD-DOP-LAB10-1-DP-01-<userID>/repositories/IAD-DOP-LAB10-1-CR-01 (push)

10. Saving changes to your files does not automatically update the OCI Code Repository (IAD-DOP-LAB10-1-CR-01) within the DevOps Project (IAD-DOP-LAB10-1-DP-01-<userID>). All the changes you made in the files are updated only in your local repository. To update the changes to the main branch in OCI Code Repository within the DevOps Project, run the following commands:
   $ git add .
   $ git config --global user.email "enter your email"
   $ git config --global user.name "Your Name"
   $ git commit -m "first push into OCI Code Repository"
   $ git push -u -f origin main
   • When it prompts for your username: <tenancy-namespace>/<username>.
     Replace the <tenancy-namespace> and <username> values from the info given in the Profile menu.
     For example, oracletenancy/user22.
     Your password is the auth token created in the earlier lab (IAD-DOP-LAB07-1-AT-01) that you saved in your notepad.

11. In the OCI Console, go to your DevOps project and then to the IAD-DOP-LAB10-1-CR-01 code repository you created. Click Files in the left menu and notice all the files are available in the code repository.

The initial push of all your code for a sample Web Application has taken place into your OCI Code Repository. As you do further practices, you will make changes to the files in the local repository in the Cloud Shell and push them into your OCI Code Repository.
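
Steps 7 and 10 copy every file with cp * and stage everything with git add ., so a notes file holding the GitHub token would be pushed along with the code. The following is an added example, not part of the lab guide: it scans a directory, or the staged files, for classic GitHub tokens in the ghp_ format shown earlier. The function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the lab guide; function names are assumptions.
# Run from the cloned directory before "git add ." / "git push":
#   scan_tree .      # files on disk
#   scan_staged      # content staged for the next commit

# Classic GitHub personal access tokens: "ghp_" followed by 36 alphanumerics.
PAT_REGEX='ghp_[A-Za-z0-9]{36}'

# find_tokens LABEL: read text on stdin and print
# "LABEL:LINE: ghp_XXXX...[redacted]" for every token found. Only the first
# 8 characters are echoed so the scan output does not leak the secret.
# Returns 0 if a token was found, 1 otherwise (same convention as grep).
find_tokens() {
  local label hits
  label=$1
  hits=$(grep -nEo "$PAT_REGEX" | awk -F: -v label="$label" '
    # keep only "LINE:match" records; ignores notices such as binary-file hits
    $1 ~ /^[0-9]+$/ && $2 ~ /^ghp_/ {
      printf "%s:%s: %s...[redacted]\n", label, $1, substr($2, 1, 8)
    }')
  [ -n "$hits" ] || return 1
  printf '%s\n' "$hits"
}

# scan_tree DIR: scan regular files under DIR, skipping the .git directory.
# Returns 0 when clean, 1 when at least one token was found.
# File names containing newlines are not supported.
scan_tree() {
  find "$1" -type f ! -path '*/.git/*' | {
    found=0
    while IFS= read -r path; do
      if find_tokens "$path" < "$path"; then found=1; fi
    done
    [ "$found" -eq 0 ]
  }
}

# scan_staged: same check on the staged version of each added, copied or
# modified file, i.e. exactly what the next commit would contain.
scan_staged() {
  git diff --cached --name-only --diff-filter=ACM | {
    found=0
    while IFS= read -r path; do
      if git show ":$path" | find_tokens "$path"; then found=1; fi
    done
    [ "$found" -eq 0 ]
  }
}

# make_sample_tree: build a constructed working directory (not real data) with
# one clean file and one notes file holding a made-up token; prints its path.
make_sample_tree() {
  local dir
  dir=$(mktemp -d)
  printf '<h1>Hello</h1>\n' > "$dir/index.html"
  printf 'GitHub token for the lab:\nghp_%s\n' \
    'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789' > "$dir/notes.txt"
  echo "$dir"
}
```

Both scan functions return non-zero when a token is found, so `scan_staged || echo "remove the token before committing"` can gate the commit in step 10.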


Perform Basic Git Operations on the Code Repository

Learn to run some basic Git operations.

Tasks

1. In the Cloud Shell, go to the IAD-DOP-LAB10-1-CR-01 directory.
   $ cd ~/IAD-DOP-LAB10-1-CR-01

2. Create a new branch in the local repository.
   $ git branch new_branch

3. Move to the newly created branch.
   $ git checkout new_branch

4. Create a sample file in the new branch.
   $ echo "OCI_GIT_TEST" >> test1.txt

5. Use the ls command to verify the new file is now present in the directory.
   $ ls
   The test1.txt file must be present in the directory.

6. Now add the file to the git repository for commit.
   $ git add test1.txt
   This adds the file test1.txt to the local repository and stages it for commit.

7. Before you commit, check what files are staged.
   $ git status
   This lists all new or modified files to be committed.

8. Commit the changes you made to your Git Repository.
   $ git commit -m "second commit- added file test1.txt in new_branch"

9. Push the newly created branch to OCI Code Repository.
   $ git push -u origin new_branch
   • When it prompts for your username: <tenancy-namespace>/<username>.
     Replace the <tenancy-namespace> and <username> values from the info given in the Profile menu.
     For example, oracletenancy/user22.
     Your password is the auth token created in the earlier lab (IAD-DOP-LAB07-1-AT-01) that you saved in your notepad.

10. In the Console, navigate to the code repository IAD-DOP-LAB10-1-CR-01 within your DevOps project.

11. Select Files in the left menu and click the drop-down list to select a branch. You should see new_branch. Select the newly created branch, scan through the files, and check if test1.txt is present in that branch.

Important Note: Do not delete any artifacts and resources created in this lab because they will be required in the upcoming labs.

Congratulations! In this lab, you've learned to create a project, mirror a repository, and clone the code repository to create a local copy.



Continuous Integration and Continuous Delivery: Create an Artifact Registry and Set Up Artifacts and Environments in a DevOps Project

Lab 11-1 Practices

Estimated Time: 30 minutes

Get Started

Overview

Oracle Cloud Infrastructure (OCI) Artifact Registry is a repository service for storing, sharing,
and managing software development packages.

In this lab, you will:

a. Create a repository to store and manage artifacts.
b. Add a Container Image Repository artifact to store your Docker images.
c. Create a reference to Kubernetes manifest.
d. Create a DevOps environment.

For more information on OCI Artifact Registry, see the OCI Artifact Registry Documentation.

For more information on setting up artifacts and environments in a DevOps project, see the OCI Environments Documentation and OCI Artifacts Documentation.

Prerequisites

• You must complete the Continuous Integration and Continuous Delivery: Work with
code repositories in OCI DevOps project (Lab10-1) to perform tasks for this practice.

Assumptions

• You are signed in to your Oracle Cloud Infrastructure (OCI) account using your credentials.
• A pre-created OKE cluster <EventID>-OCI-ELS-DEVOPS-OKE is available in the root compartment. <EventID> can be fetched from the Lab tab available in the course page.
• This lab assumes you’re working in the Ashburn region. The resource naming convention (iad) used in this lab is according to Ashburn.
  If you’re working in a different region, change the resource names accordingly. For example, for Phoenix, use phx.
• You will replace the <userID> placeholder with your user ID.

Create a Repository to Store and Manage Artifacts

An artifact is a software package, library, or a zip file used for deploying your applications.
These artifacts are grouped into repositories, which are collections of related artifacts.

In this lab, you will create an Artifact Registry Repository to store your Kubernetes manifest.

Tasks

1. In the Console, open the navigation menu and click Developer Services. Under Containers & Artifacts, click Artifact Registry.

2. Select your <assigned compartment> from List scope on the left menu.

3. Click Create repository and fill in the following values in the form:
   a. Name: IAD-DOP-LAB11-1-AR-01
   b. Compartment: Select your <assigned compartment>.
   c. Select Immutable artifacts. Your new repository will make its artifacts immutable.
   d. Click Create.

The IAD-DOP-LAB11-1-AR-01 repository is created and available.

Add Container Image Repository Artifact to Store Docker Images
Artifacts are used to specify software package versions for deployment. DevOps artifacts can be of the following types:
• Container image repository
• Instance group deployment configuration
• Kubernetes manifest
• General artifact
• Helm Chart

You will add a container image repository artifact to store your Docker images.

Tasks

1. Open the navigation menu and click Developer Services. Under DevOps, click Projects.

2. Select your <assigned compartment> from List scope on the left menu.

3. Open the DevOps project IAD-DOP-LAB10-1-DP-01-<userID> created in Continuous Integration and Continuous Delivery: Work with code repositories in OCI DevOps project (Lab10-1).

4. Click Artifacts from the left menu to navigate to the artifacts page.

5. Click Add artifact to create an artifact and fill in the form with the following values:
   a. Name: IAD-DOP-LAB11-1-AF-01
   b. Type: Select Container image repository from the list of options.
   c. Fully qualified path to the image in Container Registry:
      <region-key>.ocir.io/<tenancy-namespace>/<repo-name>:<tag>
      For example,
      iad.ocir.io/oracletenancy/iad-dop-lab07-1-ocir-1/oci_sample_webapp_<userID>:${BUILDRUN_HASH}

      Replace <tenancy-namespace> with your tenancy name, <userID> with your user ID, and <region-key> with the key for the Oracle Cloud Infrastructure Registry region you're using. For example, iad is the region key for US EAST (Ashburn) region. See the Availability by Region topic in the Oracle Cloud Infrastructure documentation.

      Ensure that you append ${BUILDRUN_HASH} in the fully qualified image URL as the tag. This dynamically updates the version of the pushed docker image.
   d. Select Allow parameterization and click Add.
Create a Reference to Kubernetes Manifest

You will now create a DevOps artifact of type Kubernetes manifest.

Tasks

1. Open the DevOps project IAD-DOP-LAB10-1-DP-01-<userID>.

2. Click Artifacts from the left menu to navigate to the artifacts page.

3. Click Add artifact to create an artifact and fill in the form with the following values:
   a. Name: IAD-DOP-LAB11-1-AF-02
   b. Type: Select Kubernetes Manifest from the list of options.
   c. Artifact Source: Select Artifact Registry repository.
   d. Artifact Registry repository: Click Select and select your artifact registry IAD-DOP-LAB11-1-AR-01 created earlier.
   e. Artifact Location: Select Set Custom Location.
      1) Artifact Path: lab11-1-<userID>-oke-manifest
         For example,
         lab11-1-user22-oke-manifest
      2) Version: ${BUILDRUN_HASH}
   f. Select Allow parameterization and click Add.

You will now see both the artifacts IAD-DOP-LAB11-1-AF-01 and IAD-DOP-LAB11-1-AF-02 listed in the artifacts page in your DevOps project IAD-DOP-LAB10-1-DP-01-<userID>.
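
Both artifacts above depend on a parameterized version: the image path of IAD-DOP-LAB11-1-AF-01 ends in the ${BUILDRUN_HASH} tag, and IAD-DOP-LAB11-1-AF-02 uses it as the manifest version. The following is an added example, not part of the lab guide: it parses the <region-key>.ocir.io/<tenancy-namespace>/<repo-name>:<tag> format and flags a path whose tag is fixed instead of a placeholder. The function names and the hash value a1b2c3d used in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not part of the lab guide; function names are assumptions.
# Usage:
#   check_image_artifact 'iad.ocir.io/<tenancy-namespace>/<repo-name>:${BUILDRUN_HASH}'
#   render_ref 'iad.ocir.io/<tenancy-namespace>/<repo-name>:${BUILDRUN_HASH}' a1b2c3d

# parse_ocir_ref REF: split
#   <region-key>.ocir.io/<tenancy-namespace>/<repo-name>:<tag>
# and print "region_key namespace repo tag". The repo name may itself contain
# slashes, as in the lab's example. Returns 1 if REF does not have that shape.
parse_ocir_ref() {
  local ref host rest ns repo_tag repo tag
  ref=$1
  case $ref in */*/*:*) ;; *) return 1 ;; esac    # host/namespace/repo:tag
  host=${ref%%/*}
  rest=${ref#*/}
  ns=${rest%%/*}
  repo_tag=${rest#*/}
  case $host in ?*.ocir.io) ;; *) return 1 ;; esac
  case $repo_tag in *:*) ;; *) return 1 ;; esac   # the tag is mandatory
  repo=${repo_tag%:*}
  tag=${repo_tag##*:}
  [ -n "$ns" ] && [ -n "$repo" ] && [ -n "$tag" ] || return 1
  case $tag in */*) return 1 ;; esac
  printf '%s %s %s %s\n' "${host%.ocir.io}" "$ns" "$repo" "$tag"
}

# is_placeholder VALUE: succeed only if VALUE is a single ${NAME} placeholder,
# the form the lab uses for the image tag and for the manifest version.
is_placeholder() {
  printf '%s\n' "$1" | grep -Eq '^\$\{[A-Za-z_][A-Za-z0-9_]*\}$'
}

# check_image_artifact REF: returns 0 if REF is a well-formed OCIR path whose
# tag is a build parameter, 1 if it is malformed, 2 if the tag is fixed.
check_image_artifact() {
  local fields tag
  fields=$(parse_ocir_ref "$1") || { echo "malformed: $1"; return 1; }
  tag=${fields##* }
  if ! is_placeholder "$tag"; then
    echo "fixed tag '$tag': every build would push to the same image tag"
    return 2
  fi
  echo "ok: $fields"
}

# render_ref REF VALUE: show the image path once the placeholder tag is
# replaced by VALUE (whatever the build run supplies for the parameter).
render_ref() {
  parse_ocir_ref "$1" >/dev/null || return 1
  printf '%s:%s\n' "${1%:*}" "$2"
}
```
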
Create a DevOps Environment

An environment is the target platform for your application. You will now create an
Environment to point to your OKE cluster.

Tasks

1. Open the DevOps project IAD-DOP-LAB10-1-DP-01-<userID>.

2. Click Environments from the left menu to navigate to the environments page.

3. Click Create environment and select Oracle Kubernetes Engine as the Environment Type. Fill in the rest of the form with the following values:
   a. Name: IAD-DOP-LAB11-1-ENV-01
   b. Description: This environment is pointing to pre created OKE cluster.
   c. Click Next.
   d. Region: The region you are working in. This is populated by default.
   e. Compartment: Select the root compartment.
   f. Cluster: Select <EventID>-OCI-ELS-DEVOPS-OKE from the list.
      NOTE: <EventID> can be fetched from the Lab tab available in the course page.
   g. Click Create environment.

You will now see the environment IAD-DOP-LAB11-1-ENV-01 in active state, listed on the environment page in your DevOps project IAD-DOP-LAB10-1-DP-01-<userID>.

Important Note: Do not delete any artifacts and resources created in this lab because they will be required in the upcoming labs.

Congratulations! In this lab, you learned to create a repository to store, share, and manage your artifacts. You added a container image repository artifact to store your Docker images and created a reference to your manifest in the Artifact Registry repository.

Continuous Integration and Continuous Delivery: Automate Web App Deployment to an OKE Cluster Using OCI DevOps CI/CD Pipeline

Lab 12-1 Practices

Estimated Time: 120 minutes

Get Started

Overview

The Oracle Cloud Infrastructure (OCI) DevOps service is an end-to-end, continuous integration
and continuous delivery (CI/CD) platform for developers.

se
You can use OCI DevOps service to easily build, test, and deploy software and applications on

en
Oracle Cloud. The DevOps build and deployment pipelines reduce change-driven errors and

lic
decrease the time customers spend on building and deploying releases.

bl e
ra
sfe
an
-tr
. non
ide a
Gu as
is ) h
e om
us il.c
th
to gma
@
iss
r
.d
e
an
(ri

In this lab, you will:


a. Prepare the Kubernetes Deployment Manifest for automated deployment.

b. Create DevOps build pipeline and build stages.

c. Create DevOps deployment pipeline and deploy stage.

d. Create Trigger Deployment Stage in build pipeline.

e. Automate Sample Web Application deployment to OKE cluster.

f. View the artifacts generated as part of the automated build.

For more information on OCI DevOps project, see the OCI DevOps Documentation.

Prerequisites

• You are signed into your Oracle Cloud Infrastructure (OCI) account using your
credentials.
• You must complete the following labs before you perform tasks for this practice:
− Microservices and Container Orchestration: Create Docker image for a web
application using Dockerfile (Lab 06-1).
− Microservices and Container Orchestration: Create and work with OCIR repository
(Lab 07-1).
− Microservices and Orchestration: Set up cluster access (Lab 08-1).
− Microservice and Container Orchestration: Deploy a sample Web application on a
cluster using kubectl (Lab 09-1).
− Continuous Integration and Continuous Delivery: Work with code repositories in OCI
DevOps project (Lab10-1).
− Continuous Integration and Continuous Delivery: Create and set up artifacts and
environments in DevOps project (Lab11-1).

Assumptions
• A pre-created OKE cluster <EventID>-OCI-ELS-DEVOPS-OKE is available in the root
compartment. <EventID> can be fetched from the Lab tab available in the course
page.
Example: If your User Name is 99241291-lab.user02, then EventID is 99241291.
The pre-created OKE cluster will be named as 99241291-OU-DEVELOPER-OKE.
• You have an OCIR repository <region-key>-dop-lab07-1-ocir-1/oci_sample_webapp_<userID>
created in Microservice and Container Orchestration: Create and work with OCIR
repository (Lab 07-1) available.
• You have an auth token IAD-DOP-LAB07-1-AT-01 created in Microservice and
Container Orchestration: Create and work with OCIR repository (Lab 07-1) available.
• You have a namespace ns-<userID> created in Microservice and Container
Orchestration: Set up cluster access (Lab 08-1) available.
• You have the Kubernetes Secret ocir-secret-<userID> created in Microservice
and Container Orchestration: Deploy a sample Web application on a cluster using
kubectl (Lab 09-1) available.
You will replace the <tenancy-namespace> and <username> values from the info
given in the Profile menu.

Prepare the Kubernetes Deployment Manifest for Automated Deployment
The Manifest is a specification of a Kubernetes API object in JSON or YAML format. A manifest
specifies the desired state of an object that Kubernetes will maintain when you apply the
manifest.

In this lab, you will edit the Kubernetes Deployment Manifest HelloWorld-lb.yaml to
prepare for an automated deployment.

Tasks

1. Open Cloud Shell and go to the cloned OCI DevOps Code Repository created in lab10-1.
$ cd ~/IAD-DOP-LAB10-1-CR-01/

2. Make sure that you’re in the git main branch.
$ git checkout main

3. Open Code Editor. Code Editor allows you to edit files and source codes present in the
cloned Git directory within the cloud shell.

The Tool Bar is on the left side of the Code Editor window. Click the Explorer (top) icon
from the left-side menu within the Code Editor window.

a. From inside the Code Editor, navigate to the local code repository IAD-DOP-LAB10-1-CR-01,
which was cloned in the Continuous Integration and Continuous Delivery: Work
with Code Repositories in OCI DevOps Project (Lab 10-1).

b. Browse to the file HelloWorld-lb.yaml and replace the tag latest with
${BUILDRUN_HASH} in image name, as follows:

image: <region-key>.ocir.io/<tenancy-namespace>/<repo-name>:${BUILDRUN_HASH}

Where,

• <region-key>: <region-key> is the key for the Oracle Cloud Infrastructure
Registry region you're using, for example, iad is the region key for US EAST
(Ashburn) region. See the Availability by Region topic in the Oracle Cloud
Infrastructure documentation.
• <tenancy-namespace>: This is the auto-generated Object Storage namespace
string of the tenancy (as shown on the Tenancy Information page) to which you
want to push the image.
• <repo-name>: The repository name iad-dop-lab07-1-ocir-1/oci_sample_webapp_<userID>
used to tag and push the image
• ${BUILDRUN_HASH}: This dynamically updates the tag of a Docker image
pushed into OCIR to be used as a deployment artifact.

The file will look similar when you make the changes:

Note: user22 is a sample reference in the above code snippet. Instead, your files must
reflect your user ID.

4. Click Save from the File menu and exit the Code Editor.

5. Run the following commands to commit and push your changes to code repository
IAD-DOP-LAB10-1-CR-01 created in Continuous Integration and Continuous Delivery: Work
with code repositories in OCI DevOps project (Lab10-1).

a. Switch to the Cloud Shell and add the changes in the working directory to the staging
area:
$ git add .

b. Check the status of working directory and staging area:
$ git status
You will see the file HelloWorld-lb.yaml shown as modified and displayed in green
color.

c. Save the changes in the staging area with a relevant message:
$ git commit -m "HelloWorld-lb.yaml modified for Lab12"

d. Push the changes to the upstream code repository:
$ git push -u -f origin main

When prompted, enter your username <tenancy-namespace>/<username>. For
example, oracletenancy/user22.

Replace the <tenancy-namespace> and <username> values from the information
given in the Profile menu.

Enter the auth token IAD-DOP-LAB07-1-AT-01 (random string) you copied earlier as the
password.

For example,
R5kwpS-xxxxx((]51r]]

Note: When you enter or paste the password, you’ll not see masked characters. Press
Enter on your keyboard to continue and you should see the following message on the
screen.
Enumerating objects: 5, done.
Counting objects: 100% (5/5), done.
Delta compression using up to 2 threads
Compressing objects: 100% (3/3), done.
Writing objects: 100% (3/3), 332 bytes | 332.00 KiB/s, done.

6. Verify if the changes have been pushed to the upstream code repository:

a. Open the DevOps project IAD-DOP-LAB10-1-DP-01-<userID>.

b. Navigate to Code Repositories from the left menu and open the repository
IAD-DOP-LAB10-1-CR-01.

c. Navigate to Files from the left menu on the code repository page and you will notice
the HelloWorld-lb.yaml present with:

1) Commit message you used, “HelloWorld-lb.yaml modified for Lab12.”

2) Timestamp matching the time of the push.

3) ${BUILDRUN_HASH} in image name as tag.
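
The tag replacement from step 3b and the verification in step 6 can also be checked from Cloud Shell before the commit. The script below is an added example, not part of the Oracle lab material: the function names, the trimmed sample manifest and the tenancy name exampletenancy are constructed for illustration, and render_manifest is only a local preview of the substitution that the pipeline performs with the build run's value.

```bash
#!/bin/sh
# Added example (not from the lab guide): verify that every image in a
# Kubernetes manifest is pinned to the per-build placeholder rather than a
# mutable tag such as "latest", then preview the substituted manifest.

PLACEHOLDER='${BUILDRUN_HASH}'   # single quotes keep the text literal

# Write a constructed, trimmed sample manifest to $1 with image tag $2.
write_sample_manifest() {
  {
    printf 'apiVersion: apps/v1\nkind: Deployment\n'
    printf 'metadata:\n  name: helloworld\n  namespace: ns-user22\n'
    printf 'spec:\n  template:\n    spec:\n      containers:\n'
    printf '      - name: helloworld\n'
    printf '        image: iad.ocir.io/exampletenancy/iad-dop-lab07-1-ocir-1/oci_sample_webapp_user22:%s\n' "$2"
    printf '      imagePullSecrets:\n      - name: ocir-secret-user22\n'
  } > "$1"
}

# Print every image reference found in manifest $1, one per line.
list_images() {
  sed -n -e 's/[[:space:]]*$//' \
         -e 's/^[[:space:]]*-\{0,1\}[[:space:]]*image:[[:space:]]*//p' "$1" |
    tr -d "\"'"
}

# Return 0 only if the manifest has at least one image and every image
# reference ends in :${BUILDRUN_HASH}. Offending references go to stderr.
check_manifest_images() {
  refs=$(list_images "$1")
  if [ -z "$refs" ]; then
    echo "no image: entries found in $1" >&2
    return 1
  fi
  bad=0
  # A here-document (not a pipe) feeds the loop so that $bad survives it.
  while IFS= read -r ref; do
    case "$ref" in
      *":$PLACEHOLDER") ;;                         # pinned to the build run
      *) echo "mutable or missing tag: $ref" >&2; bad=1 ;;
    esac
  done <<EOF
$refs
EOF
  return "$bad"
}

# Print manifest $1 with the placeholder replaced by tag value $2.
# The value is restricted to characters that are valid in an image tag,
# which also keeps it safe to splice into the sed replacement.
render_manifest() {
  case "$2" in
    ''|*[!A-Za-z0-9_.-]*) echo "invalid tag value: $2" >&2; return 2 ;;
  esac
  sed "s/[\$]{BUILDRUN_HASH}/$2/g" "$1"
}

# Demonstration on the constructed sample; qm3pznq is the sample tag value
# that appears later in this lab.
tmp=$(mktemp)
write_sample_manifest "$tmp" "$PLACEHOLDER"
if check_manifest_images "$tmp"; then
  render_manifest "$tmp" qm3pznq | grep 'image:'
fi
rm -f "$tmp"
```

In the lab repository, running check_manifest_images HelloWorld-lb.yaml before git add in step 5 catches a manifest that still references latest.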

Create DevOps Build Pipeline and Build Stages

A build pipeline contains the stages that define the build process for successfully compiling,
testing, and running software applications before deployment.

A stage is an action in the build pipeline. The OCI DevOps service includes the following
predefined stages that you can use in a build pipeline:

• Managed Build: Build and test your software applications.
• Deliver Artifacts: Store your software applications created from the Managed Build
stage in the OCI Artifact Registry or OCI Container Registry repositories.
• Trigger Deployment: Start a deployment pipeline to deploy the output from the
build pipeline.
• Wait: Pause a specific duration for testing the build pipeline.

You can add multiple stages to a pipeline. Stages can be added in a sequence or in parallel.

You can remove any stage from the pipeline. When you do, the stage and its associated
resources are deleted.

In this lab, you will create DevOps build pipeline and build stages.

Tasks

1. Open the navigation menu and click Developer Services. Under DevOps, click Projects.

2. Select your <assigned compartment> from the List scope on the left menu.

3. Open the DevOps project IAD-DOP-LAB10-1-DP-01-<userID>.

4. Click Build Pipelines from the left menu to navigate to the Build Pipelines page.

5. Click Create build pipeline and fill the form with the following values:

a. Name: IAD-DOP-LAB12-1-BPL-01

b. Description: This is the Build pipeline for Lab12.

c. Click Create. The Build pipeline tab will open.

6. To add the first stage to the build pipeline, click the + icon and click Add stage.

a. Select Managed Build as stage type and click Next. Fill the form with the following
values:

1) Stage name: Build-Demo-WebApp

2) Description: This stage executes the commands specified in
build_spec.yaml file.

3) Default compute shape information is displayed for the OCI build agent.
Note: The Managed Build stage runs build instructions on a service managed
build runner.

4) Base container image: Default is Oracle Linux 7 x86 standard 1:0

5) Connect to your tenancy subnet: This is an optional field. Because there are no
private resources in your compartment, you will leave this blank.

6) Build spec file path: The build specification contains build steps and settings
that the build pipeline uses to run a build. The file build_spec.yaml is in the
root directory, so you will leave this field blank.

7) Primary code repository: Click Select. This opens the window to select Primary
code repository:

a) Select the OCI Code Repository from the drop-down list for Source:
Connection type.
This will populate the Code repositories available within your DevOps project.

b) Select the code repository IAD-DOP-LAB10-1-CR-01. The branch and Build
Source name will auto-populate.

c) Click Select.

8) Additional code repositories: You do not have any additional code repositories,
therefore, leave this field blank.

9) Timeout (in seconds): This is an optional field. You will continue with the default
value of 36000.

10) Click Add. You will notice a stage with name Build-Demo-WebApp (Managed
Build) has been added.

7. Add the second stage to the Build pipeline by clicking the + icon at the bottom of the
Build-Demo-WebApp (Managed build) box and click Add stage.

a. Select Deliver Artifacts as stage type from the optional section and click Next. Fill
the form with the following values:

1) Stage name: Push WebApp Artifacts

2) Description: This stage uploads artifacts to registries.

3) Click the Select Artifact(s) button. This opens the window to select artifacts
created in Continuous Integration and Continuous Delivery: Create and set up
artifacts and environments in DevOps project (Lab11-1). Select the following
artifacts and click Add:
• IAD-DOP-LAB11-1-AF-01 Docker Image
• IAD-DOP-LAB11-1-AF-02 Kubernetes Manifest

You will see both the artifacts now listed on the Add a stage page.

b. Associate artifacts with build result: In this section, you will provide the output
names used in the outputArtifacts section of the build_spec.yaml file
corresponding to the artifact types in the build config/result artifact name field.

A snippet of the build_spec.yaml file:

The build_spec.yaml is available in the root directory of your DevOps code
repository IAD-DOP-LAB10-1-CR-01.

After reading through the file snippet, you will be able to identify the output names
used for different artifact types. Fill the fields appropriately as shown in the following
table:

Destination DevOps artifact name | Type                | Build config/result artifact name
IAD-DOP-LAB11-1-AF-01            | Docker image        | oke_app_base
IAD-DOP-LAB11-1-AF-02            | Kubernetes manifest | oke_deploy_manifest

c. Click Add. You will notice a stage with name Push WebApp Artifacts
(DeliverArtifacts) added.

Note: At this point you have two stages in your Build pipeline IAD-DOP-LAB12-1-BPL-01.

Create DevOps Deployment Pipeline and Deploy Stage

A deployment pipeline holds the requirements that must be satisfied to deliver a set of
artifacts to the target environment. Deployment pipelines contain different stages for
automated deployment. Each stage is associated with certain actions in the pipeline.

DevOps service includes predefined stages, which could be readily used in a deployment
pipeline:
• Deploy to a Kubernetes cluster: Uses the built-in Kubernetes rolling update strategy
• Deploy to an instance group: Releases update incrementally to the instance group.
You can specify the maximum instances that can be offline at one time. This type
supports automatic rollbacks.
• Deploy to Functions: Uses the built-in Functions update strategy

In this lab, you will create DevOps deployment pipeline and deploy stage.

Tasks

1. Open the DevOps project IAD-DOP-LAB10-1-DP-01-<userID>. For example,
IAD-DOP-LAB10-1-DP-01-user22.

2. Click Deployment Pipelines from the left menu to navigate to the Deployment Pipelines
page.

3. Click Create pipeline and fill the form with the following values:

a. Name: IAD-DOP-LAB12-1-DPL-01

b. Description: This is Deployment pipeline for Lab12.

c. Click Create pipeline. The Pipeline tab will open.

4. To add a stage to the Deployment pipeline, click the + icon and click Add stage.

a. Select Apply manifest to your kubernetes cluster as stage type and click Next. Fill
the form with the following values:

1) Stage name: OCI-WebApp-Deployment

2) Description: Deploys the sample WebApp to OKE cluster.

3) Environment: Select the environment IAD-DOP-LAB11-1-ENV-01 you created in
Continuous Integration and Continuous Delivery: Create and set up artifacts and
environments in DevOps project (Lab11-1).

4) Under Select one or more artifacts field, click Select Artifact. This opens the
window to add Kubernetes Manifest type artifacts.
• Select IAD-DOP-LAB11-1-AF-02 and click Save changes.

5) Override Kubernetes namespace: Leave this field blank.
Note: The namespace to which the application will be deployed is specified in the
HelloWorld-lb.yaml file which is ns-<userID>.

6) If validation fails, automatically roll back to the last successful version?:
Select Yes to automatically roll back to the last successful version.

7) Click Add. You will notice a stage with name OCI-WebApp-Deployment (Deploy
OKE: Rolling) added.

Create a Trigger Deployment Stage in Build Pipeline

In this lab, you will create a Trigger Deployment Stage within the build pipeline that triggers
the Deployment pipeline to deploy the application based on the output artifacts from the build
pipeline execution.

Tasks

1. Navigate to the Build pipeline IAD-DOP-LAB12-1-BPL-01 in your DevOps project.

2. On the Build Pipeline tab, click the + icon at the bottom of the Push WebApp Artifacts
(Deliver Artifacts) box and click Add stage.

a. Select Trigger Deployment as stage type from the optional section and click Next.
Fill the form with the following values:

1) Stage name: Trigger OKE Deployment

2) Description: This triggers the IAD-DOP-LAB12-1-DPL-01 Deployment
pipeline stages.

3) Click Select Deployment Pipeline. This opens the window to select the
deployment pipelines you have created.
• Select IAD-DOP-LAB12-1-DPL-01 and click Save changes.

4) Enable the Send build pipelines Parameters option.

5) Artifacts used in the deployment pipeline auto-populate with the Kubernetes
manifest type artifact IAD-DOP-LAB11-1-AF-02. This manifest will be applied to
the OKE cluster every time a deployment is triggered.

6) Click Add. You will notice a stage with name Trigger OKE Deployment (Trigger
deployment) added.

Automate Sample Web Application Deployment to OKE Cluster
In this lab, you will run the Build pipeline to execute all its stages in sequence and populate the
artifact and container registry with the manifest and Docker image, respectively. The
successful execution of the Build pipeline will trigger the Deployment pipeline, which uses the
output artifacts and applies them to the target environment, which in this case is an OKE
cluster.

Tasks

1. On the Build Pipeline page IAD-DOP-LAB12-1-BPL-01, click the Start Manual Run
button. The Start Manual Run page opens.

a. OCI assigns your build a Build run name.

b. Click Start manual run at the bottom left.

2. You will reach the Build pipeline tab. Observe that all the build stages are listed here.
Build stages will execute sequentially. You can observe the logs for each stage in the right
window.

3. Once the Trigger OKE Deployment stage completes, click Deployments from the left
menu under your DevOps project IAD-DOP-LAB10-1-DP-01-<userID> to navigate to the
Deployments page.

You will observe a deployment listed here that got automatically kicked off and is either in
an In-progress or Succeeded state.

Further, when you click the deployment name, you will reach the Deployments tab. Under
the Deployments tab, you can see the logs and additional details for the Deployment
pipeline run.

4. Because the deployment is successful, let’s now try to access the application using the
External (or Public) endpoint that is the HelloWorld Service Load Balancer IP.

5. Open Cloud Shell

$ kubectl get svc -n ns-<userID>

For example,
$ kubectl get svc -n ns-user22

You will observe the EXTERNAL-IP listed in the output.

6. Launch a Web browser and enter the EXTERNAL-IP address into the browser’s address
bar to access the application. Once the request is processed, you’ll see the following
webpage:

View the Artifacts Generated as Part of the Automated Build
In this lab, you will view the artifacts generated as part of the Build pipeline execution.

Tasks

1. To view Container Image Repository Artifact:

a. In the Console, open the navigation menu and click Developer Services. Under
Containers & Artifacts, click Container Registry.

b. Select your <assigned compartment> from List scope on the left menu.

c. Select the container repository iad-dop-lab07-1-ocir-1/oci_sample_webapp_<userID>
you created as part of Microservices and Container Orchestration: Manage OCIR and
Push and Pull Images Using Docker CLI (Lab 07-1).

d. You will notice a new image present in your repository with a random string like
qm3pznq as tag. This random string is the BUILDRUN_HASH of the build that pushed
the image in OCIR.

2. To view Kubernetes manifest reference:

a. In the OCI Console, open the navigation menu and click Developer Services. Under
Containers & Artifacts, click Artifact Registry.

b. Select your <assigned compartment> from the List scope on the left menu.

c. Select the artifact registry IAD-DOP-LAB11-1-AR-01 you created in Continuous
Integration and Continuous Delivery: Create an Artifact Registry and Set Up Artifacts
and Environments in a DevOps Project (Lab11-1).

d. You will notice the Kubernetes manifest used by the Deployment pipeline listed here
with the same string qm3pznq as tag.

Every time you run a build pipeline, these artifacts will be generated and stored in the
container and artifact registry with a unique string to identify them. In case of a build failure,
these artifacts are used to roll back to last successful version.

Important Note: Do not delete any artifacts and resources created in this lab because
they will be required in the upcoming labs.

Congratulations! You have successfully deployed a Web Application to an OKE cluster using
OCI DevOps Build and Deployment pipelines.

Further, you also verified the artifacts generated as part of the successful Build pipeline run.

Lab 13-1 Practices

Monitoring - Notification: Configure Alarms with Notifications and Create Monitoring Queries

Estimated Time: 60 minutes

Get Started

Overview

The Oracle Cloud Infrastructure Monitoring service lets you actively and passively monitor
your cloud resources using metrics and alarms.

The Monitoring service uses metrics to monitor resources and alarms to notify you when
these measures respond to the triggers specified by the alarm.

In this lab, you will:

a. Validate build run and deployment.

b. Configure notifications.

c. Monitor build execution time.

d. Monitor build success.

e. Monitor deployment failure.

f. Create monitoring queries.

For more information on OCI Alarms and Notifications, see the OCI Notification
Documentation and for Monitoring Queries, see the OCI Monitoring Documentation.

Prerequisites

• You must complete the following labs before you perform tasks for this practice:
− Microservices and Container Orchestration: Create Docker image for a web
application using Dockerfile (Lab 06-1).
− Microservices and Container Orchestration: Create and work with OCIR repository
(Lab 07-1).
− Microservices and Orchestration: Set up cluster access (Lab 08-1).
− Microservice and Container Orchestration: Deploy a sample Web application on a
cluster using kubectl (Lab 09-1).
− Continuous Integration and Continuous Delivery: Work with code repositories in OCI
DevOps project (Lab10-1).
− Continuous Integration and Continuous Delivery: Create and set up artifacts and
environments in DevOps project (Lab11-1).
− Continuous Integration and Continuous Delivery: Automate Web App deployment
to an OKE cluster using OCI DevOps CI/CD pipeline (Lab 12-1).

Assumptions

• This lab assumes you’re working in the Ashburn region. The resource naming
convention (iad) used in this lab is according to Ashburn.

If you’re working in a different region, change the resource names accordingly. For
example, for Phoenix, use phx.

• You will replace the <userID> placeholder with your user ID.

Validate Build Run and Deployment

You will execute build runs from DevOps Project to ensure build runs are successful, measure
the total time taken for execution and verify deployments are working.

Tasks

1. Sign in to your Oracle Cloud Infrastructure (OCI) account.

2. Open the navigation menu and select Developer Services. Under DevOps, select
Projects.

3. Select your <assigned compartment> from the List scope on the left menu.

4. Click to select your project IAD-DOP-LAB10-1-DP-01-<userID> under the Project name
column.

5. From the left menu, click Build Pipelines and select IAD-DOP-LAB12-1-BPL-01 pipeline.

6. Verify that there are three stages available in the Build pipeline: Build-Demo-WebApp,
Push WebApp Artifacts, and Trigger OKE Deployment.

7. Click Start manual run on the top-right corner of the page.

8. Keep the Build run name as default and click Start manual run.

The status at the top-left corner will be shown In progress, and the execution will take
approximately 5 minutes to complete.

9. Upon completion, the Status at the top-left corner will be updated to Succeeded.

10. Also, convert the Total duration, mentioned at the top, into seconds.

For example, the build run of 3 minutes and 40 seconds will be equal to 220 seconds. You
will use this value as threshold for BuildRunExecutionTime metric. Save this value on a
notepad.

11. Click your DevOps project IAD-DOP-LAB10-DP-01-<userID> using the breadcrumb list at
the top of the page and click Deployments from the left menu.

12. Verify if the status of the last deployment is Succeeded.

Configure Notifications

Now that you have validated build run and deployment, you will configure Notifications to
notify of such events. Alarms is a feature in the Monitoring service which will trigger
notifications based on the monitoring query and trigger rule conditions defined.

To create an alarm, you must first create a notification topic and a subscription so that the
alarm has a way to notify the relevant parties; for example, an alarm can email an
administrator when a deployment has failed.

Task

1. Open the navigation menu and select Developer Services. Under Application Integration,
click Notifications.

2. Select your <assigned compartment> from the List scope on the left menu.

3. Click Create Topic at the top of the topic list. Enter the following values to configure your
topic and click Create:

• Name: iad-dop-lab13-1-nt-01-<userID>. It must be unique across the
tenancy; validation is case-sensitive.
For example, iad-dop-lab13-1-nt-01-user22
• Description: This topic is for Lab 13.

Note: Topic name is case-sensitive and must be unique across the tenancy.

4. Once the state of the topic changes to Active, click the topic name
iad-dop-lab13-1-nt-01-<userID> to view the details.

5. Click Create Subscription and enter the following values to configure your subscription
and click Create:

• Protocol: Select Email from the drop-down list.
• Email: Enter your email address.

6. Click the subscription that you just created. The Subscription Information will be
displayed with the status as Pending Confirmation.

7. Check your email account for the confirmation email and click the Confirm subscription
verification link. A pop-up window will tell you that the subscription has been confirmed.

Copyright © 2023, Oracle and/or its affiliates.

Configure alarms with notifications and create monitoring queries 165


8. Switch back to the Subscriptions page, refresh the page and you will observe that the
Unauthorized reproduction or distribution prohibited. Copyright© 2024, Oracle University and/or its affiliates.

subscription state has changed to Active.

Note: You may need to refresh your browser if the status is not updated.

se
en
lic
bl e
ra
sfe
an
-tr
. non
ide a
Gu as
is ) h
e om
us il.c
th
to gma
@
iss
r
e.d
an
(ri
E
AN
RI
iss
Dr

Copyright © 2023, Oracle and/or its affiliates.

166 Configure alarms with notifications and create monitoring queries


Monitor Build Execution Time

You will now create an alarm that is triggered when the BuildRunExecutionTime metric
reaches a designated threshold.

Thereafter, you will execute a build run from the build pipeline of your DevOps project and
verify the alarm notifications.

Tasks

Create an Alarm

1. Open the navigation menu and select Observability & Management. Under Monitoring, click Alarm Definitions.

2. Select your <assigned compartment> from the List scope on the left menu.

3. Click Create Alarm and enter the following values:

a. Define Alarm section:

− Alarm name: IAD-DOP-LAB13-1-ALA-01

− Alarm severity: Select Critical from the drop-down list.

− Alarm body: Build Execution Time is more than threshold.

Note: The Tags section is optional. Therefore, keep the default selections.

b. Metric description section:

− Compartment: Select your <assigned compartment>.

− Metric namespace: Select oci_devops_build from the drop-down list.

− Metric name: Select BuildRunExecutionTime from the drop-down list.

− Interval: Select 1m from the drop-down list.

− Statistic: Select Max from the drop-down list.

Note: The Resource Group field is optional, so you can skip it for now. Keep the Metric dimensions section blank.

c. Trigger rule section:

− Operator: Select greater than from the drop-down list.

− Value: 60

− Trigger delay minutes: 1

Note: The trigger rule condition is defined so that if the build execution time exceeds 60 seconds, the alarm is triggered and sends an email notification based on the notifications configured in the previous task.

d. Define alarm notifications section:

− Destination service: Select Notifications from the drop-down list.

− Compartment: Select your <assigned compartment>.

− Topic: Select iad-dop-lab13-1-nt-01-<userID> from the drop-down list.

Note: You created the topic earlier. Recall that the topic is the communication channel, such as email. When the alarm is triggered, a notification is sent to the subscribed email addresses.

4. Keep the default selection in the Message grouping section, which is Group notifications across metric streams.

5. Keep the default selection in the Message Format section, which is Send formatted messages.

Note:

• You can also choose to have a notification repeated at certain frequencies if an alarm continues. Keep the Repeat notification option deselected.

• You have the option to suppress (pause) the notification. Keep the Suppress notifications option deselected.

6. Select Enable this alarm and click Save Alarm.

You should now be able to see the alarm’s details and are ready to execute a build run from the build pipeline.

7. Open your DevOps project IAD-DOP-LAB10-1-DP-01-<userID>.

8. Click Build Pipelines from the left menu and click IAD-DOP-LAB12-1-BPL-01.

9. Click Start manual run.

10. Keep the Build run name as default and click Start manual run.

11. Wait until the build run is finished. Verify that the status of the build run is Succeeded.

12. Verify that the Total Duration shown at the top is greater than 60 seconds, which is the trigger rule condition.


Trigger the Alarm

1. Open the navigation menu and select Observability & Management. Under Monitoring,
click Alarm Definitions.

2. Click the IAD-DOP-LAB13-1-ALA-01 alarm you created earlier.

3. The icon before IAD-DOP-LAB13-1-ALA-01 would have changed to Firing mode due to the overall build execution time exceeding the threshold. Please wait for a minute if the status is not changed to Firing, and then refresh the page.

• Scroll down to the Alarm history graph which signifies that the execution time of the build has surpassed the set threshold.

• An email notification is sent to the configured subscription email of the notification’s topic as alarm status changes from OK to Firing.

• The email provides details about alarm OCID, number of metrics breaching threshold, and dimensions as shown below in the screenshot.

4. Navigate back to the Alarm Definitions page and select the check box against the IAD-DOP-LAB13-1-ALA-01 alarm name.

5. Click the Actions drop-down list and select Add suppressions.

6. In the Suppress Alarms window, keep the default Start time and End time.

7. Click Apply suppressions to confirm.

8. Click Close and verify that the Suppressed column shows the alarm is suppressed for the period.


Monitor Build Success

You will now create an alarm that is triggered when the build succeeds.

Thereafter, you will execute a build run from the build pipeline of your DevOps project and
verify alarm notifications using the BuildSuccess metric.

Tasks

Create an Alarm

1. Open the navigation menu and select Observability & Management. Under Monitoring, click Alarm Definitions.

2. Select your <assigned compartment> from the List scope on the left menu.

3. Click Create Alarm and enter the following values:

a. Define alarm section:

− Alarm name: IAD-DOP-LAB13-1-ALA-02

− Alarm severity: Select Info from the drop-down list.

− Alarm body: Build Run has succeeded.

Note: The Tags section is optional. Therefore, keep the default selections.

b. Metric description section:

− Compartment: Select your <assigned compartment>.

− Metric namespace: Select oci_devops_build from the drop-down list.

− Metric name: Select BuildSuccess from the drop-down list.

− Interval: Select 1m from the drop-down list.

− Statistic: Select Min from the drop-down list.

Note: The Resource Group field is optional, so you can skip it for now. Keep the Metric dimensions section blank.

c. Trigger rule section:

− Operator: Select equal to from the drop-down list.

− Value: 1

− Trigger delay minutes: 1

d. Define alarm notifications section:

− Destination service: Select Notifications from the drop-down list.

− Compartment: Select your <assigned compartment>.

− Topic: Select iad-dop-lab13-1-nt-01-<userID> from the drop-down list.

4. Keep the default selection in the Message grouping section, which is Group notifications across metric streams.

5. Keep the default selection in the Message Format section, which is Send formatted messages.

6. Select Enable this alarm and click Save Alarm.

You should now be able to see the alarm’s details and are ready to execute a build run from the build pipeline.

7. Open your DevOps project IAD-DOP-LAB10-1-DP-01-<userID>.

8. Select Build Pipelines from the left navigation panel and click the IAD-DOP-LAB12-1-BPL-01 pipeline.

9. Click Start manual run.

10. Keep the Build run name as default and click Start manual run.

11. Wait until the build run is finished. Verify that the status of the build run is Succeeded.

Trigger the Alarm

1. From the navigation menu, select Observability & Management. Under Monitoring, click Alarm Definitions.

2. Click the IAD-DOP-LAB13-1-ALA-02 alarm you created earlier.

3. The icon before IAD-DOP-LAB13-1-ALA-02 would have changed to Firing mode as the build run has succeeded. Please wait for a minute if the status is not changed to Firing, and then refresh the page.

• Scroll down to the Alarm history graph which signifies that the build has succeeded.

• An email notification is sent to the configured subscription email of the notifications topic as alarm status changes from OK to Firing.

• The email provides details about alarm OCID, number of metrics breaching threshold, and dimensions as shown below in the screenshot.

4. Navigate back to the Alarm Definitions page and select the check box against the IAD-DOP-LAB13-1-ALA-02 alarm.

5. Click the Actions drop-down list and select Add suppressions.

6. In the Suppress alarms window, keep the default Start time and End time and click Apply suppressions to confirm.

7. Click Close and verify that the column Suppressed shows the alarm is suppressed for the period.


Monitor Deployment Failure

You will now create an alarm that is triggered when the deployment fails.

Thereafter, you will configure the Build run stage to fail the deployment, execute a build run
from the Build pipeline which will initiate the deployment and verify alarm notifications.

Tasks

Create an Alarm

You will now create an alarm for notifying Build Success Runs.

1. Open the navigation menu and select Observability & Management. Under Monitoring, click Alarm Definitions.

2. Select your <assigned compartment> from the List scope on the left menu.

3. Click Create Alarm and enter the following values:

a. Define alarm section:

− Alarm name: IAD-DOP-LAB13-1-ALA-03

− Alarm severity: Select Critical from the drop-down list.

− Alarm body: Deployment has Failed.

Note: The Tags section is optional. Therefore, keep the default selections.

b. Metric description section:

− Compartment: Select your <assigned compartment>.

− Metric namespace: Select oci_devops_deployment from the drop-down list.

− Metric name: Select DeploymentFailure from the drop-down list.

− Interval: Select 1m from the drop-down list.

− Statistic: Select Min from the drop-down list.

Note: The Resource Group field is optional, so you can skip it for now. Keep the Metric dimensions section blank.

c. Trigger rule section:

− Operator: Select equal to from the drop-down list.

− Value: 1

− Trigger delay minutes: 1

d. Define alarm notifications section:

− Destination service: Select Notifications from the drop-down list.

− Compartment: Select your <assigned compartment>.

− Topic: Select iad-dop-lab13-1-nt-01-<userID> from the drop-down list.

4. Keep the default selection in the Message grouping section, which is Group notifications across metric streams.

5. Keep the default selection in the Message Format section, which is Send formatted messages.

6. Select Enable this alarm and click Save Alarm.

You should now be able to see the alarm’s details.

Update Build Pipeline Stage and Execute Build Run

You will disable the option to send build pipeline parameters so that the deployment task fails, which triggers the alarm.

1. Open your DevOps project IAD-DOP-LAB10-1-DP-01-<userID>.

2. Select Build Pipelines from the left menu and click IAD-DOP-LAB12-1-BPL-01.

3. Click the three dots on Trigger OKE Deployment and click View details.

4. Click Edit Stage and deselect the Send build pipelines Parameters box.

Note: This prevents the build pipeline parameters from being shared with the deployment pipeline and thus triggers a failure in deployment.

Note: Select the Send build pipelines Parameters box after the alarm has been tested at the end of this lab.

5. Click Save changes.

6. Click Start manual run.

7. Keep the Build run name as default and click Start manual run.

8. Wait until the Status of the build run shows Succeeded.

9. Click Project using the breadcrumb list and click Deployments from the left menu.

10. Verify that the last deployment is shown as Failed.

Trigger the Alarm

1. Open the navigation menu and select Observability & Management. Under Monitoring, click Alarm Definitions.

2. Click the IAD-DOP-LAB13-1-ALA-03 alarm you created earlier.

3. The icon before IAD-DOP-LAB13-1-ALA-03 would have changed to Firing mode as the deployment has Failed. Please wait for a minute if the status is not changed to Firing, and then refresh the page.

• Scroll down to the Alarm history graph which signifies that the deployment has failed.

• An email notification is sent to the configured subscription email of the notifications topic as alarm status changes from OK to Firing.

• The email provides details about alarm OCID, Query, number of metrics breaching threshold, and dimensions as shown below in the screenshot.

4. Navigate back to the Alarm Definitions page and select the check box against the IAD-DOP-LAB13-1-ALA-03 alarm.

5. Click the Actions drop-down list and select Add suppressions.

6. In the Suppress Alarms window, select the default Start time and End time and click Apply suppressions to confirm.

7. Click Close and verify that the column Suppressed shows the alarm is suppressed for the period.

Update Build Pipeline Stage

You will enable the option to send build pipeline parameters so that the deployment task can run successfully.

1. Open your DevOps project IAD-DOP-LAB10-1-DP-01-<userID>.

2. Select Build Pipelines from the left menu and click IAD-DOP-LAB12-1-BPL-01.

3. Click the three dots on Trigger OKE Deployment and click View details.

4. Click Edit Stage and select the Send build pipelines Parameters checkbox.

5. Click Save changes.


Create Monitoring Queries

You will learn about query expressions and components, and you will execute sample queries that can be used with the Monitoring service. The Metrics Explorer creates queries that are used to search and aggregate metric data points collected from resources.

A standard query includes a metric namespace (the source or application being measured), a metric (what is being measured), an interval (over what period), and a statistic (how it’s being measured, for example, a sum, rate, or max value).

Tasks

Create Standard Queries

1. Open the navigation menu and select Observability & Management. Under Monitoring, click Metrics Explorer.

2. To create a standard query, scroll down to the Query section and enter the following values:

• Compartment: Select your <assigned compartment>.

• Metric namespace: Select oci_devops_code_repos from the drop-down list.

• Metric name: Select CodeRepositoriesPulls from the drop-down list.

• Interval: Select 1m from the drop-down list.

• Statistic: Select Mean from the drop-down list.

3. Keep the Metric dimensions section blank and click Update Chart.

If the chart does not display the data, select Last 24 hours under Quick Selects on top of the page. You can also toggle between the Show Data Table and Show Graph options.

The chart generated is the output of the query. It represents the number of pulls done on the code repository in every 1-minute interval. The corresponding Monitoring Query Language (MQL) is displayed under Query 1.

Create Standard Queries with a Filter

A filter condition is used along with a standard query to display graphs that satisfy specific conditions. The filter condition is entered in the metric dimensions area, which is optional, and includes a dimension name and a dimension value.


1. From the navigation menu, select Observability & Management. Under Monitoring, click Metrics Explorer.

2. Enter the following values to create a grouping function using the Basic mode in the Query section:

• Compartment: Select your <assigned compartment>.

• Metric namespace: Select oci_devops_build from the drop-down list.

• Metric name: Select StageExecutionTime from the drop-down list.

• Interval: Select 1m from the drop-down list.

• Statistic: Select Mean from the drop-down list.

3. In the Metric dimensions section, enter the following values:

• Dimension name: Select stageType from the drop-down list.

• Dimension value: Select BUILD from the drop-down list.

• Do not enable the Aggregate metric streams.

4. Click Update Chart.

The graph displays the time chart with the time taken to execute the build stage. If the chart does not display data, select Last 24 hours under Quick Selects on top of the page. You can also toggle between the Show Data Table and Show Graph options.

5. Scroll down to the Query section.

6. In the Metric dimensions section, update the following information:

• Dimension name: Select stageType from the drop-down list.

• Dimension value: Select TRIGGER_DEPLOYMENT_PIPELINE from the drop-down list.

• Do not enable the Aggregate metric streams.

7. Click Update Chart.

The graph displays the time chart with the time taken to complete the trigger deployment pipeline stage.


Create Aggregation Using Basic Queries

The simple aggregation (grouping) function queries return the combined value of all metric
streams for the selected statistic. They can be written manually in the Query Code Editor pane
by checking the Advanced mode option, or you can use the Standard Query mode used above.

1. From the navigation menu, select Observability & Management. Under Monitoring, click Metrics Explorer.

2. Enter the following values to create a grouping function using Basic mode in the Query section:

• Compartment: Select your <assigned compartment>.

• Metric namespace: Select oci_devops_build from the drop-down list.

• Metric name: Select BuildSuccess from the drop-down list.

• Interval: Select 1m from the drop-down list.

• Statistic: Select Mean from the drop-down list.

3. In the Metric dimensions section, enter the following values:

• Dimension name: Select projectId from the drop-down list.

• Dimension value: Select <Project OCID> from the drop-down list. This is the OCID of the DevOps project IAD-DOP-LAB10-1-DP-01-<userID>.

• Enable Aggregate metric streams.

4. Click Update Chart.

If the chart does not display data, select Last 24 hours under Quick Selects on top of the page. You can also toggle between the Show Data Table and Show Graph options.

The graph displays the aggregation of successful builds run on the project, with an interval of 1 minute, and a statistic option of the Mean function. The function Mean returns the value of sum divided by count during the specified period.

Selecting the Aggregate metric streams check box is referred to as the grouping function in Advanced mode. This query can be viewed by selecting the Advanced mode check box.


Create Advanced Queries

The nested queries are written as part of the Advanced mode in the Query code editor.

1. Open the navigation menu and select Observability & Management. Under Monitoring,
click Metrics Explorer.

2. Enter the following values to create a grouping function using Basic mode in the Query section:

• Compartment: Select your <assigned compartment>.

• Metric namespace: Select oci_devops_deployment from the drop-down list.

• Metric name: Select DeploymentExecutionTime from the drop-down list.

• Interval: Select 1m from the drop-down list.

• Statistic: Select Max from the drop-down list.

3. Leave the Metric dimensions section blank. Do not enable Aggregate metric streams and click Update Chart.

If the chart does not display data, select Last 7 days under Quick Selects on top of the page.

The graph shows the deployment executions and time taken to complete in milliseconds, collected with an interval of 1m and shows the maximum reported duration of each Deployment. You can also toggle between Show Data Table and Show Graph option.

4. Select the Advanced mode checkbox at the top-right corner of the Query 1 section.

5. Enter the following code in the Query code editor field.

(DeploymentExecutionTime[1m].max() > 20000).grouping().max()

6. Click Update Chart.

The displayed output groups the deployments and displays the ones that took more than 20,000 milliseconds to complete within each 1-minute interval.
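
The query components and trigger rules used in this lab, as an added Python example that is not part of the Oracle activity guide: it renders the Basic-mode fields as MQL text and evaluates the nested query and an alarm trigger rule over constructed datapoints. The evaluator is a simplified offline model, not the Monitoring service; the sample values, the `projectId` values, and treating an interval with no datapoint as non-breaching are assumptions.

```python
"""Added example: offline model of the lab's MQL queries and alarm trigger rules."""
from collections import defaultdict
from statistics import mean

STATS = {"max": max, "min": min, "mean": mean, "sum": sum, "count": len}
OPS = {">": lambda a, b: a > b, "==": lambda a, b: a == b}

# Constructed datapoints: (epoch seconds, value, dimensions). Not real lab output.
DEPLOY_POINTS = [  # DeploymentExecutionTime, in milliseconds
    (0, 12000, {"projectId": "project-a"}),
    (60, 25000, {"projectId": "project-a"}),
    (70, 31000, {"projectId": "project-b"}),
    (120, 18000, {"projectId": "project-b"}),
    (180, 22000, {"projectId": "project-a"}),
]
BUILD_POINTS = [  # BuildRunExecutionTime, one stream; the lab reads the value as seconds
    (0, 45, {"projectId": "project-a"}),
    (60, 75, {"projectId": "project-a"}),
    (120, 82, {"projectId": "project-a"}),
    (180, 40, {"projectId": "project-a"}),
]


def mql(metric, interval, statistic, dimensions=None, grouping=False):
    """Render Basic-mode fields as MQL: metric[interval]{dims}.grouping().statistic()."""
    dims = ""
    if dimensions:
        pairs = ", ".join(f'{k} = "{v}"' for k, v in sorted(dimensions.items()))
        dims = "{" + pairs + "}"
    group = ".grouping()" if grouping else ""
    return f"{metric}[{interval}]{dims}{group}.{statistic}()"


def evaluate(points, statistic, dimensions=None, grouping=False, interval_s=60):
    """Apply a statistic per interval. Returns one series per metric stream, or a
    single series under key () when grouping (Aggregate metric streams) is on."""
    buckets = defaultdict(lambda: defaultdict(list))
    for ts, value, dims in points:
        if dimensions and any(dims.get(k) != v for k, v in dimensions.items()):
            continue  # dimension filter, e.g. stageType = "BUILD"
        key = () if grouping else tuple(sorted(dims.items()))
        buckets[key][ts - ts % interval_s].append(value)
    return {key: {b: STATS[statistic](vals) for b, vals in sorted(series.items())}
            for key, series in buckets.items()}


def nested_over_threshold(points, threshold):
    """Model of (Metric[1m].max() > threshold).grouping().max(): keep per-stream
    interval maxima above the threshold, then take the max across streams."""
    merged = defaultdict(list)
    for series in evaluate(points, "max").values():
        for bucket, value in series.items():
            if value > threshold:
                merged[bucket].append(value)
    return {b: max(vals) for b, vals in sorted(merged.items())}


def alarm_states(series, operator, threshold, trigger_delay_min=1, interval_s=60):
    """Walk consecutive intervals: FIRING once the trigger rule has held for
    trigger_delay_min minutes in a row, OK otherwise (simplified model)."""
    states, streak = {}, 0
    if not series:
        return states
    for bucket in range(min(series), max(series) + interval_s, interval_s):
        value = series.get(bucket)  # assumption: no datapoint means no breach
        breached = value is not None and OPS[operator](value, threshold)
        streak = streak + 1 if breached else 0
        held_s = streak * interval_s
        states[bucket] = "FIRING" if streak and held_s >= trigger_delay_min * 60 else "OK"
    return states


if __name__ == "__main__":
    # Alarm IAD-DOP-LAB13-1-ALA-01: Max over 1m, greater than 60, trigger delay 1.
    print(mql("BuildRunExecutionTime", "1m", "max"), "> 60")
    (build_series,) = evaluate(BUILD_POINTS, "max").values()
    for bucket, state in alarm_states(build_series, ">", 60).items():
        print(bucket, build_series.get(bucket), state)
    # Advanced query from step 5 of this section.
    print(nested_over_threshold(DEPLOY_POINTS, 20000))
```

Raising `trigger_delay_min` to 2 delays the Firing state by one interval on the same data, which is the trade-off between alert latency and noise when tuning the Trigger delay minutes field.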



Congratulations! You have successfully tested various types of Alarms and Monitoring Queries
which can be used with DevOps pipelines.



Purge Resources

Purge Instructions for Alarms

1. Open the navigation menu and select Observability & Management. Under Monitoring,
click Alarm Definitions.

2. Select your <assigned compartment> from List scope on the left menu.

3. Select all the check boxes that correspond to the alarms IAD-DOP-LAB13-1-ALA-01, IAD-DOP-LAB13-1-ALA-02, and IAD-DOP-LAB13-1-ALA-03.

4. Click the Actions drop-down list and select Delete alarms.

5. Confirm to delete and click Close.

Purge Instructions for Topics and Subscriptions

6. From the navigation menu, select Developer Services. Under Application Integration, click Notifications.

7. Click iad-dop-lab13-1-nt-01-<userID> topic.

8. Click the three dots on the right of the subscription to open the Actions menu and click Delete.

9. Click Delete Subscription to confirm.

10. Navigate back to the Notifications page.

11. Open the Actions menu and click Delete.

12. Click Delete Topic to confirm.


Logging Services: Manage DevOps Project Log Using OCI Console

Lab 14-1 Practices

Estimated time: 40 minutes

Get Started

Overview

The Oracle Cloud Infrastructure Logging service offers a fully managed, highly scalable single point of access to all the logs in your tenancy. Logging provides access to logs from Oracle Cloud Infrastructure resources. These logs include critical diagnostic information that describes how resources are performing and being accessed.

In this lab, you’ll:

a. Configure logs for DevOps project

b. Run the build manually

c. Search your logs

For more information on OCI Logging, see the OCI Logging Documentation.

Prerequisites

• You must complete the following labs before you perform tasks for this practice:

− Microservices and Container Orchestration: Create Docker image for a web application using Dockerfile (Lab 06-1).

− Microservices and Container Orchestration: Create and work with OCIR repository (Lab 07-1).

− Microservices and Orchestration: Set up cluster access (Lab 08-1).

− Microservice and Container Orchestration: Deploy a sample Web application on a cluster using kubectl (Lab 09-1).

− Continuous Integration and Continuous Delivery: Work with code repositories in OCI DevOps project (Lab 10-1).

− Continuous Integration and Continuous Delivery: Create and set up artifacts and environments in DevOps project (Lab 11-1).

− Continuous Integration and Continuous Delivery: Automate Web App deployment to an OKE cluster using OCI DevOps CI/CD pipeline (Lab 12-1).

Assumptions

• You are signed into your Oracle Cloud Infrastructure (OCI) account using your credentials.

• This lab assumes you’re working in the Ashburn region. The resource naming convention (iad) used in this lab is according to Ashburn.

If you’re working in a different region, change the resource names accordingly. For example, for Phoenix, use phx.


Configure Logs for DevOps Project

The log groups are logical containers for organizing and managing logs. A log must always be
inside a log group. You will first create a log group to enable or create logs.

After creating a log group, you will update logging for the DevOps Project.

Tasks

1. Open the navigation menu and select Observability & Management. Under Logging, click Log Groups.

2. Select your <assigned compartment> from List scope on the left menu.

3. Click Create Log Group.

4. In the Create Log Group window, enter the following values:

• Compartment: auto-populated with your <assigned-compartment>.

• Name: IAD-DOP-LAB14-1-LGP-01

• Description: log group for service logs.

5. Click Create.

Note: The DevOps Project is created with logs enabled with a default log group named Default_Group. You will change this log group to IAD-DOP-LAB14-1-LGP-01 and create a new log for DevOps Logs.

6. Open the navigation menu and select Developer Services. Under DevOps, click Projects.

7. Open the DevOps project IAD-DOP-LAB10-DP-01-<userID>.

8. Under DevOps project resources section on left menu, click Logs.

9. Click the three dots on the right to open the Actions menu and click Edit Log.

a. Click the Change Log Group button under the Choose new group field. Select IAD-DOP-LAB14-1-LGP-01 from the drop-down list.

b. Click Change Log Group.

c. Click the Edit button next to Disable Log.

d. Enter the Log Name as IAD-DOP-LAB14-1-SLOG-01

e. Click Save Changes.

10. Open the navigation menu and select Observability & Management. Under Logging, click Log Groups.

11. Select your <assigned compartment> from List scope on the left menu.

12. Click Log Group IAD-DOP-LAB14-1-LGP-01.

13. Click Logs, verify the log name with IAD-DOP-LAB14-1-SLOG-01 is shown Active for Service: DevOps; Category: DevOps Logs.


Run the Build

Execute the build pipeline, which will trigger the deployment pipeline as well. Logs are generated during and after the execution of the build and deployment pipelines.

Tasks

1. Open the DevOps project IAD-DOP-LAB10-DP-01-<userID>.

2. Select Build Pipelines on the left menu and click IAD-DOP-LAB12-1-BPL-01.

3. Verify that three stages are available in the build pipeline: Build-Demo-WebApp, Push WebApp Artifacts, and Trigger OKE Deployment.

4. Click Start manual run on the top right corner of the page.

5. Keep Build run name as default and click Start manual run.

The Status on the top left will be shown as In progress, and the execution will take approximately 5 minutes to complete.

6. Upon completion, the status on top left will be updated to Succeeded.

7. Click your DevOps project IAD-DOP-LAB10-DP-01-<userID> using the breadcrumb list at the top of the page and click Deployments from the left menu.

8. Verify that the status of the last deployment is Succeeded.


Search Your Logs

Logging provides the tools to search any combination or scale of logs to identify events or patterns that may be difficult to observe via legacy methods. This is especially true when working in a distributed scale-out environment comprising several services and platforms.

You will explore the contents of your logs and become familiar with the built-in search capabilities provided by the logging service. You will learn to select service logs to be included in search, examine results, and refine search for service logs. Additionally, you will update a build stage and execute a build run to generate corresponding log records.

You will also learn to search logs from saved searches.

Tasks

Search your logs

1. Open the navigation menu and select Observability & Management. Under Logging, click Search.

2. Click the Select logs to search text field. The Select logs to search window appears.

3. In the Select logs to search field, click (x) to remove your <assigned_compartment> if selected by default.

4. Expand the root compartment under the Compartment column and select your <assigned_compartment> from the Compartment list.

Note: Do not click the plus (+) sign. Click the compartment name only.

This will bring up the log groups in that compartment without including the compartment itself as part of the search criteria. You don’t want the compartment itself included, because you don’t want all the logs for that compartment in the search results.

5. In the Log Groups column, select the IAD-DOP-LAB14-1-LGP-01 log group, but again, click the name only without clicking the plus (+) sign. This will bring up the logs for that log group.

6. In the Logs column, select the IAD-DOP-LAB14-1-SLOG-01 log. This time, click the plus (+) sign to add it as the only search criteria. The Select logs to search field at the top of the window will be updated to <assigned_compartment>/IAD-DOP-LAB14-1-LGP-01/IAD-DOP-LAB14-1-SLOG-01.

7. Click Continue to execute the search.

Explore Filters

1. To examine results and refine search for service logs, in the Custom filters field at the top of the Search area, enter the following and press Enter on your keyboard:
data.deployPipelineId = <Select pipeline OCID from the list>

This will show the log records generated for the selected pipeline.

2. If there are no log records displayed, then Filter by time and select Today from the drop-down list. This will return all the log records matching the condition for the entire day.

3. In the Custom filters field at the top of the Search area, enter the following and press Enter on your keyboard:
data.message = Completed Deployment execution

This will show the log records that contain the message Completed Deployment execution for the selected pipeline.

Note: You can remove the search filters by clicking (x) for Filters under Custom filters.

4. In the Custom filters, enter the keyword failed and press Enter on your keyboard.

The Filters will show the following filter applied, which returns log records that contain the keyword failed:

logContent='*failed*'

5. Select Filter by time as Past 5 minutes. Verify there is no recent log data. You may note the timestamp if there are log records.

6. Click Save search. Enter the following values in the form:

• Search Name: Deployment-failures
• Compartment: Select your <assigned compartment>.
• Description: Search for failed deployments.
• Click Save Search.

7. Click Reset Search to reset the search filters.


Update a build stage and generate corresponding log records

1. Open the DevOps project IAD-DOP-LAB10-DP-01-<userID>.

2. Select Build Pipelines on the left menu and click IAD-DOP-LAB12-1-BPL-01.

3. Click the three dots on Trigger OKE Deployment and click View details.

4. Click Edit Stage and uncheck the Send build pipelines Parameters box to disable it.

Note: This will block the build pipeline parameters from being shared with the deployment pipeline and thus trigger a failure in deployment.

5. Click Save changes.

6. Click Start manual run.

7. Keep the build run name as default and click Start manual run.

8. Wait until the status of the build run shows Succeeded.

9. Click your DevOps project IAD-DOP-LAB10-DP-01-<userID> using the breadcrumb list at the top of the page and click Deployments from the left menu.

10. Verify that the last deployment is shown as Failed.

11. From the navigation menu, select Observability & Management, then click Search under Logging. Under Logging, click Saved Searches to reach the previously saved search Deployment-failures.

12. Choose Filter by time as Past 15 minutes if the data is not shown for Past 5 minutes. Verify that the log records containing the string failed are shown for the deployment failures.

13. Expand one of the log records by clicking the down-arrow icon on the right.

a. On the JSON tab, the log data is shown in JSON format. Review the message under the data section, which shows the log message for the failure.

b. Click the Before & After tab. This shows the logs representing what was going on before and after the log message was generated, which helps in troubleshooting.

14. From the OCI Console Main Menu, select Developer Services. Under DevOps, select Projects.

15. Select your <assigned compartment> from List scope on the left menu.

16. Click Project IAD-DOP-LAB10-DP-01-<userID> under the Project name column.

17. Select Build Pipelines on the left and click the pipeline IAD-DOP-LAB12-1-BPL-01.

18. Click the three dots on the Trigger OKE Deployment stage. Click View details.

19. Click Edit Stage and enable Send build pipelines Parameters.

20. Click Save changes. Do NOT click Start manual run.

21. Click DevOps Projects on top to return to the Projects page.

Congratulations! You have successfully configured and explored logs for your build and deployment pipelines in your DevOps Project.
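
The three filters from Explore Filters and the Before & After view, reproduced locally over exported log records, as an added example that is not part of the original guide or Oracle's code. The sample records, their time field, the placeholder OCIDs and every message except Completed Deployment execution are constructed, and the matching is a local approximation of the search, not the Logging service's own evaluation.

```python
import fnmatch
import json

# Constructed records shaped like the "data" section shown on the JSON tab.
# OCIDs, timestamps and all messages except "Completed Deployment execution"
# are placeholders invented for this example.
PIPELINE_OK = "ocid1.devopsdeploypipeline.oc1.iad.example-ok"
PIPELINE_BAD = "ocid1.devopsdeploypipeline.oc1.iad.example-bad"
SAMPLE_RECORDS = [
    {"time": "2024-01-10T10:00:01Z",
     "data": {"deployPipelineId": PIPELINE_OK, "message": "Starting Deployment execution"}},
    {"time": "2024-01-10T10:04:30Z",
     "data": {"deployPipelineId": PIPELINE_OK, "message": "Completed Deployment execution"}},
    {"time": "2024-01-10T11:00:00Z",
     "data": {"deployPipelineId": PIPELINE_BAD, "message": "Starting Deployment execution"}},
    {"time": "2024-01-10T11:00:05Z",
     "data": {"deployPipelineId": PIPELINE_BAD, "message": "Stage execution failed"}},
    {"time": "2024-01-10T11:00:06Z",
     "data": {"deployPipelineId": PIPELINE_BAD, "message": "Deployment execution ended"}},
]


def get_path(record, dotted):
    """Resolve a dotted field name such as data.message; None if absent."""
    node = record
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def search(records, field_filters=None, keyword=None):
    """Return the records that satisfy every field filter and the keyword.

    field_filters maps a dotted field to the exact value it must equal,
    like data.message = Completed Deployment execution.
    keyword is matched as *keyword* against the whole serialized record,
    the local stand-in for logContent='*keyword*' (case-sensitive here).
    """
    hits = []
    for rec in records:
        filters = (field_filters or {}).items()
        if any(get_path(rec, path) != value for path, value in filters):
            continue
        if keyword is not None:
            content = json.dumps(rec, sort_keys=True)
            if not fnmatch.fnmatchcase(content, f"*{keyword}*"):
                continue
        hits.append(rec)
    return hits


def before_and_after(records, hit, window=1):
    """Records within `window` positions of `hit` in time order."""
    ordered = sorted(records, key=lambda r: r["time"])
    i = ordered.index(hit)
    return ordered[max(0, i - window): i + window + 1]


def failed_deployments(records, window=1):
    """Map each pipeline OCID to the messages around its 'failed' records."""
    report = {}
    for hit in search(records, keyword="failed"):
        pipeline = get_path(hit, "data.deployPipelineId")
        context = before_and_after(records, hit, window)
        report.setdefault(pipeline, []).extend(
            get_path(r, "data.message") for r in context
        )
    return report


if __name__ == "__main__":
    for pipeline, messages in failed_deployments(SAMPLE_RECORDS).items():
        print(pipeline)
        for message in messages:
            print("   ", message)
```

Run against records exported from the saved search Deployment-failures, the same functions give the per-pipeline context that the Before & After tab shows one record at a time.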


Purge Instructions

Purge instructions for Logs and Log Groups

1. Open the navigation menu and select Observability and Management. Under Logging, click Log Groups.

2. Click IAD-DOP-LAB14-1-LGP-01 log group.

3. Under Resources in the left menu, click Logs.

4. For IAD-DOP-LAB14-1-SLOG-01, click the three dots on the right to open the Actions menu and click Delete. Confirm to Delete.

5. Click Log Group.

6. For IAD-DOP-LAB14-1-LGP-01, click the three dots on the right to open the Actions menu and click Delete. Confirm to Delete.

Event Service: Define Rules that Trigger a Specific Action When a DevOps Event Occurs

Lab 15-1 Practices

Estimated Time: 20 minutes

Get Started

Overview

Oracle Cloud Infrastructure (OCI) Events enables the creation of automations based on resource state changes across the tenancy. Use Events to allow your development teams to react automatically when a resource changes state.

Events are structured messages indicating changes in resources.

Events are used by creating rules. Each rule includes a filter that you define to select the events produced by resources in your tenancy.

In this lab, you’ll:

a. Configure a notification

b. Create an event rule

c. Validate the event rule by running a build

For more information on OCI Events, see the OCI Events Documentation.

Prerequisites

• You must complete the following labs before you perform tasks for this practice:
− Microservices and Container Orchestration: Create Docker image for a web application using Dockerfile (Lab 06-1).
− Microservices and Container Orchestration: Create and work with OCIR repository (Lab 07-1).
− Microservices and Orchestration: Set up cluster access (Lab 08-1).
− Microservice and Container Orchestration: Deploy a sample Web application on a cluster using kubectl (Lab 09-1).
− Continuous Integration and Continuous Delivery: Work with code repositories in OCI DevOps project (Lab10-1).
− Continuous Integration and Continuous Delivery: Create and set up artifacts and environments in DevOps project (Lab11-1).
− Continuous Integration and Continuous Delivery: Deploy a Web App with a CI/CD pipeline to an OKE cluster using OCI DevOps (Lab12-1)
• You are signed into your Oracle Cloud Infrastructure (OCI) account using your credentials.

Assumptions

• This lab assumes you’re working in the Ashburn region. The resource naming convention (iad) used in this lab is according to Ashburn.

If you’re working in a different region, change the resource names accordingly. For example, for Phoenix, use phx.

• You will replace the <userID> placeholder with your user ID.

Configure a Notification

Events Rules specify an action to trigger when the filter finds a matching event. The action can use the Notifications service to send a notification when the defined rule conditions are met.

To configure an Events Rule, you must first create a Notifications Topic and Subscription so that the rule condition has a way to notify the relevant parties.

Tasks

1. Open the navigation menu and select Developer Services. Under Application Integration, select Notifications.

2. Select your <assigned compartment> from List scope on the left menu.

3. Click Create Topic and enter the following values in the form:

• Name: iad-dop-lab15-1-nt-01-<userID>
For example, iad-dop-lab15-1-nt-01-user22
• Description: Topic for Lab15.

Note: Topic name must be unique across the tenancy; validation is case-sensitive.

4. Click Create.

5. Once the topic changes state to Active, click the topic to view the details.

6. Select Subscriptions under Resources on the left menu, click Create Subscription and enter the following values in the form:

• Protocol: Select Email.
• Email: Enter your email address.

7. Click Create.

8. Click the subscription that you just created. The Subscription Information will be displayed with the status as Pending.

9. Check the verification email received on the email account you specified. Click the Confirm subscription verification link. A pop-up browser window will tell you that the subscription has been confirmed.

Note: If the email does not arrive in the inbox, look for it in the Promotions category or the spam box.

10. Navigate back to the Subscriptions page and verify that the subscription status has changed to Active. You may need to refresh your browser if the status is not updated.

Create an Event Rule

You will create an Events Rule with a few conditions and an action to send a notification.

Tasks

1. Open the navigation menu and select Observability & Management. Under Events, click Rules.

2. Select your <assigned compartment> from List scope on the left menu.

3. Click Create Rule and enter the following values in the form:

a. Display Name: IAD-DOP-LAB15-1-RLE-01

b. Description: Notify on Build Runs and Deployments.

c. Under the Rule Conditions section, choose Condition as Event Type and Service Name as DevOps Build.

d. Click within the Event Type field and select BuildRun - Create

e. Under Actions, select the following:

• Action Type: Notifications
• Notification Compartment: Select your <assigned compartment>.
• Topic: iad-dop-lab15-1-nt-01-<userID>

4. Click Create Rule.

5. Click Rules on top; verify the State is shown as Active.

Validate Event Rule by Running a Build

Execute a manual build run from DevOps Project. After the build run, an email will be triggered with event details.

Tasks

1. Open the navigation menu and select Developer Services. Under DevOps, select Projects.

2. Select your <assigned compartment> from List scope on the left menu.

3. Open the DevOps project IAD-DOP-LAB10-1-DP-01-<userID>.

4. Select Build Pipelines on the left menu and click the IAD-DOP-LAB12-1-BPL-01 pipeline.

5. Verify the three stages are available: Build WebApp, Push WebApp Artifacts, and Trigger OKE Deployment.

6. Click Start manual run on the top right. Enter the Build run name as IAD-DOP-LAB15-1-BRUN-01.

7. Click Start manual run. A Build Run is created with name IAD-DOP-LAB15-1-BRUN-01.

8. You will receive an email with the subject line Event - com.oraclecloud.devopsbuild.createbuildrun along with Event details in the body in JSON format, including: resourceName as IAD-DOP-LAB15-1-BRUN-01.

9. Open the navigation menu, select Observability & Management. Under Events, click Rules.

10. Select your <assigned compartment> from List scope on the left menu.

11. Click IAD-DOP-LAB15-1-RLE-01 and click Edit Rule.

12. Under Rule Conditions, click + Another Condition to add a second condition as follows:
• Condition: Event Type
• Service Name: Devops Deploy
• Click within Event Type field and select: DeployStage – Create Begin, and Deployment – Create.

13. Click Save changes.

After updating the event rule, execute another manual build run to receive email notification according to the updated event rules.

14. Open the DevOps project IAD-DOP-LAB10-1-DP-01-<userID>.

15. Select Build Pipelines on the left menu and click the IAD-DOP-LAB11-1-BPL-1 pipeline.

16. Verify the three stages are available: Build WebApp, Push WebApp Artifacts, and Trigger OKE Deployment.

17. Click Start manual run on top right. Enter the Build run name as IAD-DOP-LAB15-1-BRUN-02.

18. Click Start manual run. A Build Run is created with name IAD-DOP-LAB15-1-BRUN-02.

19. You will receive an email with the subject line Event - com.oraclecloud.devopsbuild.createbuildrun along with Event details in the body in JSON format, including: resourceName as IAD-DOP-LAB15-1-BRUN-02.

20. You will receive another email with the subject line Event - com.oraclecloud.devopsbuild.createdeployment along with Event details in the body in JSON format.

Congratulations! You have successfully configured event rules to trigger email notifications for specific actions.
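
How the rule conditions from this lab decide which events produce an email, as an added example that is not part of the original guide or Oracle's code: a local matcher that assumes the edited rule is held as one eventType list and that string values may use * wildcards. The envelope fields other than eventType and data.resourceName, the placeholder resource names, and the narrowed rule on resourceName are constructed for illustration.

```python
import fnmatch

# Event type strings exactly as quoted in the lab's email subject lines.
BUILD_RUN = "com.oraclecloud.devopsbuild.createbuildrun"
DEPLOYMENT = "com.oraclecloud.devopsbuild.createdeployment"


def make_event(event_type, resource_name):
    """Constructed event envelope; only eventType and data.resourceName
    come from the lab text, the other fields are placeholders."""
    return {
        "eventType": event_type,
        "source": "DevOps",
        "data": {
            "compartmentName": "example-compartment",
            "resourceName": resource_name,
        },
    }


# Constructed events: two named build runs, one default-named run, one deployment.
SAMPLE_EVENTS = [
    make_event(BUILD_RUN, "IAD-DOP-LAB15-1-BRUN-01"),
    make_event(BUILD_RUN, "example-default-run-name"),
    make_event(BUILD_RUN, "IAD-DOP-LAB15-1-BRUN-02"),
    make_event(DEPLOYMENT, "example-deployment"),
]

# Rule as created in "Create an Event Rule": one event type.
RULE_STEP_3 = {"eventType": [BUILD_RUN]}
# Rule after the edit in step 12. The DeployStage event type string is not
# quoted in the lab, so only the deployment type from step 20 is listed.
RULE_STEP_12 = {"eventType": [BUILD_RUN, DEPLOYMENT]}
# Hypothetical tightening (not in the lab): only the lab's named build runs.
RULE_NARROWED = {
    "eventType": [BUILD_RUN],
    "data": {"resourceName": "IAD-DOP-LAB15-1-BRUN-*"},
}


def _value_matches(pattern, actual):
    """Strings compare with * wildcards; everything else by equality."""
    if isinstance(pattern, str) and isinstance(actual, str):
        return fnmatch.fnmatchcase(actual, pattern)
    return pattern == actual


def matches(condition, event):
    """True when every field named in the condition matches the event.

    A list means any one value may match (OR); a dict recurses into the
    nested object; separate fields must all match (AND).
    """
    for key, expected in condition.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif isinstance(expected, list):
            if not any(_value_matches(p, actual) for p in expected):
                return False
        elif not _value_matches(expected, actual):
            return False
    return True


def matched_resources(condition, events):
    """resourceName of every event the rule would act on."""
    return [e["data"]["resourceName"] for e in events if matches(condition, e)]


def notifications(condition, events):
    """Email subject lines, in the 'Event - <eventType>' form the lab shows."""
    return [f"Event - {e['eventType']}" for e in events if matches(condition, e)]


if __name__ == "__main__":
    for name, rule in [("step 3", RULE_STEP_3), ("step 12", RULE_STEP_12),
                       ("narrowed", RULE_NARROWED)]:
        print(name, matched_resources(rule, SAMPLE_EVENTS))
```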

Purge Instructions

Purge Instructions for Event Rule

1. Open the navigation menu and select Observability & Management. Under Events, click Rules.

2. Select your <assigned compartment> from List scope on the left menu.

3. For the rule IAD-DOP-LAB15-1-RLE-01, click the three dots on the right to open the Actions menu and select Delete.

4. Type DELETE to confirm, click Delete.

Purge Instructions for Subscription

1. Open the navigation menu and select Developer Services. Under Application Integration, click Notifications.

2. Select your <assigned compartment> from List scope on the left menu.

3. Click the topic IAD-DOP-LAB15-1-TOP-01.

4. For the subscription, click the three dots on the right to open the Actions menu and select Delete.

5. Click Delete Subscription to confirm.

Purge Instructions for Topic

1. Open the navigation menu and select Developer Services. Under Application Integration, click Notifications.

2. Select your <assigned compartment> from List scope on the left menu.

3. For the topic IAD-DOP-LAB15-1-TOP-01, click the three dots on the right to open the Actions menu and select Delete.

4. Click Delete Topic to confirm.

Continuous Integration and Continuous Delivery: Deploy a Sample Web Application to an OKE Cluster Using Helm Chart Deployment in OCI DevOps

Lab 18-1 Practices

Estimated Time: 120 minutes

Get Started

Overview

Rapid delivery of software is essential for efficiently running your applications in the cloud. Automating software releases with pipeline deployment increases developer productivity and allows you to release features more frequently and with fewer errors. It helps avoid downtime during deployments and automates the complexity of updating applications.

The Oracle Cloud Infrastructure (OCI) DevOps service is an end-to-end, continuous integration and continuous delivery (CI/CD) platform for developers. You can use OCI DevOps service to easily build, test, and deploy software and applications on Oracle Cloud. The DevOps build and deployment pipelines reduce change-driven errors and decrease the time customers spend on building and deploying releases.

Oracle Cloud Infrastructure (OCI) DevOps service supports deployment of Helm charts to a Container Engine for Kubernetes (OKE) cluster. Developers can add a specific Helm chart stage to deployment pipelines to automate the Helm deployment and automatically roll back on OKE environments.

For more information on OCI DevOps Project Helm Chart Deployment, see the OCI Deploying a helm chart Documentation.

In this lab, you’ll:

a. Create a DevOps project and manage code repositories

b. Create OCIR repositories for Container Image and Helm Chart

c. Set up artifacts and environments for your DevOps project

d. Create DevOps build pipeline and build stages

e. Create DevOps deployment pipeline and deploy stage

f. Create a Trigger Deployment Stage in build pipeline

g. Set up the kubeconfig file and create a Kubernetes namespace.

h. Automate sample web application deployment to OKE cluster using Helm Chart

i. View the artifacts generated as part of the automated build

Prerequisites

• You are signed in to your Oracle Cloud Infrastructure (OCI) account using your credentials.
• You need to have a GitHub account.
• A pre-created OKE cluster <EventID>-OCI-ELS-DEVOPS-OKE is available in the root compartment. <EventID> can be fetched from the Lab tab available in the course page.

Assumptions

• You will replace the <userID> placeholder with your user ID.
• This lab assumes you’re working in the Ashburn region. The resource naming convention (iad) used in this lab is according to Ashburn.

If you’re working in a different region, change the resource names accordingly. For example, for Phoenix, use phx.

Create a DevOps Project and Manage Code Repositories

You will fork a repository, create an access token, and use an existing Vault in the root compartment to create the keys and secrets required to connect to an external repository.

You’ll then create a topic, a DevOps project, and a connection to external repositories, such as GitHub.

You’ll also learn to mirror repositories to and from external sources.

Fork GitHub Repository

1. Sign in to your GitHub account and go to the https://github.com/ou-developers/oci-helm-node-service repository.

2. In the top right, click Fork and then click Create fork at the bottom of the Create a new fork page.

Note: By default, forks use the same name as their upstream repository.

Create a Personal Access Token

1. In your GitHub account, click the profile icon on the top-right corner, and then go to Settings.

2. Navigate to Developer settings and find Personal access tokens > Token (classic) on the left menu and then click Generate new token > Generate new token (classic) for general use.

3. On the New personal access token (classic) page,

a. Provide a name as OCI-DevOps-ELS-LAB18 in Note

b. Set the token Expiration to 30 days

c. In the Select scopes section, select repo (Full control of private repositories) as your scope

4. Click Generate token and make a note of it in a notepad. You’ll need this token later when you create secrets. Here’s an example of what a token looks like:
ghp_YnDABCDEPQRxzGZXXXXduoAZgrPemTj1xxXxx

Create a Master Encryption Key in OCI Vault

1. Switch to the OCI Console, navigate to Identity & Security, and select Vault. From the list of vaults, select OCI-ELS-DEVOPS-VAULT-1 under the root compartment.

2. On the Vault details page, click Create Key to create a master encryption key.

Enter the following values for your key:

• Create in Compartment: Select your <assigned compartment>.
• Protection Mode: HSM
• Name: iad-dop-lab18-1-vk-01
• Leave everything else to default values and click Create Key.

It will take about a minute to create the master encryption key. The key will go from the Creating state to the Enabled state.

3. On the Vault details page, select your <assigned compartment> from List scope on the left menu. You’ll see the key “iad-dop-lab18-1-vk-01” that you created, which is in the Enabled state.

Create a Secret in OCI Vault

1. In the Resources section of the Vault details page, click Secrets. Click Create Secret and enter the following values for the secret:

• Compartment: Select your <assigned compartment>.
• Name: iad-dop-lab18-1-vs-01-<userID>
For example, iad-dop-lab18-1-vs-01-user22
• Description: Secret to pull GitHub repo.
• Encryption Key: iad-dop-lab18-1-vk-01
• Secret Type Template: Plain-Text
• Secret Contents: <Add the Personal access token string that you created in GitHub earlier>
• Click Create Secret. It will take a few minutes to create the Vault Secret. The secret will go through the Creating state to the Enabled state.

Create a Topic

1. In the Console, open the navigation menu and click Developer Services. Under Application Integration, click Notifications.

2. Select your <assigned compartment> from List scope on the left menu. The page updates to display only the resources in that compartment.

3. Click Topics. Click Create Topic at the top of the topic list.

4. In the Create Topic page, configure your topic and click Create.
• Name: iad-dop-lab18-1-nt-01-<userID>.
• Description: This topic is for my Devops lab.

Note: Topic name is case-sensitive and must be unique across the tenancy.

Create a DevOps project

1. Open the navigation menu and click Developer Services. Under DevOps, click Projects.

2. Click Create DevOps project.

• Name: IAD-DOP-LAB18-1-DP-01-<userID>
• Description: This project is for Devops lab18.
• To set up project notifications, click Select Topic. Select the topic that you created earlier, for example iad-dop-lab18-1-nt-01-user22. Project notifications keep you informed of important events and the latest project status.
• Click Create DevOps project.

3. You can use the OCI logging service to record the output the pipeline generates when it runs. On the page of your newly created project, click Enable Log, which takes you to the log management page.

4. In the Logs table, toggle to enable the log. The Enable Log window will pop up. Leave all the options as default and click Enable Log at the bottom. The logs will go through the Creating state to the Active state. You have successfully created a DevOps project.

Create an External Connection

1. Open the navigation menu and click Developer Services. Under DevOps, click Projects.

2. Select the project IAD-DOP-LAB18-1-DP-01-<userID> and go to External Connections on the left menu. Click Create external connection and enter the following values:

• Name: IAD-DOP-LAB18-1-EC-01
• Description: Connecting to GitHub.
• Type: GitHub
• In the Vault Secret section,
1) Click Change Compartment and select the root compartment.
2) Select the Vault OCI-ELS-DEVOPS-VAULT-1 from the drop-down list.
3) Select the secret iad-dop-lab18-1-vs-01-<userID> within your compartment that contains your Personal Access Token (PAT) to connect to GitHub.
• Click Create.

The connection to the selected external repository is successfully created and active.

Create a Mirrored Code Repository

1. Navigate to your DevOps project IAD-DOP-LAB18-1-DP-01-<userID>.

2. Click Code Repositories on the left menu and then click Mirror Repository to mirror the code repository from GitHub. Enter the following values:

• Connection: IAD-DOP-LAB18-1-EC-01. This is the external connection you created.
• Repository: Select the oci-helm-node-service repository, which you forked earlier, from the drop-down list.
• Mirroring Schedule: Select Custom from the drop-down list and set the minutes field to 2.
• Name: IAD-DOP-LAB18-1-MR-01
• Description: This is mirroring GitHub repository.

Click Mirror repository at the bottom. After some time, the mirrored repository will be available in OCI Code Repository.

3. You will have to update the build_spec.yaml file in your git repository to have it mirrored in the code repository.

a. Sign in to your GitHub account and navigate to the forked oci-helm-node-service repository.

b. Click the build_spec.yaml file to open for editing.

c. Click the Edit this file option and make the following two changes in the highlighted section:

• Scroll to the end of the file and locate the line containing the following code:
docker build --pull --rm -t iad-dop-lab18-1-ocir-1/node-service-<userID> .
Here, replace <userID> with your user ID. For example,
docker build --pull --rm -t iad-dop-lab18-1-ocir-1/node-service-user22 .

• Move to the last line of this file and make the following change in the outputArtifacts section:
location: iad-dop-lab18-1-ocir-1/node-service-<userID>:latest
Here, replace <userID> with your user ID. For example,
iad-dop-lab18-1-ocir-1/node-service-user22:latest

d. Scroll to the bottom of the page and click Commit Changes.

e. Switch to the OCI Console, navigate to the Mirrored Code Repository IAD-DOP-LAB18-1-MR-01. You’ll see a message “Mirroring is in Progress” at the top of the page. You can also start the Mirroring process manually by clicking the Synchronize now button.

Copyright © 2023, Oracle and/or its affiliates.

282 Deploy a sample web application to OKE cluster using Helm Chart deployment in OCI DevOps in OCI DevOps
f. After two minutes, click Files from the left menu and scan through the
Unauthorized reproduction or distribution prohibited. Copyright© 2024, Oracle University and/or its affiliates.

build_spec.yaml file to see if the changes are now reflecting in the mirrored OCI
Repository.

Create OCI Repositories for Container Image and Helm Chart

You will create two empty repositories in your compartment and give each a name that's unique in the entire tenancy. One repository will be used to host the container image and the other one for Helm artifacts.

Tasks

1. Navigate to the Oracle Cloud Infrastructure Registry (OCIR):

a. In the Console, open the navigation menu and click Developer Services. Under Containers & Artifacts, click Container Registry.

b. Select your <assigned compartment> from List scope on the left menu.

2. Click Create Repository to create a new repository.

a. Compartment: Select your <assigned compartment>.

b. Repository name: <region-key>-dop-lab18-1-ocir-1/node-service-<userID>

Where,

• <region-key> is the key for the Oracle Cloud Infrastructure Registry region you're using. For example, iad is the region key for US EAST (Ashburn) region. See the Availability by Region topic in the Oracle Cloud Infrastructure documentation.
• Replace <userID> with your user ID.

For example, iad-dop-lab18-1-ocir-1/node-service-user22

c. Select the Public access option to enable unauthenticated access.

d. Click Create Repository.

3. Now, repeat Step 2 to create another public repository with the name <region-key>-dop-lab18-1-ocir-2/helm-repo-<userID>/node-service

Replace <userID> with your user ID.

For example, iad-dop-lab18-1-ocir-2/helm-repo-user22/node-service

Set Up Artifacts and Environments for Your DevOps Project

Artifacts are used to specify software package versions for deployment. DevOps artifacts can be of the following types:

• Container image repository
• Instance group deployment configuration
• Kubernetes manifest
• General artifact
• Helm Chart

You will add Container image repository, Helm Chart, and general artifacts to the OCI Repositories. Additionally, you will create an environment that points to your OKE cluster, which will work as the target platform for your application.

Tasks

1. Let’s add the container image repository artifact. Open the navigation menu and click Developer Services. Under DevOps, click Projects.

2. Select your <assigned compartment> from List scope on the left menu.

3. Open the DevOps project IAD-DOP-LAB18-1-DP-01-<userID>.

4. Click Artifacts from the left menu to navigate to the artifacts page.

5. Click Add artifact to create an artifact and fill the form with the following values:

• Name: IAD-DOP-LAB18-1-AF-01
• Type: Select Container image repository from the list of options.
• Fully qualified path to the image in Container Registry:

<region-key>.ocir.io/<tenancy-namespace>/<repo-name>:<tag>

For example,

iad.ocir.io/oracletenancy/iad-dop-lab18-1-ocir-1/node-service-user22:${BUILDRUN_HASH}

Note: Replace <tenancy-namespace> with your tenancy name and <userID> with your user ID, and ensure you append ${BUILDRUN_HASH} in the fully qualified image URL. This dynamically updates the version of the pushed Docker image.

• Select Allow parameterization and click Add.

6. Again, click Add artifact to create a Helm Chart artifact and enter the following values in the form:

• Name: IAD-DOP-LAB18-1-AF-02
• Type: Select Helm Chart from the list of options.
• Helm Chart URL:

oci://<region-key>.ocir.io/<tenancy-namespace>/<repo-name>:<tag>

For example,

oci://iad.ocir.io/oracletenancy/iad-dop-lab18-1-ocir-2/helm-repo-<userID>/node-service

Note: Replace <tenancy-namespace> with your tenancy name, <region-key> with the code for the region in use (i.e., iad), and <userID> with your user ID.

• Version: 0.1.0-${BUILDRUN_HASH}
• Click Add.

7. Finally, click Add artifact to create a Generic artifact and enter the following values in the form:

• Name: values.yaml
• Type: Select General artifact from the list of options.
• Artifact source: Select inline.
• Value: Paste the following code snippet in this field:

replicaCount: 3
service:
  type: LoadBalancer
  port: 80
image:
  repository: iad.ocir.io/<tenancy-namespace>/iad-dop-lab18-1-ocir-1/node-service-<userID>
  pullPolicy: IfNotPresent
  # Overrides the image tag whose default is the chart appVersion.
  tag: ${BUILDRUN_HASH}

Note: Replace <tenancy-namespace> with your tenancy name and <userID> with your user ID under the image: section in the code snippet.

For example,

iad.ocir.io/oracletenancy/iad-dop-lab18-1-ocir-1/node-service-user22

Note: If you are working in any region other than US EAST (Ashburn), replace “iad” with the region key of the region you are working in. See the Availability by Region topic in the Oracle Cloud Infrastructure documentation.

• Select Allow parameterization and click Add.

8. On the Artifacts page, you will see the following three artifacts created:

| Name | Type | Source | Path | Version |
|------|------|--------|------|---------|
| values.yaml | General artifact | Inline | - | - |
| IAD-DOP-LAB18-1-AF-02 | Helm Chart | Helm chart | oci://iad.ocir.io/<tenancy-namespace>/iad-dop-lab18-1-ocir-2/helm-repo-<userID>/node-service | 0.1.0-${BUILDRUN_HASH} |
| IAD-DOP-LAB18-1-AF-01 | Docker image | OCI Registry | iad.ocir.io/<tenancy-namespace>/iad-dop-lab18-1-ocir-1/node-service-<userID>:${BUILDRUN_HASH} | - |

After creating the artifacts, you’ll now create an Environment for your project.

9. Open the DevOps project IAD-DOP-LAB18-1-DP-01-<userID>.

10. Click Environments from the left menu to navigate to the environments page.

11. Click Create environment. Select Oracle Kubernetes Engine as the Environment Type.

a. Enter the following values in the form:

− Name: IAD-DOP-LAB18-1-ENV-01
− Description: This environment is pointing to pre created OKE cluster <EventID>-OCI-ELS-DEVOPS-OKE.

b. Click Next and enter the following information:

− Region: The region you are working in. This is populated by default.
− Compartment: Select the root compartment.
− Cluster: Select <EventID>-OCI-ELS-DEVOPS-OKE from the list.

c. Click Create environment.

You will now see the environment IAD-DOP-LAB18-1-ENV-01 in Active state, listed on the Environment details page in your DevOps project IAD-DOP-LAB18-1-DP-01-<userID>.

Create DevOps Build Pipeline and Build Stages

A build pipeline contains the stages that define the build process for successfully compiling, testing, and running software applications before deployment.

A stage is an action in the build pipeline. The OCI DevOps service includes the following predefined stages that you can use in a build pipeline:

• Managed Build: Build and test your software applications.
• Deliver Artifacts: Store your software applications created from the Managed Build stage in the OCI Artifact Registry or OCI Container Registry repositories.
• Trigger Deployment: Start a deployment pipeline to deploy the output from the build pipeline.
• Wait: Pause for a specific duration for testing the build pipeline.

You can add multiple stages to a pipeline. Stages can be added in a sequence or in parallel. You can remove any stage from the pipeline. When you do, the stage and its associated resources are deleted.

In this lab, you will create a DevOps build pipeline and build stages.

Tasks

1. Open the navigation menu and click Developer Services. Under DevOps, click Projects.

2. Select your <assigned compartment> from List scope on the left menu.

3. Click the DevOps project IAD-DOP-LAB18-1-DP-01-<userID>.

4. Click Build Pipelines from the left menu to navigate to the Build pipelines page.

5. Click Create build pipeline and enter the following values in the form:

• Name: IAD-DOP-LAB18-1-BPL-01
• Description: This is the Build pipeline for Lab18.

6. Click Create. The Build pipeline tab will open.

7. To add the first stage to the build pipeline, click the (+) icon and click Add stage.

8. Select Managed Build as the stage type and click Next. Fill only the fields mentioned here and leave the rest of the fields at their default values:

• Stage name: Build-Demo-Node-service
• Description: This stage executes the commands specified in build_spec.yaml file.
• Build spec file path: The build specification contains build steps and settings that the build pipeline uses to run a build. The file build_spec.yaml is in the root directory, so you will leave this field blank.
• Primary code repository: Click Select. This opens the window to select the Primary code repository:

a. Select the OCI Code Repository from the drop-down list for Source: Connection type. This will populate the Code repositories available within your DevOps project.

b. Select the code repository IAD-DOP-LAB18-1-MR-01.

c. Select the main branch.

d. Set the Build source name as node_express.

e. Click Select.

9. Click Add. You will notice that a stage with the name Build-Demo-Node-service (Managed Build) has been added.

10. Add the second stage to the Build pipeline by clicking the (+) icon at the bottom of the Build-Demo-Node-service (Managed build) box and click Add stage.

11. Select Deliver Artifacts as the stage type from the optional section and click Next. Fill the form with the following values:

• Stage name: Push-Node-Service-Artifacts
• Description: This stage uploads artifacts to registries.
• Click the Select Artifact(s) button: Select the following artifact and click Add.

IAD-DOP-LAB18-1-AF-01 Docker Image

You will see the artifact now listed on the Add stage page.

12. Associate artifacts with build result: In this section, you will provide the output names used in the outputArtifacts section of the build_spec.yaml file corresponding to the artifact types in the build config/result artifact name field.

A snippet of the build_spec.yaml file:

The build_spec.yaml is available in the root directory of your DevOps code repository IAD-DOP-LAB18-1-CR-01.

After reading through the code snippet, you will be able to identify the output name used for the image artifact type. Fill the field as shown in the following table:

| Destination DevOps artifact name | Type | Build config/result artifact name |
|----------------------------------|------|-----------------------------------|
| IAD-DOP-LAB18-1-AF-01 | Docker image | APPLICATION_DOCKER_IMAGE |

13. Click Add. You will notice a stage with the name Push Node Service Artifacts (Deliver Artifacts) added.

Note: At this point you have two stages in your Build pipeline IAD-DOP-LAB18-1-BPL-01.

14. You will now create an auth token to be used with Oracle Cloud Infrastructure Registry (OCIR):

a. In the top-right corner of the Console, open the Profile menu, and then click User Settings.

b. On the Auth Tokens page, click Generate Token.

c. Enter IAD-DOP-LAB18-1-AT-01 as a friendly description for the auth token.

d. Click Generate Token. The new auth token is displayed. Here’s a sample of what an auth token looks like: XX6{KJr<q:zBdXXXXXX_. It’ll be different in your case.

Note: Copy the auth token to a notepad because you won't see the auth token again in the Console. You’ll need this auth token later in this lab.

For example,

R5kwpS-xxxxx((]51r]]

15. Navigate back to the DevOps project IAD-DOP-LAB18-1-DP-01-<userID> build pipeline IAD-DOP-LAB18-1-BPL-01.

16. The build_spec.yaml file takes care of running the build and pushing Helm charts to the OCI Repository. For publishing Helm charts to OCIR, the credentials and OCIR path are sent as parameters.

Under the Parameters tab, create the following parameters with appropriate values.

| Name | Default value | Description |
|------|---------------|-------------|
| HELM_REPO_URL | oci://<REGION-KEY>.ocir.io/<tenancy-namespace>/<REGION-KEY>-dop-lab18-1-ocir-2/helm-repo-<userID>/ | OCIR Helm Repo URL |
| HELM_REPO | <REGION-KEY>.ocir.io | Helm repo |
| HELM_REPO_USER | <tenancy-namespace>/<username> | Username to publish helm package to OCIR |
| USER_AUTH_TOKEN | XX6{KJr<q:zBdXXXXXX_ | User auth token |

Here,

• Replace the <tenancy-namespace> placeholder with the namespace of your tenancy. For example, oracletenancy.
• <region-key> is the key for the Oracle Cloud Infrastructure Registry region you're using. For example, iad is the region key for US EAST (Ashburn) region. See the Availability by Region topic in the Oracle Cloud Infrastructure documentation.
• Replace <username> with your user ID from the profile menu. For example, user22.
• The auth token IAD-DOP-LAB18-1-AT-01 (random string) you pasted to your notepad. For example, XX6{KJr<q:zBdXXXXXX_.

The parameters will appear like the following table:

| Name | Default value | Description |
|------|---------------|-------------|
| HELM_REPO_URL | oci://iad.ocir.io/oracletenancy/iad-dop-lab18-1-ocir-2/helm-repo-user22/ | OCIR helm repo URL |
| HELM_REPO | iad.ocir.io | Helm repo |
| HELM_REPO_USER | oracletenancy/user22 | Username to publish helm package to OCIR |
| USER_AUTH_TOKEN | XX6{KJr<q:zBdXXXXXX_ | User auth token |
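
A pre-flight check for the four parameters in the tables above, as an added example that is not part of the lab guide or of Oracle's build_spec.yaml. The function name check_helm_params and the rules it applies are assumptions derived from the two parameter tables; the sample values at the end are constructed.

```shell
#!/usr/bin/env bash
# Added example, not part of the lab guide. All sample values are constructed.

# check_helm_params HELM_REPO_URL HELM_REPO HELM_REPO_USER USER_AUTH_TOKEN
# Prints one line per problem; the return status is the number of problems.
check_helm_params() {
  local url="$1" host="$2" user="$3" token="$4"
  local problems=0 pair value url_ns user_ns

  # 1. Template placeholders such as <tenancy-namespace> must be replaced.
  #    The token is not scanned: a real auth token may contain '<' or '>'.
  for pair in "HELM_REPO_URL:$url" "HELM_REPO:$host" "HELM_REPO_USER:$user"; do
    value="${pair#*:}"
    case "$value" in
      *"<"*">"*)
        echo "PROBLEM: ${pair%%:*} still contains a placeholder: $value"
        problems=$((problems + 1)) ;;
    esac
  done

  # 2. HELM_REPO is the registry host, <region-key>.ocir.io in this lab.
  if ! printf '%s' "$host" | grep -Eq '^[a-z]+\.ocir\.io$'; then
    echo "PROBLEM: HELM_REPO is not a <region-key>.ocir.io host: $host"
    problems=$((problems + 1))
  fi

  # 3. HELM_REPO_URL must be an oci:// URL on that same host, ending in '/'
  #    as in the lab's table.
  case "$url" in
    "oci://$host/"*/) ;;
    *)
      echo "PROBLEM: HELM_REPO_URL must look like oci://$host/<path>/"
      problems=$((problems + 1)) ;;
  esac

  # 4. HELM_REPO_USER is <tenancy-namespace>/<username>; its namespace must
  #    equal the first path segment of HELM_REPO_URL.
  url_ns="${url#oci://*/}"
  url_ns="${url_ns%%/*}"
  case "$user" in
    ?*/?*) user_ns="${user%%/*}" ;;
    *)
      user_ns=""
      echo "PROBLEM: HELM_REPO_USER must be <tenancy-namespace>/<username>"
      problems=$((problems + 1)) ;;
  esac
  if [ -n "$user_ns" ] && [ "$user_ns" != "$url_ns" ]; then
    echo "PROBLEM: namespace '$user_ns' (user) differs from '$url_ns' (URL)"
    problems=$((problems + 1))
  fi

  # 5. The token must be set and must not be one of the guide's sample
  #    strings. The token itself is never printed.
  case "$token" in
    ""|'XX6{KJr<q:zBdXXXXXX_'|'R5kwpS-xxxxx((]51r]]')
      echo "PROBLEM: USER_AUTH_TOKEN is empty or a sample value from the guide"
      problems=$((problems + 1)) ;;
  esac

  return "$problems"
}

# Constructed values in the shape of the lab's second parameter table.
check_helm_params \
  "oci://iad.ocir.io/oracletenancy/iad-dop-lab18-1-ocir-2/helm-repo-user22/" \
  "iad.ocir.io" "oracletenancy/user22" "constructed-token-not-real" \
  && echo "OK: parameters are consistent"
```

The check never echoes the token. The parameter values themselves are shown again on the Start Manual Run page, so read access to the build pipeline is also read access to USER_AUTH_TOKEN.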

Create DevOps Deployment Pipeline and Deploy Stage

A deployment pipeline holds the requirements that must be satisfied to deliver a set of artifacts to the target environment. Deployment pipelines contain different stages for automated deployment. Each stage is associated with certain actions in the pipeline.

The DevOps service includes predefined stages, which can be readily used in a deployment pipeline:

• Deploy based on Blue-Green strategy: Uses the blue-green release strategy for Container Engine for Kubernetes (OKE) and instance group deployment.
• Deploy based on Canary strategy: Uses the Canary release strategy for OKE and instance group deployment.
• Deploying a Helm Chart: Installs Helm charts in an OKE cluster.

You will create the DevOps deployment pipeline and add a stage to deploy a Helm chart.

Tasks

1. Open the DevOps project IAD-DOP-LAB18-1-DP-01-<userID>. For example, IAD-DOP-LAB18-1-DP-01-user22.

2. Click Deployment Pipelines from the left menu to navigate to the Deployment pipelines page.

3. Click Create pipeline and enter the following values in the form:

• Name: IAD-DOP-LAB18-1-DPL-01
• Description: This is Deployment pipeline for Lab18.

4. Click Create pipeline. The Pipeline tab will open.

5. To add a stage to the Deployment pipeline, click the (+) icon and click Add stage.

6. Select Install Helm chart to Kubernetes cluster as the stage type and click Next. Enter the following values in the form:

• Stage name: OCI-Helm-Chart-Deployment
• Description: Deploys the sample WebApp helm chart to OKE cluster.
• Environment: Select IAD-DOP-LAB18-1-ENV-01
• Release name: oke-helm-<userID>

Note: Replace <userID> with your user ID. For example, user22.

• Under the helm chart deploy artifact field, click Select Artifact. This opens the window to add the Helm chart. Select the following artifact and click Save Changes.

IAD-DOP-LAB18-1-AF-02 Helm Chart

You will see the artifact now listed on the Add stage page.

• Under the select values artifacts (optional) field, click Select Artifact. This opens the window to add the values.yaml file. Select the following artifact and click Save Changes.

values.yaml Generic artifact

You will see the artifact now listed on the Add stage page.

• Override Kubernetes namespace: Set this field to ns-helm-<userID>.

Note: Replace <userID> with your user ID. For example, ns-helm-user22.

• Timeout: Set timeout to 1200 seconds.
• If validation fails, automatically rollback to the last successful version? Select Yes to automatically roll back to the last successful version.

7. Click Add. You will notice a stage with the name OCI-Helm-Chart-Deployment (Helm chart) added.
Create a Trigger Deployment Stage in Build Pipeline

You will create a Trigger Deployment stage within the build pipeline that triggers the deployment pipeline to deploy the application based on the output artifacts from the build pipeline execution and the Helm charts.

Tasks

1. Navigate to the build pipeline IAD-DOP-LAB18-1-BPL-01 in your current DevOps project.

2. On the Build Pipeline tab, click the (+) icon at the bottom of the Push-Node-Service-Artifacts (Deliver Artifacts) box and click Add stage.

3. Select Trigger Deployment as the stage type from the optional section and click Next. Enter the following values in the form:

• Stage name: Trigger Helm-Chart OKE Deployment
• Description: This triggers the IAD-DOP-LAB18-1-DPL-01 Deployment pipeline stages.
• Click Select Deployment Pipeline. This opens the window to select the deployment pipelines you have created.
• Select IAD-DOP-LAB18-1-DPL-01 and click Save Changes.
• Enable Send build pipelines Parameters.
• Artifacts used in the deployment pipeline will be empty.

4. Click Add. You will notice a stage with the name Trigger Helm-Chart OKE Deployment (Trigger deployment) added.


Set Up the kubeconfig File and Create a Kubernetes Namespace

To access a cluster using kubectl, you must set up a Kubernetes configuration file, commonly known as a kubeconfig file, for the cluster. The kubeconfig file provides the necessary details to access the cluster.

Having set up the kubeconfig file, you can start using kubectl to access the cluster by creating a sample deployment in the OKE cluster.

Tasks

1. In the Console, open the navigation menu and click Developer Services. Under Containers and Artifacts, click Kubernetes Clusters (OKE).

2. Choose the root compartment from List Scope on the left menu.

3. In the table listing Clusters, click the cluster <EventID>-OCI-ELS-DEVOPS-OKE to access using kubectl. The Cluster details page shows information on the cluster.

4. Click Access Cluster to display the Access Your Cluster window.

5. Click Cloud Shell Access, copy the command to access the kubeconfig for your cluster via the VCN-Native public endpoint, and paste it on a notepad.

6. Launch Cloud Shell and run the copied command. On successful execution, it reports that a new config was written to the kubeconfig file.

For example,

$ oci ce cluster create-kubeconfig --cluster-id ocid1.cluster.oc1.iad.xxxxxaaaziwdigokvlwhuaeslgxi6tdk473xqgodcboc6nlgecsyudoxxxxx --file $HOME/.kube/config --region us-ashburn-1 --token-version 2.0.0 --kube-endpoint PUBLIC_ENDPOINT

Note: This is just a representation of the command. Do not use this command to connect with the cluster that’s created for this lab.

7. Verify that kubectl can connect to the cluster.

$ kubectl get nodes

This will return the IP addresses of three worker nodes set up within this OKE cluster.

8. Create a namespace in your Kubernetes cluster to manage your Helm resources.

$ kubectl create ns ns-helm-<userID>

Where,
ns-helm-<userID> is a unique namespace for your group of resources within a cluster. Replace <userID> with your user ID. For example, user22.

For example,

$ kubectl create ns ns-helm-user22
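
A check of the kubeconfig written in step 6, as an added example that is not part of the lab guide. The function names and the sample file are constructed; the check assumes the file obtains short-lived tokens through the OCI CLI exec plugin (oci ce cluster generate-token), which is the form create-kubeconfig writes with --token-version 2.0.0.

```shell
#!/usr/bin/env bash
# Added example, not part of the lab guide. The sample kubeconfig is constructed.

# audit_kubeconfig FILE
# Prints one line per finding; the return status is the number of findings.
audit_kubeconfig() {
  local file="$1" findings=0 key

  if [ ! -f "$file" ]; then
    echo "FINDING: $file does not exist"
    return 1
  fi

  # Any group/other permission bit set? (-perm -MODE is POSIX find syntax.)
  if [ -n "$(find "$file" \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print)" ]; then
    echo "FINDING: $file is accessible to group/other; run: chmod 600 $file"
    findings=$((findings + 1))
  fi

  # Long-lived credentials stored directly in the file.
  for key in token password client-key-data; do
    if grep -Eq "^[[:space:]]*${key}:[[:space:]]*[^[:space:]]" "$file"; then
      echo "FINDING: static '$key' embedded in $file"
      findings=$((findings + 1))
    fi
  done

  # Tokens should come from the OCI CLI exec plugin on each call.
  if ! grep -q 'generate-token' "$file"; then
    echo "FINDING: no 'oci ce cluster generate-token' exec entry in $file"
    findings=$((findings + 1))
  fi

  return "$findings"
}

# write_sample_kubeconfig FILE
# Writes a constructed kubeconfig in the exec-plugin form, mode 600.
# The cluster OCID and server address are placeholders, not real values.
write_sample_kubeconfig() {
  cat > "$1" <<'EOF'
apiVersion: v1
kind: Config
clusters:
- name: cluster-sample
  cluster:
    server: https://192.0.2.10:6443
contexts:
- name: context-sample
  context:
    cluster: cluster-sample
    user: user-sample
current-context: context-sample
users:
- name: user-sample
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      command: oci
      args:
      - ce
      - cluster
      - generate-token
      - --cluster-id
      - ocid1.cluster.oc1.iad.PLACEHOLDER
      - --region
      - us-ashburn-1
EOF
  chmod 600 "$1"
}

# Usage: pass the path of a kubeconfig to audit, e.g. $HOME/.kube/config
if [ "$#" -gt 0 ]; then
  audit_kubeconfig "$1" || echo "review the findings above"
fi
```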

Automate Sample Web Application Deployment to OKE Cluster Using Helm Chart

You will run the build pipeline to execute all its stages in sequence and populate the Artifact as well as the Container Registry with the Helm artifacts and Docker image, respectively. The successful execution of the build pipeline will trigger the deployment pipeline, which uses the output artifacts and Helm Charts and applies them to the target environment, which in this case is an OKE cluster.

Tasks

1. Switch to the OCI Console and navigate to the Build Pipeline IAD-DOP-LAB18-1-BPL-01. Click the Start Manual Run button. The Start Manual Run page opens.

a. OCI assigns your build a Build run name.

b. The parameters you specified in the parameters tab are displayed here.

Note: You can change the parameters for the build run if required.

c. Click Start manual run at the bottom left.

2. You will reach the Build run tab. Observe that all the build stages are listed here. Build stages will execute sequentially. You can observe the logs for each stage in the right window.

Note: If the build pipeline fails due to timeout issues, re-run the build pipeline.

Once the Trigger Helm-Chart OKE Deployment stage completes, click Deployments from the left menu under your DevOps project IAD-DOP-LAB18-1-DP-01-<userID> to navigate to the Deployments page.

You will observe a deployment listed here that was automatically kicked off and is either in an In-progress or Succeeded state.

Further, when you click the deployment name, you will reach the Deployments tab. Under the Deployments tab, you can see the logs and additional details for the Deployment pipeline run.

3. Once the deployment is successful, confirm the Helm chart deployment and try to access the application using the External (or Public) endpoint, i.e., the oke-helm-<userID>-node-service Load Balancer IP.

Note: If the Deployment Pipeline fails due to timeout issues, re-run the build pipeline.

a. Open Cloud Shell and run:

$ helm list -n ns-helm-<userID>

Note: Replace <userID> with your user ID. For example, user22.

For example,

$ helm list -n ns-helm-user22

You will observe the Helm chart deployed with revision set to 1 in the ns-helm-<userID> namespace using the chart available in the OCIR Helm Repository iad-dop-lab18-1-ocir-2/helm-repo-user22/node-service.

b. To access the application deployed on the OKE cluster, you can retrieve the service load balancer IP using the following command.

$ kubectl get svc -n ns-helm-<userID>

Note: Replace <userID> with your user ID. For example, user22.

For example,

$ kubectl get svc -n ns-helm-user22

You will observe the External IP listed in the output.

c. Launch a web browser and enter the IP address into the browser’s address bar to access the application. Once the request is processed, you’ll see a web page with the following content:
View the Artifacts Generated as Part of the Automated Build

You will view the artifacts generated as part of the build pipeline execution.

Tasks

1. To view the Container Image Repository Artifact:

a. In the Console, click Developer Services. Under Containers & Artifacts, click Container Registry.

b. Select your compartment and then select the container repository iad-dop-lab18-1-ocir-1/node-service-<userID>

c. You will notice a new image present in your repository with a random string like xxmjbpxx as tag. This random string is the BUILDRUN_HASH of the build that pushed the image in OCIR.

2. To view the Helm Artifacts:

a. In the Console, click Developer Services. Under Containers & Artifacts, click Container Registry.

b. Select your compartment and then select the container repository iad-dop-lab18-1-ocir-1/helm-repo-<userID>/node-service

c. You will notice an artifact present in your repository with a random string like 0.1.0-amjbpm4 as tag. This random string is the BUILDRUN_HASH of the build that pushed the image in OCIR.

Every time you run a build pipeline, these artifacts will be generated and stored in the container registry with a unique string to identify them. In case of a build failure, these artifacts are used to roll back to the last successful version.

Congratulations! You have successfully deployed a Web Application to an OKE cluster using Helm chart in OCI DevOps build and deployment pipelines.

Further, you also verified the artifacts generated as part of the successful build pipeline run.

Purge Instructions
Unauthorized reproduction or distribution prohibited. Copyright© 2024, Oracle University and/or its affiliates.

Purge Instructions for Helm Chart in OKE cluster

1. Open Cloud Shell, run the following command to list all Helm deployments in your namespace:

$ helm list -n ns-helm-<userID>

2. Choose the deployment you wish to remove and run the following command:

$ helm delete <helm_release_name> -n ns-helm-<userID>

Where,

• <helm_release_name> is your Helm release name.

• ns-helm-<userID> is your Kubernetes namespace name. Replace <userID> with your user ID.

The output says release "oke-helm-<userID>" uninstalled.

Purge Instructions for Namespace in OKE cluster

1. Open Cloud Shell, run the following command for the namespace you wish to delete:

$ kubectl delete namespace ns-helm-<userID>

Where, ns-helm-<userID> is your Kubernetes namespace name. Replace <userID> with your user ID.

Purge Instructions for Deployment Stages


1. Open your DevOps project IAD-DOP-LAB18-1-DP-01-<userID> by navigating to Projects under DevOps in Developer Services.

2. Open the Deployment Pipelines page from the left menu under DevOps project resources and select your Deployment pipeline IAD-DOP-LAB18-1-DPL-01. This will open the Pipeline tab.

3. On the Pipeline tab, for the box representing OCI-WebApp-Deployment (deploy OKE: Rolling) stage, click the three dots on the right to open the Actions menu. Select Delete and click Delete to confirm.

Purge Instructions for Deployment Pipeline

1. Switch to the Deployment Pipelines page under your DevOps project IAD-DOP-LAB18-1-DP-01-<userID>.

2. For the deployment pipeline IAD-DOP-LAB18-1-DPL-01, click the three dots on the right to open the Actions menu. Select Delete and click Delete to confirm.

Purge Instructions for Build Stages

1. Open your DevOps project IAD-DOP-LAB18-1-DP-01-<userID> by navigating to Projects under DevOps in Developer Services.

2. Open the Build Pipelines page from the left menu under DevOps project resources and select your build pipeline IAD-DOP-LAB18-1-BPL-01.

3. On the Build Pipeline tab, for each box representing a build stage, click the three dots on the right to open the Actions menu. Select Delete and then click Delete to confirm.

The stages will have to be deleted in reverse order, starting from Trigger Deployment, then Deliver Artifact, and lastly the Managed Build stage.

Purge Instructions for Build Pipeline


1. Switch to the Build Pipelines page under your DevOps project IAD-DOP-LAB18-1-DP-01-<userID>.

2. For the build pipeline IAD-DOP-LAB18-1-BPL-01, click the three dots on the right to open the Actions menu. Select Delete and then click Yes, delete to confirm.

Purge Instructions for Artifacts in DevOps project


1. Open the DevOps project IAD-DOP-LAB18-1-DP-01-<userID> and select your compartment (from left pane).

2. Click Artifacts from the left menu to navigate to the Artifacts page.

3. For the artifact you wish to delete, click the three dots on the right to open the Actions menu. Select Remove and click Yes, remove artifact to confirm.

Purge Instructions for Environment in DevOps project

1. Open the DevOps project IAD-DOP-LAB18-1-DP-01-<userID>.

2. Click Environments from the left menu to navigate to the Environments page.

3. For the environment you wish to delete, click the three dots on the right to open the Actions menu. Select Delete Environment and click Yes, delete to confirm.

Purge Instructions for Mirrored Code Repository in DevOps Project

1. Open the DevOps project IAD-DOP-LAB10-1-DP-01-<userID>.

2. Click Code Repositories on the left menu of your project page and locate your mirrored repository IAD-DOP-LAB18-1-MR-01.

3. Click the three dots on the right to open the Actions menu. Select Delete.

4. Type the repository name in the provided field to confirm the Delete action and then click Delete.

Purge Instructions for External Connection


1. Open the DevOps project IAD-DOP-LAB18-1-DP-01-<userID>.

2. Click External Connections on the left menu of your project page and locate your connection IAD-DOP-LAB18-1-EC-01.

3. Click the three dots on the right to open the Actions menu. Select Delete.

4. Click Yes, remove external connection to confirm.

Purge Instructions for DevOps Project


1. In the Console, open the navigation menu and click Developer Services. Under DevOps, click Projects.

2. For your DevOps project IAD-DOP-LAB18-1-DP-01-<userID>, click the three dots on the right to open the Actions menu. Select Delete.

3. Type the project name in the provided field to confirm the Delete action and then click Delete.

Purge Instructions for OCIR Repositories

1. In the Console, open the navigation menu and click Developer Services. Under Containers & Artifacts, click Container Registry.

2. Click the name of the repository to be deleted.

1) <region-key>-dop-lab18-1-ocir-1/node-service-<userID>

2) <region-key>-dop-lab18-1-ocir-2/helm-repo-<userID>/node-service

3. Click the Actions menu on the repository summary page and select Delete Repository.

4. Click Delete to confirm that you want to delete the repository.

Purge Instructions for Auth Token

1. In the top-right corner of the OCI Console, open the Profile menu, and then click User Settings.

2. On the left menu, click Auth Tokens.

3. For the auth token you want to delete “<region-key>-DOP-LAB18-1-AT-01”, click the three dots on the right to open the Actions menu. Select Delete and then click Delete to confirm.

DevSecOps: Generate a Key Using OCI Vault Service to Perform Cryptographic Operations

Lab 19-1 Practice

Estimated Time: 30 minutes

Get Started

Overview

Oracle Cloud Infrastructure (OCI) Vault is a key management service that stores and manages master encryption keys and secrets for protected resource access. Specifically, depending on the protection mode, vault keys are either saved on the server or stored in highly accessible and robust hardware security modules (HSM).

In this lab, you’ll:

a. Prepare for master encryption key

b. Create master encryption key

c. Prepare for encryption and decryption

d. Perform encryption

e. Perform decryption

f. Rotate the master encryption key

For more information on OCI Vault, see the OCI Vault Documentation.

Assumptions
• You are signed in to your Oracle Cloud Infrastructure account using your credentials.
• A pre-created Vault OCI-ELS-DEVOPS-VAULT-1 is available in the root compartment.

Prepare for Master Encryption Key

To create a master encryption key, you’ll need the compartment OCID and management endpoint URL.

Note: While you’re performing these tasks, copy and save the compartment OCID, Vault OCID, and management endpoint URL in a notepad. You’ll be using these OCIDs and URL later in this lab.

Tasks

1. Sign in to your Oracle Cloud Infrastructure (OCI) account.

2. Open Cloud Shell.

3. Verify that you are in the home directory.

$ cd ~

4. Get the compartment OCID.

$ oci iam compartment list --name <assigned_compartment> | grep '<assigned_compartment>\|ocid1.compartment'

Note: Replace the <assigned_compartment> with the compartment name that is assigned to you.

For example,

$ oci iam compartment list --name user22_compartment | grep 'user22_compartment\|ocid1.compartment'

Sample Output:

"id": "ocid1.compartment.oc1..axxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"name": "<assigned_compartment>"

5. Get the management endpoint URL.

a. You will need a Vault OCID to get the management endpoint URL. To get the Vault OCID:

1) Open the navigation menu, click Identity & Security, and then click Vault.

2) Select root compartment from List scope on the left menu.

3) From the list of vaults, click the vault OCI-ELS-DEVOPS-VAULT-1. The Console displays the vault configuration details.

4) Copy the Vault OCID and paste it to a notepad for later use. OCID is the unique Oracle-assigned ID of the vault.

b. Generate and copy the management endpoint URL in a notepad:

$ oci kms management vault get --vault-id <vault_ocid> | grep 'display-name\|management-endpoint'

Note: Replace <vault_ocid> with the vault OCID you copied earlier.

For example,

$ oci kms management vault get --vault-id ocid1.vault.oc1.iad.bzqtr2wtaacuu.xxxxxxxxxxxvqpv6ftcjfgazjls7mvhcoadxxxxxxxxxust5aq | grep 'display-name\|management-endpoint'

Sample Output: Copy the management-endpoint URL shown below.

"display-name": "OCI-ELS-DEVOPS-VAULT-1",
"management-endpoint": "https://bxxxxxu-management.kms.us-ashburn-1.oraclecloud.com",

Create Master Encryption Key

You will create a master encryption key needed to carry out cryptographic operations using an existing Vault at the root level compartment.

Tasks

1. Create a master encryption key.

$ oci kms management key create --compartment-id <compartment_ocid> --display-name <key_name> --key-shape <key_encryption_information> --endpoint <management_endpoint_url>

Note: Replace <compartment_ocid> and <management_endpoint_url> with the compartment OCID and the management endpoint URL you saved earlier.
Replace <key_name> with IAD-DP-LAB19-1-MSK-01 and <key_encryption_information> with '{"algorithm":"AES","length":"16"}'

For example,

$ oci kms management key create --compartment-id ocid1.compartment.oc1..axxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx --display-name IAD-DP-LAB19-1-MSK-01 --key-shape '{"algorithm":"AES","length":"16"}' --endpoint https://bxxxxxu-management.kms.us-ashburn-1.oraclecloud.com

Sample Output:

Prepare for Encryption and Decryption

To perform encryption and decryption, you will need the master encryption key OCID and the OCI Vault cryptographic endpoint URL.

Note: Copy and save the master encryption key OCID and OCI Vault cryptographic endpoint URL in a notepad. You’ll be using these OCIDs and URL later in this lab.

Tasks

1. Get the master encryption key OCID and copy it to a notepad.

$ oci kms management key list --compartment-id <compartment_ocid> --endpoint <management_endpoint_url> | grep 'display-name\|ocid1.key'

Note: Replace <compartment_ocid> and <management_endpoint_url> with the compartment OCID and the management endpoint URL you saved earlier.

For example,

$ oci kms management key list --compartment-id ocid1.compartment.oc1..axxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx --endpoint https://bxxxxxu-management.kms.us-ashburn-1.oraclecloud.com | grep 'display-name\|ocid1.key'

Sample Output:

"display-name": "IAD-DP-LAB19-1-MSK-01",
"id": "ocid1.key.oc1.iad.bxxuu.xxxxxxxxxxxxxxxxxxwxxxxxxxxxxxxx"

2. Get the cryptographic endpoint URL and copy it to a notepad.

$ oci kms management vault get --vault-id <vault_ocid> | grep 'display-name\|crypto-endpoint'

Note: Replace <vault_ocid> with the Vault OCID you saved earlier.

For example,

$ oci kms management vault get --vault-id ocid1.vault.oc1.iad.bzqtr2wtaacuu.abuwcljrylhau3fxxxxxxxxxxazjls7mvhcoadxxxxxxxxxxt5aq | grep 'display-name\|crypto-endpoint'

Sample Output:
"crypto-endpoint": "https://bxxxxxuu-crypto.kms.us-ashburn-1.oraclecloud.com",
"display-name": "OCI-ELS-DEVOPS-VAULT-1",

Perform Encryption

You will execute CLI commands to perform encryption. The CLI command invokes oci kms crypto encrypt to perform data encryption, which requires three inputs: the plain text to be encrypted, the OCID of the master encryption key you created in the last step, and the OCI Vault cryptographic endpoint.

Tasks

1. Perform encryption.

$ oci kms crypto encrypt --key-id <master_encryption_key_OCID> --endpoint <crypto_endpoint> --plaintext "base64_plain_text"

Note: Replace <master_encryption_key_OCID> and <crypto_endpoint> with the master key OCID and crypto endpoint you saved in the previous task. Additionally, add a base64 plain text for encryption.

For example,

$ oci kms crypto encrypt --key-id ocid1.key.oc1.iad.bxxuu.xxxxxxxxxxxxxxxxxxwxxxxxxxxxxxxx --endpoint https://bxxxxxuu-crypto.kms.us-ashburn-1.oraclecloud.com --plaintext "$(echo HELLO_WORLD | base64)"

Sample Output: (screenshot in the original guide)

2. Copy ciphertext from your output as highlighted using arrow in the sample output and paste it in a notepad to use later during the decryption process.

Perform Decryption

You will execute CLI commands to perform decryption. The CLI command invokes oci kms crypto decrypt to perform data decryption, which requires three inputs: the encrypted plain text that needs to be decrypted, the OCID of the master encryption key you created in the previous step, and the OCI Vault cryptographic endpoint.

Tasks

1. Perform decryption.

$ oci kms crypto decrypt --key-id <master_encryption_key_OCID> --endpoint <crypto_endpoint> --ciphertext <ciphertext>

Note: Replace the <master_encryption_key_OCID>, <crypto_endpoint>, and the <ciphertext> with the master key OCID, crypto endpoint, and the ciphertext respectively you saved earlier.

For example,

$ oci kms crypto decrypt --key-id ocid1.key.oc1.iad.bxxuu.xxxxxxxxxxxxxxxxxxwxxxxxxxxxxxxx --endpoint https://bxxxxxuu-crypto.kms.us-ashburn-1.oraclecloud.com --ciphertext Qc1hSOIo3b4+ADKTNBoqrxxxxxxx/LsWz95x9aN4AAAAA

Sample Output: (screenshot in the original guide)

2. Copy the plaintext code from your output as highlighted using arrow in the sample output and paste it in a notepad to use it during decoding process.

3. Decode base64 plaintext:

$ echo <plaintext_code> | base64 --decode

Note: Replace the <plaintext_code> with the plaintext code you saved in the previous step. For example,

Rotate the Master Encryption Key

You will rotate the master encryption key to limit the amount of data/sensitive information encrypted using one master encryption key version. It's a good practice as it reduces the risk of compromising a master encryption key.

Tasks

1. Sign in to your Oracle Cloud Infrastructure (OCI) account.

2. Navigate to Identity & Security and select Vault.

3. Select root compartment from List scope on the left menu.

4. From the list of vaults, click the vault OCI-ELS-DEVOPS-VAULT-1.

5. Select your <assigned compartment> from List scope on the left menu. You will see the key that you have created.

6. Click your Master Encryption Key - IAD-DP-LAB19-1-MSK-01.

7. Under Resources, click Versions.

8. On the Key details page, under the Key Information tab, notice the Key version OCID. When you rotate a key, the Vault service generates a new key version. But the master encryption key’s unique Oracle Cloud ID (OCID) remains the same across rotations.

9. On the Key details page, click Rotate Key. Leave the Import External key version unchecked. Confirm that you want to rotate the key by clicking Rotate Key. Close the pop-up after success. You will notice that the Vault service generated a new key version.

10. Perform the process of decryption again as earlier on the same encrypted text.

11. Observation on Output: The key version ID in the output is now different from what is displayed on the key information page. As a result, cryptographic operations involving data/objects encrypted with an earlier version of this key will continue to use the older key version.

Congratulations! You learned to generate a master encryption key and use it to conduct cryptographic operations.
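The check from steps 10 and 11 of the rotation task, as an added example that is not part of the Oracle lab guide: it reads a saved oci kms crypto decrypt response, decodes the base64 plaintext, and reports whether the ciphertext was produced under a key version other than the current one. The response JSON and OCIDs are constructed placeholders, and the field names key-version-id and plaintext are assumptions about the CLI's JSON output.

```shell
#!/bin/sh
# Added example: inspect a saved `oci kms crypto decrypt` response after a key rotation.

# CONSTRUCTED sample response. Field names ("key-id", "key-version-id", "plaintext")
# are assumed from the CLI's JSON output; the OCIDs are placeholders, not real values.
# The plaintext is the base64 of "HELLO_WORLD" plus the newline that `echo` appends.
SAMPLE_DECRYPT_JSON='{
  "data": {
    "key-id": "ocid1.key.oc1.iad.EXAMPLE.key",
    "key-version-id": "ocid1.keyversion.oc1.iad.EXAMPLE.v1",
    "plaintext": "SEVMTE9fV09STEQK"
  }
}'

# Placeholder for the key version OCID shown on the Key details page after Rotate Key.
CURRENT_KEY_VERSION="ocid1.keyversion.oc1.iad.EXAMPLE.v2"

# json_field JSON NAME
# Prints the string value of the first "NAME": "value" pair found in JSON.
# The quotes around NAME keep "key-id" from matching "key-version-id".
json_field() {
  printf '%s\n' "$1" |
    sed -n 's/.*"'"$2"'"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' |
    head -n 1
}

# decode_plaintext JSON
# Base64-decodes the "plaintext" field (-d is the short form of --decode).
decode_plaintext() {
  json_field "$1" plaintext | base64 -d
}

# key_version_status JSON CURRENT_VERSION_OCID
# Prints "current" when the response was produced with the current key version,
# "stale" when an older version was used, "unknown" when the field is missing.
key_version_status() {
  used=$(json_field "$1" key-version-id)
  if [ -z "$used" ]; then
    echo "unknown"
    return 2
  fi
  if [ "$used" = "$2" ]; then
    echo "current"
  else
    echo "stale"
  fi
}

# report JSON CURRENT_VERSION_OCID
# Prints the three facts the lab asks you to observe after rotation.
report() {
  printf 'key version used : %s\n' "$(json_field "$1" key-version-id)"
  printf 'status           : %s\n' "$(key_version_status "$1" "$2")"
  # Command substitution strips the trailing newline that echo added before encryption.
  printf 'decoded plaintext: %s\n' "$(decode_plaintext "$1")"
}

report "$SAMPLE_DECRYPT_JSON" "$CURRENT_KEY_VERSION"
```

A "stale" result matches the observation in step 11: the ciphertext still decrypts, but under the older key version. To move that data under the new version, decrypt it and run oci kms crypto encrypt on the plaintext again.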

Purge Instructions

Purge Instructions for Master Encryption Key

1. Sign in to Oracle Cloud Infrastructure.

2. Open the navigation menu, click Identity & Security, and then click Vault.

3. Select root compartment from List scope on the left menu.

4. From the list of vaults, click the vault OCI-ELS-DEVOPS-VAULT-1.

5. Select your <assigned compartment> from List scope on the left menu.

6. Click Master Encryption Keys and locate the key with the name IAD-DP-LAB19-1-MSK-01.

7. Click the three dots on the right to open the Actions menu. Select Delete Key.

• Confirm that you want to delete the key by clicking the box and then typing the key name.

• Schedule when you want the Vault service to delete the key. You can set a date after 8 days.

8. Click Delete Key.


DevSecOps: Scan Container Image for Vulnerabilities

Lab 20-1 Practices

Estimated Time: 30 minutes

Get Started

Overview

Imagine a software development team working to deliver a business-critical application that passes sensitive data. A developer commits code to a continuous integration and continuous delivery (CI/CD) tool, kicking off a build process. Then, the CI/CD tool pushes the newly built container image to an Oracle Cloud Infrastructure Registry (OCIR) repository and, when ready, the new image is deployed to a production Oracle Cloud Infrastructure (OCI) Container Engine for Kubernetes (OKE) cluster.

While this CI/CD process sounds reasonable, it is missing a few key steps. Critical to shipping compliant and secure containers, system administrators need to ensure that container images have the following characteristics:

• Are free of known critical vulnerabilities that can cause an accidental system failure or result in malicious activity
• Have not been modified since they were published to maintain their integrity
• Are only deployed to a Kubernetes cluster and come from a trusted source

OCI container image scanning, signing, and verification address all these secure container deployment needs.

In this lab, you will:

a. Create an auth token

b. Create a new container repository

c. Enable image scanning

d. Sign in to OCIR from the Cloud Shell

e. Pull the Docker image from Docker Hub

f. Tag the Docker image

g. Push the tagged Docker image to OCIR

h. Verify if the image has been pushed

i. View scan results

j. View vulnerability reports

k. View container image scans

l. Export a vulnerability report

For more information on OCI container image security, see the OCI Scanning Images for Vulnerabilities Documentation.

Prerequisites

• You are signed in to your Oracle Cloud Infrastructure account using your credentials.

• You are familiar with Docker CLI and OCIR.

Create an Auth Token

Create an auth token to use when authenticating your <assigned user account> with Oracle Cloud Infrastructure Registry (OCIR).

Tasks

1. In the top-right corner of the OCI Console, open the Profile menu, and then click User settings.

2. On the Auth Tokens page, click Generate Token.

Note: Each user can only have two auth tokens at a time. Delete an older auth token if you need to create a new one.

3. Enter IAD-DOP-LAB20-1-AT-01 as a friendly description for the auth token.

Click Generate Token. The new auth token is displayed. Here’s a sample of what an auth token looks like: R5kwpS-xxxxx((]51r]]. It’ll be different in your case.

Note: Copy the auth token to a notepad because you won't see the auth token again in the Console. You’ll need this auth token later in the labs.

For example,

R5kwpS-xxxxx((]51r]]

4. Click Close.

Create a New Container Repository

Create a repository in your assigned compartment and give it a name that's unique across all compartments in the entire tenancy. Having created the new repository, you can push an image to the repository using the Docker CLI.

Tasks

1. Sign in to the Oracle Cloud Infrastructure (OCI) Console.

2. Open the navigation menu and click Developer Services. Under Containers & Artifacts, click Container Registry.

3. Select your <assigned compartment> from List scope on the left menu.

4. Click Create repository.

5. Select your <assigned compartment> to create a new repository.

6. Enter a name for the new repository: <region-key>-dop-lab20-1-ocir-1/oci_demo_imagescan_<userID>

Where,

• <region-key> is the key for the Oracle Cloud Infrastructure Registry region you're using. For example, iad is the region key for US EAST (Ashburn) region. See the Availability by Region topic in the Oracle Cloud Infrastructure documentation.

• Replace <userID> with your user ID.

For example, iad-dop-lab20-1-ocir-1/oci_demo_imagescan_user22

Note: Only use lower case characters, numbers, and special characters.

7. Copy the <repo-name> on a notepad for use later in this lab.

8. Select the Private option to limit access to the new repository.

9. Click Create Repository.

Enable Image Scanning

When you create a new repository, image scanning is disabled by default. You can use the Console to enable image scanning for a repository by creating a new image scanner. If image scanning has already been enabled, you can use the Console to disable it.

Tasks

1. Once the repository is created, select the newly created repository <region-key>-dop-lab20-1-ocir-1/oci_demo_imagescan_<userID> from the list of repositories by clicking on the dropdown menu labelled Repositories and images.

2. Click the Add scanner button.

Note: The Add scanner option will take some time to load.

3. In the Add scanner to repository pane, enter the following values:
• Target name: IAD-DOP-LAB20-1-ISC-01-<userID>
For example, IAD-DOP-LAB20-1-ISC-01-user22
• Create in compartment: Select your <assigned compartment>.
• Description (Optional): Scanning Docker images.

4. Configure the Scan configuration settings.

Note: A scan configuration identifies which images to scan by designating the compartment where they reside.

• Select Create a new scan configuration.
• Name: Scan_Config_<userID>
For example, Scan_Config_user22
• Create in compartment: Select your <assigned compartment>.

5. Click Create.

Note: Now that a scanner has been created and configured, images saved to the repository will be scanned for vulnerabilities. If the repository already contains images, the four most recently saved images will have been immediately scanned for vulnerabilities when the scanner was created.

Sign In to OCIR from the Cloud Shell

Once you have generated the auth token and created a new repository, sign in to OCIR from Docker CLI in Cloud Shell.

Tasks

1. Open Cloud Shell.

Note: The OCI CLI running in Cloud Shell will execute commands against the region selected in the Console's region selection menu when Cloud Shell was started.

2. In the Cloud Shell, log in to OCIR by entering:
$ docker login <region-key>.ocir.io

Where,
<region-key> is the key for the Oracle Cloud Infrastructure Registry region you're using. For example, iad is the region key for US EAST (Ashburn) region. See the Availability by Region topic in the Oracle Cloud Infrastructure documentation.

For example,

$ docker login iad.ocir.io

3. When prompted, enter your username in the format given below.

<tenancy-namespace>/<username>

Replace the <tenancy-namespace> and <username> values from the information given in the Profile menu.

Where <tenancy-namespace> is the auto-generated Object Storage namespace string of the tenancy in which to create repositories (as shown on the Tenancy Information page). For <username>, use the username as shown in the Profile menu. For example, ansh81vru1zp/mahendra@acme.com or outenancy29/99239886-lab.user16

Note that for some older tenancies, the namespace string might be the same as the tenancy name in all lower-case letters (for example, acme-dev).

If your tenancy is federated with Oracle Identity Cloud Service, use the format <tenancy-namespace>/oracleidentitycloudservice/<username>.

Enter the auth token IAD-DOP-LAB20-1-AT-01 (random string) you copied earlier as the password.

For example,
R5kwpS-xxxxx((]51r]]

Note: When you enter or paste the password, you’ll not see masked characters. Press Enter on your keyboard to continue and you should see the “Login Succeeded” message on the screen.

Pull the Docker Image

Begin by copying a prebuilt maven image tagged latest (maven:latest) from Docker Hub. This image will later be tagged and pushed to your OCIR repository.

Tasks

1. Issue the following Docker pull command:

$ docker pull maven:latest

For example,

2. Verify the Docker pull command successfully executed:

$ docker images

Note: You should see the maven:latest image in the list of images.

Tag the Docker Image

A tag identifies the Oracle Cloud Infrastructure Registry region, tenancy, and repository to
which you want to push the image.

Tasks

se
1. In the Cloud Shell, run the following command to attach a tag to the image that you're

en
going to push to OCIR repository:

lic
$ docker tag maven:latest <region-key>.ocir.io/<tenancy-

bl e
namespace>/<repo-name>:<tag>

ra
Where,

sfe
• <region-key> is the key for the Oracle Cloud Infrastructure Registry region you're

an
using. For example, iad is the region key for US EAST (Ashburn) region. See

-tr
the Availability by Region topic in the Oracle Cloud Infrastructure documentation.

. non
• ocir.io is the Oracle Cloud Infrastructure Registry name.
• ide a
<tenancy-namespace> is the auto-generated Object Storage namespace string of
Gu as
the tenancy (as shown on the Tenancy Information page) to which you want to push
is ) h

the image. For example, oracletenancy.


e om

• <repo-name> is the name of the target repository to which you want to push the
us il.c

image (for example, iad-dop-lab20-1-ocir-1/oci_demo_imagescan_user22).


th
to gma

• <tag> is an image tag you want to give the image in Oracle Cloud Infrastructure
Registry (for example, 1.0).
@
iss

For example,
r
.d

$ docker tag maven:latest iad.ocir.io/oracletenancy/iad-dop-


e

lab20-1-ocir-1/oci_demo_imagescan_user22:1.0
an
(ri

2. Validate if the new image with the tag is listed.


$ docker images
E
AN

Note: Although two tagged images will be shown (latest and 1.0), both are based on
RI

the same image with the same IMAGE_ID.


iss
Dr

Copyright © 2023, Oracle and/or its affiliates.

326 Container image scanning for vulnerabilities


Push the Tagged Docker Image to OCIR

After assigning a tag to the image, push it to the Oracle Cloud Infrastructure Registry
repository.

Tasks

1. In the Cloud Shell, run the following command to push the tagged Docker image to the OCIR
repository:

$ docker push <region-key>.ocir.io/<tenancy-namespace>/<repo-name>:<tag>

Where,

• <region-key> is the key for the Oracle Cloud Infrastructure Registry region you're
using. For example, iad is the region key for US EAST (Ashburn) region. See the
Availability by Region topic in the Oracle Cloud Infrastructure documentation.
• ocir.io is the Oracle Cloud Infrastructure Registry name.
• <tenancy-namespace> is the auto-generated Object Storage namespace string of
the tenancy (as shown on the Tenancy Information page) to which you want to push
the image. For example, oracletenancy.
• <repo-name> is the name of the target repository to which you want to push the
image (for example, iad-dop-lab07-1-ocir-1/oci_sample_webapp_user22).
• <tag> is an image tag you want to give the image in Oracle Cloud Infrastructure
Registry (for example, latest).

For example,

$ docker push iad.ocir.io/oracletenancy/iad-dop-lab20-1-ocir-1/oci_demo_imagescan_user22:1.0

You will see the different layers of the image being pushed in turn.


Verify If the Image Has Been Pushed

Verify that the image was successfully pushed to the OCIR repository.

Tasks

1. Go back to the OCIR Service page and select your <assigned compartment> from List
scope on the left menu.

2. Click the dropdown menu labelled Repositories and images.

3. You’ll see the private repository iad-dop-lab20-1-ocir-1/oci_demo_imagescan_<userID>
that you created.

4. Expand by clicking on the (+) icon preceding the name of the repository that contains the
image you just pushed. You’ll see:

• An image with the tag 1.0.
• A summary page that shows you the details about the repository, including who
created it and when, its size, and whether it's a public or a private repository.

5. Click the image tag 1.0.

On the Summary page, you’ll see the image size, when it was pushed and by which user,
and the number of times the image has been pulled.


View Scan Results

The results of a container image scan include the specific vulnerabilities in the CVE database
that were detected in the image.

Tasks

1. While still on the OCIR Service page, and having selected the image 1.0, click the Scan
Results tab. This will show you the following information:

• Risk level
• Issues found
• Scan started
• Scan completed

Note: It will take some time before the scan results show up.

2. Click the three dots on the right to open the Actions menu. Select View Details to see the
issues in more detail, with the risk level associated with each of them and their descriptions.


View Vulnerability Reports

The results of a container image scan include the specific vulnerabilities in the CVE database
that were detected in the image.

In this section, you will explore Vulnerability Reports, accessing information about specific
vulnerabilities that were detected in one or more targets.

Tasks

1. Open the navigation menu and click Identity & Security. Under Scanning,
click Vulnerability Reports.

Note: If you are presented with a general information screen labeled Vulnerability
Scanning Service, locate and click Skip.

2. From the left menu, under Scanning, select Vulnerability Reports.

3. Select your <assigned compartment> from List scope on the left menu.

4. From the left menu, under Filters, select All for the Risk level.

5. Click the Risk level header to sort by risk level.

6. To view a description of a specific vulnerability, click Show in the CVE description column.

7. To view details about a specific vulnerability, click a report's CVE ID. This opens a
vulnerabilities report. A vulnerabilities report includes details about the affected
resources and CVEs.

8. On the Vulnerabilities report page, in the left menu, under Resources, select Container
Images to view a list of Container images that are affected by the selected vulnerability.


View Container Image Scans

The results of a container image scan include the specific vulnerabilities in the CVE database
that were detected in the image.

Tasks

1. Open the navigation menu and click Identity & Security. Under Scanning, click Scanning
Reports.

2. Select your <assigned compartment> from List scope on the left menu.

3. Click the Container images tab.

4. Locate the Risk level filter drop-down menu. Select All.

5. Locate the Scan start date and Scan end date filter drop-down menus.

By default, only the most recent scan reports are displayed. To view older reports, choose
specific start and end dates.

Alternatively, click Scan start date and choose to view reports for either the Past 7
Days or the Past 30 Days.

6. Locate the Reset button. Click Reset at any time to set the risk level and date ranges back
to the default values.

7. (Optional) Click the table columns to sort the container image scans by:

• Issues found
• Risk level
• Scan completed

8. To view a Container image report, click the name of the Container image.

For example, iad-dop-lab20-1-ocir-1/oci_demo_imagescan_user22:1.0

9. The following details are shown for each issue that was detected in this image:

• Issue ID
• Risk level
• Issue description
• Last detected
• First detected
• Cause and Remediation

10. Click an Issue ID to view more details about a specific vulnerability.

11. Navigate back to the Container image report details page using the breadcrumb link. Click
the View detail button in the Cause and remediation column to get more information on
how to address this vulnerability.


Export a Vulnerability Report

Use the Console to export all vulnerabilities reports as a file in comma-separated value (CSV)
format for offline analysis.

Tasks

1. Open the navigation menu and click Identity & Security. Under Scanning,
click Vulnerability Reports.

2. Select your <assigned compartment> from List scope on the left menu.

3. Click Export CSV and save the .csv file on your local machine.

Congratulations! You have successfully uploaded an image to the OCIR repository, run the
vulnerability scan on the image, and analyzed the scan reports.


Purge Instructions

Purge Instructions for Image and Repository

1. In the Console, open the navigation menu and click Developer Services. Under
Containers & Artifacts, click Container Registry.

2. Click the name of the repository to be deleted from the dropdown menu.

3. Click the Delete Repository button on the repository summary page.

4. Click Delete to confirm.

Purge Instructions for Auth Token

1. In the top-right corner of the Console, click the user Profile menu, and select User
settings.

2. On the left menu, click Auth Tokens.

3. For the auth token you want to delete, click the three dots on the right to open the Actions
menu. Select Delete and then click Delete to confirm.

Purge Instructions for Docker image

1. In the Cloud Shell, run the following command to list all the images and get the image IDs,
image names, and other details:

$ docker images

2. Run the docker rmi <IMAGE ID> command to remove the image.

Deleting a Target

Deleting a target doesn’t delete the cloud resources (compute instances or container images,
for example) in the target.

1. Log in to the Oracle Cloud Infrastructure (OCI) console.

2. Open the navigation menu and click Identity & Security. Under Scanning, click Targets.

3. Select the Compartment that contains your target.

4. Click the Container image tab for the type of target that you want to delete.

5. Click the name of the target.

6. Click Delete.

7. When prompted for confirmation, click Delete.

Deleting a Scan Recipe

A scan recipe can be deleted only if it is not associated with any scan targets.

1. Log in to the Oracle Cloud Infrastructure (OCI) console.

2. Open the navigation menu and click Identity & Security. Under Scanning, click Scan
Recipes.

3. Select the Compartment that contains your recipe.

4. Click the Container image tab for the type of recipe that you want to delete.

5. Click the name of the recipe.

6. Click Delete.

7. When prompted for confirmation, click Delete.

Deleting Container Images Scanning reports

Delete old reports that you no longer need.

1. Log in to the Oracle Cloud Infrastructure (OCI) console.

2. Open the navigation menu and click Identity & Security. Under Scanning, click Scanning
Reports.

3. Select the Compartment in which you created the target.

4. Click the Container images tab.

5. Click the name of the scan.

6. Click Delete.

7. Confirm the deletion.


Lab 21-1 Practices

DevSecOps: Sign and Verify Container Image in OCIR

Estimated Time: 40 minutes

Get Started

Overview

For compliance and security reasons, system administrators seek to deploy software into a
production system only when they are sure that:

• The software comes from a trusted source
• The software has not been modified since it was published, thus its integrity is
maintained

To fulfil these requirements, you can sign images stored in the Oracle Cloud Infrastructure
(OCI) Registry, also known as Container Registry. Signed images provide a way to verify both
the source and the integrity of an image.

In this lab, you’ll:

a. Create an Auth Token

b. Create a Container Registry

c. Pull a sample image from Docker Hub

d. Tag and push the image to Container Registry

e. Create a master encryption key in OCI Vault

f. Create an image signature using the OCI CLI

g. View signed image and further explore image signatures

For more information on OCI container image security, see the OCI Signing Images for
Security Documentation.

Prerequisites

• You are signed in to your Oracle Cloud Infrastructure account using your credentials.
• A pre-created Vault OCI-ELS-DEVOPS-VAULT-1 is available in the root
compartment.


Create an Auth Token

To push or pull Docker images from OCIR, you must have an OCI username and an auth
token. You only see the auth token string when you create it, so be sure to copy the auth token
to a secure location immediately. Each OCI user can have up to two auth tokens at a time. So,
if you do lose or forget the auth token, you can always create a second auth token.

Tasks

1. In the top-right corner of the Console, click the user Profile menu, and select User
settings.

2. On the Auth Tokens page, click Generate Token.

Note: Each user can only have two auth tokens at a time. Delete an older auth token if you
need to create a new one.

3. Enter IAD-DOP-LAB21-1-AT-01 as a friendly description for the auth token.

4. Click Generate Token. The new auth token is displayed. Here’s a sample of what an auth
token looks like: R5xxxx-ZS519((]51r]]. It’ll be different in your case.

Note: Copy the auth token to a notepad because you won't see the auth token again in
the Console. You’ll need this auth token later in this lab.

For example,

R5xxxx-ZS519((]51r]]

5. Click Close.


Create a Container Registry

OCI Registry, or the Container Registry, is an open standards-based, Oracle-managed Docker
registry service for securely storing and sharing container images. You can easily push and
pull Docker images using the familiar Docker CLI.

You will now create an empty repository with a unique name across the tenancy.

Tasks

1. Check if you can access OCIR:

a. In the Console, open the navigation menu and click Developer Services. Under
Containers & Artifacts, click Container Registry.

b. Select your <assigned compartment> from List scope on the left menu.

c. Review the repositories that already exist.

2. Click Create Repository.

3. Select your <assigned compartment> to create a new repository.

4. Enter a name for the new repository:
<region-key>-dop-lab21-1-ocir-1/oci_demo_imagesign_<userID>

Where <region-key> is the key for the Oracle Cloud Infrastructure Registry region
you're using. For example, iad is the region key for US EAST (Ashburn) region. See
the Availability by Region topic in the Oracle Cloud Infrastructure documentation.

For example: iad-dop-lab21-1-ocir-1/oci_demo_imagesign_user22

5. Select the Public option to enable unauthenticated access to the new repository.

6. Click Create Repository.


Pull a Sample Image from Docker Hub

Once you have generated an auth token and created a new repository, sign in to OCIR from
the Docker CLI in Cloud Shell and pull a sample image from Docker Hub.

Tasks

1. Open Cloud Shell.

Note: The OCI CLI running in Cloud Shell will execute commands against the region
selected in the Console's region selection menu when Cloud Shell was started.

2. In the Cloud Shell window, log in to OCIR by entering:

$ docker login <region-key>.ocir.io

Where <region-key> is the key for the Oracle Cloud Infrastructure Registry region
you're using. For example, iad is the region key for US EAST (Ashburn) region. See
the Availability by Region topic in the Oracle Cloud Infrastructure documentation.

For example,

$ docker login iad.ocir.io

3. When prompted, enter your username in the format <tenancy-namespace>/<username>.
For example, oracletenancy/user22. Enter the auth token IAD-DOP-LAB21-1-AT-01
(random string) you copied earlier as the password.

For example,

R5kwpS-xxxxx((]51r]]

Note: When you enter or paste the password, no characters are displayed, not even masked
ones. Press Enter on your keyboard to continue.

4. As a sample image, you will pull the official mysql:latest image from Docker Hub:

$ docker pull mysql:latest

5. Run the following command to check whether the image is pulled successfully:

$ docker images

You should see the mysql:latest image in the list of images.


Tag and Push the Image to Container Registry

Once you have pulled the sample image from Docker Hub, sign in to OCIR using the Docker CLI
in Cloud Shell to tag the new image and push it to OCIR.

Tasks

1. In the Cloud Shell, run the following command to attach a tag to the image that you're
going to push to the OCIR repository:

$ docker tag mysql:latest <region-key>.ocir.io/<tenancy-namespace>/<repo-name>:<tag>

Where,

• <region-key> is the key for the Oracle Cloud Infrastructure Registry region you're
using. For example, IAD is the region key for US EAST (Ashburn) region. See the
Availability by Region topic in the Oracle Cloud Infrastructure Registry
documentation.
• ocir.io is the Oracle Cloud Infrastructure Registry name.
• <tenancy-namespace> is the auto-generated Object Storage namespace string of
the tenancy (as shown on the Tenancy Information page) to which you want to push
the image.
• <repo-name> is the name of the target repository to which you want to push the
image (for example, iad-dop-lab21-1-ocir-1/oci_demo_imagesign_user22).
Note that you'll specify a repository that you created previously as part of this lab.
• <tag> is an image tag you want to give the image in Oracle Cloud Infrastructure
Registry.

For example,

$ docker tag mysql:latest iad.ocir.io/oracletenancy/iad-dop-lab21-1-ocir-1/oci_demo_imagesign_user22:1.0

Here 1.0 is the tag given to the image.

2. Run the following command to validate whether the newly tagged image is listed:

$ docker images

You should see the tagged image in the list of images.

3. Now, run the following command to push the Docker image to OCIR:

$ docker push <region-key>.ocir.io/<tenancy-namespace>/<repo-name>:<tag>

For example,

$ docker push iad.ocir.io/oracletenancy/iad-dop-lab21-1-ocir-1/oci_demo_imagesign_user22:1.0

The different layers of the image are pushed in turn.

4. In the Console, open the navigation menu and click Developer Services. Under
Containers & Artifacts, click Container Registry.

5. Go to the OCIR repository iad-dop-lab21-1-ocir-1/oci_demo_imagesign_<userID> and
check if a new image is available under the repository with the tag 1.0.

6. Also check the Signatures tab on the right. It should say, “No items found”.
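
The reference format used for docker tag and docker push in both the image-scanning lab and this lab, <region-key>.ocir.io/<tenancy-namespace>/<repo-name>:<tag>, can be checked before anything is pushed. The shell functions below are an added example, not part of the lab guide; the names ocir_ref_split, ocir_part and ocir_ref_check are hypothetical, and the sample reference is the one used in the steps above.

```shell
#!/bin/sh
# Added example, not part of the lab guide. Function names are hypothetical.
# Checks a reference of the form
#   <region-key>.ocir.io/<tenancy-namespace>/<repo-name>:<tag>
# before it is handed to docker tag / docker push.

# ocir_ref_split REF
# Prints four lines: region key, tenancy namespace, repo name, tag.
# A part that cannot be found is printed as an empty line.
ocir_ref_split() (
  ref=$1
  host=${ref%%/*}
  case $ref in */*) rest=${ref#*/} ;; *) rest= ;; esac
  # In this format the host carries no port, so a ':' in the path can
  # only introduce the tag.
  case $rest in
    *:*) tag=${rest##*:}; path=${rest%:*} ;;
    *)   tag=;            path=$rest ;;
  esac
  # The repo name may itself contain '/', so only the first path segment
  # is the tenancy namespace; everything after it is the repo name.
  case $path in
    */*) ns=${path%%/*}; repo=${path#*/} ;;
    *)   ns=$path;       repo= ;;
  esac
  case $host in ?*.ocir.io) region=${host%.ocir.io} ;; *) region= ;; esac
  printf '%s\n%s\n%s\n%s\n' "$region" "$ns" "$repo" "$tag"
)

# ocir_part REF N: print part N (1=region key, 2=namespace, 3=repo, 4=tag).
ocir_part() {
  ocir_ref_split "$1" | sed -n "${2}p"
}

# ocir_ref_check REF [EXPECTED_NAMESPACE]
# Returns 0 and prints the parsed parts, or returns 1 with a reason on stderr.
ocir_ref_check() (
  LC_ALL=C   # make the character ranges below byte-exact
  ref=$1
  want_ns=${2:-}
  region=$(ocir_part "$ref" 1); ns=$(ocir_part "$ref" 2)
  repo=$(ocir_part "$ref" 3);   tag=$(ocir_part "$ref" 4)
  fail() { echo "reject $ref: $1" >&2; exit 1; }

  case $region in
    ''|*[!a-z0-9-]*) fail "registry host is not <region-key>.ocir.io" ;;
  esac
  [ -n "$ns" ] || fail "missing tenancy namespace"
  if [ -n "$want_ns" ] && [ "$ns" != "$want_ns" ]; then
    fail "namespace is $ns, expected $want_ns"
  fi
  # Docker repository names must be lowercase.
  case $repo in
    ''|*[!a-z0-9._/-]*) fail "repo name missing or not lowercase" ;;
  esac
  case $tag in
    '') fail "no explicit tag (Docker would assume latest)" ;;
    [.-]*|*[!A-Za-z0-9_.-]*) fail "invalid tag" ;;
  esac
  [ "${#tag}" -le 128 ] || fail "tag longer than 128 characters"
  echo "ok region=$region namespace=$ns repo=$repo tag=$tag"
)

# Demo: the lab's sample reference, then the same reference with the tag
# removed (constructed), which is rejected.
SAMPLE_REF="iad.ocir.io/oracletenancy/iad-dop-lab21-1-ocir-1/oci_demo_imagesign_user22:1.0"
ocir_ref_check "$SAMPLE_REF" oracletenancy
ocir_ref_check "${SAMPLE_REF%:*}" oracletenancy 2>&1 || true
```

Because the repo name itself contains a slash, splitting the reference on the last slash would report iad-dop-lab21-1-ocir-1 as part of the namespace; the check above takes only the first path segment as the tenancy namespace.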



Create a Master Encryption Key in OCI Vault

After you have built and pushed the image to the Container Registry, you can also sign the
image using a master encryption key obtained from OCI Vault, thus creating an image
signature. Note that the image signature is associated with an image's OCID, making it specific
to a particular push of the image.

Tasks

1. In the Console, open the navigation menu and click Developer Services. Under
Containers & Artifacts, click Container Registry.

2. Select the image you just pushed in your repository with tag 1.0 to see detailed
information. Copy the OCID of the image shown on the Summary page and paste it on a
notepad. For example,

ocid1.containerimage.oc1.iad.0.ocuocictrng6.aaaaaaaav27t3aua3vjszarlz3hw44a5prlm2id63dfd6aej2s72exxxxxxx

3. Now, navigate to Identity & Security and click Vault. Select the vault
OCI-ELS-DEVOPS-VAULT-1 under the root compartment.

4. Click Create Key to create a master encryption key in the vault OCI-ELS-DEVOPS-VAULT-1.

5. Enter the following values for your key:

• Create in Compartment: <Select your assigned compartment.>
• Protection Mode: HSM
• Name: iad-dop-lab21-1-vk-01
• Key Shape: Algorithm: Select RSA from the drop-down list.
Note: Use of AES symmetric keys to sign images is not supported.
• Key shape: Length 2048 bits
• Leave other fields to default values and click Create Key. It will take about a minute to
create the master encryption key.

6. Select your assigned compartment in the OCI-ELS-DEVOPS-VAULT-1 vaults page. You’ll
see the key that you just created listed under the Master Encryption Keys on the left
side. The key will go from the Creating state to the Enabled state.

7. Make a note of the OCIDs of both the master encryption key and the key version stored in
OCI Vault.

a. Click the iad-dop-lab21-1-vk-01 listed on the OCI-ELS-DEVOPS-VAULT-1 Vault page
to open the key summary page. Copy the OCID of the master encryption key. For
example,

ocid1.key.oc1.iad.bzqtr2wtaacuu.abuwcljs6e5r63s54irrvi3f4zl5rnkjmo2kvzw4djnsz33n6f6d2xxxxxxx

b. Click Versions under Resources from the left menu and copy the OCID of the key
version. For example,

ocid1.keyversion.oc1.iad.bzqtr2wtaacuu.asqkmm3k2daaa.abuwcljsvvfffqdzi275zx2hdv2cs6phvmk4nzrgexnz37wagd4ehxxxxxxx

Copy and paste both the OCIDs on a notepad for future reference.


Create an Image Signature using the OCI CLI

Once you obtain the OCIDs for both the master encryption key and the key version in the Vault
service, you can sign the image you pushed to Container Registry by creating an image
signature using the Container Registry CLI.

Tasks

1. Open Cloud Shell.

2. In the Cloud Shell window, log in to OCIR by entering:

$ docker login iad.ocir.io

3. When prompted, enter your username in the format <tenancy-namespace>/<username>.
For example, oracletenancy/user22. Enter the auth token IAD-DOP-LAB21-1-AT-01
(random string) you copied earlier as the password.

4. Run the following command to create an image signature:

$ oci artifacts container image-signature sign-upload \
    --compartment-id <compartment-ocid> \
    --kms-key-id <key-ocid> \
    --kms-key-version-id <key-version-ocid> \
    --signing-algorithm <signing-algorithm-name> \
    --image-id <image-ocid> \
    --description <signature-description>

Where,

• <compartment-ocid>: The OCID of the compartment to which the image
repository belongs. Open the navigation menu, click Identity & Security. Under
Identity, click Compartments. Search your assigned compartment and copy the
OCID.
• <key-ocid>: The OCID of the master encryption key to use to sign the image.
Check your notepad for the OCID.
• <key-version-ocid>: The OCID of the key version to use to sign the image.
Check your notepad for the OCID.
• <signing-algorithm-name>: The name of one of the following algorithms to
use to sign the image:

SHA_224_RSA_PKCS_PSS
SHA_256_RSA_PKCS_PSS
SHA_384_RSA_PKCS_PSS
SHA_512_RSA_PKCS_PSS
SHA_224_RSA_PKCS1_V1_5
SHA_256_RSA_PKCS1_V1_5
SHA_384_RSA_PKCS1_V1_5
SHA_512_RSA_PKCS1_V1_5
ECDSA_SHA_256
ECDSA_SHA_384
ECDSA_SHA_512

The algorithm to choose depends on the type of the master encryption key. For RSA
keys, supported signature schemes include PKCS #1 and RSASSA-PSS, along with
different hashing algorithms. For example, --signing-algorithm
SHA_224_RSA_PKCS_PSS
• <image-ocid>: The OCID of the image to sign. Check your notepad for the OCID.
• <signature-description>: Optional field for text to describe the image. This
description is included as part of the signature and is shown in the Console. For
example, "Demo Image signing for integrity test."

For example,

$ oci artifacts container image-signature sign-upload \
    --compartment-id ocid1.compartment.oc1..aaaaaaaaztwigv63hbyoxyovjo46xorslvqplozs7j7gioik6hh2cbxxxxxx \
    --kms-key-id ocid1.key.oc1.iad.bzqtr2wtaacuu.abuwcljs6e5r63s54irrvi3f4zl5rnkjmo2kvzw4djnsz33n6f6d2xxxxxxx \
    --kms-key-version-id ocid1.keyversion.oc1.iad.bzqtr2wtaacuu.asqkmm3k2daaa.abuwcljsvvfffqdzi275zx2hdv2cs6phvmk4nzrgexnz37wagd4ehxxxxxxx \
    --signing-algorithm SHA_224_RSA_PKCS_PSS \
    --image-id ocid1.containerimage.oc1.iad.0.ocuocictrng6.aaaaaaaav27t3aua3vjszarlz3hw44a5prlm2id63dfd6aej2s72exxxxxxx \
    --description "Demo Image signing for integrity test."

• You will see the details of the uploaded image signature as the output.
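
One way to catch argument mistakes before running the sign-upload command in this section: each OCID is checked against the resource type its flag expects, and the signing algorithm is checked against the key type. This is an added example, not part of the lab guide or the OCI CLI; the function names are hypothetical, and the OCIDs are the lab's masked samples.

```shell
#!/bin/sh
# Added example, not part of the lab guide. Function names are hypothetical.
# Checks the arguments of
#   oci artifacts container image-signature sign-upload
# and prints the command only when they are consistent.

# algo_family NAME: print the key type (RSA or ECDSA) that a signing
# algorithm from the lab's list requires; fail for any other name.
algo_family() (
  case $1 in
    SHA_224_RSA_PKCS_PSS|SHA_256_RSA_PKCS_PSS|\
    SHA_384_RSA_PKCS_PSS|SHA_512_RSA_PKCS_PSS|\
    SHA_224_RSA_PKCS1_V1_5|SHA_256_RSA_PKCS1_V1_5|\
    SHA_384_RSA_PKCS1_V1_5|SHA_512_RSA_PKCS1_V1_5) echo RSA ;;
    ECDSA_SHA_256|ECDSA_SHA_384|ECDSA_SHA_512) echo ECDSA ;;
    *) exit 1 ;;
  esac
)

# ocid_is TYPE VALUE: succeed when VALUE starts with "ocid1.TYPE.". The
# trailing dot keeps a keyversion OCID from passing as a key OCID.
ocid_is() (
  case $2 in "ocid1.$1."?*) exit 0 ;; *) exit 1 ;; esac
)

# sign_upload_cmd COMPARTMENT KEY KEY_VERSION KEY_TYPE ALGORITHM IMAGE DESCRIPTION
# KEY_TYPE is the algorithm chosen when the key was created (RSA, ECDSA, AES).
# AES never matches an algorithm family, so AES keys are always refused.
sign_upload_cmd() (
  comp=$1 key=$2 keyver=$3 key_type=$4 algo=$5 image=$6 desc=$7
  fail() { echo "refusing to sign: $1" >&2; exit 1; }

  ocid_is compartment "$comp"     || fail "--compartment-id is not a compartment OCID"
  ocid_is key "$key"              || fail "--kms-key-id is not a key OCID"
  ocid_is keyversion "$keyver"    || fail "--kms-key-version-id is not a key version OCID"
  ocid_is containerimage "$image" || fail "--image-id is not a container image OCID"
  family=$(algo_family "$algo")   || fail "unknown signing algorithm: $algo"
  [ "$family" = "$key_type" ]     || fail "$algo needs a $family key, got $key_type"

  printf 'oci artifacts container image-signature sign-upload'
  printf ' --compartment-id %s --kms-key-id %s' "$comp" "$key"
  printf ' --kms-key-version-id %s --signing-algorithm %s' "$keyver" "$algo"
  printf ' --image-id %s --description "%s"\n' "$image" "$desc"
)

# The lab's masked sample OCIDs.
COMPARTMENT_OCID="ocid1.compartment.oc1..aaaaaaaaztwigv63hbyoxyovjo46xorslvqplozs7j7gioik6hh2cbxxxxxx"
KEY_OCID="ocid1.key.oc1.iad.bzqtr2wtaacuu.abuwcljs6e5r63s54irrvi3f4zl5rnkjmo2kvzw4djnsz33n6f6d2xxxxxxx"
KEY_VERSION_OCID="ocid1.keyversion.oc1.iad.bzqtr2wtaacuu.asqkmm3k2daaa.abuwcljsvvfffqdzi275zx2hdv2cs6phvmk4nzrgexnz37wagd4ehxxxxxxx"
IMAGE_OCID="ocid1.containerimage.oc1.iad.0.ocuocictrng6.aaaaaaaav27t3aua3vjszarlz3hw44a5prlm2id63dfd6aej2s72exxxxxxx"

# Accepted: RSA key with an RSA algorithm, as in the lab.
sign_upload_cmd "$COMPARTMENT_OCID" "$KEY_OCID" "$KEY_VERSION_OCID" RSA \
  SHA_224_RSA_PKCS_PSS "$IMAGE_OCID" "Demo Image signing for integrity test."

# Rejected: key and key version OCIDs pasted in the wrong order.
sign_upload_cmd "$COMPARTMENT_OCID" "$KEY_VERSION_OCID" "$KEY_OCID" RSA \
  SHA_224_RSA_PKCS_PSS "$IMAGE_OCID" "Demo" 2>&1 || true
```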


View Signed Image and Verify Image Signature
Unauthorized reproduction or distribution prohibited. Copyright© 2024, Oracle University and/or its affiliates.

An image signature associates an image with the master key (obtained from the Vault service)
that was used to sign the image. An image can have multiple signatures, each created using a
different master encryption key.

Having signed an image in Container Registry and created an image signature, you can:

se
en
• View details of the signature

lic
• Verify the signature with the Vault service to confirm that the master encryption key

bl e
used to sign the image is still valid and available
• Delete the signature to indicate that the image is no longer to be considered as

ra
sfe
trusted

an
Now that the image signature is uploaded, you’ll view the signed image.

-tr
Tasks

. non
1. In the Console, open the navigation menu and click Developer Services. Under
ide a
Gu as
Containers & Artifacts, click Container Registry.
is ) h

2. Select your <assigned compartment> from List scope on the left menu.
e om
us il.c

3. Select the repository iad-dop-lab21-1-ocir-1/oci_demo_imagesign_<userID>


th
to gma

containing the signed image.


@

You will notice the image with tag 1.0 labelled as a Signed.
iss

4. Click the name of a signed image and click the Signatures tab to view the details of the
r
.d

signatures created when the image was signed:


e
an

• Description: A description of the signature that was specified when the image was
(ri

signed
E

• Verification response: The result of the last attempt to verify the image signature
AN

with the Vault service


RI

• Date: Date and time when the image was signed, and the image signature created
iss

5. Beside the signature, click the three dots on the right to open the Actions menu.
Dr

a. Select View key details to view the master encryption key, key version, and signing
algorithm for a signature. Click Close.

Copyright © 2023, Oracle and/or its affiliates.

Sign and verify container image in OCIR 349


Open the Actions menu and select Verify signature to verify a signature with the
Unauthorized reproduction or distribution prohibited. Copyright© 2024, Oracle University and/or its affiliates.

Vault service.

Note:
The Vault service checks if:
• The image source had access to a valid private key when they pushed the image
• The image has not been modified since it was pushed

If both conditions are met, the signature is shown with a Verified status. Users or systems pulling the image from the registry can be confident that the source of the image is trusted, and that the image's integrity has not been compromised.

Congratulations! You have successfully signed an image by creating an image signature using a master encryption key and key version from the OCI Vault service.

Further, you also checked whether the image source is trusted and whether the image's integrity is maintained by verifying the signature.
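The two checks listed in the Note, plus the effect of deleting a signature or losing the signing key, modelled as an added Python example (not Oracle's code and not part of the lab). A toy RSA key pair stands in for the Vault master encryption key; the signed message layout and every status string other than Verified are assumptions made for the illustration.

```python
import hashlib

# Toy RSA key pair standing in for a Vault master encryption key version.
# Constructed for this example and far too small for real use.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, never leaves the "Vault"

def image_digest(manifest: bytes) -> str:
    """Content digest that identifies the pushed image."""
    return "sha256:" + hashlib.sha256(manifest).hexdigest()

def _encode(digest: str, description: str) -> int:
    # Assumed message layout: the signature covers digest and description.
    msg = f"{digest}|{description}".encode()
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def sign_image(manifest: bytes, description: str) -> dict:
    """Signer side: only a holder of the private key can produce 'sig'."""
    digest = image_digest(manifest)
    return {"digest": digest, "description": description,
            "sig": pow(_encode(digest, description), D, N)}

def verify_image(manifest: bytes, signatures: list, key_enabled: bool = True) -> str:
    """Consumer side: status to act on before pulling or deploying."""
    if not signatures:
        return "Unsigned"          # signature deleted: no longer trusted
    if not key_enabled:
        return "Key unavailable"   # key disabled or deleted in the Vault
    digest = image_digest(manifest)
    for s in signatures:
        expected = _encode(s["digest"], s["description"])
        if s["digest"] == digest and pow(s["sig"], E, N) == expected:
            return "Verified"
    return "Not verified"          # image changed or signature not from the key

if __name__ == "__main__":
    manifest = b'{"layers": ["constructed-sample-layer"]}'  # constructed input
    sig = sign_image(manifest, "release 1.0")
    print(verify_image(manifest, [sig]))
    print(verify_image(manifest + b" ", [sig]))
    print(verify_image(manifest, []))
```

Because the signature covers the digest rather than the tag, re-pushing different content under tag 1.0 fails the check even though the tag is unchanged.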

Purge Instructions

Purge Instructions for Signature

1. Select the repository iad-dop-lab21-1-ocir-1/oci_demo_imagesign_<userID> containing the signed image on the Container Registry page.

2. Click the name of a signed image and click the Signatures tab to view the list of signatures for the image.

3. Beside the signature, click the three dots on the right to open the Actions menu. Select Delete signature to delete a signature.

Once the signature is deleted, it is no longer visible in the Signatures tab. If the image has no other signatures, the label Signed no longer appears beside the image name in the list of images in the repository.

Purge Instructions for the Image Pushed in the Container Repository
1. Select the image pushed in the repository on the Container Registry page.

2. Click the Actions drop-down list beside the image name and select Delete image.

3. Click Delete to confirm.



Purge Instructions for Container Repository



1. Select the repository to be deleted on the Container Registry page.



2. Click the Actions drop-down list beside the repository name and select Delete Repository.

3. Click Delete to confirm.



Purge Instructions for Auth Token



1. In the top-right corner of the Console, open the Profile menu, and then click User
Settings.

2. On the left menu, click Auth Tokens.

3. For the auth token you want to delete, click the three dots on the right to open the Actions
menu. Select Delete and then click Delete to confirm.



Purge Instructions for Local Docker Image

1. Run the following command to list all the images to get the image ID, image name, and other details:
$ docker images

2. Run the following command to remove the image:
$ docker rmi <your-image-id>
