N26 Using Oracle OCI with Juju

Juju already has knowledge of the OCI cloud (Oracle Cloud Infrastructure), which means adding your Oracle account to Juju is quick and easy.

This guide covers:

  1. Gathering information about your OCI cloud
  2. Adding a credential
  3. Bootstrapping a controller

Understanding and preparing your OCI account

The instructions on this page refer to certain OCI concepts. Familiarise yourself with them by reading Oracle’s Concepts page. The key concepts for us here are “Tenancy”, “Compartment”, and “OCID”.

Your Tenancy can be designed according to how you intend to use your OCI account but there is no hard requirement to perform any configuration changes to it in order to use it with Juju. However, for enterprise rollouts you will most certainly need to do this for both organisational and security reasons.

To organise your Tenancy and its associated compartments read Oracle’s Setting up your Tenancy page.

Oracle’s SDK tools can also be used to manage your OCI account.

1. Gathering information about your OCI cloud

The following bits of information need to be gathered:

SSL keypair and fingerprint

An SSL keypair (private and public keys) needs to be generated on your local system. It will be used to contact Oracle’s API. A “fingerprint” of the private key will be needed to identify that key. The list of Linux-based commands below accomplishes this. For a full explanation of them, in addition to what to do on a non-Linux system, see Oracle’s Required Keys and OCIDs page.

mkdir ~/.oci
openssl genrsa -out ~/.oci/oci_ssl_key_private.pem -aes128 2048
chmod go-rwx ~/.oci/oci_ssl_key_private.pem
openssl rsa -pubout -in ~/.oci/oci_ssl_key_private.pem -out ~/.oci/oci_ssl_key_public.pem
openssl rsa -pubout -outform DER -in ~/.oci/oci_ssl_key_private.pem | openssl md5 -c

The first openssl invocation will create an encrypted private key and will therefore prompt you for a passphrase. You will need this for later. Omit option -aes128 to disable encryption.

The last command will output the fingerprint of the private key.

The private key is now in ~/.oci/oci_ssl_key_private.pem and the public key is in ~/.oci/oci_ssl_key_public.pem.

We’ll later make reference to the private key, the fingerprint, and the passphrase using these variables, respectively:

$SSL_PRIVATE_KEY
$SSL_PRIVATE_KEY_FINGERPRINT
$SSL_PRIVATE_KEY_PASSPHRASE

Oracle Cloud Identifiers (OCIDs)

OCIDs are required for the following objects:

They are all gathered via Oracle’s web Console.

The below instructions for navigating the Oracle web interface assume you are the account administrator. If this is not the case, your experience may differ. In particular, you may need to access information in the top-right corner (look for “User Settings”).

User OCID

The User OCID is found by clicking in the top-left menu and choosing ‘Identity’ and then sub-menu ‘Users’. Here, we’ll assign this value to a variable so we can refer to it later:

OCID_USER=ocid1.user.oc1..aaaaaaaaizcm5ljvk624qa4ue1i8vx043brrs27656sztwqy5twrplckzghq

Tenancy OCID

The Tenancy OCID is found similarly but in the sub-menu ‘Compartments’. Again, we’ll assign this to a variable:

OCID_TENANCY=ocid1.tenancy.oc1..aaaaaaaanoslu5x9e50gvq3mdilr5lzjz4imiwj3ale4s3qyivi5liw6hcia

Compartment OCID

The Compartment OCID is found on the same page:

OCID_COMPARTMENT=ocid1.tenancy.oc1..aaaaaaaanoslu5x9e50gvq3mdilr5lzjz4imiwj3ale4s3qyivi5liw6hcia

In this example, for the Compartment OCID, we decided to use the compartment provided to us by default (the root Compartment). Notice how it’s the same as the Tenancy OCID.

You will need to specify the Compartment OCID during the controller-creation process.

Provide the public SSL key to Oracle

In order for the SSL keypair to be of any use the public key must be placed on the remote end.

Within the ‘Users’ sub-menu, click on the user’s email address, and then on ‘Add Public Key’. Paste in the key generated earlier (stored in file ~/.oci/oci_ssl_key_public.pem) and click the ‘Add’ button.

2. Adding credentials

In order to access Oracle OCI, you will need to add credentials to Juju. This can be done in one of two ways (as shown below):

A. Adding credentials using the interactive method
B. Adding credentials using a YAML file

A. Adding credentials using the interactive method

Once you gathered the information from the previous sessions, credentials can be added interactively with the command juju add-credential oracle.

Due to the private SSL key that needs to be provided this method is not recommended. Use the file method outlined next.

B. Adding credentials using a YAML file

A YAML-formatted file mycreds.yaml, can be used to store credential information for any cloud. The file in this example would be based on the following:

credentials:
  oracle:
    $CREDENTIAL_NAME:
      auth-type: httpsig
      fingerprint: $SSL_PRIVATE_KEY_FINGERPRINT
      key: |
        $SSL_PRIVATE_KEY
      region: $CLOUD_REGION
      pass-phrase: $SSL_PRIVATE_KEY_PASSPHRASE
      tenancy: $OCID_TENANCY
      user: $OCID_USER
  • $SSL_PRIVATE_KEY_PASSPHRASE is placed within double-quotes. If the key was not encrypted just use “”.
  • $CLOUD_REGION is an Oracle region (juju regions oracle).
  • $CREDENTIAL_NAME is an arbitrary label.

See section Adding credentials from a file for guidance on what such a file can look like.

This information is then added to Juju by referencing the file with the add-credential command:

juju add-credential oracle -f mycreds.yaml

Confirm that you’ve added the credential correctly

To view the credentials that Juju knows about, use the credentials command and inspect both remote and locally stored credentials:

juju credentials
juju credentials --local

For more information about credentials, read through the Credentials page.

3. Bootstrap a controller

You are now ready to create a Juju controller for the ‘oracle’ cloud (replace the variable with your own value):

juju bootstrap --config compartment-id=$OCID_COMPARTMENT oracle oracle-controller

Above, the name given to the new controller is ‘oracle-controller’. OCI will provision an instance to run the controller on.

You can optionally change the definition of cloud ‘oracle’ to avoid having to specify the compartment like this. See General cloud management for guidance.

For a detailed explanation and examples of the bootstrap command see the Creating a controller page.