rede5/infracloud
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

docs(nexus): documentação completa do ambiente DEV Nexus (OCI + Terraform)

Browse source 
Cobre: compartments, 3x OKE clusters, node pools, VCN/subnets,
5x Load Balancers, API Gateways, Object Storage, ArgoCD, Observabilidade
e estrutura completa do Terraform (tf_oci_clusters).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Tiago Ribeiro 2026-02-25 13:11:03 -03:00
parent 302e56baef
commit 4ff252b43d
1 changed files with 357 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

357
inventcloud/invista/nexus/OCI-DEV-NEXUS.md Normal file
View file

@ -0,0 +1,357 @@
# OCI — Ambiente DEV Nexus (cmp-dev-nexus)
> **Data:** 2026-02-25 | **Responsável:** Tiago Ribeiro
> **Contexto:** Documentação completa do ambiente DEV Nexus — recursos OCI e Terraform (`tf_oci_clusters`)
---
## 1. Compartments
### Hierarquia
```
invistacloud (root)
└── cmp-top-invista
└── cmp-dev-inv ← compartment pai (local.compartment_id no Terraform)
└── cmp-dev-nexus ← clusters OKE, node pools, LBs
```
| Compartment | OCID | Uso |
|---|---|---|
| `cmp-dev-inv` | `ocid1.compartment.oc1..aaaaaaaa76x3nykkjwvctpr6px34dysu3pbg7p62h2r65fegt7fvbrioll3a` | VCN, API Gateway, Object Storage, Observabilidade |
| `cmp-dev-nexus` | `ocid1.compartment.oc1..aaaaaaaahycc62za6ikthlhauvarvbdixc7xpjjmcrame3cirhu2kz74ddma` | Clusters OKE, Node Pools, Load Balancers |
> **Nota:** O Terraform usa `cmp-dev-inv` como compartment raiz do ambiente (`existing_compartment_id`) e `cmp-dev-nexus` como compartment dos clusters (`cluster_compartment_id_map`).
---
## 2. OKE Clusters
### Clusters Ativos
| # | Cluster | OCID (sufixo) | Versão K8s | Node Pool | Nodes |
|---|---|---|---|---|---|
| 1 | `cls-dev-nexus` | `…cobrewkvc3a` | v1.34.1 | `np-dev-1` | 3x VM.Standard.E4.Flex |
| 2 | `cls-dev-barramento` | `…cifn2eknv6q` | v1.34.1 | `np-dev-2` | 3x VM.Standard.E4.Flex |
| 3 | `cls-dev-observabilidade` | `…crszb62robq` | v1.34.1 | `np-dev-3` | 3x VM.Standard.E4.Flex |
### Configuração dos Node Pools
| Parâmetro | Valor |
|---|---|
| Shape | `VM.Standard.E4.Flex` |
| OCPUs | 2 |
| Memória | 16 GB |
| Nodes por pool | 3 (`node_pool_size_up = 3`) |
| Modo de escala | `up` (escala zero: `node_pool_size_down = 0`) |
| Autoscaler | Desabilitado |
| Pods CIDR | `10.244.0.0/16` |
| Services CIDR | `10.96.0.0/16` |
### Worker Nodes (Compute Instances)
| Instância | Cluster | Shape | Estado |
|---|---|---|---|
| `oke-cifn2eknv6q-*` (x3) | cls-dev-barramento | VM.Standard.E4.Flex | RUNNING |
| `oke-cobrewkvc3a-*` (x3) | cls-dev-nexus | VM.Standard.E4.Flex | RUNNING |
| `oke-crszb62robq-*` (x3) | cls-dev-observabilidade | VM.Standard.E4.Flex | RUNNING |
### Kubeconfig
Os kubeconfigs são gerados automaticamente pelo Terraform via `null_resource.kubeconfig`:
```
~/.kube/config-dev-1 → cls-dev-nexus
~/.kube/config-dev-2 → cls-dev-barramento
~/.kube/config-dev-3 → cls-dev-observabilidade
```
Gerar manualmente:
```bash
oci ce cluster create-kubeconfig \
--cluster-id <CLUSTER_OCID> \
--file ~/.kube/config-dev-<N> \
--token-version 2.0.0
```
---
## 3. Rede
### VCN
| VCN | CIDR | Compartment | Gerenciada por |
|---|---|---|---|
| `vcn-oke` | `10.110.0.0/16` | `cmp-dev-inv` / OKE > DEV | Terraform (`tf_oci_clusters`) |
| `VCN-DEV` | `10.6.0.0/16` | `cmp-dev-inv` | Manual |
### Subnets `vcn-oke` (10.110.0.0/16)
| Subnet | CIDR | Tipo | Uso |
|---|---|---|---|
| `sbn-workers-1` | `10.110.0.0/20` | Pública | OKE worker nodes |
| `sbn-workers-2` | `10.110.16.0/20` | Pública | OKE worker nodes |
| `sbn-workers-3` | `10.110.32.0/20` | Pública | OKE worker nodes |
| `sbn-lb-1` | `10.110.128.0/20` | Pública | Load Balancers OKE + API Gateway MFE |
| `sbn-lb-2` | `10.110.144.0/20` | Pública | Load Balancers OKE |
| `sbn-api-gateway` | `10.110.192.0/20` | **Privada** | Criada pelo Terraform (disponível — não usada atualmente) |
### Gateways de Rede
| Gateway | Tipo | Uso |
|---|---|---|
| `igw-oke` | Internet Gateway | Egress público para workers e LBs |
| `nat-oke` | NAT Gateway | Egress privado para `sbn-api-gateway` |
| `sgw-oke` | Service Gateway | Acesso a serviços OCI (Object Storage, etc.) |
| DRG | Dynamic Routing Gateway | Cross-VCN: `vcn-oke``VCN-DEV` |
---
## 4. Load Balancers
Todos os LBs são criados e gerenciados pelo OKE (via Services do tipo LoadBalancer no Kubernetes):
| Display Name (ID OKE) | IP | Shape | Cluster | Criado em |
|---|---|---|---|---|
| `35adee2d-…` | `10.110.133.131` | 100Mbps | cls-dev-barramento | 2026-01-26 |
| `b8344bb7-…` | `10.110.135.3` | 100Mbps | cls-dev-nexus | 2026-01-26 |
| `bc0548de-…` | `10.110.129.64` | 100Mbps | cls-dev-observabilidade | 2026-01-26 |
| `177c06f0-…` | `10.110.143.54` | 100Mbps | cls-dev-nexus | 2026-01-29 |
| `029cfee6-…` | `137.131.236.202` *(público)* | 100Mbps | cls-dev-nexus | 2026-02-09 |
> Os IPs privados (`10.110.x`) estão na subnet `sbn-lb-1` ou `sbn-lb-2`.
> O único IP público (`137.131.236.202`) pertence a um Service exposto externamente no `cls-dev-nexus`.
---
## 5. API Gateways
### `api-gateway-mfe-dev` — Terraform-managed
| Campo | Valor |
|---|---|
| Nome | `api-gateway-mfe-dev` |
| Compartment | `cmp-dev-inv` |
| Tipo | PUBLIC |
| Subnet | `sbn-lb-1` (10.110.128.0/20) — vcn-oke |
| Gerenciado por | Terraform (`modules/api_gateway_mfe`) |
| Hostname | `guhal72tzyekzchzamhhi3lvgi.apigateway.sa-saopaulo-1.oci.customer-oci.com` |
**Deployments configurados:**
| MFE | Bucket | Path | Backend |
|---|---|---|---|
| `mfe-user` | `mfe-user-dev` | `/{path*}` | Object Storage `grbb7qzeuoag` |
| `mfe-user` | `mfe-user-dev` | `/` (fallback SPA) | `index.html` no bucket |
### `api-gateway-nexus-dev` — Manual
| Campo | Valor |
|---|---|
| Nome | `api-gateway-nexus-dev` |
| Compartment | `cmp-dev-inv` |
| Subnet | `SBNT-DEV` (10.6.0.0/24) — VCN-DEV |
| Gerenciado por | Manual |
| Conectividade OKE | Via DRG (cross-VCN: VCN-DEV ↔ vcn-oke) |
> **Pendência:** Migrar `api-gateway-nexus-dev` para `sbn-api-gateway` na `vcn-oke` (ver `OCI-NETWORK-ANALYSIS.md` — Opção A).
---
## 6. Object Storage
### Buckets em `cmp-dev-nexus`
| Bucket | Uso | Criado em |
|---|---|---|
| `invista-inventcloud-bucket3` | Uso geral | 2026-02-06 |
| `tfstate-gqysee` | Terraform remote state | 2025-12-30 |
| `tfstate-inidhr` | Terraform remote state | 2025-12-30 |
| `tfstate-terraform` | Terraform remote state | 2025-12-30 |
### Buckets em `cmp-dev-inv`
| Bucket | Uso | Criado em |
|---|---|---|
| `mfe-shell-dev` | MFE Shell (frontend) | 2026-02-24 |
> **Namespace do Object Storage:** `grbb7qzeuoag`
---
## 7. ArgoCD
ArgoCD instalado em todos os 3 clusters via Helm pelo Terraform:
| Parâmetro | Valor |
|---|---|
| Chart Version | `7.3.0` (argo/argo-cd) |
| Namespace | `argocd` |
| LB tipo | Interno (annotation `oci-load-balancer-internal=true`) |
| OIDC | OCI IDCS (integrado via outputs do módulo `identity`) |
**URLs internas (somente acesso via VCN):**
| Cluster | URL |
|---|---|
| `cls-dev-nexus` (1) | `https://argocd.dev-01.interno.invista.com.br` |
| `cls-dev-barramento` (2) | `https://argocd.dev-02.interno.invista.com.br` |
| `cls-dev-observabilidade` (3) | `https://argocd.dev-03.interno.invista.com.br` |
**RBAC OCI IDCS:**
| Grupo OCI | Role ArgoCD |
|---|---|
| `invista-oke-admin` | `admin` |
| `invista-oke-dev` | `readonly` |
| `invista-oke-readonly` | `readonly` |
---
## 8. Observabilidade
Gerenciada pelo módulo `modules/observability` em `cmp-dev-inv`:
| Recurso | Tipo | Configuração |
|---|---|---|
| Alarmes OCI Monitoring | `oci_computeagent` | CPU > 90% (PT10M) → CRITICAL; CPU > 75% (PT15M) → WARNING |
| Log Group | OCI Logging | — |
| Dashboard | OCI Management Dashboard | Import de `dashboards/oke-observability-import.json` |
---
## 9. Terraform — `tf_oci_clusters`
### Repositório
| Campo | Valor |
|---|---|
| Organização | Azure DevOps — CN-Squad |
| Projeto | Invista FIDC - Nexus |
| Repositório | `tf_oci_clusters` |
| Pipeline | `terraform-tf_oci_clusters` (ID 51) |
| Variable Group | `oci-terraform` (ID 34) |
| Backend | Object Storage OCI (S3-compatible) — bucket `tfstate-*` em `cmp-dev-nexus` |
### Estrutura de Arquivos
```
tf_oci_clusters/
├── environments/
│ ├── dev/
│ │ ├── main.tf # Clusters, rede, bastion, observabilidade
│ │ ├── api_gateway_mfe.tf # API Gateway MFE + deployments
│ │ ├── argocd.tf # ArgoCD Helm install + kubeconfig
│ │ ├── backend.tf # Remote state config
│ │ ├── providers.tf # OCI provider
│ │ ├── variables.tf # Todas as variáveis
│ │ └── terraform.ci.tfvars # Valores do ambiente DEV (pipeline CI)
│ ├── hml/ # Ambiente HML (estrutura similar)
│ └── prod/ # Ambiente PROD (estrutura similar)
├── modules/
│ ├── oke_cluster/ # OKE cluster + node pool
│ │ ├── main.tf # oci_containerengine_cluster + node_pool
│ │ └── variables.tf
│ ├── network/ # VCN, subnets, gateways, route tables, security lists
│ │ ├── main.tf
│ │ └── variables.tf
│ ├── api_gateway_mfe/ # API Gateway PUBLIC para MFEs estáticos
│ │ ├── main.tf # oci_apigateway_gateway + deployments por MFE
│ │ └── variables.tf
│ ├── compartment/ # Criação de compartment
│ ├── observability/ # ONS + OCI Logging + Alarms + Dashboards
│ └── iam_service_accounts/ # IAM para service accounts
├── compartments/ # Gerenciamento top-level de compartments
├── dns/ # DNS OCI
├── iam/ # IAM policies
├── identity/ # OIDC / IDCS (usado pelo ArgoCD)
├── argocd/
│ ├── values.yaml # Helm values do ArgoCD
│ └── application-dev.yaml # ArgoCD Application manifest (GitOps)
└── dashboards/
└── oke-observability-import.json
```
### terraform.ci.tfvars DEV — Valores Principais
```hcl
env_name = "dev"
create_compartment = false
create_cluster_compartment = false # removido manualmente 2026-02-25
existing_compartment_id = "ocid1.compartment.oc1..aaaaaaaa76x3nykkjwvctpr6px34dysu3pbg7p62h2r65fegt7fvbrioll3a" # cmp-dev-inv
cluster_compartment_id_map = {
"1" = "ocid1.compartment.oc1..aaaaaaaahycc62za6ikthlhauvarvbdixc7xpjjmcrame3cirhu2kz74ddma" # cmp-dev-nexus
"2" = "ocid1.compartment.oc1..aaaaaaaahycc62za6ikthlhauvarvbdixc7xpjjmcrame3cirhu2kz74ddma"
"3" = "ocid1.compartment.oc1..aaaaaaaahycc62za6ikthlhauvarvbdixc7xpjjmcrame3cirhu2kz74ddma"
}
kubernetes_version = "v1.34.1"
node_shape = "VM.Standard.E4.Flex"
ocpus = 2
memory_in_gbs = 16
vcn_cidr = "10.110.0.0/16"
scale_mode = "up"
node_pool_size_up = 3
node_pool_size_down = 0
enable_bastion = true
admin_cidr = "187.65.249.125/32"
enable_api_gateway_mfe = true
```
### Pipeline CI/CD
```
Push to main (tf_oci_clusters)
→ Bootstrap (init + validate)
→ Detect Changes (diff por environment)
→ Plan (terraform plan -var-file=terraform.ci.tfvars)
→ Aprovação Manual
→ Apply (terraform apply)
```
---
## 10. Fluxo de Dependências
```
tf_oci_clusters (pipeline ID 51)
├── module.network → VCN vcn-oke (10.110.0.0/16)
│ └── subnets, IGW, NAT, SGW, route tables, security lists
├── module.cluster[1,2,3] → cls-dev-nexus / cls-dev-barramento / cls-dev-observabilidade
│ └── node_pool → np-dev-1/2/3 (VM.Standard.E4.Flex 2cpu/16gb x3)
├── module.api_gateway_mfe → api-gateway-mfe-dev (PUBLIC, sbn-lb-1)
│ └── deployment mfe-user → bucket mfe-user-dev
├── null_resource.kubeconfig → ~/.kube/config-dev-{1,2,3}
├── null_resource.argocd_setup → ArgoCD v7.3.0 em cada cluster
└── module.observability → Alarms + Log Group + Dashboards
```
---
## Referências
| Recurso | OCID / URL |
|---|---|
| Compartment `cmp-dev-nexus` | `ocid1.compartment.oc1..aaaaaaaahycc62za6ikthlhauvarvbdixc7xpjjmcrame3cirhu2kz74ddma` |
| Compartment `cmp-dev-inv` | `ocid1.compartment.oc1..aaaaaaaa76x3nykkjwvctpr6px34dysu3pbg7p62h2r65fegt7fvbrioll3a` |
| VCN `vcn-oke` | `ocid1.vcn.oc1.sa-saopaulo-1.amaaaaaasks3yliapqrmikfzagpgqohuzjqik3hx63w7r2uajiqv5krvxkda` |
| VCN `VCN-DEV` | `ocid1.vcn.oc1.sa-saopaulo-1.amaaaaaasks3yliatoq6uvqqak3kax775ksd2jastvgsbiki7mgj6jzue6dq` |
| API Gateway MFE hostname | `guhal72tzyekzchzamhhi3lvgi.apigateway.sa-saopaulo-1.oci.customer-oci.com` |
| Repo Terraform | Azure DevOps — CN-Squad / Invista FIDC - Nexus / tf_oci_clusters |
| Região | `sa-saopaulo-1` |
| Object Storage Namespace | `grbb7qzeuoag` |
---
*Atualizado em: 2026-02-25*