This repo is split into:
- app/: Python FastAPI "Hello" service containerized for OKE
- infrastructure/: Terraform for VCN, OKE (virtual nodes), DevOps build/deploy, API Gateway
- skill/: Codex skill for dev/test deploys
- OCI account with permissions to create: VCN, OKE, DevOps, OCIR, API Gateway
- Terraform >= 1.6
- Docker (for local build testing)
- kubectl and oci CLI (optional but recommended)
- Local config file at ~/.oci/config and a DEFAULT profile
- Or set env vars used by the OCI provider
- Create a tfvars file from the example:
cp infrastructure/terraform.tfvars.example infrastructure/terraform.tfvars
- Fill in required values:
# infrastructure/terraform.tfvars
compartment_id = "<COMPARTMENT_OCID>"
tenancy_ocid = "<TENANCY_OCID>"
region = "<REGION_IDENTIFIER>"
If your OCIR host is not ${region}.ocir.io, set it explicitly:
ocir_registry_host = "<OCIR_REGISTRY_HOST>"
- Init and apply:
cd infrastructure
terraform init
terraform apply
- Capture outputs (repo URLs, pipeline IDs, cluster ID, etc.).
- Get the repo URL from Terraform outputs:
terraform output devops_repository_http_url
- Add it as a remote and push:
git remote add oci <DEVOPS_REPO_URL>
git push oci main
- Create an OCI auth token and set build parameters:
  - REGISTRY_USERNAME: <tenancy-namespace>/<oci-username> (for identity domains, oracleidentitycloudservice/<user> is often required)
  - REGISTRY_AUTH_TOKEN: the auth token value
- In OCI DevOps, run the build pipeline (codex-oke-build).
- The build will push an image to OCIR and trigger the deploy pipeline.
- Deploy stage uses the Kubernetes manifest in app/deploy/manifest.yaml.
You need an OCIR auth token for both local Docker login and the Kubernetes pull secret. Create an auth token in the OCI Console (User Profile → Auth Tokens).
Login to OCIR locally:
docker login <OCIR_REGISTRY_HOST> -u "<tenancy-namespace>/<oci-username>"
Create the pull secret in the namespace:
kubectl -n hello create secret docker-registry ocir-pull \
--docker-server=<OCIR_REGISTRY_HOST> \
--docker-username='<tenancy-namespace>/<oci-username>' \
--docker-password='<auth-token>' \
--docker-email='you@example.com'
Repeat the secret creation for the dev namespace:
kubectl -n hello-dev create secret docker-registry ocir-pull \
--docker-server=<OCIR_REGISTRY_HOST> \
--docker-username='<tenancy-namespace>/<oci-username>' \
--docker-password='<auth-token>' \
--docker-email='you@example.com'
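The two kubectl commands above pass the auth token in --docker-password, which leaves it in shell history and in the process list while kubectl runs. The following is an added example, not part of this repo, that creates the same ocir-pull secret in hello and hello-dev with the token read from a prompt and sent to kubectl on stdin; the function names are hypothetical.

```sh
#!/bin/sh
# Added example, not from this repo. Assumes kubectl targets the OKE cluster.

# Print the .dockerconfigjson body for one registry. The token is read from
# stdin so it never appears in argv (process list) or shell history.
ocir_dockerconfig() (
  host=$1 user=$2
  IFS= read -r token || true
  [ -n "$token" ] || { echo "empty auth token" >&2; exit 1; }
  auth=$(printf '%s:%s' "$user" "$token" | base64 | tr -d '\n')
  printf '{"auths":{"%s":{"auth":"%s"}}}' "$host" "$auth"
)

# Wrap that document in a Secret manifest named ocir-pull for namespace $1.
# Secret data values are base64 of the raw content, hence the second encode.
pull_secret_manifest() (
  ns=$1 host=$2 user=$3
  json=$(ocir_dockerconfig "$host" "$user") || exit 1
  cfg=$(printf '%s' "$json" | base64 | tr -d '\n')
  printf '{"apiVersion":"v1","kind":"Secret","type":"kubernetes.io/dockerconfigjson",'
  printf '"metadata":{"name":"ocir-pull","namespace":"%s"},' "$ns"
  printf '"data":{".dockerconfigjson":"%s"}}\n' "$cfg"
)

# Prompt once with terminal echo off, then apply to both namespaces.
apply_pull_secrets() (
  host=$1 user=$2
  trap 'stty echo' EXIT INT
  printf 'OCIR auth token: ' >&2
  stty -echo; IFS= read -r token; stty echo; echo >&2
  for ns in hello hello-dev; do
    # printf is a shell builtin, so the token is not exposed as a process argument.
    printf '%s\n' "$token" | pull_secret_manifest "$ns" "$host" "$user" |
      kubectl apply -f - || exit 1
  done
)

# Usage:
#   apply_pull_secrets "<OCIR_REGISTRY_HOST>" "<tenancy-namespace>/<oci-username>"
```

docker login accepts the token the same way through its --password-stdin flag.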
Use the oke-dev-deploy skill script to build, push, and deploy to hello-dev:
OCI_NAMESPACE="<OCI_NAMESPACE>" \
OCIR_REGISTRY_HOST="<OCIR_REGISTRY_HOST>" \
IMAGE_TAG="dev" \
K8S_NAMESPACE="hello-dev" \
skill/oke-dev-deploy/scripts/deploy_dev.sh
- Skill source lives in skill/oke-dev-deploy/
- The skill is installed into Codex by copying it to $CODEX_HOME/skills/oke-dev-deploy
- The deploy command is a local script (skill/oke-dev-deploy/scripts/deploy_dev.sh) that builds, tags, pushes, and applies the manifest to hello-dev
Resources:
- OpenAI Codex
- OCI DevOps pipelines
- After deployment, get the Service private LB IP:
kubectl get svc -n hello
- Update Terraform with the LB private IP:
# infrastructure/terraform.tfvars
lb_private_ip = "<PRIVATE_LB_IP>"
- Re-apply only API Gateway:
terraform apply -target=oci_apigateway_deployment.hello
- Call the endpoint:
https://<API_GATEWAY_HOSTNAME>/hello
- After deploying to hello-dev, get the dev Service private LB IP:
kubectl get svc -n hello-dev
- Set it in Terraform:
# infrastructure/terraform.tfvars
lb_private_ip_dev = "<DEV_PRIVATE_LB_IP>"
- Apply the API Gateway deployment (same gateway, additional route):
terraform apply -target=oci_apigateway_deployment.hello
- Call the dev endpoint:
https://<API_GATEWAY_HOSTNAME>/hello-dev
- OKE version defaults to latest in region unless overridden via kubernetes_version.
- Virtual node shape defaults to Pod.Standard.E4.Flex and pool size to 1. Override as needed.