alan-turing-institute · jakewatson-bristol · Sep 5, 2025 · Sep 8, 2025 · Sep 8, 2025 · Sep 8, 2025
diff --git a/infra/fridge/Pulumi.yaml b/infra/fridge/Pulumi.yaml
@@ -3,8 +3,8 @@ description: FRIDGE deployment on K8s
 runtime:
   name: python
   options:
-    toolchain: pip
-    virtualenv: venv
+    toolchain: uv
+    virtualenv: ../../.venv
 config:
   argo_scopes:
     type: array
@@ -29,6 +29,19 @@ config:
     default: ""
     type: string
     description: Azure Subscription ID for the FRIDGE deployment - use a dummy value when not deploying to AKS
+  oracle_kms_key_id:
+    default: ""
+    type: string
+    description: Oracle KMS Key OCID - use a dummy value when not deploying to OKE
+    secret: true
+  oracle_region:
+    default: ""
+    type: string
+    description: Oracle Cloud region - use a dummy value when not deploying to OKE
+  oracle_ffs_volume_subnet_id:
+    default: ""
+    type: string
+    description: Oracle Cloud File Storage Service subnet OCID - use a dummy value when not deploying to OKE
   fridge_api_admin:
     type: string
     description: Admin username for the FRIDGE API

diff --git a/infra/fridge/__main__.py b/infra/fridge/__main__.py
@@ -1,6 +1,6 @@
 import pulumi
 
-from pulumi import ResourceOptions
+from pulumi import ResourceOptions, Output
 from pulumi_kubernetes.batch.v1 import CronJobPatch, CronJobSpecPatchArgs
 from pulumi_kubernetes.core.v1 import NamespacePatch
 from pulumi_kubernetes.meta.v1 import ObjectMetaPatchArgs
@@ -92,6 +92,21 @@ def patch_namespace(name: str, pss: PodSecurityStandard) -> NamespacePatch:
             if k8s_environment is K8sEnvironment.AKS
             else None
         ),
+        oracle_kms_key_id=(
+            config.require("oracle_kms_key_id")
+            if k8s_environment is K8sEnvironment.OKE
+            else None
+        ),
+        oracle_region=(
+            config.require("oracle_region")
+            if k8s_environment is K8sEnvironment.OKE
+            else None
+        ),
+        oracle_ffs_volume_subnet_id=(
+            config.require("oracle_ffs_volume_subnet_id")
+            if k8s_environment is K8sEnvironment.OKE
+            else None
+        ),
     ),
 )
 
@@ -118,7 +133,7 @@ def patch_namespace(name: str, pss: PodSecurityStandard) -> NamespacePatch:
 )
 
 # Argo Workflows
-enable_sso = k8s_environment is not K8sEnvironment.K3S
+enable_sso = k8s_environment is not K8sEnvironment.K3S and k8s_environment is not K8sEnvironment.OKE
 
 argo_workflows = components.WorkflowServer(
     "argo-workflows",
@@ -192,14 +207,15 @@ def patch_namespace(name: str, pss: PodSecurityStandard) -> NamespacePatch:
     minio,
     storage_classes,
 ]
-
+"""
 network_policies = components.NetworkPolicies(
     name=f"{stack_name}-network-policies",
     k8s_environment=k8s_environment,
     opts=ResourceOptions(
         depends_on=resources,
     ),
 )
+"""
 
 # Pulumi exports
 pulumi.export("argo_fqdn", argo_workflows.argo_fqdn)

diff --git a/infra/fridge/components/cert_manager.py b/infra/fridge/components/cert_manager.py
@@ -2,7 +2,7 @@
 
 from pulumi import ComponentResource, ResourceOptions
 from pulumi_kubernetes.apiextensions import CustomResource
-from pulumi_kubernetes.core.v1 import Namespace
+from pulumi_kubernetes.core.v1 import Namespace, Service
 from pulumi_kubernetes.helm.v3 import Release
 from pulumi_kubernetes.helm.v4 import Chart, RepositoryOptsArgs
 from pulumi_kubernetes.meta.v1 import ObjectMetaArgs
@@ -70,6 +70,12 @@ def __init__(
                 cert_manager_ns = Namespace.get("cert-manager-ns", "cert-manager")
                 cert_manager = Release.get("cert-manager", "cert-manager")
 
+            case K8sEnvironment.OKE:
+                # OKE specific configuration
+                cert_manager_ns = Namespace.get("cert-manager-ns", "cert-manager")
+                cert_manager = Service.get("cert-manager", "cert-manager/cert-manager")
+
+
         # Create ClusterIssuers
         issuer_outputs = {}
         # if we're using TLS development use a self-signed issuer for the certificate

diff --git a/infra/fridge/components/ingress.py b/infra/fridge/components/ingress.py
@@ -54,6 +54,83 @@ def __init__(
                         child_opts, ResourceOptions(depends_on=ingress_nginx_ns)
                     ),
                 )
+
+            case K8sEnvironment.OKE:
+
+                # Ingress NGINX (ingress provider)
+                ingress_nginx_ns = Namespace(
+                    "ingress-nginx-ns",
+                    metadata=ObjectMetaArgs(
+                        name="ingress-nginx",
+                        labels={} | PodSecurityStandard.RESTRICTED.value,
+                    ),
+                )
+
+                ingress_nginx = Release(
+                    "ingress-nginx",
+                    args=ReleaseArgs(
+                        chart="ingress-nginx",
+                        version="4.13.2",
+                        skip_crds=False,
+                        repository_opts={
+                            "repo": "https://kubernetes.github.io/ingress-nginx"
+                        },
+                        namespace=ingress_nginx_ns.metadata.name,
+                        create_namespace=False,
+                        replace=True,
+                        values={
+                            "controller": {
+                                "admissionWebhooks": {"enabled": False},
+                                "service": {
+                                    "externalTrafficPolicy": "Local",
+                                    "annotations": {
+                                        "oci.oraclecloud.com/load-balancer-type": "lb",
+                                        "service.beta.kubernetes.io/oci-load-balancer-internal": "true",
+                                        "trigger": "reload1",
+                                    },
+                                },
+                            },
+                        },
+                    ),
+                    opts=ResourceOptions.merge(
+                        child_opts, ResourceOptions(depends_on=[ingress_nginx_ns])
+                    )
+                )
+                # ingress_nginx_ns = Namespace(
+                #     "ingress-nginx-ns",
+                #     metadata=ObjectMetaArgs(
+                #         name="ingress-nginx",
+                #         labels={} | PodSecurityStandard.RESTRICTED.value,
+                #     ),
+                #     opts=child_opts,
+                # )
+
+                # ingress_nginx = Release(
+                #     "ingress-nginx",
+                #     ReleaseArgs(
+                #         chart="ingress-nginx",
+                #         version="4.13.2",
+                #         repository_opts={
+                #             "repo": "https://kubernetes.github.io/ingress-nginx"
+                #         },
+                #         namespace=ingress_nginx_ns.metadata.name,
+                #         create_namespace=False,
+                #         values={
+                #             "controller": {
+                #                 "nodeSelector": {"kubernetes.io/os": "linux"},
+                #                 "service": {
+                #                     "externalTrafficPolicy": "Local",
+                #                     "annotations": {
+                #                         "oci.oraclecloud.com/load-balancer-type": "lb"
+                #                     },
+                #                 },
+                #             }
+                #         },
+                #     ),
+                #     opts=ResourceOptions.merge(
+                #         child_opts, ResourceOptions(depends_on=ingress_nginx_ns)
+                #     ),
+                # )
             case K8sEnvironment.DAWN:
                 # Dawn specific configuration
                 ingress_nginx_ns = Namespace.get("ingress-nginx-ns", "ingress-nginx")

diff --git a/infra/fridge/components/object_storage.py b/infra/fridge/components/object_storage.py
@@ -184,6 +184,9 @@ def __init__(
                 annotations={
                     "nginx.ingress.kubernetes.io/proxy-body-size": "0",
                     "nginx.ingress.kubernetes.io/force-ssl-redirect": "true",
+                    "nginx.ingress.kubernetes.io/proxy-read-timeout": "360",
+                    "nginx.ingress.kubernetes.io/proxy-send-timeout": "360",
+                    "nginx.org/websocket-services": "[argo-artifacts-console]",
                     "cert-manager.io/cluster-issuer": tls_issuer_names[
                         args.tls_environment
                     ],

diff --git a/infra/fridge/components/storage_classes.py b/infra/fridge/components/storage_classes.py
@@ -1,9 +1,9 @@
 from pulumi import ComponentResource, ResourceOptions
 from pulumi_kubernetes.core.v1 import Namespace
-from pulumi_kubernetes.meta.v1 import ObjectMetaArgs
+from pulumi_kubernetes.meta.v1 import ObjectMetaArgs, ObjectMetaPatchArgs
 from pulumi_kubernetes.helm.v3 import Release
 from pulumi_kubernetes.helm.v4 import RepositoryOptsArgs
-from pulumi_kubernetes.storage.v1 import StorageClass
+from pulumi_kubernetes.storage.v1 import StorageClass, CSIDriverPatch, CSIDriverSpecPatchArgs
 
 from enums import K8sEnvironment, PodSecurityStandard
 
@@ -17,11 +17,17 @@ def __init__(
         azure_disk_encryption_set: str | None = None,
         azure_resource_group: str | None = None,
         azure_subscription_id: str | None = None,
+        oracle_kms_key_id: str | None = None,
+        oracle_region: str | None = None,
+        oracle_ffs_volume_subnet_id: str | None = None,
     ) -> None:
         self.k8s_environment = k8s_environment
         self.azure_disk_encryption_set = azure_disk_encryption_set
         self.azure_resource_group = azure_resource_group
         self.azure_subscription_id = azure_subscription_id
+        self.oracle_kms_key_id = oracle_kms_key_id
+        self.oracle_region = oracle_region
+        self.oracle_ffs_volume_subnet_id = oracle_ffs_volume_subnet_id
 
 
 class StorageClasses(ComponentResource):
@@ -111,6 +117,41 @@ def __init__(
                     ),
                 )
 
+                standard_storage_name = storage_class.metadata.name
+                standard_supports_rwm = True
+            case K8sEnvironment.OKE:
+                # Patch the OCI CSI Driver to set the fsGroupPolicy to "File", which is required for ReadWriteMany support
+                # fixes issues with pods not starting due to permission issues
+                # oci_drive_patch = CSIDriverPatch(
+                #     "oci-csi-driver-patch",
+                #     metadata=ObjectMetaPatchArgs(name="fss.csi.oraclecloud.com"),
+                #     spec=CSIDriverSpecPatchArgs(
+                #         fs_group_policy="file",
+                #     ),
+                #     opts=child_opts,
+                # )
+                storage_class = StorageClass(
+                    "fridge_storage_class",
+                    allow_volume_expansion=True,
+                    metadata=ObjectMetaArgs(
+                        name=STORAGE_CLASS_NAME,
+                        annotations={
+                            "storageclass.kubernetes.io/is-default-class": "true"
+                        },
+                    ),
+                    parameters={
+                        #"attachment-type": "paravirtualized",
+                        #"kms-key-id": args.oracle_kms_key_id,
+                        **({"availabilityDomain": f"{args.oracle_region}-AD-1"} if args.oracle_region else {}),
+                        **({"kmsKeyOcid": args.oracle_kms_key_id} if args.oracle_kms_key_id else {}),
+                        **({"mountTargetOcid": args.oracle_ffs_volume_subnet_id} if args.oracle_ffs_volume_subnet_id else {}),
+                    },
+                    provisioner="fss.csi.oraclecloud.com",
+                    reclaim_policy="Delete",
+                    volume_binding_mode="Immediate",
+                    opts=child_opts,
+                )
+
                 standard_storage_name = storage_class.metadata.name
                 standard_supports_rwm = True
             case K8sEnvironment.K3S:

diff --git a/infra/fridge/enums/__init__.py b/infra/fridge/enums/__init__.py
@@ -6,7 +6,7 @@ class K8sEnvironment(Enum):
     AKS = "AKS"
     DAWN = "Dawn"
     K3S = "K3s"
-
+    OKE = "OKE"
 
 @unique
 class PodSecurityStandard(Enum):

diff --git a/infra/fridge/requirements.txt b/infra/fridge/requirements.txt
@@ -1,3 +1,4 @@
 pulumi-azuread~=6.0
 pulumi-kubernetes~=4.0
 pulumi~=3.0
+requests[socks]~=2.0