doitintl · kdeng · Jun 11, 2025 · Jun 11, 2025 · Jun 12, 2025 · Jun 12, 2025
diff --git a/cdk.context.json b/cdk.context.json
@@ -1,86 +1,5 @@
 {
-  "availability-zones:account=905418347382:region=ca-central-1": [
-    "ca-central-1a",
-    "ca-central-1b",
-    "ca-central-1d"
-  ],
-  "ami:account=905418347382:filters.image-type.0=machine:filters.name.0=fck-nat-al2023-*-arm64-ebs:filters.state.0=available:owners.0=568608671756:region=ca-central-1": "ami-045d3a84706b8feeb",
-  "key-provider:account=905418347382:aliasName=alias/eks/lower-envs:region=ca-central-1": {
-    "keyId": "2c710e12-cad3-42f5-a92f-e7d7980aebea"
-  },
   "acknowledged-issue-numbers": [
     32775
-  ],
-  "availability-zones:account=092464092456:region=ca-central-1": [
-    "ca-central-1a",
-    "ca-central-1b",
-    "ca-central-1d"
-  ],
-  "ami:account=092464092456:filters.image-type.0=machine:filters.name.0=fck-nat-al2023-*-arm64-ebs:filters.state.0=available:owners.0=568608671756:region=ca-central-1": "ami-045d3a84706b8feeb",
-  "availability-zones:account=092464092456:region=ap-southeast-2": [
-    "ap-southeast-2a",
-    "ap-southeast-2b",
-    "ap-southeast-2c",
-    "ap-southeast-2-akl-1a"
-  ],
-  "ami:account=092464092456:filters.image-type.0=machine:filters.name.0=fck-nat-al2023-*-arm64-ebs:filters.state.0=available:owners.0=568608671756:region=ap-southeast-2": "ami-0799b4d92d35edd4a",
-  "vpc-provider:account=092464092456:filter.isDefault=false:filter.tag:Name=lower-envs-vpc:filter.vpc-id=vpc-0b0a49daf937ebd4e:region=ap-southeast-2:returnAsymmetricSubnets=true": {
-    "vpcId": "vpc-0b0a49daf937ebd4e",
-    "vpcCidrBlock": "10.99.0.0/16",
-    "ownerAccountId": "092464092456",
-    "availabilityZones": [],
-    "subnetGroups": [
-      {
-        "name": "Public",
-        "type": "Public",
-        "subnets": [
-          {
-            "subnetId": "subnet-086ef6db7aa03a0c8",
-            "cidr": "10.99.0.0/23",
-            "availabilityZone": "ap-southeast-2a",
-            "routeTableId": "rtb-0ff297699d4ac7ad7"
-          },
-          {
-            "subnetId": "subnet-0aa59909b88944cae",
-            "cidr": "10.99.2.0/23",
-            "availabilityZone": "ap-southeast-2b",
-            "routeTableId": "rtb-006b3e4abc859c868"
-          },
-          {
-            "subnetId": "subnet-0dd9405e4884934d9",
-            "cidr": "10.99.4.0/23",
-            "availabilityZone": "ap-southeast-2c",
-            "routeTableId": "rtb-098ce61b7fa0c7c14"
-          }
-        ]
-      },
-      {
-        "name": "Private",
-        "type": "Private",
-        "subnets": [
-          {
-            "subnetId": "subnet-0c1bbe1320a8d4d4f",
-            "cidr": "10.99.32.0/19",
-            "availabilityZone": "ap-southeast-2a",
-            "routeTableId": "rtb-039cbceea7f95d542"
-          },
-          {
-            "subnetId": "subnet-048c00d9bab4574e1",
-            "cidr": "10.99.64.0/19",
-            "availabilityZone": "ap-southeast-2b",
-            "routeTableId": "rtb-09947c85e71d96615"
-          },
-          {
-            "subnetId": "subnet-0835a3d4741890dfa",
-            "cidr": "10.99.96.0/19",
-            "availabilityZone": "ap-southeast-2c",
-            "routeTableId": "rtb-0f3be7c4448dcd376"
-          }
-        ]
-      }
-    ]
-  },
-  "key-provider:account=092464092456:aliasName=alias/eks/lower-envs:region=ap-southeast-2": {
-    "keyId": "53d98ec6-3051-46b6-a9c6-bd1e4dbf8904"
-  }
+  ]
 }
diff --git a/config/eks/dev_eks_config.ts b/config/eks/dev_eks_config.ts
@@ -3,7 +3,7 @@ import * as cdk from 'aws-cdk-lib';
 import * as eks from 'aws-cdk-lib/aws-eks'
 import {
   Apply_Podinfo_Helm_Chart,
-  Apply_Podinfo_Ingress_YAML,
+  Apply_Podinfo_Http_Ingress_YAML,
   Podinfo_Helm_Config,
   Podinfo_Http_Ingress_Yaml_Generator,
   Podinfo_Https_Ingress_Yaml_Generator,
@@ -28,8 +28,76 @@ export function deploy_dependencies(config: Easy_EKS_Config_Data, stack: cdk.Sta
 ////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
 ////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
 
-export function deploy_workload_dependencies(config: Easy_EKS_Config_Data, stack: cdk.Stack, cluster: eks.Cluster) {
-
+export function deploy_workload_dependencies(config: Easy_EKS_Config_Data, stack: cdk.Stack, cluster: eks.Cluster){
+    // This is an example of a workload that uses a PersistentVolumeClaim with a storage class that is encrypted
+    // with AWS KMS key.
+    // IMPORTANT: if the cdk insfrastructure is destroyed it will leave the volume orphans, and they will 
+    // need to be manually deleted.
+    let name="test-claim-gp3";
+    let size="10Gi";
+    const volume_claim_gp3 = {
+        "apiVersion": "v1",
+        "kind": "PersistentVolumeClaim",
+        "metadata": {
+            "name": `${name}`,
+            "namespace": "default"
+        },
+        "spec": {
+            "accessModes": [
+                "ReadWriteOnce"
+            ],
+            "storageClassName": "kms-encrypted-gp3",
+            "resources": {
+                "requests": {
+                    "storage": `${size}`
+                }
+            }
+        }
+    }
+    const pod_using_volume_claim = {
+        "apiVersion": "v1",
+        "kind": "Pod",
+        "metadata": {
+            "name": "app"
+        },
+        "spec": {
+            "containers": [
+                {
+                    "name": "app",
+                    "image": "ubuntu:latest",
+                    "command": [
+                        "/bin/sh"
+                    ],
+                    "args": [
+                        "-c",
+                        "while true; do echo $(date -u) >> /data/out.txt; sleep 5; done"
+                    ],
+                    "volumeMounts": [
+                        {
+                            "name": "persistent-storage",
+                            "mountPath": "/data"
+                        }
+                    ]
+                }
+            ],
+            "volumes": [
+                {
+                    "name": "persistent-storage",
+                    "persistentVolumeClaim": {
+                        "claimName": `${name}`
+                    }
+                }
+            ]
+        }
+    }
+    const pvc_demo_construct = new eks.KubernetesManifest(stack, "persistentVolumeClaimManifest",
+    {
+        cluster: cluster,
+        manifest: [volume_claim_gp3, pod_using_volume_claim],
+        overwrite: true,
+        prune: true,
+    });
+    pvc_demo_construct.node.addDependency(cluster.awsAuth);
 }//end deploy_workload_dependencies()
 
 ////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
@@ -49,47 +117,47 @@ export function deploy_workloads(config: Easy_EKS_Config_Data, stack: cdk.Stack,
   } as Podinfo_Helm_Config
 
   // Deploy a podinfo sample application with BLUE background
-  Apply_Podinfo_Helm_Chart(cluster, BLUE_PODINFO_HELM_CONFIG);
+  Apply_Podinfo_Helm_Chart(cluster, config, stack, BLUE_PODINFO_HELM_CONFIG);
 
   // Generate HTTP ingress manifest
   const http_ingress_yaml = Podinfo_Http_Ingress_Yaml_Generator(BLUE_PODINFO_HELM_CONFIG);
 
   // kubectl apply manifest
-  Apply_Podinfo_Ingress_YAML(cluster, BLUE_PODINFO_HELM_CONFIG, http_ingress_yaml)
-
-  // Define a GREEN podinfo application with secure ALB (HTTPS)
-  const GREEN_PODINFO_HELM_CONFIG = {
-    helm_chart_release: "podinfo-green",
-    helm_chart_values: {
-      ui: {
-        color: "#008000",
-        message: "This is an secure application with GREEN background",
-      },
-    } as Record<string, any>,
-  } as Podinfo_Helm_Config
-
-  // Deploy a podinfo sample application with GREEN background
-  Apply_Podinfo_Helm_Chart(cluster, GREEN_PODINFO_HELM_CONFIG);
-
-  // Generate HTTPS ingress manifest
-  /**
-   * TODO: due to DNS ACME challenge, we just use the existing ACME's ARN and subdomain
-   * To make this happen, you need to do:
-   * 1. Prepare a domain or sub-domain
-   * 2. Create a certificate in ACM for the domain / sub-domain
-   * 3. Create CNAME to verify the certificate successfully
-   * 4. Get the ARN of the certificate
-   * 5. Deploy the stack
-   * 6. After ALB is provisioned, create a CNAME record of the domain/sub-domain with the value in the DNS hostname of the ALB
-   */
-  const https_ingress_yaml = Podinfo_Https_Ingress_Yaml_Generator(
-    GREEN_PODINFO_HELM_CONFIG,
-    // ACME ARN
-    "arn:aws:acm:ap-southeast-2:092464092456:certificate/a2e016d5-58fb-4308-b894-f7a21f7df0b8",
-    // Sub-domain
-    "kefeng-easyeks.gcp.au-pod-1.cs.doit-playgrounds.dev",
-  )
-
-  // kubectl apply manifest
-  Apply_Podinfo_Ingress_YAML(cluster, GREEN_PODINFO_HELM_CONFIG, https_ingress_yaml)
+  Apply_Podinfo_Http_Ingress_YAML(cluster, config, stack, BLUE_PODINFO_HELM_CONFIG, http_ingress_yaml)
+
+  // // Define a GREEN podinfo application with secure ALB (HTTPS)
+  // const GREEN_PODINFO_HELM_CONFIG = {
+  //   helm_chart_release: "podinfo-green",
+  //   helm_chart_values: {
+  //     ui: {
+  //       color: "#008000",
+  //       message: "This is an secure application with GREEN background",
+  //     },
+  //   } as Record<string, any>,
+  // } as Podinfo_Helm_Config
+  //
+  // // Deploy a podinfo sample application with GREEN background
+  // Apply_Podinfo_Helm_Chart(cluster, GREEN_PODINFO_HELM_CONFIG);
+
+  // // Generate HTTPS ingress manifest
+  // /**
+  //  * TODO: due to DNS ACME challenge, we just use the existing ACME's ARN and subdomain
+  //  * To make this happen, you need to do:
+  //  * 1. Prepare a domain or sub-domain
+  //  * 2. Create a certificate in ACM for the domain / sub-domain
+  //  * 3. Create CNAME to verify the certificate successfully
+  //  * 4. Get the ARN of the certificate
+  //  * 5. Deploy the stack
+  //  * 6. After ALB is provisioned, create a CNAME record of the domain/sub-domain with the value in the DNS hostname of the ALB
+  //  */
+  // const https_ingress_yaml = Podinfo_Https_Ingress_Yaml_Generator(
+  //   GREEN_PODINFO_HELM_CONFIG,
+  //   // ACME ARN
+  //   "arn:aws:acm:ap-southeast-2:092464092456:certificate/a2e016d5-58fb-4308-b894-f7a21f7df0b8",
+  //   // Sub-domain
+  //   "kefeng-easyeks.gcp.au-pod-1.cs.doit-playgrounds.dev",
+  // )
+  //
+  // // kubectl apply manifest
+  // Apply_Podinfo_Ingress_YAML(cluster, GREEN_PODINFO_HELM_CONFIG, https_ingress_yaml)
 }//end deploy_workloads()
diff --git a/config/eks/higher_envs_eks_config.ts b/config/eks/higher_envs_eks_config.ts
@@ -16,7 +16,11 @@ export function apply_config(config: Easy_EKS_Config_Data, stack: cdk.Stack){ //
     config.setBaselineMNGType(eks.CapacityType.ON_DEMAND);
     if(process.env.CDK_DEFAULT_ACCOUNT==="111122223333"){
         config.addClusterAdminARN(`arn:aws:iam::111122223333:user/example`); 
-        /* Note: 
+        /* Note 1:
+           The IAM user/role running cdk deploy dev1-eks, gets added to the list of Cluster Admins by default.
+           This is done for convenience, if you want to change this default, you'll need to edit ./lib/Easy_EKS.ts
+
+           Note 2: 
            config.addClusterAdminARN('...:user/example') should only be used in an if statement,
            Because the identity referenced in ARN must exist or the deployment will fail
            This allows you to create a explicit list of ARNs (representing IAM roles or users)

diff --git a/config/eks/lower_envs_eks_config.ts b/config/eks/lower_envs_eks_config.ts
@@ -15,8 +15,12 @@ export function apply_config(config: Easy_EKS_Config_Data, stack: cdk.Stack){ //
     config.setBaselineMNGSize(2);
     config.setBaselineMNGType(eks.CapacityType.SPOT);
     if(process.env.CDK_DEFAULT_ACCOUNT==="111122223333"){
-        config.addClusterAdminARN(`arn:aws:iam::111122223333:user/example`); 
-        /* Note: 
+        config.addClusterAdminARN(`arn:aws:iam::111122223333:user/example`);
+        /* Note 1:
+           The IAM user/role running cdk deploy dev1-eks, gets added to the list of Cluster Admins by default.
+           This is done for convenience, if you want to change this default, you'll need to edit ./lib/Easy_EKS.ts
+
+           Note 2: 
            config.addClusterAdminARN('...:user/example') should only be used in an if statement,
            Because the identity referenced in ARN must exist or the deployment will fail
            This allows you to create a explicit list of ARNs (representing IAM roles or users)

diff --git a/config/eks/my_orgs_baseline_eks_config.ts b/config/eks/my_orgs_baseline_eks_config.ts
@@ -268,6 +268,35 @@ export function deploy_workload_dependencies(config: Easy_EKS_Config_Data, stack
             },
         }`, //end aws-ebs-csi-driver configurationValues override
     });
+    // adding gp3 storage class
+    const storage_class_gp3_manifest = {
+        "apiVersion": "storage.k8s.io/v1",
+        "kind": "StorageClass",
+        "metadata": {
+            "name": "kms-encrypted-gp3",
+            "annotations": {
+                "storageclass.kubernetes.io/is-default-class": "true"
+            }
+        },
+        "provisioner": "ebs.csi.aws.com",
+        "volumeBindingMode": "WaitForFirstConsumer",
+        "allowVolumeExpansion": true,
+        "reclaimPolicy": "Delete",
+        "parameters": {
+            "type": "gp3",
+            "encrypted": "true",
+            //"kmsKeyId": `${config.kmsKey.keyArn}` //commentig it out as while we test the logic to add permissions to customer's KMS key
+        }
+    }
+    const storage_class_gp3_construct = new eks.KubernetesManifest(stack, "StorageClassManifest",
+        {
+            cluster: cluster,
+            manifest: [storage_class_gp3_manifest],
+            overwrite: true,
+            prune: true,   
+        }
+    );
+    storage_class_gp3_construct.node.addDependency(cluster.awsAuth);
     ////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
 
     // v-- most won't need this, disabling by default

diff --git a/docs/03_Quickstart/Quickstart.md b/docs/03_Quickstart/Quickstart.md
@@ -299,10 +299,10 @@ dev1-eks: creating CloudFormation changeset...
 ✨  Deployment time: 1052.74s
 
 Outputs:
-dev1-eks.dev1eksConfigCommand9B300592 = aws eks update-kubeconfig --name dev1-eks --region ca-central-1 --role-arn arn:aws:iam::905418347382:role/dev1-eks-assumableEKSAdminAccessRoleC284FA0F-F22KjKQrjLpO
-dev1-eks.dev1eksGetTokenCommandDE6D6947 = aws eks get-token --cluster-name dev1-eks --region ca-central-1 --role-arn arn:aws:iam::905418347382:role/dev1-eks-assumableEKSAdminAccessRoleC284FA0F-F22KjKQrjLpO
-Stack ARN:
-arn:aws:cloudformation:ca-central-1:905418347382:stack/dev1-eks/60d97430-27d0-11f0-ae18-0e71104456e5
+dev1-eks.iamWhitelistedKubeConfigCmd = aws eks update-kubeconfig --region ca-central-1 --name dev1-eks
+
+Note: This only works for the user/role deploying cdk and IAM Whitelisted Admins.
+      To learn more review ./easyeks/config/eks/lower_envs_eks_config.ts
 
 ✨  Total time: 1069.52s
 ```