feat: add istiod, istio base and istio ingressgateway helm charts to …

…cdk (#155)
juspay · May 27, 2024 · 85e2ac9 · 85e2ac9
1 parent 98e6010
commit 85e2ac9
Show file tree

Hide file tree

Showing 5 changed files with 142 additions and 20 deletions.
diff --git a/dependencies/code_builder/buildspec.yml b/dependencies/code_builder/buildspec.yml
@@ -5,7 +5,7 @@ phases:
     commands:
        - aws ecr get-login-password --region $AWS_DEFAULT_REGION | docker login --username AWS --password-stdin https://$AWS_ACCOUNT_ID.dkr.ecr.$AWS_DEFAULT_REGION.amazonaws.com
        - |
-        PULL_FROM_DOCKER=("grafana/grafana" "grafana/loki" "grafana/promtail" "grafana/fluent-bit-plugin-loki" "nginx" "juspaydotin/hyperswitch-router" "juspaydotin/hyperswitch-producer" "juspaydotin/hyperswitch-consumer" "juspaydotin/hyperswitch-control-center" "juspaydotin/hyperswitch-web" "bitnami/metrics-server")
+        PULL_FROM_DOCKER=("grafana/grafana" "grafana/loki" "grafana/promtail" "grafana/fluent-bit-plugin-loki" "nginx" "juspaydotin/hyperswitch-router" "juspaydotin/hyperswitch-producer" "juspaydotin/hyperswitch-consumer" "juspaydotin/hyperswitch-control-center" "juspaydotin/hyperswitch-web" "bitnami/metrics-server" "istio/proxyv2" "istio/pilot")
         PULL_FROM_AWS=("eks/aws-load-balancer-controller" "ebs-csi-driver/aws-ebs-csi-driver" "eks-distro/kubernetes-csi/external-provisioner" "eks-distro/kubernetes-csi/external-attacher" "eks-distro/kubernetes-csi/external-snapshotter/csi-snapshotter" "eks-distro/kubernetes-csi/livenessprobe" "eks-distro/kubernetes-csi/external-resizer" "eks-distro/kubernetes-csi/node-driver-registrar" "ebs-csi-driver/volume-modifier-for-k8s")
 
         repository_exists() {
@@ -43,6 +43,11 @@ phases:
           elif [[ $IMAGE == "bitnami/metrics-server" ]]; then
               docker pull "$IMAGE:v0.7.0" && \
               docker tag "$IMAGE:v0.7.0" "$AWS_ACCOUNT_ID.dkr.ecr.$AWS_DEFAULT_REGION.amazonaws.com/$IMAGE:v0.7.0"
+              docker push "$AWS_ACCOUNT_ID.dkr.ecr.$AWS_DEFAULT_REGION.amazonaws.com/$IMAGE:v0.7.0"
+          elif [[ $IMAGE == "istio/proxyv2" || $IMAGE == "istio/pilot" ]]; then
+              docker pull "$IMAGE:1.21.2" && \
+              docker tag "$IMAGE:1.21.2" "$AWS_ACCOUNT_ID.dkr.ecr.$AWS_DEFAULT_REGION.amazonaws.com/$IMAGE:1.21.2"
+              docker push "$AWS_ACCOUNT_ID.dkr.ecr.$AWS_DEFAULT_REGION.amazonaws.com/$IMAGE:1.21.2"
           else
               docker pull "$IMAGE" && \
               docker tag "$IMAGE" "$AWS_ACCOUNT_ID.dkr.ecr.$AWS_DEFAULT_REGION.amazonaws.com/$IMAGE:latest" && \

diff --git a/lib/aws/card-vault/components.ts b/lib/aws/card-vault/components.ts
@@ -67,7 +67,7 @@ export class LockerEc2 extends Construct {
         blockPublicAcls: true,
       }),
       publicReadAccess: false,
-      encryption: s3.BucketEncryption.KMS,
+      encryptionKey: kms_key,
       enforceSSL: true,
       autoDeleteObjects: true,
       bucketName:
@@ -101,6 +101,25 @@ export class LockerEc2 extends Construct {
       },
     });
 
+    lambda_role.addToPolicy(
+      new iam.PolicyStatement({
+        actions: [
+          "ec2:CreateNetworkInterface",
+          "ec2:DescribeNetworkInterfaces",
+          "ec2:DeleteNetworkInterface",
+          "ec2:AttachNetworkInterface",
+          "ec2:DetachNetworkInterface",
+          "secretsmanager:GetSecretValue",
+          "logs:CreateLogGroup",
+          "logs:CreateLogStream",
+          "logs:PutLogEvents",
+          "s3:GetObject",
+          "s3:PutObject"
+        ],
+        resources: ["*"],
+      })
+    );
+
     const { privateKey: locker_private_key, publicKey: locker_public_key } =
       generateKeyPairSync("rsa", {
         modulusLength: 2048,
@@ -166,6 +185,10 @@ export class LockerEc2 extends Construct {
         ENV_BUCKET_NAME: envBucket.bucketName,
         ENV_FILE: env_file,
       },
+      vpc: vpc,
+      vpcSubnets: {
+        subnetGroupName: "locker-database-zone",
+      },
       logRetention: RetentionDays.INFINITE,
     });
 
@@ -223,7 +246,7 @@ export class LockerEc2 extends Construct {
       };
     } else {
       vpcSubnets = {
-        subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS,
+        subnetGroupName: "locker-server-zone",
       };
     }
 
@@ -327,7 +350,7 @@ export class LockerSetup extends Construct {
       };
     } else {
       vpcSubnetsDb = {
-        subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS,
+        subnetGroupName: "locker-database-zone",
       };
     }
 

diff --git a/lib/aws/card-vault/encryption.py b/lib/aws/card-vault/encryption.py
@@ -14,15 +14,16 @@ def worker():
     secrets_manager = boto3.client('secretsmanager')
     s3_client = boto3.client('s3')
     kms_client = boto3.client('kms')
-
     secret_arn = os.environ['SECRET_MANAGER_ARN']
     secret_value_response = secrets_manager.get_secret_value(SecretId=secret_arn)
+
     credentials = json.loads(secret_value_response['SecretString'])
 
     kms_fun = kms_encryptor(credentials["kms_id"], credentials["region"], kms_client)
+
     enc_pl = lambda x: kms_fun(credentials[x])
-    pl = lambda x: credentials[x]
 
+    pl = lambda x: credentials[x]
 
 
     output = f"""
@@ -54,7 +55,7 @@ def worker():
     filename = os.environ['ENV_FILE']
 
     s3_client.put_object(Bucket=bucket_name, Key=filename, Body=output.encode("utf-8"))
-    
+
 
 
 
@@ -105,6 +106,7 @@ def lambda_handler(event, context):
                 status = "SUCCESS"
             except Exception as e:
                 message = str(e)
+                print(message)
                 status = "FAILED"
 
             send(event, context, status, { "message": message})

diff --git a/lib/aws/eks.ts b/lib/aws/eks.ts
@@ -38,7 +38,7 @@ export class EksStack {
     locker: LockerSetup | undefined,
   ) {
 
-    const ecrTransfer = new DockerImagesToEcr(scope);
+    const ecrTransfer = new DockerImagesToEcr(scope, vpc);
     const privateEcrRepository = `${process.env.CDK_DEFAULT_ACCOUNT}.dkr.ecr.${process.env.CDK_DEFAULT_REGION}.amazonaws.com`
     let vpn_ips: string[] = (scope.node.tryGetContext("vpn_ips") || "0.0.0.0").split(",");
     vpn_ips = vpn_ips.map((ip: string) => {
@@ -615,6 +615,52 @@ export class EksStack {
       },
     });
 
+    const istioBase = cluster.addHelmChart("IstioBase", {
+      chart: "base",
+      repository: "https://istio-release.storage.googleapis.com/charts",
+      namespace: "istio-system",
+      release: "istio-base",
+      version: "1.21.2",
+    });
+
+    const istiod = cluster.addHelmChart("Istiod", {
+      chart: "istiod",
+      repository: "https://istio-release.storage.googleapis.com/charts",
+      namespace: "istio-system",
+      release: "istio-discorvery",
+      version: "1.21.2",
+      values: {
+        defaults: {
+          global: {
+            hub: `${privateEcrRepository}/istio`,
+          },
+          pilot: {
+            nodeSelector: {
+              "node-type": "memory-optimized",
+            },
+          }
+      },
+      }
+    });
+
+    const gateway = cluster.addHelmChart("Gateway", {
+      chart: "gateway",
+      repository: "https://istio-release.storage.googleapis.com/charts",
+      namespace: "istio-system",
+      release: "istio-ingressgateway",
+      version: "1.21.2",
+      values: {
+        defaults: {
+          service: {
+            type: "ClusterIP"
+          },
+          nodeSelector: {
+            "node-type": "memory-optimized",
+          },
+        }
+      },
+    });
+
     const sdkCorsRule: s3.CorsRule = {
       allowedOrigins: ["*"],
       allowedMethods: [s3.HttpMethods.GET, s3.HttpMethods.HEAD],
@@ -785,21 +831,21 @@ export class EksStack {
             targetCPUUtilizationPercentage: 80,
           },
           "hyperswitch-card-vault": {
-            enabled: locker ? true : false,
+            enabled: false,
             postgresql: {
-              enabled: locker ? true : false,
+              enabled: false,
             },
-            server: {
-              secrets: {
-                locker_private_key: locker?.locker_ec2.locker_pair.private_key || '',
-                tenant_public_key: locker?.locker_ec2.tenant.public_key || '',
-                master_key: locker ? config.locker.master_key : ""
-              }
-            }
+            // server: {
+            //   secrets: {
+            //     locker_private_key: locker?.locker_ec2.locker_pair.private_key || '',
+            //     tenant_public_key: locker?.locker_ec2.tenant.public_key || '',
+            //     master_key: locker ? config.locker.master_key : ""
+            //   }
+            // }
           }
         },
         "hyperswitchsdk": {
-          enabled: true,
+          enabled: false,
           services: {
             router: {
               host: "http://localhost:8080"
@@ -845,7 +891,7 @@ export class EksStack {
             buildParam: {
               envSdkUrl: `http://${this.sdkDistribution.distributionDomainName}`
             },
-            // nginxConfig: { extraPath: "v0" }
+            nginxConfig: { extraPath: "v0" }
           }
         },
       },
@@ -1109,7 +1155,7 @@ class DockerImagesToEcr {
   codebuildProject: codebuild.Project;
   codebuildTrigger: cdk.CustomResource;
 
-  constructor(scope: Construct) {
+  constructor(scope: Construct, vpc: ec2.Vpc) {
 
     const ecrRole = new iam.Role(scope, "ECRRole", {
       assumedBy: new iam.ServicePrincipal("codebuild.amazonaws.com"),
@@ -1190,6 +1236,25 @@ class DockerImagesToEcr {
       }),
     );
 
+    triggerCodeBuildRole.addToPolicy(
+      new iam.PolicyStatement({
+        actions: [
+          "ec2:CreateNetworkInterface",
+          "ec2:DescribeNetworkInterfaces",
+          "ec2:DeleteNetworkInterface",
+          "ec2:AttachNetworkInterface",
+          "ec2:DetachNetworkInterface",
+          "secretsmanager:GetSecretValue",
+          "logs:CreateLogGroup",
+          "logs:CreateLogStream",
+          "logs:PutLogEvents",
+          "s3:GetObject",
+          "s3:PutObject"
+        ],
+        resources: ["*"],
+      })
+    );
+
     triggerCodeBuildRole.attachInlinePolicy(
       new iam.Policy(scope, "ECRImageTransferLambdaLogsPolicy", {
         document: logsPolicy,
@@ -1205,6 +1270,10 @@ class DockerImagesToEcr {
       environment: {
         PROJECT_NAME: this.codebuildProject.projectName,
       },
+      vpc: vpc,
+      vpcSubnets: {
+        subnetGroupName: "isolated-subnet-1"
+      }
     });
 
     this.codebuildTrigger = new cdk.CustomResource(scope, "ECRImageTransferCR", {

diff --git a/lib/aws/stack.ts b/lib/aws/stack.ts
@@ -271,6 +271,29 @@ export class AWSStack extends cdk.Stack {
         },
       });
 
+      const vpc_endpoint4 = new ec2.InterfaceVpcEndpoint(this, "SecretsManagerEP", {
+        vpc: vpc.vpc,
+        service: ec2.InterfaceVpcEndpointAwsService.SECRETS_MANAGER,
+        securityGroups: [sg],
+        subnets: {
+          subnetGroupName: "locker-database-zone",
+        },
+      });
+
+      const s3VPCEndpoint = new ec2.GatewayVpcEndpoint(this, "S3VPCEndpoint", {
+        vpc: vpc.vpc,
+        service: ec2.GatewayVpcEndpointAwsService.S3,
+      });
+
+      const kmsVPCEndpoint = new ec2.InterfaceVpcEndpoint(this, "KMSVPCEndpoint", {
+        vpc: vpc.vpc,
+        service: ec2.InterfaceVpcEndpointAwsService.KMS,
+        securityGroups: [sg],
+        subnets: {
+          subnetGroupName: "database-zone",
+        }
+      });
+
       const rdsEndpoint = new ec2.InterfaceVpcEndpoint(this, "RdsEndpoint", {
         vpc: vpc.vpc,
         service: ec2.InterfaceVpcEndpointAwsService.RDS,