From 85e2ac93764a987943d07d5cc74247ad38920771 Mon Sep 17 00:00:00 2001 From: Nitesh <126162378+nitesh-balla@users.noreply.github.com> Date: Mon, 27 May 2024 23:47:13 +0530 Subject: [PATCH] feat: add istiod, istio base and istio ingressgateway helm charts to cdk (#155) --- dependencies/code_builder/buildspec.yml | 7 +- lib/aws/card-vault/components.ts | 29 +++++++- lib/aws/card-vault/encryption.py | 8 ++- lib/aws/eks.ts | 95 +++++++++++++++++++++---- lib/aws/stack.ts | 23 ++++++ 5 files changed, 142 insertions(+), 20 deletions(-) diff --git a/dependencies/code_builder/buildspec.yml b/dependencies/code_builder/buildspec.yml index 43178a8e..2781956c 100644 --- a/dependencies/code_builder/buildspec.yml +++ b/dependencies/code_builder/buildspec.yml @@ -5,7 +5,7 @@ phases: commands: - aws ecr get-login-password --region $AWS_DEFAULT_REGION | docker login --username AWS --password-stdin https://$AWS_ACCOUNT_ID.dkr.ecr.$AWS_DEFAULT_REGION.amazonaws.com - | - PULL_FROM_DOCKER=("grafana/grafana" "grafana/loki" "grafana/promtail" "grafana/fluent-bit-plugin-loki" "nginx" "juspaydotin/hyperswitch-router" "juspaydotin/hyperswitch-producer" "juspaydotin/hyperswitch-consumer" "juspaydotin/hyperswitch-control-center" "juspaydotin/hyperswitch-web" "bitnami/metrics-server") + PULL_FROM_DOCKER=("grafana/grafana" "grafana/loki" "grafana/promtail" "grafana/fluent-bit-plugin-loki" "nginx" "juspaydotin/hyperswitch-router" "juspaydotin/hyperswitch-producer" "juspaydotin/hyperswitch-consumer" "juspaydotin/hyperswitch-control-center" "juspaydotin/hyperswitch-web" "bitnami/metrics-server" "istio/proxyv2" "istio/pilot") PULL_FROM_AWS=("eks/aws-load-balancer-controller" "ebs-csi-driver/aws-ebs-csi-driver" "eks-distro/kubernetes-csi/external-provisioner" "eks-distro/kubernetes-csi/external-attacher" "eks-distro/kubernetes-csi/external-snapshotter/csi-snapshotter" "eks-distro/kubernetes-csi/livenessprobe" "eks-distro/kubernetes-csi/external-resizer" "eks-distro/kubernetes-csi/node-driver-registrar" "ebs-csi-driver/volume-modifier-for-k8s") repository_exists() { @@ -43,6 +43,11 @@ phases: elif [[ $IMAGE == "bitnami/metrics-server" ]]; then docker pull "$IMAGE:v0.7.0" && \ docker tag "$IMAGE:v0.7.0" "$AWS_ACCOUNT_ID.dkr.ecr.$AWS_DEFAULT_REGION.amazonaws.com/$IMAGE:v0.7.0" + docker push "$AWS_ACCOUNT_ID.dkr.ecr.$AWS_DEFAULT_REGION.amazonaws.com/$IMAGE:v0.7.0" + elif [[ $IMAGE == "istio/proxyv2" || $IMAGE == "istio/pilot" ]]; then + docker pull "$IMAGE:1.21.2" && \ + docker tag "$IMAGE:1.21.2" "$AWS_ACCOUNT_ID.dkr.ecr.$AWS_DEFAULT_REGION.amazonaws.com/$IMAGE:1.21.2" + docker push "$AWS_ACCOUNT_ID.dkr.ecr.$AWS_DEFAULT_REGION.amazonaws.com/$IMAGE:1.21.2" else docker pull "$IMAGE" && \ docker tag "$IMAGE" "$AWS_ACCOUNT_ID.dkr.ecr.$AWS_DEFAULT_REGION.amazonaws.com/$IMAGE:latest" && \ diff --git a/lib/aws/card-vault/components.ts b/lib/aws/card-vault/components.ts index c7865301..9bbaca0f 100644 --- a/lib/aws/card-vault/components.ts +++ b/lib/aws/card-vault/components.ts @@ -67,7 +67,7 @@ export class LockerEc2 extends Construct { blockPublicAcls: true, }), publicReadAccess: false, - encryption: s3.BucketEncryption.KMS, + encryptionKey: kms_key, enforceSSL: true, autoDeleteObjects: true, bucketName: @@ -101,6 +101,25 @@ export class LockerEc2 extends Construct { }, }); + lambda_role.addToPolicy( + new iam.PolicyStatement({ + actions: [ + "ec2:CreateNetworkInterface", + "ec2:DescribeNetworkInterfaces", + "ec2:DeleteNetworkInterface", + "ec2:AttachNetworkInterface", + "ec2:DetachNetworkInterface", + "secretsmanager:GetSecretValue", + "logs:CreateLogGroup", + "logs:CreateLogStream", + "logs:PutLogEvents", + "s3:GetObject", + "s3:PutObject" + ], + resources: ["*"], + }) + ); + const { privateKey: locker_private_key, publicKey: locker_public_key } = generateKeyPairSync("rsa", { modulusLength: 2048, @@ -166,6 +185,10 @@ export class LockerEc2 extends Construct { ENV_BUCKET_NAME: envBucket.bucketName, ENV_FILE: env_file, }, + vpc: vpc, + vpcSubnets: { + subnetGroupName: "locker-database-zone", + }, logRetention: RetentionDays.INFINITE, }); @@ -223,7 +246,7 @@ export class LockerEc2 extends Construct { }; } else { vpcSubnets = { - subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS, + subnetGroupName: "locker-server-zone", }; } @@ -327,7 +350,7 @@ export class LockerSetup extends Construct { }; } else { vpcSubnetsDb = { - subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS, + subnetGroupName: "locker-database-zone", }; } diff --git a/lib/aws/card-vault/encryption.py b/lib/aws/card-vault/encryption.py index 7f32b486..89eb8b80 100644 --- a/lib/aws/card-vault/encryption.py +++ b/lib/aws/card-vault/encryption.py @@ -14,15 +14,16 @@ def worker(): secrets_manager = boto3.client('secretsmanager') s3_client = boto3.client('s3') kms_client = boto3.client('kms') - secret_arn = os.environ['SECRET_MANAGER_ARN'] secret_value_response = secrets_manager.get_secret_value(SecretId=secret_arn) + credentials = json.loads(secret_value_response['SecretString']) kms_fun = kms_encryptor(credentials["kms_id"], credentials["region"], kms_client) + enc_pl = lambda x: kms_fun(credentials[x]) - pl = lambda x: credentials[x] + pl = lambda x: credentials[x] output = f""" @@ -54,7 +55,7 @@ def worker(): filename = os.environ['ENV_FILE'] s3_client.put_object(Bucket=bucket_name, Key=filename, Body=output.encode("utf-8")) - + @@ -105,6 +106,7 @@ def lambda_handler(event, context): status = "SUCCESS" except Exception as e: message = str(e) + print(message) status = "FAILED" send(event, context, status, { "message": message}) diff --git a/lib/aws/eks.ts b/lib/aws/eks.ts index 754cd09d..4b313363 100644 --- a/lib/aws/eks.ts +++ b/lib/aws/eks.ts @@ -38,7 +38,7 @@ export class EksStack { locker: LockerSetup | undefined, ) { - const ecrTransfer = new DockerImagesToEcr(scope); + const ecrTransfer = new DockerImagesToEcr(scope, vpc); const privateEcrRepository = `${process.env.CDK_DEFAULT_ACCOUNT}.dkr.ecr.${process.env.CDK_DEFAULT_REGION}.amazonaws.com` let vpn_ips: string[] = (scope.node.tryGetContext("vpn_ips") || "0.0.0.0").split(","); vpn_ips = vpn_ips.map((ip: string) => { @@ -615,6 +615,52 @@ export class EksStack { }, }); + const istioBase = cluster.addHelmChart("IstioBase", { + chart: "base", + repository: "https://istio-release.storage.googleapis.com/charts", + namespace: "istio-system", + release: "istio-base", + version: "1.21.2", + }); + + const istiod = cluster.addHelmChart("Istiod", { + chart: "istiod", + repository: "https://istio-release.storage.googleapis.com/charts", + namespace: "istio-system", + release: "istio-discorvery", + version: "1.21.2", + values: { + defaults: { + global: { + hub: `${privateEcrRepository}/istio`, + }, + pilot: { + nodeSelector: { + "node-type": "memory-optimized", + }, + } + }, + } + }); + + const gateway = cluster.addHelmChart("Gateway", { + chart: "gateway", + repository: "https://istio-release.storage.googleapis.com/charts", + namespace: "istio-system", + release: "istio-ingressgateway", + version: "1.21.2", + values: { + defaults: { + service: { + type: "ClusterIP" + }, + nodeSelector: { + "node-type": "memory-optimized", + }, + } + }, + }); + const sdkCorsRule: s3.CorsRule = { allowedOrigins: ["*"], allowedMethods: [s3.HttpMethods.GET, s3.HttpMethods.HEAD], @@ -785,21 +831,21 @@ export class EksStack { targetCPUUtilizationPercentage: 80, }, "hyperswitch-card-vault": { - enabled: locker ? true : false, + enabled: false, postgresql: { - enabled: locker ? true : false, + enabled: false, }, - server: { - secrets: { - locker_private_key: locker?.locker_ec2.locker_pair.private_key || '', - tenant_public_key: locker?.locker_ec2.tenant.public_key || '', - master_key: locker ? config.locker.master_key : "" - } - } + // server: { + // secrets: { + // locker_private_key: locker?.locker_ec2.locker_pair.private_key || '', + // tenant_public_key: locker?.locker_ec2.tenant.public_key || '', + // master_key: locker ? config.locker.master_key : "" + // } + // } } }, "hyperswitchsdk": { - enabled: true, + enabled: false, services: { router: { host: "http://localhost:8080" @@ -845,7 +891,7 @@ export class EksStack { buildParam: { envSdkUrl: `http://${this.sdkDistribution.distributionDomainName}` }, - // nginxConfig: { extraPath: "v0" } + nginxConfig: { extraPath: "v0" } } }, }, @@ -1109,7 +1155,7 @@ class DockerImagesToEcr { codebuildProject: codebuild.Project; codebuildTrigger: cdk.CustomResource; - constructor(scope: Construct) { + constructor(scope: Construct, vpc: ec2.Vpc) { const ecrRole = new iam.Role(scope, "ECRRole", { assumedBy: new iam.ServicePrincipal("codebuild.amazonaws.com"), @@ -1190,6 +1236,25 @@ class DockerImagesToEcr { }), ); + triggerCodeBuildRole.addToPolicy( + new iam.PolicyStatement({ + actions: [ + "ec2:CreateNetworkInterface", + "ec2:DescribeNetworkInterfaces", + "ec2:DeleteNetworkInterface", + "ec2:AttachNetworkInterface", + "ec2:DetachNetworkInterface", + "secretsmanager:GetSecretValue", + "logs:CreateLogGroup", + "logs:CreateLogStream", + "logs:PutLogEvents", + "s3:GetObject", + "s3:PutObject" + ], + resources: ["*"], + }) + ); + triggerCodeBuildRole.attachInlinePolicy( new iam.Policy(scope, "ECRImageTransferLambdaLogsPolicy", { document: logsPolicy, @@ -1205,6 +1270,10 @@ class DockerImagesToEcr { environment: { PROJECT_NAME: this.codebuildProject.projectName, }, + vpc: vpc, + vpcSubnets: { + subnetGroupName: "isolated-subnet-1" + } }); this.codebuildTrigger = new cdk.CustomResource(scope, "ECRImageTransferCR", { diff --git a/lib/aws/stack.ts b/lib/aws/stack.ts index b3c3296b..e20d1145 100644 --- a/lib/aws/stack.ts +++ b/lib/aws/stack.ts @@ -271,6 +271,29 @@ export class AWSStack extends cdk.Stack { }, }); + const vpc_endpoint4 = new ec2.InterfaceVpcEndpoint(this, "SecretsManagerEP", { + vpc: vpc.vpc, + service: ec2.InterfaceVpcEndpointAwsService.SECRETS_MANAGER, + securityGroups: [sg], + subnets: { + subnetGroupName: "locker-database-zone", + }, + }); + + const s3VPCEndpoint = new ec2.GatewayVpcEndpoint(this, "S3VPCEndpoint", { + vpc: vpc.vpc, + service: ec2.GatewayVpcEndpointAwsService.S3, + }); + + const kmsVPCEndpoint = new ec2.InterfaceVpcEndpoint(this, "KMSVPCEndpoint", { + vpc: vpc.vpc, + service: ec2.InterfaceVpcEndpointAwsService.KMS, + securityGroups: [sg], + subnets: { + subnetGroupName: "database-zone", + } + }); + const rdsEndpoint = new ec2.InterfaceVpcEndpoint(this, "RdsEndpoint", { vpc: vpc.vpc, service: ec2.InterfaceVpcEndpointAwsService.RDS,