doitintl · kdeng · May 27, 2025 · May 27, 2025
diff --git a/.gitignore b/.gitignore
@@ -7,4 +7,8 @@ node_modules
 
 .cdk.staging
 cdk.out
+
+# IDE files
+.idea/
+.vscode/
 ################################
diff --git a/bin/cdk-main.ts b/bin/cdk-main.ts
@@ -142,6 +142,7 @@ dev1_eks.stage_deployment_of_my_orgs_baseline_eks_workloads();
 dev1_eks.stage_deployment_of_lower_envs_eks_workloads();
 dev1_eks.stage_deployment_of_dev_eks_workloads();
 //^-- deployment time of ~18.6mins (~15-20mins)
+///////////////////////////////////////////////////////////////////////////////////////////
 
 //Example 2: Equivalent to Example 1, just with convenience methods as short hand
 //(This format balances usability and debugability)

diff --git a/cdk.context.json b/cdk.context.json
@@ -10,5 +10,77 @@
   },
   "acknowledged-issue-numbers": [
     32775
-  ]
+  ],
+  "availability-zones:account=092464092456:region=ca-central-1": [
+    "ca-central-1a",
+    "ca-central-1b",
+    "ca-central-1d"
+  ],
+  "ami:account=092464092456:filters.image-type.0=machine:filters.name.0=fck-nat-al2023-*-arm64-ebs:filters.state.0=available:owners.0=568608671756:region=ca-central-1": "ami-045d3a84706b8feeb",
+  "availability-zones:account=092464092456:region=ap-southeast-2": [
+    "ap-southeast-2a",
+    "ap-southeast-2b",
+    "ap-southeast-2c",
+    "ap-southeast-2-akl-1a"
+  ],
+  "ami:account=092464092456:filters.image-type.0=machine:filters.name.0=fck-nat-al2023-*-arm64-ebs:filters.state.0=available:owners.0=568608671756:region=ap-southeast-2": "ami-0799b4d92d35edd4a",
+  "vpc-provider:account=092464092456:filter.isDefault=false:filter.tag:Name=lower-envs-vpc:filter.vpc-id=vpc-0b0a49daf937ebd4e:region=ap-southeast-2:returnAsymmetricSubnets=true": {
+    "vpcId": "vpc-0b0a49daf937ebd4e",
+    "vpcCidrBlock": "10.99.0.0/16",
+    "ownerAccountId": "092464092456",
+    "availabilityZones": [],
+    "subnetGroups": [
+      {
+        "name": "Public",
+        "type": "Public",
+        "subnets": [
+          {
+            "subnetId": "subnet-086ef6db7aa03a0c8",
+            "cidr": "10.99.0.0/23",
+            "availabilityZone": "ap-southeast-2a",
+            "routeTableId": "rtb-0ff297699d4ac7ad7"
+          },
+          {
+            "subnetId": "subnet-0aa59909b88944cae",
+            "cidr": "10.99.2.0/23",
+            "availabilityZone": "ap-southeast-2b",
+            "routeTableId": "rtb-006b3e4abc859c868"
+          },
+          {
+            "subnetId": "subnet-0dd9405e4884934d9",
+            "cidr": "10.99.4.0/23",
+            "availabilityZone": "ap-southeast-2c",
+            "routeTableId": "rtb-098ce61b7fa0c7c14"
+          }
+        ]
+      },
+      {
+        "name": "Private",
+        "type": "Private",
+        "subnets": [
+          {
+            "subnetId": "subnet-0c1bbe1320a8d4d4f",
+            "cidr": "10.99.32.0/19",
+            "availabilityZone": "ap-southeast-2a",
+            "routeTableId": "rtb-039cbceea7f95d542"
+          },
+          {
+            "subnetId": "subnet-048c00d9bab4574e1",
+            "cidr": "10.99.64.0/19",
+            "availabilityZone": "ap-southeast-2b",
+            "routeTableId": "rtb-09947c85e71d96615"
+          },
+          {
+            "subnetId": "subnet-0835a3d4741890dfa",
+            "cidr": "10.99.96.0/19",
+            "availabilityZone": "ap-southeast-2c",
+            "routeTableId": "rtb-0f3be7c4448dcd376"
+          }
+        ]
+      }
+    ]
+  },
+  "key-provider:account=092464092456:aliasName=alias/eks/lower-envs:region=ap-southeast-2": {
+    "keyId": "53d98ec6-3051-46b6-a9c6-bd1e4dbf8904"
+  }
 }
diff --git a/config/eks/dev_eks_config.ts b/config/eks/dev_eks_config.ts
@@ -1,35 +1,95 @@
 import { Easy_EKS_Config_Data } from '../../lib/Easy_EKS_Config_Data';
 import * as cdk from 'aws-cdk-lib';
 import * as eks from 'aws-cdk-lib/aws-eks'
-import * as iam from 'aws-cdk-lib/aws-iam';
-import request from 'sync-request-curl'; //npm install sync-request-curl (cdk requires sync functions, async not allowed)
+import {
+  Apply_Podinfo_Helm_Chart,
+  Apply_Podinfo_Ingress_YAML,
+  Podinfo_Helm_Config,
+  Podinfo_Http_Ingress_Yaml_Generator,
+  Podinfo_Https_Ingress_Yaml_Generator,
+} from "../../lib/Podinfo_Manifests";
+
 //Intended Use: 
 //EasyEKS Admins: edit this file with config to apply to all dev / sandbox cluster's in your org.
 
-export function apply_config(config: Easy_EKS_Config_Data, stack: cdk.Stack){ //config: is of type Easy_EKS_Config_Data
-    config.addTag("Environment", "Dev");
+export function apply_config(config: Easy_EKS_Config_Data, stack: cdk.Stack) { //config: is of type Easy_EKS_Config_Data
+  config.addTag("Environment", "Dev");
 }//end apply_config()
 
 ////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
 ////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
 ////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
 
-export function deploy_dependencies(config: Easy_EKS_Config_Data, stack: cdk.Stack, cluster: eks.Cluster){
+export function deploy_dependencies(config: Easy_EKS_Config_Data, stack: cdk.Stack, cluster: eks.Cluster) {
 
 }//end deploy_dependencies()
 
 ////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
 ////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
 ////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
 
-export function deploy_workload_dependencies(config: Easy_EKS_Config_Data, stack: cdk.Stack, cluster: eks.Cluster){
+export function deploy_workload_dependencies(config: Easy_EKS_Config_Data, stack: cdk.Stack, cluster: eks.Cluster) {
 
 }//end deploy_workload_dependencies()
 
 ////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
 ////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
 ////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
 
-export function deploy_workloads(config: Easy_EKS_Config_Data, stack: cdk.Stack, cluster: eks.Cluster){
+export function deploy_workloads(config: Easy_EKS_Config_Data, stack: cdk.Stack, cluster: eks.Cluster) {
+  // Define a BLUE podinfo application with insecure ALB (HTTP)
+  const BLUE_PODINFO_HELM_CONFIG = {
+    helm_chart_release: "podinfo-blue",
+    helm_chart_values: {
+      ui: {
+        color: "#0000FF",
+        message: "This is an insecure application with BLUE background",
+      },
+    } as Record<string, any>,
+  } as Podinfo_Helm_Config
+
+  // Deploy a podinfo sample application with BLUE background
+  Apply_Podinfo_Helm_Chart(cluster, BLUE_PODINFO_HELM_CONFIG);
+
+  // Generate HTTP ingress manifest
+  const http_ingress_yaml = Podinfo_Http_Ingress_Yaml_Generator(BLUE_PODINFO_HELM_CONFIG);
+
+  // kubectl apply manifest
+  Apply_Podinfo_Ingress_YAML(cluster, BLUE_PODINFO_HELM_CONFIG, http_ingress_yaml)
+
+  // Define a GREEN podinfo application with secure ALB (HTTPS)
+  const GREEN_PODINFO_HELM_CONFIG = {
+    helm_chart_release: "podinfo-green",
+    helm_chart_values: {
+      ui: {
+        color: "#008000",
+        message: "This is an secure application with GREEN background",
+      },
+    } as Record<string, any>,
+  } as Podinfo_Helm_Config
+
+  // Deploy a podinfo sample application with GREEN background
+  Apply_Podinfo_Helm_Chart(cluster, GREEN_PODINFO_HELM_CONFIG);
+
+  // Generate HTTPS ingress manifest
+  /**
+   * TODO: due to DNS ACME challenge, we just use the existing ACME's ARN and subdomain
+   * To make this happen, you need to do:
+   * 1. Prepare a domain or sub-domain
+   * 2. Create a certificate in ACM for the domain / sub-domain
+   * 3. Create CNAME to verify the certificate successfully
+   * 4. Get the ARN of the certificate
+   * 5. Deploy the stack
+   * 6. After ALB is provisioned, create a CNAME record of the domain/sub-domain with the value in the DNS hostname of the ALB
+   */
+  const https_ingress_yaml = Podinfo_Https_Ingress_Yaml_Generator(
+    GREEN_PODINFO_HELM_CONFIG,
+    // ACME ARN
+    "arn:aws:acm:ap-southeast-2:092464092456:certificate/a2e016d5-58fb-4308-b894-f7a21f7df0b8",
+    // Sub-domain
+    "kefeng-easyeks.gcp.au-pod-1.cs.doit-playgrounds.dev",
+  )
 
-}//end deploy_workloads()
+  // kubectl apply manifest
+  Apply_Podinfo_Ingress_YAML(cluster, GREEN_PODINFO_HELM_CONFIG, https_ingress_yaml)
+}//end deploy_workloads()
diff --git a/lib/Podinfo_Manifests.ts b/lib/Podinfo_Manifests.ts
@@ -0,0 +1,138 @@
+import * as cdk from 'aws-cdk-lib';
+import * as eks from 'aws-cdk-lib/aws-eks';
+
+export interface Podinfo_Helm_Config {
+  helm_chart_version: string,
+  helm_chart_release: string,
+  helm_chart_values?: Record<string, any> | undefined,
+}
+
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+export const Podinfo_Http_Ingress_Yaml_Generator = (
+  podinfo_helm_config: Podinfo_Helm_Config,
+): Record<string, any> => {
+  return {
+    "apiVersion": "networking.k8s.io/v1",
+    "kind": "Ingress",
+    "metadata": {
+      "name": `${podinfo_helm_config.helm_chart_release}-ingress`,
+      "namespace": "default",
+      "annotations": {
+        "kubernetes.io/ingress.class": "alb",
+        "alb.ingress.kubernetes.io/scheme": "internet-facing",
+        "alb.ingress.kubernetes.io/target-type": "ip",
+        "alb.ingress.kubernetes.io/group.name": podinfo_helm_config.helm_chart_release,
+        "alb.ingress.kubernetes.io/ip-address-type": "dualstack",
+        "alb.ingress.kubernetes.io/listen-ports": '[{"HTTP": 80}]',
+        "alb.ingress.kubernetes.io/backend-protocol": "HTTP",
+
+      },
+      "labels": {
+        "app": podinfo_helm_config.helm_chart_release,
+      },
+    },
+    "spec": {
+      "rules": [
+        {
+          "http": {
+            "paths": [
+              {
+                "path": "/",
+                "pathType": "Prefix",
+                "backend": {
+                  "service": {
+                    "name": podinfo_helm_config.helm_chart_release,
+                    "port": {
+                      "number": podinfo_helm_config.helm_chart_values?.port ?? 9898,
+                    },
+                  },
+                },
+              },
+            ],
+          },
+        },
+      ],
+    },
+  } as Record<string, any>;
+}
+
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+export const Podinfo_Https_Ingress_Yaml_Generator = (
+  podinfo_helm_config: Podinfo_Helm_Config,
+  certificateArn: string,
+  host: string,
+): Record<string, any> => {
+  return {
+    "apiVersion": "networking.k8s.io/v1",
+    "kind": "Ingress",
+    "metadata": {
+      "name": `${podinfo_helm_config.helm_chart_release}-ingress`,
+      "namespace": "default",
+      "annotations": {
+        "kubernetes.io/ingress.class": "alb",
+        "alb.ingress.kubernetes.io/scheme": "internet-facing",
+        "alb.ingress.kubernetes.io/target-type": "ip",
+        "alb.ingress.kubernetes.io/group.name": podinfo_helm_config.helm_chart_release,
+        "alb.ingress.kubernetes.io/ip-address-type": "dualstack",
+        "alb.ingress.kubernetes.io/listen-ports": '[{"HTTP": 80}, {"HTTPS": 443}]',
+        "alb.ingress.kubernetes.io/backend-protocol": "HTTP",
+        "alb.ingress.kubernetes.io/actions.ssl-redirect": '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}',
+        "alb.ingress.kubernetes.io/certificate-arn": certificateArn,
+      },
+      "labels": {
+        "app": podinfo_helm_config.helm_chart_release,
+      },
+    },
+    "spec": {
+      "rules": [
+        {
+          "host": host,
+          "http": {
+            "paths": [
+              {
+                "path": "/",
+                "pathType": "Prefix",
+                "backend": {
+                  "service": {
+                    "name": podinfo_helm_config.helm_chart_release,
+                    "port": {
+                      "number": podinfo_helm_config.helm_chart_values?.port ?? 9898,
+                    },
+                  },
+                },
+              },
+            ],
+          },
+        },
+      ],
+    },
+  } as Record<string, any>;
+}
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+export const Apply_Podinfo_Helm_Chart = (cluster: eks.Cluster,
+                                         podinfo_helm_config: Podinfo_Helm_Config) => {
+  const podinfo_helm = cluster.addHelmChart(podinfo_helm_config.helm_chart_release, {
+    repository: "https://stefanprodan.github.io/podinfo",
+    chart: "podinfo",
+    release: podinfo_helm_config.helm_chart_release,
+    version: podinfo_helm_config.helm_chart_version || "6.9.0",
+    values: {
+      ...podinfo_helm_config.helm_chart_values,
+    },
+  })
+  podinfo_helm.node.addDependency(cluster.awsAuth);
+  return podinfo_helm;
+} //end function Apply_Podinfo_Helm_Chart
+
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+export function Apply_Podinfo_Ingress_YAML(cluster: eks.Cluster,
+                                           podinfo_helm_config: Podinfo_Helm_Config,
+                                           podinfo_http_ingress_yaml: Record<string, any>) {
+  // kubectl apply -f
+  const ingress_manifest = cluster.addManifest(`${podinfo_helm_config.helm_chart_release}-ingress`, podinfo_http_ingress_yaml);
+  (ingress_manifest.node.defaultChild as cdk.CfnResource).applyRemovalPolicy(cdk.RemovalPolicy.RETAIN);
+
+  return ingress_manifest
+} //end function Apply_Podinfo_Ingress_YAML
+//
+// ////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////