Merge pull request #16 from doitintl/feature/storage-class-gp3-aws-encryption

Feature/storage class gp3 aws encryption

Author: neoakris

config/eks/dev_eks_config.ts

@@ -23,7 +23,75 @@ export function deploy_dependencies(config: Easy_EKS_Config_Data, stack: cdk.Sta
 ////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
 
 export function deploy_workload_dependencies(config: Easy_EKS_Config_Data, stack: cdk.Stack, cluster: eks.Cluster){
-
+    // This is an example of a workload that uses a PersistentVolumeClaim with a storage class that is encrypted
+    // with AWS KMS key.
+    // IMPORTANT: if the cdk insfrastructure is destroyed it will leave the volume orphans, and they will 
+    // need to be manually deleted.
+    let name="test-claim-gp3";
+    let size="10Gi";
+    const volume_claim_gp3 = {
+        "apiVersion": "v1",
+        "kind": "PersistentVolumeClaim",
+        "metadata": {
+            "name": `${name}`,
+            "namespace": "default"
+        },
+        "spec": {
+            "accessModes": [
+                "ReadWriteOnce"
+            ],
+            "storageClassName": "kms-encrypted-gp3",
+            "resources": {
+                "requests": {
+                    "storage": `${size}`
+                }
+            }
+        }
+    }
+    const pod_using_volume_claim = {
+        "apiVersion": "v1",
+        "kind": "Pod",
+        "metadata": {
+            "name": "app"
+        },
+        "spec": {
+            "containers": [
+                {
+                    "name": "app",
+                    "image": "ubuntu:latest",
+                    "command": [
+                        "/bin/sh"
+                    ],
+                    "args": [
+                        "-c",
+                        "while true; do echo $(date -u) >> /data/out.txt; sleep 5; done"
+                    ],
+                    "volumeMounts": [
+                        {
+                            "name": "persistent-storage",
+                            "mountPath": "/data"
+                        }
+                    ]
+                }
+            ],
+            "volumes": [
+                {
+                    "name": "persistent-storage",
+                    "persistentVolumeClaim": {
+                        "claimName": `${name}`
+                    }
+                }
+            ]
+        }
+    }
+    const pvc_demo_construct = new eks.KubernetesManifest(stack, "persistentVolumeClaimManifest",
+    {
+        cluster: cluster,
+        manifest: [volume_claim_gp3, pod_using_volume_claim],
+        overwrite: true,
+        prune: true,
+    });
+    pvc_demo_construct.node.addDependency(cluster.awsAuth);
 }//end deploy_workload_dependencies()
 
 ////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

config/eks/my_orgs_baseline_eks_config.ts

@@ -268,6 +268,35 @@ export function deploy_workload_dependencies(config: Easy_EKS_Config_Data, stack
             },
         }`, //end aws-ebs-csi-driver configurationValues override
     });
+    // adding gp3 storage class
+    const storage_class_gp3_manifest = {
+        "apiVersion": "storage.k8s.io/v1",
+        "kind": "StorageClass",
+        "metadata": {
+            "name": "kms-encrypted-gp3",
+            "annotations": {
+                "storageclass.kubernetes.io/is-default-class": "true"
+            }
+        },
+        "provisioner": "ebs.csi.aws.com",
+        "volumeBindingMode": "WaitForFirstConsumer",
+        "allowVolumeExpansion": true,
+        "reclaimPolicy": "Delete",
+        "parameters": {
+            "type": "gp3",
+            "encrypted": "true",
+            //"kmsKeyId": `${config.kmsKey.keyArn}` //commentig it out as while we test the logic to add permissions to customer's KMS key
+        }
+    }
+    const storage_class_gp3_construct = new eks.KubernetesManifest(stack, "StorageClassManifest",
+        {
+            cluster: cluster,
+            manifest: [storage_class_gp3_manifest],
+            overwrite: true,
+            prune: true,   
+        }
+    );
+    storage_class_gp3_construct.node.addDependency(cluster.awsAuth);
     ////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
 
     // v-- most won't need this, disabling by default

lib/Easy_EKS.ts

@@ -239,9 +239,8 @@ export class Easy_EKS{ //purposefully don't extend stack, to implement builder p
         //     this.config.kmsKeyAlias, {description: "Easy EKS generated kms key, used to encrypt etcd and ebs-csi-driver provisioned volumes"}
         // ));}
         // else { eksBlueprint.resourceProvider(blueprints.GlobalResources.KmsKey, new blueprints.LookupKmsKeyProvider(this.config.kmsKeyAlias)); }
-        ensure_existance_of_aliased_kms_key(this.config.kmsKeyAlias);
-        const kms_key = kms.Key.fromLookup(this.stack, 'pre-existing-kms-key', { aliasName: this.config.kmsKeyAlias });
-
+        ensure_existance_of_aliased_kms_key(this.config.kmsKeyAlias, this.stack.stackName, this.stack.region);
+        const kms_key = this.config.kmsKey;
         this.cluster = new eks.Cluster(this.stack, this.config.id, {
             clusterName: this.config.id,
             version: this.config.kubernetesVersion,
@@ -632,7 +631,7 @@ const enhanced_viewer_cr = {
 }
 ///////////////////////////////////////////////////////////////////////////////////////////////////
 
-function ensure_existance_of_aliased_kms_key(kmsKeyAlias: string){
+function ensure_existance_of_aliased_kms_key(kmsKeyAlias: string, stackName: string, region: string){
     /*UX Improvement: By default EKS Blueprint will make new KMS key everytime you make a cluster.
     This logic checks for pre-existing keys, and prefers to reuse them. Else create if needed, reuse next time.
     The intent is to achieve the following EasyEKS default: (which is overrideable):
@@ -641,15 +640,69 @@ function ensure_existance_of_aliased_kms_key(kmsKeyAlias: string){
     * prod envs share a kms key: "alias/eks/prod"
     */
     let kms_key:kms.Key;   
-    const cmd = `aws kms list-aliases | jq '.Aliases[] | select(.AliasName == "${kmsKeyAlias}") | .TargetKeyId'`
+    const cmd = `aws kms list-aliases --region ${region} | jq '.Aliases[] | select(.AliasName == "${kmsKeyAlias}") | .TargetKeyId'`
     const cmd_results = execSync(cmd).toString();
+    let key_id = "";
     if(cmd_results===""){ //if alias not found, then make a kms key with the alias
-        const create_key_cmd = `aws kms create-key --description="Easy EKS generated kms key, used to encrypt etcd and ebs-csi-driver provisioned volumes"`
+        const create_key_cmd = `aws kms create-key --region ${region} --description="Easy EKS generated kms key, used to encrypt etcd and ebs-csi-driver provisioned volumes"`
         const results = JSON.parse( execSync(create_key_cmd).toString() );
-        const key_id = results.KeyMetadata.KeyId;
-        const add_alias_cmd = `aws kms create-alias --alias-name ${kmsKeyAlias} --target-key-id ${key_id}`;
+        key_id = results.KeyMetadata.KeyId;
+        const add_alias_cmd = `aws kms create-alias --alias-name ${kmsKeyAlias} --target-key-id ${key_id} --region ${region}`;
         execSync(add_alias_cmd);
+        //get the ebs csi role, so it can be used to add permissions to the new key
     }
+    // disabled for now, as we need to test that it assigns the permissions correctly before enable customer eks 
+    // for encription.
+    //else { //if alias found, then get the key id
+    //    key_id = cmd_results.replace(/"/g, ''); //remove quotes from string
+    //}
+    //give_kms_access_to_ebs_csi_role(stackName, region, key_id); 
+    
 }
 
+
+/*function give_kms_access_to_ebs_csi_role(stackName: string, region: string, KeyId: string){
+    const roleName = stackName + '-awsebscsidriveriamrole';
+    const cdm_list_ebs_csi_role = `aws iam list-roles --query "Roles[?contains(RoleName, '${roleName}')].Arn" --output text`;
+    const list_roles = execSync(cdm_list_ebs_csi_role);
+    if (list_roles.toString() !== '') {
+        const policy = `{
+          "Version": "2012-10-17",
+          "Id": "key-default-1",
+          "Statement": [
+            {
+              "Sid": "Enable IAM User Permissions",
+              "Effect": "Allow",
+              "Principal": {
+                "AWS": "arn:aws:iam::381492072749:root"
+              },
+              "Action": "kms:*",
+              "Resource": "*"
+            },
+            {
+              "Sid": "Enable IAM User Permissions",
+              "Effect": "Allow",
+              "Principal": {
+                "AWS": "${list_roles.toString().trim()}"
+              },
+              "Action": [
+                "kms:Encrypt",
+                "kms:Decrypt",
+                "kms:ReEncrypt*",
+                "kms:GenerateDataKey*",
+                "kms:DescribeKey",
+                "kms:CreateGrant",
+                "kms:ListGrants",
+                "kms:RevokeGrant"
+              ],
+              "Resource": "*"
+            }
+          ]
+        }`;
+        const cmp_policy = `aws kms put-key-policy --policy-name default --key-id ${KeyId.trim()} --region ${region} --policy '${policy}'`;
+        execSync(cmp_policy);
+    } else {
+        console.log(`EBS CSI Role with name: ${roleName} already exists.`);
+    }
+}*/
 ///////////////////////////////////////////////////////////////////////////////////////////////////

lib/Easy_EKS_Config_Data.ts

@@ -3,6 +3,7 @@ import * as cdk from 'aws-cdk-lib';
 import * as eks from 'aws-cdk-lib/aws-eks';
 import * as ec2 from 'aws-cdk-lib/aws-ec2';
 import * as iam from 'aws-cdk-lib/aws-iam';
+import * as kms from 'aws-cdk-lib/aws-kms';
 import { execSync } from 'child_process';
 import { validateTag } from './Utilities';
 
@@ -23,6 +24,7 @@ export class Easy_EKS_Config_Data { //This object just holds config data.
     clusterAdminAccessEksApiArns?: string[];
     clusterViewerAccessAwsAuthConfigmapAccounts?: string[]; //only aws-auth configmap supports accounts
     kmsKeyAlias: string; //kms key with this alias will be created or reused if pre-existing
+    kmsKey: kms.IKey; //store pre-existing KMS key
     baselineNodesNumber: number;
     baselineNodesType: eks.CapacityType; //enum eks.CapacityType.SPOT or eks.CapacityType.ON_DEMAND
     workerNodeRole: iam.Role; //used by baselineMNG & Karpenter
@@ -119,5 +121,7 @@ export class Easy_EKS_Config_Data { //This object just holds config data.
         if(kms_key_alias.startsWith('alias/')){ this.kmsKeyAlias = kms_key_alias; }
         else{ this.kmsKeyAlias = `alias/${kms_key_alias}`; }
     }
-
+    setKmsKey(stack: cdk.Stack){
+        this.kmsKey = kms.Key.fromLookup(stack, 'pre-existing-kms-key', { aliasName: this.kmsKeyAlias });
+    } 
 }//end of Easy_EKS_Config_Data