Merge pull request #5 from aws-samples/fixes-jan25

Fixes jan25

Author: samkool

lib/alb_controller_iam_policy.json

@@ -38,7 +38,8 @@
                 "elasticloadbalancing:DescribeTargetGroups",
                 "elasticloadbalancing:DescribeTargetGroupAttributes",
                 "elasticloadbalancing:DescribeTargetHealth",
-                "elasticloadbalancing:DescribeTags"
+                "elasticloadbalancing:DescribeTags",
+                "elasticloadbalancing:DescribeListenerAttributes"
             ],
             "Resource": "*"
         },

lib/posit-db.ts

@@ -24,6 +24,12 @@ export class DbStack extends cdk.NestedStack {
         reason: 'Adds complexity and will break the solution without Kube restart. As a solution starter this is not required.'
       },
     ])
+    NagSuppressions.addStackSuppressions(this, [
+      {
+        id: 'AwsSolutions-RDS10',
+        reason: 'Conflicts with stack deletion.'
+      },
+    ])
     NagSuppressions.addStackSuppressions(this, [
       {
         id: 'AwsSolutions-RDS6',
@@ -52,8 +58,8 @@ export class DbStack extends cdk.NestedStack {
         instanceType: ec2.InstanceType.of(ec2.InstanceClass.R6G, ec2.InstanceSize.XLARGE),
       }),
       vpc: props.vpc,
-      deletionProtection: true,
-      removalPolicy: cdk.RemovalPolicy.RETAIN,
+      deletionProtection: false,
+      removalPolicy: cdk.RemovalPolicy.DESTROY,
       securityGroups: [this.clusterSg]
     })
 

lib/posit-eks.ts

@@ -54,7 +54,7 @@ export class EksStack extends cdk.NestedStack {
         subnetIds: props.vpc.privateSubnets.map(subnet => subnet.subnetId),
         endpointPrivateAccess: true
       },
-      version: '1.29', // eks.KubernetesVersion.V1_28.version
+      version: '1.30',
       logging: {
         clusterLogging: {
           enabledTypes: [
@@ -82,7 +82,6 @@ export class EksStack extends cdk.NestedStack {
       assumedBy: new iam.ServicePrincipal('ec2.amazonaws.com'),
       managedPolicies: [
         iam.ManagedPolicy.fromAwsManagedPolicyName('AmazonEKSWorkerNodePolicy'),
-        // needed at first, otherwise node group doesn't join cluster
         iam.ManagedPolicy.fromAwsManagedPolicyName('AmazonEKS_CNI_Policy'),
         iam.ManagedPolicy.fromAwsManagedPolicyName('AmazonEC2ContainerRegistryReadOnly'),
         iam.ManagedPolicy.fromAwsManagedPolicyName('AmazonSSMManagedInstanceCore'),

package.json

@@ -14,8 +14,8 @@
     "@types/jest": "^29.5.8",
     "@types/node": "20.9.1",
     "@typescript-eslint/eslint-plugin": "^6.21.0",
-    "aws-cdk": "2.126.0",
-    "cdk8s-cli": "^2.198.45",
+    "aws-cdk": "2.173.1",
+    "cdk8s-cli": "^2.198.248",
     "eslint": "^8.56.0",
     "eslint-config-standard-with-typescript": "^43.0.1",
     "eslint-plugin-import": "^2.29.1",
@@ -27,10 +27,10 @@
     "typescript": "^5.3.3"
   },
   "dependencies": {
-    "aws-cdk-lib": "2.126.0",
-    "cdk-nag": "^2.28.149",
+    "aws-cdk-lib": "2.173.1",
+    "cdk-nag": "^2.34.23",
     "cdk8s": "^2.68.35",
-    "cdk8s-plus-25": "^2.22.75",
+    "cdk8s-plus-25": "^2.22.2",
     "constructs": "^10.0.0",
     "dotenv": "^16.4.1",
     "source-map-support": "^0.5.21"

scripts/cert-install.sh

@@ -4,7 +4,7 @@ source "./scripts/utils.sh"
 # Define your domain
 export_env_from_file "./.env"
 if ! aws eks update-kubeconfig --name $EKS_CLUSTER_NAME; then exit; fi
-DOMAIN=$(kubectl get ingress traefik -n traefik -o json | jq -r ".status.loadBalancer.ingress[0].hostname")
+export LB_NAME="${EKS_CLUSTER_NAME}-alb"
 
 # Check if ACM certificate exists for the domain
 certificate_arn=$(aws acm list-certificates --query "CertificateSummaryList[?DomainName=='$DOMAIN'].CertificateArn" --output text)
@@ -13,18 +13,18 @@ if [ -n "$certificate_arn" ]; then
     echo "Certificate already exists for $DOMAIN with ARN: $certificate_arn"
 else
     echo "Certificate doesn't exist for $DOMAIN. Generating one..."
-    openssl genrsa -out "$DOMAIN.key" 2048
-    openssl req -new -key "$DOMAIN.key" -out "$DOMAIN.csr" -subj "/CN=$DOMAIN"
-    openssl x509 -req -days 365 -in "$DOMAIN.csr" -signkey "$DOMAIN.key" -out "$DOMAIN.crt"
-    aws acm import-certificate --certificate fileb://"$DOMAIN.crt" --private-key fileb://"$DOMAIN.key"
+    openssl genrsa -out "$LB_NAME.key" 2048
+    openssl req -new -key "$LB_NAME.key" -out "$LB_NAME.csr" -subj "/CN=$DOMAIN"
+    openssl x509 -req -days 365 -in "$LB_NAME.csr" -signkey "$LB_NAME.key" -out "$LB_NAME.crt"
+    aws acm import-certificate --certificate fileb://"$LB_NAME.crt" --private-key fileb://"$LB_NAME.key"
 
     rm "$DOMAIN.key" "$DOMAIN.csr" "$DOMAIN.crt"
     echo "Certificate has been generated and added to ACM for $DOMAIN"
 fi
 
 #Get ALB from domain name
 certificate_arn=$(aws acm list-certificates --query "CertificateSummaryList[?DomainName=='$DOMAIN'].CertificateArn" --output text)
-alb=$(aws elbv2 describe-load-balancers --query "LoadBalancers[?DNSName=='$DOMAIN'].LoadBalancerArn" --output text)
+alb=$(aws elbv2 describe-load-balancers --names $LB_NAME --query 'LoadBalancers[0].LoadBalancerArn' --output text)
 
 #Get data, copy HTTP Rule directly
 https_listener=$(aws elbv2 describe-listeners --load-balancer-arn $alb --query "Listeners[?Protocol=='HTTPS'].ListenerArn" --output text)

scripts/manifests/aws-lb-controller-ingress.yaml

@@ -7,7 +7,7 @@ metadata:
   annotations:
     alb.ingress.kubernetes.io/backend-protocol: HTTP
     alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}]'
-    alb.ingress.kubernetes.io/load-balancer-name: posit-sce-alb
+    alb.ingress.kubernetes.io/load-balancer-name: ${LB_NAME}
     alb.ingress.kubernetes.io/scheme: internet-facing
     alb.ingress.kubernetes.io/success-codes: 200-404
     alb.ingress.kubernetes.io/target-type: instance

scripts/manifests/posit-helm-workbench.yaml

@@ -25,11 +25,11 @@ userCreate: true
 session:
   image:
     repository: rstudio/r-session-complete
-    tagPrefix: ubuntu2204-2023.12.1-402.pro1
+    tag: ubuntu2204
 
 image:
   repository: rstudio/rstudio-workbench
-  tag: ubuntu2204-2023.12.1-402.pro1
+  tag: ubuntu2204
 
 service:
   type: ClusterIP
@@ -65,6 +65,8 @@ config:
       # These settings apply to Jupyter Notebook and JupyterLab IDE sessions
       session-cull-minutes: 60
       session-shutdown-minutes: 5
+    vscode.conf:
+      enabled: 1
   profiles:
     launcher.kubernetes.profiles.conf:
       "*":
@@ -76,3 +78,8 @@ config:
         default-mem-mb: "1024"
         max-cpus: "12.0"
         max-mem-mb: "16384"
+prometheus:
+  enabled: false
+  legacy: false
+prometheusExporter:
+  enabled: false

scripts/posit-install.sh

@@ -27,7 +27,7 @@ load_secrets() {
 
 # Function to check the status of the load balancer
 check_load_balancer_status() {
-    lb_status=$(aws elbv2 describe-load-balancers --names 'posit-sce-alb' --query 'LoadBalancers[0].State.Code' --output text)
+    lb_status=$(aws elbv2 describe-load-balancers --names $LB_NAME --query 'LoadBalancers[0].State.Code' --output text)
 
     # Check if the load balancer is active
     if [ "$lb_status" == "active" ]; then
@@ -78,6 +78,7 @@ NC="\e[0m"
 set_defaults
 export_env_from_file "./.env"
 RDS_PARAMS=$(load_secrets $POSTGRES_SECRET)
+export LB_NAME="${EKS_CLUSTER_NAME}-alb"
 
 # 1.1 Configure EKS Cluster
 printf "${BLUE}------------------------------------------------------${NC} \n"
@@ -119,13 +120,15 @@ kubectl wait --namespace traefik --for=condition=available deployment/traefik --
 
 # 4. Create Ingress (creates LB)
 envsubst < scripts/manifests/aws-lb-controller-ingress.yaml | kubectl apply -f -
+sleep 5
 check_load_balancer_status
 
-export LB=$(kubectl get ingress traefik -n traefik -o json | jq -r ".status.loadBalancer.ingress[0].hostname")
+export LB_URL=$(aws elbv2 describe-load-balancers --names $LB_NAME --query 'LoadBalancers[0].DNSName' --output text)
+printf "Loadbalancer DNS: ${LB_URL}" 
 if $domain; then
     export DOMAIN=$domain
 else 
-    export DOMAIN=$LB
+    export DOMAIN=$LB_URL
 fi
 
 # 5. Setup POSIT PV's
@@ -164,7 +167,7 @@ printf "${BLUE}------------------------------------------------------${NC} \n"
 printf "${BLUE}Installing & configuring the Workbench helm chart (Max. 30 seconds) ${NC} \n"
 printf "${BLUE}------------------------------------------------------${NC} \n"
 kubectl config set-context --current --namespace=posit-workbench
-envsubst < ./scripts/manifests/posit-helm-workbench.yaml | helm upgrade --install rstudio-workbench-prod rstudio/rstudio-workbench \
+envsubst < ./scripts/manifests/posit-helm-workbench.yaml | helm upgrade --install rstudio-workbench-prod rstudio/rstudio-workbench --version 0.8.9 \
     --set license.key="${PWB_LICENSE}" \
     --set config.secret.'database\.conf'.password="${POSTGRES_PASSWORD}" \
     -f -