Sunbird-RC
diff --git a/‎README.md‎
Lines changed: 9 additions & 3 deletions b/‎README.md‎
Lines changed: 9 additions & 3 deletions
diff --git a/‎bin/sunbirdrc2-cdk.ts‎
Lines changed: 1 addition & 1 deletion b/‎bin/sunbirdrc2-cdk.ts‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎documentation/01-Deployment-CDK-Sunbirdrc2.md‎
Lines changed: 39 additions & 23 deletions b/‎documentation/01-Deployment-CDK-Sunbirdrc2.md‎
Lines changed: 39 additions & 23 deletions
diff --git a/‎documentation/imgs/aws-cdk-diagrams-Page-4.jpg‎
72.8 KB b/‎documentation/imgs/aws-cdk-diagrams-Page-4.jpg‎
72.8 KB
diff --git a/‎helm/vault-init/Chart.yaml‎
Lines changed: 1 addition & 1 deletion b/‎helm/vault-init/Chart.yaml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎helm/vault-init/templates/init-sa-role.yaml‎
Lines changed: 1 addition & 0 deletions b/‎helm/vault-init/templates/init-sa-role.yaml‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎helm/vault-init/templates/service.yaml‎
Lines changed: 0 additions & 15 deletions b/‎helm/vault-init/templates/service.yaml‎
Lines changed: 0 additions & 15 deletions
diff --git a/‎lib/eks-ec2-stack.ts‎
Lines changed: 8 additions & 7 deletions b/‎lib/eks-ec2-stack.ts‎
Lines changed: 8 additions & 7 deletions
diff --git a/‎lib/helm-vault-stack.ts‎
Lines changed: 3 additions & 0 deletions b/‎lib/helm-vault-stack.ts‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎lib/vpc-stack.ts‎
Lines changed: 4 additions & 5 deletions b/‎lib/vpc-stack.ts‎
Lines changed: 4 additions & 5 deletions
@@ -2,7 +2,13 @@
 
 
 ### Description
-Sunbird RC 2.0 is an interoperable and unified registry infrastructure that needs to be established to enable "live," "reusable," and "trustworthy" registries as a "single source of truth" to address the three core issues mentioned. To learn more about Sunbird RC, please visit [SunbirdRC 2.0](https://docs.sunbirdrc.dev/).
+Sunbird RC 2.0 is an interoperable and unified registry infrastructure that needs to be established to enable "live," "reusable," and "trustworthy" registries as a "single source of truth" to address the three core issues mentioned.
+
+**Sunbird-RC has two core components:**
+[Registry](https://rc.sunbird.org/learn/technical-overview/registry/high-level-architecture)
+[Credentialling](https://rc.sunbird.org/learn/technical-overview/credentialling/high-level-architecture)
+
+To learn more about Sunbird RC, please visit [SunbirdRC 2.0](https://docs.sunbirdrc.dev/).
 
 ### Packaging overview
 This packaging initiative offers a practical approach to increase the adoption, streamline deployment and management of Sunbird RC 2.0 building blocks on AWS by providing a reference architecture and one-click deployment automation scripts. It allows builders to manage AWS resource provisioning and application deployment in a programmatic and repeatable way.
@@ -23,9 +29,9 @@ An alternative deployment approach accommodates users with existing essential AW
 * [Helm Chart Deployment](documentation/02-Deployment-Helm-Sunbirdrc2.md)
 
 ### Sunbird RC 2.0 reference architecture
-Required AWS services to operate the core Sunbird RC 2.0 registry services:
+Required AWS services to operate the core Sunbird RC 2.0 registry and credentialling services:
 * Amazon VPC
-* Amazon RDS for PostgreSQL Serverless V2
+* Amazon RDS for PostgreSQL
 * Amazon Elastic Kubernetes Service (Amazon EKS)
 * Elastic Load Balancing (ELB)
 
 
@@ -43,7 +43,7 @@ const rds = new rdsStack(app, "rdsstacksbrc2", {
     rdspassword: config.RDS_PASSWORD,
 });
 
-// Provision target EKS with Fargate Cluster within the VPC
+// Provision target EKS cluster with PRIVATE access
 const eksCluster = new eksec2Stack(app, "eksstacksbrc2", {
     env: {
         region: config.REGION,
 
@@ -4,9 +4,15 @@
 
 - **AWS Account**: An AWS account to deploy AWS CDK stacks
 - **[AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html)**: Configured with AWS account
-- **Kubectl Client**: Configured with the Amazon EKS cluster. 
+- **Amazon EC2 bastion host**: For accessing a [private only Amazon EKS API](https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html) server.
+- **Kubectl Client**: Configured on Amazon EC2 bastion host with the Amazon EKS cluster. 
 - **Public Domain/Sub-Domain**: Along with SSL certificates for HTTPS.
 
+
+![AWS CDK Flow](imgs/aws-cdk-diagrams-Page-4.jpg)
+
+
+
 ### Public Domain/sub-domain
 
 Sunbird RC requires a public domain to be associated with `Registry` service.
@@ -74,25 +80,21 @@ cdk bootstrap aws://<ACCOUNT-NUMBER>/<REGION>
 
 ## Deploy CDK
 
-<<<<<<< HEAD
-   | ENVIRONMENT   VARIABLES   | EXAMPLE VALUE                                                                         | DESCRIPTION                                                                                                                                                            |
-|---------------------------|---------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| REGION                    | us-east-1                                                                             | AWS region                                                                                                                                                             |
-| ACCOUNT                   | 123456789123                                                                          | AWS 12 digit account number                                                                                                                                            |
-| CIDR                      | 10.20.0.0/16                                                                          | VPC CIDR, change it as per your   environment                                                                                                                          |
-| MAX_AZS                   | 2                                                                                     | AWS Availability Zone count,   default 2                                                                                                                               |
-| RDS_USER                  | postgres                                                                              | Database user name for core   registory service, default 'postgres'                                                                                                    |
-| RDS_PASSWORD              | NLhL*I-e54e                                                                           | Database password, used while DB   creation and passed down to Sunbrd RC services helm chart                                                                           |
-| EKS_CLUSTER_NAME          | ekscluster-sbrc2                                                                      | AWS EKS Cluster name                                                                                                                                               |
-| ROLE_ARN                  | `arn:aws:iam::<aws-account-id>:role/Admin` | Amazon EKS mastersRole, to be   associated with the system:masters RBAC group, giving super-user access to   the cluster      
-| CERT_ARN          | `arn:aws:acm:ap-south-1:<aws-account-id>:certificate/<identifier>`                                                                      | SSL Certificate Role ARN obtain from AWS Certificate Manager service    
-                                         |
-| RC_EXTERNAL_DOMAIN          | `sunbric-rc.exmaple.com`                                                                      | Domain/subdomain to be used with `registry` service and for which SSL CERT ARN is generated.    
-                                         |
-| SUNBIRD_RC_MODULES_CHOICE | RC                                                                                    | Modules to be installed as part   of this deployment. Values may be  **'R'** -     Registry,  **'C'** - Credentialing, **'RC'** - Registry and Credentialing. Default value is 'RC'  |
-=======
+| ENVIRONMENT VARIABLES       | EXAMPLE VALUE                                                       | DESCRIPTION                                                                                                                                                  |
+|----------------------------|-------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| REGION                     | us-east-1                                                       | AWS region                                                                                                                                                   |
+| ACCOUNT                    | 123456789123                                                    | AWS 12-digit account number                                                                                                                                  |
+| CIDR                       | 10.20.0.0/16                                                   | VPC CIDR, change it as per your environment                                                                                                                  |
+| MAX_AZS                    | 2                                                               | AWS Availability Zone count, default 2                                                                                                                       |
+| RDS_USER                   | postgres                                                       | Database user name for core registry service, default 'postgres'                                                                                            |
+| RDS_PASSWORD               | NLhL*I-e54e                                                   | Database password, used while DB creation and passed down to Sunbird RC services Helm chart                                                                  |
+| EKS_CLUSTER_NAME           | ekscluster-sbrc2                                              | AWS EKS Cluster name                                                                                                                                         |
+| ROLE_ARN                   | `arn:aws:iam::<aws-account-id>:role/Admin`                     | Amazon EKS mastersRole, to be associated with the system:masters RBAC group, giving super-user access to the cluster                                        |
+| CERT_ARN                   | `arn:aws:acm:ap-south-1:<aws-account-id>:certificate/<identifier>` | SSL Certificate ARN obtained from AWS Certificate Manager service                                                                                            |
+| RC_EXTERNAL_DOMAIN         | `sunbird-rc.example.com`                                        | Domain/subdomain to be used with `registry` service and for which SSL CERT ARN is generated.                                                                |
+| SUNBIRD_RC_MODULES_CHOICE  | RC                                                             | Modules to be installed as part of this deployment. Values may be **'R'** - Registry, **'C'** - Credentialing, **'RC'** - Registry and Credentialing. Default is 'RC'. |
+
 **Ensure you have updated the .env file before running following commands to begin deployment.**
->>>>>>> 934116f0a2f90356de78f18792b55e39e7f0a9fc
 
 ```
 # Emits the synthesized CloudFormation template
@@ -101,16 +103,30 @@ cdk synth
 # List CDK stack
 cdk list
 
-# Deploy single stack  - vpcstacksbrc2, rdsstacksbrc2, eksstacksbrc2,sunbirdrc2helmStacksbrc2
+Expected output:
+vpcstacksbrc2
+rdsstacksbrc2
+eksstacksbrc2
+vaulthelmstacksbrc2
+vaultinithelmstacksbrc2
+sunbirdrc2helmStacksbrc2
+
+# Deploy single stack
 cdk deploy <stack_name>
 
-# Alternatively you could also deploy all stacks and CDK would handle the sequence
+# Alternatively you could also deploy all stacks and CDK would handle the dependencies
 cdk deploy --all 
 ```
 
-After installing all the CDK stacks, verify the AWS services in the AWS web console. The stack 'sunbirdrc2helmStacksbrc2' installs the Sunbird RC 2.0 helm chart, vault helm chart and vault init helm chart to initialize and unseal the vault in the EKS cluster. It is recommended to review the [Deployment through Helm](02-Deployment-Helm-Sunbirdrc2.md) guide to become familiar with Helm charts, services, and parameters. This will be beneficial if you opt to run the Helm chart separately from the CDK, following the "Mode Two: Direct Helm Chart Invocation" approach for installing the Sunbird RC stack.
+After installing all the CDK stacks, verify the AWS services in the AWS web console such as VPC, Amazon EKS cluster and RDS Postgres instance. 
+
+The CDK creates a private only EKS cluster. You would require to have an EC2 client machine in the same VPC where EKS is deployed. The `ROLE_ARN` variable governs Amazon EKS mastersRole, giving super-user access to the cluster. If you need to grant access to additional IAM users, groups, or roles, create the necessary [EKS access entries](https://docs.aws.amazon.com/eks/latest/userguide/creating-access-entries.html) accordingly.
+
+The stack `sunbirdrc2helmStacksbrc2` installs the Sunbird RC 2.0 services' helm chart including its dependencies `vaulthelmstacksbrc2` and `vaultinithelmstacksbrc2` that initializes and unseal the vault in the EKS cluster. 
+
+It is recommended to review the [Deployment through Helm](02-Deployment-Helm-Sunbirdrc2.md) guide to become familiar with Sunbird RC 2.0 Helm charts.
 
-Follow the post installation steps to start using Sunbird RC2.0 services
+Follow the post installation steps to start using Sunbird RC 2.0 services
 
 * [Post Installation Procedure](03-Post-Installation-Procedure.md)
 
 
@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.3.0
+version: 0.4.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 
@@ -15,5 +15,6 @@ rules:
   - secrets
   verbs:
   - create
+  - delete
   - get
   - list
@@ -5,7 +5,7 @@ import * as eks from "aws-cdk-lib/aws-eks";
 import * as iam from "aws-cdk-lib/aws-iam";
 import { Construct } from "constructs";
 import { ConfigProps } from "./config";
-import { KubectlV30Layer } from '@aws-cdk/lambda-layer-kubectl-v30'
+import { KubectlV31Layer } from '@aws-cdk/lambda-layer-kubectl-v31' 
 
 export interface EksEC2StackProps extends cdk.StackProps {
     config: ConfigProps;
@@ -47,11 +47,12 @@ export class eksec2Stack extends cdk.Stack {
             vpc: vpc,
             vpcSubnets: [{ subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS }],
             defaultCapacity: 3,
-            defaultCapacityInstance: new ec2.InstanceType("t2.large"),
-            kubectlLayer: new KubectlV30Layer(this, "kubectl"),
-            version: eks.KubernetesVersion.V1_30,
-            securityGroup: securityGroupEKS,
-            endpointAccess: eks.EndpointAccess.PUBLIC_AND_PRIVATE,
+            defaultCapacityInstance: new ec2.InstanceType("t3.large"),
+            kubectlLayer: new KubectlV31Layer(this, "kubectl"),
+            version: eks.KubernetesVersion.V1_31,
+            //securityGroup: securityGroupEKS,
+            endpointAccess: eks.EndpointAccess.PRIVATE,
+            //endpointAccess: eks.EndpointAccess.PUBLIC_AND_PRIVATE,
             ipFamily: eks.IpFamily.IP_V4,
             clusterName: EKS_CLUSTER_NAME,
             mastersRole: iamRole,
@@ -60,7 +61,7 @@ export class eksec2Stack extends cdk.Stack {
             outputConfigCommand: true,
 
             albController: {
-                version: eks.AlbControllerVersion.V2_8_1,
+                version: eks.AlbControllerVersion.V2_8_2,
                 repository: "public.ecr.aws/eks/aws-load-balancer-controller",
             },
         });
 
@@ -35,6 +35,9 @@ export class helmvaultStack extends cdk.Stack {
                 },
                 server: {
                     affinity: "",
+                    dataStorage: {
+                        storageClass: "gp2", // Default storage class for EBS CSI driver.
+                    },
                     ha: {
                         enabled: true,
                         raft: {
 
@@ -8,9 +8,10 @@ type AwsEnvStackProps = StackProps & {
     config: Readonly<ConfigProps>;
 };
 
-// Provisons VPC with 3 Subnets (App, DB & Public)
+// Provisions VPC with 3 Subnets (App, DB & Public)
 export class vpcStack extends cdk.Stack {
     public readonly vpc: ec2.Vpc;
+    
     constructor(scope: Construct, id: string, props: AwsEnvStackProps) {
         super(scope, id, props);
 
@@ -20,21 +21,19 @@ export class vpcStack extends cdk.Stack {
 
         this.vpc = new ec2.Vpc(this, "sbrc2", {
             maxAzs: MAX_AZS,
-            cidr: cidr,
+            ipAddresses: ec2.IpAddresses.cidr(cidr),
             natGateways: 1,
             subnetConfiguration: [
                 {
                     cidrMask: 24,
                     name: "public-",
                     subnetType: ec2.SubnetType.PUBLIC,
                 },
-
                 {
                     cidrMask: 24,
                     name: "app-pvt-",
                     subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS,
                 },
-
                 {
                     cidrMask: 24,
                     name: "db-pvt-",
@@ -43,4 +42,4 @@ export class vpcStack extends cdk.Stack {
             ],
         });
     }
-}
+}
-Original file line number
+Diff line change
   - secrets
   verbs:
   - create
 +  - delete
   - get
   - list