--- AWSTemplateFormatVersion: 2010-09-09 Description: "This template deploys the 3decision helm chart, as well as related helm and kubernetes resources. (qs-1snm79fel)." Metadata: cfn-lint: { config: { ignore_checks: [ E3001 ] } } LintSpellExclude: - Discngine - 3decision Parameters: TNamespace: Default: tdecision Type: String JWTPrivateKey: Type: String NoEcho: true JWTPublicKey: Type: String EKSClusterName: Type: String DBConnectionString: Type: String DataPubVolumeID: Type: String DomainName: Type: String CertificateArn: Type: String HostString: Type: String DBName: Type: String LoadBalancerType: Type: String AzureClientId: Type: String AzureTenant: Type: String AzureSecret: Type: String AzureRedirectUri: Type: String OktaClientId: Type: String OktaSecret: Type: String OktaDomain: Type: String OktaServerId: Type: String OktaRedirectUri: Type: String MainSubdomain: Type: String ApiSubdomain: Type: String HelpSubdomain: Type: String LoadBalancerClass: Type: String EKSServiceCidr: Type: String SecretRoleArn: Type: String Conditions: AzureUnused: !Equals [!Ref AzureClientId, ""] OktaUnused: !Equals [!Ref OktaClientId, ""] NginxLB: !Equals [!Ref LoadBalancerClass, "nginx"] ServiceCidrSecondary: !Equals [!Ref EKSServiceCidr, "10.100.0.0/16"] Resources: EncryptedStorageClass: Type: "AWSQS::Kubernetes::Resource" Properties: ClusterName: !Ref EKSClusterName Namespace: 'default' Manifest: | apiVersion: storage.k8s.io/v1 kind: StorageClass metadata: name: gp2-encrypted parameters: fsType: ext4 type: gp2 encrypted: "true" provisioner: kubernetes.io/aws-ebs reclaimPolicy: Delete volumeBindingMode: WaitForFirstConsumer TDecisionNamespace: Type: "AWSQS::Kubernetes::Resource" UpdateReplacePolicy: Retain DeletionPolicy: Retain Properties: ClusterName: !Ref EKSClusterName Namespace: 'kube-system' Manifest: !Sub | kind: Namespace apiVersion: v1 metadata: name: ${TNamespace} ChoralNamespace: Type: "AWSQS::Kubernetes::Resource" UpdateReplacePolicy: Retain DeletionPolicy: Retain Properties: ClusterName: !Ref EKSClusterName Namespace: 'kube-system' Manifest: | kind: Namespace apiVersion: v1 metadata: name: choral CertManager: Type: "AWSQS::Kubernetes::Helm" Metadata: { cfn-lint: { config: { ignore_checks: [ E3012 ] } } } Properties: ClusterID: !Ref EKSClusterName Name: cert-manager Namespace: cert-manager Repository: https://charts.jetstack.io Chart: cert-manager Version: 1.8.0 Values: installCRDs: true IngressNginx: Type: "AWSQS::Kubernetes::Helm" Condition: NginxLB Metadata: { cfn-lint: { config: { ignore_checks: [ E3012 ] } } } Properties: ClusterID: !Ref EKSClusterName Name: ingress-nginx Namespace: ingress-nginx Repository: https://kubernetes.github.io/ingress-nginx Chart: ingress-nginx RedisChart: Type: "AWSQS::Kubernetes::Helm" Metadata: { cfn-lint: { config: { ignore_checks: [ E3012 ] } } } DependsOn: EncryptedStorageClass Properties: ClusterID: !Ref EKSClusterName Name: sentinel Namespace: redis-cluster Chart: oci://fra.ocir.io/discngine1/3decision_kube/redis-sentinel:16.3.1 Values: global.storageClass: gp2-encrypted ExternalSecretsOperator: Type: "AWSQS::Kubernetes::Helm" Metadata: { cfn-lint: { config: { ignore_checks: [ E3012 ] } } } Properties: ClusterID: !Ref EKSClusterName Name: external-secrets Namespace: external-secrets Repository: https://charts.external-secrets.io Chart: external-secrets Reloader: Type: "AWSQS::Kubernetes::Helm" Metadata: { cfn-lint: { config: { ignore_checks: [ E3012 ] } } } Properties: ClusterID: !Ref EKSClusterName Name: reloader Namespace: reloader Repository: https://stakater.github.io/stakater-charts Chart: reloader JWTSecret: Type: "AWSQS::Kubernetes::Resource" DependsOn: TDecisionNamespace Properties: ClusterName: !Ref EKSClusterName Namespace: !Ref TNamespace Manifest: !Sub | kind: Secret apiVersion: v1 type: opaque metadata: name: 3decision-jwt-secret namespace: ${TNamespace} data: id_rsa: ${JWTPrivateKey} id_rsa.pub: ${JWTPublicKey} NestAuthSecret: Type: "AWSQS::Kubernetes::Resource" DependsOn: TDecisionNamespace Properties: ClusterName: !Ref EKSClusterName Namespace: !Ref TNamespace Manifest: !Sub | kind: Secret apiVersion: v1 type: opaque metadata: name: nest-authentication-secrets namespace: ${TNamespace} stringData: AZURE_TENANT: "${AzureTenant}" AZURE_SECRET: "${AzureSecret}" OKTA_DOMAIN: "${OktaDomain}" OKTA_SERVER_ID: "${OktaServerId}" OKTA_SECRET: "${OktaSecret}" DatabaseSecrets: Type: "AWSQS::Kubernetes::Resource" DependsOn: [ TDecisionNamespace, ChoralNamespace, ExternalSecretsOperator ] Properties: ClusterName: !Ref EKSClusterName Namespace: external-secrets Manifest: !Sub | --- apiVersion: external-secrets.io/v1beta1 kind: ClusterSecretStore metadata: name: aws-secret-store spec: provider: aws: service: SecretsManager region: ${AWS::Region} role: ${SecretRoleArn} --- apiVersion: external-secrets.io/v1beta1 kind: ClusterExternalSecret metadata: name: database-secrets spec: externalSecretName: database-secrets namespaceSelector: matchExpressions: - {key: kubernetes.io/metadata.name, operator: In, values: [${TNamespace}, choral]} refreshTime: 1m externalSecretSpec: refreshInterval: 1m secretStoreRef: name: aws-secret-store kind: ClusterSecretStore target: name: database-secrets creationPolicy: Owner data: - secretKey: SYS_DB_PASSWD remoteRef: key: 3dec-admin-db property: password - secretKey: DB_PASSWD remoteRef: key: 3dec-user-db property: password - secretKey: ORACLE_PASSWORD remoteRef: key: 3dec-user-db property: password - secretKey: CHEMBL_DB_PASSWD remoteRef: key: 3dec-chembl-db property: password - secretKey: CHORAL_DB_PASSWD remoteRef: key: 3dec-choral-db property: password TdecisionChart: Type: "AWSQS::Kubernetes::Helm" DependsOn: [ JWTSecret, EncryptedStorageClass, NestAuthSecret, DatabaseSecrets, CertManager ] Metadata: { cfn-lint: { config: { ignore_checks: [ E3012 ] } } } Properties: ClusterID: !Ref EKSClusterName Name: tdecision Namespace: !Ref TNamespace Chart: oci://fra.ocir.io/discngine1/3decision_kube/3decision-helm:2.1.5 Values: nodeCloud.volumes.jwtSecret.name: 3decision-jwt-secret oracle.connectionString: !Ref DBConnectionString oracle.hostString: !Ref HostString oracle.pdbString: !Ref DBName volumes.storageClassName: gp2-encrypted wikijs.pvc.storageClassName: gp2-encrypted volumes.claimPods.backend.publicdata.awsElasticBlockStore.fsType: ext4 volumes.claimPods.backend.publicdata.awsElasticBlockStore.volumeID: !Ref DataPubVolumeID volumes.claimPods.backend.publicdata.awsElasticBlockStore.availabilityZone: !Select [ 0, Fn::GetAZs: !Ref 'AWS::Region' ] ingress.host: !Ref DomainName ingress.certificateArn: !Ref CertificateArn ingress.visibility: !Ref LoadBalancerType ingress.ui.host: !Ref MainSubdomain ingress.api.host: !Ref ApiSubdomain ingress.wikijs.host: !Ref HelpSubdomain ingress.class: !Ref LoadBalancerClass nest.env.azure_client_id.name: "AZURE_CLIENT_ID" nest.env.azure_client_id.value: !If [ AzureUnused, "none", !Ref AzureClientId ] nest.env.azure_redirect_uri.name: "AZURE_REDIRECT_URI" nest.env.azure_redirect_uri.value: !Ref AzureRedirectUri nest.env.okta_client_id.name: "OKTA_CLIENT_ID" nest.env.okta_client_id.value: !If [ OktaUnused, "none", !Ref OktaClientId ] nest.env.okta_redirect_uri.name: "OKTA_REDIRECT_URI" nest.env.okta_redirect_uri.value: !Ref OktaRedirectUri nfs.public.serviceIP: !If [ ServiceCidrSecondary, "10.100.10.10", "172.20.10.10" ] nfs.private.serviceIP: !If [ ServiceCidrSecondary, "10.100.10.11", "172.20.10.11" ] ChoralChart: Type: "AWSQS::Kubernetes::Helm" DependsOn: DatabaseSecrets Metadata: { cfn-lint: { config: { ignore_checks: [ E3012 ] } } } Properties: ClusterID: !Ref EKSClusterName Name: choral Namespace: choral Chart: oci://fra.ocir.io/discngine1/3decision_kube/choral-helm:1.1.6 Values: oracle.connectionString: !Ref DBConnectionString pvc.storageClassName: gp2-encrypted