
SDP-2091 chore: update cloudformation stacks#1140

Merged
hypekostas merged 15 commits into
developfrom
chore/SDP-2091-update-cloudformation-stacks
Jun 12, 2026

Conversation

@hypekostas hypekostas commented Jun 3, 2026


What

Updated the cloudformation/eks deployment templates, supporting Helm/ExternalSecret manifests and the deployment README.

A summary of notable changes:

For all stacks and templates: removed redundant/dead parameters, resources and code blocks.

sdp-network-eks.yaml (network stack)

  • Added an ExistingVPCCidr parameter for the bring-your-own-VPC path.
  • Fixed bug with VPCCidr output being empty when no VPC is created.

sdp-keys-eks.yaml (secrets stack)

  • Added all secrets as parameters. Optional secrets are created only if supplied.
  • Reworked key generation: the Lambda now also derives a keypair from a provided seed (not only random generation), gated on whether the public key was supplied (fixes empty-SecretString failure when seed was provided without its public key). Generation/derivation infra is created only when needed (NeedKeyGeneration).
  • Bumped the layer/function runtime to nodejs22.x.
  • Gave distribution-account encryption passphrase its own independent generated key (no key now serves double duty).

sdp-eks.yaml (EKS cluster stack)

  • Bumped cluster from unsupported Kubernetes to 1.32 (previously caused CREATE_FAILED: unsupported Kubernetes version).
  • Bumped OIDC-helper Lambda runtime to python3.12.
  • Removed node instance role's secretsmanager:GetSecretValue grant (over-permissive and redundant).

helm/values-testnet.yaml / helm/values-mainnet.yaml

  • Fixed the hardcoded /sdp/dev/ secret paths in mainnet file.
  • Moved around public and secret values to their correct fields.

helm/sdp-secrets-dev.yaml

  • Filename now env agnostic; env injected when running external secret creation command.
  • Removed hardcoded remoteRef entries. All secrets from sdp-keys-eks.yaml that have values now imported.

README.md

  • Fixed broken shell snippets and stale references
  • Added new shell snippets to simplify / assist
  • Added the Route53 public-hosted-zone prerequisite
  • Split the keys-stack step into testnet (auto-generate, including building/uploading the Lambda layer) vs. mainnet (bring-your-own secrets)
  • Bumped the ingress-nginx chart pin to 4.15.1 (to match Kubernetes 1.32).

.github/copilot-instructions.md

  • Added new section for configuration / deployment changes

Why

The cloudformation/eks folder has a mix of deployment-blocking bugs, inconsistency between keys stack/External Secrets/Helm values, and a README with broken commands.

These changes make the EKS deployment guide functional, internally consistent, more secure and better documented for prospective SDP operators.

Known limitations

The following are noted in the README:

  • Keys stack contains insecure default values that the deployer is instructed to override for prod environments.
  • Secrets and helm values contain only minimum required values. The deployer must manually add all additional parameters/values desired (e.g. for messaging and embedded wallet support).
  • ingress-nginx is archived (EOL as of March 2026) and pinned to the last release (4.15.1). A future migration off ingress-nginx (e.g. Gateway API) will eventually be needed.

Checklist

  • Title follows SDP-1234: Add new feature or Chore: Refactor package xyz format. The Jira ticket code was included if available.
  • PR has a focused scope and doesn't mix features with refactoring
  • Tests are included (if applicable)
  • CHANGELOG.md is updated (if applicable)
  • If contracts changed, run the Contract WASM Artifacts workflow and open a PR to update the WASMs on dev
  • CONFIG/SECRETS changes are updated in helmcharts and deployments (if applicable)
  • Preview deployment works as expected
  • Ready for production

@hypekostas hypekostas self-assigned this Jun 3, 2026
Copilot AI review requested due to automatic review settings June 3, 2026 10:06

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: ba174c1e09

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".


Copilot AI left a comment


Pull request overview

Updates the cloudformation/eks deployment stack templates and accompanying operator-facing manifests/docs to make SDP’s EKS deployment flow more consistent, secure, and usable (including newer runtimes and Kubernetes version), while pruning legacy/dead config.

Changes:

  • Network stack: adds bring-your-own-VPC CIDR support, improves AZ selection, and standardizes resource tags.
  • Keys + EKS stacks: reworks key generation/derivation logic, bumps Lambda runtimes, tightens Secrets Manager IAM scope, and bumps EKS Kubernetes version.
  • Operator assets: refreshes the EKS deployment README plus example Helm values and ExternalSecret manifests (dev/prod).

Reviewed changes

Copilot reviewed 12 out of 12 changed files in this pull request and generated 4 comments.

Summary per file:

  • cloudformation/eks/sdp-network-eks.yaml: Adds existing-VPC CIDR parameter, updates AZ selection, standardizes tags, and adjusts VPC CIDR output behavior.
  • cloudformation/eks/sdp-keys.yaml: Removes legacy keys stack template (superseded by EKS-focused template).
  • cloudformation/eks/sdp-keys-eks.yaml: Reworks secrets/key generation logic, bumps Node runtime, and rationalizes secrets created for EKS deployments.
  • cloudformation/eks/sdp-eks.yaml: Bumps Kubernetes version, updates IRSA/IAM scoping for Secrets Manager, and removes unused/broken resources.
  • cloudformation/eks/sdp-database-eks.yaml: Prunes redundant Secrets Manager secrets and aligns parameter paths with namespace/env.
  • cloudformation/eks/README.md: Updates EKS deployment guide, adds clearer steps/snippets, and aligns operator workflow with the updated stacks.
  • cloudformation/eks/helm/values-testnet.yaml: Updates example values (image versions, secret mappings, and config placement) for testnet.
  • cloudformation/eks/helm/values-mainnet.yaml: Fixes mainnet secret paths and updates example values (image versions, config placement).
  • cloudformation/eks/helm/sdp-secrets-prod.yaml: Adds a prod ExternalSecret manifest mapping required keys from Secrets Manager.
  • cloudformation/eks/helm/sdp-secrets-dev.yaml: Updates dev ExternalSecret manifest (API version + prunes orphaned entries + adds admin account).
  • cloudformation/eks/helm/cluster-issuer.yaml: Replaces hard-coded email with a placeholder.
  • .github/copilot-instructions.md: Adds deployment/config-specific review reminders for future PRs.


@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: d2af47c182


@hypekostas hypekostas requested a review from marwen-abid June 11, 2026 12:53

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 2b4330aaac


@hypekostas hypekostas changed the title Chore/sdp 2091 update cloudformation stacks SDP-2091 chore: update cloudformation stacks Jun 11, 2026
@chatgpt-codex-connector


Codex usage limits have been reached for code reviews. Please check with the admins of this repo to increase the limits by adding credits.
Credits must be used to enable repository wide code reviews.

@hypekostas hypekostas merged commit dc72a4a into develop Jun 12, 2026
16 checks passed
@hypekostas hypekostas deleted the chore/SDP-2091-update-cloudformation-stacks branch June 12, 2026 17:43