Deploy the harbor-operator helm chart on Azure Kubernetes Service (AKS)

Question

Pulumi · Accepted Answer

To deploy the `harbor-operator` Helm chart on an Azure Kubernetes Service (AKS) cluster via Pulumi, you will follow these general steps:

1. Create an AKS cluster if you don't already have one. An AKS cluster is a managed Kubernetes service provided by Azure which simplifies the deployment and management of Kubernetes.

2. Once your AKS cluster is ready, configure Kubectl to connect to your AKS cluster. This step is crucial for Helm to interact with the cluster and deploy applications.

3. Install the `harbor-operator` Helm chart on your AKS cluster. The Helm chart contains a collection of files that describe a related set of Kubernetes resources, and it may require certain configuration values which can be set before deploying the chart.

Let's translate these steps into Pulumi code using TypeScript.

Firstly, ensure you have installed Pulumi and configured it to use the Azure provider. If you have not already done this, you can follow the installation instructions on the Pulumi website.

Below is the TypeScript program using Pulumi to create an AKS cluster and then deploy the `harbor-operator` Helm chart. Make sure you have Pulumi installed and configured with your Azure account.

```typescript
import * as pulumi from "@pulumi/pulumi";
import * as k8s from "@pulumi/kubernetes";
import * as azure from "@pulumi/azure";
import * as azuread from "@pulumi/azuread";
import * as random from "@pulumi/random";

// Create an Azure Resource Group
const resourceGroup = new azure.core.ResourceGroup("aksResourceGroup", {
    location: "East US", // Change to the appropriate Azure region
});

// Create an AD service principal for the AKS cluster.
const adApp = new azuread.Application("aks");
const adSp = new azuread.ServicePrincipal("aksSp", {applicationId: adApp.applicationId});
const password = new random.RandomPassword("password", {
    length: 20,
    special: true,
});
const adSpPassword = new azuread.ServicePrincipalPassword("aksSpPassword", {
    servicePrincipalId: adSp.id,
    value: password.result,
    endDate: "2099-01-01T00:00:00Z",
});

// Grant networking permissions to the service principal (required for AKS creation).
const assignment = new azure.authorization.Assignment("role-assignment", {
    principalId: adSp.id,
    scope: resourceGroup.id,
    roleDefinitionName: "Network Contributor",
});

// Create an AKS cluster.
const aksCluster = new azure.containerservice.KubernetesCluster("aksCluster", {
    resourceGroupName: resourceGroup.name,
    location: resourceGroup.location,
    agentPoolProfiles: [{
        name: "aksagentpool",
        count: 3,
        vmSize: "Standard_DS2_v2",
    }],
    dnsPrefix: `${pulumi.getStack()}-kube`,
    linuxProfile: {
        adminUsername: "aksuser",
        sshKey: {
            keyData: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD..." // replace with your own SSH public key
        },
    },
    servicePrincipal: {
        clientId: adApp.applicationId,
        clientSecret: adSpPassword.value,
    },
    kubernetesVersion: "1.14.6",
}, {dependsOn: [assignment]});

// Export the kubeconfig for the cluster
export const kubeconfig = aksCluster.kubeConfigRaw;

// Create a Kubernetes provider instance that uses our cluster from above.
const k8sProvider = new k8s.Provider("k8sProvider", {
    kubeconfig: kubeconfig,
});

// Deploy the harbor-operator Helm chart using the k8s provider.
const harborOperatorChart = new k8s.helm.v3.Chart("harbor-operator", {
    chart: "harbor-operator",
    version: "1.1.1", // Specify the version of the Harbor Operator you want to deploy
    fetchOpts: {
        repo: "https://helm.goharbor.io", // Replace with the Harbor Operator Helm chart repository
    },
}, { provider: k8sProvider });

// Export the Harbor operator deployment name
export const harborOperatorName = harborOperatorChart.getResource("v1/Service", "harbor-operator", "harbor-operator").metadata.name;
```

Here is the breakdown of the code above:

- The `azurerm_resource_group` resource will create an Azure Resource Group where you will deploy the AKS cluster.

- The `azuread_application` and `azuread_service_principal` resources set up an Azure Active Directory service principal which will be used by AKS for creating resources in your subscription like Load Balancers, Managed Disks, etc.

- The `azuread_service_principal_password` resource creates a password for the service principal.

- The `azure_authorization_role_assignment` resource assigns the "Network Contributor" role to the service principal for your resource group which allows the AKS cluster to interact with network resources.

- `azure.containerservice.KubernetesCluster` resource creates an AKS cluster. You will see that it references the service principal credentials. It also takes an SSH public key to allow secure access to the nodes within the cluster.

- We export the raw KubeConfig of the cluster which can be used to access the cluster via `kubectl`.

- Next, we create a Pulumi Kubernetes provider, referencing the kubeconfig from our AKS cluster. This provider is responsible for deploying Kubernetes resources.

- The `kubernetes.helm.v3.Chart` resource deploys the `harbor-operator` Helm chart to the AKS cluster. This resource references the `k8sProvider` which contains the necessary configuration to connect and authenticate with our AKS cluster.

- Finally, we export the name of the Harbor operator service which can be used to interact with the Harbor deployment.

Remember to replace the SSH public key, Helm chart version, and Helm chart repository with the appropriate values for your deployment.

After you've reviewed the code, you can deploy it using `pulumi up`. Pulumi will print out the status of resources as it creates them. After the deployment is complete, `harbor-operator` should be running in the AKS cluster. Use `kubectl` with the exported kubeconfig to manage your new Harbor installation.