1. Deploy the knative-istio-authz Helm chart on Azure Managed OpenShift Service

    TypeScript

    To deploy the knative-istio-authz Helm chart on Azure Managed Openshift Service using Pulumi, you will need to follow these steps:

    1. Set up an Azure Managed OpenShift Cluster: First, you need to create an OpenShift cluster in Azure using the azure-native.containerservice.OpenShiftManagedCluster resource. This cluster will be the foundational infrastructure on which your applications will run.

    2. Install Knative and Istio: Knative depends on Istio as the ingress gateway. Ensure that Istio is installed and properly configured before deploying Knative. Knative can be installed using Helm charts, which brings us to the next step.

    3. Deploy the Helm Chart: You will use Pulumi's native Helm Chart support to deploy the knative-istio-authz chart. The resource kubernetes.helm.v3.Chart allows Pulumi to deploy a Helm chart from a repository.

    Here is a Pulumi program written in TypeScript that illustrates these steps:

```typescript
import * as pulumi from "@pulumi/pulumi";
import * as azureNative from "@pulumi/azure-native";
import * as k8s from "@pulumi/kubernetes";

// Step 1: Set up an Azure Managed OpenShift Cluster
const resourceGroupName = "myResourceGroup";
const resourceGroup = new azureNative.resources.ResourceGroup(resourceGroupName, {
    resourceGroupName: resourceGroupName,
});

const openShiftCluster = new azureNative.containerservice.OpenShiftManagedCluster("myOpenShiftCluster", {
    resourceName: "myOpenShiftCluster",
    resourceGroupName: resourceGroup.name,
    location: "East US", // Choose an appropriate Azure region
    openShiftVersion: "v4.3", // Specify the desired OpenShift version
    networkProfile: {
        vnetCidr: "10.0.0.0/8",
    },
    masterPoolProfile: {
        count: 3,
        vmSize: "Standard_D4s_v3",
    },
    agentPoolProfiles: [{
        name: "agentpool",
        count: 3,
        vmSize: "Standard_D4s_v3",
        role: "Compute",
    }],
});

// Assuming you have already set up the k8s provider to point to the OpenShift cluster
const k8sProvider = new k8s.Provider("k8sProvider", {
    // Make sure to use the appropriate kubeconfig; the property path below must
    // match what your cluster resource actually exposes
    kubeconfig: openShiftCluster.config.clusterAdminKubeconfig.apply(c => c.kubeconfig),
});

// Step 2: Deploy Istio - This would typically be included as a separate Helm chart deployment

// Step 3: Deploy the `knative-istio-authz` Helm chart
const knativeIstioAuthzChart = new k8s.helm.v3.Chart("knative-istio-authz", {
    chart: "knative-istio-authz",
    version: "0.1.0", // Specify the version of the chart you want to deploy
    fetchOpts: {
        // This should be the repository where the knative-istio-authz chart is located
        repo: "https://knative-releases.github.io/serving/",
    },
}, { provider: k8sProvider });

// Export the cluster's kubeconfig and the public IP for accessing applications.
// The kubeconfig is a cluster-admin credential, so it is wrapped with pulumi.secret
// to keep it encrypted in state and masked in CLI output.
export const kubeconfig = pulumi.secret(
    openShiftCluster.config.clusterAdminKubeconfig.apply(c => c.kubeconfig),
);

// Use this to interact with the cluster to get additional resources and status
// For example, output the service URL of Istio Ingress Gateway
export const istioIngressIp = knativeIstioAuthzChart
    .getResourceProperty("v1/Service", "istio-ingressgateway", "status")
    .apply(status => status.loadBalancer.ingress[0].ip);
```

    Here's what each part of the code is doing:

    • Resource Group Creation: The resourceGroup object creates an Azure Resource Group that will contain the other Azure resources being provisioned.

    • OpenShift Cluster Creation: The openShiftCluster object stands up an OpenShift cluster in Azure. The location, version, and sizing details of the master and agent nodes are specified as parameters. This process might take a while.

    • Kubernetes Provider Setup: The k8sProvider object configures the Pulumi Kubernetes provider with the kubeconfig from the created OpenShift cluster. This allows Pulumi to communicate with your cluster.

    • Helm Chart Deployment: The knativeIstioAuthzChart object represents the Helm chart that you want to deploy. By setting the fetchOpts to point to the chart's repository, Pulumi knows where to fetch the chart from and which version to deploy.

    • Exports: The kubeconfig output makes it easy to use kubectl with your new OpenShift cluster, and istioIngressIp could be used to get the IP for accessing the Istio Ingress Gateway, although you would need to ensure Istio is installed prior to using this export.
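
    The kubeconfig export carries cluster-admin credentials, so it should only ever appear in stack outputs as a secret. The check below is an added example, not part of the original program: it takes the parsed result of `pulumi stack output --json` and reports any output that holds a kubeconfig in plaintext. The function names and the sample data are constructed for illustration.

```typescript
// Added example: find stack outputs that expose a kubeconfig in plaintext.
// Input is the parsed result of `pulumi stack output --json`; outputs marked
// as secrets are printed there as "[secret]" and therefore never match.

type Json = string | number | boolean | null | Json[] | { [key: string]: Json };

// Field names that carry credentials inside a kubeconfig document.
const CREDENTIAL_MARKERS = ["client-key-data", "client-certificate-data", "token"];

// True when the text is a kubeconfig (YAML or JSON) with a non-empty credential.
function looksLikeKubeconfig(text: string): boolean {
  const isConfig = /\bkind["']?\s*:\s*["']?Config\b/.test(text);
  const hasCreds = CREDENTIAL_MARKERS.some((m) =>
    new RegExp(`["']?${m}["']?\\s*:\\s*["']?[^\\s"']+`).test(text));
  return isConfig && hasCreds;
}

// Walks the outputs and returns the path of every plaintext kubeconfig found.
function findPlaintextKubeconfigs(value: Json, path = "", found: string[] = []): string[] {
  if (typeof value === "string") {
    if (looksLikeKubeconfig(value)) found.push(path);
  } else if (Array.isArray(value)) {
    value.forEach((v, i) => findPlaintextKubeconfigs(v, `${path}[${i}]`, found));
  } else if (value !== null && typeof value === "object") {
    for (const key of Object.keys(value)) {
      findPlaintextKubeconfigs(value[key], path ? `${path}.${key}` : key, found);
    }
  }
  return found;
}

// Constructed sample data (not real credentials): the same stack's outputs
// without and with the kubeconfig marked as a secret.
const SAMPLE_KUBECONFIG = [
  "apiVersion: v1",
  "kind: Config",
  "users:",
  "- name: cluster-admin",
  "  user:",
  "    client-key-data: Q09OU1RSVUNURUQ=",
].join("\n");
const unprotectedOutputs: Json = { kubeconfig: SAMPLE_KUBECONFIG, istioIngressIp: "203.0.113.10" };
const protectedOutputs: Json = { kubeconfig: "[secret]", istioIngressIp: "203.0.113.10" };

console.log(findPlaintextKubeconfigs(unprotectedOutputs)); // the exposed output paths
console.log(findPlaintextKubeconfigs(protectedOutputs));   // nothing to report
```

    Run it in CI against the JSON output of each stack and fail the job when the returned list is not empty.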

    Please replace placeholder values with actual values that pertain to your use case, such as the location, openShiftVersion, chart version and repo. Additionally, you would perform Istio setup before installing Knative, which might involve installing another Helm chart or following Istio's installation instructions.

    Make sure you have the Pulumi CLI installed and have the appropriate cloud provider CLI configured for authentication purposes—Azure CLI in this case. Run pulumi up to create the resources defined in the program above.