1. Deploy the oidc-proxy helm chart on Rancher

    TypeScript

    To deploy an OIDC (OpenID Connect) proxy Helm chart on a Rancher-managed Kubernetes cluster, you would typically follow these high-level steps:

    1. Set up your Rancher cluster with appropriate access and configuration.
    2. Install the Helm chart onto your Rancher Kubernetes cluster with values that enable OIDC authentication.

    Pulumi has no separate Helm provider; Helm charts are deployed through the Kubernetes provider. It exposes the helm.v3.Chart class, which can install a chart from various sources, including a repository or a local chart.

    Below is a detailed Pulumi program written in TypeScript that demonstrates how to deploy a Helm chart for an OIDC proxy on a Rancher-managed cluster. Please note that you should already have a configured OIDC provider and have the required OIDC client configurations such as the client ID, client secret, and the issuer URL.

    Detailed Explanation and Pulumi Program

    Firstly, we import the necessary Pulumi libraries. We use the @pulumi/rancher2 provider to interact with Rancher and the @pulumi/kubernetes provider to deploy the Helm chart.

        import * as pulumi from "@pulumi/pulumi";
        import * as rancher2 from "@pulumi/rancher2";
        import * as k8s from "@pulumi/kubernetes";

        // Initialize the Rancher2 provider
        const rancher2Provider = new rancher2.Provider("my-rancher", {
            apiUrl: "https://<your-rancher-api-url>",
            tokenKey: "<your-rancher-access-token>", // Rancher API bearer token
            // You can also authenticate with the accessKey and secretKey fields instead
        });

    In the above code, we set up the rancher2Provider. Replace <your-rancher-api-url> and <your-rancher-access-token> with your actual Rancher API URL and access token.

    Next, we need to create a Kubernetes provider configured to use the Rancher-provided Kubernetes cluster. We do this by getting the kubeconfig from a Rancher cluster resource or by providing a pre-configured kubeconfig file.

        // Create a Kubernetes provider instance that uses the kubeconfig from the Rancher-managed cluster
        const k8sProvider = new k8s.Provider("rancher-k8s", {
            kubeconfig: "<your-rancher-generated-kubeconfig>",
            // You can also reference an existing K8s cluster in Rancher and fetch the kubeConfig
        });

    Replace <your-rancher-generated-kubeconfig> with the kubeconfig content you've obtained from Rancher.

    Now we'll go ahead and define our Helm chart deployment. We'll use a placeholder Helm chart for the OIDC proxy, so be sure to replace "oidc-proxy-chart" and "http://charts.example.com/" with the actual name and repository of the Helm chart you wish to deploy.

        // Deploy the OIDC Proxy Helm chart
        const oidcProxyChart = new k8s.helm.v3.Chart("oidc-proxy", {
            chart: "oidc-proxy-chart",
            version: "1.2.3", // Specify the version of the chart you want to deploy, if applicable
            fetchOpts: {
                repo: "http://charts.example.com/", // The Helm chart repository URL
            },
            values: {
                // Specify values required for your OIDC proxy setup.
                // This might include the OIDC issuer URL, client ID, client secret, and other necessary values.
                // These should be treated as sensitive data; make sure to handle them appropriately.
            },
        }, { provider: k8sProvider });

    The oidcProxyChart object represents the Helm chart we're deploying. The values block within the chart should be configured as per the chart's requirements to set up OIDC authentication. This could include the OIDC issuer URL, client ID, client secret, and required scopes or claims. It's important to keep this information secure.
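
    The inputs described above can be checked before running pulumi up. The following is an added example, not part of the original program or of any chart; the field names issuerUrl, clientId and clientSecret and the sample values are assumptions to be mapped onto your chart's actual values keys.

```typescript
// Added example: lint the inputs of the Chart resource before `pulumi up`.
// The values field names (issuerUrl, clientId, clientSecret) are assumptions;
// map them to the keys your chart's values.yaml actually defines.
interface OidcProxyInputs {
  repo: string;          // fetchOpts.repo
  version?: string;      // chart version
  issuerUrl: string;
  clientId: string;
  clientSecret: string;
}

// Matches empty strings and unreplaced "<...>" template placeholders.
const PLACEHOLDER = /^\s*$|^<[^>]*>$/;

function checkOidcProxyInputs(d: OidcProxyInputs): string[] {
  const findings: string[] = [];
  // A chart pulled over plain HTTP can be swapped in transit.
  if (!/^https:\/\//i.test(d.repo)) {
    findings.push("repo: chart repository is not fetched over HTTPS");
  }
  // Without an exact version, each deploy may pull a different chart.
  if (!d.version || !/^\d+\.\d+\.\d+(-[\w.]+)?$/.test(d.version)) {
    findings.push("version: chart is not pinned to an exact version");
  }
  // OIDC issuer identifiers are https URLs without query or fragment.
  if (!/^https:\/\/[^\s?#]+$/i.test(d.issuerUrl)) {
    findings.push("issuerUrl: must be an https URL with no query or fragment");
  }
  if (PLACEHOLDER.test(d.clientId)) {
    findings.push("clientId: empty or unreplaced placeholder");
  }
  if (PLACEHOLDER.test(d.clientSecret)) {
    findings.push("clientSecret: empty or unreplaced placeholder");
  }
  return findings;
}

// Constructed sample: the page's placeholder chart settings plus made-up OIDC values.
const asOnPage: OidcProxyInputs = {
  repo: "http://charts.example.com/",
  version: "1.2.3",
  issuerUrl: "https://idp.example.com/realms/demo",
  clientId: "oidc-proxy",
  clientSecret: "<your-client-secret>",
};
// Flags the HTTP chart repository and the unreplaced client secret.
const pageFindings = checkOidcProxyInputs(asOnPage);
```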

    Finally, we may want to export the endpoint of our OIDC proxy once deployed, so we can easily access it:

        // Export the OIDC Proxy endpoint
        export const oidcProxyEndpoint = oidcProxyChart.getResourceProperty("v1/Service", "oidc-proxy", "status");

    To put it all together, your complete Pulumi program will look like this:

        import * as pulumi from "@pulumi/pulumi";
        import * as rancher2 from "@pulumi/rancher2";
        import * as k8s from "@pulumi/kubernetes";

        // Initialize the Rancher2 provider
        const rancher2Provider = new rancher2.Provider("my-rancher", {
            apiUrl: "https://<your-rancher-api-url>",
            tokenKey: "<your-rancher-access-token>", // Rancher API bearer token
        });

        // Create a Kubernetes provider instance that uses the kubeconfig from the Rancher-managed cluster
        const k8sProvider = new k8s.Provider("rancher-k8s", {
            kubeconfig: "<your-rancher-generated-kubeconfig>",
        });

        // Deploy the OIDC Proxy Helm chart
        const oidcProxyChart = new k8s.helm.v3.Chart("oidc-proxy", {
            chart: "oidc-proxy-chart",
            version: "1.2.3", // Specify the version of the chart you want to deploy
            fetchOpts: {
                repo: "http://charts.example.com/", // The Helm chart repository URL
            },
            values: {
                // Configuration values for OIDC
            },
        }, { provider: k8sProvider });

        // Export the OIDC Proxy endpoint
        export const oidcProxyEndpoint = oidcProxyChart.getResourceProperty("v1/Service", "oidc-proxy", "status");

    Save the above code into a .ts file, and from the command line in the same directory, you can run pulumi up to deploy the chart to your Rancher-managed Kubernetes cluster.

    Make sure to replace placeholder values with actual information specific to your environment, and carefully handle any sensitive information such as tokens, secrets, etc.