Deploy the istio-ingress-gateway helm chart on Google Kubernetes Engine (GKE)

Question

Pulumi · Accepted Answer

To deploy the Istio Ingress Gateway using Helm on a Google Kubernetes Engine (GKE) cluster with Pulumi, we're going to follow these high-level steps:

1. Create a GKE cluster using `gcp.container.Cluster`.
2. Deploy the Istio Ingress Gateway using the `harness.service.Helm` resource which provides a way to deploy applications on Kubernetes using Helm.

Here's a TypeScript program that accomplishes this:

```typescript
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
import * as k8s from "@pulumi/kubernetes";
import * as harness from "@pulumi/harness";

// Create a GKE cluster.
const cluster = new gcp.container.Cluster("gke-cluster", {
    initialNodeCount: 2,
    minMasterVersion: "latest", // specify the version that is compatible with Istio
    nodeVersion: "latest",
    nodeConfig: {
        machineType: "n1-standard-2", // adjust the machine type as necessary
        oauthScopes: [
            "https://www.googleapis.com/auth/compute",
            "https://www.googleapis.com/auth/devstorage.read_only",
            "https://www.googleapis.com/auth/logging.write",
            "https://www.googleapis.com/auth/monitoring",
        ],
    },
});

// Export the Kubeconfig
const kubeconfig = pulumi.
    all([cluster.name, cluster.endpoint, cluster.masterAuth]).
    apply(([name, endpoint, auth]) => {
        const context = `${gcp.config.project}_${gcp.config.zone}_${name}`;
        return `apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: ${auth.clusterCaCertificate}
    server: https://${endpoint}
  name: ${context}
contexts:
- context:
    cluster: ${context}
    user: ${context}
  name: ${context}
current-context: ${context}
kind: Config
preferences: {}
users:
- name: ${context}
  user:
    auth-provider:
      config:
        cmd-args: config config-helper --format=json
        cmd-path: gcloud
        expiry-key: '{.credential.token_expiry}'
        token-key: '{.credential.access_token}'
      name: gcp
`;
    });

// Create a Kubernetes provider instance that uses our cluster from above.
const k8sProvider = new k8s.Provider("k8s-provider", {
    kubeconfig: kubeconfig,
});

// Deploy the Istio Ingress Gateway using the Helm Resource.
const istioIngressGateway = new harness.service.Helm("istio-ingress", {
    chart: "istio-ingress",
    version: "1.7.0", // specify the version of Istio you want to deploy
    namespace: "istio-system", // make sure the namespace exists or is created
    fetchOpts: {
        repo: "https://istio-release.storage.googleapis.com/charts",
    },
}, { provider: k8sProvider });

// Export the cluster name and endpoint to be accessed after deployment.
export const clusterName = cluster.name;
export const clusterEndpoint = cluster.endpoint;
```

Explanation of code:

1. We create an instance of the `gcp.container.Cluster` resource, specifying the minimum required configuration which includes the number of nodes, Kubernetes versions, and machine types.
2. We construct the Kubernetes configuration (kubeconfig) that will be used to interact with the cluster by the Pulumi Kubernetes provider.
3. We create a new `k8s.Provider` instance, passing the generated kubeconfig that will be used to deploy Kubernetes resources including Helm charts.
4. We use the `harness.service.Helm` resource to deploy the Istio Ingress Gateway Helm chart, specifying the chart, version, and namespace.
5. Finally, we export the cluster name and endpoint for easy access, as you may want to interact with your newly created cluster directly using kubectl after your Pulumi program has run.

Before running this code, ensure that you have the necessary Pulumi and GCP credentials set up on your machine. To deploy this program, run `pulumi up` in the directory containing your Pulumi program. After confirming the resources to be created as previewed by Pulumi, the deployment will create a GKE cluster and install the Istio Ingress Gateway Helm chart.