Deploy the ibm-apic-gtw-instance helm chart on Azure Managed Openshift Service

Question

Pulumi · Accepted Answer

To deploy an IBM API Connect Gateway (ibm-apic-gtw-instance) Helm chart on an Azure Managed OpenShift Service, you'll want to accomplish the following tasks:

Set up Azure Managed OpenShift Service, which in this context means creating an OpenShift cluster on Azure.
Install the Helm chart for the IBM API Connect Gateway instance onto the OpenShift cluster.

Let's break down these steps.

Step 1: Create an Azure OpenShift Cluster

To create a managed OpenShift cluster, we will use Pulumi's azure-native.redhatopenshift.OpenShiftCluster resource (docs). This will provision an OpenShift cluster managed by Azure Red Hat OpenShift, without you having to manually configure and manage the details of OpenShift.

Step 2: Deploy the Helm Chart

Next, we’ll use the kubernetes.helm.v3.Chart resource (docs) from the Pulumi Kubernetes provider to deploy the IBM API Connect Gateway instance Helm chart to the OpenShift cluster. The Helm Chart resource is a way to deploy complex Kubernetes applications without manually writing every Kubernetes manifest.

Below is the TypeScript code in Pulumi that performs these steps. Be sure to replace placeholders like <RESOURCE_GROUP_NAME>, <CLUSTER_NAME>, and <CHART_VERSION> with actual values you intend to use.

import * as pulumi from "@pulumi/pulumi";
import * as k8s from "@pulumi/kubernetes";
import * as azureNative from "@pulumi/azure-native";

// Step 1: Create an OpenShift cluster
const resourceGroupName = "<RESOURCE_GROUP_NAME>";
const openshiftClusterName = "<CLUSTER_NAME>";

const openshiftCluster = new azureNative.redhatopenshift.OpenShiftCluster(openshiftClusterName, {
    resourceName: openshiftClusterName,
    resourceGroupName: resourceGroupName,
    location: "<LOCATION>", // e.g., 'westus'
    clusterProfile: {
        domain: "<CLUSTER_DOMAIN>", // Custom domain for the OpenShift cluster
        version: "<OPENSHIFT_VERSION>", // e.g., '4.3.0'
        resourceGroupId: pulumi.interpolate(`/subscriptions/${azureNative.config.subscriptionId}/resourceGroups/${resourceGroupName}`),
    },
    masterProfile: {
        vmSize: "Standard_D4s_v3",
    },
    workerProfiles: [{
        name: "worker",
        count: 3,
        vmSize: "Standard_D2s_v3",
    }],
    networkProfile: {
        podCidr: "10.128.0.0/14",
        serviceCidr: "172.30.0.0/16",
    },
    servicePrincipalProfile: {
        clientId: "<AZURE_CLIENT_ID>",
        clientSecret: "<AZURE_CLIENT_SECRET>",
    },
});

// Step 2: Deploy the IBM API Connect Gateway helm chart
// We need to set up a Kubernetes provider that uses the kubeconfig from the newly created OpenShift cluster
const kubeconfig = openshiftCluster.kubeconfig.apply(kubeconfig => Buffer.from(kubeconfig, "base64").toString());

const k8sProvider = new k8s.Provider("openshiftK8s", {
    kubeconfig: kubeconfig,
});

const ibmApicGtwInstanceChart = new k8s.helm.v3.Chart("ibm-apic-gtw-instance", {
    chart: "ibm-apic-gtw-instance",
    version: "<CHART_VERSION>", // Specify the version of the chart you want to deploy
    fetchOpts:{ 
        repo: "https://charts.ibm.com/",
    },
}, { provider: k8sProvider });

// Export the OpenShift cluster's API server URL and the kubeconfig to access the cluster
export const openshiftApiServerUrl = openshiftCluster.apiserverUrl;
export const clusterKubeconfig = pulumi.secret(kubeconfig);

Explanation

The openshiftCluster resource is where you configure details of the OpenShift cluster such as the domain, the version, the size of VMs for master and worker nodes, CIDR blocks for pods and services, etc.
The openshiftCluster.kubeconfig applies a transformation to the kubeconfig output from the OpenShiftCluster resource to convert it from a base64 string into a regular string.
The k8s.Provider setup uses the kubeconfig from our OpenShift cluster which will allow Pulumi to communicate with our OpenShift cluster for further configurations and deployments.
The ibmApicGtwInstanceChart resource is the Helm chart representing the IBM API Connect Gateway instance application, we specify the name of the chart, the version, and the repository URL where the chart can be found.

Be sure to replace placeholders with actual values. Keep sensitive data like the service principal secret safe and consider using Pulumi's secret handling for these values. The code includes exports for the OpenShift API server URL and the kubeconfig to allow you to interact with your OpenShift cluster once it's up and running. The kubeconfig is marked as a secret because it contains sensitive credentials.