Deploy the aws-iam-role-service-account helm chart on Linode Kubernetes Engine

Question

Pulumi · Accepted Answer

To deploy a Helm chart on Linode Kubernetes Engine (LKE) using the AWS Identity and Access Management (IAM) roles for service accounts, you will first need to have an LKE cluster up and running and your kubectl configured to communicate with it. The Helm chart will then associate a Kubernetes service account with an AWS IAM role. Pulumi allows you to write this infrastructure as code using TypeScript.

You will need to perform the following general steps in your Pulumi program:

1. Configure Pulumi to use your Kubernetes cluster.
2. Create the Kubernetes service account.
3. Associate the AWS IAM role with the service account using annotations.

Below is a Pulumi program in TypeScript which you can use as a starting point. This program assumes you've already set up the LKE cluster and have the necessary AWS role you wish to associate with your Kubernetes service account.

Firstly, install the necessary Pulumi packages by running these commands:

```bash
pulumi plugin install resource kubernetes v4.4.0
npm install @pulumi/kubernetes
npm install @pulumi/aws
```

Now you can use the following Pulumi program:

```typescript
import * as k8s from "@pulumi/kubernetes";
import * as aws from "@pulumi/aws";

// The name of the Kubernetes service account you want to create.
const serviceAccountName = "aws-iam-role-service-account";

// AWS IAM role ARN that will be associated with the service account.
// Ensure this IAM role has the trust relationship for the OIDC provider for your EKS cluster.
const iamRoleArn = "arn:aws:iam::123456789012:role/YourIAMRoleName";

// Create a Kubernetes service account in the appropriate namespace.
const serviceAccount = new k8s.core.v1.ServiceAccount(serviceAccountName, {
    metadata: {
        name: serviceAccountName,
        // The namespace where you want to deploy your service account.
        // This should be the same namespace where your Helm chart will be installed.
        namespace: "default",
        // Annotate the service account with the ARN of the AWS IAM role.
        annotations: {
            "eks.amazonaws.com/role-arn": iamRoleArn,
        }
    }
});

// The path to the directory where the values.yaml file for your Helm chart is located.
const valuesPath = "./path/to/your/helm/values.yaml";

// Deploy the aws-iam-role-service-account Helm chart.
const helmChart = new k8s.helm.v3.Chart("aws-iam-role-service-account", {
    chart: "aws-iam-role-service-account",
    // The Helm repository where your chart is located.
    fetchOpts: { repo: "https://your-helm-chart-repository/" },
    // Since the chart is deployed outside of Helm, Pulumi needs to know where to find it.
    // Assuming the values file is required for your Helm chart,
    // specify the custom values required by passing the path to the values file.
    values: valuesPath,
    // The namespace where you want to install your Helm chart.
    // It should match the namespace where the service account was created.
    namespace: "default",
});

// Exports a Kubernetes service account name.
export const saName = serviceAccount.metadata.apply(meta => meta.name);
```

Each component is described below:

- `@pulumi/kubernetes`: The Pulumi Kubernetes SDK, which allows you to define Kubernetes resources such as deployments, services, and in this case, a service account.
- `@pulumi/aws`: The Pulumi AWS SDK, which provides the integration with AWS services including IAM.
- `serviceAccount`: This resource is a Kubernetes `ServiceAccount` object that will be created in your cluster. It includes annotations that bind it to an AWS IAM role.
- `helmChart`: This resource is a Pulumi wrapper around a Helm chart, which allows you to deploy applications packaged as Helm charts. The chart name should match with the one you intend to install, and you might need to provide the Helm repository URL where the chart can be found.
- `valuesPath`: Helm charts often require a `values.yaml` file to customize the deployment. This would be the path to that file on your local filesystem.

Before running this, please ensure:

- You have the AWS CLI configured with sufficient permissions.
- You have Pulumi installed and set up for TypeScript.
- You replace `"arn:aws:iam::123456789012:role/YourIAMRoleName"` with your actual IAM role ARN.
- The Helm chart name and repository are correctly specified. The example here is a placeholder and you'll need the actual chart information.
- You update the `valuesPath` to the location where your Helm chart `values.yaml` is stored.

To apply this Pulumi program, run the `pulumi up` command, which will provision the resources as per the defined program. The result will be the creation of a Kubernetes service account linked with the AWS IAM role, and the deployment of your Helm chart to the LKE cluster.