Deploy the harbor-scanner-trivy helm chart on Google Kubernetes Engine (GKE)
TypeScriptTo deploy the Harbor Scanner Trivy Helm chart on Google Kubernetes Engine (GKE), you'll need to follow a few distinct steps:
-
Create a GKE cluster: Use Pulumi to provision a new GKE cluster. This is where your applications and services will run.
-
Configure Kubectl: Set up
kubectlto communicate with the new GKE cluster so that you can deploy applications onto it. -
Deploy the Helm chart: Use Pulumi's Helm support to deploy the Harbor Scanner Trivy chart into your GKE cluster.
Below is a Pulumi program written in TypeScript that demonstrates how to carry out these steps. Here, we are using Pulumi's
@pulumi/kubernetesand@pulumi/gcppackages to create the cluster and deploy the Helm chart to it.Before running this program, ensure you have completed the following pre-requisites:
- Install Node.js
- Install Pulumi
- Set up Google Cloud Platform (GCP) credentials for Pulumi
- Install the Pulumi GCP and Pulumi Kubernetes packages
import * as pulumi from "@pulumi/pulumi"; import * as gcp from "@pulumi/gcp"; import * as k8s from "@pulumi/kubernetes"; // Create a GKE cluster const cluster = new gcp.container.Cluster("my-gke-cluster", { initialNodeCount: 2, minMasterVersion: "latest", nodeVersion: "latest", location: "us-central1", nodeConfig: { machineType: "n1-standard-1", oauthScopes: [ "https://www.googleapis.com/auth/compute", "https://www.googleapis.com/auth/devstorage.read_only", "https://www.googleapis.com/auth/logging.write", "https://www.googleapis.com/auth/monitoring" ], }, }); // Export the Cluster name and Kubeconfig export const clusterName = cluster.name; export const kubeconfig = pulumi.all([cluster.name, cluster.endpoint, cluster.masterAuth]).apply(([name, endpoint, masterAuth]) => { const context = `${gcp.config.project}_${gcp.config.zone}_${name}`; return `apiVersion: v1 clusters: - cluster: certificate-authority-data: ${masterAuth.clusterCaCertificate} server: https://${endpoint} name: ${context} contexts: - context: cluster: ${context} user: ${context} name: ${context} current-context: ${context} kind: Config preferences: {} users: - name: ${context} user: auth-provider: config: cmd-args: config config-helper --format=json cmd-path: gcloud expiry-key: '{.credential.token_expiry}' token-key: '{.credential.access_token}' name: gcp `; }); // Create a Kubernetes provider instance that uses our cluster from above. const k8sProvider = new k8s.Provider("gke-k8s", { kubeconfig: kubeconfig, }); // Deploy the Harbor Scanner Trivy Helm chart into the GKE cluster const trivyChart = new k8s.helm.v3.Chart("trivy", { chart: "harbor-trivy", version: "x.y.z", // Specify the Helm chart version here fetchOpts:{ repo: "https://helm.goharbor.io", // Specify the chart repository URL }, }, { provider: k8sProvider }); // Export the Harbor Trivy service endpoint export const trivyServiceEndpoint = trivyChart.getResourceProperty("v1/Service", "harbor-trivy", "status").apply(status => status.loadBalancer.ingress[0].ip);This program sets up the GKE cluster with 2 nodes using a standard machine type (
n1-standard-1). Then, it configures thekubectlby exportingkubeconfigwhich is used by a Pulumi Kubernetes provider to createtrivyChart. Here, we are deploying the Harbor Scanner Trivy Helm chart from its repository using Pulumi's Helm Chart resource.To run this program:
- Save the code to a file with a
.tsextension, for example,deploy-trivy.ts. - Run
pulumi upto preview and deploy the changes.
Remember to replace the placeholder
x.y.zwith the version of the Harbor Scanner Trivy Helm chart that you wish to deploy.The last exported variable
trivyServiceEndpointis the endpoint at which the deployed Trivy service can be accessed, once it's provisioned and assigned an IP by GKE's load balancer.-