1. Deploy the fluentd-cloudwatch Helm chart on AWS EKS

    TypeScript

    To deploy the fluentd-cloudwatch Helm chart on AWS EKS, you need to follow these steps:

    1. Create an EKS Cluster: An Amazon EKS (Elastic Kubernetes Service) cluster provides the Kubernetes control plane. This control plane consists of at least two EC2 instances that run the Kubernetes software, such as etcd and the API server.

    2. Configure IAM Role for the Cluster: Amazon EKS requires at least one IAM role to be associated with the cluster for EKS to manage resources on your behalf.

    3. Set Up Node Group: You must configure worker nodes that the Kubernetes scheduler uses to host your Kubernetes pods.

    4. Deploy the Helm Chart: Helm is an application manager for Kubernetes that streamlines the installation and management of applications. You will then use Helm to install the fluentd-cloudwatch chart.

    Let's write a Pulumi program in TypeScript which carries out these steps:

        import * as eks from "@pulumi/eks";
        import * as aws from "@pulumi/aws";
        import * as k8s from "@pulumi/kubernetes";

        // Step 1: Create EKS Cluster
        const cluster = new eks.Cluster("my-cluster", {
            desiredCapacity: 2, // Number of worker nodes
            minSize: 1,
            maxSize: 3,
            storageClasses: "gp2", // Storage class for EBS volumes
            deployDashboard: false, // Kubernetes Dashboard is not recommended in AWS
        });

        // Step 2: Configure IAM Role for the EKS Cluster - EKS automatically creates a role
        // The role used by EKS is automatically generated by the `eks.Cluster` resource.

        // Step 3: Set Up Node Group - EKS manages the default node group when specifying desired capacity.
        // The `eks.Cluster` resource has already set up a default node group.

        // Step 4: Deploy the fluentd-cloudwatch Helm chart
        const fluentdChart = new k8s.helm.v3.Chart("fluentd-cloudwatch", {
            chart: "fluentd-cloudwatch",
            namespace: "kube-system", // It's common practice to deploy logging utilities into the `kube-system` namespace.
            fetchOpts: {
                repo: "https://charts.fluentd.io", // Make sure to specify the correct Helm repository URL.
            },
            values: {
                // Here you can specify the values for the fluentd-cloudwatch Helm chart.
                // For a complete list of configurable values, refer to the chart's documentation at its repository.
                awsRegion: aws.config.region,
                // You will likely need to configure IAM roles and access policies for Fluentd to write to CloudWatch.
                // The specific values depend on your particular use case and permissions setup.
            },
        }, { provider: cluster.provider }); // Use the provider from the EKS cluster to ensure it targets the right K8s cluster.

        // Export the cluster's kubeconfig.
        export const kubeconfig = cluster.kubeconfig;

    Explanation:

    Here's a brief explanation of the program:

    • eks.Cluster: This resource creates a new EKS cluster with the defined node capacity and storage options. It also creates related resources, such as the IAM role assumed by the worker nodes, which provides the permissions the EKS nodes need for AWS integration.

    • Helm Chart Deployment: The k8s.helm.v3.Chart resource manages the deployment of the fluentd-cloudwatch Helm chart.

      • Namespace: Helm charts should typically be deployed into an appropriate Namespace. In the case of infrastructure components like fluentd, this is often kube-system.
      • Helm Repository: Helm charts are generally hosted in Helm repositories. The URL provided must be that of the specific repository where the fluentd-cloudwatch chart is hosted.
      • Values: Custom values are provided to configure the chart, including the AWS region. You might also need to supply IAM roles and access policies depending on your setup and the permissions required for your cluster and Fluentd to communicate with AWS CloudWatch.

    The program finally exports the kubeconfig, which you can use to interact with your Kubernetes cluster using kubectl or other Kubernetes tooling.

    Remember, you'll need to have Pulumi (with your preferred configuration and AWS credentials set up) and Helm installed on your machine to run this code. Ensure your environment is properly configured for Pulumi with the correct AWS account and region. Additionally, the IAM permissions should be correctly configured for fluentd-cloudwatch to access AWS CloudWatch Logs.
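
    The Values note and the paragraph above leave the IAM side open. As an added example (not part of the original program or the chart), this TypeScript builds a CloudWatch Logs permission policy scoped to one log group, an IRSA trust policy bound to a single service account, and a lint that flags wildcard grants. Assumptions: the log group already exists, the action list matches what your Fluentd output calls, and every function name, ARN and account ID is a constructed placeholder.

```typescript
// Added example: least-privilege IAM documents for Fluentd -> CloudWatch Logs.
// Function names and all ARNs passed in are hypothetical placeholders.
type IamStatement = { Effect: string; Action: string[]; Resource: string[] };
type IamPolicy = { Version: string; Statement: IamStatement[] };

// Permission policy limited to a single, pre-created log group.
// The action list is an assumption; trim it to what your output plugin calls.
function fluentdLogsPolicy(region: string, account: string, logGroup: string): IamPolicy {
  const group = `arn:aws:logs:${region}:${account}:log-group:${logGroup}`;
  return {
    Version: "2012-10-17",
    Statement: [{
      Effect: "Allow",
      Action: ["logs:CreateLogStream", "logs:PutLogEvents", "logs:DescribeLogStreams"],
      Resource: [group, `${group}:*`],
    }],
  };
}

// IRSA trust policy: only the named service account in the named namespace
// can assume the role through the cluster's OIDC provider.
function irsaTrustPolicy(oidcProviderArn: string, issuerHost: string,
                         namespace: string, serviceAccount: string) {
  return {
    Version: "2012-10-17",
    Statement: [{
      Effect: "Allow",
      Principal: { Federated: oidcProviderArn },
      Action: "sts:AssumeRoleWithWebIdentity",
      Condition: { StringEquals: {
        [`${issuerHost}:sub`]: `system:serviceaccount:${namespace}:${serviceAccount}`,
        [`${issuerHost}:aud`]: "sts.amazonaws.com",
      } },
    }],
  };
}

// Lint: report Allow statements with wildcard actions or unscoped resources.
function overbroadFindings(policy: IamPolicy): string[] {
  const findings: string[] = [];
  policy.Statement.forEach((s, i) => {
    if (s.Effect !== "Allow") return;
    s.Action.forEach(a => {
      if (a === "*" || /:\*$/.test(a)) findings.push(`statement ${i}: wildcard action ${a}`);
    });
    s.Resource.forEach(r => {
      if (r === "*" || /:log-group:\*$/.test(r)) findings.push(`statement ${i}: unscoped resource ${r}`);
    });
  });
  return findings;
}
```

    Run the lint over any policy you attach for Fluentd before `pulumi up`; binding the role to one service account keeps the CloudWatch write permission away from other pods on the same nodes.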