Deploy the basic-auth-secret helm chart on Google Kubernetes Engine (GKE)

Question

Pulumi · Accepted Answer

To deploy a Helm chart on Google Kubernetes Engine (GKE), you'll need to follow these steps:

1. **Set up the GKE Cluster**: Before deploying any Helm charts, a Kubernetes cluster must be running. We will use Pulumi to declare a GKE cluster.
2. **Deploy the Helm chart**: Once the cluster is up and running, we will deploy the Helm chart to the cluster. For basic authentication secret management, we can use the `basic-auth-secret` as an example Helm chart.

We will be using the `@pulumi/kubernetes` package to create a GKE cluster and then to deploy the Helm chart on it.

Let's go through each step in detail:

### Step 1: Create a Google Kubernetes Engine Cluster
The `google-native.container.v1.Cluster` resource is used to create a new GKE cluster. This setup includes the necessary configuration such as the zone, initial node count, and network settings.

### Step 2: Deploy a Helm Chart
The `@pulumi/kubernetes/helm/v3.Chart` resource allows you to deploy Helm charts into a Kubernetes cluster. In this case, we will assume that the `basic-auth-secret` Helm chart is available in a known Helm repository.

Below is a TypeScript program that illustrates how to accomplish this:

```typescript
import * as gcp from "@pulumi/gcp";
import * as k8s from "@pulumi/kubernetes";
import * as pulumi from "@pulumi/pulumi";

// Step 1: Create a GKE cluster
const cluster = new gcp.container.Cluster("gke-cluster", {
    initialNodeCount: 1,
    nodeVersion: "latest",
    minMasterVersion: "latest",
    nodeConfig: {
        machineType: "e2-medium",
        oauthScopes: [
            "https://www.googleapis.com/auth/compute",
            "https://www.googleapis.com/auth/devstorage.read_only",
            "https://www.googleapis.com/auth/logging.write",
            "https://www.googleapis.com/auth/monitoring",
        ],
    },
});

// Export the Cluster name
export const clusterName = cluster.name;

// Export the Kubeconfig to access the cluster using kubectl
export const kubeconfig = pulumi.
    all([cluster.name, cluster.endpoint, cluster.masterAuth]).
    apply(([name, endpoint, masterAuth]) => {
        const context = `${gcp.config.project}_${gcp.config.zone}_${name}`;
        return `apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: ${masterAuth.clusterCaCertificate}
    server: https://${endpoint}
  name: ${context}
contexts:
- context:
    cluster: ${context}
    user: ${context}
  name: ${context}
current-context: ${context}
kind: Config
preferences: {}
users:
- name: ${context}
  user:
    auth-provider:
      config:
        cmd-args: config config-helper --format=json
        cmd-path: gcloud
        expiry-key: '{.credential.token_expiry}'
        token-key: '{.credential.access_token}'
      name: gcp
`;
    });

// Step 2: Deploy the Helm chart for basic-auth-secret
const helmChart = new k8s.helm.v3.Chart("basic-auth-secret", {
    chart: "basic-auth-secret",
    // Assuming 'basic-auth-secret' is the chart name and it is available in the specified repository
    // Replace `REPO_URL` with the repository where your desired helm chart is located
    fetchOpts: {
        repo: "REPO_URL",
    },
    // Specify the values for the Helm chart
    // Replace these with your desired values for 'username' and 'password'
    values: {
        username: "admin",
        password: "password",
    },
}, { provider: new k8s.Provider("k8s-provider", { kubeconfig: kubeconfig }) });

// Export the Helm chart resource name
export const helmChartName = helmChart.getResourceName();
```

This program performs the following actions:
- It initializes a new GKE cluster with the specified node count and machine type.
- A kubeconfig file is generated for accessing the cluster. This kubeconfig is outputted as one of the stack exports, allowing you to interact with your cluster via kubectl or other Kubernetes tools.
- It then creates a Helm release for the `basic-auth-secret` chart. The release is configured with the values you specify, which in this case are placeholders for the basic auth username and password.
- It uses a Kubernetes Provider that is configured with the kubeconfig. This tells Pulumi to use this specific Kubernetes cluster for deploying resources.

Remember to replace `REPO_URL` with the actual URL of the Helm chart repository containing the `basic-auth-secret` Helm chart, and fill in the `values` with the actual username and password you'd like to use for basic authentication.

You will need to have Pulumi installed, along with the appropriate GCP credentials configured on your system to run this program. Execute `pulumi up` in the project directory to create the resources.

For more information on how to use GKE with Pulumi, you can refer to the [Pulumi GKE documentation](https://www.pulumi.com/registry/packages/gcp/api-docs/container/cluster/). For working with Kubernetes resources in general, see the [Pulumi Kubernetes documentation](https://www.pulumi.com/registry/packages/kubernetes/).