Deploy the vault-token-injector helm chart on AWS EKS

Question

Pulumi · Accepted Answer

To deploy the `vault-token-injector` Helm chart on AWS EKS using Pulumi, you'll first need to create an EKS cluster and then use the Helm chart resource to deploy the chart onto your cluster.

### Overview
Here's what we will be doing:

1. Provision an EKS Cluster: we will create the foundation infrastructure for Kubernetes on AWS.
2. Setup an EKS Role: we will configure proper IAM roles that EKS requires for operating clusters.
3. Deploy the Helm Chart: we will then deploy the `vault-token-injector` Helm chart onto the EKS cluster.

Let's go through this step by step.

### Step 1: Create the EKS Cluster

To create an AWS EKS Cluster, you'll first need to set up a VPC and specify the subnets and security groups for the cluster control plane to use when communicating with worker nodes.

After setting up the necessary network infrastructure, you can create an EKS cluster by using the `aws.eks.Cluster` resource.

```typescript
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
import * as awsx from "@pulumi/awsx";
import * as eks from "@pulumi/eks";
import * as k8s from "@pulumi/kubernetes";

// Create a VPC for our cluster
const vpc = new awsx.ec2.Vpc("my-vpc", { numberOfAvailabilityZones: 2 });

// IAM role for the EKS cluster
const iamRole = new aws.iam.Role("eks-role", {
    assumeRolePolicy: aws.iam.assumeRolePolicyForPrincipal({
        Service: "eks.amazonaws.com",
    }),
});

// Attach the Amazon EKS cluster policy to the IAM role
new aws.iam.RolePolicyAttachment("eks-cluster-policy", {
    role: iamRole,
    policyArn: "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy", // This is a managed policy provided by AWS for EKS clusters
});

// Create an EKS cluster
const cluster = new eks.Cluster("my-cluster", {
    vpcId: vpc.id,
    subnetIds: vpc.publicSubnetIds,
    instanceType: "t2.medium",
    desiredCapacity: 2,
    minSize: 1,
    maxSize: 2,
    role: iamRole,
});

// Export the cluster's kubeconfig
export const kubeconfig = cluster.kubeconfig;
```

### Step 2: Set Up EKS Role

AWS requires the EKS Role for authentication. The role will allow Kubernetes to talk to other AWS services it integrates with. We've already set up the role in the cluster creation code above. Note that you need to attach specific policies that allow EKS to manage resources on your behalf.

### Step 3: Deploy the Vault Token Injector Helm Chart

The next step is to deploy the `vault-token-injector` Helm chart onto your cluster. You can do this by creating a `Chart` resource from the `@pulumi/kubernetes` package, which represents a chart from Helm's package manager.

Before executing this step, you need to have Helm installed on your local machine, and make sure that you have added the chart's repository to your Helm configuration if it's a third-party chart.

```typescript
// Create a Kubernetes provider instance that uses our EKS Kubeconfig
const provider = new k8s.Provider("k8s-provider", {
    kubeconfig: cluster.kubeconfig.apply(JSON.stringify),
});

// Deploy the vault-token-injector Helm chart
const chart = new k8s.helm.v3.Chart("vault-token-injector", {
    chart: "vault-token-injector",
    // In case you need to specify the Helm repository:
    // repo: "https://repository.url/",
    version: "1.0.0", // Specify the version of the chart you want to deploy
    namespace: "default",
    values: {
        // Set any custom values you require for this Helm chart
    },
}, { provider });

// Export the Helm chart resources created
export const vaultInjectorResources = chart.resources;
```

In the `values` of the `Chart` resource, you would specify any values that the `vault-token-injector` chart requires. Check the chart's documentation for more details.

### Final Remarks

After deploying your Pulumi program using `pulumi up`, your AWS EKS cluster will be up and running with the `vault-token-injector` Helm chart deployed. Pulumi handles the provisioning and deployment, allowing you to manage infrastructure and applications with code.

Remember to replace the placeholder values like `1.0.0` for your specific chart version and customize the `values` configuration based on the Helm chart’s requirements. Also, review the IAM policies to adhere to the least privilege principle and avoid overly permissive permissions.

When you're ready to clean up resources, simply execute `pulumi destroy` and Pulumi will tear down all the resources created.