Deploy the vault-token-injector helm chart on AWS EKS
To deploy the vault-token-injector Helm chart on AWS EKS using Pulumi, you'll first need to create an EKS cluster and then use the Helm chart resource to deploy the chart onto your cluster.
Overview
Here's what we will be doing:
- Provision an EKS Cluster: we will create the foundation infrastructure for Kubernetes on AWS.
- Set up an EKS Role: we will configure proper IAM roles that EKS requires for operating clusters.
- Deploy the Helm Chart: we will then deploy the vault-token-injector Helm chart onto the EKS cluster.
Let's go through this step by step.
Step 1: Create the EKS Cluster
To create an AWS EKS Cluster, you'll first need to set up a VPC and specify the subnets and security groups for the cluster control plane to use when communicating with worker nodes.
After setting up the necessary network infrastructure, you can create an EKS cluster by using the aws.eks.Cluster resource.
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
import * as awsx from "@pulumi/awsx";
import * as eks from "@pulumi/eks";
import * as k8s from "@pulumi/kubernetes";

// Create a VPC for our cluster
const vpc = new awsx.ec2.Vpc("my-vpc", { numberOfAvailabilityZones: 2 });

// IAM role for the EKS cluster
const iamRole = new aws.iam.Role("eks-role", {
    assumeRolePolicy: aws.iam.assumeRolePolicyForPrincipal({
        Service: "eks.amazonaws.com",
    }),
});

// Attach the Amazon EKS cluster policy to the IAM role
new aws.iam.RolePolicyAttachment("eks-cluster-policy", {
    role: iamRole,
    // This is a managed policy provided by AWS for EKS clusters
    policyArn: "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy",
});

// Create an EKS cluster
const cluster = new eks.Cluster("my-cluster", {
    vpcId: vpc.vpcId, // awsx 1.x and later expose the VPC ID as vpcId
    subnetIds: vpc.publicSubnetIds,
    instanceType: "t2.medium",
    desiredCapacity: 2,
    minSize: 1,
    maxSize: 2,
    // eks.Cluster takes the control-plane role as serviceRole
    serviceRole: iamRole,
});

// Export the cluster's kubeconfig
export const kubeconfig = cluster.kubeconfig;
```
Step 2: Set Up EKS Role
AWS requires the EKS Role for authentication. The role will allow Kubernetes to talk to other AWS services it integrates with. We've already set up the role in the cluster creation code above. Note that you need to attach specific policies that allow EKS to manage resources on your behalf.
Step 3: Deploy the Vault Token Injector Helm Chart
The next step is to deploy the vault-token-injector Helm chart onto your cluster. You can do this by creating a Chart resource from the @pulumi/kubernetes package, which represents a chart from Helm's package manager.
Before executing this step, you need to have Helm installed on your local machine, and make sure that you have added the chart's repository to your Helm configuration if it's a third-party chart.
```typescript
// Continues the program from Step 1 (uses the cluster and k8s names defined there).
// Create a Kubernetes provider instance that uses our EKS kubeconfig
const provider = new k8s.Provider("k8s-provider", {
    kubeconfig: cluster.kubeconfig.apply(JSON.stringify),
});

// Deploy the vault-token-injector Helm chart
const chart = new k8s.helm.v3.Chart("vault-token-injector", {
    chart: "vault-token-injector",
    // In case you need to specify the Helm repository URL:
    // fetchOpts: { repo: "https://repository.url/" },
    version: "1.0.0", // Specify the version of the chart you want to deploy
    namespace: "default",
    values: {
        // Set any custom values you require for this Helm chart
    },
}, { provider });

// Export the Helm chart resources created
export const vaultInjectorResources = chart.resources;
```
In the values of the Chart resource, you would specify any values that the vault-token-injector chart requires. Check the chart's documentation for more details.
Final Remarks
After deploying your Pulumi program using pulumi up, your AWS EKS cluster will be up and running with the vault-token-injector Helm chart deployed. Pulumi handles the provisioning and deployment, allowing you to manage infrastructure and applications with code.
Remember to replace placeholder values such as 1.0.0 with your specific chart version and customize the values configuration based on the Helm chart's requirements. Also, review the IAM policies to adhere to the least privilege principle and avoid overly permissive permissions.
When you're ready to clean up resources, simply execute pulumi destroy and Pulumi will tear down all the resources created.
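One way to carry out the IAM review recommended above, as an added example that is not part of the original page or of any Pulumi or chart code: a small lint that flags Allow statements with wildcard actions, unscoped resources, or wildcard principals. The names auditPolicy and samplePolicy are hypothetical, the sample policy is constructed, and the read-only test on Describe/List/Get is a heuristic.

```typescript
// Added example (not from the original page): a least-privilege lint for IAM
// policy documents, following the standard IAM JSON policy grammar.
type OneOrMany = string | string[];
interface Statement {
  Sid?: string; Effect: "Allow" | "Deny"; Principal?: unknown;
  Action?: OneOrMany; NotAction?: OneOrMany; Resource?: OneOrMany;
}
interface PolicyDocument { Version?: string; Statement: Statement | Statement[] }
interface Finding { sid: string; issue: string }

const toList = (v?: OneOrMany): string[] =>
  v === undefined ? [] : Array.isArray(v) ? v : [v];

function auditPolicy(doc: PolicyDocument): Finding[] {
  const statements = Array.isArray(doc.Statement) ? doc.Statement : [doc.Statement];
  const findings: Finding[] = [];
  statements.forEach((s, i) => {
    if (s.Effect !== "Allow") return; // Deny statements only narrow access
    const sid = s.Sid !== undefined ? s.Sid : `statement[${i}]`;
    const actions = toList(s.Action);
    if (s.NotAction !== undefined)
      findings.push({ sid, issue: "Allow + NotAction grants every action not listed" });
    for (const a of actions) {
      if (a === "*") findings.push({ sid, issue: "Action * allows every API call" });
      else if (/:\*$/.test(a)) findings.push({ sid, issue: `service-wide wildcard ${a}` });
    }
    // Heuristic: Describe/List/Get calls often need Resource "*"; other actions should be scoped.
    const mutating = actions.some((a) => !/:(Describe|List|Get)/.test(a));
    if (mutating && toList(s.Resource).indexOf("*") !== -1)
      findings.push({ sid, issue: "Resource * on non-read-only actions" });
    // Trust policies: a wildcard principal lets any AWS identity assume the role.
    const p = s.Principal;
    if (p === "*" || (typeof p === "object" && p !== null && (p as { AWS?: unknown }).AWS === "*"))
      findings.push({ sid, issue: "wildcard Principal in trust policy" });
  });
  return findings;
}

// Constructed sample policy (illustrative only; not taken from the chart or the page).
const samplePolicy: PolicyDocument = {
  Version: "2012-10-17",
  Statement: [
    { Sid: "ReadOnly", Effect: "Allow", Action: ["ec2:DescribeInstances", "ec2:DescribeSubnets"], Resource: "*" },
    { Sid: "TooBroad", Effect: "Allow", Action: "s3:*", Resource: "*" },
    { Sid: "Scoped", Effect: "Allow", Action: "secretsmanager:GetSecretValue",
      Resource: "arn:aws:secretsmanager:us-east-1:111122223333:secret:example-*" },
  ],
};
console.log(auditPolicy(samplePolicy));
```

Run it over the JSON of each policy attached to the cluster and node roles before pulumi up; an empty result means none of these checks fired, not that the policy is minimal.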