Deploy the envoy helm chart on Azure Kubernetes Service (AKS)

Question

Pulumi · Accepted Answer

Deploying a Helm chart to Azure Kubernetes Service (AKS) using Pulumi is a multi-step process that involves:

1. Provisioning an AKS cluster where your applications will run.
2. Configuring `kubectl` to connect to your AKS cluster.
3. Deploying applications onto the cluster using Helm charts.

I will guide you through creating a Pulumi program in TypeScript to deploy the Envoy proxy as a Helm chart onto an AKS cluster. Pulumi's Kubernetes provider can be used to interact with Helm charts, enabling you to specify the Helm chart and its configuration parameters in your Pulumi program.

Here is a step-by-step example of how to accomplish this. This example assumes you have an Azure account set up with the necessary permissions to create resources and that you've configured Pulumi to use your Azure credentials.

```typescript
import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure-native";
import * as k8s from "@pulumi/kubernetes";

// Step 1: Create a new AKS cluster
const resourceGroup = new azure.resources.ResourceGroup("myResourceGroup");

const k8sCluster = new azure.containerservice.ManagedCluster("myAKSCluster", {
    resourceGroupName: resourceGroup.name,
    agentPoolProfiles: [{
        count: 2,
        maxPods: 110,
        mode: "System",
        name: "agentpool",
        osType: "Linux",
        vmSize: "Standard_DS2_v2",
    }],
    dnsPrefix: "myakscluster",
    enableRBAC: true,
    kubernetesVersion: "1.18.14",
    linuxProfile: {
        adminUsername: "adminuser",
        ssh: {
            publicKeys: [{
                keyData: "ssh-rsa ...",
            }],
        },
    },
    servicePrincipalProfile: {
        clientId: "client-id",
        secret: "client-secret",
    }
});

// Extract the Kubeconfig from the generated AKS cluster
const creds = pulumi.all([resourceGroup.name, k8sCluster.name]).apply(([resourceGroupName, clusterName]) =>
    azure.containerservice.listManagedClusterAdminCredentials({
        resourceGroupName,
        resourceName: clusterName,
    }));

const kubeconfig = creds.kubeconfigs[0].value.apply(v => Buffer.from(v, "base64").toString());

// Step 2: Use the Kubernetes provider to interact with the AKS cluster
const clusterProvider = new k8s.Provider("myAKSClusterProvider", {
    kubeconfig: kubeconfig,
});

// Step 3: Deploy the Envoy Helm chart onto the AKS cluster
const envoyChart = new k8s.helm.v3.Chart("envoy", {
    chart: "envoy",
    version: "1.14.4",
    fetchOpts: {
        repo: "https://envoyproxy.github.io/data-plane-api/",
    },
}, { provider: clusterProvider });

// Export the kubeconfig and service endpoint to access the Envoy service
export const kubeconfigOut = kubeconfig;
export const envoyServiceIp = envoyChart.getResourceProperty("v1/Service", "envoy", "status").apply(status => status.loadBalancer.ingress[0].ip);
```

### Breakdown of the Pulumi Program:

1. Import the required Pulumi libraries. We're using the `@pulumi/pulumi`, `@pulumi/azure-native`, and `@pulumi/kubernetes` packages.
2. Define a resource group, which is a logical container in Azure that holds related resources for an Azure solution.
3. Create an AKS cluster within the resource group. Configure the desired number of nodes, VM size, Kubernetes version, and SSH keys for accessing the nodes.
4. Retrieve the kubeconfig of the AKS cluster. The kubeconfig is required to communicate with the Kubernetes cluster and deploy resources onto it.
5. Instantiate the Pulumi Kubernetes provider with the obtained kubeconfig, which allows us to interact with the AKS Kubernetes cluster.
6. Deploy the Envoy Helm chart using Pulumi's Helm chart resource. Specify the name, version, and repository of the Helm chart. The `provider` option ensures that this Helm chart is deployed to the AKS cluster we created earlier.
7. Export the kubeconfig and IP address of the Envoy service so that we can interact with it after the deployment is complete.

Please replace placeholders like `ssh-rsa ...`, `client-id`, and `client-secret` with your actual SSH public key, Azure client ID, and client secret.

Once you have this program, run it using the Pulumi CLI with the following commands:

```bash
pulumi up      # Preview and deploy the changes
pulumi export  # Export the current stack's state to stdout
```

This will provision the AKS cluster and deploy the Envoy Helm chart. After the deployment, you can use the exported `kubeconfigOut` to connect to your Kubernetes cluster with `kubectl` and the `envoyServiceIp` to send traffic to your new Envoy service.