Deploy the aws-container-insight-fluent-bit helm chart on Azure Kubernetes Service (AKS)

Question

Pulumi · Accepted Answer

To deploy the `aws-container-insight-fluent-bit` Helm chart on Azure Kubernetes Service (AKS), you'll proceed through a few stages:

1. **Provision an AKS Cluster**: You need to start with a running Kubernetes cluster on the Azure cloud platform. You will use Pulumi's `azure-native` library to create and configure this cluster.
2. **Install Helm and Setup**: Helm is the package manager for Kubernetes, which helps in deploying and managing Kubernetes applications. Pulumi provides an integration with Helm via its `kubernetes` library.
3. **Deploy the Helm Chart**: You will deploy the `aws-container-insight-fluent-bit` Helm chart on the provisioned AKS cluster.

Below is a complete Pulumi program written in TypeScript that demonstrates each of these steps. The program includes the necessary imports, creating an AKS cluster, and deploying the Helm chart to this cluster.

Here is the program that accomplishes all these tasks:

```typescript
import * as azure from "@pulumi/azure";
import * as k8s from "@pulumi/kubernetes";
import * as pulumi from "@pulumi/pulumi";
import * as azuread from "@pulumi/azuread";
import * as azure_native from "@pulumi/azure-native";

// Step 1: Provision an AKS Cluster.
// Create an Azure AD service principal for the AKS cluster.
const adApp = new azuread.Application("aks");
const adSp = new azuread.ServicePrincipal("aksSp", { applicationId: adApp.applicationId });
const adSpPassword = new azuread.ServicePrincipalPassword("aksSpPassword", {
    servicePrincipalId: adSp.id,
    value: "REPLACE_WITH_A_SECURE_PASSWORD",
    endDate: "2099-01-01T00:00:00Z",
});

const resourceGroup = new azure_native.resources.ResourceGroup("aksRg", {
    resourceGroupName: "aksResourceGroup",
    location: "West US",
});

const vnet = new azure_native.network.VirtualNetwork("aksVnet", {
    resourceGroupName: resourceGroup.name,
    location: resourceGroup.location,
    addressSpace: {
        addressPrefixes: ["10.2.0.0/16"],
    },
    subnets: [{
        name: "aksSubnet",
        addressPrefix: "10.2.0.0/24",
    }],
});

const subnet = vnet.subnets[0];

const aksCluster = new azure_native.containerservice.ManagedCluster("aksCluster", {
    resourceGroupName: resourceGroup.name,
    agentPoolProfiles: [{
        name: "aksagentpool",
        count: 1,
        vmSize: "Standard_DS2_v2",
        osType: "Linux",
        subnetId: subnet.id,
    }],
    dnsPrefix: `${pulumi.getStack()}-kube`,
    enabledRBAC: true,
    kubernetesVersion: "1.18.14",
    linuxProfile: {
        adminUsername: "adminuser",
        ssh: {
            publicKeys: [{
                keyData: "ssh-rsa ...", // Replace with your SSH public key
            }],
        },
    },
    servicePrincipalProfile: {
        clientId: adSp.applicationId,
        secret: adSpPassword.value,
    },
});

// Export the AKS cluster's kubeconfig.
export const kubeconfig = pulumi.all([aksCluster.name, resourceGroup.name]).apply(([aksClusterName, aksRgName]) => {
    return azure.containerservice.getKubeConfig({
        name: aksClusterName,
        resourceGroupName: aksRgName,
    }).then(kc => kc.kubeConfigs[0].value);
});

// Step 2: Install Helm and Setup.
// Use the AKS cluster kubeconfig to create a provider instance for the kubernetes provider.
const k8sProvider = new k8s.Provider("k8sProvider", {
    kubeconfig: kubeconfig,
});

// Step 3: Deploy the Helm Chart.
// Deploy the aws-container-insight-fluent-bit on the AKS cluster using the kubernetes provider.
const fluentBitHelmChart = new k8s.helm.v3.Chart("fluent-bit", {
    chart: "aws-container-insight-fluent-bit",
    fetchOpts: {
        repo: "https://aws.github.io/eks-charts",
    },
}, { provider: k8sProvider });

// Export the Helm chart name.
export const fluentBitChartName = fluentBitHelmChart.id;
```

**Note:** As a security best practice, do not hardcode your service principal password or SSH key in plaintext. You may want to use secret management tools like Pulumi's `Config` or Azure Key Vault for such sensitive information.

This program completes the following actions:

- Sets up a new Azure AD application and service principal that AKS uses to manage resources on your behalf in Azure.
- Creates a new resource group and provisions a virtual network with a subnet in it. This network will hold your AKS cluster's resources.
- Provisions an AKS cluster with a single node pool using size `Standard_DS2_v2` VMs.
- Fetches the generated `kubeconfig` file that you need to use to communicate with your AKS cluster.
- Sets up a Helm chart provider configured to deploy on your AKS cluster using the retrieved `kubeconfig`.
- Uses the Helm chart provider to deploy the `aws-container-insight-fluent-bit` chart from the specified Helm repository.

To apply this Pulumi program:

1. Save the code to a file named `index.ts` in a new Pulumi project directory.
2. Replace the placeholders – for example, `REPLACE_WITH_A_SECURE_PASSWORD` with a secure password, and the placeholder for the SSH public key with your actual SSH public key.
3. Run `pulumi up` from the command line in the same directory as your `index.ts` file. Pulumi will perform the deployment, which you can monitor directly from your terminal.

Remember, for production deployments, it's crucial to handle secrets (like the service principal password) with care to avoid leaking sensitive information. Use Pulumi's secret handling capabilities or an external secret store for better security practices.