Deploy the docker-config-secret helm chart on Azure Kubernetes Service (AKS)

Question

Pulumi · Accepted Answer

Deploying a Helm chart on Azure Kubernetes Service (AKS) involves several steps that you can automate using Pulumi. The general flow is as follows:

1. Set up an AKS cluster if you don't already have one.
2. Configure Kubernetes provider in Pulumi to point to your AKS cluster.
3. Deploy the Docker secret configuration using a Helm chart.

Below you'll find a Pulumi TypeScript program that covers these steps. We'll use the `azure-native` package for creating AKS resources and the `kubernetes` package for deploying the Helm chart to the AKS cluster.

First, you will need to install the necessary Pulumi packages. You can do this by running the following command:

```bash
pulumi plugin install resource kubernetes v3.8.1
pulumi plugin install resource azure-native v1.47.0
```

Next, here's the Pulumi program that you can use to accomplish the deployment:

```typescript
import * as pulumi from '@pulumi/pulumi';
import * as azure_native from '@pulumi/azure-native';
import * as k8s from '@pulumi/kubernetes';

// Step 1: Create an AKS cluster (if you don't have one).
// This is a minimal configuration for an AKS cluster. You may need to add more configurations depending on your requirements.

const resourceGroupName = new azure_native.resources.ResourceGroup('myResourceGroup');

const managedCluster = new azure_native.containerservice.ManagedCluster('myAKSCluster', {
    resourceGroupName: resourceGroupName.name,
    agentPoolProfiles: [{
        count: 1,
        maxPods: 110,
        mode: 'System',
        name: 'agentpool',
        osDiskSizeGB: 30,
        osType: 'Linux',
        vmSize: 'Standard_DS2_v2',
    }],
    dnsPrefix: 'myakscluster',
    kubernetesVersion: '1.20.7',
    linuxProfile: {
        adminUsername: 'adminuser',
        ssh: {
            publicKeys: [{ keyData: 'ssh-rsa YOUR_SSH_PUBLIC_KEY' }], // replace YOUR_SSH_PUBLIC_KEY with your actual SSH public key.
        },
    },
    location: resourceGroupName.location,
    enableRBAC: true, // Enable Kubernetes RBAC for the cluster.
});

// Step 2: Configure the Kubernetes provider to point to the AKS cluster.

const creds = pulumi.all([resourceGroupName.name, managedCluster.name]).apply(([resourceGroupName, clusterName]) =>
    azure_native.containerservice.listManagedClusterUserCredentials({
        resourceGroupName: resourceGroupName,
        resourceName: clusterName,
    }),
);

// Export the Kubeconfig.
const kubeconfig = creds.apply(c => Buffer.from(c.kubeconfigs[0].value, 'base64').toString());

const k8sProvider = new k8s.Provider('k8sProvider', {
    kubeconfig: kubeconfig,
});

// Step 3: Deploy the Docker secret configuration using a Helm chart.

const dockerConfigSecretChart = new k8s.helm.v3.Chart('dockerConfigSecretChart', {
    chart: 'docker-config-secret',
    // You will need to specify the chart version and repository or load it from a local path.
    // For example:
    // version: '1.0.0',
    // fetchOpts: { repo: 'http://your-helm-chart-repo/' },
    // values: { /* chart values go here */ },
}, { provider: k8sProvider });

// Export the AKS cluster name and kubeconfig.
export const clusterName = managedCluster.name;
export const kubeconfigOutput = pulumi.secret(kubeconfig); // Marking kubeconfig as a secret to prevent it from being displayed in plaintext outputs.
```

**Please note:** Substitute `YOUR_SSH_PUBLIC_KEY` with your actual SSH public key to ensure you can access nodes in your AKS cluster.

This script does the following:
- It first defines a new Azure Resource Group to hold our AKS cluster.
- It then creates an AKS cluster with a single node pool and RBAC enabled.
- It retrieves the `kubeconfig` for the created AKS cluster which is needed to communicate with your Kubernetes cluster.
- We use pulumi's `secret` function to declare that our `kubeconfig` output should be treated as a secret, avoiding it to be logged in plaintext.
- A Kubernetes provider is set up to point to the newly created AKS cluster using the retrieved `kubeconfig`.
- Finally, we declare a new Helm Chart resource that Pulumi will deploy when you run `pulumi up`. The actual Helm chart should be the docker-config-secret chart you're looking to deploy. For this, you'll need to specify the chart version, repository or possibly the path if it's a locally located chart, and any values that need to be overridden in the default chart configuration.

Remember to install the required Helm chart and any dependencies beforehand or ensure your Helm repository configuration allows fetching the chart.

To execute this program, save it to a file with a `.ts` extension, and run it with `pulumi up`. This will provision the resources as defined in Azure and Kubernetes. Remember that you will need to log in to your Pulumi account and set up the appropriate cloud credentials for Azure before running this command.