Deploy the simple-keycloak helm chart on Google Kubernetes Engine (GKE)

Question

Pulumi · Accepted Answer

Deploying a Helm chart on Google Kubernetes Engine (GKE) involves several steps. Here's a high-level overview, followed by the Pulumi TypeScript code that accomplishes this:

1. **Provision a GKE Cluster**: Use Pulumi's GCP provider to create a GKE Cluster. This will be the environment where Keycloak will run.
2. **Install the Helm Chart**: Pulumi has a native Kubernetes provider which can be used to deploy Helm charts directly into a Kubernetes cluster.

In this case, we will use the `kubernetes.helm.v3.Chart` resource to deploy the `simple-keycloak` Helm chart onto our GKE cluster. To do this, first, we need to create a Kubernetes cluster in GKE with the `google-native.container.v1.Cluster` resource. Once the cluster is up and running, we utilize the Helm Chart resource to deploy Keycloak.

Below you'll find the Pulumi TypeScript code to accomplish this deployment:

```typescript
import * as gcp from "@pulumi/gcp";
import * as k8s from "@pulumi/kubernetes";
import * as pulumi from "@pulumi/pulumi";

// Create a GKE cluster.
const cluster = new gcp.container.Cluster("gke-cluster", {
    initialNodeCount: 2,
    minMasterVersion: "latest",
    nodeVersion: "latest",
    nodeConfig: {
        preemptible: true,
        machineType: "e2-medium",
        oauthScopes: [
            "https://www.googleapis.com/auth/compute",
            "https://www.googleapis.com/auth/devstorage.read_only",
            "https://www.googleapis.com/auth/logging.write",
            "https://www.googleapis.com/auth/monitoring",
        ],
    },
});

// Export the Cluster name and Kubeconfig so we can easily interact with the Cluster using kubectl
export const clusterName = cluster.name;
export const kubeconfig = pulumi.
    all([cluster.name, cluster.endpoint, cluster.masterAuth]).
    apply(([name, endpoint, masterAuth]) => {
        const context = `${gcp.config.project}_${gcp.config.zone}_${name}`;
        return `apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: ${masterAuth.clusterCaCertificate}
    server: https://${endpoint}
  name: ${context}
contexts:
- context:
    cluster: ${context}
    user: ${context}
  name: ${context}
current-context: ${context}
kind: Config
preferences: {}
users:
- name: ${context}
  user:
    auth-provider:
      config:
        cmd-args: config config-helper --format=json
        cmd-path: gcloud
        expiry-key: '{.credential.token_expiry}'
        token-key: '{.credential.access_token}'
      name: gcp
`;
    });

// Create a Kubernetes provider instance that uses our cluster from above.

const clusterProvider = new k8s.Provider("gke-k8s", {
    kubeconfig: kubeconfig,
});

// Deploy the simple-keycloak Helm chart.
const keycloak = new k8s.helm.v3.Chart("simple-keycloak", {
    chart: "keycloak",
    version: "13.0.1", // Use the specific chart version you want to deploy; refer to your helm repository for the correct version.
    fetchOpts:{
        repo: "https://codecentric.github.io/helm-charts", // This is the helm repository where the keycloak chart is hosted.
    },
    values: {
        persistence: {
            deployPostgres: true, // Changes this setting according to whether you want an in-cluster Postgres or not.
        },
        // Include here any other values you might want to override from the default chart values.
    },
}, { provider: clusterProvider });

// Export the Keycloak service endpoint to access it
export const keycloakEndpoint = keycloak.getResourceProperty("v1/Service", "simple-keycloak", "status")
    .apply(status => `http://${status.loadBalancer.ingress[0].ip}:8080`);
```

Here's what each part of the code is doing:

- We start by importing the necessary Pulumi packages for GCP and Kubernetes.
- Next, we create a GKE cluster with two nodes using the `gcp.container.Cluster` class. We've made the nodes `preemptible` to reduce costs, and specified OAuth scopes that the nodes will need.
- We define `kubeconfig` which is a configuration file that allows Kubernetes command-line tool `kubectl` to access the cluster.
- We create a Kubernetes provider `clusterProvider` which is a Pulumi concept that packages the configuration needed to manage Kubernetes resources within the cluster.
- We deploy Keycloak using the `k8s.helm.v3.Chart` class, specifying the `keycloak` chart from the `codecentric` Helm chart repository. The `values` parameter allows us to override default values from the chart, such as enabling the deployment of a Postgres instance.
- Finally, we export the `keycloakEndpoint` which will allow us to access the Keycloak service from outside the cluster.

This code assumes you have Pulumi and `gcloud` CLI set up and configured to interact with your GCP account. When you run this Pulumi program, it will provision the necessary infrastructure and deploy the `simple-keycloak` Helm chart to the GKE cluster. Remember to run `pulumi up` from the same directory as your program to initiate the deployment.

Make sure to have the Helm repository added that contains the `simple-keycloak` chart if the Helm chart is available from a particular source, and replace the `values` with the actual values that you want to configure for your Keycloak installation.