Deploy the selfsigned-cert-manager helm chart on Google Kubernetes Engine (GKE)

Question

Pulumi · Accepted Answer

Deploying a Helm chart on Google Kubernetes Engine (GKE) involves several steps. First, we need to provision a GKE cluster. After the cluster is up and running, we need to install the Helm CLI, which is a package manager for Kubernetes that allows us to manage applications defined in Helm charts. Finally, we will deploy the `selfsigned-cert-manager` Helm chart on the GKE cluster.

Below is a Pulumi program in TypeScript that performs the following actions:

1. **Create a GKE Cluster**: We use the `Cluster` resource from the `gcp` provider to create a new GKE cluster. This is a simple cluster configuration suitable for deploying Helm charts. You can add additional configurations as needed.
   
2. **Install Helm Chart**: We then use the Pulumi `Chart` resource from the `kubernetes` provider to deploy the `cert-manager` Helm chart. Pulumi understands Helm charts and can install them directly. In this example, we will pretend there's a `selfsigned-cert-manager` chart, but you should replace it with the actual chart name you wish to install. For cert-manager, we typically need to also install the CustomResourceDefinitions (CRDs) which can be handled by setting `skipCRDRendering: false`.

3. **Configure kubeconfig**: To allow Pulumi to communicate with the created GKE cluster, it uses the kubeconfig file, which Pulumi can automatically fetch from GKE once the cluster is created.

4. **Set up self-signed issuer**: After installing cert-manager, you can create a self-signed issuer to issue certificates.

Here is the full program:

```typescript
import * as gcp from "@pulumi/gcp";
import * as k8s from "@pulumi/kubernetes";
import * as pulumi from "@pulumi/pulumi";

// Create a GKE cluster
const cluster = new gcp.container.Cluster("pulumi-gke-cluster", {
    initialNodeCount: 2,
    minMasterVersion: "latest",
    nodeVersion: "latest",
    nodeConfig: {
        machineType: "n1-standard-1",
        oauthScopes: [
            "https://www.googleapis.com/auth/compute",
            "https://www.googleapis.com/auth/devstorage.read_only",
            "https://www.googleapis.com/auth/logging.write",
            "https://www.googleapis.com/auth/monitoring",
        ],
    },
});

// Export the Cluster name
export const clusterName = cluster.name;

// Export the Kubeconfig to access the GKE cluster using kubectl
export const kubeconfig = pulumi.
    all([cluster.name, cluster.endpoint, cluster.masterAuth]).
    apply(([name, endpoint, masterAuth]) => {
        const context = `${gcp.config.project}_${gcp.config.zone}_${name}`;
        return `apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: ${masterAuth.clusterCaCertificate}
    server: https://${endpoint}
  name: ${context}
contexts:
- context:
    cluster: ${context}
    user: ${context}
  name: ${context}
current-context: ${context}
kind: Config
preferences: {}
users:
- name: ${context}
  user:
    auth-provider:
      config:
        cmd-args: config config-helper --format=json
        cmd-path: gcloud
        expiry-key: '{.credential.token_expiry}'
        token-key: '{.credential.access_token}'
      name: gcp
`;
    });

// Initialize a new kubernetes provider with the kubeconfig.
const k8sProvider = new k8s.Provider("gkeK8s", {
    kubeconfig: kubeconfig,
});

// Install the selfsigned-cert-manager Helm chart.
const certManager = new k8s.helm.v3.Chart("cert-manager", {
    chart: "cert-manager",
    version: "v1.3.0", // use the correct version
    namespace: "cert-manager",
    fetchOpts:{
        repo: "https://charts.jetstack.io", // This is the actual cert-manager repo
    },
    // We need to set `skipCRDRendering` to false to install CRDs for cert-manager.
    skipCRDRendering: false,
    values: {
        // Your values here or leave empty if you want the defaults
    },
}, { provider: k8sProvider });

// To interact with resources created by the Chart, you can follow the documentation 
// of the chart for configuring specific resources like a ClusterIssuer for self-signing.

// Export the Helm chart name
export const certManagerName = certManager.getResourceProperty("v1/Namespace", "cert-manager", "metadata").apply(m => m["name"]);

// At this point, your cert-manager is deployed and you can interact with it using kubectl,
// by applying Kubernetes YAML files, or by using the Pulumi Kubernetes SDK.
```

This program sets up a basic GKE cluster and deploys the `cert-manager` Helm chart within it. Make sure you have Helm and kubectl installed on your machine if you intend to interact with the cluster from your local machine.

It's important to note that this code makes some assumptions about the default node type and other settings. Depending on your requirements, you may need to customize the cluster and Helm chart configuration. The `cert-manager` version and repository provided here are examples; please replace them with the desired version and chart information.

Remember to replace the chart name, version, and values with the ones specific to `selfsigned-cert-manager`. If `selfsigned-cert-manager` is a custom or private chart, you'll need to specify the correct `fetchOpts.repo` URL as well.

To deploy this Pulumi program, save it to a file named `index.ts`, set up a new Pulumi project, and run `pulumi up` in the same directory where the file is located. Pulumi will perform the necessary actions to deploy your resources onto GKE.