1. Deploy the namespace-rbac-cronjob Helm chart on AWS EKS

    TypeScript

    To deploy a Helm chart on AWS EKS using Pulumi, we need to set up several resources:

    1. EKS Cluster: A managed Kubernetes service that we'll use to deploy our Helm chart.
    2. Kubernetes Service Role: The IAM service role that EKS will use to manage resources on our behalf.
    3. ECR Repository (Optional): If the Docker images used by the Helm chart are not public, we'll need an Elastic Container Registry to store the images.

    Here's a step-by-step guide to deploying the namespace-rbac-cronjob Helm chart on AWS EKS with Pulumi TypeScript:

    Step 1: Import necessary modules

    We'll begin by importing the Pulumi AWS, EKS, and Kubernetes modules.

    ```typescript
    import * as aws from "@pulumi/aws";
    import * as awsx from "@pulumi/awsx";
    import * as eks from "@pulumi/eks";
    import * as k8s from "@pulumi/kubernetes";
    ```

    Step 2: Set up an EKS Cluster

    Let's create an EKS cluster. We need an IAM role for the EKS service and the node group so that they have the permissions to manage resources:

    ```typescript
    // Create an IAM role for the EKS cluster with the necessary AWS managed policies.
    const eksRole = new aws.iam.Role("eksRole", {
        assumeRolePolicy: aws.iam.assumeRolePolicyForPrincipal({ Service: "eks.amazonaws.com" }),
    });

    const servicePolicyAttachment = new aws.iam.RolePolicyAttachment("eks-service-policy", {
        policyArn: "arn:aws:iam::aws:policy/AmazonEKSServicePolicy",
        role: eksRole.name,
    });

    const clusterPolicyAttachment = new aws.iam.RolePolicyAttachment("eks-cluster-policy", {
        policyArn: "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy",
        role: eksRole.name,
    });

    // Look up the account's default VPC (awsx 1.x and later; this creates no resources).
    const defaultVpc = new awsx.ec2.DefaultVpc("default-vpc");

    // Create an EKS cluster.
    const cluster = new eks.Cluster("my-eks-cluster", {
        serviceRole: eksRole, // eks.Cluster takes the role object via serviceRole; it has no roleArn option.
        vpcId: defaultVpc.vpcId, // Use the default VPC.
        subnetIds: defaultVpc.publicSubnetIds, // A default VPC's subnets are public, so use those.
        version: "1.18", // Specify your desired Kubernetes version here; it must be one EKS still offers.
        instanceType: "t2.medium", // Specify the desired instance type for your workloads.
        desiredCapacity: 2, // This is the desired number of worker nodes.
        minSize: 1,
        maxSize: 3,
    }, { dependsOn: [servicePolicyAttachment, clusterPolicyAttachment] }); // Attach policies before creating the cluster.
    ```

    Step 3: Set up an RBAC-enabled Namespace

    Before deploying the Helm chart, let's create a namespace and a service account with necessary RBAC roles:

    ```typescript
    const ns = new k8s.core.v1.Namespace("namespace-rbac", {
        metadata: { name: "rbac-ns" },
    }, { provider: cluster.provider });

    const sa = new k8s.core.v1.ServiceAccount("sa-rbac", {
        metadata: { namespace: ns.metadata.name, name: "rbac-service-account" },
    }, { provider: cluster.provider });

    // Create a role with the necessary permissions for the cron job
    const role = new k8s.rbac.v1.Role("role-rbac", {
        metadata: {
            namespace: ns.metadata.name,
        },
        rules: [{
            apiGroups: [""], // "" indicates the core API group
            resources: ["pods"],
            verbs: ["create", "list", "get", "delete"],
        }],
    }, { provider: cluster.provider });

    // Bind the service account to the role
    const roleBinding = new k8s.rbac.v1.RoleBinding("rolebinding-rbac", {
        metadata: {
            namespace: ns.metadata.name,
        },
        subjects: [{
            kind: "ServiceAccount",
            name: sa.metadata.name,
            namespace: ns.metadata.name,
        }],
        roleRef: {
            kind: "Role",
            name: role.metadata.name,
            apiGroup: "rbac.authorization.k8s.io",
        },
    }, { provider: cluster.provider });
    ```

    Step 4: Deploy Helm Chart

    Now that we have the namespace and RBAC setup, we can deploy the Helm chart using the helm.v3.Chart class from Pulumi's Kubernetes package:

    ```typescript
    // Deploy a Helm chart
    const helmChart = new k8s.helm.v3.Chart("my-cronjob-chart", {
        chart: "namespace-rbac-cronjob", // Make sure to specify the correct Helm chart name here.
        namespace: ns.metadata.name,
        // Values to pass to the Helm chart.
        values: {
            // ... specify the chart values here, according to the Helm chart's requirements.
        },
    }, { provider: cluster.provider });
    ```

    Remember that you need to have the Helm chart namespace-rbac-cronjob available. If that's a custom chart, you'd need to upload it to a chart repository or load it from a local path.


    This program creates an AWS EKS cluster, sets up a Kubernetes namespace with RBAC, and deploys a Helm chart in that namespace. Once you run this Pulumi program, it will provision all the resources in your AWS account, and you'll have the Helm chart running inside an EKS cluster.

    To check the status of your resources or fetch outputs like the EKS endpoint or kubeconfig, you can use pulumi stack output, which lists the values the program exports as stack outputs. Remember to set up your AWS credentials and Pulumi before you start the deployment process.
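
The Role in Step 3 is the least-privilege boundary for the cron job's service account, so it is worth linting its rules before deployment. The following is an added example, not part of the original program or of Pulumi's libraries; `auditRules`, its verb and resource lists, and `broadRule` are assumptions made for illustration, while `pageRule` repeats the rule from Step 3.

```typescript
// Added example, not part of the original program: lint RBAC rules before deploying them.
interface PolicyRule { apiGroups: string[]; resources: string[]; verbs: string[]; }
interface Finding { severity: "high" | "review"; rule: number; message: string; }

const WRITE_VERBS = ["create", "update", "patch", "*"];
const READ_VERBS = ["get", "list", "watch", "*"];
const ESCALATION_VERBS = ["escalate", "bind", "impersonate"];
const RBAC_OBJECTS = ["roles", "rolebindings", "clusterroles", "clusterrolebindings"];
const WORKLOADS = ["pods", "deployments", "daemonsets", "statefulsets", "jobs", "cronjobs"];
const has = (list: string[], x: string): boolean => list.indexOf(x) >= 0;

// Returns one finding per risky grant; `rule` is the index of the offending rule.
function auditRules(rules: PolicyRule[]): Finding[] {
  const findings: Finding[] = [];
  rules.forEach((r, i) => {
    const flag = (severity: Finding["severity"], message: string): void => {
      findings.push({ severity, rule: i, message });
    };
    const writes = r.verbs.some(v => has(WRITE_VERBS, v));
    const reads = r.verbs.some(v => has(READ_VERBS, v));

    if ([r.apiGroups, r.resources, r.verbs].some(l => has(l, "*"))) {
      flag("high", "wildcard grant; list API groups, resources and verbs explicitly");
    }
    for (const v of r.verbs.filter(x => has(ESCALATION_VERBS, x))) {
      flag("high", `verb '${v}' allows privilege escalation`);
    }
    for (const res of r.resources) {
      if (res === "secrets" && reads) flag("high", "can read Secrets in the namespace");
      if (has(RBAC_OBJECTS, res) && writes) flag("high", `can modify RBAC object '${res}'`);
      if (has(WORKLOADS, res) && writes) {
        flag("review", `can create or modify '${res}': workloads can run as any ServiceAccount in the namespace`);
      }
    }
  });
  return findings;
}

// The rule from the Role in Step 3.
const pageRule: PolicyRule = { apiGroups: [""], resources: ["pods"], verbs: ["create", "list", "get", "delete"] };
// Constructed over-broad rule for contrast (not from the page).
const broadRule: PolicyRule = { apiGroups: ["*"], resources: ["*"], verbs: ["*"] };

console.log("step 3 rule:", JSON.stringify(auditRules([pageRule])));
console.log("broad rule:", JSON.stringify(auditRules([broadRule])));
```

The Step 3 rule yields a single "review" finding because `create` on pods lets the holder start pods under any service account in that namespace, which is why the Role should stay confined to a dedicated namespace such as rbac-ns.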