1. Deploy the vault-token-injector helm chart on Azure Kubernetes Service (AKS)

    TypeScript

    To deploy the vault-token-injector Helm chart on Azure Kubernetes Service (AKS), you will need to follow these steps:

    1. Set up an AKS cluster: You will need to create an AKS cluster where your applications will be hosted.

    2. Install the Helm chart: Once you have the AKS cluster set up, you will use Pulumi to deploy the vault-token-injector Helm chart to the cluster.

    Let's break down each step with the corresponding Pulumi TypeScript code:

    Step 1: Setting Up an AKS Cluster

    You will start by creating an AKS cluster. The Pulumi resource azure-native.containerservice.ManagedCluster from the azure-native package will be used to provision an AKS cluster. This resource allows you to define the properties of an AKS cluster including the node pool, which defines the size and number of VMs that run your applications.

    Step 2: Deploy the Helm Chart

    With the AKS cluster in place, you'll then deploy the vault-token-injector Helm chart using the kubernetes.helm.v3.Chart resource from the kubernetes provider. Helm charts help you define, install, and upgrade even the most complex Kubernetes applications.

    Below is a program written in TypeScript which carries out these steps. Make sure you have Pulumi installed and configured to run with Azure.

    import * as pulumi from "@pulumi/pulumi";
    import * as azure_native from "@pulumi/azure-native";
    import * as kubernetes from "@pulumi/kubernetes";

    // Step 1: Create an Azure Resource Group
    const resourceGroup = new azure_native.resources.ResourceGroup("myResourceGroup");

    // Create an AKS cluster
    const managedCluster = new azure_native.containerservice.ManagedCluster("myAksCluster", {
        resourceGroupName: resourceGroup.name,
        agentPoolProfiles: [{
            count: 1,
            maxPods: 110,
            mode: "System",
            name: "agentpool",
            osType: "Linux",
            vmSize: "Standard_DS2_v2",
        }],
        dnsPrefix: "myakscluster",
        enableRBAC: true,
        kubernetesVersion: "1.18.14", // replace with a version AKS currently supports
        linuxProfile: {
            adminUsername: "adminuser",
            ssh: {
                publicKeys: [{
                    keyData: "your-ssh-public-key",
                }],
            },
        },
        servicePrincipalProfile: {
            clientId: "your-service-principal-client-id",
            secret: "your-service-principal-client-secret",
        },
    });

    // ManagedCluster has no kubeConfig output: request the cluster's user
    // credentials and decode the base64-encoded kubeconfig they carry.
    const credentials = azure_native.containerservice.listManagedClusterUserCredentialsOutput({
        resourceGroupName: resourceGroup.name,
        resourceName: managedCluster.name,
    });

    // Export the AKS cluster kubeconfig, marked as a secret so that it is
    // encrypted in the stack state and masked in CLI output
    export const kubeconfig = pulumi.secret(credentials.kubeconfigs.apply(configs =>
        Buffer.from(configs[0].value, "base64").toString()));

    // Step 2: Deploy the Helm Chart onto the AKS cluster
    const aksCluster = new kubernetes.Provider("aksCluster", {
        kubeconfig: kubeconfig,
    });

    const chart = new kubernetes.helm.v3.Chart("vault-token-injector", {
        chart: "vault-token-injector",
        version: "0.1.0", // replace with the exact chart version
        fetchOpts: {
            repo: "https://your-helm-chart-repository/", // replace with the vault-token-injector Helm chart repository URL
        },
    }, { provider: aksCluster });

    // Export the Chart's status. Chart has no status property, so export the
    // names of the Kubernetes resources the chart rendered.
    export const chartStatus = chart.resources.apply(resources => Object.keys(resources));

    In the code above, replace your-ssh-public-key with your actual public SSH key, and put the actual clientId and secret for your service principal. Also, replace https://your-helm-chart-repository/ with the correct Helm chart repository URL for vault-token-injector.

    The kubeconfig output will allow you to interact with your AKS cluster using tools like kubectl. The chartStatus can be used to check the status of the deployment.

    What's happening in the code?

    • Resource Group: A resource group is a container that holds related resources for an Azure solution. In this code, a resource group named myResourceGroup is created.

    • AKS Cluster: The AKS cluster is defined with one agent pool that has a VM size suitable for most general-purpose workloads. RBAC is enabled for security, and you must provide your own SSH public key and service principal credentials.

    • Kubernetes Provider: This is the Pulumi provider instance which uses the kubeconfig of the AKS cluster to interact with it.

    • Helm Chart: Using the kubernetes.helm.v3.Chart resource, the vault-token-injector chart is fetched from the provided Helm repository and deployed to the AKS cluster. The provider field ensures that this Helm chart is deployed on the previously created AKS cluster.

    Running the program

    To run this Pulumi program, save it to a file named index.ts, then execute the following commands in the terminal:

    pulumi stack init dev   # Initialize a new Pulumi stack called 'dev'
    pulumi up               # Deploy the changes

    After you run pulumi up, you will be shown a preview of the resources that will be created. Upon confirmation, Pulumi will provision the resources in the order specified by the program.

    Once deployment is complete, you can use the output kubeconfig to manage your AKS cluster with kubectl and see the status of your Helm chart deployment.

    Remember, it is important to keep your service principal credentials and SSH keys secure and manage access to them according to your organization’s security policies.
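
A pre-commit check that could be run over index.ts so that a real client secret pasted into servicePrincipalProfile, or a kubeconfig exported in plaintext, is caught before it reaches version control. This is an added example, not code from the original page or from Pulumi. The rule set and the names `auditPulumiSource`, `cfg` and `clusterKubeconfig` are assumptions, while `requireSecret` and `pulumi.secret` are Pulumi's own calls.

```typescript
// Added example: static pre-commit check for a Pulumi program (not Pulumi tooling).
interface Finding { line: number; rule: string; detail: string }

const RULES: { rule: string; pattern: RegExp; detail: (m: RegExpExecArray) => string }[] = [
    {   // A non-empty string literal assigned to a credential property.
        rule: "hardcoded-credential",
        pattern: /\b(secret|clientSecret|password)\s*:\s*(["'`])((?:(?!\2).)+)\2/g,
        detail: m => `${m[1]} is set to a ${m[3].length}-character string literal`,
    },
    {   // A kubeconfig export that is not wrapped in pulumi.secret(...).
        rule: "plaintext-kubeconfig-export",
        pattern: /export\s+const\s+(\w*kubeconfig\w*)\s*=(?!\s*pulumi\.secret\()/gi,
        detail: m => `${m[1]} is exported without pulumi.secret()`,
    },
];

function auditPulumiSource(source: string): Finding[] {
    // Blank out full-line comments but keep newlines so line numbers stay correct.
    const code = source.replace(/^[ \t]*\/\/.*$/gm, "");
    const findings: Finding[] = [];
    for (const { rule, pattern, detail } of RULES) {
        pattern.lastIndex = 0;
        let m: RegExpExecArray | null;
        while ((m = pattern.exec(code)) !== null) {
            const line = code.slice(0, m.index).split("\n").length;
            findings.push({ line, rule, detail: detail(m) }); // the value itself is never echoed
        }
    }
    return findings.sort((a, b) => a.line - b.line);
}

// Constructed samples; cfg and clusterKubeconfig are hypothetical names.
const literalCredentials = [
    'servicePrincipalProfile: {',
    '    secret: "your-service-principal-client-secret",',
    '},',
    '// secret: "commented-out-value"',
    'export const kubeconfig = clusterKubeconfig;',
].join("\n");
const configBacked = [
    'servicePrincipalProfile: {',
    '    secret: cfg.requireSecret("clientSecret"),',
    '},',
    'export const kubeconfig =',
    '    pulumi.secret(clusterKubeconfig);',
].join("\n");

console.log(auditPulumiSource(literalCredentials), auditPulumiSource(configBacked));
```

The check treats any literal, placeholder or real, as a finding, so the field has to be sourced from stack configuration for the program to pass.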