1. Deploy the keycloak-db-storage helm chart on Google Kubernetes Engine (GKE)

    TypeScript

    To deploy a Helm chart on a Google Kubernetes Engine (GKE) cluster using Pulumi, you'll need to perform the following broad steps:

    1. Create a GKE Cluster: Define a Kubernetes cluster on GKE where Keycloak and the associated database storage will be deployed.
    2. Install and Configure Helm: Ensure Helm is set up to manage deployments on the Kubernetes cluster.
    3. Deploy the keycloak-db-storage Helm Chart: Use Pulumi's Chart resource to deploy the required Helm chart to the GKE cluster.

    Below is a Pulumi TypeScript program that performs these steps. This assumes you have set up your GCP credentials and Pulumi correctly. You also need to have Helm installed locally if you wish to manage the Helm charts beyond deployment.

    This program uses the @pulumi/gcp and @pulumi/kubernetes packages:

    • @pulumi/gcp to work with resources in Google Cloud Platform.
    • @pulumi/kubernetes to manage Kubernetes resources, including deploying Helm charts.

    Firstly, ensure you have the necessary Pulumi packages installed:

    # Install the necessary Pulumi packages
    npm install @pulumi/gcp @pulumi/kubernetes

    Here's the Pulumi TypeScript program that describes these resources and actions:

    import * as gcp from "@pulumi/gcp";
    import * as k8s from "@pulumi/kubernetes";
    import * as pulumi from "@pulumi/pulumi";

    // Create a GKE cluster
    const cluster = new gcp.container.Cluster("keycloak-cluster", {
        initialNodeCount: 2,
        nodeVersion: "latest",
        minMasterVersion: "latest",
    });

    // Export the Cluster name
    export const clusterName = cluster.name;

    // Export the Kubeconfig to access the Cluster.
    // Authentication goes through gke-gcloud-auth-plugin (must be installed locally);
    // the legacy "gcp" auth-provider was removed from kubectl and client-go in v1.26.
    export const kubeconfig = pulumi.
        all([cluster.name, cluster.endpoint, cluster.masterAuth]).
        apply(([name, endpoint, masterAuth]) => {
            const context = `${gcp.config.project}_${gcp.config.zone}_${name}`;
            return `apiVersion: v1
    clusters:
    - cluster:
        certificate-authority-data: ${masterAuth.clusterCaCertificate}
        server: https://${endpoint}
      name: ${context}
    contexts:
    - context:
        cluster: ${context}
        user: ${context}
      name: ${context}
    current-context: ${context}
    kind: Config
    preferences: {}
    users:
    - name: ${context}
      user:
        exec:
          apiVersion: client.authentication.k8s.io/v1beta1
          command: gke-gcloud-auth-plugin
          provideClusterInfo: true
    `;
        });

    // Create a Kubernetes provider instance that uses our cluster from above.
    const clusterProvider = new k8s.Provider("keycloak-cluster-provider", {
        kubeconfig: kubeconfig,
    });

    // Create the target namespace; the Chart resource does not create it on a fresh cluster
    const keycloakNamespace = new k8s.core.v1.Namespace("keycloak", {
        metadata: { name: "keycloak" },
    }, { provider: clusterProvider });

    // Deploy the keycloak-db-storage Helm chart
    const keycloakChart = new k8s.helm.v3.Chart("keycloak-db-storage", {
        // Specify the Helm chart, version, and repository
        chart: "keycloak",
        version: "x.y.z", // replace with the desired chart version
        fetchOpts: {
            // replace with the Helm repository URL (use an HTTPS repository)
            repo: "http://storage.googleapis.com/kubernetes-charts",
        },
        // Specify the namespace and values
        namespace: keycloakNamespace.metadata.name,
        values: {
            // Configure values for the Keycloak Helm chart
            // Refer to the Keycloak Helm chart documentation for specific values to set
            // This is an example placeholder for where those settings would go
        },
    }, {
        provider: clusterProvider, // Ensure we use the GKE cluster provider
        dependsOn: [cluster], // Make sure the chart is installed after the cluster is provisioned
    });

    // Export the Helm chart resources
    export const keycloakResources = keycloakChart.resources;

    Explanation:

    • We create a new GKE cluster with minimal configuration, starting with two nodes.
    • We generate a kubeconfig file that you can use to authenticate kubectl against your GKE cluster.
    • We create a Provider resource representing the Kubernetes provider associated with the cluster. This will be targeted by Helm chart deployments.
    • We then declare a Helm chart resource for Keycloak. You'll need to provide the correct chart version and repository URL. Additionally, you may need to specify values in the values property to configure Keycloak according to your needs.
    • dependsOn is used to ensure that the chart is installed only after the GKE cluster is up and running.
    • We export the resources created by the Helm chart in case you want to reference them later, such as by other Pulumi programs or in stack outputs.

    Remember to replace "x.y.z" with the actual version of the Keycloak Helm chart you wish to deploy and the repo with the actual Helm chart repository URL.
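
    A pre-deployment check for those two settings, as an added example that is not part of the original page or of Pulumi: the hypothetical `lintChartSource` helper reports an unpinned or placeholder `version` and a non-HTTPS `repo` before the values are passed to `k8s.helm.v3.Chart`. The sample inputs are constructed, and `charts.example.com` is a placeholder host.

```typescript
// Added example: lint the chart source settings before they reach k8s.helm.v3.Chart.
// lintChartSource and ChartSource are hypothetical names, not Pulumi APIs.
interface ChartSource {
    chart: string;
    version?: string;
    repo?: string;
}

// Exact semantic version, optional "v" prefix, pre-release and build metadata.
// Ranges ("^1.2.0", "1.x"), tags ("latest") and placeholders ("x.y.z") do not match.
const EXACT_VERSION = /^v?\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;

function lintChartSource(src: ChartSource): string[] {
    const findings: string[] = [];
    if (!src.version) {
        findings.push("version: not set, so the newest chart in the repo is deployed");
    } else if (!EXACT_VERSION.test(src.version)) {
        findings.push(`version: "${src.version}" is not an exact pinned version`);
    }
    if (!src.repo) {
        findings.push("repo: not set");
        return findings;
    }
    let url: URL | undefined;
    try { url = new URL(src.repo); } catch { url = undefined; }
    if (!url) {
        findings.push(`repo: "${src.repo}" is not a valid URL`);
        return findings;
    }
    if (url.protocol !== "https:") {
        findings.push(`repo: ${url.protocol}// gives no transport integrity, use https`);
    }
    if (url.username || url.password) {
        findings.push("repo: credentials are embedded in the URL");
    }
    return findings;
}

// Constructed inputs: the program's placeholder values, then a pinned HTTPS source.
const placeholder = lintChartSource({
    chart: "keycloak", version: "x.y.z",
    repo: "http://storage.googleapis.com/kubernetes-charts",
});
const pinned = lintChartSource({
    chart: "keycloak", version: "1.2.3", repo: "https://charts.example.com/stable",
});
console.log(placeholder, pinned);
```

    Calling the check at the top of the Pulumi program and throwing when it returns findings stops `pulumi up` before any chart is fetched.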

    Once you have this program set up, you can deploy it using the Pulumi CLI with:

    pulumi up

    After the deployment is successful, you should have Keycloak up and running on your GKE cluster, backed by persistent storage as defined by the Helm chart.