Deploy the istio-egress-gateway helm chart on Google Kubernetes Engine (GKE)

Question

Pulumi · Accepted Answer

To deploy the Istio Egress Gateway Helm chart on Google Kubernetes Engine (GKE), you will need to perform the following steps:

1. Set up a GKE cluster where you will deploy the Istio Egress Gateway.
2. Install the Helm CLI tool locally or within a CI/CD system that will run the deployment.
3. Add the Istio Helm chart repository to your Helm configuration.
4. Create a Helm chart deployment for the Istio Egress Gateway onto your GKE cluster.
5. Verify that the Istio Egress Gateway is successfully deployed and operational.

Below is a Pulumi program written in TypeScript that demonstrates how to automate this deployment. The program assumes that you have already configured Pulumi with the appropriate credentials to access Google Cloud.

Firstly, we'll add the necessary package imports and setup the GKE cluster.

```typescript
import * as gcp from "@pulumi/gcp";
import * as k8s from "@pulumi/kubernetes";
import { Config } from "@pulumi/pulumi";

// Configuration for the GKE cluster
const config = new Config();
const projectName = config.require("gcpProject");
const clusterZone = config.require("gcpZone");

// Create a GKE cluster to deploy Istio Egress Gateway
const cluster = new gcp.container.Cluster("istio-gke-cluster", {
    initialNodeCount: 2,
    nodeVersion: "latest", // Use the latest GKE node version
    minMasterVersion: "latest", // Use the latest GKE master version
    location: clusterZone,
    project: projectName,
});

// Export the cluster name and kubeconfig
export const clusterName = cluster.name;
export const kubeconfig = cluster.name.apply(name => {
    return gcp.container.getCluster({
        name: name,
        location: clusterZone,
        project: projectName,
    }).then(cluster => {
        const context = `${cluster.project}_${cluster.location}_${cluster.name}`;
        return `apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: ${cluster.masterAuth.clusterCaCertificate}
    server: https://${cluster.endpoint}
  name: ${context}
contexts:
- context:
    cluster: ${context}
    user: ${context}
  name: ${context}
current-context: ${context}
kind: Config
preferences: {}
users:
- name: ${context}
  user:
    auth-provider:
      config:
        cmd-args: config config-helper --format=json
        cmd-path: gcloud
        expiry-key: '{.credential.token_expiry}'
        token-key: '{.credential.access_token}'
      name: gcp
`;
    });
});

// Initialize a Kubernetes provider with the above cluster's kubeconfig
const k8sProvider = new k8s.Provider("gke-k8s", {
    kubeconfig: kubeconfig,
});
```

This sets up a Pulumi stack configuration for the project name and GKE cluster zone which are required to create a GKE cluster (these values need to be provided by you). We create a cluster with `initialNodeCount` set to 2 and use the latest GKE versions for nodes and master.

We also export the `clusterName` and the `kubeconfig` which is needed to communicate with the cluster using the Kubernetes API. An instance of `k8s.Provider` is initialized with the generated `kubeconfig`, this provider will be used to interact with our GKE cluster.

Next, we will deploy the Istio Egress Gateway Helm chart onto the GKE cluster we created.

```typescript
import * as pulumi from "@pulumi/pulumi";
import * as k8s from "@pulumi/kubernetes";

//...[previous code comes here]...

// Deploy Istio Egress Gateway Helm chart
const istioEgressGateway = new k8s.helm.v3.Chart("istio-egress", {
    chart: "istio-egressgateway",
    version: "1.11.4", // Specify the version of Istio you want to deploy
    fetchOpts: {
        repo: "https://istio-release.storage.googleapis.com/charts",
    },
}, { provider: k8sProvider });

// Export the resources that we have created
export const istioEgressGatewayName = istioEgressGateway.getResourceProperty(
    "v1/Service", "istio-egress/istio-egressgateway", "metadata", "name");
```

Here we define a new Helm chart component resource and specify that we want to deploy the `istio-egressgateway` Helm chart. The version `1.11.4` should be replaced with the exact version you want to deploy. We pull this chart from the official Istio release storage repository.

After deploying the Helm chart, we export the service name as `istioEgressGatewayName`. This service is the LoadBalancer that gets created to access your Istio Egress Gateway from outside the GKE cluster.

To confirm that the Istio Egress Gateway is running correctly, you would typically use `kubectl` commands, such as `kubectl get svc -n istio-system`, to see the service and its external IP after deployment. The external IP will allow you to configure external services that your in-cluster services need to access securely.

This program should provide you with a solid foundation for deploying the Istio Egress Gateway on GKE with Pulumi. You may need to add additional configurations specific to your environment or use case. As always, refer to the [Istio official documentation](https://istio.io/latest/docs/setup/additional-setup/helm/) for more details on customizing your Istio installation.