1. Deploy the vault-helm-chart helm chart on Google Kubernetes Engine (GKE)


    Deploying a Helm chart on a Google Kubernetes Engine (GKE) cluster typically involves a few key steps:

    1. Setting up a GKE cluster.
    2. Installing Helm, a package manager for Kubernetes that simplifies the deployment of applications.
    3. Adding the necessary Helm chart repository that includes the Vault Helm chart.
    4. Installing the Vault Helm chart from the repository onto your GKE cluster.

    For the setup below, you'll need:

    • An active Google Cloud Platform (GCP) account with the necessary permissions to create GKE clusters and interact with Google Container Registry.
    • kubectl installed and configured to interact with your Kubernetes cluster.
    • Helm installed and configured on your machine. Helm will communicate with the Kubernetes cluster to deploy the Vault chart.

    Below, you'll find a Pulumi program written in TypeScript, that demonstrates how to carry out the aforementioned steps programmatically. Make sure you have followed the Pulumi installation and setup guide and have authenticated to GCP.

    Here's a Pulumi TypeScript program that deploys a GKE cluster and installs the Vault Helm chart onto it:

    import * as pulumi from "@pulumi/pulumi"; import * as gcp from "@pulumi/gcp"; import * as k8s from "@pulumi/kubernetes"; // Create a GKE cluster const cluster = new gcp.container.Cluster("vault-cluster", { initialNodeCount: 2, nodeConfig: { machineType: "n1-standard-1", oauthScopes: [ "https://www.googleapis.com/auth/compute", "https://www.googleapis.com/auth/devstorage.read_only", "https://www.googleapis.com/auth/logging.write", "https://www.googleapis.com/auth/monitoring", ], }, }); // Export the Kubeconfig so that the Kubernetes provider can use it to communicate with the GKE cluster const kubeconfig = pulumi. all([cluster.name, cluster.endpoint, cluster.masterAuth]). apply(([name, endpoint, masterAuth]) => { const context = `${gcp.config.project}_${gcp.config.zone}_${name}`; return `apiVersion: v1 clusters: - cluster: certificate-authority-data: ${masterAuth.clusterCaCertificate} server: https://${endpoint} name: ${context} contexts: - context: cluster: ${context} user: ${context} name: ${context} current-context: ${context} kind: Config preferences: {} users: - name: ${context} user: auth-provider: config: cmd-args: config config-helper --format=json cmd-path: gcloud expiry-key: '{.credential.token_expiry}' token-key: '{.credential.access_token}' name: gcp `; }); // Create a Kubernetes provider instance that uses our cluster from above const provider = new k8s.Provider("gkeK8s", { kubeconfig: kubeconfig, }); // Add the Helm chart repository const vaultRepo = "https://helm.releases.hashicorp.com"; // Install Vault Helm chart const vaultChart = new k8s.helm.v3.Chart("vault", { chart: "vault", version: "0.13.0", // specify the version you wish to use fetchOpts: { repo: vaultRepo, }, }, { provider: provider }); // Export the Vault Helm chart status export const vaultStatus = vaultChart.status;

    In this program:

    • We use the @pulumi/gcp package to create a new GKE cluster with gcp.container.Cluster.
    • The @pulumi/kubernetes package is used to interact with Kubernetes, specifically to set up Helm and deploy a Helm chart.
    • The kubeconfig variable is created to authenticate the Kubernetes provider with your GKE cluster. It uses Pulumi's pulumi.all to construct a kubeconfig file from the GKE cluster's data.
    • A Kubernetes provider (k8s.Provider) is instantiated using the generated kubeconfig, which in turn is used to deploy resources on the Kubernetes cluster.
    • We then use k8s.helm.v3.Chart to deploy Vault using its Helm chart. Note that the version parameter is optional, specifying it here for demonstration purposes. You can change or omit it as needed. Ensure that you're using a valid chart version by checking Vault's Helm Chart repository.

    You would run this Pulumi program with the Pulumi CLI. After you set up Pulumi and your GCP credentials, run the following commands in your terminal:

    pulumi stack init dev pulumi up

    This will set up the necessary resources in GCP and deploy the Vault Helm chart onto GKE. After the deployment is complete, Pulumi will output any exported variables, such as vaultStatus in this instance. You would use kubectl commands to interact with your Vault instance on GKE afterwards. Remember, any interaction with Vault beyond deployment (like initializing and unsealing) should be done following Vault's documentation outside of Pulumi.

    When you are done with your deployment and wish to clean up resources, you can run:

    pulumi destroy

    This command de-provisions all resources associated with the current stack.