Deploy the vault-helm-chart helm chart on Google Kubernetes Engine (GKE)

Question

Pulumi · Accepted Answer

Deploying a Helm chart on a Google Kubernetes Engine (GKE) cluster typically involves a few key steps:

1. Setting up a GKE cluster.
2. Installing Helm, a package manager for Kubernetes that simplifies the deployment of applications.
3. Adding the necessary Helm chart repository that includes the Vault Helm chart.
4. Installing the Vault Helm chart from the repository onto your GKE cluster.

For the setup below, you'll need:
- An active Google Cloud Platform (GCP) account with the necessary permissions to create GKE clusters and interact with Google Container Registry.
- `kubectl` installed and configured to interact with your Kubernetes cluster.
- Helm installed and configured on your machine. Helm will communicate with the Kubernetes cluster to deploy the Vault chart.

Below, you'll find a Pulumi program written in TypeScript, that demonstrates how to carry out the aforementioned steps programmatically. Make sure you have followed the Pulumi [installation and setup guide](https://www.pulumi.com/docs/get-started/gcp/) and have authenticated to GCP.

Here's a Pulumi TypeScript program that deploys a GKE cluster and installs the Vault Helm chart onto it:

```typescript
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
import * as k8s from "@pulumi/kubernetes";

// Create a GKE cluster
const cluster = new gcp.container.Cluster("vault-cluster", {
    initialNodeCount: 2,
    nodeConfig: {
        machineType: "n1-standard-1",
        oauthScopes: [
            "https://www.googleapis.com/auth/compute",
            "https://www.googleapis.com/auth/devstorage.read_only",
            "https://www.googleapis.com/auth/logging.write",
            "https://www.googleapis.com/auth/monitoring",
        ],
    },
});

// Export the Kubeconfig so that the Kubernetes provider can use it to communicate with the GKE cluster
const kubeconfig = pulumi.
    all([cluster.name, cluster.endpoint, cluster.masterAuth]).
    apply(([name, endpoint, masterAuth]) => {
        const context = `${gcp.config.project}_${gcp.config.zone}_${name}`;
        return `apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: ${masterAuth.clusterCaCertificate}
    server: https://${endpoint}
  name: ${context}
contexts:
- context:
    cluster: ${context}
    user: ${context}
  name: ${context}
current-context: ${context}
kind: Config
preferences: {}
users:
- name: ${context}
  user:
    auth-provider:
      config:
        cmd-args: config config-helper --format=json
        cmd-path: gcloud
        expiry-key: '{.credential.token_expiry}'
        token-key: '{.credential.access_token}'
      name: gcp
`;
    });

// Create a Kubernetes provider instance that uses our cluster from above
const provider = new k8s.Provider("gkeK8s", {
    kubeconfig: kubeconfig,
});

// Add the Helm chart repository
const vaultRepo = "https://helm.releases.hashicorp.com";

// Install Vault Helm chart
const vaultChart = new k8s.helm.v3.Chart("vault", {
    chart: "vault",
    version: "0.13.0", // specify the version you wish to use
    fetchOpts: {
        repo: vaultRepo,
    },
}, { provider: provider });

// Export the Vault Helm chart status
export const vaultStatus = vaultChart.status;
```

In this program:

- We use the `@pulumi/gcp` package to create a new GKE cluster with `gcp.container.Cluster`.
- The `@pulumi/kubernetes` package is used to interact with Kubernetes, specifically to set up Helm and deploy a Helm chart.
- The `kubeconfig` variable is created to authenticate the Kubernetes provider with your GKE cluster. It uses Pulumi's `pulumi.all` to construct a kubeconfig file from the GKE cluster's data.
- A Kubernetes provider (`k8s.Provider`) is instantiated using the generated kubeconfig, which in turn is used to deploy resources on the Kubernetes cluster.
- We then use `k8s.helm.v3.Chart` to deploy Vault using its Helm chart. Note that the `version` parameter is optional, specifying it here for demonstration purposes. You can change or omit it as needed. Ensure that you're using a valid chart version by checking Vault's [Helm Chart repository](https://helm.releases.hashicorp.com/).

You would run this Pulumi program with the Pulumi CLI. After you set up Pulumi and your GCP credentials, run the following commands in your terminal:

```
pulumi stack init dev
pulumi up
```

This will set up the necessary resources in GCP and deploy the Vault Helm chart onto GKE. After the deployment is complete, Pulumi will output any exported variables, such as `vaultStatus` in this instance. You would use `kubectl` commands to interact with your Vault instance on GKE afterwards. Remember, any interaction with Vault beyond deployment (like initializing and unsealing) should be done following Vault's documentation outside of Pulumi.

When you are done with your deployment and wish to clean up resources, you can run:

```
pulumi destroy
```

This command de-provisions all resources associated with the current stack.