1. Deploy the harbor-scanner-sysdig-secure helm chart on Azure Kubernetes Service (AKS)

    Deploying a Helm chart on an Azure Kubernetes Service (AKS) cluster involves several steps. Firstly, you need to create an AKS cluster where the Helm chart will be deployed. After the cluster is up and running, you can utilize Pulumi's Kubernetes provider to deploy the Helm chart.

    To facilitate this process, we will be using two primary Pulumi resources from the azure-native and kubernetes packages:

    1. azure-native:containerservice:ManagedCluster to create an AKS cluster.
    2. kubernetes:helm.sh/v3:Chart to deploy the harbor-scanner-sysdig-secure Helm chart.

    Below is a TypeScript program that sets up an AKS cluster and then deploys the harbor-scanner-sysdig-secure Helm chart onto it.

    Before running the program, make sure you've installed Pulumi and set up the Azure CLI with the right permissions. You must be logged in to both Pulumi and Azure CLI on your local machine.

    Here's the TypeScript program:

    ```typescript
    import * as pulumi from "@pulumi/pulumi";
    import * as azure_native from "@pulumi/azure-native";
    import * as k8s from "@pulumi/kubernetes";

    // Create an Azure Resource Group
    const resourceGroup = new azure_native.resources.ResourceGroup("myResourceGroup");

    // Create an AKS cluster
    const cluster = new azure_native.containerservice.ManagedCluster("myAKSCluster", {
        resourceGroupName: resourceGroup.name,
        agentPoolProfiles: [{
            count: 3,
            vmSize: "Standard_DS2_v2",
            name: "agentpool",
            mode: "System",
            osType: "Linux",
        }],
        dnsPrefix: "myakscluster",
        enableRBAC: true,
        // The cluster needs an identity; a system-assigned managed identity
        // avoids creating and storing a service principal secret
        identity: { type: "SystemAssigned" },
        kubernetesVersion: "1.19.7", // Replace with a version AKS currently supports in your region
        sku: {
            name: "Basic",
            tier: "Free",
        },
    });

    // Export the kubeconfig to access the AKS cluster. It carries cluster credentials,
    // so it is wrapped in pulumi.secret() to keep it encrypted in state and masked in CLI output.
    export const kubeconfig = pulumi.secret(
        pulumi.all([cluster.name, resourceGroup.name])
            .apply(([clusterName, rgName]) =>
                azure_native.containerservice.listManagedClusterUserCredentials({
                    resourceName: clusterName,
                    resourceGroupName: rgName,
                }))
            .apply(creds => Buffer.from(creds.kubeconfigs[0].value, "base64").toString()),
    );

    // Create a Kubernetes provider using the AKS cluster's kubeconfig
    const k8sProvider = new k8s.Provider("k8sProvider", {
        kubeconfig: kubeconfig,
    });

    // Deploy harbor-scanner-sysdig-secure Helm chart using the 'kubernetes.helm.v3.Chart' resource
    const helmChart = new k8s.helm.v3.Chart("harbor-scanner-sysdig-secure", {
        chart: "harbor-scanner-sysdig-secure",
        version: "1.0.0", // Replace with the target version of the Helm chart
        fetchOpts: {
            repo: "https://your-helm-chart-repository", // Replace with the Helm chart repository URL
        },
    }, { provider: k8sProvider });

    // Export the Harbor Scanner Sysdig Secure endpoint to access it.
    // The value is undefined unless the chart's Service has been assigned a load balancer IP.
    export const harborScannerEndpoint = helmChart
        .getResourceProperty("v1/Service", "harbor-scanner-sysdig-secure", "status")
        .apply(status => status?.loadBalancer?.ingress?.[0]?.ip);
    ```

    In the above code:

    1. We start by creating a resource group which is a logical container where all resources are deployed.
    2. We define an AKS cluster with a default node pool of VM size Standard_DS2_v2 and set the Kubernetes version.
    3. We export the kubeconfig which is required to communicate with the AKS cluster. This is sensitive data and should be handled securely.
    4. A k8s.Provider is instantiated using the acquired kubeconfig which allows Pulumi to deploy resources on our newly created AKS cluster.
    5. We then define a k8s.helm.v3.Chart which represents the Helm chart that we want to deploy. We specify the Helm chart name, version, and the repository containing the chart. This Helm chart resource utilizes the Kubernetes provider we've created.
    6. Lastly, we export the IP address of the deployed service to be able to access the Harbor Scanner once it's up and running.
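
    Step 3 calls the kubeconfig sensitive. The following added example (not part of the original program) shows which of its fields are the credentials by redacting them before the file is logged or shared. The sample kubeconfig is constructed, the names redactKubeconfig and SENSITIVE_KEYS are chosen here, and the scan assumes the layout kubectl writes, with each user entry starting at "- name:".

    ```typescript
    // Added example, not from the original program. Names below are chosen for this sketch.
    const SENSITIVE_KEYS = ["token", "client-key-data", "password"];

    interface Finding { user: string; key: string; }

    // Line-based scan of the kubeconfig's "users:" section. It assumes the layout
    // kubectl writes (each entry starts with "- name:"); it is not a YAML parser.
    function redactKubeconfig(kubeconfig: string): { text: string; findings: Finding[] } {
      const findings: Finding[] = [];
      let inUsers = false;
      let currentUser = "(unknown)";
      const lines = kubeconfig.split("\n").map(line => {
        // An unindented "key:" line starts a new top-level section.
        const top = /^([A-Za-z-]+):/.exec(line);
        if (top) { inUsers = top[1] === "users"; return line; }
        if (!inUsers) return line;
        const name = /^\s*-?\s*name:\s*(\S+)/.exec(line);
        if (name) { currentUser = name[1]; return line; }
        const kv = /^(\s*(?:-\s*)?)([A-Za-z-]+):\s*(\S.*)$/.exec(line);
        if (kv && SENSITIVE_KEYS.indexOf(kv[2]) !== -1) {
          // Record which user carries a static credential, then mask the value in place.
          findings.push({ user: currentUser, key: kv[2] });
          return kv[1] + kv[2] + ": REDACTED";
        }
        return line;
      });
      return { text: lines.join("\n"), findings };
    }

    // Constructed sample in the shape of an AKS user kubeconfig (all values are fake).
    const SAMPLE_KUBECONFIG = [
      "apiVersion: v1",
      "clusters:",
      "- cluster:",
      "    server: https://example-aks.invalid:443",
      "  name: myAKSCluster",
      "kind: Config",
      "users:",
      "- name: clusterUser_example",
      "  user:",
      "    client-key-data: Q09OU1RSVUNURUQ=",
      "    token: constructed-token-value",
    ].join("\n");

    const redacted = redactKubeconfig(SAMPLE_KUBECONFIG);
    console.log(redacted.findings);
    console.log(redacted.text);
    ```

    A non-empty findings list means the kubeconfig embeds static credentials for that user, so anyone holding the file can act as that user against the cluster.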

    Please replace "https://your-helm-chart-repository" with the actual repository URL of the harbor-scanner-sysdig-secure Helm chart and specify the correct version of the chart you intend to deploy.

    To run the program, save the code to an index.ts file and run the Pulumi CLI command pulumi up to deploy the stack.

    Keep in mind that running this program might incur costs on your Azure account, as it provisions resources that are billed by Azure. Also, make sure you understand and monitor the billing and service quotas/limits that apply to your Azure subscription.