Deploy the quorumkeymanager helm chart on Azure Managed Openshift Service

Question

Pulumi · Accepted Answer

To deploy the Quorum Key Manager helm chart on an Azure Managed OpenShift Service instance using Pulumi, we can follow a two-step process:

Provision an Azure Red Hat OpenShift (ARO) Cluster.
Deploy the Quorum Key Manager helm chart to the provisioned ARO cluster using the kubernetes.helm.v3.Chart resource.

I'll break down the process into a Pulumi TypeScript program below.

First, we will create an instance of OpenShiftCluster, which represents a Managed Azure Red Hat OpenShift cluster. This is part of the azure-native.redhatopenshift package. The cluster will require information such as the resource group it belongs to, location, cluster profile (which specifies the OpenShift version among other things), and profiles for the master and worker nodes, including the VM sizes and number of nodes.

Once the cluster is set up, we'll obtain the necessary configuration to establish a connection to the Kubernetes API server running on the newly-created Azure Red Hat OpenShift cluster.

In the second part of the process, we will use the kubernetes.helm.v3.Chart resource to deploy the Quorum Key Manager helm chart. This resource is a standard way to deploy Helm charts in a Pulumi program and can work with any Kubernetes cluster, including the ARO cluster we created. You will need to provide the values pertinent to the Quorum Key Manager helm chart (like values, repo, chart, version, etc.), which are typically found in the Helm chart documentation or repository.

Here's how it could look in Pulumi TypeScript:

import * as pulumi from "@pulumi/pulumi";
import * as azureNative from "@pulumi/azure-native";
import * as k8s from "@pulumi/kubernetes";

// Step 1: Provision an Azure Red Hat OpenShift (ARO) Cluster
const openshiftCluster = new azureNative.redhatopenshift.OpenShiftCluster("myAroCluster", {
    resourceGroupName: "<resource-group-name>", // replace with actual resource group name
    resourceName: "aroCluster",
    location: "<location>", // replace with the location for your cluster
    clusterProfile: {
        pullSecret: "<pull-secret>", // replace with your pull secret for registering the cluster with Red Hat
        domain: "example-domain", // replace with your domain
        version: "4.6", // specify the version of OpenShift
    },
    masterProfile: {
        vmSize: "Standard_D16s_v3", // choose an appropriate VM size
        subnetId: "<subnet-resource-id>", // replace with the subnet resource id for the master nodes
    },
    workerProfiles: [{
        name: "worker",
        vmSize: "Standard_D16s_v3", // choose an appropriate VM size for worker nodes
        subnetId: "<subnet-resource-id>", // replace with the subnet resource id for the worker nodes
        count: 3, // specify the number of worker nodes
    }],
    // You need to fill in additional mandatory fields as per your requirements
});

// Output cluster credentials after it is created to be used to configure k8s provider
const kubeConfig = pulumi.secret(openshiftCluster.kubeconfig); // Get the kubeconfig from created ARO cluster

// Step 2: Deploy the Quorum Key Manager helm chart on the provisioned ARO cluster using the Kubernetes provider

// Configure the Kubernetes provider with the kubeconfig from the newly created ARO cluster
const k8sProvider = new k8s.Provider("k8sProvider", {
    kubeconfig: kubeConfig,
});

// Deploy Quorum Key Manager using the Helm chart
const quorumKeyManagerChart = new k8s.helm.v3.Chart("quorumKeyManagerChart", {
    repo: "https://consensys.github.io/quorum-key-manager/", // this might change, refer to Quorum Key Manager Helm chart repository
    chart: "quorumkeymanager",
    version: "1.0.0", // specify the version of the Chart you wish to deploy
    // specify any custom values needed for Quorum Key Manager Helm chart
    values: {},
}, { provider: k8sProvider });

// Export the public IP to access Quorum Key Manager (it might be in LoadBalancer service manifest)
export const quorumManagerIp = quorumKeyManagerChart.getResourceProperty("v1/Service", "quorumkeymanager-svc", "status").apply(status => status.loadBalancer.ingress[0].ip);

In this program:

We first declare our OpenShift cluster, defining properties like the cluster profile, master, and worker profiles.
After provisioning the OpenShift cluster, we access the kubeconfig output from the cluster. This kubeconfig is necessary to communicate with the Kubernetes API of the OpenShift cluster and will be used to configure the Kubernetes provider.
Next, we set up the Kubernetes provider using the kubeconfig obtained from the OpenShift cluster, ensuring that following resources are applied within our ARO cluster.
We then use the Chart class from Pulumi’s Kubernetes SDK to deploy the helm chart for Quorum Key Manager.

Make sure to replace placeholder values like <resource-group-name>, <location>, <pull-secret>, and <subnet-resource-id> with actual values based on your Azure and OpenShift setup. These will be used to correctly provision the resources within your cloud environment.

Remember to replace the repo, chart, and version with the actual chart details for Quorum Key Manager, as those may change over time.

Note: The resource QuorumKeyManagerChart expects a running instance of an OpenShift cluster and a properly configured Helm chart repository. The values should be provided based on the actual configuration needed for the Quorum Key Manager.

Lastly, we export the public IP (if available and depending on your service configuration) for the Quorum Key Manager, which can be used to access it from outside the OpenShift cluster. The exact property path to export would depend on the specific configuration of the Quorum Key Manager's Helm chart.