1. Deploy the cloudflare-tunnel-ingress-controller helm chart on Azure Kubernetes Service (AKS)

    TypeScript

    Deploying a Helm chart onto an Azure Kubernetes Service (AKS) cluster involves a few steps. First, you will need to create the AKS cluster itself, and then you'll need to configure your Pulumi program to deploy the Helm chart to the cluster. Below, I outline these steps and provide you with a comprehensive Pulumi program that achieves this deployment.

    1. Creating the AKS Cluster: We'll start by defining an AKS cluster using the azure-native package. This cluster will be our Kubernetes environment where the Cloudflare tunnel ingress controller will run.

    2. Configuring the Kubernetes Provider: Once we have an AKS cluster, we also need to configure a Kubernetes provider to interact with it. Pulumi allows us to fetch the kubeconfig from the created AKS cluster and use it to configure our Kubernetes provider.

    3. Deploying the Helm Chart: Finally, we use the Kubernetes provider to deploy the Cloudflare Tunnel Ingress Controller Helm chart. Since Pulumi supports Helm natively, this step is straightforward and involves specifying the chart and its settings.

    The following TypeScript program illustrates how to achieve this deployment:

        import * as pulumi from '@pulumi/pulumi';
        import * as azure_native from '@pulumi/azure-native';
        import * as k8s from '@pulumi/kubernetes';

        // Step 1: Define the AKS cluster
        const resourceGroup = new azure_native.resources.ResourceGroup("resourceGroup");

        // Create the AD service principal for the K8s cluster.
        // Note: @pulumi/azure-native has no graphrbac module; Azure AD applications and
        // service principals are provided by the separate @pulumi/azuread package.
        const adApp = new azure_native.graphrbac.Application("adApp", {
            displayName: "aks",
        });
        const adSp = new azure_native.graphrbac.ServicePrincipal("adSp", {
            appId: adApp.applicationId,
        });
        const adSpPassword = new azure_native.graphrbac.ServicePrincipalPassword("adSpPassword", {
            servicePrincipalId: adSp.id,
            // Read from the environment so the secret never appears in source.
            value: process.env.AZURE_PASSWORD,
            endDate: "2099-01-01T00:00:00Z",
        });

        // Now let's create an AKS cluster.
        const aksCluster = new azure_native.containerservice.ManagedCluster("aksCluster", {
            resourceGroupName: resourceGroup.name,
            // SSH public key for the node admin user, read from the environment.
            linuxProfile: {
                adminUsername: "adminuser",
                ssh: {
                    publicKeys: [{
                        keyData: process.env.SSH_PUBLIC_KEY,
                    }],
                },
            },
            // The AD application we just created.
            servicePrincipalProfile: {
                clientId: adApp.applicationId,
                secret: adSpPassword.value,
            },
            // Use the default node pool of the cluster.
            agentPoolProfiles: [{
                name: "aksagentpool",
                count: 1,
                vmSize: azure_native.containerservice.ContainerServiceVMSizeTypes.Standard_DS2_v2,
            }],
            dnsPrefix: `${pulumi.getStack()}-kube`,
        });

        // Export the kubeconfig for the cluster. It carries cluster credentials, so it is
        // wrapped in pulumi.secret() to keep it encrypted in state and masked in CLI output.
        export const kubeconfig = pulumi.secret(
            pulumi.all([aksCluster.name, resourceGroup.name]).apply(([clusterName, rgName]) => {
                return azure_native.containerservice.listManagedClusterUserCredentials({
                    resourceGroupName: rgName,
                    resourceName: clusterName,
                }).then(creds => Buffer.from(creds.kubeconfigs[0].value, 'base64').toString());
            }),
        );

        // Step 2: Set up the Kubernetes provider with the kubeconfig from our cluster.
        const provider = new k8s.Provider("k8s-provider", {
            kubeconfig,
        });

        // Step 3: Deploy the Cloudflare Tunnel Ingress Controller using a Helm chart.
        const cloudflareIngressControllerChart = new k8s.helm.v3.Chart("cloudflare-tunnel-ingress", {
            chart: "cloudflare-tunnel-ingress-controller",
            // Replace 'repo_url' with the correct repository containing the Helm chart.
            repo: "repo_url",
            // You may need to specify additional configuration for your Helm chart here.
            values: {
                // Add any chart-specific values here.
            },
        }, { provider });

        // To be able to access the deployed Helm release, you might need to export endpoints or other resources.
        export const ingressEndpoint = cloudflareIngressControllerChart.getResourceProperty(
            "v1/Service",
            "cloudflare-tunnel-ingress-controller",
            "status",
        );

    In the code above, process.env.AZURE_PASSWORD must supply the actual password and process.env.SSH_PUBLIC_KEY the actual SSH public key. These values should be safely stored and accessed. For security reasons, avoid putting passwords or secrets directly in your code.
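
    The program passes process.env.AZURE_PASSWORD and process.env.SSH_PUBLIC_KEY straight into resource arguments without checking them. The following added example (not part of the original program; the helper names and the 16-character minimum are assumptions) validates both inputs first, including that the key type named on the line matches the one encoded in the key blob.

```typescript
// Added example, not from the original page: preflight check for the two
// environment inputs the program reads. Helper names and the 16-character
// minimum are assumptions, not Pulumi or Azure rules.
type Env = Record<string, string | undefined>;

// An OpenSSH public key blob starts with the algorithm name, stored as a
// 4-byte big-endian length followed by that many ASCII bytes.
function blobKeyType(b64: string): string | null {
    let raw = "";
    try { raw = atob(b64); } catch { return null; } // not valid base64
    if (raw.length < 4) return null;
    const len = ((raw.charCodeAt(0) << 24) | (raw.charCodeAt(1) << 16) |
                 (raw.charCodeAt(2) << 8) | raw.charCodeAt(3)) >>> 0;
    if (len === 0 || len > 64 || raw.length < 4 + len) return null;
    return raw.slice(4, 4 + len);
}

function checkSshPublicKey(value: string | undefined): string[] {
    if (!value || value.trim() === "") return ["SSH_PUBLIC_KEY is not set"];
    if (value.includes("PRIVATE KEY")) return ["SSH_PUBLIC_KEY contains a private key"];
    const [declared, blob] = value.trim().split(/\s+/);
    if (!blob) return ["SSH_PUBLIC_KEY is not in '<type> <base64> [comment]' form"];
    const embedded = blobKeyType(blob);
    if (embedded === null) return ["SSH_PUBLIC_KEY blob is not a valid key encoding"];
    if (embedded !== declared) {
        return [`SSH_PUBLIC_KEY type mismatch: ${declared} vs ${embedded}`];
    }
    return [];
}

function checkPassword(value: string | undefined): string[] {
    if (!value) return ["AZURE_PASSWORD is not set"];
    if (value.length < 16) return ["AZURE_PASSWORD is shorter than 16 characters"];
    return [];
}

// Returns every problem found; an empty array means both inputs passed.
function preflight(env: Env): string[] {
    return [...checkPassword(env.AZURE_PASSWORD), ...checkSshPublicKey(env.SSH_PUBLIC_KEY)];
}

// Constructed sample: a structurally valid ssh-ed25519 line with an all-zero key body.
function sampleKeyLine(): string {
    const u32 = (n: number) => String.fromCharCode(0, 0, 0, n);
    const type = "ssh-ed25519";
    return `${type} ${btoa(u32(type.length) + type + u32(32) + "\0".repeat(32))} demo@example`;
}
```

    Calling preflight(process.env) at the top of the Pulumi program and throwing when the result is non-empty makes the run fail before any resource is declared.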

    Before running this code, ensure you have Pulumi installed and configured with the appropriate Azure credentials.

    This program does the following:

    • Sets up a new resource group.
    • Creates an AD application and service principal that the AKS cluster will use for interactions with other Azure services.
    • Creates a new AKS cluster with a default node pool.
    • Obtains the kubeconfig from the newly created AKS cluster.
    • Establishes the Kubernetes provider using the kubeconfig.
    • Deploys the Helm chart for the Cloudflare Tunnel Ingress Controller to the AKS cluster.

    Keep in mind that if the Helm chart is not available in a public repository, you might have to add its repository to your Helm configuration first, or specify the chart's .tgz URL directly.

    To run the Pulumi program, execute pulumi up in the same directory as the program. This starts the deployment, which you can monitor from the command line. After the deployment succeeds, the output will include any exported endpoints or other important information.