Deploy the secrets-store-csi-driver-provider-aws helm chart on Azure Managed Openshift Service

Question

Pulumi · Accepted Answer

To achieve the deployment of the `secrets-store-csi-driver-provider-aws` Helm chart on Azure Managed OpenShift Service (ARO), you will need a combination of cloud resources and services. Pulumi provides a way to script the deployment in a repeatable and clear manner. Here's a step-by-step guide on how you could set this up using TypeScript, followed by the corresponding Pulumi program.

Before beginning, ensure that you have access to an Azure subscription and have the appropriate permissions to manage resources within it. Also, make sure you have the Pulumi CLI installed and configured to connect to your Azure account.

1. **Setting Up Authentication**: You must be authenticated to deploy resources to Azure. Configure your Azure CLI with your credentials.

2. **Create a New Project**: Start by creating a new Pulumi project for your TypeScript program.

3. **Define Configuration**: Define the configuration for your OpenShift cluster and the Helm chart.

4. **Create Azure Managed OpenShift Service**: Use the `azure-native` package to create an Azure Managed OpenShift cluster if you don't have one already.

5. **Install Helm Chart**: After your OpenShift cluster is up and running, you will install the Helm chart onto your cluster, which in this case is the `secrets-store-csi-driver-provider-aws`.

Unfortunately, Pulumi does not currently have a dedicated resource for deploying Helm charts on Azure Managed OpenShift Service directly. So, you would typically use the `kubernetes` provider along with the `helm.v3.Chart` resource to deploy the Helm chart on the existing cluster.

Here is the Pulumi TypeScript program which outlines these steps:

```typescript
import * as pulumi from '@pulumi/pulumi';
import * as azure_native from '@pulumi/azure-native';
import * as k8s from '@pulumi/kubernetes';

// Initialize the Pulumi program with your preferred settings.
const projectName = 'myAroProject';
const stackName = 'dev';

// Initialize Pulumi project and stack names.
const project = new pulumi.Project(projectName);
const stack = project.newStack(stackName);

// Configuration variables for the OpenShift cluster.
const resourceGroupConfig = {
  resourceGroupName: 'myResourceGroup',  // Customize the name accordingly
  location: 'EastUS', // Customize the location accordingly
};

// Define the resources for your Azure Managed OpenShift (ARO) cluster.
const resourceGroup = new azure_native.resources.ResourceGroup(resourceGroupConfig);

const cluster = new azure_native.redhatopenshift.OpenShiftCluster('myAroCluster', {
  resourceGroupName: resourceGroup.name,
  resourceName: 'myOpenShiftCluster',
  // Add necessary configuration specific to your setup.
  // This can include cluster size, location, tags, network profiles, etc.
  location: resourceGroupConfig.location,
  // For the sake of brevity, many of the required properties are omitted.
});

// Await the creation of the OpenShift cluster before proceeding to install the Helm chart.
cluster.ready().then(() => {
  // Connect to the Kubernetes cluster created by ARO.
  const k8sProvider = new k8s.Provider('k8sProvider', {
    kubeconfig: cluster.kubeConfig.raw,
  });

// Define the Helm chart resource that needs to be deployed.
  const helmChart = new k8s.helm.v3.Chart('awsSecretsCsiDriver', {
    chart: 'secrets-store-csi-driver-provider-aws',
    version: '0.1.0', // Specify the correct chart version
    fetchOpts:{
      repo: 'https://YourChartRepositoryURL', // Specify the Helm repository URL
    },
    // Pass any required values to the Helm chart here
  }, { provider: k8sProvider });

// Exports
  export const aroClusterName = cluster.name;
  export const aroClusterKubeConfig = cluster.kubeConfig;
});
```

This Pulumi program does the following:
- Configures Azure resources using the `azure-native` package.
- Creates a resource group to contain the OpenShift cluster.
- Creates the actual OpenShift cluster with necessary settings which may need customization such as size, location, network profiles, etc.
- Utilizes the `kubeconfig` output of the ARO cluster to create a `kubernetes` provider instance.
- Finally, the program attempts to install the `secrets-store-csi-driver-provider-aws` Helm chart to the ARO cluster using the `kubernetes` provider and the `helm.v3.Chart` resource.

Remember to:
- Replace chart version and Helm repository URL with actual values.
- Fill in the required properties for your ARO cluster that have been omitted here for brevity.

To run this program, you will save it to a `index.ts` file within your Pulumi project and use the `pulumi up` command to create and apply the resources.

Keep in mind that integrating AWS Secrets Manager with Azure OpenShift might involve additional configuration steps, including setting up the correct IAM roles and policies on the AWS side, as well as managing the appropriate access controls within Azure OpenShift.

Always refer to the latest documentation for each service to ensure compatibility and correct configuration:

- [Pulumi Azure Native](https://www.pulumi.com/docs/reference/pkg/azure-native/)
- [Pulumi Kubernetes Provider](https://www.pulumi.com/docs/reference/pkg/kubernetes/)
- [Helm Charts in Pulumi](https://www.pulumi.com/docs/guides/crosswalk/kubernetes/helm/)