Deploy the openunison-kiali helm chart on AWS EKS

Question

Pulumi · Accepted Answer

To deploy the openunison-kiali Helm chart on AWS EKS, we will follow these steps:

1. Set up an EKS Cluster: We will use the `aws.eks.Cluster` resource to provision a managed Kubernetes cluster on AWS.
2. Create an IAM Role for EKS: This step uses the `aws-iam.EKSRole` resource to create the necessary AWS IAM role with permissions for EKS to manage resources on behalf of your Kubernetes workloads.
3. Deploy the Helm Chart: Once the Kubernetes cluster is up and running, we will use the `kubernetes.helm.sh/v3.Chart` resource to deploy the openunison-kiali Helm chart into our EKS cluster.

Let's write the Pulumi program in TypeScript to accomplish this:

```typescript
import * as pulumi from '@pulumi/pulumi';
import * as aws from '@pulumi/aws';
import * as eks from '@pulumi/eks';
import * as k8s from '@pulumi/kubernetes';

// Step 1: Create an EKS Cluster.
// This will set up an EKS cluster with the default configuration.
const cluster = new eks.Cluster('my-cluster',{
    // Define other required fields, like vpcId and subnetIds if you're not using the default VPC.
});

// Step 2: Create an IAM Role for EKS.
// This IAM role is the `Role` that nodes will assume for AWS permissions.
const eksRole = new aws.iam.Role('eksRole', {
    assumeRolePolicy: aws.iam.assumeRolePolicyForPrincipal({
        Service: "eks.amazonaws.com",
    }),
});

// Step 3: Define a role policy attachment for the Amazon EKS worker node policy.
new aws.iam.RolePolicyAttachment('eksWorkerNodePolicyAttachment', {
    policyArn: 'arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy',
    role: eksRole.name,
});

// Define a role policy attachment for the Amazon EKS CNI policy.
new aws.iam.RolePolicyAttachment('eksCniPolicyAttachment', {
    policyArn: 'arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy',
    role: eksRole.name,
});

// Define a role policy attachment for the Amazon EC2 Container Registry ReadOnly policy.
new aws.iam.RolePolicyAttachment('eksEcrReadOnlyPolicyAttachment', {
    policyArn: 'arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly',
    role: eksRole.name,
});

// Deploy the openunison-kiali Helm chat into the EKS cluster.
// Step 4: Create a Kubernetes provider instance that uses our EKS cluster's kubeconfig.
const k8sProvider = new k8s.Provider('k8s', {
    kubeconfig: cluster.kubeconfig.apply(JSON.stringify),
});

// Step 5: Deploy the openunison-kiali Helm chart.
const chart = new k8s.helm.v3.Chart('openunison-kiali', {
    chart: 'openunison-kiali',
    // Specify the Helm repository here if it's not stable.
    fetchOpts: { repo: 'https://helm-repo-url/' },
    // If needed, you can specify values for the Helm chart.
    values: { /* ... */ },
}, { provider: k8sProvider });

// Exports
export const kubeconfig = cluster.kubeconfig;
export const kialiConsoleUrl = pulumi.interpolate`http://${chart.getResourceProperty("v1/Service", "openunison-kiali", "status")}.loadBalancer.ingress[0].hostname`;
```

Explanation:

- **Step 1:** We create an EKS cluster with default settings. You can customize this by providing specific VPC and subnet IDs if necessary. The `eks.Cluster` resource abstracts much of the complexity in deploying an EKS cluster. [EKS Cluster Docs](https://www.pulumi.com/registry/packages/aws/api-docs/eks/cluster/)

- **Step 2:** AWS IAM roles are critical for security in AWS. Here, we set up a role that EKS will use when creating infrastructure.

- **Step 3:** Role policy attachments connect our IAM role to policies that grant the necessary permissions for EKS. Policies like `AmazonEKSWorkerNodePolicy`, `AmazonEKS_CNI_Policy`, and `AmazonEC2ContainerRegistryReadOnly` are typical for EKS clusters.

- **Step 4 and Step 5:** We deploy the openunison-kiali Helm chart into the cluster using Pulumi's Kubernetes provider, which interfaces with the cluster's kubeconfig. The `k8s.helm.v3