Deploy the kube-oidc-proxy helm chart on Google Kubernetes Engine (GKE)
TypeScriptDeploying a Helm chart on a Google Kubernetes Engine (GKE) cluster involves several steps: creating the GKE cluster, installing and configuring the Helm client, and then deploying the Helm chart. Below, I will walk you through each step using Pulumi in TypeScript.
Step 1: Set up the GKE Cluster
First, you need to set up a GKE cluster where your Helm chart will be deployed. For this purpose, we use the
google-native.container/v1beta1.Cluster
resource. This allows us to create a GKE cluster configured according to our needs.import * as gcp from "@pulumi/gcp"; // Create a GKE cluster. const cluster = new gcp.container.Cluster("my-cluster", { // Specify the desired settings for the cluster here. // For a full list of available options, refer to the Pulumi Documentation: // https://www.pulumi.com/registry/packages/gcp/api-docs/container/cluster/ });
Step 2: Configure kubectl
Once the cluster is provisioned, we need to configure
kubectl
to interact with it. Pulumi provides us with the necessary details to do this once the cluster is created.// After the cluster is created, we can acquire a kubeconfig file that `kubectl` can use. const kubeconfig = pulumi.all([cluster.name, cluster.endpoint, cluster.masterAuth]).apply(([name, endpoint, masterAuth]) => { const context = `${gcp.config.project}_${gcp.config.zone}_${name}`; return `apiVersion: v1 clusters: - cluster: certificate-authority-data: ${masterAuth.clusterCaCertificate} server: https://${endpoint} name: ${context} contexts: - context: cluster: ${context} user: ${context} name: ${context} current-context: ${context} kind: Config preferences: {} users: - name: ${context} user: client-certificate-data: ${masterAuth.clientCertificate} client-key-data: ${masterAuth.clientKey} token: ${masterAuth.token} `; });
Step 3: Deploy the kube-oidc-proxy Helm Chart
For deploying Helm charts, Pulumi provides a resource called
kubernetes.helm.v3.Chart
. This resource can be used to deploy Helm charts into a Kubernetes cluster, specifying the chart name, version, and any configuration values.import * as pulumi from "@pulumi/pulumi"; import * as k8s from "@pulumi/kubernetes"; // We'll use a K8s provider instance that consumes the kubeconfig variable to interact with the cluster. const provider = new k8s.Provider("provider", { kubeconfig: kubeconfig, }); // Deploy the kube-oidc-proxy Helm chart using the K8s provider. const oidcProxy = new k8s.helm.v3.Chart("kube-oidc-proxy", { chart: "kube-oidc-proxy", // Specify the repository that contains the chart, along with any other necessary details. // Values can be set to configure the OIDC proxy, such as details about the OIDC provider. values: { // Provide your configuration values here. }, }, { provider });
Full Pulumi Program
Putting it all together, here is the full Pulumi program for your use case:
import * as pulumi from "@pulumi/pulumi"; import * as gcp from "@pulumi/gcp"; import * as k8s from "@pulumi/kubernetes"; // Create a GKE cluster. const cluster = new gcp.container.Cluster("my-cluster", { // Replace these with appropriate values for your specific requirements. initialNodeCount: 1, nodeConfig: { machineType: "n1-standard-1", oauthScopes: [ "https://www.googleapis.com/auth/compute", "https://www.googleapis.com/auth/devstorage.read_only", "https://www.googleapis.com/auth/logging.write", "https://www.googleapis.com/auth/monitoring" ], }, }); // Export the Cluster name export const clusterName = cluster.name; // Export the Kubeconfig to be used by kubectl and Pulumi's k8s Provider export const kubeconfig = pulumi.all([cluster.name, cluster.endpoint, cluster.masterAuth]).apply(([name, endpoint, masterAuth]) => { const context = `${gcp.config.project}_${gcp.config.zone}_${name}`; return `apiVersion: v1 clusters: - cluster: certificate-authority-data: ${masterAuth.clusterCaCertificate} server: https://${endpoint} name: ${context} contexts: - context: cluster: ${context} user: ${context} name: ${context} current-context: ${context} kind: Config preferences: {} users: - name: ${context} user: client-certificate-data: ${masterAuth.clientCertificate} client-key-data: ${masterAuth.clientKey} token: ${masterAuth.token} `; }); // Create a Kubernetes provider instance that uses our kubeconfig. const provider = new k8s.Provider("provider", { kubeconfig: kubeconfig, }); // Deploy the kube-oidc-proxy Helm chart. const oidcProxy = new k8s.helm.v3.Chart("kube-oidc-proxy", { chart: "kube-oidc-proxy", // Replace with your Helm chart repository and version. fetchOpts: { repo: "https://charts.jetstack.io", // For example purposes; replace with actual chart repo if different. }, // Set the values for the OIDC proxy. values: { // Your OIDC proxy configuration values go here. }, }, { provider }); // Export the OIDC Proxy's Kubernetes service details export const oidcProxyService = oidcProxy.getResource("v1/Service", "kube-oidc-proxy");
How it Works:
-
Cluster Creation: We create a GKE cluster with a specified number of nodes and machine configurations tailored to the requirements of the
kube-oidc-proxy
and your workload. -
Kubeconfig Generation: The generated kubeconfig allows us to connect to the newly created GKE cluster with
kubectl
and is used by Pulumi's Kubernetes provider to deploy resources. -
Helm Chart Deployment: We instantiate a Helm chart resource, pointing it to the
kube-oidc-proxy
chart's location and injecting the necessary configuration values. -
Exporting Outputs: Pulumi exports the kubeconfig and service details so you can interact with the cluster and the OIDC proxy outside of Pulumi as well.
This Pulumi program will provision a GKE cluster and deploy the
kube-oidc-proxy
Helm chart on it. You will need to replace placeholder values with those specific to your OIDC setup such as the configuration for the OIDC provider. Once you have set up your Pulumi account, authenticated with GCP, and installed the Pulumi CLI, you can runpulumi up
to execute this program.-