Deploy the grafana-storage helm chart on Opensshift

Question

Pulumi · Accepted Answer

Deploying a Helm chart on OpenShift is quite similar to doing so on a standard Kubernetes cluster, with some OpenShift-specific considerations for security and permissions. The `grafana-storage` Helm chart would be a chart that sets up Grafana, presumably with some persistent storage configured.

To deploy a Helm chart to OpenShift using Pulumi, you first need to set up your Pulumi project to use the Kubernetes provider, which enables you to interact with your Kubernetes and OpenShift clusters. If you don't have a Pulumi project yet, create one with `pulumi new kubernetes-typescript`.

In the below Pulumi program, we will define the deployment using the `Chart` resource from the `@pulumi/kubernetes/helm/v3` package. This package allows us to deploy Helm charts within our Pulumi programs.

Make sure you have the correct context set up in your `~/.kube/config` for OpenShift, as Pulumi relies on it to connect to your cluster.

Here's how you could write a Pulumi program to deploy the `grafana-storage` Helm chart to OpenShift:

```typescript
import * as k8s from "@pulumi/kubernetes";

// Deploy the grafana-storage Helm chart on an Openshift cluster.
// Make sure your Helm repository is added and updated, and that
// you are authenticated with your Openshift cluster.

const grafana = new k8s.helm.v3.Chart("grafana-storage", {
    // Replace with the actual repository that contains the grafana-storage Helm chart, if it's not in the default repo.
    repo: "stable",
    chart: "grafana-storage",
    // Specify the version of the chart you wish to deploy.
    version: "1.0.0",
    // Values allows you to provide a custom values file for your Helm chart to override default settings.
    values: {
        // These values would be specific to the grafana-storage Helm chart you are using.
        // For example, to set a custom admin password and configure persistence:
        adminPassword: "YourAdminPassword",
        persistence: {
            enabled: true,
            storageClassName: "standard", // This should be a storageclass available in your Openshift cluster.
            size: "10Gi", // Adjust the size as needed.
        },
        // OpenShift specific configurations could go here.
    },
    // Namespace where you want to deploy your Grafana instance. Ensure this namespace is created in your OpenShift cluster.
    namespace: "grafana",
    // OpenShift often requires specifying a SecurityContextConstraints object
    // for each pod. Depending on your cluster's configuration, you might need
    // to add custom security context settings for Grafana's pods.
    // This, however, can depend greatly on your specific OpenShift security policies.
    transformations: [
        (obj: any) => {
            if (obj.kind === "Deployment" && obj.metadata.name.startsWith("grafana-storage")) {
                // Adjust the security context, if needed.
                obj.spec.template.spec.securityContext = { runAsUser: 1001 };
            }
        },
    ],
});

// Export the base URL for the Grafana dashboard
export const grafanaUrl = grafana.getResourceProperty("v1/Service", "grafana-storage", "status")
    .apply(status => `http://${status.loadBalancer.ingress[0].hostname}`);
```

To explain, the above program defines a Helm chart resource using Pulumi's Kubernetes package. It specifies the chart name, repository (if it's not in the standard Helm repo), and version to be used. In the `values` object, we're assuming the Helm chart has options to set an admin password and configure persistent storage. We used a placeholder `YourAdminPassword` as the admin password, which should be replaced with a real password.

In the `transformations` option, we have a conditional statement that checks if the Kubernetes object being deployed is part of our Grafana Deployment. If it is, we set the `runAsUser` value in the pod's security context — this is a simplistic example, OpenShift's security constraints can be more complex, and this may need to be tailored to your cluster's requirements.

Lastly, we export `grafanaUrl`, which retrieves the hostname from the LoadBalancer service of your deployed Grafana instance so that you can access the Grafana dashboard. Please note that this assumes the Grafana service is of type LoadBalancer and your OpenShift cluster supports LoadBalancer service — this may not always be the case, so you might need to fetch the correct endpoint based on your service type and cluster configuration.

Keep in mind to replace placeholder values such as `YourAdminPassword`, the `storageClassName`, and any specific Helm chart configuration values with those that are appropriate for your actual use case and OpenShift environment.

To run this program:

1. Save it as `index.ts` in the root of your Pulumi project.
2. Run `pulumi up` to preview and deploy the changes.

Remember to have the OpenShift CLI `oc` installed and configured with the cluster where you wish to deploy Grafana.