Deploy the tiller helm chart on Azure Kubernetes Service (AKS)
TypeScriptTo deploy the Tiller Helm chart on Azure Kubernetes Service (AKS), you will need to complete several steps. Tiller is the server-side component of Helm v2, so we will first provision an AKS cluster, then configure the necessary permissions for Tiller, and finally, deploy Tiller using the Helm chart.
Below is a Pulumi program in TypeScript that illustrates these steps:
- Provision an AKS cluster using the
azure-nativeprovider. - Define a Kubernetes ServiceAccount and a ClusterRoleBinding for Tiller to grant it the necessary permissions.
- Install Tiller on AKS using the Helm v2 chart.
First, let's install the Pulumi Azure Native package and the Kubernetes package using npm or yarn. Open your terminal in the directory where you want your Pulumi program to reside and run:
npm install @pulumi/azure-native @pulumi/kubernetesNow let's write the Pulumi program:
import * as azure from "@pulumi/azure-native"; import * as pulumi from "@pulumi/pulumi"; import * as k8s from "@pulumi/kubernetes"; const name = "my-aks-cluster"; // Create an AKS cluster const cluster = new azure.containerservice.ManagedCluster(name, { resourceGroupName: "myResourceGroup", // Define your AKS cluster properties }); const creds = pulumi.output(azure.containerservice.listManagedClusterUserCredentials({ resourceGroupName: "myResourceGroup", resourceName: name, })); const kubeconfig = creds.apply(c => { const encoded = c.kubeconfigs[0].value; return Buffer.from(encoded, "base64").toString(); }); // Kubernetes provider to interact with the AKS cluster const k8sProvider = new k8s.Provider("k8s-provider", { kubeconfig: kubeconfig, }); // Create a ServiceAccount for Tiller const serviceAccount = new k8s.core.v1.ServiceAccount("tillersa", { metadata: { name: "tiller", }, }, { provider: k8sProvider }); // Create a ClusterRoleBinding for Tiller const clusterAdminBinding = new k8s.rbac.v1.ClusterRoleBinding("tiller-crb", { metadata: { name: "tiller", }, roleRef: { apiGroup: "rbac.authorization.k8s.io", kind: "ClusterRole", name: "cluster-admin", }, subjects: [{ kind: "ServiceAccount", name: serviceAccount.metadata.name, namespace: "kube-system", }], }, { provider: k8sProvider }); // Deploy Tiller using Helm v2 const tiller = new k8s.helm.v2.Chart("tiller", { chart: "tiller", namespace: "kube-system", values: { serviceAccount: { create: false, name: "tiller" }, rbac: { create: false }, }, }, { provider: k8sProvider }); // Export the kubeconfig to access the AKS cluster export const kubeconfigOutput = kubeconfig;Here's an explanation of the code:
- We start by importing the necessary modules.
- We define an AKS cluster with a specified resource group name and various properties like the region, node count, and VM size.
- After the cluster is created, we extract the Kubernetes configuration from the output of the AKS cluster. This
kubeconfigis used to configure the Kubernetes provider to interact with our AKS cluster. - We create a Kubernetes
ServiceAccountfor Tiller in thekube-systemnamespace. - We bind the Tiller service account to the
cluster-adminrole to ensure it has sufficient permissions to deploy applications on the cluster. This is done via aClusterRoleBinding. - We use the Helm v2 chart to deploy Tiller. Notice we are telling it to use the service account we created and to skip RBAC as we've already set it up.
- Finally, we export the
kubeconfigso you can interact with your Kubernetes cluster usingkubectl.
Please remember to update
myResourceGroupto the name of your Azure resource group, and also tweak other resource properties according to your requirements.After setting up your Pulumi program, you can deploy your AKS cluster and Tiller by running:
pulumi upThis command will show you a preview of the resources Pulumi will create on your behalf. If you're happy with the plan, select
yesto execute it.Remember to handle your kubeconfig carefully since it provides cluster administrator access to your AKS cluster.
- Provision an AKS cluster using the