Deploy the selfsigned-cert-manager helm chart on AWS EKS

Question

Pulumi · Accepted Answer

To deploy the `selfsigned-cert-manager` Helm chart on AWS Elastic Kubernetes Service (EKS), we'll go through the following steps:

1. Set up an EKS cluster: Before deploying any application, we need to have an EKS cluster running.
2. Create the necessary IAM roles: EKS requires specific IAM roles for cluster operation and for nodes to join the cluster.
3. Configure the EKS cluster: This includes configuring the Kubernetes version, subnets, and security groups.
4. Deploy the `selfsigned-cert-manager` using Helm: Finally, we'll deploy the `selfsigned-cert-manager` using the Helm package manager in Kubernetes.

We'll be utilizing Pulumi's EKS package to create the cluster and the Kubernetes package to deploy the Helm chart. The `eks.Cluster` resource from the Pulumi EKS package makes it simple to create and manage an EKS cluster. The `kubernetes.helm.v3.Chart` resource from the Kubernetes package makes it easy to install Helm charts.

Below is a Pulumi program written in TypeScript that carries out these tasks:

```typescript
import * as eks from '@pulumi/eks';
import * as aws from '@pulumi/aws';
import * as iam from '@pulumi/aws-iam';
import * as pulumi from '@pulumi/pulumi';
import * as k8s from '@pulumi/kubernetes';

// Step 1: Create an EKS cluster
const vpc = new aws.ec2.Vpc("vpc", { cidrBlock: "10.100.0.0/16" });

const subnet = new aws.ec2.Subnet("subnet", {
    vpcId: vpc.id,
    cidrBlock: "10.100.1.0/24",
    availabilityZone: "us-west-2a"
});

const cluster = new eks.Cluster("eks-cluster", {
    vpcId: vpc.id,
    subnetIds: [subnet.id],
    instanceType: "t2.medium",
    desiredCapacity: 2,
    minSize: 1,
    maxSize: 2,
});

// Step 2: Export the cluster's kubeconfig
export const kubeconfig = cluster.kubeconfig;

// Step 3: Create a new Kubernetes provider instance that uses our EKS kubeconfig
const provider = new k8s.Provider("provider", {
    kubeconfig: kubeconfig,
});

// Step 4: Deploy the selfsigned-cert-manager Helm chart using Pulumi's Helm support
const certManagerChart = new k8s.helm.v3.Chart("selfsigned-cert-manager", {
    repo: "jetstack",
    chart: "cert-manager",
    version: "1.0.4",
    // We can provide chart values in this `values` property.
    values: {
        installCRDs: true,
        ingressShim: {
            defaultIssuerName: "selfsigned",
            defaultIssuerKind: "ClusterIssuer"
        }
    },
}, { provider });

// Export the cluster's name and kubeconfig
export const clusterName = cluster.eksCluster.name;
```

### Explanation:

- We first create a new VPC and a subnet to place our EKS cluster in. EKS can also be configured to work with an existing VPC.
- We create a managed EKS cluster with the `eks.Cluster` class, specifying the VPC, subnets, and desired instance types and sizes for our worker nodes.
- We then export the `kubeconfig` generated by Pulumi for our cluster. This `kubeconfig` is necessary to interact with the cluster using `kubectl` and other Kubernetes tools.
- We set up a new Kubernetes provider instance to interact with our newly created EKS cluster.
- We then deploy the `selfsigned-cert-manager` Helm chart to our EKS cluster. We specify that it should install `CRDs` and configure an issuer named `selfsigned`.

This will set up `cert-manager` in your EKS cluster and configure it to use a self-signed issuer, which can issue self-signed SSL certificates for your applications. Please ensure that you have Helm's `jetstack` repository added to your Helm configuration to access the `cert-manager` chart.

Remember that to run this code, you'll need Pulumi installed, AWS credentials configured, and kubectl installed if you want to directly interact with your cluster. To run the Pulumi program, you'd save it in a file (e.g., `index.ts`), run `pulumi up`, and then approve the preview if it looks correct. Pulumi will then create the resources in AWS for you.