1. Deploy the cyberark-sidecar-injector helm chart on Azure Kubernetes Service (AKS)

    TypeScript

    To deploy the CyberArk Sidecar Injector Helm chart on Azure Kubernetes Service (AKS), we will follow these steps:

    1. Create an AKS cluster.
    2. Configure the Kubernetes provider to interact with the AKS cluster.
    3. Use Helm to install the CyberArk Sidecar Injector chart on the AKS cluster.

    We'll use Pulumi's azure-native provider to provision the AKS cluster and then configure the kubernetes provider to interact with it. After that, we'll use the helm provider to deploy the Helm chart.

    Below is a Pulumi program written in TypeScript that accomplishes these tasks:

        import * as pulumi from "@pulumi/pulumi";
        import * as azure from "@pulumi/azure-native";
        import * as kubernetes from "@pulumi/kubernetes";

        const name = pulumi.getStack();

        // Step 1: Create an Azure Resource Group
        const resourceGroup = new azure.resources.ResourceGroup(`rg-${name}`);

        // Step 2: Create an AKS cluster
        const managedCluster = new azure.containerservice.ManagedCluster(`aks-${name}`, {
            resourceGroupName: resourceGroup.name,
            agentPoolProfiles: [{
                count: 3,
                maxPods: 110,
                mode: "System",
                name: "agentpool",
                osType: "Linux",
                vmSize: "Standard_DS2_v2",
            }],
            dnsPrefix: `${name}-k8s`,
            enableRBAC: true,
            kubernetesVersion: "1.18.14", // must be a version AKS currently offers in your region
            linuxProfile: {
                adminUsername: "testadmin",
                ssh: {
                    publicKeys: [{
                        keyData: "ssh-rsa ...", // replace `...` with your SSH public key
                    }],
                },
            },
            servicePrincipalProfile: {
                // Placeholders: do not commit real credentials in this file
                clientId: "YOUR_SERVICE_PRINCIPAL_CLIENT_ID",
                secret: "YOUR_SERVICE_PRINCIPAL_SECRET",
            },
        });

        // Step 3: Configure kubernetes provider to interact with the AKS cluster
        const creds = pulumi.all([resourceGroup.name, managedCluster.name]).apply(([resourceGroupName, clusterName]) =>
            azure.containerservice.listManagedClusterUserCredentials({
                resourceGroupName,
                resourceName: clusterName,
            }));

        // The kubeconfig is returned base64-encoded and contains cluster credentials,
        // so mark the decoded value as a secret to keep it encrypted in the stack state.
        const kubeconfig = pulumi.secret(
            creds.kubeconfigs[0].value.apply(enc => Buffer.from(enc, "base64").toString()));

        const k8sProvider = new kubernetes.Provider(`k8sprovider-${name}`, {
            kubeconfig: kubeconfig,
        });

        // Step 4: Install the CyberArk Sidecar Injector Helm chart into the AKS cluster
        const sidecarInjectorRelease = new kubernetes.helm.v3.Release(`cyberark-sidecar-${name}`, {
            chart: "cyberark-sidecar-injector",
            version: "1.5.2", // specify the version of the chart to deploy
            repositoryOpts: {
                repo: "https://cyberark.github.io/helm-charts", // Replace with the correct repo if necessary
            },
            namespace: "cyberark",
            createNamespace: true, // the namespace does not exist on a new cluster
        }, { provider: k8sProvider });

        // Step 5: Export the kubeconfig (as a secret stack output)
        export const kubeConfig = kubeconfig;

    Make sure you replace the placeholder for the clientId and secret with the appropriate credentials for your Azure Service Principal. Also, insert your SSH public key where indicated.

    Here's what each part of the script does:

    • Resource Group: A resource group is created as a container that holds related resources for an Azure solution.

    • Managed AKS Cluster: Provisions an AKS cluster with a specified number of nodes, Kubernetes version, and VM size.

    • Kubernetes Provider Configuration: Retrieves the credentials for the created AKS cluster and configures the Kubernetes provider with these credentials.

    • Helm Chart Installation: Installs the specified version of the CyberArk Sidecar Injector Helm chart from the provided chart repository into the AKS cluster. The namespace indicates where the Helm chart will be installed.

    • Kubeconfig Export: Finally, we export the kubeconfig that you can use to interact with your Kubernetes cluster using kubectl or other Kubernetes management tools.

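    Remember to replace the YOUR_SERVICE_PRINCIPAL_CLIENT_ID and YOUR_SERVICE_PRINCIPAL_SECRET placeholders with actual values from your Azure Service Principal. Keep the real secret out of source control; pulumi config set --secret stores a value encrypted in the stack configuration.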

    To run this Pulumi program, you would follow these steps:

    1. Install Pulumi and the required CLI tools for Azure (e.g., Azure CLI).
    2. Install Node.js and configure your environment.
    3. Save this program in a file, for instance main.ts.
    4. Run npm install to install the dependencies.
    5. Run pulumi stack init to create a new Pulumi stack, e.g., dev.
    6. Run pulumi up to execute the Pulumi program and deploy the AKS cluster and Helm chart.

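    After the program has run successfully, the kubeconfig is available as the kubeConfig stack output (pulumi stack output kubeConfig --show-secrets), which you can use to interact with your Kubernetes cluster. Treat it like a credential: it grants access to the cluster.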
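
The exported kubeconfig carries the cluster user's client key and token. As an added example (not part of the original program), this helper decodes the same base64 value and masks those fields so the text can be logged or shared for troubleshooting; `redactKubeconfig`, the key list and the sample kubeconfig are constructed for illustration.

```typescript
// Added example, not from the original page. All names here are hypothetical.
// Keys whose values authenticate to the cluster and must never be logged.
const CREDENTIAL_KEYS = ["token", "client-key-data", "password"];

interface RedactionResult {
  redacted: string;           // kubeconfig text with credential values masked
  credentialFields: string[]; // credential keys found, in order of appearance
}

// Decode the base64 kubeconfig the same way the Pulumi program does, then
// mask every credential-bearing scalar line by line (no YAML library needed).
function redactKubeconfig(encoded: string): RedactionResult {
  const text = Buffer.from(encoded, "base64").toString("utf8");
  const credentialFields: string[] = [];
  const redacted = text
    .split("\n")
    .map((line) => {
      // Matches "  key: value" and "- key: value" mapping entries.
      const m = /^(\s*(?:-\s+)?)([A-Za-z-]+):\s*(\S.*)$/.exec(line);
      if (!m || !CREDENTIAL_KEYS.includes(m[2])) return line;
      credentialFields.push(m[2]);
      return `${m[1]}${m[2]}: REDACTED`;
    })
    .join("\n");
  return { redacted, credentialFields };
}

// Constructed sample shaped like a cluster user kubeconfig; all values are fake.
const sampleKubeconfig = [
  "apiVersion: v1",
  "kind: Config",
  "clusters:",
  "- name: aks-dev",
  "  cluster:",
  "    server: https://aks-dev.example.invalid:443",
  "users:",
  "- name: clusterUser_rg-dev_aks-dev",
  "  user:",
  "    client-certificate-data: RkFLRS1DRVJU",
  "    client-key-data: RkFLRS1LRVk=",
  "    token: fake-token-0123456789",
].join("\n");

const result = redactKubeconfig(Buffer.from(sampleKubeconfig).toString("base64"));
console.log(`credential fields: ${result.credentialFields.join(", ")}`);
console.log(result.redacted);
```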

    For more information on the azure-native resources for AKS, refer to the ManagedCluster documentation; for Helm charts, refer to the Helm Release documentation.