Deploy the jaeger-cert-manager helm chart on Google Kubernetes Engine (GKE)

Question

Pulumi · Accepted Answer

To deploy the Jaeger Helm chart with the `cert-manager` for SSL certificates on Google Kubernetes Engine (GKE), you'll need to follow these steps:

1. Set up a GKE cluster.
2. Install `cert-manager` Helm chart which is a prerequisite for automatically managing certificates.
3. Deploy the Jaeger Helm chart with the appropriate configuration to use `cert-manager`.

Below is a Pulumi program written in TypeScript that demonstrates how to accomplish these steps.

### Pulumi Program Explanation

Before writing the Pulumi code, ensure you have set up:

- Pulumi CLI and account: Make sure that you have Pulumi CLI installed and have an account set up. Log in via the CLI to your Pulumi account.
- Google Cloud SDK: Install and configure the `gcloud` tool with the credentials necessary for Pulumi to access your GKE resources.

The following Pulumi program defines:

- A new GKE cluster resource.
- A Kubernetes provider that uses the created GKE cluster's kubeconfig.
- The `cert-manager` Helm chart installation into the GKE cluster.
- The Jaeger Helm chart installation with a reference to `cert-manager` for certificates.

#### Google Kubernetes Engine (GKE) Cluster Creation

The program begins by creating a new GKE cluster using the `google-native.container/v1beta1.Cluster` resource. This will set up a Kubernetes cluster in GCP.

#### Kubernetes Provider Configuration

The Kubernetes provider allows Pulumi to deploy resources to the GKE cluster. The provider needs the kubeconfig generated from the newly created GKE cluster to interact with it.

#### Cert-Manager Helm Chart Installation

After setting up the GKE cluster and Kubernetes provider, `cert-manager` is installed using the `kubernetes-cert-manager.CertManager` Helm chart. This sets up the certificate management on the cluster that Jaeger requires to operate with TLS.

#### Jaeger Helm Chart Deployment

Finally, the Jaeger Helm chart is deployed using the `harness.service.Helm` Helm chart. The configuration for the chart should specify that `cert-manager` is used to manage its certificates.

Let's go ahead and see the code for these steps:

```typescript
import * as pulumi from '@pulumi/pulumi';
import * as gcp from '@pulumi/gcp';
import * as k8s from '@pulumi/kubernetes';

// Step 1: Create a GKE cluster
const cluster = new gcp.container.Cluster("gke-cluster", {
    initialNodeCount: 2,
    minMasterVersion: "latest",
    nodeVersion: "latest",
    nodeConfig: {
        machineType: "n1-standard-1",
        oauthScopes: [
            "https://www.googleapis.com/auth/compute",
            "https://www.googleapis.com/auth/devstorage.read_only",
            "https://www.googleapis.com/auth/logging.write",
            "https://www.googleapis.com/auth/monitoring"
        ],
    },
});

// Export the cluster's kubeconfig
export const kubeconfig = pulumi.all([cluster.name, cluster.endpoint, cluster.masterAuth]).apply(
    ([name, endpoint, masterAuth]) => {
        const context = `${gcp.config.project}_${gcp.config.zone}_${name}`;
        return `apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: ${masterAuth.clusterCaCertificate}
    server: https://${endpoint}
  name: ${context}
contexts:
- context:
    cluster: ${context}
    user: ${context}
  name: ${context}
current-context: ${context}
kind: Config
preferences: {}
users:
- name: ${context}
  user:
    auth-provider:
      config:
        cmd-args: config config-helper --format=json
        cmd-path: gcloud
        expiry-key: '{.credential.token_expiry}'
        token-key: '{.credential.access_token}'
      name: gcp
`;
    }
);

// Step 2: Create a Kubernetes Provider instance using the GKE cluster's kubeconfig
const k8sProvider = new k8s.Provider("k8s-provider", {
    kubeconfig: kubeconfig,
});

// Step 3: Install the 'cert-manager' helm chart
const certManagerChart = new k8s.helm.v3.Chart("cert-manager", {
    chart: "cert-manager",
    version: "v1.4.0",
    namespace: "cert-manager",
    fetchOpts:{
        repo: "https://charts.jetstack.io",
    },
}, { provider: k8sProvider });

// Ensure the 'cert-manager' services are running before deploying Jaeger helm chart
const certManagerDeployment = certManagerChart.getResource("v1/Service", "cert-manager",
    "cert-manager-webhook");

// Step 4: Deploy the Jaeger helm chart configured to use 'cert-manager' for SSL
const jaegerChart = new k8s.helm.v3.Chart("jaeger", {
    chart: "jaeger",
    version: "2.19.0",
    namespace: "monitoring",
    fetchOpts: {
        repo: "https://jaegertracing.github.io/helm-charts",
    },
    values: {
        // You should configure these values according to your Jaeger setup requirements
        // and make sure to annotate Jaeger's components with the appropriate cert-manager annotations.
    },
    // Make sure Jaeger is installed after cert-manager
}, { provider: k8sProvider, dependsOn: certManagerDeployment });

// Export the Jaeger service URL, once available
export const jaegerUrl = jaegerChart
    .getResourceProperty("v1/Service", "monitoring", "jaeger-agent")
    .apply(svc => svc.status.loadBalancer.ingress[0].hostname);
```

Here are the explanations for some of the components:

- `fetchOpts.repo` specifies the Helm repository where the chart is located.
- `values` in the Helm chart declarations are where you configure the chart with the appropriate values for your setup. For Jaeger, make sure to include the necessary annotations or values for `cert-manager` to generate and manage the SSL certificates.

### Execution

To execute this Pulumi program, you need to:

1. Save this code into a file with a `.ts` extension (for example, `deploy-jaeger-gke.ts`).
2. Run `pulumi up` command in your terminal — this command will provision all the resources specified in the program.
3. After successful completion, Pulumi will output any exported values, such as the Jaeger service URL.

Make sure you review the changes before selecting 'yes' to apply them since this will incur in Google Cloud Platform costs.

### Post-Deployment

Once the deployment finishes, you will need to configure your DNS or ingress controller to properly route traffic to the Jaeger service. The exported `jaegerUrl` is the address you will use for these configurations or for direct access.

Always remember to check the Helm chart documentations for `cert-manager` and Jaeger to ensure you have the most suitable configuration for your needs.

This Pulumi program should give you a foundational setup for Jaeger on GKE with SSL certificates managed by `cert-manager`.