Deploy the neuvector-core helm chart on Azure Managed Openshift Service

Question

Pulumi · Accepted Answer

To deploy the neuvector-core helm chart on an Azure Managed OpenShift Service, you need to complete a few steps.

First, you would set up an Azure Managed OpenShift cluster using `azure-native.containerservice.OpenShiftManagedCluster`. This will provide you with a Kubernetes-compliant environment managed by Microsoft on Azure.

Secondly, you will deploy the Helm chart to the OpenShift Cluster. For this, you use `kubernetes.helm.sh/v3.Chart`, a Pulumi resource that allows you to deploy Helm charts on a Kubernetes cluster.

Here's a step-by-step guide in TypeScript, provided as a Pulumi program:

```typescript
import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure-native";
import * as k8s from "@pulumi/kubernetes";

// Create an Azure Resource Group
const resourceGroup = new azure.resources.ResourceGroup("resourceGroup", {
    // You can specify additional properties here as needed
});

// Assuming the managed OpenShift cluster is already created and available
// Fetch the cluster's kubeconfig for connecting to its Kubernetes API server
const cluster = azure.containerservice.getOpenShiftManagedCluster({
    resourceName: "myOpenShiftCluster", // Change to your cluster's name
    resourceGroupName: resourceGroup.name,
});

// Instantiate a Kubernetes provider with the OpenShift cluster's kubeconfig
const k8sProvider = new k8s.Provider("openshiftK8s", {
    kubeconfig: cluster.kubeConfigRaw,
});

// Deploy the neuvector-core Helm chart
const neuvectorChart = new k8s.helm.v3.Chart("neuvector-core", {
    chart: "neuvector-core",
    // Make sure to add the repository where neuvector-core chart is located
    fetchOpts: {
        repo: "https://helm-chart-repository-where-neuvector-is-hosted/", // Replace with the correct repository URL
    },
    // Declare any custom values you want to override in the chart
    values: {
        // These values would be specific to neuvector-core chart and their override semantics
    },
}, { provider: k8sProvider }); // Ensure to pass the OpenShift Kubernetes provider

// Export the frontend endpoint of NeuVector if applicable
export const frontendEndpoint = neuvectorChart.getResourceProperty("v1/Service", "neuvector-core-frontend", "status");
```

In the above code:

- We create a new Azure Resource Group as a container that holds related resources for an Azure solution.
- We assume that a Managed OpenShift cluster is already available. We then retrieve the cluster's information to get its `kubeConfig`.
- We create a Pulumi Kubernetes provider instance that leverages OpenShift's `kubeConfig` to interact with the Kubernetes API server running on Azure.
- We deploy the `neuvector-core` Helm chart to the existing OpenShift cluster using Pulumi's Kubernetes (`@pulumi/kubernetes`) library. The `chart` field specifies the name of the chart, and `fetchOpts.repo` is where the chart can be downloaded. This would need to be replaced with the actual repository URL hosting the `neuvector-core` chart.

If you need to set up the Managed OpenShift cluster from scratch instead of using an existing one, you would add additional Pulumi resources to do so, which would significantly extend the code provided above.

Finally, the code exports the frontend service's endpoint, which would be how you access the NeuVector console. The `getResourceProperty` function is used to extract the endpoint from the service once it is deployed. This is particularly useful if you have a LoadBalancer service type and need to know the public IP or DNS name assigned to it.

Make sure to replace placeholders like `myOpenShiftCluster` and the Helm repo URL with your actual values. The values for the Helm chart would also need to be specified according to your needs. Note that you need to have the Azure Pulumi provider configured with your credentials for the above code to work.