Deploy the tyk-operator helm chart on AWS EKS

Question

Pulumi · Accepted Answer

To deploy the Tyk Operator using a Helm chart on an AWS EKS cluster, you need to follow these general steps using Pulumi:

1. **Set up the EKS Cluster**: Begin by provisioning an EKS cluster on AWS. You would need to define the VPC and subnet configurations to prepare the networking environment for the EKS cluster.
2. **Define the IAM Roles**: Define the necessary IAM roles for your EKS cluster. This would typically include roles for the EKS service and the node group.
3. **Create the Node Group**: Attach a node group to the EKS cluster which will serve as the workers running the services.
4. **Install the Helm Chart**: Use the 'kubernetes.helm.v3.Chart' resource to deploy the Tyk Operator helm chart into the EKS cluster.

Here's a comprehensive Pulumi TypeScript program demonstrating the deployment of the Tyk Operator on AWS EKS. It includes comments explaining why each step is required, and what each section of the code accomplishes.

```typescript
import * as aws from "@pulumi/aws";
import * as eks from "@pulumi/eks";
import * as awsx from "@pulumi/awsx";
import * as k8s from "@pulumi/kubernetes";

// Create a VPC for our cluster.
const vpc = new awsx.ec2.Vpc("tyk-vpc", {
  numberOfAvailabilityZones: 2,
});

// IAM role for the EKS cluster itself.
const clusterRole = new aws.iam.Role("tyk-cluster-eks-role", {
  assumeRolePolicy: aws.iam.assumeRolePolicyForPrincipal({ Service: "eks.amazonaws.com" }),
});
new aws.iam.RolePolicyAttachment("tyk-cluster-eks-AmazonEKSClusterPolicy", {
  role: clusterRole,
  policyArn: aws.iam.ManagedPolicy.AmazonEKSClusterPolicy,
});
new aws.iam.RolePolicyAttachment("tyk-cluster-eks-AmazonEKSVPCResourceController", {
  role: clusterRole,
  policyArn: aws.iam.ManagedPolicy.AmazonEKSVPCResourceController,
});

// Create the EKS cluster using the cluster role defined above.
const cluster = new eks.Cluster("tyk-eks-cluster", {
  roleArn: clusterRole.arn,
  vpcId: vpc.id,
  subnetIds: vpc.subnetIds,
});

// Define the IAM role for the EKS node group.
const nodeGroupRole = new aws.iam.Role("tyk-node-group-eks-role", {
  assumeRolePolicy: aws.iam.assumeRolePolicyForPrincipal({ Service: "ec2.amazonaws.com" }),
});
new aws.iam.RolePolicyAttachment("tyk-node-group-eks-policy-AmazonEKSWorkerNodePolicy", {
  role: nodeGroupRole,
  policyArn: aws.iam.ManagedPolicy.AmazonEKSWorkerNodePolicy,
});
new aws.iam.RolePolicyAttachment("tyk-node-group-eks-policy-AmazonEKS_CNI_Policy", {
  role: nodeGroupRole,
  policyArn: aws.iam.ManagedPolicy.AmazonEKS_CNI_Policy,
});
new aws.iam.RolePolicyAttachment("tyk-node-group-eks-policy-AmazonEC2ContainerRegistryReadOnly", {
  role: nodeGroupRole,
  policyArn: aws.iam.ManagedPolicy.AmazonEC2ContainerRegistryReadOnly,
});

// Create a node group attached to the created cluster.
const nodeGroup = cluster.createNodeGroup("tyk-node-group", {
  instanceType: "t3.medium",
  desiredCapacity: 2,
  minSize: 1,
  maxSize: 3,
  labels: { "ondemand": "true" },
  instanceRole: nodeGroupRole,
});

// Install the Tyk Operator Helm chart.
const tykOperatorChart = new k8s.helm.v3.Chart("tyk-operator", {
  chart: "tyk-operator",
  version: "0.9.0",
  namespace: "tyk-operator-system",
  fetchOpts: {
    repo: "https://helm.tyk.io/public/charts",
  },
}, { provider: cluster.provider });

// Define the necessary outputs.
export const kubeconfig = cluster.kubeconfig;
export const clusterName = cluster.eksCluster.name;
export const nodeGroupRoleArn = nodeGroupRole.arn;
```

In this program:

- We create a new VPC for the EKS cluster to run in, ensuring that it is well isolated within AWS.
- We define IAM roles that will be assumed by the EKS service and the nodes within our EKS cluster.
- We instantiate the EKS cluster itself, passing in the IAM role and VPC configuration.
- We create a node group which is a set of EC2 instances that will be part of the EKS cluster and run our applications.
- We use the Pulumi Kubernetes Helm Chart resource to deploy the Tyk Operator.
- We export some outputs for easy access to important details, like the kubeconfig, the cluster name, and the node group role ARN.

Please ensure you replace `version: "0.9.0"` with the version of the Tyk Operator Helm chart you wish to use, if it's different.

To run this program, you will need to have Pulumi installed and AWS configured with the necessary permissions. Then, you simply run `pulumi up` to provision the resources. Afterward, use `pulumi stack output kubeconfig` to get the kubeconfig file necessary to interact with your EKS cluster using `kubectl`.