Deploy the wazuh-manager-filebeat helm chart on Azure Managed Openshift Service

Question

Pulumi · Accepted Answer

Deploying a Helm chart on an Azure Managed OpenShift cluster involves several steps. First, we need to create an OpenShift cluster on Azure. Managed OpenShift on Azure provides a fully managed and more secure deployment of Kubernetes with integrated best practices around a secure regulatory framework. For deploying Helm charts, OpenShift provides an integrated environment for running them just like a standard Kubernetes cluster.

Once we have an OpenShift cluster, we can install the Helm CLI to handle charts and deploy the wazuh-manager-filebeat Helm chart onto our OpenShift cluster.

Below, you'll find a Pulumi program written in TypeScript that sets up an Azure Managed OpenShift Service and deploys a specific Helm chart into it. Make sure you have configured your Pulumi environment with the necessary Azure credentials.

First, we will install the necessary Pulumi packages:

@pulumi/azure-native: This package provides native Azure resources.
@pulumi/kubernetes: This package is used for deploying resources to a Kubernetes cluster including Helm charts.

Here's how you can install these in your Pulumi project:

pulumi new azure-typescript # if starting a new project
npm install @pulumi/azure-native @pulumi/kubernetes

Now, let's look at the Pulumi TypeScript program:

import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
import * as k8s from "@pulumi/kubernetes";
import * as random from "@pulumi/random";

// Create an Azure resource group
const resourceGroup = new azure_native.resources.ResourceGroup("resourceGroup");

// Create an Azure AD Application for OpenShift service principal
const adApp = new azure_native.graphrbac.Application("openshiftADApp", {
    availableToOtherTenants: false,
    displayName: "OpenShiftServicePrincipal",
});

// Create a Service Principal for the Application
const adSp = new azure_native.graphrbac.ServicePrincipal("openshiftADSp", {
    appId: adApp.applicationId,
});

// Create a random password for the Service Principal
const password = new random.RandomPassword("password", {
    length: 20,
    special: true,
});

// Create a Service Principal password
const adSpPassword = new azure_native.graphrbac.ServicePrincipalPassword("openshiftADSpPassword", {
    servicePrincipalId: adSp.id,
    endDate: "2099-01-01T00:00:00Z",
    value: password.result,
});

// Provision an Azure OpenShift Managed Cluster
const openshiftCluster = new azure_native.redhatopenshift.OpenShiftCluster("myOpenShiftCluster", {
    resourceGroupName: resourceGroup.name,
    resourceName: "myOpenShiftCluster",
    clusterProfile: {
        pullSecret: "<PULL_SECRET>", // Obtain this from Red Hat OpenShift site
        version: "4.9.10",
    },
    masterProfile: {
        vmSize: "Standard_D8s_v3",
    },
    workerProfiles: [{
        name: "worker",
        vmSize: "Standard_D4s_v3",
        diskSizeGB: 128,
        count: 3, // Number of worker nodes
    }],
    servicePrincipalProfile: {
        clientId: adApp.applicationId,
        clientSecret: adSpPassword.value,
    },
    networkProfile: {
        podCidr: "10.128.0.0/14",
        serviceCidr: "172.30.0.0/16",
    },
    apiserverProfile: {
        visibility: "Public",
    },
    location: resourceGroup.location,
});

// Install the Helm chart for 'wazuh-manager-filebeat' into the Azure OpenShift
// NOTE: Before deploying, the 'wazuh-manager-filebeat' Helm chart must be accessible in a Helm repository.
const wazuhManagerChart = new k8s.helm.v3.Chart("wazuhManagerFilebeat", {
    chart: "wazuh-manager-filebeat",
    version: "1.0.0", // Use the desired version
    fetchOpts: {
        repo: "https://helm-repo-url-here", // Helm repository URL containing the chart
    },
    // Define any custom values needed for 'wazuh-manager-filebeat' Helm chart.
    values: {
        // exampleValue: "example",
    },
}, { provider: new k8s.Provider("k8sProvider", { kubeconfig: openshiftCluster.kubeconfig }) }); // Pass the OpenShift's kubeconfig to the Kubernetes provider

// Export the kubeconfig of the OpenShift cluster to connect with `kubectl`
export const kubeconfig = openshiftCluster.kubeconfig;

In this program, we are doing the following:

Creating an Azure resource group to hold our OpenShift cluster.
Setting up an Azure AD application and service principal which are required to create an OpenShift cluster.
Defining a password for the service principal authentication.
Creating an Azure Red Hat OpenShift cluster with a given version and specifications for master and worker nodes.
Deploying a Helm chart into the OpenShift cluster. You have to replace <PULL_SECRET> with your Red Hat OpenShift pull secret, which can be obtained from the Red Hat OpenShift Cluster Manager site. Additionally, replace the Helm chart version and repository URL with actual ones for the wazuh-manager-filebeat.

To run this Pulumi program, you would save this TypeScript code to an index.ts file in a Pulumi project, and execute it using the standard Pulumi workflow:

pulumi stack init dev
pulumi up

After you run pulumi up, Pulumi will handle the provisioning of all the resources, and if successful, it will output the kubeconfig needed to interact with your OpenShift cluster using kubectl.

Remember to replace placeholder values in the program with actual values relevant to your deployment. The pull secret can be obtained from the Red Hat OpenShift website after you have registered for an account. The wazuh-manager-filebeat Helm chart repository URL should also be replaced with the actual URL where the chart is located.