feat(eks): Allow helm pull from OCI repositories #18547
Conversation
|
|
github-actions
bot
added
the
@aws-cdk/aws-eks
|
@otaviomacedo , Any updates on this ? |
packages/@aws-cdk/aws-eks/README.md
Outdated
| @@ -1144,6 +1144,24 @@ cluster.addHelmChart('test-chart', { | |||
| }); | |||
| ``` | |||
|
|
|||
| ### OCI Charts | |||
|
|
|||
| OCI charts are also supported. Before executing ensure the handler lambda has the required ECR IAM permissions. | |||
There was a problem hiding this comment.
What are the required permissions? Can we automate that for the user?
There was a problem hiding this comment.
They would be ecr repository permissions to be able to log in. Ideally, it
should be present on the lambda.
There was a problem hiding this comment.
The handler role is this one:
You will need to add the ecr:GetAuthorizationToken permission to it
There was a problem hiding this comment.
@otaviomacedo , Done. please review
There was a problem hiding this comment.
Looks good. But the tests have to be updated now.
There was a problem hiding this comment.
@otaviomacedo , When I am trying to run tests from aws-eks directory. It appears to be not picking up tests at all or giving other errors. Could you advise me on the correct steps to execute tests?
There was a problem hiding this comment.
yarn build && yarn test should be the only thing you need. Another thing you can try is to build the whole transitive closure before running the test:
aws-eks $ ../../../scripts/buildupThere was a problem hiding this comment.
@otaviomacedo , the tests are now complete. Could we please merge this ?
There was a problem hiding this comment.
@otaviomacedo , Could you please review?. Thanks
mergify
bot
dismissed
otaviomacedo’s stale review
Pull request has been modified.
otaviomacedo
added
the
pr/do-not-merge
otaviomacedo
removed
the
pr/do-not-merge
|
Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
mergify
bot
dismissed
otaviomacedo’s stale review
Pull request has been modified.
|
Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
|
Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
|
@otaviomacedo , thanks a lot for your help ! |
|
Hi there, cluster.addHelmChart(
'AckS3', {
chart: 'ack-s3',
repository: 'oci://public.ecr.aws/aws-controllers-k8s/s3-chart',
version: 'v0.0.19',
namespace: 'ack-system',
createNamespace: true,
});TIA |
|
Did someone tested this feature? Any help here will be much appreciated |
|
I think I've understood why: I'll open a PR to fix that (tested locally for now) |
…act (#19778) When using helm to pull OCI artifacts, the helm pull command doesn't works well. The [check_output](https://stackoverflow.com/questions/3172470/actual-meaning-of-shell-true-in-subprocess) uses shell=True. That means that all arguments of the commands being passed to the check_output are basically been passed to the shell and not to the helm pull command. Using shell is also discouraged from [security perspective](https://docs.python.org/3/library/subprocess.html#security-considerations) References: https://docs.python.org/3/library/subprocess.html > On POSIX with shell=True, the shell defaults to /bin/sh. If args is a string, the string specifies the command to execute through the shell. This means that the string must be formatted exactly as it would be when typed at the shell prompt. This includes, for example, quoting or backslash escaping filenames with spaces in them. If args is a sequence, the first item specifies the command string, and any additional items will be treated as additional arguments to the shell itself. https://stackoverflow.com/questions/3172470/actual-meaning-of-shell-true-in-subprocess The previous change that used the `Shell=True` was introduced in commit - #18547 (comment) EDIT: Adding commit for the following items: - Adding integration test for helm OCI support in aws-eks - Upgrading helm version to 3.8.1 in `aws-lambda-layer` because of issues with the current version of helm that is been used, for OCI chart supports - update `integ.eks-helm-asset.expected.json` file ---- ### All Submissions: * [X] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md) ### Adding new Unconventional Dependencies: * [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md/#adding-new-unconventional-dependencies) - NO new unconventional dependencies ### New Features * [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/master/INTEGRATION_TESTS.md)? - NO * [ ] Did you use `cdk-integ` to deploy the infrastructure and generate the snapshot (i.e. `cdk-integ` without `--dry-run`)? - NO *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…act (#19778) When using helm to pull OCI artifacts, the helm pull command doesn't works well. The [check_output](https://stackoverflow.com/questions/3172470/actual-meaning-of-shell-true-in-subprocess) uses shell=True. That means that all arguments of the commands being passed to the check_output are basically been passed to the shell and not to the helm pull command. Using shell is also discouraged from [security perspective](https://docs.python.org/3/library/subprocess.html#security-considerations) References: https://docs.python.org/3/library/subprocess.html > On POSIX with shell=True, the shell defaults to /bin/sh. If args is a string, the string specifies the command to execute through the shell. This means that the string must be formatted exactly as it would be when typed at the shell prompt. This includes, for example, quoting or backslash escaping filenames with spaces in them. If args is a sequence, the first item specifies the command string, and any additional items will be treated as additional arguments to the shell itself. https://stackoverflow.com/questions/3172470/actual-meaning-of-shell-true-in-subprocess The previous change that used the `Shell=True` was introduced in commit - #18547 (comment) EDIT: Adding commit for the following items: - Adding integration test for helm OCI support in aws-eks - Upgrading helm version to 3.8.1 in `aws-lambda-layer` because of issues with the current version of helm that is been used, for OCI chart supports - update `integ.eks-helm-asset.expected.json` file ---- ### All Submissions: * [X] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md) ### Adding new Unconventional Dependencies: * [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md/#adding-new-unconventional-dependencies) - NO new unconventional dependencies ### New Features * [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/master/INTEGRATION_TESTS.md)? - NO * [ ] Did you use `cdk-integ` to deploy the infrastructure and generate the snapshot (i.e. `cdk-integ` without `--dry-run`)? - NO *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…act (aws#19778) When using helm to pull OCI artifacts, the helm pull command doesn't works well. The [check_output](https://stackoverflow.com/questions/3172470/actual-meaning-of-shell-true-in-subprocess) uses shell=True. That means that all arguments of the commands being passed to the check_output are basically been passed to the shell and not to the helm pull command. Using shell is also discouraged from [security perspective](https://docs.python.org/3/library/subprocess.html#security-considerations) References: https://docs.python.org/3/library/subprocess.html > On POSIX with shell=True, the shell defaults to /bin/sh. If args is a string, the string specifies the command to execute through the shell. This means that the string must be formatted exactly as it would be when typed at the shell prompt. This includes, for example, quoting or backslash escaping filenames with spaces in them. If args is a sequence, the first item specifies the command string, and any additional items will be treated as additional arguments to the shell itself. https://stackoverflow.com/questions/3172470/actual-meaning-of-shell-true-in-subprocess The previous change that used the `Shell=True` was introduced in commit - aws#18547 (comment) EDIT: Adding commit for the following items: - Adding integration test for helm OCI support in aws-eks - Upgrading helm version to 3.8.1 in `aws-lambda-layer` because of issues with the current version of helm that is been used, for OCI chart supports - update `integ.eks-helm-asset.expected.json` file ---- ### All Submissions: * [X] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md) ### Adding new Unconventional Dependencies: * [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md/#adding-new-unconventional-dependencies) - NO new unconventional dependencies ### New Features * [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/master/INTEGRATION_TESTS.md)? - NO * [ ] Did you use `cdk-integ` to deploy the infrastructure and generate the snapshot (i.e. `cdk-integ` without `--dry-run`)? - NO *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
The feature allows lambda to install charts from OCI repositories. This also adds login capabilities when the AWS registry is used.
Fixes - #18001
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license