fix(eks): fix helm deploy login for public ECR repositories (#24104)

fix helm deploy login for public ECR repositories

I have tested this issue fixed in `us-east-1` and `us-west-2` integ testing for
```
yarn integ-runner integ.eks-helm-asset.js --force --parallel-regions us-east-1
yarn integ-runner integ.eks-helm-asset.js --force --parallel-regions us-west-2
```

Closes #23977.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

packages/@aws-cdk/aws-eks/lib/kubectl-handler/helm/__init__.py

@@ -111,7 +111,7 @@ def get_oci_cmd(repository, version):
  region = os.environ.get('AWS_REGION', 'us-east-1')
 
  cmnd = [
- f"aws ecr-public get-login-password --region {region} | " \
+ f"aws ecr-public get-login-password --region us-east-1 | " \
  f"helm registry login --username AWS --password-stdin {public_registry['registry']}; helm pull {repository} --version {version} --untar"
  ]
  else:

packages/@aws-cdk/aws-eks/lib/kubectl-provider.ts

@@ -165,6 +165,11 @@ export class KubectlProvider extends NestedStack implements IKubectlProvider {
  iam.ManagedPolicy.fromAwsManagedPolicyName('AmazonEC2ContainerRegistryReadOnly'),
  );
 
+ // For OCI helm chart public ECR authorization.
+ this.handlerRole.addManagedPolicy(
+ iam.ManagedPolicy.fromAwsManagedPolicyName('AmazonElasticContainerRegistryPublicReadOnly'),
+ );
+
  // allow this handler to assume the kubectl role
  cluster.kubectlRole.grant(this.handlerRole, 'sts:AssumeRole');
 

packages/@aws-cdk/aws-eks/test/cluster.test.ts

@@ -2103,6 +2103,13 @@ describe('cluster', () => {
  ':iam::aws:policy/AmazonEC2ContainerRegistryReadOnly',
  ]],
  },
+ {
+ 'Fn::Join': ['', [
+ 'arn:',
+ { Ref: 'AWS::Partition' },
+ ':iam::aws:policy/AmazonElasticContainerRegistryPublicReadOnly',
+ ]],
+ },
  ],
  });
  });
@@ -2297,6 +2304,13 @@ describe('cluster', () => {
  ':iam::aws:policy/AmazonEC2ContainerRegistryReadOnly',
  ]],
  },
+ {
+ 'Fn::Join': ['', [
+ 'arn:',
+ { Ref: 'AWS::Partition' },
+ ':iam::aws:policy/AmazonElasticContainerRegistryPublicReadOnly',
+ ]],
+ },
  ],
  });
  });

packages/@aws-cdk/aws-eks/test/integ.eks-service-account-sdk-call.js.snapshot/asset.76b95b763a0d19e172361b0123e88b00854f56785669102a9ab0127f4f738bf5/cluster.ts → packages/@aws-cdk/aws-eks/test/integ.alb-controller.js.snapshot/asset.42ee7a787eab7842c3d815365d104cacb9168fb9beb8a1bc019b0a6d7e969bee/cluster.ts

@@ -326,8 +326,8 @@ function analyzeUpdate(oldProps: Partial<aws.EKS.CreateClusterRequest>, newProps
  return {
  replaceName: newProps.name !== oldProps.name,
  replaceVpc:
- JSON.stringify(newVpcProps.subnetIds) !== JSON.stringify(oldVpcProps.subnetIds) ||
- JSON.stringify(newVpcProps.securityGroupIds) !== JSON.stringify(oldVpcProps.securityGroupIds),
+ JSON.stringify(newVpcProps.subnetIds?.sort()) !== JSON.stringify(oldVpcProps.subnetIds?.sort()) ||
+ JSON.stringify(newVpcProps.securityGroupIds?.sort()) !== JSON.stringify(oldVpcProps.securityGroupIds?.sort()),
  updateAccess:
  newVpcProps.endpointPrivateAccess !== oldVpcProps.endpointPrivateAccess ||
  newVpcProps.endpointPublicAccess !== oldVpcProps.endpointPublicAccess ||