diff --git a/packages/@aws-cdk/aws-eks/lib/kubectl-handler/helm/__init__.py b/packages/@aws-cdk/aws-eks/lib/kubectl-handler/helm/__init__.py
index a7b26b264118b..c9120c1926e03 100644
--- a/packages/@aws-cdk/aws-eks/lib/kubectl-handler/helm/__init__.py
+++ b/packages/@aws-cdk/aws-eks/lib/kubectl-handler/helm/__init__.py
@@ -6,7 +6,6 @@
 import shutil
 import tempfile
 import zipfile
-from urllib.parse import urlparse, unquote
 
 logger = logging.getLogger()
 logger.setLevel(logging.INFO)
@@ -95,26 +94,25 @@ def helm_handler(event, context):
 
 def get_oci_cmd(repository, version):
     # Generates OCI command based on pattern. Public ECR vs Private ECR are treated differently.
-    cmnd = []
-    private_ecr_pattern = '\d+.dkr.ecr.[a-z]+-[a-z]+-\d.amazonaws.com'
-    public_ecr = 'public.ecr.aws'
+    private_ecr_pattern = 'oci://(?P\d+.dkr.ecr.(?P[a-z]+-[a-z]+-\d).amazonaws.com)*'
+    public_ecr_pattern = 'oci://(?Ppublic.ecr.aws)*'
 
-    registry = repository.rsplit('/', 1)[0].replace('oci://', '')
+    private_registry = re.match(private_ecr_pattern, repository).groupdict()
+    public_registry = re.match(public_ecr_pattern, repository).groupdict()
 
-    if re.fullmatch(private_ecr_pattern, registry) is not None:
+    if private_registry['registry'] is not None:
         logger.info("Found AWS private repository")
-        region = registry.replace('.amazonaws.com', '').split('.')[-1]
         cmnd = [
-            f"aws ecr get-login-password --region {region} | " \
-            f"helm registry login --username AWS --password-stdin {registry}; helm pull {repository} --version {version} --untar"
+            f"aws ecr get-login-password --region {private_registry['region']} | " \
+            f"helm registry login --username AWS --password-stdin {private_registry['registry']}; helm pull {repository} --version {version} --untar"
         ]
-    elif registry.startswith(public_ecr):
+    elif public_registry['registry'] is not None:
         logger.info("Found AWS public repository, will use default region as deployment")
         region = os.environ.get('AWS_REGION', 'us-east-1')
         cmnd = [
             f"aws ecr-public get-login-password --region {region} | " \
-            f"helm registry login --username AWS --password-stdin {public_ecr}; helm pull {repository} --version {version} --untar"
+            f"helm registry login --username AWS --password-stdin {public_registry['registry']}; helm pull {repository} --version {version} --untar"
         ]
     else:
         logger.error("OCI repository format not recognized, falling back to helm pull")
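Review bot: The new registry classification is looser than the `re.fullmatch` on the split registry it replaces: both patterns are non-raw strings with unescaped `.` (so `\d` is an invalid escape and `.` matches any character), and nothing terminates the host, so `re.match` also classifies a repository whose host merely starts with an ECR-shaped prefix as ECR and logs in with the captured prefix. A second problem is that `re.match(...).groupdict()` raises AttributeError whenever `repository` does not start with `oci://`, because the trailing `*` only guarantees a match after that prefix; whether every caller guarantees the prefix is not visible in this hunk. As rendered here the group names `registry` and `region` that the branches index are missing from the patterns (`(?P\d+`, `(?P[a-z]+`), presumably a rendering artefact rather than the committed text. The rewrite below uses raw strings, escaped dots, a `(?=/|$)` host terminator and tests the match object itself; a `re.Match` supports `m['region']` indexing, so the command f-strings stay as committed. The `else` branch and the function's return run past the end of the hunk.
```python
def get_oci_cmd(repository, version):
    # Generates OCI command based on pattern. Public ECR vs Private ECR are treated differently.
    # Raw strings, escaped dots and a host terminator (next '/' or end of string) keep the
    # registry check as strict as the previous re.fullmatch on the split registry part.
    private_ecr_pattern = r'oci://(?P<registry>\d+\.dkr\.ecr\.(?P<region>[a-z]+-[a-z]+-\d)\.amazonaws\.com)(?=/|$)'
    public_ecr_pattern = r'oci://(?P<registry>public\.ecr\.aws)(?=/|$)'

    # Match objects (or None); m['registry'] / m['region'] index the named groups directly.
    private_registry = re.match(private_ecr_pattern, repository)
    public_registry = re.match(public_ecr_pattern, repository)

    if private_registry is not None:
        # … unchanged: private ECR login + helm pull command using private_registry['region'] / ['registry'] …
    elif public_registry is not None:
        # … unchanged: public ECR login + helm pull command using public_registry['registry'] …
    else:
        # … unchanged: fallback to plain helm pull …
```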
diff --git a/packages/@aws-cdk/aws-eks/test/integ.eks-helm-asset.ts b/packages/@aws-cdk/aws-eks/test/integ.eks-helm-asset.ts
index 563af5eacb87d..a3a39739d98bc 100644
--- a/packages/@aws-cdk/aws-eks/test/integ.eks-helm-asset.ts
+++ b/packages/@aws-cdk/aws-eks/test/integ.eks-helm-asset.ts
@@ -60,6 +60,14 @@ class EksClusterStack extends Stack {
       createNamespace: true,
     });
 
+    // there is no opinionated way of testing charts from private ECR, so there is description of manual steps needed to reproduce:
+    // 1. `export AWS_PROFILE=youraccountprofile; aws ecr create-repository --repository-name helm-charts-test/s3-chart --region YOUR_REGION`
+    // 2. `helm pull oci://public.ecr.aws/aws-controllers-k8s/s3-chart --version v0.1.0`
+    // 3. Login to ECR (howto: https://docs.aws.amazon.com/AmazonECR/latest/userguide/push-oci-artifact.html )
+    // 4. `helm push s3-chart-v0.1.0.tgz oci://YOUR_ACCOUNT_ID.dkr.ecr.YOUR_REGION.amazonaws.com/helm-charts-test/`
+    // 5. Change `repository` in above test to oci://YOUR_ACCOUNT_ID.dkr.ecr.YOUR_REGION.amazonaws.com/helm-charts-test
+    // 6. Run integration tests as usual
+
     this.cluster.addHelmChart('test-oci-chart-different-release-name', {
       chart: 'lambda-chart',
       release: 'lambda-chart-release',
@@ -79,4 +87,3 @@ new integ.IntegTest(app, 'aws-cdk-eks-helm', {
 });
 
 app.synth();
-