fix(eks): fix helm deploy for public-ecr repositories #23176
Conversation
|
|
github-actions
bot
added
bug
|
As mentioned above, I wasn't able to run the integration tests timely on our own environment using gitpod. If somebody could run them for me, it would be greatly appreciated 🙏 |
|
Could you add a new integration test, ideally for the reproduction code in the first post of the linked issue? I can run the integ test. |
| logger.info("Found AWS public repository, will use default region as deployment") | ||
| region = os.environ.get('AWS_REGION', 'us-east-1') | ||
| logger.info("Found AWS public repository, will use region 'us-east-1' as deployment") | ||
| region = 'us-east-1' |
There was a problem hiding this comment.
I don't see a change to the unit tests for this; could you add a unit test for this change?
There was a problem hiding this comment.
I went through the previous commits for this lambda handler but didn't see any unit tests (unless I missed those) for these functions, so not sure what to add exactly here. What kind of unit test are you looking for?
Note that the integration test https://github.com/aws/aws-cdk/blob/main/packages/%40aws-cdk/aws-eks/test/integ.eks-helm-asset.ts#L54 should already cover the behaviour change here as well, which I think makes more sense than a unit test in this case?
There was a problem hiding this comment.
Woops, this is a custom resource lambda. We have no unit tests for these, so disregard this.
I think the integration test defined here should already cover this change https://github.com/aws/aws-cdk/blob/main/packages/%40aws-cdk/aws-eks/test/integ.eks-helm-asset.ts#L54. Note that the original issue normally would only occur when running this test in a region not |
| logger.info("Found AWS public repository, will use default region as deployment") | ||
| region = os.environ.get('AWS_REGION', 'us-east-1') | ||
| logger.info("Found AWS public repository, will use region 'us-east-1' as deployment") | ||
| region = 'us-east-1' |
There was a problem hiding this comment.
There's two valid regions, us-east-1 and us-west-2. If someone today is using us-west-2, then this change will force them to redeploy to update to us-east-1. We try to avoid forcing new deployments in new releases, so can you update this to check if AWS_REGION is us-west-2, and if it is, continue to use us-west-2?
There was a problem hiding this comment.
Looks like region is only used for grabbing temp ECR password and pass it to helm, and not subsequent commands or any SDK calls, so shouldn't impact rendered resources?
There was a problem hiding this comment.
According to the Amazon ECR public registries documentation the region should always be us-east-1 for the ecr-public get-login-password operation.
https://docs.aws.amazon.com/AmazonECR/latest/public/public-registries.html#public-registry-auth
When authenticating to a public registry, always authenticate to the us-east-1 Region when using the AWS CLI.
so I think we should always make it us-east-1 here, even deploying in us-east-2.
aws-cdk/packages/@aws-cdk/aws-eks/lib/kubectl-handler/helm/__init__.py
Lines 111 to 121 in c0b1019
|
This PR has been in the BUILD FAILING state for 3 weeks, and looks abandoned. To keep this PR from being closed, please continue work on it. If not, it will automatically be closed in a week. |
|
This PR has been deemed to be abandoned, and will be automatically closed. Please create a new PR for these changes if you think this decision has been made in error. |
aws-cdk-automation
added
the
closed-for-staleness
|
This PR has been deemed to be abandoned, and will be automatically closed. Please create a new PR for these changes if you think this decision has been made in error. |
pahud
removed
the
closed-for-staleness
pahud
added
the
pr-linter/do-not-close
|
reopening this PR with branch update. |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
|
Hi @HannesBBR Do you have the capacity to update the failed tests with |
|
This PR has been deemed to be abandoned, and will be automatically closed. Please create a new PR for these changes if you think this decision has been made in error. |
aws-cdk-automation
added
the
closed-for-staleness
|
The pull request linter fails with the following errors: PRs must pass status checks before we can provide a meaningful review. |
Fixes #23052
Using the default region causes
aws ecr-public get-login-password --region {region}to fail, which then breaks the further steps of the helm deploy process. See the issue #23052 for more details.According to the ECR docs the region should be either
us-east-1orus-west-2for public-ecr.Note that the command also requires additional permissions to succeed, for which I added the Managed Policy
AmazonElasticContainerRegistryPublicReadOnlyto the handler lambda role.I've tested the solution in our environment by updating the lambda-handler code and permissions accordingly with the proposed changes here, and now the helm deploy step succeeds, e.g.:
I also updated the integration tests to check for the addition of the managed policy, but did not run the actual integration tests yet. I tried running them from gitpod, but since the accounts in our environment have SCPs that only allow deploying to a single region, I wasn't able to complete all integration tests in time before gitpod closes me off. If someone could help out running the integration tests, that would be great 🙏
All Submissions:
Adding new Construct Runtime Dependencies:
New Features
yarn integto deploy the infrastructure and generate the snapshot (i.e.yarn integwithout--dry-run)?By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license